How to Configure Software Distribution via Group Policy on Windows Server 2012 R2

Group Policy Software Distribution (GPSD) is the built-in Microsoft mechanism for deploying MSI packages to domain-joined computers without requiring any additional tools or agents. Managed through the Group Policy Object (GPO) infrastructure, software assignment and publishing allows administrators to automatically install, upgrade, or remove applications on workstations and servers across the entire Active Directory environment. While limited to MSI packages and lacking the flexibility of SCCM or Chocolatey, Group Policy software distribution is completely free, built into Windows Server, and sufficient for deploying baseline tools, security software, and small application sets. This guide covers configuring a software distribution share, creating a GPO with software assignment, scoping delivery to target OUs, and troubleshooting failed installations.

Prerequisites

  • Windows Server 2012 R2 acting as a domain controller or a member server in an Active Directory domain
  • Group Policy Management Console (GPMC) installed
  • MSI installer packages for the software to be distributed
  • A shared network folder accessible by the domain computer accounts (not just users)
  • Domain admin rights to create and link GPOs

Step 1: Create the Software Distribution Share

Software distributed via Group Policy must be stored on a network share accessible to domain computer accounts. Use a DFS path for resilience, or a direct share path on a file server:

New-Item -ItemType Directory -Path "D:\SoftwareDistribution" -Force
New-Item -ItemType Directory -Path "D:\SoftwareDistribution\7-Zip"    -Force
New-Item -ItemType Directory -Path "D:\SoftwareDistribution\NotepadPP" -Force
New-Item -ItemType Directory -Path "D:\SoftwareDistribution\Agents"    -Force

# Share the parent directory
New-SmbShare -Name "SoftwareDist" -Path "D:\SoftwareDistribution" -ReadAccess "Domain Computers","Domain Users","Authenticated Users" -FullAccess "Domain Admins"

Write-Host "Software distribution share created: \\$env:COMPUTERNAME\SoftwareDist"

Important: Computer accounts (not just user accounts) must have read access to the share. When software is installed at computer startup, it runs as the SYSTEM account under the computer’s domain identity. Granting Read access to “Domain Computers” ensures all domain-joined machines can access the share.

Set NTFS permissions to match the share permissions:

$acl = Get-Acl "D:\SoftwareDistribution"
# Read-and-execute for computer accounts, inherited by all subfolders and files
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Computers","ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl "D:\SoftwareDistribution" $acl
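
Because computer-assigned packages install as SYSTEM, any identity that can write to this folder effectively controls what runs on every targeted machine. The following is an added example, not part of the original guide: it lists share and NTFS entries (including inherited ones) that grant write-type access to anyone outside an allow-list. The allow-list contents and the function name Get-UnexpectedWriter are assumptions to adapt.

```powershell
# Added example: audit who can modify staged packages (not from the original guide)
$SharePath = "D:\SoftwareDistribution"   # path from Step 1
$ShareName = "SoftwareDist"              # share from Step 1
# Hypothetical allow-list: adjust to the accounts that administer the share
$AllowedWriters = @(
    "BUILTIN\Administrators",
    "NT AUTHORITY\SYSTEM",
    "$env:USERDOMAIN\Domain Admins"
)

function Get-UnexpectedWriter {
    param([string]$Path, [string[]]$Allowed)

    # Specific rights that allow altering a file, its ACL, or its owner
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]"Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership"
    # Raw generic bits that can appear on inherited ACEs: GENERIC_WRITE, GENERIC_ALL
    $genericMask = 0x40000000 -bor 0x10000000

    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ("$($ace.AccessControlType)" -ne "Allow") { continue }
            if (-not ([int]$ace.FileSystemRights -band ($writeMask -bor $genericMask))) { continue }
            if ($Allowed -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Share-level permissions: anything above Read for an identity outside the allow-list
$shareFindings = Get-SmbShareAccess -Name $ShareName | Where-Object {
    "$($_.AccessControlType)" -eq "Allow" -and
    "$($_.AccessRight)" -in "Change", "Full" -and
    $AllowedWriters -notcontains $_.AccountName
}

$ntfsFindings = @(Get-UnexpectedWriter -Path $SharePath -Allowed $AllowedWriters)

$shareFindings | Format-Table AccountName, AccessRight -AutoSize
$ntfsFindings  | Sort-Object Path, Identity | Format-Table -AutoSize
if (-not $shareFindings -and $ntfsFindings.Count -eq 0) {
    Write-Host "No unexpected write access found on $SharePath"
}
```

Rows marked Inherited come from the parent folder or volume root, so they have to be corrected there or by disabling inheritance on the distribution folder.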

Step 2: Copy MSI Packages to the Share

Copy MSI installer files to the appropriate subdirectories. Ensure you use the UNC path (not a mapped drive letter) when creating GPO software packages, as the UNC path must be resolvable from any client computer on the network:

# Download and stage packages
Invoke-WebRequest -Uri "https://www.7-zip.org/a/7z2406-x64.msi" -OutFile "D:\SoftwareDistribution\7-Zip\7zip-24.06-x64.msi"

# Verify the MSI is valid by running a silent test installation on this machine
$msiInfo = Start-Process "msiexec.exe" -ArgumentList "/i `"D:\SoftwareDistribution\7-Zip\7zip-24.06-x64.msi`" /qn /norestart" -Wait -PassThru -NoNewWindow
Write-Host "MSI exit code: $($msiInfo.ExitCode)"  # 0 = success, 3010 = reboot required
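
A successful test installation shows that the MSI runs, not that it is the file the vendor published. The following is an added example, not part of the original guide: it compares the staged package with a pinned SHA-256, reports its Authenticode status, and moves the file off the share if the check fails. The function name Test-StagedPackage, the quarantine folder, and the pinned hash placeholder are assumptions.

```powershell
# Added example: check a staged MSI against a pinned SHA-256 before it is published
function Test-StagedPackage {
    param(
        [Parameter(Mandatory = $true)] [string]$Path,
        [Parameter(Mandatory = $true)] [string]$ExpectedSha256,
        [switch]$RequireSignature   # also insist on a valid Authenticode signature
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Package not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hashOk = $actual -eq $ExpectedSha256.Trim()     # -eq ignores hex case
    $sigOk  = "$($sig.Status)" -eq "Valid"

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Approved        = $hashOk -and ($sigOk -or -not $RequireSignature)
    }
}

$Package    = "D:\SoftwareDistribution\7-Zip\7zip-24.06-x64.msi"    # staged in Step 2
$Quarantine = "D:\Quarantine"                                      # hypothetical folder outside the share
$Pinned     = "<SHA-256 of the release, obtained from the vendor>" # placeholder, not a real hash

$result = Test-StagedPackage -Path $Package -ExpectedSha256 $Pinned
$result | Format-List

if (-not $result.Approved) {
    # Pull the file off the share so no GPO can reference an unverified package
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Move-Item -LiteralPath $Package -Destination $Quarantine -Force
    Write-Warning "Package failed verification and was moved to $Quarantine"
}
```

Use -RequireSignature only for packages whose vendor signs its installers; for unsigned packages the pinned hash is the only integrity check.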

Step 3: Create a Group Policy Object for Software Distribution

Import-Module GroupPolicy

$Domain = (Get-WmiObject Win32_ComputerSystem).Domain
$GPOName = "Deploy - Baseline Utilities"

# Create the GPO
$GPO = New-GPO -Name $GPOName -Domain $Domain
Write-Host "GPO created: $($GPO.Id)"

The GroupPolicy PowerShell module does not provide a cmdlet for adding software installation packages, so this part of the configuration must be done through the GPMC GUI or via COM automation. The GUI procedure is listed in the comments below:

# The preferred method for WS2012 R2 is to use the GPMC GUI:
# 1. Open Group Policy Management Console (gpmc.msc)
# 2. Right-click the new GPO and select "Edit"
# 3. Navigate to: Computer Configuration > Policies > Software Settings > Software Installation
# 4. Right-click Software Installation > New > Package
# 5. In the file browser, enter the UNC path: \\fileserver\SoftwareDist\7-Zip\7zip-24.06-x64.msi
# 6. Choose "Assigned" for automatic installation at computer startup
# 7. Click OK

# Alternatively, use COM automation:
$gpmGPO = Get-GPO -Name $GPOName
$gpmPath = $gpmGPO.Path

For fully scripted deployment using COM objects:

# Open-NetGPO (NetSecurity module) caches a GPO for the firewall/IPsec cmdlets;
# it does not create software installation packages
$GPOSession = Open-NetGPO -PolicyStore "$Domain\$GPOName"

# Use registry-based approach to configure software installation
$SWInstallKey = "SOFTWARE\Policies\SoftwareInstallation"
$PackagePath = "\\$env:COMPUTERNAME\SoftwareDist\7-Zip\7zip-24.06-x64.msi"

# Note: Full GPO software package creation requires GPMC COM automation
# The recommended approach for production is using the GPMC GUI or SCCM
# For scripted MSI deployment without GPMC, use Scheduled Tasks or PowerShell remoting

Step 4: Configure Software Deployment Options

When configuring software packages in the GPO editor, the deployment options control behavior:

  • Assigned (Computer): Package installs automatically at next computer startup. This is the most common choice for server and workstation baseline software. The software appears in Add/Remove Programs and cannot be uninstalled by the user.
  • Assigned (User): Package installs when the user logs on, or on first use if advertised. The application appears in the user’s Start menu.
  • Published (User): Package appears in Add/Remove Programs for the user to install optionally. Not available for Computer scope.

Configure package deployment properties via PowerShell to set additional options like the product language and deployment type:

# Set GPO enforcement and WMI filters if needed
$GPO = Get-GPO -Name $GPOName

# Configure automatic installation with no user interface
Set-GPRegistryValue -Name $GPOName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" `
    -ValueName "EnableAdminTsiData" `
    -Type DWord `
    -Value 1

Step 5: Link the GPO to Target OUs

Link the GPO to the Organizational Units containing the target computers. Scoping the GPO to specific OUs prevents software from being deployed to domain controllers or other servers where it is not needed:

$TargetOU = "OU=Workstations,DC=$($Domain.Replace('.',',DC='))"

New-GPLink -Name $GPOName -Target $TargetOU -LinkEnabled Yes -Enforced No

Write-Host "GPO linked to: $TargetOU"

# Verify the link (the GroupPolicy module has no Get-GPLink cmdlet; read the links from the OU)
(Get-GPInheritance -Target $TargetOU).GpoLinks | Format-Table -AutoSize

Step 6: Create a WMI Filter for Targeted Deployment

Use WMI filters to restrict package deployment to specific operating system versions or hardware configurations:

# Create a WMI filter for 64-bit systems only
$WMIFilter = @{
    Name = "64-bit Systems Only"
    Description = "Targets only 64-bit Windows computers"
    Query = "SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = '64-bit'"
}

# WMI filters are created and linked via GPMC GUI:
# GPMC > WMI Filters > New > add namespace root\CIMv2 and the query above
# Then link the filter to the GPO in the GPO's Scope tab

Step 7: Test and Verify Software Distribution

Force Group Policy refresh on a test client machine to immediately apply the new software installation policy:

# On the target client, run:
gpupdate /force /boot   # /boot triggers reboot, required for computer-assigned software

# Or push remotely:
Invoke-Command -ComputerName "testworkstation01" -ScriptBlock {
    gpupdate /force
}

After the client reboots, verify the software was installed:

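Invoke-Command -ComputerName "testworkstation01" -ScriptBlock {
    # Note: querying Win32_Product makes Windows Installer run a consistency check on every installed MSI, so it is slow
    Get-WmiObject Win32_Product | Where-Object { $_.Name -like "*7-Zip*" } | Select-Object Name, Version, InstallDate
}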

Step 8: Troubleshoot Failed Deployments

Review the Application and System event logs on the target machine for Group Policy software installation events:

Get-EventLog -LogName Application -Source "MsiInstaller" -Newest 20 | Select-Object TimeGenerated, EntryType, Message | Format-List

Get-EventLog -LogName System -Source "Software Installation" -Newest 10 | Select-Object TimeGenerated, EntryType, Message | Format-List

Check Group Policy result status using GPRESULT:

gpresult /R /SCOPE COMPUTER
# OR for detailed HTML report:
gpresult /H "C:\Temp\GPResult.html"

Summary

Software distribution via Group Policy on Windows Server 2012 R2 provides a built-in, infrastructure-free mechanism for deploying MSI packages to domain-joined computers. You have created a properly permissioned distribution share accessible to domain computer accounts, created and linked a GPO scoped to target OUs, reviewed the deployment options for assigned versus published software, configured WMI filtering for targeted rollouts, and established troubleshooting procedures using event logs and GPRESULT. While Group Policy software distribution has limitations compared to SCCM or Chocolatey (MSI only, no progress reporting, no dependency management), it is completely free and sufficient for distributing baseline tools across a Windows Server environment.