How to Create an Offline MDT USB Drive

“MDT on a Stick”

MDT is excellent at deploying operating system images over the network, but in some cases, the network is not good enough for reliable deployment. Air-gapped networks or others with limited bandwidth can prevent MDT deployments from succeeding. I have a couple of spaces like this and in those areas I use a complete self-contained MDT deployment share on a single USB drive. Fortunately, USB drive prices have come down enough to make a large-capacity drives easily affordable. In this case, I would focus more on the USB drive’s speed in addition to capacity.

This process is pretty straight forward, it just needs a bit of time and a decent amount of free hard drive space.

The first thing needed (obviously) is a working MDT deployment share. If the share isn’t working properly, those issues will transfer to the offline deployment share/USB drive. Secondly, the MDT share needs to be laid out in detail and organized. The more it is, the better options will be for the offline MDT USB drive.

The offline share’s definition is based on an MDT selection profile. This determines what components of the MDT deployment share get incorporated into the offline USB drive.

 

To create, right-click the Selection Profiles folder and choose “New selection profile.”

 

Most of the deployment share contents need to be selected for the offline USB to work. The differences available depend on how many levels of organization are built into the deployment share. I have everything broken down by operating system. This allows me to create an offline USB drive for just Windows 10, Windows 11 or both with the matching ISOs, task sequences and drivers.

Once created, you can choose to add/remove components to the offline share via that selection profile. Here I have just the items needed to deploy Windows 11. Windows 10 isn’t long for my network.

To contain all of this a media file is created which will hold an exact copy of the source MDT deployment share, as defined by the selection profile. This is where the decent amount of free HDD space is needed. If the deployment share is 200GB, the drive where the media file lives will need at least that amount.

The media file’s properties is a replica of the deployment share’s properties and would be configured as a regular MDT deployment share.

To create the media file, right-click the Media folder and choose “New media.” It will ask where to create and store the media file and which selection profile it should use. Quick video showing how to create the selection profile and media file.

As one would for a regular MDT deployment share, options can be configured for the configuration.ini and bootstrap.ini files as well as regular preferences. Changes made to the media file properties do not propagate back to the source MDT deployment share. Changes made to the source MDT deployment share DO propagate down to the media file when the media file is updated.

Quick video about editing the media file.

The directory where the media file lives holds a copy of the deployment share in the “Content” directory as well as the resulting ISO that is created. If the intention is to have multiple media files, house each in their own directory.

After everything has been created and configured, the media file needs to be updated. This is the same as updating the deployment share with the differences being that a new ISO is created each time the media file is updated. The entire deployment share will be copied into a Windows PE ISO. This happens in its entirety each time the media file is updated. The are no deltas incorporated. Given the size of the selection profile and the speed of the storage media, this can take a bit of time.

After that, the ISO can be tested in virtualization or written to a USB key. Test it all out before writing to a USB drive. Keep in mind all of the software, ISOs and scripts that are on the MDT deployment share, now reside on that USB drive.

Enjoy!

 

 

 

 

 

 

 

 

 

 

 

Deploying Images with MDT/WDS

The main point of MDT and WDS is to place Windows on a computer’s disk drive. To do this, MDT uses a series of steps in a task sequence that perform the necessary operations to facilitate installation. The crucial point to all of this is the network. Networking between the MDT/WDS server and the target clients must be clear and working. DHCP, DNS, and even WINS (if you’re feeling nostalgic) all must be working properly or else what could seemingly be an MDT/WDS problem, could actually be a network problem. MDT uses two ways to connect to the server over the network, USB key, and PXE. Pre-execution Environment (PXE) requires the use of a Windows Server configured with the Windows Deployment Services (WDS) role. MDT USB keys are copies of Windows PE, designed to connect to MDT and pull an image from the server. This is where the focus of this post will reside.

The good thing is that MDT has a provision for creating it’s boot sources built-in. Each time a deployment share is updated in MDT the drivers and settings contained within that share are added to a boot WIM and a boot ISO that is used to connect to the MDT server. These are located in the Boot folder of the deployment share. The WIM is used for copy to an WDS server and served-up via PXE. The ISO is meant for a CD-ROM, or the modern USB key. Simply booting a PC to that disc or key, and with DHCP working, the PC will connect to the MDT server. MDT does support the use of static IP addresses at the welcome screen, but DHCP is better and essential if PXE booting is desired.

Creating the MDT (Windows PE) boot volume…

Drivers are the biggest issue with regards to MDT’s Windows PE boot volume. Many times I have had to troubleshoot a connection to MDT that wasn’t connecting only to find out a driver was the issue. Like the target images, MDT’s PE needs network and system drivers to run on the clients to/for connecting. OEMs like Dell and Lenovo make Windows PE drivers available for their hardware, which makes it easy to organize those resources. Another place I go for network drivers is Intel’s web-site and their PRO LAN drivers.

Once I download and extract the drivers, I import them into MDT the normal way, but into their own folder within the driver store. Just like I create folders for the operating system and platform, I also create a Windows PE folder at the same level.

WinPE driver foldersOnce the drivers are added, I create a selection profile for just the PE drivers. This is so I can assign them to the MDT Windows PE boot device. Selection profiles are found under the “Advanced Configuration” folder, under task sequences. Simply, right-click the folder to create a new selection profile and drill-down the driver list to select only the Windows PE drivers. I create a separate profile for 32-bit and 64-bit platforms.

WinPE Selection ProfileNow, from the properties of the deployment share, choose the Windows PE tab and then choose the “Drivers and Patches”  sub-tab. From the drop-down list, any selection profile can be used with all or some of the drivers. This is where I choose my WinPE selection profile. With this, only the WinPE drivers will be used to connect to the MDT server. Note: there are two options on the WinPE tab, one for x86 and x64.

WinPE tab optionsOther details can be set on the Windows PE tab, though the defaults are usually sufficient. For example, I change the wallpaper Windows PE uses to display a message on the screen, while the computer is imaging.

General tab optionsThe image description for the WIM file is what WDS displays to the end user when they PXE boot to that server and are prompted to select a boot volume. I rename the WIM description and the ISO file name to follow suit with the deployment share.

When everything is as-desired, the deployment share must be updated to generate/regenerate the Windows PE WIM and ISO files. This process takes a few moments to complete, so grab a drink…

Once the deployment share has been successfully updated and has generated the Windows PE volumes in the desired configurations, we need to get those onto the WDS server, or portable media. Even with extreme customization, the ISO for the deployments share’s Windows PE volume is pretty small (by today’s standards). I’ve been using a legacy 512MB USB key for my 64-bit MDT Windows PE, which has to be over ten years old by now. Of course, later USB keys can be used. Use whatever method is best suited to place the ISO on the USB key as a bootable volume. I like to use a piece of freeware, called “Rufus“, but again use whatever works for you.

