Wes Miller Systems Management GETTING STARTED WITH WINDOWS PE Chances are you don’t know much about the Microsoft Windows Preinstallation Environment, or Windows PE as it’s usually called, even though it shipped the same day as Windows XP. Windows PE was designed to allow Windows setup or a 32-bit imaging program to run on a PC even with Originally, the Windows setup CD included no version of Windows installed. The idea was to make things easier for OEMs. Windows both a prebuilt version of Windows PE and PE has evolved over the years and, as you’ll see, it can make your life easier as well. a toolset that let you create your own build. For quite some time, MS-DOS® played a big part in Windows installation and setup, Today, Windows PE is shipped only as the but eventually that became problematic. As both Windows and hardware grew more so- toolset; you need to build your own copy. phisticated, MS-DOS couldn’t keep up. Its shortcomings as a setup initiator for doing a Eventually, Windows PE spread beyond custom setup were plentiful. Performance the OEM community it was designed for. • The history of Windows PE was a big issue, so was driver availability. ISVs, enterprise, education and government • How Windows PE can stand in for These problems became the key impetus for customers all took advantage of it, and they MS-DOS replacing MS-DOS for OEMs and eventu- used it for far more than the deployment sce- • How to customise Windows PE ally enterprise customers. narios we initially envisioned. They used it • Windows PE Q&A A developer on the Windows setup team for recovery and diagnostics as well. Today, came up with the idea of integrating the dif- Windows PE is available for customers with Wes Miller is the Product Technology Strategist at Winternals ferent components of setup into one solu- Software Assurance, as well as Enterprise AT A GLANCEAT Software in Austin, Texas, where he focuses on all Winternals products, including Protection Manager, the Winternals Enter- tion so that a simple boot CD could provide Agreements, Campus Agreements, and as a prise Security product. Previously, Wes worked at Microsoft as a minimal environment that would let 32- component of several other licensing agree- a Program Manager and Product Manager for Windows enter- bit setup run, eliminating the problems with ments with Microsoft. prise deployment. MS-DOS. With that, Windows PE was born. When running, Windows PE looks like 36 To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine Windows PE Q&A Send your Windows PE questions to [email protected] and I’ll answer them as time allows. Doesn’t using Windows PE Qcompletely violate the NTFS secu- rity of Windows? Under Windows PE, the user runs all tasks as System, which is more powerful than local administrator. It turns out this really isn’t Aan issue. Law number 3 of the 10 Immutable Laws of Security says, “If a bad guy has unrestricted physi- Figure 1 Default Configuration of Windows PE Booted to the Command Shell cal access to your computer, it’s not your computer anymore.” (See micro- Figure 1. You’ll note that it doesn’t include not be available. Windows PE users began soft.com/technet/archive/community/columns/secu- Windows Explorer, and as such does not have to regularly request a number of addition- rity/essays/10imlaws.mspx for the complete any of the regular Windows shell available. al features. We were unable to officially en- It’s truly a bare-bones installation. gineer these features into the product, but article). we did provide a script that would allow a The point is that if someone can What You Get Windows PE admin to add ADO connectiv- physically access your computer, As you can see in the sidebar “Windows ity to a Microsoft SQL Server, and HTML there are numerous other methods PE Releases”, there have been a number for Applications (HTA) and Windows Script besides Windows PE (a parallel install of upgrades. The basic functionality of Host (WSH) support to an image. These of Windows, an NTFS-capable install Windows PE was broadly expanded to al- provided a handy framework of tools that of Linux or even Mac OS X, or physical low OEM partners and enterprise custom- have enabled some creative deployment and removal of the drive to another system ers to perform WMI queries on hardware recovery solutions. Windows PE 2.0, which running Windows) to remove or poten- and to initialise classes of devices that no is scheduled to ship with Windows Vista, tially destroy your data. True, Windows one originally had expected would be used will