17 October 2017

SCCM and MDT Master Kill Switch

With the advent of mass deployment errors such Emory University and CommBank, there needs to be a master kill switch. I also read several months ago about a University in one of the Scandinavian countries that did the same thing. The last two years at Microsoft Ignite, I have also talked to SCCM professionals who experienced the same thing, one in Oklahoma at an oil company and another in Michigan at a financial services company. The last company with more than 100,000 systems abandoned SCCM for imaging purposes and went to MDT to assure this would never happen again.

Over the past three years, I have contemplated a new method for resolving this. At first, I started writing a tool that would shut down all pertinent services on machines such as windows installer and would kill certain task sequences, along with several other things. While having partially written this, a much easier solution came to my mind. This solution is very basic but is also most effective. 

I also want to point out one thing here. My solution does not compete with Adaptiva's. Adaptiva has a much more robust solution, but if you choose to not use their solution, this solution can do a good job at stopping an image or even an application from installing. 

The solution I have come up with uses a simple text file. In the task sequence list, you will want this to be before the system partitions are wiped. I took a screenshot of this in MDT, which you obviously would not need this fuse unless you have a team that images machines and you want the process to stop right now. In SCCM, you would make sure it is before the system reboots into WinPE to wipe the partitions.

As you can see from the pic, I used a command line task sequence. I used a PowerShell one-liner to test if the file is present. If it is not present, then it returns an error code 1. This error code kills the build.

powershell.exe -command "&{if ((Test-path <Directory>\BUILDFUSE\BUILDFUSE) -eq $false) {Exit 1}}"

The file I created is an empty text file which I removed the .TXT extension.

When I started my image, the picture below shows what happened when the file was not present.

This could also be incorporated into a software deployment in the event you accidentally deploy an application and realize it needs to stop NOW! If you deploy apps like I do using script files (PowerShell), you could add a line in the script to check for the file before proceeding. This would kill the installation if it has started, but not reached the point of installation yet.

It is obvious that if the admin does not realize there was a mistake made, the image will continue.


Post a Comment