Elevate MSI Files on the Network Share

A wizard generated UNC or Network Share Path Elevation Policy elevates .exe files but not .msi files.

When launching an .msi file, the following command line is executed:

Copy
C:\Windows\System32\msiexec.exe /i "\\[path-to-network-share]\[file]"

This means that the application is not elevated because the msiexec.exe file is not in the elevated Network Share directory.

This topic details two options for elevating .msi files from a network share.

Option 1

In order to enable elevation for .msi files on the network share, a command line filter can be created and added to the Elevation Policy.

  1. In the Privilege Manager, navigate to Admin | Filters.

  2. Click Add Filters.

  3. From the Platform pull-down menu, select Windows.

  4. From the Filter Type pull-down menu, select Commandline Filter.

  5. Give this filter a custom name and description.

  6. Click Create.

  7. Under Settings | Match Type, select Partial Match.

  8. In the Command line field, enter the network share path that needs to be elevated (such as \\share\folder_path).

    path

  9. Click Save Changes.

  10. Navigate to your Elevation Policy. Under Conditions for Application Targets add the command line filter you just created.

Now MSI files in the network share will be elevated.

Option 2

An application control policy can be created that targets "msiexec.exe" and uses a secondary file filter as an include only filter.

  1. Navigate to Computer Groups | Windows Computers.

  2. Select Application Policies.

  3. Click Create Policy.

  4. In the policy wizard select Controlling, click Next Step.

  5. In the policy wizard select Elevate, click Next Step.

  6. In the policy wizard select Run Silently, click Next Step.

  7. In the policy wizard select Installer Packages, click Next Step.

  8. In the policy wizard select File Upload.

    1. On the Upload a File modal, Click Choose File.
    2. Select the file(s) you wish to be targeted.
    3. Click Upload File.
    4. On the Manage Application dialog, check File Name.
    5. Click Create Filter.
    6. Click Next Step.
  9. On the Finalize the Policy page, enter a name for your new policy. The policy will be created with a default priority of 50, since it is a silent elevation policy.

  10. Click Create Policy.

    final

  11. Click the Packages for 'msi Elevate Process Rights Policy' Filter and under Settings search for and add the \share\to-path filter previously created.

    add filter

  12. Click Save Changes.

  13. Set the Inactive switch to Active.

MSI files in the network share will be elevated.

Adding the Secondary File Filter created to the Applications Targets under Conditions of the Policy will catch all instances where .msi files are run from \\share\folder_path. Only msiexec.exe will run .msi files, so the Secondary File Filter can be added to an Elevation Policy that has other Application Targets.

An Elevation Policy can be built with this Secondary File Filter as the Application Target and add the built-in Microsoft Installer File Filter as an Inclusion Filter to specifically target msiexec.exe runs an .msi from \\share\folder_path\.