Windows Provisioning made Easy!

Hello,
This work that you have done can really help my organization simplify our windows deployments. Thank you @UXabre

I was able to get all the way through the process however I am experiencing the same issue as a previous user. The provisioning template with the unattended.xml file will throw an error if I try to encode the Administrator password with base64 or base64-windows.

When I change the password to plain text, the system starts up with no issues. It is worth noting that I am testing this on Red Hat Satellite 6.6 and not Foreman. I am hoping that is not the cause of the issue.

1 Like

I had a similar issue in vSphere 6.7u2, make sure that you select 'LSI Logic SAS' as the SCSI controller in Foreman. My vm was boot looping because the virtual disk was not visible to the installer when I selected the paravirtual adapter. If you want to use the other SCSI controllers, you will need to load the drivers before installing.

3 Likes

thank you, that worked. For me it worked using base64 (Windows) for the password.
I am using foreman, installed through the foreman-installer.

But right now I am trying to get the Puppet installation working, because Puppet is not getting installed by default. It seems the extras folder with the Puppet installation files, as specified in the finish script, is not present after the installation. Perhaps the script needs to be changed to download the .msi files first, so that it is able to execute them.

1 Like

Hey @llxp,

That could be true; I've only gone as far as installing windows but I too have a use-case to copy other installers as well; I'll be working on that topic soon and update the scripts accordingly. My use-case, btw, is to install openssh for windows and install SSH keys for my Ansible roles to work.

Kind regards!

I haven't checked if Satellite already contains all the latest greatest patches (because there was a bug in the creation of windows base64-encoded passwords); so might be that this patch simply isn't in which would explain why it didn't work straight off the bat.

Thanks for sharing your solution on Satellite though!

Kind regards!
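The difference between the plain and the Windows-style Base64 password discussed in the posts above, as an added example that is not part of the thread or of Foreman's code. It follows the convention Windows SIM uses when it hides a password in unattend.xml; the function names are hypothetical and the sample password is constructed.

```ruby
# Added example. Convention Windows SIM uses for <PlainText>false</PlainText>:
#   Base64( UTF-16LE( password + name of the enclosing element ) )
# Function names here are hypothetical, not Foreman's API.

def encode_unattend_password(plain, element = 'AdministratorPassword')
  [(plain + element).encode('UTF-16LE').b].pack('m0')
end

# Plain Base64 of the UTF-8 password: no UTF-16LE, no element suffix.
def encode_plain_base64(plain)
  [plain.b].pack('m0')
end

# Tell which of the three forms a <Value> string is in.
# Caveat: a plaintext password that happens to be valid Base64 is reported
# as :plain_base64, so read the result together with <PlainText>.
def classify_unattend_value(value, element = 'AdministratorPassword')
  raw = value.strip.unpack1('m0')            # strict decode, raises on bad input
  return :plain_base64 if raw.bytesize.odd?  # UTF-16LE always has even length
  text = raw.force_encoding('UTF-16LE')
  return :plain_base64 unless text.valid_encoding?
  text.encode('UTF-8').end_with?(element) ? :windows_encoded : :plain_base64
rescue ArgumentError
  :not_base64
end

if __FILE__ == $PROGRAM_NAME
  pw = 'Pw1!' # constructed sample password
  [pw, encode_plain_base64(pw), encode_unattend_password(pw)].each do |v|
    puts "#{classify_unattend_value(v)}\t#{v}"
  end
end
```

The encoding is reversible by anyone who can read the file, so a rendered unattend.xml needs the same access control as one holding the password in plain text.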

In our environment with vSphere 6.7 and Microsoft DHCP, legacy(BIOS) provisioning works great with the PXELinux chain load.

I have been trying to get UEFI provisioning working but I'm stumped now. Here are all of the modifications I have made thus far:

  1. When creating the host, select "iPXE Chain UEFI" as the PXE Loader.

  2. The partition table needs to be set to gpt with efi: https://github.com/theforeman/community-templates/blob/develop/partition_tables_templates/windows_default_gpt_efi.erb

  3. In order for iPXE to boot with UEFI, I had to compile an ipxe.efi binary embedded with an iPXE script that points to foreman:

    #!ipxe
    dhcp
    chain http://FOREMAN.KATELLO.URL:8000/unattended/iPXE?mac=${netX/mac} || shell
    exit 0
    

The script will drop into an iPXE shell if the chain command does not work. This script needs to be embedded into an efi binary so here is what I did:

    git clone http://git.ipxe.org/ipxe.git
    cd ipxe/src
    vim script.ipxe   # This contains the iPXE script above
    make bin-x86_64-efi/ipxe.efi EMBED=script.ipxe
    scp bin-x86_64-efi/ipxe.efi FOREMAN.KATELLO.URL:/var/lib/tftpboot/
    # Then on foreman:
    restorecon -RvF /var/lib/tftpboot

After copying the new binary to foreman, I create a host and I get all the way to the winpe shell where I am met with the following sad message:

I am stumped now because iPXE seems to grab all of the files but peSetup.cmd is missing in the winpe shell. I added a step in the iPXE template to check all of the files loaded into initrd and they are all present:

I was able to run wget64.exe http://FOREMAN.KATELLO.URL:8000/unattended/script?token=foobar -O peSetup.cmd followed by .\peSetup.cmd which ran through the install process ending with a UEFI bootable windows vm.

If anyone has any ideas on why the setup script is not being copied to the windowspe shell please let me know!

I had added UEFI support to the WIMan templates in this PR. Sadly the repo got archived before it could be merged.
Please see the changes and modify accordingly.

2 Likes

The templates got merged into core, so you can do the same there: https://github.com/theforeman/foreman/tree/develop/app/views/unattended

Hi, This is good stuff, I am a Unix guy and using foreman for all Linux builds and want to utilize it for windows as well, but I would like to understand the workflow,

so for Linux using PXE it downloads kickstart bootfile and that points to kickstart file which then configures yum repositories and installation starts…

How it works for windows … So WinPE will be downloaded via TFTP and XML template will be copied to do the configurations, but how packages are getting installed … what's size of winPE, is that enough ? what should be used to install other things as post install … Do we have any workflow diagram ?

Hi @Unix_SA,

At this point there is no dedicated windows flowchart yet but I can make this.
The (compatible) flow is as follows:

  1. PXE starts iPXE (because we need HTTP support, this can be skipped if you're running in another PXE environment which supports HTTP)
  2. iPXE fetches wimboot, winPE.cmd (downloaded over http and injected into winpe image, this script is just a Foreman script-template), bootmgr, … and last but not least, the actual winpe image (generated via WIMan). It finishes with starting wimboot which loads the winPE image
  3. Once WinPE has booted, it will execute the winpe.cmd script that was injected which does a whole heap of things, but basically: fetches updates & drivers from your dedicated HTTP server, fetches the actual windows image (which CAN also be created using wiman, but it doesn't yet allow pre-installation of tools/programs etc, at this point there are apps which do a far better job at bootstrapping).
  4. after this, foreman gets notified that the build is done, however, windows still needs a fair amount to actually boot the first time around.

At this point it gets "muddy" as there is no single route to rome, you could for instance, inject a runonce script in windows which installs apps or configures some additional stuff (the finish script, this is already used to set-up things like WinRM (which is kinda like SSH but nothing like it)).

What we do, is configure some ansible roles which configure the system as this gives us a lot of freedom (we have a very wide array of systems that we need to set-up).

1 Like

Hi @UXabre
Thanks for the detailed description.
now with iPXE Chain BIOS, I'm able to load the install.wim and it's written to disk.
somehow… the unattended.xml fails (see screenshot)


And it throws the error…
I have no idea what could be wrong, since the WSIM accepts the xml file without problems and everything seems to be correct (no blanks at the end of strings etc)
I checked the dism.log file but there is nothing I can get out of it. Was not able to extract it from the VM

Can you give me a hint please where I possibly can find the root of the error? I tried most of the solutions i found above and somewhere else.

Hi @Elektromane,

Great to hear that you got a bit further down the line!
Perhaps, if you're willing, can you send me the dism log in PM?
If you want I can also check out your unattend.xml but keep in mind that this contains your administrator password (so change the password to something that you would never use in the wild) as well as your product key (I advise to change all the letters to xxxxx but only the letters).
If I find anything, I'll share it here, in plain sight, for future references.

Kind regards!
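One way to apply the advice above before attaching an unattend.xml to a public thread, as an added example that is not part of the original post: password values are replaced and only the letters of the product key are masked. The function name, the element list and the sample document (including its key and passwords) are constructed for illustration.

```ruby
# Added example: mask the secrets in an unattend.xml before sharing it.
# Regex-based on purpose so it also works on a half-rendered template;
# the element names covered are an assumption, extend them for your file.
VALUE_PARENTS = 'AdministratorPassword|Password'

def redact_unattend(xml)
  # 1. <AdministratorPassword>/<Password> with a <Value> child (plain or encoded).
  out = xml.gsub(%r{(<(?:#{VALUE_PARENTS})>\s*<Value>).*?(</Value>)}m,
                 '\1REDACTED\2')
  # 2. <Password> holding text directly, as in domain-join <Credentials>.
  out = out.gsub(%r{(<Password>)[^<]+(</Password>)}, '\1REDACTED\2')
  # 3. Product keys: mask letters only, keep digits and dashes.
  out.gsub(%r{(<(?:ProductKey|Key)>)([^<]+)(</(?:ProductKey|Key)>)}) do
    m = Regexp.last_match # capture before the inner gsub overwrites it
    "#{m[1]}#{m[2].gsub(/[A-Za-z]/, 'X')}#{m[3]}"
  end
end

# Constructed sample, not taken from the thread.
SAMPLE_UNATTEND = <<~'XML'
  <unattend xmlns="urn:schemas-microsoft-com:unattend">
    <ProductKey><Key>AB1CD-2EFGH-34IJK-LMN5O-PQRS6</Key></ProductKey>
    <AdministratorPassword>
      <Value>UAB3ADEAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBQAGEAcwBzAHcAbwByAGQA</Value>
      <PlainText>false</PlainText>
    </AdministratorPassword>
    <Credentials><Password>JoinSecret1</Password></Credentials>
  </unattend>
XML

puts redact_unattend(SAMPLE_UNATTEND) if __FILE__ == $PROGRAM_NAME
```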

Thanks for your Reply… took me a while but now I could extract the dism.logfile
they are all KMS keys and random PW, so no worry.
unattended_test.log (7.4 KB)
dism.log (84.9 KB)

In addition… I thought this would be a 'LSI Logic SAS' Problem because of the drivers with VMWare, but the same happens on a laptop or normal PC now.
I'm totally stuck now, since I cannot read anything useful out of the dism.log :man_shrugging:

fetching files in pxelinux over http is only supported since syslinux 5.10 and with lpxelinux.0

fetch all needed files with:
    wget https://mirrors.edge.kernel.org/pub/linux/utils/boot/syslinux/Testing/6.04/syslinux-6.04-pre1.tar.xz
    tar -xf syslinux-6.04-pre1.tar.xz
    cp syslinux-6.04-pre1/bios/com32/elflink/ldlinux/ldlinux.c32 syslinux-6.04-pre1/bios/com32/lib/libcom32.c32 syslinux-6.04-pre1/bios/com32/libutil/libutil.c32 syslinux-6.04-pre1/bios/com32/menu/menu.c32 syslinux-6.04-pre1/bios/com32/modules/linux.c32 /var/lib/tftpboot/
    cp syslinux-6.04-pre1/bios/core/lpxelinux.0 /var/lib/tftpboot/pxelinux.0
    rm -r syslinux-6.04-pre1/
    rm syslinux-6.04-pre1.tar.xz

Hi, big fan of this setup. One thing with Puppet that I'm sort of puzzled with.

Puppet is installed in windows_default_finish. After foreman has already been told the host has been built. Therefore foreman removes the autosign entry, causing a failure on Puppet's 1st run where it requests certificates.

Installing puppet and doing the 1st run in windows_default_script seems more appropriate. Any reason why this isn't done?

Thanks

Has anyone tested this tutorial on KVM?
I have followed this tutorial and done some troubleshooting, but failed and am stuck on the step below.

Thanks before

Hi @odhub,

I'd start by installing the latest version of PXELinux (version >v6); which is BTW the only one supported for windows installations. I'm guessing this is where things went wrong as I see the version currently used is v4.

Also, good to know perhaps, is that you, in case of KVM, don't need to chainload iPXE per se as KVM already uses iPXE.

Good luck and let me know how it went

A great post, thank you. Could you please share how you are handling the post install steps? For example, creating a computer account in Active Directory for the new machine, joining the server to Active Directory Domain, installing software, like backup tool and Anti virus etc ?

I've started to write documentation in the git repo
please extend it if you find something missing

For post install tasks, create a new provisioning template in foreman with type user script. This then can be assigned to the operating system. The script is parsed as powershell. For install tasks I find https://chocolatey.org/ quite handy