enter display name here enter description here Allow users to browse for source while elevated This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow. This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. Allow users to use media source while elevated This policy setting allows users to install programs from removable media during privileged installations. If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. Also, see the "Prevent removable media source for any install" policy setting. Allow users to patch elevated products This policy setting allows users to patch elevated products. If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. Always install with elevated privileges This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. Restart Manager On Restart Manager Off Restart Manager Off for Legacy App Setup Always Prohibit use of Restart Manager This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. -- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. -- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. -- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. Remove browse dialog box for new source This policy setting prevents users from searching for installation files when they add features or components to an installed program. If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. This policy setting applies even when the installation is running in the user's security context. If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. Also, see the "Enable user to browse for source while elevated" policy setting. Prohibit flyweight patching This policy setting controls the ability to turn off all patch optimizations. If you enable this policy setting, all Patch Optimization options are turned off during the installation. If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. Disable logging via package settings off Disable logging via package settings on Turn off logging via package settings This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. -- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. -- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. Prevent removable media source for any installation This policy setting prevents users from installing any programs from removable media. If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. This policy setting applies even when the installation is running in the user's security context. If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. Turn off Windows Installer This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. -- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. -- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. -- The "Always" option indicates that Windows Installer is disabled. This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. Never For non-managed applications only Prevent users from using Windows Installer to install updates and upgrades This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. Note: This policy setting applies only to installations that run in the user's security context. If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to patch elevated products" policy setting. Prohibit rollback This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. Allow user control over installs This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed. Windows Installer Allow User Installs Prohibit non-administrators from applying vendor signed updates This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. Prohibit removal of updates This policy setting controls the ability for users or administrators to remove Windows Installer based updates. This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." Turn off creation of System Restore checkpoints This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. Prohibit User Installs This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. Enforce upgrade component rules This policy setting causes the Windows Installer to enforce strict rules for component upgrades. If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: (1) Remove a component from a feature. This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. (2) Add a new feature to the top or middle of an existing feature tree. The new feature must be added as a new leaf feature to an existing feature tree. If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. Hide User Installs Control maximum size of baseline file cache This policy controls the percentage of disk space available to the Windows Installer baseline file cache. The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache. If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed. If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache. If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. Specify the types of events Windows Installer records in its transaction log Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. To disable logging, delete all of the letters from the box. If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." Patch Optimization Off Patch Optimization On Prevent Internet Explorer security prompt for Windows Installer scripts This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. If you enable this policy setting, the warning is suppressed and allows the installation to proceed. This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. Specify the order in which Windows Installer searches for installation files This policy setting specifies the order in which Windows Installer searches for installation files. If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: -- "n" represents the network; -- "m" represents media; -- "u" represents URL, or the Internet. To exclude a file source, omit or delete the letter representing that source type. Microsoft Windows XP or Windows 2000 with Windows Installer v2.0 Windows Installer v3.0 Windows Installer v4.0 Windows Installer v4.5 Save copies of transform files in a secure location on workstation This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructions to modify or customize a program during installation. If you enable this policy setting, the transform file is saved in a secure location on the user's computer. If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files. If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. Turn off shared components This policy setting controls the ability to turn off shared components. If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. Prevent embedded UI This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no packages on the system can run embedded UI. If you disable or do not configure this policy setting, embedded UI is allowed to run. This policy setting must be set for the machine and the user to be enforced. This policy setting must be set for the machine and the user to be enforced. Prohibit Usage of Restart Manager Prohibit Flyweight Patching Disable logging via package settings Disable Windows Installer This policy setting may be set for the machine or for the user. This policy setting may be set for the machine or for the user. User Install Behavior: Baseline file cache maximum size iweap To activate logging, enter one or more of the modes below. "iwearucmpvox" will log everything but adds time to the install. i - Status messages w - Non-fatal warnings e - All error messages a - Start up of actions r - Action-specific records u - User requests c - Initial UI parameters m - Out-of-memory p - Terminal properties v - Verbose output o - Out of disk space messages x - Extra debugging information nmu n = network, m = media (CD), u = URL A few valid examples: nmu, n, nu, mn