Automatic Software Deployment with Group Policy Objects


Automatic deployment of software updates is today more important than virus scanners, because antivirus vendors have lost the race, and malware often uses known software bugs to get in. If you don't believe this, read more here.


Windows includes a largely unknown function to automatically install and update software. Most people know only Windows Update or Microsoft Update. These functions can update Windows, Internet Explorer, and Microsoft Office. But there is another function, which can install and update arbitrary software.

However there are limitations:

  • The function accepts commands only from Group Policy Objects (GPO) in Active Directory, thus
    • you need a server that runs at least Windows Server 2003 or Samba 4.
    • all clients must be members of the Active Directory Domain.
    • only the Professional, Ultimate, or Enterprise editions of Windows can be domain members, thus it will not work with Home editions.
  • Configuring the function on the server is a pain, because not all members of the server group of Microsoft know drag & drop, some defaults must be manually adjusted for each and every package, and many things are counterintuitive.
  • Moving from locally installed software to software deployed from the server requires first uninstalling the locally installed software and then reinstalling it from the server. If you try to do it without uninstalling first, you are likely to end up with a mess that can be difficult to clean up.
  • It requires some other settings to be deployed via GPO, otherwise it will be unreliable.
  • Only MSI files can be automatically deployed, not software that comes as a setup.exe-style installer.

The last limitation is mitigated by the fact that today most installers are somehow based on MSI files. Thus even if the software distributor doesn't offer an MSI variant, it's often possible to extract the MSI files from the installer with certain tricks. But still this limitation is the most serious one. If you start to deploy software via GPO, the most time consuming part is not learning how to configure the server, but finding out two things: how to get the required MSI files, and what you need to configure inside them to make the whole concept really work well and reliably.

That said, here is my howto on using GPO to deploy software packages.

Why not use other automatic updaters?

Some of the software that urgently needs frequent updates comes with its own automatic updater. But most of them work only if either the users work with admin rights, or if the software was installed inside a user directory. In both cases the executable files are writable by users, which means that malware can modify them and spread. So this is not a solution.

(Update: Firefox and Thunderbird now have an updater which can update even if the users do not have admin rights. But it is incompatible with Software Restriction Policy.)

(Side note: Antivirus software has been able to update itself for decades. But something seems to prevent this idea from spreading to other software companies outside the antivirus world.)

I have tried several other tools that promise to automate software updates. However, I restricted myself to free tools. All of the ones I tested failed more or less. Some try to run while the users are logged on (prone to fail), some require the PC to run 24 hours a day (might be usual in the U.S.A., but not here), some hang when the update server is not reachable. So I decided to use GPO software deployment from a Windows server, because it is free, reliable, and just works.

(If your organization allows you to spend money on this issue, you can find several good automatic updaters on the market, but I needed a free solution for various reasons.)
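The weak spot described above (program files writable by ordinary users, whether because the product lives in a user profile or because its directory ACL is too loose) can be audited on a client. The following script is an added example and not part of the original article; it assumes that the Uninstall registry keys carry an InstallLocation value (most MSI-installed products do; entries without one are skipped) and must be run as an administrator.

```powershell
# Added example, not from the original article: list installed programs whose
# install directory is writable by every interactive user. Such a program can
# be modified by anything running in a user session, which is exactly why
# user-writable self-updaters are not a substitute for central deployment.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-UserWritable([string] $Path) {
    # True when an Allow ACE grants write, modify or full control to a broad group
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity, ignore this ACE
        if ($broadSids -contains $sid) { return $true }
    }
    return $false
}

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallLocation -and
                   (Test-Path -LiteralPath $_.InstallLocation) } |
    ForEach-Object {
        # Anything under the Users tree is a per-user install and writable by design
        $inProfile = $_.InstallLocation -like "$env:SystemDrive\Users\*"
        [pscustomobject]@{
            Name         = $_.DisplayName
            Version      = $_.DisplayVersion
            Path         = $_.InstallLocation
            UserWritable = $inProfile -or (Test-UserWritable $_.InstallLocation)
        }
    } |
    Where-Object UserWritable |
    Sort-Object Name |
    Format-Table -AutoSize
```

Products that show up here are candidates for the uninstall-then-redeploy step described in the limitations list, since a GPO-deployed MSI installs into Program Files with the default ACL.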


Obtaining the MSI files is different for each and every software product. Each program needs different tricks, and even new versions of the same program may need different tricks. The difficulty level ranges from trivial, with great support from the software vendor, to almost impossible, with their community coordinator telling you that they don't care if you stop using their software.

Configuration is needed for most MSI files to make them really work reliably. It is required, for example, because you don't want the installation to fail with an error message when the installer detects that a newer version is already available. Also, once you have decided to deploy updates centrally, you don't want your users to be annoyed by the automatic updaters that come with the installed software. You cannot possibly offer all updates on the same day they are available, so these functions must be disabled.
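Many of these switches are plain entries in the MSI's Property table, so the patch can be scripted. The script below is an added example, not code from the original article; it uses the Windows Installer COM automation object (WindowsInstaller.Installer) via late binding, and the default property name is a placeholder, because every vendor names its updater switch differently and the real name must be taken from that product's deployment documentation.

```powershell
# Added example, not from the original article: set or insert one entry in the
# Property table of an MSI, e.g. the vendor's "disable built-in updater" switch.
param(
    [Parameter(Mandatory = $true)] [string] $MsiPath,
    [string] $Property = 'PLACEHOLDER_DISABLE_UPDATER',   # placeholder, vendor-specific
    [string] $Value    = '1'
)
if (($Property + $Value) -match "'") { throw "single quotes are not supported here" }

function Invoke-ComMember($Object, $Name, $Kind, $ArgList) {
    # Late-bound call on a COM object (works without an interop assembly)
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ArgList)
}

function Invoke-MsiSql($Database, $Sql) {
    # Executes an MSI SQL statement; for SELECT returns the first column of each row
    $view = Invoke-ComMember $Database 'OpenView' 'InvokeMethod' @($Sql)
    Invoke-ComMember $view 'Execute' 'InvokeMethod' $null | Out-Null
    $rows = @()
    if ($Sql -match '^\s*SELECT') {
        while ($null -ne ($rec = Invoke-ComMember $view 'Fetch' 'InvokeMethod' $null)) {
            $rows += Invoke-ComMember $rec 'StringData' 'GetProperty' @(1)
        }
    }
    Invoke-ComMember $view 'Close' 'InvokeMethod' $null | Out-Null
    return $rows
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# Mode 1 = msiOpenDatabaseModeTransact: changes are written to disk only on Commit
$db = Invoke-ComMember $installer 'OpenDatabase' 'InvokeMethod' `
          @((Resolve-Path -LiteralPath $MsiPath).Path, 1)

$existing = Invoke-MsiSql $db "SELECT Value FROM Property WHERE Property = '$Property'"
if ($existing.Count -gt 0) {
    Write-Host "$Property is '$($existing[0])', changing to '$Value'"
    Invoke-MsiSql $db "UPDATE Property SET Value = '$Value' WHERE Property = '$Property'" | Out-Null
} else {
    Write-Host "$Property not present, inserting with value '$Value'"
    Invoke-MsiSql $db "INSERT INTO Property (Property, Value) VALUES ('$Property', '$Value')" | Out-Null
}
Invoke-ComMember $db 'Commit' 'InvokeMethod' $null | Out-Null
# ProductCode and package code are untouched, so GPO still sees the same package.
```

Editing the file invalidates any Authenticode signature the vendor put on it, so verify the signature on the original download before patching and serve the patched copy only from the deployment share.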

I have collected here descriptions for obtaining and patching MSI files for several programs. The list contains those which I think are most important, because their bugs are most commonly used to plant malware. Look in the vertical menu in the upper left of this page.

(last update: 18-Jan-2012)

WSUS Package Publisher
Microsoft System Management Server 2003
Microsoft Configuration Manager 2007
Microsoft System Center 2012