Windows service account and upgrades

[vpodans]

Our application installs the Windows service along with install process. By default we configure the service to run under "Network Service" account, it is configured in AI project.

However, we treat this as default installation and recommend (though not requiring) customers to use gMSA service accounts to increase security. We can manually configure the host and service to utilize gMSA, no problems with it. The problem arises when we deploy an upgrade and MSI resets custom identity back to default identity (Network Service). Is it possible to retain the identity configured in service during upgrade?

If it is relevant, here is actions configuration:

Capture.PNG (4.67 KiB) Viewed 2126 times

[Catalin]

Hello,

Please note that the behavior is quite normal, as it is not possible for the setup package to know what changes are done outside of the installation process. Besides that, a major upgrade basically means the removal of the older version (service included) which will automatically "reset" the options to the default ones.

Please have a look over the following forum thread in which a solution is proposed:

Update service without changing its logon details

Hope this helps!

Best regards,
Catalin

[vpodans]

This is very unfortunate behavior. Major upgrade strategy for smaller products is the most convenient way to update the product.

And for many aspects in AI it is possible to define task execution conditions. Services are not changed often even during major upgrades. Service executables -- they may change, but the service itself (registration) -- seldom. Having execution conditions would eliminate such problems. With current state of AI we cannot support custom service identities.

I've checked related post you suggested, unfortunately, it doesn't solve this issue in convenient way. It seems we have to drop service configuration from AI native settings to custom actions where we configure the service on install based on a condition: if service exist, leave it as is and install with default settings if absent.

[Catalin]

Hello,

Please note that Advanced Installer, through the predefined support for services, is using the "ServiceInstall" and "ServiceControl" tables which are proprietary to the Windows Installer technology.

Unfortunately, your scenario is not possible through the predefined support of Windows Installer.

In your specific scenario, I believe that it might be better to follow a custom approach, as you mentioned.

Best regards,
Catalin

[vpodans]

Understood. Anyway, thanks for assistance!

[Catalin]

You are always welcome!

Best regards,
Catalin