MS14-049: Description of the security update for Windows Installer Service: August 12, 2014

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials

INTRODUCTION


Microsoft has released security bulletin MS14-049. To learn more about this security bulletin:

How to obtain help and support for this security update

Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

More Information


Known issues with this security update

Known issue 1

After you install this security update and try to install any MSI package that uses a mandatory or temporary user profile, the MSI package installation fails, and you receive an error message that resembles the following:

The profile for the user is a temporary profile


When this problem occurs, the MSI log will contain an error message that resembles the following:

SECREPAIR: A general error running CryptAcquireContext / Crypt Provider not initialized. Error:-2146893813


For more information about how to enable the Windows Installer logging service, click the following article number to view the article in the Microsoft Knowledge Base:
223300 How to enable Windows Installer logging
Resolution
To resolve this issue, install update 3000988:
3000988 "The profile for the user is a temporary profile" error when you install a MSI package in Windows

Known issue 2

After you install this security update, you may receive a User Account Control (UAC) prompt when you try to use remote deployments, centralized deployments, or other local methods to reinstall a program that was already installed before the security update was installed.

Resolution
To resolve this issue, use one of the following methods, as appropriate for your situation:
  • Install update 3008627. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    3008627 Unexpected UAC prompt after you install update 2918614 in Windows
    Note  Update 3008627 is not available for Windows Vista. If you are running Windows Vista, use one of the other methods that are listed in this topic.  
  • Uninstall, and then reinstall the program.
  • IT administrators can opt out the affected programs by using Group Policy registry settings.

    Note Be aware that this opt-out method effectively removes this defense-in-depth security feature for those programs.

    Steps to opt out the affected programs

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows


    To do this, follow these steps:
    1. Click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following subkey in the registry:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type SecureRepairPolicy for the name of the DWORD, and then press Enter.
    5. Right-click SecureRepairPolicy, and then click Modify.
    6. In the Value data box, type 2, and then click OK.
    7. Locate and then click the following subkey in the registry:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    8. On the Edit menu, point to New, and then click Key.
    9. Type SecureRepairWhitelist for the name of the key, and then press Enter.
    10. Double-click the SecureRepairWhitelist key to open it.
    11. On the Edit menu, point to New, and then click String Value. Create String Values that contain the product codes (including braces {}) of the products that have to be added to the Safe Recipients list.

      The NAME of the String Value is the "product code" and the VALUE can be left blank. To obtain the product code for other MSIs, open the MSI by using the ORCA tool that is available in Windows SDK.

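The registry steps above can also be scripted. The following PowerShell is an added example, not code from the Microsoft article. It assumes an elevated session; the two product codes are constructed placeholders, and the backup file name is hypothetical.

```powershell
# Added example (not from the Microsoft article). Run from an elevated session.
# Constructed placeholder product codes: replace with the real codes to opt out.
$ProductCodes = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)
$InstallerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$WhitelistKey = "$InstallerKey\SecureRepairWhitelist"
$BackupFile   = "$env:TEMP\Installer-policy-backup.reg"   # hypothetical name

# Each value name must be a product code GUID, braces included (step 11).
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$invalid = @($ProductCodes | Where-Object { $_ -notmatch $guidPattern })
if ($invalid.Count -gt 0) {
    throw "Not a braced product code: $($invalid -join ', ')"
}

# Back up the policy key before changing it; create it if it is absent
# (creating a missing key is an assumption, the article expects it to exist).
if (Test-Path $InstallerKey) {
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer' $BackupFile /y | Out-Null
} else {
    New-Item -Path $InstallerKey -Force | Out-Null
}

# Steps 2-6: DWORD SecureRepairPolicy = 2 under the Installer policy key.
New-ItemProperty -Path $InstallerKey -Name 'SecureRepairPolicy' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Steps 7-11: SecureRepairWhitelist key with one blank string value per product code.
if (-not (Test-Path $WhitelistKey)) {
    New-Item -Path $WhitelistKey | Out-Null
}
foreach ($code in $ProductCodes) {
    New-ItemProperty -Path $WhitelistKey -Name $code `
        -PropertyType String -Value '' -Force | Out-Null
}

# Read the result back so the opt-out list can be reviewed and recorded.
$policy = (Get-ItemProperty -Path $InstallerKey).SecureRepairPolicy
$listed = @((Get-Item -Path $WhitelistKey).Property)
"SecureRepairPolicy = $policy"
"Opted-out product codes ($($listed.Count)):"
$listed
```

Because each listed product loses this defense-in-depth check, keep the list as short as possible and review the read-back output whenever the policy changes.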

Known issue 3

After you apply this security update, a minor upgrade will display a UAC prompt.

For more information, visit the following Microsoft webpage:
Resolution
To resolve this issue, install update 3000988:
3000988 "The profile for the user is a temporary profile" error when you install a MSI package in Windows

FILE INFORMATION


The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.