Wednesday, February 18, 2015

Obscure WDS Bug with Joining Domains on UEFI-Based Systems

Today I ran into a very unusual problem with Windows Deployment Services. I had configured the WDS server to join clients to the domain, but after an unattended install the client was not in fact joined to the domain. After going through all manner of documentation and help forums, I discovered that this is actually a bug with WDS.

If:
  • An unattended deployment is being performed,
  • Without an Active Directory prestaged computer account,
  • On a UEFI-based system,
The client will not join the domain. Instead, I now have to figure out the Microsoft-Windows-UnattendedJoin structure in Windows System Image Manager and try not to send my plaintext password over the wire to the PE client.

(UEFI stands for Unified Extensible Firmware Interface and is a new class of BIOS. Some implementations are really snazzy and support high-color and -res graphics and even mouse input!)

1 comment:

  1. It is a bug in WDS. When you approve a UEFI device it gives the wrong permissions. If you look under the security permissions on the computer object you will see it has set deny for Domain Admins against the 'Change password' and 'Reset password'. Remove the deny for both of these and you are good to go.

    You will need to do this for each UEFI computer you approve through WDS but it is better than nothing.

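As an added PowerShell example (not code from the post or the comment above), the following audits a computer object for the Deny ACEs the comment describes and can remove them; it assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and the standard extended-right GUIDs for Change Password and Reset Password.

```powershell
# Audit (and optionally remove) Deny ACEs on the Change-Password / Reset-Password
# extended rights of an AD computer object. Assumes the ActiveDirectory module
# (RSAT) is installed and the caller may read/modify the object's security descriptor.
Import-Module ActiveDirectory

# Well-known controlAccessRight GUIDs from the AD schema (not page-specific values).
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password

function Get-DenyPasswordAce {
    # Returns the Deny ACEs on the two password rights for one computer object.
    param([Parameter(Mandatory)][string]$Identity)   # name, sAMAccountName or DN
    $computer = Get-ADComputer -Identity $Identity
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.ObjectType -eq $ChangePasswordGuid -or $_.ObjectType -eq $ResetPasswordGuid)
    }
}

function Remove-DenyPasswordAce {
    # Strips those Deny ACEs and writes the ACL back; returns how many were removed.
    param([Parameter(Mandatory)][string]$Identity)
    $computer = Get-ADComputer -Identity $Identity
    $path = "AD:\" + $computer.DistinguishedName
    $acl = Get-Acl -Path $path
    $removed = 0
    foreach ($ace in @(Get-DenyPasswordAce -Identity $Identity)) {
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    if ($removed -gt 0) { Set-Acl -Path $path -AclObject $acl }
    return $removed
}

# Usage: report every computer object carrying such a Deny ACE and who it applies to,
# so the ones approved through WDS can be reviewed before anything is changed.
Get-ADComputer -Filter * | ForEach-Object {
    $aces = @(Get-DenyPasswordAce -Identity $_.DistinguishedName)
    if ($aces.Count -gt 0) {
        "{0}: Deny for {1}" -f $_.Name, (($aces.IdentityReference | Select-Object -Unique) -join ', ')
    }
}
# To remediate a single object after review:
# Remove-DenyPasswordAce -Identity 'CN=PC01,CN=Computers,DC=example,DC=local'   # placeholder DN
```

Running the report periodically against newly created computer objects is a simple way to catch the misconfiguration before the next unattended install fails to join.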