The purpose of this document is to provide a detailed explanation of how to prepare and execute the installation of the Forefront Identity Manager 2010 Add-ins and Extensions through Group Policy. 


  1. Orca – You will need this tool to be able to build a Windows Installer Transform file (MST).  The tool is available in the Windows Installer SDK which you can download from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e96f8abc-62c3-4cc3-93ad-bfc98e3ae4a3.  Once downloaded, you will find it in the %programfiles%\Microsoft SDKs\Windows\v6.0a\Bin.
  2. Microsoft Windows Server 2008 Active Directory
  3. Microsoft Outlook 2007 Service Pack 2


We will cover the steps to prepare the Forefront Identity Manager 2010 Add-ins and Extensions package for deployment.  It is a good idea to execute the steps in order, as it will allow things to flow more smoothly in your deployment process.

  1. Create a network installation share if you do not already have one.
  2. Create a Windows Installer Transform file
  3. Add the installation package to the Group Policy Management Editor and prepare it for deployment
  4. Verify the package install on the client


A transform is a collection of changes applied to an installation. By applying a transform to a base installation package, the installer can add or replace data in the installation database. The installer can only apply transforms during an installation.  You might want to add some custom information to the installation to help configure things as the product is installed.

  1. Navigate to the installation folder for the Add-ins and Extensions (Forefront Identity Manager\Add-ins and extensions)

*NOTE* You will need to build a MST for each x64 and x32 if you have a mixed x64/x32 bit environment.

  1. Right click on the Add-ins and extensions.msi file and select Edit in Orca

*NOTE* If you need to deploy to another language, you will need to build a MST file for each of the language packs.

  1. From the Transform menu select New Transform
    1. Select Property from the left hand column

i.      At this point, you can work with Public Properties that you need to customize for your environment.  In this sample, I will be updating the following: (RMS_LOCATION, PORTAL_LOCATION, PORTAL_PREFIX, MONITORED_EMAIL, SITELOCK_DOMAIN, IE7TRUSTEDSITES, BEST_EFFORT_INSTALL)

*NOTE: For more information on the properties mentioned above, refer to the following links:
  -- Unattended installation of FIM 2010
  -- Unattended installation of FIM 2010 R2 Self-Service Password Reset

ii.      What to do when you do not see the property.

          1. From the tables menu select Add Row
          2. Enter the property name in all capital letters. 
          3. Enter the value
          4. Click Ok

iii.      What to do when you see the property.

  1. Simply double click on the value and update the value.
  2. From the Transform menu select Generate Transform
    1. Save it to a good location. 
    2. From the Transform menu select Close Transform
      1. *NOTE*  You have to select the Close Transform menu option.  If you do not you will not be able to associate the MST file with the MSI file.
      2. Close Orca
      3. You should now have an MST file.

For more information on Windows Installer Transforms please visit:

  1. http://technet.microsoft.com/en-us/library/cc181086.aspx
  2. http://msdn.microsoft.com/en-us/library/aa367447(VS.85).aspx



  1. Open Administrative Tools and double click on Group Policy Management
  2. Expand Domains and then your domain
  3. Select Default Domain Policy
  4. From the Action menu select Edit
  5. This will open the Group Policy Management Editor window
  6. Expand Computer Configuration > Policies > Software Settings
  7. Select Software Installation
  8. From the Action menu select New > Package
  9. Point to the network share installation point using the UNC path beginning with (e.g. \\machinename\installationshare)
  10. Select the Add-ins and extensions.msi file and click Open
  11. Select Advanced and click Ok
  12. Select Modifications and click Add
  13. Point to the MST file that you created and click Ok
  14. Open a command-window and type: gpupdate /force
  15. You will receive a prompt to restart the computer.  Please press “N” and then press the Enter key. 
    1. *NOTE* This restart option is for the DC and not the client computer.  If you check “Y” here, the DC will prompt you that it is restarting and it will apply the installation policy to itself.
    2. The package is now ready to be deployed


  1. Go to the client machine
  2. Restart the client machine
  3. Open Control Panel and then Programs and Features
  4. Notice the installed package
  5. Open Microsoft Outlook and start a new mail.  You should see the Group information in the Office Ribbon.


Logging and troubleshooting ideas

EVENT IDs to be aware of:


Log Name:      Application
Source:        Software Installation
Date:          3/9/2010 3:20:34 PM
Event ID:      110
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      USARS.speedskaters.nttest.microsoft.com

Software Installation was unable to generate the script for \\usars\AandE\x64\Add-ins and extensions.msi.  The following error was encountered: Another installation is already in progress. Complete that installation before proceeding with this install.


This means that you have not executed a GPUPDATE yet to fully configure the installation, or you have clicked the Ok button again before the properties window closes.

  1. Remove the item that added when the properties window closes.
  2. Open a command-prompt
  3. Type: gpupdate /force and press the <ENTER> key
  4. Go back to the Group Policy Editor and add the package