There are many ways to install Office Pro Plus to your client base. You can let the user install it from the web, push it out via SCCM or Intune or simply provide the user with an installation package. However, every now and then you come across some special requirements where security is tight and some options are not available for various reasons. In this post I show you how to deploy Office Pro Plus to client machines where users do not have administrative access.
Problem
In one of my recent projects, I was tasked to help a client deploy a POC for Office Pro Plus via Click-To-Run. The company has a few thousand client machines and these are secured following best practice: users do not have admin rights on their PCs, the PowerShell execution policy is set to Restricted and UAC is enabled.
The company uses a non-Microsoft enterprise software distribution tool; however, this is managed by a third party, and due to time constraints Office Pro Plus had to be deployed with a different method. Because of the existing investment in the tool, other deployment tools like SCCM and Intune were also out of the question.
And to make it just a bit more challenging the client wanted to:
- Enable the user to start the Office Pro Plus deployment
- Have an easy and repeatable deployment process
- Not require any administrator intervention for the deployment process
We decided to store the Office binaries on a DFS Share that is accessible by all users. An AD security group would be used to determine who should be able to install Office and adding a user to this security group should be the only step an Administrator needed to do to allow the user to install Office.
Solution
I am assuming that you already know how to download, customize and install Office Click-To-Run. After some testing and several trials we implemented the following procedure.
Needed components
- A new security group to which the administrator can assign the POC users
- A GPO which creates a link to a batch file on the DFS Share
- A software installation service account that has administrator rights on the client PCs
- Batch File a:
  - Copies file to a temporary folder on the client machine
  - Elevates a secondary batch file
- Batch File b:
  - Starts the deployment process
  - Removes temporary data after the installation
- The new security group was quickly created
- For the GPO I chose to create a Group Policy Preference that copies an existing link (pointing to Batch File A) to the desktop of the user.
A new Security Group and GPO were created
Group Policy Object:
A service account was created in AD
The appropriate rights were given to the account via Active Directory / Group Policy.
To be able to use the account within a script, I needed to create a password hash with a secure key. This will later allow me to run the 2nd batch file elevated as the service account. The password hash was created via the PowerShell commands below.
Creating Password Hash Key:
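[code language="powershell" gutter="false"]
# Plain-text password of the service account
$ServiceaccountPassword = "Enter Password for Service Account here"
$SecurePassword = $ServiceaccountPassword | ConvertTo-SecureString -AsPlainText -Force
# 24-byte key used to encrypt the SecureString; the same key is needed to decrypt it later
$key = (54,33,233,1,34,78,7,6,33,35,99,9,4,12,87,33,34,2,111,1,1,2,23,32)
# Encrypted string that is pasted into Batch File 1
$PasswordKey = ConvertFrom-SecureString $SecurePassword -Key $key
[/code]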
Batch File 1
After the user activates the link on their desktop, a batch file will be executed. The first batch file will:
- Inform the user what is about to happen
- Copy the following files to the user's machine:
  - the Office Pro Plus setup.exe from the Office Pro Plus deployment toolkit
  - the Office Pro Plus configuration file
  - the second batch file discussed in point 5
- Execute the second batch file as the service account (i.e. with admin rights)
Note: Initially I wanted to use a PowerShell script instead of the batch file; however, this would have presented a UAC prompt for elevation. By using PowerShell -command I was able to suppress the UAC prompt.
Batch File 1
[code language="text" gutter="false"]
@echo off
echo /****************************************************
echo /* We are now installing Office Pro Plus onto your PC
echo /*
echo /* A Windows pop up will appear shortly,
echo /* Please select yes on the installation pop-up
echo /*
echo /* Please do not close this window
echo /****************************************************
rem Make sure the temporary folder exists before copying into it
if not exist c:\temp mkdir c:\temp
copy \\DFSSHARE\OfficeProPlus\setup.exe c:\temp\setup.exe
copy \\DFSSHARE\OfficeProPlus\Install-Full_no_Lync.xml c:\temp\Install-Full_no_Lync.xml
copy \\DFSSHARE\OfficeProPlus\Install-Full_no_Lync.bat c:\temp\Install-Full_no_Lync.bat
rem Rebuild the service account credential and start Batch File 2 under that account
powershell -command "$SecurePasswordKey = '$PasswordKey : … UltralongKey from the Step 3'; $key =(54,33,233,1,34,78,7,6,33,35,99,9,4,12,87,33,34,2,111,1,1,2,23,32); $SecurePassword = ConvertTo-SecureString -String $SecurePasswordKey -Key $key; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'domainname\serviceaccount', $SecurePassword; Start-Process -FilePath c:\temp\Install-Full_no_Lync.bat -Credential $cred"
[/code]
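Batch File 1 carries both the encrypted password and the key that decrypts it, so every user who can read the DFS share holds what is needed to recover the service account password, and defenders will want to locate scripts of this shape. The PowerShell function below is an added example, not part of the original post: it flags script text that combines an inline key with `ConvertTo-SecureString -Key`; the function name, rule names and both sample scripts are constructed for illustration.

```powershell
# Added example (not from the original post). Function name, rule names and
# sample scripts are constructed for illustration.
function Find-EmbeddedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,     # label for the script, e.g. its path
        [Parameter(Mandatory)][string]$Content   # full text of the script
    )
    # One regex per ingredient of the pattern used in Batch File 1.
    $rules = [ordered]@{
        # A variable assigned a literal list of 16 to 32 small integers (key material)
        InlineAesKey      = '\$\w+\s*=\s*\(\s*(\d{1,3}\s*,\s*){15,31}\d{1,3}\s*\)'
        # Decrypting an encrypted string with an explicit key
        DecryptWithKey    = 'ConvertTo-SecureString\b[^;|\r\n]*-Key\b'
        # A plain-text password typed into the script itself
        PlaintextPassword = 'ConvertTo-SecureString\b[^;|\r\n]*-AsPlainText\b'
        # Launching a process under a different account
        RunAsCredential   = 'Start-Process\b[^;|\r\n]*-Credential\b'
    }
    $hits = @(foreach ($rule in $rules.GetEnumerator()) {
        if ($Content -match $rule.Value) { $rule.Key }
    })
    [pscustomobject]@{
        Script      = $Name
        Findings    = $hits -join ', '
        # Key and ciphertext readable together: any reader can recover the password.
        Recoverable = ($hits -contains 'InlineAesKey') -and ($hits -contains 'DecryptWithKey')
    }
}

# Constructed sample shaped like Batch File 1 (placeholder ciphertext, made-up key).
$sampleBad = @'
copy \\DFSSHARE\OfficeProPlus\setup.exe c:\temp\setup.exe
powershell -command "$enc = '<ENCRYPTED-PASSWORD-PLACEHOLDER>'; $key = (1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24); $sec = ConvertTo-SecureString -String $enc -Key $key; $cred = New-Object System.Management.Automation.PSCredential 'DOMAIN\svc-install', $sec; Start-Process -FilePath c:\temp\install.bat -Credential $cred"
'@
# Constructed sample shaped like Batch File 2: nothing to flag.
$sampleClean = @'
c:\temp\setup.exe /CONFIGURE c:\temp\Install-Full_no_Lync.xml
del c:\temp\setup.exe
'@

Find-EmbeddedCredential -Name 'Install-Office.bat' -Content $sampleBad
Find-EmbeddedCredential -Name 'Install-Full_no_Lync.bat' -Content $sampleClean
```

To audit a share, pass each script's path as `-Name` and the output of `Get-Content -Raw` for that file as `-Content`.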
Batch File 2
[code language="text" gutter="false"]
@echo off
echo /****************************************************
echo /*
echo /* A Windows pop up will appear shortly,
echo /* Please select yes on the installation pop-up
echo /*
echo /* Please do not close this window
echo /****************************************************
c:\temp\setup.exe /CONFIGURE c:\temp\Install-Full_no_Lync.xml
del c:\temp\setup.exe
del c:\temp\Install-Full_no_Lync.xml
del c:\temp\Install-Full_no_Lync.bat
del %userprofile%\desktop\Install-Office-2013.lnk
[/code]
User’s setup experience
After the user has been added to the Security Group and GPOs have been refreshed, the user will find a new icon on their desktop:
After launching the file the user will see a command prompt
As well as a UAC prompt asking for permissions to change local Data (without the need to supply admin credentials)
Once the user clicks “Yes”, the deployment process will complete within 15-60 minutes depending on PC and network performance.
Michael
very interesting.
What happens when an update has to be installed?