Delaying Domain Join When Legal Notices Break MDT AutoLogin

Sometimes Group Policy Breaks MDT. Policies such as Rename Administrator or a GP Install will break the glorious automation of MDT. Most commonly however, it’s those pesky legal disclaimers that tin foil hat wearers just love. These little warnings will bring your beautiful task sequences to a screeching halt.

See, MDT after imaging will need to login to the default local administrator account to run windows updates, install applications, update those apps, and apply local policies and perform the final cleanup. Often these steps can require several reboots, and having to click okay to some legal disclaimer every reboot kinda defeats the whole purpose of having MDT around in the first place.

There are several documented workarounds for this problem, the simplest of which is to turn off these warnings, because they don’t really do much good, but since they’re usually the idea of management, its not a fight worth having. So the next solution is to disable the domain join until the very end by hacking your unattended.xml file and moving recover to the domain to the very end, which is a little better. I’ve also read about staging OUs and hacks to GP using WMI filters, and all kinds of not so fun stuff, but there’s a pretty simple and easy way to teach MDT to “remember” this information, and join at the end still.

Until today when dealing with this very issue, I forgot about this excellent workaround I found over a year when I was doing IT for a large Business Solutions Provider here in Albuquerque.

Avoiding Legal Disclaimers That Break MDT

The idea here is simple, you’re going to comment out two lines of code from the TZIDomainJoin.wsf file in your MDT Scripts folder, and add logic to your customsettings.ini to store the domain information as a variable, and create a temporary task sequence that you’re going to override with a version that has steps that have logic to deal with this, and then copy those steps to your task sequence, I know it sounds complicated, but it works, and is worth doing.

These and MDT do not play well together.

Find The ZTIDomainJoin.wsf file in your scripts folder.

Comment Out Two Lines, 189 and 190

Create a temporary Task Sequence, and overwrite the xml with the xml provided by the link above.

Copy and Paste the Save Join and Restore Join Steps into your Task Sequence..

Note The save occurs in the Pre-Install Phase just before Configure. Restore Join Domain occurs at the very end of the task sequence, pretty much just before we run Recover From Domain at the very end. This way MDT joins to the domain, and you don’t have to worry about

Click the link below for the complete workaround, and the custom XML to use, but it works like a champ.

See: Avoiding Legal Disclaimers That Break MDT


The Greatest MDT CustomSettings.ini Example Ever Written

No, I didn’t write this example, it’s from a set of samples written by the legendary Mikael Nystrom of TrueSec, and Co – Author of “Deployment Fundamentals”. A few weeks back I published a MDT CustomSettings.ini guide with some tips and tricks geared towards more intermediate MDT 2012 users. However, if you’re just getting started learning about the glory that is the MDT customsettings.ini file, then you need to read Mikael Nystrom’s guide, Back to basics – Customsettings.ini explained. In it, he explains how this file really works, and how to simplify your testing of it. It’s pretty much required reading for anybody who works with MDT.

However, I was reminded of some of his better examples not on that site, I thought I’d share one with you guys.

Last March’s TrueSec Newsletter was loaded with even better examples from Mikael, and my favorite is below.


The beautiful thing about this example is that it’s really doing several things, and creating a set of several rules based on location and device type. Note how the computername is being generated based on Location, Device Type and Serial. Pretty slick huh?

For all of his scrubbed customsettings.ini samples click here:

Much respect to Johan and Mikael, those two guys are my personal heroes! Check out my links page to read their Blogs!

Again, as always if you have any questions, e-mail me.

Download MDT 2013 Preview

If you’re like me, you like to live on the bleeding edge of technology, and you’re one of those people who absolutely has to be testing the latest and greatest. So here is the link to download MDT 2013 Preview. Remember, this is the first version of MDT that DOES not support WAIK or WinXP. If you’re in a hurry to test Win8.1 deployment, this release of MDT and ADK just is for you.

MDT 2013 provides a common console with comprehensive tools and guidance for every organizational role-making it the recommended process and toolset to automate large-scale desktop and server deployments.

•Support for the Windows Assessment and Deployment Kit (ADK) for Windows 8.1 Preview •Deploy Windows 7, Windows 8 and Windows 8.1 families

•Support for deployment of Windows 8.1 Preview and Windows Server 2012 R2 Preview
•Support for zero-touch integration (ZTI) with System Center 2012 R2 Configuration Manager Preview

And of course, I do have to remind you this pre-release software, NOT intended for production, so use at your own risk.