This tutorial will describe how to deploy a MSI on multiple machines by using Group Policy.

1. Methods of deployment

Group Policy supports two methods of deploying a MSI package:

  • Assign software - A program can be assigned per-user or per-machine. If its assigned per-user, it will be installed when the user logs on. However, if its assigned per-machine then the program will be installed for all users when the machine starts.
  • Publish software - A program can be published for one or more users. This program will be added to the Add or Remove Programs list and the user will be able to install it from there.

2. Create a distribution point

The first step in deploying a MSI through GPO is to create a distribution point on the publishing server. This can be done by following these steps:

  • log on to the server as an Administrator user
  • create a shared network folder (this folder will contain the MSI package)
  • set permissions on this folder in order to allow access to the distribution package
  • copy the MSI in the shared folder

NoteIn the shared folder you can also perform an administrative install for a MSI package contained by an EXE bootstrapper.

3. Create a Group Policy Object

A MSI package is deployed (distributed) through GPO as a Group Policy Object. In order to create an object for your package, you can follow these steps:

  • click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
  • right-click your domain name in the console tree and select the Properties context menu
  • select the Group Policy tab and click New
  • set the name of the policy (for example MyApplication)
  • click Properties and select the Security tab
  • check the Apply Group Policy checkbox only for the groups to which the policy will be applied
  • click on the OK button

4. Assign a MSI package

A package can be assigned per-user or per-machine. Also, if the package is assigned, it will automatically be installed silently. In order to assign a package you can follow these steps:

  • click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
  • right-click your domain name in the console tree and select the Properties context menu
  • go to the Group Policy tab, select the object you want and click Edit
  • expand Software Settings under Computer Configuration
  • right-click Software Installation, select the New context menu and then click on Package
  • in the Open dialog type the full UNC path of the shared package you want to assign
  • click on the Open button
  • click on Assigned and then click OK (the package will be added to the right pane of the "Group Policy" window)
  • close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in
  • when the client computers start, the assigned package will be installed automatically

ImportantDo not use the Browse button in the Open dialog to access the UNC location. Make sure that you use the UNC path to the shared package.

5. Publish a MSI package

When using Group Policy, you can publish a package in order to allow the target user to install it by using Add or Remove programs. The steps for publishing a package are:

  • click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
  • right-click your domain name in the console tree and select the Properties context menu
  • go to the Group Policy tab, select the object you want and click Edit
  • expand Software Settings under User Configuration
  • right-click Software Installation, select the New context menu and then click on Package
  • in the Open dialog type the full UNC path of the shared package you want to publish
  • click on the Open button
  • click on Publish and then click OK (the package will be added to the right pane of the "Group Policy" window)
  • close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in
  • test the package:
    • log on to the target computer
    • click on the Start button and go to Control Panel
    • double-click the Add or Remove programs applet and select Add New Programs
    • in the Add programs from your network list select the program you published
    • use the Add button to install the package
    • click OK and then Close

ImportantDo not use the Browse button in the Open dialog to access the UNC location. Make sure that you use the UNC path to the shared package.

6. Redeploy a MSI package

Sometimes you may need to redeploy a package (for example when doing an upgrade). For redeploying a package you can follow these steps:

  • click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
  • right-click your domain name in the console tree and select the Properties context menu
  • go to the Group Policy tab, select the object you used to deploy the package and click Edit
  • expand the Software Settings element (per-user or per-machine) which contains the deployed package
  • expand the Software Installation element which contains the deployed package
  • right-click the package in the right pane of the Group Policy window
  • select the All Tasks menu and click Redeploy application
  • click the Yes button for reinstalling the application wherever it is installed
  • close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

7. Remove a MSI package

Group Policy also allows you to remove packages which have been deployed in the past. Here are the steps for removing a package:

  • click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
  • right-click your domain name in the console tree and select the Properties context menu
  • go to the Group Policy tab, select the object you used to deploy the package and click Edit
  • expand the Software Settings element (per-user or per-machine) which contains the deployed package
  • expand the Software Installation element which contains the deployed package
  • right-click the package in the right pane of the Group Policy window
  • select the All Tasks menu and click Remove
  • select from the following options:
    • Immediately uninstall the software from users and computers
    • Allow users to continue to use the software but prevent new installations
  • click the OK button to continue
  • close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

8. Troubleshooting Active Directory/GPO deployments

Here is an article that shows how to troubleshoot an Active Directory/GPO installation: How do I create an installation log?

The End

This concludes our tutorial.