Local administrator logged in during OSD

  • Question

  • Hello,

    Apologies if this is a basic question; I've not massively used MDT before. During OSD the local administrator account is logged in whilst applications are being deployed. Is this normal behaviour? The device is joined to the domain at this stage.

    Is there any way of deploying the task sequence without being logged in?

    Thanks,

    Alex.

    Tuesday, June 19, 2018 4:55 PM

All replies

  • Hi Alex,

    As far as I know, it's MDT's default behaviour: after finishing the OS phase, when the task sequence enters the post-processing phase, it installs apps and applies customizations after logging in to the device.


    • Edited by JiteshKumar Wednesday, June 20, 2018 3:47 AM
    Wednesday, June 20, 2018 2:42 AM
  • This is one of the differences between ConfigMgr and MDT: Microsoft System Center Configuration Manager runs command lines in task sequences with Local System account permissions on managed computers. Microsoft Deployment Toolkit runs task sequences with the local administrator account credentials. You could probably work around this by applying several mitigations. You could disable Task Manager (DisableTaskMgr=YES in CS.ini), disable Windows Explorer (HideShell=YES in CS.ini) and probably also lock the workstation as the first part of your State Restore phase (and after each reboot; in this case it would be advisable to skip the final summary...).

    EDIT: here is the link to a blog post that describes how we used to lock down workstations prior to introduction of HideShell / DisableTaskMgr: https://blogs.technet.microsoft.com/deploymentguys/2008/10/01/back-to-basics-1-locking-the-computer-during-deployment/


    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".



    Wednesday, June 20, 2018 6:27 AM
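The two CustomSettings.ini properties named in the answer above, shown together as an added example (this fragment is not from the original thread). HideShell, DisableTaskMgr and SkipFinalSummary are documented MDT properties; the section layout and Priority line are the usual MDT defaults and the [Default] values are assumed for illustration. The workstation-lock step Anton mentions is not a CS.ini property: it is an extra Run Command Line step at the start of State Restore (and after each reboot), for which `rundll32.exe user32.dll,LockWorkStation` is the command the linked blog post relies on.

```ini
; CustomSettings.ini - added example, not the thread's own file.
; Keeps the interactive session that MDT logs in as the local
; administrator from being usable by someone at the console.
[Settings]
Priority=Default
Properties=

[Default]
; Hide the Explorer shell during deployment so there is no desktop,
; Start menu or Run box available while apps install.
HideShell=YES
; Prevent Ctrl+Alt+Del / Ctrl+Shift+Esc from opening Task Manager,
; which would otherwise allow starting arbitrary processes as Administrator.
DisableTaskMgr=YES
; If the workstation is locked during State Restore the final summary
; dialog cannot be acknowledged, so skip it.
SkipFinalSummary=YES
```

Note that none of these settings change the fact that the task sequence itself still runs as the local administrator; they only reduce what a person at the console can do while it runs. A practitioner should also confirm that the final Litetouch cleanup still disables the account or resets its password, since a built-in administrator left enabled with a known deployment password is the more serious exposure.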
  • Very helpful, thank you.

    I'm from a ConfigMgr background, so I was expecting MDT to also use the system account.

    Is there any way for the MDT application stage to use a domain service account? I've got some packages that reference internal file shares for licence keys, for example.

    Thanks,

    Alex.

    Wednesday, June 20, 2018 1:36 PM
  • I am aware of two possible options: a) MDT can run "Run Command Line" steps using an alternative account (you need to check the checkbox "Run this step as the following account" and enter the credentials). b) You could also write a PowerShell script which stores your password in a more secure manner and use it to run your scripts/app installs.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Thursday, June 21, 2018 11:47 AM
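One way to do option (b) above, as an added example that is not part of the original thread: a PowerShell script run from the application step that maps the licence share with a dedicated domain service account whose password is kept as a key-encrypted SecureString file on the deployment share rather than typed into the task sequence step. The account name, share path, file names and the `LicenceCopied` task-sequence variable are all assumptions for illustration. The key caveat is that anything the task sequence can decrypt, anyone who can read the deployment share and the key file can decrypt too, so the account must be least-privilege (read-only on that one share) and never an administrator.

```powershell
# Added example (not from the original thread): fetch a licence file from an
# internal share under a domain service account during an MDT application step.
#
# Assumed (hypothetical) setup:
#   - CONTOSO\svc-osd-licence has read-only rights on \\fileserver\licences
#   - key.bin (32 random bytes) and svc-osd-licence.txt (the password,
#     ConvertFrom-SecureString -Key encrypted) sit next to this script
#
# One-time setup on an admin workstation, NOT inside the task sequence:
#   $key = New-Object byte[] 32
#   [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
#   [IO.File]::WriteAllBytes('.\key.bin', $key)
#   Read-Host -AsSecureString 'Password' |
#       ConvertFrom-SecureString -Key $key | Set-Content '.\svc-osd-licence.txt'
#
# A key-encrypted string is used rather than plain ConvertFrom-SecureString
# because the default (DPAPI) ties the blob to the user and machine that
# created it, and OSD runs as a fresh local Administrator on every target.

param(
    [string]$ShareUnc    = '\\fileserver\licences',    # assumption
    [string]$UserName    = 'CONTOSO\svc-osd-licence',  # assumption
    [string]$SecretFile  = (Join-Path $PSScriptRoot 'svc-osd-licence.txt'),
    [string]$KeyFile     = (Join-Path $PSScriptRoot 'key.bin'),
    [string]$LicenceFile = 'product.lic',              # assumption
    [string]$TargetDir   = 'C:\ProgramData\Vendor'     # assumption
)

$ErrorActionPreference = 'Stop'

# Rebuild the credential from the encrypted file and the AES key.
$key    = [IO.File]::ReadAllBytes($KeyFile)
$secure = Get-Content -Path $SecretFile | ConvertTo-SecureString -Key $key
$cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)

# Map the share under the service account only for as long as the copy takes,
# so the local administrator session is not left with a persistent connection.
$drive = New-PSDrive -Name Lic -PSProvider FileSystem -Root $ShareUnc -Credential $cred
try {
    New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
    Copy-Item -Path "Lic:\$LicenceFile" -Destination $TargetDir
}
finally {
    Remove-PSDrive -Name $drive.Name
    $cred = $null
}

# Surface the result to the task sequence; the TSEnvironment COM object only
# exists while a task sequence is running, so tolerate its absence for testing.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('LicenceCopied') = 'YES'   # assumed variable name
}
catch {
    Write-Warning 'Not running inside a task sequence; TS variable not set.'
}
```

Call it from a Run Command Line or Install Application step as `powershell.exe -ExecutionPolicy Bypass -File Get-LicenceFile.ps1`, keeping the script, key and secret file on the deployment share with NTFS permissions limited to the deployment account. Compared with the "Run this step as the following account" checkbox, this keeps the password out of the task sequence definition and lets you rotate it by regenerating one file, but it does not remove the fundamental trade-off Anton describes: the step still executes in the local administrator's session.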