Walkthrough: Building a Windows 10 1709 (Fall Creators Update) Reference Image with Microsoft Deployment Toolkit

Update 16/01/2018: Updated this post to reflect the release of Microsoft Deployment Toolkit 8450, which fully supports Windows 10 1709.

Update 30/10/2017: If SysPrep is consistently failing when building your Windows 10 1709 image, it is most likely due to the Windows Store update process updating the built in UWP apps. This issue is a known issue, but one I’ve managed to dodge when building previous versions of Windows 10. With 1709, I’ve had SysPrep fail every time. More information on this issue is available directly from Microsoft here.

Solution: The best way to prevent SysPrep from failing is to disable the Store update process or to disable internet access.

For more information on how to disable the Windows Store update process, please read this blog post from Johan Arwidmark’s Deployment Research.

If the fix above isn’t working for you (it didn’t work for me either), or you would rather disable internet access without resorting to editing your network configuration, check out this post from Peter Löfgren’s System Center Ramblings, where he has created a PowerShell script to use Windows Firewall to block internet access for the duration of the image build process. The PowerShell script is included below in this walk through.

Original Post

This post is designed to walk through installing and configuring Microsoft Deployment Toolkit to build a reference image of Windows 10 1709 (better known as the Fall Creators Update) using a Hyper-V Virtual Machine. Some useful links before we get started:

Installing & Configuring Microsoft Deployment Toolkit and Dependencies.

We’ll be using Microsoft Deployment Toolkit (MDT) version 8450,which fully supports Windows 10 1709.

Here’s the links to download the software we’ll be installing:

First we’ll install the Windows 10 1709 ADK. The setup will need to download additional files so it may take some time depending on your internet connection.

On the Select the features you want to install screen select:

  • Deployment Tools
  • Windows Preinstallation Environment (Windows PE)
  • Imaging And Configuration Designer (ICD)
  • Configuration Designer
  • User State Migration Tool (USMT)

Now install MDT by running the setup file downloaded earlier. There is no specific configuration during the install wizard. After it’s installed we need to create the Deployment Share.

Create the Deployment Share

  1. Open the Deployment Workbench from the Start Menu.
  2. Right click on Deployment Shares.
  3. Select New Deployment Share.
  4. Enter the path for the Deployment Share: E:\BuildShare.
  5. Enter the Share nameBuildShare$.
  6. Give the share a descriptive name.
  7. On the Options screen, accept the defaults as you can change them later.
  8. Complete the wizard to create the share.

We now need to add an Operating System to work with.

Add an Operating System

  1. Mount the Windows 10 1709 .iso in File Explorer.
  2. Go to Deployment WorkbenchOperating Systems.
  3. Right click and select New Folder.
  4. Enter the name Windows 10 1709 x64 and click through the wizard to create the folder.
  5. Right click again and select Import Operating System.
  6. In the wizard, select Full set of source files and then enter the root of the mounted .iso as the Source directory.
  7. For the destination directory name enter Windows 10 1709 x64 and complete the wizard.
  8. Go to the Operating Systems/Windows 10 1709 x64 node and rename the new entries you just added to Windows 10 1709<Edition>x64.

 

Next we’ll be adding the latest Cumulative Update for Windows 10 1709 downloaded earlier, to do this we’ll be adding it to the Packages section of MDT. The reason we do this is so the CU will be installed with the Operating System, rather than relying on WSUS or Windows Updates to download and install it. The advantage of doing it this way is the entire Task Sequence will be faster and Windows will be up to date when it is installed.

Importing Packages

  1. Go to Deployment Workbench > Packages.
  2. Create a folder named Windows 10 1709 x64.
  3. Right click on the folder and select Import OS Packages and go through the wizard to add the package. The downloaded update .msu file must be in a folder by itself.

Now we create a selection profile so that the Task Sequence only attempts to install the update for Windows 10 1709 x64.

Creating A Selection Profile

  1. Expand the Advanced Configuration node.
  2. Right click on Selection Profiles and select New Selection Profile.
  3. Name it Windows 10 1709 x64.
  4. On the Folders page, tick the Windows 10 1709 x64 folder under Packages and complete the wizard.

Importing Applications (Optional)

You may want to add some applications to be a part of your reference image, here I’ll cover how to add Microsoft Office. MDT recognises Microsoft Office and provides automated/silent install options.

  1. Go to Deployment WorkbenchDeployment Share > Applications.
  2. Right click on Applications and select New Application.
  3. In the New Application Wizard, choose Application with source files.
  4. Give the application the name: Microsoft Office.
  5. Enter the Source directory of the installation files.
  6. Enter the Destination directory: Microsoft Office.
  7. For the Command line enter anything – we’ll revisit this soon.
  8. On the summary page, click Next and after the files are copied click Finish to complete the wizard.

