I want to thank everyone who attended my webcast on designing Windows Installer packages for UAC on Windows Vista. We had over 150 attendees and Robert Flaming did a great job handling Q & A during the webcast (the Q & A log is later in this posting). For those of you who missed the webcast, it will be made available for on-demand viewing.
I have also scheduled another webcast on Monday, October 30 at 11:00 AM Seattle (US Pacific) time. This webcast is entitled Designing Software Installations for Windows Vista using Windows Installer 4.0 and is an updated version of the webcast I gave several months ago on the same topic. This webcast will cover some of our great features in Windows Installer 4.0, such as integration with Restart Manager, enhanced logging functionality and (of course) our integration with UAC. We will be taking Q & A during the webcast since that formula seemed to work really well for the UAC one.
Now, for the Q & A from the UAC webcast. This is pretty much a raw dump of the chat that many of you asked for. Please let us know (via posting comments) if you require clarification on any of these topics…
Question: I’ve read that the Privileged property should be used instead of AdminUser. I also read that Vista lies and indicates that AdminUser is True all the time. In my testing it seems that it lies about Privileged too. In the UI sequence both were True even though I was logged on as a standard user and there was nothing special done to the installation or the system to always elevate privileges. Can you explain more about Privileged and what we can check in the UI sequence to make sure that the installation is really allowed to be run? Can we use this check as an Install Condition that LaunchConditions checks?
Answer: This has two questions: 1) background on Privileged and 2) something about allowed to run. On 1) Privileged was designed for lockdown corporate environments that predate Vista. Yes, it was by design that it was set to 1 during the InstallUISequence but had the valid value for the InstallExecuteSequence. On 2) I’m not sure which scenario you are asking about. Can you provide me a bit more detail on what is meant by “really allowed to be run”?
Question: What about InstallShield Installations that are pro “setup.exe”?
Answer: By pro-setup.exe I think you are asking: what is the preferred behavior for bootstrapper based packages? We recommend setting a manifest on your setup.exe to set the RunLevel to asInvoker. This way, the UAC elevation prompt will be prompted from inside the Windows Installer service. Our testing has shown this method provides better compatibility for Over The Shoulder cases as well as secure first launch of the application from the installer itself. There are some cases where setup.exe needs to actually do admin level work itself so those cases would require the setup.exe have a manifest that has a RunLevel of requiresAdministrator. As with a lot of setup, it’s dependent on your specific scenario but we recommend a RunLevel of asInvoker.
Question: Just out of interest, does Windows Installer in Vista allow multiple installers to run simultaneously, or is it like the previous versions where you have to wait for one to finish to start another?
Answer: No, we have not changed the mutex behavior from the Windows 2003 server generation.
Question: Where could I find the detailed documentation about Vista changes in the Installer?
Answer: The Windows Installer documentation exists on http://msdn.microsoft.com at the Windows Installer Start Page at http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp. The MSI.CHM also comes in the Windows Vista Platform SDK.
Question: We don’t want to make the customer go through the UI and then abort in the Execute sequence if Privileged is False. What can we check in the UI sequence to abort?
Answer: The UAC credential prompt is a one way door. There is no way to tell in advance whether the user will approve the credential prompt. Once the credential prompt is approved you are running as administrator. This is a constraint of UAC.
Question: Is Windows Installer 4.0 included in Visual Studio 2005?
Answer: You could be asking a couple of questions: 1) is there a redistributable and 2) does VS 2005 support Vista? On 1) Windows Installer 4.0 does not have a downlevel redistributable. It is only available on Windows Vista. On 2) Visual Studio is evaluating their Vista compatibility now. They are known to have some issues on Vista. Follow-up with Visual Studio would be wise.
Question: I have heard that the version of Windows Installer in Vista uses resource dll’s for translation. Is this correct, and is there any documentation on this functionality?
Answer: Sorry, can you clarify the context of the term “translation”? Are you talking about Windows Vista Multilingual User Interface support available to applications from inside their packages? If Vista MUI is the question, our support is documented in the Shortcut table in the Windows Vista update to the MSI portion of the platform SDK.
Question: On Vista, is there a way to run an elevated install silently? I.e.: when using /qb, Vista does show the elevation dialog request, but also shows the progress bar. When using /qn, nothing happens … Isn’t there a way of mitigation between the two switches?
Answer: The UAC functionality does not allow elevating silently. The recommendation from the UAC team is to 1) run from a manageability tool such as SMS, Altiris, Tivoli, etc 2) run from an elevated command line 3) (for automated testing in development only) write a service that elevates a command line when passed.
