MDT is a solution accelerator for operating system and application deployment. The current version of Microsoft Deployment Toolkit is MDT 2013 update 1. Or, you can automate your whole deployment process using Microsoft System Center Configuration Manager.This is how to easily install ADK and MDT in Windows Server 2016 for Windows Deployment. Even better: Why not use Windows Deployment Services, a server role in Windows Server 2008 R2, to eliminate the need for such boot media entirely? When using Windows Deployment Services, all you need is someone to turn on the client computers, which will PXE-boot from the network and start the install automatically. You need to ensure that only trusted people handle such media. If you start the deployment process manually on client computers by inserting Lite Touch boot media (whether CD, DVD or USB flash drive), this media contains Bootstrap.ini and the information stored in the file. The file may also contain the password for this account. Use Windows Deployment Services instead of Lite Touch mediaīootstrap.ini is a plaintext file that contains the user name of the account used to connect to the deployment share ( see Figure 1). Ideally, your production deployment should work 100 percent, partly so you don't have to walk around later fixing things, and partly so you can sleep better at night. While this information would be difficult to find and interpret for most users, a sophisticated user wouldn't have any problem ferreting it out. Another reason is that a failed deployment can leave sensitive information on the computer, such as the name of the user account used to connect to the deployment share. That’s one reason you should test your deployments thoroughly in a lab environment before deploying to your production network. Test thoroughly before final deploymentĪ little time spent preparing saves lots of time spent troubleshooting. You can join the computers to the domain afterwards. If you're extra paranoid about security (and who isn't nowadays?), you can use MDT to deploy client computers into a workgroup instead of your Active Directory domain. For even greater peace of mind, disable these accounts when deployment is not being performed. So always use ordinary Domain User accounts and complex passwords for your deployments, and use a separate account for accessing deployment shares and joining the domain. A sophisticated user running a sniffing program could grab the password and wreak havoc if the build account is admin-level. Generally speaking, using admin accounts for deployment is risky because if the account is compromised, your entire IT infrastructure is effectively compromised.įor example, during refresh deployments (but not bare-metal deployments) MDT transmits credentials over the network in plaintext form. Similarly, the account used to join client computers to the domain doesn’t need to be an admin account, provided you delegate to that account the ability to create computer objects in Active Directory. The account used by client computers to connect to your deployment shares doesn't need to be an admin account it can be an ordinary user account. While MDT 2010 lets you create, test, build and produce deployment shares on a single machine, it's best if you keep your test-bed network (which should mirror your production network), your build lab (where you configure, deploy and capture your reference images) and your production network (where your users live and breathe) all isolated from each other. If your deployment servers aren't physically secure - and if the captured images of the reference computers you've built aren't stored securely - your IT infrastructure isn't secure. Here are five tips for deploying Windows 7 quickly and securely. The Microsoft Deployment Toolkit 2010 is easy to configure and use, but is your deployment process secure? While this latest version of MDT includes numerous improvements, including some important security improvements, there are still some steps you can take to safeguard your IT infrastructure during deployment.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |