18th October 2012, 10:04 AM #1
Warning MDT 2012 Issues with NTLM If You Allow Apply Local GPO Package
A warning for everyone looking at MDT 2012: there is a new task sequence step called "Apply Local GPO Package". If you let this run, it sets the security too high to use NTLM with proxies and probably some Samba shares as well. I tried undoing some of the settings in the local policy but it didn't do any good.
I found this out after building a new reference image and I couldn't get the internet to work on IE, Chrome or Firefox. Firefox actually gave me the error message I needed to investigate further though. My Smoothie did look like it was authenticating in the log but obviously not.
Disable the step in all your task sequences or set
under the rules tab for the deployment share (Customsettings.ini)
Hopefully this will save some people the serious hair-pulling session I had yesterday.
Last edited by ChrisH; 18th October 2012 at 10:06 AM.
18th October 2012, 03:07 PM #2
You just saved a good number of people from one big headache. I've got a couple Squid proxies that we use with NTLM for logging. I haven't had time to experiment with it, but I wonder if dropping NTLM for Kerberos would work well.
18th October 2012, 06:19 PM #3
I think once there is a viable alternative I will be changing over the auth method. I need to experiment with the new smoothwall features as they have some new features for auth.
22nd October 2012, 11:00 PM #4
I suffered this in the middle of my chaos summer (hence not posting anything given I've been locked away in a building site since after BETT....) and it took me hours of bashing my head and frustration as I had to re-build from scratch. In the end I moved back to MDT2010 as 2012 was just doing my head in with its "helpfulness" that was stopping things just working as they did in 2010 which was strange given I wasn't doing anything complex.
22nd November 2012, 11:44 AM #5
Out of interest, I see that you can modify/create GPO packages but it appears to require SCCM to do it. Is there another way to edit these to use within MDT?
**Edited to say that I have found the MS Security Compliance Manager kit, though by the sounds of it I only need one part of it.
Yay, another instance of SQLite.....
Last edited by SHimmer45; 22nd November 2012 at 11:52 AM.
15th April 2013, 04:41 PM #6
Re-opening this thread - we have been deploying with MDT2012(u1) for the past few months and all has been well. 64 bit and 32 bit Windows 7 have been working fine.
Over Easter the LEA implemented Smoothwall and now we see that machines built with 2012 are not working due to this GPO pack being applied as part of the task sequence.
Can anyone advise what I need to change back? What does this GPO pack change that doesn't allow our Win7Ent machines to use SmoothWall? I need to send out a setting to possibly between 100-200 machines that suddenly do not work. I want to try and avoid rebuilding them.
Worth mentioning that NTLM appears to be disabled when connecting to Squid.
Any help appreciated.
Last edited by garethedmondson; 15th April 2013 at 06:35 PM.
15th April 2013, 07:19 PM #7
You could try Kerberos: like NTLM only better (if, by better, you mean Java doesn't work with it). Kerberos is more modern/secure and MS aren't trying to get rid of it like they are NTLM.
15th April 2013, 07:27 PM #8
I gave up trying to undo the changes; I just rebuilt the image and disabled the task sequence step.
15th April 2013, 07:29 PM #9
Thanks Tom - I'll pass this to our LEA team tomorrow. Who is the LEA contact with you guys? Perhaps they could contact the LEA. Why are we using NTLM in the LEA if Kerberos is better?
I'll check all my facts tomorrow.
15th April 2013, 07:31 PM #10
I know - but I've got between 100 and 150 computers to rebuild and no time to do it. Only today this started happening. I've rebuilt one machine to test the MDT setting but will not find out how that goes until tomorrow morning.
There must be a setting somewhere...
15th April 2013, 09:43 PM #11
Agreed, never managed to fix it despite hacking reg keys and settings files across the machine; it was much quicker to re-do the entire image from scratch and re-do the test machines.
16th April 2013, 01:11 AM #12
The GPOPacks that MDT 2012 uses are located in the folder below. If you import the Win7SP1-MDTGPOPack folder into Microsoft's Security Compliance Manager you can view and/or modify the settings. It looks pretty easy to reverse the changes via Group Policy.
%ProgramFiles%\Microsoft Deployment Toolkit\Templates\Distribution\Templates\GPOPacks
Attached is a screenshot showing all 145 policies (with SCM you can export them to an Excel spreadsheet).
16th April 2013, 07:16 AM #13
I saw this last night so was going to try it today - but which policy is causing it might take a while.
I'll let you know how I get on.
16th April 2013, 10:24 AM #14
Just to let you guys know that we've fixed the issue without rebuilding the affected machines. After hours of scouring Google I managed to find a website that listed some NTLM settings that we could try. I tested them with Local settings and they worked. So I've now sent them out to my room and they worked. They've been sent to a room where the machines were NOT affected - they worked.
So we have now sent the setting out sitewide (or we will at 10:42 - break time).
So, the website? Here you go:
Enabling of NTLM on Windows 7 and Windows Server 2008 R2 - Damir Dobric Posts - developers.de
Seems simple now.
I've also turned the setting off in MDT2012 :-) I think MDT is great but annoying at the moment.
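Before pushing NTLM settings to a whole site, it helps to see which NTLM policy values a built machine actually has. The script below is an added example, not code from the thread or from MDT: it reads the LSA registry values behind the "Network security" NTLM policies on a Windows 7 client and flags the ones that would stop it authenticating to an NTLM proxy. Which of these values the MDT GPO pack sets is an assumption here; compare a machine built with the step enabled against one built without it to confirm.

```powershell
# Added example: audit the client-side NTLM policy values that decide whether a
# Windows 7 machine will still speak NTLM to a proxy. Registry paths are the
# standard LSA locations behind the "Network security" Group Policy settings.
# Which of them the MDT 2012 GPO pack changes is an assumption to be verified.

function Get-NtlmClientPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"

    # Helper: return the value, or $null when the policy has never been applied.
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    [pscustomobject]@{
        # 0-5; 3 and above send NTLMv2 only, 5 also refuses LM/NTLM from servers
        LmCompatibilityLevel       = & $read $lsa 'LmCompatibilityLevel'
        # "Restrict NTLM: Outgoing NTLM traffic to remote servers": 0 allow, 1 audit, 2 deny all
        RestrictSendingNTLMTraffic = & $read $msv 'RestrictSendingNTLMTraffic'
        # "Minimum session security for NTLM SSP based clients": 0x20000000 = require NTLMv2
        NtlmMinClientSec           = & $read $msv 'NtlmMinClientSec'
        # Servers exempted from the outgoing-NTLM restriction (a proxy may be listed here)
        ClientAllowedNTLMServers   = & $read $msv 'ClientAllowedNTLMServers'
    }
}

function Test-NtlmProxyBlocked {
    param([Parameter(Mandatory)] $Policy)
    $reasons = @()
    if ($Policy.RestrictSendingNTLMTraffic -eq 2) {
        $reasons += 'Outgoing NTLM to remote servers is denied (RestrictSendingNTLMTraffic=2)'
    }
    if ($Policy.LmCompatibilityLevel -ge 3 -and ($Policy.NtlmMinClientSec -band 0x20000000)) {
        $reasons += 'Client will only send NTLMv2 with NTLMv2 session security; NTLMv1-only proxies will fail'
    }
    $reasons
}

$policy = Get-NtlmClientPolicy
$policy | Format-List
$blocked = Test-NtlmProxyBlocked -Policy $policy
if ($blocked) { $blocked | ForEach-Object { Write-Warning $_ } }
else { 'No NTLM-blocking policy values found' }
```

Run it on one affected and one unaffected machine and diff the output; the values that differ are the ones worth reverting through Group Policy rather than rebuilding.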