Click here to monitor SSC
  • Av rating:
  • Total votes: 14
  • Total comments: 5
Joseph Moody

Group Policy Software Deployment: Extraction to Installation

13 March 2013

When you have a large number of PCs in the domain on which to deploy software, based on the role of the user within the organization, and you haven't a large budget, then Group Policy Software Installation is a good and simple way to do it.

Being able to deploy and manage software is a critical skill for any administrator. After all, who wants to install software manually! This article will walk through each step of this process, from extraction through installation, by using Group Policy.

To Use or Not to Use?

The pace of technology has always amazed me. No matter the tool or technology, we are still solving the same core problems. One main issue has always been connecting people to the software they need. Methods of accomplishing this vary from basic batch files with limited functionality to complex software management systems with mountains of features. Sitting right in the middle of this range is Group Policy Software Installation (GPSI).

GPSI is made simple by being natively available in any Active Directory Domain Services environment, which means no additional server components are required. A Domain Controller paired (or combDeplined) with a File Server constitute the only requirement. Because the Group Policy service handles the client side, your users and computers do not require anything extra.

Simple in nature, GPSI does lack certain features found in dedicated software management systems (such as System Center Configuration Manager). First, GPSI does not have a central reporting component. The logs, though detailed, are stored on clients. Also, GPSI can only deploy two file types (MSI and ZAP). Finally, installation requires either a logoff or restart; it is a foreground only installation system.

If your organization needs a solid (but free) way to manage software, GPSI is the way to go. If you want to ensure certain software are available immediately on new domain machines, GPSI accomplishes that perfectly as Group Policy processes on first boot. Because it is built on top of Active Directory, you can use it to manage some or all of your software needs. Likely, you can take advantage of GPSI in some way.


A majority of enterprise software comes in a MSI format that is wrapped inside of an executable. Most of the time, the trick is getting that MSI out. The first step is to determine if the application actually contains an MSI. This is easily accomplished by launching task manager and running the executable. If the application contains an MSI, task manager will show the Windows installer process (MSIEXEC).

Task Manager showing the Windows Installers

From the picture above, we know that our software contains an MSI. Let’s get it out now. Method 1 of doing this is opening the EXE as an archive. Using a file compression program, we can attempt to open the EXE like a compressed folder. My favorite program for this is 7Zip. In the example below, I was able to open the iTunes setup executable by righting clicking on it and selecting Open Archive. As you can see, MSI galore!

Using 7Zip get a list of the MSIs in an executable

Every MSI registers itself with your computer. Knowing this, you can use this information as your second method of retrieving the file. Open up REGEDIT and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products. Search for the name of the application and expand the source list key. Copy the contents of the LastUsedSource entry and open that folder on a local machine. With any luck, your MSI should reside there.

The results when searching for PackageName

If your MSI is not there, you can also search a local computer for the PackageName value. Be sure to enable hidden and protected files before searching.

If your MSI is still missing, head on over to (formally Likely, someone has found it and posted tips on getting it. Just search for your application (without a version number) to find helpful hints.


But what if your software isn’t an MSI? Check with the manufacturer first – it is not uncommon for one to be provided at request. If you are still stuck with an executable, it is time to repackage it to a GPSI friendly format!

Repackaging is the art of taking the entire executable (or the installed components of the software) and embedding it into an MSI. There are two schools of thought on doing this:

  1. Wrapping the EXE into an empty MSI. The MSI essentially calls the EXE and runs the application silently.
  2. Capturing all new files/registry keys that a particular software installs. Once captured, these settings are stored within an MSI for installation.

If given the choice, I prefer method 2 for repackaging. When using method 1, you are limited to software that can be installed with silent commands (/q, /silent, etc). Normally, software without an MSI lack other standard features such as these commands. Method 1 also prevents you from easily editing the MSI. By capturing an installation into an MSI, you can simply remove files (like a desktop shortcut) that you do not want in the final package.

Capturing an installation is fairly simple. With a clean machine, use a repackaging tool to look at the difference between a before snapshot and after (the installation) snapshot. My favorite tool for doing this is WinInstall LE (free edition). While you can certainly purchase heavy duty repacking programs, I have yet to find a software that couldn’t be repackaged with the free edition.

Editing the MSI

In all likelihood, your extracted MSI will need to be customized for your organization or edited for deployment. By editing an MSI, you can:

  • Remove unnecessary files/registry entries
  • Disable automatic updating
  • Alter Launch Conditions (such as minimum Hardware, Software, or Operating System requirements)

To edit an MSI, download Orca from Microsoft Support. After installation, you can right click on any MSI and view it as a simple database.

