If I want to deploy an MSI on a client machine, Windows 7, how do I go around the UAC prompt ?
I have to deploy msi packages through SCCM 2012 , and can give one line install command like msiexec /i "abc.msi" /qn but , it invokes UAC prompt and have to hit yes button everytime I install any application, so, how do I go around and suppress this UAC prompt, which command to use in the same line with the install command, so that it elevates the msi deployment and does not ask for UAC permission. Any help will be appreciated.
0 Comments
[ + ] Show comments
Answers (6)
Please log in to answer
Posted by:
SMal.tmcc
11 years ago
If you are in a domain
You can create a GPO to turn off the UAC
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001
here is another link on MSI and UAC
http://csi-windows.com/blog/all/27-csi-news-general/335-how-to-silence-the-uac-prompt-for-msi-packages-for-non-admins
Comments:
-
Would like to thank you for your input first. Alright ... so, what you are asking basically is to create a task for a group ... but I was asking if there is any other way means code based way around, like we use ACCEPTEULA=yes or REBOOT=ReallySuppress (just trying to give examples) at the end of the install command line on batch file, so, is there a way we create some kind of batch file or any VBS that we can incorporate to the MST, please let me know. - aridutt007 11 years ago
-
That's very useful, SMal.tmcc! Thanks for that registry tip for disabling UAC! - awingren 11 years ago
-
Disabling UAC may be problematic. https://support.quest.com/productinformation.aspx?pr=268447870
Leave UAC enabled and use privileged management software to disable it when you want to deploy something needing it. - myltonpalmer 10 years ago-
It works okay here because they way we operate. Been turned off since day one in all images. Besides our budget does not allow for many extra products.
The acad machines have deepfreeze on them so it does not matter. Reboot and software/virus goes away.
On the admin machines, everyone is locked down so they cannot install software useless helpdesk allows it. - SMal.tmcc 10 years ago
Posted by:
jagadeish
11 years ago
Install your msi through System Account using PSExec.exe instead of using normal cmd prompt..
You have mentioned that you will be deploying msi using SCCM 2012.. SCCM will install applications through System or Currently logged in user..
Comments:
-
Hey Jagadeish , wise friend ... hope you are doing well ... would you please elaborate and explain exact steps on how to do it ... I am not really familiar with SCCM , and I have been trying to learn, so, any input will be really helpful. - aridutt007 11 years ago
-
What jagadeish means by "System" or "Currently logged in user".
When msi is deployed with SCCM, the CCM Agent (aka Client Configuration Manager agent) can run in two modes. Either under the "SYSTEM" context which has more rights than the local Administrator, or as "the logged on user", which will probaly have no rights.
For example, when you open Task Manager you will see SYSTEM (if you view proccess from all users). Windows Services will normally run in SYSTEM context as well. - rileyz 11 years ago -
If you are getting a UAC confirmation prompt then your package is not running as SYSTEM. I n KACE you have an option to run as SYSTEM or User logged into Console. There should be similar options in SCCM. - josh.marshall 11 years ago
Posted by:
awingren
11 years ago
aridutt007,
That's a great question! I ran into a permission issue deploying UltraVNC last week to some Windows 7 machines. The x86 machines that didn't have UAC enabled worked fine, but the x64 machines didn't. I would like to know the answer too.
Thanks for posting the question, aridutt007!
-awingren
Posted by:
myltonpalmer
10 years ago
Disabling UAC may be problematic. https://support.quest.com/productinformation.aspx?pr=268447870
Leave UAC enabled and use privileged management software to disable it when you want to deploy something needing it.
Posted by:
SnowLyric
11 years ago
Choose the option to run program under Administrative privileges.
Comments:
-
If I had the easiest option available, I would not ask, but thanks for your input. - aridutt007 11 years ago
-
I do have to ask, is there a reason you can not run this as "administrative privileges", as mentioned by 007? (lol, had to use that). There is no way around UAC through the MSI/MST beacuse it runs in the context of the envoker, this is what you are having issues with, this case it sounds like the envoker does not have administrative rights, so this means you are running the installer as the user context through SCCM?
