1 Reply Latest reply on Jan 2, 2013 12:54 PM by Lawrence Garvin

    Pushing Custom MSI Packages with UAC Turned On



      We are using Patch Manager to tie into WSUS so we can push our application updates via Windows Update.  I created the installer for our application.  The installer is in the form of a setup.exe... basically an MSI wrapped with the executable.  We are pushing our updates to multiple clients, all running Windows 7.  When we "go live" with our software the clients will be required to run with UAC turned on.  I have successfully tested my installer with UAC on, but that was a manual install on the local client. 


      Where I am having trouble is pushing our updates with Patch Manager when UAC is enabled on the clients receiving the update. We are able to deploy our updates without an issue when UAC is turned off, but when it is turned on I notice some very strange behavior. Below are a couple of scenarios I see with UAC turned on...

      - Scenario 1: Deploying an update with UAC on and the installation UI visible to end users

      The clients still see the update as available in Windows Update. When you click install the download occurs and completes successfully, but then the install just hangs. The installation UI never shows itself to the end user. It's like Windows Update "holds" onto the update, because even restarting the computer causes it to infinitely loop through the Windows Update process. It usually takes me manually pushing the power button on the client and then removing the update from the WSUS server before it is fixed. Ultimately the update is never installed.  There are no meaningful messages in the system logs either.

      - Scenario 2: Deploying an update with UAC on and the installation UI suppressed to end users (Silent Install)

      The clients still see the update as available in Windows Update. When you click install the download occurs and completes successfully. The difference is that the installation process returns a successful code... but then a few seconds after it will show the update as still available. The update is never installed, although the Windows Update logs show otherwise. I have to basically do the same steps as scenario 1 to fix the problem, and like scenario 1, the update is never installed.  Again, there are no meaningful errors or messages in the system logs.

      I have narrowed this down to UAC because it's the only control I have changed when I experience this. In fact, both scenarios I laid out will actually properly install the update, but only if UAC is turned off.

      My question is this... Is there a setting in Patch Manager/WSUS I am missing? Is this a missing parameter in my installer? Could it have anything to do with signatures?  I'm a bit confused as to why this happens when I am pushing through Patch Manager and not when I am manually installing the update on the local client.

      Any help would be greatly appreciated.... I am stumped!  I will be more than happy to provide further information if necessary.

      Kind Regards,

        • Re: Pushing Custom MSI Packages with UAC Turned On
          Lawrence Garvin

          Stephen, the interactions of UAC and a product installer are the purview of the product vendor and/or specific installer. Neither Patch Manager, WSUS, nor the Windows Update Agent have any involvement in this interaction. Best case scenario, the installer should provide a SILENT installation option, and when executing in the SYSTEM context provided by the Windows Update Agent, there should be no need to invoke a UAC prompt in the user context. The presence of the UAC prompt would imply that user interactivity is required for the product installation.


          Now, that may also be the case. If a product requires user interaction, then [a] the package needs to be defined in Advanced Options as requiring user-interaction, and hopefully that portion of the product has been coded to run in the standard user context, and not actually require elevated privileges (in which case the UAC prompt should not be presented).


          Also noteworthy, and I believe this is the case with your Scenario #1, if the update package requires user-interactivity, then you cannot launch the product/update installation using a Patch Manager Update Management task; it must be launched by the end-user with the Control Panel WU applet.


          In Scenario #2, if the update is not actually being installed, as you've suggested, then it may be that the installation does, in fact, require user-interactivity to complete. However, if it is UAC that is causing the installation to fail, then there's nothing in the WSUS/WUAgent/PatchManager infrastructure that you can do to work around that. The question would be for the product vendor as to how their installer needs to be configured to be installed in silent/unattended mode within the context of the Windows Update Agent (i.e., in the SYSTEM context) to install successfully.


          However, also relevant here is that if the installation actually did complete successfully, but the WUAgent still (incorrectly) reports the update as NotInstalled, then this is likely an issue with the rulesets in the package definition -- most commonly the rules defined in the Installed Ruleset that are used to detect whether the package is actually installed. I would direct you to my recent PatchZone blog posts for more insight on this question.


          Some of this process will involve diagnosing the actual installer behavior and determining where it quits working (and that it actually does quit working), and why it's returning SUCCESS codes if the product is not actually being installed. Enabling MSI Logging on the client may help in this regard, and you can do this with an option on the Check and Manage Computer Connectivity tool in Patch Manager.
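
The MSI-logging diagnosis suggested in the reply above can also be done by hand on a client. The following is an added example, not part of the original thread and not Patch Manager's own tooling: it sets the Windows Installer logging policy and summarises what a verbose log says about the install (result code, aborted actions, UI level, and the account it ran under). The function names and the sample log lines are constructed for illustration.

```powershell
# Added example: Enable-MsiVerboseLogging and Get-MsiLogOutcome are hypothetical names.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Enable-MsiVerboseLogging {
    # Requires an elevated session. Each install then writes MSI*.log to the
    # installing account's %TEMP% (C:\Windows\Temp when run as SYSTEM).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Logging' -Value 'voicewarmupx' `
        -PropertyType String -Force | Out-Null
}

function Get-MsiLogOutcome {
    param([string[]]$Lines)
    $product = $null; $status = $null; $user = $null; $ui = $null; $failed = @()
    foreach ($line in $Lines) {
        if ($line -match 'Product Name: (.+?)\. Product Version:')      { $product = $Matches[1] }
        if ($line -match 'Installation success or error status: (\d+)') { $status = [int]$Matches[1] }
        if ($line -match 'Property\(S\): LogonUser = (.+)$')            { $user = $Matches[1].Trim() }
        if ($line -match 'Property\(S\): UILevel = (\d+)')              { $ui = [int]$Matches[1] }
        # "Return value 3" marks the action that aborted the install.
        if ($line -match 'Action ended [\d:]+: (\S+)\. Return value 3') { $failed += $Matches[1] }
    }
    [pscustomobject]@{
        Product       = $product
        MsiStatus     = $status   # 0 = success, 3010 = success but reboot required
        UILevel       = $ui       # 2 = none (silent), 3 = basic, 4 = reduced, 5 = full
        LogonUser     = $user     # SYSTEM when launched by the Windows Update Agent
        FailedActions = $failed -join ','
    }
}

# Constructed sample lines in the format of a verbose MSI log (not from a real client).
$sample = @(
    'Action ended 12:54:01: InstallFinalize. Return value 1.',
    'Property(S): UILevel = 2',
    'Property(S): LogonUser = SYSTEM',
    'MSI (s) (5C:A0) [12:54:02:113]: Windows Installer installed the product. Product Name: ExampleApp. Product Version: 1.0.0. Product Language: 1033. Manufacturer: Example Corp. Installation success or error status: 0.'
)
Get-MsiLogOutcome -Lines $sample

# On a client, after a deployment attempt:
# Get-ChildItem "$env:windir\Temp\MSI*.log" |
#     ForEach-Object { Get-MsiLogOutcome -Lines (Get-Content $_.FullName) }
```

A log showing `MsiStatus` 0 alongside an update still reported as available points toward the detection rules in the package definition; a non-zero status or a populated `FailedActions` points toward the installer itself.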