For WDS, the WIM file, created by updating the MDT deployment share, and placed in the “Boot” folder, along with the Windows PE ISOs, must be copied to the WDS server (if WDS, and MDT are on different computers), and used to “replace”, or create the WDS boot volume.

Go into WDS, right-click the desired boot image, and choose “Replace Image…”

After replacing the WDS boot image, it is not a bad idea to restart WDS on that server, just in case.

Deploy Time…

Get the target computer or VM ready by making sure it can either boot to the NIC, and get a DHCP address, or boot to USB. If you’re PC is using UEFI for its BIOS/firmware, booting to the NIC will most-likely have to be enabled in the BIOS setup (at least for Dell hardware anyway). Most of the PCs shipping from OEMs today will boot to a USB drive without any configuration needed. While in the BIOS setup, you might want to check that too. Pressing F12 on both Dell and Lenovo hardware will interrupt the boot sequence, and allow one to change the boot device for this particular boot, or enter the BIOS. Either way, boot to the USB to use a WinPE USB boot drive, or to the NIC for WDS. Also, keep in mind that complete network connectivity is required throughout the whole imaging process, from start to finish. If MDT’s WinPE volume cannot get an IP address, or see the computer/VM’s hard drive, the correct drivers need to be added. I think 85% of MDT imaging problems are driver-related.

I like to do my imaging off of the production network. First reason, is to not interfere with bandwidth that other computers may need during the day. However, MDT is a good network citizen. I’ve imaged dozens of computers over the production network, at the same time, without any negative impact. Second reason is that after imaging completes, you may have an unpatched copy of Windows on the network. This depends on the steps enabled in your task sequence, whether Windows Update is enabled or not, and how old the image being deployed actually is. Keeping the newly-imaged isolated from everyone else until it has had a chance to get the latest updates from WSUS, and get the latest virus definitions from SEP is a good idea. Since I am the only one using my MDT/WDS server, I keep that behind the NAT as well. My imaging traffic never even sees the production network, usually…

If MDT will deploy an image to a PC that already has a copy of Windows installed, and is not going to be performing an upgrade, wipe the target hard drive first. I use diskpart, and its “clean” command to quickly prepare disk drives on existing installations. Backup any and all data on the target PC before cleaning. If any doubt exists as to whether or not the data might be needed later on, back it up. Adding the following text to a simple txt file, called “clean.txt” will automatically clean any disk that is listed as disk zero.

select disk 0
clean

From a Windows PE command prompt, run the script by executing:

diskpart.exe /s clean.txt > diskpart_log.txt

Boot the computer, and connect to the MDT server. If things start going wrong at this point, there are few things, which are most-likely the culprit.

Can’t boot to USB drive, or the NIC? Check the BIOS, and modify the boot sequence, if necessary. Most new PCs are not set to boot to the NIC in the BIOS, so if that is your goal, check that setting and enable it. While in the BIOS, make sure ALL USB ports are enabled, and configured to allow boot. If the PC is set to successfully boot to either option, check the USB flash drive by using it to boot a known-good PC, which has been demonstrated to boot to USB or NIC in the past. For the hell of it, try a different USB port. I’ve only ever had one USB flash drive completely die on me. If the PC will not boot to the NIC, make sure that option is enabled in the BIOS, and that DHCP is working on your network. Make sure the WDS server is available over the network through ping via IP address and host name.

Successfully booted into MDT WinPE, but cannot connect to the deployment share? Start simple, make sure the WinPE session has received an IP address from DHCP. Press F8, in WinPE, and run the usual ipconfig command from the resulting command prompt. If DHCP is not available, find out why and fix it, or enter a static IP address at BDD Welcome screen (The first MDT screen, asking what is to be done). If a static IP address doesn’t work, then the problem is probably driver related. Add the drivers for the target hardware to the MDT driver store, and update the deployment share with complete regeneration (not the default option). Then, re-copy the WinPE ISO the USB flash drive, or replace the boot WIM on WDS with the updated copy, and restart WDS services on the server.

If the deployment share is accessed through a username and password, then make sure the correct set of credentials is being used. For domain use, I create a global group in active directory, and add those users that require access to the deployment share. Test access by having those users connect to the deployment share from Windows Explorer via:

\\server.domain.com\DeploymentShare$

If they cannot do that, they’ll never get in through Windows PE. Check the permissions… If the BDD Welcome screen, or a login prompt for the deployment share are not being displayed, the BootStrap.ini file is configured to bypass the welcome screen and automatically log users into the deployment share. That has to be done intentionally, and is not a default. Whether or not this is desired is up to the administrator of the deployment share. Having these steps pre-configured is essential for automating the imaging process, but not required for every MDT scenario.

Choose the option to deploy a new operating system on the BDD Welcome page, and select the desired task sequence. The steps given will all depend on how the deployment share’s CustomSettings.ini file is configured. I have one deployment share that is completed automated, without prompts. All the tech or whomever is imaging the computer sees is the actual process of MDT imaging the computer.

If the task sequence fails before it can re-partition and format the internal disk drive, there is most-likely a driver issue with either the chipset or storage controller in Windows PE. Again, add the latest WinPE drivers for your particular hardware. Even if you updated the drivers last week, check again. There may be an even newer update waiting. If that does happen, restart the image deployment from the beginning. Reboot the computer and “clean” the disk again with diskpart, or the new deployment will produce an error stating that a deployment is already in progress, and ask if you would like to continue that deployment, or start a new one. Chances are if the internal disk drive can be accessed, from Windows PE, by diskpart, and cleaned, there will be no issues accessing that drive to re-partition and format.

Once the task sequence has started, it will run by itself until something breaks, or asks for input. This again depends on the CustomSettings.ini, and specifically how the task sequence is configured. By default, all task sequences have an “Install applications” step, which will prompt the user to select which applications should be installed during deployment. Some task sequences will prompt for user data backup and restore, and some will prompt to capture an image of the computer, after deployment has finished. It all depends on how MDT is configured. If the deployment is running, just leave it alone and wait. Do not use either the computer receiving the image, or the one providing the image. For the wallpaper I use on my MDT Windows PE boot volumes, I have a Penn logo with a detailed inscription of what the computer is currently doing, and my contact information. The wallpaper image also asks that the computer not be used while the sign is present, and that interrupting the imaging process would require it to start all over again. Depending on network speed, the speed of the hardware at both ends, and the image size, the whole deployment process could be relatively quick, or could last a few hours. Just wait, and see until something breaks. If the task sequence fails in deploying Windows to that computer, MDT will indicate that with a pink-colored window. Completion, but with errors is indicated by a yellow-colored window, and success is indicated by a white window, indicating such. The MDT error messages are completely nondescript and far from helpful. The true key to identifying and fixing problems with MDT are the copious log files it generates.

