Golden Deployment Image

I wrote a post in sysadmin about a year ago about my MDT script and how they build fresh, shiny golden images for me every week. With the new almost-SP2 release for Windows 7, I thought I'd polish up the script and update my guide.

The purpose of this guide is to get you to stop building your golden images by hand. That's dumb, you have better things to do than a) build images by hand and b) wait for those images to get updated at deployment time. At the end of this guide you will have an environment that is fully scripted and can create new images for you weekly. Microsoft has Patch Tuesday, you can have Image Thursday to integrate those patches. You'll never be more than a week behind.

Why is it important to integrate patches into your golden images? The more patches integrated, the less time you'll spend waiting for PCs to update during deployment. Pretty simple.

I'm standing on the shoulders of giants. The majority of the work is done in another guide, which I'll link to later. My script has two main functions: Build WIMs, Build VMs. Windows 7 and up ISOs use a file called install.wim that contains a disk image of sorts. The installer extracts this file to your C drive and then does a bunch of juju on top of it to get it ready. The WIM that came on your install ISO is way out of date. Instead of adding a ton of patches to it during MDT every time, we use DISM to load patches in once to save that time next time. We'll put the updated WIMs back into the reference build share in MDT so that when you build the VM, you have a head start. Then we build the reference VMs, capture the images, and put the fully updated WIM into the deployment share for easy deployment to real hardware. Here we go! Once installed, approve the following:

  • Windows 7 updates
  • Feature Packs (to get Microsoft .NET Framework updates)
  • Developer Tools, Runtimes and Redistributables
  • Visual Studio* (to get updates to Visual C++ runtimes)

Deployment Research - in case this breaks and goes away, here is a PDF of the guide.

Ignore the part in “Software Requirements” about downloading KBs and hotfixes, we'll handle them differently.

Step 7 is key. Make sure you name the task sequence with the same names you see in the CustomSettings.ini below and in my script. I share the names across task sequences, directories, etc, to make life easy (maybe).

Create a task sequence for every OS you want to build

W7PROX64 = Windows 7 Professional x64
W7HOMEPREMX64 = Windows 7 Home Premium x64
W10PROX64 = Windows 10 Pro x64
W10HOMEX64 = Windows 10 Home x64
S2012R2STDX64 = Server 2012 R2 Standard x64
S2012R2ESSX64 = Server 2012 R2 Essentials x64

In step 9, use my CustomSettings.ini file here: local copy. Note the task sequence names; those names are going to be used everywhere.

Update it for your environment, server names, WSUS server, etc.

Here's where my magic comes in. Instead of using the install.wim from the ISO, we'll take it and update it first. To really speed things up, put all of this on an SSD.

Here's the main powershell script that does everything for us: local ps script

Instead of manually importing and applying patches in MDT, I like to dump them into a folder and let DISM install them. Here's what I have; search for and download these patches to match this structure: needed patches

Some notes on that: S2012R2STDX64 has the same patches as S2012R2ESSX64; I just copy them over because, unlike Windows 7/10, which has all of its editions on one WIM, Server 2012 Standard and Essentials use different ISOs. If you don't want to build Essentials, don't, and just delete that shit. Read through the script (collapse Connect-VM, it's not interesting) and change the variables to suit your environment as needed. I've commented it a lot, but it could probably be clearer in parts. Let me know if anything is confusing. I was able to turn the install.esd file I found on a combination Windows 10 Home+Pro ISO into an install.wim that MDT can use with this command:

dism /export-image /SourceImageFile:install.esd /SourceIndex:1 /DestinationImageFile:install.wim /CheckIntegrity /LogPath:e:\W10X64\Logs\DISM.log /ScratchDir:e:\w10x64\wim-scratch

just to make sure everything works. Make sure that you can build, patch, and capture without errors.
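The "dump patches in a folder and let DISM install them" step, as an added example rather than the author's own Build-WIMs function. It assumes the page's naming convention for the patch folder (E:\Patches\<task sequence name>), an E:\Mount working directory on the SSD, and an elevated Windows PowerShell session with the DISM module.

```powershell
# Added example, not the author's script: patch one WIM from a per-OS folder that follows
# the page's naming convention (<PatchRoot>\<OSName>\*.msu|*.cab). Paths under E:\ are assumed.
function Update-GoldenWim {
    param(
        [Parameter(Mandatory)] [string]$OSName,     # task-sequence name, e.g. W7PROX64
        [Parameter(Mandatory)] [string]$WimPath,    # virgin-from-ISO install.wim (or install.esd)
        [int]$Index = 1,                            # edition index inside the image
        [string]$PatchRoot = 'E:\Patches',
        [string]$MountRoot = 'E:\Mount',
        [string]$LogPath   = "E:\$OSName\Logs\DISM.log"
    )
    $patchDir = Join-Path $PatchRoot $OSName
    $mountDir = Join-Path $MountRoot $OSName
    New-Item -ItemType Directory -Force -Path $mountDir, (Split-Path $LogPath) | Out-Null

    # Combined Windows 10 ISOs ship install.esd; export the wanted index to a WIM MDT can use
    # (the PowerShell equivalent of the dism /export-image command above).
    if ([IO.Path]::GetExtension($WimPath) -eq '.esd') {
        $wim = [IO.Path]::ChangeExtension($WimPath, '.wim')
        Export-WindowsImage -SourceImagePath $WimPath -SourceIndex $Index `
            -DestinationImagePath $wim -CheckIntegrity -LogPath $LogPath | Out-Null
        $WimPath = $wim; $Index = 1
    }

    # Apply in name order so KB-numbered prerequisites (servicing stack, IE11 pre-reqs) go first.
    $patches = Get-ChildItem -Path $patchDir -Recurse -Include *.msu, *.cab | Sort-Object Name
    if (-not $patches) { throw "No .msu/.cab files under $patchDir" }

    Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $mountDir -LogPath $LogPath | Out-Null
    $failed = @()
    try {
        foreach ($p in $patches) {
            try {
                Add-WindowsPackage -Path $mountDir -PackagePath $p.FullName -LogPath $LogPath -ErrorAction Stop | Out-Null
            } catch {
                # Not-applicable or superseded packages are normal once a rollup is in the folder;
                # record them and keep going rather than abandoning the whole image.
                Write-Warning "$OSName $($p.Name): $($_.Exception.Message)"
                $failed += $p.Name
            }
        }
        Dismount-WindowsImage -Path $mountDir -Save -CheckIntegrity -LogPath $LogPath | Out-Null
    } catch {
        # Anything else (disk full, corrupt mount) must not leave a half-written WIM behind.
        Dismount-WindowsImage -Path $mountDir -Discard -LogPath $LogPath | Out-Null
        throw
    }
    return $failed   # packages DISM refused; check DISM.log before copying the WIM back to the share
}
```

Run it once per task-sequence name and only copy the WIM back into the Build share's OS folder when the returned list is empty or explained by the log.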

Step 4.5 - Build your Deployment Share

At this point, you might also want to create a Deployment Share in MDT for deploying to real hardware. Here's where you'll put in your machine-specific drivers according to this guide: Import your manually created WIM as an Operating System for deployment and make note of the folder the WIM gets sent to. You'll want to update the script with that path later (specifically line 206, where the script Copy-Items the WIM from the Reference Build Capture directory to the Deployment Share OS directory). Again, make sure you use the OS naming convention so that everything gets put in the right place.

Once you have your task sequences ironed out and your patches in the right places, we can build! Here's what will happen when you run the script:

  • If you've elected to build WIMs, it will copy a virgin-from-ISO WIM to your SSD, use DISM to apply a bunch of updates, then copy the WIM back to the OS folder in the Build share. This replaces the old WIM you imported with the OS in step 3 of the Deployment Research guide with a hot new WIM.
  • If you've elected to build reference VMs it will create a new VM (2 vcpu, 4gb ram by default) with the name of the OS Task Sequence you're building. It will give that machine a special MAC address that MDT will use to identify it with my CustomSettings.ini file. MDT will run the correct task sequence, deploy the WIM to the VM, install IE11, .NET Framework, etc, install more patches, clean up, capture the image and then deposit your new fully updated WIM in your Deployment Share.
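The reference-VM half of that flow, as an added example that is not the author's Build-RefVM: create a Hyper-V VM named after the task sequence, pin the static MAC that CustomSettings.ini keys on, boot it from the LiteTouch ISO, and emit the matching CustomSettings.ini section. The 'MDT' virtual switch, E:\VMs and the boot ISO path are assumptions.

```powershell
# Added example, not the author's Build-RefVM. Assumes Hyper-V is installed and an external
# switch named 'MDT' exists; VM storage and ISO paths are placeholders.
function New-RefVM {
    param(
        [Parameter(Mandatory)] [string]$Name,       # task-sequence name, e.g. S2012R2STDX64
        [Parameter(Mandatory)] [string]$MAC,        # 12 hex digits, e.g. 00155DE1C810
        [string]$SwitchName = 'MDT',
        [string]$VMRoot     = 'E:\VMs',
        [string]$BootIso    = 'E:\DeploymentShare\Boot\LiteTouchPE_x64.iso',
        [int]$CpuCount = 2,
        [long]$MemoryBytes = 4GB
    )
    if ($MAC -notmatch '^[0-9A-Fa-f]{12}$') { throw "MAC must be 12 hex digits: $MAC" }
    $vhd = Join-Path $VMRoot "$Name.vhdx"
    # Generation 1 so the BIOS boot order can put the DVD (LiteTouch) ahead of the empty disk.
    New-VM -Name $Name -Generation 1 -MemoryStartupBytes $MemoryBytes -SwitchName $SwitchName `
           -NewVHDPath $vhd -NewVHDSizeBytes 60GB | Out-Null
    Set-VMProcessor -VMName $Name -Count $CpuCount
    # The static MAC is what MDT sees at boot and matches against CustomSettings.ini.
    Set-VMNetworkAdapter -VMName $Name -StaticMacAddress $MAC
    if (Get-VMDvdDrive -VMName $Name) { Set-VMDvdDrive -VMName $Name -Path $BootIso }
    else                              { Add-VMDvdDrive -VMName $Name -Path $BootIso }
    Set-VMBios -VMName $Name -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')
    Start-VM -Name $Name
}

# CustomSettings.ini section for that VM. MDT exposes MacAddress with colons, so the header is
# [00:15:5D:E1:C8:10], not [00155DE1C810]. The file is read by every client that boots from the
# share, so only values you are happy to have world-readable belong in it.
function New-MacSection {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$MAC, [string]$ProductKey)
    $colon = $MAC.ToUpper() -replace '(..)(?!$)', '$1:'
    $lines = @("[$colon]", "TaskSequenceID=$Name")
    if ($ProductKey) { $lines += "OverRideProductKey=$ProductKey" }
    $lines -join "`r`n"
}

New-RefVM -Name S2012R2STDX64 -MAC 00155DE1C810
New-MacSection -Name S2012R2STDX64 -MAC 00155DE1C810
```

CustomSettings.ini only consults the MAC sections when MacAddress is listed in its Priority line, so check that before wondering why the VM prompts for a task sequence.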

That's it. Let me know how it works for you. Enjoy!

Known Issue: DISM 6.X had this lovely progress bar that would run just fine in the PowerShell window. DISM 10.X has a dumb progress bar that makes a new line for every increment, and you end up with logs that look like this:

Mounting image
[ 1.0% ]
[= 2.0% ]
[= 3.0% ] ... snipped the rest... 
[===========================98.0%======================== ]
[===========================99.0%========================= ]
The operation completed successfully.

Does anyone know how to fix that?

Importing a lot of drivers all at once for testing

Disclaimer: You don't need to put drivers into MDT just for image creation. You will need them for deployment, though. This isn't the ideal way to use drivers with MDT. It's not even a very good way. The best method for managing drivers is "Scenario #3: Total Control". This quick guide here is provided to get you up on your feet quickly with a set of drivers to cover a lot of different equipment for testing purposes. You can run into issues with incorrect driver selection with this method. For production usage, it's recommended to use better driver management such as the guide linked above.

  1. Get the DRP.SU DriverPack Full ISO image torrent, not the installer.
  2. Extract all driver archives to their own folder (DP_Biometric_16000, DP_LAN_Intel_16000, etc)
  3. You'll want to pare this down a ton, since it has every driver for everything.
  4. Consider getting rid of shit like touchpads, webcams, printers and other devices that you might not see a ton of, or that are at least easily obtained via Windows Update. At the bare minimum, keep LAN, Chipset and MassStorage.
  5. If you're not building x86 images, search the extracted archives for *x86 and get rid of all the 5x86, 6x86, 7x86, etc. folders you see.
  6. If you're not building XP, Vista or 8, also get rid of 5x64, 6x64 and 8x64/81x64.
  7. Even though Server 2012 uses the same drivers as 8, I get rid of 8 drivers anyways because I'm much pickier about server drivers and will import those manually in a more organized fashion, since the range of servers I have to image is much smaller than the range of desktops.
  8. Be careful with Allx64, Allx86x64 and similar; I leave them in just in case.
  9. Delete *.url and *.nfo files, and try to get all non-driver files out of there so they don't pollute your MDT driver store.
  10. Once pared down, make a folder in your MDT OOB Drivers folder called DRP-X where X is the version of the ISO you downloaded.
  11. Point this script at your folder full of cleaned up DP_* folders:
  12. If you're a masochist and you want to import everything, I suggest moving groups of extracted driver folders, 5 or 6 folders at a time, into a staging folder and running the script against that staging folder. Move the imported drivers out, and move new ones in. Rinse and repeat. Use WinDirStat to see which folders are the largest and import them individually. See which ones are the smallest and do them all at once.
  13. When you're done, it'll look like this: (MDT on left, extracted driver folders on right)
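The import loop from step 11, as an added example (not the author's script): each cleaned-up DP_* folder becomes its own subfolder under Out-of-Box Drivers\DRP-X, with the *.url/*.nfo clutter from step 9 stripped first. The deployment share path, the default MDT install path and the DRP version number are assumptions.

```powershell
# Added example, not the author's import script. Assumes MDT in its default install path and a
# deployment share at E:\DeploymentShare; $DrpVersion should match the DriverPack ISO you used.
param(
    [string]$SourceRoot      = 'E:\DriverPack',      # holds DP_LAN_Intel_16000, DP_Chipset_..., etc.
    [string]$DeploymentShare = 'E:\DeploymentShare',
    [string]$DrpVersion      = 'DRP-16000'
)
Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $DeploymentShare | Out-Null
}
$target = "DS001:\Out-of-Box Drivers\$DrpVersion"
if (-not (Test-Path $target)) { New-Item -Path $target -ItemType Directory | Out-Null }

foreach ($dp in Get-ChildItem -Path $SourceRoot -Directory -Filter 'DP_*' | Sort-Object Name) {
    # Strip the non-driver files the DriverPack ships with before MDT ever sees the folder.
    Get-ChildItem -Path $dp.FullName -Recurse -Include *.url, *.nfo -File | Remove-Item -Force
    $infCount = (Get-ChildItem -Path $dp.FullName -Recurse -Filter *.inf -File | Measure-Object).Count
    if ($infCount -eq 0) { Write-Warning "$($dp.Name): no .inf files, skipping"; continue }

    # One MDT folder per DP_* archive keeps the driver store browsable and easy to prune later.
    $folder = "$target\$($dp.Name)"
    if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }
    Write-Host "Importing $($dp.Name) ($infCount .inf files)..."
    # Without -ImportDuplicates MDT skips drivers it already holds, which is what we want here.
    Import-MDTDriver -Path $folder -SourcePath $dp.FullName | Out-Null
}
```

Point $SourceRoot at the staging folder from step 12 if you are importing in batches; the DS001 drive and DRP-X folder are reused across runs.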

Some comments pulled from the original post.

Could you explain what the custom MAC is for in the CustomSettings.ini?


You bet. You can define certain settings to apply to a TaskSequence based on environmental variables. You could define a certain backup server based on what default gateway the machine gets, for example. In this case, I'm using the MAC address to define which task sequence and product key I want to use. When I build the VMs, I make them with a certain MAC address. In my PowerShell, I do this:

Build-RefVM -VMname S2012R2STDX64 -MAC 00155DE1C810

so the machine boots up with the MAC address of 00155DE1C810. When MDT loads, it sees this MAC address, checks CustomSettings.ini and sees this entry

TaskSequenceID = S2012R2STDX64
OverRideProductKey = D2N9P-3P6X9-2R39C-7RTCD-MDVJX

Then it automatically loads the Server 2012 Standard TaskSequence and uses this product key. I do this to keep it all automated, so I don't need to pick task sequences when MDT boots; I just change the flags in the script and it boots and runs everything for me.

Why are there so many patches in the Windows 7 build?

Short: I took out all of the updates that I could see were included in the new convenience rollup. What's left are either IE11 pre-reqs, or hotfixes that were not included in the rollup (as best as I could tell).

Long: The rollup does not upgrade Internet Explorer, so you'll need that and its updates, updates to .NET other than the ones that shipped with 7, Platform updates and a minimum of three KBs before you can install the update via DISM. Most people average needing about 50 more updates after installing the rollup on a clean install. At least on the bright side you'll probably end up with a significantly smaller WIM if you are recreating an image. It took at least an extra gig off of mine.