' Windows Installer utility to manage installer policy settings ' For use with Windows Scripting Host, CScript.exe or WScript.exe ' Copyright (c) Microsoft Corporation. All rights reserved. ' Demonstrates the use of the installer policy keys ' Policy can be configured by an administrator using the NT Group Policy Editor ' Option Explicit Dim policies(21, 4) policies(1, 0)="LM" : policies(1, 1)="HKLM" : policies(1, 2)="Logging" : policies(1, 3)="REG_SZ" : policies(1, 4) = "Logging modes if not supplied by install, set of iwearucmpv" policies(2, 0)="DO" : policies(2, 1)="HKLM" : policies(2, 2)="Debug" : policies(2, 3)="REG_DWORD" : policies(2, 4) = "OutputDebugString: 1=debug output, 2=verbose debug output, 7=include command line" policies(3, 0)="DI" : policies(3, 1)="HKLM" : policies(3, 2)="DisableMsi" : policies(3, 3)="REG_DWORD" : policies(3, 4) = "1=Disable non-managed installs, 2=disable all installs" policies(4, 0)="WT" : policies(4, 1)="HKLM" : policies(4, 2)="Timeout" : policies(4, 3)="REG_DWORD" : policies(4, 4) = "Wait timeout in seconds in case of no activity" policies(5, 0)="DB" : policies(5, 1)="HKLM" : policies(5, 2)="DisableBrowse" : policies(5, 3)="REG_DWORD" : policies(5, 4) = "Disable user browsing of source locations if 1" policies(6, 0)="AB" : policies(6, 1)="HKLM" : policies(6, 2)="AllowLockdownBrowse" : policies(6, 3)="REG_DWORD" : policies(6, 4) = "Allow non-admin users to browse to new sources for managed applications if 1 - use is not recommended" policies(7, 0)="AM" : policies(7, 1)="HKLM" : policies(7, 2)="AllowLockdownMedia" : policies(7, 3)="REG_DWORD" : policies(7, 4) = "Allow non-admin users to browse to new media sources for managed applications if 1 - use is not recommended" policies(8, 0)="AP" : policies(8, 1)="HKLM" : policies(8, 2)="AllowLockdownPatch" : policies(8, 3)="REG_DWORD" : policies(8, 4) = "Allow non-admin users to apply small and minor update patches to managed applications if 1 - use is not recommended" policies(9, 0)="DU" : policies(9, 1)="HKLM" : policies(9, 2)="DisableUserInstalls" : policies(9, 3)="REG_DWORD" : policies(9, 4) = "Disable per-user installs if 1 - available on Windows Installer version 2.0 and later" policies(10, 0)="DP" : policies(10, 1)="HKLM" : policies(10, 2)="DisablePatch" : policies(10, 3)="REG_DWORD" : policies(10, 4) = "Disable patch application to all products if 1" policies(11, 0)="UC" : policies(11, 1)="HKLM" : policies(11, 2)="EnableUserControl" : policies(11, 3)="REG_DWORD" : policies(11, 4) = "All public properties sent to install service if 1" policies(12, 0)="ER" : policies(12, 1)="HKLM" : policies(12, 2)="EnableAdminTSRemote" : policies(12, 3)="REG_DWORD" : policies(12, 4) = "Allow admins to perform installs from terminal server client sessions if 1" policies(13, 0)="LS" : policies(13, 1)="HKLM" : policies(13, 2)="LimitSystemRestoreCheckpointing" : policies(13, 3)="REG_DWORD" : policies(13, 4) = "Turn off creation of system restore check points on Windows XP if 1 - available on Windows Installer version 2.0 and later" policies(14, 0)="SS" : policies(14, 1)="HKLM" : policies(14, 2)="SafeForScripting" : policies(14, 3)="REG_DWORD" : policies(14, 4) = "Do not prompt when scripts within a webpage access Installer automation interface if 1 - use is not recommended" policies(15, 0)="TP" : policies(15,1)="HKLM" : policies(15, 2)="TransformsSecure" : policies(15, 3)="REG_DWORD" : policies(15, 4) = "Pin tranforms in secure location if 1 (only admin and system have write privileges to cache location)" policies(16, 0)="EM" : policies(16, 1)="HKLM" : policies(16, 2)="AlwaysInstallElevated": policies(16, 3)="REG_DWORD" : policies(16, 4) = "System privileges if 1 and HKCU value also set - dangerous policy as non-admin users can install with elevated privileges if enabled" policies(17, 0)="EU" : policies(17, 1)="HKCU" : policies(17, 2)="AlwaysInstallElevated": policies(17, 3)="REG_DWORD" : policies(17, 4) = "System privileges if 1 and HKLM value also set - dangerous policy as non-admin users can install with elevated privileges if