Screen Overlay during deployment?

Hello!

I have attempted to search for this on the forums / Google with no pertinent results; maybe I don’t have the correct search terms…

During a software deployment that will take a sizeable chunk of time (removing old MS Office installs, deploying O365, cleaning up some third party applications) I want the screen to go blank or black or perhaps a custom background, and prevent commands (i.e., Control-Alt-Delete or Control-Shift-Esc) from being run during the install, and then dump the user back at the Windows logon once complete.

Because it’s Office, I don’t want the end users working on other things during the installation.

Tangentially, I understand that I could accomplish this by setting my Baseline to run when no users are logged in, but then I would also need to prevent login until my baseline is complete…

I am open to any thoughts on the topic, and any links to existing resolutions on this.

So far I have only taskkilled Explorer.exe and relaunched it back afterwards, but this only starts to approach what I am looking for.

1 Like

That’s…pretty interesting and I don’t think I’ve read anyone trying to do anything like that.

In days past (before I was using BigFix), I would do something similar bootstrapped to the end of Windows Setup. This is almost totally undocumented, as far as I have been able to find, only mentioned a single time on a former Microsoft’ers blog; but it’s worked reliably for me on Windows XP through Windows 10.

If you set the following values under HKLM\System\Setup
SetupType:REG_DWORD:2
CmdLine:REG_SZ:c:\myscript.cmd

… then on the next boot, before the logon screen appears, you’ll get the “Setup is configuring Windows” message. It will open the cmd window and execute the myscript.cmd file (under the LocalSystem account). When the script is complete, the logon screen appears.
(SetupType:0 will run no script, SetupType:1 will run your script and then reboot the machine).

Of course, the on-console user can kill the script. Natively, Windows would use this registry key to run OOBE or Sysprep commands, controlling the visible window and removing the close buttons.

You might experiment with using wscript to launch a jscript or vbscript without a visible window. I haven’t tried that, I’m not sure how the job control works - whether Windows would wait for your script to complete. I do know that this shell opens before many of the services have started - I’ve had to manually start services like RPC, WMI, etc. within my batch scripts. You’d almost certainly have to start the BESClient service within your script, and then have some way to know when it’s finished (maybe by having BES reboot the client). I don’t know whether the BESClientUI would launch either, as there’s neither a Logged-On User to detect, nor an Explorer process for it to run beneath, but maybe you can launch the UI manually.

Needless to say, this is Totally Not Supported by the good folks at BigFix, and there’s no telling whether it’ll even work, but I’d be interested to hear whether the idea is useful and whether it works.

3 Likes

…for something way less complicated, you might have your Baseline start when no users are logged on, change the Local Security Policy to “Deny Interactive Logon” to the “Users” group, and change the Logon Warning Banner to a message telling them to shove off :stuck_out_tongue:

Just be sure to fix the system back when you’re done. There are all sorts of ways to leave the machine unusable if your Baseline gets stuck (i.e., “Users” includes “Administrator”).

1 Like
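The approach in the post above (deny interactive logon to “Users”, set a banner, then put everything back), as an added PowerShell example that is not from the thread: it records the previous values before changing anything, so the undo step restores exactly what was there. The state directory and the three function names are hypothetical.

```powershell
# Added example, not from the thread. Run elevated (e.g. as LocalSystem from the Baseline).
# $StateDir and the function names are hypothetical; the directory is admin-writable only.
$StateDir  = "$env:ProgramFiles\DeployLock"
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Right     = 'SeDenyInteractiveLogonRight'   # "Deny log on locally"
$UsersSid  = '*S-1-5-32-545'                 # well-known SID of BUILTIN\Users

function Import-UserRight([string]$Value) {
    # Apply a one-entry security template; an empty value clears the right.
    $inf = Join-Path $StateDir 'apply.inf'
    $tpl = '[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
           'Revision=1', '[Privilege Rights]', "$Right = $Value"
    Set-Content -Path $inf -Value $tpl -Encoding Unicode
    secedit /configure /db (Join-Path $StateDir 'apply.sdb') /cfg $inf /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
}

function Lock-Logon([string]$BannerText) {
    $state = Join-Path $StateDir 'state.json'
    # Never overwrite a saved state: a second run would record the locked values.
    if (Test-Path $state) { throw 'Already locked; run Unlock-Logon first.' }
    New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
    $cfg = Join-Path $StateDir 'before.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    $old  = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    $p    = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{ Right = $old; Caption = [string]$p.legalnoticecaption
                       Text  = [string]$p.legalnoticetext } | ConvertTo-Json | Set-Content $state
    # Append BUILTIN\Users to whatever was already denied, without duplicating it.
    $new = if ($old -match [regex]::Escape($UsersSid)) { $old } else { (@($old, $UsersSid) -ne '') -join ',' }
    Import-UserRight $new
    Set-ItemProperty -Path $PolicyKey -Name legalnoticecaption -Value 'Maintenance in progress'
    Set-ItemProperty -Path $PolicyKey -Name legalnoticetext -Value $BannerText
}

function Unlock-Logon {
    $state = Join-Path $StateDir 'state.json'
    if (-not (Test-Path $state)) { return }   # nothing was locked
    $s = Get-Content $state -Raw | ConvertFrom-Json
    Import-UserRight $s.Right                 # the saved list, or empty to clear the right
    Set-ItemProperty -Path $PolicyKey -Name legalnoticecaption -Value $s.Caption
    Set-ItemProperty -Path $PolicyKey -Name legalnoticetext -Value $s.Text
    Remove-Item $state
}
```

A template that simply omits the right leaves it unchanged, which is why the restore writes an explicit empty value when the right was originally unset.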

We have done similar things (mostly during OS deployment/upgrades) where we FORCE the text3d.scr screen saver in place, and set the “LOCK the SCREEN” to a very low number. In our example the TEXT that shows on the screen saver changes… (again think OS deployment… re-image)

  1. OS Deployment
  2. User State Migration
  3. Software Deployment
  4. etc…

Now this does NOT stop the user from CNTR-ALT-DEL and login, but the screen saver keeps kicking in and they can’t change it. But with proper communication to the end users prior to making such a big change, they should understand what this means and Leave the machine alone until the screen saver goes away (or back to what it was).

1 Like