Configure the Application – Microsoft Office

  1. Right click on Microsoft Office, go to the Office Products Tab.
  2. Choose the desired Office Product to Install from the drop down menu.
  3. Check the desired Office language.
  4. Enter a product key, unless you will be activating Office via KMS in which case leave the Product Key option unchecked.
  5. Check the Customer name option and enter the desired information.
  6. Check the Display level option and select None in the drop down menu.
  7. Check the Accept EULA option.
  8. Check the Always suppress reboot option.
  9. Click Apply.
  10. Go to the Details tab and the Quiet install command should now read:
    setup.exe /config proplus.ww\config.xml

Microsoft Office is now set up to be installed silently by a Task Sequence. If you wish to customise the installation to a greater degree, the Office Customization Tool can be launched from the Office Products tab. This process can also be done for Microsoft Visio and Project applications.

We need to now create the Task Sequence that will create our reference image of Windows 10 1709.

Create a Task Sequence

  1. In Deployment Workbench, go to Task Sequences.
  2. Right click and select New Task Sequence.
  3. For the ID enter: W10-1709.
  4. Name it Build Windows 10 1709.
  5. Select Standard Client Task Sequence.
  6. Select the Operating System Windows 10 1709 x64.
  7. Do not specify a product key at this time.
  8. Enter an Organization name.
  9. Do not specify an Administrator password at this time.
  10. Complete the wizard.

Now we’ll configure the Task Sequence.

Configure the Task Sequence

  1. Right click on the Task Sequence just created and select Properties.
  2. Go to the OS Info tab and click Edit Unattend.xml. It will take sometime to generate the catalog.
  3. When the Unattend.xml opens, go to 7 oobesystemamd64_Microsoft-Windows-Shell-Setup__neutral > OOBE.
  4. Change the ProtectYourPC setting to 3. This will prevent the image from randomly checking for updates whilst it is being built.
  5. Save the Unattend.xml, you can safely ignore an warnings.
  6. Go to the Task Sequence tab on the Properties window of the Task Sequence.
  7. Expand the Preinstall folder, and select the Apply Patches item.
  8. Change the Selection Profile to Windows 10 1709 x64.
  9. Go to the State Restore folder and select Windows Update (Pre-Application Installation).
  10. On the right side of the Properties window, go to the Options tab.
  11. Uncheck the Disable this step tick box and do the same with Windows Update (Post-Application Installation).
  12. If you skipped the Importing Applications section, please disable the Install Applications item and go to step 16, if not please continue.
  13. Go to the Install Applications item.
  14. In the right side of the Properties box, select the Install a single application option and click the Browse… button.
  15. Select Microsoft Office and change the name Install Applications to Microsoft Office.
  16. Click Apply and close the Task Sequence.

Blocking Internet Access to prevent Windows Store App Updates

To block internet access to the VM whilst the image is building, we’ll use the script from Peter Löfgren’s System Center Ramblings post. First create a PowerShell script called Internet-Access.ps1 with the following code:

## Creates the disable option used by the script
param (
   [Parameter(Mandatory=$False,Position=0)]
   [Switch]$Disable
)

## If the Disable command line option is not added, the script adds a Firewall Rule to block traffic on ports 80 (http) and 443 (https).
If (!$Disable)
{
   Write-Output "Adding internet block"
   New-NetFirewallRule -DisplayName "Block Outgoing 80, 443" -Enabled True -Direction Outbound -Profile Any -Action Block -Protocol TCP -RemotePort 80,443
}

## If the Disable command line option is added, the script removes the Firewall Rule created above.
If ($Disable)
{
   Write-Output "Removing internet block"
   Get-NetFirewallRule -DisplayName "Block Outgoing 80, 443" | Remove-NetFirewallRule
}

Save the script in your MDT share, where the Task Sequence will be able to access it. I save my custom scripts in a folder called _scripts the Applications folder.

Now, in the Task Sequence created above, we’ll add the items required to run the PowerShell script to enable and disable the internet blocking firewall rules.

  • Go to the Task Sequence tab on the Properties window of the Task Sequence.
  • Go to State Restore and click on the Add button.
  • Go to General > Run PowerShell Script.
  • Name the new item PS Script – Disable Internet Access.
  • Enter Z:\Applications\_scripts\Internet-Access.ps1 or your own path to the PowerShell script we just created.
  • Scroll down the Task Sequence to just above the Imaging folder.
  • Once again, add a new Run PowerShell Script item.
  • Name it PS Script – Enable Internet Access.
  • Again, enter Z:\Applications\_scripts\Internet-Access.ps1 or or your own path to the PowerShell script.
  • Important: Add -Disable to the Parameters section.
  • Click Apply and OK to close the Task Sequence.

