May 01, 2008

Welcome Back SeBackupPrivilege

Back in October 2006 I reported on an undocumented security change in MSI 4.0/Vista that prevented Deferred NoImpersonate CAs from having the same security rights they previously had on downstream operating systems. The story was picked up by Microsoft's Vista Compatibility blog and justified as an attempt to tighten OS security. Maarten van de Bospoort of the MSFT AppCompat team said that it was a "design decision made by the installer folks."

The argument was naturally pointless since any elevated process (including MSI CAs themselves or bootstrappers) could easily tweak the registry and restart the MSI service to get around the restriction. As an aside, my discovery was also cited by Microsoft MVP Stefen Kruger.

Tonight I read on the Windows Installer team blog that after 1 1/2 years, Microsoft is finally correcting this issue and restoring SeBackupPrivilege.
