Thursday, February 3, 2011

Windows 7 Startup Repair Disjoining System From Domain

We have recently run into the following issue:

Startup Repair : The Startup Repair tool can solve many common startup problems automatically. Startup Repair performs an exhaustive analysis to diagnose your startup problems, including analyzing boot sectors, the Boot Manager, disk configuration, disk integrity, BCD registry file integrity, system file integrity, registry integrity, boot logs, and event logs. It will then attempt to solve the problem, which may involve repairing configuration files, solving simple disk problems, replacing missing system files, or running System Restore to return the computer to an earlier state. Because Startup Repair performs these tasks automatically, you can solve startup problems much faster than performing the analysis and repair manually.


In our case, this behavior is disjoining our systems from the domain because it is restoring the system back to its original image. It blows away most if not all of the installed software. I'm not convinced Startup Repair is making the right choice.

How can this be disabled if we choose to do so, and can it be disabled globally (bcdedit?)? If it is disabled, would the systems then just "Blue Screen" when a similar event occurs?

Let me know if any of you have had to deal with this issue, or what really is the best practice here. I would hate for a large power failure etc. to cause 100 systems to invoke Startup Repair and disjoin themselves.

Thanks

  • This should do the trick:

    bcdedit /set {default} bootstatuspolicy ignoreallfailures

    or

    bcdedit /set {default} recoveryenabled No

    Also, you can clear the registry key here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute

    (Haven't tried this yet, but it looks promising)

    Windows self-repair... never quite what I was hoping for.

    As for automating, it looks like bcdedit has /save and /import flags - so if that export is transferable to another system, you should be able to roll that into a login script easily.


    (pre-edit idealistic thinking) Sorry if I'm oversimplifying, but if you take a system snapshot after the system is completely set up (or update your image to include that snapshot), I'd think that would cause the automatic rollback to revert to the state you're hoping for.

    Kev : You make a good point, however I still would not want the system ever to do a System Restore on its own. I would like to prevent the ability for the Startup Repair to be able to invoke any rollback without administrator intervention.
    Kara Marfia : I'm curious about what you'd be worried would happen? This seems like it would generally be helpful, but maybe I'm missing something about how it works?
    Kev : I am worried about this happening in large numbers, such as a power event which hard powers down, say, 500 systems. A percentage of them with boot issues may run the System Restore, which will: 1. Disjoin the machine from the domain, Roll Back Software, Updates, Antivirus etc. 2. Even if we take a snapshot going forward after the domain is joined or as a part of the image, if this happens the secure channel between the machine and the domain may not auth depending how long it's been. 3. It just seems like the potential is there for a messy situation requiring admin intervention
    Kara Marfia : Thanks, I can see that now. Especially since my home system lost power yesterday and I got to experience this firsthand... I'll be editing the settings in once I finish reading. SRT seems a bit *overaggressive* in its desire to back up to restore points.
    Kev : So basically this is an all or nothing setting? If the change is made with bcdedit, then will you lose all of the benefits that Startup Repair could provide? I wish this was tuneable so that you could just prevent startup repair from invoking the rollback, but it could still do "Other" repairs etc.
    Kara Marfia : I couldn't find anything in group policy, other than denying user access to system restore. I agree it seems ridiculous to leave this feature un-manageable, but maybe they wanted to save something for win8.
    Kev : I am surprised to not see much about this "Problem" out there on the 'Net. I think it could become a larger issue for admins. Is there any way to escalate this so that it gets more attention?
    Kev : I may need to see if there is a script that I can write that will invoke the command above.
    Kev : http://www.reddit.com/r/geek/comments/c7oa4/ill_just_run_windows_7_startup_repair_since_i/
    Kev : bcdedit /set {current} bootstatuspolicy ignoreallfailures - I had to use this command - FYI
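
The script idea raised in the comments, as an added example that is not from the original thread: it reads the running OS entry with bcdedit, reports whether the two values named in the answer are set, and changes them only when run with -Apply. The -Apply switch and the function name are hypothetical; the script assumes an elevated session and English bcdedit output.

```powershell
# Added example (not from the original thread).
# Audits the two BCD values named in the answer; changes them only with -Apply.
# Assumptions: elevated PowerShell session, English bcdedit output.
param([switch]$Apply)   # -Apply is a switch of this script, not of bcdedit

# Desired values, taken from the commands quoted in the answer and comments.
# Drop one entry if you only want one of the two settings managed.
$desired = [ordered]@{
    bootstatuspolicy = 'IgnoreAllFailures'
    recoveryenabled  = 'No'
}

function Get-BcdCurrent {
    # Parse the "name    value" lines of the running OS boot entry.
    $out = & bcdedit.exe /enum '{current}'
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (not elevated?): $out" }
    $map = @{}
    foreach ($line in $out) {
        if ($line -match '^(\S+)\s+(.+)$') {
            $map[$Matches[1].ToLower()] = $Matches[2].Trim()
        }
    }
    return $map
}

$current = Get-BcdCurrent
$drift = 0
foreach ($name in $desired.Keys) {
    $have = $current[$name]          # $null when the element is not set at all
    if ($have -eq $desired[$name]) { # string -eq is case-insensitive
        Write-Output "OK     $name = $have"
        continue
    }
    $shown = if ($have) { $have } else { '<not set>' }
    Write-Output "DRIFT  $name = $shown (want $($desired[$name]))"
    if ($Apply) {
        & bcdedit.exe /set '{current}' $name $desired[$name] | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $name failed" }
        Write-Output "SET    $name = $($desired[$name])"
    } else {
        $drift++
    }
}
exit $drift   # non-zero means values still differ from the desired state
```

Run without -Apply first to see which machines differ; the exit code is the number of values still out of line, so a deployment tool can collect it.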