Now just after booting up, a firewall rule will be added to block traffic on ports 80 and 443, and just before starting the SysPrep and capture process the firewall rule will be removed.

Next we’ll create a domain user account for MDT.

Create an Active Directory User for MDT

  1. Go to Active Directory Users and Computers.
  2. Create a user called mdt_admin.
  3. On the server where the deployment share is hosted, give mdt_admin Full Control share permissions and Full Control permissions to all the files and folders under the deployment share.

Now we’ll configure the Bootstrap.ini and the Rules.ini files to control certain aspects of the deployment environment. The settings below enable auto log in and skip the welcome screen, so these should only be used for lab/closed environments.

Configure Bootstrap.ini

  1. In Deployment Workbench, right click the Deployment Share and select Properties.
  2. Select the Rules tab and click the Edit Bootstrap.ini button.
  3. Add the settings below to the Bootstrap.ini.
  4. Close and Save the Bootstrap.ini
[Settings]
Priority=Default

[Default]
DeployRoot=\\SERVERNAME\BuildShare$
UserDomain=contoso.com
UserID=mdt_admin
UserPassword=p@ssw0rd
SkipBDDWelcome=YES

Configure Rules/CustomSettings.ini

On the Rules tab of the Deployment Share properties window, add the settings below. A lot of the settings are specific to my demo environment such as my location in the world.

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipLocaleSelection=YES
SkipTimeZone=YES
SkipDomainMembership=YES
SkipSummary=YES
SkipFinalSummary=YES
SkipComputerName=YES
SkipUserData=YES

_SMSTSORGNAME=Build Share
_SMSTSPackageName=%TaskSequenceName%
DoCapture=YES
ComputerBackupLocation=\\SERVERNAME\BuildShare$\Captures
BackupFile=%TaskSequenceID%_#year(date) & "-" & month(date) & "-" & day(date) & "-" & hour(time) & "-" & minute(time)#.wim
WSUSServer=http://SERVERNAME:8530
FinishAction=SHUTDOWN
SLShare=\\SERVERNAME\BuildShare$\Logs
EventService=http://SERVERNAME:9800

Now it’s time to create the boot media to boot into the deployment environment.

Creating The Boot Media

  1. In Deployment Workbench, right click on the Deployment Share.
  2. Select Update Deployment Share.
  3. Select Completely regenerate the boot images.
  4. Complete the wizard. It will take some time to create the boot images.

Testing The Boot Media

To test the boot media, copy the LiteTouchPE_x64.iso from \\SERVERNAME\BuildShare$\Boot to a location where a Hyper-V Virtual Machine will be able to access it.

Create a new VM in Hyper-V and configure it as such:

  • 2x vCPUs
  • 4GB of RAM
  • NIC with access the MDT server and WSUS server.
  • Virtual Hard Drive of at least 80GB, preferably on an SSD.
  • Boot from DVD Drive using the LiteTouchPE_x64.iso from MDT.

Start the VM and it should boot from the LiteTouchPE_x64.iso into the deployment environment. You should be presented with a wizard and the name of the Task Sequence you created earlier. Select it and click Next.

The Task Sequence will now run, install Windows 10 1709, update from the WSUS server, install Microsoft Office applications (if you added them) and then run Windows Update from the WSUS server again to update the Office apps, run SysPrep and the reboot back into the MDT environment and capture the image.

When this process completes the VM will be shutdown and a file named W10-1709_YEAR_MONTH_DAY_HOUR_MINUTE.wim will be in \\SERVERNAME\BuildShare$\Captures.

You may also want to add scripts and tweaks to your Task Sequence, such as this PowerShell script to uninstall any UWP apps which aren’t needed or these common applications, depending on your environment.

Google Chrome – Enterprise Installer

msiexec /I googlechromestandaloneenterprise64.msi /qn

Adobe Reader – Enterprise Installer

AdobeReaderDC.exe /sAll

You now have a functioning Microsoft Deployment Toolkit server, with a Deployment Share specifically configured for building reference images, and a Task Sequence to build and capture a Windows 10 1709 reference image.

I hope this has helped you out in some way. If you’d like to get in touch with me, please leave a comment or tweet me.

-Mike

Follow Mike on Twitter – @Digressive

62 thoughts on “Walkthrough: Building a Windows 10 1709 (Fall Creators Update) Reference Image with Microsoft Deployment Toolkit

  1. Mike,

    Excellent walk-through as usual.

    I just received my 1709 iso from MSDN – but the images available are all “multi-image” where the WIM looks like this:

    Image Name Index
    Windows 10 Education 1
    Windows 10 Education N 2
    Windows 10 Enterprise 3
    Windows 10 Enterprise N 4
    Windows 10 Pro 5
    Windows 10 Pro N 6

    How do I handle these image indexes within a standard MDT task sequence?

