Group Policy Software Installation Extension Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group Policy Software Installation Extension Tools and Settings
In this section
Group Policy Software Installation Extension Tools
Group Policy Software Installation Extension Group Policy Settings and Registry Entries
Related Information
This section summarizes the tools and settings associated with the Group Policy Software installation extension.
Group Policy Software Installation Extension Tools
The following tools are associated with the Group Policy Software installation extension:
InstallShield
Application Experience Lookup Service
Windows Installer
InstallShield
Category
InstallShield products do not ship with Windows.
Version compatibility
InstallShield Corporation creates several tools for building Windows Installer packages that work on all versions of Windows managed by Group Policy. Make sure you use the correct version for the systems that you manage.
InstallShield creates popular tools for developing Windows Installer .msi packages.
Application Experience Lookup Service
Category
The Application Experience Lookup Service is a new service included in Windows Server 2003 with Service Pack 1 (SP1).
Version compatibility
This service is part of an infrastructure that provides a way to apply fixes to applications in order to ensure that they run on newly released Windows operating systems or service packs.
This service needs to be running for the application fixes to work. There are no entry points to this service for customizations and it is for operating system internal use only. There is no out-of-the box communication in the service. This service does not use any Active Directory, network, or internet resources.
The functionality of the service can be disabled though Group Policy settings for application compatibility. When this setting is disabled, the service will continue to run, but there will be no calls made to the service. The service itself cannot be stopped or disabled.
Windows Installer
Category
Windows Installer ships with Microsoft Windows Server 2003 family, Windows XP, Windows 2000, and Windows Millennium Edition (Windows Me). The installer is also provided as a service pack for Microsoft Windows NT version 4.0, Windows 98, and Windows 95.
Version compatibility
Windows Installer version 2.0 adds advanced features and requires Windows NT 4.0 with Service Pack 6 or later, Windows 2000, Windows Me, or Windows XP. Earlier Windows Installer versions require Windows NT 4.0 with Service Pack 3 or later, Windows 2000, or Windows Me.
Windows Installer supports advertisement of applications and features according to operating system. The following table outlines Windows Installer advertisement support on different operating systems.
Group Policy Software Installation Advertisement Support on Different Operating Systems
| Operating System | Advertisement Support |
|---|---|
Windows 2000 Windows XP |
|
Windows 98 Windows Me |
All of the above except CLSID, which is only written when installing an advertised component. Shell and MIME support. |
Microsoft Windows 95 with IE4.01 Service Pack 1 installed with Windows Desktop Update installed (shell32.dll of 4.72.3110.0 or newer) Windows NT 4.0 with IE4.01 Service Pack 1 installed with Windows Desktop Update installed (shell32.dll of 4.72.3110.0 or newer) |
All of the above except CLSID, which is only written when installing an advertised component. Shell and MIME support. |
Windows 95 Windows NT 4.0 (shell32.dll older than 4.72.3110.0) |
Advertisement is not supported by these platforms. |
On Windows 98 or Windows 95 with the updated shell32.dll, advertised shortcuts do not work until the computer is restarted. This only affects the first product that installs the package for Windows Installer. The installation of the product might not require a restart, but any advertised shortcuts do not work until the computer has been restarted. Advertised shortcuts of subsequent installations work without a restart. Conditional statements can check the ShellAdvtSupport property and Version9X property.
Windows Installer is a Windows operating system-based service that reduces the total cost of ownership by allowing administrators to manage the installation, modification, upgrade, and removal of software applications using a standard package format.
Windows Installer includes the operating system-based service, a package format, and an application-programming interface (API) that allows both the operating system and applications to interact with the service to install, modify, or repair the software.
Group Policy Software Installation Extension Group Policy Settings and Registry Entries
In addition to setting configuration options for the application in Properties, you can use several Group Policy settings to control the behavior of Windows Installer and the Add or Remove Programs feature of Windows.
The following tables list the Group Policy settings and associated registry keys that control Windows Installer and Add or Remove Programs. The settings are all part of the System.adm file.
