Building a Windows 10 21H2 Reference Image using Microsoft Deployment Toolkit (MDT)

Here is a step-by-step quick guide on building the perfect Windows 10 21H2 reference image using Microsoft Deployment Toolkit (MDT) 8456.

Real World Note: Since Windows Vista, there is no technical requirement to create reference images in order to deploy Windows. After all, the ISO that you download from Microsoft contains WIM images that are in a deployable state. The main reason for creating reference images, meaning images with one or more applications in them, is often just deployment speed, and to some extent network efficiency (WIM images are highly compressed). However, in a world with better and better peer to peer solutions, better networking, better hardware, you can make deployments go quite fast even without a reference image. While more and more organizations are moving to use a thin image, and deploy settings and applications at deployment time instead, if you still need a reference image. Here is how to create one.

Block Internet Access

Due to how aggressive Windows 10 is regarding updating its native applications, which is known for breaking Sysprep, make sure the virtual machine does not have Internet access during the build and capture process.

Registry and state.ini Options

Tip: Daniel Barras (thank you), commented about a solution I was not aware of, removing the need for blocking Internet access. And then Steyrs (also, thank you) provided the below steps:

Adding a registry key.
Add a "Run command line" in your task sequence.
Enter this as your Command line:

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState /t REG_SZ /d "IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE" /f

Replace state.ini file
Add a "Run command line" in your task sequence.
Enter this as your Command line:
xcopy "%SCRIPTROOT%\State.ini" %windir%\setup\state\ /H /Y

Place your modified State.ini file in your "scripts" folder (e.g.: C:\DeploymentShare\Scripts).
That way it will get copied to your client when running the task sequence.

Add those two command lines before the Sysprep step.
I added them in my State Restore section of the task sequence.

Software Requirements

MDT can be installed either on a file server, or on your own laptop, but in this scenario, I use a file server named MDT01. Windows 10 21H2 requires Windows ADK 10 2004 or later, but since you likely want to evaluate Windows 11 as well, I recommend using Windows ADK for Windows 11 21H2 that supports both Windows 10 21H2 and Windows 11 21H2.

Note: Please don't use the newly released (May 2022) Windows ADK for Windows 11 22H2. It's not fully compatible with MDT 8456 since it no longer contains the x86 version of WinPE which MDT expects to find.

For this guide you need the following software.

• Windows 10 Enterprise 21H2 (make sure to use the latest media).
• Windows ADK for Windows 11 21H2: Download and install the Windows ADK | Microsoft Docs
• WinPE Addon for Windows ADK for Windows 11 21H2: Download and install the Windows ADK | Microsoft Docs
• Microsoft Deployment Toolkit (MDT) 8456: Microsoft Deployment Toolkit documentation | Microsoft Docs
• MDT 8456 HotFix: Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware
• Script to relax default deployment share permissions: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Set-MDTBuildLabPermissions.ps1 

Step-by-Step Guide

The entire process for creating a Windows 10 image using MDT takes about 20 – 30 minutes, fully automated. This guide covers the following seven steps:

• Step 1 – Install Windows ADK for Windows 11, and MDT 8456
• Step 2 – Create the MDT Build Lab Deployment Share
• Step 3 – Import the Windows 10 operating system
• Step 4 – Add applications
• Step 5 – Create the MDT Task Sequence
• Step 6 – Configure the deployment share
• Step 7 – Create Windows Reference Images

Step 1 – Install Windows ADK for Windows 11, and MDT 8456

In this example I have a virtual machine named MDT01, running Windows Server 2022 LTSC (Windows Server 2016 LTSC or Windows Server 2019 LTSC is fine too). The VM has 2 vCPUs and 4 GB RAM.

1. On MDT01, install Windows ADK for Windows 11, and select the following components:

• Deployment Tools
• Imaging and Configuration Designer (ICD)
• Configuration Designer
• User State Migration Tool (USMT    

2. Install WinPE Addon for Windows ADK for Windows 11, and select the following component:

Windows Preinstallation Environment (Windows PE)

3.  Install MDT 8456 using the default settings.

4. Install the MDT 8456 HotFix by extracting MDT_KB4564442.exe and extract it to a folder. In my lab, I extracted it to the E:\Setup\MDT 8456 HotFix folder.

