Here is a step-by-step quick guide on building the perfect Windows 10 21H2 reference image using Microsoft Deployment Toolkit (MDT) 8456.
Real World Note: Since Windows Vista, there is no technical requirement to create reference images in order to deploy Windows. After all, the ISO that you download from Microsoft contains WIM images that are in a deployable state. The main reason for creating reference images, meaning images with one or more applications in them, is often just deployment speed, and to some extent network efficiency (WIM images are highly compressed). However, in a world with better and better peer-to-peer solutions, better networking, and better hardware, you can make deployments go quite fast even without a reference image. More and more organizations are moving to a thin image, and deploy settings and applications at deployment time instead, but if you still need a reference image, here is how to create one.
Block Internet Access
Windows 10 is aggressive about updating its native applications, which is known for breaking Sysprep, so make sure the virtual machine does not have Internet access during the build and capture process.
Registry and state.ini Options
Tip: Daniel Barras (thank you), commented about a solution I was not aware of, removing the need for blocking Internet access. And then Steyrs (also, thank you) provided the below steps:
Adding a registry key.
Add a "Run command line" in your task sequence.
Enter this as your Command line:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState /t REG_SZ /d "IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE" /f
Replace state.ini file
Add a "Run command line" in your task sequence.
Enter this as your Command line:
xcopy "%SCRIPTROOT%\State.ini" %windir%\setup\state\ /H /Y
Place your modified State.ini file in your "scripts" folder (e.g.: C:\DeploymentShare\Scripts).
That way it will get copied to your client when running the task sequence.
Add those two command lines before the Sysprep step.
I added them in my State Restore section of the task sequence.
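A read-back check for the two steps above, as an added example (not part of the original post or of MDT): it compares the ImageState registry value and the State.ini entry against expected values and returns a non-zero exit code on a mismatch. The script name and parameters are hypothetical, and the expected State.ini value is an assumption taken from the author's reply in the comments on this page.

```powershell
# Test-ImageState.ps1 (hypothetical name) - added example, not part of MDT.
# Run on the reference machine after the two "Run command line" steps, before Sysprep.
param(
    [string]$RegPath     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State',
    [string]$StateIni    = "$env:windir\Setup\State\State.ini",
    # Expected values: the registry value is the one set by reg.exe in the post;
    # the State.ini value is the one quoted in the author's comment reply (assumption).
    [string]$ExpectedReg = 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE',
    [string]$ExpectedIni = 'IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE'
)

function Get-IniValue {
    # Minimal INI reader: returns the value of $Key inside [$Section], or $null.
    param([string]$Path, [string]$Section, [string]$Key)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $current = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -eq $Section -and $line -match '^([^=;]+)=(.*)$' -and $Matches[1].Trim() -eq $Key) {
            return $Matches[2].Trim()
        }
    }
    return $null
}

# A missing key or file yields $null, which is reported as a mismatch.
$regValue = (Get-ItemProperty -Path $RegPath -Name ImageState -ErrorAction SilentlyContinue).ImageState
$iniValue = Get-IniValue -Path $StateIni -Section 'State' -Key 'ImageState'

$results = @(
    [pscustomobject]@{ Source = $RegPath;  Expected = $ExpectedReg; Actual = $regValue; Match = ($regValue -eq $ExpectedReg) }
    [pscustomobject]@{ Source = $StateIni; Expected = $ExpectedIni; Actual = $iniValue; Match = ($iniValue -eq $ExpectedIni) }
)
$results | Format-List | Out-String | Write-Host

# Non-zero exit code when either location does not hold the expected value.
if ($results.Match -contains $false) { exit 1 }
exit 0
```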
Software Requirements
MDT can be installed either on a file server, or on your own laptop, but in this scenario, I use a file server named MDT01. Windows 10 21H2 requires Windows ADK 10 2004 or later, but since you likely want to evaluate Windows 11 as well, I recommend using Windows ADK for Windows 11 21H2 that supports both Windows 10 21H2 and Windows 11 21H2.
Note: Please don't use the newly released (May 2022) Windows ADK for Windows 11 22H2. It's not fully compatible with MDT 8456 since it no longer contains the x86 version of WinPE which MDT expects to find.
For this guide you need the following software.
- Windows 10 Enterprise 21H2 (make sure to use the latest media).
- Windows ADK for Windows 11 21H2: Download and install the Windows ADK | Microsoft Docs
- WinPE Addon for Windows ADK for Windows 11 21H2: Download and install the Windows ADK | Microsoft Docs
- Microsoft Deployment Toolkit (MDT) 8456: Microsoft Deployment Toolkit documentation | Microsoft Docs
- MDT 8456 HotFix: Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware
- Script to relax default deployment share permissions: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Set-MDTBuildLabPermissions.ps1
Step-by-Step Guide
The entire process for creating a Windows 10 image using MDT takes about 20 – 30 minutes, fully automated. This guide covers the following seven steps:
- Step 1 – Install Windows ADK for Windows 11, and MDT 8456
- Step 2 – Create the MDT Build Lab Deployment Share
- Step 3 – Import the Windows 10 operating system
- Step 4 – Add applications
- Step 5 – Create the MDT Task Sequence
- Step 6 – Configure the deployment share
- Step 7 – Create Windows Reference Images
Step 1 – Install Windows ADK for Windows 11, and MDT 8456
In this example I have a virtual machine named MDT01, running Windows Server 2022 LTSC (Windows Server 2016 LTSC or Windows Server 2019 LTSC is fine too). The VM has 2 vCPUs and 4 GB RAM.
1. On MDT01, install Windows ADK for Windows 11, and select the following components:
- Deployment Tools
- Imaging and Configuration Designer (ICD)
- Configuration Designer
- User State Migration Tool (USMT)

2. Install WinPE Addon for Windows ADK for Windows 11, and select the following component:
Windows Preinstallation Environment (Windows PE)

3. Install MDT 8456 using the default settings.

4. Install the MDT 8456 HotFix by extracting MDT_KB4564442.exe to a folder. In my lab, I extracted it to the E:\Setup\MDT 8456 HotFix folder.
4a. Copy the x86 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x86 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86. Replace the existing file.
4b. Copy the x64 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x64 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. Replace the existing file.
Step 2 – Create the MDT Build Lab Deployment Share
1. On MDT01, using the Deployment Workbench (available on the start screen), right-click Deployment Shares and select New Deployment Share. Use the following settings for the New Deployment Share Wizard (my data volume on MDT01 is E:):
a. Deployment share path: E:\MDTBuildLab
b. Share name: MDTBuildLab$
c. Deployment share description: MDT Build Lab
d. Options: (default)

2. Once the deployment share is created you also want to relax the security a bit. MDT locks it down too hard by default. Use the following PowerShell script (named Set-MDTBuildLabPermissions.ps1) to set some better permissions (modify the script to fit your environment):
#Requires -RunAsAdministrator
# Configure NTFS Permissions for the MDT Build Lab deployment share
$DeploymentShareNTFS = "E:\MDTBuildLab"
icacls $DeploymentShareNTFS /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(RX)'
icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'
icacls "$DeploymentShareNTFS\Captures" /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(M)'
# Configure Sharing Permissions for the MDT Build Lab deployment share
$DeploymentShare = "MDTBuildLab$"
Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force
Note: In my environment the MDT01 server is joined to a domain, and my service account used for the deployments is VIAMONSTRA\MDT_BA. If using a different domain, or if using a workgroup server for your build and capture, modify the Set-MDTBuildLabPermissions.ps1 script to reflect that.
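To confirm what the script actually granted, the following added example (not from the original post or the DRFiles repository) reads the NTFS and share permissions back and flags write access for the build account outside the Captures folder. It assumes the paths and account name used in this guide; the script and function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Test-MDTBuildLabPermissions.ps1 (hypothetical name) - added example.
param(
    [string]$SharePath    = 'E:\MDTBuildLab',
    [string]$ShareName    = 'MDTBuildLab$',
    [string]$BuildAccount = 'VIAMONSTRA\MDT_BA'
)

$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-AccountGrant {
    # Allow ACEs that name the account directly, with a flag for any write bit.
    # Access derived from group membership is not resolved here.
    param([string]$Path, [string]$Account)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        [pscustomobject]@{
            Path      = $Path
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            CanWrite  = (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
        }
    }
}

$root     = @(Get-AccountGrant -Path $SharePath -Account $BuildAccount)
$captures = @(Get-AccountGrant -Path (Join-Path $SharePath 'Captures') -Account $BuildAccount)
$share    = @(Get-SmbShareAccess -Name $ShareName |
              Select-Object AccountName, AccessControlType, AccessRight)

($root + $captures) | Format-Table -AutoSize | Out-String | Write-Host
$share | Format-Table -AutoSize | Out-String | Write-Host

# Expected after Set-MDTBuildLabPermissions.ps1: read/execute on the root, Modify on Captures.
$problems = @()
if ($root.Count -eq 0) {
    $problems += "No allow entry for $BuildAccount on $SharePath"
}
if ($root | Where-Object CanWrite) {
    $problems += "$BuildAccount can write to $SharePath"
}
if (-not ($captures | Where-Object CanWrite)) {
    $problems += "$BuildAccount cannot write to the Captures folder"
}
if ($share | Where-Object { $_.AccountName -like '*CREATOR OWNER*' }) {
    $problems += 'CREATOR OWNER still has share access'
}

$problems | ForEach-Object { Write-Warning $_ }
if ($problems.Count -gt 0) { exit 1 }
```

Because the share itself grants Everyone Change, the NTFS entries listed by this check are what actually limit the build account to read/execute outside Captures.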

Step 3 – Import the Windows 10 operating system
Note: Make sure to always download the latest version of Windows 10 Enterprise 21H2. Microsoft releases new media monthly.
On MDT01, mount the Windows 10 Enterprise x64 21H2.iso media (or whatever you named it). On my server it was mounted to the D: drive.
- Using the Deployment Workbench, expand the Deployment Shares node, expand MDT Build Lab, select the Operating Systems node and create a folder named Windows 10.
- Right-click the Windows 10 node, and select Import Operating System. Use the following settings for the Import Operating System Wizard.
- Full set of source files
- Source directory: D:\
- Destination directory name: REFW10X64-21H2
- After adding the operating system, in the Windows 10 node, remove the indexes/images you don't need, and rename the remaining operating system to Windows 10 Enterprise x64 21H2
Note: The Windows 10 media comes with many Windows versions. In the below example I simply removed all but the Enterprise version, and gave it a better name.

Step 4 – Add applications
In this example you add Microsoft 365 Apps for enterprise (formerly named Microsoft Office 365 ProPlus) to MDT. Use the Office Deployment Toolkit (ODT) to create a package of Microsoft 365 Apps for enterprise before continuing with these steps.
1. On MDT01, download the Office Deployment Toolkit (ODT), and extract it to E:\Setup\ODT.
2. Using an elevated Command prompt, download the installers by running the following command:
setup.exe /download configuration-Office365-x64.xml

3. Using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Applications and create a folder named Microsoft.
4. Right-click the Microsoft folder, and select New Application. Use the following settings for the New Application Wizard:
- Application with source files
- Publisher:
- Application name: Install – Microsoft 365 Apps for enterprise
- Version:
- Source Directory: E:\Setup\ODT
- Specify the name of the directory that should be created: Install – Microsoft 365 Apps for enterprise
- Command Line: setup.exe /configure configuration-Office365-x64.xml
- Working directory: (default)

Step 5 – Create and Configure the MDT Task Sequence
- On MDT01, using the Deployment Workbench, in the MDT Build Lab deployment share, select the Task Sequences node, and create a folder named Windows 10.
- Expand the Task Sequences node, right-click on the Windows 10 node, and select New Task Sequence. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: REFW10-X64-001
- Task sequence name: Windows 10 Enterprise x64 21H2
- Task sequence comments: Reference Build
- Template: Standard Client Task Sequence
- Select OS: Windows 10 Enterprise x64 21H2
- Specify Product Key: Do not specify a product key at this time
- Full Name: ViaMonstra
- Organization: ViaMonstra
- Internet Explorer home page: about:blank
- Do not specify an Administrator password at this time
- Edit the task sequence by navigating to the Task Sequences / Windows 10 folder, right-click the Windows 10 Enterprise x64 21H2 task sequence, and select Properties.
- On the Task Sequence tab, configure the Windows 10 Enterprise x64 21H2 task sequence with the following settings:
- In the State Restore / Custom Tasks group, add a new Install Application action with the following settings:
Name: Install – Microsoft 365 Apps for enterprise
Install a Single Application: Install – Microsoft 365 Apps for enterprise

Step 6 – Configure the deployment share
To configure the deployment settings, you modify the two rules files (Bootstrap.ini and CustomSettings.ini). You can do this either via the MDT Build Lab deployment share properties, or directly in the file system, in the E:\MDTBuildLab\Control folder. Below you find the configurations I used in this guide.
Bootstrap.ini
[Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd
SkipBDDWelcome=YES
CustomSettings.ini
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=ViaMonstra
UserDataLocation=NONE
ComputerBackupLocation=NETWORK
DoCapture=YES
OSInstall=Y
AdminPassword=P@ssw0rd
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=NO
FinishAction=SHUTDOWN
ApplyGPOPack=NO
BackupShare=\\MDT01\MDTBuildLab$
BackupDir=Captures
BackupFile=%TaskSequenceID%_#month(date) & "-" & day(date) & "-" & year(date)#.wim
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
- On MDT01, modify the Bootstrap.ini and CustomSettings.ini per the preceding examples.
- Using the Deployment Workbench, right-click the MDT Build Lab deployment share and select Properties.
- In the Windows PE tab, in the Platform dropdown list, make sure x86 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
- Image description: MDT Build Lab x86
- ISO file name: MDT Build Lab x86.iso
- Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
- In the Windows PE tab, in the Platform dropdown list, make sure x64 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
- Image description: MDT Build Lab x64
- ISO file name: MDT Build Lab x64.iso
- Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
- Selection profile: Nothing
- Select the Include all drivers from selection profile option
- Click OK.
- Update the deployment share by right-clicking the MDT Build Lab deployment share and selecting Update Deployment Share. Use the default options for the Update Deployment Share wizard.

Step 7 – Create Windows Reference Images
Now it is time to create a Windows 10 Reference WIM Image, fully automated.
Note: To make sure Sysprep does not fail during the build and capture process, make sure the virtual machine you are using does not have Internet access during the entire process.
- On MDT01, copy the E:\MDTBuildLab\Boot\MDT Build Lab x64.iso file to your VMware or Hyper-V machine.
- Create a virtual machine named REF001, assign it 2 vCPUs and 4 GB RAM. Then mount MDT Build Lab x64.iso on the virtual machine.
- Start the REF001 virtual machine, and allow it to boot. Then complete the Deployment Wizard using the below settings:
- Select a task sequence to execute on this computer: Windows 10 Enterprise x64 21H2
- Specify whether to capture an image: Capture an image of this reference computer.
- Location:
- File name:
The task sequence will now do the following:
- Install the Windows 10 Enterprise operating system.
- Install the added applications, roles, and features.
- Stage WinPE on the local disk.
- Run Sysprep and reboot into WinPE.
- Capture the Windows 10 installation to a WIM file.

Resources
Note: Please also check these posts:
Image Factory
To automate this process even further (you still need to do the steps in this guide first), check out the Image Factory for Hyper-V solution by Mikael Nystrom (@mikael_nystrom).
http://github.com/DeploymentBunny/ImageFactoryV3ForHyper-V
Step 6 will fail because of this:
The 32-bit versions of Windows PE in the Windows PE add-ons for Windows 11 and Windows Server 2022 aren't supported. The last supported version of 32-bit Windows PE is available in the Windows PE add-on for Windows 10, version 2004.
If using Windows ADK for Windows 11 21H2, that step will work fine. If using a later ADK, you can configure your deployment share to not support x86 images. Note: You still need to have an x86 folder in your ADK, but you can just make a copy of the amd64 folder and name it x86. It just needs to be there, MDT won't use it.
Hi! I've got an error during my Build and Capture TS and I don't know how to fix it. At the final step, when the .wim is being created, after Sysprep and reboot, the system doesn't load into WinPE automatically but loads into Windows, and I get first boot preparation (and a "can't load Bootstrap.vbs" error at the end). But if I PXE boot into my Build and Capture share, the TS continues and starts creating the .wim (but it can't always do it successfully). Previously I have already used this TS to create an image with Windows 21H2, now I…
Sorry for the late reply, but it sounds like the BCD entry doesn't get created correctly. If you create a tiny task sequence that only boots into WinPE from a workgroup joined machine with 22H2, does it reboot into WinPE? (without running Sysprep)
Hello!
Oh, I figured it out – just use the previous model of laptop that I used to build and capture. HP ProBook 450 G5 instead of 450 G8. That's all. Can't say what the problem was. Maybe drivers, maybe something else.
Good catch, but you should never capture a physical device. Always run the build and capture on a virtual machine (Hyper-V or VMware).
/ Johan
One should still remove drivers from the created .WIM file, at least if you use VMware. Otherwise the image will include VMware drivers. Most people forget this step. Once I had installed a laptop with my created image and it always had a VMware pointing device listed under Device Manager.
Hello Johan,
I am having a similar issue. After Sysprep is completed. The device is restarted. After a few minutes, it shows the error message "can not find script file C:\LTIBootstraps.vbs". When clicked OK. It goes to Windows and does nothing until you restart the device. Once restarted, it starts the capturing process.
How can I fix this error message?
My guess is that it doesn't boot into WinPE, but I would have to debug the setup to see what's going on. Did you apply the MDT 8456 HotFix for UEFI to your deployment share, and update your boot image? Do you see the same issue with Gen 1 and Gen 2 VMs?
Sysprep runs fine and completes without error, but during the create WIM phase it will start to copy the WIM file to MDT but always stops. It will just sit there, sometimes at 2%, sometimes it makes it to 20%, but it never finishes creating the WIM file and never errors out or times out.
Can you mention a few things that may be causing the WIM creation to stop?
Hi Eric,
For me, it's been many years since I have seen that. And then it was only when either the VM is configured for a single vCPU, or on a too weak/overcommitted VM platform, or when the network is really slow.
A temporary workaround is to simply attach a second disk to the VM, and modify the backup path to save the WIM on that one.
Hi Johan, thanks for this. Very informative. You mentioned downloading the latest Win 10 version and also disabling the Internet connection for the VM so Sysprep becomes more reliable. My question: how do you update the latest security updates and CU from the last main download of 21H2? Do you do it when you do the production image? Cheers K
You do that prior to importing the image to MDT, or offline via for example OSDBuilder.
Thanks for the post, really struggling with MDT and newer versions of Windows 10, coming across errors at every turn. Have seen elsewhere the suggestion to disable Internet access, but I'm finding this difficult, as I run MDT on a different machine than I do the capture on. Making Hyper-V network run Internal Only of course cuts access to the network for this capture. Just wondering if you had come across any other solutions?
Hi Martin,
Daniel Barras (thank you), commented about a solution for the Windows 11 ref image I was not aware of, removing the need for blocking Internet access: Set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State ImageState key to IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE, and then update the State.ini file at C:\Windows\Setup\State to read:
[State]
ImageState=IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE
Hopefully that works with Windows 10 as well, but I haven't verified.
Thanks very much Johan (and Daniel), I'll give that a try!
Are you setting this registry key in the task sequence or somewhere else?
Sorry for the very late reply, I have updated the post with instructions
Johan, if we don’t see any Sysprep issues, any reason not to build connected to the Internet? Do you typically create your images offline?
I've started to create the images offline since Sysprep is failing so frequently. Just makes the process more reliable.
/ Johan