What are the advantages of using .msi files over regular setup.exe files?
I have the impression that deployment is easier on machines where users have few permissions, but not sure about the details.
What features does msiexec.exe have that makes deployment more easy than using setup.exe scenarios?
Any tips or tricks when deploying .msi applications?
UPDATE, July 2018: An extremely compressed summary of the below information is available on stackoverflow: The Major Benefits of MSI ("executive summary" - of sorts).
I have worked in development as a release manager, build engineer, setup developer and as an application packager and deployment engineer in large corporations.
This is a review of the best (and worst) conceptual and real-world features of MSI. The most common design problems found in MSI files are presented as a separate answer below. Not pretending to be complete - really just a messy "brain dump" - intended as "that stuff that can't be found in books" (probably for good reason).
I also want to suggest this MSDN article as a good read: Windows Installer: Benefits and Implementation for System Administrators.
In a word, MSI is about standardization, and about dealing with "deployment smells" of legacy installer technologies. A whole collection of bad installation architecture designs that caused repeated deployment problems.
Overall MSI provides a comprehensive, standardized framework for the installer, which crucially also includes the uninstall and built-in features and options for silent running with standardized GUI which can be triggered remotely.
These features alone constitute a massive improvement over previous installation technologies which treated uninstall and silent running haphazardly - perhaps the most important features for corporate deployment along with reliable remote package management via Active Directory or dedicated remote administration tools such as Microsoft SCCM (formerly SMS), IBM Tivoli, CA Unicenter and similar.
Someone duplicated a prior version of this answer. Maybe a quicker read?
MSI actively discourages legacy deployment smells by design. These topics are discussed in later sections below, but as a quick list the most recognizable issues with legacy installers and older deployment technology were:
The list goes on with plenty of other crucial and recognized deployment flaws. It was obviously in the world of corporate deployment that these problems surfaced most often, and it has resulted in the business of "application repackaging" where a legacy installer is captured with disk and registry scanning technologies in order to create a standards-compliant MSI file for reliable deployment.
Application repackaging is a specialist job and generally results in excellent quality MSI files if done right by knowledgeable people, but it is not possible to repackage all applications due to complex registration logic that must be run interactively for certain applications to work.
In plain language the really important benefits of MSI are (in no particular order):
In the real world I have found less successful aspects to include patching (very complex), MSI-GUI (plain features, quite complex, lacks flexibility), resiliency (may cause hard to debug repeating self-repair problems), and the overall complexity of dealing with the technology for beginners (high complexity of basic operations at times - for example upgrades, GUI and the many interacting details cause unexpected results etc...). The speed of the installation process has also slowed considerable due to the increased overhead of MSI. See some tips for improving MSI installation speed.
The rest of the text deals with some of these aspects of MSI in more detail.
An MSI file is essentially a stripped down SQL-Server database stored as a COM-structured storage file - essentially a file system in a file or a collection of data streams. This is the file type used in Microsoft Office documents, and it yields a standard format that can be reviewed and inspected - a huge issue for large corporations.
With the exception of compiled custom actions an MSI file is a white box. If the setup changes something crazy such as the system-wide network settings, you can actually see it using the appropriate tools. The notable exception is compiled custom actions - which are black box. Windows logo requirements require custom actions to be annotated to explain what they are doing, but this is often ignored by setup developers. Hopefully the advent of Wix will improve this.
To determine what such compiled custom actions actually do in a technical sense, a setup capture is necessary. This is hardly ever done in my experience. It is more common to contact the vendor for information if the software needs approval for corporate deployment, and then it might be the application itself which prevents its use, and not just the setup.
