KB925336 Updated with Better Workaround

When installing Visual Studio 2005 Service Pack 1, users may see an error that reads,

Error 1718.File D:\WINDOWS\Installer\50baad.msp was rejected by digital signature policy.

While the filename will be different, the result is that the patch will not install. We first ran into this problem with the beta internally, and through investigation I found that this was caused by SAFER on Windows XP and Windows Server 2003 attempting to map the whole file into memory. On Windows Vista this operation is properly streamed.

I posted workaround steps using the management snap-in. This was used as the basis for KB925336, which, at the time, contained only those workaround instructions. I also helped mitigate the issue by informing users of the support article if they ran into this problem later during installation, with a message that reads,

Error 1718.File D:\WINDOWS\Installer\50baad.msp did not pass the digital signature check. For more information about a possible resolution for this problem, see http://go.microsoft.com/fwlink/?LinkId=73863.

That link goes to KB925336. When VS 2005 SP1 was released, the workaround didn’t work for everyone. It turns out that active domain policies were overriding the local workaround where default domain policies existed. I helped develop a new workaround that explicitly set the registry value controlling the SAFER check. The existing support article, KB925336, was updated to reflect the new workaround. It does not today, however, document that you should leave the domain. This step is optional, but recommended. If the domain policy is refreshed, your local registry edit could be overwritten and the install might fail later.

Please note that the registry edit is also recommended over the user interface approach, and that the size of the patch should not dictate which approach you use. If you run into the failure with error code 1718 or want to preempt the digital signature check failure, please use the registry edit.

Update: KB925336 was updated to recommend only the registry edit, and to recommend leaving the domain to avoid having the domain overwrite your local policy change.