When performing Lite-Touch Deployments MDT will need to connect to shares for various purposes. For example, to access a deployment share, backup share or a user state migration share. Naturally, this process will require credentials. The account can be either a domain or local account. Below is an example on how to automate this:
UserDomain=scriptimus.local UserID=ScriptimusPrime UserPassword=V3ry_H4rd_p4$$w0rd
To start your Lite-Touch deployments automatically, enter the credentials in the bootstrap.ini file. This will automate the initial deployment share login.
To automate login to the backup share or user state migration shares during deployments, enter the credentials in the customsetting.ini file.
In a workgroup environment you would use a local account, like in this example:
In this workgroup scenario UserDomain can be omitted.
Remember, if you use the bootstrap.ini setting these credentials are stored in clear text format of every LiteTouchPE_x86.wim. Also, if you use the customsettings.ini settings, the credentials are visible in the deployment share, so just be aware of the security risk. I would try to work around the principle of least privilege.
For a successful deployment the service account will only need to access the user shares and in some cases to join machines to the domain. The account can be restricted in AD to only log on to the specific deployment server.