Best Practice: How to deploy Software using Group Policy

Originally this was just going to be a post showing you how to deploy the Windows InTune client to a computer using Group Policy however it turned out I think this article would be best suited to show you how to use some advanced techniques to deploy software via Group Policy. So even if you don’t want to specifically  deploy the InTune software client to your computers this article will still serve you as a good reference for Group Policy software deployment in general….

Tip #1: DONT! If at all possible do not deploy software this way… Group Policy software deployment has a number of restrictions that makes this one of the less desirable methods of software deployment. Some of the reasons why I would not recommend this deployment method are:

  1. Lack or scheduling. When you deploy software to a computer using Group Policy it will only ever install/un-install on the next reboot of the computer. This makes it very difficult to schedule rollouts especially when deploying large software updates that would put immense load on the LAN when deploying to all the computers first thing in the morning when they are all turned on at the same time. Using something like SCCM is much better with it options for maintenance windows and Wake On LAN options…
  2. MSI and ZAP Installer Only. The only supported applications formats are the more popular MSI installer and the lesser known ZAP package format. This is somewhat restrictive and again software deployment tools like SCCM are vasty superior as they support any sort of installation method.
  3. Fixed Application Install Order. When you add application to the Group Policy Object they install onto the computer in the same order with no way of changing this order.
  4. Nill Visibility. When you go to deploy software using Group Policy the configuration it pushed to the computers but there is never any feedback on weather the software has successfully installed. This lack of visibility could mean you think you have deployed something to all your computers successfully but in reality it has failed to install on many of the computers.
  5. Poor Scoping. When you deploy software using Group Policy you can only specify a UNC path as the location to install the software from. If you have specified a single server in head office this would mean that all the workstation at remote sites will try and download and install over the WAN… Not good. I will make a few recommendation further on as to how to mitigate this however other deployment software tools (again like SCCM) handle this much more automatically which can reduce you admin overhead.

Now that I have sufficiently warned you about Group Policy Software Deployment I would also say there is one exception to this rule where and that is Agent software Deployment. Weather it is SCCM Agent or InTune or even a Anit-Virus software package GP Software deployment is good at deploying the same software package to a large number of computers.

And speaking of services that require agents…

Windows InTune is a new services that is offered by Microsoft that allows IT administrators to manage and monitor computers via a web based console. This service has been often referred to as SCCM in the cloud as it allows you to manage many workstations without the need for any server infrastructure.

For more information on Windows InTune visit

While there is no software to install on servers for the InTune to work it does require you deploy a management client to your workstations. This client software can be either installed manually but when you have 10+ computer in your organisation this can quickly become a management nightmare so Microsoft also provides a way to deploy the InTune client via Group Policy.

Configuring the application install files for Group Policy Deployment

Step 1: Go to Windows Intune website and download the InTune Client software.

Step 2: Right click on “” and select the “Extract All” option

Step 3: Extract the contents of the “Windows_Intune_Setup.exe” to the current folder by opening up a command prompt and  running “Windows_Intune_Setup.exe /extract .”.


Step 4: Copy the all the files (see below) to the software distribution file share in your organisation .

  • Windows_Intune_Setup.exe
  • Windows_Intune_X64.msi
  • Windows_Intune_X86.msi
  • WindowsIntune.accountcert

You have now setup the installation files for the InTune client (or other software) ready to be deployed in your organisation.

Tip #2: This location needs to have read permission for the “Domain Computers” group applied so that the computer can download and install the files.

Configuring the Group Policy Object for Software Deployment

Step 5: Edit a Group Policy Object that is applied to all the workstation that you want to deploy the InTune client.

Step 6: Navigate to “Computer Configuration > Policies > Software Settings > Software installation” then right click on “Software installation” then click on “New” then “Packages”


Step 7: Navigate to the path that you placed the installation files and select “Windows_Intune_X64.msi” then click “Open”

Tip #3: If you have x86 client repeat from step 7 with the additional steps in my other article How to prevent x86 (32bit) applications installing via Group Policy on Windows x64 to prevent the x86 version from being deployed to the x64 platforms.


Step 8: Click on “Advanced” and then click “OK”


Tip #4: Wait a few seconds while it reads the MSI…

Step 9: As this is a x64 version of the application I recommend that you Add “ x64” to the name of the program to distinguish what version you have deployed.

Step 10 (Optional): If you want to selectively deploy the client to the workstations click on the “Security” tab and click the “Advanced”.


Step 11 (Optional): Un-tick “Include inheritable permission from this object’s parent.


Step 12 (Optional): Click “Add”


Step 13 (Optional): Click “OK”


Step 14 (Optional): Click on “Authenticated Users” and click on “Remove”


Step 15 (Optional): Click “Add” and select the security group name (e.g. “InTune Computers”) that will be used to assign this application to specific computers.


Step 16 (Optional): Click on “OK”


Step 15: Accept all other default setting and click “OK”


You should now see something like the image below… The software will now install on the selected computer’s at the next reboot….


InTune Note: The client software that you downloaded from the InTune web site is customised for your computers so they will automatically appear in your InTune web console.

Tip #5: If you also have Verbose vs normal status messages enabled you will see the software being installed during computer start-up.


Group Policy not running correctly on Workstations

If you are experiencing any of the Event ID’s in the Application/System logs, as shown in the tags of this post and are having problems with GPO scripts etc. running then instead of trying to rebuild the SYSVOL share and all its permissions, do CTRL+ALT+DEL and reset the password supplying old and new password as the same!