Building a Windows 10 21H2 Reference Image using Microsoft Deployment Toolkit (MDT)

Here is a step-by-step quick guide on building the perfect Windows 10 21H2 reference image using Microsoft Deployment Toolkit (MDT) 8456.

Real World Note: Since Windows Vista, there has been no technical requirement to create reference images in order to deploy Windows. After all, the ISO that you download from Microsoft contains WIM images that are in a deployable state. The main reason for creating reference images, meaning images with one or more applications in them, is often just deployment speed, and to some extent network efficiency (WIM images are highly compressed). However, with better and better peer-to-peer solutions, better networking, and better hardware, you can make deployments go quite fast even without a reference image. More and more organizations are moving to a thin image and deploying settings and applications at deployment time instead, but if you still need a reference image, here is how to create one.

Block Internet Access

Due to how aggressive Windows 10 is regarding updating its native applications, which is known for breaking Sysprep, make sure the virtual machine does not have Internet access during the build and capture process.

Tip: Daniel Barras (thank you) commented about a solution I was not aware of, removing the need for blocking Internet access: set the ImageState value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State key to IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE, and then update the State.ini file in C:\Windows\Setup\State to read:
[State]
ImageState=IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE

Software Requirements

MDT can be installed either on a file server, or on your own laptop, but in this scenario, I use a file server named MDT01. Windows 10 21H2 requires Windows ADK 10 2004 or later, but since you likely want to evaluate Windows 11 as well, I recommend using Windows ADK for Windows 11 21H2 that supports both Windows 10 21H2 and Windows 11 21H2.

Note: Please don't use the newly released (May 2022) Windows ADK for Windows 11 22H2. It's not fully compatible with MDT 8456 since it no longer contains the x86 version of WinPE which MDT expects to find.

For this guide you need the following software.

Step-by-Step Guide

The entire process for creating a Windows 10 image using MDT takes about 20 – 30 minutes, fully automated. This guide covers the following seven steps:

  • Step 1 – Install Windows ADK for Windows 11, and MDT 8456
  • Step 2 – Create the MDT Build Lab Deployment Share
  • Step 3 – Import the Windows 10 operating system
  • Step 4 – Add applications
  • Step 5 – Create the MDT Task Sequence
  • Step 6 – Configure the deployment share
  • Step 7 – Create Windows Reference Images

Step 1 – Install Windows ADK for Windows 11, and MDT 8456

In this example I have a virtual machine named MDT01, running Windows Server 2022 LTSC (Windows Server 2016 LTSC or Windows Server 2019 LTSC is fine too). The VM has 2 vCPUs and 4 GB RAM.

1. On MDT01, install Windows ADK for Windows 11, and select the following components:

  • Deployment Tools
  • Imaging and Configuration Designer (ICD)
  • Configuration Designer
  • User State Migration Tool (USMT)

Windows ADK Setup.

2. Install WinPE Addon for Windows ADK for Windows 11, and select the following component:

Windows Preinstallation Environment (Windows PE)

Installing WinPE Addon for Windows ADK

3. Install MDT 8456 using the default settings.

Installing MDT.

4. Install the MDT 8456 HotFix by extracting MDT_KB4564442.exe to a folder. In my lab, I extracted it to the E:\Setup\MDT 8456 HotFix folder.

4a. Copy the x86 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x86 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86. Replace the existing file.

4b. Copy the x64 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x64 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. Replace the existing file.
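Steps 4a and 4b replace two binaries inside the MDT installation by hand. The script below is an added example (not from the original post, not part of MDT or the hotfix) that does the same copy for both architectures, but first checks that each incoming Microsoft.BDD.Utility.dll carries a valid Authenticode signature, records the file version before and after, and keeps a backup of the original DLL so the change can be rolled back. It assumes the hotfix was extracted to E:\Setup\MDT 8456 HotFix and that MDT is installed in its default folder, as in this guide; the check that the signer is Microsoft is an assumption about how the hotfix binaries are signed, and the script stops if that does not hold.

```powershell
#Requires -RunAsAdministrator
# Added example, not the hotfix's own installer: verify and apply the MDT 8456 HotFix DLLs.
# Assumed paths (match the guide): hotfix extracted to E:\Setup\MDT 8456 HotFix,
# MDT installed under C:\Program Files\Microsoft Deployment Toolkit.
$HotFixRoot = "E:\Setup\MDT 8456 HotFix"
$MdtTools   = "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools"

function Install-MdtHotFixDll {
    param(
        [Parameter(Mandatory)][ValidateSet("x86", "x64")][string]$Architecture
    )
    $Source = Join-Path $HotFixRoot "$Architecture\Microsoft.BDD.Utility.dll"
    $Target = Join-Path $MdtTools   "$Architecture\Microsoft.BDD.Utility.dll"

    if (-not (Test-Path $Source)) { throw "Hotfix DLL not found: $Source" }
    if (-not (Test-Path $Target)) { throw "MDT DLL not found (is MDT installed?): $Target" }

    # Only accept a replacement DLL whose Authenticode signature validates.
    # Assumption: the hotfix binaries are signed by Microsoft; adjust the subject check if not.
    $Sig = Get-AuthenticodeSignature -FilePath $Source
    if ($Sig.Status -ne 'Valid') {
        throw "Refusing to install $Source - signature status is $($Sig.Status)"
    }
    if ($Sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Unexpected signer on $Source : $($Sig.SignerCertificate.Subject)"
    }

    $OldVersion = (Get-Item $Target).VersionInfo.FileVersion
    $NewVersion = (Get-Item $Source).VersionInfo.FileVersion

    # Keep the original next to the new file so the hotfix can be backed out
    Copy-Item -Path $Target -Destination "$Target.orig" -Force
    Copy-Item -Path $Source -Destination $Target -Force

    [pscustomobject]@{
        Architecture = $Architecture
        OldVersion   = $OldVersion
        NewVersion   = $NewVersion
        Signer       = $Sig.SignerCertificate.Subject
    }
}

foreach ($Arch in "x86", "x64") {
    Install-MdtHotFixDll -Architecture $Arch
}
```

Run it once from an elevated PowerShell prompt on MDT01 after step 3; the output table shows the version change per architecture, and the .orig copies stay in the Tools folders.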

Step 2 – Create the MDT Build Lab Deployment Share

  1. On MDT01, using the Deployment Workbench (available on the start screen), right-click Deployment Shares and select New Deployment Share. Use the following settings for the New Deployment Share Wizard (my data volume on MDT01 is E:):
    a. Deployment share path: E:\MDTBuildLab
    b. Share name: MDTBuildLab$
    c. Deployment share description: MDT Build Lab
    d. Options: (default)

MDT Build Lab deployment share created

  2. Once the deployment share is created you also want to relax the security a bit. MDT locks it down too hard by default. Use the following PowerShell script (named Set-MDTBuildLabPermissions.ps1) to set some better permissions (modify the script to fit your environment):

#Requires -RunAsAdministrator

# Configure NTFS Permissions for the MDT Build Lab deployment share
$DeploymentShareNTFS = "E:\MDTBuildLab"
icacls $DeploymentShareNTFS /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(RX)'
icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'
icacls "$DeploymentShareNTFS\Captures" /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(M)'

# Configure Sharing Permissions for the MDT Build Lab deployment share
$DeploymentShare = "MDTBuildLab$"
Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force

Note: In my environment the MDT01 server is joined to a domain, and the service account used for the deployments is VIAMONSTRA\MDT_BA. If you are using a different domain, or a workgroup server for your build and capture, modify the Set-MDTBuildLabPermissions.ps1 script to reflect that.
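The permissions script above grants the service account read/execute on the share root and modify on Captures only, which is the least the build-and-capture needs. The following check is an added example (not part of the original post) that reads the resulting NTFS ACLs and SMB share access back and reports anything that drifts from that layout, for instance a Full or Modify right on the root for the service account, Everyone with Full on the share, or a leftover CREATOR OWNER entry. It assumes the same paths and account as the guide (E:\MDTBuildLab, MDTBuildLab$, VIAMONSTRA\MDT_BA).

```powershell
#Requires -RunAsAdministrator
# Added example, not the guide's own script: verify what Set-MDTBuildLabPermissions.ps1 left behind.
# Assumed values (match the guide); change them to fit your environment.
$DeploymentShareNTFS = "E:\MDTBuildLab"
$DeploymentShare     = "MDTBuildLab$"
$ServiceAccount      = "VIAMONSTRA\MDT_BA"

function Test-MdtBuildLabPermissions {
    $Findings = @()

    # NTFS: the service account should have no more than read/execute on the share root
    $RootAcl = Get-Acl -Path $DeploymentShareNTFS
    $RootAce = $RootAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $RootAce) {
        $Findings += "No Allow ACE for $ServiceAccount on $DeploymentShareNTFS"
    } elseif ($RootAce.FileSystemRights -match 'FullControl|Modify|Write') {
        $Findings += "$ServiceAccount has more than read/execute on the share root: $($RootAce.FileSystemRights)"
    }

    # NTFS: Modify on Captures is required so the captured WIM can be written there
    $CapturesPath = Join-Path $DeploymentShareNTFS 'Captures'
    $CapAce = (Get-Acl -Path $CapturesPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
    }
    if (-not ($CapAce.FileSystemRights -match 'Modify|FullControl')) {
        $Findings += "$ServiceAccount lacks Modify on $CapturesPath; the capture step will fail to write the WIM"
    }

    # SMB: the guide grants Everyone/Change and removes CREATOR OWNER
    foreach ($Entry in Get-SmbShareAccess -Name $DeploymentShare) {
        if ($Entry.AccountName -match 'CREATOR OWNER') {
            $Findings += "CREATOR OWNER is still listed on $DeploymentShare"
        }
        if ($Entry.AccountName -match 'Everyone' -and $Entry.AccessRight -eq 'Full') {
            $Findings += "Everyone has Full on $DeploymentShare (Change is enough)"
        }
    }

    if ($Findings.Count -eq 0) {
        Write-Output "Permissions on $DeploymentShareNTFS and $DeploymentShare match the expected layout"
    } else {
        $Findings | ForEach-Object { Write-Warning $_ }
    }
    return $Findings
}

Test-MdtBuildLabPermissions
```

An empty result means the layout matches; each warning names the exact ACE or share entry to correct, so the check can also run after the deployment share has been in use for a while to catch permission drift.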

Running the Set-MDTBuildLabPermissions.ps1 script

Step 3 – Import the Windows 10 operating system

Note: Make sure to always download the latest version of Windows 10 Enterprise 21H2. Microsoft releases new media monthly.

On MDT01, mount the Windows 10 Enterprise x64 21H2.iso media (or whatever you named it). On my server it was mounted to the D: drive.

  1. Using the Deployment Workbench, expand the Deployment Shares node, expand MDT Build Lab, select the Operating Systems node and create a folder named Windows 10.
  2. Right-click the Windows 10 node, and select Import Operating System. Use the following settings for the Import Operating System Wizard.
    1. Full set of source files
    2. Source directory: D:\
    3. Destination directory name: REFW10X64-21H2
    4. After adding the operating system, in the Windows 10 node, remove the indexes/images you don't need, and rename the remaining operating system to Windows 10 Enterprise x64 21H2

Note: The Windows 10 media comes with many Windows versions. In the example below I simply removed all but the Enterprise version, and gave it a better name.

The Windows 10 Enterprise x64 operating system imported to deployment workbench.

Step 4 – Add applications

In this example you add Microsoft 365 Apps for enterprise (formerly named Microsoft Office 365 ProPlus) to MDT. Use the Office Deployment Toolkit (ODT) to create a package of Microsoft 365 Apps for enterprise before continuing with these steps.

1. On MDT01, download the Office Deployment Toolkit (ODT), and extract it to E:\Setup\ODT.

2. Using an elevated Command prompt, download the installers by running the following command:

setup.exe /download configuration-Office365-x64.xml

Microsoft 365 Apps for enterprise (well, Office) downloaded via setup.exe from ODT.

3. Using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Applications and create a folder named Microsoft.

4. Right-click the Microsoft folder, and select New Application. Use the following settings for the New Application Wizard:

  • Application with source files
  • Publisher:
  • Application name: Install – Microsoft 365 Apps for enterprise
  • Version:
  • Source Directory: E:\Setup\ODT
  • Specify the name of the directory that should be created: Install – Microsoft 365 Apps for enterprise
  • Command Line: setup.exe /configure configuration-Office365-x64.xml
  • Working directory: (default)

Microsoft 365 Apps for enterprise (Office) added as an application.

Step 5 – Create and Configure the MDT Task Sequence

  1. On MDT01, using the Deployment Workbench, in the MDT Build Lab deployment share, select the Task Sequences node, and create a folder named Windows 10.
  2. Expand the Task Sequences node, right-click on the Windows 10 node, and select New Task Sequence. Use the following settings for the New Task Sequence Wizard:
    1. Task sequence ID: REFW10-X64-001
    2. Task sequence name: Windows 10 Enterprise x64 21H2
    3. Task sequence comments: Reference Build
    4. Template: Standard Client Task Sequence
    5. Select OS: Windows 10 Enterprise x64 21H2
    6. Specify Product Key: Do not specify a product key at this time
    7. Full Name: ViaMonstra
    8. Organization: ViaMonstra
    9. Internet Explorer home page: about:blank
    10. Do not specify an Administrator password at this time
  3. Edit the task sequence by navigating to the Task Sequences / Windows 10 folder, right-click the Windows 10 Enterprise x64 21H2 task sequence, and select Properties.
  4. On the Task Sequence tab, configure the Windows 10 Enterprise x64 21H2 task sequence with the following settings:
    1. In the State Restore / Custom Tasks group, add a new Install Application action with the following settings:
      Name: Install – Microsoft 365 Apps for enterprise
      Install a Single Application: Install – Microsoft 365 Apps for enterprise

Task Sequence configured for the reference image build and capture.

Step 6 – Configure the deployment share

To configure the deployment settings, you modify the two rules files (Bootstrap.ini and CustomSettings.ini). You can do this either via the MDT Build Lab deployment share properties, or directly in the file system, in the E:\MDTBuildLab\Control folder. Below you find the configurations I used in this guide.

Bootstrap.ini

[Settings]
Priority=Default

[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd
SkipBDDWelcome=YES

CustomSettings.ini

[Settings]
Priority=Default

[Default]
_SMSTSORGNAME=ViaMonstra
UserDataLocation=NONE
ComputerBackupLocation=NETWORK
DoCapture=YES
OSInstall=Y
AdminPassword=P@ssw0rd
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=NO
FinishAction=SHUTDOWN
ApplyGPOPack=NO

BackupShare=\\MDT01\MDTBuildLab$
BackupDir=Captures
BackupFile=%TaskSequenceID%_#month(date) & "-" & day(date) & "-" & year(date)#.wim

SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
  1. On MDT01, modify the Bootstrap.ini and CustomSettings.ini per the preceding examples.
  2. Using the Deployment Workbench, right-click the MDT Build Lab deployment share and select Properties.
    1. In the Windows PE tab, in the Platform dropdown list, make sure x86 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
      1. Image description: MDT Build Lab x86
      2. ISO file name: MDT Build Lab x86.iso
    2. Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
      1. Selection profile: Nothing
      2. Select the Include all drivers from selection profile option
        Configuring the deployment share not to add the Windows 10 CU into the boot image.
    3. In the Windows PE tab, in the Platform dropdown list, make sure x64 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
      1. Image description: MDT Build Lab x64
      2. ISO file name: MDT Build Lab x64.iso
    4. Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
      1. Selection profile: Nothing
      2. Select the Include all drivers from selection profile option
    5. Click OK.
    6. Update the deployment share, by right-clicking the MDT Build Lab deployment share and select Update Deployment Share. Use the default Options for the Update Deployment Share wizard.

The contents of the E:\MDTBuildLab\Boot folder after updating the deployment share.
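The rules files above are what make the build run unattended, and a single typo in them (a section named in Priority that does not exist, DoCapture missing, BackupShare pointing nowhere) only shows up as a failed or interactive build. The script below is an added example (not part of the original post, not an MDT tool) that parses both files with a small INI reader and checks the settings this scenario depends on. It also reports the clear-text credential keys: UserPassword in Bootstrap.ini is compiled into the boot image, and AdminPassword in CustomSettings.ini sits on a share that the guide opens to Everyone, which is why the MDT_BA account should hold no more rights than the share needs. It assumes the deployment share is at E:\MDTBuildLab as in the guide.

```powershell
# Added example, not from the original post: sanity-check Bootstrap.ini and CustomSettings.ini.
# Assumed path (matches the guide): the Control folder of the MDT Build Lab deployment share.
$ControlFolder = "E:\MDTBuildLab\Control"

function Read-MdtRules {
    # Minimal INI reader: section name -> ordered table of key/value pairs
    param([Parameter(Mandatory)][string]$Path)
    $Ini = [ordered]@{}
    $Section = $null
    foreach ($Line in Get-Content -Path $Path) {
        $Trimmed = $Line.Trim()
        if ($Trimmed -eq '' -or $Trimmed.StartsWith(';')) { continue }
        if ($Trimmed -match '^\[(.+)\]$') {
            $Section = $Matches[1]
            $Ini[$Section] = [ordered]@{}
            continue
        }
        if ($Section -and $Trimmed -match '^([^=]+)=(.*)$') {
            $Ini[$Section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $Ini
}

function Test-MdtBuildLabRules {
    $Files = [ordered]@{
        'Bootstrap.ini'      = Read-MdtRules -Path (Join-Path $ControlFolder 'Bootstrap.ini')
        'CustomSettings.ini' = Read-MdtRules -Path (Join-Path $ControlFolder 'CustomSettings.ini')
    }
    $Findings = @()

    # Every section named in Priority must exist; a mistyped name is simply never processed
    foreach ($Entry in $Files.GetEnumerator()) {
        $Priority = "$($Entry.Value['Settings']['Priority'])" -split ','
        foreach ($Name in $Priority) {
            if (-not $Entry.Value.Contains($Name.Trim())) {
                $Findings += "$($Entry.Key): Priority names section [$($Name.Trim())], which does not exist"
            }
        }
    }

    # Settings the unattended build-and-capture relies on
    $Boot    = $Files['Bootstrap.ini']['Default']
    $Default = $Files['CustomSettings.ini']['Default']
    if (-not $Boot['DeployRoot']) {
        $Findings += "Bootstrap.ini: DeployRoot is missing; WinPE cannot find the deployment share"
    }
    if ($Default['DoCapture'] -ne 'YES') {
        $Findings += "CustomSettings.ini: DoCapture is not YES, so no reference WIM will be captured"
    }
    if (-not $Default['BackupShare'] -or -not $Default['BackupDir']) {
        $Findings += "CustomSettings.ini: BackupShare and BackupDir must point at the Captures folder"
    }
    if ($Default['FinishAction'] -ne 'SHUTDOWN') {
        $Findings += "CustomSettings.ini: FinishAction is not SHUTDOWN; the VM will stay running after capture"
    }

    # Credentials stored in clear text: Bootstrap.ini ends up inside the boot image,
    # CustomSettings.ini is readable by everyone who can read the share
    if ($Boot['UserPassword']) {
        $Findings += "Bootstrap.ini: UserPassword for $($Boot['UserDomain'])\$($Boot['UserID']) is in clear text and is embedded in the boot ISO"
    }
    if ($Default['AdminPassword']) {
        $Findings += "CustomSettings.ini: AdminPassword is in clear text on the share"
    }

    $Findings | ForEach-Object { Write-Warning $_ }
    return $Findings
}

Test-MdtBuildLabRules
```

With the files exactly as listed in this guide, the check reports only the two clear-text credential findings; the other warnings point at a setting that would break the unattended run.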

Step 7 – Create Windows Reference Images

Now it is time to create a Windows 10 Reference WIM Image, fully automated.

Note: To make sure Sysprep does not fail during the build and capture process, make sure the virtual machine you are using does not have Internet access during the entire process.

  1. On MDT01, copy the E:\MDTBuildLab\Boot\MDT Build Lab x64.iso file to your VMware or Hyper-V machine.
  2. Create a virtual machine named REF001, assign it 2 vCPUs and 4 GB RAM. Then mount MDT Build Lab x64.iso on the virtual machine.
  3. Start the REF001 virtual machine, and allow it to boot. Then complete the Deployment Wizard using the below settings:
    1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 21H2
    2. Specify whether to capture an image: Capture an image of this reference computer.
      1. Location:
      2. File name:

The task sequence will now do the following:

  • Install the Windows 10 Enterprise operating system.
  • Install the added applications, roles, and features.
  • Stage WinPE on the local disk.
  • Run Sysprep and reboot into WinPE.
  • Capture the Windows 10 installation to a WIM file.
MDT capturing a Windows 10 Image.
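Two points in this guide depend on knowing what is inside a WIM: in Step 3 you remove every index from the imported media except Windows 10 Enterprise, and here in Step 7 you want to confirm that the file that landed in Captures is the edition and build you expect. The script below is an added example (not from the original post, not an MDT feature) that serves both: a small inventory function built on the DISM module's Get-WindowsImage cmdlet lists every index with its edition, version and architecture, and it is run once against the mounted media and once against the newest captured WIM, for which it also records a SHA-256 hash. It assumes the media is mounted on D: and contains sources\install.wim, and that captures land in E:\MDTBuildLab\Captures named after the REFW10-X64-001 task sequence, as in this guide.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of MDT: inventory the indexes in a WIM (source media or captured image).
# Assumed paths (match the guide): media mounted on D:, captures in E:\MDTBuildLab\Captures.
function Get-WimInventory {
    param([Parameter(Mandatory)][string]$ImagePath)
    if (-not (Test-Path $ImagePath)) { throw "WIM not found: $ImagePath" }

    # Without -Index Get-WindowsImage lists the indexes; with -Index it returns edition and build
    foreach ($Img in Get-WindowsImage -ImagePath $ImagePath) {
        $Detail = Get-WindowsImage -ImagePath $ImagePath -Index $Img.ImageIndex
        [pscustomobject]@{
            Index        = $Img.ImageIndex
            Name         = $Img.ImageName
            Edition      = $Detail.EditionId
            Version      = $Detail.Version
            Architecture = $(switch ("$($Detail.Architecture)") { '9' { 'x64' } '0' { 'x86' } default { $_ } })
            SizeGB       = [math]::Round($Img.ImageSize / 1GB, 2)
        }
    }
}

# Step 3: find the Enterprise index before removing the others in the Deployment Workbench
Get-WimInventory -ImagePath 'D:\sources\install.wim' | Format-Table -AutoSize

# Step 7: confirm edition and build of the newest capture and record its hash for the image catalogue
$Captured = Get-ChildItem -Path 'E:\MDTBuildLab\Captures' -Filter 'REFW10-X64-001_*.wim' |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($Captured) {
    Get-WimInventory -ImagePath $Captured.FullName | Format-Table -AutoSize
    Get-FileHash -Path $Captured.FullName -Algorithm SHA256 | Select-Object Algorithm, Hash, Path
} else {
    Write-Warning "No captured WIM found in E:\MDTBuildLab\Captures yet"
}
```

Keeping the hash together with the build version gives you a record to compare against when the same WIM is later copied into a production deployment share.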

Resources

Note: Please also check these posts:

Image Factory
To automate this process even further (you still need to do the steps in this guide first), check out the Image Factory for Hyper-V solution by Mikael Nystrom (@mikael_nystrom).
http://github.com/DeploymentBunny/ImageFactoryV3ForHyper-V

About the author

Johan Arwidmark

Eric
4 months ago

Sysprep runs fine and completes without error, but during the create WIM phase it will start to copy the WIM file to MDT but always stops. It will just sit there, sometimes at 2%, sometimes it makes it to 20%, but it never finishes creating the WIM file and never errors out or times out.
Can you mention a few things that may be causing the WIM creation to stop?

Kishan
4 months ago

Hi Johan, thanks for this. Very informative. You mentioned downloading the latest Win 10 version and also disabling the Internet connection for the VM so Sysprep becomes more reliable. My question: how do you update the latest security updates and CU from the last main download of 21H2? Do you do it when you do the production image? Cheers, K

Last edited 4 months ago by Kishan
Martin
4 months ago

Thanks for the post, really struggling with MDT and newer versions of Windows 10, coming across errors at every turn. Have seen elsewhere the suggestion to disable Internet access, but I'm finding this difficult, as I run MDT on a different machine than I do the capture on. Making Hyper-V network run Internal Only of course cuts access to the network for this capture. Just wondering if you had come across any other solutions?

Martin
2 months ago

Thanks very much Johan (and Daniel), I'll give that a try!

Brennca
5 months ago

Johan, if we don't see any sysprep issues, any reason not to build connected to the Internet? Do you typically create your images offline?