add notable new capabilities. PE makes this more convenient. under Windows PE. Windows PE was ini- To counter this threat—as well as tially designed to boot from CD; network Booting Windows PE boot via PXE was an afterthought, and the When you’re starting with Windows PE, Law number 3 as a whole—you should hard drive method came very late in devel- one of the first considerations is how you either physically secure your system at opment. The intent with Windows PE was want to boot. Over the years the number of all times or use EFS to at least secure always to allow for a 32-bit environment boot mediums supported by Windows PE your data, or a full disk encryption with TCP/IP networking, hard disk access has grown (see Figure 2). product, which will secure your data to enable imaging or scripted installation of Technically, Windows PE can also boot and even your entire system volume. Windows, and basic video support. Windows from an LS-120/LS-240 disk, though I’d nev- This is something you should be do- PE always uses the same basic VESA mode er recommend it due to serious performance ing with your mobile systems anyway video driver regardless of the card in use. issues. USB Flash Drive boot is something if they are storing any sort of confi- This lets it display very good colour depth we worked hard on for Windows PE 1.6. It dential data. and resolution on modern VESA-compliant works very well, though it’s only supported hardware, though some older hardware may by Microsoft when an OEM provides it with Can I PXE-boot Windows PE default to a very unpleasant (though usable) a new system because there’s no reliable way colour depth and resolution. to ensure that systems would have the nec- Qfrom anything besides RIS? From the beginning Windows PE had essary capabilities. This method requires only very basic Win32® API support, mean- BIOS-specific functionality that must be With the RAMDisk boot ca- ing that the Microsoft .NET Framework, provided by the PC manufacturer, as well Apability in Windows PE 2005, yes DirectX®, TAPI/MAPI/SAPI, audio and as USB 2.0 support. you can. many other high-level Windows APIs would Your particular needs will determine how TechNet Magazine October 2006 37 Systems Management you can best use Windows PE. The impor- family) or the one immediately preceding. tant thing to remember is that you can ba- Figure 2 Windows PE Boot Options So for Windows PE 1.5, the build tools will check for either Windows Server 2003 RTM sically reuse the same technology across PXE (Pre-boot eXecution Environment) multiple boot methods, no matter which using RAMDisk boot technology media (either the Standard or Enterprise one(s) you choose. RIS (the Microsoft proprietary Editions) or Windows XP Service Pack 2 Before you begin creating your build of PXE implementation, which is tradition- (SP2) integrated media. Note that the WMI Windows PE, you’ll need to make some de- ally used to launch Windows setup over features in 1.5 require Windows XP SP2, and the network) the RAMDisk and USB Flash Drive features cisions. A key question you’ll need to answer Hard Disk (either directly or via a is who’s in charge? Will this be a self-service RAMDisk) in 1.6 require Windows Server 2003 SP1. reinstallation solution that non-technical CD (or an ISO-formatted DVD) To create a build of Windows PE 1.6, then, users will execute, or will it be used by your RAMDisk (this allows for some very you will want to have the 1.6 build tools technical or IT support staff? interesting scenarios which I’ll describe as well as a copy of Windows Server 2003 in depth in an upcoming article) SP1 integrated media. Launch a command This is a critical question, since it will dic- USB Flash Drive (UFD) tate whether you’ll have corporate brand- prompt and go to the directory where you ing on the user interface, whether you need copied the Windows PE build tools. At the to build protections in to keep users from partitions, getting build information from prompt, type the following (the last four running the installer accidentally, and many SQL Server or a network share, and mix- arguments are optional): other issues. Here roaming user profiles or a ing and matching PXE and CD/DVD boot mkimg.cmd [source] [destination] [ISO Image] separate user data partition for Documents mechanisms. The best part about Windows [/PNP] [/WMI] [/NOWF] and Settings can come in handy. PE is the countless ways in which you can Let’s say your Windows Server 2003 SP1 in- You’ll also need to decide if you’ll build configure it to do your bidding.