• Status: Solved
  • Priority: Medium
  • Security: Public

Cannot run silent MSIs with Windows 8 and UAC

Hi - I have created a batch file containing the following to install a package silently:

msiexec /i MyPackage.msi /qn

When I run this it stops after a second or so and there is an error in the event log telling me I do not have permission to install:-

"Product: MyPackage -- Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine.  Log on as administrator and retry this installation."

even though I am domain admin and in the local admin group on the PC.

I have noticed that if I change the MSI switch to /passive it works fine. It also works fine, with no prompts, if I run the MSI manually.
It's only the silent switch that fails.

If I completely disable UAC via the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System - EnableLUA = 0), it works fine, but I need to have UAC on for the Metro apps to work.

I have played around with UAC settings in Group Policy and just cannot get it working.
I have also taken our Windows 7 Group Policy settings for UAC and applied them to the W8 PC and still it's not working.

I have Googled this to death and cannot find any information pointing me to a viable solution.

I have tried multiple different MSIs and get the same problem with all of them.

Please help....

Thanks
naifyboy123
 
John Hurst, Business Consultant (Owner), commented:
I am not certain there is a problem. I have Windows 8 Pro and *every* install of *every* kind will cause UAC to pop up. I do not disable UAC and do not recommend disabling UAC.

So I think you have to install within the given limits of UAC.  

... Thinkpads_User
 
naifyboy123 (Author) commented:
@thinkpads_user - thanks

There must be ways round this, otherwise how can you use an OS in the Enterprise with which you cannot push out silent installations?
 
David Johnson, CD, MVP (Owner) commented:
1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, select the policy that you want, and then click Edit.
4. Under Computer Configuration, expand Software Settings.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi.
   Important: Do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.
7. Click Open.
8. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.
9. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.
10. When the client computer starts, the managed software package is automatically installed.

http://serverfault.com/questions/419931/how-to-silently-install-any-software-across-all-my-office-computers
 
McKnife commented:
Windows 8 has no problems installing MSIs silently via GPO software deployment. What you are doing is invoking the installation manually, which will make the installation run as user and not as the system as it would do with automated software deployment. So if you run it manually you are relying on elevation to function correctly. If it does not, and elevation is not triggered by UAC (and this is what we seem to have here), the package is not compatible with UAC and has to be elevated manually by right-clicking the batch and selecting "Run as administrator".

This is not Windows 8's fault.
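A wrapper that makes the elevation requirement described in the answer above explicit, as an added example that is not part of the thread: it refuses to start `msiexec /qn` from a non-elevated process, writes a verbose log, and checks the exit code. The function names and log path are assumptions; `MyPackage.msi` is the asker's package name.

```powershell
# Added example, not code from the thread. Function names and the log
# location are illustrative assumptions.
function Test-IsElevated {
    # Under UAC an administrator's normal token has the Administrators group
    # marked deny-only, so this returns $true only for an elevated process.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-MsiSilently {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,
        [string]$LogPath = "$env:TEMP\msi-install.log"
    )

    if (-not (Test-IsElevated)) {
        # The thread's failure case: /qn started from a non-elevated prompt
        # ends in Error 1925. Stop early with a clear message instead.
        throw "Not elevated: start this script with 'Run as administrator'."
    }

    $msi     = (Resolve-Path -LiteralPath $MsiPath).Path
    $msiArgs = @('/i', "`"$msi`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # msiexec reports the outcome through its exit code; /qn shows no dialog.
    switch ($proc.ExitCode) {
        0       { "Installed: $msi" }
        3010    { "Installed, reboot required: $msi" }
        1641    { "Installed, reboot initiated: $msi" }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
}

Install-MsiSilently -MsiPath '.\MyPackage.msi'
```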
 
Mike T, Leading Engineer, commented:
Hi,

The two experts above are right and have shown how to deploy an MSI via AD and also then explained.

To reiterate: to deploy any MSI silently it needs /qn and then run as system. AD, Altiris and SCCM all do this. Local system is a higher security context than local admin. One way to simulate it is to use the task scheduler. Personally I find it easier to create a testdeploy OU and assign the MSI there. You then can re-use the OU (unlike using the scheduler).

info: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677973(v=vs.85).aspx
 
McKnife commented:
> To reiterate: to deploy any MSI silently it needs /qn and then run as system
No, not as system. But elevated.
 
Mike T, Leading Engineer, commented:
I stand corrected :).

Also
"The actual name of the account is NT AUTHORITY\System.

The Local System account does not have any rights to access the network. When network access is necessary, Local System uses the account Domain\computername$."