8 Replies Latest reply on Oct 19, 2016 1:59 AM by phoffmann

    Windows 10 base image

    1977-ITGuy Apprentice

      I know this portion is probably not a preferred LANDesk subject but since we are using LANDesk for OS Provisioning, I figured I would ask.  I am looking for a "best practice" for creating a windows 10 image. Here is my current plan:

       

      1 - Install Windows 10

      2 - At welcome screen, press Ctrl-Shift-F3 to enter Audit mode

      3 - Make any configuration changes to the OS that will fit our business needs (excluding software as I do not want lsoftware loaded on our image.)

      4 - Add to our domain and install all security updates

      5 - Remove from domain

      6 - Select OOBE and Generalize

      7 - Shut down and capture

       

      If anyone agrees or thinks there is a better way to do this, please let me know.  Thanks!

        • 1. Re: Windows 10 base image
          steve.may Apprentice

          I do something similar, but I don't join the domain.  I thought after Windows 8, Audit Mode would no longer allow you to install updates.  I usually install the LANDESK agent, install all the updates, uninstall the agent, and remove the registry entries.  After that I do quite a bit of customization then sysprep /oobe /generalize /shutdown /unattend:unattend.xml.  Then capture the image.

           

          This is how I built our Windows 7, Windows 8.1, and Windows 10 images and it seems to work well for us.

          • 2. Re: Windows 10 base image
            1977-ITGuy Apprentice

            Steve,

             

            That is unfortunate about the Windows updates.  I was hoping to get them built into our base image so the techs do not have to wait for updates to install.

             

            Thanks for your feedback.

            • 3. Re: Windows 10 base image
              steve.may Apprentice

              You can, just use LANDESK to do it and then completely remove the agent and registry entries.  Or there's a PowerShell script out there called PSWindowsUpdate (I think) that works.  After I've built my reference image, I use DISM and WSUSOffline to service the image and inject the updates each month.

              • 4. Re: Windows 10 base image
                1977-ITGuy Apprentice

                I will give that a shot.  Thanks again.

                • 5. Re: Windows 10 base image
                  1977-ITGuy Apprentice

                  We don't use Patch Manager.  We have a WSUS server.  I will add the machine to domain and WSUS should push down all updates I need, then I can disconnect from domain, reboot, do any last config changes and then capture.

                   

                  Is joining a computer to the domain a bad idea?  It's the only way I know how to easily update windows.

                  • 6. Re: Windows 10 base image
                    steve.may Apprentice

                    As far as I know you should be able to do that.  I think sysprep will automatically remove the machine from the domain, but don't quote me on that.

                     

                    If that doesn't work, look into that PSWindowsUpdate PowerShell script.  It's fairly easy to use.

                    • 7. Re: Windows 10 base image
                      jParnell Specialist

                      I don't believe sysprep will process if the computer is joined to the domain, though I could be wrong; it's been years since I've even attempted it, and that was when we were an MDT shop and used an MDT capture template, which syspreps for you. Personally, I believe domain joining to be bad practice as policies can follow the machine after a sysprep. If your GPO changes, this could cause conflicts. The only real solution to this scenario would be to have no policies applied to the AD OU "Computers" (which is the default group in AD), and have all your live production machines in a separate, custom directory that get moved (either joined to the domain in that particular OU, or moved there after deployment).

                       

                      If you use WSUS to handle updates, you should be able to get the WSUS share path and inject the packages into a reference WIM using DISM. You'd simply extract a base Windows 7 installation WIM from an ISO, mount it, add packages, save and unmount the WIM:

                       

                      net use Z: \\path\to\WSUS\share /user:domain\user

                      dism /mount-wim /wimfile:C:\path\to\install.wim /mountdir:C:\path\to\mount

                      dism /image:C:\path\to\mount /add-package /packagepath:Z:\

                      dism /unmount-image /mountdir:C:\path\to\mount /commit

                       

                      This process may take a while, as DISM has to look at every single msu to see if it's compatible, but this should work.

                       

                      Our organization uses LANDesk to handle patching, so we have a virtual machine with Windows installed and a LANDesk agent. We simply process the patches, uninstall the agent, remove unique ID's from the registry, delete the %programdata%\LANDesk folder, sysprep /generalize /ootb /shutdown, and then mount the virtual disk and capture with ImageX.

                      • 8. Re: Windows 10 base image
                        phoffmann SupportEmployee

                        You can also find a bunch of handy information (such as reasons why NOT to include an imaged PC in a domain) and various hacks / fixes, in the following video & materials:

                        - [Tech Brief On-Demand Webinar 2016] Provisioning with LANDESK Management Suite

                         

                        Hope that helps.