In this tutorial, you will learn how to deploy an exe install file using group policy.
If you need to install an MSI file then check out my previous tutorial How to Deploy Software using GPO.
Group policy software deployment does not support exe files. You will need to use a script and group policy to deploy software with an exe. I’ll show you these steps below.
I do not recommend this method as it will require the users to have administrator rights and the ability to run scripts. I strongly recommend against users having either of those rights. If you must deploy an exe with group policy then try to grant temporary rights, when the deployment is done remove the rights and ability to run scripts. The preferred method would be to use a 3rd party program that can securely install software on your remote computers. Those programs can be expensive so I understand the desire to use free options. I’ve been there before and at times you have no choice due to a lack of funding or management constraints.
Steps for deploying an EXE:
- Step 1: Configure a PowerShell Script
- Step 2: Configure UNC Share
- Step 3: Configure GPO Settings
- Step 4: Reboot the Computer
Step 1: Configure a PowerShell Script
First, you need to configure a script. The script needs to check if the program is already installed if not then install it, if already installed then do nothing. I’m using PowerShell but you could also use a batch file.
Here is the script I’m using:
#Script to install exe via GPO
$folder = 'C:\Program Files\7-Zip'
if (-not (Test-Path -Path $Folder)) {
start-process -FilePath "\\srvwef\software\7z2107-x64.exe" -ArgumentList '/S'
}
else { }
Let me explain what each line does.
$folder = 'C:\Program Files\7-Zip'
The above line sets $Folder to the directory to check if it already exists. This will be used in the next line to determine if the program is already installed. Change the path to whatever program you want to check for.
if (-not (Test-Path -Path $Folder))
This line is testing if the path of $Folder does not exist. If it doesn’t exist then it will start the install process. If it does exist it will move to the else line and do nothing.
start-process -FilePath "\\srvwef\software\7z2107-x64.exe" -ArgumentList '/S'
This line starts the installation if the $Folder does not exist. I’m using a UNC path and the /S argument so it is a silent install. Users will need access to the location of the installer.
else {}
If the path of $Folder exists the script will move to this line and do nothing.
It’s a very basic script. You can modify it and add logging or other options. That is the nice thing about PowerShell you can customize it to your needs.
Save the script as this will be used in the next step. I saved my script as install.ps1
Step 2: Configure UNC Share
You need to have a secured distribution point for your EXE install file. It needs to be accessable for remote computers and users. I walked through on how to create a secure network share in the pervious tutorial for deploying an MSI file. Check it out if you need step by step instructions.
Step 3: Configure GPO Settings
Now let’s configure the group policy.
Create and link a new GPO to the OU containing your users. I’m going to add a new GPO to my Accounting OU.
Give the GPO a name. Then edit the GPO
Navigate to User Configuration > Windows Settings > Scripts (Logon/Logoff)
On the right side click on “Logon”.
Then click on PowerShell Scripts or Scripts if using a batch file.
Click on the Add button, then click browse.
With the browser window open you want to copy and past the .ps1 file into this window. Do not modify the path, this is the path of the GPO, and the script needs to be copied into this path. Your path will look different than mine.
Click ok and ok again. You should be back at the main screen. This completes the GPO configuration.
Step 4: Reboot Computer
Now reboot, login and the software should install.
If the software is a silent install the user will not see anything when they login, it will install in the background with no user interaction. Unless you add some logging into the script you will not know if it installs are not. That is one drawback to using group policy to install the software. If this is a method you will use long term then I would add some logging to the script to help track for failed and successful installs.
The installation went smoothly, but is it possible to create a shortcut to the application on the desktop after installation?
Two options.
1. Include the shortcut in your installer.
2. Create shortcut with GPO. https://activedirectorypro.com/group-policy-desktop-shortcuts/
Hello,
I converted may exe packager to MSI package, is this the same procedure?
how can I by pass the install button or forcefully install a 3rd party package?(VERSA VPN CLIENT EXE)
Example of these package you need to select some option Default or Advance, i just need to forcefully install the package.
For an msi see this article -> https://activedirectorypro.com/deploy-software-using-group-policy/
You can change various settings with the Orca MSI editor. Check out this guide -> https://4sysops.com/archives/edit-an-msi-file-with-the-orca-msi-editor/
What is the best way to deploy software? Computer oriented or user oriented and if we run the script on both (computer and user) which one will get priority? Can I see a graphical list with the status of all computers or users against this GPO?
With group policy I prefer deploying to computer. 1. It will install for all users. 2. It will install automatically. Deploying to users will not install automatically.
What if my users dont have software install permission? I understand that regular software deployment via GPO (using .msi files) don’t require admin rights for the install, but in this case, using an .exe file running as a script, how can I “bypass” the admin password input? Thanks
I don’t think this can be done with GPO. I would look at 3rd party options that allow you to specify an account for installing the software.
Could it be done by modifying the technique you describe above by replacing “Navigate to User Configuration > Windows Settings > Scripts (Logon/Logoff)” with “Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)” and replacing “On the right side click on “Logon”” with “On the right side click on “Startup”” both in step 3?
If that works the way I’m thinking, that would alleviate the concerns you expressed just before you listed the steps. Also, most software installations performed require UAC permission, and if the user is not an administrator, then administration credentials are needed to give a yes to the UAC. I do not think installations done through the computer side of the GPO would trigger UAC.
Yes, this should work. I’ve used startup scripts in the past to deploy software but have not tested recently. You will need to make sure the computer object has read access to the share.
As in I’m dealing with the same issue have you find the solution for it?
Hi Sehran Jan,
I’ve have a method that you can use.
You can create a scheduled task that executes the exe (in computer configuration), in scheduled task mention the user, using which you want to execute the scheduled task (That will take care of the UAC Prompt)
In that case also make sure that, the user you mentioned in scheduled task does have rights to read and execute the exe from shared folder.
It is not easier to convert exe to msi, you can use different wrappers from exetomsi to Silent Install.
Google is very simple.
Top 3 search queries examples:
https://www.exetomsi.com/
https://www.exemsi.com/
https://apreltech.com/Blog/Exe_to_msi_wrapper
And also a very nice gpo tool without PowerShell:
https://www.silentinstall.org/exe-to-gpo/
I hope this helped you)
Have you tried them?
Is there any preference of choose one or another?
What are limitations of there free versions?
Good threads!
Thanks Silas
I need to deploy the Evergreen WebView2 Runtime to client machines and need to check if it is installed already. Your PS script looks like it would work but I cannot use the folder option to check for the software existence. Microsoft recommends checking two registry keys with populated fields for existence or use the GetAvailableCoreWebView2BrowserVersionString API and query the result for the nullprt response in the VersionInfo field. I am a total nubie with any scripting so do you have any examples that would meet this criteria. Any assistance would be much appreciated!
You can modify the script to check for a registry path. Use test-path to check a path, here is an example.
test-path ‘HKLM:\software\7-Zip’
It will return true or false.