Installing from Application Catalogue fails on Windows 7 computers
All,
Has anyone else experienced this issue with installing apps from the application catalog. The applications do not install won Windows 7 computers and UAC prompts for admin credentials. The same apps work fine on XP computers.
I tried using a silent switch and get the following error "The software change returned error code 0x643(1603)." Again, with XP computers there are no issues.
The command line I used was msiexec /i "application.msi" /qb and msiexec /i "application.msi" /q. I have used the default options when setting up the app in SCCM. The application catalogue has been added to the trusted sites and the install permissions
is set to All Users in the Computer Agent policy.
I have also allowed users to define their primary device in the User Settings.
Any help would be appreciated.
Thanks
Mahesh
October 19th, 2012 12:23am
UAC won't have any inpact since applications are installed using the SYSTEM account running elivated. MSI exit code 1603 =
Fatal error during installation. I would first try manually installing the MSI on the computer it may be a compatibility or need a prerequisit installed.
October 19th, 2012 12:30am
Hi Justin,
I can manually install this on the Win 7 computer. So the pre requisites are fine. I dont think it is using the SYSTEM account when trying to install the application from application catalog. The same application works fine on the XP machine (both
manually and through application catalog). Do I need to specify the account SCCM needs to use when installing the apps from the application catalog.
The event logs generate the follwoing error on the Win 7 computers, there are no such logs generated on the XP machine though:
Product: Test Application -- Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files (x86)\Test Application. The installation cannot continue. Log on as administrator or contact your system administrator.
October 19th, 2012 12:38am
Is the deployment type set to "Install for user" for it's installation behavior? If so, this definitely uses the users credentials to install the application and should initiate a per-user install. However, if the MSI was not created correctly, it still
may try to drop files in privileged areas that normal users should not have access to (like Program files(x86) above) and will cause UAC to kick in. There is no way to get around UAC; if there were, it would be useless. Thus, this is due to a bad installer
that does not know how to perform a per-user install.
October 19th, 2012 1:14am
Hi Jason,
The deployment is set to Install for user. There seems to be no issues when installing the same app on XP machines. Refer below for the error I get in Software Center. Any ideas?
October 19th, 2012 3:01am
Have you tried to manually install the same application with same command line on Windows 7 machine ( I know, you've already tried this but NOT sure using same command line and same use
October 19th, 2012 3:45am
You cannot blame ConfigMgr. It just started the command line, but the installer returned 1603. Just examine the msi logfiles for that product.
October 19th, 2012 6:50am
That error code is from msiinstaller, it just means that installation was "cancelled by user" - which I did when it prompted for admin credentials.
October 19th, 2012 6:55am
Yes, I am going to look at my application catalog server now. Will update my findings.
October 19th, 2012 6:56am
XP doesn't have UAC thus there's nothing to prevent a user from doing privileged things if there are a local admin.
October 19th, 2012 7:37pm
Guys,
I work with Mahesh. This was previously working with some of our MSI's and now doesn't. As best I can tell these MSI's (which have been compiled for "Everyone" without any pre-requisites) are being executed as the users account as opposed to the client install
account. We've confirmed that "Install permissions" is set to "All users" under our Computer Agent settings, and the client install account is still pushing out clients without an issue.
Is there any other SCCM logs that we should be looking at? As Mahesh has stated all we get back from the MSI logs is what's below which is logged against the current logged in users account:
Product: Test Application -- Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files (x86)\Test Application. The installation cannot continue. Log on as administrator or contact your system administrator.
Regards,
Ryan.
October 21st, 2012 11:57pm
The client installation account is *never* used for software distribution; the client installation account is only used to connect to remote systems during client agent push and has nothing to do with application deployment.
There's nothing more that's needed. The account running the installation does not have permissions to access the specified directory. Per-user installations should not ever try to access C:\Program Files (or c:\program files (x86)) because users do not have
permissions to do so. Thus, these are poorly created MSIs that violate basic standards.
The "Install Permissions" setting simply controls "who" can initiate a deployment on the client. It in no way elevates the user's permissions (it can't do this BTW as the user's permissions are controlled by Windows) or enable a non-admin user account to
do privileged things or bypass UAC (both of which are again controlled by the OS).
ConfigMgr runs the command-line that you give, nothing more. It has no magical ability to bypass core Windows security.
October 22nd, 2012 1:13am
Thanks Jason.
So than am I correct in thinking that you can only publish MSI's that install to user directories via the application catalog?
Ryan.
October 22nd, 2012 3:23am
Can someone what settings I need to verify in the "Client Settings" for the application catalog. I know we need to check the "Computer Agent" and "User and Device Afiinity" - is there anything else I need to go through.
October 22nd, 2012 4:56am
I was able to install the apps on a Windows 2008 R2 server using a non admin account. This does not have Forefront endpoint protection and the default client settings is applied to this test server. Any suggestions?
October 22nd, 2012 5:48am
Just examine the msi logfile to get an idea what's failing. You might have to add /l*v c:\whateverlog.log to the install command line.
October 22nd, 2012 6:39am
No. Apps are published to the App catalog if they are deployed to users. That is independent from "installation behavior" setting in the deployment type.
October 22nd, 2012 2:58pm
Admin privileges are not required to install a per-user app. Admin privileges are required to do privileged things like writing to Program Files.
October 22nd, 2012 3:00pm
Looks like the .msi you are trying to install will check the prerequisites as Admin Privileges before triggers the installation. But sorry i'm not expert in .MSI technology however just a one suggestions i would also prefer in this
way to do it creating a customized .mst file for that .msi. Then deploy it to Per-User Application.
October 23rd, 2012 10:38am
This looks to be more of an Endpoint Protection issue. After removing it from the client we're able to install the MSI's without any additional changes. Further investigation required.
October 25th, 2012 5:14am
All,
We have got around this issue by using packages rather than applications.
With packages trageted to user collections, they seem to appear in the application catalogue. I can run the run the programs using administraor rights and seems to install fine.
I will leave it like this until SP1 and I have more time to troubleshoot the issue using applications.
Cheers
Mahesh
November 29th, 2012 2:11am
Mahesh,
Do you got solution for this issue. Right now i'm experiencing an same issue from software center.
October 15th, 2014 12:14pm
Hi mate,
You need to deploy these applications to devices using the software center itself.
Using the application catalog requires the user admin's access. There is no proper documentation that I could find about it. The nearest what I found was : http://blog.thesysadmins.co.uk/sccm-2012-allow-end-user-to-run-application-as-administrator.html.
So to deploy an application to a normal user, I target the application to a collection that contains the users computer and deploy through software center.
Good luck.
Cheers,
Mahesh
October 15th, 2014 10:22pm
Hi mate,
You need to deploy these applications to devices using the software center itself.
Using the application catalog requires the user admin's access. There is no proper documentation that I could find about it. The nearest what I found was : http://blog.thesysadmins.co.uk/sccm-2012-allow-end-user-to-run-application-as-administrator.html.
So to deploy an application to a normal user, I target the application to a collection that contains the users computer and deploy through software center.
Good luck.
Cheers,
Mahesh
May 23rd, 2015 8:46am
Other recent topics