The following table lists the Group Policy Machine settings and associated registry keys that control Windows Installer. These settings are found in these locations:
Group Policy Location: MACHINE\Administrative Templates\Windows Components\Windows Installer
Registry Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Group Policy Settings for Windows Installer (Machine)
| Setting | Description |
|---|---|
Disable Windows Installer |
Disables or restricts the use of Windows Installer. This setting can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. |
Always install with elevated privileges |
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. |
Prohibit rollback |
Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This setting prevents Windows Installer from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. |
Remove browse dialog box for new source |
Prevents users from searching for installation files when they add features or components to an installed program. This setting disables the Browse button beside the Use feature from list in the Windows Installer dialog box. |
Prohibit patching |
Prevents users from using Windows Installer to install patches. |
Disable IE security prompt for Windows Installer scripts |
Allows Web-based programs to install software on the computer without notifying the user. |
Enable user control over installs |
Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer. It permits installations to complete that otherwise would be halted due to a security violation. |
Enable user to browse for source while elevated |
Allows users to search for installation files during privileged installations. This setting enables the Browse button in the Use feature from dialog box. As a result, users can search for installation files, even when the installation program is running with elevated system privileges. |
Enable user to use media source while elevated |
Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during privileged installations. This setting permits all users to install programs from removable media, even when the installation program is running with elevated system privileges. |
Enable user to patch elevated products |
Allows users to upgrade programs during privileged installations. This setting permits all users to install patches, even when the installation program is running with elevated system privileges. |
Allow admin to install from Terminal Services session |
Allows Terminal Services administrators to install and configure programs remotely. |
Cache transforms in secure location on workstation |
Saves copies of transform files in a secure location on the local computer. |
Logging |
Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. |
Prohibit User Installs |
Allows you to configure user installs. This setting is useful in environments where the administrator only wants per-computer applications installed, such as on a kiosk or a Windows Terminal Server. |
Turn off creation of System Restore Checkpoints |
If you disable this setting or do not configure it, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed. |
The following table lists the Group Policy User settings and associated registry keys that control Windows Installer. These settings are found in these locations:
Group Policy Location: USER\Administrative Templates\Windows Components\Windows Installer
Registry Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Group Policy Settings for Windows Installer (User)
| Setting | Description |
|---|---|
Always install with elevated privileges |
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. |
Search order |
Specifies the order in which Windows Installer searches for installation files. |
Prohibit rollback |
Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This setting prevents Windows Installer from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. |
Prevent removable media source for any install |
Prevents users from installing programs from removable media. |
The following table lists the Group Policy User settings and associated registry keys that control Add or Remove Programs. These settings are found in these locations:
Group Policy Location: USER\Administrative Templates\Control Panel\Add or Remove Programs
Registry Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Group Policy Settings for Add or Remove Programs (User)
| Setting | Description |
|---|---|
Remove Add or Remove Programs |
Prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. |
Hide Change or Remove Programs page |
Removes the Change or Remove Programs button from the Add or Remove Programs bar. |
Hide Add New Programs page |
Removes the Add New Programs button from the Add or Remove Programs bar. |
Hide Add/Remove Windows Components page |
Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. |
Hide the Set Program Access and Defaults page |
Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. |
Hide the Add a program from CD-ROM or floppy disk option |
Removes the Add a program from CD-ROM or floppy disk section from the Add New Programs page. |
Hide the Add programs from Microsoft option |
Removes the Add programs from Microsoft section from the Add New Programs page. |
Hide the Add programs from your network option |
Prevents users from viewing or installing published programs. This setting removes the Add programs from your network section from the Add New Programs page. |
Go directly to Components Wizard |
Prevents users from using Add or Remove Programs to configure installed services. This setting removes the Set up services section of the Add/Remove Windows Components page. |
Remove Support Information |
Removes links to the Support Info dialog box from programs on the Change or Remove Programs page. |
Specify default category for Add New Programs |
Specifies the category of programs that appears when users open the Add New Programs page. If you enable this setting, only the programs in the category you specify are displayed when the Add New Programs page opens. |
The following table lists the Group Policy Machine settings and associated registry keys for application compatibility. These settings are found in these locations:
Group Policy Location: MACHINE\Administrative Templates\Windows Components\Application Compatibility
Registry Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Group Policy Settings for Application Compatibility (Machine)
| Setting | Description |
|---|---|
Turn Off Application Compatibility Engine |
Controls the state of the application compatibility engine in the system. |
Turn Off Program Compatibility Wizard |
Controls the state of the Program Compatibility Wizard. When enabled, this setting disables the start page of the wizard in Help and Support, and in the Start menu. |
Remove Program Compatibility Property Page |
Controls the visibility of the Program Compatibility property page shell extension. |
Turn On Application Help Log Events |
Blocks known incompatible applications and displays a dialog to the end-user regarding the problem. |
Prevent access to 16-bit applications |
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. |
The following table lists the Group Policy User settings and associated registry keys for application compatibility. These settings are found in these locations:
Group Policy Location: USER\Administrative Templates\Windows Components\Application Compatibility
Registry Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Group Policy Setting for Application Compatibility (User)
| Setting | Description |
|---|---|
Prevent access to 16-bit applications |
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running for all users. This setting affects the launching of 16-bit applications in the operating system. |
Related Information
The following resources contain additional information that is relevant to this section.
“Group Policy Settings Reference” in the Tools and Settings Collection
“Resource Kit Tools” in the Tools and Settings Collection
“Microsoft Platform SDK” on MSDN for more information about Windows Installer.