In this tutorial, I will show you how to use Group Policy to deploy software to computers and users.
In this example, I will deploy Chrome to computers via Group Policy. The steps in this example will work with other MSI files.
Table of contents:
- Create a Secure Network Share for The MSI Install Files
- Create GPO to deploy software to computers
- GPO Settings to Install Software to Users Only
- Tips & Troubleshooting
If you don’t like video tutorials or want more details, then continue reading the instructions below.
Create a Network Share for the MSI Install File
The first step is to ensure you have a secure shared folder for the MSI file so users and computers can access it. The MSI files do not get copied to computers; they will run from a network share.
It is critical that you don’t set “everyone” permissions on your network shares. There is no need for this and it is just bad practice. This gives everyone on your network access to the shared folder including unauthenticated users. Also, this is how ransomware and viruses spread, as they are often programmed to look for UNC shares and attack the files and folders. Even if you set “READ ONLY” access, you are still giving everyone access to read the files in this directory. Again, this is just bad practice and can easily be avoided.
Ok, I’m done with my rant, moving on.
Steps to create a secure network share:
Pick a server that everyone can access to configure the shared folder.
Right-click a folder, then click the sharing tab and advanced sharing.
I’m using a 2019 Windows server. I created a folder called software to store the install files. You can name your folders anything you want.
On the advanced sharing screen, click the box to share this folder. The share name can be anything you want; I’ve called mine “software”.
Now click the permissions button.
On the share permissions screen, remove everyone.
Now add domain computers and domain users and set the permissions to read. You can lock the permissions down to specific users and computers if needed by creating new security groups.
Click ok to get back to the properties page and click on the security tab.
Make sure everyone is not listed; if it is, remove it.
Add domain users and domain computers and give them read & execute, list, and read permissions.
Ok, good job. The shared folder configuration is complete. Now copy the MSI install files to the folder you just created.
Test access to the network share from a remote computer. On the remote computer, type \\hostname\sharename in the search box. My server name is “srvwef” and the share name is “software”.
If you can access the share you should see a list of files.
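The same share configuration as a PowerShell script, added here as an example and not part of the original tutorial. The folder path `C:\software` and the use of `$env:USERDOMAIN` for the domain name are assumptions; the share name `software` is the one used above. The last step lists any entry that can change files, because the MSI runs from this share and whoever can modify it controls what the targeted computers install.

```powershell
# Added example. Run in an elevated PowerShell session on the file server.
$Path      = 'C:\software'       # assumption: local folder holding the MSI files
$ShareName = 'software'          # share name used in this tutorial
$Domain    = $env:USERDOMAIN     # assumption: you are logged on with a domain account
$Readers   = "$Domain\Domain Users", "$Domain\Domain Computers"

# Share permissions: Read for the two groups only, and no Everyone entry.
New-Item -Path $Path -ItemType Directory -Force | Out-Null
New-SmbShare -Name $ShareName -Path $Path -ReadAccess $Readers | Out-Null
if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# NTFS permissions: Read & execute (covers list folder contents and read),
# inherited by subfolders and files.
$acl = Get-Acl -Path $Path
foreach ($group in $Readers) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $group, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
# Drop explicit Everyone entries (SID S-1-1-0). Inherited entries are not
# affected and have to be removed on the parent folder.
$acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]::new('S-1-1-0'))
Set-Acl -Path $Path -AclObject $acl

# Review the share permissions.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessRight, AccessControlType

# Review the NTFS permissions: list Everyone and every entry that can change files.
# Only administrators and SYSTEM should appear here. Generic rights stored as
# plain numbers are not decoded by this check.
(Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.IdentityReference.Value -eq 'Everyone' -or
        $_.FileSystemRights -match 'Write|Modify|FullControl')
} | Format-Table IdentityReference, FileSystemRights, IsInherited
```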
That completes the network share configuration. The next section will configure the GPO for software deployment to computers.
Create GPO to Deploy Software to Computers
Group policy has settings for targeting computers and settings to target users. In this section, we will target computers for deploying software. This means the software will be installed for anyone that logs into the computer.
I recommend creating a new GPO for the software install; do not add these settings to the Default Domain Policy.
In the group policy management console browse to the OU, right click and select “Create a GPO in this domain, and link it here”
In this example, I’m going to install Chrome on all the computers in the IT OU, so I will create and link the GPO to the IT OU.
Give the GPO a name. I’ve named mine “Computer – Chrome Install”
Edit the new GPO:
Computer Configuration > Policies > Software Settings > Software installation
Right click Software installation and select New > Package
On the open screen browse to the network share using the UNC path, select the MSI you want to install, and click open. DO NOT browse using the local drives or the install will fail.
On the deploy software screen, click Assigned and then click Ok. Published will be grayed out as that option can only be used when deploying software to users.
That completes the GPO configuration. The GPO settings should look like this.
The software will only install during a reboot and the computer must have its GPO settings updated. GPO settings will refresh automatically every 90 minutes.
To force the GPO settings you can use the gpupdate /force command.
When you run the gpupdate command you will get a message saying one or more settings must be processed before the system start or user logon. This is referring to the software installed by GPO and is expected. Type Y to restart the computer.
The software will be installed on reboot.
When I log in I can see the Google Chrome icon on the desktop and that confirms the software installed.
That completes the steps on how to deploy software using group policy.
GPO Settings to Install Software to Users Only
If you want to install software to specific users just use the user configuration GPO settings instead of the computer.
This works differently than deploying to a computer.
In my testing, the user configuration does not install the software automatically for the user. This is why I prefer to use the computer configuration for deploying software but everyone has different requirements.
Published vs Assigned Deployment Method:
There is little to no documentation on this from Microsoft. From my testing, they seem to do the same thing. The only thing I see this does is add the software to the list of programs that can be installed from the network.
The user will need to click on Google Chrome from here and then the software will install. Some articles I found said the assigned option should put an icon on the desktop, then it will install when the user clicks the icon. This was not my experience.
Tips and Troubleshooting
Here are some tips to troubleshoot GPO software installation issues.
Tip #1 Check the event logs
On the computer that fails to install, check the system event logs for errors. This will provide details as to why the installation failed.
Tip #2 Display detailed messages at startup
This will display the “Applying software installation settings” during startup.
You will need to enable this GPO setting.
Computer Configuration > Policies > Administrative Templates > System and enable “Display highly detailed status messages”.
Tip #3 Enable Wait for the network at computer startup and logon
If you are having issues with the software installation you may need to enable this GPO setting.
Computer Configuration > Policies > Administrative Templates > System > Logon and enable “Always wait for the network at computer startup and logon”
Tip #4 Test with a small MSI file
The problem might be the MSI install file. Test with a small program like 7-Zip or Notepad++; these are really small install files that are known to work.
Tip #5 Use gpresult to verify the GPO is enabled.
Use the built-in gpresult command to verify the GPO settings are getting applied to the computer.
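Tips #1 and #5 combined into one check to run on the computer that failed to install. This is an added example, not part of the original tutorial. The UNC path is the one used above, `Chrome Install` is a substring of the GPO name used above, and the event provider filter `*Application Management*` is an assumption about how GPO software installation events are labelled in the System log.

```powershell
# Added example. Run in an elevated PowerShell session on the affected computer.
$SharePath  = '\\srvwef\software'   # UNC path from this tutorial
$GpoPattern = 'Chrome Install'      # substring of the GPO name from this tutorial

# The package runs from the share, so the share must be reachable.
# This tests the logged-on user's access; the install itself uses the
# computer account, which is why Domain Computers needs read access too.
if (Test-Path -Path $SharePath) {
    Get-ChildItem -Path $SharePath -Filter *.msi | Select-Object Name, Length
} else {
    Write-Warning "Cannot reach $SharePath from this computer."
}

# Tip #5: show where the GPO appears in the computer-scope gpresult report.
# If it is listed under the filtered-out heading, it is not being applied.
$hits = gpresult /scope computer /r | Select-String -Pattern $GpoPattern -Context 3,0
if ($hits) { $hits } else { Write-Warning "No GPO matching '$GpoPattern' in gpresult output." }

# Tip #1: errors and warnings in the System log from the last 24 hours.
$filter = @{ LogName = 'System'; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Assumption: software installation events carry a provider name containing
# "Application Management". Fall back to all errors and warnings if none match.
$install = $events | Where-Object ProviderName -like '*Application Management*'
if (-not $install) { $install = $events }
$install | Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```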
- Use Group Policy to remotely install software
- 15+ years of experience doing this in production environments
- Tested this solution in my Active Directory lab
Deploying software with Group Policy is easy to do. Although it doesn’t have a lot of options and features, it’s useful for deploying simple software packages.
I hope you enjoyed this tutorial. If you have questions, post them in the comment section.
If you need to deploy an exe, then read this guide: Deploy Software (EXE) Using Group Policy – Part 2.