Home » Uncategorized » Scripting Win10 system deployment

After streamlining in place upgrade and provisioning package for bringing new systems with OEM image to enterprise standard, customised windows 10 image is the next to meet ongoing requirements like system reinstallation, new systems that doesn’t come with OEM image or image other than windows 10 OS etc. Key considerations and inputs for defining the approach includes

  • UEFI is the way forward
    • UEFI requires GPT disk partition and conversation from earlier MBR to GPT would require disk clean up
    • Boot media to be FAT32 for UEFI to boot from it, be it local disk or installation media. A FAT32 filesystem supports max 4GB file and hence if the windows image is large than that, splitting of the image file is required
  • Windows Preinstallation Environment or WinPE that comes part of Windows 10 installation media (\sources\boot.wim) comes with features sufficient to start windows installation process and complete the OS deployment. However, a custom WinPE can be created to include additional features like PowerShell and thus bring automation and customization to OS deployment, outside the customization done at windows image level.
  • There is one more WIM file, winre.wim, that gives the windows recovery environment. This file can be located inside the mounted folder of windows 10 image at the location C:\Windows\System32\Recovery. Part of the UEFI OS deployment this file is often deployed into a separate partition. The captured image from it might be missing the same. Hence additional steps needed to have it extracted from original installation media and deploy as part of OS deployment.
    • Custom WinPE can also be used for this purpose of WinRE. However, WinRE comes with WinPE-SRT, an Optional component which is not available as an add-on like PowerShell to incorporate into WinPE. WinPE-SRT is required by the MDOP DaRT tool to produce a DaRT recovery image to be used instead of default WinRE image. In such case, instead of using the custom WinPE, default boot.wim or winre.wim is used.
  • Encrypting the disk with bitlocker prior to OS deployment hardly increase overall deployment time and can save hours of user / engineer time that goes in completing the encryption after OS deployment. This is because of lesser time required to write encrypted data sequentially to a blank hard drive partition with no OS activities. Compared to that, encryption after OS deployment has to read data from disk, encrypt and put it back replacing existing data and the running OS overheads like page file activities.
    • This pre-provisioning of bitlocker ensures disk is encrypted but not the data security. Data is not secure till the encryption key is protected by a KeyProtector like TPM and recovery password. Addtional process or tool like Microsoft BitLocker Administration and Monitoring (MBAM) can complete that part at no addition overhead as the disk is already encrypted.
  • Windows imaging format (WIM) brings single-instance storage advantage. So I can pack multiple windows 10 image, like once captured on a HP system with all drivers and tool installed, one on Lenovo on similar way and one on virtual machine with no OEM driver or tool installed. So resultant WIM file would consume space of common files like Windows OS, applications like Office etc. once. Here are three image, first one on VM i.e. no driver and next two having corresponding HP and Lenovo driver. Last one is the WIM file that contains all this three images.

    • This combined with PowerShell scripting from custom WinPE brings the opportunity to use something like a switch statement and apply image specific to the system model. In case of no match, deploy a generic one that has the OS and applications, leaving the scope for many driver installation based on need.
      • If this is the case and we are ok to wipe the hard disk, why ask any question or put some selection overhead? Let it be completely robotic

For custom winpe creation I am using a 64-bit windows 10 VM installed with Windows 10 ADK.

Since this a FAT32 filesystem, it can’t take the 4+GB Windows image file. Using DISM.exe /Split-Image option, win10combined.wim or whatever the combined WIM file, need to be sliced around 4000MB files size and the resultant SWM files to be copied to media\sources folder inside the customwinpe.

Using the MakeWinPEMedia command this custom image can be put a USB. Or just copy the content of media folder inside the customwinpe folder to a fat32 formatted USB. However, care need to be taken to ensure the LABEL of this USB is WINPE as the deployment script depends on that.

Once a system or VM is booted from WinPE, it would start the command inside Windows\System32\startnet.cmd . PowerShell script \WinpeRUN\win10install.ps1 is part of the statnet.cmd and would initiate the OS deployment. Here is the script that I use and it does bellow

  • Prepare the DISK by clean-up, make GPT partition style and create required partitions
    • 500MB NTFS partition for Windows Recovery
    • 100MB FAT32 for EFI
    • 128MB Reserved partition
    • 100GB for OS deployment
    • Remaining space into two equal size volume for data (towards end of script)
  • Bitlocker pre provision
  • Detect the hardware and apply the corresponding image (index number) and sets the boot manager
  • Sets the Winre recovery environment for the installed OS
  • Sets SetupComplete.cmd to configure Direct Access and enable winre on a Laptop or just the winre on a desktop
  • Completes Bitlocker pre provision on additional data drives

Here is the content of SetupComplete_Laptop.cmd and for the desktop, it just the last line which enables the windows recovery



Leave a Reply

Your email address will not be published. Required fields are marked *