Unable to Install ClickOnce Application due to Security Settings (Windows 10)

79

45

When attempting to install a Microsoft-signed ClickOnce application, an error appears stating "Your administrator has blocked this application because it potentially poses a security risk to your computer" and "Your security settings do not allow this application to be installed on your computer".

As the administrator who would have set said policies, I cannot for the life of me figure out why this is being blocked for just one user and not other users whose PCs are based off the same image and why it works for other users who should be enjoying the same privileges as the user who is receiving the following message. Note that the exact same domain group policies are applied to this user that is experiencing the error and to users who are not receiving the error.


Even attempting to run the application "as an administrator" does not solve the issue. The event logs show no errors, and I cannot otherwise find any logs to help diagnose the issue.

What local policies or settings would allow or deny this application?

Beems

Posted 2017-09-21T19:39:36.013

Reputation: 1 067

It requires Internet or Intranet Zone (Full Trust for CD-ROM installation) according to https://msdn.microsoft.com/en-us/library/142dbbz4(v=vs.90).aspx

– None – 2017-09-21T19:43:03.210

Is this warning happening on a single user's machine, or are multiple users across multiple machines having this problem? – Ramhound – 2017-09-21T22:12:22.987

I noted, though possibly not quite clearly, in the original question that it was being blocked for 'just one user'. – Beems – 2017-09-22T18:49:32.607

This seems like a big problem (34,438 views). How can I stop this from happening on another person's computer if I'm a developer? This problem arose from making programs in Visual Studio and trying to run the Setup.exe for my program. – Daniel – 2018-07-31T12:43:34.223

@Daniel If your application doesn't require escalation, you can try to set the registry value under HKCU instead: HKCU\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\Internet to Enabled (Full disclosure: I've not tested this). Otherwise, if that does not work, you can try to include an escalatable process that will set it under HKLM – Beems – 2018-08-01T13:19:38.653

Answers

108

This is caused by the "ClickOnce Trust Prompt Behavior": https://msdn.microsoft.com/en-us/library/ee308453.aspx

To adjust this, simply change the values in the Registry and you should be able to install the application.

To enable the ClickOnce trust prompt by using the registry editor:

Open the registry editor:

Click Start, and then click Run.

In the Open box, type regedit, and then click OK.

Find the following registry key:

\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel

If the key does not exist, create it.

Add the following subkeys as String Value, if they do not already exist, with the associated values shown in the following table.

Table Image

On my computer, the values were set to "Disabled" and I have no clue which application did that. I changed the values to default and now everything works again like it should.

Or you can just delete the key "TrustManager" itself and everything is working as well.


Thomas Sturzenegger

Posted 2017-09-21T19:39:36.013

Reputation: 1 196

Thanks, this was indeed the problem. I changed "HKLM\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\Internet" to Enabled and it works as intended now. – Beems – 2017-09-22T19:15:58.670

I would like to mention that the default option is "Enabled" for all but Untrusted sites. – Hooch – 2017-11-06T08:03:47.423

In my case I need to change \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel to Enabled – MaciejLisCK – 2018-01-06T01:36:05.157

There are different entries for different zones, such as Internet, LocalIntranet, MyComputer, TrustedSites, UntrustedSites. Pick the one that fits your scenario and change its value to Enabled. – smwikipedia – 2018-08-01T02:14:37.203

How the hell is a normal user supposed to do this? OK, well, I mean if someone isn't stupid they can google and find this answer and do it... but you know what I mean, what a pain in the ass. If Windows wasn't the best OS for productivity I wouldn't put up with this crap (and the auto-updating forced reboot) – Mikey – 2019-04-03T09:54:01.613

4

Here is a PowerShell script that will update the values:

Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'Internet' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'LocalIntranet' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'MyComputer' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'TrustedSites' -value 'Enabled'
Set-Itemproperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'UntrustedSites' -value 'Enabled'

It's enough just to copy/paste the above code into an "elevated" PowerShell (right click, run as administrator).

And if you get some errors, it's probably because the path does not exist; then run these commands:

New-Item "HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel" -force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'Internet' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'LocalIntranet' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'MyComputer' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'TrustedSites' -value 'Enabled'
New-ItemProperty -path 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel' -Name 'UntrustedSites' -value 'Enabled'

Aleksandar Pavić

Posted 2017-09-21T19:39:36.013

Reputation: 319

I can confirm this works. Used only first part (1909 version of WIN10 PRO) – Comodore – 2020-02-03T22:10:20.883

It works and helps in Windows PowerShell, do not confuse it with cmd.exe (select command prompt), they are different. – Yevgeniy Afanasyev – 2020-02-15T02:10:28.937

It is important to run Windows PowerShell as Administrator. – Yevgeniy Afanasyev – 2020-02-15T02:11:01.393
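
A read-only audit of the values these answers change, added here as an example and not taken from the original posts: it lists each zone's PromptingLevel under HKLM and HKCU and compares it with the defaults described above (Enabled for every zone except UntrustedSites). The function name, the status labels and the check of HKCU (the untested location suggested in the comments) are assumptions of this example.

```powershell
# Added example (not from the original answers): read-only audit of the
# ClickOnce trust prompt values. Run in Windows PowerShell.
# Defaults as described on this page: Enabled for every zone except UntrustedSites.
$defaults = [ordered]@{
    MyComputer     = 'Enabled'
    LocalIntranet  = 'Enabled'
    TrustedSites   = 'Enabled'
    Internet       = 'Enabled'
    UntrustedSites = 'Disabled'
}
# Documented values, ordered from most to least restrictive.
$rank = @{ Disabled = 0; AuthenticodeRequired = 1; Enabled = 2 }
# HKLM is the key from the answers; HKCU is the untested per-user location
# suggested in the comments, checked here only to spot per-user differences.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel',
    'HKCU:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
)

function Get-ClickOncePromptAudit {
    foreach ($path in $paths) {
        # A missing key is not an error here: every zone is reported as NotSet.
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($zone in $defaults.Keys) {
            $value = if ($key) { $key.GetValue($zone) } else { $null }
            if ($null -eq $value) {
                $status = 'NotSet'
            } elseif (-not $rank.ContainsKey([string]$value)) {
                $status = 'UnrecognizedValue'      # e.g. a typo or a non-string value
            } elseif ($rank[$value] -lt $rank[$defaults[$zone]]) {
                $status = 'StricterThanDefault'    # the case reported in the question
            } elseif ($rank[$value] -gt $rank[$defaults[$zone]]) {
                $status = 'LooserThanDefault'      # e.g. UntrustedSites = Enabled
            } else {
                $status = 'Default'
            }
            [pscustomobject]@{
                Path = $path; Zone = $zone; Value = $value; Status = $status
            }
        }
    }
}

Get-ClickOncePromptAudit | Format-Table Zone, Value, Status, Path -AutoSize
```

Running it on the affected PC and on a working one built from the same image shows which zone differs, so only that value needs to change instead of setting every zone, UntrustedSites included, to Enabled.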