[wix-users] Least privileged user account patching without UAC elevation

Hoover, Jacob Jacob.Hoover at greenheck.com
Fri Sep 16 08:56:35 PDT 2016


The original MSI is also signed with the same certificate?

You need to have the public cert in the PatchCertificates table, as well as signing the MSI with that same certificate. Then when you generate the patch, it also needs the same. The certificate can't change from the initial MSI to the patched MSI (without generating a patch to patch in a new certificate). I'd also ensure when signing that you use the timestamp option to ensure your cert still remains valid on older MSIs after the expiration date.

Also, how are you generating your patch?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Neil Hayes
Sent: Friday, September 16, 2016 2:08 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [wix-users] Least privileged user account patching without UAC elevation

I just can't get this to work... totally frustrating.

Our dummy project has this:

<PatchCertificates>
    <DigitalCertificate Id="Cert" SourceFile="mycertificate.pfx" />
</PatchCertificates>


The pfx certificate is valid (sha256) and doesn't expire for another year.
On building the MSI the following 2 tables are created and populated:

MsiDigitalCertificate
MsiPatchCertificate

ALLUSERS property is set to 1

The MSI does not have external CAB files. The MSI is signed with the same certificate.

When you install it, it asks for elevation and deploys, as expected.

Patch created, signed with the same certificate. Asks for elevation (now frustrated). Patch works if I elevate and install.

MSI (c) (E0:6C) [07:39:10:239]: SOFTWARE RESTRICTION POLICY: Verifying patch --> 'C:\Dummy\Digital\patch\HF001.msp' against software restriction policy
MSI (c) (E0:6C) [07:39:10:240]: SOFTWARE RESTRICTION POLICY: C:\Dummy\Digital\patch\HF001.msp has a digital signature
MSI (c) (E0:6C) [07:39:10:275]: SOFTWARE RESTRICTION POLICY: C:\Dummy\Digital\patch\HF001.msp is permitted to run at the 'unrestricted' authorization level.

MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisablePatch' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'AllowLockdownPatch' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableMsi' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (E0:6C) [07:39:10:378]: User policy value 'AlwaysInstallElevated' is 0
MSI (c) (E0:6C) [07:39:10:378]: Product {8985D4B0-D759-4E34-AB18-1C494780FF7A} is admin assigned: LocalSystem owns the publish key.
MSI (c) (E0:6C) [07:39:10:378]: Product {8985D4B0-D759-4E34-AB18-1C494780FF7A} is managed.
MSI (c) (E0:6C) [07:39:10:378]: Running product '{8985D4B0-D759-4E34-AB18-1C494780FF7A}' with elevated privileges: Product is assigned.
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableLUAPatching' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (c) (E0:6C) [07:39:10:378]: Validating digital signature of file 'C:\Dummy\Digital\patch\HF001.msp'
MSI (c) (E0:6C) [07:39:10:384]: Certificate of signed file 'C:\Dummy\Digital\patch\HF001.msp' differs in size with the certificate authored in the package

ACTION part of the log:

MSI (s) (B8:98) [07:39:12:926]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (B8:98) [07:39:12:927]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (B8:98) [07:39:12:927]: Validating digital signature of file 'C:\WINDOWS\Installer\48349a30.msp'
MSI (s) (B8:98) [07:39:12:931]: Certificate of signed file 'C:\WINDOWS\Installer\48349a30.msp' differs in size with the certificate authored in the package


I've looked at lots of posts where people have the same issue but I haven't found one that comes to a working conclusion.

Do I need something like the property "MSIDEPLOYMENTCOMPLIANT"?
The primary install writes to HKLM\Software\Company, but is not deployed to Program Files and does not install a service.
Testing is on a simple Windows 10 VM (standalone). No group policies applied or local software settings. I'm using a pfx file; should it work with a pfx file?
I see the MEDIA node also makes provision for a digital signature (but for external CAB files); mine is embedded.

Why am I doing this?

In the environment where this is deployed, for a large number of companies getting an 'Admin' requires booking time, sometimes a month in advance, regardless of whether the company comes to a grinding halt in a fraction of its business.

Please - What am I missing?

Neil
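The log's "differs in size with the certificate authored in the package" line is the engine comparing the patch's Authenticode signer against the CertData blobs in the MSI's MsiDigitalCertificate table; the script below is an added diagnostic (not from the thread, WiX or Windows Installer) that reads both sides and reports whether they agree. The .msi path is an assumed placeholder, the .msp path is the one from Neil's log, and it relies only on the built-in WindowsInstaller COM object and Get-AuthenticodeSignature.

```powershell
param(
    [string]$MsiPath = 'C:\Dummy\Digital\Product.msi',     # assumed placeholder
    [string]$MspPath = 'C:\Dummy\Digital\patch\HF001.msp'  # path taken from the log
)
# WindowsInstaller.Installer is IDispatch-only, so call it late-bound.
function Invoke-Com($obj, $name, $arguments) {
    $obj.GetType().InvokeMember($name, 'InvokeMethod', $null, $obj, $arguments)
}
function Get-ComProp($obj, $name, $arguments) {
    $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $arguments)
}

# 1. The certificate that actually signed the patch, as bare DER X.509 bytes.
$sig = Get-AuthenticodeSignature -FilePath $MspPath
if ($sig.Status -ne 'Valid') { throw "Patch signature status: $($sig.Status)" }
$signerDer = $sig.SignerCertificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
"Patch signer: {0} ({1} bytes DER)" -f $sig.SignerCertificate.Thumbprint, $signerDer.Length

# 2. Every blob authored into MsiDigitalCertificate (what the engine compares against).
$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = Invoke-Com $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = read-only
$view = Invoke-Com $db 'OpenView' @('SELECT `DigitalCertificate`, `CertData` FROM `MsiDigitalCertificate`')
Invoke-Com $view 'Execute' $null | Out-Null

$matched = $false
while ($null -ne ($rec = Invoke-Com $view 'Fetch' $null)) {
    $id   = Get-ComProp $rec 'StringData' @(1)
    $size = Get-ComProp $rec 'DataSize'   @(2)
    # msiReadStreamBytes (1) returns the binary column as one character per byte.
    $raw      = Invoke-Com $rec 'ReadStream' @(2, $size, 1)
    $authored = [byte[]][char[]]$raw
    try {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$authored)
        $thumb = $cert.Thumbprint
    } catch {
        # A PFX/PKCS#12 or other container will land here: it is not a bare certificate.
        $thumb = '(blob does not parse as a bare X.509 certificate)'
    }
    "Authored '{0}': {1} bytes, {2}" -f $id, $authored.Length, $thumb
    if ($thumb -eq $sig.SignerCertificate.Thumbprint) { $matched = $true }
}
if ($matched) { 'OK: the patch signer is authored in the package.' }
else { 'MISMATCH: no authored blob equals the patch signer (compare the sizes above with the log line).' }
```

Run it on the MSI that was built and on the signed .msp; a size that differs from the signer's DER length, or a blob that does not parse as a certificate, is what the engine reports before it falls back to asking for elevation.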

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
