What is Windows Installer – Tutorial 3

Windows Installer Policy – User

Windows Installer user policy settings can be found in the registry under

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

Or managed in GPO under

User Configuration > Policies > Administrative Templates > Windows Components > Windows Installer

User Group Policy Management

The following table describes what each value (setting) shown in the image above controls.

| Value name | Value data type | Description |
|---|---|---|
| AlwaysInstallElevated | REG_DWORD | If this value is set to “1” and the corresponding computer value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user’s privilege level for nonmanaged applications. |
| DisableMedia | REG_DWORD | If the DisableMedia policy is set to “1”, users and administrators running a maintenance installation of one product are prevented from using the Browse Dialog to browse media sources, such as CD-ROM, for the sources of other installable products. Browsing for other products is prevented regardless of whether the installation is with elevated privileges. It is still possible for the user to reinstall the product from media if the user has a correctly labelled media source. |
| DisableRollback | REG_DWORD | If this value is set to “1”, the installer will not store rollback files during installation, disabling installation rollback. By default, rollback is enabled. Administrators are advised not to use this policy unless it is absolutely essential. |
| SearchOrder | REG_SZ | Order in which the installer searches the three different types of sources: “n” – network; “m” – media (CD-ROM or DVD); “u” – URL (Uniform Resource Locator). For example, a value of “nmu” instructs the installer to search network sources first, media sources second, and URL sources last. Leaving out a letter removes the corresponding volume type from the search. The default order in the absence of this value is network first, then media, followed by URL. |
| TransformsAtSource | REG_DWORD | If this value exists and is set to “1”, the installer searches for transform files in the root of any network sources in the source list for the product. By default, transforms are stored in the Application Data folder of a user’s profile. |

Windows Installer Policy – Machine

Windows Installer machine policy

Windows Installer machine policy settings can be found in the registry under

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Or managed in GPO under

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer

Group Policy Values and Descriptions – Machine

| Policy | Value data type | Description |
|---|---|---|
| AlwaysInstallElevated | REG_DWORD | If this policy value is set to 1 and the corresponding user value is also set, the installer always installs with elevated privileges. Otherwise, the installer uses elevated privileges to install managed applications and uses the current user’s privilege level for unmanaged applications. |
| AllowLockdownBrowse | REG_DWORD | If this policy value is set to 1, non-administrative users can browse for new sources while running an installation at elevated privileges. The default is that only administrators can browse for sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation. |
| AllowLockdownMedia | REG_DWORD | If this policy value is set to 1, non-administrative users can use media sources, such as a CD-ROM, while running an installation at elevated privileges. The default is that only administrators can use media sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation. |
| AllowLockdownPatch | REG_DWORD | If this per-machine system policy value is not set, only administrators can patch existing products that were installed at elevated privileges. If this policy value is set to 1, non-administrative users can, in some cases, apply patches to products while running an installation using elevated privileges. With the policy set, the patch can install minor upgrades while running an installation using elevated privileges; the patch cannot install major upgrades. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation. |
| Debug | REG_DWORD | If this policy value exists and is set to 1, the installer writes common debugging messages to the debugger using the OutputDebugString function. If this value exists and is set to 2, the installer writes all valid debugging messages to the debugger using the OutputDebugString function. This policy is for debugging purposes only and may not be supported in future versions of Windows Installer. |
| DisableAutomaticApplicationShutdown | REG_DWORD | If this policy value exists and is set to 1, Windows Installer does not interact with Restart Manager but will use the FilesInUse Dialog functionality. Windows Installer 3.1 and earlier: Not supported. |
| DisableBrowse | REG_DWORD | If this policy value exists and is set to 1, users are prevented from browsing to locate installer sources. The Use feature from combo box for direct input is locked and the Browse button is disabled. For more information about source browsing, see Source Resiliency. |
| DisableFlyWeightPatching | REG_DWORD | If this per-machine system policy value is set to 1, all Patch Optimization options are turned off during the installation. Windows Installer 2.0: Not supported. |
| DisableLUAPatching | REG_DWORD | If this per-machine system policy value is set to 1, the installer prevents non-administrators from using least-privileged account (LUA) patching to any application installed on the computer. When this value is not set or 0, non-administrators can apply LUA patches to LUA-enabled applications. |
| DisableMSI | REG_DWORD | If this policy value is set to 0, is absent, or any number other than 1 or 2, the effect on the Windows Installer depends on the operating system. On Windows Server 2003, Windows Installer is enabled for managed applications and disabled for unmanaged application installs. On Windows XP the Windows Installer is enabled for all applications. If this policy value is set to 0, Windows Installer is enabled for all applications. All install operations are allowed. If this policy value is set to 1, Windows Installer is disabled for unmanaged applications but is still enabled for managed applications. Non-elevated per-user installations are blocked. Per-user elevated and per-machine installs are allowed. If this policy value is set to 2, Windows Installer is always disabled for all applications. No installs are allowed including repairs, reinstalls, or on-demand installations. |
| DisablePatch | REG_DWORD | If this policy value is set to 1, the installer does not apply patches. This policy can be used to provide security in environments where patching must be restricted. |
| DisablePatchUninstall | REG_DWORD | If this policy value is set to 1, patches cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove patches that are no longer applicable to a product. Windows Installer 2.0: Not supported. |
| DisableRollback | REG_DWORD | If this policy value is set to 1, the installer does not store rollback files during installation, disabling installation rollback. By default, rollback is enabled. Administrators are advised not to use this policy unless it is absolutely essential. |
| DisableSharedComponent | REG_DWORD | If this per-machine system policy is set to 1, no package on the system gets the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component table. |
| DisableUserInstalls | REG_DWORD | If this policy value is not set, the installer searches the registry for products in the following order: managed products that are registered as per-user, unmanaged products that are registered as per-user, and finally products that are registered as per-machine. If this policy value is set to 1, the installer ignores all products that are registered as per-user and only searches for products that are registered as per-machine. An attempt to perform a per-user installation causes the installer to display an error message and stops the installation. |
| EnforceUpgradeComponentRules | REG_DWORD | Set this policy value to 1 to apply upgrade component rules during small updates and minor upgrades of all products on the computer. Windows Installer 2.0: Not supported. |
| EnableAdminTSRemote | REG_DWORD | Setting this policy enables administrators to perform installations from a client session of a server running the Terminal Server role service. |
| EnableUserControl | REG_DWORD | If this policy value is set to 1, then the installer can pass all public properties to the server side during a managed installation using elevated privileges. Setting this policy has the same effect as setting the EnableUserControl property. |
| LimitSystemRestoreCheckpointing | REG_DWORD | This policy turns off the creation of checkpoints by Windows Installer. If the policy value is set to 0 or absent, Windows Installer does normal checkpointing for install or uninstall. If the policy value is set to 1, Windows Installer creates no checkpoints. |
| Logging | REG_SZ | This policy value is used only if logging has not been enabled by the “/L” command-line option or MsiEnableLog. If a policy is set in this case, a log file is created in the temp directory with the random name: MSI*.LOG. Specify the logging mode by setting the policy value to a string of characters. Use the same characters to specify logging mode policy as used by the “/L” command-line option. For more information, see Command Line Options. Note that you cannot use “+” and “*” for the policy. |
| MaxPatchCacheSize | REG_DWORD | If this policy value is set to a value greater than 0, Windows Installer saves old versions of patched files in a cache. Set the value to the maximum percentage of disk space that can be used for the file cache. For example, a value of 15 sets the maximum to 15%. Set to 0 to save no files. When this policy is not set, the default is 10%. |
| MsiDisableEmbeddedUI | REG_DWORD | To disable embedded UI handlers on the computer, set this policy value to 1. Windows Installer 4.0 and earlier: Not supported. |
| SafeForScripting | REG_DWORD | If this policy value is set to 1, users are not prompted when scripts use installer automation within a Web page. This may be useful for Web-based tools but can allow silent installations of applications without user knowledge or consent. |
| TransformsSecure | REG_DWORD | Setting the TransformsSecure policy value to 1 informs the installer that transforms are to be cached locally on the user’s computer in a location where the user does not have write access. |
| DisableLoggingFromPackage | REG_DWORD | Set this policy value to 1 to disable the logging specified for the package by the MsiLogging property for all users of the computer. Windows Installer 3.1 and earlier: Not supported. |
| WinHttpAutoLogonLevel | REG_SZ | The automatic logon (auto-logon) policy determines when it is acceptable to include the default credentials in a request to the server. Windows 8 and Windows Server 2012: This policy requires Windows Installer running on Windows 8 or Windows Server 2012 and is unavailable on all earlier versions of Windows. |
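
A read-only audit of the values from the user and machine tables above that carry the most security weight, added here as an example (it is not code from the original tutorial). The registry paths and value names are the ones listed on this page; the function name Get-InstallerPolicy and the finding texts are illustrative.

```powershell
# Added example: read-only audit of the Windows Installer policy values
# described in the user and machine tables. Nothing is written to the registry.
$sub = 'Software\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicy {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Returns value name -> data; an absent key yields an empty table.
    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    $values
}

$machine  = Get-InstallerPolicy "HKLM:\$sub"
$user     = Get-InstallerPolicy "HKCU:\$sub"
$findings = @()

# AlwaysInstallElevated takes effect only when BOTH hives hold 1.
$aieM = $machine['AlwaysInstallElevated'] -eq 1
$aieU = $user['AlwaysInstallElevated'] -eq 1
if ($aieM -and $aieU) {
    $findings += [pscustomobject]@{ Scope = 'Machine+User'; Value = 'AlwaysInstallElevated'
        Reason = 'Installer always installs with elevated privileges' }
} elseif ($aieM -or $aieU) {
    $findings += [pscustomobject]@{ Scope = 'One hive only'; Value = 'AlwaysInstallElevated'
        Reason = 'Not in effect yet; only the corresponding value in the other hive is missing' }
}

# Machine values the table describes as widening what non-administrators can do.
$risky = [ordered]@{
    AllowLockdownBrowse = 'Non-admins can browse for sources during an elevated install'
    AllowLockdownMedia  = 'Non-admins can use media sources during an elevated install'
    AllowLockdownPatch  = 'Non-admins can patch products installed with elevated privileges'
    EnableUserControl   = 'All public properties are passed to the elevated server side'
    SafeForScripting    = 'Scripts in a web page can use installer automation without a prompt'
}
foreach ($name in $risky.Keys) {
    if ($machine[$name] -eq 1) {
        $findings += [pscustomobject]@{ Scope = 'Machine'; Value = $name; Reason = $risky[$name] }
    }
}
# TransformsSecure = 1 keeps cached transforms where the user cannot write.
if ($machine['TransformsSecure'] -ne 1) {
    $findings += [pscustomobject]@{ Scope = 'Machine'; Value = 'TransformsSecure'
        Reason = 'Not set to 1: transforms are not forced into a non-user-writable cache' }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No flagged Windows Installer policy values.' }
```

Run it in the context of the user being assessed, because HKCU resolves to the caller's own hive.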

 

Do you want to know the “3 common vendor installer types”? Then check out more in our next tutorial.

“What is Windows Installer – Tutorial 1”

“What is Windows Installer – Tutorial 2”

“Understanding Vendor Installers – Tutorial 1”

New to Application Packaging? Check out some more of our online tutorials.

Author: Geoffrey Regalado

With a career spanning over 10 years specialising as an Application Delivery Systems and Application Packaging engineer, I have worked on various enterprise projects as a technical lead and consultant. As a specialist trainer in MSI, application virtualisation and layering technologies, I am also a tech evangelist in the field.

 

 

 

 

 

 
