Prevent users from logging on while installing software RRS feed

  • General discussion

  • Before SCCM, we used to use a software deployment solution which would prevent users from logging while a package is being installed. It would also display on screen what is being installed and once finished, the PC would restart if required or just present the logon screen.

    Can something similar be done in SCCM? The "Only when no user is logged on" option is not much use to situations where the users log on straight after they power on their machines or for software updates that need to be installed urgently while no user is logged on (like software that requires that internet browsers or office applications are closed).

    Tuesday, December 21, 2010 9:23 AM

All replies

  • Hi,

    There is no such built-in feature in SCCM. MIght be done by running a script that locks the keyboard during the installation process.

    Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
    Tuesday, December 21, 2010 9:33 AM
  • This is so strange not to have such a fundamental feature. We used to have a package that wouldn't work properly if a user logged on in the middle of the silent installation.

    Locking the keyboard is not an option for us as we have hundreds of users who used to call us asking what their computer was doing when we rolled out software with our previous system (even though it would say "Installing xyz"). I need something to tell the users what is going on, preferably with giant red letters!

    Tuesday, December 21, 2010 9:45 AM
  • You could run the install while showing the progresbar, or inform the user that an installation job is starting, and then again inform the user when the job is done.
    Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
    Tuesday, December 21, 2010 9:48 AM
  • Thanks Kent. Unfortunately showing messages to users during installations is beyond me. Willing to learn if you point me to some guides though!

    Showing the progress bar is not available to a lot of our packages and I also hide it since it would confuse anyone who may be writing an email at the time for example.

    Tuesday, December 21, 2010 11:08 AM
  • This happens to be asked about every 6 months.  The only way to prevent users from logging in is to lock out the keyboard or explorer process while the install occurs.  Many people have asked for this feature.  The problem is that just as many people will tell you that after they tried it people would just hold the power button down and restart the machine because they think something is wrong with the computer.

    This comes down to a user training issue and the package at hand.  If possible you can set the install window to occur late at night when the user shouldn't be logging in.  Otherwise you need to turn on interaction and let the see the task bar.  I have an application that really should be intstalled when no user is logged on.  Since this must be done at night (and when the computer is on :{ ) It can take a while to roll out the application. 

     If you want them to install it then you can set the first program to do a restart of the machine (with count down) and then have it install when no user is logged on.  Then have it do another restart so the user understands that it is done. 

    Really there is no good solution to this problem short of the ability to show a popup that an install is occuring and they keyboard will be disabled while this is occuring.  Then remove the popup. 

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Tuesday, December 21, 2010 11:27 AM
  • ... The problem is that just as many people will tell you that after they tried it people would just hold the power button down and restart the machine because they think something is wrong with the computer.


    Really there is no good solution to this problem short of the ability to show a popup that an install is occuring and they keyboard will be disabled while this is occuring.  Then remove the popup.

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

    I would have to disagree on those points slightly. Although some people might try to switch off their computers if they feel something is wrong, from experience with our old system, most users get used to the software deployment message box and let it do its job. We did get calls from newer staff asking what was going on but it wasn't as big of a problem as it is now. Also, Microsoft do this all the time with Windows updates, yet somehow it is not ok if technicians try to do it with 3rd party software.

    I think SCCM should have an OPTION to display an appropriate and highly visible message box (while hiding the logon box) informing the user what should be done. Also this could be even more effective if it is done on shut down. Anyone that believes that an application can be installed silently in the background then they can switch of the message box.

    Having said that, my questions now are:

    1. Is it possible to display messages on the logon screen. To keep it simple, is it possible to display a label with the computer's hostname?

    2. Can I submit a feature request to the SCCM team?
    Tuesday, December 21, 2010 1:36 PM
  • You can use connect.microsoft.com to submit feedback to the product group.
    Tuesday, December 21, 2010 1:40 PM
  • Yes for all OS's you can change the background screen, we do for imaging purposes.  The problem is that the change is only visible after a reboot.  So you would change the background, reboot, do the install, then reboot and put the background back in place.

