Building the perfect Windows Server 2016 reference image

By Johan Arwidmark / December 13, 2016

Here is a step-by-step quick guide on building the perfect Windows Server 2016 reference image. This guide is divided in two parts: The first part covers how to create a Windows Server 2016 reference image in just a few minutes using offline servicing. The quick-and-dirty method. The second part is about creating a Windows Server 2016 reference image using MDT 8443. The SHINY method.

Creating a Windows Server 2016 reference image using offline servicing (and PowerShell)

If you need to create a Windows Server 2016 reference image very quickly, containing only the latest cumulative update (CU) and .NET Framework 3.5. You can use the below PowerShell script to do so. This script assumes you have downloaded the Windows Server 2016 ISO and KB3201845 to C:\Setup.

Note: KB3201845 is just an example with the December 2016 CU, please download the latest CU and update the script.

Download the Create-WS2016RefImage.ps1 script from GitHub: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Create-WS2016RefImage.ps1

Creating a Windows Server 2016 reference image using MDT 8443

Why using MDT to create the reference image instead of PowerShell? Well, you get so many more options, you can add components that cannot be serviced offline like Visual C++ runtimes, and when using a build and capture process, all components can be easily updated. Also, unlike using offline servicing, when using a build and capture process, all components are completely installed, instead of just staged in the image.

MDT 8443 can be installed either on a file server, or on your own laptop, but in this scenario I use a file server named MDT01. MDT 8443 requires Windows ADK 10, and I recommend using Windows ADK 10 v1607.

In this guide I also assume that you have a local WSUS server in your network, to which you have approved Windows Server 2016 updates, Feature Packs (to get Microsoft .NET Framework updates) and Developer Tools, Runtimes and Redistributables / Visual Studio* (to get updates to Visual C++ runtimes).

Note: If you want to build a Windows Server 2016 reference image for SCVMM 2016, simply follow this guide to get the WIM file, and then use the Convert-WindowsImage.ps1 script on TechNet Script Center / Gallery to convert it to a VHD or VHDX file for VMM.

For this guide you need the following software.

Windows Server 2016.
Windows ADK 10 v1607, here is the direct download link. For more info, see the Windows ADK 10 page on MSDN:
MDT 8443
Visual C++ runtimes (2005,2008,2010,2012,2013 and 2015) available on Microsoft Download Center.
Visual C++ runtimes install wrapper (Optional, but helpful)

Step-by-Step Guide

The entire process for creating a Windows Server 2016 image using MDT 8443 takes about 45 minutes, fully automated. The initial setup of the solution takes about 30 – 45 minutes if done manually, and about 10 minutes if scripted. This guide covers the following eight steps:

Step 1 – Install Windows 10 ADK v1607 and MDT 8443
Step 2 – Create the MDT Build Lab Deployment Share
Step 3 – Import the Windows Server 2016 operating system
Step 4 – Import Packages (KB3201845), or the latest Windows Server 2016 CU (recommended)
Step 5 – Add applications (Optional)
Step 6 – Create the MDT Task Sequence
Step 7 – Configure the deployment share
Step 8 – Create Windows Reference Images

Step 1 – Install Windows ADK 10 v1607 and MDT 8443

On MDT01, install Windows 10 ADK v1607, and select the following components:
1. Deployment Tools
2. Windows Preinstallation Environment (Windows PE)
3. Imaging and Configuration Designer (ICD)
4. User State Migration Tool (USMT

Windows ADK 10 v1607 Setup on Windows Server 2016. When started on an older server, you have fewer options, for example UE-V and App-V are missing.

2. Install MDT 8443 using the default settings.

Installing MDT 8443.

On MDT01, using the Deployment Workbench (available on the start screen), right-click Deployment Shares and select New Deployment Share. Use the following settings for the New Deployment Share Wizard (my data volume on MDT01 is E:)

a.    Deployment share path: E:\MDTBuildLab
b.    Share name: MDTBuildLab$
c.    Deployment share description: MDT Build Lab
d.    Options:

2. Once the deployment share is created you also want to relax the security a bit. MDT locks it down to hard by default. Use the following PowerShell script to set some better permissions:

# Check for elevation
Write-Host "Checking for elevation"
 
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
    [Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script."
    Write-Warning "Aborting script..."
    Break
}
 
# Configure NTFS Permissions for the MDT Build Lab deployment share
$DeploymentShareNTFS = "E:\MDTBuildLab"
icacls $DeploymentShareNTFS /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(RX)'
icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'
icacls "$DeploymentShareNTFS\Captures" /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(M)'
 
