Policy CSP - ADMX_MSI
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
AllowLockdownBrowse
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownBrowse
This policy setting allows users to search for installation files during privileged installations.
- If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges.
Because the installation is running with elevated system privileges, users can browse through directories that their own permissions wouldn't allow.
This policy setting doesn't affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting.
- If you disable or don't configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AllowLockdownBrowse |
| Friendly Name | Allow users to browse for source while elevated |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | AllowLockdownBrowse |
| ADMX File Name | MSI.admx |
AllowLockdownMedia
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownMedia
This policy setting allows users to install programs from removable media during privileged installations.
- If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges.
This policy setting doesn't affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.
- If you disable or don't configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.
Also, see the "Prevent removable media source for any install" policy setting.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AllowLockdownMedia |
| Friendly Name | Allow users to use media source while elevated |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | AllowLockdownMedia |
| ADMX File Name | MSI.admx |
AllowLockdownPatch
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownPatch
This policy setting allows users to patch elevated products.
If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use.
If you disable or don't configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
This policy setting doesn't affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AllowLockdownPatch |
| Friendly Name | Allow users to patch elevated products |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | AllowLockdownPatch |
| ADMX File Name | MSI.admx |
DisableAutomaticApplicationShutdown
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableAutomaticApplicationShutdown
This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update.
If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior.
The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible.
The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used.
The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection.
If you disable or don't configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableAutomaticApplicationShutdown |
| Friendly Name | Prohibit use of Restart Manager |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
DisableBrowse
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableBrowse
This policy setting prevents users from searching for installation files when they add features or components to an installed program.
- If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures.
This policy setting applies even when the installation is running in the user's security context.
- If you disable or don't configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
This policy setting affects Windows Installer only. It doesn't prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files.
Also, see the "Enable user to browse for source while elevated" policy setting.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableBrowse |
| Friendly Name | Remove browse dialog box for new source |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisableBrowse |
| ADMX File Name | MSI.admx |
DisableFlyweightPatching
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableFlyweightPatching
This policy setting controls the ability to turn off all patch optimizations.
If you enable this policy setting, all Patch Optimization options are turned off during the installation.
If you disable or don't configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableFlyweightPatching |
| Friendly Name | Prohibit flyweight patching |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
DisableLoggingFromPackage
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableLoggingFromPackage
This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package.
If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior.
The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property.
The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy.
If you disable or don't configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableLoggingFromPackage |
| Friendly Name | Turn off logging via package settings |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
DisableMedia
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMedia
This policy setting prevents users from installing any programs from removable media.
- If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature can't be found.
This policy setting applies even when the installation is running in the user's security context.
- If you disable or don't configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableMedia |
| Friendly Name | Prevent removable media source for any installation |
| Location | User Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisableMedia |
| ADMX File Name | MSI.admx |
DisableMSI
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMSI
This policy setting restricts the use of Windows Installer.
If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.
The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy isn't configured.
The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy isn't configured.
The "Always" option indicates that Windows Installer is disabled.
This policy setting affects Windows Installer only. It doesn't prevent users from using other methods to install and upgrade programs.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableMSI |
| Friendly Name | Turn off Windows Installer |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
DisablePatch
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisablePatch
This policy setting prevents users from using Windows Installer to install patches.
- If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use.
Note
This policy setting applies only to installations that run in the user's security context.
- If you disable or don't configure this policy setting, by default, users who aren't system administrators can't apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs.
Also, see the "Enable user to patch elevated products" policy setting.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisablePatch |
| Friendly Name | Prevent users from using Windows Installer to install updates and upgrades |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisablePatch |
| ADMX File Name | MSI.admx |
DisableRollback_1
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_1
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders.
- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableRollback_1 |
| Friendly Name | Prohibit rollback |
| Location | User Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisableRollback |
| ADMX File Name | MSI.admx |
DisableRollback_2
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_2
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders.
- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableRollback_2 |
| Friendly Name | Prohibit rollback |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisableRollback |
| ADMX File Name | MSI.admx |
DisableSharedComponent
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableSharedComponent
This policy setting controls the ability to turn off shared components.
If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table.
If you disable or don't configure this policy setting, by default, the shared component functionality is allowed.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableSharedComponent |
| Friendly Name | Turn off shared components |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisableSharedComponent |
| ADMX File Name | MSI.admx |
MSI_DisableLUAPatching
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableLUAPatching
This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users.