Question: Can you add the shield icon to an InstallShield hybrid MSI package?
Answer: Depends on where the UI is coming from. We support a shield attribute on the buttons from the native UI inside a package. If the UI is elsewhere in your InstallShield based experience, please check with InstallShield.
Question: If by signing the package can you automate that admin password be provided to this app? If so what are the steps to provide the admin elevation to the app?
Answer: The Credential-Free experience is specific to patching. We do not have the same experience for the initial MSI install or the terminating uninstall.
Question: Are there any changes in COM in Vista which the installer should be aware of?
Answer: Nothing has been brought to my attention specifically. The one I’ve run into is a way to invoke your COM control that will include a UAC prompt, which is documented in the UAC whitepapers on how to support UAC.
Question: What protection is there against spy-ware? Can Vista detect whether an app being installed is going to be reporting data back to a third party?
Answer: This is not a specific feature of Windows Installer in Vista. There have been efforts in that direction from Microsoft but I can’t speak authoritatively to them.
Question: Can we make a generalized installer for Vista and 2003 and XP?
Answer: Windows Installer has been baked into the Windows operating system since Windows 2000. Packages can be written such that they run on all the OSes. Windows Installer is designed to both degrade gracefully and light up as appropriate to the authoring in the package and engine on the machine.
Question: By translation I mean changing the text on the MSI’s dialogs to another language.
Answer: We have not enhanced our functionality for Windows Vista in this dimension. The Windows Installer section of the platform sdk contains guidance on how to use language transforms to generate this functionality.
Question: There’s some confusion about whether the “no impersonate” bit can be used in the UI sequence. Docs imply it only applies to deferred custom actions.
Answer: NoImpersonate can not be used in the UI Sequence or in the InstallExecuteSequence outside of the script. To have a custom action run inside the script, one needs to mark their custom action deferred.
Question: We don’t use a setup.exe so we can’t use a manifest. Is there a Windows Installer property or something that can be set in a .msi to indicate the installation should ask to “Run as an Administrator” if it isn’t already before the UI begins?
Answer: We did not provide this functionality specifically due to the fact that this model does not work across the full spectrum of distribution. Corporate and OEM deployment experiences will not run the InstallUISequence so any behavior attempted in the InstallUISequence will not run for those customers. System changes should occur inside the transaction which is inside the script.
Question: When developing a package for Vista and XP SP2, which should be the development platform?
Answer: If you mark the Windows Installer schema as 2.0 but include 4.0 related features, the Windows Installer engine on XP and Win2k3 will do the right thing on those engines and then light-up on Vista.
Question: Will a recording of this web conference be available on MS’s website?
Answer: Yes the recording should be available within 24 hours at: http://www.microsoft.com/events/webcasts/ondemand.mspx
Question: At which point during the install will a user get the UAC elevation pop-up?
Answer: Technically we call the credential prompt at the start of the service. This is in the transition between the InstallUISequence and the InstallExecuteSequence. In the user experience, this is after the user sees all of their selection dialogs. One would add the shield to their “install” button that is the last click in the dialog sequence.
Question: Can we use VS 2005 to create setup project for Vista? If not, when can we expect a visual installer in VS that is compatible with Vista? Before Vista release?
Answer: Visual Studio 2005 is one of the authoring tools vendors that need to make decisions on how to support Vista in their product. Unfortunately I do not know the current status. You may want to check with formal support or try contacting VS persons via http://blogs.msdn.com/heaths or http://blogs.msdn.com/astebner
Question: So where does ALLUSERS=2 bounce to?
Question: Will the standard RegisterTypeLibraries action write its values into HKCU in a true “Per-User” package or should we expect values to be stored in the virtualized store?
Answer: The Windows Installer does not redirect writes from the TypeLib table. If a TypeLib intends to support a StandardUser install, that is code that will need to be written in TypeLib itself.
Question: When will patching be added to AD Group Policy Assignments of MSI packages with transforms?
Answer: Group Policy deployment of patches is a frequently requested feature. The Group Policy team and Windows Installer team are separate entities within Microsoft. The latest update I received from the Group Policy team still recommended customers use WSUS or SMS.
Question: How should I redistribute a multi language UI support installation? Isn’t using bootstrapper the only way?
Answer: Yes, the official support is via a bootstrapper. There is an unsupported method noted on a number of installer focused web sites. That path has worked for some but it is undocumented and officially unsupported.