# Configure Sharing Permissions for the MDT Build Lab deployment share
$DeploymentShare = "MDTBuildLab$"
Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force

Step 3 – Import the Windows Server 2016 operating system

On MDT01, mount the Windows Server 2016.iso media (or whatever you named it). On my server it was mounted to the D: drive.
Using the Deployment Workbench, expand the Deployment Shares node, expand MDT Build Lab, select the Operating Systems node and create a folder named Windows Server 2016.
Right-click the Windows Server 2016 node, and select Import Operating System. Use the following settings for the Import Operating System Wizard.
1. Full set of source files
2. Source directory: D:\
3. Destination directory name: WS2016
4. After adding the operating system, using the Deployment Workbench, in the Windows Server 2016 node, change the operating system names to the following:
  Windows Server 2016 Datacenter
  
  Windows Server 2016 Datacenter Core
  Windows Server 2016 Standard
  Windows Server 2016 Standard Core

The Windows Server 2016 operating system imported to deployment workbench.

Step 4 – Import Packages

In order for having Windows Server 2016 somewhat up to date, and to use a recent Windows Update agent, you should offline service the latest cumulative update (KB3201845 in this case) into the image. In MDT that is done by adding it as a package in the Deployment Workbench, and create a selection profile for Windows Server 2016.

Download KB3201845 or a later Windows Server 2016 CU (recommended), and save it in C:\Setup\Windows Server 2016 Updates on MDT01.
On MDT01, using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Packages and create a folder named Windows Server 2016.
In the Windows Windows Server 2016 folder, right-click and select Import OS Packages. Point to the C:\Setup\Windows Server 2016 Updates folder.
Expand the Advanced Configuration node, and create a selection profile named Windows Server 2016. When creating the selection profile, select the Packages / Windows Server 2016 folder.

The KB3201845 package imported into the Deployment Workbench.

Step 5 – Add applications

Not a hard requirement, but it make sense to add at least the various Visual C++ runtimes to your reference because quite frankly, you are installing Windows Server 2016 to run apps, and many apps are depending on one or more of these runtimes. As you probably know, there are x86 and x64 versions of the runtimes, and for Windows Server 2016, you need both.

For the Visual C++ runtimes, you make the install a bit easier by using a VBScript wrapper that installs all of them.

On MDT01, extract the Visual C++ runtimes install wrapper to C:\Setup.
Download each runtime from Microsoft Download Center, and copy to the corresponding folder in C:\Setup\Install – Microsoft Visual C++ – x86-x64\source.

Using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Applications and create a folder named Microsoft.
Right-click the Microsoft folder, and select New Application. Use the following settings for the New Application Wizard:
a.    Application with source files

b.    Publisher:

c.    Application name: Install – Microsoft Visual C++ – x86-x64

d.    Version:

e.    Source Directory: C:SetupInstall – Microsoft Visual C++ – x86-x64

f.     Specify the name of the directory that should be created: Install – Microsoft Visual C++ – x86-x64

g.    Command Line: cscript Install-MicrosoftVisualC++x86x64.wsf

h.    Working directory:

Step 6 – Create and Configure the MDT Task Sequence, and edit Unattend.xml

On MDT01, using the Deployment Workbench, in the MDT Build Lab deployment share, select the Task Sequences node, and create a folder named Windows Server 2016.
Expand the Task Sequences node, right-click on the Windows Server 2016 node, and select New Task Sequence. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REFWS2016-001
2. Task sequence name: Windows Server 2016 Standard
3. Task sequence comments: Reference Build
4. Template: Standard Client Task Sequence
5. Select OS: Windows Server 2016 Standard
6. Specify Product Key: Do not specify a product key at this time
7. Full Name: ViaMonstra
8. Organization: ViaMonstra
9. Internet Explorer home page: about:blank
10. Do not specify an Administrator password at this time
Edit the task sequence, by navigating to the Task Sequences / Windows Server 2016 folder, right-click the Windows Server 2016 Standard task sequence, and select Properties.
On the Task Sequence tab, configure the Windows Server 2016 Standard task sequence with the following settings:
1. Preinstall. Configure the Apply Patches action to use the Windows Server 2016 Standard selection profile.
2. State Restore. After the Tattoo action, add a new Group action with the following setting:
  Name: Custom Tasks (Pre-Windows Update)
3. State Restore. Enable the Windows Update (Pre-Application Installation) action.
4. State Restore. Enable the Windows Update (Post-Application Installation) action.
5. State Restore. After the Windows Update (Post-Application Installation) action, rename the existing Custom Tasks group to Custom Tasks (Post-Windows Update).
6. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings:
  Name: Install – Microsoft NET Framework 3.5.1Select the operating system for which roles are to be installed: Windows Server 2016 Standard Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
7. State Restore – Custom Tasks (Pre-Windows Update). After the Install – Microsoft NET Framework 3.5.1 action, add a new Install Application action with the following settings:
  
  Name: Install – Visual C++ 2005 SP1 – x86-x64
  Install a Single Application: Install – Visual C++ 2005 SP1 – x86-x64
8. After the Install – Microsoft Visual C++ 2015 – x86-x64 action, add a Computer Restart action.
9. Click OK.

