You’ve spent hours perfecting your MDT Task Sequence. You’ve implemented extensive guides, read the best books, and tested everything in your virtual environment. When you first start imaging, some of your machines mysteriously stop during the Task Sequence. Each broken machine had the same error message: Dirty Environment Found.
What does this message mean? How can we fix it? And most importantly, how can we stop it from ever coming back?
What Does Dirty Environment Found Error Actually Mean?
MDT is an amazingly flexible imaging solution! One of the biggest features is it’s ability to self repair. As a machine processes a task sequence, it records its progress. One indication of this progress is the MININT folder in the root of C:\. This is great until something like an unexpected reboot happens. When this occurs, you will receive the Dirty Environment Found error message. Your client will ask you whether you would like to start a new deployment or pick up where the other one left off.
The Dirty Environment Found error can occur in two places: in the pre-installation environment (PE) and in Windows. When you see this message in Windows PE, you can be fairly certain that the machine did successfully finish it’s previous Task Sequence. Most of the time, you will want to select Yes to start a new deployment. If you see this message in Windows, something interrupted the current Task Sequence. On production machines, you will probably select No to continue the existing deployment.
How do I fix the Dirty Environment Found error?
If you are regularly receiving the existing in-progress deployment error in the Windows environment, you have something that is breaking your Task Sequence. Here are some possible causes:
- An application in your Task Sequence that is causing an unexpected reboot.
- A MSI being deployed with Group Policy that is causing an unexpected reboot.
- A GPO that is stopping the Task Sequence
If you suspect an application within your Task Sequence, disable that specific task and restart your Task Sequence. If the Task Sequence breaks again, you will need to add a No Restart parameter to your application. This parameter can be found with the Ultimate EXE Silent Switch Finder, by running /? after the setup, or found on IT Ninja.
If you believe Group Policy Software Installation is causing the unexpected reboot, try to find and isolate the offending policy. You can use the Event Viewer to help you find the application that caused the reboot. Once found, you will either need provide a No Restart parameter or apply a WMI filter to the policy that is only true once a Task Sequence has finished. The No Restart parameter is more efficient than a WMI filter.
There are times where you must use a WMI filter. Crafting one is easy though! When a Task Sequence successfully completes, the logs files are moved to C:\Windows\Temp\. This filter will check for the existence of that folder and not apply GPOs until the Task Sequence finishes:
Select * From CIM_Directory Where Name = ‘C:\\Windows\\Temp\\DeploymentLogs’
Certain Group Policy settings can also break a Task Sequence. The three most common culprits are:
- GPOs that change the local administrator password
- Policies that configure automatic logon (such as for a kiosk machine)
- Consent/User Agreement Prompts
You can use the WMI filter above to fix these Group Policy settings. By modifying your Task Sequence and your Group Policy environment, you can prevent the Dirty Environment Found errors and successfully image more machines! If you have seen this message in other places or if you have other solutions, leave a comment and help your IT brethren out!
I am getting this for MDT Offline Media install, it reboots and goes back to USB. How do I fix this?
Does it do this as soon as the task sequence starts?
I am getting dirty environment when PC reboots when performing windows update post application process.
pre application works well.
Argh… Problem here turned out to be so simple. Someone had changed the boot order in the BIOS on the client pc so the USB drive was ahead of the Hard disk. As soon as it rebooted it went straight to the USB drive and booted there thus going back into the litetouch process and discovering there was a process that hadn’t completed. The image had never completed it’s last steps which require it to boot off the newly laid down image on the HD.
Simple fix. Hope this saves someone some time.
Sometimes, the simplest things take the longest to fix! I once spent a summer trying to get MDT to image X64 machines – turned out that I was forcing the X86 boot image to load for X64 machines. I felt really dumb after that (but gained a complete understanding of the boot process). 🙂
Great post. I’m getting Dirty environment messages with my Windows 10 deployments. Where in the task sequence do you stick the WMI query you mentioned above?
Thanks Jason! If you get this every time, you have something breaking in your deployment.
To answer your question, stick the WMI query in your GPO that is breaking the deployment.
I get the same error when I start a LiteTouch Installation without completing it. I have been working on a script to put into my WinPE disk that will delete the MININT folder and “litetouch shortcut” in the “startup folder” BEFORE it kicks off the new installation.
has anyone else done this?
You can modify the startup in WinPE to call a script and then launch LiteTouch. Why are you seeing this message though? Are your deployments failing?
I’m finding that when imaging several machines (ie a lab) with mdt some computers will seem not to have been completed. Example: After htting CTRL-ALT-DEL I get prompted for the administrator password instead of the username/password prompt. Hitting switch user will get the normal login screen but then we are finding that some Office files are missing. When we start Word it complains “The program can’t start because gdiplus.dll is missing from your computer. Try reinstalling..” Excel complains as well.
If we image one computer at a time the problem doesn’t happen.
Hey Jason – it sounds like you are losing a network connection. Do you use multicasting to distribute the content?
I’m having a slightly different problem. I’m getting the Dirty Environment Found Error when i’m trying to capture an image of a Windows 2008 server. The server is an VM and i have removed from the server from AD. It’s running as local group. Removed all the Apps and VMWare tools. I’m running MDT 2013.
Can you email me your zti log? My email is in the top right of this page.
I got this message because, when i am starting the MDT and going to do som other tasks and when the pc-restartes and Windows PE USB drive is still on the pc. The PC choose to start the MDT-process igen.
Just take the USB out and restart the pc. Its all doen.
Thanks for the tip!
I’m a fan of having some kind of “Deployment” or “New PC” OU in Active Directory that doesn’t have any Group Policy applied to it and (if necessary) *gasp* has Inheritance blocked. For smaller scale deployments, you can easily move the computer objects to their permanent home after the OS deployment is done. For larger shops, you can use PowerShell or an Orchestrater Runbook to move the PC as one of the final task sequences.
Great method Kyle! That would be one of the few cases where blocked inheritance wouldn’t be so bad. If you have a script/task to move a pc, would you mind sharing it?
In my case I had to do what Kyle was suggesting because the company’s Disclaimer was stopped the MDT image until someone pressed the OK on the disclaimer. I have seen these Dirty Envirorment message and sometimes it was a mystery because it happened randomly. I run diskpart/clean and all is well. Other times it was software application (Cisco Anyconnect) that was causing it. I had to not make it an application on MDT and have MDT copy all of the cisco content onto the local box then it runs a batch file to install it. Lot of work right.
Kyle’s method is a good one. Because MDT has so many steps, it can have some quirky problems. Still the best free way to image around though!
I have an entry in my unattend that overrides (disables) the security banner, or disclaimer. Then, I have a simple script (WSF) that re-enables it as a Run Command line. I can show it to you if you’d like. Its never once failed.
When you can, post that in a comment here!
I have the same issue with cisco anyconnect and even though I have copied the source files locally and run as a batch file and as a powershell script I still get the same issue. Would you be able to elaborate on what you did?