

Apply MSP at logon - Locked down computer

Posted on 2012-09-06
Medium Priority
Last Modified: 2012-11-15
I'm sure by now I've over-thought/over-complicated this; however, here is what I need to accomplish, followed by what I have done so far:

Here is what I need: I have 500 computers that have a specific application installed; fortunately it is identical: same GUID/patch level, etc.  I have an MSP file that now needs to be applied to all of these systems.  I also have a requirement to do this as silently as possible, as the users in our organization like to pretend that their computers are magical devices that never need updating.  ALL of these computers are locked down; the local user does not have local administrative rights.  I also need to ensure that the MSP file runs at logon and that the program and all programs that use it (the Microsoft Office suite, for example) are not running during the apply of the MSP.  I also need to ensure this ONLY runs on Windows 7 machines.

Here is what I have: I have created a VBS script that calls a BAT file.  The VBS script specifically looks to make sure two things are true:
1: The patch has not already been applied (looks in the registry for this)
2: The computer is Windows 7
If both are true it calls the BAT file otherwise it terminates.
The BAT file then launches, taskkills explorer.exe (our users are click happy and can launch a million applications in the blink of an eye; killing this kills the desktop and taskbar) and all necessary applications that cannot be running, and displays a friendly message to the user while applying the MSP. It then launches explorer.exe.

Here's the catch... the scripts above, what I currently have, WORK GREAT!! as long as the user is a local admin on his/her machine; otherwise, we get an error message: Product: [Product Name]' could not be installed. Error code 1625.

Error Code 1625: ERROR_INSTALL_PACKAGE_REJECTED This installation is forbidden by system policy. Contact your system administrator.

So.. I need to know how I can use the method I already have OR I need a suggestion on a better way of doing it.  The sad part is I DO HAVE SCCM 2012, just stood it up.  I know it inside and out... for inventory and remote control... Still learning my way around the whole package deployment thing... So, I'm open to any way of doing this and I would truly prefer not to have to use a script... if I can get away from it.

Thank you in advance
Question by: LouSch7

Accepted Solution

Joseph Moody earned 2000 total points
ID: 38371903
Because you are on Windows 7, why not use a scheduled task that runs as an administrator? The scheduled task could run the script at a specific time (or at user logon).

You can use Group Policy preferences to install it.

Expert Comment

ID: 38373700

You cannot use logon scripts here. For installations, you can use Startup scripts; those use "god mode" (= the System account) to execute your script.

For more comfort, I recommend using the freeware LUP, which integrates into WSUS and can roll out any 3rd-party .msp file. See http://localupdatepubl.sourceforge.net/
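
A startup-script version of the checks the question describes (Windows 7 only, not yet patched, silent apply), added here as an example and not posted by anyone in this thread. The share path, registry marker key, value name and log location are hypothetical placeholders; because the script runs as SYSTEM, the share it reads from should be writable by administrators only.

```powershell
# Computer startup script, assigned under
# Computer Configuration > Policies > Windows Settings > Scripts > Startup.
# Startup scripts run as SYSTEM before any user logs on, so the user needs no
# admin rights and none of the user's applications are open during the patch.

# Hypothetical placeholders: replace with your own values.
$MspPath   = '\\fileserver.example\deploy$\app-patch.msp'  # readable by computer accounts
$MarkerKey = 'HKLM:\SOFTWARE\ExampleCorp\Deploy'            # stands in for the "already applied" check
$MarkerVal = 'AppPatchApplied'
$LogPath   = Join-Path $env:windir 'Temp\app-patch-msp.log'

# Windows 7 only: version 6.1 with ProductType 1 (workstation).
# Server 2008 R2 is also 6.1 but reports ProductType 2 or 3.
$os = Get-WmiObject -Class Win32_OperatingSystem
if (-not ($os.Version -like '6.1.*' -and $os.ProductType -eq 1)) { exit 0 }

# Skip machines that already carry the marker.
$marker = Get-ItemProperty -Path $MarkerKey -Name $MarkerVal -ErrorAction SilentlyContinue
if ($marker -and $marker.$MarkerVal -eq 1) { exit 0 }

# Patch not reachable (for example, network not up yet): try again next boot.
if (-not (Test-Path -LiteralPath $MspPath)) { exit 1 }

# /p applies the patch, /qn shows no UI, /norestart defers any reboot,
# /l*v writes a verbose log for troubleshooting.
$msiArgs = '/p "{0}" /qn /norestart /l*v "{1}"' -f $MspPath, $LogPath
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                      -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with a reboot pending.
# Any other code (1625 included) leaves the marker unset so the next boot retries.
if ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010) {
    if (-not (Test-Path $MarkerKey)) { New-Item -Path $MarkerKey -Force | Out-Null }
    Set-ItemProperty -Path $MarkerKey -Name $MarkerVal -Value 1
}
exit $proc.ExitCode
```

The script uses only cmdlets available in PowerShell 2.0, the version that ships with Windows 7.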


Question has a verified solution.
