Warning MDT 2012 Issues with NTLM If You Allow Apply Local GPO Package
A warning for everyone looking at MDT 2012, there is a new task sequence step called "Apply Local GPO Package". If you let this run it sets the security too high to use NTLM with proxies and probably some Samba shares as well. I tried undoing some of the settings in the local policy but it didn't do any good.
I found this out after building a new reference image and I couldn't get the internet to work on IE, Chrome or Firefox. Firefox actually gave me the error message I needed to investigate further though. My Smoothie did look like it was authenticating in the log but obviously not.
Solutions
Disable the step in all your task sequences or set
Code:
ApplyGPOPack=NO
under the rules tab for the deployment share (Customsettings.ini)
Hopefully this will save some people the serious hair pulling session I had yesterday
Last edited by ChrisH; 18th October 2012 at 10:06 AM.
You just saved a good number of people from one big headache. I've got a couple Squid proxies that we use with NTLM for logging. I haven't had time to experiment with it, but I wonder if dropping NTLM for Kerberos would work well.
I think once there is a viable alternative I will be changing over the auth method. I need to experiment with the new smoothwall features as they have some new features for auth.
I suffered this in the middle of my chaos summer (hence not posting anything given I've been locked away in a building site since after BETT....) and it took me hours of bashing my head and frustration as I had to re-build from scratch. In the end I moved back to MDT2010 as 2012 was just doing my head in with its "helpfulness" that was stopping things just working as they did in 2010 which was strange given I wasn't doing anything complex.
Out of interest, I see that you can modify/create GPO packages, but it appears to require SCCM to do it. Is there another way to edit these to use within MDT?
**Edited to say that I have found the MS Security Compliance Manager kit, though by the sounds of it I only need one part of it.
Yay, another instance of SQLite.....
Last edited by SHimmer45; 22nd November 2012 at 11:52 AM.
Re-opening this thread - we have been deploying with MDT2012(u1) for the past few months and all has been well. 64 bit and 32 bit Windows 7 have been working fine.
Over Easter the LEA implemented Smoothwall and now we see that machines built with 2012 are not working due to this GPO pack being applied as part of the task sequence.
Can anyone advise what I need to change back? What does this GPO pack change that doesn't allow our Win7Ent machines to use SmoothWall? I need to send out a setting to possibly between 100-200 machines that suddenly do not work. I want to try and avoid rebuilding them.
Worth mentioning that NTLM appears to be disabled when connecting to Squid.
Any help appreciated.
Gareth
Last edited by garethedmondson; 15th April 2013 at 06:35 PM.
You could try Kerberos: like NTLM only better (if, by better, you mean Java doesn't work with it). Kerberos is more modern/secure and MS aren't trying to get rid of it like they are NTLM.
Thanks Tom - I'll pass this to our LEA team tomorrow. Who is the LEA contact with you guys? Perhaps they could contact the LEA. Why are we using NTLM in the LEA if Kerberos is better?
I know - but I've got between 100 and 150 computers to rebuild and no time to do it. Only today this started happening. I've rebuilt one machine to test the MDT setting but will not find out how that goes until tomorrow morning.
I gave up trying to undo the changes I just rebuilt the image and disabled the task sequence step.
Agreed, never managed to fix it despite hacking reg keys and settings files across the machine; it was much quicker to re-do the entire image from scratch and re-do the test machines.
The GPOPacks that MDT 2012 uses are located in the folder below. If you import the Win7SP1-MDTGPOPack folder into Microsoft's Security Compliance Manager you can view and/or modify the settings. It looks pretty easy to reverse the changes via Group Policy.
Just to let you guys know that we've fixed the issue without rebuilding the affected machines. After hours of scouring Google I managed to find a website that listed some NTLM settings that we could try. I tested them with Local settings and they worked. So I've now sent them out to my room and they worked. They've been sent to a room where the machines were NOT affected - they worked.
So we have now sent the setting out sitewide (or we will at 10:42 - break time).
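Added example, not from this thread and not Microsoft's or MDT's own code: a small PowerShell audit you can run on an affected Windows 7 client (or on a freshly built reference image) to see where the local NTLM policy stands before and after pushing a fix. The thread never names which settings the GPO pack or the later Group Policy fix actually touch, so the three policies read below are an assumption on my part: they are the standard Windows "Network security" entries that govern whether a client will still talk classic NTLM to a proxy or a Samba share, which makes them the first place to look. The proxy test function uses the system proxy with the logged-on user's credentials and reports a 407 separately from any other failure; the URL is a placeholder.

```powershell
# Audit the local NTLM-related security policy on a Windows client.
# ASSUMPTION: these are the usual NTLM policy values under the Lsa key; the
# thread does not confirm that the MDT GPO pack changes exactly these.
function Get-NtlmPolicyState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Join-Path $lsa 'MSV1_0'

    # Each check: where the policy lives, which Local Security Policy entry
    # writes it, a test for the "restrictive" end of its range, and a note
    # on what the values mean.
    $checks = @(
        @{ Path = $lsa; Name = 'LmCompatibilityLevel'
           Policy = 'Network security: LAN Manager authentication level'
           Restrictive = { param($v) $v -ge 4 }
           Meaning = '0-2 send LM/NTLM; 3 send NTLMv2 only; 4 also refuse LM; 5 refuse LM and NTLM' },
        @{ Path = $msv; Name = 'NtlmMinClientSec'
           Policy = 'Network security: Minimum session security for NTLM SSP based clients'
           Restrictive = { param($v) ($v -band 0x00080000) -ne 0 }
           Meaning = 'bit 0x00080000 = require NTLMv2 session security; bit 0x20000000 = require 128-bit encryption' },
        @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic'
           Policy = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'
           Restrictive = { param($v) $v -eq 2 }
           Meaning = '0 allow all; 1 audit all; 2 deny all' }
    )

    foreach ($c in $checks) {
        # A missing value means the policy was never set and the OS default applies.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$c.Name]) {
            $value = [int]$item.($c.Name)
            $display = '0x{0:X8}' -f $value
            $isRestrictive = & $c.Restrictive $value
        } else {
            $value = $null
            $display = '(not set, OS default)'
            $isRestrictive = $false
        }
        New-Object PSObject -Property @{
            Policy      = $c.Policy
            Value       = $display
            Restrictive = $isRestrictive
            Meaning     = $c.Meaning
        }
    }
}

# Try an authenticated request through the system proxy with the current
# user's network credentials. Returns $true on success; a 407 means the
# proxy rejected (or could not negotiate) the authentication the client offered.
function Test-ProxyAuth {
    param([string]$Url = 'http://www.example.com/')   # ASSUMPTION: placeholder test URL

    $wc = New-Object System.Net.WebClient
    $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    try {
        [void]$wc.DownloadString($Url)
        return $true
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 407) {
            # The Proxy-Authenticate header shows which schemes the proxy offers
            # (e.g. NTLM, Negotiate, Basic), which tells you what the client must match.
            Write-Warning ("Proxy returned 407; offered schemes: " + $resp.Headers['Proxy-Authenticate'])
        } else {
            Write-Warning ("Request failed: " + $_.Exception.Message)
        }
        return $false
    }
}

# Usage: run as an administrator on the client, compare the output of a
# working machine against an affected one, then re-run after the fix.
Get-NtlmPolicyState | Format-Table Policy, Value, Restrictive -AutoSize
"Proxy authentication OK: " + (Test-ProxyAuth)
```

Run it on one machine built with the GPO pack and on one built without, and diff the two Value columns; whichever entries differ and show Restrictive = True are the candidates to set back through Group Policy, which is the same route the last post above used to avoid rebuilding.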