Prohibit use of Restart Manager

This policy setting controls Windows Installer’s interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update.

If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file-in-use detection behavior:

- The “Restart Manager On” option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart when possible.
- The “Restart Manager Off” option turns off Restart Manager for file-in-use detection, and the legacy file-in-use behavior is used.
- The “Restart Manager Off for Legacy App Setup” option applies to packages that were created for Windows Installer versions earlier than 4.0. This option lets those packages display the legacy files-in-use UI while still using Restart Manager for detection.

If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart when possible.

Always install with elevated privileges

This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.

If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.

If you disable or do not configure this policy setting, the system applies the current user’s permissions when it installs programs that a system administrator does not distribute or offer.

Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.

Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure.
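A check an administrator can run to see where this policy is switched on, following the note that it takes effect only when enabled in both folders. This is an added example, not part of the original policy text; the registry subkey and value name are the standard policy locations for this setting and are not given on the page, and the function names are hypothetical.

```powershell
# Added example: audit "Always install with elevated privileges".
# Assumption: the policy is stored as the DWORD value below under the
# Policies key of the machine hive and of each user hive (not stated on the page).
$SubKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$ValueName = 'AlwaysInstallElevated'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or value is absent
    # (absent corresponds to "not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-AlwaysInstallElevatedReport {
    # Computer Configuration side of the policy.
    $machine = Get-PolicyDword -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey" -Name $ValueName

    # User Configuration side, for every user hive currently loaded.
    # Users who are not logged on are not covered; reading other users'
    # hives requires an elevated session.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $user = Get-PolicyDword -Path "Registry::HKEY_USERS\$sid\$SubKey" -Name $ValueName
            [pscustomobject]@{
                UserSid               = $sid
                ComputerConfiguration = $machine   # blank = not configured
                UserConfiguration     = $user      # blank = not configured
                # Effective only when enabled in both folders (per the note above).
                Effective             = ($machine -eq 1) -and ($user -eq 1)
                # One side enabled: not effective yet, but worth cleaning up.
                PartiallySet          = ($machine -eq 1) -xor ($user -eq 1)
            }
        }
}

Get-AlwaysInstallElevatedReport | Format-Table -AutoSize
```

Any row with Effective set to True means installs by that user run with elevated permissions; rows with PartiallySet set to True show a half-configured policy that should be reset to disabled or not configured.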

Allow users to patch elevated products

This policy setting allows users to patch elevated products.

If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use.

If you disable or do not configure this policy setting, by default only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.

This policy setting does not affect installations that run in the user’s security context. By default, users can install patches to programs that run in their own security context. Also see the “Prohibit patching” policy setting.

Allow users to use media source while elevated

This policy setting allows users to install programs from removable media during privileged installations.

If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. This policy setting does not affect installations that run in the user’s security context. By default, users can install from removable media when the installation runs in their own security context.

If you disable or do not configure this policy setting, by default users can install programs from removable media only when the installation runs in the user’s security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. Also see the “Prevent removable media source for any install” policy setting.

Allow users to browse for source while elevated

This policy setting allows users to search for installation files during privileged installations.

If you enable this policy setting, the Browse button in the “Use feature from” dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow. This policy setting does not affect installations that run in the user’s security context. Also see the “Remove browse dialog box for new source” policy setting.

If you disable or do not configure this policy setting, by default only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.

Configure MSI Corrupted File Recovery behavior

This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:

- Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog box when application reinstallation is required. This is the default recovery behavior on Windows client.
- Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recovery behavior on Windows server.
- Troubleshooting Only: Detection and verification of file corruption will be performed without UI. Recovery is not attempted.

If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only.

If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted.

If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior.

No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh.

Note: This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.

Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider

This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals.

If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is set to Microsoft Corporation.

If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider.

If you do not configure this policy setting, MSDT support mode is enabled by default.

No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.

Microsoft Support Diagnostic Tool: Restrict tool download

This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems, MSDT may prompt the user to download additional tools for troubleshooting. These tools are required to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem.

If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading.

If you disable this policy setting, MSDT never downloads tools and is unable to diagnose problems on remote computers.

If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools.

No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.

This policy setting will take effect only when MSDT is enabled. This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.

Microsoft Support Diagnostic Tool: Configure execution level

This policy setting determines the execution level for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.

If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.

If you disable this policy setting, MSDT cannot gather diagnostic data.

If you do not configure this policy setting, MSDT is turned on by default.

This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.

This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.