Using Package provisioning to automate deployment


Using package provisioning (PP) to facilitate deployment has been on my mind for some time and I finally figured out how to make PP, SMA and SDA work together.

The idea is to use Autopilot to install the Kace agent on a newly received machine, which in turn triggers the machine's deployment.

There are however some steps to do in preparation (at least in our environment):

  • disable Secure Boot; this can't be done from the command line
  • get the MAC address of the target machine and add it to the DHCP

You can then use a PP to install the Kace agent, and once the machine is recognized by Kace as an "out of the box" machine, start the deployment.

Autopilot configuration

The configuration is basic:

    Machine name : OEM-%SERIAL%
    Disable the wifi
    Create a local administrator account : First Use / passme
    Installation of the Kace agent

Once configured, I create a file "Kace.ppkg", then I just have to save it on a USB key and connect it to the target machine at startup.

Here is the customizations.xml file :

<?xml version="1.0" encoding="utf-8"?>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<Name>Déploiement auto Kace</Name>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<User UserName="First Use">
<CommandConfig Name="Agent Kace">
<CommandFile>C:\Users\gilles\Documents\Windows Imaging and Configuration Designer (WICD)\Déploiement auto Kace\ampagent-11.0.123-x86.msi</CommandFile>
<CommandLine>msiexec /i "ampagent-11.0.123-x86.msi" /qn /norestart TOKEN=WnS8D8OCDI1WAG5O_qXcO8EQIWdA39g0gmCNl7yWBrTMSA HOST=k1000.maison.fr</CommandLine>

The Kace script

On the SMA, a script is executed every 5 minutes on the machines with the INV-OEM label.

This script :

  • copies a KBE locally (c:\recovery\kbe)
  • adds an entry in the boot loader to this KBE
  • creates a file \k2000\UBS-%adress_mac%.bat containing the path to the deployment script chosen by default (for example y:\scripts\system_image_144.bat)
  • restarts the computer on the KBE

This script is in two parts :

A batch script that adds the BCD entry and copies the KBE:

SET BCDUID={6ecbb6c1-1aa7-11e9-b71c-3417ebd7e250}

IF EXIST "c:\Windows\sysnative\bcdedit.exe" (
SET BCD="c:\Windows\sysnative\bcdedit.exe"
ECHO 32 Bits
) ELSE (
SET BCD="c:\Windows\system32\bcdedit.exe"
ECHO 64 Bits
)

:: Copy KBE files
ROBOCOPY "%~dp0kbe" "c:\Recovery\kbe" /mir

:: clean up
%BCD% /delete %BCDUID%
%BCD% /delete {ramdiskoptions} /F

:: new boot entry
%BCD% /create {ramdiskoptions} /d "KBE Ramdisk options"
%BCD% /set {ramdiskoptions} ramdisksdidevice partition=C:
%BCD% /set {ramdiskoptions} ramdisksdipath \Recovery\kbe\boot.sdi

%BCD% /create %BCDUID% /d "Boot KBE" /application OSLOADER
%BCD% /set %BCDUID% path \windows\system32\winload.efi
%BCD% /set %BCDUID% nx optin
%BCD% /set %BCDUID% device ramdisk=[c:]\Recovery\kbe\boot.wim,{ramdiskoptions}
%BCD% /set %BCDUID% osdevice ramdisk=[c:]\Recovery\kbe\boot.wim,{ramdiskoptions}
%BCD% /set %BCDUID% systemroot \windows
%BCD% /set %BCDUID% winpe yes
%BCD% /set %BCDUID% detecthal yes
%BCD% /default {6ecbb6c1-1aa7-11e9-b71c-3417ebd7e250}

%BCD% /timeout 0

:: Create the script on the SDA
powershell -ExecutionPolicy bypass -noprofile -file "%~dp0Gachette.ps1"

:: Reboot into the local KBE

shutdown -r -T 10 -d p:2:4 -c "Computer reinstall" -f

A PowerShell script that finds the NIC MAC address and creates the script on the SDA:

# Script to create a deployment script for the current machine in Kace
# Account for the SDA share (placeholder value, replace with your own)
$User = "yourSDAuser"
$pass = ConvertTo-SecureString "yourSDApassword" -AsPlainText -Force
$mycred = New-Object System.Management.Automation.PSCredential($User,$pass)
$image = "y:\scripts\system_image_144.bat"

# MAC address recovery (wired adapter, dashes removed)
$maca=(Get-NetAdapter|Where-Object {$_.MediaType -eq '802.3'}).MacAddress -replace '-',''

# Connection to \\k2000\petemp
New-PSDrive -Name "Petemp" -PSProvider "FileSystem" -Root "\\k2000\petemp" -Credential $mycred

# deployment script writing
echo $image | Out-File -Encoding ascii Petemp:\UBS-$maca.bat

# umount kace
Remove-PSDrive -Name "Petemp"
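
A pre-reboot check for the two scripts above, as an added example that is not part of the original post: it confirms the copied KBE files are present and that boot.wim matches a pinned SHA-256, and it refuses to build the UBS-<MAC>.bat name unless exactly one connected wired adapter is found. The function names, the hash placeholder and the sample adapter objects are assumptions.

```powershell
# Added example, not part of the original scripts. Function names are hypothetical.

function Test-KbeFiles {
    param(
        [string]$KbeDir = 'C:\Recovery\kbe',
        # Placeholder: SHA-256 of the boot.wim you published, computed on a trusted machine
        [Parameter(Mandatory)][string]$ExpectedWimSha256
    )
    foreach ($name in 'boot.wim', 'boot.sdi') {
        $path = Join-Path $KbeDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "Missing KBE file: $path"
        }
    }
    $wim = Join-Path $KbeDir 'boot.wim'
    $actual = (Get-FileHash -LiteralPath $wim -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedWimSha256) {
        throw "boot.wim hash mismatch (got $actual); not rebooting into it"
    }
    return $true
}

function Get-DeploymentMac {
    # Defaults to the live adapters; pass objects explicitly to test the logic offline
    param([object[]]$Adapters = (Get-NetAdapter -Physical))
    $wired = @($Adapters | Where-Object { $_.MediaType -eq '802.3' -and $_.Status -eq 'Up' })
    if ($wired.Count -ne 1) {
        throw "Expected exactly one connected wired adapter, found $($wired.Count)"
    }
    $mac = ($wired[0].MacAddress -replace '[-:]', '').ToUpper()
    if ($mac -notmatch '^[0-9A-F]{12}$') {
        throw "Unexpected MAC address format: $mac"
    }
    return $mac
}

# Constructed sample adapters (not real hardware)
$sample = @(
    [pscustomobject]@{ MediaType = '802.3'; Status = 'Up'; MacAddress = '00-11-22-33-44-55' }
    [pscustomobject]@{ MediaType = 'Native 802.11'; Status = 'Disconnected'; MacAddress = '66-77-88-99-AA-BB' }
)
"UBS-$(Get-DeploymentMac -Adapters $sample).bat"

# On the target machine, before "shutdown -r":
# Test-KbeFiles -ExpectedWimSha256 '<sha256-of-your-boot.wim>'
```

Because the batch script sets the KBE entry as default with a timeout of 0, running both checks before the reboot keeps a partial or altered copy of boot.wim from becoming the only boot path.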

Preparation of a KBE

For the deployment to be done automatically we add in the file startnet.cmd of the KBE the following command:


On the Kace side, the machine will be registered in the INV-OEM label.

Every 5 minutes the "KBE OEM" script identifies among the machines labeled INV-OEM those that have not been deployed by Kace and deploys a KBE locally before restarting them to launch the deployment.

That's it! I hope this is helpful, feel free to ask questions if it's not clear enough.

The fact that we can snoop under the hood of Kace appliances has been a plus in the feasibility of this deployment. The fact that they are not impenetrable black boxes is really a plus. Thanks Quest.


  • Some hardware vendors support BIOS changes from the CLI/PowerShell. HP for example provides easy access via its Client Management Script Library. So, you could add something like:

    C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -Command "& {Set-HPBIOSSettingValue -Name 'Configure Legacy Support and Secure Boot' -Value 'Legacy Support Disable and Secure Boot Disable' -Password yourbiossetuppassword}"

    Just remember to run another script/task to turn it back on when you're done. - mcnaugha 2 years ago
    • Thanks for this information, I did not know about HP, but Dell does not allow modifying Secure Boot with scripts... - gwir 2 years ago
      • You have to use the dell bios tool to modify the secure boot. The same applies to Configuration Manager as well. - Sandra Jane 9 months ago
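
A post-deployment check for the reminder above to turn Secure Boot back on, as an added example that is not part of the original thread: it reports the Secure Boot state with the built-in Confirm-SecureBootUEFI cmdlet and exits non-zero when Secure Boot is not enabled. The function name and the state labels are assumptions.

```powershell
# Added example, not from the original thread. Get-SecureBootState is a hypothetical name.
function Get-SecureBootState {
    try {
        # Returns $true when Secure Boot is on, $false when it is off
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { return 'Enabled' }
        return 'Disabled'
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS or firmware without Secure Boot support
        return 'Unsupported'
    }
    catch [System.UnauthorizedAccessException] {
        # The cmdlet needs an elevated session
        return 'NotElevated'
    }
}

$state = Get-SecureBootState
Write-Output "SecureBoot=$state"
if ($state -ne 'Enabled') { exit 1 }
```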