this post was submitted on 25 Oct 2023

Sysadmin

I'm new to Windows deployments, and I need some help. I've gotten as far as setting up a new system from a Windows 11 image downloaded from MS, configuring it/installing software, and then running sysprep. I made a WinPE boot thumbdrive, but I'm stuck at capturing the Windows image part. Part of my problem is that I'm trying to make this in a VM. Is that more trouble than it's worth?

Is there an easier way to do this? I've seen people saying I can use Linux tools like Clonezilla, which sounds good to me, since I'm very comfortable with Linux-- but I read that might cause problems. One thing mentioned was licensing.

I would be deploying these images 100% onto Lenovo machines that we purchase from CDW, so I'm not sure how licensing would work. Is the license tied to the MAC? Will they auto-register once I boot them with the new image?

Thanks for anyone that takes the time to help me understand this :)

[–] [email protected] 4 points 1 year ago (1 children)

Just to add more confusion, we are removing MDT from all customers and replacing it with Intune, using the already created JSON templates we have, then also deploying Chocolatey with Intune and calling PowerShell from Intune to install other software. I'd say only 20% of our customers have on-premises AD; the other 80% are all Microsoft Business Premium licensed unless over 300 staff, and that's why we have been transitioning customers to only that for the last few years.

MDT is the right tool for AD on-premises though, so don't be dissuaded from that; just more you should know.

[–] [email protected] 1 points 1 year ago (1 children)

Can I ask why Chocolatey and not just installing via policy/Company Portal? I'm not our Intune guy, so I don't know much about the limitations.

[–] [email protected] 2 points 1 year ago

Oh, because if an application doesn't exist natively in Azure, i.e. it's not an MS Store app, then you can only deploy by uploading the MSI, which of course is one version. At an MSP with thousands of devices in dozens if not a hundred tenancies, and new software versions being released daily, you need something that will update all that.

Chocolatey is just for the poorer customers, a best effort; ImmyBot for SOE management, though, if the customer is full. Whenever Microsoft finishes getting their own repository fixed, though, using winget could be the new Chocolatey. Right now it doesn't do patching, or at least it didn't 12 months ago. It could install and report but not update.

So, thinking of solution life cycle, you want something that doesn't need tons of manual intervention, and you can use PDQ or Chocolatey or ImmyBot or whatever. Microsoft can handle its first-party software suites and RMM deployment, but 3rd party at this stage is just not good enough.

Hope that helps

[–] PutangInaMo 3 points 1 year ago

You can use MDT to capture the image; it provides the scripts to do so. Just deploy a Windows 11 image on a VM and use said script to capture it to the deployment share.

You'll need WDS to install the captured image over the network, though, but it's all not as difficult as it may appear.

[–] SheeEttin 3 points 1 year ago (1 children)

I haven't done imaging for a few years now, but it used to be that you needed at least one volume license for imaging rights. (The license center only allows you to buy five licenses, but you can do one VL and four of the cheapest thing you can find.) I think you should be able to use the built-in OEM licenses for activation.

Personally, I wouldn't bother messing with custom images, unless there's a particular setup you want them all to have right away. I'd just use a plain image and script everything else. I'd use WDS if you want to use the full Windows stack, or FOG if you prefer.

[–] [email protected] 1 points 1 year ago (3 children)

Thanks, I'll look into the feasibility of scripting. I don't think I can use WDS since we use a local AD.

[–] cyber_admin 2 points 1 year ago

WDS runs on a local server, so it would work with local AD.

[–] TheBSGamer 2 points 1 year ago* (last edited 1 year ago) (1 children)

Also, to piggyback off the WDS thing, SCCM (I believe) is included with Windows Volume Licensing, so you could also use Task Sequences as a route to image. I built our whole imaging setup with it and only had to build one baked image because the OS needed like 120 pieces of software or something crazy like that. That's obviously not all that it does, but I prefer the flexibility of SCCM's management alongside the imaging.

Edit: yeah it's included if you use Microsoft 365.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks, that does look powerful, but also big and complicated. We are at most provisioning a few boxes a week, and I am really just looking for the easiest way to not have to set them all up from scratch. As the company grows, I can see the benefit to learning and utilizing a tool like SCCM.

[–] TheBSGamer 2 points 1 year ago

Agreed. Wasn't sure of your work load. I would stick with WDS in that case then.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I think you might be referring to pulling out the install.wim file from inside the ISO, no? If so, I think it's located in the sources folder of the ISO. It's 3 am and I'm still up because I can't sleep, so forgive me if I'm totally off base.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

There are different solutions depending on the scale and scope.

At the minimum, you can look at just modifying the unattend.xml file to automate a USB install. This will give some simple features like configuring licensing and generally being able to skip the OOBE (out-of-box experience) wizard.

Next level up is modifying the install.wim file on that USB install. This will afford some more customisability like taking a sysprepped captured image, like what you're describing. You don't need a WDS server for this, but if you're going this deep you might as well move up to one for the automation it brings to that captured image workflow.

Next level up is setting up a WDS (Windows Deployment Services) server, which can just be a dedicated VM or a dedicated physical machine somewhere on the network. This has all the benefits of the above but with better automation and network booting (which replaces your USB with just needing a network connection) and automatic AD join.

At the top of those enterprise-scale solutions is SCCM (now called MECM) or Intune, depending how you want to work things. Setting up one of these is probably way beyond your scope, though.

Things get more complicated the further up you go, but come with more benefits. If you're looking for a minimum-effort solution, I'd just build a bootable USB with Rufus and modify the unattend.xml, save that file somewhere so you don't have to do it again, and just copy it onto any new drive you build.

I might be forgetting something, so hopefully something in the comments here helps you in your current situation. Cheers.
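
The "capture a sysprepped image" step that the second level above describes (and where the original poster is stuck) is, in practice, a single dism.exe call run from WinPE, plus two checks worth doing first. The script below is an added example, not code from this thread or from any of the tools named in it. It assumes the WinPE media was built with the WinPE-PowerShell optional component, that the drive letter E: (the WIM destination) and the volume label/paths in the comments are placeholders for your own, and that the offline SYSTEM hive records sysprep's state under Setup\Status\SysprepStatus with GeneralizationState = 7 meaning generalized, as Microsoft documents.

```powershell
#Requires -Version 5.1
# Added example (not from the thread): capture a sysprepped Windows 11 volume
# from WinPE into a WIM and record its SHA-256. Assumptions: WinPE includes the
# WinPE-PowerShell optional component; dism.exe is present (it is in every
# WinPE build); $ImagePath points at an already-mapped USB or network drive.
param(
    [string]$ImagePath   = 'E:\Captures\win11-custom.wim',   # assumed destination
    [string]$Name        = 'Win11-Custom-Sysprepped',
    [string]$Description = 'Windows 11 base build, sysprep /generalize /oobe'
)

# Locate the offline Windows volume: any filesystem drive other than the WinPE
# RAM disk (X:) that holds a Windows kernel and a SYSTEM hive.
function Find-OfflineWindowsRoot {
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Name -ne 'X' } |
        ForEach-Object { "$($_.Name):" } |
        Where-Object {
            (Test-Path "$_\Windows\System32\ntoskrnl.exe") -and
            (Test-Path "$_\Windows\System32\config\SYSTEM")
        } |
        Select-Object -First 1
}

# Confirm sysprep /generalize actually ran. Capturing a non-generalized disk
# clones the machine SID, hardware-specific driver state and the activation
# state onto every machine you deploy to.
function Test-Generalized([string]$Root) {
    $hive = "$Root\Windows\System32\config\SYSTEM"
    & reg.exe load 'HKLM\OfflineSystem' $hive | Out-Null
    try {
        $status = Get-ItemProperty -Path 'HKLM:\OfflineSystem\Setup\Status\SysprepStatus' -ErrorAction Stop
        return ($status.GeneralizationState -eq 7)   # 7 = generalized (assumption from MS docs)
    } catch {
        return $false
    } finally {
        [gc]::Collect()                                # release handles before unloading the hive
        & reg.exe unload 'HKLM\OfflineSystem' | Out-Null
    }
}

# Capture the volume. /CheckIntegrity embeds integrity data in the WIM and
# /Verify re-reads each file as it is captured; both catch silent corruption.
function Invoke-Capture([string]$Root) {
    New-Item -ItemType Directory -Path (Split-Path $ImagePath) -Force | Out-Null
    & dism.exe /Capture-Image `
        "/ImageFile:$ImagePath" `
        "/CaptureDir:$Root\" `
        "/Name:$Name" `
        "/Description:$Description" `
        /Compress:max /CheckIntegrity /Verify
    if ($LASTEXITCODE -ne 0) { throw "dism /Capture-Image failed with exit code $LASTEXITCODE" }
}

$root = Find-OfflineWindowsRoot
if (-not $root) { throw 'No offline Windows installation found; check the disk is attached and not BitLocker-locked.' }
if (-not (Test-Generalized $root)) { throw "$root was not generalized; run sysprep /generalize /oobe /shutdown and retry." }

Invoke-Capture $root

# Record the hash beside the WIM so the copy that ends up on deployment media
# (or replaces sources\install.wim on the USB stick) can be verified before use.
$hash = Get-FileHash -Algorithm SHA256 -Path $ImagePath
"$($hash.Hash) *$(Split-Path -Leaf $ImagePath)" | Set-Content -Path "$ImagePath.sha256"
& dism.exe /Get-ImageInfo "/ImageFile:$ImagePath"
```

Two caveats for the VM workflow in the original question: boot the VM from the WinPE ISO with the sysprepped virtual disk still attached (the script only sees the Windows volume, so the EFI and recovery partitions are recreated at deployment time by Setup or WDS, not copied), and if Windows 11 turned on device encryption in the VM, the volume will not be readable from WinPE until it is unlocked or decrypted.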

[–] [email protected] 2 points 1 year ago (1 children)

Everyone suggesting WDS or MDT is overlooking something very important: both are being phased out, and have limited or no support for Win 11.

If you are building a new workflow, you should not build on these tools. You should build on something supported going forward.

Thick/captured WIMs are generally not recommended anyway due to their higher maintenance needs. What are you trying to do in the first place? There are probably better approaches to solve that instead of capturing an image.

[–] [email protected] 1 points 1 year ago (1 children)

I'm trying to save myself some time. I have a few boxes to set up per week. They are all either Lenovo ThinkCentres or Lenovo laptops. They all need updates, a few things uninstalled, and a minimum set of things installed, including: Office 365, Adobe Reader, OpenVPN, a remote desktop connection, etc. Some of the software requires manual registry edits.
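
The requirements listed above (updates, a few removals, a fixed set of installs, some registry edits) are exactly what the "use a plain image and script everything else" advice earlier in the thread is aimed at. The script below is an added example of that approach, not code from this thread or from any vendor. The in-box app names, the winget package IDs and the registry key are assumptions to be replaced with your own (confirm IDs with `winget search` before trusting them); it is meant to be run once, elevated, in an interactive session on a freshly imaged machine, and every step is idempotent so it can be re-run safely.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): post-deployment provisioning for the
# "plain image, then script everything" approach. App names, winget IDs and the
# registry key below are assumptions; verify them for your environment.

# 1. In-box (provisioned) apps to remove for every future user. Example names.
$AppsToRemove = @('Microsoft.XboxApp', 'Microsoft.ZuneMusic', 'Microsoft.BingNews')

# 2. Software to install. winget IDs are assumptions; confirm with `winget search`.
$Packages = @(
    'Microsoft.Office',              # Microsoft 365 Apps
    'Adobe.Acrobat.Reader.64-bit',   # Adobe Acrobat Reader
    'OpenVPNTechnologies.OpenVPN'    # OpenVPN client
)

# 3. Registry values some of the software needs. Hypothetical key and value.
$RegistryValues = @(
    @{ Path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'; Name = 'AutoUpdate'; Type = 'DWord'; Value = 1 }
)

function Remove-ProvisionedApps([string[]]$Names) {
    # Removing the *provisioned* package stops the app being staged for new
    # profiles; already-created profiles keep their copy until it is removed per user.
    Get-AppxProvisionedPackage -Online |
        Where-Object { $Names -contains $_.DisplayName } |
        ForEach-Object {
            Write-Host "Removing provisioned package $($_.DisplayName)"
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        }
}

function Install-Packages([string[]]$Ids) {
    foreach ($id in $Ids) {
        # --exact refuses fuzzy matches, so a similarly named package from another
        # publisher is never installed by accident.
        & winget.exe install --id $id --exact --silent `
            --accept-package-agreements --accept-source-agreements
        if ($LASTEXITCODE -ne 0) { Write-Warning "winget returned $LASTEXITCODE for $id" }
    }
}

function Set-RegistryValues($Entries) {
    foreach ($e in $Entries) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        # -Force overwrites an existing value of the same name, so re-runs converge.
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType $e.Type -Value $e.Value -Force | Out-Null
    }
}

# Install pending updates through the documented Windows Update Agent COM API
# (no third-party module needed). Returns $true when a reboot is required.
function Install-PendingUpdates {
    $session = New-Object -ComObject Microsoft.Update.Session
    $result  = $session.CreateUpdateSearcher().Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    if ($result.Updates.Count -eq 0) { return $false }
    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$coll.Add($u)
    }
    $downloader = $session.CreateUpdateDownloader(); $downloader.Updates = $coll; [void]$downloader.Download()
    $installer  = $session.CreateUpdateInstaller();  $installer.Updates  = $coll
    $r = $installer.Install()
    return [bool]$r.RebootRequired
}

Remove-ProvisionedApps $AppsToRemove
Install-Packages       $Packages
Set-RegistryValues     $RegistryValues
if (Install-PendingUpdates) { Write-Host 'Reboot required to finish installing updates.' }
```

Keep the script (and anything it calls) on a share the technicians can read but not write, and review it like any other code that runs as an administrator on every new machine: it is the one place a bad change reaches every box you build.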

[–] [email protected] 2 points 1 year ago (1 children)

What's your endpoint management/MDM? It sounds like your org has about 500 PCs, which means you definitely need something to manage them after deployment. That's where I would start.

If you don't have an MDM, you need to push upper management so that you do. Intune or PDQ are probably right for your size. Each comes with strings and complications, but they will save you a significant amount of time and money in the long run.

[–] [email protected] 1 points 1 year ago

Yeah... We don't use any endpoint management. We probably have closer to 150 PCs, but we are growing. I am half the IT dept and I've been here about 6 months. This is my first IT job, so I'm learning as I go, and the other guy did the same. I will definitely look into implementing Intune.

[–] [email protected] 2 points 1 year ago (1 children)

Really depends on your scale and needs, but when we were in the process of transitioning from Ivanti to Intune we had a gap between them. I set up a FOG project server and a couple remote nodes and that worked really well as an interim solution. I actually started using it at home even though I don't really need imaging too often.

[–] [email protected] 1 points 1 year ago

I just learned about FOG. I'll look into it.