MSI Signing - Software Restriction Policy

Has anyone ever worked somewhere that has implemented a Software Restriction Policy to Manage Software Installation? If so, can you share how it was implemented, bumps/hurdles faced, and how you handled exceptions?

The reason I ask is that my company is implementing an SRP that denies all MSIs from installing unless they are signed with our cert. We are signing all of the MSIs we create and also signing any vendor MSIs that we deploy. This way, users can't just download Adobe Reader, for example, and install it. They will only have our customized version of it.

We are now facing an issue with MS Office 2007 where the install has checks and balances to make sure the installation files are not altered. So, when we sign the MSIs with our cert, the install bombs.

When we went to MS about it, they said that we are not implementing the Software Restriction Policy as it was intended.

So, not sure how we would be implementing it wrong, but just wanted to get other people's feedback and see how they have implemented something like this.
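An added audit helper, not code from the original thread: it runs Get-AuthenticodeSignature over every MSI on a deployment share and reports which packages would pass a certificate-based SRP rule (validly signed by the company cert) and which it would block, so the list of needed exceptions is known before rollout. The share path and the thumbprint value are placeholders.

```powershell
# Added example (not from the original post). The thumbprint and the share
# path below are placeholders; substitute your own signing cert and location.
$OrgCertThumbprint = 'PLACEHOLDER_THUMBPRINT_OF_YOUR_SIGNING_CERT'
$DeployShare       = '\\server\deploy'   # placeholder path

function Test-MsiAgainstSrp {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    # Authenticode check: Status is NotSigned, Valid, HashMismatch, NotTrusted, ...
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        File         = Split-Path -Path $Path -Leaf
        Status       = $sig.Status
        Signer       = if ($signer) { $signer.Subject } else { '' }
        # A certificate rule only admits a package that is validly signed
        # by the organisation's own certificate; anything else is denied.
        AllowedBySrp = ($sig.Status -eq 'Valid' -and
                        $signer -ne $null -and
                        $signer.Thumbprint -eq $ExpectedThumbprint)
    }
}

# Walk the share: rows with AllowedBySrp = False are what the policy will stop
# (unsigned downloads, vendor-signed packages not re-signed, or packages
# altered after signing, which show up as HashMismatch).
Get-ChildItem -Path $DeployShare -Filter *.msi -Recurse |
    ForEach-Object { Test-MsiAgainstSrp -Path $_.FullName -ExpectedThumbprint $OrgCertThumbprint } |
    Sort-Object AllowedBySrp, File |
    Format-Table -AutoSize
```

Run it before enabling the policy and again after re-signing vendor packages; anything still listed as blocked needs either re-signing or an explicit exception.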



Answers (1)

Posted by: Logikal1 12 years ago
Yellow Belt
When we started our SRP restrictions it wasn't a major mistake but a small silly item we'd forgotten to check off (forget what) that kept Office from downloading under our cert. Start off from scratch and re-read every word of the documentation for your OS AND Office 07. If that doesn't help, try second tier tech support at Microsoft. You get much better results & explanations.

My company isn't that large, so we keep it simple. Basically, we [IT] set up the computers so only authorized IT can add or remove programs. No software'll download unless it goes through their administrative log-on. There are NO USB ports staff can access & no way to load CDs either, as workstations don't have any drives (IT can as needed, but not staff).

Staff on all levels sign contracts on day 1 that spell out the fact that anyone downloading any software without IT authorization, accessing any unapproved site or using company computers for personal use is subject to immediate termination. With jobs tough to come by we haven't had any breaches for some time. We explain we must do this, not to be nasty, but because of all the viruses, malware, etc. that are all too often hidden in innocent-looking (or look-alike) sites that can shut down a company for hours if not days. Also, we got a monitoring system made by a company in Ohio (Video Technologies I think) fairly cheap. It's 1984, for sure.

Good luck.