 

 

MDT and Drivers

Drivers are a big part of getting Windows to work properly. Anyone who has ever had to troubleshoot a piece of hardware on Windows knows this. When generalizing an installation of Windows for capture with sysprep, all but the most basic drivers are removed. This makes the captured image applicable to many different types of hardware. During a task sequence, MDT runs a plug and play check, for hardware at a couple of different points to determine what drivers, if any, are needed. When a matching driver is found, it is injected into the image before it is applied to the computer’s hard drive. To do this, MDT has a folder/section in the deployment share that is dedicated to organizing and storing drivers. It is called “Out-of-Box-Drivers” (OOBD).

The basic INF files are what MDT needs for driver injection. Many drivers are distributed as packages, which come in the form of an executable. This is not what we need. If an executable is the only way a driver is available, it must be imported as an application into MDT, and installed via task sequence. Fortunately, OEMs like Dell, Lenovo, HP, and even Microsoft make bulk downloads of model-specific drivers available from their sites. Dell hardware drivers come in the form of a CAB file, which can be opened with the expand command, or with a compression/decompression utility like 7-zip.

Bulk-driver Download Sites for Dell, Lenovo, HP, and Microsoft (Surface)

I create a folder structure on the MDT server similar to “Drivers\Windows ##\Vendor\Model.” For example: D:\Drivers\Windows 7\Dell\OptiPlex 990

I do not delineate between x86 and x64 versions of drivers in my folder path because nearly all of my OS deployments are 64-bit. Dell combines x86 and x64 drivers in the same download. Many Dell drivers can be used on both platforms. Lenovo drivers will try to extract to their own, specified path, but that can be changed at runtime. Complete, downloaded driver packs can be between 300MB and 1,000MB in size, except for WinPE driver packs which are very small.

Using the expand command, I’ll extract the drivers to my folder structure.

expand C:\Users\jasonrw\Downloads\990-OptiPlex-ABCDE.cab -f:* “D:\Drivers\Windows 7\Dell\OptiPlex 990”

The command prompt window will scroll really quickly and end with the prompt returning. Now, we can import them into MDT. MDT is able to handle drivers in different manners. The basic default option is to throw all drivers into the same folder at the root OOBD directory. With that, a deployment task will search the entire OOBD store for the right drivers. This increases the chance of the wrong driver being selected. WMI is great, but it is not perfect. Another option is to break down the OOBD store by manufacturer/vendor or by operating system version. Creating folders for Windows 7 and Windows 10, respectively can help minimize the chance of a wrong driver being installed. I take it one step further, actually a couple of steps further. I still use MDT’s WMI hardware-querying capabilities, but I tell it exactly where to look.

I create a specific folder structure under OOBD that matches a specific WMI query I pass on to the deployment task. For example, Windows 7: Out-of-box-drivers\Windows 7\Dell Inc.\OptiPlex 990

OOBD Folder Hierarchy

The bottom two folder tiers each correspond to variable in a WMI query, Make and Model. To find the make or manufacturer of an OEM PC, run the following command from a command prompt.

wmic computersystem get manufacturer

The returns for Dell and Lenovo are “Dell Inc.” and “Lenovo

To get the model, run the same command as above, but replace “manufacturer” with “model” Top that off with a folder for OS version and platform, and you have something to use. In the task sequence, a task variable can be inserted into the PreInstall phase, before the inject drivers step to tell the task sequence exactly where to look. The variable is “DriverGroup001”, and the value is “Windows 7 x64\%Make%\%Model%” This will allow a task sequence to correctly use a WMI query to find the drivers for the exact make and model being imaged.

Task Sequence Variable

The Inject Drivers step has its own settings that needs to be configured. For our purpose, the selection profile has to be set to “Nothing” with all drivers from the selection profile being used.

Selection Profile

Selection profiles are the ultimate step toward driver control. They are a pre-defined selection of drivers that may encompass and individual model, or manufacturer. MDT ships with a few pre-defined selection profiles, but more can be created to suit any need. Given the exact control this approach provides, there is one detraction, it limits task versatility. Since a selection profile tells a task sequence exactly which drivers to use, MDT doesn’t query for them. The default setting for Inject Drivers is to query the entire OOBD store, but when “Nothing” is set, they querying is off. If it is desired that a task sequence only serve one or two makes of computers, this might be a good approach. I support about a dozen different models from two manufacturers, and I’d like my task sequences to be applicable to all.

I do use a selection profile to organize the drivers I use for my MDT Windows PE ISO/WIM files. Dell and Lenovo make drivers just for Windows PE available as a download too. I use the same approach as above to download, extract, and import the Windows PE drivers into MDT. Then, I create a selection profile for the Windows PE drivers and use that for my ISO/WIM file drivers.

Selection Profiles

To import drivers into OOBD, make your folders as desired, right-click the folder for the computer model, and choose “Import drivers.” A wizard will open, walking you through the process of importing the drivers from where they were extracted. It is real easy.

Import Drivers Wizard

After the driver import, the deployment share must be updated. By default, MDT uses the all network and system drivers it has in the OOBD store for the Windows PE ISO/WIM file. This can be changed, as I described above, with a custom selection profile, but it is not mandatory. Still, note, that each time drivers are added and removed, the deployment share should be updated for those new drivers to be used. Some drivers are clearly depicted whether or not they are x86 or x64. In reality, many single drivers can be used on both platforms, but the descriptor files do not always indicate that to MDT. Thus, MDT will import the driver and override the specified platform. This is noted after all of the drivers have been imported for that operation.

screen-shot-2016-09-25-at-15-06-54

I, personally, write down the name of each driver with a warning, and disable them after the wizard ends. Disabling/deleting a driver is easy, just right-click it in the MDT workbench and choose the appropriate option. Drivers must be disabled from their property sheet. Disabling a driver is a safe approach before it is determined that deletion is necessary. Only ever delete a driver from the MDT workbench. DO NOT go into the driver store via the file system and delete it that way.

Disable Driver

Again, when disabling or deleting a driver, you must update the deployment share to take it out of Windows PE.

Finding, downloading, extracting, and importing drivers into MDT is a big part of MDT configuration, which takes a great deal of time. If it is done with forethought and planning, it can minimize the driver problems a deployment share might have, and need only be done once. I note the name and date of the driver files that I download and import into MDT. Then, I can periodically check for updates from the vendor’s web-sites. The older a model is with the manufacturer, the less-frequent they tend to update the drivers packs for that model. If the manufacturer does not make a driver pack available for your model, it is possible, though very tedious, to download each driver, and extract them individually. I try to avoid doing that.

