MDT 2010 Update 1: Fix to re-enable System Restore in ConfigMgr task sequence

Some people noticed that an OS deployment task sequence, performed either by MDT 2008 Lite Touch or by ConfigMgr, could capture sensitive information (from unattend.xml, variables.dat, etc.) as part of the automatic System Restore snapshot process that happens whenever a new driver, application, security update, etc. is installed.

To address that issue, we added some logic in MDT 2010 to disable System Restore by configuring the default unattend.xml template:

<component name="Microsoft-Windows-SystemRestore-Main" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <DisableSR>1</DisableSR>
</component>

We then added logic to re-enable System Restore at the end of the deployment process, but only for Lite Touch. (You can see that logic in LTICleanup.wsf.) We discovered later that this was left out of the ConfigMgr scripts. As a result, machines deployed using ConfigMgr and an MDT 2010 task sequence template ended up with System Restore disabled.

In MDT 2010 Update 1, we added logic to address this.  Now, System Restore will be re-enabled at the end of the deployment even with ConfigMgr.  (Because we don’t have the equivalent of LTICleanup.wsf in a ConfigMgr task sequence, the logic was added to ZTICopyLogs.wsf, the last script to run during an OSD task sequence.)
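
An added example, not from the original post or from MDT: a Python check that reads an answer file and reports, per configuration pass and architecture, whether the `Microsoft-Windows-SystemRestore-Main` component sets `DisableSR` to 1, which is the condition that requires a re-enable step at the end of the task sequence. The sample XML is constructed, and the `specialize` pass placement and the function name `audit_system_restore` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
SR_COMPONENT = "Microsoft-Windows-SystemRestore-Main"

# Constructed sample answer file (not an MDT template). The amd64 entry
# disables System Restore, the x86 entry leaves DisableSR unset, and the
# pass name "specialize" is an assumption made for this example.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-SystemRestore-Main" processorArchitecture="amd64">
      <DisableSR>1</DisableSR>
    </component>
    <component name="Microsoft-Windows-SystemRestore-Main" processorArchitecture="x86" />
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <ComputerName>*</ComputerName>
    </component>
  </settings>
</unattend>"""


def audit_system_restore(xml_text):
    """Return one finding per SystemRestore component in the answer file."""
    root = ET.fromstring(xml_text)
    findings = []
    for settings in root.findall("u:settings", NS):
        for comp in settings.findall("u:component", NS):
            if comp.get("name") != SR_COMPONENT:
                continue  # unrelated component, e.g. Shell-Setup
            value = comp.findtext("u:DisableSR", default="", namespaces=NS).strip()
            disabled = value == "1"  # the value the template above uses
            findings.append({
                "pass": settings.get("pass"),
                "arch": comp.get("processorArchitecture"),
                "disabled": disabled,
                "note": ("needs a re-enable step at end of deployment" if disabled
                         else "snapshots can run during deployment"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_system_restore(SAMPLE):
        state = "1" if f["disabled"] else "unset"
        print(f"{f['pass']:<12} {f['arch']:<6} DisableSR={state}: {f['note']}")
```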


Comments

  • Anonymous
    January 01, 2003
    You don't even need to rename the "GetObject" function, just delete it altogether.  I'm not sure how that one slipped through...

  • Anonymous
    August 10, 2010
    Does this exclude servers such as Windows Server 2008 / Windows Server 2008 R2 where System Restore is disabled?

  • Anonymous
    November 05, 2010
    We're still getting Win7 deploys with SystemRestore turned off. After reading this post I took a look at the EnableSystemRestore function in LTICleanup.wsf, grabbed it and ran it as a standalone VBS - still nothing. Then I commented out the On Error statements and got the following:

        Microsoft VBScript runtime error: Type mismatch: 'oEnv'

    I am currently testing with the following code for Function EnableSystemRestore (yeah it's probably ugly, if it works I don't care):

        Function EnableSystemRestore
            Dim iRetVal, oSRP, strComputer, objWMIService
            strComputer = "."
            On Error Resume Next
            ' Connect to the root\default WMI namespace on the local machine
            Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
            Set oSRP = objWMIService.Get("SystemRestore")
            ' An empty drive string is passed to SystemRestore.Enable
            iRetVal = oSRP.Enable("")
            On Error Goto 0
            EnableSystemRestore = iRetVal
        End Function

  • Anonymous
    November 05, 2010
    The comment has been removed

  • Anonymous
    November 29, 2010
    We've just been troubleshooting the LTICleanup.WSF script and discovered that there is a FUNCTION declared called GetObject which is breaking the script. We've renamed the function to LTIGetObject and now the script does more of the things it's supposed to... :-) The GetObject function doesn't actually seem to be called by anything, so as far as I can tell it was only put in to ruin my day...

  • Anonymous
    December 30, 2010
    Are there any side effects after changing the name of that function? I am having the same problem and I am testing your theory now.

  • Anonymous
    December 30, 2010
    Craig Walls Post worked for me. Thanks! I have been trying to figure this out all day...

  • Anonymous
    March 31, 2011
    What is the fix for those machines that have already been deployed before catching that System Restore is disabled? To my knowledge, there is no option via GPO to "enable" system restore - only an option to disable it. Any ideas on that, guys?

  • Anonymous
    July 08, 2011
    Is there any easy way to turn it back on to systems I've already pushed out?  I have probably 30 machines out there before I figured it out and found this thread :(

  • Anonymous
    November 21, 2013
    We have this exact issue in SCCM 2012 SP1 with MDT 2012 integrated.  I see in the sms log that zticopylogs.wsf runs; however system restore is not turned back on.