Insert Uninstaller (MSI or EXE)

Endpoint Privilege Management for Windows allows standard users to uninstall Microsoft Software Installers (MSIs) and executables (EXEs) that would normally require local admin rights.

When the Uninstaller application type is added to an Application Group and assigned to an Application Rule in the Endpoint Privilege Management for Windows policy, the end user can uninstall applications using Programs and Features or, in Windows 10, Apps and Features.

The Uninstaller application type allows you to uninstall any EXE or MSI when it is associated with an Application Rule. Because uninstalling requires admin rights, set the access token to Add Full Admin when you target the Application Group in the Application Rules.

The Uninstaller type must be associated with an Application Rule. It does not apply to On-Demand Application Rules.

You cannot use the Uninstaller application type to uninstall BeyondTrust Endpoint Privilege Management for Windows or the BeyondTrust EPM Adapter, irrespective of your user rights. The anti-tamper mechanism built into Endpoint Privilege Management for Windows prevents users from uninstalling it, and an uninstall attempt fails with an error message.

If a user attempts to use Endpoint Privilege Management for Windows to modify its own installation (for example, to uninstall it) and does not have an anti-tamper token applied, the default behavior for that user applies. For example, if Windows UAC is configured, the associated Windows prompt is displayed.

If you want to allow users to uninstall either BeyondTrust's Endpoint Privilege Management for Windows or the BeyondTrust EPM Adapter, you can do this by either:

  • Logging in as a full administrator
  • Elevating the Programs and Features control panel (or other controlling application) using a Custom access token that has anti-tamper disabled.

For more information, see Anti-Tamper Protection.

Upgrade Considerations

Any pre-5.7 Uninstaller Application Groups that match all uninstallations are automatically upgraded to File or Folder Name matches * when the Policy Editor loads them. Endpoint Privilege Management for Windows honors these upgraded rules.

Pre-5.7 versions of Endpoint Privilege Management for Windows no longer match the upgraded rules; in these cases, the behavior is that of the native operating system.

If you do not want the native operating system behavior for uninstallers, please ensure that your clients are upgraded to the latest version before you deploy any policy which contains upgraded uninstaller rules.

  1. Select the Application Group you want to add the uninstaller to.
  2. Right-click and select Insert Application > Uninstaller.
  3. Enter a description, if required. By default, this is the name of the application you're inserting.
  4. Click Browse File to select an uninstaller file and populate the available matching criteria for the selected uninstaller file.
  5. Configure the matching criteria for the executable. You can configure:
    • File or Folder Name matches
    • Product Name matches
    • Publisher matches
    • Upgrade Code matches
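
Before choosing an uninstaller file in step 4, or when reviewing what a File or Folder Name * rule covers, it helps to list the uninstall entries present on a client. The following PowerShell is an added example, not part of the BeyondTrust documentation or product; it reads the standard Windows per-machine uninstall registry keys, and the function name Get-UninstallInventory is hypothetical. It assumes these registry values only help locate candidate uninstaller files; the matching criteria themselves are still populated by Browse File.

```powershell
# Added example (not BeyondTrust code): inventory the per-machine uninstall
# entries that Programs and Features shows, from the standard Windows registry keys.
# Per-user (HKCU) entries are not covered here.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-UninstallInventory {
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            # Programs and Features hides entries that lack a display name or an
            # uninstall command, or that are flagged SystemComponent = 1.
            Where-Object {
                $_.DisplayName -and $_.UninstallString -and $_.SystemComponent -ne 1
            } |
            ForEach-Object {
                # WindowsInstaller = 1 marks an MSI product; its key name is the ProductCode GUID.
                $isMsi = ($_.WindowsInstaller -eq 1)
                [pscustomobject]@{
                    Type            = if ($isMsi) { 'MSI' } else { 'EXE' }
                    DisplayName     = $_.DisplayName
                    Publisher       = $_.Publisher
                    KeyName         = $_.PSChildName
                    UninstallString = $_.UninstallString
                }
            }
    }
}

$inventory = @(Get-UninstallInventory | Sort-Object Type, Publisher, DisplayName)

# Review list: the uninstall entries to consider before deploying a match-all (*) rule.
$inventory | Format-Table Type, DisplayName, Publisher -AutoSize | Out-Host

# Uninstall commands for EXE-based entries, to locate the uninstaller file on disk.
$inventory | Where-Object Type -eq 'EXE' |
    Format-List DisplayName, UninstallString | Out-Host
```

Entries for security or management tooling in this list are the ones to check first when a policy still contains a match-all uninstaller rule with the Add Full Admin token.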