Editing an MSI through the Orca interface

From here, specific attributes of the MSI can be modified or removed. In the picture above, we are looking at the Shortcut table. By deleting any entry in this table, we can remove a shortcut. Two other common tables are the LaunchCondition and Property tables. The LaunchCondition table contains restrictions on the MSI execution. As an example, this table would limit execution of the MSI to Windows 7 and below. The Property table contains options for the MSI installation. If a software requires a serial number to install, you can probably paste that value into the serial number entry under the Property table.

As a best practice, avoid editing MSIs directly. By using Orca, you can select Transform and then Generate Transform. This will create an MST file that will apply your changes (without directly making edits).

Saving to Share

Once edited, the next step is to save your MSI to a network share. When we create our Group Policy Object (GPO) for deployment, this share will be our distribution point. Because you will likely store all of your deployed software in a central location, it is best to configure you Share/Folder permissions in a way that supports multiple deployment types.

Generally, your share name should be something simple and short (ex: \\SERVER\MSI or \\SERVER\APPS). If you prefer a little more obsecurity (i.e. Security through Obscurity), it is perfectly fine to hide the Share with a $ value.

For your share permissions, it is acceptable to give Everyone Full Control or to give Authenticated Users Read permission and Administrators Full Control. For the folder permissions, give Authenticated Users Read/Execute and Administrators Full Control. Remember that Authenticated Users includes both Domain Computers and Domain Users. Finally, create specific folders for each manufacturer or piece of software. In the picture below, you can see a sample hierarchy organization.

A simple folder hierarchy

Creating the GPO

Now that the MSI is on the network, let’s link it to a GPO. Create a new unlinked GPO. As a best practice, give the GPO a specific name (usually with a related starting prefix). In our environment, all deployment GPOs start with “APP_”. This allows for easy filtering, sorting, and scripting.

Now decide whether to install the software to the computer or link it to a user. Generally, if the software is static (used consistently at one or many locations), large, or requires regular updates – deploy it on the computer side. If the software is small and used by specific users, deploy it on the user side.

In this example, we are going to create a GPO named APP_7Zip and we will create a corresponding security group named after the GPO. We will then edit the Scope options on the GPO to remove Authenticated Users and to add in our new security group. If you plan on deploying a lot of software, it is best to store these groups in a central location such as a top level OU or physical site level/department OU.

As a general recommendation, avoid extremely detailed GPO and Security Group names (ex: APP-7Zip_v9.00.1.2). Version information, language, and OS type can all be found (or commented) within the GPO itself. Using a general name will keep you from constantly renaming policies.

Edit the GPO. We are going to deploy this MSI to the computer side so we will navigate to Computer Configuration\Policies\Software Settings\Software Installation within the Group Policy Management Console.

Right-click on Software installation in the explorer window

Right click on Software installation and select New Package. Browse to the UNC where you stored the MSI.

Open the file and choose Advanced option, and the Deployment Tab

After selecting Open, choose the Advanced Option and press Ok. Select the Deployment Tab and then Advanced. Check “Ignore language when deploying this package”. This will ensure that if an MSI doesn’t have a language set, deployment will still continue. If you created an MST with ORCA, select the Modifications tab and add the MST. Press OK, make any other changes needed to your GPO, and link it to an OU. Be sure to add any computers to the software security group. Finally, restart the computer twice. After two restarts, your software will install!

The installing message

But What if it Doesn’t?

Like anything made by man, GPSI can break. Most of the time, it is a pretty easy fix though. Below are the troubleshooting steps I take when faced with an installation problem.

  • Does the MSI install normally if I run it on a computer? If it won’t install this way, I know Group Policy isn’t at fault.
  • Can you run the MSI silently? EX: msiexec /I MSI-FILE.msi /qb. If the file can’t install silently, I know Group Policy isn’t at fault.
  • Am I deploying the MSI to the correct object (user or computer)? Some MSIs can’t install to a user and some only want to be installed to a user.
  • Do I see any errors in the event log under application?
  • Is the policy being applied correctly? Running GPRESULT /h Report.htm /f will generate a detailed Group Policy Result.

Done with this Deployment!

In this article, we covered Group Policy Software Installation from start to Finish. We learned how to extract, edit, deploy, and troubleshoot our MSIs. If you have any questions or issues, let us know in the comments.

