Configuration Manager OSD Post Action and the Evil Twin

There are many great reasons to run a script to perform actions at the end of your OS Deployment after the Task Sequence engine has shut down.  You may the client check in to get policy right away, trigger an AV signature update, or refresh Group Policy.  You can do this by setting the action to run using the SMSTSPostAction variable.

If you have written a PowerShell script with logging to perform this you may have noticed that your script runs TWICE! Depending on what your script is doing this can cause undesired side effects and result in general tomfoolery.

This is not a new issue, in searching the interwebs, it seems this issue has existed since the feature was introduced in the Configuration Manager 2012 SP1 release. A user on Microsoft’s support forum thread aptly dubbed this the “Evil Twin”.  He also posted his proposed fix for this on the same forum thread you can find at https://social.technet.microsoft.com/Forums/en-US/2244fb88-0443-4c94-bf7a-b42cc4ee5c21/smstspostaction-running-twice.

Spotting the Evil Twin

In the below screenshot of the SMSTS.LOG you can see the post action is executed by the TSManager at 1:12:10 PM and then three seconds later by the OSDSetupHook at 1:12:13 PM.

Vanquish the Evil Twin

The proposed fix in the Microsoft forum leverages a flag file to determine duplicate instances of the script. This is not an approach I like to use unless I have no other method as it does not feel clean.  I took the approach of leveraging WMI to detect all instances of PowerShell.exe where the OSD.ps1 script was running in memory and checked the creation time stamp to determine which instance was created first.  If the current process was not the first, then it gracefully exits out and avoids the potential unsaid chaos caused by the evil twin.


#// Check for multiple instances - and exit if not first created instance
$process = gwmi -query "Select ProcessId, CreationDate, Commandline From WIn32_Process Where Name = 'powershell.exe' and CommandLine like '%osd.ps1%'"
If ($process.Count -gt 1) {
    #// Get current script process creation time stamp
    $p1 = [Management.ManagementDateTimeConverter]::ToDateTime(($process | Where ProcessID -eq $pid).CreationDate)

    #// Compare start timestamp against other scripts
    ForEach ($p in $process | Where ProcessID -ne $pid) {
        $p2 = [Management.ManagementDateTimeConverter]::ToDateTime($p.CreationDate)
        If ($p2 -lt $p1) {
            Write-Host "DUPLICATE: ($($p.ProcessId)) [$p2] duplicate of ($pid) [$p1]"
            Exit 52
        }
    }
}

Configuring Your Post Action

When building OS Deployment Task Sequences for my clients, I avoid setting TS variables as steps and set them as part of my UI++ implementation when configuring the LTI experience. I leverage the OSD Helper Script for configurations, including the post action step setting the SMSTSPostAction variable as follows:

<Action Type=”TSVar” Name=”SMSTSPostaction”>Powershell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -File C:\WINDOWS\CCM\Scripts\OSD.ps1 -mode:config -submode:postaction</Action>

Share:

Facebook
Twitter
LinkedIn

Contact Us

=
On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=