I have a Computer GPO in a Windows Active Directory based network (with on-premises Domain Controllers) that currently installs an application from \\MYDOMAIN\NETLOGON\...\application.msi at startup. This works well for all my machines that are network connected at boot, but I have a growing number of Windows users connecting via VPN, which means that the machine is not network connected until some point after user login.
In the absence of any obvious best practice alternative, my proposed solution is to copy the application.msi to a hidden dedicated folder C:\localapps and to install from there.
The top-level folder creation works well. Copying the configuration file works well. Inherited permissions on the folder tree work well. What doesn't work is that the application.msi file cannot be copied.
Frustratingly, if I rename application.msi to application.msi.zzz the same GPO can - and does - copy the file to the local machine quite happily.
Further research: psexec -i -s explorer.exe gives me an Explorer window running as the GPO's SYSTEM account. Indeed, I can navigate to the appropriate place on \\MYDOMAIN\NETLOGIN and I can copy files from there unless they are named as executables or installers. All files in the folder have inherited permissions and I have confirmed they are the same. All files are "unblocked". All files have the same owner (MYDOMAIN\Administrators). I'm not trying to execute the MSI from the network share, just to copy it.
Empirical conclusion: the SYSTEM account used by the GPO cannot copy *.msi or *.exe files from the \\MYDOMAIN\NETLOGON\ share.
This doesn't seem to be a reasonable state of affairs, so how do I get my GPO to copy the application.msi as is, so that at the next opportunity it can be installed from the local disk?
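An added example (not from the question or the answer) of the staging approach described above, written as a PowerShell startup script: it copies the MSI into C:\localapps when the share is reachable, restricts that folder to SYSTEM and Administrators (the MSI will later run as SYSTEM, so standard users must not be able to replace the file), and installs only when the local copy matches an approved SHA-256. The share path, log path and hash value are placeholders, not values from the post.

```powershell
# Added example, not from the original post: stage application.msi locally
# at startup and install it from the local copy once verified.
# $Source, $Log and $ExpectedSha256 are assumed/placeholder values.

$Source         = '\\MYDOMAIN\NETLOGON\Apps\application.msi'   # assumed share path
$StageDir       = 'C:\localapps'
$Staged         = Join-Path $StageDir 'application.msi'
$Log            = Join-Path $env:ProgramData 'localapps-install.log'
# SHA-256 of the approved installer, published alongside the GPO (placeholder)
$ExpectedSha256 = '<SHA256-OF-APPROVED-MSI>'

function Write-Log ($Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $Log
}

# 1. Create the staging folder and hide it. Because msiexec will later run the
#    staged file as SYSTEM, drop inherited ACEs and grant access only to
#    SYSTEM and Administrators so ordinary users cannot swap the installer.
if (-not (Test-Path $StageDir)) {
    New-Item -Path $StageDir -ItemType Directory | Out-Null
    $acl = Get-Acl -Path $StageDir
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $StageDir -AclObject $acl
    (Get-Item -Path $StageDir).Attributes = 'Directory, Hidden'
}

# 2. Copy only when the share is reachable (VPN clients may not be connected
#    yet). A failed copy is logged and simply retried at the next startup.
if (Test-Path $Source) {
    try {
        Copy-Item -Path $Source -Destination $Staged -Force -ErrorAction Stop
        Write-Log "Copied $Source to $Staged"
    } catch {
        Write-Log "Copy failed: $($_.Exception.Message)"
    }
} else {
    Write-Log "Share not reachable; skipping copy"
}

# 3. Install from the local copy only if it matches the approved hash, so a
#    tampered or partially copied file is never executed as SYSTEM.
if (Test-Path $Staged) {
    $actual = (Get-FileHash -Path $Staged -Algorithm SHA256).Hash
    if ($actual -eq $ExpectedSha256) {   # -eq is case-insensitive in PowerShell
        $p = Start-Process -FilePath 'msiexec.exe' `
             -ArgumentList "/i `"$Staged`" /qn /norestart /l*v `"$Log.msi.txt`"" `
             -Wait -PassThru
        Write-Log "msiexec exit code $($p.ExitCode)"
    } else {
        Write-Log "Hash mismatch for $Staged (got $actual); not installing"
    }
}
```

Assign this as a Computer Configuration startup script so it runs as SYSTEM on every boot; on a VPN-only client the copy step fails silently until a boot where the share is reachable, after which the install proceeds from disk. The hash check is what makes a locally cached installer safe to run with SYSTEM privileges, and the ACL on C:\localapps is what keeps the cached file from being replaced between the copy and the install.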
Embarrassingly, it turned out to be the Intrusion Detection System in my client antivirus, ESET Endpoint Security, blocking any access to executables on what it thought was an untrusted SMB network connection.
I've modified the organisational policy to disable this particular test for files on the Domain Controllers (none of which is on the same LAN as any of the client computers) and all seems well.