V-205802
SV-205802r1051079_rule
CAT I
Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
From: Microsoft Windows Server 2019 Security Technical Implementation Guide (V3R8)
Description
<VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\
Value Name: AlwaysInstallElevated
Type: REG_DWORD
Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".
CCI Reference
CCI-003980,CCI-001812- Created
- 2026-04-07 20:08:25
- Last Updated
- 2026-04-07 20:08:25