Task Sequence configured for the reference image build and capture.

5. Edit the task sequence, by navigating to the Task Sequences / Windows Server 2016 folder, right-click the Windows Windows Server 2016 Standard task sequence, and select Properties.

6. In the OS Info tab, click Edit Unattend.xml. A catalog file will now be generated, and then Windows System Image Manager (WSIM) will start.

7. In WSIM, in the Answer File pane, expand 7 oobeSystem / amd64_Microsoft-Windows-Shell-Setup_neutral / OOBE, and then set ProtectYourPC to 3.

Disabling automatic update in the Unattend.xml. Will be handled by the Windows Update action in the task sequence instead.

Since you have added operating system packages (updates) to MDT, you need to configure your deployment share not to add them to your boot image.

In the MDT Build Lab deployment share properties, in the Windows PE tab, select the x64 platform, and in the Drivers and Patches tab, select the Nothing selection profile, and select the Include all drivers from the selection profile option.

Configuring the deployment share not to add any imported packages to the boot image.

Then, to configure the deployment settings, you modify the two rules files (Bootstrap.ini and CustomSettings.ini). You can do the either via the MDT Build Lab deployment share properties, or directly in the file system, in the E:MDTBuildLabControl folder. Below you find the configurations I used in this guide.

Note: In my environment, my WSUS server is named WSUS01, and I'm using the default WSUS port in Windows Server 2016 (and Windows Server 2012 R2) which is 8530.

Bootstrap.ini

[Settings]
Priority=Default

[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd
SkipBDDWelcome=YES

CustomSettings.ini

[Settings]
Priority=Default

[Default]
_SMSTSORGNAME=ViaMonstra
UserDataLocation=NONE
ComputerBackupLocation=NETWORK
DoCapture=YES
OSInstall=Y
AdminPassword=P@ssw0rd
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=NO  
FinishAction=SHUTDOWN     
WSUSServer=http://wsus01.corp.viamonstra.com:8530
ApplyGPOPack=NO

BackupShare=\\MDT01\MDTBuildLab$
BackupDir=Captures
BackupFile=%TaskSequenceID%_#month(date) & "-" & day(date) & "-" & year(date)#.wim

SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES

On MDT01 in the E:L\abfiles\LTI Support File\sMDT Build Lab\Control folder, modify the Bootstrap.ini and CustomSettings.ini per the above examples.
Using the Deployment Workbench, right-click the MDT Build Lab deployment share and select Properties.
1. In the Windows PE tab, in the Platform dropdown list, make sure x86 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
  1. Image description: MDT Build Lab x86
  2. ISO file name: MDT Build Lab x86.iso
2. In the Windows PE tab, in the Platform dropdown list, make sure x64 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
  1. Image description: MDT Build Lab x64
  2. ISO file name: MDT Build Lab x64.iso
3. Click OK.
4. Update the deployment share, by right-clicking the MDT Build Lab deployment share and select Update Deployment Share. Use the default Options for the Update Deployment Share wizard.

The contents of the E:MDTBuildLabBoot folder after updating the deployment share.

Step 8 – Create Windows Reference Images

Create a Windows Server 2016 Reference WIM Image, fully automated.

On MDT01, copy the E:\MDTBuildLab\Boot\MDT Build Lab x64.iso file to your VMware or Hyper-V machine.
Create a virtual machine named REF001, assign it two vCPUs and 2 GB RAM. Then mount MDT Build Lab x64.iso on the virtual machine.
Start the REF001 virtual machine, and allow it to boot. Then complete the Deployment Wizard using the below settings:
1. Select a task sequence to execute on this computer: Windows Server 2016 Standard
2. Specify whether to capture an image: Capture an image of this reference computer.
  1. Location:
  2. File name:

The task sequence will now do the following:

Install the Windows Server 2016 operating system.
Install the added applications, roles, and features.
Stage WinPE on the local disk.
Run Sysprep and reboot into WinPE.
Capture the Windows Server 2016 installation to a WIM file.

MDT 8443 capturing a Windows Server 2016 Image.

Written by Johan Arwidmark