Workaround for Error 1718

Workaround for Error 1718

Rate This
  • Comments 32

When installing Visual Studio 2005 Service Pack 1, you may see an error like the following (file name will vary):

Error 1718.File D:\WINDOWS\Installer\50baad.msp was rejected by digital signature policy.

Knowledge Base article 925336 had originally documented instructions using the Local Security Policy UI to work around this issue based on my previous blog post. While both Windows XP and Windows Server 2003 are theoretically susceptible to this issue, to date it's only been observed on Windows Server 2003 – particularly on machines in an Active Directory domain.

Investigations showed that when there's a conflict with domain policy, the UI instructions I documented won't set the registry value that SAFER – the software restriction policy API introduced in Windows XP – uses to determine whether to validate all files.

To reliably workaround this issue, you should follow the instructions below. It is highly recommended that you remove your machine from any domain while installing Visual Studio 2005 Service Pack 1 if you've encountered this problem. Otherwise a domain policy refresh could override the registry value during installation and block the installation.

  1. Leave your domain if belong to a domain and reboot
  2. Set the DWORD registry value PolicyScope to 1 in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers registry key
  3. From an elevated command prompt, run "net stop msiserver" (without quotes) or simply reboot your machine
  4. Install the patch
  5. Reset the registry value from step 2
  6. Re-join your domain if you previously belonged to a domain and reboot

This can be automated rather easily, as shown in the following batch script example.

rem It is recommended you leave a domain and reboot before running this script

rem Backup the registry key before changing it to save the current values
reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers "%TMP%\safer.reg" /y

rem Set the new value and stop Windows Installer, which will automatically restart when the patch gets installed
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /t REG_DWORD /d 1 /f
net stop msiserver

rem Replace the name of the patch below according to which patch you downloaded
rem This exmple silently installs the patch with verbose logging enabled
start /wait VS80sp1-KB926601-X86-ENU.exe /L*v+ "%TMP%\VS80sp1-KB926601-X86-ENU.log" /quiet

rem Delete the new value and restore previous registry values for SAFER
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /f
reg import "%TMP%\safer.reg"

Leave a Comment
  • Please add 2 and 4 and type the answer here:
  • Post
  • There are several known issues when installing Visual Studio 2005 Service Pack 1 . I've documented these

  • There are several known issues when installing Visual Studio 2005 Service Pack 1 . I've documented these

  • To prevent domain policy refresh, can I simply unplug my network cable to LAN while I'm installing?

  • Heath, for some reason I don't have PolicyScope. Do I need to create it or am I missing something?



  • Patrick, yes, you will need to create the value if it doesn't exist.

  • Heath, thanks for that workaround. I was finally able to install VS 2005 SP1 on Windows 2003.


  • After much frustration trying to get Visual Studio 2005 Service Pack 1 installed on a Windows Server...

  • Si certains d'entre vous ont installé la beta du SP1 sur leur Team Foundation Server, vous aurez certainement

  • Thank you. I tried KB925336 with no luck. I'm glad I found your solution worked for me.

  • Glad it helped, Toad. Funny thing is that I created the basis for the KB article in a previous blog entry and reviewed the KB before it was publishd. At the time, no testing uncovered the problems exhibited with domain machines because our domains didn't have an active policy set, so the local override was effective.

  • When and how can one delete the contents of the $PatchCache$ directory?

    What about the contens of the Installer directory?

    The above two are taking up several GBs of space on a rather small system drive; I have all the CDs so could easily provide them whenever an installation or patch requires them.

  • John, you can delete the $PatchCache$ directory anytime but your patch uninstall and binary delta patching scenarios will require original source for any products for which you deleted the baseline cache.

    NEVER delete the contents directly under %WINDIR%\Installer, though. See

  • Wow, yes, if your machine is in a domain, remove from domain and reboot.  After several 20 minute install attempts including the details laid out in 925336, thank god I finally found this site :)


  • This worked like a charm.  Thanks for the batch file.  That made updating several machines very simple.

  • Worked a treat for me after 925336 failed to solve the problem.  Note that I didn't bother with the domain removal though.


Page 1 of 3 (32 items) 123