Managing options for computers through Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Windows Installer can be configured by using Group Policy and Active Directory to manage the computer installation options.

The following table shows policies concerned with managing the Group Policy computer options for Windows Installer. To configure these policies, start Group Policy, then in the console tree, click the Windows Installer node.

Where?

  • applicable policy name/Computer Configuration/Administrative Templates/Windows Installer

Policy Details

Disable Windows Installer

Disables or restricts the use of Windows Installer.

This policy can prevent users from installing software on their system, or permit users to install only those programs offered by an administrator.

If you enable this policy, you can use the options in the Disable Windows Installer dialog box to establish an installation policy.

  • Never--Windows Installer is fully enabled. Users can install and upgrade software. Windows Installer is enabled by default in Windows.

  • For non-managed apps only--Users can install only those programs that an administrator assigns (offers on the desktop) or publishes (adds to Add or Remove programs).

  • Always--Windows Installer is disabled.

Note

  • This policy affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.

Always install with elevated privileges

Directs Windows Installer to use system permissions when it installs any program on the system.

This policy extends to all programs the elevated privileges usually reserved for programs that have been assigned to the user (offered on the desktop) or the computer (installed automatically), or made available in Add or Remove programs in Control Panel. This policy lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.

If you disable this policy, or do not configure it, the system applies the current user's permissions when it installs programs that are not distributed or offered by an administrator.

Note

  • This policy appears in both the Computer Configuration and User Configuration folders. To make this policy effective, you must enable the policy in both folders.

Prohibit rollback

Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.

Prohibit rollback also prevents Windows Installer from recording the original state of the system and frequency of changes it makes during installation, and prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.

This policy is designed to reduce the amount of temporary disk space required to install programs. Prohibit rollback also prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy unless essential.

This policy appears in both the Computer Configuration and User Configuration folders. To make this policy effective, you must enable the policy in both folders.

Remove browse dialog box for new source

Prevents users from searching for installation files when adding features or components to an installed program.

This policy disables the Browse button next to the Use feature from list in the Windows Installer dialog box. Users must select an installation file source from the Use feature from list configured by the administrator.

This policy applies even when the installation is running in the user's security context.

If you disable this policy or do not configure it, the Browse button is enabled when an installation is running in the user's security context, but only administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove programs.

This policy affects Windows Installer only. It does not prevent users from using other browsers, such as Windows Explorer or My Network Places, to search for installation files.

Prohibit patching

Prevents users from installing patches to upgrade their programs.

Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use.

This policy applies only to installations that run in the user's security context. By default, users who are not administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove programs.

Disable IE security prompt for Windows Installer scripts

Allows Web-based programs to install software on the computer without notifying the user.

By default, when a script hosted by an Internet browser attempts to install a program on the system, the system warns the user and prompts the user to either allow or refuse the installation. This policy suppresses the warning and allows the installation to proceed without user intervention.

This policy is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because it might pose a security risk, it should be applied cautiously.

Enable user control over installs

Permits users to change installation options that typically are available only to administrators.

This policy bypasses some of the security features of Windows Installer. It permits installations to complete that otherwise would be halted due to a security violation.

The security features of Windows Installer prevent users from changing installation options that are typically reserved for administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays an error message. These security features operate only when the installation program is running in a privileged security context in which the installation program has access to directories that are denied to the user.

This policy is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevent software from being installed.

Enable user to browse for source while elevated

Permits users to search for installation files during privileged installations.

This policy enables the Browse button on the Use feature from dialog box. Users can search for installation files even when the installation program is running with elevated system privileges. By default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove programs.

Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow.

This policy does not affect installations that run in the user's security context. For more information, see the Remove browse dialog box for new source policy.

Enable user to use media source while elevated

Permits users to install programs from removable media, such as floppy disks and CD-ROMs, during privileged installation.

This policy permits all users to install programs from removable media, even when the installation program is running with elevated system privileges. By default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove programs, only system administrators can install from removable media.

This policy does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.

For more information, see the Prevent removable media source for any install policy in Managing options for users through Group Policy.

Enable user to patch elevated products

Permits users to upgrade programs during privileged installations.

This policy permits all users to install patches, even when the installation program is running with elevated privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use.

By default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove programs.

This policy does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. For more information about prohibiting patch installations, see the Prohibit patching policy.

Allow admin to install from Terminal Services session

Permits Terminal Services administrators to install and configure programs remotely.

By default, system administrators can install programs only when they are logged on to the computer on which the program is being installed. This policy creates a special exception for computers running Terminal Services.

This policy affects system administrators only. Other users cannot install programs remotely.

Cache transforms in secure location on workstation

Copies of transform files are saved in a secure location on the local computer.

Transform files consist of instructions to modify or customize a program during installation. By default, Windows Installer stores transform files in the Application Data directory in the user's profile. When a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer, or isn't connected to the network.

If you enable this policy, the transform file is saved in a secure location on the user's computer instead of in the user profile. Because Windows Installer requires the transform file to repeat an installation in which the transform file was used, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation.

This policy is designed for enterprises that must take special precautions to prevent unauthorized or malicious editing of transform files.

Prohibit User Installs

Allows you to configure user installs. To configure this setting, set it to enabled and use the drop-down list to select the behavior you want.

If this setting is not configured, or if the setting is enabled and Allow User Installs is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product.

If this setting is enabled and Hide User Installs is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.

If this setting is enabled and Prohibit User Installs is selected, the installer prevents applications from being installed per user, and it ignores previously installed per-user applications. An attempt to perform a per-user installation causes the installer to display an error message and stop the installation. This setting is useful in environments where the administrator only wants per-computer applications installed, such as on a kiosk or a Windows Terminal Server.

Turn off creation of System Restore Checkpoints

Stops Windows Installer from generating System Restore checkpoints when installing applications.

System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application.

If you disable this setting or do not configure it, Windows Installer automatically creates a System Restore checkpoint each time an application is installed.

Note

  • This setting only applies to Windows XP Professional.

Logging

Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, msi.log, appears in the systemroot\Temp directory. The Windows Installer logging options are listed in the following table.

To indicate that an event type is recorded, enter the letter representing the event type. You can enter the letters in any order, and list as many or as few event types as you want. To disable logging, delete all of the letters from the box.

If you disable this policy, or do not configure it, Windows Installer logs the default event types, represented by the letters iweap. You can include all possible events in the installation log file by entering iwearucmpvo. However, doing so will add considerable time to the installation process.

Mode   Log entry
i      Status messages
w      Non-fatal warnings
e      All error messages
a      Startup of actions
r      Action-specific records
u      User requests
c      Initial user interface parameters
m      Out-of-memory
p      Terminal properties
v      Verbose output
o      Out of disk space messages
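As an added example (not part of the original Microsoft documentation), the following Python script checks a configured Logging policy value against the letter table above: it flags unrecognised letters, reports which event types are enabled, and warns when the value drops any of the default iweap event types. Case-insensitive matching of the letters is an assumption of this example, and the sample values at the bottom are constructed.

```python
"""Audit a Windows Installer 'Logging' policy value (the letter string
described in the table above) and report what it enables."""

# Log-entry letters and their meanings, from the policy table on this page.
LOG_MODES = {
    "i": "Status messages",
    "w": "Non-fatal warnings",
    "e": "All error messages",
    "a": "Startup of actions",
    "r": "Action-specific records",
    "u": "User requests",
    "c": "Initial user interface parameters",
    "m": "Out-of-memory",
    "p": "Terminal properties",
    "v": "Verbose output",
    "o": "Out of disk space messages",
}

DEFAULT_MODES = "iweap"    # logged when the policy is disabled or not configured
ALL_MODES = "iwearucmpvo"  # every event type; adds considerable install time


def parse_logging_value(value):
    """Return (enabled_letters, unknown_letters) for a policy value.

    Letters may appear in any order; duplicates are collapsed and an empty
    string means logging is turned off. Lower-casing is an assumption here.
    """
    enabled, unknown = [], []
    for ch in value.strip().lower():
        if ch in LOG_MODES:
            if ch not in enabled:
                enabled.append(ch)
        elif ch not in unknown:
            unknown.append(ch)
    return enabled, unknown


def audit_logging_value(value):
    """Summarise a configured value against the page's default and full sets."""
    enabled, unknown = parse_logging_value(value)
    return {
        "logging_off": not enabled,
        "enabled": {c: LOG_MODES[c] for c in enabled},
        "unknown": unknown,
        # Default event types a custom value silently drops (e.g. 'e' = errors).
        "missing_defaults": [c for c in DEFAULT_MODES if c not in enabled],
        "is_full": set(enabled) == set(ALL_MODES),
    }


if __name__ == "__main__":
    for sample in ("iweap", "voicewarmup", "", "iwax"):  # constructed samples
        print(repr(sample), "->", audit_logging_value(sample))
```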