Applocker with Windows Installer rules and SCCM 2012

Hi,
We have been running Applocker for two years on Windows 7 Enterprise clients with SCCM 2007 as management and distribution tool.
This setup was working fine until we migrated to SCCM 2012 and started to encounter problems with msi-packages not being able to self-heal when the source was the sccm client cache.
We have recreated this scenario in a lab environment.
Our setup is this:
Windows 2008 R2 (DC)
Windows 7 Enterprise SP1 (Client)
Standard user (not admin)
SCCM 2012 R2 (upgraded from 2007)
Applocker with these rules:
Executable Default rules enabled (Enforced)
Windows Installer Default rules enabled (Enforced)
Exception for %WINDIR% (where SCCM cache is located)
Script Default Rules enabled (Enforced)
Application msi-package with self-heal (omus) and advertised shortcuts
We install the application from the sccm cache (%windir%\ccmcache) and then trigger a self-heal (user components being copied to the user profile).
What we see on the client is: Error 1718. File C:\Windows\ccmcache\54\application.msi was rejected by digital signature policy.
Event log is showing: Event 1008: The installation of
C:\Windows\ccmcache\54\application.msi
is not permitted due to an error in software restriction policy processing. The object cannot be trusted.
It looks like the file cannot be evaluated by Applocker and therefore is not trusted. We get an Access Denied error when testing the AppLocker policy with the following PS command:
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\ccmcache\54\application.msi
This command works fine when accessing files in the cache folder on a SCCM 2007 client.
For testing purposes we recreated a similar folder structure: C:\Windows\Folder1\Folder2\application.msi where the user has no permissions on Folder2 and read on the other folders and the File.msi.
This is what the permissions look like in SCCM 2012 (no user permissions on %Windir%\ccmcache). Applocker cannot evaluate the trust level of application.msi.
The GPO setting “Bypass traverse checking” is set to everyone.
As we can see, the permissions are the same on SCCM 2007 client cache (%Windir%\syswow64\ccm\cache) but we do not have this issue there.
Has anyone got Applocker (with Windows Installer rules activated) to work with SCCM 2012 and Windows Installer self-heal?
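An added diagnostic script (not from the original post) that rebuilds the Folder1\Folder2 test described above and reports, for a standard user, whether AppLocker can read the MSI's publisher information and what the effective policy decides. The domain, user name, source MSI path and test folders are assumed placeholders; the setup part needs an elevated prompt, the diagnosis part is meant to be run in the standard user's session to reproduce the Access Denied the post reports.

```powershell
# Added example, not the original poster's code. Assumed values: domain CONTOSO,
# standard user stduser, and C:\Temp\application.msi as a signed MSI to copy.
$Root   = "$env:WINDIR\Folder1"
$Inner  = "$Root\Folder2"
$Msi    = "$Inner\application.msi"
$User   = "CONTOSO\stduser"          # assumption: the non-admin test account
$Source = "C:\Temp\application.msi"  # assumption: a signed MSI used as test input

# --- setup (run elevated) ---------------------------------------------------
New-Item -ItemType Directory -Path $Inner -Force | Out-Null
Copy-Item -Path $Source -Destination $Msi -Force

# Folder1 keeps the Read ACE that Users inherit from %WINDIR%.
# Folder2 breaks inheritance and grants only SYSTEM and Administrators, which
# mirrors the "no user permissions on the folder" state the post describes.
icacls $Inner /inheritance:r /grant "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" | Out-Null
# The MSI itself gets an explicit Read ACE for the user, as in the post's test.
icacls $Msi /grant "${User}:R" | Out-Null

# --- diagnosis (run as the standard user) -----------------------------------
# 1. Can AppLocker read the file's publisher and hash? If this throws Access
#    Denied, publisher and hash rules cannot be matched at all.
try {
    $info = Get-AppLockerFileInformation -Path $Msi -ErrorAction Stop
    "File info: Path={0} Publisher={1}" -f $info.Path, $info.Publisher
} catch {
    "Get-AppLockerFileInformation failed: $($_.Exception.Message)"
}

# 2. Effective policy decision for the user. PolicyDecision is one of
#    Allowed, Denied or DeniedByDefaultRule; MatchingRule names the rule hit.
$result = Get-AppLockerPolicy -Effective |
          Test-AppLockerPolicy -Path $Msi -User $User
"Decision for {0}: {1} (matching rule: {2})" -f $User, $result.PolicyDecision, $result.MatchingRule

# 3. Control: the same MSI in a folder the user can read, so the two
#    decisions can be compared side by side.
$Control = "$Root\application.msi"
Copy-Item -Path $Source -Destination $Control -Force
$ctrl = Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Control -User $User
"Decision for control copy: {0}" -f $ctrl.PolicyDecision
```

If the control copy is Allowed while the Folder2 copy fails or is denied, the difference is the folder ACL rather than the rule set, which narrows the comparison between the SCCM 2007 and SCCM 2012 cache locations.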

More info. I found some people also encounter this same issue, but with a specific msi; take a look at
http://social.technet.microsoft.com/Forums/windowsserver/en-US/2ad92754-f01e-410e-97db-7a9bc81586db/msiinstaller-event-1008-when-trying-to-install-3ds-max-2011-after-group-policies-apply-on-domain?forum=winserverGP
Juke Chou
TechNet Community Support

Similar Messages

  • Digital Filing broken with windows 8.1 and Server 2012 R2?

    Hello
    Recently upgraded my machines so now I have Windows 8.1 and Server 2012 R2 running. The scanning from my Officejet L7680 to a network share on one of these machines is no longer working. 
    Looking into it with network monitors I can see that the login of the user and password is working but then the save of the file on the share gives an error.
    In Windows 8.1 it starts creating the file but cannot add content to it (so the file is 0 Bytes in size); on Server 2012 R2 the creation of the file already gives an error.
    Searching around the web seems to indicate that changes in the SMB protocol on the latest windows versions are the cause of this and other MFP suppliers are providing firmware updates to fix this. There seems no way to fix this at the Windows side.
    Can HP confirm this issue and indicate which all in ones will be able to connect to network shares on these latest windows version ? With or without a firmware update.

    I can confirm that I'm experiencing the same issue on my Windows 8.1 x64 machine and Windows 2012 R2 Essentials. Will there ever be a firmware update for the L7680 printer so we can get this functionality working again?

  • Helix gen.2 very slow with USB 3.0 and SCCM 2012 OSD

    Hello there, I have a problem with our Helix gen.2. I would like to deploy the OSD with SCCM 2012 and so I insert the USB 3.0 dongle driver in WinPE. The download and WIM installation is very fast but slows down after the OSD TS inserts all drivers for the system and makes a reboot. After the reboot the machine runs very slow over the network (1GB) and over 20 hours and breaks down with an unsigned error message 80004005. I changed the driver to an old version for the USB 3.0 but it doesn't help, so I need help from you. With best regards, André

    What OS are you deploying on the box, 7 or 8.1?
    Did you import the drivers from the Helix2 SCCM driver pack for the appropriate OS into a Driver Package?
    Did you also add the USB 3.0 drivers specific to the OS being deployed into that same Driver Package?
    Do you have an Apply Drivers task that references this driver package in the task sequence?  If so, you should be able to find the task ID in the SMSTS.log file and verify it is running.

  • Can you make Sysprep on Windows 8.1 and Server 2012 R2 Prompt for a Computer Name

    Hi guys,
    Our Windows 7 Unattend.xml has always made Sysprep prompt for Computer Name. I'm struggling to achieve that with Windows 8.1 and Svr 2012 R2.
    Firstly: Is it still possible?
    Secondly: If so, How?
    Thanks

    OOBE will only hide pages that contain the answers in the XML. So if you want OOBE to prompt for a computer name, make sure your XML does not contain the ComputerName object.

  • I have tried to install iTunes 5 but when Windows it starts to install it  says there`s a problem with my Windows installer Paket and cancel the Program

    I have tried to install iTunes 5 but when Windows starts to install it, it says there's a problem with my Windows Installer package and cancels the program. I've searched for answers on the web and they said I should remove my old iTunes version and try it again. But the same thing happened again! Now I haven't got any iTunes version and I also can't load a new one!!!! Please help me!!!

    I solved it myself; after the "note" which came back from FF/Mozilla just as I finished my message, commenting on what it was that my system had, I went back to check my plug-ins etc. I downloaded the latest Java, BOTH 32-bit AND 64-bit versions, and the latest Firefox.
    Now all is working.
    Thanks,
    B.

  • Cost of Intune and SCCM 2012 r2 vs SCCM 2012 r2 ICBM

    Is there any research/info on pros and cons of SCCM 2012 using Intune for internet client management vs SCCM 2012 R2 and ICBM?  Things like cost, supportability, etc.  I have seen Intune vs SCCM, not Intune & SCCM vs SCCM and Internet Client Based Management.
    Cyndy

    Hi,
    I think the reason is that you cannot manage Windows clients using the Windows Intune Agent and integrate it with SCCM 2012. The integration with Intune and SCCM 2012 is for Mobile Device Management only, so there is no possibility to install the Windows Intune Agent on a client and then manage it through the SCCM Admin Console.
    The only scenario where that would work is if you manage Windows 8.1 with the OMA-DM agent and enroll them in Intune as a mobile device with a limited set of features.
    So ICBM is still the way to go if you need all the features in SCCM or you want one console to rule them all.
    Regards,
    Jörgen  
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Can't change printer port on Windows 8.1 and Server 2012 R2

    1. Install "Lexmark X646e Class Driver" using an in-box print driver (i.e. one that comes with the Windows installation base).
    2. Go to "Printer properties" -> "Port"
    3. Select a custom monitor port, and the following error occurs in Event Viewer.
    An error occurred while configuring print queue 'Lexmark X646e Class Driver'. Printer driver 'Lexmark X646e Class Driver' may not be used in conjunction with a non-inbox port monitor.
    Same steps applied on Windows 8 and Server 2012, and no issues found. The restriction/limitation is newly added in Windows 8.1 and Server 2012 R2.
    Changing to a custom monitor port after printer driver installation is very important for us.
    How can we solve or workaround the above issue, so it can behave like Windows 8 and Server 2012? 

    What Port Monitor just so I can bubble this information to some others?
    Alan Morris Windows Printing Team
    Hi Alan:
    We developed a custom printing system, which involved the following configurations:
    1. Create a custom port monitor on server 2012 r2.
    2. Change an existing print queue to use this custom port monitor, and share this print queue.
    3. All workstations will print to this shared print queue on the server.
    The goal is to manage/monitor the print information in StartDocPort for all printing for instance.  This is what we've been doing for a long time.
    Now we upgraded our system from server 2012 to server 2012 R2, but we can't change the port monitor to our ones anymore.
    I've tried the Type3 printer driver, such as Brother Color Type3 Class Driver, unfortunately it didn't work if the installation is using "Add a printer", and select the driver from the list.   
    The only way to make it work is to install the printer driver using the one downloaded from the vendor's website, this will bypass Windows "Add a printer". 
    Is there any chance we can make this to behave like server 2012 or earlier? Modify registry keys?
    Cheers
    Steven

  • SCVMM Installation Failed: vmmServer.msi failed with Windows Installer error 1603.

    Error seen when attempting to install Microsoft System Center 2012 R2 Virtual Machine Manager 
    Installing D:\amd64\setup\msi\Server\vmmServer.msi failed with Windows Installer error 1603.
    See C:\ProgramData\VMMLogs\vmmServer.log for more information. After resolving the problem, retry setup.
    Searched the log file for 1603 errors - 
    CustomAction EnableWsmanCredSSP returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (B8:20) [02:00:47:180]: Note: 1: 2265 2:  3: -2147287035 
    MSI (s) (B8:20) [02:00:47:180]: Machine policy value 'DisableRollback' is 0
    Action ended 2:00:47: EnableWsmanCredSSP. Return value 3.
    SI (s) (B8:20) [02:00:47:228]: Windows Installer installed the product. Product Name: Microsoft System Center Virtual Machine Manager Server (x64). Product Version: 3.2.7510.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success
    or error status: 1603.
    I've tried disabling my Firewall and troubleshooting the Enable-WSManCredSSP command-let however nothing has worked and I'm quite stuck. 
    Any help would be appreciated. 

    I had the same problem in my environment.
    Here are the steps for how I solved this issue.
    VMM 2012 R2 requires ADK 8.1, and this requires SQL 2012 Express.
    In order for SQL Server 2012 to be installed successfully, the .NET Framework 3.5 feature on Windows Server has to be enabled first; in this case it is not being installed by the ADK installation wizard, as a result the SQL service fails to start, which results in the VMM installation failing.
    Please try to enable the .NET Framework 3.5 feature on Windows Server 2012 R2 before you install ADK 8.1.

  • Error in push sccm client CcmSetup failed with error code 0x80070643 ccmsetup sccm 2012

    I want to push the SCCM client to all computers; I enabled automatic site-wide client installation.
    Some computers get error code 0x80070643 (ccmsetup, SCCM 2012).
    When I try manual installation I get the same error and ccmsetup.exe stops.

    Duplicate of
    https://social.technet.microsoft.com/Forums/en-US/3bac4677-46b0-4d96-b63d-a819efcc7f35/error-in-push-sccm-client-ccmsetup-failed-with-error-code-0x80070643-ccmsetup-sccm-2012?forum=configmgrgeneral
    Please don't double post.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Top 4 basic issues that are encountered in SCOM 2012 and SCCM 2012

    HI,
    I need to give a presentation on the basic issues that are encountered in SCOM 2012 and SCCm 2012.
    Can anyone help me out with this?
    Thanks in advance
    Rohith Kumar

    Hi,
    I am not familiar with SCCM, so I will give some issues I encountered in SCOM:
    1. Not monitored and grey agent, here is an article for your reference:
    http://technet.microsoft.com/en-us/library/hh212723.aspx
    2. Failed to discover and install agents; this may be caused by the action account or install account not having proper permissions to install the agents. Sometimes the discovery rule is not enabled.
    3. Failed to import Management Pack; this may be caused by referenced MPs not being imported to the management group, or sometimes the proper referenced MPs are imported, but there may be a typing error in the XML file which defines the management pack.
    4. Run As account and Action account failures. If you change the password for the action account, you may also need to change the password everywhere the account is used in SCOM. For Run As accounts, if the account does not have enough rights to run some tasks, we may encounter errors. You may refer to the link below, which takes the SQL MP as an example:
    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
    Regards,
    Yan Li

  • Has anybody had the following error while trying to download iTunes 10.5? There is a problem with Windows Installer package. A program required for this install to complete could not be run.

    Has anybody had the following error while trying to download iTunes 10.5? There is a problem with Windows Installer package. A program required for this install to complete could not be run.

    Go to "control panel" then "add or remove programs".  Highlight "Apple software update"  Choose "change" click "Repair"  This should do the trick.  Then download and install iTunes 10.5 again.

  • Tried to install iTunes 10.5 this morning but an error appeared saying "problem with windows installer package. A program required for this install to complete could not be run." Can someone please help

    I tried to install iTunes 10.5 this morning but an error appeared saying "problem with windows installer package. A program required for this install to complete could not be run." Can someone please help

    Firstly, are you installing iTunes for the first time or are you updating your current version of iTunes?
    If you're installing iTunes for the first time have you tried redownloading the installer package? Perhaps the file you downloaded originally is corrupted...
    http://www.apple.com/itunes/
    If you've tried that, then try installing iTunes as your computer's administrator. To do this right-click the install package and choose "Run as administrator".
    If you're updating iTunes to the most recent version try repairing the Apple Software Update program on your computer. It's under the add/remove programs.
    1. Open the control panel
    2. Open Add/Remove programs (called "Programs and Features" in Windows 7)
    3. Navigate to "Apple Software Update" in the list and click on it
    4. Click on "Change" then select "Repair" (or just select the repair option in Windows 7)
    Once you repair this, try running iTunes and the update again.
    Fingers crossed!

  • Scanning with windows 8.1 and laserjet 3050

    I have had my LaserJet 3050 for many years and all printer functions have worked well for that time using Windows XP.  I have two new computers now. One with Windows 8.1 and the other a Mac with OS 10.9.  I am able to print with the LaserJet from either computer but unable to scan to the computer on either computer.  I have checked for HP updates and new drivers but no success.  In XP I would go to the Start menu and then Programs to the HP folder and there I would click on scan.  There is no such program or application or HP folder on either new computer.  Windows 8.1 will not read the installation disc that came with the LaserJet 3050.  What do I have to do to be able to scan and save to the computer?

    OK, I figured out how to scan in Windows 8.1 but still unable to do it in OS10.10.  I can print to Laserjet.  My LaserJet 3050 is recognized in System Preferences/Printers & Scanners but to scan my LaserJet and Mac don't see each other.  I am not able to find an app to do this function.  How do I correct this?

  • HT1349 Hi all,I have just purchased new iphone but have difficulty in completing the itunes download with message : problem with Windows installer package. A program run as part of the setup did not finish as expected.

    Hi all,I have just purchased new iphone but have difficulty in completing the itunes download with message : problem with Windows installer package. A program run as part of the setup did not finish as expected.
    Would appreciate help...its driving me up the wall!!

    Perhaps let's first try updating your Apple Software Update.
    Launch Apple Software Update ("Start > All Programs > Apple Software Update"). Does it launch and offer you a newer version of Apple Software Update? If so, choose to install just that update to Apple Software Update. (Deselect any other software offered at the same time.)
    If the ASU update goes through okay, try another iTunes install. Does it go through without the errors this time?

  • Cant download itunes, because ' there is an error with windows installer package' please help?

    cant download itunes, because ' there is an error with windows installer package' please help?

    I am getting the same message when I try to install the latest version of iTunes; I am running Windows Vista Home Premium. I have tried so many different things to try to correct this and have now completely uninstalled it from my laptop..... Now I have no iTunes whatsoever on it and still can't install it. I found an older version of iTunes and it installed without any problems, but I can't access it because my library was created on a newer version! Talk about frustrated..... WE NEED HELP!!!!!
