Platform SDK: Windows Installer

Machine Policies

The following machine policies can be configured under:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Value Value data type Description
AlwaysInstallElevated REG_DWORD If this value is set to "1" and the corresponding user value is also set, the installer always installs with elevated privileges.

Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for non-managed applications.

AllowLockdownBrowse REG_DWORD If this policy value is set to "1", non-administrative users can browse for new sources while running an installation at elevated privileges. The default is that only administrators can browse for sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.

This policy not available with Windows Installer version 1.0.

AllowLockdownMedia REG_DWORD If this policy value is set to "1", non-administrative users can use media sources, such as a CD-ROM, while running an installation at elevated privileges. The default is that only administrators can use media sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.

This policy not available with Windows Installer version 1.0.

AllowLockdownPatch REG_DWORD If this per-machine system policy is not set, only administrators can patch existing products that were installed at elevated privileges. If set to "1", non-administrative users can, in some cases, apply patches to products while running an installation using elevated privileges. With the policy set, the patch can install minor upgrades while running an installation using elevated privileges, the patch cannot install major upgrades. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation. This policy not available with Windows Installer version 1.0.
Debug REG_DWORD If this value exists and is set to "1", the installer writes common debugging messages to the debugger using the OutputDebugString function. If this value exists and is set to "2", the installer writes all valid debugging messages to the debugger using the OutputDebugString function. This policy is for debugging purposes only and may not be supported in future versions of Windows Installer.
DisableBrowse REG_DWORD If this value exists and is set to "1", users are prevented from browsing to locate installer sources. The "Use feature from:" combo box for direct input is locked and the "Browse..." button is disabled. See the source resiliency topic for more details on source browsing.
DisableMSI REG_DWORD If this value exists and is set to "2", the installer is always disabled for all applications.

If this value is set to "1", the installer is disabled for non-managed applications but is still enabled for managed applications.

If this value is set to "0", any other number, or is absent, the installer is always enabled.

DisablePatch REG_DWORD If this value is set to "1" the installer does not apply patches. This policy can be used to provide security in environments where patching must be restricted.
DisableRollback REG_DWORD If this value is set to "1", the installer does not store rollback files during installation, disabling installation rollback. By default, rollback is enabled. Administrators are advised to not use this policy unless it is absolutely essential.

This policy is not available with Windows Installer version 1.0.

DisableUserInstalls REG_DWORD If this policy is not set, the installer searches the registry for products in the following order: managed products registered as per-user, unmanaged products registered as per-user, and finally products registered as per-machine.

If this policy is set to 1, the installer ignores all products registered as per-user and only searches for products registered as per-machine. An attempt to perform a per-user installation causes the installer to display an error message and stops the installation.

Available with Windows Installer version 2.0 and later versions.

EnableAdminTSRemote REG_DWORD Setting this policy enables administrators to perform installations from Terminal Server client sessions.

This policy is not available with Windows Installer version 1.0. This policy is only available with Windows 2000 or later.

EnableUserControl REG_DWORD If this value is set to 1, then the installer can pass all public properties to the server side during a managed installation using elevated privileges. Setting this policy has the same effect as setting the EnableUserControl property.
LimitSystemRestoreCheckpointing REG_SZ Turns off the creation of checkpoints by Windows Installer.

Set to 0 or absent, Windows Installer does normal checkpointing for install or uninstall.

Set to 1, Windows Installer creates no checkpoints.

Available with Windows Installer version 2.0 and later.

Logging REG_SZ This policy is used only if logging has not been enabled by the "/L" command line option or MsiEnableLog. If policy is set in this case, a log file is created in the temp directory with the random name: MSI*.LOG. Specify the logging mode by setting the policy value to a string of characters. Use the same characters to specify logging mode policy as used by the '/L' command line option. See Command Line Options. Note that you cannot use "+" and "*" for the policy.
SafeForScripting REG_DWORD If this value is set to "1", users are not prompted when scripts use installer automation within a web page. This may be useful for web based tools but can allow silent installations of applications without user knowledge or consent.
TransformsSecure REG_DWORD Setting the TransformsSecure policy to 1 informs the installer that transforms are to be cached locally on the user's computer in a location where the user does not have write access.

This policy is not available with Windows Installer version 1.0.