How to Configure Software Deployment via Group Policy on Windows Server 2025
Group Policy Software Installation (GPSI) has been part of Windows Server since Windows 2000, and it remains a practical, zero-cost method for deploying MSI-packaged applications to managed computers and users without requiring a third-party software distribution system. Windows Server 2025 supports the full GPSI feature set, including assigning, publishing, upgrading, and removing software via Computer and User Configuration policies. While modern environments often use Microsoft Intune or SCCM for software deployment, GPSI is still a reliable choice for on-premises Active Directory environments, particularly for organizations that have not yet adopted cloud management. This tutorial covers the complete workflow from creating the distribution share to targeting specific groups and troubleshooting deployment failures.
Prerequisites
- Windows Server 2025 domain controller with the Group Policy Management feature installed
- A file server with a shared folder accessible by all target computers/users
- An MSI package for the application you want to deploy
- Group Policy Management Console (gpmc.msc) available
- PowerShell GPMC module (included with Group Policy Management feature)
- Domain Admin or Group Policy Creator Owners membership
Step 1: Create and Configure the Software Distribution Share
The MSI package must be hosted on a UNC share that target computers (and users) can access during Group Policy processing. This occurs at system startup (Computer Configuration) or user logon (User Configuration), so the share must be accessible to the SYSTEM account on client machines and to domain users respectively.
# Create the software distribution directory on your file server
New-Item -Path "C:SoftwareDeploy" -ItemType Directory -Force
# Create subdirectories per application for clean organization
New-Item -Path "C:SoftwareDeploy7zip" -ItemType Directory -Force
New-Item -Path "C:SoftwareDeployNotepadPP" -ItemType Directory -Force
# Create the SMB share
New-SmbShare `
-Name "SoftwareDeploy" `
-Path "C:SoftwareDeploy" `
-Description "GPSI Software Distribution Share" `
-FullAccess "Domain Admins" `
-ReadAccess "Authenticated Users"
# Verify share permissions
Get-SmbShareAccess -Name "SoftwareDeploy"
# Set NTFS permissions — Authenticated Users need Read & Execute
$acl = Get-Acl "C:SoftwareDeploy"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
"Authenticated Users", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.AddAccessRule($rule)
Set-Acl -Path "C:SoftwareDeploy" -AclObject $acl
# Copy MSI to the share
Copy-Item -Path "C:Downloads7-Zip.msi" -Destination "C:SoftwareDeploy7zip" -Force
Always use the UNC path (\fileserverSoftwareDeploy7zip7-Zip.msi) when configuring the GPO—never a local drive path—because client computers access the share over the network at policy application time.
Step 2: Create a Group Policy Object for Software Deployment
# Import Group Policy module
Import-Module GroupPolicy
# Create a new GPO for computer-assigned software
New-GPO -Name "Deploy-7zip-Computers" -Comment "Assigns 7-Zip to all domain workstations"
# Link the GPO to the target OU
New-GPLink `
-Name "Deploy-7zip-Computers" `
-Target "OU=Workstations,DC=contoso,DC=com" `
-LinkEnabled Yes
# Verify the link
Get-GPInheritance -Target "OU=Workstations,DC=contoso,DC=com" |
Select-Object -ExpandProperty GpoLinks |
Format-Table DisplayName, Enabled, Enforced, Order
# Get GPO details
Get-GPO -Name "Deploy-7zip-Computers" | Format-List *
Step 3: Understanding Assign vs Publish
The Software Installation extension supports two deployment modes. Assigned software is mandatory: for Computer Configuration assignments, the application installs during startup before the user logs in. For User Configuration assignments, a shortcut appears at logon and the application completes installation on first launch. Published software (User Configuration only) appears in Add/Remove Programs (Programs and Features) and installs only when the user actively selects it—it cannot be applied at the Computer Configuration level.
- Computer Configuration → Assigned: Installs silently at machine startup. Best for mandatory corporate tools.
- User Configuration → Assigned: Application advertised at logon, installs on first use. Works across any machine the user logs into.
- User Configuration → Published: Available on-demand from Programs and Features. User installs when needed.
Step 4: Configuring Software Installation in the GPO
Software Installation is configured through the GPMC GUI (Computer Configuration or User Configuration → Policies → Software Settings → Software installation). You add a package by right-clicking and choosing New → Package, then entering the UNC path. PowerShell does not expose a native cmdlet for adding GPSI packages (the Software Installation extension is COM-based), but you can confirm and manage GPO settings via the GPMC snap-in.
# Open GPMC to configure the Software Installation package
# (Navigate manually in the GUI:
# Computer Configuration > Policies > Software Settings > Software installation)
# Right-click "Software installation" > New > Package
# Enter: \fileserverSoftwareDeploy7zip7-Zip.msi
# Choose: Assigned
# After configuring via GUI, verify with RSOP or GPResult
gpresult /h C:Logsgpresult-$(Get-Date -Format yyyyMMdd).html /F
Invoke-Item C:Logsgpresult-$(Get-Date -Format yyyyMMdd).html
# Force Group Policy refresh on a target client to trigger software install
Invoke-GPUpdate -Computer "WORKSTATION01" -Force -RandomDelayInMinutes 0
# Check software installation events on the client
Invoke-Command -ComputerName WORKSTATION01 -ScriptBlock {
Get-WinEvent -LogName "Application" -MaxEvents 100 |
Where-Object { $_.ProviderName -eq "MsiInstaller" } |
Select-Object TimeCreated, Id, Message |
Format-Table -AutoSize
}
Step 5: Applying MSI Transforms
MSI transforms (MST files) customize an MSI package without modifying it—used to pre-configure installation options like installation directory, feature selection, or license keys. Transforms must be placed in the same UNC share as the MSI and associated at GPO configuration time.