Thanks!

 

 

How to Create a Windows Image for Mass Deployment

Requirements: Windows install media (7 or 10. 8.x?), desired apps for the image (Office, PDF viewer, web browsers, plugins), virtual machine software (VMware Workstation, Microsoft Hyper-V, or Oracle Virtual Box), and image creation and deployment software (ImageX.exe, MDT, SCCM).

Almost every place I have ever worked, IT had or needed a method to clone and deploy a specific Windows configuration and application set. From a few PCs, to hundreds, the requirements were the same, to deploy the same configuration with as little, repetitive work as possible. The ideal target being what Microsoft calls “zero-touch” deployments that require no interaction on the target computer whatsoever. This is offered by Microsoft System Center (SCCM) along with the Deployment Toolkit (MDT). Many shops do not operate that way, and have some level of interaction required during the imaging process. This piece will discuss creating a Windows install for distribution.

 

What you’ll need…

Windows and software install media (obviously)

Virtual machine software for the creation workspace. Why? Two reasons. First, virtual machines provide the option to create hardware-neutral images which can be applied anywhere, regardless of what is actually in the target computer. One image becomes possible for multiple hardware configurations. This also involves less work in mainatining the image as any work only needs to be done once and not x-times per different type of hardware. Second, most virtual machine software (I’m not sure about Virtual Box) have the ability to save a VM’s state, and revert back to that state, should it become necessary. VMware calls these “snapshots”, and Microsoft uses the term “checkpoint” in Hyper-V. Should a screw-up occur, it can be undone without loosing work or have to re-do everything. These are two facets that are simply not available with building images on real hardware. Test on real hardware, but build in a virtual environment.

  • VMware Workstation is pricey, but well worth the cost IMHO.
  • Hyper-V comes with Windows Server 2008 and later, Pro and Enterprise versions of Windows 8, 8.1, and 10 as “Client Hyper-V.”. The build computer’s CPU must support hardware assisted virtualization for Windows to install the Hyper-V role. Intel Core 2 Duo/Quad CPUs won’t muster.
  • Virtual Box, now owned by Oracle, is a freebie. I haven’t used Virtual Box very much outside of general curiosity.

The build workstation has to have some power to it. Nothing extravagant like an Alienware, or Falcon Northwest gaming rig, but above average. Try to avoid using a laptop as a VM build station. Laptops are great for testing, but a desktop PC is optimal. Don’t use a Mac. I love my MacBook Pro, but it isn’t meant for making Windows images. A quad-core CPU (Intel Core i5/i7, or AMD Phenom series) will work for starters. The more powerful, the better. RAM is the key. The more the better. I routinely work with 16GB of RAM on my workstation (the most it’ll take), and it can handle three running VMs and the host OS before going wacky. 32GB of RAM is not ridiculously expensive today, and well-worth the couple-hundred extra bucks. VMs take up storage space quickly. Working on several VMs, it is not difficult to fill a 2TB HDD (I’ve done it). Those are not that expensive either, and 2TB is the starting point I’d go with for a virtualization rig. Anything more, and you have to make sure your PC supports UEFI vs. BIOS, or else all of the drive’s space will not be recognized by the firmware, and Windows. Working from USB storage might fly, but the throughput won’t match that of internal storage, and you’ll have a bottleneck. My VM creation setup, however, is backed-up every night to my trusty 4TB WD USB HDD. If you can get large-capacity SSDs instead of traditional rotational drives, do it, but don’t sacrifice space for speed. An SSD for the boot volume with Windows and apps along with a large 2TB+ traditional HDD for VM storage is a nice setup, and not fiscally unrealistic.

Virtual Machine Setup…

Create a new VM that will become your Windows image. For Windows 7 and later, I recommend 4GB of RAM, 1 CPU with 2 virtual cores (if possible), and a virtual hard drive the size of the smallest drive that will ever receive the image. We have some 128GB SSDs out there, so 128GB is my vHDD size. That’ll assure the image will fit everywhere you intend to deploy it. Now, it is easy to see how fast space will go on your drives. Everything else is fine with the defaults. Bridged vs. NAT network adapter? It doesn’t really matter even for network-based capture/deployment. I’ve used both and have noticed no speed differential.

Install and Configure Windows…

Install Windows onto the VM with all of the default settings. If you’re lazy like me, you can use an unattend file to answer all of those pesky setup questions. This site, the Windows Answer File Generator, has a GREAT web UI for creating unattend.xml files that WORK. Place the unattend file at the root of your install media and let Windows install itself. The whole process for Windows 7-10 should be 20-30 minutes. Don’t bother with the product key and activation. Sysprep will just strip that out in the end. If your build process takes longer than a month, you might need the key and activation. I’ve never run into that problem. Don’t join any active directory domains. Sysprep will quit if it is run on a domain-joined PC.

Next, power-down (not sleep, hibernate, or pause) the VM and create a snapshot or checkpoint. This will save you 20-30 minutes of re-installing should a foul-up occur. Power back on and go into Programs and Features (Windows 7) and add/remove all of the stuff that is not needed. I get rid of the tablet components, XPS printer/viewer, Windows Media Center, Windows Fax and Scan. All of the stuff I know the end users will not touch.

Update Windows/Office…

Before getting into the nitty-gritty of configuration, completely update Windows through Microsoft Update. The older your version of Windows, the more updates it will need, and the longer the update process will take. A fresh install of Windows 7 Enterprise SP1 x64 from MS VLC ISO required 296 updates before no  more were required (as of February 2016). This will take about a day (8+ hours) to complete. One might think about adding MS Office into this process to allow it to join in the update process, but there is a reason not. Take this opportunity of having a clean install of Windows, updated, and use it as a template for other VMs. VMware Workstation allows VMs to be cloned and copied, so a patched copy of Windows can serve as a starting point for other virtual machine projects. A MAJOR time saver. Completely update Windows until it screams “no more” and shut down, then take a snapshot.

Clone or continue? That’s up to you, but whatever is chosen, the next part is installing MS Office (if needed. I can’t imagine it wouldn’t), and completely updating that through Microsoft Update. I do a custom install of Office to not include the programs users won’t need, like Infopath, and Lync, Skype for Business, and OneDrive for Business. YMMV. Microsoft Office 2013 Pro Plus needed 151 updates to be complete from a fresh install of the MS VLC ISO. Again, I wouldn’t bother with product keys or activation for Office. Shut down and take a snapshot when that part is done.

