In this tutorial, I will show you how to use Group Policy to deploy software to computers and users.
In this example, I will deploy Chrome to computers via Group Policy. The steps in this example will work with other MSI files.
Check it out!
Table of contents:
- Create a Secure Network Share for The MSI Install Files
- Create GPO to deploy software to computers
- GPO Settings to Install Software to Users Only
- Tips & Troubleshooting
Create a Network Share for the MSI Install File
The first step is to ensure you have a secure shared folder for the MSI file so users and computers can access it. The MSI files do not get copied to computers; they will run from a network share.
Tip: It is critical that you don’t set “everyone” permissions on your network shares. There is no need for this and it is just bad practice. This gives everyone on your network access to the shared folder including unauthenticated users. Also, this is how ransomware and viruses spread, as they are often programmed to look for UNC shares and attack the files and folders. Even if you set “READ ONLY” access, you are still giving everyone access to read the files in this directory. Again, this is just bad practice and can easily be avoided.
/end rant
Steps to create a secure network share:
Pick a server that everyone can access to configure the shared folder.
Right-click a folder, then click the sharing tab and advanced sharing.
I’m using a 2019 Windows server. I created a folder called software to store the install files. You can name your folders anything you want.
On the advanced sharing screen, click the box to share this folder. The share name can be anything you want, I’ve called mine “software”.
Now click the permissions button.
On the share permissions screen, remove everyone.
Now add domain computers and domain users and set the permissions to read. You can lock the permissions down to specific users and computers if needed by creating new security groups.
Click ok to get back to the properties page and click on the security tab.
Make sure Everyone is not listed; if it is, remove it.
Add domain users and domain computers and give them read & execute, list, and read permissions.
Ok, good job. The shared folder configuration is complete. Now copy the MSI install files to the folder you just created.
Test access to the network share from a remote computer. On the remote computer, type \\hostname\sharename in the search box. My server name is “srvwef” and the share name is “software”.
If you can access the share you should see a list of files.
That completes the network share configuration. The next section will configure the GPO for software deployment to computers.
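The same share setup can be scripted and then audited for leftover broad permissions. This is an added example, not part of the original tutorial; the domain name `EXAMPLE` and the path `D:\software` are placeholders, and the built-in group names assume an English-language Windows installation.

```powershell
# Added example. Run in an elevated PowerShell session on the file server.
# $Domain and $Path are placeholders; "software" is the article's share name.
$Domain    = 'EXAMPLE'          # placeholder NetBIOS domain name
$Path      = 'D:\software'      # placeholder folder path
$ShareName = 'software'
$Readers   = "$Domain\Domain Computers", "$Domain\Domain Users"

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Share permissions: Read for the two domain groups only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ReadAccess $Readers | Out-Null
}
# Remove Everyone from the share permissions if it is present.
if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# NTFS permissions (Security tab): drop explicit Everyone entries, then grant
# Read & execute, inherited by subfolders (CI) and files (OI).
icacls $Path /remove:g 'Everyone' | Out-Null
foreach ($group in $Readers) {
    icacls $Path /grant "${group}:(OI)(CI)RX" | Out-Null
}

# Audit: list any broad principals still present on the share or the folder.
$broad = 'Everyone', 'ANONYMOUS LOGON', 'Guests', 'Guest'
$shareHits = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $a = $_.AccountName; $broad | Where-Object { $a -like "*$_" } }
$ntfsHits = (Get-Acl -Path $Path).Access |
    Where-Object { $id = $_.IdentityReference.Value; $broad | Where-Object { $id -like "*$_" } }

if ($shareHits -or $ntfsHits) {
    Write-Warning 'Broad principals still have access (possibly inherited):'
    $shareHits | Format-Table AccountName, AccessRight
    $ntfsHits  | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "No Everyone/Anonymous/Guest entries on \\$env:COMPUTERNAME\$ShareName"
}
```

`icacls /remove:g` only removes explicit entries, so an inherited Everyone entry reported by the audit has to be fixed on the parent folder or by disabling inheritance.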
Create GPO to Deploy Software to Computers
Group policy has settings for targeting computers and settings to target users. In this section, we will target computers for deploying software. This means the software will be installed for anyone who logs into the computer.
I recommend creating a new GPO for the software install; do not add these settings to the Default Domain Policy.
In the group policy management console browse to the OU, right click and select “Create a GPO in this domain, and link it here”
In this example, I’m going to install Chrome on all the computers in the IT OU, so I will create and link the GPO to the IT OU.
Give the GPO a name. I’ve named mine “Computer – Chrome Install”
Edit the new GPO:
Computer Configuration > Policies > Software Settings > Software installation
Right click Software installation and select New > Package
On the open screen browse to the network share using the UNC path, select the MSI you want to install, and click open. DO NOT browse using the local drives or the install will fail.
On the deploy software screen, click Assigned and then click Ok. Published will be grayed out as that option can only be used when deploying software to users.
That completes the GPO configuration. The GPO settings should look like this.
The software will only install during a reboot and the computer must have its GPO settings updated. GPO settings will refresh automatically every 90 minutes.
To force the GPO settings you can use the gpupdate /force command.
When you run the gpupdate command you will get a message saying one or more settings must be processed before the system start or user logon. This is referring to the software installed by GPO and is expected. Type Y to restart the computer.
The software will be installed on reboot.
When I log in I can see the Google Chrome icon on the desktop and that confirms the software installed.
That completes the steps on how to deploy software using group policy.
GPO Settings to Install Software to Users Only
If you want to install software for specific users, use the user configuration GPO settings instead of the computer configuration settings.
This works differently than deploying to a computer.
In my testing, the user configuration does not install the software automatically for the user. This is why I prefer to use the computer configuration for deploying software but everyone has different requirements.
Published vs Assigned Deployment Method:
There is little to no documentation on this from Microsoft. From my testing, they seem to do the same thing. The only thing I see this does is add the software to the list of programs that can be installed from the network.
The user will need to click on Google Chrome from here and then the software will install. Some articles I found said the assigned option should put an icon on the desktop, then it will install when the user clicks the icon. This was not my experience.
Tips and Troubleshooting
Here are some tips to troubleshoot GPO software installation issues.
Tip #1 Check the event logs
On the computer that fails to install, check the system event logs for errors. This will provide details as to why the installation failed.
Tip #2 Display detailed messages at startup
This will display the “Applying software installation settings” message during startup.
You will need to enable this GPO setting.
Computer Configuration > Policies > Administrative Templates > System and enable “Display highly detailed status messages”.
Tip #3 Enable Wait for the network at computer startup and logon
If you are having issues with the software installation you may need to enable this GPO setting.
Computer Configuration > Policies > Administrative Templates > System > Logon and enable “Always wait for the network at computer startup and logon”
Tip #4 Test with a small MSI file
The problem might be the MSI install file. Test with a small program like 7-Zip or Notepad++; these are really small install files that are known to work.
Tip #5 Use gpresult to verify the GPO is enabled.
Use the built-in gpresult command to verify the GPO settings are getting applied to the computer.
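Tips #1 and #5 can be combined into one check run on the affected computer. This is an added example, not part of the original tutorial; the provider names are the ones current Windows versions use for GPO software installation and Windows Installer events, and the seven-day window is an assumption.

```powershell
# Added example. Run on the client where the package failed to install.
$since = (Get-Date).AddDays(-7)   # look-back window, adjust as needed

# Events written by the Group Policy software installation extension (System log)
# and by Windows Installer itself (Application log). If nothing is returned,
# list the provider names with: Get-WinEvent -ListProvider '*Application Management*'
$filters = @(
    @{ LogName = 'System';      ProviderName = 'Application Management Group Policy'; StartTime = $since },
    @{ LogName = 'Application'; ProviderName = 'MsiInstaller';                        StartTime = $since }
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$events = @($events | Where-Object { $_ } | Sort-Object TimeCreated)

# Level 2 = Error, 3 = Warning.
$problems = @($events | Where-Object { $_.Level -in 2, 3 })

# One summary row per computer, suitable for collecting into a CSV report.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    EventsFound  = $events.Count
    Problems     = $problems.Count
    LastProblem  = ($problems | Select-Object -Last 1).Message
}

# Detail for each problem event.
$problems | Format-List TimeCreated, ProviderName, Id, LevelDisplayName, Message

# Confirm the GPO is in the computer's applied list (run elevated for computer scope).
gpresult /r /scope computer
```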
Sources
- Use Group Policy to remotely install software
- 15+ years of experience doing this in production environments
- Tested this solution in my Active Directory lab
Summary
Deploying software with Group Policy is easy to do. Although it doesn’t have a lot of options and features, it’s useful for deploying simple software packages.
I hope you enjoyed this tutorial. If you have questions, post them in the comment section.
If you need to deploy an exe then refer to the article Deploy Software (EXE) Using Group Policy – Part 2.
Using this method, is there any way we can find out how many machines the software was installed successfully on and how many machines it failed to install on? (logging installation logs and generating a success/failure report)
Thank you, successfully updated 7zip on all machines, but I can’t see any option to remove the task now.
Hi Robert,
Thanks for the detailed explanation. I have followed step by step as described here but unfortunately it did not install the application on the end host. My application is Spark messenger and I have converted the exe file to msi.
I am installing it via the computer configuration option. I have also tried with user configuration to verify whether it works with the publish option or not, but still did not get any results.
The group policy is applied correctly and shows in the gpresult output when the computer-based policy is applied.
I’d be thankful if you help me in this regard.
Check the event logs on the computer, it should provide details as to why it is failing. See the Tips and Troubleshooting section.
How to deploy a browser shortcut on all workstations in our OU? Is it the same process as software?
Hi Trey,
I’ve got an article on how to deploy shortcuts.
https://activedirectorypro.com/group-policy-desktop-shortcuts/
Let’s say you used a GPO to push out the software and then you have to do an update and push out an updated software package. Let’s say you have been doing this for years and you have a list in your GPO showing all of these updates. Can you delete the old install files in the shared folder?
I want to say yes but it’s Microsoft and you never know what will happen. It can also depend on the software, maybe it checks for updates each time it opens…idk. Two options. 1. Block access to the share and then test the software to make sure it works with no errors. 2. Backup the shared folder before deleting the old install files.
Very useful article. Thanks.
Very useful article, just a note about “Published vs Assigned Deployment Method” in the “GPO Settings to Install Software to Users Only” section.
To force the assigned software to be installed for the user you need to:
– select your assigned software package,
– open the properties dialog,
– click on the Deployment tab and enable “Install this application at logon” (it’s not checked by default)
Franco, thanks for the details.
Hi, Robert, your article helped me so much. But can I deploy an application without running gpupdate on the target computer?
Yes, here are two options.
1. By default, Group Policy refreshes every 90 minutes for typical machines and users and every 5 minutes for domain controllers (DCs). So you could wait and just let it refresh on its own.
2. In the group policy management console you can right click an OU and select Group Policy Update.
Hello,
The GPO runs every time I boot the computer, so it would try to install on every reboot, right?
That is correct
So, what happens if the software is already installed?
And what happens if the user uninstalls the software? Will it push and install again?
It will depend on your install package. You would need to test it to determine if it’s going to re-install or do nothing. If a user uninstalls the software and the GPO is still applied it will install again.
Excellent article! I appreciate you posting this in such an easy-to-understand way.
–RW
Hi Robert,
I browsed the web and found the information I was looking for. Thanks, it helped very much.
Just a quick question, when the package is installed and you update the group policy update command it will appear after the computer restarted. How about the server, is it not affected by this installation by having the package installed as well on it? Or it will be updated as well if you apply the Group Policy update command?
Is there a way that the server desktop is not affected by the installation but only the domain computers?
Grateful your kind assistance in due course.
Naunta.T
Hi Naunta,
1. Apply the GPO
2. Run the gpupdate command
3. You should get a message about restarting. The software will install after restarting.
The process is the same for servers. You can exclude servers by targeting OUs or groups that contain only domain computers.
That is a great article, I really enjoyed reading it… Can you please help me with the differences between the computer configuration and user configuration?
Basically, when using GPO computer settings the software will install during startup for all users. With the user GPO settings the software does not automatically install; the user will need to click on the program to install it.
With GPO computer settings, how can a computer, before the user logs in, access a folder inside a domain?
Computers are objects in Active Directory just like users, so AD can authenticate and authorize them to resources (a folder) in a domain. Group policy runs in the background when a computer boots up and will start running GPOs in the background, this is how it can process computer GPOs before the user login.
I have a file server in a domain and I want to create a folder in which to put software for the GPO “Computer Configuration”.
I shared the folder with all my domain computers and I gave all my domain computers the permissions as in your example.
I tried with a local user of one of these computers to access this folder (my thoughts are that if a PC, before the user login, can access a folder THEN a local user should be able to open this same folder). The problem is that, even if the computer has the right to open this folder, the system asks me for a domain user authentication. Is this normal?
I need to install .msi file with license key, Kindly help me.
.msi file and key.txt files are available.
Did you get your head around how to do it?
What if I deploy for example Skype and Skype will need to be updated on the computer?
Can I do it remotely from GPO just like you deploy software?
Yes, it should work. Most of the time it depends on the software so I would test it on a few computers before a mass rollout.
Hi, this looks like it works great for MSIs that don’t take any arguments, but can you also do the same for software that’s installed via MSI but requires additional parameters added as a switch, e.g. if I would normally call “msiexec /i [path_to_MSI] /q /license=xyz” then how do you add the switches?
Hi John, You cannot pass any arguments to an MSI deployed with group policy. You would need to use a script or use the Orca tool to create a transform file (MST). Here is some info on the Orca tool https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe
Nice article. Can you help me with how to update the Chrome version with the help of GPO?
How to update to the latest Chrome version with the help of GPO every month?
I would install the ADM or ADMX chrome policy templates. Then you can manage chrome settings through group policy including its update settings.
Good afternoon Robert,
I’m here for a similar question, except, my networks are offline, not internet facing. I deployed Chrome following this process, as stated above. If I wanted to update my computers to say version 107 from 105 what is the best way? Do I just add a new package to the existing GPO? Or can I just remove the current package and add the newest one available (107). I didn’t want to assume anything and risk screwing things up and having to go out manually to fix stuff.
Thanks again for all you do!
Robert, good post I found it very teaching. What happens if the target computer and server holding the GPO don’t show the lengthy confirmation after the gpupdate /force?
I would say the GPO is not applying or configured incorrectly. Do you see the GPO using the gpresult /r command?
Great article! Thanks a lot for your clear explanation on software installation via GPO!
No problem.
Thanks for the excellent tutorial on this! My question is, how would one do this with other installation file types?
This blog has been an awesome reference for many tasks. Thanks for the hard work!
This method only works with MSI files. To install an exe you would need to use a startup script that would run the exe. You would need the script to check if it is installed or else it would try to install every time the computer reboots. I might create a separate tutorial for installing exe files.
That would be awesome, looking forward to it! Thanks again.
Thank you Allen, exe video help.