    Per the "push the power button" I was referring to the locking of the keyboard to keep the user out, not while they are logged on and the install occurs.  These are the situations you would have if you tried to turn off the Control key or lock the user from logging in while the install is going on. 

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Tuesday, December 21, 2010 2:24 PM
  • You can use connect.microsoft.com to submit feedback to the product group.

    When I try to submit a feedback, the only option is to report a bug and only for "registered Open Beta customers only". I'm not sure if I'll be able to do this myself...

    Matthew, how do you suggest I embed personalized information such as the hostname to the background screen. I assume you mean editing the bitmap inside the oobe folder but I don't know how to automate this. Also, changing the background, rebooting, installing the software and rebooting again might work. Do you imagine this being done trough a task sequence? This however would mean that the user still sees the logon box which might tempt them to try to logon (and then phone us to complain that their keyboard is not working)

    Tuesday, December 21, 2010 3:09 PM
  • I know there are applications that save the host information and create an image for you. (We created our own in VB)  Or you can do we what we do.  We have a Red image that says "Imaging in progress with the Date and time that it started"  This gets your attention since it is not the normal Blue color background.



    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Tuesday, December 21, 2010 4:39 PM
  • Thanks Matthew. I see where you are coming from. I guess you only have this background on your freshly created machines and then you reset the background as soon as your TS is over. In terms of standalone software distributions and updates I think the most efficient way would be to just have a template TS which can be copied any time a new application needs to be installed. I don't know if it's just me but I've noticed that more things can go wrong if deployed through a task sequence as opposed to the software distribution method (with the complex chaining). I will do more testing with it when we upgrade to R3.

    Would somoeone be able to submit a feature request for having a "installing software" type screen like windows update for SCCM 2007?

    Tuesday, December 21, 2010 5:21 PM
  • Won't happen for SCCM 2007.

    Additionally the UI surfaces for application deployment are significantly different for Configuration Manager 2012. There is already Beta1 out there if you are curious.

    Tuesday, December 21, 2010 6:07 PM
  • Thanks Eric. Do you suggest that what I'm asking for might be implemented in the next version of Configuration Manager? Even so, it will probably take more than a year before we can make use of whatever 2012 has to offer.
    Wednesday, December 22, 2010 8:50 AM
  • "Not completely" & "things are subject to change" - other than that "no comment".
    Wednesday, December 22, 2010 4:29 PM
  • I've logged a call with Microsoft regarding this and the best I can do is submit feedback to the managers. I've also submitted a bug/feature request in the SCCM Microsoft Connect section (BUG ID: 258743).

    In the meantime, does anyone know if there is a way to check if a computer has pending package installations? I'm looking for something that I can check using a script.

    I think that if I can find or make such a tool, I might be able to use a logon screensaver that can not be closed by the user to display the status of the installation.

    Tuesday, January 11, 2011 4:29 PM
  • Have a look at App-V (Microsoft's application virtualisation solution).  It may solve your issue because the software is never installed, a little hard to explain quickly, but basically you caputre the install (MS's term is "sequence" the appliction) then deploy the virtulised application.  The install doesn't need to run on each machine.  When reading up on App-V ignore all the extra infrastructure that articles on the topic will talk about.  It integrates with SCCM really well and if you have SCCM you don't need the stand-alone App-V infrastructure (or at least you don't in most circumstances).

    I'm sure others here can offer more advice on App-V than I can, but it could well solve your problem.  Down side, it is an extra cost, as you need an MDOP license for each workstation to use it.  I think that is about $10 per client per year.



