Update 16/01/2018: Updated this post to reflect the release of Microsoft Deployment Toolkit 8450, which fully supports Windows 10 1709.
Update 30/10/2017: If SysPrep is consistently failing when building your Windows 10 1709 image, it is most likely due to the Windows Store update process updating the built in UWP apps. This issue is a known issue, but one I’ve managed to dodge when building previous versions of Windows 10. With 1709, I’ve had SysPrep fail every time. More information on this issue is available directly from Microsoft here.
Solution: The best way to prevent SysPrep from failing is to disable the Store update process or to disable internet access. For more information on how to disable the Windows Store update process, please read this blog post from Johan Arwidmark’s Deployment Research. If the fix above isn’t working for you (it didn’t work for me either), or you would rather disable internet access without resorting to editing your network configuration, check out this post from Peter Löfgren’s System Center Ramblings, where he has created a PowerShell script to use Windows Firewall to block internet access for the duration of the image build process. The PowerShell script is included below in this walk through.
This post is designed to walk through installing and configuring Microsoft Deployment Toolkit to build a reference image of Windows 10 1709 (better known as the Fall Creators Update) using a Hyper-V Virtual Machine. Some useful links before we get started:
- Rufus - Useful for doing a clean install on the admin PC.
- Remote Server Administration Tools for Windows 10
Installing & Configuring Microsoft Deployment Toolkit and Dependencies
We’ll be using Microsoft Deployment Toolkit (MDT) version 8450,which fully supports Windows 10 1709. Here’s the links to download the software we’ll be installing:
- Windows 10 1709 Assessment and Deployment Kit (ADK)
- Microsoft Deployment Toolkit (8450)
- Windows 10 1709 x64 (Volume Licensing Service Center
- The Cumulative update for Windows 10 1709 x64 KB4093112, released April 10th 2018, bringing Windows 10 1709 to OS Build 16299.371. More information is available here. Please note: Don’t download the Delta update for adding to MDT.
First we’ll install the Windows 10 1709 ADK. The setup will need to download additional files so it may take some time depending on your internet connection.
On the Select the features you want to install screen select:
- Deployment Tools
- Windows Preinstallation Environment (Windows PE)
- Imaging And Configuration Designer (ICD)
- Configuration Designer
- User State Migration Tool (USMT)
Now install MDT by running the setup file downloaded earlier. There is no specific configuration during the install wizard. After it’s installed we need to create the Deployment Share.
Create the Deployment Share
- Open the Deployment Workbench from the Start Menu.
- Right click on Deployment Shares.
- Select New Deployment Share.
- Enter the path for the Deployment Share: E:\BuildShare.
- Enter the Share name: BuildShare$.
- Give the share a descriptive name.
- On the Options screen, accept the defaults as you can change them later.
- Complete the wizard to create the share.
We now need to add an Operating System to work with.
Add an Operating System
- Mount the Windows 10 1709 .iso in File Explorer.
- Go to Deployment Workbench > Operating Systems.
- Right click and select New Folder.
- Enter the name Windows 10 1709 x64 and click through the wizard to create the folder.
- Right click again and select Import Operating System.
- In the wizard, select Full set of source files and then enter the root of the mounted .iso as the Source directory.
- For the destination directory name enter Windows 10 1709 x64 and complete the wizard.
- Go to the Operating Systems/Windows 10 1709 x64 node and rename the new entries you just added to Windows 10 1709 Edition x64.
Next we’ll be adding the latest Cumulative Update for Windows 10 1709 downloaded earlier, to do this we’ll be adding it to the Packages section of MDT. The reason we do this is so the CU will be installed with the Operating System, rather than relying on WSUS or Windows Updates to download and install it. The advantage of doing it this way is the entire Task Sequence will be faster and Windows will be up to date when it is installed.
- Go to Deployment Workbench > Packages.
- Create a folder named Windows 10 1709 x64.
- Right click on the folder and select Import OS Packages and go through the wizard to add the package. The downloaded update .msu file must be in a folder by itself.
Now we create a selection profile so that the Task Sequence only attempts to install the update for Windows 10 1709 x64.
Creating A Selection Profile
- Expand the Advanced Configuration node.
- Right click on Selection Profiles and select New Selection Profile.
- Name it Windows 10 1709 x64.
- On the Folders page, tick the Windows 10 1709 x64 folder under Packages and complete the wizard.
Importing Applications (Optional)
You may want to add some applications to be a part of your reference image, here I’ll cover how to add Microsoft Office. MDT recognises Microsoft Office and provides automated/silent install options.
- Go to Deployment Workbench > Deployment Share > Applications.
- Right click on Applications and select New Application.
- In the New Application Wizard, choose Application with source files.
- Give the application the name: Microsoft Office.
- Enter the Source directory of the installation files.
- Enter the Destination directory: Microsoft Office.
- For the Command line enter anything - we’ll revisit this soon.
- On the summary page, click Next and after the files are copied click Finish to complete the wizard.
Configure the Application - Microsoft Office
- Right click on Microsoft Office, go to the Office Products Tab.
- Choose the desired Office Product to Install from the drop down menu.
- Check the desired Office language.
- Enter a product key, unless you will be activating Office via KMS in which case leave the Product Key option unchecked.
- Check the Customer name option and enter the desired information.
- Check the Display level option and select None in the drop down menu.
- Check the Accept EULA option.
- Check the Always suppress reboot option.
- Click Apply.
- Go to the Details tab and the Quiet install command should now read:
setup.exe /config proplus.ww\config.xml
Microsoft Office is now set up to be installed silently by a Task Sequence. If you wish to customise the installation to a greater degree, the Office Customization Tool can be launched from the Office Products tab. This process can also be done for Microsoft Visio and Project applications. We need to now create the Task Sequence that will create our reference image of Windows 10 1709.
