Software Deployment via Group Policy Overview

Group Policy Software Installation (GPSI) is a built-in Windows Server feature that lets administrators deploy software to computers or users across the domain without requiring a third-party tool. It relies on Windows Installer (.msi) packages and can install, update, or remove software based on Group Policy application. While it lacks the sophistication of modern endpoint management tools like Microsoft Intune or SCCM, GPSI remains useful in environments that need simple, zero-cost software deployment with no additional infrastructure.

Software can be deployed under Computer Configuration (installs during startup, before user login) or User Configuration (installs when a user logs on or when they try to launch the software). Each has distinct deployment modes: Assigned (mandatory) or Published (optional, user-initiated). Understanding which combination to use is fundamental to GPSI planning.

Preparing the Software Distribution Share

Before creating a Group Policy for software deployment, you need a network share that all target computers or users can access. This share must contain the .msi file and all required transform files (.mst) or other dependencies. The share must be accessible during computer startup or user logon, which means domain computers need at minimum Read access to the share using their computer account (not just the logged-on user).

Create the share and set permissions using PowerShell:

New-Item -Path "C:\SoftwareDeploy" -ItemType Directory
New-SmbShare -Name "SoftwareDeploy" -Path "C:\SoftwareDeploy" -ReadAccess "Domain Computers","Domain Users" -FullAccess "Domain Admins"

Copy the MSI file to the share. Always reference the MSI using its UNC path in the GPO (e.g., \\DC01\SoftwareDeploy\application.msi), not a local drive letter. Drive letters are not mapped at computer startup time and may not be consistent across users.
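Packages assigned under Computer Configuration install with system privileges, so write access to this share decides what runs on every target machine. The following added example (not part of the original article) audits both the share ACL and the NTFS ACL of the backing folder for unexpected write access; the list of permitted writers and the use of $env:USERDOMAIN for the domain name are assumptions to adjust.

```powershell
# Added example: flag write access to the GPSI distribution share.
# Run elevated on the file server that hosts the share.
$shareName = 'SoftwareDeploy'    # share name used on this page

# Assumption: only these principals may change packages; adjust for your domain.
$allowedWriters = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins"
)

$share = Get-SmbShare -Name $shareName -ErrorAction Stop

# Share-level ACL: anything above Read granted to another principal is a finding.
$shareFindings = Get-SmbShareAccess -Name $shareName |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -ne 'Read' -and
        $_.AccountName -notin $allowedWriters
    } |
    ForEach-Object {
        [pscustomobject]@{ Layer = 'Share'; Principal = $_.AccountName; Rights = "$($_.AccessRight)" }
    }

# NTFS ACL on the backing folder: test only the bits that permit modification,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeRights = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$writeBits = [int]$writeRights -bor 0x50000000

$ntfsFindings = (Get-Acl -Path $share.Path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $writeBits) -ne 0 -and
        $_.IdentityReference.Value -notin $allowedWriters
    } |
    ForEach-Object {
        [pscustomobject]@{ Layer = 'NTFS'; Principal = $_.IdentityReference.Value; Rights = "$($_.FileSystemRights)" }
    }

$findings = @($shareFindings) + @($ntfsFindings)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected write access found.' }
```

A folder created directly under C:\ normally inherits a Modify entry for Authenticated Users, which this check reports at the NTFS layer even though the share itself grants only Read.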

Creating a Software Installation GPO

Open Group Policy Management Console (gpmc.msc). Right-click the OU containing the target computers or users and select “Create a GPO in this domain and Link it here.” Name the GPO descriptively, such as “Deploy – 7-Zip 23.01.”

Right-click the new GPO and click Edit. Navigate to:

Computer Configuration > Policies > Software Settings > Software Installation
-or-
User Configuration > Policies > Software Settings > Software Installation

Right-click Software Installation, select New > Package. Browse to the UNC path of the MSI and click Open. You will be prompted to select the deployment method:

Assigned: The software is advertised and will install automatically at the next computer startup (Computer Config) or user logon (User Config). For Computer Config assigned deployments, the software installs before any user logs on. For User Config assigned deployments, the software is advertised on the Start menu and installs on first launch.

Published: Only available under User Configuration. The software appears in Control Panel under “Get Programs” (or Programs and Features > Install a program from the network). The user must actively choose to install it. Published software can also be triggered by document activation — if a user double-clicks a file with an extension associated with the software, it installs automatically.

Advanced: Same as Assigned but allows you to configure transforms (.mst files) and modifications before confirming.

Applying MST Transform Files

Many MSI packages are customized using transform files (.mst), which modify the installation behavior without altering the original MSI. Transform files are created using tools like ORCA (from the Windows SDK) or commercial tools like Admin Studio. A common use of transforms is to pre-configure application settings, disable optional components, or set a license key silently.

To apply a transform in a GPO, choose Advanced deployment when adding the package. In the package properties on the Modifications tab, click Add and specify the UNC path to the .mst file. The transform must reside in the same share as the MSI, accessible to the target machines.

To create a basic transform using ORCA:

# Install ORCA from Windows SDK
# Open MSI in ORCA
# Make property changes (e.g., set INSTALLLEVEL, disable features)
# File > Generate Transform > save as yourapp.mst

Repackaging EXE Installers as MSI

GPSI only supports MSI packages natively. Many applications still distribute as EXE installers. You have several options to deploy them:

The simplest approach for EXE installers that wrap an MSI (common with many enterprise applications) is to extract the embedded MSI. Many EXEs accept a /x or /extract switch:

setup.exe /extract:"C:\Extracted"
setup.exe /a  # Administrative install for some MSI-based EXEs

For EXE installers without embedded MSIs, you can use WiX Toolset to create an MSI wrapper. WiX is a free, open-source toolset from Microsoft. A minimal WiX MSI that runs a silent EXE install looks like this:



  
    
    
    
      
    
    
      
        
        
      
    
  

Build the WiX MSI with:

candle.exe product.wxs
light.exe product.wixobj -o myapp.msi

Managing Software Updates and Upgrades

To deploy an updated version of software via GPSI, add the new MSI package to the GPO and configure it to upgrade the previous version. Right-click the new package, select Properties, and go to the Upgrades tab. Click Add to specify the old package that this new version replaces. Select “Uninstall the existing package, then install the upgrade package” for clean upgrades, or “Package can upgrade over the existing package” for in-place upgrades (which requires the MSI to support this).

To remove software deployed via GPSI, right-click the package in the GPO and select All Tasks > Remove. You will be asked whether to immediately uninstall the software from computers (recommended) or simply stop managing it (leaves the software on existing computers but removes the policy).

Troubleshooting Software Deployment Failures

When GPSI fails to deploy software, check the Application event log on the target computer. Key Event IDs:

Event ID 101 (MsiInstaller): The install of application X failed. This usually includes the MSI error code. Error code 1603 is a generic MSI installation failure — check the MSI log. Error code 1618 means another installation is already in progress.

Event ID 108 (Group Policy Software Installation): Failed to apply changes to software installation settings. Often caused by the MSI file not being accessible via the UNC path at the time of install. Verify share permissions for the computer account (not just the user).

Enable MSI verbose logging to diagnose complex failures. Create this registry value on the target machine:

reg add "HKLM\Software\Policies\Microsoft\Windows\Installer" /v Logging /t REG_SZ /d "voicewarmup" /f

After the next installation attempt, check %TEMP% for MSI*.log files. These verbose logs show exactly which action in the MSI sequence failed and why.

Force an immediate Group Policy refresh including software installation:

gpupdate /force
# For software under Computer Configuration, restart is typically required
shutdown /r /t 0

To verify which software policies are applied to a machine:

gpresult /h C:\gpresult.html /f
# Open gpresult.html in browser and review Software Installation section

AppLocker as a Complement to GPSI

While GPSI handles deployment, AppLocker controls which software users can run. Configuring AppLocker alongside GPSI ensures that only approved, centrally-deployed software executes on endpoints. AppLocker rules are configured in Group Policy under:

Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker

AppLocker supports rules based on publisher (digital signature), path, or file hash. Publisher rules are most robust because they survive file renames and minor version updates, as long as the software remains signed by the same certificate. To create an AppLocker rule using PowerShell:

$rule = New-AppLockerPolicy -FileInformation (Get-AppLockerFileInformation -Path "C:\Program Files\7-Zip\7z.exe") -RuleType Publisher -User Everyone
Set-AppLockerPolicy -PolicyObject $rule -Merge

Deploying Software via Startup and Logon Scripts

For EXE deployments that cannot be repackaged as MSI, Group Policy startup and logon scripts provide an alternative. A startup script runs as SYSTEM during computer boot, making it suitable for per-machine installations. A logon script runs as the user, suitable for user-specific tools.

Configure scripts at:

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)

A sample PowerShell startup script that installs software if not already present:

# Check if software is already installed
$installed = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
    Where-Object { $_.DisplayName -like "*7-Zip*" }

if (-not $installed) {
    # Copy the installer from the distribution share, run it silently, then clean up
    $source = "\\DC01\SoftwareDeploy\7z2301-x64.exe"
    $dest = "C:\Windows\Temp\7z2301-x64.exe"
    Copy-Item $source $dest -Force
    Start-Process -FilePath $dest -ArgumentList "/S" -Wait
    Remove-Item $dest -Force
}

Place this script in the SYSVOL GPO scripts folder and assign it as a startup script in the GPO. This approach provides more flexibility than GPSI but requires more scripting effort and careful error handling.
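Because the startup script runs as SYSTEM, the error handling mentioned above should include an integrity check on the installer before it executes. The following is an added example, not the article's own script: it pins the installer to a SHA-256 value, checks the exit code, and records the outcome; the hash is a placeholder you must replace and the log file name is hypothetical.

```powershell
# Added example: startup script that verifies the installer before running it as SYSTEM.
$source       = '\\DC01\SoftwareDeploy\7z2301-x64.exe'
$dest         = 'C:\Windows\Temp\7z2301-x64.exe'
# Placeholder: SHA-256 computed with Get-FileHash from a copy you trust.
$expectedHash = '<SHA256-OF-TRUSTED-INSTALLER>'
# Hypothetical log file name under the default Windows log folder.
$log          = Join-Path $env:SystemRoot 'Logs\SoftwareDeploy-7zip.log'

$installed = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -like '*7-Zip*' }
if ($installed) { return }    # nothing to do

$exitCode = 0
try {
    Copy-Item -Path $source -Destination $dest -Force -ErrorAction Stop

    # Hash the local copy so the bytes verified are the bytes executed.
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256 -ErrorAction Stop).Hash
    if ($actual -ne $expectedHash) {
        throw "Hash mismatch for $source (got $actual); installer not executed"
    }

    $proc = Start-Process -FilePath $dest -ArgumentList '/S' -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode)"
    }
    Add-Content -Path $log -Value "$(Get-Date -Format o) OK installed from $source"
}
catch {
    Add-Content -Path $log -Value "$(Get-Date -Format o) FAILED $_"
    $exitCode = 1
}
finally {
    # Always remove the staged copy, whether or not it ran.
    Remove-Item -Path $dest -Force -ErrorAction SilentlyContinue
}
exit $exitCode
```

Update the pinned hash whenever a new installer version is placed on the share; a mismatch then shows up in the log instead of running an unexpected binary.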