3.1.5.2.4 Package Removal

Administrators might want an application that is deployed in a GPO to be removed from all clients that previously installed it through this protocol. Package removal MUST accomplish this through the following protocol sequence:

  1. The Common LDAP Bind sequence (section 3.2.5.6) MUST be issued.

  2. Retrieve the GUID string, as defined in [RFC4122] section 3, of the package to be removed. A Package Search Request (section 2.2.3.1.1) MUST be generated by the client with the following parameters:

    • baseObject: MUST be a DN of the form CN=Packages,CN=Class Store,<scoped gpo dn>, where <scoped gpo dn> is a scoped GPO DN.

    • scope: MUST be set to 1 (singleLevel).

    • Filter: The following LDAP filter (as specified in [RFC2254]) MUST be used to search the Packages container of the GPO (the representation given here is what is specified in [RFC2254]). This representation can be mapped to the LDAP protocol representation and wrapped with the AND operator (&):

      • packageName=<name of package to be removed>

    • attributes: MUST be objectclass and packageFlags.

      The reply MUST be a Package Search Reply (section 2.2.3.1.2) containing the ObjectName of the package and the objectclass and packageFlags attributes.

  3. Retrieve the packageFlags of the package to be removed. A Package Search Request (section 2.2.3.1.1) MUST be generated by the client with the following parameters:

    • baseObject: MUST be the DN of the package returned as the ObjectName from step 2.

    • scope: MUST be set to 0 (baseObject).

    • Filter: The following LDAP filter (as specified in [RFC2254]) MUST be used to search the package (the representation given here is what is specified in [RFC2254]). This representation can be mapped to the LDAP protocol representation and wrapped with the AND operator (&):

      • objectClass=*

    • attributes: MUST be packageFlags.

      The reply MUST be a Package Search Reply (section 2.2.3.1.2) containing the packageFlags attribute.

  4. Mark the package for removal. A package update sequence (as specified in section 2.2.3.2.5) MUST be generated by the client with the following attributes:

    • packageFlags MUST have the ACTFLG_Uninstall flag set.

    • msiScriptName MUST be "R".

      If the resultCode field of the modifyResponse message is non-zero, this protocol sequence MUST proceed to step 7 (LDAP UnBindRequest).

  5. Update the timestamp of the class store container. A Class Store Confirmation Message (section 2.2.3.2.4) MUST be generated by the client specifying only the lastUpdateSequence attribute. If the resultCode field of the modifyResponse message is non-zero, this protocol sequence MUST proceed to step 7 (LDAP UnBindRequest).

    Information on how this causes the client to remove this application when the policy application mode sequence is invoked is specified in section 3.2.5.3.

  6. Issue the Group Policy Extension Update event described in [MS-GPOL] section 3.3.4.4.

  7. The Common LDAP UnBind sequence (section 3.2.5.7) MUST be issued.
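
The following sketch is an added example, not part of this specification: it runs steps 1 through 7 against a constructed in-memory directory, escaping the package name as [RFC2254] requires for filter values, preserving the existing packageFlags bits when ACTFLG_Uninstall is set, and always reaching the unbind in step 7. The `FakeDirectory` interface, the numeric value of `ACTFLG_UNINSTALL`, the class store container DN, the single-match check and the `lastUpdateSequence` value are assumptions made for illustration.

```python
ACTFLG_UNINSTALL = 0x80  # ASSUMED placeholder; use the value from the packageFlags definition

def escape_filter_value(value):
    # Escape filter metacharacters so a package name cannot alter the filter's structure.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection (hypothetical interface)."""
    def __init__(self, entries, fail_modify=False):
        self.entries, self.fail_modify, self.log = entries, fail_modify, []
    def bind(self): self.log.append("bind")
    def unbind(self): self.log.append("unbind")
    def search(self, base, scope, flt, attrs):
        self.log.append(("search", base, scope, flt))
        if scope == 0:  # baseObject: the named entry only
            return [dict(self.entries[base], dn=base)] if base in self.entries else []
        want = flt[len("(&(packageName="):-2]  # singleLevel: direct children of base
        return [dict(e, dn=dn) for dn, e in self.entries.items() if dn.partition(",")[2] == base
                and escape_filter_value(e.get("packageName", "")) == want]
    def modify(self, dn, changes):
        if not self.fail_modify:
            self.entries.setdefault(dn, {}).update(changes)
        return 1 if self.fail_modify else 0  # resultCode; non-zero means failure

def remove_package(conn, gpo_dn, name, sequence):
    store = "CN=Class Store," + gpo_dn  # ASSUMED DN of the class store container
    conn.bind()                                                         # step 1
    try:
        hits = conn.search("CN=Packages," + store, 1,                   # step 2
                           "(&(packageName=%s))" % escape_filter_value(name),
                           ["objectclass", "packageFlags"])
        if len(hits) != 1:  # added check: act only on one unambiguous match
            return False
        dn = hits[0]["dn"]
        flags = conn.search(dn, 0, "(&(objectClass=*))", ["packageFlags"])[0]["packageFlags"]  # step 3
        changes = {"packageFlags": flags | ACTFLG_UNINSTALL, "msiScriptName": "R"}
        if conn.modify(dn, changes) != 0:                               # step 4
            return False
        if conn.modify(store, {"lastUpdateSequence": sequence}) != 0:   # step 5
            return False
        conn.log.append("extension-update-event")                       # step 6
        return True
    finally:
        conn.unbind()                                                   # step 7, on every path

def demo():  # constructed sample data; DNs and names are placeholders
    gpo = "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=test"
    pkg = "CN=PACKAGE-GUID-PLACEHOLDER,CN=Packages,CN=Class Store," + gpo
    d = FakeDirectory({pkg: {"packageName": "App (x64)", "packageFlags": 0x1}})
    return remove_package(d, gpo, "App (x64)", "constructed-sequence"), d.entries[pkg], d.log
```
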