About Windows Installer, the .NET Framework, and Visual Studio.
When installing Visual Studio 2005 Service Pack 1, you may see an error like the following (file name will vary):
Error 1718.File D:\WINDOWS\Installer\50baad.msp was rejected by digital signature policy.
Knowledge Base article 925336 had originally documented instructions using the Local Security Policy UI to work around this issue based on my previous blog post. While both Windows XP and Windows Server 2003 are theoretically susceptible to this issue, to date it's only been observed on Windows Server 2003 – particularly on machines in an Active Directory domain.
Investigations showed that when there's a conflict with domain policy, the UI instructions I documented won't set the registry value that SAFER – the software restriction policy API introduced in Windows XP – uses to determine whether to validate all files.
To reliably workaround this issue, you should follow the instructions below. It is highly recommended that you remove your machine from any domain while installing Visual Studio 2005 Service Pack 1 if you've encountered this problem. Otherwise a domain policy refresh could override the registry value during installation and block the installation.
This can be automated rather easily, as shown in the following batch script example.
rem It is recommended you leave a domain and reboot before running this scriptrem Backup the registry key before changing it to save the current valuesreg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers "%TMP%\safer.reg" /yrem Set the new value and stop Windows Installer, which will automatically restart when the patch gets installedreg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /t REG_DWORD /d 1 /fnet stop msiserverrem Replace the name of the patch below according to which patch you downloadedrem This exmple silently installs the patch with verbose logging enabledstart /wait VS80sp1-KB926601-X86-ENU.exe /L*v+ "%TMP%\VS80sp1-KB926601-X86-ENU.log" /quietrem Delete the new value and restore previous registry values for SAFERreg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v PolicyScope /freg import "%TMP%\safer.reg"
There are several known issues when installing Visual Studio 2005 Service Pack 1 . I've documented these
To prevent domain policy refresh, can I simply unplug my network cable to LAN while I'm installing?
Heath, for some reason I don't have PolicyScope. Do I need to create it or am I missing something?
Patrick, yes, you will need to create the value if it doesn't exist.
Heath, thanks for that workaround. I was finally able to install VS 2005 SP1 on Windows 2003.
After much frustration trying to get Visual Studio 2005 Service Pack 1 installed on a Windows Server...
Si certains d'entre vous ont installé la beta du SP1 sur leur Team Foundation Server, vous aurez certainement
Thank you. I tried KB925336 with no luck. I'm glad I found your solution worked for me.
Glad it helped, Toad. Funny thing is that I created the basis for the KB article in a previous blog entry and reviewed the KB before it was publishd. At the time, no testing uncovered the problems exhibited with domain machines because our domains didn't have an active policy set, so the local override was effective.
When and how can one delete the contents of the $PatchCache$ directory?
What about the contens of the Installer directory?
The above two are taking up several GBs of space on a rather small system drive; I have all the CDs so could easily provide them whenever an installation or patch requires them.
John, you can delete the $PatchCache$ directory anytime but your patch uninstall and binary delta patching scenarios will require original source for any products for which you deleted the baseline cache.
NEVER delete the contents directly under %WINDIR%\Installer, though. See http://blogs.msdn.com/heaths/archive/2007/01/17/the-patch-cache-and-freeing-space.aspx.
Wow, yes, if your machine is in a domain, remove from domain and reboot. After several 20 minute install attempts including the details laid out in 925336, thank god I finally found this site :)
This worked like a charm. Thanks for the batch file. That made updating several machines very simple.
Worked a treat for me after 925336 failed to solve the problem. Note that I didn't bother with the domain removal though.