4a. Copy the x86 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x86 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86. Replace the existing file.

4b. Copy the x64 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x64 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. Replace the existing file.

Step 2 – Create the MDT Build Lab Deployment Share

1. On MDT01, using the Deployment Workbench (available on the start screen), right-click Deployment Shares and select New Deployment Share. Use the following settings for the New Deployment Share Wizard (my data volume on MDT01 is E:)

a.    Deployment share path: E:\MDTBuildLab
b.    Share name: MDTBuildLab$
c.    Deployment share description: MDT Build Lab
d.    Options: (default)

2. Once the deployment share is created you also want to relax the security a bit. MDT locks it down to hard by default. Use the following PowerShell script (named Set-MDTBuildLabPermissions.ps1) to set some better permissions (modify script to fit your environment):

#Requires -RunAsAdministrator

# Configure NTFS Permissions for the MDT Build Lab deployment share
$DeploymentShareNTFS = "E:\MDTBuildLab"
icacls $DeploymentShareNTFS /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(RX)'
icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'
icacls "$DeploymentShareNTFS\Captures" /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(M)'

# Configure Sharing Permissions for the MDT Build Lab deployment share
$DeploymentShare = "MDTBuildLab$"
Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force

Note: In my environment the MDT01 server is joined to a domain, and my service account used for the deployments is VIAMONSTRA\MDT_BA. If using a different domain, or if using a workgroup server for your build and capture modify the Set-MDTBuildLabPermissions.ps1 script to reflect that.

Step 3 – Import the Windows 10 operating system

Note: Make sure to always download the latest version of Windows 10 Enterprise 21H2. Microsoft releases new media monthly.

On MDT01, mount the Windows 10 Enterprise x64 21H2.iso media (or whatever you named it). On my server it was mounted to the D: drive.

1. Using the Deployment Workbench, expand the Deployment Shares node, expand MDT Build Lab, select the Operating Systems node and create a folder
   named Windows 10.
2. Right-click the Windows 10 node, and select Import Operating System. Use the following settings for the Import Operating System Wizard.
   1. Full set of source files
   2. Source directory: D:\
   3. Destination directory name: REFW10X64-21H2
   4. After adding the operating system, in the Windows 10 node, remove the indexes/images you don't need, and rename the remaining operating system to Windows 10 Enterprise x64 21H2

Note: The Windows 10 media comes with many Windows version, in the below example I simply removed all but the Enterprise version, and gave it a better name.

Step 4 – Add applications

In this example you add Microsoft 365 Apps for enterprise (formerly named Microsoft Office 365 ProPlus) to MDT. Use the Office Deployment Toolkit (ODT) to create a package of Microsoft 365 Apps for enterprise before continuing with these steps.

1. On MDT01, download the Office Deployment Toolkit (ODT), and extract it to E:\Setup\ODT.

2. Using an elevated Command prompt, download the installers by running the following command:

setup.exe /download configuration-Office365-x64.xml

3. Using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Applications and create a folder named Microsoft.

4. Right-click the Microsoft folder, and select New Application. Use the following settings for the New Application Wizard:

• Application with source files
• Publisher:
• Application name: Install – Microsoft 365 Apps for enterprise
• Version:
• Source Directory: E:\Setup\ODT
• Specify the name of the directory that should be created: Install – Microsoft 365 Apps for enterprise
• Command Line: setup.exe /configure configuration-Office365-x64.xml
• Working directory: (default)

