Installing, Configuring, Securing and Using MDT Webservices – Part 3

In Part 1 we walked through the installation and configuration of Deployment Webservices.

In Part 2 we walked through securing the Webservice.

In this part I will demonstrate how to use the Webservice via a PowerShell script to securely move a computer object during the operating system deployment (OSD) task sequence using Microsoft Deployment Toolkit (MDT).

To achieve the end result we need to:

  • Create some deployment share rules in MDT (CustomSettings.ini)
  • Add two “Run PowerShell Script” tasks to the Task Sequence
  • Download and place the PowerShell Script into the deployment share Scripts folder


Installing, Configuring, Securing and Using MDT Webservices – Part 2

In Part 1 we walked through the installation and configuration of Deployment Webservices. In this part we will focus on securing the Webservice.

There are five (5) main areas that I focus on to lock down the Webservice, and I’ll include two (2) optional areas for consideration:

  1. Use Request Filtering, which is essentially what the old URL Scan evolved into from IIS 7 (Windows 2008) onwards. Request Filtering gives tighter control over the settings and where they are applied than URL Scan ever did.
  2. Authentication – Disable anonymous authentication. That should be a no-brainer!
  3. Authorization Rules – Only allow specific users access.
  4. Changing the authenticatedUserOverride serverRuntime setting to UseWorkerProcessUser. IIS 7.5 (Windows 2008 R2) and above allows us to configure IIS so that the worker process identity is used for accessing resources, such as the file system, whilst the authenticated user is only used for authorization purposes. This means that you only need to set NTFS permissions for the worker process identity.
  5. Setting NTFS Permissions on the DeploymentWebservice folder for the worker process identity.
  6. Optionally, you can also exclude some of the higher risk AD Functions.
  7. Optionally, you can also SSL enable the site with a certificate.


Installing, Configuring, Securing and Using MDT Webservices – Part 1

This will be a three part article on installing, configuring, securing and using Maik Koster’s Deployment Webservice.

I’m a massive fan of Microsoft Deployment Toolkit (MDT) and use it for all customer deployments that don’t already have a modern and/or mature deployment model.

The Deployment Webservice is required to complement MDT for two main reasons:

  1. The Active Directory .NET Framework classes are NOT supported in WinPE, which means that WinPE does not support the use of ADSI. So when you rebuild a device/image, you are unable to easily automate moving the computer object to a build/staging OU before the Domain Join process. This matters when there is an existing object in Active Directory, because you don’t want the device to join to an existing object where unwanted Group Policy Objects may apply, which may in turn break the build process, or at least make it unreliable.
  2. The MDT task sequence does not run as a Domain User with permissions to easily achieve this task. Whilst in MDT you can run a script as a different user, I don’t like using those configuration fields, as it means my task sequences end up being hard coded with credentials. I wanted a far more flexible approach so that I could pass it existing variables or derive them directly from the Task Sequence variables.


Script to Change the Drive Letter of all CDROM and DVD Drives


This PowerShell script changes the drive letter of all CDROM & DVD drives found, starting from the letter set in the $LastDriveLetter variable and working backwards until it finds an available drive letter.

Too many IT Pros leave CDROM/DVD drives on the drive letter Windows assigns them when first detected, which is typically either D: or E:. Then, when adding new volumes, they choose the next available drive letter instead of moving the CDROM/DVD drive(s) out of the way. I’m a stickler for this, as I like to see consecutive drive letters used for the logical disks.

The easiest way to ensure all builds are standardised is to run a script during the build process that assigns a new drive letter to the connected CDROM/DVD Drive(s).


Custom MDT Wizard For Network Settings

Setting a fixed IP Address during the MDT task sequences has always been ugly. It’s an area that I believe needs to be revisited by Microsoft.

  • I don’t like the concept behind the “Apply Network Settings” task action. I don’t find it dynamic enough. In my opinion it’s too cumbersome and involved.
  • The old “NICSettings_Definition_ENU.xml” custom pane no longer works from MDT 2012 and above, as pointed out by a commenter on Michael Niehaus’s article about Customizing Wizards with MDT 2012.
  • I don’t like the way the ZTINicUtility.vbs and ZTINICConfig.wsf scripts have been constructed. Too messy and too hard to follow. I appreciate that these have ended up the way they are over time, but a fresh start would be my recommendation.

I just found that everything out of the box was too messy and static. There are a couple of different blogs by others on this, but they also seemed quite awkward.

Of course if you’re looking to automate as much as possible, which is what I strive for, then some back-end apps require a fixed/static IP address set before they’re installed. Sure you can reserve addresses in DHCP, but that’s a management touch point I wanted to avoid. I prefer to allocate in the design and build out based on that.

I wanted something slick and simple so I created my own.