    Michael Niehaus talks about 1709 here:

    https://blogs.technet.microsoft.com/windowsitpro/2017/10/13/windows-10-version-1709-coming-soon/

    But does not offer any insight as to how to target a specific index within an MDT task sequence. Appreciate any info if you have any experience with it.

    Cheers,

    Bruce

    Like

    1. Hi Bruce,
      I did see that there’s now multiple editions in one WIM, which is good. As for deploying them, seeing as they are in MDT as separate OS’s all I’ve been doing is creating a task sequence for each one I want to deploy. So I’ve not needed to target a specific index. Not sure if that really answers your question?

      -Mike

      Like

  2. Mike,

    Just building a TS now – and just read that I should see 6 different OS types when importing the OS image. Should have no issues with it now 🙂 Will report back after I give this a go.

    B

    Liked by 1 person

  3. Hi
    Have you been able to try removing the preprovisioned apps in the OS such as mail, people, solitaire, camera etc?
    When i tried it then they still appear once the wim is reconstructed into an ISO

    Like

      1. Ah thanks, I didnt know about that indexes bit! I was removing the apps from index 2, not index 1
        Hopefully it will work when i get to try it on monday!

        Liked by 1 person

  4. Mike, I am having a terrible time getting MDT to import an OS. I downloaded the Installation Media from MS and had it put on a usb-stick for installation on another PC. I copied the iso to the hd and then mounted it (saw it as if it was a dvd) … no luck. Get a fix all errors message with no detail. Tried to decompress the iso … no luck.
    Copied a win10 1703 dvd to the hd (just as a test) and it worked. I did install the new adk. Since I am not a business, I haven’t been able to download the OS from the site you have in the document. I build the clones for a charitable group that refurbs PC’s and gives them to needy kids for free. We are part of the MS MRR program, so we get the licenses for a reduced rate …. but are having a tough time getting installation media.
    Any help / ideas would be greatly appreciated ….

    Gary D

    Like

    1. Hi there Gary,

      Sorry to hear you’re having trouble. The one point that stands out to me is where you download the OS from, although you mentioned that it works fine 1703, so I assume you downloaded that from the same place. Just to be clear, I am not in any way insinuating that you are obtaining Windows from a dodgy site, you mentioned downloading it from MS, so we’re all good there. The only thing I can think of is that the ISO you have, is it for the Professional/Education/Enterprise editions of 1709? I think MDT only supports those editions and won’t work with some others, although I haven’t actually tried myself. Also, just the standard checks: could it be the the ISO is corrupted in some way? Another possibility could be that, with the changes in how 1709 is packaged, it could be causing you these issues that you didn’t get with 1703 when importing. I’m sorry I can’t give you a solid answer, it sounds like you’re doing great work.

      -Mike

      Like

      1. Thanks for the quick reply …. yep, we are legal. We do a google search on download windows 10 installation media. Get a copy of the media to be installed on another PC (puts it on a usb stick or dvd-iso). Like some of the other post … I think it has to do with MS putting all versions plus 32 and 64 bit on the same installation media. I will go back to the site and try to download only a 64bit install and see if that is the problem.
        Gary D

        Like

  5. We upgraded some of our images that we host on VMWare from 1703 to 1709, then attempted to capture them like we always do, but the capture fails with the same error each time. Panther logs state: “Package Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy was installed for a user, but not provisioned for all users”. The way we’ve gotten around it in the past is running a few powershell commands:
    get-appxpackage | remove-appxpackage
    get-appxprovisionedpackage -online | remove-appxprovisionedpackage

    It shows that it looks like it’s removing the app packages including Miracast, however the error persists. I did a test though: I installed a 1709 fresh install on a VM, then immediately attempted a capture, and it worked perfectly. I didn’t even have to run the powershell commands. The research I’ve been doing has turned up that we needed a registry key to block certain appx packages from automatically downloading/updating while we worked on the image:

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 00000002 /f
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v SilentInstalledAppsEnabled /t REG_DWORD /d 00000000 /f
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent /v DisableWindowsConsumerFeatures /t REG_DWORD /d 00000001 /f

    I’m wondering… do we need to build our images fresh and put in the registry key? This would waste a lot of time for other images that are already pre-built…

    Other thought: should we just put in these registry keys before we upgrade the rest of our images to 1709 from 1703? (Then maybe we won’t have this issue with trying to capture later on again?)

    Thanks,
    Daniel

    Like

    1. Hi there,
      The problem is when building the image, access to the internet needs to be disabled, or auto updating needs to be disabled – as you mentioned.

      I also noticed that building an image which basically just installs Windows then captures works totally fine.

