How to run an .exe only once using Windows GPO’s

January 10, 2018 admin Citrix, Windows 1

i dont know why, but until today there is no “execute once” option in Microsoft GPO’s – but this is actually often desired, especially on the first login in a XenApp or VDI environment.

i found a lot of different solutions online – like running a script and then set a flag in the registry to make it not run it again on the next login. but why all the hassle when you can do it with Windows itself?

the whole topic came into my mind when i was thinking about, how i could use my SetUserFTA or SetDefaultBrowser to define a default, but then letting the user decide later to use whatever HE wants. using the logon GPO feature, will always overwrite the users choice – which is not always what we want.

actually Microsoft offers us everything we need already out of the box, just not in one setting. but combining two of them, lets us achieve exactly what we want.

Windows itself has a registry key that will be executed only once and then deletes itself after. kinda like autorun, but only once:

RunOnce Registry Key: https://msdn.microsoft.com/de-de/library/aa376977(v=VS.85).aspx

if we set something in that registry key (under HKEY_CURRENT_USER) we can run an executable once and then it will remove that entry. thats quite handy – but we need to set this key per user and of course also somehow automated (and make sure it happens only once).

with GPO Preferences we can set registry keys and there is a very useful option called “apply once and do not reapply“. you can read more about that feature here: https://technet.microsoft.com/en-us/library/cc772371(v=ws.11).aspx#BKMK_Apply

now – what if we combine these two features to make an executable run only once? lets say we want to set the default browser only one time per user?

simple as that:

  1. configure a Registry Key in GPO preferences (maybe you need loopback mode on)
  2. set it to run your exe under this Key: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  3. the value name doesnt matter, but the exe must be in the PATH of the machine that this policy will apply
  4. in the Common tab select “apply once and do not reapply”

thats is. now your executable will be run only one time (either on first login or once after you created this GPO). very useful for SetUserFTA or SetDefaultBrowser and other little utilities that help you to design a proper desktop design. User Experience Matters!

1 Comment

Leave a Reply