Search

Deploying without MDT or SCCM\MECM....

Updated: Jun 30

The best methods for deploying Windows are SCCM and then MDT, hands down.


However what if you don't have either deployment service..... no seriously...... Despite the step-by-step guides and the script to deploy MDT in 45 minutes (here) some still chose to manually deploy or clone Windows, maybe they haven't progressed past RIS either.....


Question is, can Windows 10 and a host of applications including Office be automated without fancy tooling?


The following isn't pretty, there are issues that MDT and SCCM just make disappear, I'm not happy with issues...period. It's a faff and takes way more time prep, is less functional and is only a benefit if there are more than a couple of Windows clients to deploy. Should it ever be done, there may be some limited scenarios, my suggestion, use the correct deployment services designed for deploying Windows.


#Pre-requisites

16Gb USB3 as a minimum, preferably 32Gb

Windows 10 media

MS Office 2019

Chrome, MS Edge, Visual C++, Notepad++

Windows ADK


#Windows Media

Download Windows 10 ISO and double click to mount as D:\


Create a directory at C:\ named "Version of Windows" eg C:\Windows21H2\. Don't copy the contents of D:\ directly to the USB due to install.wim being larger than the permitted supported file size for Fat32, greater than 4Gb.


Copy the files from D:\ (Windows ISO) to C:\Windows21H2\


Split install.wim into 2Gbs files to support Fat32.


Dism /Split-Image /ImageFile:C:\Window21H2\sources\install.wim /SWMFile:C:\Window21H2\sources\install.swm /FileSize:2000


Delete C:\Window21H2\sources\install.wim.


Insert USB pen and format as Fat32, in this case, it will be assigned as E:\


Copy the entire contents from C:\Windows21H2\ to E:\.


#Applications

Create directory E:\Software, this is the root for all downloaded software to be saved to.


Create the following sub-directories under E:\Software, and download the software to the relevant sub-directory.


7Zip

& cmd.exe /c 7z2107-x64.exe /S


Chrome

& cmd.exe /c msiexec.exe /i GoogleChromeStandaloneEnterprise64.msi /norestart

/quiet


Drivers

& cmd /c pnputil.exe /add-driver Path/*.inf /subdirs /install


MS-VS-CPlus

& cmd.exe /c vcredist_x86_2013.exe /S


MS-Win10-CU

& cmd /c wusa.exe windows10.0-kb5011487-x64.msu /quiet /norestart


MS-Win10-SSU

& cmd /c wusa.exe ssu-19041.1161-x64.msu /quiet


MS-Edge

& cmd.exe /c msiexec.exe /i MicrosoftEdgeEnterpriseX64.msi /norestart /quiet


MS-Office2019

& cmd.exe /c MS-Office2019\Office\Setup64.exe


NotepadPlus

& cmd.exe /c npp.8.3.3.Installer.x64.exe /S


TortoiseSVN

& cmd.exe /c msiexec.exe /i TortoiseSVN-1.14.2.29370-x64-svn-1.14.1.msi /qn

/norestart


WinSCP

& cmd.exe /c WinSCP-5.19.6-Setup.exe /VERYSILENT /NORESTART /ALLUSERS


I've provided the unattended commands with an extension, its important the correct file type is downloaded for the script to work correctly.


Place any driver files in the 'Drivers' directory unpacked as *.inf files.


#AutoUnatteneded

Download ADK for Windows (here).


Install only the 'Deployment Tools'.


From the Start Menu open 'Windows System Image Manager' and create a 'New Answer File' and save it to the root of the E:\ (USB), name the file 'AutoUnattend.xml'.


I cheated at this point, didn't fancy creating the AutoUnattend.xml from scratch, so I "borrowed" a pre-configured unattend.xml from MDT. To save you the pain download the 'AutoUnattend.xml' from Github (here).


Save to the Root of E:\ (USB).


Within the autounattend.xml the following line is referenced to execute 'InstallScript.ps1' at first logon.


<CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file D:\software\InstallScript.ps1</CommandLine>


Not that the PartitionID is '3' and the InstallFrom is updated from 'install.wim' to 'install.swm'.


<OSImage>

<WillShowUI>OnError</WillShowUI>

<InstallTo>

<DiskID>0</DiskID>

<PartitionID>3</PartitionID>

</InstallTo>

<InstallFrom>

<Path>install.swm</Path>


To select a different edition, the default is Education to run the following command with Admin rights.


dism /Get-WimInfo /WimFile:"d:\sources\install.wim"


Index : 1

Name : Windows 10 Education

Description : Windows 10 Education


Index : 2

Name : Windows 10 Education N

Description : Windows 10 Education N


Index : 3

Name : Windows 10 Enterprise

Description : Windows 10 Enterprise


Index : 4

Name : Windows 10 Enterprise N

Description : Windows 10 Enterprise N


Index : 5

Name : Windows 10 Pro

Description : Windows 10 Pro


Edit the AutoUnattend.xml and update the MetaData value under OSImage to reflect the desired index value.


#The Script

Download 'InstallScript.ps1' from (here) and save it to E:\Software.


#A Brief Script Overview

The first action is to copy the Software directory to C:\ so it can be referenced between reboots.


The script adds Registry settings to Autologon as 'FauxAdmin' with a password of 'Password1234'. I strongly suggest changing the hardcoded password to something more secure.


Warning: During the installation of Windows it prompts for a new account to ensure it reflects the hardcoded name and password in the InstallScript.ps1 'FauxAdmin', 'Password1234'.


A Scheduled Task is added that will execute at logon with 'FauxAdmin'.


The default hostname is Desktop-####, you'll be asked to enter a new hostname.


Pre-Create a Computer object in AD, with the planned hostname of the client being deployed. Domain credentials will be required with delegated permissions to add computer objects to the domain.


Update the InstallScript.ps1 with the correct FQDN and OU path

$DomainN = "trg.loc"

$ouPath = "OU=wks,OU=org,DC=trg,DC=loc"


Windows 10 CU and Apps will install with various reboots.


A bit of a tidy to remove the AutoLogon and Scheduled Task and then a final reboot.


To prevent an attempted re-installation or repeat an action a 'check.txt' file is updated at the end of each step. If validated $true then the step will be skipped.


#Deployment

Boot PC and enter Bios\UEFI.


Set UEFI to boot or initial boot to USB, F10 to save and exit.


Insert USB and boot.


Setup will start and prompt for disk partitioning, delete the volumes and create new default partitions.


OK, Cortana.


Create an account of 'fauxadmin' + 'Password1234' - these account details are hardcoded in the script.


At initial logon, the PowerShell will launch.


The process is completed when the client has been added to the domain and rebooted.


Warning. Now reset the FauxAdmin account's password, don't forget it's hardcoded in the script and could allow an attacker to gain access if the password isn't updated.


#Notes:

The unattended disk partitioning proved to be unreliable and required manual intervention some of the time. This step is now manual.


It is assumed that the USB during deployment will map to D:\ this is hardcoded for the Scheduled Task.


Hiding Cortana resulted in removing the prompt for a new admin account, it's considered a security benefit to create a new admin account and disable Administrator with SID 500.









7 views0 comments