<displayName>enter display name here</displayName>
<description>enter description here</description>
<resources>
<stringTable>
<string id="AllowLockdownBrowse">Enable user to browse for source while elevated</string>
<string id="AllowLockdownBrowse_Help">Allows users to search for installation files during privileged installations.
This setting enables the Browse button in the "Use feature from" dialog box. As a result, users can search for installation files, even when the installation program is running with elevated system privileges. By default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow.
This setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" setting.</string>
<string id="AllowLockdownMedia">Enable user to use media source while elevated</string>
<string id="AllowLockdownMedia_Help">Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during privileged installations.
This setting permits all users to install programs from removable media, even when the installation program is running with elevated system privileges. By default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.
This setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.
Also, see the "Prevent removable media source for any install" setting in User Configuration\Administrative Templates\Windows Components\Windows Installer.</string>
<string id="AllowLockdownPatch">Enable user to patch elevated products</string>
<string id="AllowLockdownPatch_Help">Allows users to upgrade programs during privileged installations.
This setting permits all users to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use.
By default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
This setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" setting.</string>
<string id="AlwaysInstallElevated">Always install with elevated privileges</string>
<string id="AlwaysInstallElevated_Help">Directs Windows Installer to use system permissions when it installs any program on the system.
This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.
Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure.</string>
<string id="LegacyAutomaticApplicationShutdownOff">Restart Manager Off for Legacy App Setup</string>
<string id="DisableAlways">Always</string>
<string id="DisableAutomaticApplicationShutdown">Prohibit Use of Restart Manager</string>
<string id="DisableAutomaticApplicationShutdown_Help">The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. This setting controls Windows Installer's interaction with the Restart Manager.
If you enable this setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior.
-- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible.
-- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used.
-- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection.
If you disable this setting or do not configure it, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible.</string>
<string id="DisableBrowse">Remove browse dialog box for new source</string>
<string id="DisableBrowse_Help">Prevents users from searching for installation files when they add features or components to an installed program.
This setting disables the Browse button beside the "Use feature from" list in the Windows Installer dialog box. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures.
This setting applies even when the installation is running in the user's security context.
If you disable this setting or do not configure it, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
This setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as Windows Explorer or Network Locations, to search for installation files.
Also, see the "Enable user to browse for source while elevated" setting.</string>
<string id="DisableFlyweightPatching_Help">This setting controls the ability to turn off all patch optimizations.
If you turn on this policy setting (set to 1), all Patch Optimization options are turned off during the installation.
If you turn off this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing..</string>
<string id="DisableLoggingFromPackageOff">Disable logging via package settings off</string>
<string id="DisableLoggingFromPackageOn">Disable logging via package settings on</string>
<string id="DisableLoggingFromPackage">Disable logging via package settings</string>
<string id="DisableLoggingFromPackage_Help">The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. This setting controls Windows Installer's processing of this property.
If you enable this setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior.
-- The "Logging Via Package Settings On" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property.
-- The "Logging Via Package Settings Off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy.
If you do not configure this setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property.</string>
<string id="DisableMedia">Prevent removable media source for any install</string>
<string id="DisableMedia_Help">Prevents users from installing programs from removable media.
If a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears, stating that the feature cannot be found.
This setting applies even when the installation is running in the user's security context.
If you disable this setting or do not configure it, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
Also, see the "Enable user to use media source while elevated setting" in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.
Also, see the "Hide the 'Add a program from CD-ROM or floppy disk' option" setting in User Configuration\Administrative Templates\Control Panel\Add or Remove Programs.</string>
<string id="DisableMSI">Disable Windows Installer</string>
<string id="DisableMSI_Help">Disables or restricts the use of Windows Installer.
This setting can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator.
If you enable this setting, you can use the options in the Disable Windows Installer box to establish an installation setting.
-- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured.
-- The "For non-managed apps only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured.
-- The "Always" option indicates that Windows Installer is disabled.
This setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.</string>
<string id="DisablePatch_Help">Prevents users from using Windows Installer to install patches.
Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use.
Note: This setting applies only to installations that run in the user's security context. By default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs.
Also, see the "Enable user to patch elevated products" setting.</string>
<string id="DisableRollback_Help">Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
This setting prevents Windows Installer from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
This setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this setting unless it is essential.
This setting appears in the Computer Configuration and User Configuration folders. If the setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder.</string>
<string id="EnableAdminTSRemote">Allow admin to install from Terminal Services session</string>
<string id="EnableAdminTSRemote_Help">Allows Terminal Services administrators to install and configure programs remotely.
By default, system administrators can install programs only when system administrators are logged on to the computer on which the program is being installed. This setting creates a special exception for computers running Terminal Services.
