Insert Uninstaller (MSI or EXE)

Privilege Management for Windows allows standard users to uninstall Microsoft Software Installers (MSIs) and Executables (EXEs) that would normally require local admin rights.

When the Uninstaller application type is added to an Application Group and assigned to an Application Rule in the Privilege Management for Windows policy, the user can uninstall applications using Programs and Features or, in Windows 10, Apps and Features.

The Uninstaller application type allows you to uninstall any EXE or MSI when it is associated with an Application Rule. As the process of uninstalling a file requires admin rights, you need to ensure that when you target the Application Group in the Application Rules you set the access token to Add Admin Rights.

The Uninstaller type must be associated with an Application Rule. It does not apply to On-Demand Application Rules.

You cannot use the Uninstaller application type to uninstall BeyondTrust Privilege Management for Windows or the BeyondTrust iC3 Adapter using Privilege Management for Windows irrespective of your user rights. Privilege Management for Windows's anti-tamper mechanism prevents users from uninstalling Privilege Management for Windows, and the uninstall fails with an error message.

If a user attempts to use Privilege Management for Windows to modify the installation of Privilege Management for Windows, for example, uninstall it, and they do not have an anti-tamper token applied, the default behavior for the user is used. For example, if Windows UAC is configured the associated Windows prompt is displayed.

If you want to allow users to uninstall either BeyondTrust Privilege Management for Windows or the BeyondTrust iC3 Adapter, you can do this by either:

  • Logging in as a full administrator
  • Elevating the Programs and Features control panel (or other controlling application) using a Custom Access Token that has anti-tamper disabled.

For more information, please see Edit a Custom Token in a Workstyle.

Upgrade Considerations

Any pre 5.7 Uninstaller Application Groups which matched all uninstallations are automatically upgraded when loaded by the Policy Editor to File or Folder Name matches *. These are honored by Privilege Management for Windows.

Pre 5.7 versions of Privilege Management for Windows no longer match the upgraded rules. The behavior is that of the native operating system in these cases.

If you do not want the native operating system behavior for uninstallers, please ensure that your clients are upgraded to the latest version before you deploy any policy which contains upgraded uninstaller rules.

  1. Select the Application Group you want to add the uninstaller to.
  2. In the right pane, select Actions > Add Application > Uninstaller (msi or exe).
  3. We recommend that you add a Description so that you can identify the uninstaller in the Application Group table. The Description is not used as matching criteria for the application definition.
  4. Configure the matching criteria for the executable. You can configure:
    • File or Folder Name matches
    • Publisher matches
    • Product name matches
    • Upgrade Code matches
  5. The advanced options are selected by default for the uninstaller application type. This cannot be changed.
  6. Click OK. The application is added to the Application Group.