How I deploy GPO software in my enviroment

There is no wrong or right way of deploying software via Group Policies, however through my experience I now recommend using the below method because it is the most flexible.

The Key points about how I deploy GPO software:

  • I use an individual GPO per software title.
  • I upgrade each software title using the same GPO
  • I utilise the security tab under the individual software package to test the application with my stakeholders before I push it to everyone
  • I use a DFS-R name space for a number of reasons:
    • I can change the location of the source files without breaking the GPO package
    • I can replicate the software across multiple sites to speed up deployment for clients
  • I deploy software Per Computer as I have found Per User to be more problematic

  1. Create a GPO called “Software Title” or similar. Don’t include versions. Below is an example of Adobe Flash Player where you can see i have version 10.0 and version 10.2 in the same GPO called SW – Adobe Flash Player

    So to add your latest version (and test it to a hand full of users first) you need to do the following…
  2. Expand Computer Configuration -> Policies -> Software Settings -> Software installation. Right click on Software Installation and select New -> Package…
  3. Select the msi that you used modified before. Note this needs to be on a network location that all users can access. I recommend using a DFS share.
  4. Make sure you then select the advanced option and click ok. After a second or two you should get the properties dialog box. From here you need to make the following settings:
    1. General Tab – Change the Name to be something more appropriate. I always include the full version number followed by the company name. That way you know it was deployed via GPO just by going to Add/Remove Programs. Eg. Adobe Flash Player ActiveX – Contoso
    2. Deployment Tab -> Advanced -> tick ‘Ignore language when deploying this package’. May cause problems some times so its good practice (when you are not worried about language issues)
    3. Deployment Tab -> Advanced -> tick ‘Make this 32-bit x86 application available to Win64 machines’ when you have separate 32-bit and 64-bit packages to deploy. Perfect example would be software where only 64-bit version of software works on a 64-bit operating system.
    4. Upgrades Tab should contain the old applications (in this case Adobe Flash) that you previously deployed. If this is your first time, the second time you do this with the next version you should see the old deployed package here. You can manually add it from the same or different Group Polciy objects.
    5. Modifications tab, add the MST file. Note you can only do this during initial stage. You cant do it after you close the dialog. Note if you dont have modifications then you can simply move on to the next tab.
    6. Security Tab for testing before production deployment Remember when i said you want to test it to a few users first? Well its very simple! All you have to do is:
      Click security tap -> Advanced. Untick ‘Include inheritable permissions from this objects parent’. On the dialog select Copy to copy what was originally there. Now you have to remove Authenticated Users from the list, and add the computer objects for the machines you want to test the deployment to.
      When you have finished with your testing and you are happy you can simply remove the extra users you added and re-tick “include inhertiable permission from this objects parent’ again so everyone gets it distributed. Nice to remove the individually added computer objects as well as they may cause havoc when troubleshooting.

If you follow the above example you will be able to manage software deployments quite easily, even when its across multiple sites with a large user base.

Leave a comment ?


  1. Deploy Gpo – Adobe Flash « SaveTheSysAdmins - pingback on 3 January, 2012 at 19:18
  2. Konrad Bauckmeier

    Thank you for the information. One Question: How do you deal with old deploys?
    It is Ok to just delete them if you are sure, that the update is applied to all machines? Or is there a reason to keep them?

    • That is a great question. One I have not covered in my article, and the reason for that is my knowledge and experience on that are somewhat slim.
      I have found some problems where I have removed old GP Software (that I knew I was no longer using) but it was quite some time ago. Since then I have just left them all in there. Because I have a GPO per software title it doesn’t clutter up a lot, and gives me some historical data should I ever need it.

  3. Great Article. What if you had a package that you never wanted to deploy to certain machines? For instance, what if you never wanted Adobe Reader installed on computers with Adobe Acrobat Pro? I’m assuming you would put the computer objects under security with “Deny” permissions?

    • Hi John, You are absolutely correct. Simply create an AD group called “Deny Adobe Reader” and add the computer objects into that group that you do not want to receive the installation. Then go to the Security properties of the Application and give it the Deny permissions. That’s it 🙂

      An alternative would be to separate the computers into different OU’s however this method over time becomes very hard to manage. Use the Group Method – far more flexible.

      • Came here from the JRE deploy article, very nice!

        I don’t use GP much but in the past I have done it slightly differently:
        (using group policy management console in server 2008 R2)

        1. put all the computers you want the policy to apply to into a group
        2. right click the GPO and choose edit
        3. in the GP management editor that pops up right click the “GPO name” (it’s at the top in the left pane) and choose properties
        4. click security tab then select authenticated users
        5. remove (i.e. untick) the apply permission for authenticated users
        6. now add your group of computers
        7. give it read and apply group policy permissions

        Not sure if this is a better way or not ?!

        • Hi Nick,

          If you package multiple software in the one Group Policy Object, then yes that is one way of doing this however it is hard to manage over a long period of time as you add more software.
          I recommend the following:
          -Use a separate GPO for each software
          -Use the Security Filtering on the entire GPO to restrict who the software is accessible to
          -Deploy software without touching the security tab (as the Security Filtering will propagate to the software installation)
          -When testing an update/new version of software, use your method above to deploy it to your test machines first and validate that the upgrade/install works successfully. Once you are satisfied you can then reset to default permissions so that the software gets deployed to everyone in your Security Filtered group.

          With my method it allows you to easily and quickly see who has been granted for each particular GPO (rather than going to Software > Properties > Security tab which can take some time.
          GPResults will also produce clearer reports when it comes to diagnosing problems.

          Kind Regards,

  4. Another question: In your blog, talking about security, you say “Click security tap -> Advanced. Untick ‘Include inheritable permissions from this objects parent’. On the dialog select Copy to copy what was originally there.” My options are “Add”, “Remove”, and “Cancel”. Which of those choices am I supposed to choose before going to the next step?

    • Hi John,
      Either my documentation is incorrect or there is a difference between 2003/2008 systems.
      The correct option to select is ‘Add’. What this will do is effectively copy the existing security settings as they are, then remove the inheritance. It saves having to re-add all the correct permissions for Group Policies to work – which if any of it is wrong can be very painful to troubleshoot.
      Hope that helps.

  5. Great Article, when you have got 2 packages in the GPO how does it know to use the latest one?
    Is there anyway to turn the auto update function off on version 11.4 by editing the MSI??
    Has anyone done an upgrade from 11.1 to 11.4 via GPO?

    • Hi Bharat,

      When you add the package, you specify which packages it supersedes. This then tells the system what application to use.
      Editing the MSI will break the upgrade process. I tried this with an earlier version and it was only problem after problem. Best not to do it. Read my post on pushing out mms.cfg file – it will allow you to configure auto-update functions amongst others. Read the Adobe Flash Administration guide – its a good start.

  6. Will this work on Windows 7 computers? I constantly get “the install of application from policy xxx failed. The error was :%%1612” event error 102, do you know why?


    • That is a fairly common error. There are some questions to be asked first…
      – What software are you deploying?
      – Is it an upgrade to an existing application?
      – how many machines is this happening on?
      – does Microsoft’s Fix It resolve the issue on the client?


  7. Hey Ivan,

    Thanks for the great step by step info, but since I unchecked” include inheritable from this object…the checkbox has disappeared and all the group say not inherited now…what am I missing?

    • Hi Marc,
      Sorry im not quite understanding what you are getting stuck with. If you put up some screenshots on SkyDrive ill happily have a look for you to work out what is going on.

Leave a Reply

QR Code Business Card
%d bloggers like this: