Back to Basics – Building a Windows 7 SP1 Reference Image using MDT 2013 Update 2

A little while ago, a good friend (you know who you are 🙂 ) asked for help on creating a new Windows 7 reference image. So here it is: A Step-by-step guide to create the perfect Windows 7 reference image using MDT 2013 Update 2.

Heads up: Putting the Windows 7 SP1 April 2016 Convenience Update (KB3125574) in your image, using the instructions in this post, will show one failed update (KB3037623) once Windows update runs on the machine. Does not seem to be a very critical update (update to Hyper-V integration components), but I have asked the WU team to confirm.

Optional workaround:  If you really must have the above update, you can just install the July 2016 rollup to get a working Windows Agent, and allow the MDT windows update action to install the 300+ updates. However that will increase your build time with 1 – 2 hours.

The trick

The below changes to the CustomSettings.ini are critical if you want to install the Windows 7 SP1 April 2016 Convenience Update as part of your Windows 7 reference image build. These changes makes sure to exclude multiple-reboot updates that are already in the convenience update, but flagged incorrectly on Microsoft Update.

; Exclude updates that are already included in W7 Convenience update, but flagged incorrectly on Microsoft Update
WUMU_ExcludeKB1=2965788
WUMU_ExcludeKB2=2984976
WUMU_ExcludeKB3=3126446
WUMU_ExcludeKB4=3075222
WUMU_ExcludeKB5=3069762
WUMU_ExcludeKB6=3036493
WUMU_ExcludeKB7=3067904
WUMU_ExcludeKB8=3035017
WUMU_ExcludeKB9=3003743
WUMU_ExcludeKB10=3039976
WUMU_ExcludeKB11=2862330
WUMU_ExcludeKB12=2529073

Step-by-Step Guide

The entire process for creating a Windows 7 reference image using MDT 2013 Update 2 takes about 1,5 – 2 hours if you have a fast Hyper-V or VMware host, fully automated. The initial setup of the solution takes about 30 – 45 minutes if done manually, and about 10 minutes if scripted. This guide covers the following steps:

• Step 1 – Install Windows 10 ADK v1607 and MDT 2013 Update 2
• Step 2 – Create the MDT Build Lab Deployment Share   
• Step 3 – Import the Windows 7 operating system
• Step 4 – Import critical hotfixes
• Step 5 – Add Visual C++ runtimes, .NET Framework, and Internet Explorer 11
• Step 6 – Add LOB applications (Optional)
• Step 7 – Create the MDT Task Sequence
• Step 8 – Modify the Windows 7 unattend.xml file
• Step 9 – Configure the deployment share
• Step 10 – Create Windows Reference Images

Software Requirements

MDT 2013 Update 2 can be installed either on a file server, or on your own laptop, but in this scenario I use a file server named MDT01. MDT 2013 Update 2 requires Windows ADK 10 (use v1607 or later). In this guide I also assume that you have a local WSUS server in your network, to which you have approved Windows 7 updates, Feature Packs (to get Microsoft .NET Framework updates) and Developer Tools, Runtimes and Redistributables / Visual Studio* (to get updates to Visual C++ runtimes). If adding in Office 2013 or Office 2016 to your reference image (optional), make sure to approve those updates too.

Note 1: In addition to the Windows 7 Updates available directly in WSUS, and the Internet Explorer 11 prerequisites, you also add the following hotfix for Windows 7 that is not included in the Windows 7 SP1 convenience update:

KB2728738, imported to WSUS via WSUS import from Microsoft Update Catalog feature, and approved manually

KB3172605 the Windows 7 SP1 July 2016 Rollup, which includes the latest Windows update agent. THIS IS A MUST!

For this guide you need the following software.

• Windows 7 SP1 Enterprise (Windows 7 SP1 Pro also works if you are using that).
• Windows ADK 10 v1607. Here is the direct download link. For more info, see the Windows ADK 10 page on MSDN:
• MDT 2013 Update 2
• Visual C++ runtimes (2005,2008,2010,2012,2013 and 2015) available on Microsoft Download Center.
• Visual C++ runtimes install wrapper (install script really. Optional, but helpful)
• Internet Explorer 11 and it’s prerequisites. See the Adding Internet Explorer 11 to your Windows 7 SP1 reference image post on how to create a package of IE 11.   
• The Windows 7 SP1 Convenience Update (http://support.microsoft.com/kb/3125574).

Note: The convenience update requires your WSUS Server having the http://support.microsoft.com/en-us/kb/2938066 update installed since the update contains the new Windows Update agent.  Also, you need to add a few exclusions to the CustomSettings.ini file, or updates will fail to install.

