How Group Policy Software Installation Handles Already Installed Applications: MSI Version Checking Behavior


2 views

The fundamental question revolves around whether Group Policy's Software Installation feature will reinstall an application when:

  • The same MSI package is deployed through different GPOs
  • The application already exists on the target machine
  • Users move between sites/subnets with different GPO assignments

Windows Installer (msiexec) performs these key checks when processing GPO-deployed software:

1. ProductCode verification (GUID in MSI)
2. UpgradeCode comparison (for version detection)
3. Package transform validation (if applicable)
4. Installation state check in registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)

Through extensive testing and Microsoft documentation analysis:

  • Scenario 1 is correct: Windows Installer service checks the installed programs list via ProductCode/UpgradeCode
  • Scenario 2 is incorrect: There's no separate "APP cache" that would cause reinstalls

The MSI engine uses this decision flowchart:

if (ProductCode matches) {
    if (InstalledVersion >= PackageVersion) {
        skip installation (unless REINSTALLMODE specified)
    } else {
        perform upgrade
    }
} else if (UpgradeCode matches) {
    handle as upgrade scenario
} else {
    fresh installation
}

Consider this PowerShell snippet to verify installation state before GPO processing:

function Test-ProductInstalled {
    param(
        [string]$productCode
    )
    $uninstallPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
    $items = Get-ChildItem -Path $uninstallPath
    foreach ($item in $items) {
        $properties = Get-ItemProperty $item.PSPath
        if ($properties.PSObject.Properties.Match('WindowsInstaller').Count -gt 0) {
            if ($properties.PSObject.Properties.Match('ProductCode').Count -gt 0) {
                if ($properties.ProductCode -eq $productCode) {
                    return $true
                }
            }
        }
    }
    return $false
}

When deploying across multiple sites:

  • Use identical MSI packages across all GPOs
  • Ensure consistent deployment options (Assign vs Publish)
  • Set "Uninstall this application when it falls out of scope" to Disabled
  • Consider adding a WMI filter for version checking

Check these event logs for installation details:

  • Application Event Log (MSIInstaller source)
  • GroupPolicy/Operational log
  • Windows Installer verbose logging (enable via registry)

When dealing with Group Policy Object (GPO) software installation across multiple sites, the core question revolves around Windows Installer's intelligent detection mechanism. The Windows Installer service (msiexec.exe) performs version comparison through the ProductCode, UpgradeCode, and PackageCode GUIDs in the MSI file.

Here's what actually happens during policy application:

1. The client-side extension (CSE) checks the registry under:
   HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
   
2. For MSI packages, it compares:
   - ProductVersion property
   - PackageCode (transformable via MST)
   - Installation context (per-user vs per-machine)

3. The installation only triggers if:
   - No matching ProductCode found OR
   - Higher version detected OR
   - Different installation context required

To verify this behavior empirically:

# PowerShell detection script
$app = Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "YourAVSuite"}
if ($app.Version -lt $gpoMSIVersion) {
    Write-Host "Triggering upgrade installation"
    Start-Process msiexec.exe -ArgumentList "/i policy.msi REINSTALL=ALL REINSTALLMODE=vomus"
}

Since DFS was denied, consider this site-aware deployment script:

@echo off
for /f "tokens=2 delims=:" %%i in ('ipconfig ^| findstr "IPv4"') do (
    set IP=%%i
    set IP=%IP: =%
)

:: Site-specific MSI selection
if "%IP:~0,6%"=="10.1.0" (
    set MSIPATH=\\Site1\Deploy\AVSuite.msi
) else if "%IP:~0,6%"=="10.2.0" (
    set MSIPATH=\\Site2\Deploy\AVSuite.msi
)

msiexec /i "%MSIPATH%" /qn /norestart

GPO maintains installation tracking in these registry locations:

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- HKLM\SOFTWARE\Classes\Installer\Products
  • Always increment the ProductVersion in your MSI when updating
  • Use transforms (MST) for site-specific configurations rather than separate MSIs
  • Implement a WMI filter to check installation status before applying policy