AllowLockdownBrowse

Windows Installer

AllowLockdownBrowse

Setting the value of this per-machine system policy to "1" enables nonadministrative users to use a Browse Dialog to locate sources of managed applications. Sources may include media, such as CD-ROM, URLs, and network locations. For more information, see Source Resiliency. The default on Windows Installer is that nonadministrative users cannot browse for new sources of managed applications. The only sources available are those that are already registered in the source list of the product. If this policy is set, a nonadministrative user may browse for new sources of assigned or published applications or applications being installed for all users. Setting AllowLockdownBrowse also enables nonadministrative users to run programs at LocalSystem privileges during an elevated installation.

The default setting is recommended to ensure a secure environment.

Registry Key

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Data Type

REG_DWORD

Remarks

Setting this policy also enables nonadministrative users to run arbitrary programs at LocalSystem privileges if they have a Windows Installer package that installs or launches those programs.

DisableBrowse overrides AllowLockdownBrowse and prevents browsing even if AllowLockdownBrowse is set.

For information about the interaction of this policy with installation sources, see Managing Installation Sources.

See Also

Source Resiliency
AllowLockdownMedia

Send comments about this topic to Microsoft

Build date: 8/13/2009

© 2009 Microsoft Corporation. All rights reserved.