My company uses SCCM 2007 and Windows 7. I have a rather complicated application deployment that I need to do. To make a long story short, I have to automatically install this while no users are logged on because the installer demands that Word and Outlook not be running. This install takes about 10 minutes. Right now I have it set in SCCM to "Install as soon as possible" but to "Run when no users are logged on". This has the installer kicking off when users are on the logon screen. However, we've found that this is not a great solution, as people do things like logging on while the installer is running in the background, and then they launch Word and Outlook.
What I would like to do is run this with the same mechanism that Windows updates use, so I can hold the PC at log on or log off while I deploy this update. (Please do not power off or unplug your machine. Installing Update X of Y) But I am not sure how to hook into this, if it is even possible.
For compliance reasons, I cannot rely on users installing this themselves. I also cannot have my IT staff do it manually (far too many PCs).
Any other suggestions are more than welcome. I'm more than happy to RTFM, I just need to be pointed to which manual to read.
If the main problem is that Word and Outlook run, then you can install the software after hours. You can write a script that displays a GUI and informs the user that the software will install in x minutes, and Word and Outlook will close. It helps credibility if the GUI is branded with some 'official' Corporate/IT logo or similar. That way nobody calls the helpdesk and says 'There is a virus on my computer!'. The countdown gives people time to save their work. Force closing Word and Outlook isn't that bad off hours because of autosave; Word docs come back at startup and Outlook drafts are saved in.....drafts. I've used the same approach with Java in the past seeing as how it will fail if browsers are open and tuned to a page that happens to be using Java.
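The approach in this answer, as an added PowerShell example (not the poster's script): it warns every session, waits out the countdown, closes Word and Outlook, then runs the installer. It uses a plain `msg.exe` message box in place of a branded GUI; the installer path, its switch and the 10-minute grace period are placeholders, and it assumes `msg.exe` is present (Windows 7 Professional or higher) and that the script runs with rights to end other users' processes.

```powershell
# Added example, not from the original thread. Written for PowerShell 2.0 (Windows 7).
param(
    [string]$InstallerPath = 'C:\Deploy\setup.exe',  # placeholder path
    [string]$InstallerArgs = '/quiet',               # placeholder switch
    [int]$GraceMinutes = 10                          # placeholder countdown
)

$blocking = 'winword', 'outlook'

function Get-BlockingProcess {
    Get-Process -Name $blocking -ErrorAction SilentlyContinue
}

# @(...) at the call site: PowerShell 2.0 has no .Count on a single object
if (@(Get-BlockingProcess).Count -gt 0) {
    # Tell every session on the machine what is about to happen
    $text = "IT: an update installs in $GraceMinutes minutes. " +
            "Save your work; Word and Outlook will be closed."
    $timeArg = "/TIME:$($GraceMinutes * 60)"
    & msg.exe '*' $timeArg $text

    # Countdown: stop waiting early if the user closes both applications
    $deadline = (Get-Date).AddMinutes($GraceMinutes)
    while ((Get-Date) -lt $deadline -and @(Get-BlockingProcess).Count -gt 0) {
        Start-Sleep -Seconds 15
    }

    # Request a normal close first. This returns $false when the window is in
    # another session (script running as SYSTEM), so a forced stop follows.
    foreach ($p in @(Get-BlockingProcess)) {
        try { [void]$p.CloseMainWindow() } catch { }  # process may have just exited
    }
    Start-Sleep -Seconds 30
    Get-BlockingProcess | Stop-Process -Force -ErrorAction SilentlyContinue
}

# Nothing here stops a user from relaunching Word or Outlook during the install
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArgs -Wait -PassThru
exit $proc.ExitCode
```

Returning the installer's exit code lets the deployment tool record success or failure for the machine.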
You are stepping into customization territory that may leave you with more problems than you have now. You could wrap the install in a script that renames the Outlook and Word executables temporarily ("winword.exe" -> "winword.exe.disabled") to disable them and rename them back when done. You would want to notify users that Word and Outlook will be disabled and notify them when it is re-enabled.
We frequently configure these types of update to run after hours, when nobody is logged on, about an hour after WSUS critical updates are set to deploy and reboot. This maximizes the number of people that are logged off their machines after hours. It's never 100%, but I don't think I've ever gotten 100% under any circumstances, ever. After a round or two of this behavior, machines that aren't getting updated get put into a special collection, managed with a heavier hand (e.g. killing off Word/Outlook and running the update anyway), at least for the purpose of this update.
If you have WSUS, it is possible to use WSUSPackagePublisher. It pushes to the WSUS database for deployment to users.
WSUS Package Publisher @ Codeplex