enabled" policies(18,0)="DR" : policies(18,1)="HKCU" : policies(18,2)="DisableRollback" : policies(18,3)="REG_DWORD" : policies(18,4) = "Disable rollback if 1 - use is not recommended" policies(19,0)="TS" : policies(19,1)="HKCU" : policies(19,2)="TransformsAtSource" : policies(19,3)="REG_DWORD" : policies(19,4) = "Locate transforms at root of source image if 1" policies(20,0)="SO" : policies(20,1)="HKCU" : policies(20,2)="SearchOrder" : policies(20,3)="REG_SZ" : policies(20,4) = "Search order of source types, set of n,m,u (default=nmu)" policies(21,0)="DM" : policies(21,1)="HKCU" : policies(21,2)="DisableMedia" : policies(21,3)="REG_DWORD" : policies(21,4) = "Browsing to media sources is disabled" Dim argCount:argCount = Wscript.Arguments.Count Dim message, iPolicy, policyKey, policyValue, WshShell, policyCode On Error Resume Next ' If no arguments supplied, then list all current policy settings If argCount = 0 Then Set WshShell = WScript.CreateObject("WScript.Shell") : CheckError For iPolicy = 0 To UBound(policies) policyValue = ReadPolicyValue(iPolicy) If Not IsEmpty(policyValue) Then 'policy key present, else skip display If Not IsEmpty(message) Then message = message & vbLf message = message & policies(iPolicy,0) & ": " & policies(iPolicy,2) & "(" & policies(iPolicy,1) & ") = " & policyValue End If Next If IsEmpty(message) Then message = "No installer policies set" Wscript.Echo message Wscript.Quit 0 End If ' Check for ?, and show help message if found policyCode = UCase(Wscript.Arguments(0)) If InStr(1, policyCode, "?", vbTextCompare) <> 0 Then message = "Windows Installer utility to manage installer policy settings" &_ vbLf & " If no arguments are supplied, current policy settings in list will be reported" &_ vbLf & " The 1st argument specifies the policy to set, using a code from the list below" &_ vbLf & " The 2nd argument specifies the new policy setting, use """" to remove the policy" &_ vbLf & " If the 2nd argument is not supplied, the current policy value will be reported" For iPolicy = 0 To UBound(policies) message = message & vbLf & policies(iPolicy,0) & ": " & policies(iPolicy,2) & "(" & policies(iPolicy,1) & ") " & policies(iPolicy,4) & vbLf Next message = message & vblf & vblf & "Copyright (C) Microsoft Corporation. All rights reserved." Wscript.Echo message Wscript.Quit 1 End If ' Policy code supplied, look up in array For iPolicy = 0 To UBound(policies) If policies(iPolicy, 0) = policyCode Then Exit For Next If iPolicy > UBound(policies) Then Wscript.Echo "Unknown policy code: " & policyCode : Wscript.Quit 2 Set WshShell = WScript.CreateObject("WScript.Shell") : CheckError ' If no value supplied, then simply report current value policyValue = ReadPolicyValue(iPolicy) If IsEmpty(policyValue) Then policyValue = "Not present" message = policies(iPolicy,0) & ": " & policies(iPolicy,2) & "(" & policies(iPolicy,1) & ") = " & policyValue If argCount > 1 Then ' Value supplied, set policy policyValue = WritePolicyValue(iPolicy, Wscript.Arguments(1)) If IsEmpty(policyValue) Then policyValue = "Not present" message = message & " --> " & policyValue End If Wscript.Echo message Function ReadPolicyValue(iPolicy) On Error Resume Next Dim policyKey:policyKey = policies(iPolicy,1) & "\Software\Policies\Microsoft\Windows\Installer\" & policies(iPolicy,2) ReadPolicyValue = WshShell.RegRead(policyKey) End Function Function WritePolicyValue(iPolicy, policyValue) On Error Resume Next Dim policyKey:policyKey = policies(iPolicy,1) & "\Software\Policies\Microsoft\Windows\Installer\" & policies(iPolicy,2) If Len(policyValue) Then WshShell.RegWrite policyKey, policyValue, policies(iPolicy,3) : CheckError WritePolicyValue = policyValue ElseIf Not IsEmpty(ReadPolicyValue(iPolicy)) Then WshShell.RegDelete policyKey : CheckError End If End Function Sub CheckError Dim message, errRec If Err = 0 Then Exit Sub message = Err.Source & " " & Hex(Err) & ": " & Err.Description If Not installer Is Nothing Then Set errRec = installer.LastErrorRecord If Not errRec Is Nothing Then message = message & vbLf & errRec.FormatText End If Wscript.Echo message Wscript.Quit 2 End Sub