Windows 10 Pro OEM Sysprep & Imaging
-
Hi,
I would like to explain the way I sysprep and reimage Windows 10 OEM, in steps:
First of all, the Windows 10 OEM version does not auto-execute SetupComplete.cmd, therefore I use FirstLogonCommands within unattend.xml to work around that issue.
Here is my unattend.xml:
```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SetupUILanguage>
        <UILanguage>de-DE</UILanguage>
      </SetupUILanguage>
      <InputLocale>0407:00000407</InputLocale>
      <SystemLocale>de-DE</SystemLocale>
      <UILanguage>de-DE</UILanguage>
      <UILanguageFallback>de-DE</UILanguageFallback>
      <UserLocale>de-DE</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Size>100</Size>
            </CreatePartition>
            <CreatePartition wcm:action="add">
              <Extend>true</Extend>
              <Order>2</Order>
              <Type>Primary</Type>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Active>true</Active>
              <Format>NTFS</Format>
              <Label>System Reserved</Label>
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <TypeID>0x27</TypeID>
            </ModifyPartition>
            <ModifyPartition wcm:action="add">
              <Active>true</Active>
              <Format>NTFS</Format>
              <Label>OS</Label>
              <Letter>C</Letter>
              <Order>2</Order>
              <PartitionID>2</PartitionID>
            </ModifyPartition>
          </ModifyPartitions>
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>2</PartitionID>
          </InstallTo>
          <InstallToAvailablePartition>false</InstallToAvailablePartition>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <FullName>admin</FullName>
        <Organization>Company Group</Organization>
      </UserData>
      <EnableFirewall>true</EnableFirewall>
    </component>
  </settings>
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <EnableLUA>false</EnableLUA>
    </component>
  </settings>
  <settings pass="generalize">
    <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SkipRearm>1</SkipRearm>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <InputLocale>0407:00000407</InputLocale>
      <SystemLocale>de-DE</SystemLocale>
      <UILanguage>de-DE</UILanguage>
      <UILanguageFallback>de-DE</UILanguageFallback>
      <UserLocale>de-DE</UserLocale>
    </component>
    <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SkipAutoActivation>true</SkipAutoActivation>
    </component>
    <component name="Microsoft-Windows-SQMApi" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CEIPEnabled>0</CEIPEnabled>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <WindowsFeatures>
        <ShowMediaCenter>false</ShowMediaCenter>
        <ShowWindowsMail>false</ShowWindowsMail>
      </WindowsFeatures>
      <ShowWindowsLive>false</ShowWindowsLive>
      <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
      <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>
      <ComputerName>COMPANY-PC</ComputerName>
      <CopyProfile>true</CopyProfile>
    </component>
    <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <BlockPopups>yes</BlockPopups>
      <CompanyName>Company</CompanyName>
      <Home_Page>http://www.google.de</Home_Page>
      <DisableFirstRunWizard>true</DisableFirstRunWizard>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
        <Password>
          <Value>password</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>1</LogonCount>
        <Username>Username</Username>
      </AutoLogon>
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
        <NetworkLocation>Work</NetworkLocation>
        <SkipUserOOBE>true</SkipUserOOBE>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <ProtectYourPC>3</ProtectYourPC>
      </OOBE>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>
              <Value>password</Value>
              <PlainText>true</PlainText>
            </Password>
            <Description></Description>
            <DisplayName>Username</DisplayName>
            <Group>Administrators</Group>
            <Name>Username</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <RegisteredOrganization>Company Group</RegisteredOrganization>
      <RegisteredOwner>admin</RegisteredOwner>
      <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <Description>SetupComplete</Description>
          <Order>1</Order>
          <CommandLine>C:\Windows\Setup\Scripts\SetupComplete.cmd</CommandLine>
          <RequiresUserInput>false</RequiresUserInput>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <Description>Control Panel View</Description>
          <Order>2</Order>
          <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f</CommandLine>
          <RequiresUserInput>false</RequiresUserInput>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <Description>Control Panel Icon Size</Description>
          <Order>3</Order>
          <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f</CommandLine>
          <RequiresUserInput>false</RequiresUserInput>
        </SynchronousCommand>
      </FirstLogonCommands>
      <TimeZone>W. Europe Standard Time</TimeZone>
    </component>
  </settings>
</unattend>
```
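To remove any Windows 10 apps except Store and Calculator I use:
```powershell
# Remove installed apps for all users, keeping Store and Calculator.
# AppxPackage objects expose Name; they have no PackageName property.
Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*store*" -and $_.Name -notlike "*culator*"} | Remove-AppxPackage
# Remove the provisioned copies so they are not installed for new users.
Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -notlike "*store*" -and $_.PackageName -notlike "*culator*"} | Remove-AppxProvisionedPackage -Online
```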
- Download the latest Windows 10 Pro OEM ISO with the MS Media Creation Tool
- Install it to a VM (I use VirtualBox)
- After the first reboot, when the assistant asks you for express settings (or, with 1703, the initial language question), go to admin mode by pressing STRG (CTRL) + SHIFT + F3
- When entering the admin mode, close the Sysprep window, start customizing Windows, install your software and do your tweaks
- Now to sysprep I use the following script:
```bat
@echo off
delprof2 /q /id:retsch /i
NET USER retsch /DELETE
powercfg -h off
rem C:\Support\Tools\Shutup\OOSU10.exe ooshutup10.cfg /quiet
del /F c:\windows\system32\sysprep\panther\setupact.log
del /F c:\windows\system32\sysprep\panther\setuperr.log
del /F c:\windows\system32\sysprep\panther\ie\setupact.log
del /F c:\windows\system32\sysprep\panther\ie\setuperr.log
del /F "C:\Program Files (x86)\FOG\fog.log"
del /F "C:\Program Files (x86)\FOG\token.dat"
rem "C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe"
copy SetupComplete.cmd C:\Windows\Setup\scripts\ /Y
copy unattend.xml C:\Windows\System32\Sysprep /Y
reg import C:\Support\Tools\ResetERAgentUUID.reg
net stop FOGService
sc config FOGService start= disabled
sc config EraAgentSvc start= disabled
cleanmgr /sagerun:1
defrag c:
c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown /unattend:c:\windows\system32\sysprep\unattend.xml
```
My SetupComplete.cmd looks like:
```bat
del C:\Windows\System32\Sysprep\unattend.xml
sc config FOGService start= auto
net start FOGService
del C:\Windows\Setup\Scripts\SetupComplete.cmd
```
-
After executing this, Windows will be sysprepped and shut down; after that, you can image it.
-
When I need to rework that image I deploy it to a VM again and use the following to enter audit mode again:
```bat
@echo off
c:\windows\system32\sysprep\sysprep.exe /audit /reboot
```
If anyone is asking himself what I do with:
```bat
delprof2 /q /id:username /i
NET USER username /DELETE
```
This deletes the user I create with unattend.xml to work around the problem with setupcomplete.cmd. I use FirstLogonCommands to execute the script when the first user logon happens. To clean this up I remove the profile and username before I sysprep, because the user will be recreated from unattend.xml. As you can see in the unattend.xml, there is 1 autologon for that user, else setupcomplete.cmd will not be executed.
The good thing is this user can persist on the machine after deployment because it’s our local admin account on that machine, in addition to the locked local admin account.
The system will automatically reboot when the FOG client has joined the machine to the domain, so the machine will finish at a logon screen, not with a logged-in user.
Good luck
Regards X23
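Added example (not part of the original post, and not X23's code): a Python check that parses an answer file like the one above and lists the settings a reviewer would want to sign off on before the image is captured, namely passwords stored in the file, UAC switched off, local administrator accounts, and commands run at first logon. The function names and the cut-down sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
# Constructed sample: a cut-down answer file with the same settings as the post.
SAMPLE = r"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-LUA-Settings"><EnableLUA>false</EnableLUA></component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>password</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled><LogonCount>1</LogonCount><Username>Username</Username>
      </AutoLogon>
      <UserAccounts><LocalAccounts><LocalAccount wcm:action="add">
        <Password><Value>password</Value><PlainText>true</PlainText></Password>
        <Group>Administrators</Group><Name>Username</Name>
      </LocalAccount></LocalAccounts></UserAccounts>
      <FirstLogonCommands><SynchronousCommand wcm:action="add">
        <CommandLine>C:\Windows\Setup\Scripts\SetupComplete.cmd</CommandLine>
      </SynchronousCommand></FirstLogonCommands>
    </component>
  </settings>
</unattend>"""

def child(node, tag):
    """Text of a direct child element, stripped; '' when it is absent."""
    return (node.findtext(f"u:{tag}", "", NS) or "").strip()

def audit(xml_text):
    """Return (pass, kind, detail) tuples for settings worth a second look."""
    findings = []
    for settings in ET.fromstring(xml_text).findall("u:settings", NS):
        stage = settings.get("pass")
        for node in settings.iter():
            name = node.tag.split("}")[-1]
            pw = node.find("u:Password", NS)
            if pw is not None and child(pw, "Value"):
                who = child(node, "Username") or child(node, "Name")
                # PlainText=false only obscures the value (base64); it is not encryption.
                how = "clear text" if child(pw, "PlainText").lower() == "true" else "obscured only"
                findings.append((stage, "PASSWORD", f"{name} '{who}': {how}"))
            if name == "EnableLUA" and (node.text or "").strip().lower() == "false":
                findings.append((stage, "UAC", "EnableLUA=false disables UAC"))
            if name == "LocalAccount" and "administrators" in child(node, "Group").lower():
                findings.append((stage, "ADMIN", f"local admin '{child(node, 'Name')}'"))
            if name == "CommandLine":
                findings.append((stage, "COMMAND", (node.text or "").strip()))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Run against the real file before it is copied into the image; every PASSWORD finding is a credential that anyone able to read the answer file or the captured image can recover.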
-
@x23piracy said in Windows 10 Pro OEM Sysprep & Imaging:
stop FOGService
Very nice indeed.
Our process looks very similar but we use MDT to build our reference image. The process is slightly different, but at sysprep time we look the same.
Since we deal with Dells in our office we preload the WinPE drivers cab into the reference image so during the initial OOBE process (when it’s still in WinPE) it has the WinPE drivers for the NICs and storage. Is this necessary?? Does it work for us? Yes.
Just for reference we have a FOG post install script that during imaging updates these types of fields for international support based on the site where the image is being deployed. It’s a sed script that updates them.
```xml
<SetupUILanguage>
  <UILanguage>de-DE</UILanguage>
</SetupUILanguage>
<InputLocale>0407:00000407</InputLocale>
<SystemLocale>de-DE</SystemLocale>
<UILanguage>de-DE</UILanguage>
<UILanguageFallback>de-DE</UILanguageFallback>
<UserLocale>de-DE</UserLocale>
```
The post install scripts can automate, or dynamically update the unattend.xml script during deployment time based on anything that can be calculated by FOG.
Nonetheless, your post is great!! Thank you for sharing.
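Added example (not george1421's script, which he describes as sed): the same kind of deploy-time rewrite of the locale fields, written in Python so the result is re-parsed before it is used. The locale-to-keyboard table, the function name and the sample file are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Keyboard layouts (InputLocale) for the locales this example supports.
KEYBOARDS = {"de-DE": "0407:00000407", "en-US": "0409:00000409",
             "en-GB": "0809:00000809", "fr-FR": "040c:0000040c"}
LOCALE_TAGS = ("UILanguage", "UILanguageFallback", "SystemLocale", "UserLocale")

# Constructed sample: the locale fields quoted above inside a minimal answer file.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-International-Core">
      <InputLocale>0407:00000407</InputLocale>
      <SystemLocale>de-DE</SystemLocale>
      <UILanguage>de-DE</UILanguage>
      <UILanguageFallback>de-DE</UILanguageFallback>
      <UserLocale>de-DE</UserLocale>
    </component>
  </settings>
</unattend>"""


def set_locale(xml_text, locale):
    """Rewrite the locale fields in place, as a sed script would, then re-parse."""
    if locale not in KEYBOARDS:
        # Refusing unknown values also keeps stray markup out of the file.
        raise ValueError(f"no keyboard mapping for {locale!r}")
    values = dict.fromkeys(LOCALE_TAGS, locale)
    values["InputLocale"] = KEYBOARDS[locale]
    changed = 0
    for tag, value in values.items():
        # Only the element text is replaced; tags, attributes and layout stay untouched.
        pattern = rf"(<{tag}>)[^<]*(</{tag}>)"
        xml_text, n = re.subn(pattern, rf"\g<1>{value}\g<2>", xml_text)
        changed += n
    if changed == 0:
        raise ValueError("no locale elements found; wrong file?")
    ET.fromstring(xml_text)  # raises ParseError if the file is not well-formed
    return xml_text, changed


if __name__ == "__main__":
    patched, count = set_locale(SAMPLE, "en-US")
    print(f"{count} fields updated")
    print(patched)
```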
-
Hi,
I forgot something: when working with computers that have a license embedded in the BIOS, I use the following method to activate them:
```bat
@echo off
for /f "tokens=*" %%i in ('%cd%\oemkey') do set oemkey=%%i
cscript %systemroot%\system32\slmgr.vbs /ipk %oemkey% >nul
cscript %systemroot%\system32\slmgr.vbs /ato >nul
exit
```
I’ve packed that into a 7z self-extracting binary that executes the batch as a snapin.
oemkey.exe is a binary I found on the net; it reads the Windows key from the BIOS.
I can share the binary if needed. If you have an OEM license, simply input the key into the desired field within host management:
Regards X23
-
@george1421 I realize this is an older post. Is this information still relevant? Has this process changed any? Thanks!
-
@joe-gill I am working through it now, basically it’s the same. The variations come from differences in the environments and goals people have.
I have a Windows Server 2016 box with WDS and WSUS roles (only as they are needed for my process, I don’t functionally use them directly) with ADK installed.
I have a PowerShell script that takes the install.wim from my Windows OS (7, 8, 10, Server 2008, 2012, 2016) and patches it with all the relevant updates from a WSUS server on the network (so installing Windows 7 or Server 2012 doesn’t require 1,000 updates out of the box). I use manual commands in dism to add drivers to the image if it’s for a specific set of machines (like USB 3, NIC drivers or printers).
I then rebuild an ISO from that install.wim. I dump those ISO contents onto my FOG server as the sources to install from via iPXE.
I also on the 2016 server have a batch file I use to create the winpe stuff for each Windows OS. I also have an unattend file for sysprep with an entry in it to run SetupComplete.cmd to enable the FOG service as mentioned in OP.
I install via FOG/PXE to a machine to create the initial image, add the FOG client, disable its service and capture the image.
When deploying the image, first boot runs the batch file and enables the FOG client thus joining the machine to AD, changes the host name and activates Windows.
I created a batch snapin to delete the local user and its profile folder that was created by the unattend file, push gpupdate /force and reboot. So after the images deploy, having all the machines needed in the same group in FOG, I just push the snapin to the group and then they are done.
I probably do somewhat less automation than the OP but it’s a lot better than a month ago when I had to do most of the post deployment stuff manually. Hope this helps
-
@zer0cool Thanks for that info! I’m working on it right now myself.
-
@x23piracy As a FOG noob, where does this script need to go? Also, I have tried to modify your “unattend.xml” file for en-US (rather than German…your file, as-is, works great, but wrong local & language)…I modify the language and locations, but it “fails to parse” every time. Any idea what I’m doing wrong?
I can get a generalized sysprep to work, and any software & settings ARE persistent through the sysprep and imaging…but then I am back to filling out all the initial set-up prompts. Suggestions?
-
@neiliob1973 Understand the unattend.xml and sysprep have nothing to do with FOG. This is a MS Windows thing.
The unattend.xml script goes in c:\windows\panther directory. Another recommendation I can make is to use an online unattend.xml generator to get you started with the configuration. Just don’t include any private information in the generator. This way you can see the structure of the file. http://www.windowsafg.com/
-
@george1421 Thank you for the link, George! Yeah, I’ve used FOG for about 2 years, but in a Linux environment (and has worked GREAT), but sysprep has not reared its head until now. This post also has a script (in a later comment) to deal with the license key/motherboard issues…any insights?
-
@neiliob1973 As for licensing, when you build your golden image you use your VLK key (MAK or KMS) and then put the activation command into your setupcomplete.cmd file so it’s called just after winsetup is completed, or if the FOG client is installed the FOG client can activate the computer for you.
Just for clarity, the Windows 10 Pro OEM EULA does not support reimaging. Meaning you are only allowed to install Windows OEM from the original OEM media and not construct a golden image based on Win10 OEM then redeploy it using any method. This is against the MS EULA. You can get past this issue by purchasing 1 Windows 10 Pro volume license seat to get you access to deploy a reasonable amount of Win10 Pro seats in your organization as long as the Windows OEM version is the same (Win10Pro OEM -> Win10Pro VLK). You can not use this method to do a version upgrade (Win10Home OEM -> Win10Pro VLK). For this method you will need to purchase 1 seat for every computer you do a version upgrade on.
-
@x23piracy said in Windows 10 Pro OEM Sysprep & Imaging:
oemkey.exe
Hi x23,
I’m interested in your 7z snapin file to activate an OEM windows, could you provide it to us? Thank you.
-
@george1421 said in Windows 10 Pro OEM Sysprep & Imaging:
Hello
I don’t understand the articulation between sysprep and the activation / deactivation of the fog client.
I have a deployment procedure via MDT which installs Windows, creates my users with their password and installs the applications. And ends up installing the fog client.
I would like to do a sysprep. Do I just have to enable sysprep in MDT? Or do it by hand?
How do I get the fog client to activate automatically when or after the image is deployed?
-
@lebrun78 I don’t use the FOG Client so I can’t really speak to its activation of the target computer. But I believe if it’s enabled in the FOG management web UI and you have entered either an OEM key or VLK key in the host configuration for that computer, the FOG Client will try to activate it. I believe this is outside of any sysprep process.
I can tell you how I use MDT, sysprep and FOG.
I do use MDT to build my golden image each time using the lite touch process. At the end of imaging I run through a quick quality check to ensure everything is setup as it should be then I run a batch file that MDT drops in a certain directory that calls sysprep and points to a custom unattend.xml file. Sysprep then powers off the computer. I capture it with FOG. Then deploy it. I have a post install script update the unattend.xml file on the target computer with the computer’s name, target OU, timezone, KMS Key, and a few other things. When the computer boots and runs WinSetup/OOBE the target computer connects itself to AD and in the proper OU from the unattend.xml file. At the end of OOBE WinSetup calls the setupcomplete.cmd and runs a command
cscript c:\Windows\System32\slmgr.vbs /ato
that activates windows.