      Personally I build fresh images when a new version of Windows 10 comes out, and I do that using VM’s with internet access disabled. I have a script that automates the process, which I’ve written about here: https://gal.vin/2017/08/26/image-factory/

      But you can set registry keys to disable auto updating after installing Windows, but before doing any other tasks. Johan Arwidmark wrote about how to do that here: https://deploymentresearch.com/Research/Post/615/Fixing-why-Sysprep-fails-in-Windows-10-due-to-Windows-Store-updates

      -Mike

      Like

  6. Great article – thank you

    Options like changing the lock screen background, start menu modifications, task bar modifications, do they all need to be completed by capturing a reference image ?

    Or if I was to follow your aticle, is there a need to use a reference image ?

    Like

    1. Hi there,
      No they don’t need to be done by capturing a reference image. They can be done in a Task Sequence when deploying a new Windows installation, or with Group Policy.

      -Mike

      Like

      1. Awesome – thanks Mike

        Once an image has been captured ( we don’t have SCCM ) is it most efficient to then manage the updates moving forward from within MDT ?

        Like

      2. I assume you mean the next “big” Windows 10 update, the feature updates? Yes, MDT is best I think. WSUS/Windows Update can push them out and get you on the latest version of the OS, but you have no control over them, or at least not like with MDT.

        -Mike

        Like

  7. Hey Mike,

    For me, using the local group policy editor and disabling the store as well as updates from the store has worked for me with Syspreping 1709. For my client, they have the windows store disabled anyways so it works out in the end,but for those who actually use the store in the enterprise, you can just set up a domain GPO to enable the store if needed, which will take place after the image has been deployed.

    Like

  8. I am using the Windows 10 volume licensing ISO (SW_DVD5_Win_Pro_Ent_Edu_N_10_1709_64BIT_English_MLF_X21-50143) which now bundles Windows 10 Enterprise, and Windows 10 Education, and Windows 10 Pro together.
    I am trying to perform a “Standard Client Upgrade Task Sequence” using MDT 6.3.8443.1000 and WADK 10.1.16299.15. I have selected the “Windows 10 Enterprise” OS in the “New Task Sequence Wizard” but I am getting the error “Setup failed to upgrade OS from Windows10v1709\setup.exe, rc = -1047526912″ followed by “ZTI ERROR – Non-zero return code by LTIApply, rc = 1”, and then “Litetouch deployment failed, Return Code = -2147467259 0x80004005”. I assume this is because of the ISO contains multiple images but do not see a way to select the Image Index in the “Upgrade Windows” Task Sequence. The “Upgrade Windows” Task Sequence displays the “Windows 10 v1709 Enterprise install.wim”.

    Like

    1. Hi there,
      That’s really odd, I’ve done pretty much what you said and I’ve not had those issues, at least with upgrading from 1607 and 1703 to 1709. It shouldn’t be because of the multiple images in the ISO because, when you import it into MDT, you should get all the separate editions as separate OS’s. I’ve seen the error you posted many times for many different reasons, so I’m afraid based of what you said, nothing stand out to me. I’m assuming your running the upgrade Task Sequence from MDT using the LiteTouch.vbs or using SCCM? Here’s some screenshots from my upgrade task sequence, hopefully it helps.

      -Mike

      Like

      1. Yes I am using MDT LiteTouch.vbs only, and my envuironment looks like your swcreen shots. I am using the “Standard Client Upgrade Task Sequence” and it worked fine with “Windows 10 Creators update 1703”, but broke when I changed the “Operating system to install” to “Windows 10 1709 Enterprise x64”.
        Since the multiple images was the only major change to the imported media, I assumed thats what broke it.
        I did change the display name for the operating system but I have done that before with the preious imported images with no problems.
        I will download new media and see if re-importing it keeping the default names makes a difference.

        Liked by 1 person

  9. Hey Mike,

    Just wondering if you have ever seen this oddball behavior within an MDT layout.

    Suddenly today – out of the blue – when I run an upgrade of 1709 into an existing VM of 1607 – I get this bizarre error with about a minute before the install is actually complete:

    Onscreen – Windows is still running it’s last update cycle (Spinning circle light blue screen saying Working On Updates 100% Don;t turn off your PC. This will take a while) and then suddenly this dialog pops up as if it’s trying to “reoffer” me a selection of task sequences to run?

