How to avoid UAC prompt when msp is signed with latest security updates

Shumway, Duane 0 Reputation points
2025-08-26T15:39:47.04+00:00

With the August 12, 2025 Windows update (KB5063709, KB5063878), Microsoft fixed this security vulnerability. Previously, if a patch (.msp file) was signed with the same certificate as the original installation, the patch could be applied without needing administrative permissions. Our patches can no longer be applied after users apply this Windows update without entering admin credentials. Further, the silent mode we are using does not prompt, so even admins see an error and the patch fails. The msi log still shows that the patch can run 'unrestricted':

MSI (s) (E4:C4): SOFTWARE RESTRICTION POLICY: Verifying patch --> 'C:\...\patch.msp' against software restriction policy
MSI (s) (E4:C4): SOFTWARE RESTRICTION POLICY: C:\...\patch.msp has a digital signature
MSI (s) (E4:C4): SOFTWARE RESTRICTION POLICY: C:\...\patch.msp is permitted to run at the 'unrestricted' authorization level.

On the one hand, it appears that the patch is running in admin mode:

MSI (s) (04:F0): MSI_LUA: Setting AdminUser property to 1 because the product is already installed managed and per-machine
MSI (s) (04:F0): PROPERTY CHANGE: Adding AdminUser property. Its value is '1'.
MSI (s) (04:F0): MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (04:F0): PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (04:F0): PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (E4:C4): Product is admin assigned: LocalSystem owns the publish key.
MSI (s) (E4:C4): Product is managed.
MSI (s) (E4:C4): Running product with elevated privileges: Product is assigned.
MSI (s) (E4:C4): Validating digital signature of file 'C:\...\d99c0.msp'
MSI (s) (E4:C4): File 'C:\...\d99c0.msp' is a validly signed file and validates according to authoring of MSI package
MSI (s) (E4:C4): Patch C:\...\patch.msp will be applied because it meets the LUA patch criteria

But then there are the effects of the new restrictions that are part of the latest Windows updates:

MSI (s) (C4:00): MSI_LUA: Installation UI level is silent but Credential prompt required as the user is running repair and deployment compliance state is 3 so failing in future

And later:

MSI (s) (C4:00): MSI_LUA: Credential prompt is required now as the user is running repair
MSI (s) (C4:00): MSI_LUA: Elevation prompt disabled for silent installs
MSI (s) (C4:00): Note: 1: 1730 
MSI (s) (C4:00): Error 1730. You must be an Administrator to remove this application. To remove this application, you can log on as an Administrator, or contact your technical support group for assistance.

Logs of the same patch on machines that don't have the update do not say anything about a 'repair' or 'remove' operation and refer to it only as a 'minor upgrade patch'.

Other software vendors have seen similar issues, and Autodesk support is suggesting a registry change. That does work, but it seems to be too broad and too permissive, and it also seems that it shouldn't be necessary for signed patches. Besides DisableLUAInRepair, I have also considered AllowLockdownPatch, but that didn't work. It also has security risks and is not likely a good solution.

With the changes from the latest Windows update, is there a better way to apply signed patches in silent mode without requiring admin credentials?


1 answer

  1. Hendrix-V 1,430 Reputation points Microsoft External Staff Moderator
    2025-08-27T03:18:41.15+00:00

    Hi Shumway, Duane,

    I'm Hendrix, here to help with your query on the Microsoft Q&A forums.

    Apologies for any inconvenience you are experiencing. I am happy to help you today.


    Even if an MSP is signed with a trusted certificate, UAC prompts appear because the installer requires elevated privileges to modify system-level settings.

    Here’s my suggested step-by-step guide for deploying an MSP file silently on Windows Home:

    1 - Prepare the MSP File

    • Make sure your MSP file is digitally signed and from a trusted source.
    • Verify the signature:
        Get-AuthenticodeSignature "C:\Path\YourPatch.msp"
      

    2 - Use msiexec for Silent Installation

    Windows Installer supports applying patches silently using msiexec.

    • Open Command Prompt as Administrator:

    Press Win + S, type cmd, right-click Command Prompt, select Run as administrator.

    msiexec /p "C:\Path\YourPatch.msp" /qn /norestart
    

    Switches explained:

    • /p → Apply patch
    • /qn → Quiet mode (no UI)
    • /norestart → Prevent automatic restart

    3 - Automate with a Batch File

    • Create a .bat file for convenience:
        @echo off
        msiexec /p "C:\Path\YourPatch.msp" /qn /norestart
      
    • Save as install_patch.bat.
    • Right-click → Run as administrator.

    4 - Optional: Use Task Scheduler for Elevated Execution

    If you want to avoid manual elevation:

    • Open Task Scheduler → Create Task.
    • Check Run with highest privileges.
    • Set Action → Start a program → msiexec /p "C:\Path\YourPatch.msp" /qn /norestart.
    • Trigger on Log on or One time.
    • Run the task.

    5 - Verify Installation

    • Check Control Panel → Programs and Features → Installed Updates.
    • Or run:
        Get-HotFix | Where-Object {$_.Description -like "*Update*"}
      

    To assist others who might have similar questions and to help us improve our support system, we kindly encourage you to "Accept the answer" if it successfully addressed your concern. Accepting an answer lets other users know that this solution worked for you, and it also helps us track the effectiveness of our support efforts.

    Warm regards,

    Hendrix Vu | Microsoft Q&A Support Specialist
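
The failure signature in the question's log excerpts can be checked mechanically across installer logs collected from many machines. The following is an added example, not code from either poster or from Microsoft; the function names, marker names and verdict labels are assumptions made for illustration, and the sample text is constructed from the excerpts quoted in the question.

```python
import re

# Constructed sample, assembled from the log excerpts quoted in the question.
SAMPLE_LOG = r"""MSI (s) (E4:C4): Patch C:\...\patch.msp will be applied because it meets the LUA patch criteria
MSI (s) (C4:00): MSI_LUA: Installation UI level is silent but Credential prompt required as the user is running repair and deployment compliance state is 3 so failing in future
MSI (s) (C4:00): MSI_LUA: Credential prompt is required now as the user is running repair
MSI (s) (C4:00): MSI_LUA: Elevation prompt disabled for silent installs
MSI (s) (C4:00): Note: 1: 1730
MSI (s) (C4:00): Error 1730. You must be an Administrator to remove this application.
"""

# Marker names are labels chosen for this example; the patterns are the log phrases above.
MARKERS = {
    "lua_patch_accepted": re.compile(r"meets the LUA patch criteria"),
    "credential_prompt": re.compile(r"MSI_LUA: Credential prompt is required now"),
    "prompt_suppressed": re.compile(r"MSI_LUA: Elevation prompt disabled for silent installs"),
    "error_1730": re.compile(r"\bError 1730\b"),
}
STATE_RE = re.compile(r"deployment compliance state is (\d+)")


def read_msi_log(path):
    """Decode a log file; assumes UTF-16 when a BOM is present, else single-byte text."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("latin-1")


def triage(log_text):
    """Return a verdict, the logged compliance state, and the line numbers of each marker."""
    hits = {name: [] for name in MARKERS}
    state = None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, pattern in MARKERS.items():
            if pattern.search(line):
                hits[name].append(lineno)
        match = STATE_RE.search(line)
        if match:
            state = int(match.group(1))
    if hits["credential_prompt"] and hits["prompt_suppressed"]:
        # Elevation was demanded, but a silent UI level cannot show the prompt.
        verdict = "silent_elevation_blocked"
    elif hits["credential_prompt"]:
        verdict = "credential_prompt_required"
    elif hits["lua_patch_accepted"]:
        verdict = "lua_patch_accepted_no_prompt"
    else:
        verdict = "no_lua_markers"
    return {"verdict": verdict, "compliance_state": state, "lines": hits}
```

The verdict labels only restate what the log lines say; they make no claim about why Windows Installer treated the patch as a repair.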

