23 February 2009

How To: Monitor Utimaco Safeguard Easy Encryption during OS deployment

So I promised that I’d try to post more frequently with tips and tricks for the variety of technologies I encounter and I figured I’d start with the Microsoft Deployment Toolkit, as I’ve gained quite a bit of hands-on experience with this as of late.

MDT is used to build and deploy both workstation and server OSes, install all drivers and applications and configure the relevant OS for use in your environment. You can find more information on it at the Microsoft Deployment TechCenter.

At the heart of MDT are Task Sequences, which control each operation in building your OS. Although the default task sequences provided by Microsoft are a great starting point – let’s face it, every business operates differently and has its own requirements for how an OS is built and configured.

In my company, we have a strict requirement that every workstation is fully encrypted (by Utimaco Safeguard Easy) before ever hitting our network and joining the domain. Our MDT Deployment Task Sequence allows us to fully configure the workstation, encrypt it while off the network and then shut down. At this point it can be brought onto the network and joined to the domain. What’s also nice about this is that we can have a 3rd party vendor pre-image and encrypt the workstations before sending them in to us for final configuration.

So I thought I’d share with you the script I’ve built to monitor the disk encryption process. It uses an SGE tool called SGEState, which is installed as part of the client. The script uses the information returned from SGEState to determine whether the encryption is in progress or complete, and returns progress information to MDT.

It’s very simple to use in your Task Sequence, and you can use the returned error-levels to act on certain situations. Simply:

  • Download the MDT script here
  • Rename the file from .txt to .wsf
  • Copy the file to the Scripts folder in your Distribution folder
  • Create a new TS ‘Run Command Line’ item, with the following command-line: cscript.exe "%SCRIPTROOT%\zCFG-MonitorSGEEncryption.wsf"

In this simple example TS, we’re just installing SGE, restarting and then monitoring the encryption until it completes:

MDT Task Sequence: Safeguard Easy Monitoring

You can, of course, do more advanced things here. I use the same script to verify that Safeguard Easy is installed and encryption is completed before starting our Domain joining process. If it’s not installed, the installation will start, and an “IPConfig /Release” on the NIC adaptor will ensure that the workstation does not have an IP address until encryption completes.
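The monitoring and gating described above can be sketched as a fail-closed polling loop. This is an added example, not the downloadable zCFG-MonitorSGEEncryption.wsf; the SGEState command line, the two marker strings (placeholders to be filled in from what SGEState prints on your client), the timings and the exit codes are all assumptions.

```vbscript
' Added example. Hypothetical: command line, marker strings, timings, exit codes.
Option Explicit

Const SGE_CMD      = "SGEState.exe"   ' assumed name; use the full path on your client
Const MARK_BUSY    = "<text SGEState prints while encrypting>"    ' placeholder
Const MARK_DONE    = "<text SGEState prints when fully encrypted>" ' placeholder
Const POLL_SECONDS = 60
Const MAX_MINUTES  = 720
Const MAX_UNKNOWN  = 5                ' consecutive unreadable polls tolerated
Const RC_ENCRYPTED = 0, RC_TIMEOUT = 1, RC_UNKNOWN = 2

Dim shell : Set shell = CreateObject("WScript.Shell")

' Run SGEState once and return its console output ("" if it cannot be started).
Function ReadState()
    Dim proc
    ReadState = ""
    On Error Resume Next
    Set proc = shell.Exec(SGE_CMD)
    If Err.Number = 0 Then ReadState = proc.StdOut.ReadAll()
    On Error GoTo 0
End Function

' Map raw output to a state. Busy is tested first and anything unrecognised
' is "unknown", so a partly encrypted machine is never reported as done.
Function Classify(text)
    If InStr(1, text, MARK_BUSY, vbTextCompare) > 0 Then
        Classify = "busy"
    ElseIf InStr(1, text, MARK_DONE, vbTextCompare) > 0 Then
        Classify = "done"
    Else
        Classify = "unknown"
    End If
End Function

Dim deadline, unknownRuns, state
deadline = DateAdd("n", MAX_MINUTES, Now)
unknownRuns = 0

Do
    state = Classify(ReadState())
    WScript.Echo Now & " SGE encryption state: " & state
    If state = "done" Then WScript.Quit RC_ENCRYPTED
    If state = "unknown" Then unknownRuns = unknownRuns + 1 Else unknownRuns = 0
    If unknownRuns >= MAX_UNKNOWN Then WScript.Quit RC_UNKNOWN
    If Now >= deadline Then WScript.Quit RC_TIMEOUT
    WScript.Sleep POLL_SECONDS * 1000
Loop
```

Run from a ‘Run Command Line’ step with cscript.exe, a non-zero exit code fails that step unless it is set to continue on error, so later steps such as the domain join do not run on a machine whose encryption state could not be confirmed.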

Anyway, hope this helps someone out. More to come :)

One Response to “How To: Monitor Utimaco Safeguard Easy Encryption during OS deployment”

  1. Marc 24 February 2009 at 6:11 am #
    Hi Dan, nice scripting! We are going to test this in our company – we are not yet at the stage where we start with integrating SGE, but I’ll let you know our feedback as soon as we are there. Cheers, Marc
