Back to basics #1 – Locking the computer during deployment

This is the first post in a series that will cover some of the more simple/basic tricks that you can do with MDT, but that are often overlooked.  I’ll be the first to admit that a couple of them I only learnt recently, even though I have been using BDD/MDT for years.

During the deployment of a computer, MDT will auto-logon Windows using the local Administrator account in order to run its task sequence; during this time, the computer is left logged on as administrator with the desktop unlocked for all to see.  Consequently, anyone who happens to walk past the computer during its deployment can use it with full administrative access.

The best way to protect your computer systems from any unwanted access is to simply lock the computer during the Windows phase of the deployment.  To do this, just add a “Run Command Line” action to your task sequence, and place the following command in the command line of this action:

rundll32 user32.dll,LockWorkStation



You can place the action at any point in the task sequence, as long as it is executed from within Windows rather than during any Windows PE stage.  It doesn’t matter if you have any reboot actions in the task sequence because, even though the workstation is locked, it will still reboot; just remember that you’ll need to execute the command again after reboot in order to lock the computer again.  Bear in mind though that you won’t be able to see the summary screen at the end of deployment so you won’t know when it has finished.


This post was contributed by Daniel Oxley a consultant with Microsoft Services Spain