[wix-users] Least privileged user account patching without UAC elevation
Neil Hayes
Neil.Hayes at syspro.com
Fri Sep 16 00:07:43 PDT 2016
I just can't get this to work... totally frustrating.
Our dummy project has this:
<!-- Certificate that the patch must be signed with for LUA (non-elevated) patching -->
<PatchCertificates>
    <DigitalCertificate Id="Cert" SourceFile="mycertificate.pfx" />
</PatchCertificates>
The pfx certificate is valid (sha256) and doesn't expire for another year.
On building the MSI, the following 2 tables are created and populated:
MsiDigitalCertificate
MsiPatchCertificate
ALLUSERS property is set to 1
The MSI does not have external CAB files
The MSI is signed with the same certificate
When you install, it asks for elevation and deploys - as expected.
Patch created, signed with the same certificate. Asks for elevation (now frustrated). Patch works if I elevate and install.
MSI (c) (E0:6C) [07:39:10:239]: SOFTWARE RESTRICTION POLICY: Verifying patch --> 'C:\Dummy\Digital\patch\HF001.msp' against software restriction policy
MSI (c) (E0:6C) [07:39:10:240]: SOFTWARE RESTRICTION POLICY: C:\Dummy\Digital\patch\HF001.msp has a digital signature
MSI (c) (E0:6C) [07:39:10:275]: SOFTWARE RESTRICTION POLICY: C:\Dummy\Digital\patch\HF001.msp is permitted to run at the 'unrestricted' authorization level.
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisablePatch' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'AllowLockdownPatch' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableMsi' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (E0:6C) [07:39:10:378]: User policy value 'AlwaysInstallElevated' is 0
MSI (c) (E0:6C) [07:39:10:378]: Product {8985D4B0-D759-4E34-AB18-1C494780FF7A} is admin assigned: LocalSystem owns the publish key.
MSI (c) (E0:6C) [07:39:10:378]: Product {8985D4B0-D759-4E34-AB18-1C494780FF7A} is managed.
MSI (c) (E0:6C) [07:39:10:378]: Running product '{8985D4B0-D759-4E34-AB18-1C494780FF7A}' with elevated privileges: Product is assigned.
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableLUAPatching' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (c) (E0:6C) [07:39:10:378]: Validating digital signature of file 'C:\Dummy\Digital\patch\HF001.msp'
MSI (c) (E0:6C) [07:39:10:384]: Certificate of signed file 'C:\Dummy\Digital\patch\HF001.msp' differs in size with the certificate authored in the package
ACTION part of the log:
MSI (s) (B8:98) [07:39:12:926]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (B8:98) [07:39:12:927]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (B8:98) [07:39:12:927]: Validating digital signature of file 'C:\WINDOWS\Installer\48349a30.msp'
MSI (s) (B8:98) [07:39:12:931]: Certificate of signed file 'C:\WINDOWS\Installer\48349a30.msp' differs in size with the certificate authored in the package
I've looked at lots of posts where people have the same issue but I haven't found one that comes to a working conclusion.
Do I need something like the property "MSIDEPLOYMENTCOMPLIANT"?
The primary install writes to HKLM\Software\Company, but does not deploy to Program Files or install a service.
Testing is on a simple Windows 10 VM (standalone).
No group policies applied or local software settings.
I'm using a pfx file; should it work with a pfx file?
I see the MEDIA node also makes provision for a digital signature (but for external CAB files); mine is embedded.
Why am I doing this?
In the environment where this is deployed, for a large number of companies, getting an 'Admin' requires booking time, sometimes a month in advance, regardless of whether the company comes to a grinding halt in a fraction of its business.
Please - What am I missing?
Neil
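The log line "Certificate of signed file ... differs in size with the certificate authored in the package" describes a byte-for-byte comparison: Windows Installer takes the DER-encoded X.509 certificate from the patch's Authenticode signature and compares it with the CertData stream in the MSI's MsiDigitalCertificate table. A .pfx file is a PKCS#12 container (certificate plus private key, usually password-wrapped), not a bare certificate, so whatever WiX copies from it into CertData is a different object with a different length than the signer certificate on the .msp. The script below is an added diagnostic that is not part of the original post or of WiX: it reads the authored CertData blobs out of the MSI via the WindowsInstaller.Installer COM object, checks which of them MsiPatchCertificate references, and compares each with the signer of the patch. The paths `$MsiPath` and `$MspPath` are hypothetical and supplied by the caller; the script assumes Windows with the Installer COM object registered (it always is on a machine with MSI support).

```powershell
# Added diagnostic (not from the original post): compare the certificate(s) authored in an MSI's
# MsiDigitalCertificate table with the Authenticode signer of an .msp. Assumes Windows with the
# WindowsInstaller.Installer COM object; $MsiPath and $MspPath are caller-supplied, hypothetical paths.

function Invoke-ComMethod {
    param($Object, [string]$Name, [object[]]$Arguments = $null)
    # The Installer objects are IDispatch-only; late binding via InvokeMember is the reliable route
    return $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $Arguments)
}

function Get-ComProperty {
    param($Object, [string]$Name, [object[]]$Arguments = $null)
    return $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $Arguments)
}

function Get-MsiRows {
    # Runs a SELECT against the MSI database and returns each fetched Record object
    param($Database, [string]$Query)
    $view = Invoke-ComMethod $Database 'OpenView' @($Query)
    Invoke-ComMethod $view 'Execute' | Out-Null
    while ($true) {
        $record = Invoke-ComMethod $view 'Fetch'
        if ($null -eq $record) { break }
        $record
    }
    Invoke-ComMethod $view 'Close' | Out-Null
}

function Get-MsiAuthoredCertificates {
    param([Parameter(Mandatory)][string]$MsiPath)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = msiOpenDatabaseModeReadOnly

    # Which DigitalCertificate ids does MsiPatchCertificate actually point at?
    $referenced = @()
    foreach ($r in Get-MsiRows $db 'SELECT `DigitalCertificate_` FROM `MsiPatchCertificate`') {
        $referenced += Get-ComProperty $r 'StringData' @(1)
    }

    foreach ($r in Get-MsiRows $db 'SELECT `DigitalCertificate`, `CertData` FROM `MsiDigitalCertificate`') {
        $id   = Get-ComProperty $r 'StringData' @(1)
        $size = Get-ComProperty $r 'DataSize' @(2)
        # msiReadStreamBytes (2): each character of the returned string carries one raw byte
        $raw   = Invoke-ComMethod $r 'ReadStream' @(2, $size, 2)
        $chars = $raw.ToCharArray()
        $bytes = New-Object byte[] $chars.Length
        for ($i = 0; $i -lt $chars.Length; $i++) { $bytes[$i] = [byte][int]$chars[$i] }

        # A bare DER/PEM certificate parses here; a PKCS#12 (.pfx) blob normally does not
        $parsed = $null
        try { $parsed = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes) } catch { }

        [pscustomobject]@{
            Id               = $id
            Length           = $bytes.Length
            ParsesAsCert     = [bool]$parsed
            Thumbprint       = if ($parsed) { $parsed.Thumbprint } else { $null }
            UsedForPatching  = $referenced -contains $id
        }
    }
}

function Compare-PatchSignerToAuthored {
    param([Parameter(Mandatory)][string]$MsiPath, [Parameter(Mandatory)][string]$MspPath)
    $sig = Get-AuthenticodeSignature -FilePath $MspPath
    if ($sig.Status -ne 'Valid') { Write-Warning "Patch signature status is '$($sig.Status)'" }
    $signer = $sig.SignerCertificate
    if (-not $signer) { throw "No Authenticode signer certificate found on $MspPath" }
    Write-Host ("Patch signer: {0}, {1} bytes DER" -f $signer.Thumbprint, $signer.RawData.Length)

    foreach ($c in Get-MsiAuthoredCertificates -MsiPath $MsiPath) {
        $match = $c.ParsesAsCert -and $c.Thumbprint -eq $signer.Thumbprint -and $c.Length -eq $signer.RawData.Length
        $state = if (-not $c.ParsesAsCert) { 'not a bare certificate (PKCS#12 or other container?)' }
                 elseif ($match)            { 'matches patch signer' }
                 else                       { 'different certificate' }
        Write-Host ("Authored '{0}': {1} bytes, referenced by MsiPatchCertificate={2}: {3}" -f `
            $c.Id, $c.Length, $c.UsedForPatching, $state)
    }
}

# Usage (paths are placeholders):
# Compare-PatchSignerToAuthored -MsiPath 'C:\Dummy\Digital\Product.msi' -MspPath 'C:\Dummy\Digital\patch\HF001.msp'
```

The two conditions the installer's LUA patching check needs are both visible in the output: the authored blob must parse as a plain certificate whose thumbprint and DER length equal the patch signer's, and MsiPatchCertificate must reference that row. A row that is the right size but unreferenced, or a referenced row that does not parse as a certificate, each explain an elevation prompt without any policy being involved.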