  #1 ChrisH
    Warning MDT 2012 Issues with NTLM If You Allow Apply Local GPO Package

    A warning for everyone looking at MDT 2012, there is a new task sequence step called "Apply Local GPO Package". If you let this run it sets the security too high to use NTLM with proxies and probably some Samba shares as well. I tried undoing some of the settings in the local policy but it didn't do any good.
    I found this out after building a new reference image and I couldn't get the internet to work on IE, Chrome or Firefox. Firefox actually gave me the error message I needed to investigate further though. My Smoothie did look like it was authenticating in the log but obviously not.

    Solutions

    Disable the step in all your task sequences or set

    Code:
    ApplyGPOPack=NO
    under the Rules tab for the deployment share (CustomSettings.ini).

    Hopefully this will save some people the serious hair-pulling session I had yesterday.
    Last edited by ChrisH; 18th October 2012 at 10:06 AM.

  #2 Duke5A
    You just saved a good number of people from one big headache. I've got a couple of Squid proxies that we use with NTLM for logging. I haven't had time to experiment with it, but I wonder if dropping NTLM for Kerberos would work well.

  #3 ChrisH
    I think once there is a viable alternative I will be changing over the auth method. I need to experiment with the new Smoothwall features, as they have some new features for auth.

  #4 john
    I suffered this in the middle of my chaos summer (hence not posting anything, given I've been locked away in a building site since after BETT...) and it took me hours of bashing my head in frustration, as I had to rebuild from scratch. In the end I moved back to MDT 2010, as 2012 was just doing my head in with its "helpfulness" that was stopping things just working as they did in 2010, which was strange given I wasn't doing anything complex.

  #5 SHimmer45
    Out of interest, I see that you can modify/create GPO packages, but it appears to require SCCM to do it. Is there another way to edit these to use within MDT?

    **Edited to say that I have found the MS Security Compliance Manager kit, though by the sounds of it I only need one part of it.
    Yay, another instance of SQL lite...
    Last edited by SHimmer45; 22nd November 2012 at 11:52 AM.

  #6 garethedmondson
    Re-opening this thread. We have been deploying with MDT 2012 (Update 1) for the past few months and all has been well. 64-bit and 32-bit Windows 7 have been working fine.

    Over Easter the LEA implemented Smoothwall, and now we see that machines built with 2012 are not working due to this GPO pack being applied as part of the task sequence.

    Can anyone advise what I need to change back? What does this GPO pack change that doesn't allow our Win7Ent machines to use Smoothwall? I need to send out a setting to possibly between 100 and 200 machines that suddenly do not work. I want to try and avoid rebuilding them.

    Worth mentioning that NTLM appears to be disabled when connecting to Squid.

    Any help appreciated.

    Gareth
    Last edited by garethedmondson; 15th April 2013 at 06:35 PM.

  #7 tom_newton
    You could try Kerberos: like NTLM only better (if, by better, you mean Java doesn't work with it). Kerberos is more modern/secure and MS aren't trying to get rid of it like they are NTLM.

  #8 ChrisH
    I gave up trying to undo the changes; I just rebuilt the image and disabled the task sequence step.

  #9 garethedmondson
    Quote Originally Posted by tom_newton View Post
    You could try Kerberos: like NTLM only better (if, by better, you mean Java doesn't work with it). Kerberos is more modern/secure and MS aren't trying to get rid of it like they are NTLM.
    Thanks Tom, I'll pass this to our LEA team tomorrow. Who is the LEA contact with you guys? Perhaps they could contact the LEA. Why are we using NTLM in the LEA if Kerberos is better?

    I'll check all my facts tomorrow.

    Gareth

  #10 garethedmondson
    I know, but I've got between 100 and 150 computers to rebuild and no time to do it. Only today this started happening. I've rebuilt one machine to test the MDT setting but will not find out how that goes until tomorrow morning.

    There must be a setting somewhere...

    Thanks

    Gareth

  #11 john
    Quote Originally Posted by ChrisH View Post
    I gave up trying to undo the changes I just rebuilt the image and disabled the task sequence step.
    Agreed. Never managed to fix it despite hacking reg keys and settings files across the machine; it was much quicker to redo the entire image from scratch and redo the test machines.

  #12
    Quote Originally Posted by garethedmondson View Post
    There must be a setting somewhere...
    The GPOPacks that MDT 2012 uses are located in the folder below. If you import the Win7SP1-MDTGPOPack folder into Microsoft's Security Compliance Manager you can view and/or modify the settings. It looks pretty easy to reverse the changes via Group Policy.

    Code:
    %ProgramFiles%\Microsoft Deployment Toolkit\Templates\Distribution\Templates\GPOPacks
    Attached is a screenshot showing all 145 policies (with SCM you can export them to an Excel spreadsheet).

  #13 garethedmondson
    I saw this last night so was going to try it today, but finding which policy is causing it might take a while.

    I'll let you know how I get on.

    Gareth

  #14 garethedmondson
    Morning

    Just to let you guys know that we've fixed the issue without rebuilding the affected machines. After hours of scouring Google I managed to find a website that listed some NTLM settings that we could try. I tested them with local settings and they worked. So I've now sent them out to my room and they worked. They've been sent to a room where the machines were NOT affected; they worked.

    So we have now sent the setting out site-wide (or we will at 10:42, break time).

    So, the website? Here you go:

    Enabling of NTLM on Windows 7 and Windows Server 2008 R2 - Damir Dobric Posts - developers.de

    Seems simple now.

    I've also turned the setting off in MDT2012 :-) I think MDT is great but annoying at the moment.

    Gareth
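
    Neither post #12 (which gives the GPOPack folder) nor post #14 (which fixed the affected machines by pushing NTLM settings out through Group Policy) says which of the pack's 145 policies is the one that stops NTLM working against the proxy. The PowerShell below is an added example, not code from the thread, from MDT or from the linked article: it parses the security template inside the MDT GPOPack folder named in post #12 and prints the NTLM-related LSA values the pack would apply next to what the machine you run it on currently has, so you can see what changed and which values to send back out by Group Policy. Assumptions that are mine and not stated in the thread: the pack stores its settings in GptTmpl.inf files beneath the Win7SP1-MDTGPOPack folder, the six registry values listed are the ones relevant to NTLM, and PowerShell 3.0 or later is installed.

```powershell
<#
  Added example (not from the thread, MDT or the linked article).
  Compares the NTLM-related LSA values an MDT GPOPack's security template
  would apply with the live values on this machine.
  Assumptions: settings live in GptTmpl.inf under the pack folder;
  the six value names below are the ones that matter for NTLM.
#>
param(
    [string]$GpoPackRoot = (Join-Path $env:ProgramFiles `
        'Microsoft Deployment Toolkit\Templates\Distribution\Templates\GPOPacks\Win7SP1-MDTGPOPack')
)

# Standard LSA registry values behind the "Network security:" policies.
$ntlmKeys = @(
    'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel',
    'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash',
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec',
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec',
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic',
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic'
)

function Get-TemplateRegistryValues {
    # Read every GptTmpl.inf under $Root and collect its [Registry Values] section.
    # Lines use the secedit form  MACHINE\...\NTLMMinClientSec=4,537395200
    # where the number before the comma is the registry type (4 = REG_DWORD).
    param([string]$Root)
    $values = @{}
    Get-ChildItem -Path $Root -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inSection = $false
            foreach ($line in Get-Content -Path $_.FullName) {
                if ($line -match '^\s*\[(.+?)\]\s*$') {
                    $inSection = ($Matches[1] -eq 'Registry Values')
                    continue
                }
                if ($inSection -and $line -match '^\s*(?<path>[^=]+?)\s*=\s*(?<type>\d+)\s*,\s*(?<value>.*)$') {
                    $values[$Matches['path']] = $Matches['value'].Trim()
                }
            }
        }
    return $values
}

function Get-LiveRegistryValue {
    # Map a template path (MACHINE\System\...) to HKLM:\System\... and read it.
    # $null means the value is absent, so the OS default applies.
    param([string]$TemplatePath)
    $regPath = $TemplatePath -replace '^MACHINE\\', 'HKLM:\'
    $keyPath = Split-Path -Path $regPath -Parent
    $name    = Split-Path -Path $regPath -Leaf
    try   { (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction Stop).$name }
    catch { $null }
}

function Describe-NtlmValue {
    # Turn the raw number into the wording the Local Security Policy editor uses.
    param([string]$Name, $Raw)
    if ($null -eq $Raw -or "$Raw" -eq '') { return '' }
    $n = [int64]$Raw
    switch ($Name) {
        'LmCompatibilityLevel' {
            @('Send LM & NTLM responses',
              'Send LM & NTLM, use NTLMv2 session security if negotiated',
              'Send NTLM response only',
              'Send NTLMv2 response only',
              'Send NTLMv2 response only, refuse LM',
              'Send NTLMv2 response only, refuse LM & NTLM')[$n]
        }
        { $_ -eq 'NTLMMinClientSec' -or $_ -eq 'NTLMMinServerSec' } {
            $flags = @()
            if ($n -band 0x00080000) { $flags += 'require NTLMv2 session security' }
            if ($n -band 0x20000000) { $flags += 'require 128-bit encryption' }
            if ($flags.Count -eq 0) { 'no minimum' } else { $flags -join ', ' }
        }
        'RestrictSendingNTLMTraffic'   { @('Allow all', 'Audit all', 'Deny all')[$n] }
        'RestrictReceivingNTLMTraffic' { @('Allow all', 'Deny all domain accounts', 'Deny all accounts')[$n] }
        'NoLMHash'                     { if ($n -eq 1) { 'do not store LM hash' } else { 'store LM hash' } }
        default                        { '' }
    }
}

$pack = Get-TemplateRegistryValues -Root $GpoPackRoot
$rows = foreach ($key in $ntlmKeys) {
    $name    = Split-Path -Path $key -Leaf
    $packRaw = if ($pack.ContainsKey($key)) { $pack[$key] } else { $null }
    $liveRaw = Get-LiveRegistryValue -TemplatePath $key
    [pscustomobject]@{
        Setting = $name
        GPOPack = if ($null -eq $packRaw) { '(not in pack)' } else { "$packRaw  $(Describe-NtlmValue $name $packRaw)" }
        ThisPC  = if ($null -eq $liveRaw) { '(OS default)' }   else { "$liveRaw  $(Describe-NtlmValue $name $liveRaw)" }
        Differs = ($null -ne $packRaw) -and ("$packRaw" -ne "$liveRaw")
    }
}
$rows | Format-Table -AutoSize -Wrap
```

    Run it from an elevated prompt on a machine that was built with the step enabled and on one that was not; rows where GPOPack and ThisPC differ on the affected machine are the candidates to push back out by Group Policy. The script only reads, so it is safe to run site-wide before deciding what to change. Note that an NTLMMinClientSec of 537395200 (0x20080000) is the Windows 7 default and is normally harmless; a LmCompatibilityLevel of 5 or a RestrictSendingNTLMTraffic of 2 is the kind of value that stops a client from completing NTLM to a non-Windows proxy or Samba share.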

  #15 Jamo
    Quote Originally Posted by garethedmondson View Post
    Morning

    Just to let you guys know that we've fixed the issue without rebuilding the affected machines. After hours of scouring Google I managed to find a website that listed some NTLM settings that we could try. I tested them with Local settings and they worked. So I've now sent them out to my room and they worked. They've been sent to a room where the machines were NOT affected - they worked.

    So we have now sent the setting out sitewide (or we will at 10:42 - break time).

    So, the website? Here you go:

    Enabling of NTLM on Windows 7 and Windows Server 2008 R2 - Damir Dobric Posts - developers.de

    Seems simple now.

    I've also turned the setting off in MDT2012 :-) I think MDT is great but annoying at the moment.

    Gareth

    How did you do this?! It's literally driving me nuts! No idea why they decided to add this in the 2012 MDT. I can't reset the settings to 'Not Configured', as half of them don't have a setting for that in local policy! Thanks MS for that!

    Don't suppose you still have the list of settings anywhere?
