0X0000066C

Fix ERROR_INSTALL_TRANSFORM_REJECTED (0x0000066C)

Windows Errors Intermediate 👁 1 views 📅 May 28, 2026

Windows blocks the MSI transform file (MST) via Software Restriction Policy. Quick fix: whitelist the transform or run the installer without it.

Quick answer: This error means Windows Software Restriction Policies or AppLocker blocked the .MST transform file during installation. Fix: move the MST to a trusted path (like Program Files) or disable the offending policy.

Why this happens

You're deploying an MSI package with a transform file (MST) — probably via Group Policy, SCCM, or a manual msiexec command. The Windows Installer engine checks every transform against Software Restriction Policies (SRP) or AppLocker. If those policies flag the MST as untrusted — because it's on a network share, a temp folder, or lacks proper digital signing — you get error 0x0000066C.

The culprit here is almost always a blanket "Disallowed" policy in SRP or an AppLocker rule that covers the MST's source location. I've seen this most often when admins deploy transforms from UNC paths like \server\share\app.mst without adding that share to SRP's trusted paths.

Step-by-step fix

  1. Check local or GPO software restriction policies.
    Open gpedit.msc (local) or check your domain GPO. Go to Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies. If no policies are defined, SRP isn't your issue — skip to step 3.
  2. Whitelist the transform path.
    Under Additional Rules, right-click → New Path Rule. Enter the full path to the MST file (or the folder containing it). Set Security Level to Unrestricted. Apply and run gpupdate /force on the target machine.
  3. Check AppLocker instead.
    If SRP isn't configured, check AppLocker → Windows Installer Rules. Look for a rule that blocks all MSI files from *.mst or from specific publisher conditions. Create an exception for your transform's path or sign it with a trusted cert.
  4. Run the transform from a local temp folder.
    Copy the MST to C:\Windows\Temp\ or %ProgramFiles% — paths that SRP usually treats as trusted. Then run your msiexec command referencing the local copy:
    msiexec /i "app.msi" TRANSFORMS="C:\Windows\Temp\app.mst"
  5. Verify the transform's digital signature (if any).
    Right-click the MST → Properties → Digital Signatures. If it's signed by an untrusted cert, either remove the signature (bad idea) or add the cert to Trusted Publishers via GPO.

Alternative fixes if the above fails

  • Disable Software Restriction Policies temporarily for testing. Set the SRP Security Level to Unrestricted, deploy, then re-enable. Not a long-term fix, but good for isolating the issue.
  • Embed the transform settings directly into the MSI using a tool like Orca or InstEd. Remove the MST dependency entirely. This bypasses SRP checks but requires re-packaging.
  • Use Msiexec /z to log transform issues. Run msiexec /i app.msi TRANSFORMS=app.mst /l*vx c:\msi.log — the verbose log will show exactly which rule rejected the transform.

Prevention tip

Never store MST files on user-writable paths like Desktop, Downloads, or %TEMP%. Always deploy them from a hardened network share with proper SRP/AppLocker exceptions before rollout. If you're managing many machines, add the transform folder as a trusted path in your baseline GPO — saves you a dozen tickets down the road.

Was this solution helpful?

ERROR_INSTALL_TRANSFORM_REJECTED 0x0000066C MSI transform blocked software restriction policy MST file blocked Windows Installer error group policy blocks transform fix transform rejected whitelist MST MSIEXEC transform error Windows 10 transform blocked Windows 11 installation error