Symptom
You’re deploying Windows (any version, client or server) using MDT. After formatting the disk and applying the WIM, patches and drivers, the machine reboots into Windows and continues installing. Another planned reboot occurs, but after entering Windows, nothing more happens! No MDT progress bar, no CPU activity… Nothing!
A quick look at the C: drive shows that the deployment stopped suddenly:
Reading the log file located in C:\MININT\SMSOSD\OSDLOGS\BDD.log shows that the last line is RUN: regsvr32.exe /s "C:\Users\ADMINI~1\AppData\Local\Temp\1\Tools\x64\Microsoft.BDD.Utility.dll" or SMS Task Sequencer already found on C:\MININT\Tools\X64, depending on your deployment method.
What the hell went wrong here? Presumably an attack by the syndicate against a weakly filtered token… or maybe a cumulative update…
Remediation
To quickly remediate your stuck deployment, open Regedit.exe and browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken.
If the value is set to 1, change it back to 0, then reboot!
Drum roll… Bang!!!! MDT is back on track!
MDT integration
To make sure MDT won’t stop anymore, we will add the registry key to our failing task sequence. I cannot recommend a particular place to inject it, as I have no idea what is responsible for this registry change.
But to be really safe, place your command just before the failing reboot.
Click on the Add button and pick Run Command Line in the General submenu.
The command to insert is : cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /d 0 /f
After doing this you should be safe running your task sequence without it stopping. Just sit back, relax and enjoy!
What happened behind the scene
Since Microsoft introduced UAC back in the Vista days, Windows accounts are all built around two tokens: the standard (non-admin) token and the elevated (admin) token. Even if you are an admin, UAC will prompt you when you need to do something that requires elevated privileges. Once you confirm the UAC prompt, Windows launches the requested task with the elevated token.
As you may know, MDT uses the Administrator account to deploy Windows. To avoid the UAC prompt, the registry key we used before is included in the Unattend.xml and applied during the first Windows boot.
In most cases this is enough, but from time to time something during the deployment changes the registry value back to 1, pulling the Administrator account back to its standard non-admin token! With a standard token, MDT is unable to register its own .dll and fails silently…
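The diagnostic below is an added example, not a script from the original post or from MDT. It ties the remediation steps and the token explanation together: it reports whether the token the script runs on is the elevated one (on a filtered token the Administrators group is present but deny-only, so the role check returns False, which is the condition under which regsvr32 fails silently), reads FilterAdministratorToken (the registry value behind the UAC policy "Admin Approval Mode for the Built-in Administrator account"), shows the tail of BDD.log so you can confirm the stall, and only sets the value back to 0 when you pass the hypothetical -Fix switch. The default log path is the one from the post; the -Fix switch and the parameter names are assumptions of this example. One caveat: if a Group Policy or security baseline enforces that UAC setting, policy refresh will set it back to 1, so the task-sequence step from the post remains necessary on every deployment.

```powershell
# Added example (not the post's code): diagnose and optionally fix the
# FilterAdministratorToken stall described in the post.
# Assumptions: BDD.log path from the post; -Fix switch is our own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BddLog = 'C:\MININT\SMSOSD\OSDLOGS\BDD.log',
    [switch]$Fix
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'FilterAdministratorToken'

# 1. Which token are we running on? With a filtered (standard) token the
#    Administrators SID is deny-only, so IsInRole returns False even for an admin.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as {0}; elevated token: {1}" -f $identity.Name, $isElevated)

# 2. Read the policy value. When it is absent, the built-in Administrator
#    keeps its full token (same effect as 0).
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set (built-in Administrator uses the full token)"
} else {
    Write-Host "$valueName = $current"
}

# 3. Show where MDT stopped: the last lines of BDD.log, if the file exists.
if (Test-Path -Path $BddLog) {
    Write-Host "Last BDD.log lines:"
    Get-Content -Path $BddLog -Tail 3 | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "BDD.log not found at $BddLog"
}

# 4. Remediate only when asked, and only when the value is actually 1.
#    Supports -WhatIf through ShouldProcess so you can preview the change.
if ($Fix -and $current -eq 1) {
    if ($PSCmdlet.ShouldProcess("$policyKey\$valueName", "Set to 0")) {
        Set-ItemProperty -Path $policyKey -Name $valueName -Value 0 -Type DWord
        Write-Host "$valueName reset to 0; reboot to let MDT continue."
    }
} elseif ($Fix) {
    Write-Host "Nothing to fix: $valueName is not 1."
}
```

Run it from an elevated PowerShell on the stuck machine as `.\Check-FilterToken.ps1` to inspect, and `.\Check-FilterToken.ps1 -Fix` (or `-Fix -WhatIf` to preview) to apply the same change the post makes in Regedit. Inside a task sequence the one-line reg add command from the post is still the simpler choice; this script is for understanding and confirming the failure.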