Invoking PDQ Deploy from MDT

Hey all, here’s a slick little script that I use to start PDQ Deploy deployments during an MDT imaging task sequence. PDQ Deploy does not currently have an officially sanctioned and documented way to kick off deployments remotely (ask their support team for more info on that), but it can be done.

Caveat: the script in its current state does expose credentials over the network; a malicious attacker could use Wireshark or any packet sniffer, blah blah blah, you don’t care; let’s get down to business.

netsh advfirewall set allprofiles state off
ipconfig /registerdns
\\<mdt_server_fqdn>\DeploymentShare$\Scripts\psexec.exe \\<pdq_server_fqdn> -h -u <domain>\<user that can psexec> -p <password> -accepteula ipconfig /flushdns
\\<mdt_server_fqdn>\DeploymentShare$\Scripts\psexec.exe \\<pdq_server_fqdn> -h -u <domain>\<user that can psexec> -p <password> -accepteula "c:\program files (x86)\Admin Arsenal\PDQ Deploy\pdqdeploy.exe" Deploy -Package "New PC Setup" -Targets $env:COMPUTERNAME
start-sleep 30
while(test-path "C:\Windows\AdminArsenal\PDQDeployRunner\service-1.lock"){
 start-sleep 30
}

So, let’s look at this step-by-step:

netsh advfirewall set allprofiles state off
ipconfig /registerdns

This disables the firewall of the machine you’re imaging. This ensures that it’s not going to block PDQ Deploy from connecting. Then it tells the machine to register itself with DNS. This is so PDQ Deploy can look it up via hostname for the deployment. If your DNS is broken you have bigger issues.

\\<mdt_server_fqdn>\DeploymentShare$\Scripts\psexec.exe \\<pdq_server_fqdn> -h -u <domain>\<user that can psexec> -p <password> -accepteula ipconfig /flushdns
\\<mdt_server_fqdn>\DeploymentShare$\Scripts\psexec.exe \\<pdq_server_fqdn> -h -u <domain>\<user that can psexec> -p <password> -accepteula "c:\program files (x86)\Admin Arsenal\PDQ Deploy\pdqdeploy.exe" Deploy -Package "New PC Setup" -Targets $env:COMPUTERNAME

This section flushes the DNS cache on the PDQ Deploy server so that it has a fresh and accurate DNS entry (the one we registered just before) for the target machine. Then, it uses psexec to start pdqdeploy.exe, telling it to deploy a package by the name of “New PC Setup” (you can change this to whatever package you want), targeting $env:COMPUTERNAME, which is the machine being imaged.

Notes here:

  • You need a copy of psexec in the Scripts folder of your DeploymentShare.
  • <mdt_server_fqdn> should be the FQDN of your MDT server. This can be the same as the next variable…
  • <pdq_server_fqdn>, which should be the FQDN of the server that has PDQ Deploy.
  • <domain>, <user that can psexec>, and <password> should be self-explanatory.

start-sleep 30
while(test-path "C:\Windows\AdminArsenal\PDQDeployRunner\service-1.lock"){
 start-sleep 30
}

Lastly, this is the cute part. The script sleeps for 30 seconds while the deployment is going on. This gives the PDQ Runner service time to connect and start doing its thing. Part of its thing is creating a file called service-1.lock that is present as long as the PDQ deployment is still in progress. We watch for this file to exist and re-check every 30 seconds. Once it’s gone, that means the PDQ deployment is complete and MDT can move on to the next step.
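As an added example that is not part of the original post, here is a bounded PowerShell replacement for the sleep/while tail above: it first waits for the lock file to appear (the original loop exits immediately, before anything is deployed, if the Runner takes more than 30 seconds to start), then waits for it to go away with an upper limit, and re-enables the host firewall on the way out. The lock-file path is the one the post names; the timeout values and the firewall re-enable are assumptions to adjust to your task sequence.

```powershell
# Added example, not from the original post. Lock-file path is the one the
# post names; timeouts are placeholder values to tune for your environment.
param(
    [string]$LockFile = 'C:\Windows\AdminArsenal\PDQDeployRunner\service-1.lock',
    [int]$AppearTimeoutSec = 300,   # how long to wait for the Runner to start
    [int]$FinishTimeoutSec = 3600,  # how long a deployment may take
    [int]$PollSec = 30
)

function Wait-PdqDeployment {
    param([string]$Path, [int]$AppearTimeout, [int]$FinishTimeout, [int]$Poll)

    # Phase 1: wait for the Runner to create the lock. The original script
    # assumes this happens within 30 s; if it does not, its while loop sees no
    # file and MDT moves on before the package has been deployed.
    $deadline = (Get-Date).AddSeconds($AppearTimeout)
    while (-not (Test-Path -LiteralPath $Path)) {
        if ((Get-Date) -gt $deadline) { return 'RunnerNeverStarted' }
        Start-Sleep -Seconds $Poll
    }

    # Phase 2: the lock exists while the deployment runs. Bound this wait too,
    # so a hung deployment cannot stall the task sequence forever.
    $deadline = (Get-Date).AddSeconds($FinishTimeout)
    while (Test-Path -LiteralPath $Path) {
        if ((Get-Date) -gt $deadline) { return 'TimedOut' }
        Start-Sleep -Seconds $Poll
    }
    return 'Completed'
}

try {
    $result = Wait-PdqDeployment -Path $LockFile -AppearTimeout $AppearTimeoutSec `
        -FinishTimeout $FinishTimeoutSec -Poll $PollSec
}
finally {
    # Assumption: no later task-sequence step needs the firewall off. Turn it
    # back on whatever happened, so the imaged machine is not left exposed if
    # the deployment fails or hangs.
    netsh advfirewall set allprofiles state on | Out-Null
}

Write-Output "PDQ deployment status: $result"
# A non-zero exit code lets MDT mark the step as failed instead of continuing.
if ($result -ne 'Completed') { exit 1 }
exit 0
```

A deployment that starts and finishes inside a single poll interval would never be seen in phase 1 and would be reported as RunnerNeverStarted, so keep $PollSec well below the shortest package runtime you expect.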