Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note: that the User Configuration version of this setting is not guaranteed to be secure. Countermeasure: Configure the "Always install with elevated privileges" setting to "Disabled. Potential Impact: Windows Installer will apply the current user's permissions when it installs programs, this will prevent standard users from installing applications that affect system-wide configuration items.

[enabled/disabled]

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated