Unable to Install ClickOnce Application due to Security Settings (Windows 10)

Question

When attempting to install a Microsoft-signed ClickOnce application, an error appears stating "Your administrator has blocked this application because it potentially poses a security risk to your computer" and "Your security settings do not allow this application to be installed on your computer".

As the administrator who would have set said policies, I cannot for the life of me figure out why this is being blocked for just one user and not other users whose PCs are based off the same image and why it works for other users who should be enjoying the same privileges as the user who is receiving the following message. Note that the exact same domain group policies are applied to this user that is experiencing the error and to users who are not receiving the error.

Imgur

Even attempting to run the application "as an administrator" does not solve the issue. The event logs show no errors, and I cannot otherwise find any logs to help diagnose the issue.

What local policies or settings would allow or deny this application?

It requires Internet or Intranet Zone (Full Trust for CD-ROM installation) according to https://msdn.microsoft.com/en-us/library/142dbbz4(v=vs.90).aspx — , Sep 21 '17 at 19:43
This warning happening on a single user's machine or are multiple user's across multiple machines, having this problem? — Ramhound, Sep 21 '17 at 22:12
I noted, though possibly not quite clearly, in the original question that it was being blocked for 'just one user'. — Beems, Sep 22 '17 at 18:49
This seems like a big problem (34,438 views). How can I stop this from happening on another person's computer if I'm a developer? This problem arose from making programs in Visual Studio and trying to run the Setup.exe for my program. — Daniel, Jul 31 '18 at 12:43
@Daniel If your application doesn't require escalation, you can try to set the registry value under HKCU instead: HKCU\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\Internet to Enabled (Full disclosure: I've not tested this). Otherwise, if that does not work, you can try to include an escalatable process that will set it under HKLM — Beems, Aug 01 '18 at 13:19

Thomas Sturzenegger · Accepted Answer · 2020-01-07T07:58:17.330

155

This is caused by the "ClickOnce Trust Prompt Behavior": https://msdn.microsoft.com/en-us/library/ee308453.aspx

To adjust this, simply change the values in the Registry and you should be able to install the application.

To enable the ClickOnce trust prompt by using the registry editor Open the registry editor:

Click Start, and then click Run.

In the Open box, type regedit, and then click OK.

Find the following registry key:

\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel

If the key does not exist, create it.

Add the following subkeys as String Value, if they do not already exist, with the associated values shown in the following table.

On my computer, the values were set to "Disabled" and I have no clue which application did that. I changed the values to default and now everything works again like it should.

Or you can just delete the key "TrustManager" itself and everything is working as well.

edited Jan 07 '20 at 07:58

answered Sep 22 '17 at 12:00

Thomas Sturzenegger

1,666
1
9
4

19

Thanks, this was indeed the problem. I changed "HKLM\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\Internet" to Enabled and it works as-intended now. – Beems Sep 22 '17 at 19:15
3

I would like to mention that default option is "Enabled" for all but Untrusted sites. – Hooch Nov 06 '17 at 08:03
3

In my case i need to change \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevelto Enabled – MaciejLisCK Jan 06 '18 at 01:36
3

There are different entries for different zones, such as Internet, LocalIntranet, MyComputer, TrustedSites, UntrustedSites. Pick the one that fits your scenario and change its value to Enabled. – smwikipedia Aug 01 '18 at 02:14
8

how they hell is a normal user supposed to do this? ok well I mean if someone isn't stupid they can google and find this answer and do it.. but you know what I mean, what a pain in the ass. If windows wasn't the best OS for productivity I wouldn't put up with this crap (and the auto-updating forced reboot) – Mikey Apr 03 '19 at 09:54
Had to dig out the old notes, but to get the "Enabled" to apply without restarting or logout, run this from Admin CMD: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 – semtex41 May 30 '21 at 21:58
After making these registry additions, closing and reopening Edge v93, setup.exe is still being sequestered by the browser, not launched. – Tim Sep 14 '21 at 16:27

Aleksandar Pavić · Answer 2 · 2020-04-24T20:11:47.413

Here is a powershell script that will update the values:

Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'Internet' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'LocalIntranet' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'MyComputer' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'TrustedSites' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'UntrustedSites' -value 'Disabled'

It's enough just to copy/paste above code, at "elevated" powershell, (right click run as administrator).

And if you get some errors, it's probably because path does not exist, then run this commands

New-Item "HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel" -force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'Internet' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'LocalIntranet' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'MyComputer' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'TrustedSites' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'UntrustedSites' -value 'Disabled'

I can confirm this works. Used only first part (1909 versioin of WIN10 PRO) — Comodore, Feb 03 '20 at 22:10
It works and helps in Windows PowerShell, do not confuse it with cmd.exe (select command prompt), they are different. — Yevgeniy Afanasyev, Feb 15 '20 at 02:10
It is important to run Windows PowerShell as Administrator. — Yevgeniy Afanasyev, Feb 15 '20 at 02:11
I wouldn't set the value to Enabled for UntrustedSites. As stated in the other answer, the default setting is Enabled for all except for UntrustedSites. — brz, Apr 24 '20 at 12:43
@breez Agreed, I didn't observer it, will update my answer! However what happens if someone doesn't have proper SSL? — Aleksandar Pavić, Apr 24 '20 at 20:10

Unable to Install ClickOnce Application due to Security Settings (Windows 10)

2 Answers2

Linked