SCCM 2007 R2 Client Installation Issue
I have a one-way trust with two separate domains. I also have WINS on each of the DNS and I am able to ping back and forth using NetBIOS. My issue is, I have 352 clients, but only 72 of them are now assigned. When I try to do a manual install from the SCCM console it fails. The files from the CLIENT folder are all copied to the PC, but the msi fails. If I do the install manually from the PC I have to create an i386 folder and copy the wimgapi.msi file to it and the install works fine. I am using the same account for the client push installation and the local logon install so it isn't an issue with user privileges. I can access the client\admin$ from the SCCM server. Here are some log excerpts:
Client ccmsetup.log -
Updated security on object C:\WINDOWS\system32\ccmsetup\. ccmsetup 8/2/2012 3:18:48 AM 652 (0x028C)
Sending Fallback Status Point message, STATEID='100'. ccmsetup 8/2/2012 3:18:48 AM 652 (0x028C)
Request failed: 404 Not Found FSPStateMessage 8/2/2012 3:18:48 AM 652 (0x028C)
Running as user "SYSTEM" ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
Detected 66211 MB free disk space on system drive. ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
DetectWindowsEmbeddedFBWF() Detecting OS Version ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
Client OS Version is 5.1, Service Pack Version 3 ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
Client OS is not a supported Windows Embedded Platform ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
Ccmsetup is being restarted due to an administrative action. Installation files will be reset and downloaded again. ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
Deleted file C:\WINDOWS\system32\ccmsetup\client.msi ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
Successfully ran BITS check. ccmsetup 8/2/2012 3:18:48 AM 1688 (0x0698)
IsFileMicrosoftTrusted Verified file 'C:\WINDOWS\system32\ccmsetup\ccmsetup.cab' is MS signed. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Successfully extracted manifest file C:\WINDOWS\system32\ccmsetup\ccmsetup.xml from file C:\WINDOWS\system32\ccmsetup\ccmsetup.cab. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Loading manifest file: C:\WINDOWS\system32\ccmsetup\ccmsetup.xml ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Successfully loaded ccmsetup manifest file. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Couldn't get directory list for directory 'http://SRV-SCCM.SERVICES.GOV/CCM_Client/ClientPatch'. This directory may not exist. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Adding file 'http://SRV-SCCM.SERVICES.GOV:80/CCM_Client/i386/wimgapi.msi' to BITS job, saving as 'C:\WINDOWS\system32\ccmsetup\wimgapi.msi'. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Adding file 'http://SRV-SCCM.SERVICES.GOV:80/CCM_Client/i386/client.msi' to BITS job, saving as 'C:\WINDOWS\system32\ccmsetup\client.msi'. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Couldn't get directory list for directory 'http://SRV-SCCM.SERVICES.GOV/CCM_Client/i386/00000409'. This directory may not exist. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Starting BITS download for client deployment files. ccmsetup 8/2/2012 3:19:19 AM 1688 (0x0698)
Download Update: Connecting to the server. ccmsetup 8/2/2012 3:19:20 AM 1688 (0x0698)
Successfully completed BITS download for client deployment files. ccmsetup 8/2/2012 3:21:53 AM 1688 (0x0698)
Successfully downloaded client files via BITS. ccmsetup 8/2/2012 3:21:53 AM 1688 (0x0698)
Updated security on object C:\WINDOWS\system32\ccmsetup\. ccmsetup 8/2/2012 3:21:53 AM 1688 (0x0698)
Couldn't verify 'C:\WINDOWS\system32\ccmsetup\wimgapi.msi' authenticode signature without revocation ccmsetup 8/2/2012 3:22:23 AM 1688 (0x0698)
SSL Registry key Software\Microsoft\CCM not found, assuming Client SSL is disabled. ccmsetup 8/2/2012 3:22:23 AM 1688 (0x0698)
Certificate doesn't have EKU, meaning good for all usages. ccmsetup 8/2/2012 3:22:23 AM 1688 (0x0698)
IsMSSignedByFileHash Verified file 'C:\WINDOWS\system32\ccmsetup\wimgapi.msi' is MS signed. ccmsetup 8/2/2012 3:22:23 AM 1688 (0x0698)
Running installation package Package: C:\WINDOWS\system32\ccmsetup\wimgapi.msi Log: C:\WINDOWS\system32\ccmsetup\wimgapi.msi.log Properties: REBOOT=Suppress ALLUSERS=1 ccmsetup 8/2/2012 3:22:23 AM 1688 (0x0698)
Installation failed with error code 1625 ccmsetup 8/2/2012 3:22:23 AM 1688 (0x0698)
Sending Fallback Status Point message, STATEID='311'. ccmsetup 8/2/2012 3:22:23 AM 1688 (0x0698)
Request failed: 404 Not Found FSPStateMessage 8/2/2012 3:22:23 AM 1688 (0x0698)
Client wimgapi.msi.log -
MSI (c) (AC:20) [03:22:23:638]: Resetting cached policy values
MSI (c) (AC:20) [03:22:23:638]: Machine policy value 'Debug' is 0
MSI (c) (AC:20) [03:22:23:638]: ******* RunEngine: ******* Product: C:\WINDOWS\system32\ccmsetup\wimgapi.msi ******* Action: ******* CommandLine: **********
MSI (c) (AC:20) [03:22:23:638]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (AC:20) [03:22:23:638]: Grabbed execution mutex.
MSI (c) (AC:20) [03:22:23:684]: Cloaking enabled.
MSI (c) (AC:20) [03:22:23:684]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (AC:20) [03:22:23:700]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (F8:54) [03:22:23:716]: Grabbed execution mutex.
MSI (s) (F8:C8) [03:22:23:716]: Resetting cached policy values
MSI (s) (F8:C8) [03:22:23:716]: Machine policy value 'Debug' is 0
MSI (s) (F8:C8) [03:22:23:716]: ******* RunEngine: ******* Product: C:\WINDOWS\system32\ccmsetup\wimgapi.msi ******* Action: ******* CommandLine: **********
MSI (s) (F8:C8) [03:22:23:716]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (F8:C8) [03:22:23:731]: File will have security applied from OpCode.
MSI (s) (F8:C8) [03:22:23:731]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\WINDOWS\system32\ccmsetup\wimgapi.msi' against software restriction policy
MSI (s) (F8:C8) [03:22:23:731]: SOFTWARE RESTRICTION POLICY: C:\WINDOWS\system32\ccmsetup\wimgapi.msi has a digital signature
MSI (s) (F8:C8) [03:22:23:747]: SOFTWARE RESTRICTION POLICY: C:\WINDOWS\system32\ccmsetup\wimgapi.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (F8:C8) [03:22:23:747]: End dialog not enabled
MSI (s) (F8:C8) [03:22:23:747]: Original package ==> C:\WINDOWS\system32\ccmsetup\wimgapi.msi
MSI (s) (F8:C8) [03:22:23:747]: Package we're running from ==> C:\WINDOWS\Installer\1c69a2c.msi
MSI (s) (F8:C8) [03:22:23:747]: APPCOMPAT: looking for appcompat database entry with ProductCode '{721ABC3B-5F12-4332-9C0C-C11424EF666C}'.
MSI (s) (F8:C8) [03:22:23:747]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F8:C8) [03:22:23:747]: MSCOREE not loaded loading copy from system32
MSI (s) (F8:C8) [03:22:23:747]: Machine policy value 'TransformsSecure' is 0
MSI (s) (F8:C8) [03:22:23:747]: User policy value 'TransformsAtSource' is 0
MSI (s) (F8:C8) [03:22:23:747]: Machine policy value 'DisablePatch' is 0
MSI (s) (F8:C8) [03:22:23:747]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (F8:C8) [03:22:23:747]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (F8:C8) [03:22:23:747]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (F8:C8) [03:22:23:747]: APPCOMPAT: looking for appcompat database entry with ProductCode '{721ABC3B-5F12-4332-9C0C-C11424EF666C}'.
MSI (s) (F8:C8) [03:22:23:747]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F8:C8) [03:22:23:747]: Transforms are not secure.
MSI (s) (F8:C8) [03:22:23:747]: Note: 1: 2205 2: 3: Control
MSI (s) (F8:C8) [03:22:23:747]: Command Line: REBOOT=Suppress ALLUSERS=1 CURRENTDIRECTORY=C:\WINDOWS\system32 CLIENTUILEVEL=3 CLIENTPROCESSID=1964
MSI (s) (F8:C8) [03:22:23:747]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2DFC4520-E3CA-41C7-9217-032E026B3AC2}'.
MSI (s) (F8:C8) [03:22:23:747]: Product Code passed to Engine.Initialize: ''
MSI (s) (F8:C8) [03:22:23:747]: Product Code from property table before transforms: '{721ABC3B-5F12-4332-9C0C-C11424EF666C}'
MSI (s) (F8:C8) [03:22:23:747]: Product Code from property table after transforms: '{721ABC3B-5F12-4332-9C0C-C11424EF666C}'
MSI (s) (F8:C8) [03:22:23:747]: Product not registered: beginning first-time install
MSI (s) (F8:C8) [03:22:23:747]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (F8:C8) [03:22:23:747]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (F8:C8) [03:22:23:747]: Policy value 'SearchOrder' is ''
MSI (s) (F8:C8) [03:22:23:747]: Warning: rejected invalid source type for source 'C:\WINDOWS\system32\ccmsetup\' (product: {721ABC3B-5F12-4332-9C0C-C11424EF666C})
MSI (s) (F8:C8) [03:22:23:747]: Note: 1: 1708
MSI (s) (F8:C8) [03:22:23:747]: Note: 1: 2729
MSI (s) (F8:C8) [03:22:23:747]: Note: 1: 2729
MSI (s) (F8:C8) [03:22:23:747]: Product: WIMGAPI -- Installation failed.
MSI (s) (F8:C8) [03:22:23:747]: MainEngineThread is returning 1625
This installation is forbidden by system policy. Contact your system administrator.
C:\WINDOWS\system32\ccmsetup\wimgapi.msi
MSI (c) (AC:20) [03:22:23:747]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (AC:20) [03:22:23:747]: MainEngineThread is returning 1625
=== Verbose logging stopped: 8/2/2012 3:22:23 ===
I know that the 1625 error indicates a group policy restriction, but I have eliminated each GPO, run GPupdate /force and even rebooted (not necessary, but I was getting frustrated). I am researching each of the local security policies but I am running out of ideas. Each PC is XP w/ SP3. Some work but most do not.
August 2nd, 2012 1:06pm

Actually, 1625 means "This installation is forbidden by system policy." That does not mean it is a group policy -- although that could be the source, it doesn't have to be. Have you seen this thread: http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/6d62ca65-d555-4589-a3a0-4ff5d2100eb8
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
August 2nd, 2012 2:23pm

Yes, I have looked there but there is no DisableMSI string in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer. The only values in that container are: (Default) with no value and EnableAdminTSRemote REG_DWORD with a 1 value.
August 2nd, 2012 2:58pm

I have noticed this difference in the logs of successful installs -
MSI (s) (9C:24) [08:30:29:704]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (9C:24) [08:30:29:704]: Adding new sources is allowed.
MSI (s) (9C:24) [08:30:29:704]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (9C:24) [08:30:29:704]: Package name extracted from package path: 'wimgapi.msi'
MSI (s) (9C:24) [08:30:29:704]: Package to be registered: 'wimgapi.msi'
unsuccessful has this -
MSI (s) (B0:F0) [16:01:52:803]: Policy value 'SearchOrder' is ''
MSI (s) (B0:F0) [16:01:52:803]: Warning: rejected invalid source type for source 'C:\WINDOWS\system32\ccmsetup\' (product: {721ABC3B-5F12-4332-9C0C-C11424EF666C})
MSI (s) (B0:F0) [16:01:52:803]: Note: 1: 1708
MSI (s) (B0:F0) [16:01:52:803]: Note: 1: 2729
MSI (s) (B0:F0) [16:01:52:819]: Note: 1: 2729
Does this help?
August 2nd, 2012 4:59pm
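
The comparison made in the post above, automated as an added example (not part of the original thread): a Python script that splits verbose MSI logs into entries, collects the policy values each run read, and reports where a working and a failing install differ. The function names are illustrative assumptions; the sample input is abridged from the log lines quoted in this thread.

```python
import re

# A verbose MSI entry starts with "MSI (c|s) (PID:TID) [hh:mm:ss:ms]: ". Splitting on
# that prefix also copes with logs pasted onto a single line, as in this thread.
ENTRY = re.compile(r"MSI \([cs]\) \([0-9A-F]+:[0-9A-F]+\) \[[\d:]+\]: ")
POLICY = re.compile(r"^(Machine policy|User policy|Policy) value '(\w+)' is '?([^'\n]*)'?")
RETURN = re.compile(r"MainEngineThread is returning (\d+)")

# Abridged from the successful and failing wimgapi.msi logs quoted in the thread.
GOOD_LOG = "\n".join([
    r"MSI (s) (9C:24) [08:30:29:704]: User policy value 'SearchOrder' is 'nmu'",
    r"MSI (s) (9C:24) [08:30:29:704]: Adding new sources is allowed.",
])
BAD_LOG = "\n".join([
    r"MSI (s) (F8:C8) [03:22:23:716]: Machine policy value 'DisableUserInstalls' is 0",
    r"MSI (s) (F8:C8) [03:22:23:747]: Policy value 'SearchOrder' is ''",
    r"MSI (s) (F8:C8) [03:22:23:747]: Warning: rejected invalid source type for source "
    r"'C:\WINDOWS\system32\ccmsetup\' (product: {721ABC3B-5F12-4332-9C0C-C11424EF666C})",
    r"MSI (s) (F8:C8) [03:22:23:747]: MainEngineThread is returning 1625",
])


def summarize(log_text):
    """Collect policy values, source rejection and the engine return code."""
    summary = {"policies": {}, "source_rejected": False, "return_code": None}
    for body in ENTRY.split(log_text):
        body = body.strip()
        m = POLICY.match(body)
        if m:
            scope, name, value = m.groups()
            summary["policies"][name] = (scope, value.strip())
        if body.startswith("Warning: rejected invalid source type"):
            summary["source_rejected"] = True
        m = RETURN.search(body)
        if m:
            summary["return_code"] = int(m.group(1))
    return summary


def policy_diff(good, bad):
    """Policies whose (scope, value) differs between two summaries."""
    names = sorted(set(good["policies"]) | set(bad["policies"]))
    return {n: (good["policies"].get(n), bad["policies"].get(n))
            for n in names if good["policies"].get(n) != bad["policies"].get(n)}


if __name__ == "__main__":
    print(summarize(BAD_LOG))
    print(policy_diff(summarize(GOOD_LOG), summarize(BAD_LOG)))
```

Run against full logs from one working and one failing client, the diff narrows a 1625 failure to the policy values that actually differ between the two machines.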

FWIW, I manually changed the registry setting for HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Windows\Installer SearchOrder string to the nmu value. The client push was successful. There has to be an easier way... right?
August 2nd, 2012 5:36pm

Why would you change it in HKEY_USERS\.DEFAULT? That's the hive for the local SYSTEM account. Was the value actually present there already? Typically anything in the "Policies" keys comes from group policy but local SYSTEM being a local user and not a domain user shouldn't have anything in there. My initial hunch is that whoever built your images did something weird. Based upon this, http://msdn.microsoft.com/en-us/library/windows/desktop/aa368353(v=vs.85).aspx , that value is completely inert now anyway. Recovering something like this across the board is difficult at best. A couple of options though are a startup script or psexec.
Jason | http://blog.configmgrftw.com
August 2nd, 2012 9:06pm


Not sure why Jason's was marked as the answer. I created a script and changed the setting to fix this issue. It was related to FDCC settings applied to the PCs.
August 19th, 2012 10:42pm