An MSI can be customized via transforms to fit an organization's needs and standards whilst still allowing interoperability with the vendor's installer updates. You don't change the installer itself, you create your customization in a separate, organization-specific file called the transform (.mst file) (a database fragment or change transaction if you like). You are free to disable custom actions and in general change, override or disable anything in the installer, and you can even add new things, including files. The transform files are also sometimes used to localize an MSI file to different languages. Several transforms can be applied to a single MSI, here is a sample with truncated paths:
msiexec.exe /I "My.msi" /QN /L*V "C:\My.log" TRANSFORMS="C:\1031.mst;C:\My.mst"
Quick Parameter Explanation:
/QN = run completely silently
/L*V "C:\My.log"= verbose logging
TRANSFORMS="C:\1031.mst;C:\My.mst" = Apply transforms 1031.mst and My.mst.
Windows Installer maintains a comprehensive database of all items a product has installed in the registry (HKEY_CLASSES_ROOT\Installer - never change anything here directly! That goes for experts too).
You can reliably determine if a product is installed, what features were installed, and what file versions were installed. In addition you can get a list of any patches that have been applied to the base product, if any. You can access this database via API's supporting Win32, COM or .NET using a variety of scripting, configuration and admin tools such as Microsoft SCCM, IBM Tivoli, CA Unicenter etc...
MSI also encompasses "elevated rights" principles which allows a restricted user to trigger the install of a product that requires admin-rights to install. This is part of the "advertisement feature" which allows an administrator to make installers available to users without actually installing them on all workstations. The installer itself must be correctly authored on several core accounts for this elevated rights concept to work correctly. The users may trigger the install of the product themselves, or the install might be controlled by a dedicated deployment system such as SCCM, Tivoli, Unicenter (larger companies normally). There is no need to mess with temporary admin-rights to get things working which is often the case with legacy installers.
The comprehensive installation database also ensures that you have full overview of installed patches and therefore a possibility to detect security vulnerabilities via automation and admin tools.
MSI files can be checked with validation rules to ensure it is in compliance with a number of internal consistency rules (referred to as ICE). Corporations can create their own ICE checks to enforce special corporate rules and requirements. This helps greatly with QA. The reason validation is possible is due to the self-referencing nature of relational databases and the associated database schema. The database has to be internally consistent and compliant with its own schema with regards to foreign keys, data types, field width, schema version, etc... Validation also goes beyond this and is capable of detecting genuine logical flaws and errors in the package, not just formatting and type flaws. For example it can detect files or file types that are being deployed to erroneous target destinations.
The admin install feature of Windows installer provides a standard way to extract the source files from an MSI (here is some additional information on this topic). These source files can then be put on a share and be available to all workstations for installation. This ensures repair, uninstall and modify operations complete without requesting the installation media on CD or similar. This is particularly important for patching and update operations which may require access to the old versions source files in special circumstances.
There are also common problems with this resiliency feature. Most administrators have experienced machines with cyclical self-repair cycles that never seem to stop. Follow the link for a long list of causes of this problem. And again, here is a shorter version that might be easier to read.
The installation of an MSI file will normally trigger the creation of a restore point. Furthermore all files and registry items replaced or overwritten during the installation will be saved and restored if the install fails to complete, barring any changes done in custom actions.
Custom actions must implement their own rollback support for Windows logo compliance. This is often ignored, but involves creating a second custom action to undo the changes made by the main custom action.
Rollback ensures that the workstation is left in a stable state even if the install should fail. The actual rollback script is stored in a hidden folder directly on the system drive - generally C:\Config.MSI, and it contains files with the extensions .RBS and .RBF - Rollback Script Files. As you might expect poorly designed MSI files can violate the built-in features of Windows here, see my other post in this thread for more details.
There are ways to disable rollback and speed up installation. Not generally recommended, but here are details on the MSIFASTINSTALL property and DISABLEROLLBACK. This is a complicated feature, but here is a quick rollback overview.
Though highly complex, patching in Windows installer is fully managed and registered on the system so that a systems security state can be determined by checking what has been installed. Updates are standardized to a few basic variants, and this allows updates to be performed with a higher degree of certainty provided you are able to handle the complexity involved. Deployment systems will be able to report what updates failed and why.
