We're dealing with a frustrating issue while trying to update software for a new client. We're encountering a blocked error that says, "The system administrator has set policies to prevent this installation." I've checked both HKLM and WOW6432Node registry settings for Windows Installer policies and found them empty. AppLocker rules are clear, and Software Restriction Policies aren't defined. I also ensured that the Windows Installer service is enabled and checked the registry settings to confirm Windows isn't mistakenly in Safe Mode. I even deleted the leftover MSI product registration tied to "oldadmin" and looked through the C:\Windows\Installer directory for any cached MSI files. Group Policy settings in gpedit.msc seem fine as well, but we still face installation failures with Event Viewer showing errors 1040, 1042, and 1033. I suspect there might be deeper issues like WDAC, hooks from Software Restriction Policies, or Code Integrity rules causing this. We attempted to connect to the domain controller remotely hoping to overwrite settings as a domain admin to no avail. I reset the password for the previous admin account, yet nothing has worked. Interestingly, we can install other software; it's just this specific application that's hitting the policy. The machine is monitored by ThreatLocker, but we're still stuck. Can anyone provide insights?
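The checks listed in the question, gathered into one read-only triage script. This is an added example, not part of the original post; the 24-hour window is an assumption, and the registry paths and event channels are the standard Windows locations rather than anything specific to this machine.

```powershell
# Added example: read-only triage of the checks described in the question.
# Run from an elevated PowerShell session on the affected machine.
$since = (Get-Date).AddHours(-24)   # assumption: the failed install ran within the last day

# 1. Policy keys: Windows Installer (both registry views) and Software Restriction Policies
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer',            # per-user scope, not mentioned in the question
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' # Software Restriction Policies
)
foreach ($key in $policyKeys) {
    if (Test-Path -Path $key) {
        Write-Host "[$key]"
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-Host
    } else {
        Write-Host "[$key] not present"
    }
}

# 2. Windows Installer service state and start type
Get-Service -Name msiserver | Format-List Name, Status, StartType | Out-Host

# 3. MsiInstaller events 1033, 1040 and 1042 with their full message text
$msiFilter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1033, 1040, 1042
    StartTime    = $since
}
Get-WinEvent -FilterHashtable $msiFilter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, Message | Out-Host

# 4. Error and warning events from the AppLocker and Code Integrity (WDAC) channels
$logs = 'Microsoft-Windows-AppLocker/MSI and Script',
        'Microsoft-Windows-CodeIntegrity/Operational'
foreach ($log in $logs) {
    Write-Host "--- $log ---"
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Format-List TimeCreated, Id, Message | Out-Host
}
```

Lining up the timestamps from sections 3 and 4 shows whether an AppLocker or Code Integrity event was logged at the moment the MSI transaction ended.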
5 Answers
Try leveraging Sysmon alongside ProcMon. It might give you more context on what’s happening behind the scenes during the install process.
Have you considered reinstalling Windows? It sounds like there are leftover policies or settings that could keep causing issues. Starting fresh could save you from future headaches about potential hidden problems.
Using ProcMon could help you track down what exactly is blocking the installer. Watching the file actions during the installation could reveal the root cause.
Make sure to check the local policy settings. If local policies are set, they might override any group policies you’ve set.
Have you logged in with a local admin account? Sometimes, domain policies can block installations, but local admin access helps work around that.
We've tried both local and domain accounts, but no luck so far.

You might be onto something. I'm hesitant, but if we exhaust all efforts, that could end up being the solution.