Non-Administrator Patches

InstallShield 2013

Project: This information applies to the following project types:

Basic MSI
InstallScript MSI
QuickPatch

Windows Installer 3.0 and later enables you to create patches that can be installed by non-administrators. Non-administrator patches can be used if all of the following criteria are met:

The target machine must be running Windows Installer 3.0 or later on the Microsoft Windows XP or later client platform. Server platforms are not supported.
The application was installed from removable media such as a CD-ROM or DVD.
The application was installed in a per-machine context.

Note: If the ALLUSERS property is overridden at the command line, non-administrator patches will fail.

The base installation must include the certificate that will be used to sign all subsequent patches.
The base installation must include the MsiPatchCertificate table. This table provides the signer certificate that will be used to verify the digital signature of subsequent patches when they are applied by a non-administrator. If necessary, this table can contain multiple certificates; the digital signature of each subsequent patch must then verify against at least one of them. For more information, see Preparing Installations for Non-Administrator Patches.
The non-administrator patch must contain the MsiDigitalCertificate table. This table contains the signing certificates for the signed patches. For more information, see Signing a Patch Package or Signing a QuickPatch Package.

If any of the above criteria are not met, end users cannot install the digitally signed patch in a locked-down environment.
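
The following PowerShell function is an added example, not part of the InstallShield documentation. It opens a base .msi read-only through the Windows Installer automation object and reports whether MsiPatchCertificate has rows that resolve to MsiDigitalCertificate entries, and what ALLUSERS is authored as. The function names and the MsiPath parameter are hypothetical; the OS and removable-media criteria cannot be read from the package and are not checked.

```powershell
# Added example. Function names and the -MsiPath parameter are hypothetical.
function Invoke-Member($Obj, $Name, $Kind = 'InvokeMethod', $MemberArgs = $null) {
    # WindowsInstaller.Installer is late-bound, so call members via reflection.
    $Obj.GetType().InvokeMember($Name, $Kind, $null, $Obj, $MemberArgs)
}

function Get-MsiColumn($Db, [string]$Query) {
    # Return column 1 of every row the query yields.
    $view = Invoke-Member $Db 'OpenView' 'InvokeMethod' @($Query)
    [void](Invoke-Member $view 'Execute')
    $values = @()
    while ($null -ne ($rec = Invoke-Member $view 'Fetch')) {
        $values += Invoke-Member $rec 'StringData' 'GetProperty' @(1)
    }
    [void](Invoke-Member $view 'Close')
    ,$values
}

function Test-NonAdminPatchReadiness([string]$MsiPath) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $full = (Resolve-Path -LiteralPath $MsiPath).Path
    $db = Invoke-Member $installer 'OpenDatabase' 'InvokeMethod' @($full, 0)  # 0 = read-only

    # Querying a missing table raises an error, so consult _Tables first.
    $tables = Get-MsiColumn $db 'SELECT `Name` FROM `_Tables`'
    $refs = @(); $certs = @()
    if ($tables -contains 'MsiPatchCertificate') {
        $refs = Get-MsiColumn $db 'SELECT `DigitalCertificate_` FROM `MsiPatchCertificate`'
    }
    if ($tables -contains 'MsiDigitalCertificate') {
        $certs = Get-MsiColumn $db 'SELECT `DigitalCertificate` FROM `MsiDigitalCertificate`'
    }
    # Every MsiPatchCertificate row must point at a stored certificate.
    $dangling = @($refs | Where-Object { $certs -notcontains $_ })
    $allUsers = Get-MsiColumn $db 'SELECT `Value` FROM `Property` WHERE `Property`=''ALLUSERS'''

    [pscustomobject]@{
        PatchCertificateRows = $refs.Count
        DanglingCertificates = $dangling -join ', '
        CertificateTablesOk  = ($refs.Count -gt 0) -and ($dangling.Count -eq 0)
        AllUsersDefault      = $allUsers -join ''
        # Assumption: ALLUSERS=1 authored in the Property table means the
        # package defaults to a per-machine install.
        PerMachineByDefault  = ($allUsers -contains '1')
    }
}
```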

A typical scenario for non-administrator patches comes from the computer game industry. Some computer game users are children who might not have access to areas of the system other than folders in their own user profile and registry keys under HKEY_CURRENT_USER. Their parents would have administrative access to the machines so that they can control what is installed and what their children can access. Parents would install any and all applications. If patches are available for the installed software, children would be able to download and install non-administrator patches without help from their parents, as long as all of the above criteria have been met.
