The Microsoft Deployment Toolkit (MDT), build 8443, is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, available on the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.14393.0).
You may notice that we are not tagging this release with a year or update version. To better align with the current branches of Windows 10 and Configuration Manager, and to simplify the branding and release process, we are now just referring to it as the “Microsoft Deployment Toolkit”, using the build number to distinguish each release. This is not necessarily a “current branch” of MDT; we are committed to updating MDT as needed with revisions to Windows, the Windows ADK, and Configuration Manager.
Here is a summary of the significant changes in this build of MDT:
Supported configuration updates
Windows ADK for Windows 10, version 1607
Windows 10, version 1607
Windows Server 2016
Configuration Manager, version 1606
Quality updates
Deployment Wizard scaling on high DPI devices
Johan’s “uber bug” for computer replace scenario
Multiple fixes for the Windows 10 in-place upgrade scenario
Several fixes to Configure ADDS step
Removed imagex/ocsetup dependencies, rely solely on DISM
Includes the latest Configuration Manager task sequence binaries (version 1606)
IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.
Features
– Single click to secure your website using best practices – Create custom templates that can be saved and run on multiple servers – Stop DROWN, logjam, FREAK, POODLE and BEAST attacks – Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5 – Enable TLS 1.1 and 1.2 – Enable forward secrecy – Reorder cipher suites – Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates – Site scanner to test your configuration – Command line version
This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.
More information about this security update
The following articles contain more information about this security update as it relates to individual product versions.
3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016
On Aug. 25, 2016, Apple announced updates to address security vulnerabilities in iOS version 9.3.4 and earlier. The affected components include the iOS kernel and WebKit.
The vulnerabilities can result in jailbreak, remote code execution, and memory corruption. Security researchers at Lookout, Inc. have identified a high risk malware application, called “Pegasus”, that uses the vulnerabilities to compromise user devices.
MobileIron recommends that users update to iOS version 9.3.5 or later to obtain the necessary security patches. The security researchers have confirmed that the iOS patches prevent the vulnerabilities from being exploited.
Three vulnerabilities were patched in iOS 9.3.5. The vulnerabilities are referred to collectively as “Trident”. The reported CVE identifiers include:
CVE-2016-4655: An application may be able to disclose kernel memory.
CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges.
CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution.
Detection of Pegasus Jailbreak:
According to the security researchers at Lookout, EMM vendors cannot currently detect the Pegasus jailbreak. At this time, the only known method to detect Pegasus is to use products from Lookout.
For those of you who have started deploying Windows 10 1607, you might notice a change in the behavior of the Windows Update agent for PCs that are configured to pull updates from WSUS. Instead of pulling the updates from WSUS, PCs may start grabbing them from peers on your network, leveraging the Delivery Optimization service for referrals to other PCs that have already obtained the content. This change should generally help reduce the amount of network traffic being generated for both quality (monthly) updates and feature updates, offloading that traffic from the WSUS server. It will add some additional traffic between each client PC and the Delivery Optimization service on the internet, as it has to talk to this internet-only service in order to get a list of peers.
If the Windows Update agent can’t talk to the Delivery Optimization service (due to firewall or proxy configurations), or if there are no peers able to provide the content, it will then go ahead and grab the content from the WSUS server.
There is a new Group Policy setting available if you want to disable this behavior, e.g. because you are already using BranchCache for peer-to-peer sharing. To do this, you need to set the “Download Mode” policy under “Computer Configuration –> Administrative Templates –> Windows Components –> Delivery Optimization” to specify “Bypass” mode, which will result in the client always using BITS to transfer the content from WSUS (with BranchCache jumping in to provide the peer-to-peer capabilities through its integration with BITS):
Of course to set this policy, you need the latest ADMX files, which can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=53430 and are also included in Windows 10 1607 and Windows Server 2016. (The “Bypass” setting wasn’t available in previous versions.) See https://support.microsoft.com/en-us/kb/3087759 for details on how to update the Group Policy central store with these latest ADMX files, if you are using a central store.
This will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
To configure your environment for BitLocker, you will need to do the following:
Configure Active Directory for BitLocker.
Download the various BitLocker scripts and tools.
Configure the rules (CustomSettings.ini) for BitLocker.
Configure Active Directory for BitLocker
To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
Add the BitLocker Drive Encryption Administration Utilities
The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
On the Before you begin page, click Next.
On the Select installation type page, select Role-based or feature-based installation, and click Next.
On the Select destination server page, select DC01.contoso.com and click Next.
On the Select server roles page, click Next.
On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
On the Confirm installation selections page, click Install and then click Close.
Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
Create the BitLocker Group Policy
Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
Assign the name BitLocker Policy to the new Group Policy.
Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:
Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
Allow data recovery agent (default)
Save BitLocker recovery information to Active Directory Domain Services (default)
Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This )
Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.
Enable the Turn on TPM backup to Active Directory Domain Services policy.
(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)
Set permissions in Active Directory for BitLocker
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.
On DC01, start an elevated PowerShell prompt (run as Administrator).
Configure the permissions by running the following command:
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
Add BIOS configuration tools from Dell, HP, and Lenovo
If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.
Add tools from Dell
The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
And the sample content of the TPMEnable.REPSET file:
English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo
The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:
RVTools is a windows .NET 2.0 application which uses the VI SDK to display information about your virtual machines and ESX hosts. Interacting with VirtualCenter. RVTools is able to list information about VMs, CPU, Memory, Disks, Partitions, Network, Floppy drives, CD drives, Snapshots, VMware tools, Resource pools, Clusters, ESX hosts, HBAs, Nics, Switches, Ports, Distributed Switches, Distributed Ports, Service consoles, VM Kernels, Datastores, Multipath info and health checks. With RVTools you can disconnect the cd-rom or floppy drives from the virtual machines and RVTools is able to update the VMware Tools installed inside each virtual machine to the latest version. Version 3.8 (March, 2016)
VI SDK reference changed from 5.5 to 6.0
on vInfo tab page new field: ChangeVersion unique identifier for a given version of the configuration
on vInfo tab page new field: HA VM Monitoring status
on vInfo tab page new fields: Number of supported monitors and Video RAM in KB.
on vInfo tab page new field: Config status.
Config issues are visible on the vHealth tab page
on vInfo tab page new field: OS according to the VMware Tools
on vTools tab page new fields: App state, App heartbeat status and Kernel crash state
on vTools tab page new fields: Operations availability, State change support and
Interactive Guest Operations availability
on vHost tab page new field: NTPD running state.
NTP issues are visible on the vHealth tab page
on vHost tab page new field: Config status.
Config issues are visible on the vHealth tab page
on vCluster tab page new field: Config status.
Config issues are visible on the vHealth tab page
on vDatastore tab page new field: Config status.
Config issues are visible on the vHealth tab page
on vSC+VMK tab page new fields: IP 6 Address and IP 6 Gateway
all VM related tab pages now have a VM Object ID and VM UUID columnsall VM related tab pages now have powerstate and template columns
all tab pages. Now have a vCenter UUID column (= unique identifier for a vCenterServer)
all VM related tab pages. The Custom Attributes columns are now ordered alphabetically
all tab pages. A select is now a full row select so it is easier to follow the information across many columns
bug fix: Refresh data issue on vRP and vCluster tab pages solved
bug fix: Filter issue on vCluster tab page solved
bug fix: On vInfo tab page the HA information was not filled with cluster default values
bug fix: Content Libraries vmdk files are no longer reported as possible zombie files
bug fix: msi installer sometimes installs RVTools in root of c:\ drive. This is solved now.
)
