Microsoft Deployment Toolkit (MDT) build 8443

The Microsoft Deployment Toolkit (MDT), build 8443, is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, available on the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.14393.0).

You may notice that we are not tagging this release with a year or update version. To better align with the current branches of Windows 10 and Configuration Manager, and to simplify the branding and release process, we are now just referring to it as the “Microsoft Deployment Toolkit”, using the build number to distinguish each release. This is not necessarily a “current branch” of MDT; we are committed to updating MDT as needed with revisions to Windows, the Windows ADK, and Configuration Manager.

Here is a summary of the significant changes in this build of MDT:

  • Supported configuration updates
    • Windows ADK for Windows 10, version 1607
    • Windows 10, version 1607
    • Windows Server 2016
    • Configuration Manager, version 1606
  • Quality updates
    • Deployment Wizard scaling on high DPI devices
    • Johan’s “uber bug” for computer replace scenario
    • Multiple fixes for the Windows 10 in-place upgrade scenario
    • Several fixes to Configure ADDS step
    • Removed imagex/ocsetup dependencies, rely solely on DISM
    • Includes the latest Configuration Manager task sequence binaries (version 1606)

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

MDT 2013 Update 2 (6.3.8330) Released

The Microsoft Deployment Toolkit (MDT) 2013 Update 2 (6.3.8330) is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, available on the Microsoft Hardware Dev Center. (Note that there are known issues with the v1511 release of the Windows 10 ADK and System Center Configuration Manager; these issues do not directly affect MDT although may still impact ZTI or UDI scenarios.)

MDT 2013 Update 2 is primarily a quality release; there are no new major features. The following is a summary of the significant changes in this update:

  • Security- and cryptographic-related improvements:
    • Relaxed permissions on newly created deployment shares (still secure by default, but now also functional by default)
    • Creating deployment shares via Windows PowerShell adds same default permissions
    • Updated hash algorithm usage from SHA1 to SHA256
  • Includes the latest Configuration Manager task sequence binaries
  • Enhanced user experience for Windows 10 in-place upgrade task sequence
  • Enhanced split WIM functionality
  • Fixed OSDJoinAccount account usage in UDI scenario
  • Fixed issues with installation of Windows 10 language packs
  • Various accessibility improvements
  • Monitoring correctly displays progress for all scenarios including upgrade
  • Improvements to smsts.log verbosity

There are no other new release notes or significant known issues. See the previous post for more information as much of it is still applicable (other than the fix list above).

See the following post on How to get help with MDT.

Frequently Asked Questions

In anticipation of some questions that you may have about this release (or MDT in general):

Q: Should I expect a release of MDT with every new Windows 10 and/or Configuration Manager build release?

No. We shipped multiple MDT releases this year due to the timing of Windows 10 and Configuration Manager releases, but do not intend to keep that same cadence going forward.

Q: What branches of Windows 10 does MDT support?

MDT supports both the current branch of Windows 10 as well as the long-term servicing branch.

Q: What branches of System Center Configuration Manager does MDT support?

For ZTI and UDI scenarios MDT 2013 Update 2 supports the current branch of System Center Configuration Manager (currently version 1511) for an integrated solution for deploying Windows 10 current branch as well as prior Windows versions.

Q: When is the next planned release of MDT?

We do not currently have a timeframe. We will release any tactical changes as needed which may be required to support new builds of Windows 10 or Configuration Manager, but do not currently expect this to be needed.

Q: Is this the last release of MDT?

No, we will continue to iterate and invest in the product.

Q: Why is it still “MDT 2013” when the year is almost 2016?

Two primary reasons. First, we have only made minor changes to MDT which in our opinion does not constitute a major version revision. Second, per the MDT support lifecycle, a new major version will drop support for MDT2012 Update 1 which still supports legacy platforms.

