We’re finally getting to be in a position where we can upgrade more old PCs to IE11. The problem is, how best to do so via SCCM (2007). As on previous occasions, we want to use the IEAK to do a little customisation such as stripping out Accelerators, adding a Search Engine, killing off First-Run Wizards, etc.
One thing we found previously when we upgraded to IE9 from IE8, was that after installing an IEAK-derived package and rebooting, you have to log in once as an administrative user for Windows to process some RunOnce settings, as otherwise you end up in a bit of a mess. We once had to remote to a number of machines just to log in once as admin to complete a failed IEAK v9-based upgrade. The subsequent fix for later installs was to daisy-chain the IEAK SCCM package with a second package that ran after reboot and used some VBScript to parse the RunOnce registry key and run (and then remove) all the things in there! Messy but successful. There’s more info on this issue (which is also seen with OSD) here: “Deploying IE9 with SCCM OSD Task Sequence“. The RunOnce Runner script I use is based on the mechanism of this one here: “OSD and RunOnce“. It may be this problem no longer exists with IEAK v11, but I’m playing it safe…
On to IE11 specifically. I made the usual package with the IEAK and tried it out but it soon became clear (as I half-expected) that it was trying to download and install pre-requisites, but since SCCM packages run under the System context, this was not getting through our web filtering software. The list of pre-requisites (both required and recommended) is in the following Microsoft KB article: “Prerequisite updates for Internet Explorer 11“.
Reading around some articles online saved me further pain as it turns out that just installing those updates followed immediately by the IEAK package without a reboot via a batch file won’t work as it still goes looking online. The reference for this is on the Technet forums here: ” Packaging IE11 prerequisite updates with IEAK“.
There’s also a nice fix in that discussion for an install of IE11 and pre-requisites without an intervening reboot, for if you’re using the normal IE installer and not an IEAK-derived one. On the same subject, see also Microsoft’s KB article here: “How to create an all-inclusive deployment package for Internet Explorer 11“.
My solution is three SCCM packages that run one after the other with a reboot after each. The third is the one that is actually advertised to the PCs and it contains the setting to make it run package two first and that in turn contains the setting to run package one! Part 1 is the pre-requisite patches and a reboot. Part 2 is the IEAK package and a reboot. Part 3 is the RunOnce Runner followed by an IE cumulative update and a final reboot!!
I discovered one complication with the above solution. If the pre-requisites package tries to install a patch that is already installed, this returns an error which makes SCCM count package one as having failed and then doesn’t attempt to run parts two and three. I therefore use an explicit exit 0 to end the first batch file. I’m also letting SCCM handle the reboots, rather than putting a shutdown.exe command in.
The packages will be set to run when no user is logged on and I suspect we will set it for out-of-hours too. Longer term, I hope we can just push out the pre-requisites with WSUS separately and then deploy a simpler IEAK-based installer with SCCM.
Here is the batch code I’ve used. Note I’ve copied in filever.exe to look for an already-upgraded IE. I also use it in the final package to look for a failed upgrade and force a specific return code to flag that up in the SCCM advertisement report.
rem Exit if already has IE11. filever.exe /B /A /D "C:\Program Files\Internet Explorer\iexplore.exe" | find " 11." >nul if '%errorlevel%'=='0' exit 0 rem Install pre-requisites. wusa.exe Windows6.1-KB2533623-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2639308-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2670838-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2729094-v2-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2731771-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2786081-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2834140-v2-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2882822-x86.msu /quiet /norestart wusa.exe Windows6.1-KB2888049-x86.msu /quiet /norestart exit 0
rem Exit if already has IE11. filever.exe /B /A /D "C:\Program Files\Internet Explorer\iexplore.exe" | find " 11." >nul if '%errorlevel%'=='0' exit 0 rem Install IEAK package. start /wait msiexec.exe /i IE11-Setup-Full-x86.msi /quiet /norestart exit 0
rem Return an error if upgrade has been unsuccessful. filever.exe /B /A /D "C:\Program Files\Internet Explorer\iexplore.exe" | find " 11." >nul if '%errorlevel%'=='1' exit 666 rem Run the IEAK Run-Once tasks as admin. c:\Windows\System32\cscript.exe //nologo RunOnceRunner.vbe rem Apply May 2016 cumulative update. c:\Windows\System32\wusa.exe IE11-Windows6.1-KB3154070-x86.msu /quiet /norestart exit 0
I hope all the above proves useful for someone else!