The following error may occur when attempting to install a program using the MSI installation package on a workstation with local administrator permissions: “The system administrator has set policies to prevent this installation“. I tried running other MSI files, but they did not install either. How can this problem be fixed, and how can these security policies be disabled or bypassed?
The error “The system administrator has set policies to prevent this installation” may appear when installing or updating apps from MSI packages or EXE installers on a Windows computer. This indicates that the computer has software installation restriction policies enabled.
If your account has local administrator privileges, you can install the application using a simple workaround without modifying the system’s security policy settings.
- If it is an installer packaged in an *.EXE file, click on it and select Run as administrator.
- If this is an MSI package, open a Command Prompt window as an administrator and run the installation using the following command:
msiexec.exe /i C:\Install\MyAppInstaller.msi
If the program still does not install, even with elevated privileges, check the computer’s Group Policy settings. You can use the rsop.msc graphical snap-in or the gpresult command to view the resulting GPO settings on a computer. Check if there are any configured policy settings under Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer.
The following GPO options can be used to prevent software installation via the MSISERVER service.
- Turn off Windows Installer
- Prohibit non-administrators from applying vendor-signed updates
- Prevent users from using Windows Installer to install updates and upgrades
If these policies are configured, open the local GPO editor (gpedit.msc), navigate to the section specified above, and change the policy setting:
- Turn off Windows Installer:
Enabledwith optionNever - Prohibit non-administrators from applying vendor signed update:
Disabled - Prevent users from using Windows Installer to install updates and upgrades:
Disabled
- Allow users to patch elevated products:
Enabled
After making changes, run the command to apply the new GPO settings:
gpupdate /force
If a computer is missing a local Group Policy Editor (for example, if it is a Windows Home edition) or if the restrictions are applied directly through the registry, you need to modify the registry. Navigate to the HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer registry key and set the parameter values as follows:
DisableMSI = 0 DisablePatch = 0 DisableLUAPatching=0 AllowLockdownPatch=1
Create these registry items manually if they are missing.
For example, this causes an error when updating some Autodesk products under a user who is not a member of the local Administrators group:
This installation is forbidden by system policy. Contact tour system administrator.
The policy must be disabled to allow non-admin users to install app updates. Or run updates with local administrator permissions.
Restrictions on installing programs can also be implemented using Software Restriction Policies or AppLocker. Check the resulting Group Policy settings under:
- Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies
- Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> Applocker
If this error occurs while installing or updating the Google Chrome browser, reset the browser policy settings by deleting the HKLM\SOFTWARE\Policies\Google registry key.