[gotenks98]

I posted this on neowin but got no answer. I thought I might try here since there are more people who know more about MDT on this site.

I am needing assistance with 2 things for newly deployed systems. One is for windows 7 and the other is for windows 8. For the first issue I wanted to know how can you update the trusted root certificates in a wim file? We recently had a change to our wifi network and the add trust cert is not there by default. So I want to ensure that it is from now on for all future installs.

My second issue is with windows 8 and MDT 2012. The files for our MDT share are located on a NAS server. In windows 8 there was something done to the security which prevents you from connecting to the NAS server unless I run this command from power shell. Set-SmbClientConfiguration -RequireSecuritySignature $true from powershell, Once I do that it can connect just fine. The problem is if I am doing a new deployment from scratch the install goes ok until first bootup. At that point unless I do that command the rest of the deployment can not proceed. So what I am requesting is a way to turn that security setting off in deployment or have a way that it will run at first bootup using the task sequence.

[allen2]

Certificate deployment should be done through GPO to ensure the deployment of the certificate and that it will be added back in case of removal. Of course this is only for an Active directory environment.

[gotenks98]

allen2, on 28 August 2012 - 12:59 PM, said:

Certificate deployment should be done through GPO to ensure the deployment of the certificate and that it will be added back in case of removal. Of course this is only for an Active directory environment.

Unfortunately these are standalone workstations that are not going to be on AD so using GPO is not an option. The issue is the certs is needed for the wifi only.

[allen2]

Then adding the certificate with a batch using certmgr.exe using runonce key might be your only solution.

[cluberti]

For your 1st question, certutil works and is designed for something like this assuming you have the certificate to install:
http://blogs.msdn.co...er-example.aspx

For the 2nd issue, it sounds like your NAS doesn't understand or isn't configured to accept secure SMB signing on SMB connections. You might want to see if your NAS actually supports this and see if it can be enabled. Otherwise, you need to set this in WinPE 4.x (or use WinPE 3.x and the WAIK in MDT instead to deploy Win8 - it's slower, but it doesn't have this enabled by default). Note that your Win8 installs are going to have a problem with the NAS too unless you run this there or set the RequireSecureNegotiate value to 0 in the LanmanWorkstation service parameters too, so fixing the NAS is probably the best first step, if it can be done.

[MrJinje]

This is how I import my self signed cert to trusted root.

certutil -addstore -f -enterprise -user root C:\pathto\mycert.cer

This post has been edited by MrJinje: 02 September 2012 - 04:26 AM