Sometimes Group Policy Breaks MDT. Policies such as Rename Administrator or a GP Install will break the glorious automation of MDT. Most commonly, however, it’s those pesky legal disclaimers that tin foil hat wearers just love. These little warnings will bring your beautiful task sequences to a screeching halt.
See, after imaging, MDT needs to log in to the default local administrator account to run Windows updates, install applications, update those apps, apply local policies, and perform the final cleanup. Often these steps can require several reboots, and having to click okay to some legal disclaimer every reboot kinda defeats the whole purpose of having MDT around in the first place.
There are several documented workarounds for this problem. The simplest is to turn off these warnings, because they don’t really do much good, but since they’re usually the idea of management, it’s not a fight worth having. The next solution is to disable the domain join until the very end by hacking your unattended.xml file and moving Recover From Domain to the very end, which is a little better. I’ve also read about staging OUs, hacks to GP using WMI filters, and all kinds of not so fun stuff. But there’s a pretty simple and easy way to teach MDT to “remember” this information and still join at the end.
Until today, when dealing with this very issue, I forgot about this excellent workaround I found over a year ago when I was doing IT for a large Business Solutions Provider here in Albuquerque.
The idea here is simple. You’re going to comment out two lines of code from the ZTIDomainJoin.wsf file in your MDT Scripts folder, and add logic to your customsettings.ini to store the domain information as a variable. Then you create a temporary task sequence, override it with a version whose steps have the logic to deal with this, and copy those steps to your own task sequence. I know it sounds complicated, but it works, and is worth doing.
Note: The save occurs in the Pre-Install phase, just before Configure. Restore Join Domain occurs at the very end of the task sequence, pretty much just before we run Recover From Domain. This way MDT joins the domain, and you don’t have to worry about
Click the link below for the complete workaround and the custom XML to use. It works like a champ.