How to do an unattended install of Windows 10 via PXE with UEFI SecureBoot enabled

A few months ago, a subscriber to The Sizzle that runs a computer shop in Papua New Guinea selling refurbished laptops to local businesses, asked me for help sourcing laptops because their usual supply chain dried up due to COVID-19. I love bargain hunting so said I can grab some laptops locally off Gumtree and Facebook and send them to PNG. I'll clean them up, install Windows 10 Pro and add a few bucks margin on each one. The first shipment sold quickly so my new PNG based friend asked for more.

When it came time to install Windows 10 on this latest batch, I thought it would be a good opportunity to move on from using USB flash drives containing Windows 10 made with the Media Creation Tool like a bloody caveman and get all fancy and shit with a PXE server that kicks off a complete unattended install. It's what the cool kids do and I want to be cool. Here's what I want to achieve:

  • Install Windows 10 Professional
  • UEFI & SecureBoot enabled
  • Unattended install
  • Keep the Out Of Box Experience

First step is getting a Windows 10 ISO and preparing it for deployment. If you visit Microsoft's Windows 10 download website on a Mac or Linux computer (or set your browser to fake being a Mac/Linux machine) it has a direct download link.

I don't need anything special like drivers or a slim install for this deployment, so what Microsoft refers to as an "Unattended Install" will do me fine. You add stuff to an XML file that the Windows installer looks at and accepts as input to the questions the installer asks. This way you don't have to sit there and click "next", enter a serial, partition the disk, choose a language etc:


You can use an unattended install file to complete the entire install and drop you directly into the Windows desktop, but because these computers are gonna end up in random people's hands, I want to keep what Microsoft refers to as the Out of Box Experience (aka OOBE). OOBE is the bit of the Windows Install where Cortana starts shouting at you and you create a user account, enable OneDrive and so on.

Because I'm getting paid for this job and really couldn't be stuffed figuring out the unattended install file syntax, I plonked down A$74 for a copy of NTLite. Not only does it make unattended install stuff easier, it also lets me integrate the latest Windows updates (handy for PNG as internet access there isn't that shit hot). NTLite's full feature list is pretty amazing and might come in handy for me one day, so it's worth $74 to support the developer. Here's the unattended install settings I used:

The serial listed (VK7JG-NPHTM-C97JM-9MPGT-3V66T) is actually a generic serial that is used when your copy of Windows is activated via the hardware in your computer instead of a unique serial - I don't know how it works, but it does. Don't quote me on this either, but if your devices come with Windows 10 from the factory I think you can use the value "[KEY]" and the Windows installer will grab the serial from the computer's BIOS.

I chucked the ISO onto a USB stick (Ventoy kicks arse for this - dump a bunch of ISOs onto a USB drive and it gives you a menu to select the ISO you want to boot from, very handy) and tested it out on a PC. To my surprise it worked perfectly the first time. I'm suspicious, but hey, don't look a gift horse in the mouth.

Now to serve my unattended ISO up over the network! My gut reaction was to use a Linux box of some sort (probably a Raspberry Pi as I've got 2 of them sitting idle right now) as a PXE, TFTP & DHCP server, but after a bit of research I discovered this won't work for my needs due to SecureBoot.

SecureBoot is a feature on pretty much all modern laptops that prevents the booting of an operating system unless that operating system's boot loader has an "acceptable digital signature" (i.e: verified by Microsoft). It's designed to prevent malware fucking with a boot loader and making itself persistent on a machine even if you re-install the OS. Some nerds turn it off because it gets in the way of installing different operating systems on their computer, but I like to make sure it's enabled as for most people SecureBoot is useful layer of protection from dodgy malware and it also means BitLocker (Windows native full disk encryption) works seamlessly. This is a good video explaining what the go is with SecureBoot:

Unfortunately many PXE bootloaders haven't gone through the signing process with Microsoft, so they don't work on when trying to PXE boot a computer with SecureBoot enabled. iPXE, the core of stuff like the FOG Project and for example isn't SecureBoot compatible. US$500 every three years is a bit much for most open source projects. During my research I read some stuff about using Ubuntu/CentOS bootloaders instead (which are SecureBoot signed) and then launching the Windows installer from there but I lost the forum thread and didn't pay much attention because those yaks looked way too big to shave for little old me.

The only two options I could find for PXE booting that are SecureBoot compatible are Microsoft's Windows Deployment Services (WDS) and Serva Pro.

Most people doing this in a business scenario would just use WDS as they probably already have a computer running Windows Server somewhere on their premises. I could have downloaded the 180-day trial of Windows Server 2019 but I wanted a solution I could use sporadically (maybe only a few times a year) without having to set it up from scratch every time. Because the Windows Server licence is only a trial, I'd have to set it up again every time the trial expires - or pay for a licence for $609.

That leaves ServaPro, an app that runs on basically any version of Windows and acts as a full stack solution for PXE booting basically anything you can think of. It hasn't been updated since 2018 and costs A$114, but I took the plunge anyways. The good news is that Serva Pro is fantastic and well worth the $114!

I installed it on an old laptop running Windows 7 I had lying around (see my Brother scanner antics for why I still have a Win7 machine at home), following a mix of the official documentation and this random dude's blog post - thank you random dude! Here's some screenshots of my config:



The only gotcha here is to set the BINL BM-Mode (whatever the fuck that is) to 3, as that makes Serva push out the SecureBoot enabled bootloader instead of the default one. I didn't use proxyDHCP because I these were going on their own totally separate network to my home network.

Everything worked perfectly except for one catch - this prompt for a username and password so Serva's Windows PE thingy that kicks off the Windows install process knows which shared folder to suck the files down from. It's easy to type the username and password, but I wanted to plug the laptop in, turn it on, tell it to PXE boot, walk away and return with a completed Windows install.

Luckily all you have to do is create a file called Unattend.ini in the WIA_WDS directory that contains the share's username and password even if you make the share totally anonymous, it will still come up with a prompt you'll need to press Enter on to continue - so using the ini file is the only way for a proper unattended install. The ini file syntax is located in ServaReadme.txt.

I ended up spending almost $200 on software to do this when if it wasn't for SecureBoot, I could have used a simple Linux solution but hey, it was worth it to get the job done right. Technically I can image hundreds of laptops at once, but I came up against a physical limit of 6 laptops at once as that's all I could fit on a table. Next time I'll get a bigger table and use both sides of the table with all the cables and shit running down the middle and try do 16 or more simultaneously.