Disable GPO during MDT process

  • Is there a way to temporarily disable our domain-level GPOs during the imaging process? We are basically using a Lite Touch deployment with zero touch from the user :) After the computer images and gets all its drivers, etc., it gets stuck on a GPO screen we have configured displaying a legal notice, and the user has to hit Enter. After the Enter key is hit, the custom applications get installed, and then a reboot and life is good. However, we are trying to avoid that Enter key being hit. Can I run a script to hit the Enter key automatically or delay GPO from hitting the machine? If we go to image a machine and walk away, it will sit at the legal notice screen and not finish with the applications being installed until Enter is selected.
    Wednesday, October 15, 2014 3:54 PM

All replies

  • Yep, there is a way to do this. Please see http://blogs.msdn.com/b/alex_semi/archive/2009/08/28/avoiding-legan-notice-that-breaks-mdt-autologon.aspx for an explanation. I've used this method at a previous employer and it worked very well.

    -Nick O.

    • Proposed as answer by Keith Garner (MVP) Wednesday, October 15, 2014 4:56 PM
    • Marked as answer by rodgerkrau Wednesday, October 15, 2014 7:56 PM
    Wednesday, October 15, 2014 4:24 PM
  • My recommendation is to create two OU groups. One that can contain policies that break autologon, and the second that is your existing process (with the legal notice), that can contain breaking policies.

    By default when you join to the domain, new computers will be placed into the non-breaking OU by default, so MDT can run automation. Then sometime later, you can move the computer to the new OU either from the client or from a regular batch job on the server.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    • Proposed as answer by Keith Garner (MVP) Wednesday, October 15, 2014 4:59 PM
    Wednesday, October 15, 2014 4:59 PM
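
A sketch of the server-side batch job for the two-OU approach in the reply above, added here as an example and not code from any poster in this thread. The OU paths and the age threshold are hypothetical placeholders; the point is that machines should not linger in the OU that lacks the legal-notice policy.

```powershell
# Added example. OU distinguished names and the threshold are hypothetical.
Import-Module ActiveDirectory

$StagingOU    = 'OU=Staging,OU=Workstations,DC=example,DC=com'    # legal-notice GPO not linked here
$ProductionOU = 'OU=Production,OU=Workstations,DC=example,DC=com' # legal-notice GPO applies here
$MinAgeHours  = 4   # assumed upper bound for a task sequence to finish

function Move-StagedComputers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceOU,
        [Parameter(Mandatory)] [string] $TargetOU,
        [Parameter(Mandatory)] [int]    $MinAgeHours
    )

    # Only move objects old enough that imaging should have completed.
    # Caveat: whenCreated reflects the AD object, so a re-imaged machine that
    # reuses an existing computer object will look older than its deployment.
    $cutoff = (Get-Date).AddHours(-$MinAgeHours)

    Get-ADComputer -SearchBase $SourceOU -SearchScope OneLevel -Filter * -Properties whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "Move to $TargetOU")) {
                Move-ADObject -Identity $_.DistinguishedName -TargetPath $TargetOU
                # Emit a record of each move for the job's log.
                [pscustomobject]@{
                    Name    = $_.Name
                    Created = $_.whenCreated
                    MovedTo = $TargetOU
                }
            }
        }
}

# Dry run first; remove -WhatIf once the reported moves look right.
Move-StagedComputers -SourceOU $StagingOU -TargetOU $ProductionOU `
    -MinAgeHours $MinAgeHours -WhatIf
```

Run as a scheduled task under an account delegated only the rights to move computer objects between these two OUs. With per-site OUs, the same function can be called once per site pair.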
  • My recommendation is to create two OU groups. One that can contain policies that break autologon, and the second that is your existing process (with the legal notice), that can contain breaking policies.

    By default when you join to the domain, new computers will be placed into the non-breaking OU by default, so MDT can run automation. Then sometime later, you can move the computer to the new OU either from the client or from a regular batch job on the server.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com


    I considered making 2 OU groups. However, we are using linked deployment shares with 20+ sites and we want the least amount of physical interaction possible. We automatically name the computer, add it to the specific OU for the required site, join the domain, etc. The remote admin never even has to go into AD.
    Wednesday, October 15, 2014 5:17 PM