Application Installs…

Add all of the applications that need to be deployed with the image. Here is where the question of thin image vs. thick image is contemplated. A thin image contains just the bare essentials needed to get started with many other apps installed at distribution. Programs that change often, and would require updating/re-capturing the image are best left to installation at deployment. Candidates for this include Adobe Flash Player, Shockwave, AIR, and antivirus software. Software that has first-run settings which must be answered for the end user should be placed into the image, and not installed at deploy time. We install many apps with our image, so this process takes us about as long as it does to update Windows and Office. A good example set to start would be: Mozilla Firefox ESR, Google Chrome Enterprise, Adobe Acrobat Reader, Quicktime Player, VLC Media Player, Microsoft Silverlight, Visual C++ Redistributables 2005-2015, Skype and 7-zip. Run each and every newly-installed application to make sure they work as intended, and then delete the downloaded installers. The plugins, and antivirus (SEP) will be installed when the image is deployed. Power-down the VM and take another snapshot.

By this point, we have a basic working install of Windows which is moderately useful and could probably be distributed to end users. One question does arise which is substantial in nature, and determines how next to proceed. Does a custom default user profile need to be created and configured? If yes, we need to do that before capture.

Customizing a default user profile…

Windows, by itself, works pretty well out of the box, but comes with a myriad of first-run dialogs and prompts which can be confusing. My target audience is public computing, classrooms, kiosks and labs. For privacy reasons, user profiles are not kept on the computers. As soon as a user logs off from Windows, their profile is removed. Each time someone logs into one of the computers I am responsible for administering, they are logging in for the first time. Any and all first-run dialogs/prompts that can appear will. The option to spend 10-15 minutes of a 60 minute class, getting the software to work as desired, and out of the way is just not an option. To prevent this, I try to configure as much for the end user in advance as possible. Group policy is my hero in this effort. Almost anything can be set for the computer or a user through a GPO. The exceptions being non-Microsoft software like MATLAB, Maple, and Stata that all have first-run issues which often require administrative intervention. I don’t let users run as admins.

Sysprep is the utility Microsoft has made available for generalizing an installation of Windows since Windows 2000. Starting with Windows Vista, Microsoft changed to an image-based installation and mmaintenance process. Sysprep changed too, and became much more difficult to use (for me anyway). It is at this time that copying a customized user profile to the default required the use of an unattend.xml file. With Windows 2000 and XP, you could actually just copy it and everything would be fine. In the specialize pass (No. 4) of the unattend.xml file there is an option to add a pass called “CopyProfile” to the “Microsoft-Windows-Shell-Setup” setting that will copy the built-in administrator account’s profile to the default. The trick is when to apply this, during capture, or during deployment? That depends on how you’re capturing and deploying, but either way the built-in administrator account is what I use as a template for my custom default user profile.

Enable the built-in administrator account and give a password you’ll be comfortable with entering dozens of times. Log in as the admin, and immediately delete the profile for the other account setup asked you to make after installing Windows. The reason for this is that CopyProfile will not copy the admin’s profile if another profile exists on the file system at the time the copy takes place (experience speaking here). Delete the profile from the advanced system properties window, and not by just deleting the folder under C:\Users. Other accounts can remain, they just cannot have profiles.

As the built-in admin, configure the Windows environment they way you want the end users to have it. Again, most of these tasks can be accomplished with a domain-based GPO. Run each and every program the end users are likely to use and answer any first-run dialogs and prompts. DO NOT surf the web as the built-in administrator on a Windows PC without antivirus software for obvious reasons, but an important another is profile size. Surfing with Chrome or Firefox even on just a couple of sites and will add megabytes of data to the profile. You could probably get away with not even running any of the browsers at all with a good GPO in place. Google, Mozilla, and of course Microsoft make GPO settings available to completely configure each piece of software and eliminate any first-runs. Adobe recently made an admx template for configuring Acrobat Pro and Reader via GPO. GPO templates exist for Microsoft Office 2007-2016, with a dizzying array of possible configuration options. Those and the settings for Windows will get 95% of end user configuration done in a customized profile.

Things that are easily set include the desktop wallpaper and icons, the start menu, screensaver, power options, and remote desktop settings. Take your time and run through each usage scenario, if possible, without puffing up the profile’s size. Large user profiles take a while to create at log in, and lengthen the log in time required to get started. In my case, every is logging in for the first time, so their profile will be created when the need to use the PC. A 500MB profile will slow that entire process down. Once things are as desired, power the VM down and take a snapshot. This snapshot is a failsafe point for return after the image has been captured.

Capturing the Image…

There are several different ways to get an image of Windows. Traditionally, Norton (Symantec) Ghost was the standard for deploying Windows operating system images. After acquisition, Symantec let the product stagnate over a period of years as Microsoft developed successive versions Windows, and it became necessary for us to switch to a solution that would natively support later versions of Windows PE. We adopted MDT a couple of years ago for a few reasons, and that allowed us to change the way we made operating system images. Driver support in Ghost is not real versatile. The option to create one image for multiple hardware configurations required substantial tweaks and endless trial and error testing Ghost was designed to have one image per hardware type, with all of the drivers included in the image. This is not that big of a deal since many large IT outfits only support a few different types of hardware models and configurations. For us, that was six different images for a single type of Windows install (Windows 7 Pro x64). Needless to say the images did not get updated too often due to the amount of work involved.

Removing the hardware dependence and creating hardware-neutral images was a requirement for our new imaging software. An install in a virtual machine allows that type of neutrality.

Boot the VM to be captured an log on as the built-in administrator, the one that was pre-configured before. From the advanced system properties, delete every other user profile on Windows. The accounts can stay, but the profiles cannot. If there are any VM-dependent software like VMware Tools, or Hyper-V Integration services installed, uninstall them. If there are mapped drives between the host and guest OS, power-down the VM, remove them, and restart.

I like to clean Windows before capture by running a few command prompt executables.

Go to %TEMP% from the Run dialog and delete everything there that can be deleted.

Open an administrative command prompt and run the following commands.

Delete any and all shadow copies.

vssadmin delete shadows /All /Quiet

Get rid of any downloaded software updates.

del c:\Windows\SoftwareDistribution\Download\*.* /f /s /q

Delete any hidden Windows install files. Chances are there are none, but it cannot hurt to check.

del %windir%\$NT* /f /s /q /a:h

Delete the Windows prefetch files. There also probably none of those either.

del c:\Windows\Prefetch\*.* /f /s /q

Run disk cleanup.

c:\windows\system32\cleanmgr /sagerun:1

Defragment the C:\ drive (It shouldn’t be that fragmented).

defrag c: /U /V

Clear the Event Logs. Execute one command on each line.

wevtutil el 1>cleaneventlog.txt
for /f %%x in (cleaneventlog.txt) do wevtutil cl %%x
del cleaneventlog.txt

Flush the DNS cache.

ipconfig /flushdns

NOW! We’re ready to capture. The question is how?

