Password for USB Deployment Media


  • How does one password protect the USB stick that is being used for remote deployments?  All content (tasks and wims) are located on the USB stick.  It will not be connecting to the deployment server.  Our security department wants to be certain that if a USB stick is lost that the contents are protected and/or that no one can use the USB stick without being prompted for a username and password.  I was thinking of adding these two lines to the bootstrap.ini




    Friday, December 10, 2010 1:08 AM

All replies

  • Hi Anthony,

    Do you have anything on the USB key that would require protection? ie - is there any sensitive data or is there any security information? Are there any corporate apps included on the usb key? Any corporate policies should be stored on the corporate network not on the usb key.

    I guess my question is -> why does the key require protection?


    Paul Jorgensen
    Friday, December 10, 2010 2:55 AM
  • I don't even think this is possible without encrypting the usb key, but then it can't be used for deploying an OS (pretty sure about this at least, just not 100%)

    Thing is, even if you were to specify that user credentials are needed for running a setup, everyone could still access the files on it by simply browsing through the directories, if they know what they are doing then they simply can take out all sensitive information from there, like product keys etc..

    Friday, December 10, 2010 10:03 AM
  • No special apps.  Basically, our Security Dept. was hoping for a prompt for credentials, similar to the network deployment when you are prompted for your domain credentials.  We wouldn't like someone to get a hold of a "lost" usb stick and then have the ability to image/reimage machines, (a free version of windows). The usb stick contains a clean install of XP and Win7 and several images of XP boxes.  You're right Stephan, all the WIMS can easily be browsed to on the stick and installed using ImageX anyways.  Even if you consider that the images have an admin and password, one could still easily reset the admin user name and password with a boot to some well-known CDs.  Well, thanks for the input. 
    Friday, December 10, 2010 6:50 PM
  • Hi guys,

    It seems that it would depend on your setup and configuration as to whether you had a need to secure it. If you're only deploying windows 7 you shouldn't have a problem if you're using KMS for your licensing, because windows would be installed unactivated. I would say you should be able to setup the key so no sensitive data would be on the key, that would depend on how you configured the key and the deployment.

    It would also seem though that you should be able to encrypt the key and still have it function as a bootable key. I know for the disk encryption we have used it allows you to boot with the encrypted disk, so it seems like you should be able to setup a WinPE boot disk the same way, but there may be network complications with that depending on your encryption system, or OS complications, I obviously have never tried to encrypt WinPE. I would say you can possibly do this, but it would be a specialized setup that may require more resources and support.

    If you could setup the key so that no license keys or corporate passwords/data were on it, then you could probably convince your security department that nothing is on it that anyone could use without licensing. You could also possibly have a script located elsewhere ( say on the network somewhere hopefully - even though it's remote ) that could update the installed OS with changes that you could not include on the key - for example a script that would setup the local accounts once a network login took place, install the applications that were copied from the key, or activate/ register the applications if needed, etc, etc. 

    Also, could you possibly store the sensitive information on a separate partition on the same key and require that to be decrypted before it could be used? That would mean you would have a WinPE partition, and a separate partition with images, applications could add a task into the deployment that would run the command required to decrypt the secondary partition before that data was needed, or you could setup a WinPE customization to do that. This would mean that an unauthorized person should only have access to the WinPE part of the key, and they couldn't do anything with that without the images etc - which would require authentication and decryption to access. 

    I know I am kind of rambling away here, but it seems like there are a lot of possibilities, it's an interesting subject..

    Your main issue is probably more about being able to convince your security department that there is no security vulnerability, security departments are notoriously hard to convince of anything..LOL...

    Paul Jorgensen
    Friday, December 10, 2010 11:46 PM
  • Hi guys,

    It would be nice if the readers of this post could let me know if the below is useful or if a possible remote secure media deployment is something people may want, because I don't want to waste my time on something that wouldn't be useful. It may still be useful in my own setup, but there isn't much point publishing the information if no one would want it I suppose -  see below.

    I would like to add to this discussion that I have a couple of possible solutions for you. In the Graphical Quickstart Guide to the Microsoft Deployment toolkit 2010, I mention running a Media deployment utilizing the mapdrive program. The guide does not yet provide any further instructions, but I have run tests and it is possible to setup a Media deployment that is not on the actual deployment USB key. You could probably also run a standard network deployment by setting the DeployRoot= ( nothing ), and sending the remote user a network deployment key ( you would have to copy the deployment share to a local system and share it, etc, and the remote user would have to be given the remote deployment share information ) - or you would have to use the deployment location setup ( locationserver.xml ), etc to send a key which would allow the user to select a local deployment share from a prepopulated list.

    In either case this would mean that you could distribute a USB key for remote deployments that would not contain any sensitive data.

    The way the Mapdrive Media deployment is done, is that you setup your MDT workbench with a Media deployment ( under Advanced ). You then copy this Media deployment to a locally accessible share at the remote site, or include it on some secured media in some way.
    You then distribute the Mapdrive USB key network deployment, which accesses the Media deployment share/secured media at the remote site.
    There are reasons to use either the remote network method or the Mapdrive Media deployment, which would be dependent on personal preferences.

    The Mapdrive USB key would only contain the network deployment setup for the key and does not contain any OS's, any applications, any drivers, etc, etc, so you would not have to secure the USB key itself.

    I plan to release an updated version of the Guide - which is available at - soon, I am just in the process of writing the updates and integrating them into the guide, and troubleshooting any issues with this setup, although I have run tests that show that it will work - ie a remote Media deployment from a network share or other drive source. Currently a remote network Media deployment works great for me, but I still have to test it with some extended tasks to see how it performs, and test using a DVD disk, Blu-ray disk or alternate disk of some kind as a source drive.

    The main problem for you would be encrypting and decrypting the deployment data, but I would think you could encrypt it on some media, and then somehow allow the user to decrypt it at their end, and then run the mapdrive media deployment to access the decrypted drive/share/media. Another thing I have not tried, is setting up a USB key with 2 partitions, that could also possibly work - you could decrypt the second partition, and then possibly specify that decrypted drive as the deployroot for a Mapdrive Media deployment or even just with the standard setup.

    As a side note, the newer version of the guide ( version 2.0 ) will also contain other updates, but I still have a lot of work to do on it.

    It would be great if you could let me know if you are interested in this solution, because I am worried that I may be working on something that no one may be interested in. You can e-mail me at if you want,
    I could send you the information I have now probably although it is definitely still in the development phase, and I need to thoroughly test it before releasing any kind of possible final solution. In other words, I just want to ensure that anyone reading this or who wants to request information understands that this is completely in testing stage, and I do not yet guarantee that it will work as needed.


    Paul Jorgensen
    Tuesday, December 21, 2010 4:23 AM
  • I'm very interested.  I was hoping of approaching the security differently though, because I would still like the ability to perform off-site deployments.  If you split the USB media into two parts, one open which boots and starts litetouch.  Once initiated, it prompts for password to connect to 2nd partition, which would be encrypted, possibly with TrueCrypt or equivalent free Encryption.

    Your thoughts?

    Like I said though, I would still be very interested in your approach.

    Tuesday, December 21, 2010 4:49 AM
  • Hi Brian,

    Yes, I think the usb key splitting idea may be the way to go for off-site deployments, if that way could work, then you could have one key that was secured and would allow a completely portable solution.

    It would be great if you could let me know if you have done this in any way, or if you have more information on it..

    I will see if I can do some more testing on the mapdrive setup, and release some documentation on it in the guide..!

    Paul Jorgensen
    Tuesday, December 21, 2010 1:21 PM
  • I agree it is an interesting topic, but right now I don't have this requirement coming from the people I service.

    If I had this requirement, I would think along these lines...

    1. Use WAIK only and script partition creation and image apply phases.
    2. Use 7-zip or some other archiving utility (that works from command line) and password protect the wim file.
    3. During deployment phase, unzip password protected wim file to hard disk and apply wim image from hard disk.
    4. Delete unzipped wim file at the end of deployment.

    I'd be glad to implement these steps with MDT, but my skills are not up to this task. The most I could think of is to wrap these steps in hta.


    Tuesday, December 21, 2010 2:57 PM
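
The four steps listed in the last reply, written out as a WinPE batch script. This is an added example, not code from any poster in the thread; the drive letters, the `U:\tools` and `U:\images` paths, the file names and the use of disk 0 are assumptions.

```batch
@echo off
rem Constructed example. Runs in WinPE (RAM drive X:) booted from the stick.
rem Assumed layout: U:\tools\7za.exe, U:\tools\imagex.exe, U:\images\install.7z
rem Archive built beforehand on the technician PC (7-Zip prompts for the password):
rem   7za a -t7z -mhe=on -p install.7z install.wim
setlocal
set USB=U:
set TARGET=C:
set STAGE=%TARGET%\_stage
set DPSCRIPT=X:\part.txt

rem Step 1: scripted partition creation. Assumes disk 0 is the internal disk
rem and that letter C is free; "clean" destroys everything on that disk.
> %DPSCRIPT% echo select disk 0
>> %DPSCRIPT% echo clean
>> %DPSCRIPT% echo create partition primary
>> %DPSCRIPT% echo format fs=ntfs quick
>> %DPSCRIPT% echo active
>> %DPSCRIPT% echo assign letter=C
diskpart /s %DPSCRIPT% || goto fail

rem Step 3: extract the protected WIM to the hard disk. No -p is given, so
rem 7-Zip asks for the password interactively and it is never stored on the stick.
mkdir %STAGE% || goto fail
%USB%\tools\7za.exe x %USB%\images\install.7z -o%STAGE% -y || goto fail

rem Apply image index 1 from the staged WIM to the target volume.
%USB%\tools\imagex.exe /apply %STAGE%\install.wim 1 %TARGET%\ || goto fail

rem Step 4: remove the unprotected WIM once the image is applied.
rmdir /s /q %STAGE%
echo Deployment finished.
exit /b 0

:fail
rem A wrong password or a failed apply must not leave a cleartext WIM behind.
echo Deployment failed, cleaning up staged files.
if exist %STAGE% rmdir /s /q %STAGE%
exit /b 1
```

Writing boot files for the applied image is outside the four steps and is not shown. `rmdir` only unlinks the staged WIM, so its cleartext blocks stay on the target disk until they are overwritten.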