Update 17/09:
You can whitelist existing MSIs. Not tested yet; will test and deploy as a dependency for the update.
https://send.estate/s?e=8d19fef3f12531a
After further discussion with our product team, they provided us a new workaround: you can add the existing applications to a whitelist. Here are the details:
Whitelisting: If you trust that the application is always digitally signed and does not contain any malicious payload, add it to the whitelist.
There are two REG keys needed for whitelisting:
1) Need Whitelisting: Under the key "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer", create a DWORD "SecureRepairPolicy" and set its value to 2.
We (Microsoft) wrote a script to add the whitelist for customers automatically. Please download the attachment from https://send.estate/s?e=8d19fef3f12531a and rename it as .vbs. Double-clicking it will add all of the installed MSI applications to the whitelist.
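For admins who would rather not run an unsigned script from a file-sharing link, here is an added PowerShell equivalent (my own example, not Microsoft's VBS and not tested against it): it sets SecureRepairPolicy to 2 as described above and then whitelists only those per-machine products whose cached MSI carries a valid Authenticode signature, which is the trust criterion the workaround text gives. The whitelist subkey name SecureRepairWhitelist and the convention of one REG_SZ value per product code are taken from the KB article for this update, not from this post, so check them against the KB before deploying; run it elevated.

```powershell
# Added example: KB2918614 secure-repair whitelist for signed, per-machine MSI products.
# ASSUMPTION: the "SecureRepairWhitelist" subkey (one REG_SZ value named per product code)
# is from the KB article for this update, not from this post. Verify before deploying.
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$whitelistKey = Join-Path $policyKey 'SecureRepairWhitelist'
$productsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'

# The Products subkeys are stored in Windows Installer's "squished" GUID form:
# first three groups reversed whole, last two groups reversed byte-pair by byte-pair.
function ConvertFrom-SquishedGuid {
    param([string]$Squished)
    $rev = { param($s) $c = $s.ToCharArray(); [array]::Reverse($c); -join $c }
    $p1 = & $rev $Squished.Substring(0, 8)
    $p2 = & $rev $Squished.Substring(8, 4)
    $p3 = & $rev $Squished.Substring(12, 4)
    $p4 = -join (0..1 | ForEach-Object { & $rev $Squished.Substring(16 + 2 * $_, 2) })
    $p5 = -join (0..5 | ForEach-Object { & $rev $Squished.Substring(20 + 2 * $_, 2) })
    "{$p1-$p2-$p3-$p4-$p5}"
}

# 1) SecureRepairPolicy = 2 puts the update into whitelist mode (the value from the post).
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'SecureRepairPolicy' -Value 2 -Type DWord
New-Item -Path $whitelistKey -Force | Out-Null

# 2) Walk the per-machine product cache; whitelist a product only if its cached MSI
#    (LocalPackage, the file a repair is sourced from) has a valid Authenticode signature.
Get-ChildItem -Path $productsKey | ForEach-Object {
    $props = Get-ItemProperty -Path (Join-Path $_.PSPath 'InstallProperties') -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.LocalPackage) { return }   # nothing cached, nothing to repair from
    $code = ConvertFrom-SquishedGuid $_.PSChildName
    $sig  = Get-AuthenticodeSignature -FilePath $props.LocalPackage -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -eq 'Valid') {
        New-ItemProperty -Path $whitelistKey -Name $code -Value '' -PropertyType String -Force | Out-Null
        Write-Output "whitelisted $code ($($props.DisplayName))"
    } else {
        Write-Warning "skipped $code ($($props.DisplayName)): cached MSI is not validly signed"
    }
}
```

Per-user installs live under other SIDs than S-1-5-18 and are not covered; unsigned products are deliberately left to prompt, so expect warnings for in-house packages unless you sign them or add them by hand.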
Update on KB2918614.
Microsoft:
This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workaround if you have problems with repairing application:
==================================================
1. Uninstall the application and reinstall it with the security update installed (the sourcehash file is generated with the security update).
2. Manually copy the sourcehash file to the c:\windows\installer folder. As the sourcehash file is generated based on the application files, the sourcehash file generated on computer A can be used on computer B.
Another Workaround:
Not sure of the consequences fully yet – Remove
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\{guid}\InstallProperties\LocalPackage
This then uses the Windows Installer source list for the MSI repair without prompting, and generates a fresh sourcehash for you.
Uninstall Commands (via SCCM Package):
Windows 7 x64 Uninstall: c:\windows\sysnative\cmd.exe /c dism.exe /online /remove-package /PackageName:"Package_for_KB2918614~31bf3856ad364e35~amd64~~6.1.1.4" /quiet /norestart
Windows 8 x64 Uninstall: c:\windows\sysnative\cmd.exe /c dism.exe /online /remove-package /PackageName:"Package_for_KB2918614~31bf3856ad364e35~amd64~~6.3.1.4" /quiet /norestart
Windows 2008 R2 x64 Uninstall: c:\windows\sysnative\cmd.exe /c dism.exe /online /remove-package /PackageName:"Package_for_KB2918614~31bf3856ad364e35~amd64~~6.1.1.4" /quiet /norestart
Sysnative is required otherwise you get error 11.
Windows 7 x86 Uninstall: cmd.exe /c dism.exe /online /remove-package /PackageName:"Package_for_KB2918614~31bf3856ad364e35~x86~~6.1.1.4" /quiet /norestart
The workarounds aren't that easy when you have over 1000 apps; the update would be OK in your base image.
Thanks to Jörgen Nilsson for discovering this via http://ccmexec.com/2014/09/kb2918614-windows-installer-triggers-uac/