Windows 11 24H2 (and beyond) PXE Image Deployment for Intune Provisioning
Posted by jimphreak@reddit | sysadmin | 41 comments
In our network we've been deploying Windows 10 and 11 devices via USB installers that have autounattend files and provisioning packages. Our techs can simply boot to the USB and it will install windows, reboot, enroll into Azure AD, run all our setup scripts, and get to the Ctrl + Alt + Del screen pretty much ready to go. This all works wonderfully.
However, I'd really love to remove the necessity to rely on USB installers. I want to be able to PXE boot the custom Windows image ISOs (mainly just embedding network drivers so enrollment succeeds) I create. Is anyone doing this and if so, what is your setup like? All the current Windows 11 deployment software options out there seem to only support Windows 11 unofficially or not at all. And since I'll be setting this up from scratch, I'd like to set up something that will have long term support.
HJForsythe@reddit
ipxe + wimboot + wimlib on a linux machine or MDT (unsupported/shit on by Microsoft) + wds
PolygonError@reddit
how do you deal with secure boot? just disable it, run, then re enable?
HJForsythe@reddit
Well,
In either case, you boot into a WinPE image which actually fully installs Windows through the installer. The same way your USB image works (presumably).
PolygonError@reddit
yeah but you need to boot into iPXE first, then that loads wimboot and loads WinPE, since iPXE isn't signed secure boot needs to be disabled...?
HJForsythe@reddit
Like I said you can just use WDS if you want.
Secure boot works on our devices that install via IPXE so... idk
CryptographerLow7987@reddit
I use WDS service on a server with MDT. All free and tons of documentation on setting it up.
jimphreak@reddit (OP)
And WDS with MDT is still well supported for Windows 11 24H2 and beyond. I've read it's not officially supported and Microsoft seems to be killing it off. Not what I love to hear for something I'm just setting up from scratch.
Engineered_Tech@reddit
Yes, MDT is being "killed off" in the near future.
Yes, Windows 11 "is not supported" officially.
Yes, Microsoft is removing VBscript from all new Windows OS's in the near future and MDT relies heavily on that to function.
I am sure someone will come up with a way around most of those "issues", but I would stick with the USB method and not worry about WDS or MDT.
You could even incorporate the packages and scripting into the Intune/autopilot enrolment and cut out a big piece of your process.
Yes, when using autopilot, you can have the PC automatically enroll, update itself, install drivers, application and run scripts while it auto enrolls into Intune for your tenant.
Sai_Wolf@reddit
https://github.com/FriendsOfMDT/PSD is a PowerShell rewrite of the various VBScript functions of MDT.
jimphreak@reddit (OP)
Is there any easy way to set up Autopilot for just a small set of test devices without affecting any of our current production devices?
Engineered_Tech@reddit
Short answer.... Yes, this is possible.
Autopilot will only run if the following criteria are met.
The Windows OS will only reach out to 365 during the OOBE stage to check if it should be managed and configured by a tenant policy. No currently running Windows OS will trigger autopilot. You can still enroll it into Intune manually.
Reference: https://learn.microsoft.com/en-us/autopilot/requirements
Guidelines: https://learn.microsoft.com/en-us/autopilot/autopilot-device-guidelines
Guide: https://www.prajwaldesai.com/new-windows-autopilot-setup-guide/
Autopilot is designed to take a new vanilla Windows OS and bend it to your will.
Essentially this means, you remove, add, change whatever you want through remote management (Intune), policies (aGPO), powershell scripting and package deployments when the new Windows OS adds itself to your tenant.
There are two ways this can be done, one is using autopilot OOBE automated computer and the other is end user initiated.
Now I am not in any way an Intune or Autopilot guy. This is all told to me by people who know it better than I do.
Do your research and test thoroughly before putting anything into a production environment.
BlackV@reddit
autopilot is NOT retroactive, it will not touch existing machines, it only applies at install OS stage
sexybobo@reddit
People are rewriting all the VBScript for mdt in powershell to keep it working.
That said, if you're just installing Windows with drivers you don't need MDT; you can use WDS to push your custom gold image and have it inject drivers or have them in your gold image already.
CryptographerLow7987@reddit
Not a bad point. If MDT is being killed then maybe SCCM, or just use WDS to push the golden image. I have also used FOG at https://fogproject.org/ which is a ghosting network imaging solution that has a bunch of other options for deploying.
wasabiiii@reddit
Enroll them in autopilot?
Ok_Procedure_3604@reddit
Autopilot is fantastic but if you buy and want a clean image (please, please for the love of god do not deploy Dell systems with their Dell crapware), this is the fastest way to get things to a base level.
BlackV@reddit
Dell offers a clean image SKU (as does HP, I think?)
wasabiiii@reddit
Fresh Start should clear those out.
Ok_Procedure_3604@reddit
I will give that a try on our next batch, but I have found Intune fails at enough basic stuff to not trust it for a reimage. I need consistency with our builds so we don't waste tons of time troubleshooting random junk.
wasabiiii@reddit
Intune here does little more than send a signal to Windows 11 to initiate a reinstall. At the end of the day, it's just running the Windows setup app.
Ok_Procedure_3604@reddit
I'll give that a go so our support guy can maybe process these a bit faster. The other issue is making sure we aren't deploying 24H2 or anything like that. We have found it has a few issues with software we are deploying and the overall consensus right now is to wait it out.
jimphreak@reddit (OP)
Exactly my experience. We only deploy clean images.
Ok_Procedure_3604@reddit
The one time I spent hours tracking down an issue to find out it was the Dell "Optimizer" software that decided to nuke the network connection in various strange ways .. I stopped allowing a machine to go out to our end users with the base image installed.
jimphreak@reddit (OP)
I believe this would work for new devices straight from the vendor (Dell in this case). But it doesn't help for re-installing Windows on devices we already have. Also, don't you lose some customization control when using Autopilot?
wasabiiii@reddit
You can enroll your own devices in AutoPilot.
jimphreak@reddit (OP)
How exactly does that work? I haven't looked into Autopilot in quite some time.
So I add all our existing devices into Autopilot and re-install Windows. What happens next?
wasabiiii@reddit
They get Intune and Azure AD joined when they boot.
jimphreak@reddit (OP)
Ok. And with regard to all the PowerShell scripts I currently run as part of my provisioning package... how would you recommend replicating that?
jimphreak@reddit (OP)
Is there an easy way to test Autopilot on a small subset of our current devices without affecting all those out in production right now?
wasabiiii@reddit
Yes. You enroll by uploading a CSV of autopilot hash keys. Just don't include everything.
jimphreak@reddit (OP)
Ok I have this going with a test device right now. Do you know how I will collect this info (device serial and hash) for all devices?
wasabiiii@reddit
https://learn.microsoft.com/en-us/autopilot/add-devices
jimphreak@reddit (OP)
I read through this but see nothing about how to do this en masse. I'm already using thousands of devices in Intune.
wasabiiii@reddit
I mean it's PowerShell....
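For the "collect serial and hash for all devices" question above, here is an added example (not code from any poster in this thread) of the PowerShell a tech could push as an Intune platform script or run from an elevated prompt: it reads the Autopilot hardware hash through the MDM WMI bridge the way the Microsoft add-devices documentation describes and appends a row in the Intune CSV import format. The output path and the group tag value are placeholders, and the Windows Product ID column is left blank since the import accepts it empty.

```powershell
# Added example: capture this device's Autopilot identity and append it to a shared CSV.
# Requires an elevated session on Windows 10/11. Adapted from the WMI bridge approach
# in Microsoft's add-devices documentation; not the thread author's script.
param(
    # Placeholder UNC path; use a share the techs (or the SYSTEM account, under Intune) can write to.
    [string]$OutputFile = '\\FILESERVER\autopilot$\AutopilotHashes.csv',
    # Optional Autopilot group tag so the pilot batch lands in its own dynamic group.
    [string]$GroupTag = 'Pilot'
)

# Serial number as Intune shows it under "Device Serial Number".
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# The 4K hardware hash is exposed by the MDM bridge provider in the dmmap namespace.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
    throw 'Could not read DeviceHardwareData; run elevated on a supported Windows 10/11 build.'
}
$hash = $devDetail.DeviceHardwareData

# Column order the Intune Autopilot import expects; Windows Product ID may be blank.
$header = 'Device Serial Number,Windows Product ID,Hardware Hash,Group Tag'
$row    = '{0},{1},{2},{3}' -f $serial, '', $hash, $GroupTag

# Write the header once, then append, so many devices can feed the same file.
if (-not (Test-Path -Path $OutputFile)) {
    Set-Content -Path $OutputFile -Value $header -Encoding ASCII
}

# Skip devices already captured so re-runs of the platform script do not duplicate rows.
$already = Select-String -Path $OutputFile -Pattern ('^' + [regex]::Escape($serial) + ',') -Quiet
if ($already) {
    Write-Output "Serial $serial already present in $OutputFile; nothing added."
} else {
    Add-Content -Path $OutputFile -Value $row -Encoding ASCII
    Write-Output "Captured hash for serial $serial -> $OutputFile"
}
```

The resulting CSV is what gets uploaded under Devices > Enrollment > Windows Autopilot devices, so limiting the test to a subset is simply a matter of which rows you include.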
wasabiiii@reddit
Intune.....
jimphreak@reddit (OP)
Ok so just use the typical remediation/platform powershell scripts and Win32 apps.
wasabiiii@reddit
Yup. I mean, you can run a ppkg post install too.
But it tends to be clearer to separate it all out anyways.
fanofreddit-@reddit
Been using PXE+ConfigMgr/OSD+autopilot for years, no issues. We never use the vendor OS, always have the techs reimage:
https://learn.microsoft.com/en-us/autopilot/existing-devices
No-Plate-2244@reddit
Have you tried FOG?
jimphreak@reddit (OP)
I haven't yet, no. Though I have read about it. I didn't want to go down the road yet until I got some feedback/opinions from those doing something similar to what I'm doing. Is there a recommended guide you could point me towards for FOG?
No-Plate-2244@reddit
Actually, believe it or not, FOG does a pretty good job of an installation guide: https://jgoedbloed-docstest.readthedocs.io/en/latest/installation/