How to Deploy Software using Group Policy

by Robert Allen

In this tutorial, I will show you how to use Group Policy to deploy software to computers and users.

In this example, I will deploy Chrome to computers via Group Policy. The steps in this example will work with other MSI files.

Check it out!

Table of contents:

  1. Create a Secure Network Share for The MSI Install Files
  2. Create GPO to deploy software to computers
  3. GPO Settings to Install Software to Users Only
  4. Tips & Troubleshooting


Create a Network Share for the MSI Install File

The first step is to ensure you have a secure shared folder for the MSI file so users and computers can access it. The MSI files do not get copied to computers; they will run from a network share.

Tip: It is critical that you don’t set “everyone” permissions on your network shares. There is no need for this and it is just bad practice. This gives everyone on your network access to the shared folder including unauthenticated users. Also, this is how ransomware and viruses spread, as they are often programmed to look for UNC shares and attack the files and folders. Even if you set “READ ONLY” access, you are still giving everyone access to read the files in this directory. Again, this is just bad practice and can easily be avoided.

/end rant

Steps to create a secure network share:

Pick a server that everyone can access to configure the shared folder.

Right-click a folder, then click the sharing tab and advanced sharing.

I’m using a 2019 Windows server. I created a folder called software to store the install files. You can name your folders anything you want. 

On the advanced sharing screen, click the box to share this folder. The share name can be anything you want; I’ve called mine “software”.

Now click the permissions button. 

On the share permissions screen, remove everyone. 

Now add domain computers and domain users and set the permissions to read. You can lock the permissions down to specific users and computers if needed by creating new security groups. 

Click ok to get back to the properties page and click on the security tab. 

Make sure Everyone is not listed; if it is, remove it.

Add domain users and domain computers and give them read & execute, list, and read permissions. 

Ok, good job. The shared folder configuration is complete. Now copy the MSI install files to the folder you just created.

Test access to the network share from a remote computer. On the remote computer, type \\hostname\sharename in the search box. My server name is “srvwef” and the share name is “software”.

If you can access the share you should see a list of files.
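The same share setup can be scripted and then checked for any leftover Everyone entry. This is an added example, not part of the original tutorial; the folder path, the share name, and the use of `$env:USERDOMAIN` for the domain's NetBIOS name are assumptions, and it must be run from an elevated PowerShell session on the file server.

```powershell
# Added example. Assumed placeholders: folder path, share name, and the domain's
# NetBIOS name taken from the logged-on domain admin's session.
$Path    = 'C:\software'
$Share   = 'software'
$Domain  = $env:USERDOMAIN
$Readers = "$Domain\Domain Users", "$Domain\Domain Computers"

# Resolve Everyone from its well-known SID so the script works on non-English systems.
$EveryoneSid  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$EveryoneName = $EveryoneSid.Translate([System.Security.Principal.NTAccount]).Value

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# --- Share permissions ---
if (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue) {
    # Existing share: drop Everyone if present, then make sure the readers are granted.
    if (Get-SmbShareAccess -Name $Share | Where-Object AccountName -eq $EveryoneName) {
        Revoke-SmbShareAccess -Name $Share -AccountName $EveryoneName -Force | Out-Null
    }
    Grant-SmbShareAccess -Name $Share -AccountName $Readers -AccessRight Read -Force | Out-Null
} else {
    # New share: naming the readers explicitly avoids the default "Everyone: Read" entry.
    New-SmbShare -Name $Share -Path $Path -ReadAccess $Readers | Out-Null
}

# --- NTFS permissions: read & execute, list, and read for the two groups ---
$acl = Get-Acl -Path $Path
$acl.PurgeAccessRules($EveryoneSid)          # removes explicit Everyone entries only
foreach ($reader in $Readers) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $reader, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# --- Verify: report any Everyone entry that is still effective ---
$shareHits = Get-SmbShareAccess -Name $Share | Where-Object AccountName -eq $EveryoneName
$ntfsHits  = (Get-Acl -Path $Path).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' }

if ($shareHits -or $ntfsHits) {
    Write-Warning "Everyone still has access to $Path (an inherited NTFS entry must be removed on the parent or by disabling inheritance)."
} else {
    Write-Output "OK: Everyone is not present on share '$Share' or folder '$Path'."
}
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessRight, AccessControlType
```

The verification block at the end can be run on its own against any existing share to confirm that Everyone has been removed from both the share and NTFS permissions.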

That completes the network share configuration. The next section will configure the GPO for software deployment to computers.

Create GPO to Deploy Software to Computers

Group Policy has settings for targeting computers and settings for targeting users. In this section, we will target computers for deploying software. This means the software will be installed for anyone who logs into the computer.

I recommend creating a new GPO for the software install. Do not add these settings to the Default Domain Policy.

In the group policy management console browse to the OU, right click and select “Create a GPO in this domain, and link it here”

In this example, I’m going to install Chrome on all the computers in the IT OU, so I will create and link the GPO to the IT OU.

Give the GPO a name. I’ve named mine “Computer – Chrome Install”

Edit the new GPO:

Computer Configuration > Policies > Software Settings > Software installation

Right click Software installation and select New > Package

On the open screen browse to the network share using the UNC path, select the MSI you want to install, and click open. DO NOT browse using the local drives or the install will fail.

On the deploy software screen, click Assigned and then click Ok. Published will be grayed out as that option can only be used when deploying software to users.

That completes the GPO configuration. The GPO settings should look like this.

gpo software install settings

The software will only install during a reboot and the computer must have its GPO settings updated. GPO settings will refresh automatically every 90 minutes.

To force the GPO settings you can use the gpupdate /force command.

When you run the gpupdate command you will get a message saying one or more settings must be processed before the system start or user logon. This is referring to the software installed by GPO and is expected. Type Y to restart the computer. 

The software will be installed on reboot.

When I log in I can see the Google Chrome icon on the desktop and that confirms the software installed. 

That completes the steps on how to deploy software using group policy.

GPO Settings to Install Software to Users Only

If you want to install software for specific users, use the user configuration GPO settings instead of the computer configuration.

This works differently than deploying to a computer.

In my testing, the user configuration does not install the software automatically for the user. This is why I prefer to use the computer configuration for deploying software but everyone has different requirements.

Published vs Assigned Deployment Method: 

There is little to no documentation on this from Microsoft. From my testing, they seem to do the same thing. The only thing I see this does is add the software to the list of programs that can be installed from the network.

The user will need to click on Google Chrome from here and then the software will install. Some articles I found said the assigned option should put an icon on the desktop, then it will install when the user clicks the icon. This was not my experience.

Tips and Troubleshooting

Here are some tips to troubleshoot GPO software installation issues.

Tip #1 Check the event logs

On the computer that fails to install, check the system event logs for errors. This will provide details as to why the installation failed.

Tip #2 Display detailed messages at startup

This will display the “Applying software installation settings” message during startup.

You will need to enable this GPO setting.

Computer Configuration > Policies > Administrative Templates > System and enable “Display highly detailed status messages”.

Tip #3 Enable Wait for the network at computer startup and logon

If you are having issues with the software installation you may need to enable this GPO setting. 

Computer Configuration > Policies > Administrative Templates > System > Logon and enable “Always wait for the network at computer startup and logon”

Tip #4 Test with a small MSI file

The problem might be the MSI install file. Test with a small program like 7-Zip or Notepad++; these are really small install files that are known to work.

Tip #5 Use gpresult to verify the GPO is enabled.

Use the built-in gpresult command to verify the GPO settings are getting applied to the computer.
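Tips #1 and #5 can be combined into one check run on the computer that failed to install. This is an added example, not part of the original tutorial; it goes slightly beyond the tips by also reading Windows Installer records from the Application log. The GPO name fragment, the provider-name wildcards, and the MsiInstaller event IDs are assumptions about where these results are recorded.

```powershell
# Added example. Assumptions: 'Chrome Install' is part of the GPO name used in this
# tutorial; the provider filters and MsiInstaller event IDs are where these
# results are usually recorded, not something the article specifies.
$GpoNamePart = 'Chrome Install'
$Since       = (Get-Date).AddDays(-1)

# Tip #5: does the GPO show up in the computer-scope results? Run elevated.
# Context lines show whether it is under the applied or the filtered-out list.
$hits = gpresult /r /scope computer | Select-String -SimpleMatch $GpoNamePart -Context 3,0
if ($hits) { $hits } else { Write-Warning "No GPO matching '$GpoNamePart' in gpresult output." }

# Tip #1: errors and warnings from Group Policy and software installation in the System log.
$systemEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Level = 2, 3; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Application Management*' -or
                   $_.ProviderName -like '*GroupPolicy*' }

# Windows Installer's own result records live in the Application log.
$msiEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'
        Id = 1033, 11707, 11708; StartTime = $Since
    } -ErrorAction SilentlyContinue

# One timeline, first line of each message only, so failures line up with the reboot.
@($systemEvents) + @($msiEvents) |
    Where-Object { $_ } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```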

Summary

Deploying software with Group Policy is easy to do. Although it doesn’t have a lot of options and features, it’s useful for deploying simple software packages.

I hope you enjoyed this tutorial. If you have questions, post them in the comment section. 

If you need to deploy an exe then refer to the article Deploy Software (EXE) Using Group Policy – Part 2.

42 thoughts on “How to Deploy Software using Group Policy”

  1. Josh

    Using this method, is there any way we can find out how many machines the software was installed successfully on and how many machines it failed to install on? (logging installation logs and generating a success/failure report)

  2. Cristhian

    Thank you, successfully updated 7zip on all machines, but I can’t see any option to remove the task now.

  3. Hamza

    Hi Robert,

    Thanks for the detailed explanation. I have followed step by step as described here but unfortunately it does not install the application on the end host. My application is Spark messenger and I have converted the exe file to msi.

    I am installing it via the computer configuration option. I have also tried with user configuration to verify whether it works with the publish option or not, but still did not get any results.

    The group policy is applied correctly and shows in the gpresult output when the computer-based policy is applied.

    I’d be thankful if you help me in this regard.

    • Robert Allen

      Check the event logs on the computer, it should provide details as to why it is failing. See the Tips and Troubleshooting section.

  4. Trey George

    How to deploy a browser shortcut on all workstations in our OU? Is it the same process as software?

  5. BB

    Let’s say you used a GPO to push out the software and then you have to do an update and push out an updated software package. Let’s say you have been doing this for years and you have a list in your GPO showing all of these updates. Can you delete the old install files in the shared folder?

    • Robert Allen

      I want to say yes but it’s Microsoft and you never know what will happen. It can also depend on the software, maybe it checks for updates each time it opens…idk. Two options. 1. Block access to the share and then test the software to make sure it works with no errors. 2. Backup the shared folder before deleting the old install files.

  6. Emre B.

    Very useful article. Thanks.

  7. Franco Fassio

    Very useful article, just a note about “Published vs Assigned Deployment Method” in the “GPO Settings to Install Software to Users Only” section.
    To force the assigned software to be installed for the user you need to:
    – select your assigned software package,
    – open the properties dialog,
    – click on the Deployment tab and enable “Install this application at logon” (it’s not checked by default)

    • Robert Allen

      Franco, thanks for the details.

  8. Annas

    Hi, Robert, your article helped me so much. But can I deploy an application without running gpupdate on the target’s computer?

    • Robert Allen

      Yes, here are two options.

      1. By default, Group Policy refreshes every 90 minutes for typical machines and users and every 5 minutes for domain controllers (DCs). So you could wait and just let it refresh on its own.
      2. In the group policy management console you can right click an OU and select Group Policy Update.

  9. Clemens

    Hello,
    the GPO runs every time I boot the computer, so it would try to install every reboot, right?

    • Robert Allen

      That is correct

      • Feko

        So, what happens if the software is already installed?

        And what happens if a user uninstalls the software? Will it push and install again?

        • Robert Allen

          It will depend on your install package. You would need to test it to determine if it’s going to re-install or do nothing. If a user uninstalls the software and the GPO is still applied it will install again.

  10. Richard

    Excellent article! I appreciate you posting this in such an easy-to-understand way.
    –RW

  11. Naunta

    Hi Robert,

    I browsed the web and found the information I was looking for. Thanks, it did help very much.
    Just a quick question, when the package is installed and you update the group policy update command it will appear after the computer restarted. How about the server, is it not affected by this installation by having the package installed as well on it? Or it will be updated as well if you apply the Group Policy update command?

    Is there a way that the server desktop is not affected by the installation but only the domain computers?
    Grateful your kind assistance in due course.

    Naunta.T

    • Robert Allen

      Hi Naunta,

      1. Apply the GPO
      2. Run the gpupdate command
      3. You should get a message about restarting. The software will install after restarting.

      The process is the same for servers. You can exclude servers by targeting OUs or groups that contain only domain computers.

  12. Hamza

    That is a great article really enjoy reading…can you please help me with differences between the computer configuration and user configuration pls.

    • Robert Allen

      Basically, when using GPO computer settings the software will install during startup for all users. With the user GPO settings the software does not automatically install; the user will need to click on the program to install it.

      • giovanna

        With GPO computer settings, how can a computer, before the user logs in, access a folder inside a domain?

        • Robert Allen

          Computers are objects in Active Directory just like users, so AD can authenticate and authorize them to resources (a folder) in a domain. Group policy runs in the background when a computer boots up and will start running GPOs in the background, this is how it can process computer GPOs before the user login.

          • giovanna

            I have a file server in a domain and I want to create a folder where I can put software for the GPO “Computer Configuration”.
            I shared the folder with all my domain computers and I gave all my domain computers the permissions as in your example.
            I tried with a local user on one of these computers to access this folder (my thoughts are that if a PC, before the user login, can access a folder, then a local user should be able to open this same folder). The problem is that, even if the computer has the right to open this folder, the system asks me for domain user authentication. Is this normal?

  13. godwin

    I need to install .msi file with license key, Kindly help me.

    .msi file and key.txt files are available.

    • Jake Hindle

      Did you get your head around how to do it?

  14. Seva

    What if I deploy for example Skype and Skype will need to be updated on the computer?
    Can I do it remotely from GPO just like you deploy software?

    • Robert Allen

      Yes, it should work. Most of the time it depends on the software so I would test it on a few computers before a mass rollout.

  15. John Bob

    Hi, this looks like it works great for MSIs that don’t take any arguments, but can you also do the same for software that’s installed via MSI but requires additional parameters added as a switch, e.g. if I would normally call “msiexec /i [path_to_MSI] /q /license=xyz” then how do you add the switches?

  16. Naren

    Nice article. Can you help me with how to update the Chrome version with the help of GPO?
    How to update to the latest Chrome version with the help of GPO every month?

    • Robert Allen

      I would install the ADM or ADMX chrome policy templates. Then you can manage chrome settings through group policy including its update settings.

      • Ben

        Good afternoon Robert,

        I’m here for a similar question, except, my networks are offline, not internet facing. I deployed Chrome following this process, as stated above. If I wanted to update my computers to say version 107 from 105 what is the best way? Do I just add a new package to the existing GPO? Or can I just remove the current package and add the newest one available (107). I didn’t want to assume anything and risk screwing things up and having to go out manually to fix stuff.

        Thanks again for all you do!

      • Matt Lyszyk

        Robert, good post I found it very teaching. What happens if the target computer and server holding the GPO don’t show the lengthy confirmation after the gpupdate /force?

        • Robert Allen

          I would say the GPO is not applying or configured incorrectly. Do you see the GPO using the gpresult /r command?

  17. Matteo

    Great article! Thanks a lot for your clear explanation on software installation via GPO!

    • Robert Allen

      No problem.

  18. Ben

    Thanks for the excellent tutorial on this! My question is, how would one do this with other installation file types?

    This blog has been an awesome reference for many tasks. Thanks for the hard work!

    • Robert Allen

      This method only works with MSI files. To install an exe you would need to use a startup script that would run the exe. You would need the script to check if it is installed or else it would try to install every time the computer reboots. I might create a separate tutorial for installing exe files.

      • Ben

        That would be awesome, looking forward to it! Thanks again.

      • Baris

        Thank you Allen, exe video help.