We use MDT for imaging. MDT has a special type of task sequence called “Sysprep and Capture.” To kick this off, from the install of Windows to be captured, navigate to \\mdtserver.domain.com\DeploymentShare$\Scripts and run LightTouch.vbs. This will connect to the deployment share, and start the process. Enter any credentials required, select the appropriate task sequence, and give the image a name, then begin. Capturing from a VM to an actual MDT server, over the network, will take a while. Even for small images, it is best to just let the task run and not use the build computer for anything else until it is finished. I do this at the end of the day, when I’m not going to be needing to use the computer.

Once the image has been captured, the VM will restart and wait for further action. At that point, power-down the VM, and roll back to the last snapshot taken before the VM was captured. Back to not-so-square-one, and ready to re-capture, update, or whatever when necessary.

Outside of MDT, it is possible to capture with just a Windows PE boot disk with ImageX.exe. This process is not a clean and automatic as MDT, but it works. Going that way, the pre-capture setup process goes a little differently. In its most basic form, you need to only run sysprep from the VM about to be captured, and shut down, then restart to the WinPE boot disk and run ImageX.exe. To copy the default user profile this way, an unattend.xml file needs to be used with sysprep and the CopyProfile option must be set to “True.” The unattend file is only needed if there are any customizations that need to be applied when the image is applied to a computer. Large capacity USB flash drives are very affordable. I have a 128GB USB drive, that I purchased for $29.99, configured as a WinPE boot drive, and can be used to capture images directly to the drive instead of over the network, as it is usually done.

Enjoy!

Automate the Install of Microsoft Office 2016 with an MSP File

Microsoft Office is probably the flagship product for Microsoft, aside from Windows itself. There are more installs of Office out there than there are installs of Windows (all versions). Microsoft Office is available for Windows, Mac OS X, iOS, and Android. Enterprises use Office to such an extent that a computer isn’t really useful without Office installed.

Deploying Office to multiple computers over the network, at the time of imaging, or after, is a made simple with the use of an unattended install file (MSP). These files are created using a tool built in to enterprise releases of Microsoft Office. Consumer builds of Office, Office 365, do not include this tool, the “Office Customization Tool.”

To run the tool, execute the Office setup.exe command with the “/admin” modifier/switch.

setup.exe /admin

If Office has been imported into MDT, the application’s property sheet contains an “Office Products” tab where the customization tool can be launched. The tool contains no wizards, just an explorer-style interface with categories to the left and individual settings to the right.

Welcome

The welcome page for the Office Customization Tool, which comes with Office 2016.

There are a dizzying array of settings that could be configured with the tool, but only a few stand out to make deployment easier across the enterprise. During any Office deployment, the product key, registered user and organization, and product activation must be considered into the process to prevent prompts for end users, and reduced product functionality.

First is the “Install location and organization name” setting under “Setup.” The default install location is fine, just enter the appropriate organization name.

Next, is the “Licensing and user interface” settings a couple of lines down. Select the appropriate licensing scheme for your organization, accept the licensing agreement, and choose the display level of “None” with the “Suppress modal” check box selected.

Licensing

Choose the correct licensing and make sure to suppress any dialog boxes that may appear during the install.

Go to the “Modify setup properties” a couple of lines down. Here, we need to add two settings that will allow Office to auto-activate and prevent setup from rebooting the computer. The two properties are called “AUTO_ACTIVATE” and “SETUP_REBOOT.” SETUP_REBOOT is simply set to “Never”, and the AUTO_ACTIVATE option is set to 1.

Modify Setup Properties

Add the two settings illustrated and their prescribed values.

Under the “Features” section, choose “Modify user settings.” This will change things for the end user experience in Office applications. The settings we’re focusing on are the “Microsoft Office 2016 \ Privacy \ Trust Center \ Disable Opt-in Wizard on First Run“, and “Microsoft Office 2016 \ First Run \ Disable First Run Movie/Disable Office First Run on application boot.” these will get rid of the annoying first-run prompts a user sees whenever they open Office for the first time. Who actually a thought a movie would be what a user wants to see the first time they run Word?

Disable First Run Settings

Turn off all of the annoying first-run things that Office throws at the user.

Next, choose the option underneath “Set feature installation states.” This is where Office would ask what components should be installed. The computers I administer are in public locations, like classrooms, so Microsoft Outlook is not needed.

Office Features

Choose what you do not want installed with Office.

The last thing I do is create desktop shortcuts for Office applications. Choose the “Configure shortcuts” option under the “Additional options” section. Click the “Add” button to create a new shortcut. Choose the desired application for the “Target:” value. Choose the value “[DesktopFolder]” for the “Location:” property. One thing that must be done or this will not work is to add an open bracket “[” to the “Start in:” field. If this is not done, an error stating the start in folder is invalid will appear.

Desktop Shortcut

Create new desktop shortcuts the users should have for their Office applications.

We’re done! Now, the settings must be saved into an MSP file and placed in the “updates” directory of the Office installer. Choose “File” \ “Save as” from the menu at the top and choose a name for the MSP file. Microsoft recommends placing the numeral “0” at the front of the file’s name to guarantee it is the first to be read when Office is installed. Save the file in the updates folder of the Office installation directory. Now, each time setup.exe is run from that Office media, the setup parameters selected will be applied.

Enjoy!

Jason Watkins

11/3/15

 

MDT, Getting Ready for Deployments

As stated before, MDT needs an operating system before it can start deploying Windows. In addition to that, deployment tasks are needed to coordinate the deployment activities. One tenet put forth by Microsoft is to use MDT to create a “reference image” to be customized and captured as a custom image (WIM) later.

Having MDT create the reference image as much as possible will save a great deal of working updating Windows and installing applications. If it is preferred that all of the work for creating a reference image be done manually, that is possible too. A virtual machine is the best choice for creating a reference image for mass deployment. Virtual machines allow the creation of a true hardware-neutral installation of Windows. No hardware-specific driver or applications are installed, with the exception of things like VMware tools and the Hyper-V client software. Those can be removed prior to capture.

No install of Windows is very useful, out of the box, without additional software. In businesses, software such as Microsoft Office, Adobe Reader, and antivirus software are used to provide functionality. MDT can install applications as part of a deployment task in addition to connecting to a WSUS server for updates. WSUS offers a closer point for updates rather than going all the way to Microsoft Update over the Internet.

To add applications to MDT for installation with a deployment task…

Open the MDT Deployment Workbench and go to the Applications folder. Like the operating systems folder, I like to organize the Applications folder by manufacturer, product, and version. This approach is completely optional and not required. To create folders, just right-click the Applications folder and choose “New Folder.” Folders can be nested inside of one another.

