Make use of Extended IT to bolster your IT Support Offering
Extend your IT

Install Office 2016 (365) as a non-admin user.

I’ve recently been rolling out Office 2016 (365) for a new client with hundreds of workstations that wouldn’t accept either having all the upgrades done at the same time or having them all run at logon for various reasons, instead they wanted each user to call up when ready and we would kick the installation off. Of course this is a bit of a ridiculous situation but as the users couldn’t install the software them selves (due to permissions, sensibly so) we had to come up with another option.

The following article shows how we were able to place a shortcut on a standard users desktop that they could click to automatically uninstall Office 2010 and install Office 2016 without requiring admin details, therefore allowing the users to perform the upgrade at a time to suit them.

A couple of things to note before we begin:

  1. This does involve storing an admin password in a reversibly encrypted format in a share that all your users can access, use a temporary local admin account (you can use group policy to do this) and then delete it as soon as you are finished.
  2. The office uninstall / install process can be as quick as 20 minutes and as slow as 2 hours, I’ve seen it take over an hour on an SSD machine, don’t assume just because you have a quick machine that the process will work quickly for all users. Just make sure you warn them.

I won’t cover the setup of the Office Deployment tool in this article or the VBS script I’m using to uninstall office 2010, there are plenty of articles on both of these topics. This process will work for any install file (silent or not).

  1. Get everything setup
    I will be using the following paths in my example, please update these with the details to your environment
    Office 2016 Install Location \\Server\Office2016$
    Script Files \\Server\OfficeUpgrade$
    Office 2010 VBS Script \\Server\OfficeUpgrade$

    Make sure the above shares have read only access for all users.

  2. Store the Encrypted Version of the Admin password on the server.
    To achieve this we will be running the following, feel free to use a different encryption key but just make sure to keep a note of it for later. DO NOT save this script into either of the shares you created as it contains the plain text admin password.

    #Random Generated Key for Encrypting Password. 
    $Key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)
    #Admin Password Goes Here
    $password = "<Password>"
    $tenantPassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $secureStringText = $TenantPassword | ConvertFrom-SecureString -Key $Key
    #Check this path is correct
    Set-Content "\\Server\OfficeUpgrade$\admincred.txt" $secureStringText 


  3. Setup the Script that will allow users to run the installer as an admin without credentials.
    To Achieve this we will write a short PowerShell Script to call a cmd file with the actual install commands in as our already created admin user.

    #Same Key as Before
    $Key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)
    #Check this path is correct
    $password = get-content "\\Server\OfficeUpgrade$\admincred.txt" | convertto-securestring -Key $key
    #Update UserName here
    $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist ".\username",$password
    #Check CMD Location is Correct
    Start-Process powershell -Credential $credentials -ArgumentList '-noprofile -command &{Start-Process -filepath "\\Server\OfficeUpgrade$\Office2016Install.cmd" -verb runas}' -NoNewWindow

    Save this script in the \\Server\OfficeUpgrade$ Share as nonadmin.ps1

  4. Setup your installer CMD.
    Create a file called Office2016Install.cmd and store it in the \\Server\OfficeUpgrade$ Share. In this cmd file put your install commands for your uninstaller and installer, for example mine contains the following

    start /wait cscript //NoLogo "\\server\OfficeUpgrade$\OfficeUninstall.vbs"
    start /wait \\server\Office2016$\setup.exe /configure \\server\Office2016$\configuration.xml


  5. Setup a shortcut file to launch the nonadmin.ps1 file and bypass execution policy
    We do this to ensure all users regardless of execution policy can run the script.

    %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass  -file "\\server\OfficeUpgrade$\nonadmin.ps1"

    Call the shortcut Office Upgrade and have it run from the %windir%\system32\WindowsPowerShell\v1.0 directory.

  6. Setup a group policy preference to push the shortcut out to all client machines.

And that’s it, your users can now simply double click the shortcut when they are ready to install. They won’t need to enter an admin password.