Apply MSP at logon - Locked down computer
Posted on 2012-09-06
I'm sure by now I've over-thought/over-complicated this however, here is what I need to accomplish followed by what I have done so far:
Here is what I need: I have 500 computers that have a specific application installed, fortunately it is identical same GUID/Patch level etc. I have an MSP file that now needs to be applied to all of these systems. I also have a requirement to do this as silently as possible as the users in our organization like to pretend that their computers are magical devices that never need updating. ALL of these computers are locked down, the local user does not have local administrative rights. I also need to ensure that the MSP file runs at logon and that the program and all programs that use (the microsoft office suite for example) are not running during the apply of the MSP. I also need to ensure this ONLY runs on Windows 7 Machines
Here is what I have: I have created a VBS script that calls a BAT file. The VBS script specifically looks to make sure two things are true:
1: The patch has not already been applied (looks in the registry for this)
2: The computer is Windows 7
If both are true it calls the BAT file otherwise it terminates.
The BAT file then launches, taskills explorer.exe (our users are click happy and can launch a million applications in a blink of an eye, killing this kills the desktop and taskbar) and all necessary applications that cannot be running and displays a friendly message to the user while applying the msp, it then launches explorer.exe.
Here's the catch... the scripts above, what I currently have WORK GREAT!! as long as the user is a local admin on his/her machine otherwise; we get an error message: Product: [Product Name]' could not be installed. Error code 1625.
Error Code 1625: ERROR_INSTALL_PACKAGE_REJECTED This installation is forbidden by system policy. Contact your system administrator.
So.. I need to know how I can use the method I already have OR I need a suggestion on a better way of doing it. The sad part is I DO HAVE SCCM 2012, just stood it up. I know it inside and out... for inventory and remote control... Still learning my way around the whole package deployment thing... So, I'm open to any way of doing this and I would truly prefer not to have to use a script... if I can get away from it.
Thank you in advance