• The Windows 7 SP1 July 2016 Rollup (http://support.microsoft.com/en-us/kb/3172605 )
• .NET Framework 4.6.1 ( http://www.microsoft.com/en-us/download/details.aspx?id=49982 )
• Office 2013 or Office 2016 if you want to add that to your reference image.

Step 1 – Install Windows 10 ADK v1607 and MDT 2013 Update 2

1. On MDT01, install Windows ADK 10 v1607, and select the following components:

Deployment Tools

Windows Preinstallation Environment (Windows PE)

Imaging and Configuration Designer (ICD). Optional, not needed for reference image builds.

Configuration Designer. Optional, not needed for reference image builds.

User State Migration Tool (USMT). Optional, not needed for reference image builds.              

2. Install MDT 2013 Update 2 using the default settings.

Step 2 – Create the MDT Build Lab Deployment Share

On MDT01, using the Deployment Workbench (available on the start screen), right-click Deployment Shares and select New Deployment Share. Use the following settings for the New Deployment Share Wizard (my data volume on MDT01 is E:)

Deployment share path: E:\MDTBuildLab
Share name: MDTBuildLab$
Deployment share description: MDT Build Lab
Options: (leave at default)

Step 3 – Import the Windows 7 operating system

1. On MDT01, mount the Windows 7 Enterprise SP1 x64.iso media. On my server it was mounted to the D: drive.
2. Using the Deployment Workbench, expand the Deployment Shares node, expand MDT Build Lab, select the Operating Systems node and create a folder named Windows 7.
3. Right-click the Windows 7 node, and select Import Operating System. Use the following settings for the Import Operating System Wizard.

   a.   Full set of source files
   
   b.   Source directory: D:\
   
   c.   Destination directory name: W7X64
   
   d.   After adding the operating system, using the Deployment Workbench, in the Windows 7 node, change the operating system name to Windows 7 Enterprise SP1 x64.         

Step 4 – Import critical hotfixes, rollup updates and new Windows Update Agent

Not all updates that you need are available to be installed via WSUS, so therefor it’s recommended to install them via the MDT offline servicing function. That also goes for the Internet Explorer 11 prerequisites.

1. On MDT01, using Deployment Workbench, expand MDT Build Lab / Packages, and create a folder named Windows 7 x64.
2. Right-click the Windows 7 x64 folder, and import the Windows 7 SP1 Convenience Update Prerequisite (April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2). http://support.microsoft.com/en-us/kb/3020369

   Note: Do not import the Windows 7 SP1 Convenience Update into packages, the servicing update must be installed first. See instructions on how to add it later.

3. Right-click the Windows 7 x64 folder, and import the Internet Explorer 11 prerequisites:             

KB2670838. http://support.microsoft.com/en-us/kb/2670838
KB2729094. http://support.microsoft.com/en-us/kb/2729094       
KB2834140. http://support.microsoft.com/en-us/kb/2834140       

Note: Internet Explorer 11 has more prereqs, but they are already included in the new convenience update. if you don’t add the above updates the IE 11 Setup will download them. See below snippet from IE11_main.log which is located in the C:Windows folder.

Download for KB2834140 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=303935 -> KB2834140_amd64.MSU.

Download for KB2670838 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=272391 -> KB2670838_amd64.CAB.

Download for KB2729094 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258385 -> KB2729094_amd64.MSU.   

1. using Deployment Workbench, expand MDT Build Lab / Advanced Configuration.
2. In the Selection Profiles node, create a selection profile named Windows 7 x64, and select the Packages / Windows 7 x64 folder when creating it.

Step 5 – Add Visual C++ runtimes, .NET Framework, Internet Explorer 11, April 2016 Convenience Update, and July 2016 Rollup Update

For reference images, it make sense to add the various Visual C++ runtimes and Microsoft .NET Framework… After all, you are installing Windows 7 to run apps, and many apps are depending on one or more of these runtimes. As you probably know, there are x86 and x64 versions of the runtimes, and for Windows 7 x64, you need both. Also, since Internet Explorer 11 is the only supported version of Internet Explorer these days, you should install that too. Finally, the July 2016 Rollup Updates is a must, or Windows update installations will take forever.

For the Visual C++ runtimes, you make the install a bit easier by using a VBScript wrapper that installs all of them.

1. On MDT01, extract the Visual C++ runtimes install wrapper to C:Setup.
    
2. Download each runtime from Microsoft Download Center, and copy to the corresponding folder in C:SetupInstall – Microsoft Visual C++ – x86-x64source.

   Each runtime folder.

