Deploy Windows images: Activate and secure PCs

Now you have a Windows® image that you can deploy onto an entire line of model-specific PCs. In this section, you apply the Windows image, prepare Windows for activation, boot the PC to apply any pending updates, and capture all of the changes into a set of customized push-button reset recovery tools.

For UEFI-based PCs, you can use Secure Boot tools to help prevent unauthorized firmware, operating systems, or UEFI drivers from running at boot time. For more information, contact your firmware manufacturer.

Certify your images

Prepare the firmware for secure deployment

  • For UEFI-based PCs with Secure Boot capability, put the PC into debug mode. For production PCs, this requires installing a debug policy file for the individual PC. For more info, see the Windows Hardware Certification Kit.

Apply your image to the PC

  1. Boot the PC to Windows PE.

  2. Determine the current drive letter of the external hard drive (for example, type diskpart, list vol, exit).

  3. Format the drive, add your Windows image, and set up the recovery partition; for example:

    diskpart /s E:\Deployment\CreatePartitions-UEFI.txt
    
    E:\Deployment\ApplyImage-UEFI E:\Images\ModelSpecificImage-Updated.wim
    
    diskpart /s E:\Deployment\HideRecoveryPartitions-UEFI.txt
    

    where E is the drive letter of the external drive.

    For more info, see Apply Windows images.

Create an association between a PC and a Windows product key

  • Use the OEM Activation 3.0 (OA 3.0) tools to create a hardware association that associates your specific PC with a single product key.

  • Use your own BIOS injection tool to inject the product key into the PC.

  • Use the OA 3.0 tools to create and submit your PC build report to Microsoft for reconciliation.

For more information, see the OEM Activation Guide on the Microsoft Connect website.

Shut down the PC

  • Shut down or reboot your PC, either by holding down the power button for a full five seconds, or by using the following command:

    wpeutil shutdown
    

Secure the firmware

  • For UEFI-based PCs with Secure Boot capability, remove the debug policy files to secure the PC. For more information, see the Windows Hardware Certification Kit.
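A pre-delivery check you can run after securing the firmware, shown as an added example that is not part of the original page or of Microsoft's deployment scripts. It assumes the PC has been booted into the installed Windows with an elevated PowerShell session; the function name Test-SecureBootReady is hypothetical. The script reports the Secure Boot policy publisher and version so you can compare them with values recorded from a known-good production PC, but it does not itself decide whether a debug policy is present.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# session in the installed Windows, on a UEFI PC.
function Test-SecureBootReady {          # hypothetical helper name
    [CmdletBinding()]
    param()

    $r = [ordered]@{
        SecureBootEnabled = $false
        SetupMode         = $null
        PolicyPublisher   = $null
        PolicyVersion     = $null
        Ready             = $false
        Notes             = @()
    }

    try {
        # $true/$false on UEFI PCs; throws where the platform is not supported.
        $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $r.Notes += "Confirm-SecureBootUEFI: $($_.Exception.Message)"
    }

    try {
        # SetupMode is a one-byte UEFI variable: 1 = no Platform Key enrolled.
        $var = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        $r.SetupMode = [int]$var.Bytes[0]
    } catch {
        $r.Notes += "SetupMode: $($_.Exception.Message)"
    }

    try {
        # Reported for comparison only; this script does not judge the values.
        $policy = Get-SecureBootPolicy -ErrorAction Stop
        $r.PolicyPublisher = $policy.Publisher
        $r.PolicyVersion   = $policy.Version
    } catch {
        $r.Notes += "Get-SecureBootPolicy: $($_.Exception.Message)"
    }

    # Ready only when Secure Boot is on and the firmware is in user mode.
    $r.Ready = $r.SecureBootEnabled -and ($r.SetupMode -eq 0)
    [pscustomobject]$r
}

$check = Test-SecureBootReady
$check | Format-List
if (-not $check.Ready) { exit 1 }
```

Saved as a script, it exits with a nonzero code when the PC is not ready, so a factory line can hold the PC back from delivery.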

Deliver the PC to your customer

You now have a Windows image that includes your basic branding and customizations that affect each PC that you manufacture. You have developed a process to automatically deploy this image quickly, which includes setting up individual license keys and recovery images.

See Also

Concepts

OEM Windows Deployment and Imaging Walkthrough