If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications.
If you disable or don't configure this policy setting, users without administrative privileges can install non-administrator updates.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MSI_DisableLUAPatching |
| Friendly Name | Prohibit non-administrators from applying vendor signed updates |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisableLUAPatching |
| ADMX File Name | MSI.admx |
MSI_DisablePatchUninstall
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisablePatchUninstall
This policy setting controls the ability for users or administrators to remove Windows Installer based updates.
This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed can't be removed by users or administrators.
If you enable this policy setting, updates can't be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that's no longer applicable to the product.
If you disable or don't configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context".
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MSI_DisablePatchUninstall |
| Friendly Name | Prohibit removal of updates |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | DisablePatchUninstall |
| ADMX File Name | MSI.admx |
MSI_DisableSRCheckPoints
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableSRCheckPoints
This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files.
If you enable this policy setting, the Windows Installer doesn't generate System Restore checkpoints when installing applications.
If you disable or don't configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MSI_DisableSRCheckPoints |
| Friendly Name | Turn off creation of System Restore checkpoints |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | LimitSystemRestoreCheckpointing |
| ADMX File Name | MSI.admx |
MSI_DisableUserInstalls
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableUserInstalls
This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want.
If you don't configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product.
If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MSI_DisableUserInstalls |
| Friendly Name | Prohibit User Installs |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
MSI_EnforceUpgradeComponentRules
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_EnforceUpgradeComponentRules
This policy setting causes the Windows Installer to enforce strict rules for component upgrades.
- If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following:
(1) Remove a component from a feature.
This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component.
(2) Add a new feature to the top or middle of an existing feature tree.
The new feature must be added as a new leaf feature to an existing feature tree.
- If you disable or don't configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MSI_EnforceUpgradeComponentRules |
| Friendly Name | Enforce upgrade component rules |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | EnforceUpgradeComponentRules |
| ADMX File Name | MSI.admx |
MSI_MaxPatchCacheSize
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_MaxPatchCacheSize
This policy controls the percentage of disk space available to the Windows Installer baseline file cache.
The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied.
- If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache.
If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed.
If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache.
- If you disable or don't configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MSI_MaxPatchCacheSize |
| Friendly Name | Control maximum size of baseline file cache |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
MsiDisableEmbeddedUI
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MsiDisableEmbeddedUI
This policy setting controls the ability to prevent embedded UI.
If you enable this policy setting, no packages on the system can run embedded UI.
If you disable or don't configure this policy setting, embedded UI is allowed to run.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MsiDisableEmbeddedUI |
| Friendly Name | Prevent embedded UI |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | MsiDisableEmbeddedUI |
| ADMX File Name | MSI.admx |
MSILogging
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSILogging
Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume.
When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want.
To disable logging, delete all of the letters from the box.
If you disable or don't configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap".
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | MSILogging |
| Friendly Name | Specify the types of events Windows Installer records in its transaction log |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
SafeForScripting
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/SafeForScripting
This policy setting allows Web-based programs to install software on the computer without notifying the user.
If you disable or don't configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation.
If you enable this policy setting, the warning is suppressed and allows the installation to proceed.
This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | SafeForScripting |
| Friendly Name | Prevent Internet Explorer security prompt for Windows Installer scripts |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | SafeForScripting |
| ADMX File Name | MSI.admx |
SearchOrder
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MSI/SearchOrder
This policy setting specifies the order in which Windows Installer searches for installation files.
If you disable or don't configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).
If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search:
"n" represents the network;
"m" represents media;
"u" represents URL, or the Internet.
To exclude a file source, omit or delete the letter representing that source type.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | SearchOrder |
| Friendly Name | Specify the order in which Windows Installer searches for installation files |
| Location | User Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| ADMX File Name | MSI.admx |
TransformsSecure
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/TransformsSecure
This policy setting saves copies of transform files in a secure location on the local computer.
Transform files consist of instructions to modify or customize a program during installation.
If you enable this policy setting, the transform file is saved in a secure location on the user's computer.
If you don't configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation.
This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files.
If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile.
If you don't configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or isn't connected to the network.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | TransformsSecure |
| Friendly Name | Save copies of transform files in a secure location on workstation |
| Location | Computer Configuration |
| Path | Windows Components > Windows Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Installer |
| Registry Value Name | TransformsSecure |
| ADMX File Name | MSI.admx |