Create a custom Deployment Wizard pane for Updates (MDT)

Note: This blogpost is also posted on my personal blog:

One of the great things about the Microsoft Deployment Toolkit (MDT) is that it’s a very open product. All the scripts are customizable, including the Deployment Wizard. We can add new functionality to the deployment procedure and add wizard pages so we can choose to use those new functions (or not) with each new deployment. Microsoft encourages creativity for this particular product. One of the functions I wanted to create a wizard page for was the deployment of updates. I wanted to be able to choose between a quick OS deployment for test purposes (no updates) and a slower, more production-worthy deployment (with updates). And since I take my deployment VM on the road with me, I wanted the ability to choose whether the updates are downloaded from Microsoft Update or a client’s WSUS server. The result looks like this:

Result Update Pane


Add WSUS Target Group option to MDT deployments

Note: This blogpost is also posted on my personal blog:

One of the great features you get when deploying a Windows operating system using my favorite deployment tool, the Microsoft Deployment Toolkit (MDT), is the ability to update the OS using either Windows Update or a local WSUS server. The latter is obviously preferred because it’s a lot quicker and you have better control over what updates you want to install. WSUS has a feature called Target groups, which you can utilize for managing update approvals for a group of computers. This way you’ll be able to approve or decline specific updates for Remote Desktop Session hosts or Exchange servers etc. While MDT lets you specify a WSUS server to get updates from, there’s no way to specify the target group you want to receive updates from. Let’s fix that, shall we?

Using special characters in Microsoft Deployment Toolkit (model name)

Currently we are working at a customer to set up a new environment.
To make this as easy as possible we are using the Microsoft Deployment Toolkit (MDT).

This will make it very easy to install computers with a new OS and the correct drivers.

However, when the targeted computer uses special characters like “/” in the WMI hostname, MDT runs into problems, as the MDT workbench doesn’t allow special characters like “/”.

The specified new name must not contain special characters


MDT: Select operating system based on computer name

By default a single operating system is linked to a task sequence in Microsoft Deployment Toolkit (MDT). This means that if you have different operating systems you need to build (and maintain) a task sequence for each operating system.

A customer has different client types and wants to use a single task sequence to deploy different images. For this purpose a custom task is added that selects an operating system based on the prefix of the provided computer’s name.


MDT: Set default domain in LiteTouch

When a machine boots Microsoft Deployment Toolkit (MDT) LiteTouch via Windows PE it requires credentials to connect to the deployment share. By default the user name, password and domain are required fields. In most environments the domain is the same for most users, making it user friendly to configure a default domain.

[Screenshots: User Credentials - Default; User Credentials - DOMAIN]


MDT: Secure the Deployment Share

With a default installation of Microsoft Deployment Toolkit (MDT) the Deployment Share is not secure. All users are allowed to read / write, which makes it vulnerable to unauthorized access and possibly exposes access to (installation) passwords.

The default permissions on a folder are:

  • Administrators – Full Control
  • CREATOR OWNER – Full Control
  • SYSTEM – Full Control
  • Users – Read & Execute + Create file / write data + Create Folders / append data


MDT: Filter task sequences on Active Directory group membership

By default, task sequences in Microsoft Deployment Toolkit (MDT) are available to all users; there is no access control list (ACL). This means that you can’t filter certain task sequences for a group of users, while you might not want all users to execute all task sequences.

For instance, I don’t want all users to run an unattended setup; I only want them to deploy a captured image (MDT can inject model specific drivers, so no harm done). However, the more advanced users should be able to run all task sequences, including the unattended installations.


[Screenshots: Windows Deployment Wizard - Task Sequence - Deploy only; Windows Deployment Wizard - Task Sequence - All]


MDT: Force users to supply an OSD computer name (MININT)

Machines that are deployed via Microsoft Deployment Toolkit (MDT) are given a computer name during installation. By default this is a generated computer name similar to “MININT-79S84T2”.

Since the GUI of MDT is quite slow – and won’t show an hourglass – I noticed people tend to click [Next] twice on the previous screen. As a result they automatically accept the generated computer name instead of providing their own. It’s more friendly to block the [Next] button on the Computer Details screen so users are forced to provide a proper computer name.

[Screenshots: Windows Deployment Wizard - Computer Details - MININT-79S84T2; Windows Deployment Wizard - Computer Details - !Invullen]