# Copy the transform file to the distribution share
Copy-Item -Path "C:Downloads7zip-custom.mst" `
-Destination "C:SoftwareDeploy7zip" -Force
# Verify the file is accessible
Test-Path "\fileserverSoftwareDeploy7zip7zip-custom.mst"
# List files in the package folder
Get-ChildItem "\fileserverSoftwareDeploy7zip"
# In GPMC: After adding the MSI package, right-click the package,
# choose Properties > Modifications tab > Add the .mst file
# The transform must use the same UNC base path as the MSI
Step 6: Upgrading Deployed Packages
When a new version of an application is available, configure the new GPO package to upgrade the existing deployment. This ensures the old version is removed before the new one installs, preventing side-by-side conflicts.
# Copy the new MSI version to the share
New-Item -Path "C:SoftwareDeploy7zip-v24" -ItemType Directory -Force
Copy-Item -Path "C:Downloads7-Zip-v24.msi" `
-Destination "C:SoftwareDeploy7zip-v24" -Force
# In GPMC on the new package:
# Right-click new package > Properties > Upgrades tab
# Click Add, select the GPO containing the old package
# Choose: "Package can upgrade over the existing package" (optional uninstall first)
# Or: "Uninstall the existing package, then install the upgrade package" (cleaner)
# Verify upgrade relationship after GUI configuration
# Use RSOP to confirm on a test client
Invoke-Command -ComputerName TESTPC01 -ScriptBlock {
gpresult /scope computer /v 2>&1 | Select-String "7-Zip"
}
Step 7: Targeting with Security Filtering and WMI Filters
By default, GPOs apply to all Authenticated Users in the linked OU. Use security filtering to restrict application to a specific group, and WMI filters to target based on hardware or OS properties.
# Create a security group for software deployment targeting
New-ADGroup -Name "GPO-Deploy-7zip" `
-GroupScope Global `
-GroupCategory Security `
-Path "OU=Groups,DC=contoso,DC=com" `
-Description "Computers that receive 7-Zip via GPSI"
# Add computers to the group
Add-ADGroupMember -Identity "GPO-Deploy-7zip" -Members "WORKSTATION01$", "WORKSTATION02$"
# Remove Authenticated Users from GPO security filtering
# and add only the targeted group
$gpo = Get-GPO -Name "Deploy-7zip-Computers"
Set-GPPermission -Name "Deploy-7zip-Computers" `
-PermissionLevel None `
-TargetName "Authenticated Users" `
-TargetType Group
Set-GPPermission -Name "Deploy-7zip-Computers" `
-PermissionLevel GpoApply `
-TargetName "GPO-Deploy-7zip" `
-TargetType Group
# Add a WMI filter to target Windows 11 workstations only
# WMI Query: SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2%" AND ProductType = 1
New-GPWmiFilter -Name "Windows 11 Workstations" `
-Expression "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10.0.2%' AND ProductType = 1" `
-Description "Targets Windows 11 client OS only"
# Link the WMI filter to the GPO (requires GUI in GPMC or direct WMI manipulation)
# In GPMC: Select the GPO > WMI Filtering dropdown > select the filter
Step 8: Removing Deployed Software
# To remove software, right-click the package in GPMC Software Installation
# and choose "All Tasks > Remove"
# Options:
# "Immediately uninstall the software from users and computers" — active removal
# "Allow users to continue to use the software, but prevent new installations" — passive
# After configuring removal in GPMC, force policy application on clients
Invoke-GPUpdate -Computer "WORKSTATION01" -Force
# Verify uninstallation via event log on client
Invoke-Command -ComputerName WORKSTATION01 -ScriptBlock {
Get-WinEvent -LogName "Application" |
Where-Object { $_.Id -eq 1034 -and $_.Message -like "*7-Zip*" } |
Select-Object TimeCreated, Message
}
Step 9: Troubleshooting Software Deployment Events
Software deployment issues are logged in the Application event log under the MsiInstaller provider. Event IDs 101 and 108 are the key events to monitor for GPSI deployments.
# Event ID 101: Software installation began
# Event ID 108: Software installation failed
# Event ID 1022: Product installed successfully (assigned)
# Event ID 1033: Product removal succeeded
# Query software installation events on a remote client
Invoke-Command -ComputerName WORKSTATION01 -ScriptBlock {
Get-WinEvent -LogName "Application" -MaxEvents 200 |
Where-Object { $_.ProviderName -eq "MsiInstaller" -and $_.Id -in @(101,108,1022,1033) } |
Select-Object TimeCreated, Id, Message |
Format-Table -AutoSize -Wrap
}
# Check Group Policy operational log for processing errors
Invoke-Command -ComputerName WORKSTATION01 -ScriptBlock {
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 100 |
Where-Object { $_.LevelDisplayName -ne "Information" } |
Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
}
# Verify the UNC path is reachable from the client
Invoke-Command -ComputerName WORKSTATION01 -ScriptBlock {
Test-Path "\fileserverSoftwareDeploy7zip7-Zip.msi"
}
Conclusion
Group Policy Software Installation on Windows Server 2025 provides a built-in, fully integrated mechanism for deploying, upgrading, and removing MSI-packaged applications across domain-joined computers and users. By carefully constructing the distribution share with correct NTFS and SMB permissions, choosing between assigned and published deployment, applying transforms for customization, targeting specific groups using security filtering and WMI filters, and monitoring deployment through Application event log entries 101 and 108, you can maintain precise control over your software estate without additional tooling. While SCCM, SCCM-lite features in Windows 365, or Intune offer more granular reporting and non-MSI package support, GPSI remains an effective and cost-free solution for organizations running on-premises Active Directory with standardized MSI-packaged software.
