diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a7bd8fb1..b6cc3fbc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -29,19 +29,19 @@ jobs:
 submodules: true
 - name: Restore from cache and install vcpkg
- uses: lukka/run-vcpkg@d42250cb2f1d4b925fe4e8abbdc9753dd3b53056 # v11.3
+ uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5
 with:
 vcpkgDirectory: '${{ github.workspace }}/src/vcpkg'
 vcpkgJsonGlob: '**/src/openvpn/contrib/vcpkg-manifests/windows/vcpkg.json'
 - name: Get latest CMake and ninja
- uses: lukka/get-cmake@4865386b66955d11be0abf8c112d0230023e742a # v3.27.9
+ uses: lukka/get-cmake@139aae96315b496d9af1b5e9abe53b15ca7eece8 # v3.28.3
 - name: Install rst2html
 run: python -m pip install --upgrade pip docutils
 - name: Setup MSVC prompt
- uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.1
+ uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 - name: Install Wix 3.14
 run: |
@@ -77,7 +77,7 @@ jobs:
 echo "DATETIME=${dt}" >> $Env:GITHUB_ENV
 - name: Archive artifacts
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: openvpn-master-${{ env.DATETIME }}-${{ env.OPENVPN_COMMIT }}-${{ matrix.arch }}
 path: ${{ github.workspace }}\windows-msi\image\*-${{ matrix.arch }}.msi
@@ -93,7 +93,7 @@ jobs:
 steps:
 - name: configure aws credentials
- uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 role-to-assume: arn:aws:iam::217307881341:role/GitHubActions
 role-session-name: githubactions
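Review bot: The `Install rst2html` step in the hunk at -29 still runs `python -m pip install --upgrade pip docutils` with no version or hash constraint, while every action around it is pinned to a full commit SHA. Whatever pip and docutils releases are current at build time therefore run inside the job that produces the Windows MSI. Pinning the package, for example `run: python -m pip install docutils==<PINNED_VERSION>` (placeholder version, ideally taken from a requirements file installed with `--require-hashes`), would bring this step in line with the pinning used for the actions. The step list continues outside the hunk.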
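Review bot: The move of `actions/upload-artifact` from v3.1.3 to v4.3.1 in the hunk at -77 is a major-version change, and v4 rejects a second upload to an artifact name that already exists in the run. The name in this step carries `${{ matrix.arch }}` and looks safe, but the fixed names `t_client_openvpn_logs` (hunk at -126) and `openvpn-debian` (hunk at -247) would fail if either job runs as a matrix or if two jobs upload under the same name; the job definitions are outside the hunks, so this needs checking. If a collision is possible, make the name unique, e.g. `name: t_client_openvpn_logs-${{ github.job }}`. The `download-artifact` steps are moved to v4 in the same commit, which is needed because v3 and v4 artifacts are not interchangeable.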
@@ -107,13 +107,13 @@ jobs:
 path: openvpn-windows-test
 - name: Install SSH key for tclient host
- uses: shimataro/ssh-key-action@38b53cb2f445ea2e0eb8872407e366677c41dbc6 # v2.6.1
+ uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2.7.0
 with:
 key: ${{ secrets.SSH_KEY_FOR_TCLIENT_HOST }}
 known_hosts: unnecessary
 - name: Get artifacts
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
 with:
 path: msi
@@ -126,7 +126,7 @@ jobs:
 .\Start-AWSTest.ps1 -SSH_KEY ~/.ssh/id_rsa -MSI_PATH $(Get-ChildItem ../msi/*-amd64/*.msi | select -ExpandProperty FullName)
 - name: Archive openvpn logs
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 if: ${{ always() }}
 with:
 name: t_client_openvpn_logs
@@ -143,7 +143,7 @@ jobs:
 run: sudo apt install knockd
 - name: Get artifacts
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
 with:
 path: msi
@@ -207,7 +207,7 @@ jobs:
 - name: Restore cached chroots
 id: chroots-restore
- uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+ uses: actions/cache/restore@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
 with:
 path: |
 debian-sbuild/chroots
@@ -230,7 +230,7 @@ jobs:
 - name: Save chroots
 if: steps.chroots-restore.outputs.cache-hit != 'true'
 id: chroots-save
- uses: actions/cache/save@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+ uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
 with:
 path: |
 debian-sbuild/chroots
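Review bot: `known_hosts: unnecessary` in the `Install SSH key for tclient host` step (hunk at -107) means the private key from `secrets.SSH_KEY_FOR_TCLIENT_HOST` is installed without recording any host key for the machine it will be used against. How `Start-AWSTest.ps1` invokes ssh is not visible here, but with no known_hosts entry the connection most likely runs with host key checking relaxed, in which case the job would accept any server answering at that address. If the tclient host has a stable key, pass it instead, e.g. `known_hosts: ${{ secrets.TCLIENT_HOST_KNOWN_HOSTS }}` (placeholder secret name). Otherwise a comment on this line stating why verification is skipped would help the next reader.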
@@ -247,7 +247,7 @@ jobs:
 sg sbuild ./scripts/build-all.sh
 - name: Archive packages
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: openvpn-debian
 path: |
diff --git a/debian-sbuild/openvpn-dco-dkms/changelog-0.2.20231117 b/debian-sbuild/openvpn-dco-dkms/changelog-0.2.20231117
index 9ed1e880..156a57ea 100644
--- a/debian-sbuild/openvpn-dco-dkms/changelog-0.2.20231117
+++ b/debian-sbuild/openvpn-dco-dkms/changelog-0.2.20231117
@@ -5,4 +5,4 @@ openvpn-dco-dkms (0.2.20231117-debian0) stable; urgency=medium
 * ovpn-dco: warn if peer is dead in ovpn_tcp_read_sock() (Antonio Quartulli, 0613e71)
 * ovpn-dco: fix refcount imbalance upon RX in case of full ring (Antonio Quartulli, 7b7a28f)
- -- Yuriy Darnobyt Thu, 16 Nov 2023 15:11:55 +0100
+ -- Frank Lichtenheld Thu, 16 Nov 2023 15:11:55 +0100
diff --git a/debian-sbuild/openvpn/changelog-2.6.9 b/debian-sbuild/openvpn/changelog-2.6.9
new file mode 100644
index 00000000..e7d93518
--- /dev/null
+++ b/debian-sbuild/openvpn/changelog-2.6.9
@@ -0,0 +1,49 @@
+openvpn (2.6.9-debian0) stable; urgency=medium
+
+ * preparing release 2.6.9 (Gert Doering, 6640a10b)
+ * dco-freebsd: dynamically re-allocate buffer if it's too small (Kristof Provost, d8faf568)
+ * documentation: Fixes for previous fixes to --push-peer-info (Frank Lichtenheld, 6bed72d0)
+ * documentation: Update and fix documentation for --push-peer-info (Frank Lichtenheld, 18fb30f7)
+ * README.cmake.md: Document minimum required CMake version for --preset (Frank Lichtenheld, 9ec52461)
+ * --http-proxy-user-pass: allow to specify in either order with --http-proxy (Frank Lichtenheld, 1141e750)
+ * buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' (Frank Lichtenheld, 68b00a54)
+ * proxy-options.rst: Add proper documentation for --http-proxy-user-pass (Frank Lichtenheld, 7b1f2009)
+ * Remove conditional text for Apache2 linking exception (Arne Schwabe, 20bc8bd5)
+ * Enable key export with mbed TLS 3.x.y (Max Fillinger, 001950d1)
+ * Disable TLS 1.3 support with mbed TLS (Max Fillinger, 7fa534db)
+ * Update README.mbedtls (Max Fillinger, 1aa2995e)
+ * Add support for mbedtls 3.X.Y (Max Fillinger, 2942ef5d)
+ * NTLM: increase size of phase 2 response we can handle (Frank Lichtenheld, 62d14fcf)
+ * NTLM: add length check to add_security_buffer (Frank Lichtenheld, 7a9670df)
+ * Implement the --tls-export-cert feature (Arne Schwabe, d27cb148)
+ * fix uncrustify complaints about previous patch (Gert Doering, 9fb62e2b)
+ * Fix IPv6 route add/delete message log level (Steffan Karger, 9abf74c9)
+ * Clarify that the tls-crypt-v2-verify has a very limited env set (Arne Schwabe, 322b11ab)
+ * Make it more explicit and visible when pkg-config is not found (Arne Schwabe, d602fc03)
+ * Check PRF availability on initialisation and add --force-tls-key-material-export (Arne Schwabe, b29ada31)
+ * get_default_gateway() HWADDR overhaul (Gert Doering, bfd5b12e)
+ * OpenBSD: repair --show-gateway (Gert Doering, 77376fc5)
+ * Fix unaligned access in macOS, FreeBSD, Solaris hwaddr (Arne Schwabe, 5380fe02)
+ * documentation: improve documentation of --x509-track (Frank Lichtenheld, cbcecdb3)
+ * fix(ssl): init peer_id when init tls_multi (yatta, 6dffbf6a)
+ * Extend the error message when TLS 1.0 PRF fails (Arne Schwabe, cfaf82d5)
+ * tun.c: don't attempt to delete DNS and WINS servers if they're not set (Lev Stipakov, 030afe64)
+ * unit_tests: remove includes for mock_msg.h (Frank Lichtenheld, e2a9c1ba)
+ * Remove superfluous x509_write_pem() (David Sommerseth, 5552391a)
+ * Remove --tls-export-cert (David Sommerseth, 031fe882)
+ * vcpkg-ports/pkcs11-helper: bump to version 1.30 (Marc Becker, 77b2e940)
+ * documentation: remove reference to removed option --show-proxy-settings (Frank Lichtenheld, 8b9a3378)
+ * Remove compat versionhelpers.h and remove cmake/configure check for it (Arne Schwabe, 19bfb702)
+ * Add check for nice in cmake config (Arne Schwabe, cc81f014)
+ * configure.ac: Remove unused AC_TYPE_SIGNAL macro (Frank Lichtenheld, 64703e72)
+ * Add missing check for nl_socket_alloc failure (Arne Schwabe, aa19a6a9)
+ * Fix check_session_buf_not_used using wrong index (Arne Schwabe, 5def8d93)
+ * Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway (Arne Schwabe, 3168e1af)
+ * Document tls-exit option mainly as test option (Arne Schwabe, 350bdd85)
+ * GHA: clean up libressl builds with newer libressl (Frank Lichtenheld, 1a6aef37)
+ * Log SSL alerts more prominently (Arne Schwabe, 94cd53c7)
+ * sample-keys: renew for the next 10 years (Frank Lichtenheld, c1a983e8)
+ * Remove unused function prototype crypto_adjust_frame_parameters (Arne Schwabe, d25b408d)
+ * protocol_dump: tls-crypt support (Reynir Björnsson, 0a39d1c1)
+
+ -- Frank Lichtenheld Mon, 12 Feb 2024 12:30:06 +0100
diff --git a/release/vars.example b/release/vars.example
index 775112a1..746e855f 100644
--- a/release/vars.example
+++ b/release/vars.example
@@ -19,13 +19,13 @@ GIT_AUTHOR="Frank Lichtenheld " WINDOWS_SIGNING_KEY_FP="31DA19926259519C9EA312C71935B13C33FC6E7E" # Version numbers -OPENVPN_PREVIOUS_VERSION="${OPENVPN_PREVIOUS_VERSION:-2.6.7}" +OPENVPN_PREVIOUS_VERSION="${OPENVPN_PREVIOUS_VERSION:-2.6.8}" OPENVPN_CURRENT_VERSION="${OPENVPN_CURRENT_VERSION:-2.7_git}" OPENVPN_CURRENT_TAG="${OPENVPN_CURRENT_TAG:-HEAD}" OPENVPN_PREVIOUS_TAG="refs/tags/v$OPENVPN_PREVIOUS_VERSION" OPENVPN_GUI_CURRENT_MAJ_VERSION=11 -OPENVPN_GUI_CURRENT_MIN_VERSION=46 +OPENVPN_GUI_CURRENT_MIN_VERSION=47 OPENVPN_GUI_CURRENT_FULL_VERSION="$OPENVPN_GUI_CURRENT_MAJ_VERSION.$OPENVPN_GUI_CURRENT_MIN_VERSION.0.0" OPENVPN_GUI_BRANCH="master" diff --git a/src/openvpn-gui b/src/openvpn-gui index 813916ed..583e48b1 160000 --- a/src/openvpn-gui +++ b/src/openvpn-gui @@ -1 +1 @@ -Subproject commit 813916ede535d01b1f5ba45a34ba5ce1a9d37fc0 +Subproject commit 583e48b148ac19037e53a542fb21548ee685a9f0 diff --git a/windows-msi/build.wsf b/windows-msi/build.wsf index 2c70b2fa..a877907d 100644 --- a/windows-msi/build.wsf +++ b/windows-msi/build.wsf @@ -273,6 +273,7 @@ clean Cleans intermediate and output files BuildPath("script", "ActiveSetupCA.js"), BuildPath("script", "PlapReg.js"), BuildPath("script", "Service.js"), + BuildPath("script", "ACL.js"), BuildPath(p.buildPath, "license.txt"), BuildPath(p.buildPath, "tap-windows6.msm"), BuildPath(p.buildPath, "wintun.msm"), diff --git a/windows-msi/gui.wxs b/windows-msi/gui.wxs index 7809776f..288a5e46 100644 --- a/windows-msi/gui.wxs +++ b/windows-msi/gui.wxs @@ -303,7 +303,7 @@ - Installed + WIX_UPGRADE_DETECTED 1 diff --git a/windows-msi/msi.wxs b/windows-msi/msi.wxs index 754b1b70..ed6ec52b 100644 --- a/windows-msi/msi.wxs +++ b/windows-msi/msi.wxs @@ -83,13 +83,17 @@ + - + + + + @@ -101,8 +105,10 @@ NOT Installed OR REINSTALL - + + NOT Installed + NOT Installed Detecting system information 
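Review bot: In the msi.wxs hunk at -101 the two added conditions are plain `NOT Installed`, while the neighbouring entry keeps `NOT Installed OR REINSTALL`, so whatever the new entries schedule is skipped on a repair. The element names did not survive on this page; if these are the custom actions backed by `ACL.js` (added to the build inputs in the build.wsf hunk of this commit), a repair would leave the installation directory's permissions as it finds them. Either use `NOT Installed OR REINSTALL` for them as well, or add a comment next to the condition saying why repair is deliberately excluded.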
@@ -349,7 +355,7 @@ Action="SetProductDirParam" Id="PRODUCTDIR" Value="[INSTALLDIR]" - Sequence="first">INSTALLDIR AND NOT Installed + Sequence="first">INSTALLDIR AND NOT Installed AND NOT WIX_UPGRADE_DETECTED