Source

MDT 2013 Update 1 Now Available

The Microsoft Deployment Toolkit (MDT) 2013 Update 1 is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, available on the Microsoft Hardware Dev Center. (Scroll to the bottom of the page to the section, “Customize, assess, and deploy Windows on your hardware.” The page also includes other Windows kits; remember for deployment you only need the Windows ADK for Windows 10.)

Significant changes in MDT 2013 Update 1:

  • Support for the Windows Assessment and Deployment Kit (ADK) for Windows 10
  • Support for deployment and upgrade of Windows 10
  • Support for integration with System Center 2012 R2 Configuration Manager SP1 with the Windows 10 ADK (seethis post on the Configuration Manager Team blog for more information on using the Windows 10 ADK with Configuration Manager)

Here is a more detailed list of some specific changes in this release:

  • Support for new Enterprise LTSB and Education editions of Windows 10
  • Support for modern app (.appx) dependencies and bundles
  • Improved support for split image files (.swm)
  • Switched to using DISM for imaging processes (instead of deprecated ImageX)
  • Deployment Workbench revisions for deprecated content
  • Enhanced accessibility within the Deployment Workbench
  • Revised lists of time zones, regions and languages in the Deployment Wizard
  • Removed Start menu shortcut for “Remove PXE Filter”
  • Several MVP recommended fixes for Windows Updates, password handling, and PowerShell cmdlets
  • Added missing OOBE settings to Unattend.xml
  • Unattend.xml default screen resolution changed to allow for automatic scaling
  • Updated task sequence binaries from System Center 2012 R2 Configuration Manager SP1
  • New GetMajorMinorVersion function for integer comparison of Windows version numbers

Windows ADK for Windows 10

ownload the Windows Assessment and Deployment Kit (ADK) for Windows 10 to get the new and improved deployment tools used to automate a large-scale deployment of Windows 10. The Windows ADK includes:

  • Windows Imaging and Configuration Designer (Windows ICD) to customize Windows 10 images
  • The Windows Assessment Toolkit and the Windows Performance Toolkit to assess the quality and performance of systems or components
  • Several tools that are designed to help you deploy Windows

Learn about what’s new in the Windows ADK for Windows 10

Download the Windows ADK for Windows 10

Microsoft Deployment Toolkit 2013 Update 1 Preview Now Available

The Enterprise Client Management team is happy to announce the availability of the Microsoft Deployment Toolkit (MDT) 2013 Update 1 Preview!

What’s new with MDT 2013 Update 1 Preview:

  • Support for the Windows 10 Technical Preview (LTI only) and the Windows Assessment and Deployment Kit (ADK) for Windows 10 Technical Preview
  • Split WIM support for UEFI media scenarios
  • Completely revised Windows version logic including changes from string to integer comparison (“10” !> “6” but 10 > 6) and a new ZTIUtility function, GetMajorMinorVersion
  • Minor revisions to Deployment Workbench console interface

To Do List:

  1. Download the installer from the MDT Connect portal.
  2. Download the prerequisite Windows ADK for Windows 10 Technical Preview from the Microsoft Download Center.
  3. Try MDT 2013 Update 1 Preview (lab only!) and then submit suggestions, bugs and feedback via the Connect portal. (You are welcome to post comments here, but make your feedback actionable by posting on Connect.)

(New members must first join the MDT group of the Client Management program on Connect.)

MDT Create your own Default Task Sequence

MDT is a greate tool, You can create your own Default Task Sequence for Clients Servers!!

Normal i need to customize every Task Sequence that i create and that is so boring!!

I Create in this example a task sequence (ID & NAME) Server and Changed some things things like Windows Update.

image

So now go to to that Folder \\DeploymentShare\Control\Server
image

Copy the TS.XML

Go to: C:\Program Files\Microsoft Deployment Toolkit\Templates & save the TS.XML File

image

Rename the TS.xml file. I my demo Ward Server Deployment.xml

Edit the Name and the Description:image

image

When you maken now what to make a new Task Sequence, You will see Ward Server Deployment Listed. Freaking Awesome!!

image

Exchange Administrator’s toolkit

There are lots of tools for Exchange Server available, you can find most of them at the Exchange Server Wiki (some of the tools listed are for previous versions of Exchange).