Question: When I uninstall my signed msi, I get a UAC prompt that says “Unknown publisher”. All of the UAC prompts during the install display my signed information fine. Is this a Vista problem, or a problem with my msi?
Answer: We have a KB pending for this behavior and are considering this for a fix. The reason this happens is that when we cache the MSI we strip out some data, making the certificate invalid. We’re looking at mitigations but we do not have a solution at this time. Nothing is wrong with the package.
Question: I’m not familiar with the nomenclature: bootstrapper. Care to provide a brief definition?
Answer: Generally a bootstrapper is the file setup.exe that most folks have learned to invoke to install an application. A basic bootstrapper does a few checks and then launches the MSI. The basic bootstrappers should not be needed. Advanced bootstrappers, sometimes called chainers, can do a lot of work in addition to installing one MSI. Office 2007 and VS 2005 are examples of complex bootstrappers.
Question: Using Iexpress as a bootstrapper, how do I add a manifest?
Answer: I don’t have that data at my finger tips. Please examine the UAC developer documentation for further details on how to add a manifest to an existing exe.
Question: If the UAC pop-up comes at the beginning of the InstallExecuteSequence, will custom actions in the install execute sequence be a child process that can inherit the elevated privileges from the parent? What about the custom actions after InstallFinalize which need elevation?
Answer: Two details here: 1) only deferred custom actions marked with the NoImpersonate bit can run elevated 2) by running elevated, the custom action runs as Local System not as the user that provided credentials. Outside of a deferred and NoImpersonate custom action there is no way to run elevated.
Question: When an installation does not require a UAC prompt (signed patch, already elevated, etc.), will the shield icon be displayed on a dialog button with the shield attribute?
Answer: One can use the ControlCondition table to condition the shielded button as enabled or disabled depending on the state of the install. I believe all the conditions one needs are available and no one has said they’ve had problems with this (yet ;^)
Question: If I go to Best Buy or Comp USA and buy 4 – 5 Microsoft SKU’s and try to install them on VISTA will they be good examples of what the user experience should be during installation in a properly configured application installation?
Answer: The choices that Microsoft Applications make are dependent on their business. As with other ISVs, Microsoft Applications need to consider their behavior on Windows Vista. Windows Vista logo is the best guidance I know of for designing one’s application for Vista.
Question: After running through the Cust Wizard on Windows Vista an OS message pops up asking if the program was installed correctly. After running a wizard in the form of a self-contained exe that does not require installation, is signed and was copied locally from a network, Vista pops up a msg asking whether this program was installed correctly. Why? Is this expected behavior?
Answer: This is not a Windows Installer behavior but it is the Application Compatibility assistant behavior. As I understand their behavior, they have a heuristic for determining if it’s a setup and they watch to see if an Add/Remove Programs entry is written. There is more online in the Vista compatibility section of the Vista developer and admin documentation.
Question: Is there a reason why you only allow one installer to run at a time?
Answer: Yes – in order to maintain the transaction we can only allow one installation to occur at a time. (You can imagine rollback would be hard if multiple installations changed the same resource on the system and one failed.)
Question: A thread in the msi platform sdk recently talked about a deferred noimpersonation CA that failed on Vista because the MSIServer service didn’t list the SeBackupPrivilege right. Is this by design or a mistake? I’ve not seen any talk about restricting rights when running with noimpersonation in the system context.
Answer: I have not seen this thread. Can you go to the Windows Installer blog and send a comment with more data? http://blogs.msdn.com/Windows_installer_team
Question: Can you please describe web install scenario if elevated privs are required. For example, can you download msi to user’s temporary folder, then inside the msi request elevated privileges? I would love to see a flowchart or demo describing this workflow.
Answer: The SDK provides documentation (and a sample) on this topic. Please check the SDK — Generally speaking, installing from the temp folder is a bad idea.
Question: Which version of MSI is used by the latest MS 2005?
Answer: I don’t understand the question – can you clarify what “MS 2005” is?
Question: I may have missed some of the presentation, but what happens if ALLUSERS=2? I see you want ALLUSERS set to 1. We want to install all users on the system by default…
Answer: Under UAC ALLUSERS=1 and ALLUSERS=2 are essentially the same.
Question: How do I get the shield icon on my custom bootstrapper?
Answer: That is covered in the UAC Whitepaper listed in the resources slide.
Question: Can you tell me how to emulate a Group Policy install outside of group policy to debug issues with installs?
