Workaround for Error 1718

When installing Visual Studio 2005 Service Pack 1, you may see an error like the following (file name will vary):

Error 1718. File D:\WINDOWS\Installer\50baad.msp was rejected by digital signature policy.

Knowledge Base article 925336 had originally documented instructions using the Local Security Policy UI to work around this issue based on my previous blog post. While both Windows XP and Windows Server 2003 are theoretically susceptible to this issue, to date it’s only been observed on Windows Server 2003 – particularly on machines in an Active Directory domain.

Investigations showed that when there’s a conflict with domain policy, the UI instructions I documented won’t set the registry value that SAFER – the software restriction policy API introduced in Windows XP – uses to determine whether to validate all files.

To reliably work around this issue, you should follow the instructions below. It is highly recommended that you remove your machine from any domain while installing Visual Studio 2005 Service Pack 1 if you’ve encountered this problem. Otherwise, a domain policy refresh could override the registry value during installation and block the installation.

  1. Leave your domain if you belong to a domain and reboot
  2. Set the DWORD registry value PolicyScope to 1 in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers registry key
  3. From an elevated command prompt, run “net stop msiserver” (without quotes) or simply reboot your machine
  4. Install the patch
  5. Reset the registry value from step 2
  6. Re-join your domain if you previously belonged to a domain and reboot

This can be automated rather easily, as shown in the following batch script example.

rem It is recommended you leave a domain and reboot before running this script

rem Backup the registry key before changing it to save the current values
reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers "%TMP%\safer.reg" /y

rem Set the new value and stop Windows Installer, which will automatically restart when the patch gets installed
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /t REG_DWORD /d 1 /f
net stop msiserver

rem Replace the name of the patch below according to which patch you downloaded
rem This example silently installs the patch with verbose logging enabled
start /wait VS80sp1-KB926601-X86-ENU.exe /L*v+ "%TMP%\VS80sp1-KB926601-X86-ENU.log" /quiet

rem Delete the new value and restore previous registry values for SAFER
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /f
reg import "%TMP%\safer.reg"
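
The script above does not report whether a domain policy refresh overrode PolicyScope while the patch was installing, or whether the restore at the end took effect. The following check is an added example, not part of the original script; the file name check-policyscope.cmd and its "expect" argument are hypothetical.

```batch
@echo off
rem Added example: report the SAFER PolicyScope value and compare it with
rem what you expect at each stage of the workaround.
rem Usage (script name and arguments are hypothetical):
rem   check-policyscope.cmd expect 1     right before and right after the install
rem   check-policyscope.cmd expect none  after the restore, if the value was not set originally
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
set "ACTUAL=none"

rem reg query prints a line like "PolicyScope  REG_DWORD  0x1"; the third token is the data
for /f "tokens=3" %%V in ('reg query "%KEY%" /v PolicyScope 2^>nul ^| findstr /i /c:"PolicyScope"') do set "ACTUAL=%%V"

rem Convert hex data such as 0x1 to decimal so it compares with the argument
if /i not "%ACTUAL%"=="none" set /a ACTUAL=%ACTUAL%

echo PolicyScope is currently: %ACTUAL%
if /i "%~1"=="expect" (
    if /i "%ACTUAL%"=="%~2" (
        echo OK: matches expected value %~2
        exit /b 0
    )
    echo MISMATCH: expected %~2. A domain policy refresh or a failed restore may have changed it.
    exit /b 1
)
exit /b 0
```

A mismatch right after the install means the value was overridden while the patch ran, so check the verbose log for Error 1718 before assuming the install succeeded.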