Joseph Moody

Author profile:

Joseph is a desktop administrator for a public school system, helping manage 5,500 computers. He specializes in Active Directory, Group Policy, deployment and software management. His blog can be found at

Search for other articles by Joseph Moody

Rate this article:   Avg rating: from a total of 14 votes.





Must read
Have Your Say
Do you have an opinion on this article? Then add your comment below:
You must be logged in to post to this forum

Click here to log in.

Subject: technet
Posted by: Sinaosh (not signed in)
Posted on: Saturday, March 30, 2013 at 9:18 AM
Message: I was referred to this article from TechNet. It helped me deploy my first software. thank you

Subject: Group Policy Software Deployment
Posted by: khutjok (view profile)
Posted on: Tuesday, April 9, 2013 at 3:55 AM
Message: Hi Sinaosh,

The GPSD is a great tool for small organization.i disagree for Medium/Large environments because Project & Account Managers require detailed reports that consist of client deployment progress(Business continuity).that way they are able to track completion status of the project.With deployment technologies like SCCM you able to pull reports and keep machines compliant with company procedures and policies.(Large companies are reluctant to freeware softwares)

Subject: Easy to use example
Posted by: taho (view profile)
Posted on: Monday, June 16, 2014 at 1:55 AM
Message: Great and simple .MSI deployment example I found here:
helped me a lot

Subject: Create Security Group - Edit Scope to remove..... Missing steps
Posted by: Rickkee Ranton (view profile)
Posted on: Friday, September 18, 2015 at 6:18 PM
Message: Hi I got all excited when I read.....
"In this example, we are going to create a GPO named APP_7Zip and we will create a corresponding security group named after the GPO. We will then edit the Scope options on the GPO to remove Authenticated Users and to add in our new security group.

You forgot the steps Create a corresponding security group.... and edit the Scope options to remove......

I'm a Nube to this, and will wing-it as usual, but it would be most helpful if you could add a couple of paragraphs to the step by step to help correctly create the security group, or just use the existing group "domain computers"

Lingering question.... What happens when new computers are joined to the domain? Will the policy apply? How to push to newly joined computers without redeploying to all computers? It would be nice to have an automatic deploy to newly joined computers.... Thanks! Great article, very helpful and I've looked at a dozen....Keep up the good work.

Subject: Software deployment tool alternative
Posted by: Alex Raddle (view profile)
Posted on: Tuesday, March 29, 2016 at 1:54 AM
Message: Hi,

I'd like to suggest a new deployment tool. Recently I became a fan of Total Software Deployment which has 3 different methods to create deployment packages. This allows deploying MSI, EXE, self extracting archives, batch files etc. TSD is still in development and currently it's missing several "must have" features like deployment scheduler and remote uninstall. But the tool is still fresh and I hope that they will develop it further.


Top Rated

Unified Approach to Generating Documentation for PowerShell Cmdlets
 Now, it is easy to provide professional-quality documentation for PowerShell cmdlets, and to keep it in... Read more...

The Poster of the Plethora of PowerShell Pitfalls
 One of the downsides of learning a new computer language is that transfer of training doesn't always... Read more...

Getting Data Into and Out of PowerShell Objects
 You can execute PowerShell code that creates the data of an object, but there is no cmdlet to generate... Read more...

SMTP Routing Changed in an Exchange Database Availability Group
 In Exchange Server 2010 it is possible to make the system more resilient by creating a Database... Read more...

Emulating the Exchange 2003 RUS for Out-of-Band Mailbox Provisioning in Exchange 2007
 Exchange's Recipient Update Service was important in Exchange 2000 or 2003 in order to complete the... Read more...

Most Viewed

Upgrade Exchange 2003 to Exchange 2010
  In this article, the first of two in which Jaap describes how to move from Exchange Server 2003... Read more...

Upgrade Exchange 2003 to Exchange 2010 - Part II
 In Jaap's second article on upgrading straight from Exchange Server 2003 to 2010, he explains how to... Read more...

Goodbye Exchange ExMerge, Hello Export-Mailbox
 ExMerge was a great way of exporting a mailbox to an Exchange PST file, or for removing all occurences... Read more...

Exchange E-mail Addresses and the Outlook Address Cache
 Because Exchange auto-complete cache uses X.500 addresses for e-mail sent to addresses within the... Read more...

Introduction to Exchange Server 2010
 What’s new in Exchange Server 2010 and what features from Exchange Server 2007 have been deprecated?... Read more...

Why Join

Over 400,000 Microsoft professionals subscribe to the Simple-Talk technical journal. Join today, it's fast, simple, free and secure.