
Chapter 7.3. Windows Installer > Modifying Windows Installer Behavior

Modifying Windows Installer Behavior

There are four locations under Administrative Templates in a GPO that control the behavior of Group Policy and Software installation. Two of the locations, one under User and one under Computer, control the application of GPOs and were dealt with in Chapter 7.2. The other two locations, one under Computer and one under User, control the actions of Windows Installer. Tables 7.3.2 and 7.3.3 list the major settings in these areas that affect the behavior of software installation. You should be careful about making changes in this area. Only the Disable Windows Installer setting will result in more restricted security. All the other settings have the potential to loosen security. Many of them leave potential entry points for virus infection of your network. Finally, some of the settings must be set under both the User and Computer sections of the GPO in order to be effective. These dual settings are noted in the table.

Table 7.3.2. Settings from Computer Configuration\Administrative Components\Windows Components\Windows Installer

Disable Windows Installer
This setting can be used to disable manual use of Windows Installer. After enabling this setting, you can choose between three options:
  • Never. Allows the use of Windows Installer by GPOs and manual invocation by the user.

  • For non-managed apps only. Windows Installer can only be used when invoked by a GPO.

  • Always. Windows Installer is disabled and cannot be used.

This setting will not prevent users from installing apps that do not require use of the Windows Installer.

Always install with elevated privileges
By default, the Windows Installer service account can be used only to install with elevated security privileges when installing published or advertised applications. This setting allows Windows Installer to use the elevated privileges when installing Windows Installer-based applications manually as well. This setting will not be effective unless you set it both in the Computer and User sections of the GPO.

Disable patching
This setting disables the installation of .msp (patch) files by Windows Installer. Because patches replace portions of installed programs, they can be used to introduce virus-contaminated files into a healthy system. Some administrators prefer to avoid this possibility by not processing .msp files.

Disable IE security prompt for Windows Installer scripts
Software installed across the Internet is one of the prime sources of viruses on computers. In order to prevent unauthorized installation, a prompt is generated whenever Windows Installer is invoked in response to a Web link. Companies that use an intranet as a software distribution mechanism may want to use this setting to disable the prompt.

Enable user control over installs
Features chosen for installation by application of an .mst (transform) file cannot normally be overridden during installation by the user. This setting allows users to select or deselect features during an installation started by a GPO.

Logging
This setting is used to change the default options for logging activity of the Windows Installer service. Disabling this setting will not disable logging; instead it will revert logging to the default settings (iweap).
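
One way to audit these settings on a machine, as an added example that is not from the book: the PowerShell below evaluates the registry-backed policy values for the Computer (HKLM) and User (HKCU) sections and reports which loosening settings are in effect, including the both-sections rule for elevated installs. The registry path and value names (DisableMSI, AlwaysInstallElevated, SafeForScripting, EnableUserControl, Logging) do not appear in the text above, the function names are hypothetical, and the sample values are constructed.

```powershell
# Added example: audit the Windows Installer policy values described in Table 7.3.2.
# Assumption: policy values are stored under this subkey in HKLM (Computer) and HKCU (User).
$SubKey = 'Software\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicy([string]$Hive) {
    # Returns a hashtable of the policy values present in one hive (empty if the key is absent).
    $result = @{}
    $path = "${Hive}:\$SubKey"
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        foreach ($name in 'DisableMSI', 'AlwaysInstallElevated', 'SafeForScripting',
                          'EnableUserControl', 'Logging') {
            if ($null -ne $props.$name) { $result[$name] = $props.$name }
        }
    }
    return $result
}

function Test-InstallerPolicy([hashtable]$Computer, [hashtable]$User) {
    $findings = @()
    # Elevated installs take effect only when set in BOTH the Computer and User sections.
    $c = $Computer['AlwaysInstallElevated'] -eq 1
    $u = $User['AlwaysInstallElevated'] -eq 1
    if ($c -and $u) {
        $findings += 'Always install with elevated privileges: ACTIVE (Computer and User)'
    } elseif ($c -or $u) {
        $findings += 'Always install with elevated privileges: set in one section only (not effective)'
    }
    # Disable Windows Installer: 0 = Never, 1 = For non-managed apps only, 2 = Always.
    if ($Computer.ContainsKey('DisableMSI')) {
        $modes = @{ 0 = 'Never'; 1 = 'For non-managed apps only'; 2 = 'Always' }
        $findings += "Disable Windows Installer: $($modes[[int]$Computer['DisableMSI']])"
    }
    # Settings the table describes as loosening the default behavior.
    $labels = [ordered]@{
        SafeForScripting  = 'Disable IE security prompt for Windows Installer scripts'
        EnableUserControl = 'Enable user control over installs'
    }
    foreach ($name in $labels.Keys) {
        if ($Computer[$name] -eq 1) { $findings += "$($labels[$name]): ENABLED (loosens security)" }
    }
    if ($Computer.ContainsKey('Logging')) { $findings += "Logging options: $($Computer['Logging'])" }
    return $findings
}

# Constructed sample values (not from a real machine) so the logic can be checked offline.
Test-InstallerPolicy -Computer @{ AlwaysInstallElevated = 1; DisableMSI = 1 } -User @{ AlwaysInstallElevated = 1 }
# On a Windows host, audit the live policy instead:
# Test-InstallerPolicy -Computer (Get-InstallerPolicy 'HKLM') -User (Get-InstallerPolicy 'HKCU')
```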


