In this blog post, I would like to talk about running Lync 2013 Web App in Windows Terminal Server environments. The Lync 2013 Web App feature has a client-side plug-in which provides audio/video/application sharing functionality, and this plug-in is installed per user; in other words, the installation program installs files and creates registry settings in user-specific areas of the system. Most terminal server environments are locked down in production networks, and users are generally not allowed to install software.
I recently dealt with a couple of cases where it was required to find a solution to this problem. One possible solution is to create exceptions in your software restriction product (either a third-party product or a Microsoft solution: Software Restriction Policies or AppLocker). You will find steps below to create such exceptions in Software Restriction Policies and AppLocker:
Software Restriction policies (That could be applied if the Terminal server is Windows 2003 and later)
Note: We don't support Lync Web App on Windows 2003; it's supported on Windows 2008 or later. Please see the link below for more details:
Lync Web App Supported Platforms: http://technet.microsoft.com/en-us/library/gg425820.aspx
a) First of all, the Lync Web App plug-in file (LWAPlugin64BitInstaller32.msi) includes a number of executables, each of which needs to be defined within the Software Restriction Policies rules. You can extract the MSI file itself with 7zip or a similar tool. Once the MSI file is extracted, we have the following executables:
b) So we need to create 5 additional rules (1 MSI rule and 4 executable file rules) in Software Restriction Policies, in addition to your existing Software Restriction Policies rules, as given below:
Note: It's best to create file hash rules for the MSI file itself and the other 4 executables that are extracted from the MSI file.
So if Software Restriction Policies is already deployed on your network, an exception can be created for the Lync Web App plug-in so that users still comply with the application installation/execution policies.
Applocker: (That could be applied if the Terminal server is Windows 2008 R2 or later)
a) As mentioned in the previous scenario, the Lync Web App plug-in file (LWAPlugin64BitInstaller32.msi) includes a number of executables, each of which needs to be defined within the AppLocker rules. You can extract the MSI file itself with 7zip or a similar tool. Once the MSI file is extracted, we have the following executables:
b) So we need to create 1 MSI rule and 4 executable file rules in AppLocker as given below:
So if AppLocker is deployed on your network, an exception can be created for the Lync Web App plug-in so that users still comply with the application installation/execution policies.
The only drawback of file hash rules is that once the Lync Server web components are updated with a cumulative update on the Lync server side, you'll have to create those file hash rules again (because the content of the MSI file that is shared from the FE server will probably be different, and hence the file hash will change). Considering that the web components are not frequently updated, this may need to be done 2 or 3 times in a year. Alternatively, a file path rule or publisher rule could be created instead of a file hash rule to avoid such maintenance. Because the plug-in installs into user-specific (user-writable) locations, a path rule there also permits any other file a user places in that path, so a publisher rule is the safer of the two.
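One way to script the AppLocker hash rules from step b) and to notice when a cumulative update has changed the files, using the built-in AppLocker cmdlets. This is an added example, not part of the original post; the staging paths and the rule-name prefix are assumptions.

```powershell
# Added example. The staging paths and rule-name prefix are assumptions.
# Needs the AppLocker module (Windows Server 2008 R2 or later) and,
# for Get-FileHash, PowerShell 4.0 or later.
Import-Module AppLocker

$PluginDir = 'C:\Staging\LWAPlugin'   # the MSI plus the executables extracted from it
$PolicyXml = 'C:\Staging\LWAPlugin-AppLocker.xml'
$Baseline  = 'C:\Staging\LWAPlugin-hashes.csv'

# 1. Drift check: compare today's files with the set the current rules were
#    built from. The flat SHA256 here is only a change detector; AppLocker
#    computes its own hash for the rules in step 2.
$current = Get-ChildItem -Path $PluginDir -Recurse -Include *.exe, *.msi |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash
if (-not $current) { throw "No .exe or .msi files found under $PluginDir" }

if (Test-Path $Baseline) {
    $changed = Compare-Object (Import-Csv $Baseline) $current -Property Path, Hash |
        Where-Object { $_.SideIndicator -eq '=>' }
    if ($changed) {
        Write-Warning 'Plug-in files changed; the deployed hash rules no longer match:'
        $changed | ForEach-Object { Write-Warning "  $($_.Path)" }
    }
}

# 2. Build one allow-by-hash rule per file (1 MSI rule + the executable rules).
$files = Get-AppLockerFileInformation -Directory $PluginDir -Recurse -FileType Exe, WindowsInstaller
$files | New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'LyncWebAppPlugin' -Xml |
    Out-File -FilePath $PolicyXml

# 3. Verify the generated policy really allows every file before deploying it.
$paths  = $files | ForEach-Object { $_.Path }
$result = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $paths -User Everyone
$result | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
if ($result | Where-Object { $_.PolicyDecision -ne 'Allowed' }) {
    throw 'At least one plug-in file is not allowed by the generated policy.'
}

# 4. Record the hashes these rules were built from for the next drift check.
$current | Export-Csv -Path $Baseline -NoTypeInformation
```

Review the generated XML, then import it into the AppLocker node of the relevant GPO or merge it with `Set-AppLockerPolicy -XmlPolicy <file> -Merge`.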
Hope this helps
Hi there, I have configured all the Software Restriction Policies and AppLocker policies; however, my users still receive the error message "the system administrator has set policies to prevent this installation"
Hi, I am in exactly the same situation as the above person. I have created the hash rule and tried it with the Unrestricted security level; it still says 'The System administrator has set policies to prevent this installation'.
Next I tried with security level 'Basic User' and still get the same message.
Any thoughts on how I can get this sorted?
Thank you for the feedback. Actually, the steps were taken from my lab repro, and it was working fine there; I tested it a number of times. Having said that, I would suggest focusing on AppLocker troubleshooting, but I'm not an expert in this area, unfortunately.
How will the Lync URL interact with the plug-in? I need that URL. How do I get it from another application?
I am having the same results as the first two users on here. I have turned off all policy inheritance and have just the policy with the hash rules on the (4) executables and (1) msi file. Same error message that the administrator has set policies to restrict......
blah, blah, blah....
I think you have to allow your users generally to install MSI packages on your machines and manage the installation restrictions via AppLocker (define the standard installation rules for Administrators and Local System, and the Lync plug-in MSI for Everyone).
Windows Server disables the per-user installation of an .msi by default.
The solution is:
Add a registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" with the entry "DisableMSI" with the value 0. (https://msdn.microsoft.com/en-us/library/aa368304.aspx?f=255&MSPPError=-2147217396).
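A diagnostic for the error reported in the comments above, showing whether the block came from the Windows Installer DisableMSI policy or from an AppLocker rule. This is an added example, not written by any of the commenters or the post's author; the 24-hour window is an assumption, and the event IDs are the standard MsiInstaller and AppLocker block events.

```powershell
# Added example; run elevated on the terminal server after reproducing the error.
$key   = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
$names = @{ 0 = 'Windows Installer enabled for all applications'
            1 = 'disabled for non-managed applications'
            2 = 'always disabled' }

# 1. Current DisableMSI policy value (absent means the OS default applies).
$value = (Get-ItemProperty -Path $key -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
if ($null -eq $value) { Write-Output 'DisableMSI: not set (operating system default applies)' }
else { Write-Output "DisableMSI: $value ($($names[[int]$value]))" }

# 2. Which component logged the block?
#    MsiInstaller 1625 = installation forbidden by system policy
#    AppLocker 8007    = MSI or script prevented from running
#    AppLocker 8004    = EXE or DLL prevented from running
$since   = (Get-Date).AddHours(-24)   # assumption: the error was reproduced within a day
$queries = @(
    @{ Source = 'Windows Installer policy'
       Filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1625; StartTime = $since } },
    @{ Source = 'AppLocker MSI rule'
       Filter = @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007; StartTime = $since } },
    @{ Source = 'AppLocker EXE rule'
       Filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004; StartTime = $since } }
)
foreach ($q in $queries) {
    # Get-WinEvent raises an error when nothing matches, so suppress it and count.
    $events = @(Get-WinEvent -FilterHashtable $q.Filter -ErrorAction SilentlyContinue)
    Write-Output ('{0}: {1} block event(s)' -f $q.Source, $events.Count)
    $events | Select-Object -First 3 TimeCreated, Id, Message | Format-List
}
```

Only 1625 events point to the Windows Installer policy, which hash rules do not affect; 8007 or 8004 events name the file that still lacks a matching AppLocker rule.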