Apply MSP at logon - Locked down computer

Posted on 2012-09-06
Last Modified: 2012-11-15
I'm sure by now I've over-thought/over-complicated this; however, here is what I need to accomplish, followed by what I have done so far:

Here is what I need: I have 500 computers that have a specific application installed; fortunately it is identical (same GUID/patch level, etc.). I have an MSP file that now needs to be applied to all of these systems. I also have a requirement to do this as silently as possible, as the users in our organization like to pretend that their computers are magical devices that never need updating. ALL of these computers are locked down; the local user does not have local administrative rights. I also need to ensure that the MSP file runs at logon and that the program and all programs that use it (the Microsoft Office suite, for example) are not running during the apply of the MSP. I also need to ensure this ONLY runs on Windows 7 machines.

Here is what I have: I have created a VBS script that calls a BAT file.  The VBS script specifically looks to make sure two things are true:
1: The patch has not already been applied (looks in the registry for this)
2: The computer is Windows 7
If both are true it calls the BAT file otherwise it terminates.
The BAT file then launches, taskkills explorer.exe (our users are click happy and can launch a million applications in a blink of an eye; killing this kills the desktop and taskbar) and all necessary applications that cannot be running, and displays a friendly message to the user while applying the MSP; it then launches explorer.exe.

Here's the catch... the scripts above, what I currently have, WORK GREAT!! as long as the user is a local admin on his/her machine; otherwise we get an error message: Product: [Product Name]' could not be installed. Error code 1625.

Error Code 1625: ERROR_INSTALL_PACKAGE_REJECTED This installation is forbidden by system policy. Contact your system administrator.

So.. I need to know how I can use the method I already have OR I need a suggestion on a better way of doing it.  The sad part is I DO HAVE SCCM 2012, just stood it up.  I know it inside and out... for inventory and remote control... Still learning my way around the whole package deployment thing... So, I'm open to any way of doing this and I would truly prefer not to have to use a script... if I can get away from it.

Thank you in advance
Question by: LouSch7

    Accepted Solution

    Because you are on Windows 7, why not use a scheduled task that runs as an administrator? The scheduled task could run the script at a specific time (or at user logon).

    You can use Group Policy preferences to install it.

    Expert Comment


    You cannot use logon scripts here. For installations, you can use Startup scripts; those use "god mode" (= the System account) to execute your script.

    For more comfort, I recommend using the freeware LUP that integrates into WSUS and can roll out any 3rd-party .msp file. See
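
The startup-script approach from the comment above, as an added example that is not part of the original thread: a PowerShell 2.0-compatible computer startup script that repeats the asker's two checks, verifies the MSP's hash because the script runs as SYSTEM, and applies the patch silently. The share path, expected hash, registry marker and log file name are placeholders.

```powershell
# Added example: computer startup script (runs as SYSTEM, before any user logs on).
# Every path, the hash and the registry marker below are placeholders, not values from the thread.
$ErrorActionPreference = 'Stop'                            # fail closed on any unexpected error
$MspPath   = '\\fileserver.example\deploy$\patch.msp'      # share must be writable by admins only
$MspSha256 = '<EXPECTED-SHA256-HEX>'                       # record this when the MSP is staged
$MarkerKey = 'HKLM:\SOFTWARE\ExampleCorp\Deployments'      # hypothetical "already applied" marker
$MarkerVal = 'ExamplePatchApplied'
$LogFile   = Join-Path $env:windir 'Temp\example-msp.log'

# 1. Windows 7 workstations only: version 6.1 and ProductType 1 (Server 2008 R2 is also 6.1).
$os = Get-WmiObject Win32_OperatingSystem
if (-not ($os.Version -like '6.1.*' -and $os.ProductType -eq 1)) { exit 0 }

# 2. Skip machines that already carry the marker.
$marker = Get-ItemProperty -Path $MarkerKey -Name $MarkerVal -ErrorAction SilentlyContinue
if ($marker) { exit 0 }

# 3. Anything this script launches runs as SYSTEM, so refuse a file that is not the staged one.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead($MspPath)
try     { $hash = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
finally { $fs.Close() }
if ($hash -ne $MspSha256) { exit 1 }                       # -ne is case-insensitive for strings

# 4. Apply silently, no forced reboot, verbose log for troubleshooting.
$msiArgs = "/p `"$MspPath`" /qn /norestart /L*v `"$LogFile`""
$p = Start-Process -FilePath "$env:windir\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but reboot required; 1625 is the policy rejection from the question.
if ($p.ExitCode -eq 0 -or $p.ExitCode -eq 3010) {
    if (-not (Test-Path $MarkerKey)) { New-Item -Path $MarkerKey -Force | Out-Null }
    New-ItemProperty -Path $MarkerKey -Name $MarkerVal -Value (Get-Date -Format s) -PropertyType String -Force | Out-Null
}
exit $p.ExitCode
```

Because a startup script finishes before the logon screen is usable, no user applications are open while the patch is applied, and the computer account only needs read access to the share.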
