
Deploying without MDT or SCCM\MECM....

The best methods for deploying Windows are SCCM (now MECM) and then MDT, hands down.


However, what if you don't have either deployment service? No, seriously. Despite the step-by-step guides and the script to deploy MDT in 45 minutes (here), some still choose to manually deploy or clone Windows; maybe they haven't progressed past RIS either.


The question is: can Windows 10 and a host of applications, including Office, be deployed unattended without the proper tooling?


The following isn't pretty; there are issues that MDT and SCCM just make disappear, and I'm not happy with issues, period. It's a faff, takes way more time and prep, is less functional, and is only a benefit if there are more than a couple of Windows clients to deploy. There may be some limited scenarios where it should be done; my suggestion is to use the deployment services designed for deploying Windows.


#Pre-requisites

16GB USB 3 stick as a minimum, preferably 32GB

Windows 10 media

MS Office 2019

Chrome, MS Edge, Visual C++, Notepad++

Windows ADK


#Windows Media

Download the Windows 10 ISO and double-click it to mount it; in this example it mounts as D:\.


Create a directory on C:\ named for the version of Windows, e.g. C:\Windows21H2\. Don't copy the contents of D:\ straight to the USB stick: install.wim is larger than 4GB, which is the maximum file size FAT32 supports, so the copy will fail.


Copy the files from D:\ (Windows ISO) to C:\Windows21H2\


Split install.wim into chunks of under 4GB (2000MB here) so they fit on FAT32. Windows Setup picks up the resulting install.swm, install2.swm, ... set automatically. Run the following from an elevated prompt:


Dism /Split-Image /ImageFile:C:\Windows21H2\sources\install.wim /SWMFile:C:\Windows21H2\sources\install.swm /FileSize:2000


Delete C:\Windows21H2\sources\install.wim so only the .swm set goes onto the stick.


Insert the USB stick and format it as FAT32 (the built-in Windows tools will only create FAT32 volumes up to 32GB); in this case it is assigned E:\.


Copy the entire contents from C:\Windows21H2\ to E:\.
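The media preparation steps above as one script, added here as an example and not part of the original post. It runs from an elevated PowerShell; the ISO path, working directory and USB drive letter are parameters (assumptions), and the USB volume you name is wiped.

```powershell
# Added example (not from the page): mount the ISO, copy it locally, split the WIM
# for FAT32, verify nothing is over the 4GB limit, then format and fill the stick.
# Run from an elevated PowerShell. The USB letter passed in is FORMATTED.
param(
    [Parameter(Mandatory)][string]$Iso,            # e.g. C:\Downloads\Win10_21H2.iso (assumption)
    [string]$Work = 'C:\Windows21H2',
    [Parameter(Mandatory)][string]$UsbLetter       # e.g. 'E'
)
$ErrorActionPreference = 'Stop'
$Fat32MaxFile = 4GB - 1                            # largest single file FAT32 can hold

# 1. Mount the ISO and discover its drive letter rather than assuming D:\.
$isoPath = (Resolve-Path -LiteralPath $Iso).Path
Mount-DiskImage -ImagePath $isoPath | Out-Null
$isoLetter = (Get-DiskImage -ImagePath $isoPath | Get-Volume).DriveLetter
if (-not $isoLetter) { throw "ISO mounted but no drive letter was assigned" }

# 2. Copy the media to the working directory (local NTFS copes with the >4GB
#    install.wim) and split the image for FAT32.
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Copy-Item -Path "${isoLetter}:\*" -Destination $Work -Recurse -Force
Dismount-DiskImage -ImagePath $isoPath | Out-Null

$wim = Join-Path $Work 'sources\install.wim'
$swm = Join-Path $Work 'sources\install.swm'
& dism.exe /Split-Image "/ImageFile:$wim" "/SWMFile:$swm" /FileSize:2000
if ($LASTEXITCODE -ne 0) { throw "DISM /Split-Image failed with exit code $LASTEXITCODE" }
Remove-Item -LiteralPath $wim -Force              # files copied off an ISO are read-only

# 3. The check that would have failed the naive copy: nothing may exceed FAT32's limit.
$tooBig = Get-ChildItem -Path $Work -Recurse -File | Where-Object { $_.Length -gt $Fat32MaxFile }
if ($tooBig) { throw "Still too large for FAT32: $($tooBig.FullName -join ', ')" }

# 4. Format the stick as FAT32 (Windows only creates FAT32 volumes up to 32GB) and
#    copy everything across. AutoUnattend.xml and the Software tree are added later.
Format-Volume -DriveLetter $UsbLetter -FileSystem FAT32 -NewFileSystemLabel 'WIN10' -Confirm:$false | Out-Null
Copy-Item -Path "$Work\*" -Destination "${UsbLetter}:\" -Recurse -Force
Get-ChildItem "${UsbLetter}:\sources\install*.swm" | Select-Object Name, @{ n = 'MB'; e = { [int]($_.Length / 1MB) } }
```

The explicit size check in step 3 is the point: a FAT32 copy of an oversized file fails part-way through, so it is better to catch it before formatting the stick.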


#Applications

Create directory E:\Software, this is the root for all downloaded software to be saved to.


Create the following sub-directories under E:\Software and download the software to the relevant sub-directory. Each entry below is the sub-directory name followed by the line the script runs; the 'cmd.exe /c' wrapper makes PowerShell wait for GUI installers to exit before moving on to the next one, which a bare '&' would not.


7Zip

& cmd.exe /c 7z2107-x64.exe /S


Chrome

& cmd.exe /c msiexec.exe /i GoogleChromeStandaloneEnterprise64.msi /norestart /quiet


Drivers

& cmd /c pnputil.exe /add-driver Path/*.inf /subdirs /install


MS-VS-CPlus

& cmd.exe /c vcredist_x86_2013.exe /S


MS-Win10-CU

& cmd /c wusa.exe windows10.0-kb5011487-x64.msu /quiet /norestart


MS-Win10-SSU

& cmd /c wusa.exe ssu-19041.1161-x64.msu /quiet


MS-Edge

& cmd.exe /c msiexec.exe /i MicrosoftEdgeEnterpriseX64.msi /norestart /quiet


MS-Office2019

& cmd.exe /c MS-Office2019\Office\Setup64.exe


NotepadPlus

& cmd.exe /c npp.8.3.3.Installer.x64.exe /S


TortoiseSVN

& cmd.exe /c msiexec.exe /i TortoiseSVN-1.14.2.29370-x64-svn-1.14.1.msi /qn /norestart


WinSCP

& cmd.exe /c WinSCP-5.19.6-Setup.exe /VERYSILENT /NORESTART /ALLUSERS


I've provided the unattended commands with file extensions; it's important the correct file type is downloaded for the script to work correctly.


Place any driver files in the 'Drivers' directory, unpacked so the *.inf files (with their .sys and .cat files alongside) are present; the /subdirs switch lets pnputil find them in nested folders. Note that the SSU must be installed before the CU when applying the updates with wusa.
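The installer lines above driven from one table, added here as an example; it is not the page's InstallScript.ps1. It assumes the Software tree has already been copied to C:\Software (as the script overview later describes) and uses Start-Process -Wait for the job the 'cmd.exe /c' wrapper does, blocking until each installer exits, while also checking the exit code instead of firing and forgetting.

```powershell
# Added example (not the page's script): run the silent installers in order, wait
# for each, and classify the exit code. $Root is an assumption (tree copied to C:\).
$Root = 'C:\Software'

# Order matters: SSU before CU, and the VC++ runtime before anything that needs it.
$Installers = @(
    @{ Name = '7-Zip';       File = '7Zip\7z2107-x64.exe';                                     Arguments = '/S' }
    @{ Name = 'VC++ 2013';   File = 'MS-VS-CPlus\vcredist_x86_2013.exe';                       Arguments = '/S' }
    @{ Name = 'Chrome';      File = 'Chrome\GoogleChromeStandaloneEnterprise64.msi';           Arguments = '/norestart /quiet' }
    @{ Name = 'Edge';        File = 'MS-Edge\MicrosoftEdgeEnterpriseX64.msi';                  Arguments = '/norestart /quiet' }
    @{ Name = 'Notepad++';   File = 'NotepadPlus\npp.8.3.3.Installer.x64.exe';                 Arguments = '/S' }
    @{ Name = 'TortoiseSVN'; File = 'TortoiseSVN\TortoiseSVN-1.14.2.29370-x64-svn-1.14.1.msi'; Arguments = '/qn /norestart' }
    @{ Name = 'WinSCP';      File = 'WinSCP\WinSCP-5.19.6-Setup.exe';                          Arguments = '/VERYSILENT /NORESTART /ALLUSERS' }
    @{ Name = 'Win10 SSU';   File = 'MS-Win10-SSU\ssu-19041.1161-x64.msu';                     Arguments = '/quiet /norestart' }
    @{ Name = 'Win10 CU';    File = 'MS-Win10-CU\windows10.0-kb5011487-x64.msu';               Arguments = '/quiet /norestart' }
)

function Get-InstallStatus {
    # Non-zero codes that still mean the install is fine.
    param([int]$Code)
    switch ($Code) {
        0                      { 'installed' }
        3010                   { 'installed, reboot required' }    # ERROR_SUCCESS_REBOOT_REQUIRED
        1641                   { 'installed, reboot initiated' }   # ERROR_SUCCESS_REBOOT_INITIATED
        2359302                { 'already installed' }             # WU_S_ALREADY_INSTALLED (0x240006)
        { $_ -eq -2145124329 } { 'not applicable to this build' }  # WU_E_NOT_APPLICABLE (0x80240017)
        default                { "FAILED ($Code / 0x$('{0:X8}' -f $Code))" }
    }
}

function Invoke-Installer {
    param([string]$Name, [string]$File, [string]$Arguments)
    $path = Join-Path $Root $File
    if (-not (Test-Path -LiteralPath $path)) { throw "${Name}: not found at $path (check the file name and extension)" }
    # Pick the host executable from the extension: MSI -> msiexec, MSU -> wusa, else run it directly.
    switch ([IO.Path]::GetExtension($path).ToLowerInvariant()) {
        '.msi'  { $exe = 'msiexec.exe'; $argLine = "/i `"$path`" $Arguments" }
        '.msu'  { $exe = 'wusa.exe';    $argLine = "`"$path`" $Arguments" }
        default { $exe = $path;         $argLine = $Arguments }
    }
    $proc = if ($argLine) { Start-Process -FilePath $exe -ArgumentList $argLine -Wait -PassThru }
            else          { Start-Process -FilePath $exe -Wait -PassThru }
    [pscustomobject]@{
        Name     = $Name
        ExitCode = $proc.ExitCode
        Status   = Get-InstallStatus $proc.ExitCode
        Reboot   = $proc.ExitCode -in 3010, 1641
    }
}

# Drivers first (unpacked .inf files under Software\Drivers), then the applications.
& pnputil.exe /add-driver "$Root\Drivers\*.inf" /subdirs /install
if ($LASTEXITCODE -notin 0, 3010) { Write-Warning "pnputil exit code $LASTEXITCODE" }

$results = foreach ($i in $Installers) { Invoke-Installer @i }
$results | Format-Table -AutoSize
$failed = $results | Where-Object { $_.Status -like 'FAILED*' }
if ($failed) { throw "Installs failed: $($failed.Name -join ', ')" }
if ($results.Reboot -contains $true) { Write-Host 'At least one installer wants a reboot before continuing.' }
```

Treating 3010 and 1641 as success but flagging the reboot is what keeps the CU from being reported as a failure; treating anything else as a hard stop is what keeps a half-built machine from being joined to the domain.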


#AutoUnattend

Download ADK for Windows (here).


Install only the 'Deployment Tools'.


From the Start Menu, open 'Windows System Image Manager', create a 'New Answer File' and save it to the root of E:\ (the USB) as 'AutoUnattend.xml'. Windows Setup looks for an AutoUnattend.xml in the root of removable media automatically.


I cheated at this point; I didn't fancy creating the AutoUnattend.xml from scratch, so I "borrowed" a pre-configured unattend.xml from MDT. To save you the pain, download the 'AutoUnattend.xml' from GitHub (here).


Save to the Root of E:\ (USB).


Within the AutoUnattend.xml, the following first-logon command line executes 'InstallScript.ps1' at first logon. Note that it hardcodes the USB as D:\ at that point.


<CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file D:\software\InstallScript.ps1</CommandLine>


Note that the PartitionID is '3' and the InstallFrom path is changed from 'install.wim' to 'install.swm' (the first file of the split set). Partition 3 is the Windows partition in Microsoft's standard UEFI layout (EFI system, MSR, Windows); check that the layout Setup creates for you matches (Shift+F10, then diskpart 'list partition') before relying on it.


<OSImage>
    <WillShowUI>OnError</WillShowUI>
    <InstallTo>
        <DiskID>0</DiskID>
        <PartitionID>3</PartitionID>
    </InstallTo>
    <InstallFrom>
        <Path>install.swm</Path>


The supplied answer file defaults to Windows 10 Education. To select a different edition, list the images in the WIM with the following command, run with admin rights (D:\ is the mounted ISO here, which still holds the unsplit install.wim):


dism /Get-WimInfo /WimFile:"d:\sources\install.wim"


Index : 1

Name : Windows 10 Education

Description : Windows 10 Education


Index : 2

Name : Windows 10 Education N

Description : Windows 10 Education N


Index : 3

Name : Windows 10 Enterprise

Description : Windows 10 Enterprise


Index : 4

Name : Windows 10 Enterprise N

Description : Windows 10 Enterprise N


Index : 5

Name : Windows 10 Pro

Description : Windows 10 Pro


Edit AutoUnattend.xml and set the MetaData Value (Key /IMAGE/INDEX) under OSImage/InstallFrom to the desired index value.
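The same edition selection done by script, added here as an example rather than taken from the page: it parses the dism listing and writes the chosen index into the answer file. It assumes the answer file uses the standard Microsoft-Windows-Setup layout, with the index at OSImage/InstallFrom/MetaData under Key /IMAGE/INDEX (MDT's unattend.xml does; check yours), and that D:\ is the mounted ISO and E:\ the USB as in the text above.

```powershell
# Added example (not from the page): pick an edition by name and write its index
# into AutoUnattend.xml. Paths and the edition name are assumptions/parameters.
param(
    [string]$Wim     = 'D:\sources\install.wim',
    [string]$Answer  = 'E:\AutoUnattend.xml',
    [string]$Edition = 'Windows 10 Enterprise'
)
$ErrorActionPreference = 'Stop'
$ns = @{ u = 'urn:schemas-microsoft-com:unattend' }   # namespace used by every unattend file

function Get-WimIndexes {
    # Pair up the "Index : N" / "Name : X" lines dism prints (English labels; run elevated).
    param([string]$Path)
    $lines = & dism.exe /Get-WimInfo "/WimFile:$Path"
    if ($LASTEXITCODE -ne 0) { throw "dism failed with exit code $LASTEXITCODE" }
    $index = $null
    foreach ($line in $lines) {
        if ($line -match '^Index\s*:\s*(\d+)\s*$') { $index = [int]$matches[1] }
        elseif ($index -and $line -match '^Name\s*:\s*(.+?)\s*$') {
            [pscustomobject]@{ Index = $index; Name = $matches[1] }
            $index = $null
        }
    }
}

function Set-UnattendImageIndex {
    param([string]$AnswerFile, [int]$Index)
    $file = (Resolve-Path -LiteralPath $AnswerFile).Path
    [xml]$xml = Get-Content -LiteralPath $file -Raw
    $hit = Select-Xml -Xml $xml -Namespace $ns `
        -XPath "//u:OSImage/u:InstallFrom/u:MetaData[u:Key='/IMAGE/INDEX']/u:Value"
    if (-not $hit) { throw "No /IMAGE/INDEX MetaData under OSImage/InstallFrom in $file" }
    $hit.Node.InnerText = "$Index"
    $xml.Save($file)
}

$images = Get-WimIndexes -Path $Wim
$images | Format-Table -AutoSize
$pick = $images | Where-Object { $_.Name -eq $Edition } | Select-Object -First 1
if (-not $pick) { throw "Edition '$Edition' is not in $Wim; choose one of: $($images.Name -join ', ')" }
Set-UnattendImageIndex -AnswerFile $Answer -Index $pick.Index
"AutoUnattend.xml will now install index $($pick.Index) ($($pick.Name))"

# While the file is to hand, show where the first-logon command points: it hardcodes
# the USB drive letter (D:\ on the page), which is worth eyeballing before a build.
[xml]$check = Get-Content -LiteralPath $Answer -Raw
Select-Xml -Xml $check -Namespace $ns -XPath '//u:FirstLogonCommands//u:CommandLine' |
    ForEach-Object { "First logon command: $($_.Node.InnerText)" }
```

Matching on the edition name rather than typing an index avoids the classic slip of installing Education N because the index was copied from a different media build.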


#The Script

Download 'InstallScript.ps1' from (here) and save to E:\Software.


#A Brief Script Overview

The first action is to copy the Software directory to C:\ so it can be referenced between reboots, since the USB's drive letter isn't guaranteed to stay the same.


The script adds the registry settings to Autologon as 'FauxAdmin' with a password of 'Password1234'; registry-based autologon keeps that password in plaintext (the DefaultPassword value) until it is removed. I strongly suggest changing the hardcoded password to something more secure.


Warning: during the installation of Windows, Setup prompts for a new account; make sure it matches the name and password hardcoded in InstallScript.ps1 ('FauxAdmin', 'Password1234'), otherwise the autologon won't work.


A Scheduled Task is added that executes the script at logon as 'FauxAdmin'; this is how the script resumes after each reboot.


The default hostname is the randomly generated DESKTOP-XXXXXXX; you'll be prompted to enter a new one.


Pre-create a computer object in AD with the planned hostname of the client being deployed. Domain credentials with delegated permission to join computers in that OU are required; use a dedicated join account rather than a Domain Admin, since the credentials are typed on a half-built machine.


Update InstallScript.ps1 with the correct domain FQDN and OU path:

$DomainN = "trg.loc"

$ouPath = "OU=wks,OU=org,DC=trg,DC=loc"


The Windows 10 CU and the applications then install, with several reboots along the way.


A final tidy-up removes the AutoLogon registry values and the Scheduled Task, followed by a final reboot.


To prevent a step being re-run after a reboot, 'check.txt' is updated at the end of each step; on the next run, a step whose check evaluates to $true is skipped.
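The overview above as a resumable script, added here as an example; it is not the InstallScript.ps1 the page links to. Each step's name is appended to check.txt when it finishes, so after every reboot the scheduled task re-runs the script and the loop skips straight to the first unfinished step. It assumes the Software tree ends up at C:\Software, the local account is FauxAdmin, and that the application installs from the Applications section would slot in as one more step in the same table.

```powershell
# Added example (not the page's script): autologon + scheduled task to survive
# reboots, check.txt markers to resume, rename, updates, domain join, tidy-up.
# Paths, account name and domain values are assumptions matching the text.
$Root     = 'C:\Software'
$Marker   = Join-Path $Root 'check.txt'
$User     = 'FauxAdmin'
$Password = 'Password1234'          # as on the page; change it, and it is reset in the last step
$DomainN  = 'trg.loc'
$ouPath   = 'OU=wks,OU=org,DC=trg,DC=loc'
$TaskName = 'InstallScript'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$script:RebootNeeded = $false

# First run is from the USB (D:\software per the answer file): copy the tree to C:\
# so it survives reboots and the drive letter no longer matters.
if (-not (Test-Path -LiteralPath $Root)) { Copy-Item -LiteralPath $PSScriptRoot -Destination $Root -Recurse }

function Test-StepDone { param([string]$Step) (Test-Path -LiteralPath $Marker) -and ((Get-Content -LiteralPath $Marker) -contains $Step) }
function Set-StepDone  { param([string]$Step) Add-Content -LiteralPath $Marker -Value $Step }

function Enable-AutoLogon {
    # Registry autologon stores the password in PLAINTEXT (DefaultPassword):
    # acceptable only for the life of the build, and removed in the Tidy step.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'
    Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $User
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $env:COMPUTERNAME
    Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $Password
}
function Disable-AutoLogon {
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
}
function Register-ResumeTask {
    # Re-launch this script from C:\ whenever FauxAdmin logs on (i.e. after each autologon).
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-ExecutionPolicy Bypass -File `"$Root\InstallScript.ps1`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User $User
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -User $User -RunLevel Highest -Force | Out-Null
}
function Install-Msu {
    param([string]$File)
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$File`" /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -eq 3010) { $script:RebootNeeded = $true }
    elseif ($p.ExitCode -notin 0, 2359302) { throw "wusa $File exit code $($p.ExitCode)" }   # 2359302 = already installed
}

$Steps = [ordered]@{
    Bootstrap = { Enable-AutoLogon; Register-ResumeTask }
    Rename    = {
        $new = Read-Host "Hostname (Enter keeps $env:COMPUTERNAME)"
        if ($new -and $new -ne $env:COMPUTERNAME) { Rename-Computer -NewName $new -Force; $script:RebootNeeded = $true }
    }
    Drivers   = {
        & pnputil.exe /add-driver "$Root\Drivers\*.inf" /subdirs /install | Out-Null
        if ($LASTEXITCODE -eq 3010) { $script:RebootNeeded = $true }
    }
    Updates   = {
        Install-Msu "$Root\MS-Win10-SSU\ssu-19041.1161-x64.msu"       # SSU first, always
        Install-Msu "$Root\MS-Win10-CU\windows10.0-kb5011487-x64.msu"
    }
    Domain    = {
        # The computer object is pre-created in $ouPath, so a delegated join account is enough.
        $cred = Get-Credential -Message "Account allowed to join $DomainN"
        Add-Computer -DomainName $DomainN -OUPath $ouPath -Credential $cred -Force
        $script:RebootNeeded = $true
    }
    Tidy      = {
        Disable-AutoLogon
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        Set-LocalUser -Name $User -Password (Read-Host "New password for $User" -AsSecureString)
        $script:RebootNeeded = $true
    }
}

foreach ($name in $Steps.Keys) {
    if (Test-StepDone $name) { continue }       # the check.txt skip
    Write-Host "== $name"
    & $Steps[$name]
    Set-StepDone $name
    if ($script:RebootNeeded) { Restart-Computer -Force; exit }
}
```

Two design points worth copying even if you keep the page's script: the marker is written only after a step completes, so a step that throws is retried rather than skipped on the next logon, and the Tidy step both strips the plaintext DefaultPassword value and forces a new FauxAdmin password before the last reboot, so the hardcoded credential dies with the build.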


#Deployment

Boot the PC and enter the BIOS/UEFI setup.


Set the UEFI boot order so USB boots first (or use the one-time boot menu), then save and exit (F10 on many firmwares).


Insert the USB stick and boot.


Setup starts and prompts for disk partitioning: delete the existing volumes and create new default partitions. Confirm the Windows partition ends up as partition 3 on disk 0, to match the PartitionID in the answer file.


Click through the OOBE (Cortana) prompts.


Create an account 'FauxAdmin' with the password 'Password1234'; these account details are hardcoded in the script.


At the initial logon, the PowerShell script launches.


The process is complete when the client has been joined to the domain and rebooted.


Warning: now reset the FauxAdmin account's password. It's hardcoded in the script (and sitting on the USB stick), so anyone with a copy could log on if it isn't changed. Also confirm the tidy-up removed the plaintext DefaultPassword value from the Winlogon registry key, and consider disabling or removing FauxAdmin once a domain admin account is usable on the machine.


#Notes:

The unattended disk partitioning proved unreliable and required manual intervention some of the time, so this step is now manual.


It is assumed that the USB will be mapped to D:\ during deployment; this is hardcoded for the Scheduled Task and in the AutoUnattend.xml command line. On a machine with a second disk or a card reader the letter can differ and the script won't launch; resolving the stick by its volume label instead is more robust.


Hiding Cortana in the answer file also removed the prompt to create a new admin account. Creating a separate local admin account and leaving the built-in Administrator (RID 500) disabled is considered a security benefit, so the prompt is kept.
