
Summary

Image Deployment is a WinPE-based Windows deployment toolkit supporting both USB and network boot scenarios. It provides an interactive menu for deploying FFU or WIM images, with Autopilot registration and multi-tenant support.

Based on Powers-Hell's module https://github.com/tabs-not-spaces/Intune.USB.Creator, this is an advanced version with:

  • FFU and WIM image deployment
  • WinRE (Windows Recovery Environment) with WiFi support as an alternative to WinPE (USB only)
  • Network boot ISO deployment via mapped network share (wired Ethernet only)
  • Autopilot v1 (hash-based) registration via Microsoft Graph
  • Multi-tenant configuration for MSP/enterprise scenarios
  • Automatic driver detection by manufacturer and model


Deployment Methods

USB Deployment (Publish-ImageToUSB.ps1)

Creates a bootable USB drive. Supports WinPE (wired) or WinRE (WiFi + wired). All deployment data (images, scripts, drivers) lives on the USB drive.

Network Boot (Publish-ImageToNET.ps1)

Creates a bootable WinPE ISO. When booted (ISO or PXE), connects to a network share and runs deployment from there. Wired Ethernet only — no WiFi support.


Main Scripts

Script                             Description
Publish-ImageToUSB.ps1             Builds deployment share and writes to USB
Publish-ImageToNET.ps1             Builds WinPE boot ISO for network deployment
_DOWNLOAD\SCRIPT_USB\Main.ps1      USB boot menu — detects USB drive, handles WiFi fallback
_DOWNLOAD\SCRIPT_NET\Main.ps1      Network boot menu — receives mapped drive, wired only
_DOWNLOAD\SCRIPT\deploy-ffu.ps1    Interactive FFU image deployment
_DOWNLOAD\SCRIPT\deploy-wim.ps1    Interactive WIM image deployment
_DOWNLOAD\SCRIPT\Autopilot-v1.ps1  Extracts hardware hash and registers device via Microsoft Graph

Script Folder Structure

Folder                 Contents                                            Used By
_DOWNLOAD\SCRIPT\      Shared scripts (deploy-ffu, deploy-wim, Autopilot)  Both USB and Network
_DOWNLOAD\SCRIPT_USB\  USB-specific scripts (Main.ps1)                     USB only
_DOWNLOAD\SCRIPT_NET\  Network-specific scripts (Main.ps1)                 Network only

Both publish scripts copy SCRIPT\* first, then the platform-specific folder on top — files in SCRIPT_USB or SCRIPT_NET override the shared version.


Pre-Requisites

Core:

  • PowerShell 7
  • Windows ADK + WinPE add-on
  • A copy of PCPKsp.dll from C:\Windows\System32 on a Windows 10/11 machine (place in _DOWNLOAD\WINPEFILES_USB\Windows\System32\)
  • oa3tool.exe from Windows ADK Deployment Tools (place in _DOWNLOAD\SCRIPT\):
    .\adksetup.exe /installpath C:\temp\adk /features OptionId.DeploymentTools /quiet
    # Copy from: C:\Temp\adk\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30\oa3tool.exe
    

For USB WinRE (WiFi support):

  • No extra tools — WinRE is extracted from the Windows ISO
  • WiFi drivers are automatically included from install.wim

For Network Boot:

  • A network share accessible from WinPE boot environment
  • Configure share path in _GLOBAL_PARAM\GLOBAL_PARAM_NET.json

For Autopilot Registration:

  • Entra ID Enterprise App with:
    • DeviceManagementServiceConfig.ReadWrite.All permission
    • Admin consent granted
    • Client secret added to config JSON

USB Deployment

Quick Start

# 1. Build deployment share (once)
.\Publish-ImageToUSB.ps1 -createDataFolder

# 2. Write to USB sticks (repeat as needed)
.\Publish-ImageToUSB.ps1

With WinRE + WiFi

# Build with WinRE (extracts from Windows ISO, includes WiFi drivers)
.\Publish-ImageToUSB.ps1 -createDataFolder -useWinRE

# Write USB sticks (WiFi configured automatically each time)
.\Publish-ImageToUSB.ps1

Force Rebuild

.\Publish-ImageToUSB.ps1 -createDataFolder -force
.\Publish-ImageToUSB.ps1 -createDataFolder -useWinRE -force

All commands require Administrator privileges.

Configuration — _GLOBAL_PARAM\GLOBAL_PARAM_USB.json

Copy GLOBAL_PARAM_USB.json.example to GLOBAL_PARAM_USB.json and fill in your settings:

{
  "iudwelcomebanner": "Base64 encoded ASCII art banner",
  "windowsIsoPath": "C:\\ISO\\Windows11.iso",
  "imageIndex": 6,
  "iucversion": 1.0,
  "wifinetworks": [
    {
      "ssid": "YourNetwork",
      "password": "YourPassword",
      "security": "WPA2PSK"
    }
  ],
  "tenants": [
    {
      "name": "Tenant1",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "clientId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "clientSecret": "your-client-secret",
      "groupTagPrefix": "T1-WIN-AP",
      "defaultDomain": "@tenant1.org"
    }
  ]
}

Parameters:

  • windowsIsoPath — Path to Windows 11 ISO
  • imageIndex — Windows edition index (e.g. 1=Home, 4=Pro, 6=Enterprise). Omit to be prompted.
  • iudwelcomebanner — Custom ASCII art banner (base64 encoded). Use https://www.asciiart.eu/text-to-ascii-art then encode.
  • wifinetworks — Array of WiFi networks for WinRE deployments. Multiple networks supported; WinPE connects to whichever is available.
  • tenants — Autopilot tenant configurations (multi-tenant MSP support)

USB Drive Label

The USB drive must be labeled Deploy. The WinPE boot environment searches for this volume label at startup.

WinPE Files

Files in _DOWNLOAD\WINPEFILES_USB\ are injected into the WinPE boot image during build:

File                           Purpose
Windows\System32\start.ps1     WinPE initialization — finds USB drive, loads drivers, launches Main.ps1
Windows\System32\startnet.cmd  Entry point called by WinPE, runs wpeinit then start.ps1
Windows\System32\winpe.jpg     Custom WinPE background image
Windows\System32\PCPKsp.dll    Required for Autopilot hash extraction in WinPE

Build Output — _DATA\

_DATA\
  WinPE\          Boot files written to the FAT32 partition of the USB
  Scripts\        Deploy scripts + pwsh 7 written to the NTFS data partition
  Images\         install.wim (extracted from ISO)
  FFU\            Place FFU images here
  Drivers\        Computer model drivers (organized by Manufacturer\Model)
  Unattend\       Optional unattend.xml and computer naming files
  IUC-log.json   Build metadata (deployment type, versions, cache hashes)

Deployment Share Metadata — _DATA\IUC-log.json

{
  "installdate": "2026-04-14T10:00:00",
  "scriptversion": 1.0,
  "imageindex": 6,
  "deploymentType": "WinPE",
  "isosize": 7754645504,
  "wimsize": 6875518816,
  "winversion": "Windows 11 Enterprise",
  "pwshversion": "v7.5.0",
  "pwshid": 12345678
}

Network Boot Deployment

Quick Start

# 1. Configure _GLOBAL_PARAM\GLOBAL_PARAM_NET.json
# 2. Build WinPE ISO and prepare network share folder (once)
.\Publish-ImageToNET.ps1 -createDataFolder

# 3. Copy network share folder to your server
#    _DATA_NET\NetworkShare\* → \\server\deployshare\

# 4. Boot clients from the ISO (or serve via PXE)

Force Rebuild

.\Publish-ImageToNET.ps1 -createDataFolder -force

Recreate ISO Only (without rebuilding WinPE)

.\Publish-ImageToNET.ps1

Custom ISO Output Path

.\Publish-ImageToNET.ps1 -isoOutput "D:\ISOs\Deploy.iso"

All commands require Administrator privileges.

Configuration — _GLOBAL_PARAM\GLOBAL_PARAM_NET.json

Copy GLOBAL_PARAM_NET.json.example to GLOBAL_PARAM_NET.json:

{
  "iucversion": 1.0,
  "networkSharePath": "\\\\server\\deployshare",
  "networkDriveLetter": "N",
  "networkUser": "",
  "networkPassword": "",
  "tenants": [
    {
      "name": "Tenant1",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "clientId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
      "clientSecret": "your-client-secret",
      "groupTagPrefix": "T1-WIN-AP",
      "defaultDomain": "@tenant1.org"
    }
  ]
}

Parameters:

  • networkSharePath — UNC path to your deployment share (e.g. \\server\deployshare)
  • networkDriveLetter — Single drive letter to map (e.g. N)
  • networkUser — Domain user for share auth (leave blank for domain/anonymous)
  • networkPassword — Password for share auth (leave blank for domain/anonymous)

The network share path and credentials are embedded directly into the WinPE boot image at build time.
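
A pre-build check for GLOBAL_PARAM_USB.json and GLOBAL_PARAM_NET.json, as an added example that is not part of the toolkit: it flags sample values left in place and reports which cleartext secrets a file carries (presence only, never the value), including the network password that ends up in the boot image. The function name `Test-DeployConfig`, its rules (such as requiring networkUser and networkPassword to be set together) and the sample values are assumptions; the field names are those of the samples above.

```powershell
# Added example, not toolkit code; function name, rules and sample values are assumptions.
function Test-DeployConfig {
    param([Parameter(Mandatory)][string]$Path)
    $cfg  = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $guid = [guid]::Empty
    $f    = [System.Collections.Generic.List[string]]::new()
    foreach ($t in $cfg.tenants) {
        foreach ($field in 'tenantId', 'clientId') {
            if (-not [guid]::TryParse([string]$t.$field, [ref]$guid)) {
                $f.Add("ERROR  tenant '$($t.name)': $field is not a GUID (sample value left in?)")
            }
        }
        if ([string]$t.clientSecret -in '', 'your-client-secret') {
            $f.Add("ERROR  tenant '$($t.name)': clientSecret is empty or the sample value")
        } else {   # report presence only, never the value
            $f.Add("SECRET tenant '$($t.name)': clientSecret is stored in cleartext")
        }
    }
    foreach ($w in $cfg.wifinetworks) {
        if ([string]$w.password -in '', 'YourPassword') {
            $f.Add("ERROR  wifi '$($w.ssid)': password is empty or the sample value")
        } else {
            $f.Add("SECRET wifi '$($w.ssid)': pre-shared key is stored in cleartext")
        }
    }
    if ($null -ne $cfg.networkSharePath) {   # key only present in GLOBAL_PARAM_NET.json
        if ($cfg.networkSharePath -notmatch '^\\\\[^\\]+\\[^\\]+') {
            $f.Add('ERROR  networkSharePath is not a \\server\share UNC path')
        }
        if ($cfg.networkDriveLetter -notmatch '^[A-Za-z]$') { $f.Add('ERROR  networkDriveLetter must be a single letter') }
        if ([bool]$cfg.networkUser -ne [bool]$cfg.networkPassword) {
            $f.Add('ERROR  set both networkUser and networkPassword, or neither')
        }
        if ($cfg.networkPassword) { $f.Add('SECRET networkPassword is embedded in the WinPE image at build time') }
    }
    return $f
}

# Constructed sample: sample values left in, user set without a password.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'GLOBAL_PARAM_NET.sample.json'
@'
{ "networkSharePath": "\\\\server\\deployshare", "networkDriveLetter": "NN",
  "networkUser": "CONTOSO\\svc-deploy", "networkPassword": "", "tenants": [ { "name": "Tenant1",
  "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "your-client-secret" } ] }
'@ | Set-Content -LiteralPath $sample
Test-DeployConfig -Path $sample
```

Run it against each config file before the matching publish script; the SECRET lines identify what to rotate if the config file or the boot image leaks.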

Network Boot Flow

  1. Client boots from ISO (or PXE serving the ISO)
  2. startnet.cmd runs wpeinit (initialises network adapters) then start.ps1
  3. start.ps1 waits for a wired Ethernet adapter to come up
  4. Maps N: (or configured letter) to the network share
  5. Loads WinPE drivers from N:\Drivers\WinPE\<Manufacturer>\<Model>\
  6. Launches N:\Scripts\Main.ps1 via pwsh.exe from the share

WinPE Files

Files in _DOWNLOAD\WINPEFILES_NET\ are injected into the WinPE boot image:

File                           Purpose
Windows\System32\start.ps1     Maps network share and launches Main.ps1
Windows\System32\startnet.cmd  Entry point — runs wpeinit then start.ps1

Network Share Layout

After running -createDataFolder, copy _DATA_NET\NetworkShare\ to your share root:

\\server\deployshare\
  Scripts\            Main.ps1, deploy-ffu.ps1, deploy-wim.ps1, Autopilot-v1.ps1
    pwsh\             PowerShell 7 portable (downloaded during build)
  FFU\                Place FFU images here
  WIM\                Place WIM images here
  Drivers\            Computer model drivers
    WinPE\            WinPE NIC/storage drivers (loaded before Main.ps1)
  unattend\           Optional unattend.xml and naming files
  logs\               Created automatically during deployment

Build Output — _DATA_NET\

_DATA_NET\
  WinPE\            WinPE boot files → becomes the ISO content
  NetworkShare\     Copy this entire folder to your network share root
  IUC-log.json     Build metadata

Deployment Scripts (Shared)

deploy-ffu.ps1

Interactive FFU deployment. At boot it:

  1. Scans the deployment share for *.ffu files
  2. Displays system info dashboard and image selection menu
  3. Detects matching drivers by Manufacturer\Model folder
  4. Checks for unattend.xml and computer naming files
  5. Confirms plan before writing — no data is written until confirmed
  6. Applies FFU image, injects drivers, applies unattend

deploy-wim.ps1

Same interactive flow as FFU but deploys *.wim images.

Autopilot-v1.ps1

Extracts the hardware hash using oa3tool.exe and uploads to Microsoft Intune via Graph API. Supports multi-tenant selection at runtime.


Drivers

Computer Model Drivers (OS Drivers)

Place in Drivers\<Manufacturer>\<Model>\ on the USB data partition or network share. Supports .inf folders, ZIP archives, and WIM files.

Manufacturer  Download
Dell          https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment
HP            https://hpia.hpcloud.hp.com/downloads/driverpackcatalog/HP_Driverpack_Matrix_x64.html
Lenovo        https://support.lenovo.com/us/en/solutions/ht074984

WinPE Drivers (NIC / Storage)

Place in Drivers\WinPE\<Manufacturer>\<Model>\ — loaded by start.ps1 before launching Main.ps1.

Manufacturer  Download
Dell          https://www.dell.com/support/kbdoc/en-us/000107478/dell-command-deploy-winpe-driver-packs
HP            https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HP_WinPE_DriverPack.html
Lenovo        https://support.lenovo.com/us/en/solutions/ht074984

Optional

Language Packs and Optional Features

Copy the needed CABs to _DATA\Packages:

https://learn.microsoft.com/en-us/azure/virtual-desktop/windows-11-language-packs

Custom Welcome Banner

Use https://www.asciiart.eu/text-to-ascii-art to generate ASCII art, then base64 encode it and add to iudwelcomebanner in GLOBAL_PARAM_USB.json.


Troubleshooting

Force Rebuild (clear cache)

.\Publish-ImageToUSB.ps1 -createDataFolder -force
.\Publish-ImageToNET.ps1 -createDataFolder -force

USB Not Found at Boot

  • Ensure the USB drive is labeled Deploy (case-sensitive)
  • Check _DOWNLOAD\WINPEFILES_USB\ contains start.ps1 and startnet.cmd

Network Share Not Mapping at Boot

  • Confirm the client has a wired Ethernet connection before booting
  • Verify networkSharePath in GLOBAL_PARAM_NET.json is reachable from WinPE
  • If using credentials, test with net use manually from WinPE (Shift+F10)
  • Check WinPE NIC drivers are in Drivers\WinPE\<Manufacturer>\<Model>\ on the share

WiFi Not Connecting (USB WinRE)

  1. Verify wifinetworks array in GLOBAL_PARAM_USB.json
  2. Confirm deployment was built with -useWinRE
  3. Check deployment type: run .\Publish-ImageToUSB.ps1 and verify it shows Deployment Type: WinRE
  4. Export profile from a connected machine if using non-standard security (key=clear writes the WiFi key into the exported XML in plain text):
    netsh wlan export profile name="YourNetwork" key=clear folder=C:\Temp
    
  5. Test manually in WinRE (Shift+F10):
    net start wlansvc
    netsh wlan show networks
    netsh wlan connect name=YourSSID
    

Smart Caching (USB)

The USB build caches files to speed up rebuilds:

  • install.wim — reused if ISO path and image index are unchanged
  • WinRE.wim — reused if install.wim size and date are unchanged
  • Use -force to bypass all caching