1

My company uses SCCM 2007 and Windows 7. I have a rather complicated application deployment that I need to do. To make a long story short, I have to automatically install this while no users are logged on because the installer demands that Word and Outlook not be running. This install takes about 10 minutes. Right now I have it set in SCCM to "Install as soon as possible" but to "Run when no users are logged on". This has the installer kicking off when users are on the logon screen. However, we've found that this is not a great solution, as people do things like logging on while the installer is running in the background, and then they launch Word and Outlook.

What I would like to do is run this with the same mechanism that Windows updates use, so I can hold the PC at log on or log off while I deploy this update. (Please do not power off or unplug your machine. Installing Update X of Y) But I am not sure how to hook into this, if it is even possible.

For compliance reasons, I cannot rely on users installing this themselves. I also cannot have my IT staff do it manually (far too many PCs).

Any other suggestions are more then welcome. I'm more then happy to RTFM, I just need to be pointed to which manual to read.

Little_Johnn
  • 436
  • 1
  • 4
  • 4
  • kinda of a wag, but you could put it in the system shutdown reg key. The screen to show "please do not power off etc" could be any screen you want. – tony roth Apr 12 '13 at 14:42
  • I apprciate the suggestion, but it doesn't really help, as users tend to forcably power off their PCs if they take more then 60 seconds to log off. I'd really like to do this at bootup. – Little_Johnn Apr 12 '13 at 14:53
  • then put it in the runonce system reg key – tony roth Apr 12 '13 at 15:16
  • That doesn't help, because the program will run in the background while users are logging on. So someone will inevitably launch Outlook and crash the installer. – Little_Johnn Apr 12 '13 at 16:10
  • I guess I didn't explain the shutdown method the screen that shows "Please do not power off or unplug your machine. Installing Update X of Y" is just a screen that the your installer can display thus somewhat preventing them from doing dumb things. – tony roth Apr 12 '13 at 20:10
  • Maybe use some secedit scripting to disable interactive logons while the install is running? Some more info here: http://stackoverflow.com/questions/2910978/script-for-local-security-policy – Trondh Oct 02 '13 at 14:21

4 Answers4

1

If the main problem is that Word and Outlook run, then you can install the software after hours. You can write a script that displays a gui and informs the user that the software will install in x minutes, and Word and Outlook will close. It helps credibility if the gui is branded with some 'official' Corporate/IT logo or similar. That way nobody calls the helpdesk and says 'There is a virus on my computer!'. The countdown gives people time to save their work. Force closing Word and Outlook isn't that bad off hours because of autosave, Word docs come back at startup and Outlook drafts are saved in.....drafts. I've used the same approach with Java in the past seeing as how it will fail if browsers are open and tuned to a page that happens to be using Java.

MDMoore313
  • 5,581
  • 6
  • 36
  • 75
1

You are stepping into customization territory that may leave you with more problems that you have now. You could wrap the install in a script that renames the Outlook and Word executables temporarily ("winword.exe" -> "winword.exe.disabled") to disable them and rename them back when done. You would want to notify users that Word and Outlook will be disabled and notify them when it is re-enabled.

Bin
  • 864
  • 5
  • 15
  • He hasn't said precisely *why* Word and Outlook need not to be running, but it stands to reason that the software update might need both applications to be functional. Otherwise, I like this idea. – mojo Oct 29 '13 at 12:55
  • 1
    @Mojo That is a good observation, he would have to verify those binaries are not needed for the update. A better method would probably be changing NTFS permissions to Admin/System only and then change them back. – Bin Nov 14 '13 at 17:35
1

We frequently configure these types of update to run after hours, when nobody is logged on, about an hour after WSUS critical updates are set to deploy and reboot. This maximizes the number of people that are logged off their machines after hours. It's never 100%, but I don't think I've ever gotten 100% under any circumstances, ever. After a round or two of this behavior, machines that aren't getting updated get put into a special collection, managed with a heavier hand (e.g. killing off Word/Outlook and running the update anyway), at least for the purpose of this update.

mojo
  • 227
  • 1
  • 4
  • 12
0

If you have WSUS is possible use WSUSPackagePublisher. They push to wsus' database for deploy to users.

English : Wsus Package Publisher allows you to publish your own updates as MSI, MSP or EXE files. Hence, you can deploy applications like Adobe Reader, Java, Flash Player or Symantec Endpoint Protection 12.1. and update them.

WSUS Package Publishet @ Codeplex

Ozwaldo Ortiz
  • 51
  • 4