Moving away from Golden Images: A dynamic, Zero-Touch Windows Deployment approach


tekdt (New Member, joined Apr 30, 2026):
I’ve spent a lot of time in the home lab (and at work) wrestling with the "standard" way we handle Windows deployments. We’ve all been there: maintaining WIM files, keeping driver injection scripts updated, and the endless cycle of "re-capturing" images every time a new Windows build drops.

I started wondering if we could flip the script. Instead of optimizing the image, why not optimize the engine?


I’ve been developing something I call SEZOY. It’s a lightweight, zero-touch deployment engine that basically aims to make the "USB stick and manual setup" workflow extinct.

The core philosophy:


  • Zero Image Maintenance: It uses clean, untouched Windows ISOs. No pre-capturing, no bloated WIMs.
  • Runtime Logic: Everything happens in WinPE at runtime. It detects the hardware, loads the necessary storage/RAID drivers dynamically, and handles the setup on the fly.
  • Network-First: I’ve focused heavily on PXE and HTTP Boot. In supported environments, I’ve even managed to get it running HTTP Boot over Wi-Fi (needs firmware support), which has been a game changer for deployment in spots where I can't drop a copper line.
The goal was to create a hardware-agnostic system that doesn't care if I'm deploying to an old Optiplex or a modern NVMe-based workstation. It just boots, connects, and finishes the job without me touching the keyboard.


I'm curious how the STH crowd is handling mass deployments these days? Are you still sticking with MDT/WDS, or have you moved toward more dynamic, network-based provisioning?


I’m looking for some feedback from people who deal with mixed hardware environments. If anyone wants to take it for a spin and see how it handles your specific setup, let me know and I’ll be happy to share the details!

Note: TekDT BMC Pro was renamed to SEZOY. Read the documentation at https://tekdt.xyz/en/docs

tekdt (New Member, joined Apr 30, 2026):
To see how far this idea could be pushed, I recorded a raw demo of the process.
The video focuses on one of the more extreme scenarios — not because it’s the most common, but because it’s where the system is most likely to break.
In the demo:
  • A deployment server is started in a few simple steps (select network interface, choose a standard Windows 11 ISO, start)
  • The system automatically brings up both wired services and a temporary Wi-Fi access point
  • A client machine boots using HTTP Boot and connects through the wireless network
  • It enters a stock WinPE environment, where the network connection initially drops as expected
  • The system then re-establishes connectivity inside WinPE, reconnects to the server, and continues the deployment process
  • Required storage drivers (RST/RAID) are loaded dynamically, and the installation proceeds automatically
This wireless scenario is not something every system supports, and it’s definitely not the most stable path.
But it turned out to be a useful way to stress-test the entire pipeline — because if the process can recover and continue under those conditions, the more conventional paths (PXE and wired HTTP Boot) become much more predictable.
 
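The runtime driver selection that the first post's "Runtime Logic" bullet and the demo's RST/RAID step describe, as an added example that is not SEZOY's code: given the hardware IDs a storage controller exposes in WinPE and a catalog of driver packages with the IDs their INFs declare, it picks the most specific match (the same ranking rule Windows PnP applies) and emits the drvload commands a WinPE stage would run. The device IDs, the catalog, the subsystem values and the INF paths are all constructed.

```python
"""Selecting a storage driver at runtime from the hardware IDs a device exposes.

Added example, not SEZOY's code. Device IDs, the driver catalog and the INF
paths below are constructed; only the hardware-ID grammar and the drvload
command are real WinPE facts.
"""
import re
from dataclasses import dataclass

# PnP hardware ID for a PCI device: vendor and device are mandatory, subsystem
# and revision are optional. Windows lists a device's IDs most specific first.
PCI_ID_RE = re.compile(
    r"^PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})"
    r"(?:&SUBSYS_([0-9A-F]{8}))?(?:&REV_([0-9A-F]{2}))?$"
)


@dataclass(frozen=True)
class DriverPackage:
    name: str
    inf_path: str            # assumed location in the driver store the engine carries
    hardware_ids: frozenset  # IDs the INF's [Models] section declares, upper-cased


def specificity(hwid: str) -> int:
    """0 = VEN+DEV, 1 = +REV, 2 = +SUBSYS, 3 = +SUBSYS+REV.
    Mirrors the PnP rule that a more specific ID match outranks a generic one."""
    m = PCI_ID_RE.match(hwid.upper())
    if m is None:
        raise ValueError(f"not a PCI hardware ID: {hwid!r}")
    _, _, subsys, rev = m.groups()
    return (2 if subsys else 0) + (1 if rev else 0)


def select_driver(device_hwids, catalog):
    """Return (package, matched_id) for the most specific match across the
    catalog, or None when no package declares any of the device's IDs."""
    best = None
    for pkg in catalog:
        for hwid in device_hwids:
            h = hwid.upper()
            if h in pkg.hardware_ids:
                rank = specificity(h)
                if best is None or rank > best[0]:
                    best = (rank, pkg, h)
                break  # IDs are ordered most specific first, so this is the package's best
    return None if best is None else (best[1], best[2])


def plan_drvload(devices, catalog):
    """devices: {device_name: [hardware ids]}. Returns (commands, unmatched):
    one 'drvload <inf>' per distinct package (drvload is the WinPE tool that
    loads a driver into the running session) plus the devices nothing covers."""
    commands, seen, unmatched = [], set(), []
    for name, hwids in devices.items():
        hit = select_driver(hwids, catalog)
        if hit is None:
            unmatched.append(name)
            continue
        pkg, _ = hit
        if pkg.inf_path not in seen:
            seen.add(pkg.inf_path)
            commands.append(f"drvload {pkg.inf_path}")
    return commands, unmatched


# Constructed catalog: a generic RST package and an OEM build that declares a
# subsystem-specific ID. Names, IDs and paths are illustrative only.
CATALOG = [
    DriverPackage("rst-generic", r"X:\drivers\rst\iaStorVD.inf",
                  frozenset({r"PCI\VEN_8086&DEV_2822", r"PCI\VEN_8086&DEV_282A"})),
    DriverPackage("rst-oem", r"X:\drivers\rst-oem\iaStorVD.inf",
                  frozenset({r"PCI\VEN_8086&DEV_2822&SUBSYS_12341028"})),
]

# Constructed device list in the order Windows reports the IDs (what the
# HardwareID property of Win32_PnPEntity returns for each device in WinPE).
DEVICES = {
    "RAID controller": [
        r"PCI\VEN_8086&DEV_2822&SUBSYS_12341028&REV_01",
        r"PCI\VEN_8086&DEV_2822&SUBSYS_12341028",
        r"PCI\VEN_8086&DEV_2822&REV_01",
        r"PCI\VEN_8086&DEV_2822",
    ],
    "Unknown NVMe bridge": [r"PCI\VEN_1234&DEV_5678&REV_00", r"PCI\VEN_1234&DEV_5678"],
}

if __name__ == "__main__":
    cmds, missing = plan_drvload(DEVICES, CATALOG)
    print("\n".join(cmds))
    print("no driver for:", missing)
```

The point of ranking by specificity is that an OEM package which names the exact subsystem wins over the generic one without the catalog having to be hand-ordered, and a device nothing covers is reported instead of silently skipped, which is the failure the demo is probing. Because drvload puts a driver into the running WinPE kernel, the catalog the engine reads over the network should be served from a read-only, authenticated location: the driver store, not the Windows ISO, is the part of this design that decides what code runs on the client.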

Phence (Active Member, joined May 16, 2024):
This is a great idea, I think just the name needs to be simpler. I won't remember it and it is clear why BMC, or Pro. Is there a standard version?

I know I'm picking on the icing on the cake, but it's really important if it takes off.
 

tekdt (New Member, joined Apr 30, 2026):
> This is a great idea, I think just the name needs to be simpler. I won't remember it and it is clear why BMC, or Pro. Is there a standard version?
>
> I know I'm picking on the icing on the cake, but it's really important if it takes off.
I’ve thought about renaming it a few times, but I was worried people might forget it since it’s still so new and hasn’t really stuck yet.

There’s a standard open-source version available at that GitHub link, which only supports basic USB boot creation. The network deployment features I’m talking about are only available in the current version from this post.

Thanks for noticing those small details though. I’ll definitely rename it, since there’s already a tech company with a similar name, and I’d rather avoid any unnecessary legal issues.
 

kapone (Well-Known Member, joined May 23, 2015):
> I'm curious how the STH crowd is handling mass deployments these days? Are you still sticking with MDT/WDS, or have you moved toward more dynamic, network-based provisioning?
I don't do much of Windows these days (for reasons we all are pretty well aware of), but Linux auto provisioning is easy.

- I run a self-hosted Netboot.xyz with a dedicated VLAN for provisioning. Netboot.xyz handles the TFTP/HTTP part of delivering the boot loader and iPXE.
- The switches are set up to use that VLAN as the access/dual-mode port and then allow whatever other traffic is supposed to flow on the ports.
- My dnsmasq is set for PXE booting and to point to the netboot installation as part of the DHCP offer, and handles the differentiation between BIOS/UEFI, and pointing to the right boot loader.
- There's another nginx instance set up that delivers the auto install files for Linux installations.
- netboot.xyz runs a few (heavily) customized iPXE files that deliver the right auto install files based on my inventory (which lives in source control) using hostnames and MAC IDs.
- Local mirror for the distributions that I'm using. Everything is on my network, nothing gets downloaded from the web.

Essentially, when I need to provision a machine:
- I create the config in my inventory/version control it,
- it gets picked up by Ansible that powers on the machine using IPMI, sets the boot to PXE for the first run
- The installation runs, configures the machine, network, storage links, IDs, ssh keys, node exporters etc etc, with a few reboots in the middle. The whole process takes ~5 minutes or so.
- The newly provisioned machine shows up on my observability dashboards and is ready to rock and roll.

I think the devil is in setting up the base infrastructure, scripting, maintaining inventory of IDs/MAC addresses etc. The actual provisioning is a piece of cake.
 
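The two per-client decisions in the pipeline kapone describes above (which boot loader the DHCP offer names depending on BIOS or UEFI, and which auto-install files a host gets by looking its MAC up in a version-controlled inventory), as an added example that is not kapone's code and not netboot.xyz's: the first function does what his dnsmasq rule does, keyed on the DHCP option 93 client-architecture value that dnsmasq exposes as option:client-arch; the second renders the per-host iPXE script his customized iPXE files produce. The inventory, the mirror and autoinstall URLs, the boot-file layout and the kernel arguments are all constructed.

```python
"""Inventory-driven PXE boot loader selection and iPXE script generation.

Added example, not kapone's or netboot.xyz's code. Everything below except
the DHCP client-architecture codes and the iPXE command names is constructed.
"""
import re

# DHCP option 93 (client system architecture) codes from RFC 4578 and the IANA
# registry; dnsmasq matches them with "dhcp-match=set:<tag>,option:client-arch,<n>".
BIOS_X86 = 0
EFI_IA32 = 6
EFI_BC = 7        # EFI byte code: what most x64 UEFI firmware actually sends
EFI_X86_64 = 9
EFI_ARM64 = 11

# Assumed file names on the TFTP root (iPXE ships binaries under these names).
ARCH_TO_BOOTFILE = {
    BIOS_X86: "undionly.kpxe",
    EFI_IA32: "ipxe32.efi",
    EFI_BC: "ipxe.efi",
    EFI_X86_64: "ipxe.efi",
    EFI_ARM64: "ipxe-arm64.efi",
}

# Constructed inventory, keyed by canonical MAC. In the setup described in the
# post this lives in source control; here it is inline so the script runs offline.
INVENTORY = {
    "52:54:00:aa:bb:01": {"hostname": "node01", "distro": "ubuntu-24.04"},
    "52:54:00:aa:bb:02": {"hostname": "node02", "distro": "ubuntu-24.04"},
}

MIRROR = "http://mirror.lab.internal"            # assumed local distro mirror
AUTOINSTALL = "http://autoinstall.lab.internal"  # assumed nginx serving autoinstall files

MAC_DIGITS = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form. Accepts 52:54:00:aa:bb:01, 52-54-00-AA-BB-01
    and 5254.00aa.bb01; rejects anything that is not 12 hex digits after the
    separators are stripped, so a malformed value can never match an inventory entry."""
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not MAC_DIGITS.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def select_bootfile(client_arch: int) -> str:
    """First stage: the boot loader the DHCP offer should name for this client.
    Unknown architecture codes fall back to the BIOS loader, which a UEFI
    client simply refuses, so a wrong guess fails at the firmware and nowhere else."""
    return ARCH_TO_BOOTFILE.get(client_arch, ARCH_TO_BOOTFILE[BIOS_X86])


def render_ipxe(raw_mac: str) -> str:
    """Second stage: iPXE has chained to a URL carrying ${mac:hexhyp}. Known hosts
    get kernel, initrd and their own autoinstall directory; unknown hosts are told
    to exit, which returns to the firmware and its next boot device (local disk)."""
    mac = normalize_mac(raw_mac)
    host = INVENTORY.get(mac)
    if host is None:
        return "\n".join([
            "#!ipxe",
            f"echo {mac} is not in the inventory, not provisioning",
            "sleep 5",
            "exit",
        ]) + "\n"
    base = f"{MIRROR}/{host['distro']}"
    seed = f"{AUTOINSTALL}/{host['hostname']}/"  # directory holding user-data and meta-data
    # Kernel arguments are illustrative for an Ubuntu autoinstall; adjust per distro.
    return "\n".join([
        "#!ipxe",
        f"echo Provisioning {host['hostname']} ({mac})",
        f"kernel {base}/vmlinuz initrd=initrd ip=dhcp autoinstall ds=nocloud-net;s={seed}",
        f"initrd {base}/initrd",
        "boot",
    ]) + "\n"


if __name__ == "__main__":
    print(select_bootfile(EFI_BC))
    print(render_ipxe("52-54-00-AA-BB-01"))
    print(render_ipxe("52:54:00:aa:bb:ff"))
```

Two details matter more than the rest. A MAC is an identifier, not a credential, so the script treats an unknown one as "do nothing" rather than "install a default"; the real access control in this design is the dedicated provisioning VLAN the post describes, since anything that can reach that VLAN and present a listed MAC gets a fresh install. And because an inventory entry for a machine that is already in service means its disk is wiped on the next PXE boot, keeping that inventory in source control, as kapone does, is what makes every reprovision a reviewable change rather than a surprise.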

tekdt (New Member, joined Apr 30, 2026):
> I don't do much of Windows these days (for reasons we all are pretty well aware of), but Linux auto provisioning is easy.
>
> - I run a self-hosted Netboot.xyz with a dedicated VLAN for provisioning. Netboot.xyz handles the TFTP/HTTP part of delivering the boot loader and iPXE.
> - The switches are set up to use that VLAN as the access/dual-mode port and then allow whatever other traffic is supposed to flow on the ports.
> - My dnsmasq is set for PXE booting and to point to the netboot installation as part of the DHCP offer, and handles the differentiation between BIOS/UEFI, and pointing to the right boot loader.
> - There's another nginx instance set up that delivers the auto install files for Linux installations.
> - netboot.xyz runs a few (heavily) customized iPXE files that deliver the right auto install files based on my inventory (which lives in source control) using hostnames and MAC IDs.
> - Local mirror for the distributions that I'm using. Everything is on my network, nothing gets downloaded from the web.
>
> Essentially, when I need to provision a machine:
> - I create the config in my inventory/version control it,
> - it gets picked up by Ansible that powers on the machine using IPMI, sets the boot to PXE for the first run
> - The installation runs, configures the machine, network, storage links, IDs, ssh keys, node exporters etc etc, with a few reboots in the middle. The whole process takes ~5 minutes or so.
> - The newly provisioned machine shows up on my observability dashboards and is ready to rock and roll.
>
> I think the devil is in setting up the base infrastructure, scripting, maintaining inventory of IDs/MAC addresses etc. The actual provisioning is a piece of cake.
You are truly an expert in this field, and your solution is genuinely impressive. I’m also working on adapting my program to support Linux booting as well (I have a Linux-based hardware diagnostic module, though not for automated deployment like Windows).

What you’re doing right now is extremely complex and requires very deep experience to set up properly. I’m taking a simpler approach—for both myself and other users—so my interface is highly minimalistic, intentionally hiding much of the complexity to avoid discouraging users :). I’m also focusing on portability and compatibility, so that any Windows 10/11 64-bit machine can instantly become a server without requiring complicated configuration or advanced knowledge.

At the same time, we share a similar vision regarding offline capability. I’ve designed my program to run entirely offline—once the ISO files or driver packages are prepared during the initial run, no further internet connection is required from the second run onward.

Currently, I’m struggling with getting Linux to boot over HTTP Boot via wireless (running into an overlay issue), and I haven’t been able to overcome it for over two weeks now. Although I can reconnect to the server during stage 1 of the Linux boot process to fetch the necessary files and construct a virtual disk—essentially tricking Linux into booting from RAM—the problem is that once HTTP Boot over wireless hands off to the Linux kernel, the Wi-Fi connection is completely lost. This forces me to prepare everything in advance before the handoff.

However, the Stage 1 environment is extremely limited—using BusyBox with very minimal debugging capabilities. I can’t even write logs to a USB device due to missing libraries, so for debugging, I’ve had to resort to taking photos of the screen with my phone just to analyze where things go wrong.

Based on what you’ve described, your approach is excellent, and I’ll definitely learn from some of your ideas and try to apply them to my project.

Thank you for providing such a high-quality and insightful response.
 

kapone (Well-Known Member, joined May 23, 2015):
> What you’re doing right now is extremely complex and requires very deep experience to set up properly. I
It does, but it's a necessary evil. If you're managing a fleet of machines, then...manual provisioning is just painful, and the complexity is worth it. On the other hand, if you only have a machine or two, there's no need for provisioning at all, the complexity is just not worth it.

> Currently, I’m struggling with getting Linux to boot over HTTP Boot via wireless
I'm not even sure why you're doing this. Who does auto provisioning over wireless?? :) If the intent is to auto provision/configure a laptop...the standard "enterprisey" way is to plug in an ethernet cable... :) provision it with everything, and then it can run wired or wireless.

> once HTTP Boot over wireless hands off to the Linux kernel, the Wi-Fi connection is completely lost
Exactly. PXE and wireless don't really play well together, the NIC firmware in these wireless cards is pretty much trash. Once the Linux squashfs loads (into RAM), it gets its initial settings from...PXE/iPXE that did the handoff. I can't recall any mechanism in the kernel cmdline to connect to an SSID/WPA etc during the initramfs phase.
 

tekdt (New Member, joined Apr 30, 2026):
> It does, but it's a necessary evil. If you're managing a fleet of machines, then...manual provisioning is just painful, and the complexity is worth it. On the other hand, if you only have a machine or two, there's no need for provisioning at all, the complexity is just not worth it.
At the moment, I’m only focusing on running within a local network (with the possibility of expanding a bit further in the future), so IP assignment is entirely handled by the existing DHCP infrastructure at the workplace. Only when booting over Wi-Fi do I need to build a dedicated DHCP management module via a Wi-Fi hotspot.

> I'm not even sure why you're doing this. Who does auto provisioning over wireless?? :) If the intent is to auto provision/configure a laptop...the standard "enterprisey" way is to plug in an ethernet cable... :) provision it with everything, and then it can run wired or wireless.
Because my job is in quality control at a computer motherboard repair workshop, I’ve noticed that some Dell models support HTTP Boot (both wireless and wired). Even though Wi-Fi connections are slower, I want to fully leverage these capabilities. And as you said, up to now I haven’t really seen anyone “crazy” enough to go this route :) Maybe I just want to challenge myself—and I’ve managed to do that.
In my working environment, as well as in the technical landscape in Vietnam, there aren’t many dedicated system administrators. Most people just need something portable and as simple as possible to carry out deployments. That’s exactly why my goal is strongly oriented toward portability.


> Exactly. PXE and wireless don't really play well together, the NIC firmware in these wireless cards is pretty much trash. Once the Linux squashfs loads (into RAM), it gets its initial settings from...PXE/iPXE that did the handoff. I can't recall any mechanism in the kernel cmdline to connect to an SSID/WPA etc during the initramfs phase.
As you know, when the bootloader hands control over to the OS kernel, all connections are dropped—the kernel has no awareness that the machine was previously connected to a Wi-Fi network (this applies to both Microsoft Windows and Linux). Therefore, it’s necessary to prepare certain components in advance to reinitialize connectivity, so the system can reconnect to the server and establish a path to larger files such as the Windows install.wim or Linux system.squashfs. From there, the installation can proceed onto the disk, or additional drivers (like Intel Rapid Storage Technology drivers, for example) can be loaded during the setup process.
 

kapone (Well-Known Member, joined May 23, 2015):
> In my working environment, as well as in the technical landscape in Vietnam, there aren’t many dedicated system administrators.
There aren't dedicated system admins anywhere..:) They went the way of the dodo when "cloud" became the buzzword. I'm not a sysadmin, I don't want to be a sysadmin, but...I run a business, and it's all on-prem, because "cloud" would be...well...multitudes more expensive. Like 20x to 40x more expensive. To give you an idea of scale..

Two racks worth of hardware, ~28 machines at present, ~2PB in storage with a 56gb backbone network. And that's just my home/basement, this is the secondary site, the primary site is in a DC in Ashburn, VA.

I don't have a choice but to be a sysadmin (among other things). :)
 

tekdt (New Member, joined Apr 30, 2026):
> There aren't dedicated system admins anywhere..:) They went the way of the dodo when "cloud" became the buzzword. I'm not a sysadmin, I don't want to be a sysadmin, but...I run a business, and it's all on-prem, because "cloud" would be...well...multitudes more expensive. Like 20x to 40x more expensive. To give you an idea of scale..
>
> Two racks worth of hardware, ~28 machines at present, ~2PB in storage with a 56gb backbone network. And that's just my home/basement, this is the secondary site, the primary site is in a DC in Ashburn, VA.
>
> I don't have a choice but to be a sysadmin (among other things). :)
Wow, that’s truly impressive. I honestly didn’t expect to have the chance to talk with a business owner who has such deep knowledge and has effectively turned themselves into a real SysAdmin to run their own company.

If you hadn’t set up and managed the system like this yourself, your business would probably have had to spend a significant amount on specialized network infrastructure.

May I ask what industry your business operates in?
 

tekdt (New Member, joined Apr 30, 2026):
> Financial/Capital markets. Stocks, Bonds, Futures, Options, Derivatives...
Based on the fields you’re operating in, as well as the system you’ve built, your company must be quite large to have the motivation and depth of expertise to develop something like this.
 

kapone (Well-Known Member, joined May 23, 2015):
> Based on the fields you’re operating in, as well as the system you’ve built, your company must be quite large to have the motivation and depth of expertise to develop something like this.
Actually no. What I do is...very compute and storage intensive. I'm consuming the entire market feed on all US exchanges...in realtime. And then running computations on it...on thousands of instruments. And then storing the "outcomes" and then..distributing them... and then... :)

All this requires a lot of hardware, but not necessarily a lot of people. I certainly could hire people to do it...but why? Automation (especially in the current age of AI) is key to lowering costs, if you're running a business. Hell, Claude Code can churn out a full automation script based on my needs, in like a minute or two.
 

tekdt (New Member, joined Apr 30, 2026):
> Actually no. What I do is...very compute and storage intensive. I'm consuming the entire market feed on all US exchanges...in realtime. And then running computations on it...on thousands of instruments. And then storing the "outcomes" and then..distributing them... and then... :)
>
> All this requires a lot of hardware, but not necessarily a lot of people. I certainly could hire people to do it...but why? Automation (especially in the current age of AI) is key to lowering costs, if you're running a business. Hell, Claude Code can churn out a full automation script based on my needs, in like a minute or two.
In that case, you must have a very strong grasp of the domestic financial market, and your knowledge must be incredibly broad to cover so many different fields. You’ve likely leveraged the full power and advantages of modern technology in your work.
 

SnJ9MX (Active Member, joined Jul 18, 2019):
> Actually no. What I do is...very compute and storage intensive. I'm consuming the entire market feed on all US exchanges...in realtime. And then running computations on it...on thousands of instruments. And then storing the "outcomes" and then..distributing them... and then... :)
>
> All this requires a lot of hardware, but not necessarily a lot of people. I certainly could hire people to do it...but why? Automation (especially in the current age of AI) is key to lowering costs, if you're running a business. Hell, Claude Code can churn out a full automation script based on my needs, in like a minute or two.
I lurked EliteTrader back in the day far more than any teenager should've... worked for NinjaTrader during college, etc. Came to terms that I'd never be a good trader years ago. But let Claude loose on some ideas last week. Total game changer. Exploring some structural things and/or things that can be done somewhat consistently. Always liked your replies/ideas/input to threads here - had no idea it was for trading!