How to deploy an MSI package with Group Policy?

Group Policy Software Installation (GPSI) was once hailed as a great incentive for all organizations to upgrade their NT4 domains to Active Directory. It meant that there was no longer a need for those complex application deployment tools; it could now all be done from Group Policy. Well, that was the marketing story from the MS AD/GPO team. The software industry didn’t get that memo, and the MS SMS/SCCM team were none too pleased either!

What are the benefits of GPSI?

  • You can deploy MSI packages to any computer (or user) object in your domain.
  • It’s enforced by Group Policy, so no need for a client. You can target by OU, Security Group, and WMI filtering.
  • You can publish apps in Programs and Features/Add and Remove Programs.
  • It uses BITS to send the deployment to the workstations, so it’s bandwidth-friendly and downloads can resume if interrupted.
  • No extra infrastructure or expensive database licenses to purchase – AD is your database.
  • Easy to use (right-click, and add new package). Don’t forget to specify a network share rather than your C: Drive.

What are the drawbacks of GPSI?

  • You can ONLY deploy MSIs. Not every piece of software comes as an MSI which means that those pieces of software need repackaging, which is no easy task.
  • Applications targeted to a computer only install at startup. If you don’t disable Fast Startup or Fast Boot, most applications will never install. This is also a problem for machines that mainly use a Wi-Fi connection as the Wi-Fi network rarely connects in time for that initial Group Policy. It can even be an issue where you have gigabit connected desktops. In that scenario, some network cards won’t negotiate that connection quickly enough before Windows gives up and displays the login box.
  • You can’t schedule a deployment. If you want to deploy a package before users arrive in the morning, you’ll need to get up early and come in.
  • You don’t get any feedback about what’s installed successfully, where it failed, or the error message. Keeping track of license usage and troubleshooting installations will rely on users complaining to you about it.
  • Nobody wants to rely on users to install an app from Programs and Features/Add and Remove Programs; we just want it delivered and working.
  • What if you want to target deployments on something else such as disk space, OS type, BIOS version, etc.?
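
A pre-flight check for the Fast Startup and network-share points above, as an added PowerShell example (not from the original article or from Specops). The function names and sample paths are made up for illustration, and the "Always wait for the network at computer startup and logon" policy it checks is a standard Windows setting that the article does not mention.

```powershell
# Added example: local checks before relying on computer-assigned GPSI installs.
# Function names are hypothetical; the registry values are standard Windows settings.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-GpsiStartupReadiness {
    # HiberbootEnabled = 1 means Fast Startup is on: "shut down" hibernates the
    # kernel session, so the next power-on is not a full boot with startup policy.
    $fast = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled'
    # SyncForegroundPolicy = 1 is the "Always wait for the network at computer
    # startup and logon" policy (assumption: used here as the fix for slow links).
    $wait = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SyncForegroundPolicy'
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        FastStartupEnabled      = ($fast -eq 1)
        WaitForNetworkAtStartup = ($wait -eq 1)
        Ready                   = ($fast -ne 1) -and ($wait -eq 1)
    }
}

function Test-GpsiPackagePath {
    param([Parameter(Mandatory)][string]$Path)
    # The path stored in the GPO is resolved by each client, so it has to be a
    # UNC path to an .msi; a drive-letter path only exists on the admin's machine.
    $isUnc = $Path -match '^\\\\[^\\]+\\[^\\]+\\.+\.msi$'
    [pscustomobject]@{
        Path      = $Path
        IsUncMsi  = $isUnc
        Reachable = $isUnc -and (Test-Path -LiteralPath $Path -PathType Leaf)
    }
}

# Constructed sample paths: the first has the right shape, the second is the
# "your C: drive" mistake the list above warns about.
$samples = '\\fileserver01\packages\7zip\7z.msi', 'C:\Packages\7z.msi'
$samples | ForEach-Object { Test-GpsiPackagePath -Path $_ } | Format-Table -AutoSize

Test-GpsiStartupReadiness | Format-List
```

Run it in an elevated session on a target workstation; `Ready` is only true when Fast Startup is off and the wait-for-network policy has been applied.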

There are some pretty major drawbacks that have never been remedied since its birth nearly 20 years ago. Although MSIs are still quite common, they certainly haven’t become the standard installation method. Microsoft Office is a great example of Microsoft deliberately making it difficult. All the separate applications are actually MSI installs, but you can’t use them directly. Instead, you have to run the setup.exe which of course GPSI can’t handle.

If you really want to manage your desktops properly, you need to look for a different tool. All of the features that are great about GPSI would be good to keep; we just need to fix what’s broken. Look no further, Specops Deploy is here to help.

What are the benefits of Specops Deploy?

Specops Deploy uses AD as the database (plus free SQL Express for installation feedback), so no need for those expensive SQL licenses. It also uses BITS to deliver the application to the workstation, and of course you can still configure it all using Group Policy.

I like to think of Deploy App as more of a way of running “something” under an administrative context on any domain-joined PC. Whether it’s an .exe, .msi, .msp, batch file, command file, or anything else, including drivers and BIOS/firmware updates, it can do it! It can even handle AppX (Win 8/10 Modern Apps) or an App-V app.

Specops Deploy runs installations every time Group Policy is refreshed, not just at install time. If it fails for whatever reason, it will try again and again until it works. If it does go wrong, you get feedback sent to your admin console that will tell you which machines have failed, and the error message.

You don’t need to get up at 5am to link a GPO anymore – you can schedule deployments for a future date/time.

Users can postpone an installation (maybe they need to save their work before an upgrade), but they will always get the installation in the end, without having to go to Programs and Features/Add and Remove Programs.

It’s scalable: it doesn’t matter if you have 50 machines or 500000 machines, you still only need a single server to gather the feedback data. The heavy lifting is done by AD/GPO.

Finally, targeting: you can now use just about anything to make sure that the right app hits the right PC, whether that’s enough disk space/RAM, dependencies on other software, or being in a certain IP range/AD site. The targeting options are calculated at each GP refresh, so if you add some extra RAM to a PC, there’s no need to “redo” the deployment. Simply power it back on, and it will run GP Refresh at startup. The application will be automatically installed, provided the machine has met all the other targeting criteria you may have specified.


Group Policy and Active Directory, even after 20 years, are great tools to manage users and computers. With a system like Specops Deploy, you can leverage those technologies to take management possibilities to the next level.


(Last updated on August 9, 2023)


Written by Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 
