MDT Webservice - J House Consulting - DevOps, Microsoft, Citrix & Desktop Virtualisation (VDI) Specialist

Installing, Configuring, Securing and Using MDT Webservices – Part 3

September 15, 2025June 28, 2019 by Jeremy Saunders

In Part 1 we walked through the installation and configuration of Deployment Webservices.

In Part 2 we walked through securing the Webservice.

In this part I will demonstrate how to use the Webservice via a PowerShell script to securely move a computer object during the operating system deployment (OSD) task sequence using Microsoft Deployment Toolkit (MDT).

To achieve the end result we need to:

Create some deployment share rules in MDT (CustomSettings.ini)
Add two “Run PowerShell Script” tasks to the Task Sequence
Download and place the PowerShell Script into the deployment share Scripts folder

Installing, Configuring, Securing and Using MDT Webservices – Part 2

June 17, 2023December 22, 2016 by Jeremy Saunders

In Part 1 we walked through the installation and configuration of Deployment Webservices. In this part we will focus on securing the Webservice.

There are five (5) main areas that I focus on to lock down the Webservice, and I’ll include two (2) optional areas for consideration:

Use Request Filtering, which is basically what the old URL Scan morphed into from IIS 7 (Windows 2008) and above. Request Filtering gives a tighter level of control over the settings and where they are applied than URL Scan ever did.
Authentication – Disable anonymous authentication. That should be a no-brainer!
Authorization Rules – Only allow specific users access.
Changing the authenticatedUserOverride serverRuntime setting to UseWorkerProcessUser. IIS 7.5 (Windows 2008 R2) and above allows us to configure IIS so that the worker process identity is used for accessing resources, such as the file system, whilst the authenticated user is only used for authorization purposes. This means that you only need to set NTFS permissions for the worker process identity.
Setting NTFS Permissions on the DeploymentWebservice folder for the worker process identity.
Optionally, you can also exclude some of the higher risk AD Functions.
Optionally, you can also SSL enable the site with a certificate.

Installing, Configuring, Securing and Using MDT Webservices – Part 1

June 17, 2023December 12, 2016 by Jeremy Saunders

This will be a three part article on installing, configuring, securing and using Maik Koster’s Deployment Webservice.

Part 1 – Installing and Configuring Deployment Webservices
Part 2 – Securing Deployment Webservices
Part 3 – Using Deployment Webservices

I’m a massive fan of Microsoft Deployment Toolkit (MDT) and use it for all customer deployments that don’t already have a modern and/or mature deployment model.

The Deployment Webservice is required to complement MDT for two main reasons:

The Active Directory Net Framework classes are NOT supported in WinPE, which means that WinPE does not support the use of ADSI. So when you rebuild a device/image, you are unable to easily automate moving of the computer object to a build/staging OU before the Domain Join process. This is important when there is an existing object in Active Directory because you don’t want it to join to an existing object where unwanted Group Policy Objects may apply, that may in-turn break the build process, or at least make it unreliable.
The MDT task sequence does not run as a Domain User with permissions to easily achieve this task. Whilst in MDT you can run a script as a different user, I don’t like using those configuration fields, as it means my task sequences end up being hard coded with credentials. I wanted a far more flexible approach so that I could pass it existing variables or derive them directly from the Task Sequence variables.