The Microsoft Deployment Toolkit (MDT), build 8450, is now available on the Microsoft Download Center. This update supports the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1709, available on the Microsoft Hardware Dev Center(adksetup.exe file version 10.1.16299.15).
Here is a summary of the significant changes in this build of MDT:
Supported configuration updates
Windows ADK for Windows 10, version 1709
Windows 10, version 1709
Configuration Manager, version 1710
Quality updates (titles of bug fixes)
Win10 Sideloaded App dependencies and license not installed
CaptureOnly task sequence doesn’t allow capturing an image
Error received when starting an MDT task sequence: Invalid DeploymentType value “” specified. The deployment will not proceed
ZTIMoveStateStore looks for the state store folder in the wrong location causing it to fail to move it
xml contains a simple typo that caused undesirable behavior
Install Roles & Features doesn’t work for Windows Server 2016 IIS Management Console feature
Browsing for OS images in the upgrade task sequence does not work when using folders
MDT tool improperly provisions the TPM into a Reduced Functionality State (see KB 4018657 for more information)
Updates to ZTIGather chassis type detection logic
Upgrade OS step leaves behind SetupComplete.cmd, breaking future deployments
Includes updated Configuration Manager task sequence binaries
The Microsoft Deployment Toolkit (MDT), build 8443, is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, available on the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.14393.0).
You may notice that we are not tagging this release with a year or update version. To better align with the current branches of Windows 10 and Configuration Manager, and to simplify the branding and release process, we are now just referring to it as the “Microsoft Deployment Toolkit”, using the build number to distinguish each release. This is not necessarily a “current branch” of MDT; we are committed to updating MDT as needed with revisions to Windows, the Windows ADK, and Configuration Manager.
Here is a summary of the significant changes in this build of MDT:
Supported configuration updates
Windows ADK for Windows 10, version 1607
Windows 10, version 1607
Windows Server 2016
Configuration Manager, version 1606
Quality updates
Deployment Wizard scaling on high DPI devices
Johan’s “uber bug” for computer replace scenario
Multiple fixes for the Windows 10 in-place upgrade scenario
Several fixes to Configure ADDS step
Removed imagex/ocsetup dependencies, rely solely on DISM
Includes the latest Configuration Manager task sequence binaries (version 1606)
This will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
To configure your environment for BitLocker, you will need to do the following:
Configure Active Directory for BitLocker.
Download the various BitLocker scripts and tools.
Configure the rules (CustomSettings.ini) for BitLocker.
Configure Active Directory for BitLocker
To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
Add the BitLocker Drive Encryption Administration Utilities
The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
On the Before you begin page, click Next.
On the Select installation type page, select Role-based or feature-based installation, and click Next.
On the Select destination server page, select DC01.contoso.com and click Next.
On the Select server roles page, click Next.
On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
On the Confirm installation selections page, click Install and then click Close.
Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
Create the BitLocker Group Policy
Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
Assign the name BitLocker Policy to the new Group Policy.
Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:
Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
Allow data recovery agent (default)
Save BitLocker recovery information to Active Directory Domain Services (default)
Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This )
Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.
Enable the Turn on TPM backup to Active Directory Domain Services policy.
(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)
Set permissions in Active Directory for BitLocker
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.
On DC01, start an elevated PowerShell prompt (run as Administrator).
Configure the permissions by running the following command:
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
Add BIOS configuration tools from Dell, HP, and Lenovo
If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.
Add tools from Dell
The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
And the sample content of the TPMEnable.REPSET file:
English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo
The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:
DC1; MDT01 and DHCPServer all in Subnet1. (IP Helper is set for DHCPServer for DHCP and for DC01 & MDT01 for DHCP and BootP – I checked serveral times if everything is right here) UEFI Client and BIOS Client in Subnet2.
Situation1 — Using no DHCP Options and WDS running (IP HELPER-ADDRESS): UEFI Client – Boots perfectly (contacting Server MDT01) BIOS Client – Boots perfectly (contacting Server MDT01)
Situaion2 — Using no DHCP Options and WDS just running on MDT01: UEFI Client – Does not boot (no error information is provided) BIOS Client – Does not boot (no Bootfilename recieved)
Situation3 — Using DHCP Options(Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01: UEFI Client – Does not boot (no error information is provided) BIOS Client – Boots perfectly (contacting Server DP1)
Situation4 — Using DHCP Options(Option 60=”PXEClient” Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01: UEFI Client – Boots perfectly (contacting Server DP1) BIOS Client – Does not boot (taking hours to recieve dhcp options..)
