MDT Woes - Windows 1809 & MDT 8456 - Installs freeze / Bitlocker problems

    Question

  • Hello - 

    Been working with MDT since 2013 and used it very successfully to rollout Window 7 without any problems. Enter Windows 10, and my problems began!

    Setup:-

    MDT server running MDT 8456 / ADK 1809. We use a database connected to MDT to provide the settings. I tend (or used to!) to have all settings in the database (apart from credentials to connect to deployment shares) as I find it much more convenient than having to rebuild boot images after any bootstrap / customsettings.ini file changes.

    Problem 1.

    I am using the .wim file - unmodified - from the Windows 10 media. Task sequence is a basic deployment - unmodified. I have hit what seems to be a common problem in that after initial boot, database contacted, all settings retrieved. OS downloads, installs, then goes through the "Setting up..." then at the first boot to the desktop - I get a blank screen with just a mouse cursor. Left alone, it sits there indefinitely. If I ctrl-alt-del, I can load Task Manager and launch explorer to get the desktop, but the build doesn't continue. BDD.log shows the task sequence is starting the SYSTEMRESTORE section.

    In some cases - not all - modifying the registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken and rebooting will give me the blank screen / ctrl-alt-del / Task Manager / launch explorer problem, but after explorer is loaded the build will complete (without BitLocker - see below).

    I did try not using the database, and having all the settings in the customsettings.ini, which not only seems to work, but also BitLocker installs - albeit not the way I have set it up in the group policy. I am in the process of comparing a BDD.log from an ini file deployment vs a database deployment.

    Problem 2: Bitlocker

    I am trying to create a ZTI install by pre-configuring all the settings in the MDT database (PIN / save recovery in AD etc.) and I know these are correct, as if I enable the Wizard screen for BitLocker, the values are pre-populated in the relevant screens. I have a corresponding GPO that will apply to any computer built in AD. But it never deploys as per the settings. I have configured the use of complex passwords, store recovery key in AD, password length, 256-bit encryption etc., but it never configures as part of the task sequence.

    Problem 3.

    Capturing a reference image. In my Windows 7 deployment, I used to have a dedicated "capture" deployment share. Took my reference machine, mapped a drive to the share, went to script folder and ran litetouch.vbs and it would create a custom WIM file. This approach just doesn't work with Windows 10. 

    All in all, compared to Windows 7 where I had hardly any issues, the Windows 10 rollout is fraught with issues. Any guidance / pointers / recommendations would be very much appreciated - especially as I have a deadline in a week to produce a reliable Windows 10 build.

    Regards

    Wednesday, May 22, 2019 7:56 AM

All replies

  • Just FYI,

    • You never need to rebuild a boot image if you only make changes to customsettings.ini
    • You always need to rebuild a boot image if you make changes to bootstrap.ini (also for WinPE driver changes)

    I'm with you on the database, I use it to ensure that specific computers always get a particular deployment type, apps, etc.

    Problem 1: Something unanswered here is drivers. Are you injecting Windows 10 drivers for the model of computer you are deploying to? Perhaps it's another issue; I'll get to that.

    Problem 2: Make sure you have BDEInstallSuppress=NO set along with the other relevant settings. Example of using TPM:

    SkipBitLocker=YES
    OSDBitLockerMode=TPM
    OSDBitLockerCreateRecoveryPassword=AD
    OSDBitLockerWaitForEncryption=FALSE
    BDEInstall=TPM
    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDERecoveryKey=AD
    BDEKeyLocation=\\SERVER\SHARE$\BitLockerKeys
    TPMOwnerPassword=SuperSecurePassword

    Problem 3: That approach does work with Windows 10. I build all my images using a separate deployment share built purely for creating and capturing images and I used to build and capture both Windows 7 and 10, though I stopped making Windows 7 images about 18 months ago.

    I will give you this, Windows 10 does not build out the same way Windows 7 does. You have to learn how to work with the changes introduced in Windows 10.

    If you aren't already doing this, I'd strongly recommend using the Total Control method from MDT 2013 Lite Touch Driver Management

    Here's what you should follow. It's VERY important that you carefully read through it and do not skip things like disable/enable Windows Store updates. Building a Windows 10 v1809 reference image using Microsoft Deployment Toolkit (MDT)

    Once you get the deployment part down and have successfully tested deploying Windows 10, I could give you some guidance on how to customize the start menu, taskbar and theme.


    Daniel Vega



    • Edited by Dan_Vega Wednesday, May 22, 2019 9:40 PM
    Wednesday, May 22, 2019 1:49 PM
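    Added example, not code from the thread or from MDT itself: a small Python checker that reads a CustomSettings.ini and flags the things the reply above is guarding against (a BDE*/OSDBitLocker* property name that MDT will not recognise, BDEInstallSuppress not set to NO, AD key escrow without JoinDomain, and a TPMOwnerPassword sitting in clear text). The property list is the reply's plus BDEPin and BDEAllowAlphaNumericPin from the MDT documentation; the sample ini is constructed from the reply's settings with one property name deliberately misspelled (OSB instead of OSD) so the check fires.

```python
import configparser
import difflib

# BitLocker-related MDT property names: the reply's plus BDEPin / BDEAllowAlphaNumericPin (MDT docs).
KNOWN_KEYS = {
    "SkipBitLocker", "OSDBitLockerMode", "OSDBitLockerCreateRecoveryPassword",
    "OSDBitLockerWaitForEncryption", "BDEInstall", "BDEInstallSuppress",
    "BDEWaitForEncryption", "BDERecoveryKey", "BDEKeyLocation",
    "BDEPin", "BDEAllowAlphaNumericPin", "TPMOwnerPassword",
}
# Constructed sample: the reply's block, with OSB deliberately misspelled for OSD.
SAMPLE_INI = r"""
[Settings]
Priority=Default
[Default]
SkipBitLocker=YES
OSDBitLockerMode=TPM
OSBBitLockerCreateRecoveryPassword=AD
OSDBitLockerWaitForEncryption=FALSE
BDEInstall=TPM
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDERecoveryKey=AD
BDEKeyLocation=\\SERVER\SHARE$\BitLockerKeys
TPMOwnerPassword=SuperSecurePassword
"""

def check_bitlocker_settings(ini_text):
    """Return (code, message) findings for the BitLocker properties in ini_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep property names as written
    cp.read_string(ini_text)
    props = {}  # every property outside [Settings]; later sections win
    for section in cp.sections():
        if section.lower() != "settings":
            props.update(cp.items(section))
    by_lower = {k.lower(): v.strip() for k, v in props.items()}
    known_lower = {k.lower(): k for k in KNOWN_KEYS}
    findings = []
    for key in props:  # MDT silently ignores property names it does not know, so a typo never errors
        if key.lower() not in known_lower:
            near = difflib.get_close_matches(key.lower(), list(known_lower), n=1, cutoff=0.85)
            if near:
                findings.append(("TYPO", f"{key} is not an MDT property; did you mean {known_lower[near[0]]}?"))
    if by_lower.get("bdeinstallsuppress", "").upper() != "NO":
        findings.append(("SUPPRESSED", "BDEInstallSuppress is missing or not NO; set it to NO as the reply advises"))
    if "AD" in (by_lower.get("bderecoverykey", "").upper(), by_lower.get("osdbitlockercreaterecoverypassword", "").upper()) and "joindomain" not in by_lower:
        findings.append(("NO_DOMAIN", "recovery key escrow to AD requested but JoinDomain is not set"))
    if "tpmownerpassword" in by_lower:
        findings.append(("PLAINTEXT_SECRET", "TPMOwnerPassword is stored in clear text on the deployment share"))
    return findings
```

Run it against the exported CustomSettings.ini (or a MDT database export rendered as key=value lines) before kicking off a test build; the TYPO check is the one that catches the kind of silent misspelling a ZTI build otherwise hides.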
  • Hi - 

    thanks for the reply. I am using the "total control" method for drivers... but don't use WinPE ones.

    Yes - I saw that guide and have followed it to the letter. I find it fails at the capture part - after Sysprep. I get an error about a vbs script missing from C:\ - a reboot into WinPE causes the process to continue and it does create a custom .wim...

    I will try your suggestions for BitLocker - although unless you have joined the domain or at least read GPOs to set options such as 256-bit encryption / complex passwords, you can only set a numeric PIN?

    I will delve further - but I'd be interested in the methods to customise the desktop!!

    Regards...

    Ray

    Saturday, May 25, 2019 8:08 PM