| Platform SDK: Windows Installer |
Machine Policies
The following machine policies can be configured under:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
| Value | Value data type | Description |
|---|---|---|
| AlwaysInstallElevated | REG_DWORD | If this value is set to "1" and the corresponding user
value is also set, the installer always installs with elevated privileges.
Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for non-managed applications. |
| AllowLockdownBrowse | REG_DWORD | If this policy value is set to "1", non-administrative
users can browse for new sources while running an installation at elevated
privileges. The default is that only administrators can browse for sources
during an elevated installation. Setting this policy also enables
non-administrative users to run programs at LocalSystem privileges during
an elevated installation.
This policy not available with Windows Installer version 1.0. |
| AllowLockdownMedia | REG_DWORD | If this policy value is set to "1", non-administrative
users can use media sources, such as a CD-ROM, while running an
installation at elevated privileges. The default is that only
administrators can use media sources during an elevated installation.
Setting this policy also enables non-administrative users to run programs
at LocalSystem privileges during an elevated installation.
This policy not available with Windows Installer version 1.0. |
| AllowLockdownPatch | REG_DWORD | If this per-machine system policy is not set, only administrators can patch existing products that were installed at elevated privileges. If set to "1", non-administrative users can, in some cases, apply patches to products while running an installation using elevated privileges. With the policy set, the patch can install minor upgrades while running an installation using elevated privileges, the patch cannot install major upgrades. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation. This policy not available with Windows Installer version 1.0. |
| Debug | REG_DWORD | If this value exists and is set to "1", the installer
writes common debugging messages to the debugger using the |
| DisableBrowse | REG_DWORD | If this value exists and is set to "1", users are prevented from browsing to locate installer sources. The "Use feature from:" combo box for direct input is locked and the "Browse..." button is disabled. See the source resiliency topic for more details on source browsing. |
| DisableMSI | REG_DWORD | If this value exists and is set to "2", the installer is
always disabled for all applications.
If this value is set to "1", the installer is disabled for non-managed applications but is still enabled for managed applications. If this value is set to "0", any other number, or is absent, the installer is always enabled. |
| DisablePatch | REG_DWORD | If this value is set to "1" the installer does not apply patches. This policy can be used to provide security in environments where patching must be restricted. |
| DisableRollback | REG_DWORD | If this value is set to "1", the installer does not store
rollback files during installation, disabling installation rollback. By
default, rollback is enabled. Administrators are advised to not use this
policy unless it is absolutely essential.
This policy is not available with Windows Installer version 1.0. |
| DisableUserInstalls | REG_DWORD | If this policy is not set, the installer searches the
registry for products in the following order: managed products registered
as per-user, unmanaged products registered as per-user, and finally
products registered as per-machine.
If this policy is set to 1, the installer ignores all products registered as per-user and only searches for products registered as per-machine. An attempt to perform a per-user installation causes the installer to display an error message and stops the installation. Available with Windows Installer version 2.0 and later versions. |
| EnableAdminTSRemote | REG_DWORD | Setting this policy enables administrators to perform
installations from Terminal Server client sessions.
This policy is not available with Windows Installer version 1.0. This policy is only available with Windows 2000 or later. |
| EnableUserControl | REG_DWORD | If this value is set to 1, then the installer can pass all public properties to the server side during a managed installation using elevated privileges. Setting this policy has the same effect as setting the EnableUserControl property. |
| LimitSystemRestoreCheckpointing | REG_SZ | Turns off the creation of checkpoints by Windows
Installer.
Set to 0 or absent, Windows Installer does normal checkpointing for install or uninstall. Set to 1, Windows Installer creates no checkpoints. Available with Windows Installer version 2.0 and later. |
| Logging | REG_SZ | This policy is used only if logging has not been enabled by the "/L" command line option or MsiEnableLog. If policy is set in this case, a log file is created in the temp directory with the random name: MSI*.LOG. Specify the logging mode by setting the policy value to a string of characters. Use the same characters to specify logging mode policy as used by the '/L' command line option. See Command Line Options. Note that you cannot use "+" and "*" for the policy. |
| SafeForScripting | REG_DWORD | If this value is set to "1", users are not prompted when scripts use installer automation within a web page. This may be useful for web based tools but can allow silent installations of applications without user knowledge or consent. |
| TransformsSecure | REG_DWORD | Setting the TransformsSecure policy to 1 informs the
installer that transforms are to be cached locally on the user's computer
in a location where the user does not have write access.
This policy is not available with Windows Installer version 1.0. |
'
)
|
|