Insert Installer Packages

Privilege Management for Windows allows standard users to install and uninstall Windows Installer packages that normally require local admin rights. Privilege Management for Windows supports the following package types:

  • Microsoft Software Installers (MSI)
  • Microsoft Software Updates (MSU)
  • Microsoft Software Patches (MSP)

When a Windows Installer package is added to an Application Group and assigned to an Application Rule or On-Demand Application Rule, the action applies both to installing the file and to uninstalling it through Add/Remove Programs or Programs and Features.

The publisher property of an MSx file may sometimes differ from the publisher property once installed in Programs and Features. We therefore recommend applications targeted using the Match Publisher validation rule be tested for both installation and uninstallation, prior to deployment, using the Privilege Management for Windows Activity Viewer.

Installer packages typically create child processes as part of the overall installation process. When elevating MSI, MSU, or MSP packages, we therefore recommend enabling the advanced option Allow child processes will match this application definition.

If you want to apply more granular control over installer packages and their child processes, use the Child Process validation rule to allowlist or blocklist those processes that you want or do not want to inherit privileges from the parent software installation.

  1. Select the Application Group you want to add the installer package to.
  2. Right-click and select Insert Application > Installer Package.
  3. You can leave the File or Folder Name blank to match on all applications of this type, type in a specific name or path manually, or click Browse File, Browse Folder or Template.
  4. Enter a description, if required. By default, this is the name of the application you're inserting.
  5. You need to configure the matching criteria for the installer package. You can configure:
    • File or Folder Name matches
    • Command Line matches
    • Drive matches
    • File Hash (SHA-1 Fingerprint) matches
    • Product Name matches
    • Publisher matches
    • Product Version matches
    • Product Code matches
    • Upgrade Code matches
    • Trusted Ownership matches
    • Application Requires Elevation (UAC)
    • Parent Process matches
    • Source URL matches
    • BeyondTrust Zone Identifier exists
  6. You need to configure the Advanced Options for the application. You can configure:
    • Allow child processes will match this application definition
    • Force standard user rights on File Open/Save common dialogs
  7. Click OK. The application is added to the Application Group.
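
Before building the rule, the values behind several step 5 criteria (File Hash, Product Name, Publisher, Product Version, Product Code, Upgrade Code) and the installed-versus-file publisher difference described earlier can be collected with PowerShell. This is an added example, not BeyondTrust code: it handles MSI files only, `Get-MsiMatchData` and the sample path are hypothetical, and it does not assume which field the Publisher rule reads, so the Activity Viewer test remains the authority.

```powershell
# Added example, not vendor code. Get-MsiMatchData is a hypothetical helper name.
function Get-MsiMatchData {
    param([Parameter(Mandatory)][string]$Path)

    $Path    = (Resolve-Path -LiteralPath $Path).ProviderPath
    $invoke  = [System.Reflection.BindingFlags]::InvokeMethod
    $getProp = [System.Reflection.BindingFlags]::GetProperty

    # Open the package read-only (mode 0) through the Windows Installer COM API.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', $invoke, $null, $installer, @($Path, 0))

    $out = [ordered]@{ File = $Path }
    foreach ($name in 'ProductName', 'Manufacturer', 'ProductVersion', 'ProductCode', 'UpgradeCode') {
        $sql  = "SELECT Value FROM Property WHERE Property = '$name'"
        $view = $db.GetType().InvokeMember('OpenView', $invoke, $null, $db, @($sql))
        $null = $view.GetType().InvokeMember('Execute', $invoke, $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', $invoke, $null, $view, $null)
        # Fetch returns nothing when the property is absent (UpgradeCode is optional).
        $out[$name] = if ($rec) { $rec.GetType().InvokeMember('StringData', $getProp, $null, $rec, @(1)) }
        $null = $view.GetType().InvokeMember('Close', $invoke, $null, $view, $null)
    }
    $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($installer)

    # File-level values: SHA-1 for the File Hash criterion, signer for comparison.
    $out.Sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $out.SignatureStatus = $sig.Status
    $out.SignerSubject   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }

    # Publisher as shown in Programs and Features, if this product is installed.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $out.InstalledPublisher = $null
    foreach ($root in $roots) {
        $key = "$root\$($out.ProductCode)"
        if ($out.ProductCode -and (Test-Path -LiteralPath $key)) {
            $out.InstalledPublisher = (Get-ItemProperty -LiteralPath $key).Publisher
        }
    }
    # True only when the product is installed and its Publisher differs from the MSI Manufacturer.
    $out.PublisherMismatch = [bool]($out.InstalledPublisher -and $out.InstalledPublisher -ne $out.Manufacturer)
    [pscustomobject]$out
}

# Constructed sample path; replace with the package under test.
Get-MsiMatchData -Path 'C:\Temp\example-installer.msi' | Format-List
```

Run it once against the package file and again after installation: a `PublisherMismatch` of `True`, or a `SignerSubject` that differs from `Manufacturer`, marks a package whose Publisher-based rule needs the install and uninstall test.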