Windows Workstation Deployer for Offline Environment
Builds a deployer LXC which can be taken to an offline environment and used to deploy Windows workstations from a sysprepped golden image. Uses Proxmox for the workflow.
Getting Started
Before running the setup you will need:
- Proxmox cluster/node with SSH access (the setup will ask for credentials)
- Windows Server 2025 - WinPE builder VM (Windows Server) with ADK/WinPE tooling and WinRM access.
- You will need to manually build and setup Windows Server 2025 somewhere in your environment and record the credentials
- Need to build out the Windows Server identity host / domain controller too? The sibling project Configure-WindowsIdentityServices automates that buildout (AD DS, DNS, DHCP, time, GPO baseline, optional PKI) from a single YAML file. It is standalone and not part of this deployer’s workflow.
- Golden image VM (Source VM)
- This is a running version of your Windows client from which you want to build a golden image. It must have WinRM enabled!
- Controller
- This is the thing from which the Ansible will run. You’ll pull your code down onto the controller and it will then orchestrate everything. Doesn’t matter where or what it is as long as it has IP connectivity to Proxmox, Windows Server, the Golden Image VM, and it’s running Ubuntu.
- Intel RST/NVMe driver package pre-cached on the controller for first run:
- Put Intel-RST-7WNN0.exe in artifacts/drivers/ before running the pipeline.
- Download URL: Intel Rapid Storage Technology Driver and Application 7WNN0 (Dell)
- You must manually download this. Dell blocks automation against this website.
FOR A FULL OFFLINE TEST
- If you want to run a full offline test you will additionally need:
- Proxmox configured with a separate bridge not connected to the internet
- a Domain Controller
- An administrator workstation joined to the domain with a domain-valid user that has permissions to do things like add computers to the domain
This project builds for you:
- Deployer LXC on Proxmox (PXE, iPXE, DHCP/TFTP/HTTP/SMB services).
- This is the LXC container that will ultimately get tar’d up and you can go anywhere with it and deploy N workstations.
- WinPE boot artifacts and published deployment artifacts.
- All the things you need to build and boot Windows
- Target workstation VM(s) booted over PXE and installed from deploy.wim.
- At the end, the code will do a test against a secureboot-enabled, UEFI, Proxmox VM from Deployer LXC just to make sure everything is working
Before you start make sure you have the Windows Server box, the golden image VM, and what will become your controller, up and running.
Quickstart
Clone repository
On your controller:
git clone https://github.com/grantcurell/projects.git
cd projects/"Windows Workstation Deployer for Offline Environments"
Run setup wizard
./setup
Follow the instructions and at the end it will kick off the deployment.
If you want to rerun the setup, follow the instructions in Manually run full pipeline without using setup
Manually run full pipeline without using setup
./scripts/run-full-deploy.sh
Expected artifacts
Controller artifacts/ should contain:
- boot.wim
- bootmgr
- boot/BCD
- boot/boot.sdi
- efi/microsoft/boot/BCD
- efi/boot/bootx64.efi
- winpe_capture.iso
- vzdump-lxc-<deployer-vmid>-*.tar.zst
deploy.wim is kept on deployer LXC at /srv/deploy/images/deploy.wim.
Offline Restore and Use
When you are ready to export the deployer LXC container and bring it to an offline environment, you have two options: the guided field script (recommended) or the manual pct steps.
Option 1 (recommended): guided field deployment script
Carry the exported tarball (artifacts/vzdump-lxc-<deployer-vmid>-*.tar.zst) and scripts/offline-deploy-deployer.sh to a machine on the offline network that can reach the offline Proxmox host, then run:
./scripts/offline-deploy-deployer.sh
Follow the prompts.
Requires sshpass, jq, and an SSH client on the machine running the script. After the Bash script finishes, run the offline setup TUI (the Bash script will tell you what to do).
Option 2: fully manual restore
- Copy the exported deployer backup from controller:
artifacts/vzdump-lxc-<deployer-vmid>-*.tar.zst
- Put that file onto the offline Proxmox host (example destination):
/var/lib/vz/dump/
- Restore as an LXC on offline Proxmox:
pct restore <new-vmid> /var/lib/vz/dump/vzdump-lxc-<deployer-vmid>-<timestamp>.tar.zst --storage <target-storage>
- Configure offline network settings on the restored container:
pct set <new-vmid> --hostname <offline-deployer-hostname>
pct set <new-vmid> --net0 name=eth0,bridge=<offline-bridge>,ip=<offline-ip>/<prefix>,gw=<offline-gateway>
- Start container and verify core services:
pct start <new-vmid>
pct exec <new-vmid> -- systemctl status nginx dnsmasq smbd
- Verify deploy artifacts inside restored container:
pct exec <new-vmid> -- ls -lh /srv/deploy/images/deploy.wim
pct exec <new-vmid> -- ls -lh /srv/deploy/winpe/boot.wim
pct exec <new-vmid> -- ls -lh /srv/deploy/winpe/EFI/Microsoft/Boot/BCD
- Run the on-deployer offline setup TUI (configures network + optional domain join). Run it from an interactive shell on the node (Proxmox web console or ssh root@<node>):
pct exec <new-vmid> -- offline-setup
If you run it as a one-shot SSH command instead, you MUST pass -t so the TUI gets a real terminal (otherwise the screen fills with escape codes and input breaks):
ssh -t root@<node> "pct exec <new-vmid> -- offline-setup"
- Deploy in offline site:
- Ensure target network can PXE boot from the restored deployer.
- Boot target workstation(s) on that network.
- They should chain through iPXE/wimboot and install from /srv/deploy/images/deploy.wim.
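Both restore options carry artifacts/vzdump-lxc-<deployer-vmid>-*.tar.zst across an air gap, so it is worth confirming that the file that arrives is the one the controller exported before running pct restore. The script below is an added example, not part of the project; the SHA256SUMS file name, the script name in the usage comment, and both function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the project): SHA-256 manifest for the exported
# deployer backup. The SHA256SUMS name and function names are assumptions.
MANIFEST="SHA256SUMS"

# Controller side: hash every vzdump-lxc-*.tar.zst found in directory $1.
write_manifest() {
    (
        cd "$1" || exit 1
        set -- vzdump-lxc-*.tar.zst
        # An unmatched glob stays literal; refuse to write an empty manifest.
        [ -e "$1" ] || { echo "no vzdump-lxc-*.tar.zst found" >&2; exit 1; }
        sha256sum -- "$@" > "$MANIFEST"
    )
}

# Offline side: check the copied backup in directory $1 before pct restore.
verify_manifest() {
    (
        cd "$1" || exit 1
        [ -s "$MANIFEST" ] || { echo "missing or empty $MANIFEST" >&2; exit 1; }
        # --strict rejects malformed manifest lines; --quiet prints failures only.
        sha256sum --check --strict --quiet "$MANIFEST"
    )
}

# Usage: ./backup-manifest.sh write artifacts
#        ./backup-manifest.sh verify /var/lib/vz/dump
case "${1:-}" in
    write)  write_manifest "${2:-.}" ;;
    verify) verify_manifest "${2:-.}" ;;
esac
```

Carry SHA256SUMS by a separate path from the tarball or compare it out of band; a manifest stored beside the file only catches accidental corruption in transit.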
How to Force Rebuild
Set force_rebuild to true in the inventory file:
windows:
  winpe_builder:
    force_rebuild: true