WDS deployment with UEFI prevents domain join due to 'domain admins' having 'deny' permissions to the computer object 'change password' and 'reset password'

Anonymous
2025-02-10T09:56:53+00:00

When a WDS deployment is performed using unattend to automatically domain join a computer, and the device has booted via UEFI/PXE, the pre-staged computer object created by WDS has 'deny' permissions for 'Domain Admins' on 'change password' and 'reset password'. This prevents the unattend/deployment from completing the domain join of the newly deployed computer. The workaround is to remove those permissions on the pre-staged computer object after it is created, or to delete the AD object after deployment and manually join the computer. This issue is not apparent when using Legacy/PXE boot.

This issue has existed for some time, and although WDS is partially deprecated, customers are still using it to deploy Windows 10 and Windows 11. It seems logical that a bug fix would be simple enough for this (i.e. do not add the deny permission).

My question is, is there a fix in the pipeline, or is WDS development/bug fixing frozen?

Windows for business | Windows Server | Devices and deployment | Other


3 answers

  1. Anonymous
    2025-02-12T11:22:39+00:00

    Hello,

    Unfortunately, as of now, there doesn't seem to be a specific fix in the pipeline for this particular problem with WDS. WDS is indeed partially deprecated, especially for workflows that rely on boot.wim from installation media or running Windows Setup in WDS mode.

    Given this deprecation, active development and bug fixing for WDS are limited. Microsoft is encouraging users to transition to alternatives like Microsoft Configuration Manager, which offers a more flexible and feature-rich experience for deploying Windows images.

    Have a nice day.

    Best Regards,

    Hania

  2. Anonymous
    2025-02-26T05:02:59+00:00

    Very old, long-forgotten config bug.

    Try wdsutil /Set-Server /PendingDeviceSettings /Architecture:x64uefi /User:"Domain Admins" /JoinRights:Full

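The question describes the symptom (explicit Deny ACEs for Domain Admins on the 'Change Password' and 'Reset Password' extended rights of the pre-staged computer object) and the workaround of removing them by hand; the answer above prevents them from being written in the first place by granting full join rights to Domain Admins at the WDS server level. The following PowerShell is an added example, not code from the original thread or from Microsoft, that verifies a pre-staged object for exactly those ACEs and, when `$RemoveDenies` is switched on, strips them. It assumes the RSAT ActiveDirectory module is installed and that the computer name `WS-PXE01` is a placeholder for your own pre-staged object; the two extended-right GUIDs are the schema-defined values for 'Change Password' and 'Reset Password'.

```powershell
# Added example (not from the original thread): audit a WDS pre-staged
# computer object for the Deny ACEs described in the question and
# optionally remove them. Requires the RSAT ActiveDirectory module and an
# account that may modify the object's security descriptor.
Import-Module ActiveDirectory

$ComputerName = 'WS-PXE01'   # assumed name of the pre-staged object
$RemoveDenies = $false       # set to $true to actually strip the Deny ACEs

# Extended-right GUIDs from the AD schema for the two rights in question.
$PasswordRights = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}

# Domain Admins is always <domain SID>-512; compare on SID rather than on a
# display name so a renamed group is still matched.
$domainSid    = (Get-ADDomain).DomainSID.Value
$domainAdmins = New-Object System.Security.Principal.SecurityIdentifier ("$domainSid-512")

$computer = Get-ADComputer -Identity $ComputerName
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $aclPath

# Explicit (non-inherited) Deny ACEs for Domain Admins on either extended right.
$badAces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    -not $_.IsInherited -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $PasswordRights.ContainsKey($_.ObjectType.ToString()) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $domainAdmins.Value
})

if ($badAces.Count -eq 0) {
    "No Deny ACEs for Domain Admins on Change/Reset Password found on $($computer.DistinguishedName)."
}
else {
    foreach ($ace in $badAces) {
        "Deny '{0}' for {1} on {2}" -f $PasswordRights[$ace.ObjectType.ToString()],
                                      $ace.IdentityReference,
                                      $computer.DistinguishedName
        if ($RemoveDenies) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    if ($RemoveDenies) {
        Set-Acl -Path $aclPath -AclObject $acl
        "Removed $($badAces.Count) Deny ACE(s); re-run the script to confirm the object is clean."
    }
    else {
        "Set `$RemoveDenies = `$true to remove these ACEs, or fix the WDS server-side join rights so they are not written."
    }
}
```

Run it first with `$RemoveDenies = $false` to confirm the object actually carries the two explicit Deny entries before touching its security descriptor, and only remove ACEs on objects WDS created for this purpose; Deny entries on other computer objects may be deliberate. The script does not change the WDS server configuration, so if the pending-device join rights are left as they were, the next pre-staged object will come back with the same ACEs.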
  3. Anonymous
    2025-02-26T08:38:59+00:00

    Thanks Dmitry,

    In the end I used the DnsUpdateProxy group, made the server a member and applied the create/write permissions in AD to the group to create the workstation object. This seems to work.

    At some point in the future I'll probably take a look at FOG to replace WDS.

    Rob
