cancel
Showing results for 
Search instead for 
Did you mean: 
eltonito
Level 8

Advice on policy config for .msi files?

Jump to solution

Aloha,

I'm generally comfortable with updaters, binaries, installers, etc but I've run into a snag whitelisting an msi that we need to execute in the field.  Since the msi itself isn't truly an executable, it shouldn't be able to function as an updater.

Examing the event logs,  I see that explorer.exe calls msiexec.exe when the msi in question is double-clicked.  Granting updater status to explorer.exe is an obviously bad idea and I'm not too fond of giving msiexec.exe such status either, so I'm trying to determine the best strategy.  I've toyed with parent and library settings, but none seem to achieve the granularity I'd prefer in regards to the specific msi. 

Does anyone have any suggestions/feedback on Application Control policies and msi's?

Thanks,

T.

0 Kudos
1 Solution

Accepted Solutions
aacordoba
Level 9

Re: Advice on policy config for .msi files?

Jump to solution

Hi,

Try running the following command

sadmin features enable pkg-ctrl

you need to reboot the system, after that you will be able to run msi from an autorized share folder

0 Kudos
5 Replies
aacordoba
Level 9

Re: Advice on policy config for .msi files?

Jump to solution

Hi,

Try running the following command

sadmin features enable pkg-ctrl

you need to reboot the system, after that you will be able to run msi from an autorized share folder

0 Kudos
CIPHENT.com
Level 11

Advice on policy config for .msi files?

Jump to solution

How about adding the msi as an installer...?

0 Kudos
eltonito
Level 8

Advice on policy config for .msi files?

Jump to solution

@Ciphent - I experimented with the msi as an installer/updater, but utlimately an msi functions as a document, not an executable.

@aacordoba - Good info, I will look into that.  Is there a way to translate that into a policy or would I have to run that as a command line task through ePO?

0 Kudos
aacordoba
Level 9

Advice on policy config for .msi files?

Jump to solution

So far now I just run a command in ePO.

But what I can´t know if what system already have this feature enable, If you are able to find some query regarding this please let me know.

Regards.

0 Kudos
eltonito
Level 8

Advice on policy config for .msi files?

Jump to solution

Hmm...

I can setup a Solidcore Command Line task to enable or list features, but the results are only viewable in ePO on a per system basis in a similar manner to an 'xray' command line task.  Reviewing the data I can query, I don't believe there is a way to create a query of the status of Solidcore features via ePO 4.5.

I enabled the package control feature and it appears to have given me a lot more flexibility with the MSI's, but the required reboot is a deal killer in the short term.

Thanks again for the info!

-T.

0 Kudos