MSI: The System Administrator has set policies to prevent this installation

Hi everyone

Today I wanted to talk a problem I seen on newer Windows Server 2019 in a RD setup.

Some user were having problem with a GPO for software installation (per user).

After some diagnostic I found on all my 2019 that the MSI system is restircted now by default.

If you stumble upon this bug;

enter image description here

Then you must be like me, and you have a registry to change.


Now it should work.


Windows RDS | Publishing RADC shortcut on the DesktoP (part 2)


Today I will talk a small tip to be transparent to the users, and thus to enhance a tip I already gave in the past, as seen there; Windows 2019 RDS | Publishing RADC shortcut on the Desktop

In my older blog post I was creating a shortcut to only the RADC’s folder from the start menu, but on the desktop.

Today I wanted to be more granular and create shortcut for each applications on the user desktop. The user experience is greatly enhanced that way.

It’s a 3 steps GPO to do, but first we need to generate our .ico and .rdp’s files to use.

Go inside a computer that as the RADC’s farm installed correctly, and navigate inside the folder; %AppData%\Microsoft\Windows\Start Menu\Programs\Work Ressources (RADC)

From there select the shortcut you want to deploy, like Word, and click property.

From the property windows, check the path of the argument, it’s where our .rdp and .ico are. The shortcut created are just mstsc.exe “path/to/local profile/”. It should be a path liks, %AppData%\Roaming\Microsoft\Workspaces\{….-….-….-….}\Ressources\Word.rdp”

Copy the .RDP you want and the associated .ICO, which are cached there too.

I usually copy them to a folder where all computer can read, like a sub folder in NETLOGON.

From there we start our GPO.

1. Create a GPO, in my example, “RADC – Desktop Word shortcut”

2. Create a file copy to copy the .rdp. Under user\Preference\Windows parameters\Files. The source is like \\dc\netlogon\source\Word.rdp, the destination is a administrative folder on the computer, like c:\it\word.rdp.

3. Create a file copy to copy the .ico. Same source and destination’s folder as the previous one.

4. After that we create a shortcut, under preference too.

We use target as %DesktopDir%\Word, target; c:\it\Word.rdp, and we select the the target icon as c:\it\Word.ico.

I use to copy the files for a reason, if you DC become available for a short period of time, it’s more efficient to simply copy the files locally and create a shortcut to those local’s files.

5. After that we use the same security to apply this GPO’s to as the group you make Word visible with in your RADC’s console.

Voila, the shortcut should be visible easily after that. It’s more work in the start, but after that it’s less call to find the resource in my own opinion.

Thanks for the reading

Push Acrobat Reader via GPO

Hi everyone

Today I will share some step necessary to push by GPO Acrobat Reader if you need it in your environment.

You can download the latest Acrobat Reader installer for offline installation.

For that you need to get to the enterprise portal;

After that you need to extract the .exe, as installation GPO need a .MSI.

Go in a command prompt where your download is, and type such command;

AcroRdrDCxxxxxxxxxx_en_US.exe -sfx_o”C:\Temp\Acrobat” -sfx_ne

After that we got our folder with the correct files. Copy that where your computer can access it. I tend to use the netlogon subfolder on my side, but it can be anywhere.

Next step is to modify the .MST to include the correct’s option. For that you need to use the Acrobat Wizard, available there; (Direct download;

With the wizard please open Acrobat.MST that you have in your folder where you uncompressed the data (c:\temp\acrobat from my example)

In the first section I click to Accept the EULA, and in the next section I click to enable silent’s mode, to have the GPO per machine. Click save.

Now we need create the GPO, click in advanced mode. Point the software installation package to your Acrobat.MSI, and after that go in the deployment option, and click to add the .MST.

Make sure the other files from the download are in the same folder.

After that it should work 🙂