Warning MDT 2012 Issues with NTLM If You Allow Apply Local GPO Package

A warning for everyone looking at MDT 2012, there is a new task sequence step called "Apply Local GPO Package". If you let this run it sets the security too high to use NTLM with proxies and probably some Samba shares as well. I tried undoing some of the settings in the local policy but it didn't do any good.
I found this out after building a new reference image and I couldn't get the internet to work on IE, Chrome or Firefox. Firefox actually gave me the error message I needed to investigate further though. My Smoothie did look like it was authenticating in the log but obviously not.

Solutions

Disable the step in all your task sequences or set

Code:

---

ApplyGPOPack=NO

---

under the rules tab for the deployment share (Customsettings.ini)

Hopefully this will save some people the serious hair pulling session I had yesterday :doh:

You just saved a good number of people from one big headache. I've got a couple Squid proxies that we use with NTLM for logging. I haven't had time to experiment with it, but I wonder if dropping NTLM for Kerberos would work well.

I think once there is a viable alternative I will be changing over the auth method. I need to experiment with the new smoothwall features as they have some new features for auth.

I suffered this in the middle of my chaos summer (hence not posting anything given I've been locked away in a building site since after BETT....) and it took me hours of bashing my head and frustration as I had to re-build from scratch. In the end I moved back to MDT2010 as 2012 was just doing my head in with its "helpfulness" that was stopping things just working as they did in 2010 which was strange given I wasn't doing anything complex.

out if interest i see that you can modify/create GPO packages but it appears to require SSCM to do it, is there a another way to edit these to use within MDT.

**edited to say that i have found the MS security compliance Manager kit, tho by the sounds of it i only need one part of it.
yay another instance of SQL lite.....

Re-opening this thread - we have been deploying with MDT2012(u1) for the past few months and all has been well. 64 bit and 32 bit Windows 7 have been working fine.

Over Easter the LEA implemented Smoothwall and now we see that machines built with 2012 are not working due to this GPO pack being applied as part of the task sequence.

Can anyone advise what I need to change back? What does this GPO pack change that doesn't allow our Win7Ent machines to use SmoothWall? I need to send out a setting to possiblt between 100-200 machines that suddenly do not work. I want to try and avoid rebuilding them.

Worth mentioning that NTLM appears to be disabled when connecting to Squid.

Any help appreciated.

Gareth

You could try Kerberos: like NTLM only better (if, by better, you mean Java doesn't work with it). Kerberos is more modern/secure and MS aren't trying to get rid of it like they are NTLM.

I gave up trying to undo the changes I just rebuilt the image and disabled the task sequence step.

Quote:

---

Originally Posted by tom_newton

You could try Kerberos: like NTLM only better (if, by better, you mean Java doesn't work with it). Kerberos is more modern/secure and MS aren't trying to get rid of it like they are NTLM.

---

Thanks Tom - I'll pass this to our LEA team tomorrow. Who is the LEA contact with you guys? Perhaps they could contact the LEA. Why are we using NTLM in the LEA if Kerberos is better?

I'll check all my facts tomorrow.

Gareth

I know - but I've got between 100 and 150 computers to rebuild and no time to do it. Only today this started happening. I've rebuild one machine to test the MDT setting but will not find out how that goes until tomorrow morning.

There must be a setting somewhere...

Thanks

Gareth

Quote:

---

Originally Posted by ChrisH

I gave up trying to undo the changes I just rebuilt the image and disabled the task sequence step.

---

Agreed never managed to fix it despite hacking reg keys and settings files across the machine was much quicker to re-do the entire image from scratch and re-do the test machines.

Quote:

---

Originally Posted by garethedmondson

There must be a setting somewhere...

---

The GPOPacks that MDT 2012 uses are located in the folder below. If you import the Win7SP1-MDTGPOPack folder into Microsoft's Security Compliance Manager you can view and/or modify the settings. It looks pretty easy to reverse the changes via Group Policy.

Code:

---

%ProgramFiles%\Microsoft Deployment Toolkit\Templates\Distribution\Templates\GPOPacks

---

Attached is a screenshot showing all 145 policies (with SCM you can export them to an Excel spreadsheet).

I saw this last night so was going to try it today - but which policy is causing it might take a while.

I'll let you know how I get on.

Gareth

Morning

Just to let you guys know that we've fixed the issue without rebuilding the affected machines. After hours of scouring Google I managed to find a website that listed some NTLM settings that we could try. I tested them with Local settings and they worked. So I've now sent them out to my room and they worked. They've been sent to a room where the machines were NOT affected - they worked.

So we have now sent the setting out sitewide (or we will at 10:42 - break time).

So, the website? Here you go:

Enabling of NTLM on Windows 7 and Windows Server 2008 R2 - Damir Dobric Posts - developers.de

Seems simple now.

I've also turned the setting off in MDT2012 :-) I think MDT is great but annoying at the moment.

Gareth