The code in this blog post is the tidied-up script which I used in my sessions at TechEd New Zealand and TechEd Australia, on deploying multiple Windows to Go devices in parallel.
Because I work quite a bit with Ironkey, and Ironkey Windows to Go devices have the nice feature of each having a unique serial number, I wanted to create a script which would produce fully customised deployments, but each deployment had to happen in parallel.
The script is designed for use with the Ironkey W300 device, which is a certified Windows to Go device which does not have an encrypted secure disk, unlike the W500. The script was initially designed to cater for both W300 and W500 devices at the same time, but the process of unlocking the secure disk on the W500 in such a way as to keep the PowerShell script robust still needs some refining. When I’m happy with it, I’ll update the script.
Of course, not everyone is going to be using Ironkey W300 devices. Never fear, this script will work on pretty much any certified Windows to Go device. If your device of choice doesn’t have a unique identifier which can be queried programatically, then you’ll need to strip out or disable the sections of the script which deal with extracting the serial number, setting the device type and creating a unique computer name. If your device does, then all you’ll need to is modify the Get-W300Serial function to something appropriate for your hardware platform.
Alternatively, try using an Ironkey W300, because all the work has been done for you
A few more points about the script functionality:
- The script incorporates Offline Domain Join, so it assumes that it is being run from a domain-joined workstation which has the Active Directory PowerShell module installed and available for import;
- The Offline Domain Join section also brings in the necessary GPO for DirectAccess. If you don’t have DA in your environment, remove this bit;
- Because the W300 has no embedded cryptochip, the script enables BitLocker for drive encryption. However this method precludes the use of MBAM management, which is preferable. To perform the encryption using MBAM, import the GPO as part of the Offline Domain Join.
The script has been a significant undertaking for me, as I had to learn a lot of PowerShell to bring it this far. Many thanks to David O’Brien for handling my questions at all hours of day and night.
I’m sure that there are parts of the script which could be handled with better logic or greater elegance, and I’m more than happy for feedback and suggestions. One thing I’d really like to get working is a better way of monitoring the active PowerShell jobs than simply running Get-Job ever five minutes – if anyone has some good ideas for this, I’m all ears.
Download the script here: Create-WTGDevice