If you’re using AppLocker in your Windows 7 environment as I’m, you sometimes maybe want to verify that AppLocker is not the culprit. Today I ran into a problem where a custom MSI package would’nt install and exited with error code 1625. The error was:

The installation of <MSI-file> is not permitted due to an error in software restriction policy processing. The object cannot be trusted."

My instinct lead me to believe that there were some AppLocker policy blocking the installation. Here’s an easy PowerShell command to test just that.

Open up a PowerShell prompt as the user you want to verify AppLocker rules for, you could shift + right-click on the PowerShell icon in order to Run as another user.

Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path 'C:\Windows\ccmcache\t\file.msi' | fl

The output should look something like:

FilePath : C:\Windows\ccmcache\t\file.msi
PolicyDecision : Allowed
MatchingRule : C:\Windows\ccmcache\*

In this case the problem was clearly not an AppLocker policy, since the PolicyDecision shows Allowed. The problem was when I choose Install for user in the Deployment properties, the logged on user didn’t have read rights on C:\Windows\ccmcache and recursive folders. In order to change that, I ran the following command.

icacls C:\Windows\ccmcache /grant "Users":(OI)(CI)R /inheritance:r

The MSI installation for the user now completed without any problems.

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.


There are no comments.

Leave a Reply