Building a Windows 10 1709 (Fall Creators Update) Reference Image with Microsoft Deployment Toolkit

Update 16/01/2018: Updated this post to reflect the release of Microsoft Deployment Toolkit 8450, which fully supports Windows 10 1709.

Update 30/10/2017: If SysPrep is consistently failing when building your Windows 10 1709 image, it is most likely due to the Windows Store update process updating the built-in UWP apps. This is a known issue, but one I’ve managed to dodge when building previous versions of Windows 10. With 1709, I’ve had SysPrep fail every time. More information on this issue is available directly from Microsoft here.

Solution: The best way to prevent SysPrep from failing is to disable the Store update process or to disable internet access.

For more information on how to disable the Windows Store update process, please read this blog post from Johan Arwidmark’s Deployment Research.

If the fix above isn’t working for you (it didn’t work for me either), or you would rather disable internet access without resorting to editing your network configuration, check out this post from Peter Löfgren’s System Center Ramblings, where he has created a PowerShell script to use Windows Firewall to block internet access for the duration of the image build process. The PowerShell script is included below in this walk through.

Original Post

This post is designed to walk through installing and configuring Microsoft Deployment Toolkit to build a reference image of Windows 10 1709 (better known as the Fall Creators Update) using a Hyper-V Virtual Machine. Some useful links before we get started:

Installing & Configuring Microsoft Deployment Toolkit and Dependencies.

We’ll be using Microsoft Deployment Toolkit (MDT) version 8450, which fully supports Windows 10 1709.

Here are the links to download the software we’ll be installing:

First we’ll install the Windows 10 1709 ADK. The setup will need to download additional files so it may take some time depending on your internet connection.

On the Select the features you want to install screen select:

  • Deployment Tools
  • Windows Preinstallation Environment (Windows PE)
  • Imaging And Configuration Designer (ICD)
  • Configuration Designer
  • User State Migration Tool (USMT)

Now install MDT by running the setup file downloaded earlier. There is no specific configuration during the install wizard. After it’s installed we need to create the Deployment Share.

Create the Deployment Share

  1. Open the Deployment Workbench from the Start Menu.
  2. Right click on Deployment Shares.
  3. Select New Deployment Share.
  4. Enter the path for the Deployment Share: E:\BuildShare.
  5. Enter the Share name: BuildShare$.
  6. Give the share a descriptive name.
  7. On the Options screen, accept the defaults as you can change them later.
  8. Complete the wizard to create the share.

We now need to add an Operating System to work with.

Add an Operating System

  1. Mount the Windows 10 1709 .iso in File Explorer.
  2. Go to Deployment Workbench > Operating Systems.
  3. Right click and select New Folder.
  4. Enter the name Windows 10 1709 x64 and click through the wizard to create the folder.
  5. Right click again and select Import Operating System.
  6. In the wizard, select Full set of source files and then enter the root of the mounted .iso as the Source directory.
  7. For the destination directory name enter Windows 10 1709 x64 and complete the wizard.
  8. Go to the Operating Systems/Windows 10 1709 x64 node and rename the new entries you just added to Windows 10 1709 <Edition> x64.

Next we’ll add the latest Cumulative Update for Windows 10 1709 downloaded earlier. To do this we’ll add it to the Packages section of MDT, so that the CU is installed along with the Operating System rather than relying on WSUS or Windows Update to download and install it afterwards. The advantage of doing it this way is that the entire Task Sequence will be faster and Windows will already be up to date when it is installed.

Importing Packages

  1. Go to Deployment Workbench > Packages.
  2. Create a folder named Windows 10 1709 x64.
  3. Right click on the folder and select Import OS Packages and go through the wizard to add the package. The downloaded update .msu file must be in a folder by itself.

Now we create a selection profile so that the Task Sequence only attempts to install the update for Windows 10 1709 x64.

Creating A Selection Profile

  1. Expand the Advanced Configuration node.
  2. Right click on Selection Profiles and select New Selection Profile.
  3. Name it Windows 10 1709 x64.
  4. On the Folders page, tick the Windows 10 1709 x64 folder under Packages and complete the wizard.

Importing Applications (Optional)

You may want to add some applications to be a part of your reference image, here I’ll cover how to add Microsoft Office. MDT recognises Microsoft Office and provides automated/silent install options.

  1. Go to Deployment Workbench > Deployment Share > Applications.
  2. Right click on Applications and select New Application.
  3. In the New Application Wizard, choose Application with source files.
  4. Give the application the name: Microsoft Office.
  5. Enter the Source directory of the installation files.
  6. Enter the Destination directory: Microsoft Office.
  7. For the Command line enter anything – we’ll revisit this soon.
  8. On the summary page, click Next and after the files are copied click Finish to complete the wizard.

Configure the Application – Microsoft Office

  1. Right click on Microsoft Office, go to the Office Products Tab.
  2. Choose the desired Office Product to Install from the drop down menu.
  3. Check the desired Office language.
  4. Enter a product key, unless you will be activating Office via KMS in which case leave the Product Key option unchecked.
  5. Check the Customer name option and enter the desired information.
  6. Check the Display level option and select None in the drop down menu.
  7. Check the Accept EULA option.
  8. Check the Always suppress reboot option.
  9. Click Apply.
  10. Go to the Details tab and the Quiet install command should now read:
    setup.exe /config proplus.ww\config.xml

Microsoft Office is now set up to be installed silently by a Task Sequence. If you wish to customise the installation to a greater degree, the Office Customization Tool can be launched from the Office Products tab. This process can also be done for Microsoft Visio and Project applications.

We need to now create the Task Sequence that will create our reference image of Windows 10 1709.

Create a Task Sequence

  1. In Deployment Workbench, go to Task Sequences.
  2. Right click and select New Task Sequence.
  3. For the ID enter: W10-1709.
  4. Name it Build Windows 10 1709.
  5. Select Standard Client Task Sequence.
  6. Select the Operating System Windows 10 1709 x64.
  7. Do not specify a product key at this time.
  8. Enter an Organization name.
  9. Do not specify an Administrator password at this time.
  10. Complete the wizard.

Now we’ll configure the Task Sequence.

Configure the Task Sequence

  1. Right click on the Task Sequence just created and select Properties.
  2. Go to the OS Info tab and click Edit Unattend.xml. It will take some time to generate the catalog.
  3. When the Unattend.xml opens, go to 7 oobeSystem > amd64_Microsoft-Windows-Shell-Setup__neutral > OOBE.
  4. Change the ProtectYourPC setting to 3. This will prevent the image from randomly checking for updates whilst it is being built.
  5. Save the Unattend.xml; you can safely ignore any warnings.
  6. Go to the Task Sequence tab on the Properties window of the Task Sequence.
  7. Expand the Preinstall folder, and select the Apply Patches item.
  8. Change the Selection Profile to Windows 10 1709 x64.
  9. Go to the State Restore folder and select Windows Update (Pre-Application Installation).
  10. On the right side of the Properties window, go to the Options tab.
  11. Uncheck the Disable this step tick box and do the same with Windows Update (Post-Application Installation).
  12. If you skipped the Importing Applications section, please disable the Install Applications item and go to step 16, if not please continue.
  13. Go to the Install Applications item.
  14. In the right side of the Properties box, select the Install a single application option and click the Browse… button.
  15. Select Microsoft Office and change the name Install Applications to Microsoft Office.
  16. Click Apply and close the Task Sequence.

Blocking Internet Access to prevent Windows Store App Updates

To block internet access to the VM whilst the image is building, we’ll use the script from Peter Löfgren’s System Center Ramblings post. First create a PowerShell script called Internet-Access.ps1 with the following code:

## Creates the disable option used by the script
param (
   [Parameter(Mandatory=$False,Position=0)]
   [Switch]$Disable
)

## If the Disable command line option is not added, the script adds a Firewall Rule to block traffic on ports 80 (http) and 443 (https).
If (!$Disable)
{
   Write-Output "Adding internet block"
   New-NetFirewallRule -DisplayName "Block Outgoing 80, 443" -Enabled True -Direction Outbound -Profile Any -Action Block -Protocol TCP -RemotePort 80,443
}

## If the Disable command line option is added, the script removes the Firewall Rule created above.
If ($Disable)
{
   Write-Output "Removing internet block"
   Get-NetFirewallRule -DisplayName "Block Outgoing 80, 443" | Remove-NetFirewallRule
}

Save the script in your MDT share, where the Task Sequence will be able to access it. I save my custom scripts in a folder called _scripts inside the Applications folder.

Now, in the Task Sequence created above, we’ll add the items required to run the PowerShell script to enable and disable the internet blocking firewall rules.

  • Go to the Task Sequence tab on the Properties window of the Task Sequence.
  • Go to State Restore and click on the Add button.
  • Go to General > Run PowerShell Script.
  • Name the new item PS Script – Disable Internet Access.
  • Enter Z:\Applications\_scripts\Internet-Access.ps1 or your own path to the PowerShell script we just created.
  • Scroll down the Task Sequence to just above the Imaging folder.
  • Once again, add a new Run PowerShell Script item.
  • Name it PS Script – Enable Internet Access.
  • Again, enter Z:\Applications\_scripts\Internet-Access.ps1 or your own path to the PowerShell script.
  • Important: Add -Disable to the Parameters section.
  • Click Apply and OK to close the Task Sequence.

Now just after booting up, a firewall rule will be added to block traffic on ports 80 and 443, and just before starting the SysPrep and capture process the firewall rule will be removed.
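As an added check that is not part of the original post or Peter Löfgren’s script, the PowerShell below verifies, while the block is still in place, that the firewall rule actually exists and that no UWP app has been installed for a user without also being provisioned for all users, which is the condition SysPrep fails on. Assumptions: it is saved beside Internet-Access.ps1 (the file name Pre-Sysprep-Check.ps1 is mine) and added as a Run PowerShell Script item just before PS Script - Enable Internet Access, and the rule name matches the one used in Internet-Access.ps1.

```powershell
## Added example (not from the original post or Peter Löfgren's script):
## a pre-SysPrep sanity check for the two things this walk-through relies on.
## Assumed usage: save as Pre-Sysprep-Check.ps1 next to Internet-Access.ps1
## and add a "Run PowerShell Script" item for it just before
## "PS Script - Enable Internet Access", so it runs while the block is still up.
param (
    ## Must match the -DisplayName used in Internet-Access.ps1
    [string]$RuleName = "Block Outgoing 80, 443"
)

$problems = @()

## Check 1: is the outbound block rule present and enabled?
## If the rule was never created (e.g. the earlier step failed), the Store has
## had internet access for the whole build and may have updated inbox apps.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $problems += "Firewall rule '$RuleName' was not found."
}
elseif ($rule.Enabled -ne 'True') {
    $problems += "Firewall rule '$RuleName' exists but is not enabled."
}
else {
    Write-Output "OK: outbound block rule '$RuleName' is enabled."
}

## Check 2: is any app installed for a user but not provisioned for all users?
## That mismatch is what SysPrep reports as "was installed for a user, but not
## provisioned for all users" before it fails generalize with 0x80073cf2.
$provisionedNames = Get-AppxProvisionedPackage -Online |
    Select-Object -ExpandProperty DisplayName

## Frameworks and system-signed inbox packages are not provisioned and do not
## trip SysPrep, so they are excluded; everything left is a real candidate.
$userOnly = @(Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework -and $_.SignatureKind -ne 'System' } |
    Where-Object { $provisionedNames -notcontains $_.Name } |
    Sort-Object -Property Name -Unique)

foreach ($pkg in $userOnly) {
    $problems += "Installed for a user but not provisioned: $($pkg.PackageFullName)"
}

if ($userOnly.Count -eq 0) {
    Write-Output "OK: every non-framework app is also provisioned for all users."
}

## Report and return a non-zero exit code so the step fails here, before the
## internet block is removed and SysPrep is attempted.
if ($problems.Count -gt 0) {
    Write-Output "Pre-SysPrep check found $($problems.Count) problem(s):"
    $problems | ForEach-Object { Write-Output "  - $_" }
    exit 1
}

Write-Output "Pre-SysPrep check passed."
exit 0
```

Any package it lists can be removed for that user (or provisioned) before the capture step runs, which is a far cheaper fix than finding out from setupact.log after SysPrep has already failed.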

Next we’ll create a domain user account for MDT.

Create an Active Directory User for MDT

  1. Go to Active Directory Users and Computers.
  2. Create a user called mdt_admin.
  3. On the server where the deployment share is hosted, give mdt_admin Full Control share permissions and Full Control permissions to all the files and folders under the deployment share.

Now we’ll configure the Bootstrap.ini and the Rules.ini files to control certain aspects of the deployment environment. The settings below enable auto log in and skip the welcome screen, so these should only be used for lab/closed environments.

Configure Bootstrap.ini

  1. In Deployment Workbench, right click the Deployment Share and select Properties.
  2. Select the Rules tab and click the Edit Bootstrap.ini button.
  3. Add the settings below to the Bootstrap.ini.
  4. Close and Save the Bootstrap.ini.

[Settings]
Priority=Default

[Default]
DeployRoot=\\SERVERNAME\BuildShare$
UserDomain=contoso.com
UserID=mdt_admin
UserPassword=p@ssw0rd
SkipBDDWelcome=YES

Configure Rules/CustomSettings.ini

On the Rules tab of the Deployment Share properties window, add the settings below. A lot of the settings are specific to my demo environment such as my location in the world.

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipLocaleSelection=YES
SkipTimeZone=YES
SkipDomainMembership=YES
SkipSummary=YES
SkipFinalSummary=YES
SkipComputerName=YES
SkipUserData=YES

_SMSTSORGNAME=Build Share
_SMSTSPackageName=%TaskSequenceName%
DoCapture=YES
ComputerBackupLocation=\\SERVERNAME\BuildShare$\Captures
BackupFile=%TaskSequenceID%_#year(date) & "-" & month(date) & "-" & day(date) & "-" & hour(time) & "-" & minute(time)#.wim
WSUSServer=http://SERVERNAME:8530
FinishAction=SHUTDOWN
SLShare=\\SERVERNAME\BuildShare$\Logs
EventService=http://SERVERNAME:9800

Now it’s time to create the boot media to boot into the deployment environment.

Creating The Boot Media

  1. In Deployment Workbench, right click on the Deployment Share.
  2. Select Update Deployment Share.
  3. Select Completely regenerate the boot images.
  4. Complete the wizard. It will take some time to create the boot images.

Testing The Boot Media

To test the boot media, copy the LiteTouchPE_x64.iso from \\SERVERNAME\BuildShare$\Boot to a location where a Hyper-V Virtual Machine will be able to access it.

Create a new VM in Hyper-V and configure it as such:

  • 2x vCPUs
  • 4GB of RAM
  • NIC with access to the MDT server and WSUS server.
  • Virtual Hard Drive of at least 80GB, preferably on an SSD.
  • Boot from DVD Drive using the LiteTouchPE_x64.iso from MDT.

Start the VM and it should boot from the LiteTouchPE_x64.iso into the deployment environment. You should be presented with a wizard and the name of the Task Sequence you created earlier. Select it and click Next.

The Task Sequence will now run: it will install Windows 10 1709, update from the WSUS server, install Microsoft Office (if you added it), run Windows Update from the WSUS server again to update the Office apps, run SysPrep and then reboot back into the MDT environment and capture the image.

When this process completes the VM will be shut down and a file named W10-1709_YEAR_MONTH_DAY_HOUR_MINUTE.wim will be in \\SERVERNAME\BuildShare$\Captures.

You may also want to add scripts and tweaks to your Task Sequence, such as this PowerShell script to uninstall any UWP apps which aren’t needed or these common applications, depending on your environment.

Google Chrome – Enterprise Installer

msiexec /I googlechromestandaloneenterprise64.msi /qn

Adobe Reader – Enterprise Installer

AdobeReaderDC.exe /sAll

You now have a functioning Microsoft Deployment Toolkit server, with a Deployment Share specifically configured for building reference images, and a Task Sequence to build and capture a Windows 10 1709 reference image.

I hope this has helped you out in some way. If you’d like to get in touch with me, please leave a comment or tweet me.

-Mike

Follow Mike on Twitter – @Digressive

111 Comments

  1. Bruce McDonald says:

    Mike,

    Excellent walk-through as usual.

    I just received my 1709 iso from MSDN – but the images available are all “multi-image” where the WIM looks like this:

    Image Name Index
    Windows 10 Education 1
    Windows 10 Education N 2
    Windows 10 Enterprise 3
    Windows 10 Enterprise N 4
    Windows 10 Pro 5
    Windows 10 Pro N 6

    How do I handle these image indexes within a standard MDT task sequence?

    Michael Niehaus talks about 1709 here:

    https://blogs.technet.microsoft.com/windowsitpro/2017/10/13/windows-10-version-1709-coming-soon/

    But does not offer any insight as to how to target a specific index within an MDT task sequence. Appreciate any info if you have any experience with it.

    Cheers,

    Bruce

    1. Mike Galvin says:

      Hi Bruce,
      I did see that there’s now multiple editions in one WIM, which is good. As for deploying them, seeing as they are in MDT as separate OS’s all I’ve been doing is creating a task sequence for each one I want to deploy. So I’ve not needed to target a specific index. Not sure if that really answers your question?

      -Mike

  2. Bruce McDonald says:

    Mike,

    Just building a TS now – and just read that I should see 6 different OS types when importing the OS image. Should have no issues with it now 🙂 Will report back after I give this a go.

    B

  3. Bruce McDonald says:

    Mike

    Worked great. As expected – MDT listed 6 separate OS flavors – I just selected ENT and was good to go.

    B

  4. josh says:

    Hi
    Have you been able to try removing the preprovisioned apps in the OS such as mail, people, solitaire, camera etc?
    When I tried it they still appear once the wim is reconstructed into an ISO.

    1. Mike Galvin says:

      Hi there,
      I do indeed remove those apps with some images, but I do it in a Task Sequence when building the image. I’ve not personally done it with the WIM. If you are using 1709, there are multiple indexes, so you’ll need to take that into account. Check out this blog post for more info: https://blogs.technet.microsoft.com/windowsitpro/2017/10/13/windows-10-version-1709-coming-soon/
      -Mike

      1. josh says:

        Ah thanks, I didn’t know about that indexes bit! I was removing the apps from index 2, not index 1.
        Hopefully it will work when I get to try it on Monday!

  5. Gary Davis says:

    Mike, I am having a terrible time getting MDT to import an OS. I downloaded the Installation Media from MS and had it put on a usb-stick for installation on another PC. I copied the iso to the hd and then mounted it (saw it as if it was a dvd) … no luck. Get a fix all errors message with no detail. Tried to decompress the iso … no luck.
    Copied a win10 1703 dvd to the hd (just as a test) and it worked. I did install the new adk. Since I am not a business, I haven’t been able to download the OS from the site you have in the document. I build the clones for a charitable group that refurbs PC’s and gives them to needy kids for free. We are part of the MS MRR program, so we get the licenses for a reduced rate …. but are having a tough time getting installation media.
    Any help / ideas would be greatly appreciated ….

    Gary D

    1. Mike Galvin says:

      Hi there Gary,

      Sorry to hear you’re having trouble. The one point that stands out to me is where you download the OS from, although you mentioned that it works fine 1703, so I assume you downloaded that from the same place. Just to be clear, I am not in any way insinuating that you are obtaining Windows from a dodgy site, you mentioned downloading it from MS, so we’re all good there. The only thing I can think of is that the ISO you have, is it for the Professional/Education/Enterprise editions of 1709? I think MDT only supports those editions and won’t work with some others, although I haven’t actually tried myself. Also, just the standard checks: could it be the the ISO is corrupted in some way? Another possibility could be that, with the changes in how 1709 is packaged, it could be causing you these issues that you didn’t get with 1703 when importing. I’m sorry I can’t give you a solid answer, it sounds like you’re doing great work.

      -Mike

      1. Gary Davis says:

        Thanks for the quick reply …. yep, we are legal. We do a google search on download windows 10 installation media. Get a copy of the media to be installed on another PC (puts it on a usb stick or dvd-iso). Like some of the other post … I think it has to do with MS putting all versions plus 32 and 64 bit on the same installation media. I will go back to the site and try to download only a 64bit install and see if that is the problem.
        Gary D

  6. Daniel says:

    We upgraded some of our images that we host on VMWare from 1703 to 1709, then attempted to capture them like we always do, but the capture fails with the same error each time. Panther logs state: “Package Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy was installed for a user, but not provisioned for all users”. The way we’ve gotten around it in the past is running a few powershell commands:
    get-appxpackage | remove-appxpackage
    get-appxprovisionedpackage -online | remove-appxprovisionedpackage

    It shows that it looks like it’s removing the app packages including Miracast, however the error persists. I did a test though: I installed a 1709 fresh install on a VM, then immediately attempted a capture, and it worked perfectly. I didn’t even have to run the powershell commands. The research I’ve been doing has turned up that we needed a registry key to block certain appx packages from automatically downloading/updating while we worked on the image:

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 00000002 /f
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v SilentInstalledAppsEnabled /t REG_DWORD /d 00000000 /f
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent /v DisableWindowsConsumerFeatures /t REG_DWORD /d 00000001 /f

    I’m wondering… do we need to build our images fresh and put in the registry key? This would waste a lot of time for other images that are already pre-built…

    Other thought: should we just put in these registry keys before we upgrade the rest of our images to 1709 from 1703? (Then maybe we won’t have this issue with trying to capture later on again?)

    Thanks,
    Daniel

    1. Mike Galvin says:

      Hi there,
      The problem is when building the image, access to the internet needs to be disabled, or auto updating needs to be disabled – as you mentioned.

      I also noticed that building an image which basically just installs Windows then captures works totally fine.

      Personally I build fresh images when a new version of Windows 10 comes out, and I do that using VM’s with internet access disabled. I have a script that automates the process, which I’ve written about here: https://gal.vin/2017/08/26/image-factory/

      But you can set registry keys to disable auto updating after installing Windows, but before doing any other tasks. Johan Arwidmark wrote about how to do that here: https://deploymentresearch.com/Research/Post/615/Fixing-why-Sysprep-fails-in-Windows-10-due-to-Windows-Store-updates

      -Mike

    2. I’m having this same issue. I’ve tried adding these keys and also the PS script with no luck.

      Below is the error that I am getting –

      2018-01-29 09:28:05, Error SYSPRP Package CortanaListenUIApp_10.0.15063.0_neutral__cw5n1h2txyewy was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.

      2018-01-29 09:28:05, Error SYSPRP Failed to remove apps for the current user: 0x80073cf2.

      2018-01-29 09:28:05, Error SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.

      2018-01-29 09:28:05, Error SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing ‘SysprepGeneralizeValidate’ from C:\Windows\System32\AppxSysprep.dll; dwRet = 0x3cf2
      2018-01-29 09:28:05, Error SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x3cf2
      2018-01-29 09:28:05, Error SYSPRP RunPlatformActions:Failed while validating Sysprep session actions; dwRet = 0x3cf2
      2018-01-29 09:28:05, Error [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
      2018-01-29 09:28:05, Error [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep generalize internal providers; hr = 0x80073cf2

      Any other ideas? This is starting to drive me insane.

      Thanks, Kaleb

      1. Mike Galvin says:

        Hi Kaleb,

        Couple of things I’d like to check: Can you confirm that the internet access is disabled. I’m just wondering if the PS script to block the internet is running successfully?

        Also do you remove any UWP apps, and if so when in the Task Sequence does that happen?

        Cheers,
        -Mike

  7. Dan says:

    Great article – thank you

    Options like changing the lock screen background, start menu modifications, task bar modifications, do they all need to be completed by capturing a reference image ?

    Or if I was to follow your article, is there a need to use a reference image?

    1. Mike Galvin says:

      Hi there,
      No they don’t need to be done by capturing a reference image. They can be done in a Task Sequence when deploying a new Windows installation, or with Group Policy.

      -Mike

      1. Dan says:

        Awesome – thanks Mike

        Once an image has been captured ( we don’t have SCCM ) is it most efficient to then manage the updates moving forward from within MDT ?

      2. Mike Galvin says:

        I assume you mean the next “big” Windows 10 update, the feature updates? Yes, MDT is best I think. WSUS/Windows Update can push them out and get you on the latest version of the OS, but you have no control over them, or at least not like with MDT.

        -Mike

  8. Paul Morrison says:

    Hey Mike,

    For me, using the local group policy editor and disabling the store as well as updates from the store has worked for me with Syspreping 1709. For my client, they have the windows store disabled anyways so it works out in the end, but for those who actually use the store in the enterprise, you can just set up a domain GPO to enable the store if needed, which will take place after the image has been deployed.

  9. Scott Shockley says:

    I am using the Windows 10 volume licensing ISO (SW_DVD5_Win_Pro_Ent_Edu_N_10_1709_64BIT_English_MLF_X21-50143) which now bundles Windows 10 Enterprise, and Windows 10 Education, and Windows 10 Pro together.
    I am trying to perform a “Standard Client Upgrade Task Sequence” using MDT 6.3.8443.1000 and WADK 10.1.16299.15. I have selected the “Windows 10 Enterprise” OS in the “New Task Sequence Wizard” but I am getting the error “Setup failed to upgrade OS from Windows10v1709\setup.exe, rc = -1047526912″ followed by “ZTI ERROR – Non-zero return code by LTIApply, rc = 1”, and then “Litetouch deployment failed, Return Code = -2147467259 0x80004005”. I assume this is because of the ISO contains multiple images but do not see a way to select the Image Index in the “Upgrade Windows” Task Sequence. The “Upgrade Windows” Task Sequence displays the “Windows 10 v1709 Enterprise install.wim”.

    1. Mike Galvin says:

      Hi there,
      That’s really odd, I’ve done pretty much what you said and I’ve not had those issues, at least with upgrading from 1607 and 1703 to 1709. It shouldn’t be because of the multiple images in the ISO because, when you import it into MDT, you should get all the separate editions as separate OS’s. I’ve seen the error you posted many times for many different reasons, so I’m afraid based off what you said, nothing stands out to me. I’m assuming you’re running the upgrade Task Sequence from MDT using the LiteTouch.vbs or using SCCM? Here’s some screenshots from my upgrade task sequence, hopefully it helps.

      -Mike

      1. Scott Shockley says:

        Yes I am using MDT LiteTouch.vbs only, and my environment looks like your screen shots. I am using the “Standard Client Upgrade Task Sequence” and it worked fine with “Windows 10 Creators update 1703”, but broke when I changed the “Operating system to install” to “Windows 10 1709 Enterprise x64”.
        Since the multiple images was the only major change to the imported media, I assumed that’s what broke it.
        I did change the display name for the operating system but I have done that before with the previous imported images with no problems.
        I will download new media and see if re-importing it keeping the default names makes a difference.

  10. Hey Mike,

    Just wondering if you have ever seen this oddball behavior within an MDT layout.

    Suddenly today – out of the blue – when I run an upgrade of 1709 into an existing VM of 1607 – I get this bizarre error with about a minute before the install is actually complete:

    Onscreen – Windows is still running its last update cycle (Spinning circle light blue screen saying Working On Updates 100% Don’t turn off your PC. This will take a while) and then suddenly this dialog pops up as if it’s trying to “reoffer” me a selection of task sequences to run?

    I wish I could post a few screen caps up here but the dialog is titled Windows Deployment Wizard with the words Task Sequence in large print cross the top. Inside the border I see “Select a task sequence to execute on this computer”. Inside the dialog panel is another weird error “No task sequences are available (Tasksequences.xml does not exist, is empty or is inaccessible”)

    Overlaid upon the Task Sequence dialog is another small messagebox with an OK button that displays this:

    A VBScript Runtime Error has occurred:

    Error: 500 = Variable is undefined

    VBScript Code:
    ——————-
    InitializeTSList

    If I click OK on the box – I get another message asking if I want to quit the wizard. I then click Yes and go right back into the Messagebox. I do the OK/yes dance a couple more times and then the wizard finally redisplays my global list of task sequences again. I finally hit Cancel one last time and the mess goes away and install stumbles to completion.

    My setuperr.log is full of bizarre entries that make little sense to me (and I am a programmer!).

    Would appreciate any sort of push in a general direction to figure out what is going on?

    Cheers,

    Bruce

    1. Mike Galvin says:

      Hi Bruce,
      I have seen that, also with 1703. No fix as of yet I’m afraid.

      -Mike

      1. Mike,

        This is most bizarre. I did an upgrade to 1703 using the same MDT share, layout etc and it completed perfectly?

        At first I thought maybe my OS source files were messed up so I completely dumped everything and re-imported a fresh set of 1709 files from the iso – but that did not work either.

        From what I can see so far – it may have something to do with the name of the Task Sequence or some other obscure thing in the bowels of the MDT install.

        I will keep hunting.

        B

      2. Mike Galvin says:

        Yes, it’s sporadic. I’ve had it work fine with both 1607 and 1703 and not other times.

      3. Mike,

        Just found out that I am not the only one with this..

        https://social.technet.microsoft.com/Forums/en-US/96b5c809-a59d-4d90-9136-69ecec101c05/upgrade-task-sequence-not-working-on-windows-adk-10-v1709-and-mdt-8443?forum=mdt

        I am going to stand down on any in-place upgrades to 1709 until MS gets MDT properly updated for all 1709 scenarios.

        1709 works great with MDT 8443 as long as I am doing a clean install TS. But the upgrade is a problem…

        B

      4. Mike Galvin says:

        It’s been the same in all my tests too but I hadn’t found the article, so thanks for posting that!

  11. Ryan Nagy says:

    Thank you for the write up! Super helpful…running into one issue though. When the image is applying settings I get an error stating that the install cannot proceed and that it failed at the specialized portion of the unattend.xml. The exact same task sequence will work with an older version of Win10. Just not Fall Creators. Have you seen something like this?

    1. Mike Galvin says:

      Hi there,
      I have had some issues before with the unattend.xml, but it can be many things. My common problem is that, because I automate the computer name, sometimes it’s too long. Outside of that, I’ve not had many issues with it I’m afraid.
      -Mike

      1. Ryan Nagy says:

        Mike and anyone else who comes across this,

        It appears to be an issue with my Hyper-V VM. I am able to successfully image a laptop and a VMWare workstation VM. I am not going to dig any further on this, but if anyone does run across this issue and finds a solution it might be helpful to the next guy!

    2. Ville says:

      Hi Ryan. As this issue happened during Windows Setup, you should check the setupact.log in %WinDir%\panther (OOBE phase) or %WinDir%\panther\UnattendGC (Specialize phase) for more information. SetupErr.log is rarely useful. I did run into an interesting issue, where it seems that Device Guard (or WDAC in 1709) is enabled out of the box and somehow blocks the execution of reg.exe, which is being used in the unattend file to execute some RunSynchronous commands. Check if you are seeing error 0x800711c7 in the log.

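A triage helper for the Specialize-phase failure Ville describes, added here as an example (it is not code from the post or from MDT): it lists the RunSynchronous commands in the cached unattend.xml, flags the ones that call reg.exe, and searches the two setupact.log files he names for the 0x800711c7 code. The cached unattend.xml location under Panther is an assumption.

```powershell
# Added example, not part of the post or of MDT. Run on the failed reference VM
# after logging on. Log paths are the ones Ville names; the cached copy of the
# answer file that Setup keeps in Panther is assumed.

# List the RunSynchronous commands Setup executed. UsesRegExe marks the ones that
# invoke reg.exe, which is what a WDAC/Device Guard policy would block if Ville's
# diagnosis applies.
function Get-UnattendRunSynchronous {
    param([string]$UnattendPath = "$env:WinDir\Panther\unattend.xml")
    [xml]$doc = Get-Content -LiteralPath $UnattendPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')   # default unattend namespace
    foreach ($cmd in $doc.SelectNodes('//u:RunSynchronousCommand', $ns)) {
        [pscustomobject]@{
            Pass        = $cmd.SelectSingleNode('ancestor::u:settings', $ns).GetAttribute('pass')
            Order       = [int]$cmd.Order
            Description = $cmd.Description
            Path        = $cmd.Path
            UsesRegExe  = $cmd.Path -match '(^|[\\\s])reg(\.exe)?\s'
        }
    }
}

# Search both setupact.log files for the error code and for RunSynchronous entries.
# Both files are plain text, so Select-String is enough; the UnattendGC copy covers
# the Specialize pass, the Panther copy covers OOBE.
function Find-SetupActError {
    param(
        [string]$ErrorCode = '0x800711c7',
        [string[]]$LogPath = @(
            "$env:WinDir\Panther\setupact.log",
            "$env:WinDir\Panther\UnattendGC\setupact.log"
        )
    )
    foreach ($log in $LogPath) {
        if (-not (Test-Path -LiteralPath $log)) { Write-Warning "Not found: $log"; continue }
        Select-String -LiteralPath $log -Pattern $ErrorCode, 'RunSynchronous' -SimpleMatch |
            ForEach-Object {
                [pscustomobject]@{ Log = $log; Line = $_.LineNumber; Text = $_.Line.Trim() }
            }
    }
}

# Usage: which commands depend on reg.exe, then where (if anywhere) the code appears.
Get-UnattendRunSynchronous | Where-Object UsesRegExe | Format-Table -AutoSize
Find-SetupActError | Format-Table -AutoSize
```

If the error code shows up next to a RunSynchronous entry whose Path calls reg.exe, that is the match Ville is asking you to look for.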
  12. Bruce McDonald says:

    Ryan,

    Would be helpful to see exactly what the error message is? If you have altered a few other parts of unattend.xml – would be interested to see what you changed.

    And the Hyper-V thing – that’s all I use here – just build a stock VM (Gen 2) with 2048 RAM, 4 CPU and at least 40GB hard disk – have never had an issue with unattend.xml. (The only thing I ever change is the Protect your PC setting).

    And have you updated the Deployment share and created some fresh iso’s lately?

    B

  13. Brent Mason says:

    Mike,

    Thanks for the great write up!

    Wanted to see if you have any suggestions about deploying larger programs such as ACAD? We were making use of audit mode in Windows 7 so the application itself was included on the image. This helped speed up the process since there is some customization we must do to the application manually. Seems like with the newer versions of 10, Audit mode isn’t really an option anymore.

    1. Mike Galvin says:

      Hi Brent,
      Thanks for the kind words. As of this week, I’ve moved onto a new project at a much larger organisation, and I will absolutely be dealing with large applications and Windows 10 deployment. I’ll post about any findings and improvements as I come across them. I’ve no time frame for this at the moment though as I’m currently re-building the team and infrastructure.
      -Mike

      1. Brent Mason says:

        That would be great!

        Thanks Mike!

    3. loosus456 says:

      Hey, Brent.

      We use Audit Mode in Windows 10. I’ve even used it in 1709.

      What issue are you having with it?

  14. Lukáš Maršálek says:

Can I ask for an explanation of this guide? If I understand it, you make a bootable ISO, which installs the system on a machine, installs Office, updates everything, syspreps the machine and saves the captured image to MDT storage? And then what? I need to deploy 20 identical HW machines, how do I do that with this? Do I have to configure WDS and deploy the captured image via PXE boot? Thanks for any details, MDT is new for me, I was only working with WDS capture and deploy before.

    1. Mike Galvin says:

      Hi there,
      You use this guide to create a clean image with Hyper-V, then you use MDT, with PXE boot and WDS to image all the devices you need to. Here’s some posts I wrote on PXE booting with WDS and deploying images:

      PXE booting for MDT: https://gal.vin/2016/11/28/pxe-booting-for-mdt/
      Advanced PXE booting for UEFI and BIOS: https://gal.vin/2017/05/05/pxe-booting-for-uefi-bios/
      Deploying a Windows 10 1607 image with MDT: https://gal.vin/2017/01/21/deploying-a-windows-10-reference-image-with-microsoft-deployment-toolkit/

      Hope it helps,
      -Mike

      1. Lukáš Maršálek says:

        Oh, seems like you have all covered. Thank you so much, very good articles.

  15. Lukáš Maršálek says:

I was able to capture a reference image, which had only Windows, the cumulative update and MS Office 2016 Pro in it. However, after capturing and deploying, it has MS Office missing. I am sure there were no errors during deploying the ref image and capturing it afterwards. So why would the install of MS Office be skipped? Any ideas welcomed, thanks.

  16. Andrew says:

    Just FYI – This worked for me without having to disable internet access. I think having the image entirely up to date beforehand was the trick, at least for me.

    Thus ends 11 hours of sweat, blood, tears, toil, and gnashing of teeth.

    1. Lukáš Maršálek says:

I am trying so hard to make a reference machine in a VM, I tried everything according to this guide, but at the very end, when the Sysprep phase executes and reboots the computer, it auto logs in and then I see the message “Error: Can not find script file C:\LTIBootstrap.vbs” and it doesn’t continue anymore, it just sits there and no image is captured. Can somebody point me to some info on how to solve this? I tried to search very hard for this, I have all tools in the latest version, latest Windows and Office installation files, and cannot get it working.

      1. Lukáš Maršálek says:

So I probably found why it was failing. I was using a Hyper-V gen 2 machine. When I created a machine with the same parameters but gen 1, it deployed and captured with no issues.

  17. marco says:

Hi Mike, maybe you can help me with this: I have a Dell XPS 9550 and recently updated to Win10 1709, which causes my default profile (with admin power) to have broken permissions: I cannot run anything with admin privileges and had to roll back. Now the problem is that I have to periodically roll back to 1703 because 1709 keeps auto installing and breaking the profile. I have the Home version so cannot go for the delay trick. Looking forward to your magic 🙂

    1. Mike Galvin says:

Hi Marco, it’s difficult for me to suggest a fix for this, I’ve never come across it myself. If I personally had this issue I’d most likely just re-install Windows from scratch. I’m sorry I can’t help more, I usually deal with corporate IT and managed installations of Windows.

      -Mike

  18. Dan says:

    Hi all

    Fairly new to MDT but I believe I have got my head around most aspects. I’ll quickly describe the environment and then explain the issue.

I have MDT 2013 Update 2 installed and the ADK for Windows 10 on a domain joined computer, with a second laptop with Windows 10 1709 as my reference image (this is not domain joined).

I have since taken both computers home (off the corporate network, on to my home network) and attempted to capture the image. I have successfully browsed the DeploymentShare on the MDT computer from the reference image. But the moment I attempt to run LiteTouch.vbs I receive the below error:

    https://imgur.com/86ZiW2A

I have read a few posts on how to fix this, but I have been unable to do so. I have created two local user accounts to auth against the DeploymentShare, but I get the error with both accounts. Being on my home network, would that cause any issues?

Below are my bootstrap.ini and customsettings.ini files (passwords marked out):

    https://imgur.com/tumBcpZ

    https://imgur.com/nptggPh

    Any help would be greatly appreciated!!!

    1. Mike Galvin says:

      Hi there Dan,

Moving the computers off the corp network and home certainly could be causing some issues to do with authentication. Have you set permissions on the deployment share, both the share ACLs as well as the file ACLs?

      Also more generally, you might have better luck building a reference image using a Hyper-V VM. Using Hyper-V keeps the image clean and driver-less.

      -Mike

  19. Bruce McDonald says:

    Dan,

    Your problem is not strictly with passwords – most likely with the Security settings on your MDT deployment share.

    I assume you are running LiteTouch manually from the other machine – the Sharing permissions on the actual MDT install folder must allow the acct you are using on the laptop to access the share correctly.

    And I do not understand what this means:

    “I have successfully browsed the DeploymentShare on the MDT computer from the reference image.”

    I think a better explanation of exactly what is where (MDT etc) and how you are attempting to capture is in order…

    Cheers!

    B

  20. Dan says:

    Hi Bruce

Thanks for the reply. Correct, I connect to the computer and run LiteTouch.vbs from the reference computer manually (UNC to the DeploymentShare). Sorry, this is what I meant when I said “I have successfully browsed the DeploymentShare on the MDT computer from the reference image.”

I have since brought both computers back into the office, and the authentication and running of litetouch.vbs have since worked. I have another issue at hand, but at least the script is running now.

    Must have been some weird issue with not being on my corporate network!

  21. Dylan says:

Hey Mike, maybe you can help me out. I have a Reference VM that I capture my company image from. I updated it in place from Windows 10 Enterprise 1703 to 1709, and experienced the failures when I tried to sysprep and capture the task sequence in MDT. I decided to start fresh after I fought with it for 2 days. I built a new VM, downloaded the 1709 iso, installed it onto the VM, then ran the LiteTouch.vbs script (before adding any applications), and it worked with zero errors. I then proceeded to add all of my applications, installed a Windows cumulative update (KB4051963), and tried to capture an image. However, this time it failed during Execute Sysprep. I am using the “Sysprep and Capture” template. I have the most current versions of ADK and MDT available. I’ve tried adding the Invoke-InternetAccess.ps1 script to my task sequence, even moving it up and down the list, but it is not working for me. I was able to capture and create my WIM by disabling the Execute Sysprep step in my task sequence, but when I deploy that image to a physical machine, I cannot activate Windows, even though the reference machine was never activated.

  22. Vince Connick says:

    Greetings All,

    I am just now testing 1709. Does anyone know how to suppress the initial setup screens pertaining to Cortana and the two or three keyboard questions? The OOBE settings don’t appear to fully address these subjects.

    Thanks for any assistance,

    Vince

    1. Mike Galvin says:

      If deploying the image with MDT you shouldn’t be getting those screens – or at least the Cortana screens.

      In my CustomSettings.ini I have these options set:

      [Default]
      OSInstall=Y
      SkipCapture=YES
      SkipAdminPassword=YES
      SkipProductKey=YES
      SkipComputerBackup=YES
      SkipBitLocker=YES
      TimeZoneName=GMT Standard Time
      KeyboardLocale=0809:00000809
      UILanguage=en-GB
      UserLocale=en-GB
      KeyboardLocale=en-GB
      BitsPerPel=32
      VRefresh=60
      XResolution=1
      YResolution=1
      JoinDomain=adomain
      DomainAdmin=mdt_admin
      DomainAdminPassword=apassword
      SkipUserData=YES
      SkipDomainMembership=YES
      SkipLocaleSelection=YES
      SkipTimeZone=YES
      SkipSummary=YES
      SkipFinalSummary=YES
      FinishAction=SHUTDOWN

      -Mike

  23. Hello Mike 🙂

    First of all, great website/resource and great article/guide.

I was wondering if you know how I can add/integrate a new Windows service into the \Windows\System32\config\SYSTEM registry hive. I want to do this without running a live image system as this could create unwanted files that could slip into the final image.

My idea was to log and recreate the SC.EXE CREATE process by monitoring/logging all file/registry actions it makes using Process Monitor, RegShot or RegistryChangesView, and importing the changes using batch/cmd, via REG ADD and COPY instructions.

This works to some extent, in that I could import all the changes that I could find/log, but the Windows service doesn’t show up in services.msc (also not after a restart), whereas using sc.exe it shows up instantly.

    It really makes me wonder what more sc.exe create does, in which i fail.

Hopefully you can tell me what’s/where it’s going (wr)on(g).

I’m already thinking of trace debugging sc.exe to find out about its internal execution process, but I’m afraid I’ll suck at it since I’ve never debugged any programs in my life.

    Best regards,
    CompletelyLost

    1. Mike Galvin says:

      Hi there,
      I don’t have an answer for this, it’s not something I’ve come across before. I have some applications that create services, but I just install them silently as part of the task sequence. Sorry.
      -Mike

  24. Todd Shelton says:

    Thanks, Mike. Detailed and accurate. A perfect start to life in the MDT lane.

  25. bgibbsartist says:

    So my agency decided to scrap all the work we’ve done for 6 months getting version 1703 up, running and stable, ready for deploying on hundreds of new machines. They want to have 1709 ready to go by the end of the month. So, I have the Build and Capture TS setup currently using 1703. I basically kept it and inserted the 1709 OS, etc. Everything deployed fine to the VM in Hyper-V, it installed applications, it paused for me to run a few scripts to remove bloat-ware apps and a few other things, and resumed the TS just fine. After the reboot where it starts the Capture WIM portion, it just stalls at 1%. The BDD.log file doesn’t show any errors because the Capture never moves forward. Any ideas?

    1. Mike Galvin says:

Hi there, firstly sorry to hear about the 1703 work being scrapped. It could be that you’re using the previous Task Sequence, but I doubt it. For Win 10 1709, you should make sure you’ve got the 1709 ADK installed. MDT got updated to version 8450 recently and I’ve updated the download links in this guide. Back up your deployment share(s) and upgrade to MDT 8450, but make sure you have ADK 1709 installed first. After upgrading, or if you have already upgraded, completely regenerate the boot media and try the task sequence again.

      This is all that comes to mind at the moment. Hope it helps.

      Mike

      1. bgibbsartist says:

        Well I’ve actually created a brand new Task Sequence for the Build and Capture of 1709. I basically mirrored everything I had for 1703, but also included your step about Disabling the Internet Access. ADK and MDT are both on the current version. Still the same scenario at the Capture WIM step in this process. Just hangs at 1% and the log doesn’t say anything.

      2. Mike Galvin says:

        It could possibly be a permissions issue. Check the share permissions as well as file permissions on the deployment share where the .wim is being written back to.

  26. sinirgi says:

    Hi Mike,
    Great job on the write up.

    I’m having an issue where the reference image is complaining about:
    WARNING: PowerShell was not detected. ZTIPowerShell 1/22/2018 11:44:32 AM 0 (0x0000)
    ZTI ERROR – Unhandled error returned by ZTIPowerShell: Type mismatch (13) ZTIPowerShell 1/22/2018 11:44:32 AM 0 (0x0000)
    Command completed, return code = -2147467259 LiteTouch 1/22/2018 11:44:32 AM 0 (0x0000)
    Litetouch deployment failed, Return Code = -2147467259 0x80004005 LiteTouch 1/22/2018 11:44:32 AM 0 (0x0000)

    I’m not running the ADK that you are, but I have used the one I am running to make reference images of previous Windows 10 builds.

    Any thoughts?

    1. sinirgi says:

      I chose “Continue on Error,” on both Task Sequences and it seems to be working. Firewall shows blocked during creation. I’d still like to hear what you have to say about it.

    2. Mike Galvin says:

      Hi there,

If you are building Windows 10 1709 images, you really need to be running ADK 1709. That’s probably why you are getting that error. The ADK version really is critical.

      Mike

  27. Shakti says:

    Hi Mike,

    Any suggestions on moving user’s documents, downloads, desktop, etc to a different drive? It will help in reimaging. Any experience? Will it cause any issue during an upgrade?

  28. Stefan says:

    Hey Mike,

    thanks for your excellent guide. I face an error, however, that I don’t find any hints or searches on. I built a lab using VirtualBox (1 DC running AD, DNS & DHCP | 1 Server running WDS & MDT | 1 Client). I can boot the client using the LiteTouchPE_x64, but it keeps stopping with the following error:
    LoopIteration:0
    Get Machine Metadata from Relax
    Firmware:BIOS
    Error: Get machine failed, retrying in 30 seconds
    Error: Get machine failed, retrying in 30 seconds
    Error: Get machine failed, retrying in 30 seconds
    Get Machine failed for Machine with GUID:3206FE93-FAA7-1E41-AFE8-8FCFFF08A51C, MAC:080027319FE5!
    Error: There was an error communicating with the endpoint at ‘http://MDT.test.local:8000/Relax/Service’.
    Error: The operation timed out
    “Get Metadata from Relax Server Failed -2143485946.”.
    Error: Failed to Log Message : 803d0006
    Error: There was an error communicating with the endpoint at ‘http://MDT.test.local:8000/Relax/Service’.
    Error: The operation timed out

    Any hints? Would really appreciate any help!

    Regards,
    Stefan

    1. Mike Galvin says:

      Hi Stefan,

Wow, that’s some error. I haven’t used VirtualBox in a good long time (I test all my scripts and image creation in Hyper-V). It looks like it might be something to do with network connectivity; you might have to include the drivers for the VirtualBox NIC in the LiteTouchPE boot media?

      -Mike

  29. bgibbsartist says:

    Well now I’m having an issue with the Auto-Logon function after the first reboot. This only just came up because some people decided they wanted a bunch of new stuff in the image and changes had to be made. So it captured just fine, but stops the deployment right at the Login screen and even when I manually login, it doesn’t resume the task sequence.

  30. Pulytr says:

All my tries to capture a reference image of 1709 Pro edition end stuck on “Just a moment” in the final part where it executes Sysprep. It can sit there for several days and not change.

When I edit the OOBE skip machine/user settings to TRUE it moves a little bit further, but then ends with the error that C:\LTIBootstrap.vbs could not be found.

    1. Mike Galvin says:

      Hi there,

I haven’t had the “Just A Moment” problem myself (yet?), but I am aware that it’s been discussed online recently on reddit/twitter etc. I’m mobile right now so don’t have any links to give you, but I’m sure a google might reveal some possible solutions.

      -Mike

  31. Leigh says:

    Please Help!
    2018-03-01 15:11:20, Info DISM PID=1472 TID=2012 Scratch directory set to ‘X:\windows\TEMP\’. – CDISMManager::put_ScratchDir
    2018-03-01 15:11:20, Info DISM PID=1472 TID=2012 DismCore.dll version: 10.0.16299.15 – CDISMManager::FinalConstruct

    1. Mike Galvin says:

      Hi Leigh,

      I’ve edited down your comment as that log file is….huge…… Can you be more specific as to what problem you are having?

      -Mike

      1. Leigh says:

Thanks, and sorry for that, I was having trouble posting for some reason.

The process seems to fail with DISM failing to call some DLL files. I had uninstalled everything and started from scratch and still have the same issue. My DISM version is also the latest.

        2018-03-01 15:13:10, Warning DISM DISM Provider Store: PID=2468 TID=2472 Failed to load the provider: X:\windows\SYSTEM32\Dism\SiloedPackageProvider.dll. – CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)

        2018-03-01 15:13:10, Warning DISM DISM Provider Store: PID=2468 TID=2472 Failed to load the provider: X:\windows\SYSTEM32\Dism\MetaDeployProvider.dll. – CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)

        2018-03-01 15:13:11, Warning DISM DISM OS Provider: PID=2496 TID=2520 Unable to set the DLL search path to the servicing stack folder. E:\Windows may not point to a valid Windows folder. – CDISMOSServiceManager::Final_OnConnect

        2018-03-01 15:13:12, Warning DISM DISM Provider Store: PID=2496 TID=2520 Failed to load the provider: E:\MININT\Scratch\42282A68-5671-4CE5-A643-D596156F2123\PEProvider.dll. – CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)

        2018-03-01 15:13:36, Info DPX Failed to Expand Delta, IpdParent amd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.16299.248_none_e8a0c8931944455a\searchui.exe
        2018-03-01 15:13:36, Info DPX Failed to expand delta. hr = 0x80070008
        2018-03-01 15:13:38, Error DISM DISM.EXE: DISM Unattend Manager processed the command line but failed. HRESULT=800706BE
        2018-03-01 15:13:38, Error DISM DISM Manager: PID=2468 TID=2472 Failed to get the IDismImage instance from the image session – CDISMManager::CloseImageSession(hr:0x800706ba)
        2018-03-01 15:13:38, Error DISM DISM.EXE: – CDismWrapper::CloseSession(hr:0x800706ba)

      2. Mike Galvin says:

        Hi Leigh,
        Thanks for posting, unfortunately nothing really jumps out at me from the log (other than it’s not working).
        A couple of things to check:
        What version of MDT and the ADK are you running?
        Is this happening during deployment in Windows 10, or in the deployment environment?
        Try regenerating the boot image, without drivers or any additional plugins.

        -Mike

      3. Gregor says:

        Hi guys.
Is there anything new on this error? I’m also having the same issue.

  32. Arti Gangwar says:

Hi Mike, I am new to the OS deployment process. Can you clarify a few things?

1) Can you confirm the Hyper-V Virtual Machine specifications? Also I assume it should be without an OS?
2) My WSUS server is on the SCCM primary site server. When you say local WSUS server, what exactly do you mean? If we disable internet access, how will the virtual machine receive updates?
3) Which applications are advisable to keep in the WIM image apart from all the MS Visual C++?

    1. Mike Galvin says:

      Hi Arti, Sure thing:

      1) Yes the Hyper-V Virtual Machine should be without an OS. The specs I use are: Generation 1, 2 vCPUs, 4GB RAM (non dynamic), 100GB dynamically expanding VHD, a standard virtual NIC that can access your LAN.
2) By local WSUS I mean a WSUS server on your LAN, so the SCCM server will be fine. I probably should be more specific in my write up. The VM should get Windows Updates from the LAN WSUS and not the Windows Update servers on the internet because, as you correctly say, removing internet access would prevent this.
3) If I understand your question correctly (?) I build images with everything from just Windows to Office, Visual Studio, SQL Management Tools, Remote Server Administration Tools, Adobe Creative Cloud… and so on. It depends on your needs, but you shouldn’t have any problems with most applications being a part of the WIM.

      I hope this helps.

      -Mike

      1. Ankit P says:

Thanks Mike, I created the reference image but when I try to boot the VM from the LiteTouchPE_x64.iso, I get the error “A connection to the deployment share (\\xxx\deploymentshare$) could not be made. The following networking device did not have a driver installed. pci ven_15ad&dev_07b0 subsys_07b015ad&rev_01”

Can you please assist. As per my understanding WinPE already has the necessary drivers built in for Hyper-V VMs??

      2. Mike Galvin says:

        Hi Ankit,

        That’s correct, the drivers for Hyper-V are included by default.
        It looks like the VM is unable to connect to the MDT deploy share, which is likely to be down to the VM’s network access. Do you have a DHCP server available to the VM, and does the VM have a virtual NIC able to connect to the DHCP server?

        -Mike

  33. Dan Christ says:

    Hey Mike!

    Great article. Really great stuff. I’m struggling at getting MDT to find the PS script to disable Internet Access that you wrote about in this article.
    In the logs I see that it mounts the MDT build share as this shown in this snippet here:
    Found Existing UNC Path Z: = \\MDT01\MDTBuildLab$]LOG]!><time="09:27:52.0…….

Though later in the log it says the Internet-Access.ps1 could not be found, as shown here:

    I have verified that the correct credentials are entered in the Bootstrap.ini file and I can successfully login to a machine as that AD user and hit the \\MDT01\MDTBuildLab$ share via the UNC path. And of course, pinging to that machine also works.

    I’m not sure what else to try at this point in time. It was originally pointing to C:\… and of course the VM can’t see C drive on the MDT01 machine.
    What about %DeployRoot%\Scripts ? Or %ScriptRoot%\Internet-Access.ps1 Those are things I’ve come across.

    Thanks for any help you can provide!
    Dan

    1. Mike Galvin says:

      Hi Dan,

      Thanks for the kind words.
      In my MDT build share I have the script in \\mdt01\buildshare$\Applications\_scripts\Internet-Access.ps1
      In my Task Sequence I have the Run PowerShell Script item set to Z:\Applications\_scripts\Internet-Access.ps1

      The MDT share is by default also mapped to Z:\ which can be handy for some things. It sometimes seems to be a little inconsistent as to which path to use for what though.

      Hope this helps,
      -Mike

  34. Sourabh K says:

    Hey Mike
    Hope you are doing good. Thanks for your article, it’s very helpful.

    However, I am facing issue after upgrading MDT to 8450 and ADK 1709
    I had a working environment with MDT 2013 Update 2 version 6.3.8330.1000
    Supporting Win7 and Windows 10 1607.

    To support Windows 10 1709, I upgraded my infrastructure.

    1. I uninstalled older ADK.
    2. Uninstalled MDT 2013 Update 2 version 6.3.8330.1000
    3. Reboot server.
    4. Installed ADK 1709 with required features.
    5. Installed MDT 8450.
    6. Opened existing Deployment share and checked update.
7. Completely regenerated boot image.
8. It’s not working on some models: once it boots from the new boot image, it gets rebooted immediately and nothing progresses further.
9. Meanwhile the boot image from the older deployment share, before the upgrade, works fine. Same set of drivers before and after the upgrade.

Could you please help?

    1. Mike Galvin says:

      Hi Sourabh,

      Thanks, I’m glad it’s helped.
Nothing is coming to mind re: the issue you are having, I’ve not had that myself at this time, but just a thought: do you have any drivers being added to the boot image? It could be a compatibility issue with 1709, but I’m not certain of that.

      -Mike

      1. Ankit P says:

Thanks Mike, I created the reference image but when I try to boot the VM from the LiteTouchPE_x64.iso, I get the error “A connection to the deployment share (\\xxx\deploymentshare$) could not be made. Connection OK. Possible cause: invalid credentials.”
I followed your steps. I created an Active Directory user for MDT named mdt_admin and gave it full permissions to the deploymentshare folder and sub folders.
That’s my BootStrap.ini:
        [Settings]
        Priority=Default

        [Default]
        DeployRoot=\\ipaddress of the mdt server\DeploymentShare$
        UserDomain=our domain
        UserID=mdt_admin
        UserPassword=password
        SkipBDDWelcome=YES

      2. Mike Galvin says:

        Hi Ankit, I’m sorry I think I misunderstood. If it’s an authentication issue, it might be due to permissions on the Deployment Share on the MDT server. The account you are using: MDT_Admin should be created in Active Directory if it isn’t already and you can either give the account access to the Deployment Share or make it a member of an AD group and give the group access to the share.

        -Mike

  35. ersatyle says:

    great article thanks! After capturing the reference image I import it in SCCM and deploy it from there. Now I’m seeing some (not all) computers reaching out and contacting the local WSUS server (not in the domain, no gpo pointing to it) specified during the MDT TS after imaging, can’t understand why. Do you see this behavior? Do you just shut it down after your ref images are created? thanks

    1. Mike Galvin says:

Hi Ersatyle, I don’t see this behaviour often myself. My MDT Custom Settings have a WSUS server set for all builds running, but after the build is completed Group Policy takes over and WSUS is then configured via GPO. But as there are no GPOs overriding the settings, I could see that perhaps some PCs are still contacting the WSUS server configured via MDT (or SCCM in this case).

      -Mike

  36. Ankit P says:

Thanks Mike, I checked the account MDT_Admin. It has full permission to DeploymentShare$. My MDT and ADK versions are correct too. I am using the IP address to connect to the MDT server as it can’t connect using the FQDN of the server.

    1. Ankit P says:

Also I tried to manually map the drive using cmd net use \\ipaddress\deploymentshare$ but I am getting the error:
      System error 1231 has occurred.
      The network location cannot be reached.

Can you please advise. I have been scratching my head for the last 2 days.

      1. Mike Galvin says:

        Hi Ankit,

Thanks for the replies. It seems like there are some connection issues between the VM and the MDT server. If you boot the VM to the point where it errors and press F8, a command prompt should open and you can do some basic diagnostics. If you run “ipconfig /all” does the IP configuration information look like it should for your network? If not, that is probably why it can’t connect to the MDT server.

        -Mike

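The checks traded above for the “connection to the deployment share could not be made” errors (Bruce and Mike on share ACLs versus file ACLs, Mike on F8 and ipconfig, Ankit’s net use error 1231), gathered into one added PowerShell pre-flight function. This is example code, not the post’s or MDT’s; the server, share and account names are placeholders.

```powershell
# Added example, not from the post or from MDT. Run it from a Windows machine on the
# same network as the build VM, with the same UserDomain\UserID that Bootstrap.ini uses.
# Server, share and account names below are placeholders.
function Test-MdtDeployShare {
    param(
        [Parameter(Mandatory)] [string]       $DeployRoot,   # e.g. \\MDT01\DeploymentShare$
        [Parameter(Mandatory)] [pscredential] $Credential,   # e.g. adomain\mdt_admin
        [string] $ProbeFile = 'Control\Bootstrap.ini'        # a file LiteTouch must be able to read
    )
    $server = (($DeployRoot -replace '^\\\\', '') -split '\\')[0]
    $r = [ordered]@{
        Server = $server; Resolves = $false; Smb445 = $false
        Mapped = $false; ReadsProbe = $false; NtfsAllowsRead = $false
    }

    # 1. Name resolution. "System error 1231" from net use means the host was never
    #    reached, which is a network/DNS problem rather than a permissions one.
    try { $null = [System.Net.Dns]::GetHostAddresses($server); $r.Resolves = $true }
    catch { Write-Warning "Cannot resolve '$server': $($_.Exception.Message)" }

    # 2. SMB reachability. False here with Resolves=True points at routing or a firewall.
    $r.Smb445 = (Test-NetConnection -ComputerName $server -Port 445 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Authenticate exactly as the task sequence would. A failure here is the share
    #    ACL or the credentials (what Mike and Bruce suspect), not NTFS.
    $drive = $null
    try {
        $drive = New-PSDrive -Name MDTCHK -PSProvider FileSystem -Root $DeployRoot `
                             -Credential $Credential -ErrorAction Stop
        $r.Mapped = $true

        # 4. Read a file through the mapped drive. Mapped=True but ReadsProbe=False is
        #    the classic "share ACL is fine, NTFS ACL is not" case.
        $r.ReadsProbe = Test-Path -LiteralPath ('MDTCHK:\' + $ProbeFile)

        # 5. Look for an explicit NTFS allow for the account. Group-based grants are not
        #    resolved here, so False is a hint to inspect, not proof of a missing ACE.
        $rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        $acl = Get-Acl -LiteralPath 'MDTCHK:\'
        $r.NtfsAllowsRead = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq $Credential.UserName -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $rx) -eq $rx)
        })
    }
    catch { Write-Warning "Mapping '$DeployRoot' failed: $($_.Exception.Message)" }
    finally { if ($drive) { Remove-PSDrive -Name MDTCHK -Force } }

    [pscustomobject]$r
}

# Usage: prompts for the mdt_admin password, then prints one row of True/False checks.
Test-MdtDeployShare -DeployRoot '\\MDT01\DeploymentShare$' `
    -Credential (Get-Credential -UserName 'adomain\mdt_admin' -Message 'MDT build account')
```

Read the row left to right: the first False tells you which layer (DNS, SMB, share ACL, NTFS ACL) to fix before regenerating boot media.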
  37. Ankit P says:

Thanks Mike. A couple more questions, excuse me if I sound silly.
1) You are putting the “Apply Patches” step in your TS before “Install Operating System”. Don’t you think it should be after?
2) At some point you mentioned “Next we’ll be adding the latest Cumulative Update for Windows 10 1709 downloaded earlier, to do this we’ll be adding it to the Packages section of MDT. The reason we do this is so the CU will be installed with the Operating System, rather than relying on WSUS or Windows Updates to download and install it.”
But later you mentioned that the VM should get updates from the local WSUS server?
If I am already applying patches, can I safely disable the Windows Update step from my TS?
My VM can ping the WSUS server but when I telnet to it on port 8530, it can’t connect. Hence I am more focused on applying patches from the TS. I am using the 1709 build which only needs the March cumulative update.

    1. Mike Galvin says:

      Hi Ankit,

      No problem at all. Before I get to answering your questions specifically, I just want to say that I write these walkthroughs just to show how I generally do it, what works for me and to inform others who perhaps aren’t aware of the software. If you see a different way of doing things that is better for your environment, the needs of your organisation, or just because it works better for you, then by all means go for it, experiment, see what happens! You might be surprised by what you find.

      On to your questions:
      1) The Apply Patches step is built into the default OS install Task Sequence. It’s before the “Install Operating System” item so the patches that are entered into MDT’s “Packages” folder are integrated into the install.
      2) I understand what you mean. It might seem like duplication. My reason for this is that the monthly Cumulative Update is often large, and gets larger every month. It takes time to download and install via WSUS after the OS has been installed, so I put it in MDT’s Packages folder to essentially ‘slipstream’ it into the OS install, saving time. I keep the WSUS update check to check for and install patches and definitions for Windows Defender and other applications that I add to the image – I’ve not mentioned all these applications in the walkthrough as I don’t believe they are relevant to readers. The end result is that the image takes only a small amount of time to build, it’s completely automated and up to date.

      Hope this helps.
      -Mike

      1. Ankit P says:

        Hi Mike, one more quick question. After I make any changes to the MDT deployment share, I need to regenerate the boot images and test it on a fresh VM. The whole process takes more than 2 hrs. Is there any quicker way to test the changes?

      2. Mike Galvin says:

        Hi Ankit,

        Sure. To speed up the boot image regen, you can remove the option for the x86 ISO if you only need to support x64 – and if you don’t want the ISOs at all, you can remove the x64 one too.

        Also you can remove the drivers, as the VM shouldn’t require any additional drivers. You can do this like so:
        Deployment Share properties window > on the Windows PE tab > Platform: x86 > untick: “Generate a Lite Touch bootable ISO image”.

        And for the drivers:
        Deployment Share properties window > on the Windows PE tab > Platform: x64 > Drivers and Patches tab > Selection Profile: Nothing

        Hope this helps speed things up.
        -Mike

  38. Salman says:

    Hi All,
    It was a great write-up and really helped not only by the author but from comments from others as well.

    I have a dilemma and I can’t seem to resolve it.

    I am building a reference image for Windows 10 (LTSB-1709) with MDT and made changes to the *unattend.XML* file where *CopyProfile=true*. Once MDT finished creating the WIM file, I moved the WIM file from local MDT to SCCM along with the unattend file as a package and distributed the contents. However, during the OSD process, the TS failed while working on the unattend file and issued the error message “Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].”

    Can anyone please help or assist me?

    All comments are welcome

  39. Ankit P says:

    Thanks Mike.
    I was going through your other post on how to deploy the reference image via MDT. Do you have any guidelines on how to create the deploy Task Sequence via SCCM?
    I have captured my WIM image via MDT but I would like to deploy it via SCCM.

    1. Mike Galvin says:

      Hi Ankit,
      Sorry, I have no write ups on deploying images via SCCM currently.

      -Mike

  40. Mike T says:

    Hi Mike,
    Great write up. I’m still having issues with Sysprep after using your guide to disable internet access and remove UWP apps. Some differences are that I’m not automating everything for capture. I’m only deploying Windows 10 1709 and some applications. I verified that both PS scripts run error free, but I still have some Windows apps left over that cause Sysprep to fail. The list I am seeing: Adobe Photoshop Express, Code Writer, Duolingo, Eclipse Manager, Remote Desktop, MSN News, Network Speed Test, Sway, and Translator. I know that Eclipse for sure is causing the error from the Sysprep logs, but the rest will likely also cause this error. How are they installing even though internet access is blocked??? Is there an easy way to get all of these added to the UWP list? From the Sysprep error log, they are being installed for the current user, but not provisioned for others. Let me know if you need any other info.
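A diagnostic for the failure mode described in this comment (packages installed for a user but not provisioned for all users), added here as an example and not part of the post or of the scripts it links. It assumes an elevated PowerShell session on the reference VM before Sysprep runs, and the default Sysprep log location; the log line pattern is the one Sysprep writes for this condition.

```powershell
# Added example (not from the post): list UWP packages that are present for a
# user account but not provisioned in the image. Sysprep refuses to generalize
# while such per-user packages exist, which is the error quoted above.
# Run from an elevated PowerShell session on the reference VM.

# Packages provisioned for all future users (Get-AppxProvisionedPackage is in the
# DISM module that ships with Windows 10).
$provisioned = (Get-AppxProvisionedPackage -Online).DisplayName

# Store packages present for any user that are NOT in the provisioned set.
# Frameworks are excluded because they are dependencies, not apps.
$perUserOnly = Get-AppxPackage -AllUsers |
    Where-Object {
        -not $_.IsFramework -and
        $_.SignatureKind -eq 'Store' -and
        $provisioned -notcontains $_.Name
    }

# Cross-check against what Sysprep reported in the last failed run.
# Sysprep logs: "Package <PackageFullName> was installed for a user, but not
# provisioned for all users. This package will not function properly ..."
$log = Join-Path $env:windir 'System32\Sysprep\Panther\setupact.log'
$reported = @()
if (Test-Path $log) {
    $reported = Select-String -Path $log -Pattern 'Package (\S+) was installed for a user' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

# One row per offending package: the Name is what goes into a removal list,
# InSysprepLog shows whether Sysprep already complained about it, and Users shows
# which accounts carry it (explains "installed for the current user").
$perUserOnly | Select-Object Name, PackageFullName,
    @{ n = 'InSysprepLog'; e = { $reported -contains $_.PackageFullName } },
    @{ n = 'Users'; e = {
        ($_.PackageUserInformation | ForEach-Object { $_.UserSecurityId.Username }) -join ', '
    } } |
    Format-Table -AutoSize
```

The Name column is the value to add to a UWP removal list (the post's removal script works by package name); an empty table with a non-empty $reported set means the packages were removed since the last Sysprep attempt and a re-run should be clean.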

  41. Lego says:

    I used to create my reference images using MDT, which at times was very painful: from having to maintain Task Sequences, Drivers, Applications, Updates. It seemed like there was always something that went wrong. At one point a Windows update was conflicting with one of my driver installs and it would fail on deployment, which took me a week to track down.

    With that being said, there is a much easier way to accomplish imaging if you are strapped for time and your upper management does not consider imaging a full time position. You can simply install the OS to a VM and then get into Audit Mode. Take a snapshot and then start installing all your apps and make any changes, and take plenty of snapshots or checkpoints along the way. When you are finished making all your changes, use GImageX in order to capture your image while it is still in audit mode, and you can import that to WDS and you are done. No more fighting with all the different silent installs, the scripts, drivers and everything else that could possibly go wrong while using MDT.

    1. Zsolt says:

      I’m still using the same method for creating reference images (install Windows, enter audit mode, install programs and customize them, customize Windows, remove universal apps, and finally do a sysprep with copyprofile), because I can’t find any MDT guides that would do the same thing.
      From my understanding this guide shows how to automate the process of installing Windows, updates and programs, removing universal apps and customizing Windows, and then capturing this as a .wim image, which can be installed later. But what’s the point of this, if I need to install Windows again using this reference image, manually enter audit mode, customize programs and Windows, and finally do a sysprep with copyprofile? I must be missing something here.

      1. Mike Galvin says:

        Hi both, I might be misreading your comments but my response is that I don’t write these walkthroughs to convince people that “my way is best”. If you do it a different way and that works for you, that’s totally fine. My way works for me, and for how I and my team work. I write these posts to share knowledge.

        -Mike

  42. Zsolt says:

    How should I change the Internet-Access.ps1 script if my WSUS server runs on ports 80 and 443?

    1. Mike Galvin says:

      Hi Zsolt,

      The script should only affect internet access. I don’t change the script at all, and my WSUS server is running on 80/443, on a different VLAN but still in the same Active Directory domain.

      -Mike

  43. Lee Kemp says:

    With MDT 8450 and DISM installed, I keep getting an issue where DISM keeps failing to apply the large cumulative update.
    It throws a funny 1726 error (RPC call not available).
    Remove the update and all is well.
    Any suggestions?

    1. Mike Galvin says:

      Hi there,

      I’ve updated the guide to use the April 10th Cumulative Update KB4093112, and that works for me. I usually update the page once a month when the big CUs come out, but have forgotten to recently.

      I’m not sure why you’d be getting that error with the March update – it was working for me when I posted.

      Thanks
      -Mike

  44. shimmer45 says:

    Funny issue when getting MDT to apply the large update you list in the guide.
    DISM throws a 1762 RPC type error and dumps the deployment; remove the big update and it’s fine.
    Any suggestions?

    good post as well

    1. Mike Galvin says:

      Hi there,

      I’ve updated the guide to use the April 10th Cumulative Update KB4093112, and that works for me. I usually update the page once a month when the big CUs come out, but have forgotten to recently.

      I’m not sure why you’d be getting that error with the March update – it was working for me when I posted.

      Thanks
      -Mike

  45. shimmer45 says:

    Thanks for the response. I might manually apply the update to the image using DISM and work with it from there, as the version numbers etc. all seem to line up.
    And I should be able to jump from my ISO of 1709 (downloaded from the Microsoft License Center) to the “monthly update” without the need to install anything beforehand.