Deploy from USB Flash Drive stops due to GPO

  • Question

  • Greetings,

    Long time reader, first time poster.

    My deployment server works fine.  However, recently I was tasked with deploying to sites where PXE is not allowed. 

    I took the option of deploying via USB.  This works without issues depending on the OU I select.

    We have a few OUs where GPO is set to deny the use of storage devices.

    If I deploy and select an OU without the GPO, the process completes without issues.

    If I deploy and select an OU which has the GPO in place, shortly after the workstation is joined to the domain, the USB is blocked.

    On the screen the error is -> Please insert the media (CD, DVD or USB) needed to complete the deployment.

    The BDD log shows (I don't have access to the logs to upload, however) ->

    • Found existing task sequence state information in C:\_SMSTaskSequence, will continue
    • Not running within WinPE.
    • Unable to find media, prompting to have it reinserted

    Would it complete if I move the domain join to the end, as I read on forums?

    Is there another way to overcome this such as changing permissions to whatever it needs to be changed then undoing the change?

    Is there another solution to my issue?

    I have not tried using a USB SSD; however, the GPO blocks any type of USB storage or CD, so I don't think that will work either.

    Thank you for your time

    Saturday, October 31, 2015 9:47 PM

Answers

  • You could try using Johan's Final Configuration script as a way to join the domain at the very end. Since you are changing the local administrator's name, be sure to do that after any reboots that might occur or just before the Final configuration.

    If this post is helpful please vote it as Helpful or click Mark for answer.

    Tuesday, November 3, 2015 3:21 PM

All replies

  • If you don't do a media deployment, you can still boot to USB and deploy over the network because then your UFD isn't needed after the initial wizard. If you have to stick to media deployments, then delay joining to the domain until the very end.

    If this post is helpful please vote it as Helpful or click Mark for answer.

    Saturday, October 31, 2015 11:26 PM
  • Dan, thank you for the response.

    I can't (although I would love to) image over the network with the USB.  I've done it because I know I can get away by doing a couple at a time, however, the location where this will be used, it will be noticeable as the network is monitored for high bandwidth usage and they'll come after me.

    Yes, I was thinking of joining the domain later; I was not sure if I could cheat by taking ownership of something within the system to overcome my dilemma.  So here are my additional questions.

    • After which task can I join the domain?

    Actually I had another but I realized what I should search on my own for the best tutorial.

    Thank you

    Monday, November 2, 2015 7:38 AM
  • Hi,

    You have 2 choices.

    1) Join the domain but make it a Quarantine/build OU rather than a live OU with lockdown.

    2) Join the domain as the last action in the build. Add the variable

    FinishAction=RESTART
    to your customsettings. This means that the machine will be completely joined to the domain by the time the login screen is displayed, but there's no chance of MDT needing to access the USB stick in order to run any more config/install actions.

    The main thing is that you don't perform a reboot after joining the domain otherwise the lockdown will come into play. You could have a load of actions after the join domain, just no reboot.

    Monday, November 2, 2015 9:18 AM
    Our networks are monitored for high bandwidth usage as well, but that's only for external traffic, and system deployments would mostly or completely generate internal traffic. How do they expect you to set up new computers if a bunch of updates need to be downloaded and installed?

    You can find info on delaying domain join in the MDT documentation - https://technet.microsoft.com/en-us/library/dn781089.aspx (scroll to the very bottom)


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Monday, November 2, 2015 2:14 PM
    Dan, thank you for the link, that helped.  I will try this later; however, here is a question in case I don't get to test this until later.

    Since I remove the "credentials" from the unattended.xml, I'm guessing that the credentials the tech types are still cached, and used later in the task sequence called "Recover from Domain" 

    If that is the case, do I use the "Auto Recover" option ?

    Andrew - I already have restart for the finish action.  I wish I could use an OU like that; however, unfortunately, most of my coworkers (due to laziness) won't move the system to the proper OU.

    Thank you

    Monday, November 2, 2015 9:05 PM
  • If the credentials entries don't exist in the unattend then they can't be updated to join the domain.  Which is one part of delayed join.

    The other part is:

    Move 'Recover From Domain' near the end of 'State Restore' Task Sequence group.

    I guess YES would have said the same thing ;)


    Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.


    Monday, November 2, 2015 9:27 PM
    Moderator
  • Add and populate these values in your customsettings.ini file.

    SkipDomainMembership=NO
    JoinDomain=
    DomainAdmin=
    DomainAdminDomain=
    DomainAdminPassword=
    MachineObjectOU=
    DomainOUs1=
    DomainOUs2=
    DomainOUs3=

    The OU you provide for "MachineObjectOU" will become your default OU value. The "DomainOUs1" and so on can be populated with different OUs that you might need to a join a computer to. Then when you get to this part of the wizard you simply choose the right OU that you need the machine to be added to. Note: the domain account you provide must have the rights to join machines to the domain. If you don't have one, get a domain join service account created. By service account I mean an account created solely for the purpose of joining machines to the domain. Look at the last subheading here - http://www.windowsnetworking.com/articles-tutorials/windows-7/Deploying-Windows-7-Part21.html


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Monday, November 2, 2015 9:29 PM
  • Yes, I pretty much have all that configured "except" for the service account info.

    I've been trying to get permission to use a service account for a while, but because my manager does not understand, he won't allow it.  This, however, changes everything, as he'll have no choice.

    Now I see why the task sequence does not have a box for credentials.

    I'm testing now (finally) and will use my credentials in the custom settings ini.  If it all works I'll request a service account.

    Monday, November 2, 2015 10:47 PM
  • Great disappointment

    I moved the recover to the very end, however, it does not join the domain.

    I also added my credentials to the custom settings ini.

    I'm looking at the logs to see if I can figure it out, but if you know why, please let me know.

    Thank you

    Monday, November 2, 2015 11:40 PM
    Great disappointment, it's not joining the domain

    I added my credentials to the custom setting .ini I basically filled out the items below as the rest is already in use.

    DomainAdmin=
    DomainAdminDomain=
    DomainAdminPassword=

    I'm looking at the logs now to see why, but if anyone can tell me what's causing it I would appreciate it.

    Monday, November 2, 2015 11:43 PM
  • Not without logs.

    Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.

    Tuesday, November 3, 2015 12:32 AM
    Moderator
    Okay, I figured out part of the issue

    In my custom settings I had -> JoinWorkGroup=WORKGROUP ( removed this)

    It now seems to work, except that I had a task to rename the local admin account (yup irritating) at the end of the task sequence.

    So, currently I have the rename local account then recover from domain.  I forgot that it needs to get into Windows once more to join the domain, which of course failed because the account was already renamed.

    New dilemma,

    Which do I put first, recover from domain, then rename the local admin?  Doing this will cause the original error, which is that the USB can't be found because it's blocked.

    If I rename the local admin account then recover from the domain, the process can't log back in to join the domain because the account is already renamed.

    What should my next step be ?

    Thank you to all those who are helping by the way.

    Below is a copy of my CustomSettings.ini in case it's needed.

    I'm sorry if it doesn't look as good as it could.  I taught myself and tweak it when I learn something new.

    [Settings]
    Priority=TaskSequenceID,Default
    Properties=MyCustomProperty
    
    [Default]
    OSInstall=Y
    SkipCapture=YES
    SkipAdminPassword=YES
    SkipProductKey=YES
    SkipComputerBackup=YES
    SkipBitLocker=YES
    AdminPassword=PASSWORD
    
    SkipBDDWelcome=YES
    
    DeploymentType=NewComputer
    
    SkipUserData=YES
    UserDataLocation=NONE
    
    
    
    SkipDomainMembership=NO
    DomainAdmin=MY-Account
    DomainAdminDomain=MY-DOMAIN
    DomainAdminPassword=MY-PASSWORD
    JoinDomain=MY-DOMAIN
    DomainOUs1=OU1
    DomainOUs2=OU2
    DomainOUs3=OU3
    DomainOUs4=OU4
    
    
    SkipFinalSummary=YES
    FinishAction=RESTART
    
    
    ; SLShareDynamicLogging=\\WS-2k8-OSDEPLOY\MDT-Logs$\%OSDComputerName%
    ; SLShare=\\WS-2k8-OSDEPLOY\MDT-Logs$\%OSDComputerName%
    
    ; EventService=http://WS-2K8-OSDEPLOY:9800
    _SMSTSOrgName=UPGRADE IN PROGRESS DO NOT TOUCH
    
    Home_Page=http://Intranet
    
    
    BitsPerPel=32
    VRefresh=60
    XResolution=1
    YResolution=1
    
    
    DriverGroup001=Windows 7\x64\%make%\%model%
    
    SkipApplications=Yes
    SkipAppsOnUpgrade=YES
    
    
    [DEP-SALES-X64-01]
    MandatoryApplications001={f0bf17a9-7635-45d5-8626-abb55fdc63f5}
    
    ;[DEP-NONSALES-X64]
    ;MandatoryApplications001={a945af05-2cc1-4c48-bf5b-9087ee851b9c}
    
    [DEP-NONSALE2-X64]
    MandatoryApplications001={a945af05-2cc1-4c48-bf5b-9087ee851b9c}
    
    
    


    Tuesday, November 3, 2015 1:38 AM
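The two things this thread tripped over are easy to miss by eye in a long CustomSettings.ini: a leftover JoinWorkGroup= sitting next to JoinDomain=, and the DomainAdmin/DomainAdminDomain/DomainAdminPassword values that an unattended (delayed) domain join needs. The checker below is an added example, not code from the thread or from MDT itself; it parses an INI file into sections and reports those pitfalls, plus the OU keys from the earlier reply. The file path, the sample INI content and the OU distinguished name are assumptions; the key names are the MDT property names used in the thread.

```powershell
# Added example (not from the thread or from MDT): check a CustomSettings.ini
# for the delayed-domain-join pitfalls discussed in this thread.

function Read-IniFile {
    param([string[]]$Lines)
    # Returns a hashtable of sections, each a hashtable of key=value pairs.
    # Lines starting with ';' are comments, as in the thread's own file.
    $ini = @{}
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        if ($line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-DelayedDomainJoin {
    param([hashtable]$Ini, [string]$Section = 'Default')
    # Returns one string per finding; an empty result means nothing was flagged.
    $findings = @()
    $s = $Ini[$Section]
    if (-not $s) { return @("Section [$Section] not found") }

    # Pitfall found in the thread: JoinWorkGroup left in place alongside JoinDomain.
    if ($s.ContainsKey('JoinWorkGroup') -and $s.ContainsKey('JoinDomain')) {
        $findings += "JoinWorkGroup=$($s['JoinWorkGroup']) is set alongside JoinDomain=$($s['JoinDomain']); remove JoinWorkGroup"
    }

    # Values an unattended join needs to be populated, not just present.
    foreach ($key in 'JoinDomain', 'DomainAdmin', 'DomainAdminDomain', 'DomainAdminPassword') {
        if (-not $s.ContainsKey($key) -or $s[$key] -eq '') {
            $findings += "$key is missing or empty"
        }
    }

    # If the wizard page is skipped, MachineObjectOU must supply the OU.
    if ($s['SkipDomainMembership'] -eq 'YES' -and -not $s['MachineObjectOU']) {
        $findings += 'SkipDomainMembership=YES but MachineObjectOU is not set'
    }

    # OU values are LDAP distinguished names, e.g. OU=Build,DC=example,DC=local (assumed sample).
    foreach ($key in ($s.Keys | Where-Object { $_ -match '^(MachineObjectOU|DomainOUs\d+)$' })) {
        if ($s[$key] -notmatch '^(OU|CN)=') {
            $findings += "$key='$($s[$key])' does not look like a distinguished name"
        }
    }

    # The join password is stored in clear text; whoever can read the share can read it.
    if ($s['DomainAdminPassword']) {
        $findings += 'DomainAdminPassword is stored in clear text; restrict read access to the deployment share'
    }

    # Andrew's advice above: finish with a restart so no later step needs the USB stick.
    if ($s['FinishAction'] -ne 'RESTART') {
        $findings += "FinishAction is '$($s['FinishAction'])', expected RESTART for a delayed join"
    }
    return $findings
}

# Constructed sample reproducing the thread's failing state (JoinWorkGroup still present).
$sample = @'
[Settings]
Priority=Default

[Default]
SkipDomainMembership=NO
JoinWorkGroup=WORKGROUP
JoinDomain=MY-DOMAIN
DomainAdmin=MY-Account
DomainAdminDomain=MY-DOMAIN
DomainAdminPassword=MY-PASSWORD
DomainOUs1=OU=Build,DC=example,DC=local
DomainOUs2=OU2
FinishAction=RESTART
'@ -split "`r?`n"

$ini = Read-IniFile -Lines $sample
Test-DelayedDomainJoin -Ini $ini | ForEach-Object { Write-Output "FINDING: $_" }
```

To run it against a real file, replace the constructed sample with `Read-IniFile -Lines (Get-Content '\\server\DeploymentShare$\Control\CustomSettings.ini')` (path assumed). On the sample it reports the JoinWorkGroup conflict, the placeholder `DomainOUs2=OU2`, and the clear-text password; the last one is not an error but the reason the later replies point at share permissions and at encoding the credentials.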
  • I'll give that a try and report back.

    I'm curious though, I can manually rename the account by hand and I know I need to restart for the change to take place; however, there is no "force" restart or prompt. Since this is the case, why does the task sequence restart the computer? It would be nice if I could prevent that restart, then perform the recover from domain at the very end, which would solve (I think) my issues.

    Tuesday, November 3, 2015 6:55 PM
  • Due to other projects "deemed" more important I had to stop working on this, however, I'm now back on trying to work on my issue.

    I still need to review the scripts which will take me a bit since I'm in the still learning stages.

    Question -> Since I have to use a USB flash drive at certain remote sites, can the technician credentials be used instead of a service account to take advantage of the delayed domain join?

    I'm asking because now I'm being asked to show how the service account is going to be used and I can't find anything on how to mask it.  I've found out that the password can't be encrypted (unless there is a way), however, I have to at least mask it and I found some methods, however, there seems to be missing steps in the sites I found.

    Thank you


    Thursday, November 19, 2015 2:01 AM
  • Kind of a worthwhile tangent to create a new thread for.  However here are a few links on share security:

    http://www.windowsnetworking.com/articles-tutorials/windows-7/Deploying-Windows-7-Part20.html

    https://keithga.wordpress.com/2015/01/06/security-week-locking-down-your-deployment/

    Although I think ultimately you might want to use this:

    http://blogs.technet.com/b/mniehaus/archive/2012/06/27/encoding-sensitive-information-in-customsettings-ini-and-bootstrap-ini.aspx


    Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.


    Thursday, November 19, 2015 2:12 AM
    Moderator
    Ty, thank you for your response.  Yes, I was actually thinking about opening a new thread for the masked/encrypted credentials.

    I think my question should have been asked better.

    To summarize, I have to use a USB flash drive to deploy the OS at remote sites.  GPO blocks USB, and the local admin account needs to be renamed.  I used my own credentials as a service account in the customsettings.ini.  This works.

    With what I explained above, I can delay the domain join (Recover From Domain at the end), along with run once reg keys to rename the admin account all using my USB flash drive.

    So, when using the delayed join to the domain (Recover From Domain) at the very end, does it require a service account in the customsettings.ini?

    I'm asking because if its not required I want to remove it, then have the wizard prompt the technician  account when prompted at the very beginning to join the domain at the very end.  Unless I made a mistake somewhere, it did not work but it "did" when I used a service account.

    I hope it makes sense, my brain hurts, they just added a Surface 3 and 4 image.  Management promised the Surfaces but I don't even have the equipment yet.   :(

    Thursday, November 19, 2015 3:11 AM
  • As to the question about the service account. Did you read the tutorial I referenced? http://www.windowsnetworking.com/articles-tutorials/windows-7/Deploying-Windows-7-Part21.html

    Specifically the heading Performing Domain-Joins Securely

    I like method 5 because you can automate joining a domain but you don't give up security because the service account only has user rights.

    You don't have to store the service account credentials in custom settings, but then you will either have to write a script (with the credentials stored in it) to join the domain or have a technician manually join the machine to the domain.

    Honestly though, if you've secured your deployment share, even with the service account credentials being stored in custom settings, no one can see it but those who have been given access to the deployment share.


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Thursday, November 19, 2015 2:37 PM
    Thanks Dan, yes I read those, and my service account was approved by one of the many approval layers that I have to go through; still waiting for it though.

    Everything I read pretty much said that to delay joining the domain you need to use a service account.

    So in my head, I had the thought of needing a service account because it would be the only way to make it work.

    But in reality, after simulating with my own account as a service account (in my lab), I found that if I removed my credentials from the custom settings and typed my credentials when prompted by the wizard, I was still able to join the domain as expected as the last step.

    For some reason I thought that delaying the domain join would break something, so that the only way to join the domain was to use a service account.

    Unless it was a fluke that I was able to join the domain at the very end with my credentials typed when prompted by the wizard, then I'm all set.

    From the link you provided, I was able to use my own workaround.  I added run once reg keys to rename the admin account in the step prior to joining the domain.  I should have thought about this, as I've used it plenty of times.  I guess that's why I used the forum as a second set of eyes.

    Thursday, November 19, 2015 7:25 PM
  • If your account has the rights to do the domain join it would work.  MDT is pretty good about storing those sorts of things as variables.

    Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.

    Thursday, November 19, 2015 7:33 PM
    Moderator