Answer: 1) advertise the package with /jm ALLUSERS=1 2) then go to a Standard User account and invoke the package
Question: Instead of using SecureCustomProperties list for passing properties to Execute, what is your opinion on setting EnableUserControl?
Answer: You can certainly do that – but since it is policy you can’t always rely that it will be set.
Question: If a bootstrapper should generally be given invoker permissions, how can the installation source be cached in a secure location?
Answer: You can sign the CAB files associated with the source files and then insert the certificate into the package. This way, the CAB files can be stored in a user accessible location but still be secure.
Question: We have Immediate custom actions that were after InstallFinalize (outside the script) and failed. When we changed them to Deferred in System Context (no impersonate) and moved them before InstallFinalize they worked. If we leave them as Immediate they will work if we ran the .msi from the Command Prompt if the prompt was launched as “Run as Administrator”. Is there something that can be set in the .msi that will elevate the privileges so the Immediate custom action will work so the .msi doesn’t have to be launched by something that was already “Running as Administrator”?
Answer: This behavior is by design. Were one to have tried the original package under Group Policy deployment to a locked down desktop it would have failed in the same way as under Vista UAC. What’s changed here with Windows Vista is that UAC creates the corporate lock down experience as default. The corporate lock down experience is demonstrably more secure for corporations so with Windows Vista and UAC, we’re bringing that security goodness to everyone.
Question: Are nested MSI installs supported with MSI 4?
Answer: It is supported, but not recommended. Please see the Nested Install topic in the SDK.
Question: What if my MSI package requires elevated privileges but the UAC dialog does not come up?
Answer: Usually this question comes when a package is failing before the credential dialog appears. The mitigation is to move the custom action into the install transaction as a deferred + NoImpersonate custom action. The only way to prevent the credential dialog from displaying is to 1) set bit 3 of the Word Count Summary Information Stream property or 2) run the package from a pre-elevated context.
Question: Is it accepted that “advanced bootstrappers” will set the RunLevel to requiresAdministrator in their manifests? Does Office 2007/VS 2005 bootstrapper do this?
Answer: The VS 2005 bootstrapper was released before Vista so they will not have a manifest associated with it. I have not checked the Office 2007 bootstrapper recently. They have still not shipped and changes can happen through to RTM. By “acceptable” I think what I can say is that “yes, sometimes it is required to get the needed behavior”. The caution is that one should not do this without the due diligence to confirm all their scenarios work. A blanket mitigation to elevate all setup.exe bootstrappers is not always the right answer. As with the spirit of UAC, one should design for the least privilege needed and there are times full privilege is required. Test thoroughly though as we’ve had customers comment that the effects of elevating in the bootstrapper do take some adjustments to get all the scenarios correct.
Question: If I understood correctly, do you recommend that install is either per machine or per user but should not be selectable for both? Would that be only for Vista or all platforms?
Answer: The terms used here are kind of fuzzy so I’ve tried to tease out some of this in my blog series. First, there is a conflicting definition of per-user (http://blogs.msdn.com/rflaming/archive/2006/09/20/764027.aspx). UAC has altered the precedent definition of per-user from preVista OSes (http://blogs.msdn.com/rflaming/archive/2006/09/20/763960.aspx). We have asked ISVs to consider per-user (UAC definition == Standard User) and a typical conversation looks like: http://blogs.msdn.com/rflaming/archive/2006/09/30/778690.aspx. For ISVs that want to do both per-machine (for manageability) and per-Standard-User (for the easy access by the general populace) I’ve had this conversation: http://blogs.msdn.com/rflaming/archive/2006/10/01/780096.aspx. It’s difficult to make a recommendation for all cases because it is so dependent on the ISV and the application.
Question: Fyi, comment sent to team .. thread is discussed and linked to from http://chrpai.blogspot.com/2006/10/vista-deferred-ca-consideration.html
Answer: That’s an architecture question beyond my own capacity to answer. I’ll follow-up and see if I can get a blog to the Windows_installer_team site that I can note as a comment in this blog. Did you run that thing to get the privileges on the service on WinXP and Win2k3 too?
Question: Antti Nivala actually reported the problem in the thread. She said the deferred noimpersonate CA worked on XP. I suggested that she confirm my theory by modifying the service parameters for MSIserver, restart the msi service and retest. Her reply seemed to indicate that it solved her problem but I don’t know for an absolute fact since I don’t have access to the EXE that was causing the problem.
Answer: Thanks for pointing this out. It’s the first I’ve heard of it. I’ll review with development.