0

The objective is basically to install the app for the first time (using admin privileges, for all users), but thereafter let non-admins update/upgrade it (for all users), given that the new installers are signed with the same certificate as the original installer.

It can be a patch or a whole new installer. Either way, is this possible, and if so, how?

PhilDW
  • 20,260
  • 1
  • 18
  • 28
user5521
  • 3
  • 4

1 Answers1

1

The concept is called UAC Patching (or LUA Patching in the verbose log), and is documented in detail on MSDN. The crux of it is a matching certificate that is both stored in the MsiPatchCertificate table, and used to sign the patch.

There are a lot of caveats, including certificate expiration, that you have to account for if avoiding subsequent UAC prompts is critical. See the PatchCertificates element for ensuring the certificate is stored in the MsiPatchCertificate table.

Michael Urman
  • 15,737
  • 2
  • 28
  • 44
  • Do you know how to add a new PatchCertificates element to the wxs file? Also, does this need to be added to the patch wxs as well? I can't find anything on this and all my patches still require admin permissions even if signed by the same certificate as the original installer. – user5521 Jul 27 '16 at 08:29
  • It's hard to assess something of this complexity via comments. Consider updating your question (or asking another) to clarify which of the items on [User Account Control (UAC) Patching](https://msdn.microsoft.com/en-us/library/windows/desktop/aa372388.aspx) you have confirmed you have satisfied, and which are you having trouble confirming. – Michael Urman Jul 27 '16 at 11:56
  • I followed this guide (http://wixtoolset.org/documentation/manual/v3/patching/wix_patching.html) . Ok here's what I've done so far. Added `PatchCertificates` and `PackageCertificates` tags to my main wsx. After the MSI is built I sign it using the same certificate. After the patch is build I sign it using the same certificate as well. I run try to install the app, works as expected. I then try to install the patch. Unfortunately UAC pops up. If I accept it, the patch ends up installing perfectly. My problem is that the patch still requires admin rights. – user5521 Jul 27 '16 at 12:04
  • I peek at the 2 installers using Orca and also during the UAC dialog and they are both signed with the valid certificate. – user5521 Jul 27 '16 at 12:07
  • Please check this question out. Thanks http://stackoverflow.com/questions/38614931/wix-installing-patches-without-admin-rights – user5521 Jul 27 '16 at 13:52