How To Remediate An Incorrectly Deployed OSD Task Sequence In System Center Configuration Manager 2007


The article below outlines the steps that should be taken if a Task Sequence is deployed to an incorrect set of computers. Since mistargeting a Task Sequence could result in total data loss on the computers that were mistargeted, time is of the essence in remedying the problem. It is also important to know not only what steps to take to remedy the problem, but also what steps not to take. Some steps that may at first seem like good ones to take, such as deleting the Advertisement for the Task Sequence, actually end up hindering efforts to remediate the issue.

For these reasons it may be a good idea to review this article and become familiar with the overall process at a high level. In this way if the issue ever occurs, you will be able to quickly and correctly respond to the issue.

 


 

Symptoms

If one of the following actions occurs:

  1. An OSD Task Sequence is targeted to the incorrect Collection

  2. Incorrect computers are added to a Collection where an existing OSD Task Sequence is targeted to

  3. A Collection is made a subcollection of another Collection, and the parent Collection is the target of an OSD Task Sequence

then an OSD Task Sequence can accidentally start running on unintended computers. This can possibly cause total data loss on the computers that the Task Sequence runs on.

In order to remediate the situation, there are several actions that need to be taken and also several actions that should NOT be taken. The actions not to be taken are just as important as those that should be taken, so it is important to understand both sets of actions and follow them accordingly. This article outlines and details those actions.

 

Resolution

IMPORTANT!
For time sensitive remediations where immediate preventative actions need to be taken, take ONLY the following two actions:

  1. Disable the affected Task Sequence.

  2. Delete the Boot Image associated with the Task Sequence from all Distribution Points in the environment.

For detailed instructions on the above two actions, follow the two corresponding sections:

  • Stop A Task Sequence From Running On Computers That Have Not Received Policy For The Task Sequence

  • Prevent A Task Sequence From Running Successfully On Computers That Have Received Policy For The Task Sequence

As soon as the above actions have been taken, make sure to review the section "Steps NOT To Take To Remediate An Accidental OSD Task Sequence Deployment" to make sure certain actions are NOT taken that may make the situation worse.

Steps NOT To Take To Remediate An Accidental OSD Task Sequence Deployment

Before taking steps to remediate an accidental OSD Task Sequence deployment, the following actions should NOT be taken to try and remediate the situation:

  1. DO NOT delete the advertisement for the Task Sequence

  2. DO NOT delete the Task Sequence itself

  3. DO NOT delete the Collection that the Task Sequence is advertised to

  4. DO NOT delete affected PC objects from the ConfigMgr 2007 admin console (although they may be removed from the Collection that the Task Sequence is targeted to)

  5. DO NOT delete the Boot Image associated with the Task Sequence in the ConfigMgr 2007 admin console

The above actions will not always stop the Task Sequence on computers that have already received the policy to run the Task Sequence. More importantly, the first four actions will cause some or all of the history of the Task Sequence advertisement to be lost. This will result in loss of reporting information including what computers received the Task Sequence policy and what computers ran the Task Sequence. This information is needed to help remediate computers.

The last action, deleting the Boot Image from the ConfigMgr 2007 admin console, should not be taken so that there is a record of how the Boot Image is configured and what Distribution Points the Boot Image is on. This information is also important and is used during remediation tasks.

If any of the above actions have already been taken, continue following the below sections. The majority of the actions will still apply. The main limitation caused by taking any of the above actions is that computers that have received policy for the Task Sequence may not be able to be identified for possible remediation.

Stop A Task Sequence From Running On Computers That Have Not Received Policy For The Task Sequence

The first steps to take to stop a Task Sequence from running on additional computers are to DISABLE (not delete) the Task Sequence and to change the properties of the Advertisement for the Task Sequence:

  1. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Software Distribution" --> "Advertisements".

  2. In the right hand "Advertisements" pane of the ConfigMgr 2007 admin console, locate the Advertisement for the affected Task Sequence. Right click on it and choose "Disable Task Sequence".

    Note: To help find the Advertisement for the affected Task Sequence, the name of the Task Sequence is listed under the "Package" column. The "Program" column will be listed as "[Task sequence] ".

  3. Carefully read over the "Disable Task Sequence" window message which contains some important information:

    You have chosen to disable the advertised task sequence. The task sequence will not be displayed on computers where it was advertised. However, the client may or may not detect the change immediately, depending on the rate of ConfigMgr communications and the frequency with which the clients check for new task sequences.

    Note: All advertisements of this task sequence will be affected, not just the advertisement you selected.

    Are you sure you want to disable this task sequence?

  4. Once the message has been read and understood, click on the "Yes" button.

  5. In the right hand "Advertisements" pane of the ConfigMgr 2007 admin console, right click on the Advertisement for the affected Task Sequence once again and choose "Properties".

  6. In the Advertisement "Properties" window, click on the "General" tab:

    • Uncheck the option "Include members of subcollections".

  7. In the Advertisement "Properties" window, click on the "Schedule" tab:

    • Check the option "Advertisement expires:". Set the date and time under "Advertisement expires:" as far back in the past as possible, preferably one minute after the date and time listed under "Advertisement start time:". Make sure the expired time is in the past.
      The expire time cannot be at or before the Advertisement start time, so the farthest time back that this date and time can be set to is one minute after the start date and time.

    • Under "Mandatory assignments:", highlight a mandatory assignment and then click on the red X button to delete it. Repeat until all mandatory assignments are deleted and nothing shows under "Mandatory assignments:".

  8. In the Advertisement "Properties" window, click on the "Distribution Points" tab:

    • If the option "Download all contents locally before start task sequence" is selected, change it to either "Download content locally when needed by running task sequence" or "Access content directly from a distribution point when needed by the running task sequence".

      This is done to prevent additional issues that can be caused by selecting this option. For further information, see the sections "Identify Computers That May Need Additional Remediation" and "Remediating Computers When the Advertisement Is Set To "Download all contents locally before start task sequence"".

  9. In the Advertisement "Properties" window, click on the "OK" button to save the properties of the advertisement.

Steps 1-4 are equivalent to disabling the Task Sequence by checking the option "Disable this task sequence on computers where it is advertised" under the "Advanced" tab in the properties of the Task Sequence. Steps 5-9 are not absolutely necessary once the Task Sequence has been disabled, but are added as an extra precaution.

As the message in Step 2 above indicates, the above actions will prevent the Task Sequence from running on computers that have not yet received the policy to run the Task Sequence or that receive updated policy not to run the Task Sequence. However it does not prevent the Task Sequence from running on any computers that have already received the policy to run the Task Sequence but which have not received updated policy. To prevent these computers from being wiped by the Task Sequence, additional actions are necessary.

Prevent A Task Sequence From Running Successfully On Computers That Have Received Policy For The Task Sequence

Unfortunately for computers that have already received the policy to run the Task Sequence there may not be a reliable way to stop the Task Sequence from running. The computer may receive updated policy that disables the Task Sequence, but there are no guarantees that the computer will receive updated policy before the Task Sequence actually runs.

As a workaround, instead of relying on the policy on the computer to be updated, the Task Sequence can be set to fail purposely on the computer before it is wiped. This will cause the computer not to be wiped.

In order to cause the Task Sequence to fail on these computers, the Boot Image associated with the Task Sequence can be removed from all Distribution Points (DPs). As long as the Boot Image has not yet downloaded on the computer, either as part of the current Task Sequence OR another past Task Sequence, deleting the Boot Image from the Distribution Point will cause the Task Sequence to fail on any computer that tries to run the Task Sequence.

The wipe of the computer's hard drive occurs either at the "Format and Partition Disk" task or the "Apply Operating System Image" task, both of which take place when the computer is in WinPE. The computer does not reboot into WinPE until the Boot Image has been downloaded and staged locally on the hard drive. Downloading and staging of the Boot Image takes place at the "Restart Computer" task (sometimes labeled as "Restart in Windows PE"). If the Boot Image associated with the Task Sequence is deleted from the Distribution Points, when the "Restart Computer" ("Restart in Windows PE") task runs, it will fail to download the Boot Image, causing the "Restart Computer" task to fail, and subsequently, the Task Sequence to fail.

To delete the Boot Image associated with the Task Sequence from all the DPs:

  1. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Operating System Deployment" --> "Task Sequences".

  2. Right click on the affected Task Sequence and choose "Properties".

  3. In the "Properties" window for the Task Sequence, click on the "Advanced" tab:

    • Under the option "Use a boot image:", make a note of which Boot Image is being used by the Task Sequence.

  4. In the "Properties" window for the Task Sequence, click on the "OK" button.

  5. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Operating System Deployment" --> "Boot Images".

  6. Expand the Boot Image noted in Step 3 and then click on "Distribution Points".

  7. On the right hand pane labeled "Distribution Points", under the "Name" column, note all of the Distribution Points that the Boot Image is on. This information will be needed later.

  8. After recording all of the Distribution Points that the Boot Image is on, in the right hand "Distribution Points" pane, select and highlight ALL of the Distribution Points, and then right click and choose "Delete".

  9. In the "Confirm Delete" window, click on the "Yes" button.

  10. Refresh the ConfigMgr 2007 admin console. In the right hand "Distribution Points" pane, confirm that there are no Distribution Points listed under the "Name" column. If any do appear, follow Steps 8 and 9 again.

  11. In the left hand pane of the ConfigMgr 2007 admin console, under the expanded Boot Image from Step 6, expand "Package Status", and then click on the second "Package Status" node that appears under the first one.

  12. Monitor the second "Package Status" node to ensure that the Boot Image is deleted from all of the Distribution Points. Refresh the node every few minutes to obtain updated status.

    The Boot Image will be completely deleted from all of the Distribution Points when the columns "Source Version", "Targeted", and "Installed" are all equal to 0.
    Additional information on the delete status of the Boot Image package can be seen by expanding the second "Package Status" node and then clicking on the site code. This will display the Distribution Points for that site. The delete status of the Boot Image package for each Distribution Point will be shown on the right hand pane under the column "State".

    If the "State" column is at "Removal Pending" for an unusually long time for any of the Distribution Points, the deletion of the Boot Image may be taking a long time. This could be caused by several factors, but in most instances is caused by a slow link to the Distribution Point. Since the faster the Boot Image is deleted from the Distribution Point the less likely additional computers will be wiped, the best course of action may be to manually delete the Boot Image from the Distribution Point. To manually delete the Boot Image from Distribution Points, see the section "How To Manually Delete And Verify Deletion Of The Boot Image From The Distribution Points".

Once the Boot Image is deleted from all Distribution Points, the Task Sequence should no longer run successfully on any computer as long as the computer has not already downloaded the Boot Image.

IMPORTANT! DO NOT put the Boot Image back on ANY Distribution Point again at any point, even in the future. For further information, see the section "Setting Up The Task Sequence Again".

As an extra precaution, it may be worthwhile to follow the steps in the next section, "How To Manually Delete And Verify Deletion Of The Boot Image From The Distribution Points", to ensure that the Boot Image has been completely deleted from the Distribution Points.

How To Manually Delete And Verify Deletion Of The Boot Image From The Distribution Points

Since time is of the essence to prevent any additional computers from running the Task Sequence successfully, if the Boot Image is taking a long time to delete from the Distribution Points, or if the Distribution Points are at sites with slow links, then it may be best to delete the Boot Image manually from the Distribution Points. The longer the Boot Image stays on the Distribution Points, the greater the risk that additional computers may run the Task Sequence and possibly cause data loss on the computers.

Manual deletion of the Boot Image from the Distribution Points may also be needed under certain scenarios where the ConfigMgr 2007 site server is one of the computers that has been wiped by the Task Sequence. At this point it may not be possible to delete the Boot Image from Distribution Points via the ConfigMgr 2007 admin console, so a manual deletion of the Boot Image will be necessary.

To manually delete and verify deletion of the Boot Image from the Distribution Points:

  1. Determine the Boot Image being used by the Task Sequence by following Steps 1-4 of the section "Prevent A Task Sequence From Running Successfully On Computers That Have Received Policy For The Task Sequence".

  2. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Operating System Deployment" --> "Boot Images".

  3. On the right hand pane labeled "Boot Images", locate the Boot Image being used as determined in Step 1.

  4. Under the column "Image ID", make a note of the Package ID of the Boot Image.

  5. Log onto the server hosting the Distribution Point role and which contains the Boot Image that needs to be manually deleted.

  6. Locate the directory on the server that contains the Distribution Point content:

    • For standard Distribution Points and Branch Distribution Points, browse the root level of every drive on the server for a directory called:

      SMSPKG<Drive_Letter>$

      where <Drive_Letter> is the drive letter of the drive currently being browsed (without the brackets <>). For example, if the directory was on the D: drive of the server, the directory would be called:

      SMSPKGD$

      There may be more than one drive that contains this directory.

    • For a PXE Distribution Point (DPs designated as SMSPXEIMAGES$), browse the root level of every drive on the server for a directory called:

      RemoteInstall

      Once this directory is located, navigate to the directory:

      SMSIMAGES\SMSPKG

      within the RemoteInstall directory.

    • For a server share Distribution Point, navigate to the directory that the server share points to.

  7. Once the directory containing the Distribution Point content is located on the server, navigate into that directory.

  8. Locate the directory that contains the Boot Image to delete. Once this directory has been located, manually delete the directory.
    If the directory cannot be located, the Boot Image has already been deleted off of the Distribution Point.
    In the case of standard Distribution Points or Branch Distribution Points, if the server had multiple SMSPKG<Drive_Letter>$ directories, make sure to check each directory.

  9. Repeat steps 5-8 for each Distribution Point server where the Boot Image needs to be manually deleted or verified that it has been deleted.
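Steps 6-8 above can be checked in one pass with a small batch file run on each Distribution Point server. This is an added example, not part of the original article; it assumes the Boot Image content sits in a directory named after the Package ID noted in Step 4, and the script name and its /delete switch are hypothetical. Server share Distribution Points are not covered and still need to be checked by hand.

```bat
@echo off
rem Added example, not from the original article.
rem Hypothetical usage:  dpcheck.cmd PACKAGEID [/delete]
rem Assumption: the Boot Image content on a DP is stored in a directory
rem named after the Package ID noted in Step 4.
setlocal EnableExtensions

if "%~1"=="" (
    echo Usage: %~nx0 PackageID [/delete]
    exit /b 2
)
set "PKGID=%~1"
set "MODE=%~2"
set "REMAINING=0"

rem Probe the root of every drive letter, since more than one drive can hold
rem DP content. Two locations are checked per drive:
rem   standard and Branch DPs:  DRIVE:\SMSPKGDRIVE$\PACKAGEID
rem   PXE DPs:                  DRIVE:\RemoteInstall\SMSIMAGES\SMSPKG\PACKAGEID
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    call :CheckDir "%%D:\SMSPKG%%D$\%PKGID%"
    call :CheckDir "%%D:\RemoteInstall\SMSIMAGES\SMSPKG\%PKGID%"
)

echo.
if %REMAINING%==0 (
    echo Boot Image %PKGID% is not present on this Distribution Point.
) else (
    echo Boot Image %PKGID% is still present in %REMAINING% location^(s^) listed above.
)
rem The exit code is the number of locations where the Boot Image remains.
exit /b %REMAINING%

:CheckDir
rem Nothing to do when the directory, or the whole drive, does not exist.
if not exist "%~1\" goto :eof
echo FOUND: %~1
rem Delete only when explicitly asked to; the default is report only.
if /i "%MODE%"=="/delete" rmdir /s /q "%~1"
rem Count the location if it is still there, so a failed delete is visible.
if exist "%~1\" set /a REMAINING+=1
goto :eof
```

Run it without /delete first to record where the Boot Image is, then again with /delete; a non-zero exit code after the second run means a directory could not be removed.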

Identify Computers That May Need Additional Remediation

Although disabling the Task Sequence and deleting the Boot Image from the Distribution Points may stop the majority of computers from being wiped, it may not stop 100% of the computers in the environment from being wiped. For example, if the computer has already downloaded the Boot Image before the Boot Image was deleted off the Distribution Point, the Task Sequence may still run on the computer. The following are scenarios where this could happen:

  1. The Task Sequence has started and the "Distribution Points" setting in the properties of the Advertisement for the Task Sequence was set to either:

    Download content locally when needed by running task sequence

    or

    Access content directly from a distribution point when needed by the running task sequence

  2. The "Distribution Points" setting in the properties of the Advertisement for the Task Sequence was set to:

    Download all contents locally before start task sequence

    In this scenario, the Task Sequence may have NOT started yet.

  3. The computer has the Boot Image in its local ConfigMgr client cache from a previous deployment. In this scenario, the Task Sequence may have NOT started yet.

To help identify computers that may possibly be in this state, the report "Status summary of a specific task sequence advertisement" (Report ID 145) can be run. Please note that if the Task Sequence, Advertisement for the Task Sequence, Collection, or Computer Objects have been deleted, this report may no longer be available or may not be accurate. This is the reason why it is important NOT to delete these items.

To run the report "Status summary of a specific task sequence advertisement" (Report ID 145):

  1. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Reporting" --> "Reports".

  2. In the right hand "Reports" pane, scroll down and find the report "Status summary of a specific task sequence advertisement" (Report ID 145).

  3. Right click on the report "Status summary of a specific task sequence advertisement" (Report ID 145) and choose "Run".

  4. In the right hand pane "Status summary of a specific task sequence advertisement" window, click on the "Values. . ." button.

  5. In the "Select Value" window, click on the Advertisement for the affected Task Sequence.

  6. In the right hand pane "Status summary of a specific task sequence advertisement", click on the "Display" icon.

A report window will come up showing the current status of the Task Sequence deployment.

IMPORTANT NOTE! Although ConfigMgr reports are a good resource to help identify computers that are in a state that needs remediation, reporting is NOT a real time system. The report is only as good as the last status message sent by a computer. Please keep this in mind when identifying computers that may need remediation.

The following are statuses that will be seen in the report, what they mean, and whether the computer will need further remediation:

  • No Status - The computer has not received policy to run the Task Sequence, so therefore content for the Task Sequence has not started downloading nor has the Task Sequence itself started running.

    Computers with the "No Status" status will not need further remediation once the Task Sequence has been disabled and the Boot Image has been removed from the Distribution Points.

  • Accepted - The computer has received policy to run the Task Sequence, but content for the Task Sequence has not started downloading and the Task Sequence has not yet started running.

    Computers with the "Accepted" status will not need further remediation once the Task Sequence has been disabled and the Boot Image has been removed from the Distribution Points.

  • Waiting - The computer has received policy to run the Task Sequence and content for the Task Sequence has started downloading, but the Task Sequence has not yet started running.

    This status will be most often seen when the "Distribution Points" setting in the properties of the Advertisement for the Task Sequence is set to:

    Download all contents locally before start task sequence

    The "Waiting" status is usually not seen when the "Distribution Points" setting in the properties of the Advertisement for the Task Sequence was set to either:

    Download content locally when needed by running task sequence

    or

    Access content directly from a distribution point when needed by the running task sequence

    In these scenarios content is downloaded or accessed DURING the Task Sequence instead of downloading BEFORE the Task Sequence starts, therefore it does not ever "wait" to start. Therefore the "Waiting" status message is not seen in these scenarios.

    Computers with the "Waiting" status have not been wiped yet but MAY be wiped if the proper remediation steps are not taken. Please follow the section "Remediating Computers When the Advertisement Is Set To "Download all contents locally before start task sequence"".

  • Running - The computer has received policy to run the Task Sequence and the Task Sequence has started running.

    Although some of these computers may have already been wiped, depending on WHERE in the Task Sequence the computer currently is, some may still not have been wiped. For this reason all computers with the "Running" status should be inspected.

    Drilling down in the report may reveal if the computer has been wiped or not. Computers that show that they have already run and not skipped either the "Format and Partition Disk" task or "Apply Operating System Image" task will have already been wiped and are not recoverable. However computers that have not yet run either of these tasks may still be recoverable.

    If the computer has not been wiped, to prevent the computer from being wiped please follow the section "Remediating Computers Where The Boot Image Has Already Downloaded But The Task Sequence Has Not Wiped The Computer".

  • Succeeded - The computer has completed running the Task Sequence successfully.

    Computers with the "Succeeded" status have already run the Task Sequence to completion and have been wiped. Unfortunately they cannot be recovered, so no further remediation is possible.

  • Failed - The computer started running the Task Sequence, but the Task Sequence failed.

    Computers with the "Failed" status have started the Task Sequence, but for some reason failed at some point in the Task Sequence. Depending on where in the Task Sequence the computer failed, the computer may or may not have been wiped. If the Task Sequence failed before the computer was wiped then the computer should still be intact.

    Drilling down in the report may indicate if the computer was wiped or not. Computers that show that they have already run and not skipped either the "Format and Partition Disk" task or "Apply Operating System Image" task will have already been wiped and are not recoverable. However those computers that did not run either of these tasks and failed before or at these tasks may still be intact.

    Since the Task Sequence is no longer running on these computers, no further action or remediation steps are necessary.

    Please note that computers that are remediated using the sections:

    Prevent A Task Sequence From Running Successfully On Computers That Have Received Policy For The Task Sequence
    Remediating Computers Where The Boot Image Has Already Downloaded But The Task Sequence Has Not Wiped The Computer
    Remediating Computers When the Advertisement Is Set To "Download all contents locally before start task sequence"

    may end up reporting a status of "Failed".

Please keep in mind that all of the above statuses are based on the last time that the computer reported up its status. It should NOT be considered real time. The report should be refreshed regularly to ensure up to date reporting. Please also remember that computers that were shut off or taken off the network may have taken a particular action (i.e. started the Task Sequence) but have not had the chance to report up their current status. Since the computers are currently off or disconnected from the network, they will not report up their status until they are turned back on or plugged back into the network.

Remediating Computers Where The Boot Image Has Already Downloaded But The Task Sequence Has Not Wiped The Computer

Although there is a very short window of opportunity, there may be scenarios where a computer had downloaded the Boot Image, but not yet wiped the contents on the hard drive. In these scenarios the computer has already run the "Restart Computer" ("Restart in Windows PE") task, but not the "Format and Partition Disk" task or the "Apply Operating System Image" task. Such a scenario could have occurred if the computer was manually shut off at the correct moment to prevent the computer from continuing the Task Sequence. In these scenarios there is not a way to resolve the issue centrally from a site server, but the issue can be resolved locally at the computer through manual intervention.

To resolve the issue, a file can be deleted off of the hard drive of the computer that will cause the Task Sequence to fail before the computer is wiped. Once the Task Sequence fails, it will clean up after itself, including restoring the boot manager from WinPE back to the preexisting Windows OS.

If the Boot Image is in the local ConfigMgr client cache, the Task Sequence could possibly start up again even after initially causing the Task Sequence to fail. For this reason, in addition to causing the Task Sequence to fail, the contents of the local ConfigMgr client cache directory should also be deleted. This scenario is common if the "Distribution Points" setting in the properties of the Advertisement for the Task Sequence was set to "Download all contents locally before start task sequence". It could also happen if the Boot Image was downloaded to the local ConfigMgr client cache as part of a previous Task Sequence that ran on the computer.

Before running the below steps, make sure that the below two sections have already been followed:

    • Stop A Task Sequence From Running On Computers That Have Not Received Policy For The Task Sequence

    • Prevent A Task Sequence From Running Successfully On Computers That Have Received Policy For The Task Sequence

To cause the Task Sequence to fail and to delete the contents of the local ConfigMgr client cache, follow the below steps:

  1. If the affected computer is turned off, proceed to Step 4.

  2. If the affected computer is turned on AND in WinPE, shut it off immediately and then proceed to Step 4.

  3. If the affected computer is turned on but still in the full Windows OS, log into the computer with an account that is a local administrator and then immediately run the following two commands from an elevated command prompt to stop and disable the Task Sequence service:

    net stop smstsmgr
    sc config smstsmgr start= disabled

    After running the above two commands, skip the steps in this section and follow the steps in the section "Remediating Computers When the Advertisement Is Set To "Download all contents locally before start task sequence"" instead.

    Notes:

    • If the Task Sequence is not currently running, an error message will appear after running the "net stop smstsmgr" command. This is normal and the error can be ignored.

    • In the second command, there is a space between "start=" and "disabled". Please make sure to include the space.

  4. Manually boot the computer into WinPE from a source other than the WinPE that is installed on the local hard drive of the computer. In addition to ConfigMgr 2007 generated WinPE boot media, this could include a custom WinPE boot media. Guides on how to create several different forms of custom WinPE boot media are outlined in the below TechNet article:

    Windows PE Walkthroughs
    http://technet.microsoft.com/en-us/library/dd799278(WS.10).aspx

    Specifically the following two TechNet articles can be used to build a bootable Windows PE media on either a CD-ROM or a USB Flash Drive:

    Walkthrough: Create a Bootable Windows PE RAM Disk on CD-ROM
    http://technet.microsoft.com/en-us/library/dd799303(WS.10).aspx

    Walkthrough: Create a Bootable Windows PE RAM Disk on a USB Flash Disk
    http://technet.microsoft.com/en-us/library/dd744530(WS.10).aspx

    If a ConfigMgr 2007 generated WinPE boot media is being used, before booting into WinPE make sure that there are no mandatory advertisements for any Task Sequence targeted to the computer. This will prevent the computer from accidentally picking up and running any Task Sequence advertisements, causing the computer to accidentally be wiped.

  5. Once booted into WinPE, a command prompt window needs to be opened:

    • If a custom WinPE boot media is being used, such as those generated in the article from Step 4, a command prompt window will open automatically.

    • If WinPE boot media generated by ConfigMgr 2007 is being used, the option "Enable command support (testing only)" needs to be enabled in the "Windows PE" tab of the properties of the Boot Image. Once this option is enabled, when the computer boots into WinPE, the command prompt window can be opened using the F8 key.

  6. Determine all of the volumes on the computer. At the command prompt window run the following command:

    DISKPART

    Once at the DISKPART> prompt, type in:

    LIST VOLUME

    This should display the drive letters for all of the volumes on the computer. Make a note of all of the volume drive letters.

  7. At the DISKPART> prompt, type in:

    EXIT

  8. In the command prompt window, navigate to the first drive letter from Step 6.

  9. Determine if the directory _SMSTaskSequence exists at the root level of the volume. If it does exist, navigate into the _SMSTaskSequence directory and delete the file TSEnv.dat via the following command:

    del TSEnv.dat /f /q

  10. In the command prompt window, move on to the next drive letter from Step 6 and then repeat Step 9. Continue this until all of the drive letters have been checked. The only drive letter that does not need to be checked is X:.

    Even if one instance of the "TSEnv.dat" has already been deleted, make sure to continue checking all drive letters to make sure multiple copies of "TSEnv.dat" do not exist.

  11. In the command prompt window, locate the local ConfigMgr client cache directory on the computer:

    • For the majority of ConfigMgr client computers, the ConfigMgr client cache directory will be located on the system drive under one of the following directories:

      • Windows\System32\CCM\Cache (32bit Windows OSes)

      • Windows\SysWOW64\CCM\Cache (64bit Windows OSes)

    • For site servers, the ConfigMgr client directory may be in one of the "Program Files" directories instead. If the server has multiple drives or partitions, make sure to check the "Program Files" directory on each drive letter:

      • Program Files\SMS_CCM\Cache (32bit Windows OSes)

      • Program Files (x86)\SMS_CCM\Cache (64bit Windows OSes)

    • For site servers that were upgraded from SMS 2003, the ConfigMgr client cache directory may be under the SMS_CCM directory at the root level of one of the drives of the server.

    • If the local ConfigMgr client cache directory is not located in one of the above directories, refer to local environmental documentation for custom locations that the ConfigMgr client may have been installed to.

  12. Once the location of the local ConfigMgr client cache directory has been determined, in the command prompt window navigate into the directory.

  13. In the command prompt window, delete all of the contents of the local ConfigMgr client cache directory by running the following command:

    rmdir /s /q <TAB>

    where <TAB> is the Tab key on the keyboard (without the brackets <>). The Tab key will auto populate the next folder in the local ConfigMgr client cache directory.

    After the directory to be deleted has been auto populated using the Tab key, hit the Enter key to delete the folder. Continue running the above command until all the contents of the local ConfigMgr client cache directory are deleted.

  14. Once the contents of the local ConfigMgr client cache directory have been deleted, reboot the computer.

When the computer restarts, it will boot into WinPE from the hard drive. Once it finishes booting WinPE, the Task Sequence will continue but will immediately fail due to the missing TSEnv.dat file.

Once the Task Sequence fails it will take the following actions:

  • Restore the boot manager to boot to the preexisting Windows OS
  • Delete the _SMSTaskSequence directory
  • Reboot the computer back to the preexisting Windows OS

These actions should only take a few seconds to occur and there may not be any visual indicators of these actions taking place.
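
Steps 6 through 13 above can also be run as a single batch script from the WinPE command prompt. The script below is an added example, not part of the original article. It assumes volumes are lettered C: through Z:, checks only the four cache paths listed in Step 11, and uses the hypothetical file name clean-ts.cmd.

```batch
@echo off
rem clean-ts.cmd (hypothetical name): added example, not from the original article.
rem Automates Steps 6-13 from a WinPE command prompt.
rem Assumption: volumes are lettered C: through Z:. X: (the WinPE RAM disk) is skipped.
setlocal EnableExtensions
set "TSENV_DELETED=0"
set "CACHE_EMPTIED=0"

for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if exist "%%D:\" call :ProcessVolume %%D
)

echo.
echo TSEnv.dat copies deleted : %TSENV_DELETED%
echo Cache directories emptied: %CACHE_EMPTIED%
if "%CACHE_EMPTIED%"=="0" echo No cache emptied in the standard locations. Locate it by hand before rebooting.
endlocal
exit /b 0

:ProcessVolume
rem %1 = drive letter without the colon. Steps 9-10: every volume is checked,
rem even after one copy of TSEnv.dat has already been found.
set "TSENV=%1:\_SMSTaskSequence\TSEnv.dat"
if exist "%TSENV%" (
    del "%TSENV%" /f /q
    if exist "%TSENV%" (
        echo [FAILED]  %TSENV% is still present. Delete it by hand.
    ) else (
        echo [DELETED] %TSENV%
        set /a TSENV_DELETED+=1
    )
)
rem Step 11: cache locations named in the article, relative to the volume root.
for %%P in ("Windows\System32\CCM\Cache" "Windows\SysWOW64\CCM\Cache" "Program Files\SMS_CCM\Cache" "Program Files (x86)\SMS_CCM\Cache") do (
    if exist "%1:\%%~P\" call :EmptyCache "%1:\%%~P"
)
exit /b 0

:EmptyCache
rem %~1 = full path of an existing cache directory. Mirrors Step 13:
rem remove every subfolder, then any loose files, then confirm nothing is left.
for /d %%S in ("%~1\*") do rmdir /s /q "%%S"
del /f /q "%~1\*" 2>nul
set "LEFT="
for /f "delims=" %%F in ('dir /b /a "%~1" 2^>nul') do set "LEFT=1"
if defined LEFT echo [FAILED]  "%~1" still has content. Empty it by hand.
if not defined LEFT echo [EMPTIED] "%~1"
if not defined LEFT set /a CACHE_EMPTIED+=1
exit /b 0
```

The script leaves the reboot in Step 14 to the operator. A cache directory in a custom location, or under a root-level SMS_CCM directory, is not covered and still has to be emptied by hand.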

Remediating Computers When the Advertisement Is Set To "Download all contents locally before start task sequence"

If the "Distribution Points" setting in the properties of the Advertisement for the Task Sequence was originally set to "Download all contents locally before start task sequence", then additional actions may be necessary.

In these scenarios, if the computer has both received the policy to run the Task Sequence and downloaded the content for the Task Sequence, primarily the Boot Image, then disabling the Task Sequence on the site server and deleting the Boot Image from the Distribution Points may not prevent the computer from running the Task Sequence.

Unfortunately in these scenarios there is nothing that can be done from the server side that guarantees stopping the Task Sequence from running on these computers. The only way to ensure the computers are remediated is by resolving the issue physically at the local computer and deleting the local ConfigMgr client cache directory.

Before taking the below steps, please make a note of the following two items:

  1. If the computer has started the Task Sequence and restarted into WinPE, but has not yet wiped the computer, then immediately turn off the computer and follow the section "Remediating Computers Where The Boot Image Has Already Downloaded But The Task Sequence Has Not Wiped The Computer" instead.

  2. Make sure that the below two sections have already been followed:

    • Stop A Task Sequence From Running On Computers That Have Not Received Policy For The Task Sequence

    • Prevent A Task Sequence From Running Successfully On Computers That Have Received Policy For The Task Sequence

To remediate computers that are still in the full Windows OS but have downloaded the Boot Image into the local ConfigMgr client cache:

  1. Log into the computer with an account that is a local administrator.

  2. Stop and disable the Task Sequence service by opening an elevated command prompt and running the following two commands:

    net stop smstsmgr
    sc config smstsmgr start= disabled

    Notes:

    • If the Task Sequence is not currently running, an error message will appear after running the "net stop smstsmgr" command. This is normal and the error can be ignored.

    • In the second command, there is a space between "start=" and "disabled". Please make sure to include the space.

  3. Check the root level of all of the drives on the computer to ensure that there is not a directory called _SMSTaskSequence. If any _SMSTaskSequence directories do exist, delete them.

  4. Open the "Configuration Manager" Control Panel on the computer.

  5. In the "Configuration Manager Properties" Control Panel window, click on the "Advanced" tab.

    • If using Windows Vista/Windows Server 2008 or newer, click on the "Configure Settings" button.

    • Under "Temporary Program Download Folder", click on the "Delete Files. . ." button.

    • In the "Delete Files" window, check the option "Delete persisted cache content", and then click on the "Yes" button.

  6. In the "Configuration Manager Properties" Control Panel window, click on the "Actions" tab.

    • Click on "Machine Policy Retrieval & Evaluation Cycle" to highlight it, and then click on the "Initiate Action" button.

    • In the "Machine Policy Retrieval & Evaluation Cycle" message window, click on the "OK" button.

  7. In the "Configuration Manager Properties" Control Panel window, click on the "OK" button to close the Configuration Manager Control Panel.

  8. Reenable the Task Sequence service by opening an elevated command prompt and running the following command:

    sc config smstsmgr start= demand

    Note: There is a space between "start=" and "demand". Please make sure to include the space.

Once the Boot Image has been deleted from the computer's local ConfigMgr client cache and from the Distribution Points, the Task Sequence will not have access to the Boot Image and will fail if it attempts to run.

Setting Up The Task Sequence Again Once Remediation Steps Are Completed

Once all of the remediation tasks have taken place, if the Task Sequence is still needed, it is recommended NOT to reuse the following items:

  • The Boot Image associated with the Task Sequence, even in other Task Sequences
  • The Task Sequence itself
  • The advertisement for the Task Sequence

This is to prevent the possibility of the Task Sequence accidentally running on additional computers. For example, a computer that was shut down or taken off the network after receiving the policy to run the Task Sequence could still run the Task Sequence months later, when it is turned back on or placed back on the network, if the resources for that Task Sequence were once again available. If the resources for that Task Sequence are never made available again, then even months later it is assured that the Task Sequence would fail and the computer would not be reimaged.

Instead of reusing the different components of the Task Sequence, the components can be recreated by taking the following actions:

  1. Create a new Boot Image package based on the previous Boot Image

  2. Recreate the Task Sequence by duplicating the previous Task Sequence, and then specifying the new Boot Image from #1 in the new Task Sequence

  3. Create a new Advertisement for the new Task Sequence

Before taking the below steps, make sure that the actions that caused the issue to initially happen have been resolved. For example:

  • Move computers out of the Collection that should not run the Task Sequence
  • Make sure that there are not any unexpected subcollections under the parent Collection

Create A New Boot Image Package

  1. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Operating System Deployment" --> "Task Sequences".

  2. Right click on the affected Task Sequence and choose "Properties".

  3. In the "Properties" window for the Task Sequence, click on the "Advanced" tab:

    • Under the option "Use a boot image:", make a note of which Boot Image is being used by the Task Sequence.

  4. In the "Properties" window for the Task Sequence, click on the "OK" button.

  5. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Operating System Deployment" --> "Boot Images".

  6. Right click on the Boot Image being used as determined in Step 3 and choose "Properties".

  7. In the "Properties" window of the Boot Image, click on the "Data Source" tab.

    • In the text box under "Image path:", highlight the path, right click on it, and choose "Copy".

    • Make a note of the Image index listed in the drop down menu next to "Image index:"

  8. In the "Properties" window of the Boot Image, click on the "Windows PE" tab:

    • Make a note of what drivers are part of the Boot Image.

    • Make a note of what options are chosen for the Boot Image.

  9. In the "Properties" window of the Boot Image, click on the "OK" button.

  10. In the ConfigMgr 2007 admin console, right click on "Boot Images" and choose "Add Boot Image".

  11. In the "Data Source" page of the "Add Boot Image Package Wizard", in the text box under "path: example (\\servername\sharename\path) ", paste the path copied in Step 7.

  12. In the "Data Source" page of the "Add Boot Image Package Wizard", in the drop down menu next to "Boot Image:", select the appropriate image index as determined in Step 7, then click on the "Next >" button.

  13. In the "General" page of the "Add Boot Image Package Wizard", fill in the "Name:", "Version:", and "Comment:" text boxes as desired and then click on the "Next >" button.

  14. In the "Summary" page of the "Add Boot Image Package Wizard", review the information under the "Details:" box to make sure everything is correct, and then click on the "Next >" button.

  15. Once the Boot Image has finished being added, in the "Wizard Completed" page of the "Add Boot Image Package Wizard", click on the "Close" button.

  16. In the ConfigMgr 2007 admin console, under the "Boot Images" node, right click on the newly added Boot Image and choose "Properties". Please note that you may have to refresh the console to see the newly added Boot Image.

  17. In the "Properties" window of the Boot Image, click on the "Windows PE" tab:

    • Reselect any options and add any drivers back as noted in Step 8.

  18. In the "Properties" window of the Boot Image, click on the "OK" button.

  19. If no changes were made in the "Windows PE" tab of the Boot Image properties in Step 17, proceed to Step 20. Otherwise in the "Distribution Point Update Required" window, click on the "Yes" button.

  20. In the "Summary" page of the "Manage Distribution Points Wizard" window, click on the "Next >" button.

  21. Once the Boot Image has finished rebuilding, in the "Wizard Completed" page of the "Manage Distribution Points Wizard" window, click on the "Close" button.

  22. In the ConfigMgr 2007 admin console, under the "Boot Images" node, expand the node of the newly added Boot Image.

  23. Under the node of the newly added Boot Image, right click on "Distribution Points" and choose "New Distribution Points".

  24. On the "Welcome" page of the "New Distribution Points Wizard", click on the "Next >" button.

  25. On the "Copy Package" page of the "New Distribution Points Wizard", select the Distribution Points to copy the Boot Image to and then click on the "Next >" button. The list of Distribution Points that the previous Boot Image was on was noted in Step 7 in the section "Prevent A Task Sequence From Running Successfully On Computers That Have Received Policy For The Task Sequence".

  26. On the "Wizard Completed" page of the "New Distribution Points Wizard", click on the "Close" button.

  27. Under the node of the newly added Boot Image, expand "Package Status", and then click on the second "Package Status" node that appears under the first one.

  28. Monitor the "Package Status" node to ensure that the Boot Image copies to the selected Distribution Points. Refresh the node every few minutes to obtain updated status. The Boot Image will be properly copied and installed on all of the Distribution Points when the columns "Targeted" and "Installed" are equal.

Recreate The Task Sequence

  1. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Operating System Deployment" --> "Task Sequences".

  2. Right click on the affected Task Sequence and choose "Duplicate".

  3. On the "Task Sequence" message box confirming that the Task Sequence has been successfully duplicated, click on the "OK" button.

  4. The newly created duplicated Task Sequence will contain the same name as the original Task Sequence, followed by a dash (-), and then the Task Sequence ID. Right click on this Task Sequence and choose "Properties".

    IMPORTANT! Make sure to right click on the newly created duplicated Task Sequence and NOT the original Task Sequence. Selecting the incorrect Task Sequence could accidentally reactivate it.

  5. Click on the "General" tab of the Task Sequence "Properties" window:

    • If desired, in the text box next to "Name:", rename the Task Sequence

  6. In the "Properties" window of the Task Sequence, click on the "Advanced" tab.

    • Uncheck the option "Disable this task sequence on computers where it is advertised".

    • Under "Use a boot image:", click on the "Browse. . ." button. In the "Select Boot Image" window, select the Boot Image created under the previous section "Create A New Boot Image Package" and then click on the "OK" button.

  7. In the "Properties" window for the Task Sequence, click on the "OK" or "Apply" button to save the properties for the Task Sequence.

Please note: If the original Boot Image was also used in other Task Sequences, make sure to go into the properties of those Task Sequences and select the newly created Boot Image instead.

Create a new Advertisement for the new Task Sequence

To create a new Advertisement for the newly created duplicated Task Sequence, follow the standard procedures to create a new advertisement for a Task Sequence:

  1. In the ConfigMgr 2007 admin console, navigate to "Site Database" --> "Computer Management" --> "Operating System Deployment" --> "Task Sequences".

  2. Right click on the newly created Task Sequence from the previous section "Recreate The Task Sequence" and choose "Advertise".

  3. Step through the "New Advertisement Wizard" and select the desired options to create the Advertisement for the newly created Task Sequence.

    IMPORTANT! Take special care in the "New Advertisement Wizard" that the same actions that caused the initial issue to happen are not repeated. For example:

    • In the "General" page, targeting the incorrect Collection

    • In the "General" page, leaving the option "Include members of subcollections" checked if the Task Sequence should not be deployed to subcollections.

 

Frank Rojas
Support Escalation Engineer

Comments
  • This is great article Frank, thanks for taking the time to put this together.

  • Wonderful work done !!!

  • Great stuff! One needs a cool head when things go wrong, and this article is the cool head. Need to create a shortcut to this :D

  • Hi there Frank.

    Great article and fab work yet again.  Of course it's rather important that folks read this BEFORE they inadvertently deploy the Task Sequence to the All Systems collection.

    I find that there are a couple of preventative measures that one can take in order to minimise the impact of an incorrectly deployed Task Sequence:

    1.  You can create a "one time" maintenance window in the past on the All Systems Collection and make this apply to just OSD/Task Sequence events.  Now if someone inadvertently deploys a task sequence we'll see lots of status messages saying that the task sequence could not be executed but at least we don't see the issue.  Of course, in order to deploy the OS you now need to create a maint-window for the near future.

    2.  You can create a collection which has a Task Sequence Variable associated with it.  Let's call it "OS installation allowed" and set it to "No".  The first step of the task sequence checks for the value of "OS installation allowed" and throws an error if it is wrong.  

    blogs.technet.com/.../preventing-operating-system-deployment-on-servers-and-other-critical-client-systems.aspx

    3.  If you are in a PXE boot environment then you can take advantage of the MAC ignore list and put in here a list of the sensitive MAC addresses or servers etc.

    blogs.technet.com/.../preventing-pxe-boot-on-servers-and-other-critical-client-systems-using-macignorelistfile.aspx

  • Nice suggestions! I actually considered adding a section to the article on how to prevent the problem from happening again, but the article was already long enough so I'm saving it for a future article.

  • Hey Frank

    I wonder if I can beg some help from you please.  I am writing a DD for SCCM 2012 and I want to prevent inadvertent OS deployment through a MAC ignore list.  I can't see MACIgnoreListFile on my PXE enabled DP and can't find it documented.  Can you point me to where I list these?

  • Thanks Frank for this wonderful article, It was very informative.
