While you are installing through Group policy, there's an option of "Always install with elevated privileges". Please ensure that the option is being checked. You can find that option under,
1. Edit the Policy, where you have created the package
2. "Group Policy Management Editor" opens up
3. Navigate to Computer Configuration > Policies > Administrative Template > Windows Components > Windows Installer
4. On the right pane, there's a setting called "Always install with elevated provileges"
5. Double click on it and select the "Enabled" option and Click on "Ok"
Hope, it helps.
Sorry, but it doesn't help. It applies to all programs. I need that only Adobe Reader 10.1 could autoupdate without elevation prompt. I know it can. Because... when it is installed manually, users can update Adobe Reader without administrator rights. So... I think, there is something in MSI file. Something like an internal check if it's installed manually or automaticaly by GPO. If the last, then standard users are prohibited to install updates (i.e. without administrator password). If not, then they could install updates without administrative privileges - silent update.
I think I got your point. There are two things to it.
A. While we have Reader 10.1 installed manually and we see that standard users can auto update to 10.1.1 without elevation prompt. It's becuase the patch is an MSP and and if it's certificates matches with the installed MSI, it does not ask for elevation.
B. Whereas in case of pushing patch via GPO. We create AIP (i.e. the package) for 10.1.1. And the patch we push is actually an MSI. So MSI installation on a standard users would always ask for elevation.
I have tried to install 10.1 MSI on a standard user also 10.1.1 AIP on a standard user, in both the cases, it asked me for admin credentials.
So the underlying reasoning behind the two different behavior is MSP vs MSI.
I install 10.1 manualy and have ability to silent update (without administrator rights) via help>check for updates.
And I install 10.1 by GPO and have no such ability (help>check for updates), I must enter admin password for update.
I do not want install update 10.1.1 msp via GPO. Really, I tired to combine msp updates and msi programs. I want install it (msi program) once by GPO. And then users can install update mannually... themselfs. But now I shuold install it manually 300 times, that users can update it without problem later.
So I want to install program (10.1.0) automatically and not to install updates (10.1.1) by me via GPO (I'm a systam administrator). I think it's possible.
Well, Let me rephrase, so you want to push the Reader 10.1 via GPO and then afterwards you want the users machines get updated automatically. i.e. Post 10.1, you want the users to receive updates via (Help>Check for updates) silent update and not via GPO. Am I right?
If this is the case, am not sure if this is an supported scenario, because you are installing an AIP first and then the next updates are coming from an Non AIP installation. As far as I know, if we have deployed any patch via GPO then the next updates must be pushed via GPO only. Since, their underlying technology is AIP. We should not be mixing both the ways of installation.
I do not think, there's any solution available for your problem via GPO right now. Though I would like to see your Cust Wizard option once. But what I can suggest you to resolve the issue with SCCM (if possible)
Yes, you're absolutely right. I do not want to install msp updates manually or via GPO, if user can do it itself.
I use SCCM for update Adobe Flash Player via System Center Update Publisher (but it also not so easy, you should deploy certificate, open network ports on terget computers, manualy aprove publisher, then aprove every single update....), but it's simplier to deploy it via GPO because I do not need to use MSP. I just can update MSI via GPO. But I can't do it similar with Reader (I do not know why, but SCUP do not deploy updates for Reader.).
And I think my way is optimal. But I need some help from Adobe. I understand security issues and problems with untested updates, but they simply can do a checkbox for this ability. If I'm a system admin and understand this issues I can allow users to update Reader without elevation prompt.
@sch1024: Did you ever solve this problem?
I had the same idea, my goal was to install 10.1.0 on all clients and then let them autoupdate themselves.
Unfortunately this doesn't work because the users (no admin rights) get the update icon and then have to enter the admin password :-(.
I tried to deploy the original 10.1.0 msi file via Powershell script (no AIP!) but the result is the same, no silent update...
No, I haven't solved it yet. I think it will be worth installing 10.1.3 and see what will happen. Maybe Adobe's solved this problem in 10.1.3.
At the moment I used to install Adobe Reader through the SCCM. Also I've disabled auto update at all. In this case standard users don't receive annoying message about update availability, but I should manually check it out.
Message was edited by: sch1024