MDT deployment of Dell OEM Windows XP Pro stumped by NTLMv2 requirement

08
2014-07
  • Mike Sol

    We're working on a deployment system that uses iPXE to boot a LiteTouch PE image created by Microsoft Deployment Toolkit (MDT) 2010, which then deploys Windows XP or Windows 7 to the clients. No problems with Windows 7, but XP is causing us headaches.

    Due to decisions beyond my control, our network enforces NTLMv2 at a minimum for connections from machines not joined to the domain (which would use Kerberos, I believe).

    This shouldn't be a problem, except that the Windows XP image that we have to deploy is a Dell OEM version, because we don't want to have to enter serial numbers into the installer (and 99.5% of all PCs on campus are Dell machines with legal XP Pro OEM licenses). The Dell XP Pro SP3 OEM disks don't seem to work on a lot of our machines, dying out with strange driver issues during the text-mode portion of the install, which we haven't been able to troubleshoot.

    Instead, we've had some luck with the Dell XP Pro SP2 OEM disks, which we can slipstream to SP3 and integrate hotfix packs with (the xable one from http://xable.net/xp-sp3-update-pack-download.html works well). So, we end up with an XP image that's mostly SP3, plus all the important updates as of April. Should be good enough, right?

    Now, what happens is that Windows XP gets installed to the point where it first boots, which is good, but then MDT is supposed to begin its Task Sequences. These are run by the client connecting to the MDT server's deployment share to download the order of the task sequence.

    Unfortunately, NTLMv2 is turned off on these client installs, probably due to them being from an SP2 -> SP3 source (as SP3 has this on by default otherwise), so connections to the share are denied, and the MDT task sequence stops, waiting for the problem to be fixed so it can resume. A simple registry change ("lmcompatibilitylevel") fixes the problem nearly instantly with no reboot required.

    So, all we need to do is to get this registry change implemented before MDT runs its task sequences, and we're golden. That means that we can't actually use an MDT task sequence step to do this, because of the catch-22 with that approach.

    So far, we've tried using nLite to put a "registry_addreg" tweak in, but I think that MDT overrides anything nLite wishes to execute post-install, and that these steps aren't running at all. I need to investigate that more, to ensure that our nLite XP image installs and runs the tweak in a non-MDT situation, but we did that by the book so I believe it should work.

    We've also tried adjusting the GPOs that apply to the MDT server itself to drop its requirements down to NTLMv1, but it doesn't seem to help at all, and the same client change up to NTLMv2 still fixes the problem. It's possible I haven't gotten all of the policy settings for this change - we're changing the server's policy to:

    "Network Security: LAN Manager authentication level":"Send LM and NTLM - use NTLMv2 session security if negotiated".

    If there's another setting or two that needs to be changed to make the server more lenient, lay it on me. Clearly this one ain't enough.

    Otherwise, perhaps there's a way to take a vanilla XP Pro SP3 CD and convert it to be effectively the same as the Dell OEM one in regards to serial-free installation? I don't have the key(s) that Dell uses, though of course there are plenty on the sides of machines we could use.

    I'm willing to try just about anything at this point, so, lay your weird ideas on me and I'll give them a shot.

  • Answers
  • paradroid

    Just to sidestep the whole issue, I would just use a vanilla XP Pro SP3 image, as SP3 does not require a serial on installation, just like Vista onwards. You do not need to use the Dell image for the serial-less installation.

  • Simon Sheehan

    You can use MDT. You just need to mount the hive and make the edit via script, after the install operating system step, but before the reboot.

    Just use a vbscript to mount the system hive from c: and make your edit, but don't forget to unmount the hive.
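
The hive edit described in this answer, as an added example that is not part of the original answer or of MDT's own scripts. It assumes the script runs under cscript in the LiteTouch PE session, that the installed XP SYSTEM hive already exists on C: at that point, and that level 3 ("Send NTLMv2 response only") is the wanted setting; the mount name OfflineSystem is a hypothetical choice.

```vbscript
' Added example: set LmCompatibilityLevel in the offline XP SYSTEM hive.
' Assumptions: XP is on C:, the hive file already exists, and OfflineSystem
' is a hypothetical temporary mount name under HKLM.
Option Explicit

Const HIVE_FILE = "C:\WINDOWS\system32\config\system"
Const MOUNT_KEY = "HKLM\OfflineSystem"
Const LM_LEVEL  = 3   ' 3 = send NTLMv2 response only

Dim sh, fso, rc, current, lsaValue, failed
Set sh  = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

If Not fso.FileExists(HIVE_FILE) Then
    WScript.Echo "Offline SYSTEM hive not found: " & HIVE_FILE
    WScript.Quit 1
End If

' Mount the offline hive under HKLM\OfflineSystem.
rc = sh.Run("reg.exe load " & MOUNT_KEY & " """ & HIVE_FILE & """", 0, True)
If rc <> 0 Then
    WScript.Echo "reg load failed, exit code " & rc
    WScript.Quit rc
End If

' An offline hive has no CurrentControlSet link. Select\Current holds the
' number of the control set the installed system will boot with.
On Error Resume Next
current = sh.RegRead(MOUNT_KEY & "\Select\Current")
If Err.Number = 0 Then
    lsaValue = MOUNT_KEY & "\ControlSet" & Right("000" & current, 3) & _
               "\Control\Lsa\LmCompatibilityLevel"
    sh.RegWrite lsaValue, LM_LEVEL, "REG_DWORD"
End If
failed = (Err.Number <> 0)
On Error GoTo 0

' Always unload, even when the edit failed, so the hive file is not left
' locked when the machine reboots into XP.
rc = sh.Run("reg.exe unload " & MOUNT_KEY, 0, True)
If failed Or rc <> 0 Then
    WScript.Echo "Hive edit or unload failed (unload exit code " & rc & ")"
    WScript.Quit 1
End If
WScript.Echo "LmCompatibilityLevel set to " & LM_LEVEL & " in the offline hive"
```

A non-zero exit code lets a task sequence step fail visibly instead of rebooting into an XP install that still cannot authenticate to the deployment share.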

  • MDT Guy

    Rather than messing with WinXP SP2, build your WinXP Ref. image in a VM; that should get you past these driver problems.

    It really does sound like you're stuck between a rock and a hard place. I would highly recommend not using XP anymore. I never had much luck with it and MDT; MDT and Win7 play quite well together.


  • Related Question

    Cannot reinstall Windows on Toughbook CF-19, OEM or upgrade issue?
  • oeon

    My Toughbook (CF-19) has a 'Windows Vista Business OEMAct, Panasonic' COA on the bottom of the unit. When I extracted the key before reformatting - it was a 'Windows XP Professional' Product Name and the Product ID code has 'OEM' in it...and I can confirm this upgrade was last OS installed (w/ Service Pack 3) - but there was the tablet functionality.

    This extracted product key isn't working with any version of Windows I try installing. XP Pro, XP Pro Tablet 2005 OEM, Tablet XP OEM. Any insights?


  • Related Answers
  • William Hilsum

    Most likely it was licensed for Windows Vista but you/Panasonic used "Downgrade rights" to use XP Tablet Edition / Professional with tablet like programs.

    The edition of Windows was not a straightforward OEM off-the-shelf copy but limited to disks from Panasonic. I would check to see if they gave you any media or recovery disks and if not, try and get a duplicate one from them.

  • 8088

    To Our Valued Customers,

    Some questions have arisen as to the Panasonic policy on providing “Microsoft Windows Vista including a downgrade right to Windows XP Professional” (Vista downgrade). This will explain our implementation of Microsoft’s program, announced in Sept. 2007 and first implemented by PCSC in November, 2007. This program will be in effect until, at least, April 21, 2010.

    • Panasonic Toughbook laptops no longer come with a Windows XP license. All systems are shipped with a Windows Vista license (and Certificate of Authenticity, or COA). However, Windows XP can be installed on the system prior to being shipped to the customer through the “Vista downgrade” program.

    • Panasonic Toughbook laptops that ship with a “Vista downgrade” will have a Windows XP factory image loaded on the unit’s hard disk drive. They will ship with a Windows Vista Certificate of Authenticity (COA), as well as Windows XP recovery CD and a Windows Vista Recovery CD. This will allow a user to restore the XP image or upgrade to a Windows Vista Business standard factory load.

    • The user license will be for Windows Vista Business (as shown on the COA) but the user is granted downgrade rights to use Windows XP Professional. There will be NO Windows XP license key with these models. Panasonic may not provide an XP license key. Users must use their existing corporate license or contact Microsoft to obtain one, if needed.

    • Customers must use the Panasonic Windows XP recovery CD to install the Windows XP operating system. If the recovery CD is not used, the customer may be prompted to provide a Windows XP license key. Panasonic may not provide a Windows XP license key. Microsoft must be contacted to obtain a Windows XP license key.

    • The Windows logo sticker on the wrist rest of the Toughbook laptop will show Windows Vista as the OS on the unit, but the OS that boots up on the machine will be Windows XP. Units with the Vista downgrade can be identified with a part number that ends in the letters “AM”. (Units loaded with Windows Vista, and without a downgrade, end in “JM”.)

    • All current Panasonic Toughbook laptops are available with either of the Windows operating systems. The Vista downgrade program is being offered by Panasonic in cooperation with Microsoft to meet the needs of users who are not yet ready to transition to Windows Vista and desire a Windows XP solution for the current acquisitions.

    Panasonic Computer Solutions Company
    August, 2009