MSI: Application Deployment via MSI / GPO


Description:  The Software Installation extension of Group Policy is used to centrally manage software distribution. You can assign and publish software for groups of users and computers using this extension.

Assigning Applications:  When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications.)

When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user’s computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications.

When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

Publishing Applications:  You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers.

To take advantage of all of the features of Group Policy Software Installation, it is best to use applications that include a Windows Installer (.msi) package. For example, published MSI packages support installation for users who do not have administrative credentials.


Scoping the Issue:  There are a number of scoping questions that will help to more clearly define the nature of the issue:

  1. Are there any Event ID’s in the client’s event logs? Look for source Application Management and event IDs 102, 108, 303 and 307.

  2. Do any other policies fail to apply, or is the problem only with application deployment?

  3. Are the applications being Assigned or Published?

  4. Are the applications being deployed to Computers or Users?

  5. Are all user groups affected (User vs. Admin)?

  6. Are all clients affected? What client OS version are they running (XP/2000), and what type of Domain (2000/2003)?

  7. Can you install the application from the local machine?

  8. Can you manually install the application from a UNC path or Mapped Network Drive?

  9. Have you check for GPO and Permissions on the share?

  10. Has the ISV that distributed the package been engaged?  If the package is one that was developed internally, you may need to work with our Developer Support group to investigate the package itself.


Data Gathering:  In all instances, collecting either MPS Reports with the General, Internet and Networking, Business Networks and Server Components diagnostics, or a Performance-oriented MSDT manifest must be done.  Additional data required may include the following:

  • Use Process Monitor to gather a log while trying to install the package

  • Capture a verbose MSI log that we can use to troubleshoot the issue.  See Microsoft KB Article 223300 for more information on configuring MSI Logging

  • Capture GPResult data


Troubleshooting / Resolution:  There are several steps that you can take:

  • Review the relevant log files for errors, and address where possible – in particular look at the Windows Installer, AppMgmt and Application Event logs

  • Create a basic deployment scenario using MBSA as the software package and assign it to a test user with no other policies applied to that user.  If this works, then the basic Windows Installer functionality and GPO processing is occurring.

  • Determine which GPO in Active Directory contains the software policies and verify the GPResult output against that

  • Determine if the users have rights to access the install location – try and run the installation manually from the UNC path

  • Check File / Share permissions and Group Policy permissions

  • Force applications to be reapplied using the steps in Microsoft KB Article 268595


Additional Resources: