Fully Unattended Deployment of Windows Clients Using Limited Resources

July 07, 2012 Category: Windows

Introduction

Anyone who has ever installed Windows on a computer by hand must have wished for a solution that automates this task. It's just a lot of waiting and pressing a button now and then. But installing the operating system itself is only the beginning. Once installed, you need to apply service packs or at least about a hundred or more security updates. When finished, you need to install all additional software, like an office suite, PDF reader, anti-virus software and the like.

So you need to install:

  1. the operating system
  2. applications
  3. security updates

If you do this all by hand, it will probably take at least half a day, if not longer. This is a major problem, because sooner or later you may have to hire somebody full time to do just the computer deployments. Expect a high job turnover rate. You definitely want to automate this task, saving money on extra sysadmins but, more importantly, improving quality.

Even if you have to install one computer every week, you must automate this process for the sole reason that if you don't, no two deployed computers are the same. People make mistakes, especially with boring, repetitive tasks. So automation improves quality and reduces the workload significantly.

If you don't deploy your end-user computers through some kind of automation, you need to stop what you are doing right now and build such a solution. It's fundamental to provide good quality service to your users.

It must be fully unattended, or as unattended as possible. You may have to press a button to initiate the process at the start, but that must be all that is required to deploy a system. If during deployment you need to touch the computer in order for it to continue deploying, you have a bug that needs to be fixed as soon as possible.

So, in this post I want to show you that with minimal resources, you can create a fully unattended solution for Windows desktop systems. There are probably better ways to do this, but for me, this was enough.

Imaging versus automated deployment

It's very simple. Do not image. Do not use products like Norton Ghost or Clonezilla for system deployment. Imaging is not flexible. For every change, you need to create a new image. For every hardware model, you need to create a new image. Every program update requires a new image. Instead of installing computers by hand, you are maintaining images. It does not scale.

Automated installations on the other hand do scale. They are dynamic. They just use whatever drivers they need during installation, as long as they are available. Just updating the installer of an application is sufficient to make sure that future deployments are up-to-date. Flexibility is key.

Solution overview

  1. Clients use PXE to boot from the network. They boot a special Windows Embedded kernel that bootstraps the Windows installation process.
  2. The operating system and drivers are installed.
  3. All company software is installed.
  4. All security patches are installed.
  5. When ready, a mail is sent to the sysadmins.

You will need:

  1. A DHCP server
  2. A WDS server
  3. A KMS server and valid KMS licence
  4. Valid Windows 7 ISO for KMS installation
  5. An unattended configuration created with WAIK
  6. Driver packs for the various desktop and laptop models
  7. A domain account dedicated for deployment
  8. A list + executables of all software required for the client

About KMS and Windows licences

In a larger environment, with 25+ desktops and laptops, it becomes too cumbersome to type in the product licence key and activate the systems by hand. This does not scale. You need a Volume Licence agreement for Windows 7 or higher in order to be able to use a Key Management Server and a special ISO of Windows 7 that does not require a product key. Learn more about this in this blog post.

Windows Deployment services

The basis for automated deployment is Windows Deployment Services. This software, made available for free by Microsoft, allows clients to PXE boot and perform unattended operating system installations.

Unattended operating system installations are guided by XML files that describe the configuration for the operating system. Such a configuration file is authored with the Windows Automated Installation Kit.

WDS uses two images: a boot image and an install image. Because computers need drivers, you need to download the drivers and inject them into the boot image. All major vendors supply complete driver packages for you to download. Just download, extract and import. Create driver groups for every model to keep your drivers ordered.

You may choose to install all drivers in one image, but that image can grow large and lengthen the installation time. To resolve this, create separate boot images for different vendors and differentiate between model lines. This is not required, and it is not much work, but it keeps the boot images small.

Windows Automated Installation Kit

You need the WAIK to author the XML file used by WDS to configure the unattended installation. You must specify hard disk partitioning, some default settings and the like. This is also where you configure the command to run when the operating system installation has finished. This will start the software installation phase.

Automated silent software deployment

For software installation, I just go back to my MS-DOS 4.11 days and use a simple batch script that installs all software.

Every product, such as Adobe Reader or Java, has an installation batch file. There is one main batch file that calls each program install batch file to install it and log the results for debugging.

It is that simple. And it works perfectly. The most important task is to find out for each product how you can install it silently, without user intervention. Fortunately, almost all products provide command line arguments for unattended installation.

Software is installed by using a domain-based unprivileged user that uses autologon to logon to the system, with local administrative privileges. Once the installation is complete, local admin privileges are revoked.
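As an added example (not the post's own batch file), the PowerShell script below does what the main batch file described above does: it walks a list of products, runs each silent installer, and logs the exit code so a failed product is visible in the log instead of silently skipped. The share path, log location, product list and installer arguments are assumptions for illustration; the real silent-install switches must be taken from each vendor's documentation.

```powershell
# Added example, not the post's script. All paths and product entries are assumed.
$ErrorActionPreference = 'Stop'
$Share   = '\\deploy01\install$'        # assumed read-only software share
$LogFile = 'C:\Deploy\install.log'      # assumed log location

# One entry per product: installer, silent arguments, and the exit codes that
# count as success (3010 means "installed, reboot required" for MSI-based setups).
$Products = @(
    @{ Name = 'PDF reader'; Cmd = "$Share\Reader\setup.exe";  Args = '/quiet /norestart'; Ok = @(0, 3010) }
    @{ Name = 'Java';       Cmd = "$Share\Java\setup.exe";    Args = '/s';                Ok = @(0, 3010) }
    @{ Name = 'Anti-virus'; Cmd = "$Share\AV\setup.exe";      Args = '/silent';           Ok = @(0) }
)

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ('{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message)
}

# Runs one product's installer and returns $true only on an accepted exit code.
function Install-Product {
    param([hashtable]$Product)
    Write-Log "BEGIN $($Product.Name)"
    if (-not (Test-Path -LiteralPath $Product.Cmd)) {
        Write-Log "FAIL  $($Product.Name): installer not found at $($Product.Cmd)"
        return $false
    }
    $proc = Start-Process -FilePath $Product.Cmd -ArgumentList $Product.Args -Wait -PassThru
    if ($Product.Ok -contains $proc.ExitCode) {
        Write-Log "OK    $($Product.Name) exit=$($proc.ExitCode)"
        return $true
    }
    Write-Log "FAIL  $($Product.Name) exit=$($proc.ExitCode)"
    return $false
}

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
$failed = @()
foreach ($product in $Products) {
    if (-not (Install-Product -Product $product)) { $failed += $product.Name }
}

if ($failed.Count -gt 0) {
    Write-Log "DONE with failures: $($failed -join ', ')"
    exit 1
}
Write-Log 'DONE all products installed'
```

Keeping one entry per product in a table, rather than one batch file per product, means adding a product is a one-line change and the log records exactly which installer returned which code; a non-zero exit from the script as a whole is what the sysadmin sees when the deployment needs a second look.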

Installing all security updates

This is the hard part. There are several problems. First, after you install all updates, more updates seem to be available after the next reboot. Furthermore, on Windows 7 a memory leak causes the installation process to take ages.

The solution is to install smaller batches of patches, such as 30 or 40 at a time. You can use a script for that as supplied by Microsoft. This script must be changed not to install all patches, but a fixed number at a time.

So you need several reboots to install all patches and must run the VBS update script several times. The WAIK provides an option for 'autologon', so you can have a user account log on, say, 5 times. After that, no autologon is performed ever again.

So you place a special batch file in the startup folder of the autologon user that triggers the Windows update process every time the autologon is performed. This is the last step of the installation.

After five autologons, the system will boot to the logon screen and the system is done.
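The script below is an added example, not the Microsoft VBS script the post refers to, of the same idea written in PowerShell against the Windows Update Agent COM API (Microsoft.Update.Session): each autologon installs at most a fixed number of pending updates, reboots, and on the last pass performs the end-of-deployment cleanup (revoking the deployment account's local admin rights, clearing the autologon password that Setup stores in the Winlogon registry key, and mailing the sysadmins). The batch size, pass counter file, account name, log path and mail settings are assumptions for illustration; the maximum number of passes is meant to match the LogonCount configured in the unattend file.

```powershell
# Added example, not the post's or Microsoft's script. Paths, account and mail settings are assumed.
$BatchSize   = 30                              # updates per autologon pass
$MaxPasses   = 5                               # assumed to equal LogonCount in unattend.xml
$LogFile     = 'C:\Deploy\updates.log'
$CounterFile = 'C:\Deploy\update-pass.txt'     # persists the pass number across reboots
$Account     = 'CORP\svc-deploy'               # assumed deployment account

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ('{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message)
}

# Installs up to $Count pending updates; returns how many were installed,
# how many remain, and whether the agent asked for a reboot.
function Install-UpdateBatch {
    param([int]$Count)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    Write-Log "$($result.Updates.Count) updates pending"
    if ($result.Updates.Count -eq 0) {
        return @{ Installed = 0; Remaining = 0; Reboot = $false }
    }

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($update in $result.Updates) {
        if ($batch.Count -ge $Count) { break }
        if (-not $update.EulaAccepted) { $update.AcceptEula() }
        [void]$batch.Add($update)
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $install = $installer.Install()
    for ($i = 0; $i -lt $batch.Count; $i++) {
        Write-Log ('{0} result={1}' -f $batch.Item($i).Title, $install.GetUpdateResult($i).ResultCode)
    }
    return @{
        Installed = $batch.Count
        Remaining = $result.Updates.Count - $batch.Count
        Reboot    = $install.RebootRequired
    }
}

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
$pass = if (Test-Path $CounterFile) { [int](Get-Content $CounterFile) } else { 0 }
$pass++
Set-Content -Path $CounterFile -Value $pass
Write-Log "Update pass $pass of $MaxPasses"

$outcome = Install-UpdateBatch -Count $BatchSize

# More to do and autologons left: reboot, and the next autologon runs this script again.
if ($outcome.Remaining -gt 0 -and $pass -lt $MaxPasses) {
    Restart-Computer -Force
    exit
}

# Last pass: revoke local admin rights, remove the stored autologon credential
# and the cached answer file Setup keeps under Panther, then notify the admins.
net localgroup Administrators $Account /delete | Out-Null
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
Remove-Item -Path 'C:\Windows\Panther\unattend.xml' -Force -ErrorAction SilentlyContinue

$body = "Deployment of $env:COMPUTERNAME finished after $pass update passes; $($outcome.Remaining) updates still pending."
Send-MailMessage -From 'deploy@corp.example' -To 'sysadmins@corp.example' `
    -SmtpServer 'smtp.corp.example' -Subject "Deployment done: $env:COMPUTERNAME" -Body $body
Write-Log 'DONE'
if ($outcome.Reboot) { Restart-Computer -Force }
```

Counting passes in a file rather than trusting the autologon budget alone means the cleanup runs even when Windows Update reports nothing left before the fifth logon, and the "still pending" number in the mail tells the sysadmin whether the batch size or the pass count needs raising for that model.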

Additional resources

Large organisations may use Microsoft System Center Operations Manager, but I assume that such a solution has not been set up. I assume that you are in an environment without any existing solution that may help you out.

I would also investigate the Microsoft Deployment Toolkit 2012. Instead of tinkering with batch files and VBS scripts, this may also help you. However, it seems to focus on creating images, or automating the task of creating images, rather than just automating the installation of a client.

Final thoughts

Please note that I had to research this solution within a few weeks, with lots of other things to do. It was just one project of many other projects. There may be better solutions to automate system deployments. Maybe the MDT is a better approach, but I haven't tested it (yet). The current setup is sufficient for now and it frees us to start other much needed projects.
