Community
FAQ Community User guide Contact Customer Info
Post Reply
Zsolt Kollarits
Posts: 342
Joined: Fri May 29, 2015 10:36 am

Product cannot be installed on PCs with strict execution policy settings due to inline PowerShell custom actions

Dear Advanced Installer Support Team,

Few of our customers complained about our installer that they were not able to install our product, because our inline PowerShell script based custom actions cannot be executed on their PCs due to their very restricted (AllSigned level) execution policy settings.

In the meantime we noticed that your product supports inline PowerShell script signing starting from AI version 17.7, so we enabled the "Sign script" checkbox for each of our inline PowerShell script based custom actions and created a new .exe. Unfortunately we are still not able to install our product on PCs which has very strict (AllSigned) execution policy set, I see such errors in the installation logfile:

Action start 8:15:16: <PowerShell based custom action name>.
MSI (s) (28:28) [08:15:16:370]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSIE2C5.tmp, Entrypoint: RunPowerShellScript
MSI (s) (28!D8) [08:15:16:376]: PROPERTY CHANGE: Deleting POWERSHELL_EXECUTION_LOG property. Its current value is 'AuthorizationManager check failed.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess'.

Dumping PowerShell invoke log ...
--> Found PowerShell path: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
--> PowerShell Script Execution Result Code: 1
--> PowerShell Script Execution log:
AuthorizationManager check failed.
+ CategoryInfo : SecurityError: (:) , ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess
MSI (s) (28!D8) [08:15:19:815]: PROPERTY CHANGE: Adding POWERSHELL_EXECUTION_LOG property. Its value is 'AuthorizationManager check failed.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess'.
CustomAction WriteConfigFilesHashesToRegistry returned actual error code 1603 but will be translated to success due to continue marking

Could you please take a look at the install log file I will send over to you and tell us why the installation is not working?

Thank you in advance. :)

Best regards,
Zsolt
Catalin
Posts: 6585
Joined: Wed Jun 13, 2018 7:49 am

Re: Product cannot be installed on PCs with strict execution policy settings due to inline PowerShell custom actions

Hello Zsolt,

I'm assuming your users have set the "AllSigned" execution policy through a GPO.

If that is the case, please note that even though the script is signed, the digital certificate will need to be present in the "Trusted Publisher" in order for the script execution to succeed.

This is highlighted in our documentation --> Sign script - digitally sign the PowerShell script..

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
Zsolt Kollarits
Posts: 342
Joined: Fri May 29, 2015 10:36 am

Re: Product cannot be installed on PCs with strict execution policy settings due to inline PowerShell custom actions

Dear Catalin,

Thank you for your help, your tip has solved our problem, it´s working now. :)

Best regards,
Zsolt
Catalin
Posts: 6585
Joined: Wed Jun 13, 2018 7:49 am

Re: Product cannot be installed on PCs with strict execution policy settings due to inline PowerShell custom actions

You are always welcome, Zsolt!

I am glad to hear it works as expected now. :)

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
Post Reply

Return to “Common Problems”