IT Connect
Information technology tools and resources at the UW

Lite Touch Installation: network based OS deployment

This image deployment solution will be retired on October 31, 2019.

Managed Workstation recommends a new method for image deployment.

UW Managed Workstation Windows OS images

For use by Managed Workstation eligible users with Managed Workstation service computers.

Before you start:
  • If you are rebuilding an existing Managed Workstation computer, be sure to send email to to request the removal of the existing computer name from the domain BEFORE you begin.
  • You must be connected to a wired Ethernet network connection.
  • If you are reusing the computer name, do a complete shut-down of the workstation before you begin the rebuild to prevent any problems.
Recommended system configuration:
  • To enable the best boot support and security features, you should apply the latest firmware for your system provided by the manufacturer. See your manufacturer’s support page for instructions.
  • Use the UEFI boot mode instead of BIOS to enable faster boot times and modern security features. Using UEFI enables several security features that will otherwise be unavailable. Select UEFI or UEFI native, not UEFI hybrid or UEFI+CSM.
  • For Windows 8 and newer, enable Secure Boot to protect your system from certain types of malware called rootkits.
  • Enable the Trusted Platform Module and any TPM options to support BitLocker or other volume encryption.
  • Enable the virtualization options for your computer to support Device Guard, Credential Guard, and Measured Boot.
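
Once Windows 10 is deployed, the settings recommended above can be read back from the running system. The PowerShell check below is an added example, not part of the original Managed Workstation instructions; the function names Get-BootSecurityState and Test-BootSecurityState are hypothetical, and it assumes an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example; Get-BootSecurityState and Test-BootSecurityState are hypothetical helper names.
function Get-BootSecurityState {
    $state = [ordered]@{}

    # UEFI vs. legacy BIOS, as reported by the running OS.
    $state.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as off.
    try   { $state.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $state.SecureBoot = $false }

    # The TPM must be present and ready before BitLocker can use it.
    $tpm = Get-Tpm
    $state.TpmPresent = $tpm.TpmPresent
    $state.TpmReady   = $tpm.TpmReady

    # VirtualizationFirmwareEnabled reads False once a hypervisor is running,
    # so HypervisorPresent is accepted as well.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $state.Virtualization = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    # SecurityServicesRunning contains 1 while Credential Guard is running.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $state.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]$state
}

function Test-BootSecurityState {
    param([Parameter(Mandatory)]$State)
    $gaps = @()
    if ("$($State.FirmwareType)" -ne 'Uefi') { $gaps += 'Firmware is not in UEFI mode' }
    if (-not $State.SecureBoot)     { $gaps += 'Secure Boot is off' }
    if (-not ($State.TpmPresent -and $State.TpmReady)) { $gaps += 'TPM is missing or not ready' }
    if (-not $State.Virtualization) { $gaps += 'Virtualization extensions are disabled' }
    $gaps
}

$state = Get-BootSecurityState
$state | Format-List
Test-BootSecurityState -State $state | ForEach-Object { Write-Warning $_ }
```

Credential Guard is reported but not flagged, since whether it runs depends on policy applied after the machine is claimed.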


Step 1: Create a bootable Lite Touch Network Deployment USB drive [1]
Step 2: Boot from your Lite Touch Flash Drive [2]
  • Power off the computer and insert the Lite Touch Network Deployment USB drive.
  • On boot up, force the boot choice menu (usually F12 on Dell and Lenovo, F9 for HP).
  • Select and boot from your USB device.
Step 3: Choose the right OS option from the menu
  • When the Lite Touch menu has loaded, choose “Run the Deployment Wizard to install a new Operating System”
  • Remove the USB drive so it does not interfere during a reboot.
  • Select the Task Sequence that contains the Operating System and image version that you want to deploy.
    • See Task Sequence for image details to choose the most appropriate one.
    • Task sequences marked TEST should be used with caution.
  • Computer Details:
    • Leave the Computer Name field set to the computer’s serial number, or change it to a new, unique name with a maximum of 15 characters, including letters, numbers and the hyphen – character.
      NOTE: Do not use an underscore _ in computer names. It is not a valid character for MWS devices.
Step 4: Start the OS deployment
  • The process begins. The installer takes about 60-90 minutes, depending on computer speed and network conditions. The computer may reboot several times.
  • Do not log in with your credentials or manually reboot until you see the Operating System Deployment (OSD) successful screen or an OSD warning message.
  • The computer will boot into the local Administrator profile
    • If you get an error that the username or password is incorrect, you can continue by changing the username to NebulaAdm and using the Administrator password above.
  • OSD continues to run silently for a few minutes.
Step 5: OS Deployment completion
  • You should get a message that OSD has completed successfully. If you get a yellow warning screen, it is often safe to continue. If you get a pink error screen, the deployment has usually failed and the resulting installation should not be used. In either case, copy down the error(s) and email the information to
    • Common Failures that are safe to ignore:
      • Failure: ValidateDeployRootWithRecovery
  • Click Finish
  • You are now logged into the computer with the local administrator account
  • You will be asked to choose type of network (home, work, public). Click “Work”. A screen will appear indicating the network has been named; you can Accept and Close this window.
Step 6: Claim Managed Workstation computer
  1. Enable your new workstation for Managed Workstation services. Note: This step pre-creates a workstation account in the NETID domain so you can join it.
    1. Create a request using the Enable Computer for MWS services form and wait for confirmation. If you don’t wait for confirmation before joining your workstation to the NETID domain, the workstation will end up in an unusable state which will require assistance. If you’d like to request that specific UW NetIDs be added to the Local Admin Group, just include that info in the request follow-up.
  2. Join the workstation to the NETID Domain:
    1. Windows 10 1703 and later:
      1. Press the Windows Key + X to bring up the selection menu.  Click “System”.
      2. Click: Connect to work or school and then click the Connect button
      3. Under Alternate actions: Click “Join this device to a local Active Directory domain”.
      4. Join a domain: Domain name:, then click “Next”.
      5. Enter (enter your own UW NetID in place of the words your UWNetID) and your netid password.
      6. To add an admin account, enter an account: user account\account type
    2. Restart the workstation.
    3. Log in using your UW NetID credentials: netid\your UW NetID.
  3. Completing MWS workstation configuration
    1. Allow a few hours or overnight for Managed Workstation settings to complete. Restarting the computer a couple of times to ensure settings are applied correctly is strongly encouraged. Alternatively, you can use this command to force the settings update and reboot:
        gpupdate /force /boot
    2. After this, you can use the myIT page to make these further changes:
      • the primary user
      • the technical contact
      • your note in the inventory field
Review this checklist before deploying to the end user:
  • Sophos: Sophos AntiVirus should automatically push out from the server and install on your computer within a couple of days. Verify that Sophos is installed: check for the white and blue “S” shield in the System Tray. Right-click on the shield and click “Update now”.
    • Windows 10 comes with built-in antivirus software, and it is safe to wait for Sophos to auto-install.
  • Get Programs/Run Advertised Programs/Software Center should populate within 2-24 hours of being claimed by Managed Workstation.
  • Device Manager: open Device Manager and make sure there are no errors or missing drivers.
    • If the computer is missing drivers, or the build fails for lack of network drivers, contact and we can help get those drivers imported into the deployment server
  • Windows Update: click “check on-line for updates from MS Update” to check for driver updates under Optional Updates. (You don’t need the Optional language updates.)
  • For best performance: even though they are listed as installed, you may find that you need to reinstall TPM drivers, touchpad drivers, video drivers, and “hotkey/quick-key” software from the manufacturer (especially true of laptops.)
  • Update BIOS from vendor website when a newer version is available.


[1] How to create a bootable device:

  • UEFI USB boot requires that USB disks have at least 4 gigabytes of capacity, the boot mode should be set to UEFI or UEFI native and not UEFI+CSM or UEFI Hybrid, and you may have to disable Fast Boot or Quick Boot on some systems.
  • Via Disk Management, reformat the flash drive. FAT32 is strongly recommended; NTFS or exFAT may not boot successfully in all UEFI/BIOS configurations.
  • Mark partition ‘active’.
  • Copy all of the Lite-Touch Network Installer boot files from I:cac\nebula\sw\apps\LiteTouchNetwork

If that doesn’t work, completely clean the drive and prepare it for use with the following instructions:

  • Launch a cmd window: Run as Administrator
  • Windows 10, right click on the Start button and select Command Prompt (Admin)
  • Launch the DiskPart utility by typing “diskpart” at the Administrator elevated command prompt.
  • Run the command: “list disk” to check the status of your drive.
  • Run “select disk N” where the “N” is actually the corresponding number of your USB drive.
  • You can most easily tell which is the proper disk by looking at the capacity
  • Run “clean”. CAUTION: This will erase everything on the disk! Make sure you select the correct disk!
  • Once the thumb drive is clean, run “create partition primary”.
  • Select the new partition: “select partition 1”
  • Now make the partition active by entering “active”
  • Assign a drive letter with “assign”
  • Format the drive as FAT32 by running “format fs=fat32 quick”
  • Type “exit” to quit
  • If you are still having problems, locate and use bootsect with the following command: bootsect /nt60 X: (where X is your flash drive letter)
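
The same clean, partition, active and FAT32 sequence can be scripted with the Windows Storage cmdlets, with a guard against erasing the wrong disk. This is an added example, not part of the original instructions; the function names, the LITETOUCH volume label and the sample source path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example; function names are hypothetical, cmdlets are from the Storage module.
function Select-UsbTargetDisk {
    # Marketed "4 GB" drives report slightly less, so the floor is set a little lower.
    param([uint64]$MinBytes = 3.5GB)
    $candidates = @(Get-Disk | Where-Object {
        $_.BusType -eq 'USB' -and -not $_.IsBoot -and -not $_.IsSystem -and
        $_.Size -ge $MinBytes
    })
    # Refuse to guess: with zero or several USB disks attached, stop.
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one USB disk, found $($candidates.Count)."
    }
    $candidates[0]
}

function New-LiteTouchUsb {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$SourcePath)  # folder holding the boot files

    $disk  = Select-UsbTargetDisk
    $label = "disk $($disk.Number) '$($disk.FriendlyName)' $([math]::Round($disk.Size / 1GB, 1)) GB"
    if (-not $PSCmdlet.ShouldProcess($label, 'Erase and format as FAT32')) { return }

    # DiskPart "clean"
    Clear-Disk -Number $disk.Number -RemoveData -RemoveOEM -Confirm:$false
    # Fixed-type USB disks come back RAW and need an MBR; removable media does not.
    if ((Get-Disk -Number $disk.Number).PartitionStyle -eq 'RAW') {
        Initialize-Disk -Number $disk.Number -PartitionStyle MBR
    }
    # "create partition primary", "active", "assign". Windows will not format
    # FAT32 above 32 GB, so larger drives get a smaller partition.
    $size = @{ UseMaximumSize = $true }
    if ($disk.Size -gt 32GB) { $size = @{ Size = 30GB } }
    $part = New-Partition -DiskNumber $disk.Number -IsActive -AssignDriveLetter @size
    # "format fs=fat32 quick" (Format-Volume is quick unless -Full is given)
    $part | Format-Volume -FileSystem FAT32 -NewFileSystemLabel 'LITETOUCH' | Out-Null
    Copy-Item -Path (Join-Path $SourcePath '*') -Destination "$($part.DriveLetter):\" -Recurse
}

# Placeholder path; -WhatIf shows which disk would be erased without touching it.
New-LiteTouchUsb -SourcePath 'D:\LiteTouchNetwork' -WhatIf
```

Run it once with -WhatIf and check the reported disk number, name and size before running it without.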

[2] Boot your computer from a USB drive

In order to successfully boot your computer from a USB drive, you may need to ensure the following steps have been taken in the UEFI/BIOS configuration of the computer.  Each manufacturer and UEFI/BIOS can be different.

  • The best boot support will be available when you are using the latest system firmware for your device.
  • Native UEFI mode is preferred over BIOS emulation.
  • UEFI USB boot requires that USB disks have at least 4 gigabytes of capacity, the boot mode should be set to UEFI or UEFI native and not UEFI+CSM or UEFI Hybrid, and you may have to disable Fast Boot or Quick Boot on some systems.
  • Your USB boot drive should be formatted with the FAT32 file system.
  • Avoid USB 3.0 ports, as the boot support is better for USB 2.0 on many systems.
  • If you have trouble booting from USB, you may instead use the Lite Touch ISO to create a bootable optical disc, then boot from an internal or external DVD drive.
  • Only if necessary, switch back to Legacy or BIOS emulation mode from UEFI mode. This will slow boot times and disable options such as Secure Boot protection, but may be necessary on some older systems without updated firmware support.
  • Remember to enable the TPM and TPM options to enable volume encryption.


Potential errors:

Error: Secure Boot Violation: Invalid signature detected. Check Secure Boot Policy in Setup
Problem: Trying to install Windows 7 with Secure Boot enabled.
Solution: Disable Secure Boot in UEFI/BIOS


Last reviewed November 30, 2018