ConfigMgr 2007: How to have an Configuration Manager 2007 OSD Task Sequence only work from PXE & Task Sequence Bootable Media & Not From The Full Windows OS

In certain scenarios, a customer may want to advertise an Configuration Manager 2007 OSD Task Sequence to a Collection of existing client PCs, but they may not want the users of the client PCs to be able to actually initiate or run the Task Sequence from the Full Windows OS by using the "Run Advertised Programs" control panel. They only want the Task Sequence to be initiated if the PC was booted from PXE or Task Sequence Bootable Media.

In most cases, customers want this functionality because they want to be able to reimage any client PC in a Collection at any time without having to first copy the client PC to a Collection where the Task Sequence is advertised to. In other words, they always want to have the option to reimage the client PC at any time without having to do any adminsitrative work first, similar to how stand alone WDS and PXE booting works. At the same time, they do not want a user to accidentally start a Task Sequence in the Full Windows OS via the "Run Advertised Programs" control panel, causing their PCs to be reimaged and the user to lose all of their data.

Back to the top | Give Feedback

This functionality is not built into Configuration Manager 2007, but there is a workaround with some limitations. The main limitation is that the Task Sequence will still show up in the "Run Advertised Programs" control panel and the user will be able to initiate it and run it, but due to a condition that will be added to the Task Sequence, the Task Sequence will actually not do anything and fail.

WARNING!!!!
========
Regardless of the below solution, it is never recommended that a Task Sequence that deploys an OS be advertised to a Collection that has existing client PCs (ESPECIALLY the "All Systems" collection) as this can be VERY dangerous. Setting the Task Sequence advertisment to mandatory (even by accident) would cause the Task Sequence to run on the client PCs WITHOUT warning, completely wiping the client PCs and losing ALL data. The recommended implementation for Task Sequences is to Advertise the Task Sequence to a Collection with no PCs in it, and only add client PCs to the Collection as the client PCs need to be reimaged. However this recommended implementation requires some administrative work, which some customers are trying to avoid.

The below solution should only be implemented by the customer after thorough and complete testing to a test collection of existing PCs that they do not mind losing data on, ESPECIALLY if their intention is to advertise to the "All Systems" collection. Please give the customer all disclaimers before giving them the below workaround solution.

1) Right click on the Task Sequence and choose "Edit"

2) Click on the very first task/group item in the Task Sequence and then choose "Add" --> "New Group"

3) Move the newly created Group to the top of the Task Sequence so that it is the very first item in the Task Sequence

4) In the "Properties" of the newly created Group, next to the "Name:" text field box, give the Group the name of "Run Only In WinPE" (without the quotes) and then click on the "Apply" button.

5) In the "Run Only In WinPE" group, click on the "Options" tab.

6) Click on "Add Condition" --> "If statement". Select "All conditions".

7) Click on "Add Condition" --> "Task Sequence Variable"

8) Next to the "Variable:" text field box, enter in "_SMSTSInWinPE" (without the quotes). Make sure to include the underscore (_).

9) Next to "Condition:", choose "equals".

10) Next to the "Value:" text field box, enter "true" (without the quotes), then click on the "OK" button.

11) Move all other groups and tasks in the Task Sequence so that they are all in and fall under the "Run Only In WinPE" group. Make sure that the order of Task Sequence tasks and groups remains the same and that the order is not modified or changed. There should no groups or tasks flush on the left with teh "Run Only In WinPE" task.

For a basic deploy Task Sequence that was created using the wizards, the Task Sequence should look something as follows:

Notice that all groups and tasks are now in and fall under the "Run Only In WinPE" task, and that there is nothing flush on the left with the "Run Only In WinPE" group.

What this solution does is only allows the Task Sequence to run if it is started from within WinPE. If it is started in the Full Windows OS, then it will do nothing since no tasks fall outside of the "Run Only In WinPE " group. Since both PXE and Task Sequence Bootable Media start the Task Sequence while in WinPE, then the Task Sequence will run when booting from either PXE or Task Sequence Bootable Media.

In cases where the Task Sequence is initiated from WinPE via PXE or Task Sequence Bootable Media, any tasks that do need to run in the Full Windows OS after the image is applied (any task after the "Setup windows and ConfigMgr" task) will still run since the tasks fall under the group "Run Only In WinPE", and the "Run Only In WinPE" was INITIALLY started from WinPE. The condition to only run in WinPE will no longer apply once it has reached any tasks after the "Setup windows and ConfigMgr" task.

Another use of the above solution is to prevent Task Sequences that deploy an OS from running on existing client PCs while they are in the Full Windows OS in the event that the Task Sequence is accidentally advertised to the incorrect Collection, even in instances where the advertisment was set to be Mandatory. This solution could be added to any Task Sequence as a safety precaution.

An optional way of accomplishing the same goal as described above is under the "Advanced" tab of the Properties of the Task Sequence, set the option "This task sequence can run only on the specified client platforms" to a Windows OS that does not exist in their environment. This will prevent it from running on a Windows OS that does exist in their environment, but will still allow it to run if initiated from a PXE boot or from Boot Media. However, in some customer environments, this solution has caused a high amount of status messages to be generated. In a large environment with many clients, this could cause the site server to be flooded with status message and could cause the site server to stop responding and even crash.

Back to the top | Give Feedback