Prepare for deployment with MDT

Applies to

  • Windows 10

This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.


The procedures in this guide use the following names and infrastructure.

Network and servers

For the purposes of this topic, we will use three server computers: DC01, MDT01, and HV01.

  • All servers are running Windows Server 2019.
    • You can use an earlier version of Windows Server with minor modifications to some procedures.
    • Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is requried to perform the procedures in this guide.
  • DC01 is a domain controller, DHCP server, and DNS server for, representing the fictitious Contoso Corporation.
  • MDT01 is a domain member server in with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
    • A second MDT server (MDT02) configured identically to MDT01 is optionally used to build a distributed environment for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
  • HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image.

Client computers

Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.

  • PC0001: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the domain.
    • Client name: PC0001
    • IP Address: DHCP
  • PC0002: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the domain. This computer is referenced during the migration scenarios.
    • Client name: PC0002
    • IP Address: DHCP
  • PC0003 - PC0007: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.

Storage requirements

MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive.

Hyper-V requirements

If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the Verify support and install Hyper-V section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.

Network requirements

All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the domain. Internet connectivity is also required to download OS and application updates.

Domain credentials

The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.

Active Directory domain name:
Domain administrator username: administrator
Domain administrator password: pass@word1

Organizational unit structure

The following OU structure is used in this guide. Instructions are provided below to help you create the required OUs.

figure 2

Install the Windows ADK

These steps assume that you have the MDT01 member server running and configured as a domain member server.

On MTD01:

Visit the Download and install the Windows ADK page and download the following items to the D:\Downloads\ADK folder on MDT01 (you will need to create this folder):


You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).

  1. On MDT01, ensure that you are signed in as an administrator in the CONTOSO domain.
    • For the purposes of this guide, we are using a Domain Admin account of administrator with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
  2. Start the ADK Setup (D:\Downloads\ADK\adksetup.exe), click Next twice to accept the default installation parameters, click Accept to accept the license agreement, and then on the Select the features you want to install page accept the default list of features by clicking Install. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
  3. Start the WinPE Setup (D:\Downloads\ADK\adkwinpesetup.exe), click Next twice to accept the default installation parameters, click Accept to accept the license agreement, and then on the Select the features you want to install page click Install. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
  4. Extract the WSIM 1903 update (D:\Downloads\ADK\ and then run the UpdateWSIM.bat file.
    • You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\WSIM and verifying that the Details tab displays a File version of 10.0.18362.144 or later.

Install and initialize Windows Deployment Services (WDS)

On MDT01:

  1. Open an elevated Windows PowerShell prompt and enter the following command:
Install-WindowsFeature -Name WDS -IncludeManagementTools
WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
WDSUTIL /Set-Server /AnswerClients:All

Optional: Install Windows Server Update Services (WSUS)

If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment.

To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:

Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS

To use the WSUS that you have installed on MDT01, you must also configure Group Policy on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.

Install MDT


MDT installation requires the following:

  • The Windows ADK for Windows 10 (installed in the previous procedure)
  • Windows PowerShell (version 5.1 is recommended; type $host to check)
  • Microsoft .NET Framework

On MDT01:

  1. Visit the MDT resource page and click Download MDT.
  2. Save the MicrosoftDeploymentToolkit_x64.msi file to the D:\Downloads\MDT folder on MDT01.
    • Note: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
  3. Install MDT (D:\Downloads\MDT\MicrosoftDeploymentToolkit_x64.exe) with the default settings.

Create the OU structure

Switch to DC01 and perform the following procedures on DC01:

To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell.

To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.

$oulist = Import-csv -Path c:\oulist.txt
ForEach($entry in $oulist){
    $ouname = $entry.ouname
    $oupath = $entry.oupath
    New-ADOrganizationalUnit -Name $ouname -Path $oupath
    Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"

Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt

Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"

Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts

This will create an OU structure as shown below.

OU structure

To use the Active Directory Users and Computers console (instead of PowerShell):

On DC01:

  1. Using the Active Directory Users and Computers console (dsa.msc), in the domain level, create a top-level OU named Contoso.
  2. In the Contoso OU, create the following OUs:
    1. Accounts
    2. Computers
    3. Groups
  3. In the Contoso / Accounts OU, create the following underlying OUs:
    1. Admins
    2. Service Accounts
    3. Users
  4. In the Contoso / Computers OU, create the following underlying OUs:
    1. Servers
    2. Workstations
  5. In the Contoso / Groups OU, create the following OU:
    1. Security Groups

The final result of either method is shown below. The MDT_BA account will be created next.

Create the MDT service account

When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

To create an MDT build account, open an elevalted Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":

New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the Contoso\Accounts\Service Accounts OU as shown in the screenshot above.

Create and share the logs folder

By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see Create a Windows 10 reference image.

On MDT01:

  1. Sign in as CONTOSO\administrator.

  2. Create and share the D:\Logs folder by running the following commands in an elevated Windows PowerShell prompt:

    New-Item -Path D:\Logs -ItemType directory
    New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
    icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)'

See the following example:

Logs folder

Use CMTrace to read log files (optional)

The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part of the Microsoft System 2012 R2 Center Configuration Manager Toolkit. You should also download this tool.
You can use Notepad (example below):

figure 8

Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:

figure 9

After installing the ConfigMgrTools.msi file, you can search for cmtrace and pin the tool to your taskbar for easy access.

Next steps

When you have completed all the steps in this section to prepare for deployment, see Create a Windows 10 reference image.


Sample files

The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell.

  • Gather.ps1. This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
  • Set-OUPermissions.ps1. This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
  • This sample web service shows you how to configure a computer name dynamically using MDT.