description | ms.assetid | title | ms.topic | ms.date |
---|---|---|---|---|
If this per-machine system policy is not set, only administrators can patch existing products that were installed using elevated privileges. |
cd07dcb0-b9b5-4186-a916-604c40f88b5f |
AllowLockdownPatch |
article |
05/31/2018 |
If this per-machine system policy is not set, only administrators can patch existing products that were installed using elevated privileges. If AllowLockdownPatch is set to "1", nonadministrative users can, in some cases, apply patches to products while running an installation using elevated privileges. With the policy set, the patch can install minor upgrades while running an installation using elevated privileges, the patch cannot install major upgrades. Setting this policy also enables nonadministrative users to run programs at LocalSystem privileges during an elevated installation.
The default setting is recommended to ensure a secure environment.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
REG_DWORD
Any user can apply a patch during a nonelevated installation. Setting this per-machine system policy to "1" gives nonadministrative users the additional flexibility of applying patches to any product during an elevated installation. If this policy is not set, nonadministrative users cannot apply a patch to assigned or published applications.
Setting this policy also enables nonadministrative users to run arbitrary programs at LocalSystem privileges if they have a Windows Installer patch package that installs or launches those programs.