    A guide around App-V and SCCM is here:  http://download.microsoft.com/download/f/7/8/f784a197-73be-48ff-83da-4102c05a6d44/App-V_and_ConfigMgr_Whitepaper_Final.docx

    • Edited by jsc.19 Thursday, January 13, 2011 6:04 AM added another link
    Thursday, January 13, 2011 5:56 AM
  • Hello,

    Well the best idear would be not to block the keyboard as you say the user will power off the computer thinking something is wrong with the machine, but it would be better to do something like:

    Replacing the Logon Screen and remove all element (image, username textbox, passsword textbox, etc...) and replace this by a message controled by SCCM explaining that a installation is running in the background. The message should be customizable by the IT.

    The solution of installing a software durring the night is just not good anymore. I work for Deloitte and we have no more Desktop machine, only Laptops, about 1300 of them. As all our users a working from the office or elsewhere it is simply IMPOSSIBLE to install at night. If I need to update a mandatory software/update/patch/etc... I need to have this option "when no user is login".

    But to be able that the user understand that the IT is performing a quick installation of a patch or whatever, it would be best to have a "Full Screen" customizable window and maybe even this a counter running down. Imagin the IT could block the machine for 10 minutes and the see te time running down. As soon as the counter hits "0" you have your "login screen" back.

    This is the solution for me, and not anything else. Why is Apple selling so well, because the use the philosophy "As Simple As Possible". If you want that a NON-IT-User understand how to work thinks out without calling the Service Desk, make it for him EASY to understand.

    If you need someone at Microsoft to manage this part of "Simple as possible" you can still offer me a Job on this I would be happy to help out... (If Microsoft is reading this...) :-)

    Tuesday, January 31, 2012 11:21 AM
  • This'is the exact solution Alain. But how could it be possible to perform these steps ?

    Couınting down, Custom background image and locking keyboard and mouse ?

    Monday, June 11, 2012 1:16 PM
  • This is something i'm looking for ..

    would it be possible to share more information on these so that we can try?

    Thanks in advance....

    Tuesday, July 24, 2012 8:38 AM
  • Hi there,

    I know, this is an old fish but has anyone figured out a nice workaround to explain the current logged off user the installation status and block the log on possibility as long as the installation is running?

    I checked the ntrights.exe but it seems not to be working there also the "Deny log on locally" policy is blocked by GPO.



    Edit:I found a site where someone managed it to show a form on the logon screen, of corse, the code has to be touched 100% but than it could be used to show the installation on the users logon screen when a software installation meets the requirements it has to be installed when a user is logged off


    • Edited by Stephannnnn Wednesday, February 13, 2013 7:29 AM edit
    Monday, February 11, 2013 12:55 PM
  • Hi,<o:p></o:p>

    we also are searching for a small util / solution to display upcoming events from sccm agent at logon screen or show message at loged user (although for this also autoinstall warning from coretech is suitable)

    We also found some vendor who is selling a solution called Pkgshell which was as i remember well built for german customers together with MS long time ago but still is working on w7 and sccm 2007 /2012.
    Looks very promising as it uses sms file to configure multiple installation steps,where you can also autom. logoff user and afterwards the logon screen is replaced new background (not just replace backround image)  and detailed information about installation, even has small progress and log status. Don’t know yet excactly how the technical approach behind this is like using security provider and session 0. Keyboard and Ctrl+Alt+Del is blocked during the installation, so user can’t disturbe installation. After installation e.g. the regular logon ui is shown. Also this approach is of course not needed for each installation.

    Example screen when logon screen is blocked:

    Wednesday, September 4, 2013 6:12 PM
  • Certainly interesting.

    To me, it would cause help-desk calls though. And, what's to prevent the user simply powering the system off which in turn would cause all kinds of other issues (like WMI repository corruption)?

    When users need to get their work done and IT prevents it, you will hear about it. Locking a user out of their system solves IT's challenge, but prevents the user from doing their job -- not a good thing for most organizations.

    User-centric and initiated deployments address this though.

    Jason | http://blog.configmgrftw.com

    Wednesday, September 4, 2013 6:36 PM