Insert Installer Packages

Privilege Management for Windows allows standard users to install and uninstall Windows Installer packages that would normally require local admin rights. Privilege Management for Windows supports the following package types:

  • Microsoft Software Installers (MSI)
  • Microsoft Software Updates (MSU)
  • Microsoft Software Patches (MSP)

When a Windows Installer package is added to an Application Group and assigned to an Application Rule or On-Demand Application Rule, the action applies both to installation of the file and to uninstallation via Add/Remove Programs or Programs and Features.

By default, elevation of software uninstalls is disabled in Privilege Management for Windows. When this feature is enabled, the Repair option is not available for any installed software package that matches a Workstyle. If you want to grant uninstall privileges to users and do not require the Repair option, you can enable MSI Uninstall support by adding the following registry entry:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Client\
DWORD "MsiUninstallFeatureEnabled" = 1

The publisher property of an MSI, MSU, or MSP file may sometimes differ from the publisher property shown in Programs and Features once the package is installed. We therefore recommend that applications targeted using the Match Publisher validation rule are tested for both installation and uninstallation, prior to deployment, using the Privilege Management for Windows Activity Viewer.

Installer packages typically create child processes as part of the overall installation process. We therefore recommend that when you elevate MSI, MSU, or MSP packages, you enable the advanced option Allow child processes will match this application definition.

If you want to apply more granular control over installer packages and their child processes, use the Child Process validation rule to allow or block those processes that you do or do not wish to inherit privileges from the parent software installation.

  1. Select the Application Group you want to add the installer package to.
  2. In the right pane, select Actions > Add Application > Installer Package.
  3. We recommend that you add a Description so that you can identify the installer package in the Application Group table. The Description is not used as matching criteria for the application definition. Alternatively, you can click the Template button to add an installer package from a list of templates.
  4. You need to configure the matching criteria for the installer package. You can configure:
    • File or Folder Name matches
    • Command Line matches
    • Drive matches
    • File Hash (SHA-1 Fingerprint) matches
    • Product Name matches
    • Publisher matches
    • Product Version matches
    • Product Code matches
    • Upgrade Code matches
    • Trusted Ownership matches
    • Application Requires Elevation (UAC)
    • Parent Process matches
    • Source URL matches
    • BeyondTrust Zone Identifier exists
  5. You need to configure the Advanced Options for the application. You can configure:
    • Allow child processes will match this application definition
    • Force standard user rights on File Open/Save common dialogs
  6. Click OK. The application is added to the Application Group.
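The following PowerShell function is an added example, not part of the BeyondTrust documentation or product. It reads from an MSI the values that several of the matching criteria in step 4 refer to (file hash, product name, version, product code, upgrade code) and lists the package's publisher values beside the publisher recorded in Programs and Features, which is the comparison the Match Publisher note above concerns. It covers MSI files only. The function name, the output field names, the sample path, and the assumption that the MSI Manufacturer property or the Authenticode signer is what the Publisher criterion evaluates are not taken from the page, so the Activity Viewer test remains the authoritative check.

```powershell
# Added example (not BeyondTrust code). Opens the MSI read-only; changes nothing.
function Get-MsiMatchCriteria {
    param([Parameter(Mandatory)][string]$Path)

    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Helper for late-bound calls on the Windows Installer COM objects
    $call = { param($obj, $name, $kind, $arguments)
        $obj.GetType().InvokeMember($name, $kind, $null, $obj, $arguments) }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = & $call $installer 'OpenDatabase' 'InvokeMethod' @($Path, 0)   # 0 = read-only
    $view = & $call $db 'OpenView' 'InvokeMethod' @('SELECT `Property`, `Value` FROM `Property`')
    & $call $view 'Execute' 'InvokeMethod' $null | Out-Null

    # Copy the MSI Property table into a hashtable
    $props = @{}
    while ($rec = & $call $view 'Fetch' 'InvokeMethod' $null) {
        $key = & $call $rec 'StringData' 'GetProperty' @(1)
        $props[$key] = & $call $rec 'StringData' 'GetProperty' @(2)
    }
    & $call $view 'Close' 'InvokeMethod' $null | Out-Null
    # Release COM references so the package file is not left locked
    $view, $db, $installer | ForEach-Object {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($_) }

    # Programs and Features entry for this ProductCode, if the package is installed
    $installed = foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        Get-ItemProperty -LiteralPath (Join-Path $root $props['ProductCode']) -ErrorAction SilentlyContinue
    }
    $installedPublisher = if ($installed) { @($installed)[0].Publisher }

    [pscustomobject]@{
        FileName           = Split-Path $Path -Leaf
        Sha1               = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        ProductName        = $props['ProductName']
        ProductVersion     = $props['ProductVersion']
        ProductCode        = $props['ProductCode']
        UpgradeCode        = $props['UpgradeCode']
        Manufacturer       = $props['Manufacturer']   # assumed source of Publisher
        SignerSubject      = (Get-AuthenticodeSignature -LiteralPath $Path).SignerCertificate.Subject
        InstalledPublisher = $installedPublisher      # empty if not installed
    }
}

# Placeholder path; substitute the package under test.
# Get-MsiMatchCriteria -Path 'C:\Temp\example.msi' | Format-List
```

Run it once before installing the package and once after: if InstalledPublisher differs from the value used in the Publisher criterion, test the uninstall path in the Activity Viewer before deployment.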