Using AD distribution with the Window Credential Provider

Windows Vista / Server 2008 through Windows 8.1 / Server 2012r2

Since Group Policy can not use silent mode for installation with an .EXE we need to be a bit creative.

If you use this silent mode guide you can build your own .BAT / .VBS / .PS1 type scripted installer file.

Once you have the script file built we can follow a simple deployment model.

  1. Copy the .EXE & .BAT to the target machine.
    Note: These files must be copied to a local folder like c:\temp, c:\kworking etc. Network shares, lancache etc. will not work.
  2. Execute the script file.
  3. Delete the two files.

End result the machine will have a Windows Credential Provider configured with your desired settings.

Note this method will only work with this installer.


Windows 10 - newer

For organizations that use Group Policy to manage software distribution, you can deploy the AAOD Credential Provider using Active Directory.

Note: This process is designed to be used with this installer or this installer.

Preparing for Deployment

To properly use software distribution policies, you must prepare an MSI configuration set using this KB.

  1. Set up a network share available to all domain based computers
  2. Configure the AuthAnvil Two Factor Auth installation INI for the MSI package
  3. Set up a Group Policy Object for the deployment

Setup the network share

To deploy using Active Directory, member workstations and servers need to be able to access a share as the machine’s SYSTEM account. The best way to do this is to create a new share and assign Domain Computers to the share, and ALSO assign it NTFS Read, Read and Execute, and List Folder Contents permissions for the shared folder. Once this is done, copy the MSI packages included in the deployment kit to the share.

Note: Make sure that all files in the share inherit this permission, or you will not be able to remotely deploy the MSI.

Configure the INI for the MSI package

As MSI packages distributed by Active Directory are not designed to use the standard silent mode installation options, you need to create a special INI file that the MSI will read during remote installation. This INI file needs to exist in the same shared directory as the underlying MSI file.

To aid in the setup and configuration of this INI file, see this article for more information.

The options are the same settings as available in the silent mode installer, hold that to the BANNER variable. If you have been issued a digital fingerprint for your own banner, you will need to manually edit the INI file and add the line “Banner=xxxxx”, where xxxxx is the digital hash provided to you by Scorpion Software. If you store your aalogon.bmp file in the same directory as the INI and MSI files, during deployment the bmp will be copied to the target system and applied.

Once you have configured the settings for the INI the way you like it press the Create File button and select to store it in the same network share as the MSI file(s).

Note: There is no secondary redundant SAS URL so please use the same SAS URL's for both fields.

Note 2: The installation password is not supported for deployments to command line systems. Any value set there will be ignored.

Set up the Group Policy Object

Before setting up the GPO, you need to consider how you will manage software distribution. One thing to consider is that there are different MSI packages for GINA based operating systems (Windows XP and Windows Server 2003 based systems) and Credential Provider based operating systems (Windows Vista, Windows 7 and Windows Server 2008). You should apply AAWinLogon.msi for GINA based systems, and AAWinLogonCP.msi for Credential Provider based systems. You are encouraged to separate such systems into their own Organizational Units (OUs), to make deployment easier to manage.

To begin, start Active Directory User and Computers and create a child OU under the current location where your workstations and/or servers are stored. As an example, customers with Small Business Server may decide to create a new OU called “AAoD Protected Workstations – GINA” under MyBusiness->Computers->SBSComputers. Later when you are ready to deploy the software, you can then drag and drop the workstations you want to apply this policy to into that OU and force a gpupdate.

Once you have the target OU set up, you need to create and link a GPO to it.

To do this in Windows Server 2003 based systems, right click the OU and select “Properties”. Select the Group Policy tab and press the New button to create a new GPO, and give it a name. Then press the Edit button to start the Group Policy Object Editor tool.

On Windows Server 2008 based systems, open the Group Policy Management tool directly from Administrative Toolsand do the following:

  1. Right click the OU and select the menu option to “Create and Link a GPO Here…“. Name the policy something easy for you to remember, like “AAoD MFA Protection Policy“.
  2. Right click on this new policy and select “Edit” from the popup menu.

Once the Group Policy Object Editor launches, expand Computer Configuration->Software Settings, then right click on Software installation and select to create a new Package.

Browse to the network share where the MSI package is located and select it. Click Open.

Select to Deploy Software using the Assigned method.


At this point the MSI will now be tied to the GPO and computers added to the OU this is assigned to will have the AAod Credential Provider deployed to it the next time it is rebooted.

Note: Active Directory Software Distribution Policies only run on boot up after the policy is applied. On GINA based systems, this means it will take two reboots before the agent will be applied, since the first reboot will install the agent, and the second one will actually load it. On Credential Provider based systems (Vista/2008/7), you will only need to log in and then log back out again after the first reboot to reload the Credential Provider.

It is recommended that you run gpupdate /force and reboot the computer twice when you want to accomplish this. If you wish to do this remotely, use psexec from the SysInternals PSTools package to do this on a machine basis.

ie: psexec ComputerName gpupdate /target:computer /force /boot

Uninstalling a Distributed Package

If you need to uninstall the agent, you can do this by editing the GPO and selecting to Remove the package.

Once prompted, select to “Immediately uninstall the software from users and computers“.

Once you press OK, the next time policy is updated for the target systems and it is rebooted, the agent will be uninstalled. On GINA based systems, a second reboot will be required to remove the protection scope of the AuthAnvil MFA agent and properly reload the regular Windows Logon Agent. On Credential Provider based systems, you will only need to log in and then log back out again after the first reboot to reload Credential Provider.


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us