In Cloud OS Deployment, Part 1, you learned how to run MDT task sequences via Microsoft Intune for Computer Refresh and In-place Upgrade / Windows 10 Servicing scenarios. In this part you learn how to do bare metal deployments over the Internet (http/https), with or without any other corporate infrastructure.
By setting up a VM in Azure/AWS, installing Windows ADK and MDT on it, extending MDT with the open source PowerShell Deployment (PSD) extension and booting from WinPE, you can do bare metal deployments over the Internet.
The Cloud OSD Challenge – Starting the deployment
While setting up a VM in Azure or AWS with MDT and PSD is fairly straightforward (simply follow the PSD setup guide), the challenge is how to actually start the deployment without any local infrastructure. Using native Microsoft technologies you are currently more or less limited to creating a USB stick holding the MDT boot media, and booting the computer from it. Once booted, the MDT boot media connects to the MDT server in Azure or AWS and starts the deployment.
Step 1 – Setting up the MDT Server and extending it with PSD
It's been a little while since we (a few deployment geeks from 2Pint Software and TrueSec) created the open source PSD extension, but it's quick to set up, and if you know MDT already you have a good head start.
Disclaimer: The PSD extension in its current state is experimental at best, and the docs are kind of in worse shape than the code, but it does extend MDT to allow for bare metal deployment via http/https, and supports driver injection and applications. Also, PSD currently only supports bare metal deployment scenarios with no domain join for deployments over the Internet.
Anyway, and again, for details of setting up MDT with the PSD extension, follow the guides in the PSD Documentation. Below are the high-level steps you need to do.
- Create a Windows Server 2016 or Windows Server 2019 VM in Azure/AWS. Pick a VM template with at least 2 CPUs, 4 GB RAM, and 200 GB disk. This VM is the MDT Server, and can either be a standalone workgroup VM, or part of a larger infrastructure in Azure/AWS.
- In the Azure/AWS firewall, open port 443 (https) inbound. And yes, http is also supported, but please use https for deployment over the Internet.
- Install MDT, Windows ADK and the WinPE Addon on the MDT Server.
- Download the PSD GitHub repository, and follow the installation guides in the PSD Documentation.
- Start with getting the PSD deployment share created using the steps in the PowerShell Deployment – Installation Guide document.
- Then enable HTTP or HTTPS (recommended) via the PowerShell Deployment – IIS Configuration Guide document.
- Optional – Configure the optional BranchCache (P2P) support by following the steps in the PowerShell Deployment – BranchCache Installation Guide document.
- Using the MDT Deployment Workbench, import an operating system, import some applications, drivers, and create a task sequence using one of the PSD templates.
Note: Unlike the normal MDT behavior, for PSD, after importing drivers to the Deployment Workbench, you need to run the New-PSDDriverPackage.ps1 script to generate the compressed driver packages used by PSD.
Step 2 – Creating the boot media
Once the MDT server setup is done, you need to create a USB stick and send it to the location where machines should be deployed. Or even better, have the staff/user at the location just download the boot image ISO and create the USB stick themselves via tools like Rufus or plain PowerShell.
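As an added example of the "plain PowerShell" route (this script is not part of the original post or of the PSD project), the following writes the MDT/PSD boot ISO to a USB stick from an elevated PowerShell session on Windows 10/11. The ISO path and disk number are placeholders you supply; the script refuses to wipe anything that is not a USB-attached disk, which is the check you want in a script that calls Clear-Disk.

```powershell
# Added example (not from the original post): build a bootable USB stick from the PSD/MDT boot ISO.
# Run elevated. $IsoPath and $DiskNumber are placeholders; find the stick's number with Get-Disk.
param(
    [Parameter(Mandatory)] [string] $IsoPath,     # e.g. C:\PSD\Boot\PSD_x64.iso (placeholder)
    [Parameter(Mandatory)] [int]    $DiskNumber   # the USB stick, as listed by Get-Disk
)

$disk = Get-Disk -Number $DiskNumber

# Safety check: only ever erase a USB-attached disk, never a fixed/system disk.
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber is bus type '$($disk.BusType)', not USB. Refusing to wipe it."
}
# Windows' Format-Volume cannot create FAT32 volumes larger than 32 GB, and FAT32 is
# what UEFI firmware expects on the boot stick, so reject oversized media up front.
if ($disk.Size -gt 32GB) {
    throw "Disk $DiskNumber is larger than 32 GB; use a smaller stick (FAT32 limit)."
}

Write-Host ("About to ERASE disk {0}: {1}, {2} GB" -f $DiskNumber, $disk.FriendlyName, [math]::Round($disk.Size / 1GB))
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

# Wipe and recreate: one active FAT32 partition on an MBR disk boots on both UEFI and legacy BIOS.
Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
$part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -IsActive -AssignDriveLetter
$vol  = Format-Volume -Partition $part -FileSystem FAT32 -NewFileSystemLabel 'PSDBOOT' -Confirm:$false
$target = "$($vol.DriveLetter):\"

# Mount the ISO, copy everything (boot loaders, EFI folder, sources\boot.wim) onto the stick, unmount.
$image = Mount-DiskImage -ImagePath $IsoPath -PassThru
$isoLetter = ($image | Get-Volume).DriveLetter
try {
    Copy-Item -Path "$($isoLetter):\*" -Destination $target -Recurse -Force
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}

Write-Host "Boot media written to $target"
```

Usage: `.\New-PsdBootUsb.ps1 -IsoPath C:\PSD\Boot\PSD_x64.iso -DiskNumber 2` (script name and values are placeholders). Two caveats: FAT32 also caps individual files at 4 GB, so keep the WinPE boot.wim lean, and whoever builds the stick decides what the target machine boots and which server it talks to, so distribute the ISO together with its hash and have the person at the site verify it before writing the stick.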
Going Fancy #1 – Booting via Wireless
While WinPE does not support wireless by default, limited support can be added with some creativity 🙂 See this post by Brooks Peppin: https://brookspeppin.com/2019/06/06/enable-full-wifi-support-in-winpe-for-dell-systems-in-mdt/
Going Fancy #2 – Adding Internet PXE and P2P Support
It's a shameless plug for sure (since I work there), but via solutions from 2Pint Software you can extend the MDT/PSD platform with an Internet-based PXE server (not free), as well as P2P support via BranchCache (free).
Having central PXE support simplifies updates and downloads of the MDT boot image, and adding support for BranchCache reduces the network impact if you are deploying a few machines at the same location. Basically only one client needs to download the image, and it can then share that image with the others at that location.
The PSD open source extension for MDT was developed by the following people:
- Michael Niehaus
- Mikael Nystrom
- Johan Arwidmark
- Andreas Hammarskjold
- Steve Campbell
- Jordan Benzing