MDT Applications Folders

Software folders created under the larger Applications folder.

To import applications into their respective folders, right-click that for and choose “New Application.” A wizard will start, prompting for information. For example, Microsoft Office 2016 Pro Plus.

The first step is to choose the type of application source files, though other options exist to use application files on a network share, and to create an application bundle (more on that later).

Application Type

Select the appropriate application type.

Next, the wizard asks for the application’s details. Only the application name is required. It is best to be as descriptive as possible.

Details

Enter in the appropriate information.

Where the source files are located on the file system is the next question. Provide the correct location and choose “Next.”

Source

Browse to the source for the application’s files.

The next step is to choose the name for the application’s destination directory in the deployment share. The application name and version from the details page are provided as a default. If that should be changed, now is the time to do it, not later.

The “Command Details” page asks for the silent install command for the application and provides the working directory in the deployment share. Microsoft Office’s silent install command is simple, “setup.exe.” However, Office has a customization tool, which is available by running “setup.exe /admin”, that allows an MSP modification package to be created with installation settings and customizations. MDT is aware of this and provides an option to run this customization tool from the application’s property sheet. Placing the final product of the customization tool, an MSP file, in the Updates folder of the Office install directory will have it used each time Office is installed from that location.

Command Details

Microsoft Office uses setup.exe for it’s silent install command, but other applications may vary.

Finish the rest of the wizard with the Summary and Progress screens and Office will be imported into the Applications folder on MDT. After that, further customization can be made to the application. Microsoft Office has the unique “Office Products” tab which is specific to that application.

Office 2016 Properties

The Microsoft Office 2016 property sheet in MDT. Note the Office Customization Tool button.

Many other applications can be added to MDT this way. I’ve had the best results with the MSI version of applications, but those are not always available. To get started with a fully functional install of Windows for my users, I include the following applications. Download link in the name and the silent install commands are in parenthesis.

Microsoft Office (setup.exe)

Microsoft Visual C++ 2005-2012 Redistributable x86 and x64 (vcredist_x64.exe /Q)

Mozilla Firefox (FirefoxSetup.exe -ms)

Google Chrome Enterprise (msiexec /q /I googlechromestandaloneenterprise.msi)

Adobe Reader (msiexec /qb /i AcroRdrDC1500720033_en_US.msi TRANSFORMS=AcroRdrDC1500720033_en_US.mst)

Note: Adobe Reader uses a transforms (MST) file to supply the unattended installation parameters. That file is created with the Adobe Customization Wizard, a separate application that must be downloaded and installed from Adobe. Also, Adobe doesn’t provide the full installer for Reader and other products from its regular download location. To get the full versions, one must apply for a free license to distribute Adobe products in the enterprise. Don’t use the regular consumer download location for Adobe products. Apply for the distribution license here.

Other applications like Flash-player, Shockwave, Java, and Adobe AIR change often. I do not usually include those in the reference image unless an installed application specifically require it. There is a good question around whether or not Flash-player should be included given its common security vulnerabilities. Those applications I choose deploy with the finished image along with the antivirus software. It is not that much of a task to add/update the install packages for Flash-player and such as they become available.

With this all in place, deployment tasks can be created to create a reference image of Windows 10 and Office 2016.

Jason Watkins

11/3/15

 

 

MDT, Importing an Operating System

In order for MDT to do anything, it needs an operating system to capture or to deploy. MDT 2013 Update 1 will use operating system file from the Windows installation ISO, or captured from a custom installation. Either way, the file format for the operating system must be in Windows Image (WIM) format. Starting with Windows Vista, Microsoft switched to WIM format for the files on the original installation media (DVD or ISO). Windows 10 is no different.

To get started, the original installation image for the version of Windows to be deployed must be imported into MDT. For example, we’ll import Windows 10 Enterprise into MDT with the “Import Operating System wizard.” I like to organize the operating systems and other files by category.

Mount the operating system ISO, or insert the operating system DVD into the MDT server.

Open MDT, and navigate to the Operating Systems folder.

Right-click the operating systems folder and choose “New Folder.” Call it “Windows 10.” At this point you could create a sub-folder to Windows 10 after the bit strength of the operating system, x64 or x86, but since I only plan on dealing with 64-bit Windows 10 there is no need.

The new Windows folder under the operating systems folder in MDT.

The new Windows folder under the operating systems folder in MDT.

Right-click the new Windows 10 folder and choose “Import Operating System.” A wizard will appear, guiding the process.The first place determines what kind of image is being imported. Our example will import “Full set of source files.” The “Custom image files” is for a customized install of Windows captured as a WIM file.

Full set of source files is needed to start with MDT.

Full set of source files is needed to start with MDT.

Next, navigate to the drive that contains the source files that are to be imported into MDT. here, it is drive “E:\”

Navigate to the source directory where the operating system files are.

Navigate to the source directory where the operating system files are.

The next step asks for an operating system directory. The default is to take it from the title of the ISO. I added the word “ISO” to the end of the name, so it can be distinguished from other operating system files. This name is the name of the folder the operating system files will go into in the deployment share, under “Operating Systems.”

Give the target directory for the OS a descriptive name.

Give the target directory for the OS a descriptive name.

Continue through the summary, and finish importing the operating system into MDT. The import will take a few moments to complete. After the import is done, the new OS will be in the deployment console, under the name it was given.

The imported OS WIM in the deployment workbench.

The imported OS WIM in the deployment workbench.

 

With Windows 10 into MDT, we can create deployment tasks to install Windows 10 on computers and even capture it back after customization. That will be next.

 

MDT, Getting Started

The Microsoft Deployment Toolkit (MDT), a very nice option for deploying Windows in small to large environments.

Symantec Ghost was the de facto tool we used to deploy Windows to end user computers. One big issue was that Ghost, as a product, wasn’t updated to keep pace with the new versions of Windows. Another issue with Ghost was driver management. There was no easy and reliable way to configure a central driver store that the images could use, so multiples images, one for each hardware type, had to be kept. MDT uses a shared, central store to keep drivers. Initially, Ghost was able to automatically reboot client into an image task via a desktop agent. As Windows progressed in development and Ghost stagnated, the compatibility with Windows PE, the tool used by Ghost to start a computer into an imaging task, became nil. To use Ghost, at the end, each client computer had to be manually started into an imaging task with a USB boot key.