In a subjective view patching works well for 2 basic uses: 1) small hotfixes for delivered products, and 2) patching an installed product to fix its faulty uninstall sequence that prevents a products clean uninstall.
A patch is just a delivery mechanism for an update that is already working. As such it is just a container that is more complicated and error prone than the original setup itself. The number one rule for a patch is that it must be smaller than the original MSI or there is no obvious reason to deliver a patch at all. A patch can get huge quickly if it targets multiple product versions.
Windows Installer provides a standardized logging feature which is greatly superior to previous incarnations, though almost excessively verbose. Log files can be deciphered using log analyzers, and custom log levels can be used to eliminate generating too large log files with unnecessary information. For debugging purposes verbose logging is extremely useful. See Rob Mensching's blog for a good manual way to read an MSI log file (essentially you search for "value 3" in the log file). Here is a sample command line that performs verbose logging:
msiexec.exe /I "C:\Installer.msi" /QN /L*V "C:\msilog.log"
This article from Robert Macdonald from the Windows Installer Team is highly recommended as a practical look at MSI logging: How to Interpret Windows Installer Logs.
Not everything is good about Windows Installer. Its complexity can be baffling at times, but for large corporations MSI files are vastly superior to any other form of deployment when you take into account the list of benefits above.
To understand the new "paradigm" it is important to understand that MSI is intended as a declarative description of what is going to happen on the target system, rather than a fixed sequence of events. I suppose you can think of it as a huge SQL-statement. For example you declare items you want added or modified to an INI file. As the installation runs changes are tracked and rollback is available so that changes can be reverted if the installation fails. This really works like "automagic", and is reliable when done right.
It is a huge headache for experienced MSI developers to see people rely on complex, unreliable custom actions for functionality that is better implemented with built-in MSI features. A significant share of all MSI errors and rollback problems are caused by erroneous custom actions, and most other errors are caused by erroneous use of the MSI design (see separate answer for list of common MSI errors).
In addition to the built-in MSI features, more and more custom functionality is now available via new framework such as Wix - the XML way to compile MSI files, so there is less and less need for complex custom action logic for most operations.
MSI features full support for handling merging of ini file settings, fonts, environment variables, registry keys, COM information, shortcuts, file extensions, launch conditions, GAC installation, ODBC, etc...
WIX goes further with support for very advanced features such as SQL server extensions, IIS installations and configuration, performance counters, DirectX checking and other game related tasks, .NET native image generation, COM+, drivers, firewall rules, PowerShell extensions, application closing, management of users, groups, shares and much more. Somewhat involved to deal with, but much more reliable than your own custom actions.
To try to put it in perspective: these built-in and ready-made solutions are made by the best deployment experts available, and they are tested by thousands, tens of thousands or perhaps even millions of users (for built-in stuff in MSI itself). Do you really think you can do better making your own custom actions? Using a custom action should be a rare event, and it should be absolutely necessary to achieve something unique for the product you install. And you must write proper rollback support as well, which is quite involved.
Writing a custom action is almost always a mistake, but there are genuine cases when you really need the flexibility as well. As always it is important to pick your battles well. It might be a fun task at first, but you will likely be facing many unexpected problems and waste a lot of costly time. I mean this very seriously. I have written a suite of C++ custom actions for corporate use myself (to eliminate error prone VBScript custom actions) - it is no walk in the park, and though the coding may not be the most difficult in the world, the debugging and testing and hookup to an actual MSI file is nothing short of extremely involved. Some time researching what ready-made options are available will likely save you weeks of development work, and yield much greater deployment reliability.
A very important point is that a lot of application configuration should happen on application launch when you have a predictable runtime context and good error handling available, and not in the setup which is only run once and features very complicated impersonation, sequencing, conditioning and runtime complexity.
Your setup should not configure the application, it should prepare the application for configuration on first launch. Specifically your setup should write all settings that require elevated rights - writing to HKLM, registering services, installing to per-machine paths and any such things that an application cannot write on its own with regular user rights.
