In Cloud OS Deployment, Part 1, you learned how to run MDT task sequences via Microsoft Intune for Computer Refresh and Inplace Upgrade / Windows 10 Servicing scenarios. In this part you learn how to do bare metal deployments over the Internet (HTTP/HTTPS), with or without any other corporate infrastructure.
Update September 25, 2022: This post has been updated to reflect changes in PSD 0.2.2.8 or later.
TL;DR
By setting up a VM in Azure/AWS, installing Windows ADK and MDT on it, extending MDT with the open source PowerShell Deployment (PSD) extension, and booting from WinPE, you can do bare metal deployments over the Internet.
The Cloud OSD Challenge – Starting the deployment
While setting up a VM in Azure or AWS with MDT and PSD is fairly straightforward (simply follow the PSD setup guide), the challenge is how to actually start the deployment without any local infrastructure. Using native Microsoft technologies, you are currently more or less limited to creating a USB stick holding the MDT boot media and booting the computer from it. Once booted, the MDT boot media will connect to the MDT server in Azure or AWS and start the deployment.
Step 1 – Setting up the MDT Server and Extend it with PSD
Extending MDT with PSD is quick to set up, and if you know MDT already you have a good head start in terms of requirements for OSD.
Disclaimer: The PSD extension for MDT is a community solution and does not currently support every scenario that MDT supports. PSD currently only supports bare metal deployment scenarios with no domain join for deployments over Internet (but will join the domain if you're running the PSD server on your network, or if the client has line-of-sight to a domain controller).
Anyway, and again, for details of setting up MDT with the PSD extension, follow the guides in the PSD Documentation. Below are the high-level steps you need to do.
- Create a Windows Server 2016/2019/2022 VM in Azure/AWS. Pick a VM template with at least 2 CPUs, 4 GB RAM, and 200 GB disk. This VM is the MDT Server, and can either be a standalone workgroup VM, or part of a larger infrastructure in Azure/AWS.
- In the Azure/AWS firewall, open port 443 (https) inbound.
- Install MDT, Windows ADK and the WinPE Addon for Windows ADK on the MDT Server.
- Download the PSD GitHub repository, and follow the installation guides in the PSD Documentation.
  - Start with getting the PSD deployment share created using the steps in the PowerShell Deployment – Installation Guide document.
  - Then enable HTTP or HTTPS (recommended) via the PowerShell Deployment – IIS Configuration Guide document.
  - Optional – Configure the optional BranchCache (P2P) support by following the steps in the PowerShell Deployment – BranchCache Installation Guide document.
- Using the MDT Deployment Workbench, import an operating system, import some applications, drivers, and create a task sequence using one of the PSD templates.
Note: Unlike the normal MDT behavior, for PSD, after importing drivers to the Deployment Workbench, you need to run the New-PSDDriverPackage.ps1 script to generate the compressed driver packages used by PSD.



Step 2 – Creating the boot media
Once the MDT server setup is done, you need to create a USB stick and send it to the location where machines should be deployed. Or even better, have the staff/users at that location download the boot image ISO and create the USB stick themselves via tools like Rufus or plain PowerShell.
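When staff download the boot ISO and build the stick themselves, the ISO should be checked against a known hash before it is written to media. The following is an added example, not code from this post or from the PSD project; the ISO path, the expected hash placeholder, the disk number, the volume label and the 4 GB partition size are all assumptions.

```powershell
# Added example: verify the downloaded boot ISO, then write it to a USB stick.
# Run in an elevated PowerShell session. All three values below are assumptions.
$IsoPath        = 'C:\Temp\PSDBootMedia.iso'          # hypothetical download location
$ExpectedSha256 = '<SHA-256 published with the ISO>'  # placeholder, supplied out of band
$UsbDiskNumber  = 2   # confirm with: Get-Disk | Where-Object BusType -eq 'USB'

# 1. Refuse to build media from an ISO that does not match the published hash.
$actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "ISO hash mismatch. Expected $ExpectedSha256, got $actual."
}

# 2. Refuse to wipe anything that is not a USB disk.
$disk = Get-Disk -Number $UsbDiskNumber
if ($disk.BusType -ne 'USB') {
    throw "Disk $UsbDiskNumber is on bus '$($disk.BusType)', not USB. Aborting."
}

# 3. Wipe the stick and create one active FAT32 partition. FAT32 is what UEFI
#    firmware reads; the active flag is for BIOS boot. 4 GB is an assumed size:
#    enough for a WinPE image and below the FAT32 format limit.
if ($disk.PartitionStyle -ne 'RAW') {
    $disk | Clear-Disk -RemoveData -RemoveOEM -Confirm:$false
}
if ((Get-Disk -Number $UsbDiskNumber).PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $UsbDiskNumber -PartitionStyle MBR
}
$usb = New-Partition -DiskNumber $UsbDiskNumber -Size 4GB -IsActive -AssignDriveLetter |
    Format-Volume -FileSystem FAT32 -NewFileSystemLabel 'PSDBOOT'

# 4. Mount the ISO, copy its contents to the stick, and dismount again.
$iso = Mount-DiskImage -ImagePath $IsoPath -PassThru | Get-Volume
try {
    Copy-Item -Path "$($iso.DriveLetter):\*" -Destination "$($usb.DriveLetter):\" -Recurse -Force
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

Publish the expected hash through a channel other than the one that serves the ISO, so that a tampered download cannot carry its own matching hash.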
Going Fancy #1 – Booting via Wireless
While WinPE does not support wireless by default, limited support can be added with some creativity 🙂 See this post by Brooks Peppin: https://brookspeppin.com/2019/06/06/enable-full-wifi-support-in-winpe-for-dell-systems-in-mdt/
Going Fancy #2 – Adding Internet PXE and P2P Support
It's a shameless plug for sure (since I work there), but via solutions from 2Pint Software you can extend the MDT/PSD platform with an Internet-based PXE server (not free), as well as P2P support via BranchCache (free).
Having central PXE support simplifies updates and downloads of the MDT boot image and adding support for BranchCache reduces the network impact if you are deploying a few machines at the same location. Basically, only one client needs to download the image, and then it can share that image with others in that location.
PSD Credits
The PSD open-source extension for MDT was developed with help from the following people:
- Mikael Nystrom (@mikael_nystrom)
- Johan Arwidmark (@jarwidmark)
- Michael Niehaus (@mniehaus)
- Steve Campbell (@SoupAtWork)
- Jordan Benzing (@JordanTheItGuy)
- Andreas Hammarskjold (@AndHammarskjold)
- Richard "Dick" Tracy (@rick2_1979)
- George Simos (@GSimos)
- Elias Markelius (@emarkelis)
Not sure if this is even possible so wanted to ask the question before the descent to madness. I am currently looking at whether or not the PSD boot wim can be used as recovery media on the local drive, so the user could choose to boot into Windows normally, or launch the Litetouch boot media to rebuild their machine. The devices are not on the LAN, so PXE is out, and most of the devices do not support HTTP boot so looking at creating a dual boot to Litetouch that will wipe the primary Windows partition and reinstall by…
Hi Ben, I've seen MDT recovery solutions that stage the boot image in the recovery partition, and use that to re-deploy the device (without deleting the partitioning table / recovery partition). Basically, a computer refresh.
So, it's doable, but expect several days of work (at least) to get it going. Our team can probably help out, but then we are talking about some sort of support/consulting engagement.
After configuring the IIS as per the steps you mentioned.
The deployment share in the Litetouch ISO is still trying to access the UNC path.
Because of which, the internet deployment is not working.
Please suggest how to fix this?
Make sure bootstrap.ini is updated to reflect https://fqdn/virtualdirectory for the DeployRoot variable, for example mine is DeployRoot=https://mdt01.corp.viamonstra.com/mdtproduction. Then update the deployment share, and recreate any USB boot media, or update the boot media on your PXE server.
/ Johan
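Added example, not part of the original post or its comments and not PSD project code: a check that ties together the HTTPS recommendation in Step 1 and the DeployRoot advice in the reply above. It reads DeployRoot from Bootstrap.ini, rejects UNC and plain HTTP values, and confirms the server certificate validates. The deployment share path is an assumption.

```powershell
# Added example: confirm the boot media will use HTTPS and that the endpoint's
# certificate validates. Run from a machine OUTSIDE the corporate network.
$BootstrapPath = 'E:\PSDProduction\Control\Bootstrap.ini'  # assumed deployment share path

# Read the first DeployRoot= line (lines starting with ; are comments and do not match).
$line = Get-Content -Path $BootstrapPath |
    Where-Object { $_ -match '^\s*DeployRoot\s*=' } |
    Select-Object -First 1
if (-not $line) { throw "No DeployRoot entry found in $BootstrapPath." }
$deployRoot = ($line -split '=', 2)[1].Trim()

# A UNC value makes the boot media look for an SMB share instead of the web server.
if ($deployRoot.StartsWith('\\')) {
    throw "DeployRoot is a UNC path ($deployRoot). Use https://fqdn/virtualdirectory."
}
$uri = [uri]$deployRoot
if ($uri.Scheme -ne 'https') {
    throw "DeployRoot uses '$($uri.Scheme)'. Deployment traffic would cross the Internet unencrypted."
}

# TLS handshake with default validation: AuthenticateAsClient throws if the chain
# is untrusted, the certificate is expired, or the name does not match the host.
$tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($uri.Host)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    [pscustomobject]@{
        DeployRoot = $deployRoot
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Protocol   = $ssl.SslProtocol
    }
}
finally {
    $tcp.Dispose()
}
```

A certificate issued by a private CA passes this check only on machines that already trust that CA, so a pass on a domain-joined workstation does not guarantee a pass on the boot media.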
Hi Johan, I've downloaded OSDToolkit and created a folder: PSDResources\Plugins\OSDToolkit, but on the regular task MDT fails; it cannot find a file. Do you know what this folder structure should look like?
I'm also missing: Set-PSDBootImage2PintEnabled.log when regenerating the boot ISO.
Hi Rene, please contact me on LinkedIn, and I'll help you offline with this one. We've done a number of improvements in this area. We just didn't publish them publicly yet.
/ Johan
Hey Guys! I've been reading and been interested in that kind of solution for a very long time and good I've found it here. Everything is setup and deploying a TS with only OS looks good, but whenever I try to add Application it keeps failing with "Incorrect Function 00000001 Source Windows". I have also noticed that if I want to apply a provisioning package offline, which happens right after OS gets expanded, execution of the command fails with File cannot be found. What I noticed is that PSD stores files in MININT\Cache folder and looks like it gets cleaned…
Hi Radoslav,
We've had a few bugs in the script that install applications. Please reach out to me on LinkedIn, and I can follow-up offline with you ( https://www.linkedin.com/in/jarwidmark/ )
Johan – Please disregard my last two posts. My issue turned out to be that I had dynamic memory enabled for the Hyper-V VM I was using. Once I turned that off it worked great. Thanks for this series of articles and your contributions to PSD!!!
Johan – please disregard my last post. I pasted a screenshot in and it didn't work. I'm attaching the image so you can see the message I'm getting. I'm able to boot from the ISO in Hyper-V VM, but it gets stuck at "Checking for a valid network configuration". Thanks for creating this post!
Facing a similar issue now. Is it fixed for you? If yes, how?
After completing the setup instructions, from both here and the Brooks Peppin site, it looks like my PE environment is having an issue loading the PSD tools (ISO Boot Hyper-V Gen 1 Machine). I have tried with FQDN, IP, cert, no cert. Any advice or pointers would be much appreciated. Thanks in advance –
The most common reason for failure is using dynamic memory on the VM, or having less than 2 GB RAM assigned to it. Ping me on LinkedIn, and I can help you offline.
ah seen in part 3…sorry
No worries, comments that the blog visitor figures out on their own are the easiest to answer 🙂
Hello Johan, great article, would the same way or similar way ( create bootstick) also work for MECM Cloud management gateway/ dp or might there be a general issue ?
br thomas
I've set up PSD but it does not automatically load the new task sequence menu, I have to manually start the start.ps1 script from a command prompt and it does not complete the full task sequence, any ideas why?
Sorry for the very late reply, but this issue has been fixed in a later release.
[…] and enables remote re-imaging scenarios which are even more important in today's environment. Johan and Donna have great blogs on this so you should check those out. I'll just be adding more […]
The user state capture step is missing from the task sequence; because of this, user settings are not transferred when creating a new user.