Windows system administrators have been using Microsoft Deployment Toolkit (MDT) for some time now, often alongside System Center Configuration Manager (SCCM), to deploy Windows operating systems to their devices. I'm a huge proponent of this method of deployment over methods that rely on thick images, and have written extensively about MDT.
While this process has remained mostly the same through the years, Microsoft's annual release schedule may sometimes require a change to the underlying foundation, the Assessment and Deployment Kit (ADK), so that it can meet the demands of the newer, modernized version of Windows it is capable of deploying. At other times, however, the changes come from the way a system handles certain privileged files, or from new technologies such as Secure Boot.
Those who have migrated their MDT repositories to Windows Server 2016 and run them as virtual machines have been particularly affected by two recent changes: Secure Boot being enabled by default, and MDT's reliance on signed drivers. The problem shows up when generating boot images: the process fails to mount the WIM because the driver it depends on is not properly signed.
Some organizations have worked around the issue by rolling back to an older version of the ADK, or even by disabling Secure Boot. Neither is a long-term solution, as neither resolves the underlying issue. The two solutions below, however, resolve the problem for good.
1. Alternative driver path
1. With the MDT app closed, launch Regedit.exe to access the local registry settings on the computing instance with MDT installed.
2. Navigate to the following path:
3. Locate and double-click the string value named "ImagePath" to edit it. Modify the value data to the following, and click the OK button to commit the change.
4. With the value changed to reflect the alternate path, launch the MDT workbench and perform the task to Update Deployment. It should now mount the WIMs again, and successfully complete the boot image generation.
2. Update signed driver
1. Download the updated signed driver from Microsoft's TechNet website and extract the contents of the ZIP file to your computer.
Note: Make sure that the MDT app is closed before proceeding to copy the signed drivers to their proper locations. The driver files are architecture-specific and must be copied to their correct locations or the process will not work.
2. In most cases, Windows Server 2016 users will be running the 64-bit version. For this example, locate the AMD64 directory, and copy the wimmount.sys and wofadk.sys drivers to the following default path where the ADK was installed:
"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\"
3. Repeat step #2 for the x86 and arm64 directories, so that the signed drivers for each architecture are copied to the matching DISM folder under the ADK installation.
4. Once all files are successfully copied, launch the MDT workbench and perform the task to Update Deployment. It should now mount the WIMs again, and successfully complete the boot image generation.
Note: Though not required if the ADK was initially installed and the system rebooted once afterward, you may wish to reboot the instance once more to ensure that the driver files are fully recognized by the OS before trying to update the deployment.
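The copy steps above can be done by hand, but the part worth automating is the check that the driver you are about to drop into the ADK's DISM folder actually carries a valid signature, since an unsigned driver is exactly what Secure Boot will refuse. The following PowerShell script is an added example, not code from the article or from Microsoft: it assumes the TechNet ZIP has been extracted to a folder passed as -SourceRoot, that its architecture subfolders are named AMD64 (as the article states), x86 and arm64 (assumed to match the article's wording), and that the ADK is installed at the default path quoted above. It verifies each driver with Get-AuthenticodeSignature, keeps a .bak copy of the file it replaces, and reports the signature status of every installed driver at the end.

```powershell
# Added example: install the signed wimmount.sys / wofadk.sys drivers into the
# ADK DISM folders for amd64, x86 and arm64, verifying Authenticode signatures first.
# Assumptions (not from the article): the extracted ZIP folders are named AMD64,
# x86 and arm64, and the ADK lives at the default Deployment Tools path.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SourceRoot,
    [string]$AdkRoot = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools'
)

$Drivers = 'wimmount.sys', 'wofadk.sys'
# Extracted ZIP folder name -> ADK Deployment Tools architecture folder (assumed mapping).
$ArchMap = @{ 'AMD64' = 'amd64'; 'x86' = 'x86'; 'arm64' = 'arm64' }

foreach ($zipArch in $ArchMap.Keys) {
    $destDir = Join-Path $AdkRoot "$($ArchMap[$zipArch])\DISM"
    if (-not (Test-Path $destDir)) {
        Write-Warning "ADK folder not found, skipping: $destDir"
        continue
    }

    foreach ($name in $Drivers) {
        $src = Join-Path (Join-Path $SourceRoot $zipArch) $name
        if (-not (Test-Path $src)) {
            Write-Warning "Missing source file, skipping: $src"
            continue
        }

        # Refuse to install anything whose Authenticode signature is not valid.
        $sig = Get-AuthenticodeSignature -FilePath $src
        if ($sig.Status -ne 'Valid') {
            Write-Error "Signature check failed for $src (status: $($sig.Status)); not copied."
            continue
        }
        Write-Verbose "$name ($zipArch) signed by: $($sig.SignerCertificate.Subject)"

        # Keep the driver being replaced so the change can be reverted.
        $dest = Join-Path $destDir $name
        if (Test-Path $dest) {
            Copy-Item -Path $dest -Destination "$dest.bak" -Force
        }
        if ($PSCmdlet.ShouldProcess($dest, "Replace with signed $name")) {
            Copy-Item -Path $src -Destination $dest -Force
        }
    }
}

# Final report: signature status and hash of every driver now present in the ADK.
foreach ($arch in $ArchMap.Values) {
    foreach ($name in $Drivers) {
        $path = Join-Path $AdkRoot "$arch\DISM\$name"
        if (-not (Test-Path $path)) { continue }
        [PSCustomObject]@{
            Architecture = $arch
            Driver       = $name
            Signature    = (Get-AuthenticodeSignature -FilePath $path).Status
            SHA256       = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
} | Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated PowerShell prompt, with the MDT workbench closed, since the ADK folder under Program Files (x86) is not writable by a standard user. Adding -WhatIf shows which files would be replaced without touching anything, and -Verbose prints the signer of each driver so you can confirm it is the publisher you expect before the copy happens.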
Does your organization utilize MDT for Windows deployments? How happy (or unhappy) are you with this solution? Share your thoughts on MDT below in the comment section.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.