Secure & (Slightly More) Automated MDT Lite Touch 2013 Logins

As Spiderman knows, with great power comes great responsibility, and MDT is no exception. When balancing the needs of automation and security you really can have your cake and eat it too. Some of you may have seen how the credentials of an account added to your bootstrap.ini can be used to skip the MDT Lite Touch wizard login screen, which is pretty awesome when you're kicking off 500+ deployments, BUT then you're leaving a username and password in plaintext, which is a big no-no to some people.

Half of the problem here is that people often don't use a service account for this. A service account is just an account that doesn't have access to the entire system, only basic read and write access to your deployment share, nothing more, nothing less. I mean, you really wouldn't use YOUR username and password for this, right? Well, that is unless you're okay with leaving your username and password in plaintext on a USB/CD/WIM.

So, what to do? Well, there are three good solutions; pick whichever you feel most comfortable with. All of these solutions, again, should involve a service account, NOT your credentials.

  • Use the service account, include the password in the bootstrap file, and disable the account when it's not needed. Not the best idea, but it would work.
  • Create two boot images, one that has the username and password and one that doesn't. Switch them on the PXE server when you're done doing the bulk of your deployments.
  • Only include the service account username and domain, NOT the password, in the bootstrap.ini; that way you'll only be prompted for a password at deploy time.

I prefer the third option, but it’s really up to you.

Also note that these boot files will contain the password, so don't leave them on the server in the Boot folder if you're really concerned about the password being seen.

Obligatory Side Note on Bootstrap.ini Settings: One of the "old wives' tales" about MDT is that you need to update your share whenever the customsettings.ini file is updated; this is not true. You ONLY need to update the share when updating bootstrap.ini and/or drivers.

So how do you do this exactly then?

Simply add these three variables to your bootstrap.ini file. It's that easy. Again, if you're concerned about security, don't add the password; MDT will populate the username and domain for you, and all you need to enter at deploy time is the password.

UserDomain=TSLAB
UserID=BuildAccount
UserPassword=P@ssw0rd
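As an added example (not from the original post), here is a PowerShell function that audits a bootstrap.ini for a plaintext UserPassword in any section and can strip it, leaving only UserDomain and UserID so the boot image prompts for the password. The deployment share path is an assumption.

```powershell
# Added example, not part of the original post. Reports every UserPassword entry in a
# bootstrap.ini and, with -RemovePassword, writes a cleaned copy in place.
function Test-BootstrapIniCredentials {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $RemovePassword
    )

    $section  = ''
    $findings = @()
    $kept     = New-Object System.Collections.Generic.List[string]

    foreach ($line in Get-Content -Path $Path) {
        $trim = $line.Trim()
        if ($trim -match '^\[(.+)\]$') {
            $section = $Matches[1]                       # e.g. [Default] or a Priority section
        }
        elseif ($trim -match '^(?<key>[^=;]+?)\s*=\s*(?<val>.*)$') {
            if ($Matches['key'].Trim() -ieq 'UserPassword') {
                # Record where the password sits, but never echo the value itself.
                $findings += [pscustomobject]@{
                    Section = $section
                    Key     = 'UserPassword'
                    Length  = $Matches['val'].Length
                }
                if ($RemovePassword) { continue }         # leave this line out of the cleaned copy
            }
        }
        $kept.Add($line)
    }

    if ($RemovePassword -and $findings.Count -gt 0) {
        Copy-Item -Path $Path -Destination "${Path}.bak" -Force   # .bak still holds the password; delete it once verified
        Set-Content -Path $Path -Value $kept -Encoding ASCII
        Write-Warning "UserPassword removed from $Path. Regenerate the boot image (Update-MDTDeploymentShare) and replace the WIM on the PXE server; the previously built image still contains the password."
    }
    return $findings
}

# Usage (assumed share path): report only, then strip the password.
Test-BootstrapIniCredentials -Path 'D:\DeploymentShare\Control\Bootstrap.ini'
Test-BootstrapIniCredentials -Path 'D:\DeploymentShare\Control\Bootstrap.ini' -RemovePassword
```

The cleaned file keeps UserDomain and UserID, so the wizard still pre-fills those and only asks for the password.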

The screenshot below is simply missing the password line.

[Screenshot: boot]
