With a default installation of Microsoft Deployment Toolkit (MDT) the Deployment Share is not secure. All users are allowed to read / write which makes it vulnerable to unauthorized access and possibly exposes access to (installation) passwords.
The default permissions on a folder are:
- Administrators – Full Control
- CREATOR OWNER – Full Control
- SYSTEM – Full Control
- Users – Read & Execute + Create file / write data + Create Folders / append data
Active Directory Groups
It is recommended to change the ACL of the Deployment Share to limit access for a selection of users. The easiest way to achieve this is to create Active Director groups. Access to the MDT Deployment Share is then maintained via Active Directory, which is managed centrally, instead of each object individually.
For example the following groups can be used:
| Group name | Description |
| MDT01_DeploymentShare_Administrators | Members of this group are MDT administrators on the server “MDT01”,. |
| MDT01_DeploymentShare_Deploy | Members of this group are allowed to execute task sequences to deploy machines (either unattended or image deployments) |
| MDT01_DeploymentShare_ImageCapture | Members of this group are allowed to capture images |
Permissions
Permissions on the Deployment Share can be granted to Active Directory groups, below you will find an example based on the example groups.
I’m assuming the Deployment Share is stored in the root of drive D:.
Block inheritance
First start with disabling inheritance to avoid permissions from parent objects to propagate to the Deployment Share folders. 
The screenshot if of a Windows Server 2012 machine, but the same applies to other Windows operating systems.
D:\DeploymentShare
| Group or user name | Permission | Inherited from |
| Administrators | Full control | None |
| SYSTEM | Full control | None |
| MDT01_DeploymentShare_Administrators | Full control | None |
| MDT01_DeploymentShare_Deploy | Read & execute | None |
| MDT01_DeploymentShare_ImageCapture | Read & execute | None |
D:\DeploymentShare\Capture
| Group or user name | Permission | Inherited from |
| Administrators | Full control | D:\DeploymentShare |
| SYSTEM | Full control | D:\DeploymentShare |
| MDT01_DeploymentShare_Administrators | Full control | D:\DeploymentShare |
| MDT01_DeploymentShare_Deploy | Read & execute | D:\DeploymentShare |
| MDT01_DeploymentShare_ImageCapture | Modify | None |
| MDT01_DeploymentShare_ImageCapture | Read & execute | D:\DeploymentShare |
The ImageCapture group needs sufficient privileges to create a new image capture.
D:\DeploymentShare\Logs
| Group or user name | Permission | Inherited from |
| Administrators | Full control | D:\DeploymentShare |
| SYSTEM | Full control | D:\DeploymentShare |
| MDT01_DeploymentShare_Administrators | Full control | D:\DeploymentShare |
| MDT01_DeploymentShare_Deploy | Read & execute | D:\DeploymentShare |
| MDT01_DeploymentShare_Deploy | Modify | None |
| MDT01_DeploymentShare_ImageCapture | Read & execute | D:\DeploymentShare |
| MDT01_DeploymentShare_ImageCapture | Modify | None |
Both the Deploy and ImageCapture groups require write access to the log files. Without write access the deployment will fail.
Disclaimer
I’m pretty sure the permissions can be more tight then the example I provided in this article. However, it is more secure then a default installation without any modification. Feel free to provide me with detailed privileges and I’m more then happy to update the article.
.
Nederlands 
English
Thanks a million!! This caught us unexpectedly and was exactly what I was looking for. This way if a machine somehow boots unexpectedly into PXE, an “ordinary” user can’t reimage their machine!
Is your D:\deploymentshare\capture example correct? Shouldn’t the imagecapture group have the modify rights rather than the deploy group?
Good article though, looking at deploying MDT and being able to secure it is a pre-req
Yup I think you’re right! I updated the article 🙂
this creates an unsupported configuration. so don’t follow the steps in this blog post as the author has simply guessed.
Well built critisism “D” You’re a great help…
Enough of the sarcasm…
I like to clear the “Users” and “creator Owner” from the root. Should anybody mess with the inherritance you’ll be a little safer.