Machine Policies

The following machine policies can be configured under:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Policy Value data type Description
AlwaysInstallElevated
REG_DWORD
If this policy value is set to 1 and the corresponding user value is also set, the installer always installs with elevated privileges.
Otherwise, the installer uses elevated privileges to install managed applications and uses the current user's privilege level for unmanaged applications.
AllowLockdownBrowse
REG_DWORD
If this policy value is set to 1, non-administrative users can browse for new sources while running an installation at elevated privileges. The default is that only administrators can browse for sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.
AllowLockdownMedia
REG_DWORD
If this policy value is set to 1, non-administrative users can use media sources, such as a CD-ROM, while running an installation at elevated privileges. The default is that only administrators can use media sources during an elevated installation. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.
AllowLockdownPatch
REG_DWORD
If this per-machine system policy value is not set, only administrators can patch existing products that were installed at elevated privileges. If this policy value is set to 1, non-administrative users can, in some cases, apply patches to products while running an installation using elevated privileges. With the policy set, the patch can install minor upgrades while running an installation using elevated privileges; the patch cannot install major upgrades. Setting this policy also enables non-administrative users to run programs at LocalSystem privileges during an elevated installation.
Debug
REG_DWORD
If this policy value exists and is set to 1, the installer writes common debugging messages to the debugger using the OutputDebugString function. If this value exists and is set to 2, the installer writes all valid debugging messages to the debugger using the OutputDebugString function.
This policy is for debugging purposes only and may not be supported in future versions of Windows Installer.
DisableAutomaticApplicationShutdown
REG_DWORD
If this policy value exists and is set to 1, Windows Installer does not interact with Restart Manager but will use the FilesInUse Dialog functionality.
Windows Installer 3.1 and earlier: Not supported.
DisableBrowse
REG_DWORD
If this policy value exists and is set to 1, users are prevented from browsing to locate installer sources. The Use feature from combo box for direct input is locked and the Browse button is disabled. For more information about source browsing, see Source Resiliency.
DisableFlyWeightPatching
REG_DWORD
If this per-machine system policy value is set to 1, all Patch Optimization options are turned off during the installation.
Windows Installer 2.0: Not supported.
DisableLUAPatching
REG_DWORD
If this per-machine system policy value is set to 1, the installer prevents non-administrators from using least-privileged account (LUA) patching on any application installed on the computer. When this value is not set or is 0, non-administrators can apply LUA patches to LUA-enabled applications.
DisableMSI
REG_DWORD
If this policy value is set to 0, is absent, or any number other than 1 or 2, the effect on the Windows Installer depends on the operating system. On Windows Server 2003, Windows Installer is enabled for managed applications and disabled for unmanaged application installs. On Windows XP the Windows Installer is enabled for all applications.
If this policy value is set to 0, Windows Installer is enabled for all applications. All install operations are allowed.
If this policy value is set to 1, Windows Installer is disabled for unmanaged applications but is still enabled for managed applications. Non-elevated per-user installations are blocked. Per-user elevated and per-machine installs are allowed.
If this policy value is set to 2, Windows Installer is always disabled for all applications. No installs are allowed including repairs, reinstalls, or on-demand installations.
DisablePatch
REG_DWORD
If this policy value is set to 1, the installer does not apply patches. This policy can be used to provide security in environments where patching must be restricted.
DisablePatchUninstall
REG_DWORD
If this policy value is set to 1, patches cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove patches that are no longer applicable to a product.
Windows Installer 2.0: Not supported.
DisableRollback
REG_DWORD
If this policy value is set to 1, the installer does not store rollback files during installation, disabling installation rollback. By default, rollback is enabled. Administrators are advised not to use this policy unless it is absolutely essential.
DisableSharedComponent
REG_DWORD
If this per-machine system policy is set to 1, no package on the system gets the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component table.
DisableUserInstalls
REG_DWORD
If this policy value is not set, the installer searches the registry for products in the following order: managed products that are registered as per-user, unmanaged products that are registered as per-user, and finally products that are registered as per-machine.
If this policy value is set to 1, the installer ignores all products that are registered as per-user and only searches for products that are registered as per-machine. An attempt to perform a per-user installation causes the installer to display an error message and stops the installation.
EnforceUpgradeComponentRules
REG_DWORD
Set this policy value to 1 to apply upgrade component rules during small updates and minor upgrades of all products on the computer.
Windows Installer 2.0: Not supported.
EnableAdminTSRemote
REG_DWORD
Setting this policy enables administrators to perform installations from a client session of a server running the Terminal Server role service.
EnableUserControl
REG_DWORD
If this policy value is set to 1, then the installer can pass all public properties to the server side during a managed installation using elevated privileges. Setting this policy has the same effect as setting the EnableUserControl property.
LimitSystemRestoreCheckpointing
REG_DWORD
This policy turns off the creation of checkpoints by Windows Installer.
If the policy value is set to 0 or absent, Windows Installer does normal checkpointing for install or uninstall.
If the policy value is set to 1, Windows Installer creates no checkpoints.
Logging
REG_SZ
This policy value is used only if logging has not been enabled by the "/L" command-line option or MsiEnableLog. If a policy is set in this case, a log file is created in the temp directory with the random name: MSI*.LOG. Specify the logging mode by setting the policy value to a string of characters. Use the same characters to specify logging mode policy as used by the "/L" command-line option. For more information, see Command Line Options. Note that you cannot use "+" and "*" for the policy.
MaxPatchCacheSize
REG_DWORD
If this policy value is set to a value greater than 0, Windows Installer saves old versions of patched files in a cache. Set the value to the maximum percentage of disk space that can be used for the file cache. For example, a value of 15 sets the maximum to 15%. Set to 0 to save no files. When this policy is not set, the default is 10%.
MsiDisableEmbeddedUI
REG_DWORD
To disable embedded UI handlers on the computer, set this policy value to 1.
Windows Installer 4.0 and earlier: Not supported.
SafeForScripting
REG_DWORD
If this policy value is set to 1, users are not prompted when scripts use installer automation within a Web page. This may be useful for Web-based tools but can allow silent installations of applications without user knowledge or consent.
TransformsSecure
REG_DWORD
Setting the TransformsSecure policy value to 1 informs the installer that transforms are to be cached locally on the user's computer in a location where the user does not have write access.
DisableLoggingFromPackage
REG_DWORD
Set this policy value to 1 to disable the logging specified for the package by the MsiLogging property for all users of the computer.
Windows Installer 3.1 and earlier: Not supported.
WinHttpAutoLogonLevel
REG_SZ
The automatic logon (auto-logon) policy determines when it is acceptable to include the default credentials in a request to the server. Windows 8 and Windows Server 2012: This policy requires Windows Installer running on Windows 8 or Windows Server 2012 and is unavailable on all earlier versions of Windows.
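
An added example, not part of the original reference: a Python audit of saved `reg query` output for the key above, flagging the values whose descriptions in this table let non-administrators install or run code with elevated privileges, install silently, or lose rollback. The sample output is constructed, and the function names and finding texts are this example's own.

```python
import re

# Finding texts paraphrase the descriptions in the table above.
RISKY_WHEN_ONE = {
    "AlwaysInstallElevated": "always elevated if the per-user value is also set",
    "AllowLockdownBrowse": "non-admins browse sources, run programs at LocalSystem",
    "AllowLockdownMedia": "non-admins use media sources, run programs at LocalSystem",
    "AllowLockdownPatch": "non-admins patch elevated products, run programs at LocalSystem",
    "EnableUserControl": "all public properties passed to the elevated server side",
    "SafeForScripting": "web-page scripts can drive installs without a prompt",
    "DisableRollback": "no rollback files stored; advised against unless essential",
}

# `reg query` prints each value as: <indent>Name    REG_TYPE    Data
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {name: (type, data)}; the unindented key-path line is skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values

def audit(text):
    """Return [(policy, reason)] for values that deserve review."""
    findings = []
    for name, (rtype, data) in parse_reg_query(text).items():
        if name not in RISKY_WHEN_ONE:
            continue
        if rtype != "REG_DWORD":
            findings.append((name, f"type {rtype}, documented as REG_DWORD"))
        elif int(data, 0) == 1:  # reg.exe shows DWORDs as 0x1
            findings.append((name, RISKY_WHEN_ONE[name]))
    return findings

# Constructed sample, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
    AllowLockdownBrowse    REG_DWORD    0x0
    EnableUserControl    REG_SZ    1
    TransformsSecure    REG_DWORD    0x1
    Logging    REG_SZ    iwe
"""

if __name__ == "__main__":
    for policy, reason in audit(SAMPLE):
        print(f"{policy}: {reason}")
```

Because AlwaysInstallElevated only takes effect when the corresponding user value is also set, a finding for it should be followed by a check of the per-user policy.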