Step 5 – Create and Configure the MDT Task Sequence

1. On MDT01, using the Deployment Workbench, in the MDT Build Lab deployment share, select the Task Sequences node, and create a folder named Windows 10.
2. Expand the Task Sequences node, right-click on the Windows 10 node, and select New Task Sequence. Use the following settings for the New Task Sequence Wizard:
   1. Task sequence ID: REFW10-X64-001
   2. Task sequence name: Windows 10 Enterprise x64 21H2
   3. Task sequence comments: Reference Build
   4. Template: Standard Client Task Sequence
   5. Select OS: Windows 10 Enterprise x64 21H2
   6. Specify Product Key: Do not specify a product key at this time
   7. Full Name: ViaMonstra
   8. Organization: ViaMonstra
   9. Internet Explorer home page: about:blank
   10. Do not specify an Administrator password at this time
3. Edit the task sequence by navigating to the Task Sequences / Windows 10 folder, right-click the Windows 10 Enterprise x64 21H2 task sequence, and select Properties.
4. On the Task Sequence tab, configure the Windows 10 Enterprise x64 21H2 task sequence with the following settings:
   1. In the State Restore / Custom Tasks group, add a new Install Application action with the following settings:
      Name: Install – Microsoft 365 Apps for enterprise
      Install a Single Application: Install – Microsoft 365 Apps for enterprise
      

Step 6 – Configure the deployment share

To configure the deployment settings, you modify the two rules files (Bootstrap.ini and CustomSettings.ini). You can do the either via the MDT Build Lab deployment share properties, or directly in the file system, in the E:\MDTBuildLab\Control folder. Below you find the configurations I used in this guide.

Bootstrap.ini

[Settings]
Priority=Default

[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd
SkipBDDWelcome=YES

CustomSettings.ini

[Settings]
Priority=Default

[Default]
_SMSTSORGNAME=ViaMonstra
UserDataLocation=NONE
ComputerBackupLocation=NETWORK
DoCapture=YES
OSInstall=Y
AdminPassword=P@ssw0rd
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=NO
FinishAction=SHUTDOWN
ApplyGPOPack=NO

BackupShare=\\MDT01\MDTBuildLab$
BackupDir=Captures
BackupFile=%TaskSequenceID%_#month(date) & "-" & day(date) & "-" & year(date)#.wim

SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES

1. On MDT01, modify the Bootstrap.ini and CustomSettings.ini per the preceding examples.
   
2. Using the Deployment Workbench, right-click the MDT Build Lab deployment share and select Properties.
   1. In the Windows PE tab, in the Platform dropdown list, make sure x86 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
      1. Image description: MDT Build Lab x86
      2. ISO file name: MDT Build Lab x86.iso
   2. Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
      1. Selection profile: Nothing
      2. Select the Include all drivers from selection profile option
         

         

         Configuring the deployment share not to add the Windows 10 CU into the boot image.
         
   3. In the Windows PE tab, in the Platform dropdown list, make sure x64 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
      1. Image description: MDT Build Lab x64
      2. ISO file name: MDT Build Lab x64.iso
   4. Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
      1. Selection profile: Nothing
      2. Select the Include all drivers from selection profile option
         
   5. Click OK.
   6. Update the deployment share, by right-clicking the MDT Build Lab deployment share and select Update Deployment Share. Use the default Options for the Update Deployment Share wizard.

Step 7 – Create Windows Reference Images

Now it is time to create a Windows 10 Reference WIM Image, fully automated.

Note: To make sure Sysprep does not fail during the build and capture process, make sure the virtual machine you are using does not have Internet access during the entire process.

1. On MDT01, copy the E:\MDTBuildLab\Boot\MDT Build Lab x64.iso file to your VMware or Hyper-V machine.
2. Create a virtual machine named REF001, assign it 2 vCPUs and 4 GB RAM. Then mount MDT Build Lab x64.iso on the virtual machine.
3. Start the REF001 virtual machine, and allow it to boot. Then complete the Deployment Wizard using the below settings:
   1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 21H2
   2. Specify whether to capture an image: Capture an image of this reference computer.
      1. Location:
      2. File name:

The task sequence will now do the following:

• Install the Windows 10 Enterprise operating system.
• Install the added applications, roles, and features.
• Stage WinPE on the local disk.
• Run Sysprep and reboot into WinPE.
• Capture the Windows 10 installation to a WIM file.

Resources

Note: Please also check these posts:

Image Factory
Automate this process even further (you still need to do the step in this guide first), check out the Image Factory for Hyper-V solution by Mikael Nystrom (@mikael_nystrom).
http://github.com/DeploymentBunny/ImageFactoryV3ForHyper-V