How to deploy software with active directory

Software deployment is an art. There are many different ways to do the same thing. But one of the cool things is that these methods can be combined. And in this series, I’m going to show you how to deploy software with Microsoft’s Active Directory products.

Software deployment can be a tricky venture. It is generally accepted that the goal of software deployment is to deploy security updates, bug fixes, and new features with minimal downtime. In large organizations, this check box can become very large indeed. Even if a system administrator is marginally involved with an organization’s production environment, it is good to have a working knowledge about the way software deployments are made.

If you’re deploying software with active directory, you need to follow these steps:

  1. Configure the domain controller with your domain and forest.
  2. Create a new Group Policy Object (GPO) that will apply to your users and computers in the domain.
  3. Enable the GPO by linking it to an OUs.
  4. Configure security options for the GPO, such as whether or not the GPO applies to all users in an OU or only those who are members of certain security groups (which can be used to target specific users with an application).
  5. Create a script that will install the software on each computer in your domain when they boot up for the first time after installing Active Directory

There are many ways to deploy software, but the best way to do so is using Active Directory.

If you are using Windows Server 2008 R2 or later, you can use Group Policy to deploy software. The first step is to create a package containing the application and all of its files. The next step is to create an administrative template file (.admx) for the package. This .admx file contains instructions for how to install the application.

To use Group Policy, you will need an account with administrator privileges on your domain controller or in your Active Directory environment. You must also have permissions to modify Group Policy settings for each user who will be installing the software.

You can then create a GPO that contains these two elements: the .admx file and the .msi file (or whatever format your package uses). You’ll want to place this GPO into the correct OU (Organizational Unit) where users will be installing it; otherwise they won’t see it during installation.

Extracting an MSI Package from an EXE Installer

Let’s see how to install the MSI software package on users’ computers via Windows Group Policies on the example of the Microsoft Teams client.

Download the MSI package with the Teams client ( and copy Teams_windows_x64.msi to the SYSVOL folder on the domain controller (\\\SysVol\\scripts).

Using SYSVOL to deploy software via GPO

Please note that there are x86 and x64 MS Teams versions. If you still have computers running x86 versions of Windows, you will need to create a separate GPO for x86 and x64 computers. You can use GPO WMI filters to filter Windows versions in Group Policies.

Many apps are not provided in a form of MSI packages. Most often, developers distribute them as EXE files that are not suitable for deployment through GPO. However, in some cases, you can extract the MSI package from the EXE installation file:

  • Some EXE installers extract their files into the %temp% directory during installation. So, then installing the program (just minimize the installation window), try to open this folder and find the installation MSI file in it.
  • Another way to get an MSI file is to try to open the setup EXE file using 7-Zip. Start 7-Zip and select File -> 7ZIP –> Open Archive. 7ZIP will try to open an EXE file as an archive. In our case, we got an MSI and MST files of Acrobat Reader from its EXE file. In our case, we successfully extracted the MSI and MST files from the Acrobat Reader installation EXE file. Extracting MSI from EXE installation

Creating a GPO to Deploy Software to Domain Computers

Then create a new domain Group Policy Object to install your software.

  1. Open the domain Group Policy Management console (gpmc.msc);
  2. Create a new policy (CorpInstallTeams) and link it to the OU with computers you want to install the app on (Create a GPO in this domain, and link it here); create gpo to deploy msi package
  3. Edit the GPO and go to Computer Configuration -> Policies -> Software Settings -> Software installation;
  4. Select New -> Package in the menu; create software deployment package in group policy management editor
  5. Select your MSI file located in the SYSVOL directory (by the UNC path);
  6. Select Advanced and click OK;The Assigned option allows installing apps at the user logon. The Published option publishes apps to computers and users can install them in Add/Remove Programs.deploying software via gpo with advanced or assigned method
  7. In the next window, you can set additional MSI package options. I will only change the displayed name from Teams Machine-Wide Installer to Microsoft Teams Clientchange software installation options in GPO editoror
  8. Click Advanced in the Deployment tab and check Ignore language when deploying this package;
  9. Restart your computer to update the GPO settings and the app will be installed the next time you boot your computer. It will appear in the list of installed Windows apps. You can find the installation events in the System section of the Event Viewer (filter the event list by the Application Management Group source);Windows 11 has built-in Teams Chat, but it’s not a full-featured Microsoft Teams software appeared in the list of installed apps
  10. You can display the detailed GPO processing status on the computer. To do it, enable the GPO option Display highly detailed status messages under Computer Configuration -> Policies -> Administrative Templates -> System. Now all background GPO processing tasks will be displayed when Windows starts. If any apps are installed using GPO, you will see the message: Installing managed software AppNameInstalling managed software message on Windows startup screen

If the software deployment GPO doesn’t apply to target computers, use the troubleshooting tools described in the article Why a Group Policy Is not Applied to a Computer and the gpresult command.

How to Change MSI Package Options Before Deploying via GPO?

You cannot specify installation keys or parameters for MSI installation packages in the standard GPO interface. For example, when installing an anti-virus agent on a user’s computer, you must specify the IP address/FQDN of the management server. Or, when you install Teams from the command prompt using msiexec, you can disable the MS Teams client automatic startup and hide it from the list of installed apps (a local administrator won’t be able to remove the Teams client). To do it, the following command is used:

msiexec /i Teams_windows_x64.msi OPTIONS="noAutoStart=true" ALLUSERS=0

How to add setup options to an MSI package? To do it, MST transformation files are used. This file type allows you to change the default MSI package settings and use your installation scenario.

To create an MST file for an MSI package, you can use the ORCA tool (it is a part of Windows Installer SDK).

Open your MSI package using Orca.

Create a New Transformation and set your custom MSI package options in the Property section. I will change the following options for my Teams client:

  • noAutoStart = True
  • ALLUSERS = 0
Modify an MSI file options with the Orca MSI editor

Select Transform -> GenerateTransform and save the changes as MST file (teams_mod.mst). Copy the file to the SYSVOL directory.

Then remove the previous rule to install the MSI package in the GPO (because you can add an MST file with package modifications only when creating an app installation rule).

Select All –> Task -> Remove.

remove app deployment GPO

Create a new software deployment rule, select the MSI file from SYSVOL, and go to the Modification tab. Click Add. Select the MST file you created earlier.

adding MST modifier to software deployment gpo

The MST file will now be automatically applied during the MSI installation using the GPO and the application will be installed with the settings you need.

The main disadvantages of MSI installation through GPO:

  1. Only MSI and ZAP installers are supported;
  2. You cannot schedule app installation for the time you want. Simultaneous app installation on multiple computers (usually it occurs in the morning when computers are turned on) may result in high network and Domain Controllers load. In this case, it is better to use, SCCM with maintenance windows or WOL (Wake On LAN) settings;
  3. You cannot change the order in which the software is installed in the GPO. When you add a new installation package to GPO, it is installed last;
  4. You cannot get a report to know if the installation was successful or if there were any installation errors on the computers.

Leave a Comment