A warning for everyone looking at MDT 2012: there is a new task sequence step called "Apply Local GPO Package". If you let this run, it sets the security too high to use NTLM with proxies, and probably some Samba shares as well. I tried undoing some of the settings in the local policy, but it didn't do any good.
I found this out after building a new reference image and I couldn't get the internet to work in IE, Chrome or Firefox. Firefox actually gave me the error message I needed to investigate further, though. My Smoothie did look like it was authenticating in the log, but obviously it wasn't.
Disable the step in all your task sequences, or set the following under the Rules tab for the deployment share (CustomSettings.ini):
Code:
ApplyGPOPack=NO
Hopefully this will save some people the serious hair-pulling session I had yesterday.
Last edited by ChrisH; 18th October 2012 at 10:06 AM.
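As an added example (not from the poster above, and not part of MDT itself), the script below audits a deployment share for the two things the post recommends: the ApplyGPOPack=NO rule in CustomSettings.ini and the state of the "Apply Local GPO Package" step in every task sequence, with an optional switch to disable the step in place. The share path is assumed; it also assumes that task sequences are stored as Control\<ID>\ts.xml, that the step's action calls ZTIApplyGPOPack.wsf, and that steps carry a disable="true|false" attribute. Check those against your own ts.xml before trusting the output.

```powershell
# Added example, not from the thread or from MDT. Audits a deployment share for
# the "Apply Local GPO Package" step and the ApplyGPOPack rule.
# ASSUMPTIONS (verify on your share): task sequences live in Control\<ID>\ts.xml,
# the step's <action> invokes ZTIApplyGPOPack.wsf, and each <step> has a
# disable="true|false" attribute. The default path below is a placeholder.
param(
    [string]$DeployRoot = 'D:\DeploymentShare',   # assumed path, change to yours
    [switch]$Disable                               # set disable="true" on matching steps
)

# 1. Is the rule present in CustomSettings.ini? (MDT rules are case-insensitive;
#    tolerate spaces around '=')
$csIni  = Join-Path $DeployRoot 'Control\CustomSettings.ini'
$ruleOk = $false
if (Test-Path $csIni) {
    $ruleOk = [bool](Select-String -Path $csIni -Pattern '^\s*ApplyGPOPack\s*=\s*NO\s*$' -Quiet)
}
"CustomSettings.ini has ApplyGPOPack=NO : $ruleOk"

# 2. Walk every task sequence and report / disable the GPO pack step.
Get-ChildItem -Path (Join-Path $DeployRoot 'Control') -Filter ts.xml -Recurse | ForEach-Object {
    $path = $_.FullName
    [xml]$ts = Get-Content -Path $path -Raw
    $changed = $false
    $tsName = $ts.sequence.name   # assumed: root element <sequence name="...">

    # XPath: any <step> whose <action> text mentions the GPO pack script
    foreach ($step in $ts.SelectNodes("//step[contains(action, 'ZTIApplyGPOPack')]")) {
        $state = if ($step.disable -eq 'true') { 'disabled' } else { 'ENABLED' }
        "{0}: step '{1}' is {2}" -f $tsName, $step.name, $state
        if ($Disable -and $step.disable -ne 'true') {
            $step.SetAttribute('disable', 'true')
            $changed = $true
        }
    }

    if ($changed) {
        Copy-Item -Path $path -Destination "$path.bak" -Force   # keep a backup
        $ts.Save($path)
        "  -> saved $path (backup at $path.bak)"
    }
}
```

Run it read-only first to see which sequences still have the step enabled; add -Disable once you are happy with the list. Disabling the step in ts.xml and setting ApplyGPOPack=NO are independent safeguards, so doing both means a new task sequence created from a template does not silently bring the step back.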
You just saved a good number of people from one big headache. I've got a couple of Squid proxies that we use with NTLM for logging. I haven't had time to experiment with it, but I wonder if dropping NTLM for Kerberos would work well.
I think once there is a viable alternative I will be changing over the auth method. I need to experiment with the new smoothwall features as they have some new features for auth.
I suffered this in the middle of my chaos summer (hence not posting anything, given I've been locked away in a building site since after BETT...) and it took me hours of bashing my head and frustration, as I had to rebuild from scratch. In the end I moved back to MDT 2010, as 2012 was just doing my head in with its "helpfulness" that was stopping things just working as they did in 2010, which was strange given I wasn't doing anything complex.
Out of interest, I see that you can modify/create GPO packages, but it appears to require SCCM to do it. Is there another way to edit these to use within MDT?
**Edited to say that I have found the MS Security Compliance Manager kit, though by the sounds of it I only need one part of it.
Yay, another instance of SQLite...
Last edited by SHimmer45; 22nd November 2012 at 11:52 AM.
Re-opening this thread: we have been deploying with MDT 2012 (U1) for the past few months and all has been well. 64-bit and 32-bit Windows 7 have been working fine.
Over Easter the LEA implemented Smoothwall, and now we see that machines built with 2012 are not working due to this GPO pack being applied as part of the task sequence.
Can anyone advise what I need to change back? What does this GPO pack change that doesn't allow our Win7 Ent machines to use Smoothwall? I need to send out a setting to possibly between 100 and 200 machines that suddenly do not work. I want to try and avoid rebuilding them.
Worth mentioning that NTLM appears to be disabled when connecting to Squid.
Any help appreciated.
Last edited by garethedmondson; 15th April 2013 at 06:35 PM.
You could try Kerberos: like NTLM, only better (if, by better, you mean Java doesn't work with it). Kerberos is more modern/secure, and MS aren't trying to get rid of it like they are NTLM.
I gave up trying to undo the changes; I just rebuilt the image and disabled the task sequence step.
I know, but I've got between 100 and 150 computers to rebuild and no time to do it. Only today this started happening. I've rebuilt one machine to test the MDT setting, but will not find out how that goes until tomorrow morning.
There must be a setting somewhere...
uses are located in the folder below. If you import the Win7SP1-MDTGPOPack folder into Microsoft's Security Compliance Manager you can view and/or modify the settings. It looks pretty easy to reverse the changes via Group Policy.
Code:
%ProgramFiles%\Microsoft Deployment Toolkit\Templates\Distribution\Templates\GPOPacks
Attached is a screenshot showing all 145 policies (with SCM you can export them to an Excel spreadsheet).
I saw this last night so was going to try it today - but which policy is causing it might take a while.
I'll let you know how I get on.
Just to let you guys know that we've fixed the issue without rebuilding the affected machines. After hours of scouring Google I managed to find a website that listed some NTLM settings that we could try. I tested them with local settings and they worked. So I've now sent them out to my room and they worked. They've also been sent to a room where the machines were NOT affected, and they worked.
So we have now sent the setting out site-wide (or we will at 10:42, break time).
So, the website? Here you go:
Enabling of NTLM on Windows 7 and Windows Server 2008 R2 - Damir Dobric Posts - developers.de
Seems simple now.
I've also turned the setting off in MDT2012 :-) I think MDT is great but annoying at the moment.
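The thread does not reproduce the list of settings from the linked article, and the posters above do not say which of the 145 policies was the culprit. As an added example (mine, not the poster's and not from the linked page), the script below reads the registry values behind the "Network security: LAN Manager authentication level" and "Network security: Restrict NTLM" policies on a Windows 7 client, decodes them, flags the one combination that outright denies outgoing NTLM, and shows the Restrict NTLM audit events. The policy-to-registry mapping is Microsoft's; what counts as acceptable for a Squid/Smoothwall proxy is this example's assumption. The -Revert switch only writes the local value; if the policy is being applied by a domain GPO it will come back at the next refresh, so, as the post above did, push the corrective values by Group Policy.

```powershell
# Added example, not from the thread or the linked article. Shows the registry
# state behind the NTLM-related "Network security" policies on a Win7 client.
# Run in an elevated PowerShell. ASSUMPTION: what is "acceptable" below is
# chosen for an NTLM-authenticating proxy; your baseline may differ.
param([switch]$Revert)   # -Revert writes RestrictSendingNTLMTraffic=0 locally

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-Dword([string]$Key, [string]$Name) {
    # Returns $null when the value is absent (policy "Not Configured")
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$Name
}

$lm        = Get-Dword $lsa 'LmCompatibilityLevel'        # policy: LAN Manager authentication level
$send      = Get-Dword $msv 'RestrictSendingNTLMTraffic'  # policy: Restrict NTLM: Outgoing NTLM traffic to remote servers
$minClient = Get-Dword $msv 'NtlmMinClientSec'            # policy: Minimum session security for NTLM SSP based clients

$lmText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}
$sendText = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

"LmCompatibilityLevel       : {0} ({1})" -f $lm, $(if ($null -eq $lm) { 'not set, OS default' } else { $lmText[$lm] })
"RestrictSendingNTLMTraffic : {0} ({1})" -f $send, $(if ($null -eq $send) { 'not set = Allow all' } else { $sendText[$send] })
"NtlmMinClientSec           : 0x{0:X8}  (0x20000000 = require NTLMv2 session security, 0x00080000 = require 128-bit)" -f ([int]$minClient)

# LmCompatibilityLevel 3-5 still allow NTLMv2, which Squid/Smoothwall NTLM helpers
# handle; the value that stops proxy auth dead is "Deny all" outgoing NTLM.
if ($send -eq 2) {
    Write-Warning 'Outgoing NTLM to remote servers is set to Deny all: NTLM proxy auth will fail.'

    # The Restrict NTLM feature logs audited/blocked outgoing attempts as event 8001
    # in this operational log; the Message names the target server.
    Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 8001 } |
        Select-Object TimeCreated, Message |
        Format-List

    if ($Revert) {
        Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 0 -Type DWord
        'Set RestrictSendingNTLMTraffic=0 (Allow all) locally. A domain GPO setting this policy will overwrite it on the next gpupdate.'
    }
}
elseif ($send -eq 1) {
    'Outgoing NTLM is in Audit mode: allowed, but logged as event 8001 in Microsoft-Windows-NTLM/Operational.'
}
else {
    'Outgoing NTLM to remote servers is allowed.'
}
```

If you want the audit trail without breaking anything, "Audit all" (value 1) is the useful intermediate: the 8001 events tell you exactly which hosts still need NTLM, which is the list you would want before following the Kerberos suggestion earlier in the thread.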
How did you do this?! It's literally driving me nuts! No idea why they decided to add this in MDT 2012. I can't reset the settings to 'Not Configured', as half of them don't have a setting for that in local policy! Thanks, MS, for that!
Don't suppose you still have the list of settings anywhere?