I do something similar, but I don't join the domain. I thought after Windows 8, Audit Mode would no longer allow you to install updates. I usually install the LANDESK agent, install all the updates, uninstall the agent, and remove the registry entries. After that I do quite a bit of customization then sysprep /oobe /generalize /shutdown /unattend:unattend.xml. Then capture the image.
This is how I built our Windows 7, Windows 8.1, and Windows 10 images and it seems to work well for us.
That is unfortunate about the Windows updates. I was hoping to get them built into our base image so the techs do not have to wait for updates to install.
Thanks for your feedback.
You can, just use LANDESK to do it and then completely remove the agent and registry entries. Or there's a PowerShell script out there called PSWindowsUpdate (I think) that works. After I've built my reference image, I use DISM and WSUSOffline to service the image and inject the updates each month.
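As an added example (not code from the thread or from the PSWindowsUpdate project), the following script runs the PSWindowsUpdate route mentioned above on a reference VM in Audit Mode: it installs the module, then loops until Windows Update offers nothing further, stopping whenever a reboot is outstanding. It assumes an elevated PowerShell 5.1+ session, reachability of the PowerShell Gallery or WSUS, a scratch folder C:\Build that you created, and uses the module's own cmdlet names; the two reboot-indicator registry keys are the ones the servicing stack and Windows Update set.

```powershell
# Added example, not from the thread: patch a reference VM with the community
# PSWindowsUpdate module, looping until Windows Update reports nothing left.
# Assumptions: elevated PowerShell 5.1+, PowerShell Gallery (or WSUS) reachable,
# C:\Build is a scratch folder you created. Cmdlet names are PSWindowsUpdate's.

$ErrorActionPreference = 'Stop'
$logPath = 'C:\Build\WindowsUpdate.log'   # assumed log location

if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    # First-time install of the module from the PowerShell Gallery
    Install-Module -Name PSWindowsUpdate -Scope AllUsers -Force
}
Import-Module PSWindowsUpdate

function Test-PendingReboot {
    # Either key is created when the servicing stack or Windows Update needs a reboot
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
}

$maxPasses = 8   # cumulative updates often unlock further updates; cap the loop anyway
for ($pass = 1; $pass -le $maxPasses; $pass++) {
    if (Test-PendingReboot) {
        Write-Warning "Reboot pending after pass $($pass - 1); reboot the VM and rerun this script."
        exit 3010   # conventional 'success, reboot required' exit code
    }

    # -AcceptAll suppresses the per-update prompt; -IgnoreReboot leaves the reboot to us;
    # -MicrosoftUpdate also offers updates for other Microsoft products
    $installed = Get-WindowsUpdate -AcceptAll -Install -IgnoreReboot -MicrosoftUpdate
    $installed | Format-Table -AutoSize | Out-File -FilePath $logPath -Append -Encoding utf8

    if (-not $installed -or $installed.Count -eq 0) {
        Write-Host "Pass ${pass}: no further updates offered. Reference image is current."
        break
    }
    Write-Host "Pass ${pass}: processed $($installed.Count) update(s)."
}
```

After each reboot the script is simply run again; the log in C:\Build records what every pass installed, which is useful evidence of what the base image contained when it was captured.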
I will give that a shot. Thanks again.
We don't use Patch Manager. We have a WSUS server. I will add the machine to domain and WSUS should push down all updates I need, then I can disconnect from domain, reboot, do any last config changes and then capture.
Is joining a computer to the domain a bad idea? It's the only way I know how to easily update windows.
As far as I know you should be able to do that. I think sysprep will automatically remove the machine from the domain, but don't quote me on that.
If that doesn't work, look into that PSWindowsUpdate PowerShell script. It's fairly easy to use.
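Rather than relying on sysprep to remove the machine from the domain, the reference VM can be checked before sysprep is run. The following preflight script is an added example (not code from the thread): it reports whether the VM is domain-joined and whether the machine-side Group Policy cache still lists domain GPOs, and optionally performs the unjoin. It assumes an elevated session on the reference VM, that 'WORKGROUP' is the workgroup to return to, and that the Group Policy History registry path is where Windows caches applied GPOs (domain GPOs there carry an LDAP:// DSPath).

```powershell
# Added example, not from the thread: pre-sysprep check that the reference VM is not
# domain-joined and has no cached domain Group Policy state, with an opt-in unjoin.
# Assumptions: run elevated on the reference VM; 'WORKGROUP' is the workgroup to return to;
# HKLM\...\Group Policy\History is where the GP client caches applied GPOs.

[CmdletBinding()]
param(
    [switch]$LeaveDomain,                  # perform the unjoin instead of only reporting
    [string]$WorkgroupName = 'WORKGROUP'
)

function Test-SysprepReady {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $gpHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'

    # Numbered subkeys under each client-side-extension GUID describe one applied GPO;
    # domain GPOs are the ones whose DSPath points into AD (LDAP://...)
    $cachedDomainGpos = @()
    if (Test-Path $gpHistory) {
        Get-ChildItem -Path $gpHistory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.PSObject.Properties['DSPath'] -and $p.DSPath -like 'LDAP://*') {
                $cachedDomainGpos += "$($p.DisplayName) ($($p.GPOName))"
            }
        }
        $cachedDomainGpos = @($cachedDomainGpos | Sort-Object -Unique)
    }

    [pscustomobject]@{
        ComputerName     = $cs.Name
        PartOfDomain     = $cs.PartOfDomain
        Domain           = $cs.Domain
        CachedDomainGpos = $cachedDomainGpos
        Ready            = (-not $cs.PartOfDomain) -and ($cachedDomainGpos.Count -eq 0)
    }
}

$state = Test-SysprepReady
$state | Format-List

if ($state.PartOfDomain -and $LeaveDomain) {
    # Remove-Computer needs domain credentials to clean up the AD computer object;
    # -Force skips the confirmation and the VM reboots into the workgroup
    $cred = Get-Credential -Message "Domain account allowed to unjoin $($state.Domain)"
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $WorkgroupName -Force -Restart
}
elseif (-not $state.Ready) {
    Write-Warning 'Not ready for sysprep: unjoin the domain, run gpupdate /force after the reboot, then re-run this check.'
    exit 1
}
else {
    Write-Host 'Workgroup member with no cached domain GPOs; safe to run sysprep /generalize.'
}
```

The check covers machine policy only; per-user policy history lives under HKCU for the account that logged on, which is another reason to do the build from a local account.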
I don't believe sysprep will process if the computer is joined to the domain, though I could be wrong; it's been years since I've even attempted it, and that was when we were an MDT shop and used an MDT capture template, which syspreps for you. Personally, I believe domain joining to be bad practice as policies can follow the machine after a sysprep. If your GPO changes, this could cause conflicts. The only real solution to this scenario would be to have no policies applied to the AD OU "Computers" (which is the default group in AD), and have all your live production machines in a separate, custom directory that get moved (either joined to the domain in that particular OU, or moved there after deployment).
If you use WSUS to handle updates, you should be able to get the WSUS share path and inject the packages into a reference WIM using DISM. You'd simply extract a base Windows 7 installation WIM from an ISO, mount it, add packages, save and unmount the WIM:
net use Z: \\path\to\WSUS\share /user:domain\user
rem /index selects the edition inside the WIM; list them with dism /get-wiminfo /wimfile:C:\path\to\install.wim
dism /mount-wim /wimfile:C:\path\to\install.wim /index:1 /mountdir:C:\path\to\mount
rem /packagepath pointing at a folder adds every .cab/.msu found in it
dism /image:C:\path\to\mount /add-package /packagepath:Z:\
dism /unmount-image /mountdir:C:\path\to\mount /commit
This process may take a while, as DISM has to look at every single msu to see if it's compatible, but this should work.
Our organization uses LANDesk to handle patching, so we have a virtual machine with Windows installed and a LANDesk agent. We simply process the patches, uninstall the agent, remove unique IDs from the registry, delete the %programdata%\LANDesk folder, sysprep /generalize /oobe /shutdown, and then mount the virtual disk and capture with ImageX.
You can also find a bunch of handy information (such as reasons why NOT to include an imaged PC in a domain) and various hacks / fixes, in the following video & materials:
Hope that helps.
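The DISM injection described in the post above, written out as an added example (not code from the thread) using the DISM PowerShell module instead of dism.exe: it mounts one index of a reference install.wim, injects every .msu/.cab from a package folder such as a copy of the WSUS content or a WSUS Offline download, and commits the image. It adds one check the post does not: each package's Authenticode signature must be valid and chain to a Microsoft signer before it is injected, so a tampered or foreign file dropped on the share cannot end up baked into the base image. It assumes the Dism module (Windows 8+, or the ADK on a Windows 7 host), an empty mount directory, an elevated session, and placeholder paths you adjust; the Microsoft-subject match is a minimal check.

```powershell
# Added example, not from the thread: offline-service a reference install.wim with the
# DISM PowerShell module, injecting every .msu/.cab from a package folder after
# verifying its Authenticode signature.
# Assumptions: Dism module present (Windows 8+/ADK); paths below are placeholders;
# the mount directory is empty; run elevated.

param(
    [string]$ImagePath     = 'C:\Build\install.wim',   # extracted from the Windows ISO
    [int]   $Index         = 1,                        # edition inside the WIM
    [string]$MountDir      = 'C:\Build\mount',
    [string]$PackageSource = 'Z:\'                     # mapped WSUS share or update folder
)
$ErrorActionPreference = 'Stop'
Import-Module Dism

function Test-TrustedUpdatePackage([string]$Path) {
    # Inject only packages whose signature chains to a trusted root and whose signer is
    # Microsoft. Minimal check: pin a known signer thumbprint for a stricter policy.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like 'CN=Microsoft*')
}

Get-WindowsImage -ImagePath $ImagePath | Format-Table ImageIndex, ImageName -AutoSize
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null

$report = @{ Added = @(); Skipped = @(); Failed = @() }
try {
    $packages = Get-ChildItem -Path $PackageSource -Recurse -Include *.msu, *.cab -File
    foreach ($pkg in $packages) {
        if (-not (Test-TrustedUpdatePackage $pkg.FullName)) {
            $report.Skipped += $pkg.Name   # unsigned or foreign signer: do not trust it
            continue
        }
        try {
            # DISM checks applicability itself; a 'not applicable' package throws here
            # and is recorded rather than aborting the whole run
            Add-WindowsPackage -Path $MountDir -PackagePath $pkg.FullName -ErrorAction Stop | Out-Null
            $report.Added += $pkg.Name
        } catch {
            $report.Failed += "$($pkg.Name): $($_.Exception.Message)"
        }
    }
}
finally {
    # -Save commits the changes; use -Discard instead if the run went badly wrong
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}

"Added {0}, skipped {1} (signature), failed {2}" -f $report.Added.Count, $report.Skipped.Count, $report.Failed.Count
$report.Failed
```

The per-file loop is slower than pointing /packagepath at the whole folder, but it lets the signature check run before DISM touches a package and gives a per-package record of what was rejected as not applicable, which the bulk form hides.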