MDT 2012 and 2013 not always applying domain group policies

  • Question

  • Seemingly at random (but with increased frequency since 2013), after booting into Windows for the first time, MDT will not apply the domain group policies. I know this because we have a logon banner. If I have to manually hit Enter to continue past the legal disclaimer logon banner (which is in the default domain policy), the GPs seem to apply correctly. But if it automatically logs into Windows, bypassing the logon banner, it seems to be missing other group policies. One such missing GP is the one to back up the BitLocker recovery key to Active Directory.


    Wednesday, November 13, 2013 5:07 PM

All replies

  • This is becoming very frustrating, has anyone else experienced this?

    Friday, November 15, 2013 3:11 PM
  • MDT *itself* does not apply group policy settings. The only thing MDT does is domain joins, the OS should take care of the rest.

    Specifically, how are you verifying that MDT joins the *correct* domains and correct OUs, both for machines that appear to be working and for those that are not?

    Keith Garner -

    Sunday, November 17, 2013 10:53 PM
  • Going to the right OU has never been a problem. In the deployment rules I have a line with:

    MachineObjectOU=OU=Computers,OU=Atlanta Office,DC=contoso,DC=local

    The computer objects are always created in that correct OU, with the right policies linked to it.

    I have BitLocker AD backup set 2 ways and all 3 are failing me:

    In the task sequence during imaging:

    and in group policy:

    The recovery keys never show up since upgrading to MDT 2013.

    Wednesday, November 20, 2013 7:43 PM
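A post-deployment check for the two things the thread above depends on, written as an added example (not code from the thread or from MDT): it reads the registry values the "Choose how BitLocker-protected operating system drives can be recovered" policy writes, and if the policy was missing when the task sequence enabled BitLocker, escrows the OS drive's recovery password to AD. It assumes an elevated session on a domain-joined client with the BitLocker PowerShell module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the thread. Run elevated on the deployed client.
# Assumes: domain-joined machine, BitLocker module available, OS drive is $env:SystemDrive.

# 1. Did the BitLocker AD-backup policy actually reach this machine?
#    The GPO writes these values under HKLM\SOFTWARE\Policies\Microsoft\FVE.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy -or $policy.OSActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD backup policy for OS drives is not applied; forcing a refresh.'
    # If it is still missing afterwards, compare the OUs in
    # 'gpresult /r /scope computer' against the MachineObjectOU the deployment rule set.
    gpupdate /target:computer /force | Out-Null
    $policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
}
"OSActiveDirectoryBackup        = $($policy.OSActiveDirectoryBackup)"
"OSRequireActiveDirectoryBackup = $($policy.OSRequireActiveDirectoryBackup)"

# 2. Is the OS volume's recovery password escrowed? If BitLocker was enabled while
#    the policy was absent, nothing was written to AD at that time; escrow it now.
$vol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No recovery password protector on $($vol.MountPoint); nothing to escrow."
    return
}
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
        "Escrowed recovery password $($kp.KeyProtectorId) to AD."
    } catch {
        Write-Warning "Escrow failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}

# 3. Confirm from the domain side (needs the ActiveDirectory RSAT module):
#    the msFVE-RecoveryInformation objects live under the computer object.
# $dn = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
# Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
#     -SearchBase $dn -Properties 'msFVE-RecoveryPassword'
```

Step 3 is the check to run on a DC or admin workstation; an empty result for a machine whose OS drive reports a RecoveryPassword protector is the symptom described in the thread.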