janhoedt
asked on
Windows 2008 terminal server: msi was rejected by digital signature policy msi
Hi,
I have the error above after installing a plugin for Excel (msi) on a Windows 2008 R2 server (X64).
The path of the msi is included in the applocker executable rule. I found some articles but they refer to Windows 2003.
I prefer not to install a hotfix anyway, if needed I can but (as mentioned) articles which mention hotfix refer to Windows 2003.
Please advise.
J.
I have the error above after installing a plugin for Excel (msi) on a Windows 2008 R2 server (X64).
The path of the msi is included in the applocker executable rule. I found some articles but they refer to Windows 2003.
I prefer not to install a hotfix anyway, if needed I can but (as mentioned) articles which mention hotfix refer to Windows 2003.
Please advise.
J.
ASKER
Thanks, I ll check!
ASKER
Checked it, didn't work.
It is a Windows Installer rule which allows E:\sourefiles\
It is a Windows Installer rule which allows E:\sourefiles\
ASKER
Note: installed size = 152 MB, it might be a problem that file is to big. There is a KB about it, however that's about Windows 2003,
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi,
I did install the package with the administrator user on the Windows 2008 terminal server. However, when another user logs on, he gets the message stated in title of this ticket.
I is NOT applocker: fully disabled the applocker policy for windows installer.
It might be the certificate, but not familiar with that, how can I check that?
Regards,
J.
I did install the package with the administrator user on the Windows 2008 terminal server. However, when another user logs on, he gets the message stated in title of this ticket.
I is NOT applocker: fully disabled the applocker policy for windows installer.
It might be the certificate, but not familiar with that, how can I check that?
Regards,
J.
ASKER
On the server which has the problem ".msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted"
you say that you have added the path to the executable rule. However the error message references digital signature policy (Publisher Rule).
If you have enabled a Publisher rule in applocker then you need to ensure the MSI is signed by an allowed Publisher. File path has no effect on the Publisher rule...
Can you confirm whether you are using a Path rule or Publisher rule under the Windows Installer rule collection?
Also note that MSI files are not configured under the Executable rule collection but under the Windows Installer rule collection.