Here is a short selection from the vast collection available:

MDT v.Next Coming….

New core tools

Windows 10 ADK supports Windows 7, Windows 8.1 and Windows 10 deployments.

Windows Image Configuration Designer (WICD), pronounced Wicked ?   🙂  Is supposed to be able to build a customized mobile or desktop image, and also create provisioning packages that allow you to customize a Windows device, without re-imaging.

Microsoft Deployment Toolkit v.Next (MDT) (standalone)

New upcoming version of MDT is in development, not much info presented yet, but a few items were mentioned in the session:

Windows 10 Deployment and Upgrade Support, as well as updated Task Sequence binaries

Removed deprecated components from Deployment Workbench, and making OSD more accessibility compliant.

MDT documentation will be on TechNet (removed legacy help file and DOCX)

Hyper-V Configuration Toolkit

Mark Scholman has been working on a new script project to configure Hyper-V hosts.

This tool allows you to configure hyper-v hosts. It is using the converged network setup as described in this blog post. What it does is the following:

  • Rename Adapters
  • Create Teams
  • Create Tnics
  • Set Network Config (MGT,LM,CSV)
  • Join Server to the Domain
  • Create a server-local administrators group in the domain
  • Allows you to create a new or join an existing cluster
  • Configure Cluster network names
  • Configure Cluster Live migration subnet

On the to-do list is the following and will be added with upcoming releases:

  • Configure Storage network (iSCSI & SMB3)
  • Use of different topologies for converged networking as described here
  • Using Jea or PSCustomSessionConfiguration for deployment of Hyper-V hosts

How to use the tool:

On the newly provisioned Hyper-V Server start the Deploy-HyperVHost.ps1. On the Configure Nic’s tab select the adapters you want to use for Management (MGT / LM / CSV) and click “Set Management Adapters”:

Notice the list box will refresh with the new names for the adapters. Next select the adapters you want to use for VM Network and click “Set VMNet Adapters”

Finally configure Storage adapters:

Result is that we have configured all adapters now with a logical name we can use in the rest of the deployment:

Side note: I used 2 adapters for each team configuration, but you can use for example 3 adapters or 4 adapters for Management and 2 or 3 for the VMNet. The script is intelligent on using the logical names and reusing them in the Team setup.

Next part is to setup the host parameters and start the deployment of the host. Go to the tab “Configure host”

We need to specify the next parameters:
Host Name
The name of the server.
Domain Name
The domain to join the server to.
Management IP
The ip address for the management interface.
Management VLAN
If you’re using vlans specify the vlan id. Untagged is vlan 1.
Management gateway
The gateway for the management network.
Live Migration IP
The ip address for live migration (LM) communication
Live Migration VLAN
The VLAN id used for the LM network.
CSV IP
Cluster IP Address.
CSV VLAN
Cluster VLAN ID.
Primary DNS
The Primary DNS server to use for management network.
Secondary DNS (optional)
If applicable: The second DNS server for the management network.
Domain Controller Name
The Name of a Domain Controller. (needs remote Powershell enabled)
Local Admin Group Name (optional)
Name of a Domain group what is configured to be Local Administrator on the host
Group OU Path (optional)
The OU DN where the group needs to be created.
LAB: Build HyperV on HyperV

Used for demo purposes when you want to run this tool in a Hyper-V Virtual Machine. (Team settings and Hyper-V Role modification in the VM)

Next click on the “Deploy Host” button and enter domain admin credentials

Now wait until the server automatically reboots. While server is rebooting you can verify that the computer is in the domain and the local group is created:

When the server is rebooted login as the domain admin and start the Deployment tool again.

The last tab is for Configure the Cluster. You can create a new cluster:

Or add the node to an existing cluster:

Download the script http://gallery.technet.microsoft.com/Hyper-V-Deployment-Tool-419679d3