How to lock out normal (non-admin) users during software installs?

windows scripting login embedded sccm

Before we get going I want to make a pedantic point, more for the benefit of the general readership than yourself.

we just push it via SCCM

SCCM is a pull-based technology. I know what you meant but I find that with my tier-1 guys, every opportunity I get to emphasize that SCCM is not a push-based technology helps them understand it quicker.


I've contacted the vendor about it, but they just say it's a known issue and there is no fix or workaround for it

That is too bad as it sounds like the cause of this issue is the embedded card authentication program. Keep on the vendor, maybe they will actually fix their software.



On to a real answer - I see a few possible solutions for you, none of them particularly good.

  • Configure a Maintenance Window for these clients so your initial reboot to remove the clients from their write filter, your actual payload and the resulting reboot all happen off-hours when employees are not present at the terminals. This seems like the least painful option. No need to make SCCM more complicated than it already is.
  • Create a Local Group Policy template that adds a security group to the Deny Logon User Right and then assign/un-assign it as part of your application deployment.
  • Use PowerShell to set the Deny Logon User Right. I believe the PowerShell Community Extensions (PSCX) has the Set/Get-Privileges cmdlets which will let you manipulate User Rights Assignments
  • You can use the API if you want. Here's an example.

It seems no one touched on the possibility of using a task sequence to handle this, so allow me to list the benefits (assuming you're not really familiar with them in general, but please read even if you are):

If everything you install and configured is handled w/ SCCM, you should be able to use a task sequence to accomplish this. Primarily for OSD, using a TS is not only for OSD and can provide the following benefits:

No logging onto the workstation

A TS executes before winlogon.exe runs, so there is no possibility of a user inadvertently logging on, as there is no log on window. Which brings me to my second point:

Custom background screen

You can provide a splash screen that says maintenance is being performed, or whatever you want it to say really.

A TS is really just a glorified script, but it has a lot of functionality and is put together in a way as to decrease development time, and I've found use cases beyond OSD.

It sounds like you already have a script to do what you need done, so you should be able to put that into a TS with minimal debugging and get going.


You haven't specified if the SSO software uses Active Directory credentials, so a solution would be to make use of Active Directory's "Logon Hours" function. It's at a per-user level, but can easily be scripted in Powershell (this being an example). Basically, set the logon hours to "deny" logon at your SCCM update window and the users will be unable to log into the clients while SCCM does its thing. You'll need to have that first forced reboot which will log them out (the logon hours function doesn't work on logged-in users), but it would otherwise be painless to implement.

Related

How to disable TLS 1.0 in Windows 2012 RDP
Why is ZFS on Linux unable to fully utilize 8x SSDs on AWS i2.8xlarge instance?
Updating AWS CLI on Ubuntu 14.04
downgrade cluster functional level
Nginx defaults to /usr/share/nginx/html
Racktables/Rackmonkey any usefull rack management Software out there? [closed]
How to do central home directories and user accounts on Ubuntu?
Running router as virtual machine, can it be realible?
What is the maximum number of TCP connections I can have in Windows Server 2008?
Make Adobe fonts work with CSS3 @font-face in IE9
Byte[] to InputStream or OutputStream
Pure Javascript listen to input value change