2

Over the next few months I will have the need to image Windows laptops with our customized Windows image. Normally WDS is fantastic for this, but these laptops (30-60 at a time) could pop up anywhere in the world, with little notice, and only last a few months. Right now I have a heavily customized install.wim on a flash drive that, when you boot to it, auto-images computers. This works for now, but I'm up to my ears in flash drives and it is impossible to keep them updated after I send them out. I foresee 12 different versions out there by year's end. Now, here's my idea...

A public-facing, password-protected file share, holding the normal Windows install files. Have a script mount the share as a drive, and start the unattended install. Running Windows setup from a local network share worked fine in my tests. I know this will be far slower than our current solution, but I feel the ability to update the image when needed outweighs the extra time it takes. Plus, now we are limited by bandwidth instead of by the number of flash drives we have.

I wanted to know your ideas and opinions: is this crazy and never going to work? Is there a better way? How would you implement this?

Geostude

1 Answer

3

It's not completely crazy. This is a bit near and dear to my heart, because prior to WDS I used a cobbled-together PXE-based Windows imaging system which sounds eerily similar to what you describe.

I am wary of using SMB over the Internet, partially for security reasons, but more because I worry about reliability.

  • In my cobbled-together system I cached the WIM locally, in a separate hidden partition, after retrieving it via HTTP. (I also used udpcast for distribution, besides HTTP, but that's not really appropriate for anything besides a LAN.)

  • In my cobbled-together system I used a Win32 version of wget to pull down the WIM, which allowed the download to continue if it was interrupted. In your scenario I would use HTTPS, within which using basic authentication would be reasonably secure. Authentication of the server certificate would give a degree of trust that the image hosting server wasn't being impersonated.

  • You could host the WIM with HTTP on a commodity CDN, rather than with HTTPS. That would get you more bandwidth. As an alternative to basic authentication (since many CDNs don't support authentication or HTTPS) you could encrypt the WIM with something like GPG (probably pulling it from STDOUT on wget into STDIN in GPG before dumping it on disk).

  • If you're going to update images I'd consider using something like xdelta to publish "diffs" of the image such that you wouldn't need to re-download the entire updated image when re-imaging a client (if, presumably, you cache the WIM locally).

Since you've already gotten the hang of deploying a WIM "manually" I think you'd have no trouble pulling this off.

Evan Anderson
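The HTTPS option from the answer above (basic authentication, server certificate verification, and a download that continues after an interruption), written out in Python to show what a resuming client has to get right. This is an added example, not code from the answer or from wget; the host name, credentials, environment variable and function names are assumptions.

```python
import base64
import os
import ssl
import urllib.request

def build_request(url, user, password, offset=0):
    """Authenticated GET for the image; asks only for the bytes still missing."""
    if not url.lower().startswith("https://"):
        # Basic auth is only base64; never send it over an unencrypted link.
        raise ValueError("refusing to send basic-auth credentials without HTTPS")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    if offset > 0:
        req.add_header("Range", f"bytes={offset}-")
    return req

def store_body(status, chunks, part_path):
    """Write a response body to the partial file; returns its size afterwards."""
    # 206: the server honoured Range, so append. 200: it ignored Range and is
    # sending the whole image again; appending would corrupt it, so start over.
    if status not in (200, 206):
        raise IOError(f"unexpected HTTP status {status}")
    with open(part_path, "ab" if status == 206 else "wb") as out:
        for chunk in chunks:
            out.write(chunk)
    return os.path.getsize(part_path)

def fetch_image(url, dest, user, password, cafile=None):
    """Download (or resume) the WIM at url into dest over verified HTTPS."""
    part = dest + ".part"
    offset = os.path.getsize(part) if os.path.exists(part) else 0
    req = build_request(url, user, password, offset)
    # create_default_context() checks the certificate chain and the host name;
    # cafile can point at a private CA instead of the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        size = store_body(resp.status, iter(lambda: resp.read(1 << 20), b""), part)
    os.replace(part, dest)  # dest only ever holds a completely downloaded image
    return size

if __name__ == "__main__":
    # Hypothetical host and credentials, for illustration only.
    fetch_image("https://images.example.invalid/install.wim", "install.wim",
                "deploy", os.environ.get("IMAGE_PASSWORD", ""))
```

If the connection drops mid-transfer, the `.part` file keeps what was received and the next call to `fetch_image` requests only the remainder.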