Create a Task Sequence
- In Deployment Workbench, go to Task Sequences.
- Right click and select New Task Sequence.
- For the ID enter: W10-1709.
- Name it Build Windows 10 1709.
- Select Standard Client Task Sequence.
- Select the Operating System Windows 10 1709 x64.
- Do not specify a product key at this time.
- Enter an Organization name.
- Do not specify an Administrator password at this time.
- Complete the wizard.
Now we’ll configure the Task Sequence.
Configure the Task Sequence
- Right click on the Task Sequence just created and select Properties.
- Go to the OS Info tab and click Edit Unattend.xml. It will take sometime to generate the catalog.
- When the Unattend.xml opens, go to 7 oobesystem > amd64_Microsoft-Windows-Shell-Setup__neutral > OOBE.
- Change the ProtectYourPC setting to 3. This will prevent the image from randomly checking for updates whilst it is being built.
- Save the Unattend.xml, you can safely ignore an warnings.
- Go to the Task Sequence tab on the Properties window of the Task Sequence.
- Expand the Preinstall folder, and select the Apply Patches item.
- Change the Selection Profile to Windows 10 1709 x64.
- Go to the State Restore folder and select Windows Update (Pre-Application Installation).
- On the right side of the Properties window, go to the Options tab.
- Uncheck the Disable this step tick box and do the same with Windows Update (Post-Application Installation).
- If you skipped the Importing Applications section, please disable the Install Applications item and go to step 16, if not please continue.
- Go to the Install Applications item.
- In the right side of the Properties box, select the Install a single application option and click the Browse… button.
- Select Microsoft Office and change the name Install Applications to Microsoft Office.
- Click Apply and close the Task Sequence.
Blocking Internet Access to prevent Windows Store App Updates
To block internet access to the VM whilst the image is building, we’ll use the script fromPeter Löfgren’s System Center Ramblings post.
First create a PowerShell script called Internet-Access.ps1 with the following code:
Save the script in your MDT share, where the Task Sequence will be able to access it. I save my custom scripts in a folder called _scripts the Applications folder. Now, in the Task Sequence created above, we’ll add the items required to run the PowerShell script to enable and disable the internet blocking firewall rules.
- Go to the Task Sequence tab on the Properties window of the Task Sequence.
- Go to State Restore and click on the Add button.
- Go to General > Run PowerShell Script.
- Name the new item PS Script - Disable Internet Access.
- Enter Z:\Applications\_scripts\Internet-Access.ps1 or your own path to the PowerShell script we just created.
- Scroll down the Task Sequence to just above the Imaging folder.
- Once again, add a new Run PowerShell Script item.
- Name it PS Script - Enable Internet Access.
- Again, enter Z:\Applications\_scripts\Internet-Access.ps1 or or your own path to the PowerShell script.
- Important: Add -Disable to the Parameters section.
- Click Apply and OK to close the Task Sequence.
Now just after booting up, a firewall rule will be added to block traffic on ports 80 and 443, and just before starting the SysPrep and capture process the firewall rule will be removed. Next we’ll create a domain user account for MDT.
Create an Active Directory User for MDT
- Go to Active Directory Users and Computers.
- Create a user called mdt_admin.
- On the server where the deployment share is hosted, give mdt_admin Full Control share permissions and Full Control permissions to all the files and folders under the deployment share.
Now we’ll configure the Bootstrap.ini and the Rules.ini files to control certain aspects of the deployment environment. The settings below enable auto log in and skip the welcome screen, so these should only be used for lab/closed environments.
- In Deployment Workbench, right click the Deployment Share and select Properties.
- Select the Rules tab and click the Edit Bootstrap.ini button.
- Add the settings below to the Bootstrap.ini.
- Close and Save the Bootstrap.ini
On the Rules tab of the Deployment Share properties window, add the settings below. A lot of the settings are specific to my demo environment such as my location in the world.
Now it’s time to create the boot media to boot into the deployment environment.
Creating The Boot Media
- In Deployment Workbench, right click on the Deployment Share.
- Select Update Deployment Share.
- Select Completely regenerate the boot images.
- Complete the wizard. It will take some time to create the boot images.
Testing The Boot Media
To test the boot media, copy the LiteTouchPE_x64.iso from \\SERVERNAME\BuildShare$\Boot to a location where a Hyper-V Virtual Machine will be able to access it.
Create a new VM in Hyper-V and configure it as such:
- 2x vCPUs
- 4GB of RAM
- NIC with access the MDT server and WSUS server.
- Virtual Hard Drive of at least 80GB, preferably on an SSD.
- Boot from DVD Drive using the LiteTouchPE_x64.iso from MDT.
Start the VM and it should boot from the LiteTouchPE_x64.iso into the deployment environment. You should be presented with a wizard and the name of the Task Sequence you created earlier. Select it and click Next. The Task Sequence will now run, install Windows 10 1709, update from the WSUS server, install Microsoft Office applications (if you added them) and then run Windows Update from the WSUS server again to update the Office apps, run SysPrep and the reboot back into the MDT environment and capture the image. When this process completes the VM will be shutdown and a file named W10-1709_YEAR_MONTH_DAY_HOUR_MINUTE.wim will be in \\SERVERNAME\BuildShare$\Captures.
You may also want to add scripts and tweaks to your Task Sequence, such as this PowerShell script to uninstall any UWP apps which aren’t needed or these common applications, depending on your environment.
msiexec /I googlechromestandaloneenterprise64.msi /qn
You now have a functioning Microsoft Deployment Toolkit server, with a Deployment Share specifically configured for building reference images, and a Task Sequence to build and capture a Windows 10 1709 reference image.