Vista UAC in a Corporate Environment
My company needs to deploy Windows Vista with SP1 to a variety of workstations. Currently we are a 2000/XP environment of about 20,000 employees. Since we are an engineering company we have developers that need to create sofware drivers and such to suport Vista, thus we cannot avoid the OS.
The powers that be currently want to deploy Vista with UAC enabled, and from a packaging standpoint, that has been a nightmare for us so far, I am not happy with how UAC interferes with poorly coded vendor installs. We don't repackage everything in sight, so we do rely on these vendor installs from time to time.
I personally think that since we are in a corporate environment with strong patch management, hardware firewalls, mandatory Antivirus, and even software firewalls on our laptops, I am seeing less of a need for UAC.
I know that this is a baited topic, but I want to get some professional opinion on Windows Vista UAC pertaining to my situation. I know most companies out there will not use Vista to begin with, and this was my best bet to connect with those companies that will or are using Vista. How does your Company handle UAC, what size is your company, and what support do you have for that choice?
Thanks!!
The powers that be currently want to deploy Vista with UAC enabled, and from a packaging standpoint, that has been a nightmare for us so far, I am not happy with how UAC interferes with poorly coded vendor installs. We don't repackage everything in sight, so we do rely on these vendor installs from time to time.
I personally think that since we are in a corporate environment with strong patch management, hardware firewalls, mandatory Antivirus, and even software firewalls on our laptops, I am seeing less of a need for UAC.
I know that this is a baited topic, but I want to get some professional opinion on Windows Vista UAC pertaining to my situation. I know most companies out there will not use Vista to begin with, and this was my best bet to connect with those companies that will or are using Vista. How does your Company handle UAC, what size is your company, and what support do you have for that choice?
Thanks!!
0 Comments
[ + ] Show comments
Answers (7)
Please log in to answer
Posted by:
anonymous_9363
16 years ago
I presume you've seen the first Google hit for 'packaging +vista +uac'? http://msipackagingforvista.com/how-will-an-msi-deployment-handle-vista-uac-elevation.html
Also, http://juice.altiris.com/book/3758/vista-repackaging-best-practices-with-wise-package-studio may be useful.
Also, http://juice.altiris.com/book/3758/vista-repackaging-best-practices-with-wise-package-studio may be useful.
Posted by:
Digitalweezil
16 years ago
Hey VB, I have of course researched it deeply, I've even done a presentation to my other team members about issues with UAC ect especially with WPS compatabilities.
My whole point with this Thread is to see, 'What is your Company doing?'
My goal so far is aimed at disabling it in our environment, I just want to see how others are handling this situation in their environments.
My whole point with this Thread is to see, 'What is your Company doing?'
My goal so far is aimed at disabling it in our environment, I just want to see how others are handling this situation in their environments.
Posted by:
anonymous_9363
16 years ago
I appreciate that you probably would have done. The purpose of posting the links was more or less to support the stance, "If a White Paper on a web site supported by a packaging tool vendor suggests that UAC be disabled for corporate deployments, why would we [i.e. your company] do something different?"
Posted by:
Digitalweezil
16 years ago
What I have seen about UAC typically is this - Windows Vista UAC is recommended even in corporate environments. We use Alitiris Distribution, and truthfully when we deploy via the System account, we generally have no problems with UAC.
But, what we have been facing problems with are those software that do Not want to deploy via the System account, or just plain state to disable UAC prior to installing. It is because of these software that we have considered turning off UAC, rather than going with the recommended leaving it on.
Some software that we have had difficulties with deploying to Vista include:
Autocad 2008 Electrical with SP1
Autocad TrueView 2008
Checkpoint Firewall Software
Even WPS needs it turned off to Install :)
There are a few others, but off the top of my head I can't recall them. The vendor support typically states that they are Vista 'Capable' which is a far step from being Vista 'Compliant' IMO.
But, what we have been facing problems with are those software that do Not want to deploy via the System account, or just plain state to disable UAC prior to installing. It is because of these software that we have considered turning off UAC, rather than going with the recommended leaving it on.
Some software that we have had difficulties with deploying to Vista include:
Autocad 2008 Electrical with SP1
Autocad TrueView 2008
Checkpoint Firewall Software
Even WPS needs it turned off to Install :)
There are a few others, but off the top of my head I can't recall them. The vendor support typically states that they are Vista 'Capable' which is a far step from being Vista 'Compliant' IMO.
Posted by:
llsmsadmin
15 years ago
The problem I am having is when deploying to a Vista machine with UAC via SMS when the package must run as the user. For example, the package has to update HKCU. This fails.
Posted by:
jib
15 years ago
Just to add a little to this ..
What we are seeing are that since we were already using limited user accounts only on XP (no local administrators) we're alreday used to handling the same kind of "UAC / elevation problems" (in Vista-ish talk) that we do when packaing for XP "LUA". When testing packages for Vista most of the changes we need to deal with are related to custom actions and the msidbCustomActionTypeNoImpersonate bit .. from packages authored by us or vendors before Vista came into consideration.
There are a few apps like AutoCAD and others .. hmm apps that bind to some sort of specialized hardware and actually has hardcoded checks to check for local admin in XP .. that carries these problems over to Vista.
In your situation I would leave UAC on and then disable it only when needed.
What we are seeing are that since we were already using limited user accounts only on XP (no local administrators) we're alreday used to handling the same kind of "UAC / elevation problems" (in Vista-ish talk) that we do when packaing for XP "LUA". When testing packages for Vista most of the changes we need to deal with are related to custom actions and the msidbCustomActionTypeNoImpersonate bit .. from packages authored by us or vendors before Vista came into consideration.
There are a few apps like AutoCAD and others .. hmm apps that bind to some sort of specialized hardware and actually has hardcoded checks to check for local admin in XP .. that carries these problems over to Vista.
In your situation I would leave UAC on and then disable it only when needed.
Posted by:
jmcfadyen
15 years ago
one of the key issues with UAC is that is was designed with the express intention that MSI's would only modify the system during the deferred phase.
as there is a myriad of developers / software houses that do not follow this UAC appears to fail installs etc.
if you have some kind of magic bullet that will force vendors to follow this simple rule I think you will find the UAC can be used successfully in enabled mode.
the problem there is we all know very well not many vendors design the installers to fit the UAC principals. I think it will be a long time before UAC is adopted heavily be the packagers needs to upskill first to meets its requirements.
Robert Flaming one of the designers on the Vista programme has a comprehensive blog on UAC requirements pre/req's etc (from a non official microsoft stance)
as there is a myriad of developers / software houses that do not follow this UAC appears to fail installs etc.
if you have some kind of magic bullet that will force vendors to follow this simple rule I think you will find the UAC can be used successfully in enabled mode.
the problem there is we all know very well not many vendors design the installers to fit the UAC principals. I think it will be a long time before UAC is adopted heavily be the packagers needs to upskill first to meets its requirements.
Robert Flaming one of the designers on the Vista programme has a comprehensive blog on UAC requirements pre/req's etc (from a non official microsoft stance)
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.