It would be good if you gave us the reason why you couldnt run as admin in SCCM, that way we could offer better work arounds/solutions (: - rileyz 11 years ago -
Alright let me explain the situation ... here at my workplace there are two different teams, one SCCM team and another MSI/MST (our) team , and now we have integrated Flexera Adminstudio Application Manager with SCCM 2012 , and the SCCM team is demanding that they should be able to just go and select application from application manager catalog and just deploy it through SCCM. Honestly speaking I don't have much idea about SCCM , so, wondering if the SCCM team will have to face this UAC prompt because whenever I tried to install any msi on a virtual pc it throws that UAC prompt, and the SCCM team is little grumpy, so, before they come and ask us to resolve the issue , I want to do it, so, really wondering how can I work around ... or is there a way that SCCM users can stop the UAC prompt to come up every time without creating any group policy, because there are like 300 different groups at least, as it is a very big company, and I really want to make their work easy. Hopefully I have explained enough and you might have gotten a clear idea , so, please any idea. Thanks for previous input though. - aridutt007 11 years ago
-
Just to clarify, are you using Adminstudio "Application Manager" to export the packages into SCCM 2012 with the "Distribution Wizard".
ie. it will setup the (SCCM) "Package" and (SCCM) "Program".
Ah sucks that the SCCM guys dont help you out, its really handy for you to know how the deployment tool works as it helps so so much when packaging. I really recommened having a play if you can.
Anyway, on with the show.
What I think is happening is when the program gets imported into SCCM2012 through the Adminstudio "Application Manager"/"Distribution Wizard", the (SCCM Program) "run mode" is not being configured correctly.
When a (SCCM) Program is created manually, its normal/standard to choose "Run with administrative rights".
*since users cant install software in a lock down enviroment.
**when "run with administrative rights" is selected, the msiexec.exe process is run under the SYSTEM context. Since its the SYSTEM running the msiexec and it has rights, no UAC prompt.
See this pic here: http://blog.thesysadmins.co.uk/wp-content/uploads/SCCM-Admin-4.png
This what the "run mode" looks like in SCCM2012 in wizard mode when creating a program.
See this video on how "Programs" are created in SCCM: http://youtu.be/NHrS1-_dMXk
Hopefully this will give you the gist of what Im on about.
Resolution:
I cant find the setting anywhere, and I cant even find any documentation the Adminstudio website, how crap is that!
I had a look at the Distribution Wizard help files, it dosent mention ANYTHING about the run mode. I tried to find it in the "Application Manager" programs tab after selection a piece of software. see here http://helpnet.flexerasoftware.com/adminstudio115/Content/ashelplibrary/PVPrograms.png
I just cant find it?!
What I recommened is exporting a package to SCCM2012 as you normally would, then shoulder tap a SCCM guy to check the (SCCM) Programs "run mode" just to double check that "run with administrative rights" is selected. In the (SCCM) Package -> (SCCM) Program, the properties with state what "run mode" is, see here
http://itpro.fi/asiantuntijaryhmat/tyoasemat/Kuvat/SCCM-Program-Environment.png
*this is what it looks like in SCCM2007, it might be differnt in SCCM2012, but you get what i mean.
Comments:
Thats it, hope this helps (:
Sorry if you know how SCCM works, I just wanted to explain fully in case you didnt, and so other people having this program can get what I mean with the full explnation. - rileyz 11 years ago-
awesome rileyz ... thanks a lot ... it is helpful and a very good document for even future use ... and yeah you are right ... I also tried to find the same on Application Manager help files, but in vain ... nevertheless I have gotten an overview now, it's unfortunate that I don't have enough knowledge on SCCM ... I am trying to learn SCCM by myself , do you have any idea that if there is any online resource where I can login and practice SCCM features and what might be the best book for self-teaching ? I know I am asking too much but it seems you are really knowledgeable and a helpful person as well , so, just wondering if you would help. Thanks a lot again :-) - aridutt007 11 years ago
-
Glad a could help. Mail me at my username at hotmail dot com. Should be able to send you some handy reference documents. SCCM is simple once you get the hang of it, but it is always a bit hard going at the start, very cool product though. - rileyz 11 years ago
-
@rileyz ... sent you an e-mail, hope you receive and reply ... thanks a bunch :-) - aridutt007 11 years ago
Posted by:
dugullett
11 years ago
I'm not familiar with SCCM, but with Kace I run as SYSTEM. I would assume you have the same option with SCCM?