    I wish I could post a few screen caps up here but the dialog is titled Windows Deployment Wizard with the words Task Sequence in large print cross the top. Inside the border I see “Select a task sequence to execute on this computer”. Inside the dialog panel is another weird error “No task sequences are available (Tasksequences.xml does not exist, is empty or is inaccessible”)

    Overlaid upon the Task Sequence dialog is another small messagebox with an OK button that displays this:

    A VBScript Runtime Error has occurred:

    Error: 500 = Variable is undefined

    VBScript Code:
    ——————-
    InitializeTSList

    If click Ok on the box – I get another message asking if I want to quit the wizard. I then click Yes and go right back into the Messagebox. I do the OK/yes dance a couple more times and then the wizard finally redisplays my global list of task sequences again.I finallt hit Cancel one last time and the mess goes away and install stumbkles to completion.

    My setuperr.log is full of bizarre entries that make little sense to me (and I am a programmer!).

    Would appreciate any sort of push in a general direction to figure out what is going on?

    Cheers,

    Bruce

    Like

      1. Mike,

        This is most bizarre. I did an upgrade to 1703 using the same MDT share, layout etc and it completed perfectly?

        At first I thought maybe my OS source files were messed up so I completely dumped everything and re-imported a fresh set of 1709 files from the iso – but that did not work either.

        From what I can see so far – it may have something to do with the name of the Task Sequence or some other obscure thing in the bowels of the MDT install.

        I will keep hunting.

        B

        Like

      2. Mike,

        Just found out that I am not the only one with this..

        https://social.technet.microsoft.com/Forums/en-US/96b5c809-a59d-4d90-9136-69ecec101c05/upgrade-task-sequence-not-working-on-windows-adk-10-v1709-and-mdt-8443?forum=mdt

        I am going to stand down on any in-place upgrades to 1709 until MS gets MDT properly updated for all 1709 scenarios.

        1709 works great with MDT 8443 as long as I am doing a clean install TS. But the upgrade is a problem…

        B

        Like

  10. Thank you for the write up! Super helpful…running into one issue though. When the image is applying settings I get an error stating that the install cannot proceed and that it failed at the specialized portion of the unattend.xml. The exact same task sequence will work with an older version of Win10. Just not Fall Creators. Have you seen something like this?

    Like

    1. Hi there,
      I have had some issues before with the unattend.xml, but it can be many things. My common problem is that, because I automate the computer name, sometimes it’s too long. Outside of that, I’ve not had many issues with it I’m afraid.
      -Mike

      Like

      1. Mike and anyone else who comes across this,

        It appears to be an issue with my Hyper-V VM. I am able to successfully image a laptop and a VMWare workstation VM. I am not going to dig any further on this, but if anyone does run across this issue and finds a solution it might be helpful to the next guy!

        Like

    2. Hi Ryan. As this issue happened during Windows Setup, you should check the setupact.log in %WinDir%\panther (OOBE phase) or %WinDir%\panther\UnattendGC (Specialize phase) for more information. SetupErr.log is rarely useful. I did run into an interesting issue, where it seems that Device Guard (or WDAC in 1709) is enabled out of the box and somehow blocks the execution of reg.exe, which is being used in the unattend file to execute some RunSynchronous commands. Check if you are seeing error 0x800711c7 in the log.

      Like

  11. Ryan,

    Would be helpful to see exactly what the error message is? If you have altered a few other parts of unattend.xml – would be interested to see what you changed.

    And the Hyper-V thing – that’s all I use here – just build a stock VM (Gen 2) with 2048 RAM, 4 CPU and at least 40GB hard disk – have never had an issue with unattend.xml. (The only thing I ever change is the Protect your PC setting).

    And have you updated the Deployment share and created some fresh iso’s lately?

    B

    Like

  12. Mike,

    Thanks for the great write up!

    Wanted to see if you have any suggestions about deploying larger programs such as ACAD? We were making use of audit mode in Windows 7 so the application itself was included on the image. This helped speed up the process since there is some customization we must do to the application manually. Seems like with the newer versions of 10, Audit mode isn’t really an option anymore.

    Like

    1. Hi Brent,
      Thanks for the kind words. As of this week, I’ve moved onto a new project at a much larger organisation, and I will absolutely be dealing with large applications and Windows 10 deployment. I’ll post about any findings and improvements as I come across them. I’ve no time frame for this at the moment though as I’m currently re-building the team and infrastructure.
      -Mike

      Like

  13. Can I ask for explanation of this guide? If I understand it, you will make bootable ISO, which installs system on machine, installs office, updates all and syspreps machine and saves captured image to MDT storage ? And then what? I need to deploy 20 same HW machines, how do I do that with this? Do I have to configure WDS and deploy captured image via pxe boot? Thanks for any details, MDT is new for me, I was working only with WDS capture and deploy before.