The requirements for any new imaging system included a hardware-neutral image creation process, a central driver store, and the ability to remotely initiate an imaging task on a client computer (zero touch). Two out of three isn’t too bad. MDT offers the ability to use a hardware-neutral imaging process with a central driver store, but it doesn’t specifically offer zero touch imaging. The higher-end product, Microsoft System Center, does. MDT is centered around a lite touch approach which requires a minimal, and manual interaction with the target desktop. Many settings, however, can be automated to the point of complete autonomy. Best of all, unlike Microsoft System Center, MDT is free of charge.

To use MDT version 2013 Update 1, Windows 7 or better is needed as a source platform. I tested with a proper version of Windows Server 2012. Windows Server is required at some point for PXE-booting capability via Windows Deployment Services (WDS). WDS will allow a PC to boot to a network-based Windows PE image, created with MDT, and commence imaging. Windows Server will also support more than ten simultaneous SMB connections unlike a desktop version of Windows. An essential part of setting up MDT on a server is the Windows Assessment and Deployment Kit (ADK) for Windows 10. The ADK contains the tools necessary to create the deployment infrastructure for MDT, most notably Windows PE.

For example:

  1. Install Windows Server 2008 R2 or better and update it to it’s fullest extent (that may take a while), in addition to installing antivirus software and joining an active directory domain (optional).
  2. Then, install the ADK for Windows 10, which covers deployment for Windows 7, 8, 8.1, and 10 as well as the servers. If there are no plans to use the MDT database with the server, SQL Server Express need not be installed with ADK. SQL can always be added later if the requirements change. Reboot the server.
  3. Install MDT 2013 Update 1 on the server. If you’re unsure over which version of ADK or MDT to install, go with the x64 version. In my experience, the x64 version will deploy a 32-bit (x86) operating system, if need be.
ADK for Windows 10 installing on Windows Server 2012 R2

ADK for Windows 10 installing on Windows Server 2012 R2

Now, MDT is set up on a server but it cannot do anything yet. There is much more configuration necessary to get to a working imaging and deployment solution. The first part is to create a deployment share. Everything MDT does is from within one or more deployment shares. Since MDT is very similar to a dedicated file server which shares Windows images and applications, it is best to use a very large storage space for the deployment share. I tried to set up a deployment share on a separate DFS path from the server’s own file system, but it did not work. Windows PE couldn’t find that deployment share during a deployment task sequence. For testing, a 1TB volume was more that sufficient for test and low-level production use. I’d split the 1TB volume into two partitions, one for the operating system, and the other for MDT’s deployment shares.

Should I dedicate an entire server or VM to MDT? It really depends on how much use is planned for it. Even if MDT is used to create and pull custom images of Windows which contain only the bare minimums necessary to create a usable, working Windows install, those images will start to take up space. Use as a traditional file server in addition to MDT is practical, but there may be performance deficits during times of peak imaging. YMMV…

Another important thing to note is that at this point, before the MDT config is set up, make sure the host name for the server is set to the desired name. Windows PE uses the server’s host name in the UNC path to connect to the deployment share during an imaging task. If the server is renamed, post MDT-config, those changes will NOT propagate to the deployment shares. It is not that much of a big deal to modify the deployment share to use the new name, but it is a hassle and best avoided.

To create a deployment share, open up the MDT Deployment Workbench as an administrative user on the server. It might even be a great idea to pin a shortcut to the Deployment Workbench to the task bar or desktop. The deployment workbench is divided into two sections, the Information Center, and the Deployment Shares. Choose the lower-half of the window, and right-click Deployment Shares and choose “New Deployment Share.” A wizard will appear, walking you through the creation process.

The first part of the wizard is to establish the local file path for the new deployment share. The default is “C:\DeploymentShare.” I would make this on a volume that is not shared with the operating system and that has plenty of space available. The new share can be named anything, but it cannot and should not ever be renamed. What name is chosen here is what will be for that share for it’s duration. Since I’m just testing here, I’ll go with the default.

New Deployment Share PathThe next step establishes the new deployment share’s share name, which is just the chosen name of the folder with a dollar sign ($) appended. In this example, the share name is “DeploymentShare$.” This share must be freely available on the network to clients that will be imaged with MDT. As stated before, the name of this share should never be changed once it is established.

After that, the next step is to give the new share a descriptive name. Again, this can be anything. If multiple deployment shares will exist on the same server, this name will be used to differentiate them in the Deployment Workbench. Be succinct and descriptive.

The Options page prompts for information that will form the basis of the deployment share’s configuration file, CustomSettings.ini. Any setting chosen here can be changed later on by editing that file. Usually, the defaults are fine for starters.

New Deployment Share OptionsThe next screen is a summary of the options chosen up to this point. The opportunity to go back and change anything is available here. Once this the wizard has advanced past this screen, the option to go back is no longer available. Make sure everything is as desired and proceed. The wizard will create the share and upon a successful completion will present it in the Deployment Workbench.

Deployment Workbench Image

The new deployment share in the Deployment Workbench

Despite being created, the new deployment share cannot do anything yet. In order for it to become functional, the new deployment share needs one or more operating system images, applications to deploy at the time of imaging (optional), drivers for the deployments, and task sequences to coordinate the deployment process. The deployment share is divided into several folders, each named after it’s intended function. A right-click to any of those folders will provide the option to add content to those folders. Sub-folders can be added under the main folders for further organization. It is a good idea to divide your operating systems folder by the OS being used, the drivers folder by the manufacturer and model of computer holding the drivers. It doesn’t have to be done that way, but organization provides further opportunities for customization down the road.

The deployment share is controlled by a configuration file, a text file called “CustomSettings.ini.” The file resides in the deployment share’s folder, in the Control folder. CustomSettings.ini (CS) can be accessed easily by right-clicking the deployment share in the Deployment Workbench and choosing “Properties” and selecting the “Rules” tab.

A default CustomSettings.ini in the deployment share properties.

A default CustomSetting.ini in the deployment share properties.

Bootstrap.ini is a configuration file that is placed on the Windows PE volume when the deployment share is updated. Some of the configuration changes made to a deployment share are incorporated into Windows PE once the deployment share is updated. Upon update, the Windows PE volumes are created with the Bootstrap.ini file, drivers and any other selected options. The deployment share need only be updated when drivers are added/removed from the deployment share, and changes made to the Bootstrap.ini file. To update the share, right-click it’s folder in the Deployment Workbench and choose “Update Deployment Share.” The first update will take a while to complete as all of the drivers, or just the selection preset, are added to Windows PE. After that, the Windows PE ISO is only updated with the most recent changes made to the deployment share, unless the share (Windows PE) has been selected to be completely rebuilt.

Jason Watkins

10/30/2015

The next step is located here.

Note: Microsoft has a great series of Technet articles on how to deploy Windows 10 with MDT. The information contained in this post is a much simpler version of that information.