MDT 2013 Update 2

  • Question

  • I have just completed a fresh install of MDT 2013 Update 2 (build 6.3.8330) and the Windows 10 ADK on a Server 2012 R2 box. I was able to create the deployment shares with no issue. However, I am unable to update the deployment shares to create the WinPE.wim. The script errors out when it begins to create the x64 .wim and reports an error:

    System.Management.Automation.CmdletInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

    I have confirmed that the following key value is set to 0 - HKLM\System\CurrentControlSet\Control\LSA\FipsAlgorithmPolicy. Since we are bound by govt security policies, I thought that might be the issue, but it was not. 

    I've completely uninstalled and reinstalled both MDT and ADK.

    I have another server running MDT 2013 Update 1 that is working just fine with my Windows 7 image captures. I am hesitant to upgrade that server to Update 2. We've encountered issues in the past with upgrades breaking components, which is why this time we are standing up a separate one.

    Friday, February 24, 2017 10:00 PM

All replies

  • SHA256Managed is not FIPS validated and so hashing in MDT 2013 Update 2 is now broken if the following setting is enabled in Group Policy:

    System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

    Make certain that FIPS is not enabled, as the error suggests that it still is.
    Monday, February 27, 2017 10:49 PM
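    A way to check the FIPS state described in this reply from the MDT server itself, as an added example that is not part of the thread; it assumes Windows PowerShell on the server and that the policy value is the Enabled DWORD under the registry key the question cites:

    ```powershell
    # Added example (not from the thread). Reports the FIPS policy as stored in the
    # registry, as seen by the .NET runtime, and which SHA-256 implementations the
    # runtime will actually let you construct.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $keyPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) { $enabled = 0 }   # a missing value means the policy is not enforced
    "FipsAlgorithmPolicy\Enabled (registry) = $enabled"

    # .NET reads the same key when the process starts; this is the value that
    # decides whether SHA256Managed is allowed, so compare it with the registry.
    $effective = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    "AllowOnlyFipsAlgorithms (effective in this process) = $effective"

    # SHA256Managed is the implementation MDT uses and is not FIPS validated;
    # SHA256Cng and SHA256CryptoServiceProvider wrap validated native code.
    # Under FIPS enforcement only SHA256Managed should fail, with the same
    # InvalidOperationException text quoted in the question.
    foreach ($type in 'SHA256Managed', 'SHA256Cng', 'SHA256CryptoServiceProvider') {
        try {
            $hasher = New-Object "System.Security.Cryptography.$type"
            $hasher.Dispose()
            "$type : OK"
        } catch {
            "$type : FAILED - $($_.Exception.GetBaseException().Message)"
        }
    }
    ```

    If the registry reports 0 but AllowOnlyFipsAlgorithms is True, the policy was applied after the process started or by a source other than the key shown; `gpresult /scope computer /h report.html` lists which GPO is delivering the security option.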
  • Confirmed the Group Policy had it set to disabled.  Even checking Local policy settings.  Ended up removing the server from the domain.  Then when I checked the local policy settings, it showed it as enabled.  Disabled it and was able to update the Deployment Share.  Joined it back to the domain and checked the setting via RSOP, it's set to not configured.  Looked at local group policy and it is set to Disabled.  Registry value for the correlating key is set to 0.

    I've alternated it from enabled to disabled and rebooted.  Still not working.  At this point, looks to be more an issue with the policy application on the server than an issue with the MDT install.  This issue can be closed, need to review further with our security team.  This is an oddity.

    Tuesday, February 28, 2017 7:11 PM