    Like

    1. Hi there,
      You use this guide to create a clean image with Hyper-V, then you use MDT, with PXE boot and WDS to image all the devices you need to. Here’s some posts I wrote on PXE booting with WDS and deploying images:

      PXE booting for MDT: https://gal.vin/2016/11/28/pxe-booting-for-mdt/
      Advanced PXE booting for UEFI and BIOS: https://gal.vin/2017/05/05/pxe-booting-for-uefi-bios/
      Deploying a Windows 10 1607 image with MDT: https://gal.vin/2017/01/21/deploying-a-windows-10-reference-image-with-microsoft-deployment-toolkit/

      Hope it helps,
      -Mike

      Like

  14. I was able to capture reference image, which had only Windows, cumulative update and MS Office 2016 pro in it. However after capturing and deploying, it has MS Office missing. I am sure, there were no errors during deploying ref image and capturing it afterwards. So why would install of MS Office be skipped? Any ideas welcomed, thanks.

    Like

  15. Just FYI – This worked for me without having to disable internet access. I think having the image entirely up to date beforehand was the trick, at least for me.

    Thus ends 11 hours of sweat, blood, tears, toil, and gnashing of teeth.

    Like

    1. I am trying so hard to make reference machine in VM, I tried everything according to this guide, but at the very end, when Sysprep phase executes and reboots computer, it is auto logged and then I see message “Error “Can not find script file C:\LTIBootstrap.vbs”” and it doesnt continue anymore, it just sits there and no image is captured. Can somebody point me to some info how to solve this? I tried to search very hard for this, I have all tools in latest version, latest Windows and Office instalation files, cannot get it working.

      Like

      1. So I probably found why it was failing. I was using Hyper-V gen 2 machine. When I created the same param machine but gen 1, it deployed and captured with no issues.

        Like

  16. Hi Mike, maybe you can help me with this: I have a dell xps 9550 and recently updated to win10 1709 that causes my default profile (with admin power) to have broken permissions: cannot run anything with admin privileges and add to roll back. Now the problem is that I have to periodically roll back to 1703 because 1709 keeps auto installing and breaking the profile. I have Home version so cannot go for the delay trick. Looking forward your magic 🙂

    Like

    1. Hi Marco, It’s difficult for me to suggest a fix for this, I’ve never come across it myself. If I personally I had this issue I’d most likely just re-install Windows from scratch. I’m sorry I can’t help more, I usually deal with corporate IT and managed installations of Windows.

      -Mike

      Like

  17. Hi all

    Fairly new to MDT but I believe I have got my head around most aspects. I’ll quickly describe the environment and then explain the issue.

    I have MDT 2013 Update 2 installed and ADK for Windows 10 on a domain joined computer, with a second laptop with Windows 10 1709 as my reference image ( this is not domain joined )

    I have since taken both computers home ( off the corporate network – on to my home network ) and attempted to capture the image. I have successfully browsed the DeploymentShare on the MDT computer from the reference image. But the moment I attempt to run the LiteTouch.vbs I receive the below error:

    I have read a few posts on how to fix this, but I have been unable to do so. I have created two local user accounts to auth against the DeploymentShare, but I get the error with both accounts. Being on my home network, would that have any issues ?

    Below are my bootstrap.ini and customsettings.ini files ( passwords marked out )

    Any help would be greatly appreciated!!!

    Like

    1. Hi there Dan,

      Moving the computers off the corp network home certainly could be causing some issues to do with authentication. Have you set permissions on the deployment share – both the share ACLs as well as the file ACLs.

      Also more generally, you might have better luck building a reference image using a Hyper-V VM. Using Hyper-V keeps the image clean and driver-less.

      -Mike

      Like

  18. Dan,

    Your problem is not strictly with passwords – most likely with the Security settings on your MDT deployment share.

    I assume you are running LiteTouch manually from the other machine – the Sharing permissions on the actual MDT install folder must allow the acct you are using on the laptop to access the share correctly.

    And I do not understand what this means:

    “I have successfully browsed the DeploymentShare on the MDT computer from the reference image.”

    I think a better explanation of exactly what is where (MDT etc) and how you are attempting to capture is in order…

    Cheers!

    B

    Like

  19. Hi Bruce

    Thanks for the reply – Correct – I connect to the computer and run the LiteTouch.vbs from the reference computer manually ( UNC to the DeploymentShare ) Sorry this is what I meant when I said “I have successfully browsed the DeploymentShare on the MDT computer from the reference image.”

    I have since brought both computers back into the office – the authentication and running the litetouch.vbs has since worked – I have another issue at hand, but at least the script is running now.

    Must have been some weird issue with not being on my corporate network!