3. Using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Applications and create a folder named Microsoft.
    
4. Right-click the Microsoft folder, and select New Application. Use the following settings for the New Application Wizard:

   • Application with source files

   • Publisher: Microsoft

   • Application name: Install – Microsoft Visual C++ – x86-x64

   • Version: (leave blank)

   • Source Directory: C:\Setup\Install – Microsoft Visual C++ – x86-x64

   • Specify the name of the directory that should be created: Install – Microsoft Visual C++ – x86-x64

   • Command Line: cscript Install-MicrosoftVisualC++x86x64.wsf

   • Working directory: (leave default value)

5. Repeat the above step to create applications for Internet Explorer 11, Microsoft .NET Framework 4.6.1 and Rollup Updates. Use the following command lines for the applications:

   Install – Internet Explorer 11 for Windows 7 – x64: IE11-Setup-Full.exe
   
   Install – Microsoft .NET Framework 4.6.1 – x64: NDP461-KB3102436-x86-x64-AllOS-ENU.exe /passive /norestart
   
   Install – Windows 7 SP1 April 2016 Convenience Rollup (KB3125574) – x64: wusa.exe Windows6.1-kb3125574-v4-x64.msu /quiet /norestart
   
   Install – Install – Windows 7 SP1 July 2016 Rollup (KB3172605): wusa.exe AMD64-all-windows6.1-kb3172605-x64.msu /quiet /norestartNote: For details on the IE 11 package, see the Adding Internet Explorer 11 to your Windows 7 SP1 reference image post.

Step 6 – Add LOB applications

Not a hard requirement, but if for example everybody in your organization is using Office 2013 (and the same version of it), it make sense to add that to your reference image. After all it’s a fairly big application, and it can also be updated from WSUS during the task sequence. In this example I assume you have used the Office 2013 customization wizard to create a transformation file (MSP), and added it to the updates folder of your Office 2013 installation files.

1. On MDT01, using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Applications / Microsoft.         
2. Right-click the Microsoft folder, and select New Application, Use the following settings for the New Application Wizard:

   • Application with source files

   • Publisher: Microsoft

   • Application name: Install – Microsoft Office 2013 Pro Plus – x86

   • Version: (leave blank)

   • Source Directory: <path to your Office 2013 setup folder, including custom MSP file in the Updates folder>

   • Specify the name of the directory that should be created: Install – Microsoft Office 2013 Pro Plus – x86

   • Command Line: Setup.exe

   • Working directory: (leave at default)

Step 7 – Create the MDT Task Sequence, add the applications, and enable Windows Updates

1. On MDT01, using the Deployment Workbench, in the MDT Build Lab deployment share, select the Task Sequences node, and create a folder named Windows 7.
2. Expand the Task Sequences node, right-click on the Windows 7 node, and select New Task Sequence. Use the following settings for the New Task Sequence Wizard:
   • Task sequence ID: REFW7-X64-001
   • Task sequence name: Windows 7 Enterprise SP1 x64
   • Task sequence comments: Reference Build
   • Template: Standard Client Task Sequence
   • Select OS: Windows 7 Enterprise SP1 x64
   • Specify Product Key: Do not specify a product key at this time
   • Full Name: ViaMonstra
   • Organization: ViaMonstra
   • Internet Explorer home page: about:blank
   • Do not specify an Administrator password at this time
3. Edit the task sequence, by navigating to the Task Sequences / Windows 7 folder, right-click the Windows 7 Enterprise SP1 x64 task sequence, and select Properties.
4. On the Task Sequence tab, configure the Windows 7 Enterprise SP1 x64 task sequence with the following settings:
   • Preinstall. Configure the Apply Patches action to use the Windows 7 x64 selection profile.
   • State Restore. After the Tattoo action, add a new Group action with the following setting:

     Name: Custom Tasks (Pre-Windows Update)

   • State Restore. Enable the Windows Update (Pre-Application Installation) action.
   • State Restore. Enable the Windows Update (Post-Application Installation) action.
   • State Restore. After the Windows Update (Post-Application Installation) action, rename the existing Custom Tasks group to Custom Tasks (Post-Windows Update).

State Restore – Custom Tasks (Pre-Windows Update). Add a new Install Application action with the following settings:

?    Name: Install – Windows 7 SP1 Convenience Rollup (KB3125574) – x64

?    Install a Single Application: Install – Windows 7 SP1 Convenience Rollup (KB3125574) – x64

 

1. 1. After the Install – Windows 7 SP1 Convenience Rollup (KB3125574) – x64 action, add a Computer Restart action.
   2. Then add the following application:

      Install – Windows 7 SP1 June 2016 Rollup (KB3161608)

   3. After the Install – Windows 7 SP1 June 2016 Rollup (KB3161608) action, add a Computer Restart action.
   4. Then add the following applications:

      Install – Microsoft Visual C++ – x86-x6
      
      Install – Internet Explorer 11 for Windows 7       
           

   5. After the Install – Internet Explorer 11 for Windows 7 action, add a Computer Restart action. Then add the following applications.
       

