PXE Boot Windows 11 Deployment WDS Standalone Guide
Set up automatic PXE boot for Windows 11 deployment using standalone WDS—no domain or paid software needed. Custom hostname menu, unattended installs, post-install Kaspersky, and Secure Boot compatibility included.
How to set up automatic PC deployment via PXE boot without purchasing software or using a domain?
Requirements:
- Client connects via PXE.
- PXE menu allows specifying the PC hostname.
- Automatic installation of Windows 11 using the provided hostname.
- Post-installation of a standard software package (including Kaspersky).
Can this be implemented using WDS? Will it work with Secure Boot enabled?
Yes, you can set up automatic PXE boot deployment for Windows 11 without buying software or needing a domain—WDS in standalone mode handles it perfectly. Clients connect via PXE boot, pick a hostname from a custom menu, trigger an unattended Windows 11 install using that name, and run post-install scripts to drop in software like Kaspersky. And yes, it works with Secure Boot enabled if you use signed boot images like a Windows 10 boot.wim.
Contents
- PXE Boot Windows 11 Deployment Overview
- Requirements and Prerequisites
- Setting Up WDS in Standalone Mode
- Configuring DHCP and Network for PXE
- Custom PXE Menu for Hostname Input
- Unattended Windows 11 Installation
- Post-Install Automation with Kaspersky
- Secure Boot Compatibility
- Troubleshooting Common Issues
- Sources
- Conclusion
PXE Boot Windows 11 Deployment Overview
Picture this: a fresh PC powers on, hits the network, and boom—PXE boot kicks in. No USB sticks, no manual imaging. You’re deploying Windows 11 across dozens of machines, each with its own hostname, all automated, and Kaspersky ready to install right after. Sounds ideal for a lab, small office, or test fleet, right?
WDS (Windows Deployment Services) makes this free and native since it’s baked into Windows Server. Run it standalone—no Active Directory domain required. Clients PXE boot over UEFI, see a menu to enter a hostname, grab a tailored autounattend.xml, install Windows 11 silently, then fire off scripts for extras like antivirus. But Microsoft tweaked things for Windows 11: the default boot.wim won’t play nice in WDS mode due to TPM/Secure Boot checks. No sweat—grab a Windows 10 boot.wim instead.
This setup skips paid tools like SCCM. Total cost? Zero software licenses.
Requirements and Prerequisites
Before diving in, check your gear. You’ll need:
- Server: Windows Server 2019/2022 (Standard or Datacenter; eval works for testing). At least 4GB RAM, 100GB free disk (separate drive for RemoteInstall folder is smart).
- Network: DHCP server (router or server role). Clients on same subnet or VLAN with IP helpers pointed to your WDS server.
- Clients: UEFI firmware enabled for PXE boot. Secure Boot? Supported—more on that later. Windows 11 ISO (official download).
- Files: Windows 10 boot.wim (from ISO), Windows 11 install.wim/install.esd, autounattend.xml template.
Download the ISOs from Microsoft. Extract boot.wim from Win10 ADK or ISO—it’s signed and Secure Boot-friendly per Microsoft’s WDS boot support docs.
Why Windows 10 boot.wim? Windows 11’s default skips WDS mode to enforce hardware reqs, but Win10 boot loads it fine and chains to your Win11 image. Tested workflows confirm this.
Setting Up WDS in Standalone Mode
WDS without a domain? Totally doable in workgroup mode. Here’s the quick path:
- Install WDS role: Server Manager > Add Roles > Remote Server Administration Tools > Deployment Tools, then full WDS.
- Move RemoteInstall to D:\RemoteInstall (faster, per best practices).
- Console: Right-click server > Configure Server > Standalone (not Integrated).
- Response settings: “Respond to all client computers” or known clients only.
No AD means no multicast or prestaged devices, but PXE unicast works great. Server Fault confirms standalone WDS runs smooth for this.
Restart the Deployment Server service. Boom—your server listens on PXE ports.
Configuring DHCP and Network for PXE
PXE boot needs DHCP to point clients right. Two options:
- DHCP Options (preferred): Set option 66 (next-server) to WDS IP, 67 (bootfile) to \Boot\x64\wdsnbp.com.
- IP Helpers: On router/L3 switch, forward UDP 67/68/69/4011 to WDS IP.
Enable UEFI PXE in client BIOS: Network Boot > UEFI PXE first. For cross-subnet, helpers are key.
Test: Boot a client. Should grab IP, then hit WDS. If not, check firewall (open those ports).
Custom PXE Menu for Hostname Input
Default WDS menu’s basic. For hostname entry, inject iPXE or pxelinux. Free and flexible.
Download iPXE (ipxe.org), build undionly.kpxe (UEFI chainloader). Drop into RemoteInstall\Boot\x64.
Custom menu.ipxe script (embed or HTTP-serve):
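```
#!ipxe
:menu
menu PXE Deployment Menu
item win11-auto Windows 11 Auto Install
choose --default win11-auto option && goto ${option}

:win11-auto
# Prompt for the name; read stores the typed value in the hostname setting
echo -n Enter hostname:
read hostname
# uristring URI-encodes the value before it goes into the query string
chain http://yourserver/boot.ipxe?hostname=${hostname:uristring} || goto menu
```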
This prompts “Enter hostname:”, passes to a dynamic handler. Serve via IIS/HTTP on server. WDS chains to it.
iVentoy alternative: Free tool bundles TFTP/HTTP/DHCP. Drop Win11 ISO, edit menu.cfg for hostname prompt. 4sysops tutorial covers it.
Client boots, types “PC-001”, menu subs it into autounattend.xml URL.
Unattended Windows 11 Installation
Core magic: autounattend.xml. Place in install share (D:\RemoteInstall\Images\Win11\Sources$$\Setup\Scripts) or generate dynamically.
Basic template (Microsoft Learn example):
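```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SetupUILanguage><UILanguage>en-US</UILanguage></SetupUILanguage>
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ImageInstall>
        <OSImage>
          <!-- Targets an existing partition; no DiskConfiguration is defined in this template -->
          <InstallTo><DiskID>0</DiskID><PartitionID>1</PartitionID></InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <ProductKey><Key>YOURKEY</Key></ProductKey>
      </UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <!-- ComputerName is applied in the specialize pass, not oobeSystem -->
      <ComputerName>${HOSTNAME}</ComputerName> <!-- Injected from PXE -->
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
    </component>
  </settings>
</unattend>
```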
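The iPXE script fetches http://server/unattend.php?hostname=PC001, and the PHP handler substitutes the name into the template: str_replace('${HOSTNAME}', $_GET['hostname'], file_get_contents('template.xml')). Validate the hostname before substituting it: the value comes from an unauthenticated PXE client and ends up in an answer file that Setup acts on.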
Import Win11 image to WDS, link boot.wim. Client PXE boots, installs hands-free.
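An added example (not from the original page): a Python stand-in for the unattend.php handler described above that allowlists the PXE-supplied hostname before it reaches the answer file, so markup in the query string cannot add elements such as extra commands. The one-line TEMPLATE, the function names and the 127.0.0.1:8080 listener are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

# Constructed stand-in for template.xml: only the element the handler fills in.
TEMPLATE = "<ComputerName>${HOSTNAME}</ComputerName>"

# Windows computer name: 1-15 characters, letters, digits and hyphen only,
# no hyphen at either end. Everything else is rejected, never "cleaned up".
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?")


def validate_hostname(raw):
    """Return raw unchanged if it is a safe computer name, else raise ValueError."""
    if not NAME_RE.fullmatch(raw):
        raise ValueError("hostname must be 1-15 chars of A-Z, a-z, 0-9 or '-'")
    if raw.isdigit():
        raise ValueError("hostname must not consist only of digits")
    return raw


def render_unattend(template, query_string):
    """Build the answer file for one request; raise ValueError on bad input."""
    values = parse_qs(query_string, keep_blank_values=True).get("hostname", [])
    if len(values) != 1:
        raise ValueError("exactly one hostname parameter is required")
    name = validate_hostname(values[0])
    # escape() cannot change an allowlisted name; it stays as a second barrier
    # in case the pattern above is ever loosened.
    return template.replace("${HOSTNAME}", escape(name))


def app(environ, start_response):
    """WSGI entry point playing the role of unattend.php."""
    try:
        body = render_unattend(TEMPLATE, environ.get("QUERY_STRING", ""))
    except ValueError as exc:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [str(exc).encode("utf-8")]
    start_response("200 OK", [("Content-Type", "application/xml")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

A rejected request gets a 400 and no answer file, so a mistyped or hostile name stops the deployment at the menu instead of producing a machine with an unexpected configuration.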
Post-Install Automation with Kaspersky
Installs done? Now software. Use FirstLogonCommands in autounattend.xml:
```xml
<FirstLogonCommands>
  <SynchronousCommand wcm:action="add">
    <CommandLine>powershell -ExecutionPolicy Bypass -File C:\Windows\Setup\Scripts\PostInstall.ps1</CommandLine>
    <Description>Install Kaspersky</Description>
    <Order>1</Order>
  </SynchronousCommand>
</FirstLogonCommands>
```
PostInstall.ps1 (drop in $$\Setup\Scripts):
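```powershell
# Download/install Kaspersky (use offline MSI for airgapped)
$msi = Join-Path $env:TEMP 'kaspersky.msi'
# -UseBasicParsing avoids the Internet Explorer first-run dependency on a fresh install
Invoke-WebRequest -Uri "http://server/kaspersky.msi" -OutFile $msi -UseBasicParsing
# Quote the path so a TEMP directory containing spaces does not split the msiexec arguments
Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /quiet /norestart" -Wait
# Add more: Chocolatey, drivers, etc.
```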
Kaspersky’s enterprise MSI supports silent deploys. GitHub UnattendedWinstall has ready debloat/post-install examples.
Secure Boot Compatibility
Secure Boot enabled? Yes, it works—but picky. UEFI PXE stack must be signed.
- Use Win10 boot.wim: Microsoft-signed, chains fine.
- Client BIOS: Enable Secure Boot + UEFI Network Boot.
- iPXE: Grab signed EFI build (ipxe.org builds).
Microsoft Q&A notes Win11 boot.wim quirks, but Win10 workaround nails it. Test on one machine first.
Troubleshooting Common Issues
PXE boot failed? Check DHCP options, firewall, subnet. “No boot filename”? Wrong bootfile name.
Win11 skips? Wrong boot.wim—swap to Win10.
Hostname not sticking? Verify iPXE var pass-through.
Slow? SSD for RemoteInstall, IP helpers tuned. Danny Moran’s MDT+WDS guide has perf tips.
iVentoy as backup: Simpler for menus, no WDS.
Sources
- Windows Deployment Services boot.wim support
- Windows 11 deployment via WDS Q&A
- WDS without a domain
- iVentoy PXE for Windows 11
- Unattend.xml docs
- UnattendedWinstall GitHub
- MDT and WDS for Win11
Conclusion
PXE boot for Windows 11 deployment via standalone WDS delivers exactly what you need: client connects, enters hostname, auto-installs with post-Kaspersky scripting, all free and domain-free. Secure Boot? Covered with signed images. Start small—test on two machines—then scale. Tweak the scripts, and you’ve got a powerhouse for mass deploys. Questions on your setup? Dive into the sources or tweak for your network.