Chained MSI installation fails in Device Guard Enforced mode

Murali, Priya 21 Reputation points
2021-05-12T11:58:23.763+00:00

I have an installer (msi), where the App2 installer is embedded in the App1 installer - a chained installer.
On a regular Windows 10 machine, when I install App1, both App1 and App2 get installed in their respective installation paths.

Now, in a Device Guard environment, in Audit mode, I ran the installer for App1, and both App1 and App2 got installed. But the Event Viewer, under Code Integrity, had logs for the App1 binaries and not for the App2 binaries.
As a result, even after creating the audit policy and deploying Device Guard in Enforced mode, my installation rolls back when App2 is being installed.
I collected installation logs, and when the App2 installation starts, I see the below error code:
"MainEngineThread is returning 1625"
Note: I also used the PackageInspector and created the relevant catalog file.

I need help here, to know, why the App2 binaries were not captured in the Event viewer during Audit mode.
Is the chained installer not supported or is there a different way to audit such installers?
Guidance here, to unblock this situation, is much appreciated.

I have followed the links to create the code integrity policies and the catalog files:
https://blogs.technet.microsoft.com/ukplatforms/2017/04/04/getting-started-with-windows-10-device-guard-part-1-of-2/

https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/getting-started-with-windows-10-device-guard-part-2-of-2/


1 answer

  1. Jenny Feng 14,081 Reputation points
    2021-05-13T02:33:05.523+00:00

    @Murali, Priya
    Hi,
    Error #1625 is a Windows error that comes up during installation if a security policy on the computer has been enabled. You can adjust the setting to allow you to install but you will have to login as an Administrator to make the changes.

    Try the following method:
    Click on Start and type gpedit.msc then press Enter
    Select Administrative Templates under Computer Configuration
    Double-click on Windows Components-Windows Installer
    Go to Turn off Windows Installer and double-click on it to change the current state. Enabled means installation is restricted, resulting in Error #1625.
    Select Not Configured and click OK to save the changes
    Click OK on the error prompt and retry installing.

    Hope the above information can help you.

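The checks below are an added PowerShell example, not code from the question or from the answer above. They cover both parts of this thread from the defender side: the "Turn off Windows Installer" policy that the answer walks through in gpedit.msc (read via its registry-backed DisableMSI value instead of the GUI), the Code Integrity operational log the question refers to (audit-mode event 3076 and enforced-mode block event 3077, so you can see which image paths the policy actually evaluated and whether any App2 file ever appears), and a check of whether the files in a folder are matched by an installed catalog. The event-data field names FileNameBuffer and ProcessNameBuffer, and the folder names App1 and App2, are assumptions.

```powershell
# Added example for this thread (not the question's or the answer's own code).

# 1. "Turn off Windows Installer" (Computer Configuration > Administrative Templates >
#    Windows Components > Windows Installer) is stored as the DisableMSI value under
#    this policy key. Absent = Not Configured, 0 = Never, 1 = for non-managed
#    applications only, 2 = Always (installs fail with 1625).
function Get-WindowsInstallerPolicyState {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $value = (Get-ItemProperty -Path $key -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
    if ($null -eq $value) { return 'Not Configured (Windows Installer allowed)' }
    switch ($value) {
        0       { 'Enabled: Never (Windows Installer allowed)' }
        1       { 'Enabled: For non-managed applications only' }
        2       { 'Enabled: Always (Windows Installer turned off)' }
        default { "Unknown DisableMSI value: $value" }
    }
}

# 2. Code Integrity writes one event per image it would block (3076, audit mode) or
#    did block (3077, enforced mode). Listing them and filtering on a folder name shows
#    which files were evaluated; if App2's binaries never appear here in audit mode,
#    the audit run did not see them and the policy built from it cannot allow them.
#    Field names FileNameBuffer / ProcessNameBuffer are assumed; the rendered Message
#    is used as a fallback if they are absent.
function Get-CodeIntegrityAuditEvents {
    param(
        [string]$PathFilter = '',   # e.g. 'App2' (assumed folder-name fragment)
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = $xml.Event.EventData.Data
            $file = ($data | Where-Object { $_.Name -eq 'FileNameBuffer' }).'#text'
            $proc = ($data | Where-Object { $_.Name -eq 'ProcessNameBuffer' }).'#text'
            if (-not $file) { $file = $_.Message }   # fallback: localized message text
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Mode    = if ($_.Id -eq 3076) { 'Audit' } else { 'Enforced' }
                File    = $file
                Process = $proc
            }
        } |
        Where-Object { $PathFilter -eq '' -or $_.File -like "*$PathFilter*" }
}

# 3. After installing the catalog produced by PackageInspector, each binary it covers
#    should report SignatureType 'Catalog' (or 'Authenticode' if embedded-signed).
#    Anything reporting 'None' is not covered and will be blocked in enforced mode.
function Test-CatalogCoverage {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status
                SignatureType = $sig.SignatureType
            }
        }
}

# Usage (run in an elevated PowerShell session; paths are assumed):
Get-WindowsInstallerPolicyState
Get-CodeIntegrityAuditEvents -PathFilter 'App2' | Format-Table -AutoSize
Test-CatalogCoverage -Folder 'C:\Program Files\App2' | Where-Object SignatureType -eq 'None'
```

Run the second function on the audit-mode machine right after the chained install: if it lists App1 paths but nothing under App2, the audit log genuinely lacks App2 and the catalog or policy built from it will not cover those files, which matches the 1625 rollback the question describes. The third function then tells you, file by file, what the installed catalog actually covers.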