Install – Microsoft .NET Framework 4.6.1 – x64

Install – Microsoft Office 2013 Pro Plus – x86      

1. After the Install – Microsoft Office 2013 Pro Plus – x86 action, add a Computer Restart action.
        
2. Click OK.

 
Task Sequence configured for the reference image build and capture.

 

Step 8 – Modify the Windows 7 unattend.xml file

During the task sequence, the Windows 7 deployment will start to run Windows update automatically which will interfere with the installation of the runtimes and other components. To prevent that, and to only run Windows update when instructed by the task sequence, you need to modify the Windows 7 unattend.xml file.

1. Using Notepad, open the E:MDTBuildLabControlREFW7-X64-001Unattend.xml file.
2. Locate , and change the setting from 1 to 3. This will turn off Windows Update Automatic Updates until the MDT Windows Update action runs.

Editing the Windows 7 unattend.xml file.

 

Step 9 – Configure the deployment share

To configure the deployment settings, you modify the two rules files (Bootstrap.ini and CustomSettings.ini). You can do the either via the MDT Build Lab deployment share properties, or directly in the file system, in the E:MDTBuildLabControl folder. Below you find the configurations I used in this guide.

Note: In my environment, my WSUS server is named WSUS01, and I’m using the default WSUS port in Windows Server 2012 R2 which is 8530.

Bootstrap.ini

[Settings]
Priority=Default

[Default]
DeployRoot=MDT01MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd

SkipBDDWelcome=YES

CustomSettings.ini

[Settings]
Priority=Default

[Default]
_SMSTSORGNAME=ViaMonstra
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=P@ssw0rd
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=NO
FinishAction=SHUTDOWN
WSUSServer=http://wsus01.corp.viamonstra.com:8530
ApplyGPOPack=NO

; Exclude updates that are already included in W7 Convenience update, but flagged incorrectly on Microsoft Update
WUMU_ExcludeKB1=2965788
WUMU_ExcludeKB2=2984976
WUMU_ExcludeKB3=3126446
WUMU_ExcludeKB4=3075222
WUMU_ExcludeKB5=3069762
WUMU_ExcludeKB6=3036493
WUMU_ExcludeKB7=3067904
WUMU_ExcludeKB8=3035017
WUMU_ExcludeKB9=3003743
WUMU_ExcludeKB10=3039976
WUMU_ExcludeKB11=2862330
WUMU_ExcludeKB12=2529073

SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES

    

1. On MDT01 in the E:MDT Build LabControl folder, modify the Bootstrap.ini and CustomSettings.ini per the above examples.
    
2. Using the Deployment Workbench, right-click the MDT Build Lab deployment share and select Properties.   
   1. In the Windows PE tab, in the Platform dropdown list, make sure x86 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
      1. Image description: MDT Build Lab x86
      2. ISO file name: MDT Build Lab x86.iso
   2. In the Windows PE tab, in the Platform dropdown list, make sure x64 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
      1. Image description: MDT Build Lab x64
      2. ISO file name: MDT Build Lab x64.iso
   3. Click OK.       
3. Update the deployment share, by right-clicking the MDT Build Lab deployment share and select Update Deployment Share. Use the default Options for the Update Deployment Share wizard.

 
The contents of the E:MDTBuildLabBoot folder after updating the deployment share.

 

Step 10 – Create Windows Reference Images

Create a Windows 7 Reference WIM Image, fully automated.

1. On MDT01, copy the E:MDTBuildLabBootMDT Build Lab x64.iso file to your VMware or Hyper-V machine.
2. Create a Gen 1 (BIOS-based) virtual machine named REF001, assign it two vCPUs and 4 GB RAM. Then mount MDT Build Lab x64.iso on the virtual machine.

   

   
   
   VM settings, two vCPU’s and 4 GB of RAM.

3. Start the REF001 virtual machine, and allow it to boot. Then complete the Deployment Wizard using the below settings:
   1. Select a task sequence to execute on this computer: Windows 7 Enterprise SP1 x64         
      
   2. Specify whether to capture an image: Capture an image of this reference computer.
      1. Location:
      2. File name:

The task sequence will now do the following:    
Install the Windows 7 Enterprise operating system.    
Install the added applications

Run Windows Update    
Stage WinPE on the local disk.    
Run Sysprep and reboot into WinPE.    
Captured the Windows 7 installation to a WIM file.    

Done 🙂

MDT 2013 Update 2 capturing a Windows 7 Image, and since you are using Windows 10 ADK v1607, you also get a nice progress bar.

      
This is what a Windows 7 machine looks like after installing the KB3125574 convenience update plus running the MDT windows update action, note the failed KB3037623 update.