If you are a setup developer you should offer to get involved coding the application launch sequence instead of writing setup custom actions. If nothing else, in order to avoid looking like you are trying to "pass the buck" to someone else. In this launch sequence you can write much more reliable and testable code which is easier to get help from QA personnel to test (they often don't understand deployment testing as well as application testing).
The core of setup complexity centers around the fact that errors are cumulative (you are managing a delivery process, not just a quick recompile), errors are very hard to debug (no access to the systems where the errors occur), and the target system states differ in just about every way imaginable. Please see this answer for a more thorough discussion of this complexity and how target systems may wary in a shocking number of ways: Windows Installer and the creation of WiX, and The Complexity of Deployment (see towards bottom).
Read this WiX quick introduction for a description of the new XML-based way to compile MSI files. The text based source files provide much better source control than before. This is a free, open source toolkit that is highly recommended.
N.B: See elsewhere in the thread for a quick rundown of the common design problems with MSI files - it is very incomplete, but should be worth a read. I didn't want to add that to this reply since it isn't 100% related, but for real world use it is a crucial topic.
(pardon the shameless "promotion" - it is for easy access and retrieval)
Here are just a few links to topics that may be helpful to system administrators in their effort to control the deployment on their networks:
Special how-to topics:
Conceptual Topics / Best Practice:
Just a few benefits:
I think to when I'm deploying software in an enterprise setting: deploying software via MSI is almost enjoyable. In contrast, I almost always find myself dreading deploying software when it's in another container.
For some additional info on manipulating MSI installations, type msiexec into the Run dialog.
This answer is very much a work in progress and a rough outline. Additions, questions and updates welcome. This list is by no means exhaustive. Add a comment with information about troublesome packages.
I must also warn that a lot of MSI files contain errors, sometimes serious ones, but trained application packagers will be able to detect this and in most cases eliminate the problem. I am adding this as a separate answer since it essentially answers a different question, but I feel it is relevant in the same thread.
The technical details involved in MSI are very complicated. At the basic level it is about decomposing your files and registry settings into components (atomic installation) and features (user selectable application parts to install, for example a dictionary feature). There are a number of best practice rule for splitting up the components, and errors in MSI files here are plentiful. These errors are generally handled by standardizing on the use of "major upgrades".
The actual installation is performed in a number of installation sequences, some with elevated rights. All of these things are defined in database tables, and this is where MSI is terribly complicated to understand and deal with. Spread throughout the installation sequences are standard and custom actions. The standard actions are Microsoft designed and need to take place (sequence can sometimes be modified). Custom actions are available to vendors to perform custom logic not covered by MSI itself. These can be in script or compiled form. Custom actions can be immediate (run at once, should not change the system but often does) or deferred (written into an excecution script that is then executed as a transaction and hence supporting rollback).
Typical errors in an MSI are (in no particular order - and presented as a real mess really):
There are a number of more subtle errors and several larger, typical problems that I will have forgotten.
Check out the Windows Installer Best Practice article from MSDN.
Using MSI's also makes patching (MSP files) and upgrades easier. MSI's use the concept of unique Product and Upgrade codes which makes the whole process easier.
Some deployment systems (CA Unicenter Software Delivery is one example) can also understand MSI's in a special way, which allows them to integrate much better into the deployment system. For example you can feed an MSI into the software library of the deployment system and it will automatically detect the various features within the product and automatically allow much more granular custom actions (Local Install, Verify, Repair etc.) and logging.
Self-heal / repair is also a major plus for MSI's.
Also, check out open source Windows Installer XML, "a toolset that builds Windows installation packages from XML source code. The toolset supports a command line environment that developers may integrate into their build processes to build MSI and MSM setup packages." This is used by MS to prepare several of its major software packages.
you can do transformations - in theory you can customize a lot, if program was packaged properly by vendor you can make fully automated deployment without any interaction with end user - which is very helpful when you want to standardize your windows environment and have more then handful of computers.
to see what people do with msis [ or unattended deployment ] visit for instance this site and it's forums.
