Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003 or in Windows XP: "Error 1718. File was rejected by digital signature policy" (925336)

SYMPTOMS

When you try to install a large Microsoft Windows Installer (.msi) package or a large Microsoft Windows Installer patch (.msp) package on a computer that is running Microsoft Windows Server 2003 or Microsoft Windows XP, you receive the following error message:

Error 1718. File FileName was rejected by digital signature policy.

WORKAROUND

To work around this problem, follow these steps:

Click Start, click Run, type control admintools, and then click OK.
Double-click Local Security Policy.
Click Software Restriction Policies.

Note If no software restrictions are listed, right-click Software Restriction Policies, and then click Create New Policy.
Under Object Type, double-click Enforcement.
Click All users except local administrators, and then click OK.
Restart the computer.

Important After you follow the previous steps, local administrators can install the .msi package or the .msp package. After the package is installed, reset the enforcement level by following the previous steps. In step 5, click All users instead of All users except local administrators.

MORE INFORMATION

Digital signatures help make sure that a package has not been tampered with. Windows Server 2003 and Windows XP use an additional level of security, Software Restriction Policies, when Windows Installer calls the SaferIdentifyLevel function.

When Windows Installer calls the SaferIdentifyLevel function together with the SAFER_CRITERIA_IMAGEHASH flag, the whole package is loaded into memory on the computer. The computer must have sufficient contiguous memory for the package size. If the computer has insufficient contiguous memory, an error occurs. Because an error occurs, Windows Installer cannot verify that the package is correctly signed. Therefore, you receive the error message that is mentioned in the "Symptoms" section.

The following log data shows the sequence of events when this problem occurs:

MSI (s) (BA:AD) [12:00:00:000]: SOFTWARE RESTRICTION POLICY: Verifying object --> 'D:\WINDOWS\Installer\50baad.msp' against software restriction policy
MSI (s) (BA:AD) [12:00:00:000]: SOFTWARE RESTRICTION POLICY: D:\WINDOWS\Installer\50baad.msp has a digital signature
MSI (s) (BA:AD) [12:00:00:000]: SOFTWARE RESTRICTION POLICY: SaferIdentifyLevel reported failure. Assuming untrusted. . . (GetLastError returned 5)
MSI (s) (BA:AD) [12:00:00:000]: The installation of D:\WINDOWS\Installer\50baad.msp is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003 or in Windows XP: "Error 1718. File was rejected by digital signature policy" (925336)

SYMPTOMS

CAUSE

WORKAROUND

MORE INFORMATION