This setting affects system administrators only. Other users cannot install programs remotely.</string>
<string id="EnableUserControl">Enable user control over installs</string>
<string id="EnableUserControl_Help">Permits users to change installation options that typically are available only to system administrators.
This setting bypasses some of the security features of Windows Installer. It permits installations to complete that otherwise would be halted due to a security violation.
The security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user.
This setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.</string>
<string id="MSI">Windows Installer</string>
<string id="MSI_AllowUser">Allow User Installs</string>
<string id="MSI_DisableLUAPatching">Prohibit non-administrators from applying vendor signed updates</string>
<string id="MSI_DisableLUAPatchingHelp">This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users.
If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based application.
If you disable this policy setting, users without administrative privileges will be able to install non-administrator updates.</string>
<string id="MSI_DisablePatchUninstall">Prohibit removal of updates</string>
<string id="MSI_DisablePatchUninstallHelp">This setting controls the ability for users or administrators to remove Windows Installer based updates.
This setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators.
If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product.
If you disable this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether Disable Windows Installer and Always install with elevated privileges policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context.</string>
<string id="MSI_DisableSRCheckPoints">Turn off creation of System Restore Checkpoints</string>
<string id="MSI_DisableSRCheckPoints_Help">System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application.
If you enable this setting, the Windows Installer does not generate System Restore checkpoints when installing applications.
If you disable this setting or do not configure it, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed.</string>
<string id="MSI_DisableUserInstalls">Prohibit User Installs</string>
<string id="MSI_DisableUserInstalls_Help">This setting allows you to configure user installs. To configure this setting, set it to enabled and use the drop-down list to select the behavior you want.
If this setting is not configured, or if the setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product.
If this setting is enabled and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.</string>
<string id="MSI_EnforceUpgradeComponentRulesHelp">This setting causes the Windows Installer to enforce strict rules for component upgrades - setting this may cause some updates to fail.
If you enable this policy setting strict upgrade rules will be enforced by the Windows Installer. Upgrades can fail if they attempt to do one of the following:
(1) Remove a component from a feature.
This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component.
(2) Add a new feature to the top or middle of an existing feature tree.
The new feature must be added as a new leaf feature to an existing feature tree.
If you disable this policy setting, the Windows Installer will use less restrictive rules for component upgrades.</string>
<string id="MSI_HideUser">Hide User Installs</string>
<string id="MSI_MaxPatchCacheSize">Baseline file cache maximum size</string>
<string id="MSI_MaxPatchCacheSizeHelp">This policy controls the percentage of disk space available to the Windows Installer baseline file cache.
The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied.
If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache.
If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed.
If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache.
If you disable this policy setting or if it is not configured the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size.</string>
<string id="MSILogging">Logging</string>
<string id="MSILogging_Help">Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume.
When you enable this setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want.
To disable logging, delete all of the letters from the box.
If you disable this setting or do not configure it, Windows Installer logs the default event types, represented by the letters "iweap."</string>
<string id="SafeForScripting">Disable IE security prompt for Windows Installer scripts</string>
<string id="SafeForScripting_Help">Allows Web-based programs to install software on the computer without notifying the user.
By default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. This setting suppresses the warning and allows the installation to proceed.
This setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this setting can pose a security risk, it should be applied cautiously.</string>
<string id="SearchOrder">Search order</string>
<string id="SearchOrder_Help">Specifies the order in which Windows Installer searches for installation files.
By default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).
To change the search order, enable the setting, and then type the letters representing each file source in the order that you want Windows Installer to search.:
-- "n" represents the network;
-- "m" represents media;
-- "u" represents URL, or the Internet.
To exclude a file source, omit or delete the letter representing that source type.</string>
<string id="SUPPORTED_MSI15">Microsoft Windows XP or Windows 2000 with Windows Installer v2.0</string>
<string id="TransformsSecure">Cache transforms in secure location on workstation</string>
<string id="TransformsSecure_Help">Saves copies of transform files in a secure location on the local computer.
Transform files consist of instructions to modify or customize a program during installation.
If you enable this setting, the transform file is saved in a secure location on the user's computer. Because Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. This is the default behavior on Windows Server 2003 family when the policy is not configured.
This setting is designed for enterprises to prevent unauthorized or malicious editing of transform files.
If you disable this setting, Windows Installer stores transform files in the Application Data directory in the user's profile. When a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. This is the default behavior on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured.</string>
</stringTable>
<presentationTable>
<presentation id="AlwaysInstallElevated_1">
<text> </text>
<text>This setting must be set for the machine and the user to be enforced.</text>
</presentation>
<presentation id="AlwaysInstallElevated_2">
<text> </text>
<text>This setting must be set for the machine and the user to be enforced.</text>