    Like

  20. Hey Mike, maybe you can help me out. I have a Reference VM that I capture my company image from. I updated it in place from Windows 10 Enterprise 1703 to 1709, and experienced the failures when i tried to sysprep and capture task sequence in MDT. I decided to start fresh after I fought with it for 2 days. I built a new VM, downloaded the 1709 iso, installed it onto the VM, then ran the LiteTouch.vbs script (before adding any applications), and it worked with zero errors. I then proceed to add all of my applications, installed a windows cumulative update (KB4051963), and tried to capture an image. However this time it failed during execute sysprep. I am using the “Sypsprep and Capture” template. I have the most current versions of ADK and MDT available. I’ve tried adding the Invoke-InternetAccess.ps1 script to my task sequence, even moving it up and down the list, but is not working for me. I was able to capture and create my WIM by disabling the Execute Sysprep from my task sequence, but when I deploy that image to a physical machine, I can not activate Windows. Even though the reference machine was never activated.

    Like

  21. Greetings All,

    I am just now testing 1709. Does anyone know how to suppress the initial setup screens pertaining to Cortana and the two or three keyboard questions? The OOBE settings don’t appear to fully address these subjects.

    Thanks for any assistance,

    Vince

    Like

    1. If deploying the image with MDT you shouldn’t be getting those screens – or at least the Cortana screens.

      In my CustomSettings.ini I have these options set:

      [Default]
      OSInstall=Y
      SkipCapture=YES
      SkipAdminPassword=YES
      SkipProductKey=YES
      SkipComputerBackup=YES
      SkipBitLocker=YES
      TimeZoneName=GMT Standard Time
      KeyboardLocale=0809:00000809
      UILanguage=en-GB
      UserLocale=en-GB
      KeyboardLocale=en-GB
      BitsPerPel=32
      VRefresh=60
      XResolution=1
      YResolution=1
      JoinDomain=adomain
      DomainAdmin=mdt_admin
      DomainAdminPassword=apassword
      SkipUserData=YES
      SkipDomainMembership=YES
      SkipLocaleSelection=YES
      SkipTimeZone=YES
      SkipSummary=YES
      SkipFinalSummary=YES
      FinishAction=SHUTDOWN

      -Mike

      Like

  22. Hello Mike 🙂

    First of all, great website/resource and great article/guide.

    I was wondering if you know how i can add/integrate a new Windows service into the \Windows\System32\config\SYSTEM registry hive. I want to do this without running a live image system as this could create unwanted files that could slip into the final image.

    My idea was to log and recreate the SC.EXE CREATE process and monitoring/logging all file/registry actions it makes using Process Monitor, RegShot or RegistryChangesView, and importing the changes using batch/cmd, via REG ADD and COPY instructions.

    This works to some extend in that i could import all the changes that i could find/log, but the Windows service doesn’t show up in services.msc (also not after a restart), whereas using sc.exe it shows up instantly.

    It really makes me wonder what more sc.exe create does, in which i fail.

    Hopefully you can tell me what’s/where its going (wr)on(g).

    I’m already thinking of trace debugging sc.exe to find out about its internal execution process, but i’m afraid i’ll suck at it since i’ve never debugged any programs in my life.

    Best regards,
    CompletelyLost

    Like

    1. Hi there,
      I don’t have an answer for this, it’s not something I’ve come across before. I have some applications that create services, but I just install them silently as part of the task sequence. Sorry.
      -Mike

      Like

  23. So my agency decided to scrap all the work we’ve done for 6 months getting version 1703 up, running and stable, ready for deploying on hundreds of new machines. They want to have 1709 ready to go by the end of the month. So, I have the Build and Capture TS setup currently using 1703. I basically kept it and inserted the 1709 OS, etc. Everything deployed fine to the VM in Hyper-V, it installed applications, it paused for me to run a few scripts to remove bloat-ware apps and a few other things, and resumed the TS just fine. After the reboot where it starts the Capture WIM portion, it just stalls at 1%. The BDD.log file doesn’t show any errors because the Capture never moves forward. Any ideas?

    Like

    1. Hi there, firstly sorry to hear about the 1703 work being scrapped. It could be that your using the previous Task Sequence, but I doubt it. For Win 10 1709, you should make sure you’ve got the 1709 ADK installed. MDT got updated to version 8450 recently and I’ve updated the download links in this guide. Backup your deployment share(s) and upgrade to MDT 8450, but make sure you have ADK 1709 installed first. After upgrading, or if you have already upgraded – completely regenerate the boot media and try the task sequence again.

      This is all that comes to mind at the moment. Hope it helps.

      Mike

      Like

      1. Well I’ve actually created a brand new Task Sequence for the Build and Capture of 1709. I basically mirrored everything I had for 1703, but also included your step about Disabling the Internet Access. ADK and MDT are both on the current version. Still the same scenario at the Capture WIM step in this process. Just hangs at 1% and the log doesn’t say anything.

        Like

      2. It could possibly be a permissions issue. Check the share permissions as well as file permissions on the deployment share where the .wim is being written back to.

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s