In some environments, security concerns are a primary driver, and thus the following questions come up: what can we do to secure the share, and what can we do to validate that the image has not been tampered with?
For the first question about securing the share, the following rights are needed to allow MDT to work properly:
\\path\deploymentshare$ rights:
  In Sharing, remove EVERYONE and add the user account specified specifically in your Bootstrap.ini and CustomSettings.ini file for READ access only
  NTFS rights would be the following:
    Creator Owner: Full control of subfolders and files only
    Administrators: Full control of this folder, subfolders and files
    System: Full control of this folder, subfolders, and files
    Users: Check the following check boxes:
      Read and Execute
      List Folder Contents
      Read
\\path\referenceshare$ rights:
  In Sharing, again remove EVERYONE and add your user account used in the capture process for READ and CHANGE rights
  NTFS no changes needed
For the second part, how do we validate the image integrity?
The simplest way is to use PowerShell to generate a file hash of your WIM file. Use the PowerShell cmdlet Get-FileHash. The following command is simple enough to add to your process:
Get-FileHash .\install.wim | format-list
You can then validate the returned value at deployment time or in audit processes, in whatever way your security requirements dictate.
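One way to turn the Get-FileHash step into a repeatable check is to record the hash when the image is captured and compare against it before each deployment. This is an added example, not code from the original text; the function names Save-WimBaseline and Test-WimIntegrity, the JSON manifest format and the temporary paths are assumptions, and a small constructed file stands in for install.wim.

```powershell
# Added example: record a baseline hash for a WIM, then verify it before deployment.
# Function names, manifest format and paths are hypothetical.

function Save-WimBaseline {
    param([Parameter(Mandatory)][string]$WimPath,
          [Parameter(Mandatory)][string]$ManifestPath)
    $h = Get-FileHash -LiteralPath $WimPath -Algorithm SHA256
    [pscustomobject]@{
        File      = Split-Path -Leaf $WimPath
        Algorithm = $h.Algorithm
        Hash      = $h.Hash
        Recorded  = (Get-Date).ToUniversalTime().ToString('o')
    } | ConvertTo-Json | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
}

function Test-WimIntegrity {
    param([Parameter(Mandatory)][string]$WimPath,
          [Parameter(Mandatory)][string]$ManifestPath)
    $expected = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    # Re-hash with the algorithm recorded in the manifest
    $actual = Get-FileHash -LiteralPath $WimPath -Algorithm $expected.Algorithm
    # Hash strings are hex, so compare case-insensitively
    return [string]::Equals($actual.Hash, $expected.Hash,
                            [StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample: a 64-byte file standing in for install.wim
$work = Join-Path ([IO.Path]::GetTempPath()) ("wimcheck-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$wim      = Join-Path $work 'install.wim'
$manifest = Join-Path $work 'install.wim.sha256.json'
[IO.File]::WriteAllBytes($wim, [byte[]](1..64))

Save-WimBaseline -WimPath $wim -ManifestPath $manifest
"Untouched image passes: $(Test-WimIntegrity -WimPath $wim -ManifestPath $manifest)"

# Simulate a modified image by appending data, then re-check
Add-Content -LiteralPath $wim -Value 'x'
if (-not (Test-WimIntegrity -WimPath $wim -ManifestPath $manifest)) {
    Write-Warning "Hash mismatch for $wim; do not deploy this image."
}

Remove-Item -LiteralPath $work -Recurse -Force
```

Keep the manifest somewhere the capture account cannot write; if it sits beside the WIM on a share with CHANGE rights, a modified image and a matching hash can be replaced together.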