Kaseya Community

Agent Procedure to configure BCDedit does not work


We have several hundred Windows 10 computers on campus Frozen with Deepfreeze to prevent unauthorized changes.  We turned off Deepfreeze and let updates run over the holidays, so they would be on Win10 Version 1809.  Windows now displays a startup repair prompt that requires user intervention to proceed to the OS.  According to DeepFreeze, the fix is to thaw, run the command "bcdedit /set {current} bootstatuspolicy ignoreallfailures" and then freeze.  I was able to verify this appears to fix the issue by manually entering this command.

I am having major difficulty creating an agent procedure to run this command on all machines.

What Works:

  • Locally right clicking on CMD, running as administrator, and entering "bcdedit /set {current} bootstatuspolicy ignoreallfailures" works
  • Locally right clicking on CMD, running as administrator, and entering "powershell.exe -command bcdedit /set '{current}' bootstatuspolicy ignoreallfailures;" works
  • In Kaseya LiveConnect Command Prompt entering "bcdedit /set {current} bootstatuspolicy ignoreallfailures" works
  • In Kaseya LiveConnect PowerShell entering "bcdedit /set '{current}' bootstatuspolicy ignoreallfailures" works

These 3 Procedures Don't Work:

  • executeshellcommand ("bcdedit /set {current} bootstatuspolicy ignoreallfailures", "Execute as System", "All Operating systems", "Continue on Fail")
  • executeshellcommand ("powershell.exe -command bcdedit /set '{current}' bootstatuspolicy ignoreallfailures;", "Execute as System", "All Operating systems", "Continue on Fail")
  • executePowershell (" ", "bcdedit /set '{current}' bootstatuspolicy ignoreallfailures", false, "All Operating systems", "Continue on Fail")

Assuming it may not be able to run as system, needs to run with local admin rights, and needs to bypass UAC, I also tried the following large procedure:

  • setRegistryValue ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "0", "REG_DWORD", "All Operating systems", "Continue on Fail")
  • pauseProcedure (10, "All Operating systems", "Continue on Fail")
  • impersonateUser ("UserWithLocalAdminRights", "******", "Our.Domain.TLD", "All Operating systems", "Continue on Fail")
  • executeshellcommand ("bcdedit /set {current} bootstatuspolicy ignoreallfailures", "Execute as User", "All Operating systems", "Continue on Fail")
  • setRegistryValue ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "5", "REG_DWORD", "All Operating systems", "Continue on Fail")

The majority of the time these procedures say they completed with a status of "Success", but the setting "bootstatuspolicy" has not actually been created with a value of "ignoreallfailures" when I manually enter "bcdboot" via local command line, powershell, or LiveConnect in CMD or PS.

Does anybody know what I am doing wrong here?  Thanks in advance for any help you can give.

All Replies
  • I believe I found the answer, and wanted to post it in case others need this information.  I was able to find a somewhat similar script by Craig Allen, called KRC to Safe Mode.  Apparently it needs to run in a 64-bit shell.  It appears the procedure runs as expected when written as below.  I will attempt to validate this configuration and verify it works on more than 1 test system.

    executeshellcommand ("bcdedit /set {current} bootstatuspolicy ignoreallfailures", "Execute as System in 64-bit shell", "All Operating systems", "Continue on Fail")

  • Thanks for following up with more info on this -- I've also run into issues with Deep Freeze causing Windows to boot to an Automatic Repair screen that results in nothing but an unusable computer.  I just used psexec to run the bcdedit fix remotely on all of our machines running DF, but it's good to know that this can be done with a Kaseya procedure if needed.
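
The 64-bit shell requirement and the misleading "Success" status described in this thread, handled in one script. This is an added example, not code from the thread or from Kaseya. It assumes the 32-bit shell failed because of WOW64 file system redirection (a 32-bit process asking for System32 is sent to SysWOW64, where bcdedit.exe is not present) and that bcdedit prints English element names; the function names are hypothetical.

```powershell
# Added example: apply the bootstatuspolicy fix from a 32-bit or 64-bit shell,
# then confirm the value was written. Run elevated or as SYSTEM.

function Get-NativeBcdEditPath {
    # In a 32-bit process on 64-bit Windows, the Sysnative alias reaches the
    # real 64-bit System32. In a native process, System32 is used directly.
    $is32On64 = [Environment]::Is64BitOperatingSystem -and
                -not [Environment]::Is64BitProcess
    $dir = if ($is32On64) { Join-Path $env:windir 'Sysnative' }
           else           { Join-Path $env:windir 'System32' }
    $path = Join-Path $dir 'bcdedit.exe'
    if (-not (Test-Path -LiteralPath $path)) {
        throw "bcdedit.exe not found at $path"
    }
    return $path
}

function Get-BootStatusPolicy {
    param([Parameter(Mandatory)][string]$BcdEdit)
    # Read the current boot entry back and extract the bootstatuspolicy value.
    $out = & $BcdEdit /enum '{current}'
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum exited with $LASTEXITCODE" }
    foreach ($line in $out) {
        if ($line -match '^\s*bootstatuspolicy\s+(\S+)') { return $Matches[1] }
    }
    return $null   # element is not set on this boot entry
}

try {
    $bcdedit = Get-NativeBcdEditPath
    # Braces must be quoted in PowerShell, as in the working commands above.
    & $bcdedit /set '{current}' bootstatuspolicy ignoreallfailures | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set exited with $LASTEXITCODE" }

    $policy = Get-BootStatusPolicy -BcdEdit $bcdedit
    if ($policy -ne 'IgnoreAllFailures') {
        throw "bootstatuspolicy is '$policy' after the change"
    }
    Write-Output "OK: bootstatuspolicy = $policy (via $bcdedit)"
    exit 0
}
catch {
    # A non-zero exit code lets the calling procedure detect the failure
    # instead of recording a success that changed nothing.
    Write-Output "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The read-back step is the part to keep even when the 64-bit shell option is used, since it checks the result rather than trusting the step's reported status.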