Policy

Prohibit non-administrators from applying vendor signed updates

This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates.

Policy
Pack Microsoft Windows
Category Windows Components / Windows Installer
Policy ID 8092be3afce8
Internal name MSI_DisableLUAPatching

Registry

Copy registry mappings

HKLM\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching (enabled) = 1
HKLM\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching (disabled) = 0

Policy notes

This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates.

Related policies

Allow user control over installsAllow users to browse for source while elevatedAllow users to patch elevated productsAllow users to use media source while elevatedAlways install with elevated privilegesControl maximum size of baseline file cacheEnforce upgrade component rules