How to deploy a MSI package with Group Policy?

Group Policy Software Installation (GPSI) was once hailed as a great incentive for all organizations to upgrade their NT4 domains to Active Directory.  It meant that there was no longer a need for those complex application deployment tools, it can now all be done from Group Policy. Well, that was the marketing story from the MS AD/GPO team. The software industry didn’t get that memo, and the MS SMS/SCCM team were none too pleased either!

What are the benefits of GPSI?

  • You can deploy MSI packages to any computer (or user) object in your domain.
  • It’s enforced by Group Policy, so no need for a client. You can target by OU, Security Group, and WMI filtering.
  • You can publish apps in Programs and Features/Add and Remove Programs.
  • It uses BITS to send the deployment to the workstations, so its bandwidth friendly and downloads can resume if interrupted.
  • No extra infrastructure or expensive database licenses to purchase – AD is your database.
  • Easy to use (right-click, and add new package). Don’t forget to specify a network share rather than your C: Drive.

What are the drawbacks of GPSI?

  • You can ONLY deploy MSIs. Not every piece of software comes as an MSI which means that those pieces of software need repackaging, which is no easy task.
  • Applications targeted to a computer only install at startup. If you don’t disable Fast Startup or Fast Boot, most applications will never install. This is also a problem for machines that mainly use a Wi-Fi connection as the Wi-Fi network rarely connects in time for that initial Group Policy. It can even be an issue where you have gigabit connected desktops. In that scenario, some network cards won’t negotiate that connection quickly enough before Windows gives up and displays the login box.
  • You can’t schedule a deployment. If you want to deploy a package before users arrive in the morning, you’ll need to get up early and come in.
  • You don’t get any feedback about what’s installed successfully, where and if it failed, and the error message. Keeping track of license usage and troubleshooting installations will rely on user complaining to you about it.
  • Nobody wants to rely on users to install an app from Programs and Features/Add and Remove Programs we just want it delivered and working.
  • What if you want to target deployments on something else such as disk space, OS type, BIOS version, etc.?

There are some pretty major drawbacks that have never been remedied since its birth nearly 20 years ago. Although MSIs are still quite common, they certainly haven’t become the standard installation method. Microsoft Office is a great example of Microsoft deliberately making it difficult. All the separate applications are actually MSI installs, but you can’t use them directly. Instead, you have to run the setup.exe which of course GPSI can’t handle.

If you really want to manage your desktops properly, you need to look for a different tool. All of the features that are great about GPSI would be good to keep, we just need to fix what’s broke. Look no further, Specops Deploy is here to help.

What are the benefits of Specops Deploy?

Specops Deploy uses AD as the database (plus free SQL Express for installation feedback), so no need for those expensive SQL licenses. It also uses BITS to deliver the application to the workstation, and of course you can still configure it all using Group Policy.

I like to think of Deploy App as more of a way of running “something” under an administrative context on any domain joined PC. Whether it’s an .exe, .msi, .msp, batch file, command file, or anything that includes drivers and BIOS/firmware updates. It can even handle AppX (Win 8/10 Modern Apps) or an App-V app, it can do it!

Specops Deploy runs installations every time Group Policy is refreshed, not just at install time. If it fails for whatever reason, it will try again and again until it works. If it does go wrong, you get feedback sent to your admin console that will tell you which machines have failed, and the error message.

You don’t need to get up at 5am to link a GPO anymore – you can schedule deployments for a future date/time.

Users can postpone an installation, maybe they need to save their work before an upgrade, but they will always get the installation in the end, without having to go to Programs and Features/Add and Remove Programs.

Scalable, doesn’t matter if you have 50 machines or 500000 machines, you still only need a single server to gather the feedback data. The heavy lifting is done by AD/GPO.

Finally targeting, you can now use just about anything to make sure that the right app hits the right PC. Whether it’s got enough disk space/RAM, dependencies on other software, or is in a certain IP range/AD site. The targeting options are calculated at each GP refresh, so if you add some extra RAM to a PC, there’s no need to “redo” the deployment. Simply, power it back on, and it will run GP Refresh at startup. The application will be automatically installed providing the machine has met all the other targeting criteria you may have specified.


Group Policy and Active Directory, even after 20 years, are great tools to manage users and computers. With a system like Specops Deploy, you can leverage those technologies to take management possibilities to the next level.



Written by

Darren James

Product Specialist, Specops Software

More Articles
Back to Blog