Windows 11 • Release: 6 Benchmark Date: 05 Jan 2026
CAT I V-253411 WN11-CC-000315
The Windows Installer feature "Always install with elevated privileges" must be disabled.
Discussion
Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.
Check Procedure
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value Type: REG_DWORD Value: 0
Fix Action
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".