Solution:
On most switches you can configure ip helper-addresses. This is most time al ready configured for the use of DHCP.
Add the IP of the MDT server als ip helper-address:
Example:
interface Vlan100 description GEBRUIKERS VLAN ip address 192.168.101.254 255.255.254.0 show ip helper-address 192.168.25.6 (DC01) ip helper-address 192.168.25.7 (DC02) ip helper-address 192.168.25.30 (MDT01) end
Office 2010/2013/2016 supports integration of Updates by placing the MSP files in the Updates folder of the installation medium.
The challenge is more in getting all the update files. Fortunate there are a few great community users that have created WHDownloader for downloading these files and they also maintain the list of applicable updates for Office 2010 and Office 2013 and 2016
Download the Updates
1. Run WHDownloader.
2. Click the button in the upper left to download all latest update lists.
3. Select the Office 2016 version.
4. Configure a Download Target folder.
5. Select all General Updates and Hotfixes for downloading. Tip, right click and Select All.
The Microsoft Deployment Toolkit (MDT) 2013 Update 2 (6.3.8330) is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, available on the Microsoft Hardware Dev Center. (Note that there are known issues with the v1511 release of the Windows 10 ADK and System Center Configuration Manager; these issues do not directly affect MDT although may still impact ZTI or UDI scenarios.)
MDT 2013 Update 2 is primarily a quality release; there are no new major features. The following is a summary of the significant changes in this update:
Security- and cryptographic-related improvements:
Relaxed permissions on newly created deployment shares (still secure by default, but now also functional by default)
Creating deployment shares via Windows PowerShell adds same default permissions
Updated hash algorithm usage from SHA1 to SHA256
Includes the latest Configuration Manager task sequence binaries
Enhanced user experience for Windows 10 in-place upgrade task sequence
Enhanced split WIM functionality
Fixed OSDJoinAccount account usage in UDI scenario
Fixed issues with installation of Windows 10 language packs
Various accessibility improvements
Monitoring correctly displays progress for all scenarios including upgrade
Improvements to smsts.log verbosity
There are no other new release notes or significant known issues. See the previous post for more information as much of it is still applicable (other than the fix list above).
In anticipation of some questions that you may have about this release (or MDT in general):
Q: Should I expect a release of MDT with every new Windows 10 and/or Configuration Manager build release?
No. We shipped multiple MDT releases this year due to the timing of Windows 10 and Configuration Manager releases, but do not intend to keep that same cadence going forward.
Q: What branches of Windows 10 does MDT support?
MDT supports both the current branch of Windows 10 as well as the long-term servicing branch.
Q: What branches of System Center Configuration Manager does MDT support?
For ZTI and UDI scenarios MDT 2013 Update 2 supports the current branch of System Center Configuration Manager (currently version 1511) for an integrated solution for deploying Windows 10 current branch as well as prior Windows versions.
Q: When is the next planned release of MDT?
We do not currently have a timeframe. We will release any tactical changes as needed which may be required to support new builds of Windows 10 or Configuration Manager, but do not currently expect this to be needed.
Q: Is this the last release of MDT?
No, we will continue to iterate and invest in the product.
Q: Why is it still “MDT 2013” when the year is almost 2016?
Two primary reasons. First, we have only made minor changes to MDT which in our opinion does not constitute a major version revision. Second, per the MDT support lifecycle, a new major version will drop support for MDT2012 Update 1 which still supports legacy platforms.
The latest Windows 10 ADK update, build 10586, was silently released a few days ago (Thanks deploymentresearch for the download link). In this post you learn about what’s changed.
Warning: Do NOT upgrade your ConfigMgr 2012 R2 SP1 or MDT 2013 Update 1 environments to this build yet. For ConfigMgr, even though it seems to fix the x64 UEFI / PXE and Powershell/.NET issue, which is great, the new ADK does break Computer Refresh scenarios (Bare metal works). The error code is 0x80220014. Research and discussions with the product teams in progress… MDT 2013 Update 1 yet to be validated, but error comments on twitter does not give me a warm and fuzzy feeling.