Hi,

Hopefully someone can help me with this, it's been causing problems for the last year.

I have a Win2k domain with 300ish XP clients. I have a software restrictions policy which basically prevents the running of executables from anywhere other than the local HDD.

I'm using an education specific tool for application deployment, which just basically uses the system account to execute the msiexec command with switches to do per machine installs before logon.

When workstations are pulling apps from the servers, the software restrictions policy will sometimes prevent installation on a couple of workstations. If I reboot the workstation and set it to reattempt install, the installation will be successful. I've also noticed (once) that while a user was logged on and caused an MSI to heal, it was prevented by software restrictions. Logging off and logging on again allowed the heal to complete successfully.

On a typically failed machine, I will see in event logs that it loads Windows, starts installing apps, will apply policy successfully then prevent apps from installing.

I've tried tweaking the GP update interval and these sort of settings. As far as I can tell it's not a network load problem as I've tested out of hours and still see 2 out of 30 computer do this. If I disable the software restrictions policy, the problem goes away. I've also tried deleting and recreating the policy manually.

My support providers seem to be at a loss in finding what the cause is. Any help would be much appreciated.

Here's a couple of examples of failure messages. The latter is less common but have seen it enough times.:

Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 1007
Date: 11/08/2004
Time: 12:33:10
User: N/A
Computer: F6ST07
Description:
The installation of \\server\share\Applications\MS Office XP SP2\v1.1.0.0\Laptop XP Pro.mst is not permitted by software restriction policy. The Windows Installer only allows execution of unrestricted items. The authorization level returned by software restriction policy was 0x0 (status return 0x0).

------------------------------------------------------------------------------------
Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11718
Date: 14/04/2005
Time: 16:48:51
User: NT AUTHORITY\SYSTEM
Computer: CC3CLEAN
Description:
Product: RM CD Burning Helper -- Error 1718.File C:\WINDOWS\Installer\b4fd.msi was rejected by digital signature policy.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 35 33 44 44 39 46 35 (53DD9F5
0008: 39 2d 39 45 30 30 2d 34 9-9E00-4
0010: 32 38 31 2d 41 43 35 41 281-AC5A
0018: 2d 41 34 36 41 46 32 46 -A46AF2F
0020: 30 46 34 45 39 7d 0F4E9)
------------------------------------------------------------------------------------