When managing software deployments through Group Policy Objects (GPO), upgrading existing packages requires careful consideration. Let's examine the three primary approaches with their technical implications:
This method involves replacing the MSI file at the distribution point and using the 'Redeploy application' function:
# PowerShell command to trigger redeployment (for reference) Get-GPO -Name "Install X" | Set-GPPermission -PermissionLevel GpoApply -Replace -TargetName "Domain Computers"
Disadvantages:
- Limited version control - difficult to track which clients received which version
- Potential conflicts if the MSI isn't properly configured for upgrades
- No rollback capability if issues arise
The proper upgrade procedure involves creating a new package with upgrade relationships:
<!-- Sample XML snippet for upgrade detection in MSI -->
<Upgrade Id="YOUR_UPGRADE_CODE">
<UpgradeVersion Minimum="1.0.0" Maximum="1.0.0"
Property="PREVIOUSVERSIONSINSTALLED" />
<UpgradeVersion Minimum="0.0.0" OnlyDetect="yes"
Property="NEWERPRODUCTFOUND" />
</Upgrade>
Implementation steps:
- Create new GPO or modify existing one
- Right-click Software Installation → New → Package
- Select the new MSI and choose "Advanced"
- Navigate to the Upgrades tab → Add → Select old package
While this method works, it's generally less efficient:
- Forces application removal before installation
- May cause temporary service interruptions
- User settings might not persist through the reinstallation
Several factors influence your upgrade strategy:
| Factor | Impact |
|---|---|
| MSI Upgrade Code | Must match between versions |
| Versioning Scheme | Should follow semantic versioning |
| Dependencies | May require additional handling |
For upgrading Java Runtime across your domain:
# Log snippet from GPO upgrade operation [MSI] Executing op: UpgradeRelatedProducts(...) [MSI] Property: PREVIOUSVERSIONSINSTALLED = 8.0.1720.0 [MSI] Property: NEWPRODUCTFOUND = 8.0.2210.0 [MSI] Action: InstallValidate
Remember to test upgrades in a controlled environment before domain-wide deployment. The event log (Application and GroupPolicy/Operational) provides valuable debugging information during upgrade operations.
When deploying software through Group Policy Objects (GPO), the Windows Installer (MSI) packages are stored in a network share with appropriate permissions (Read & Execute for Domain Computers). The deployment can be either assigned (mandatory installation) or published (available in Control Panel).
Option 1 (Redeploy): Replacing the MSI and using redeploy forces all clients to reinstall the application on next policy refresh. The main disadvantages include:
- Forces complete reinstallation regardless of version
- Generates more network traffic
- May cause temporary application unavailability
Option 2 (Upgrade): The proper method involves creating a new package with upgrade settings:
# PowerShell snippet to check upgrade codes
$installer = New-Object -ComObject WindowsInstaller.Installer
$product = $installer.ProductsEx("YourProductCode", "", 7)
$upgradeCode = $product.InstallProperty("UpgradeCode")
1. Verify the new MSI supports upgrades by checking its UpgradeTable:
Orca.exe → Open MSI → View → Upgrade Table
2. In Group Policy Management Console:
- Right-click the existing package → Properties → Upgrades tab
- Click "Add" to specify the new package
- Select "Uninstall the existing package..." for major version changes
Consider upgrading Notepad++ from v7.9 to v8.0:
# Sample transform file (MST) for upgrade scenarios INSTALLDIR="C:\Program Files\Notepad++\" REINSTALL=ALL REINSTALLMODE=vomus
The complete upgrade process should be tested in this order:
- Test workstations with gpupdate /force
- Verify installation logs (%windir%\logs\msi*.log)
- Monitor network bandwidth during mass deployment
When upgrades fail, check these key areas:
- Event Viewer → Applications and Services Logs → Microsoft → Windows → MSIInstaller
- Verify network share permissions haven't changed
- Check for conflicting transform files (MST)
For advanced scenarios, use verbose logging:
msiexec /i package.msi /lvx* logfile.txt