Windows 10- moving from 1511 to 1607 in audit mode?

x23piracy

@mr626 you have to delete any other user profiles before you sysprep.
I use delprof2 for this:

delprof2 /q /id:retsch /i
NET USER retsch /DELETE
del /F c:\windows\system32\sysprep\panther\setupact.log
del /F c:\windows\system32\sysprep\panther\setuperr.log
del /F c:\windows\system32\sysprep\panther\ie\setupact.log
del /F c:\windows\system32\sysprep\panther\ie\setuperr.log
net stop FOGService
sc config FOGService start= delayed-auto
del /F "C:\Program Files (x86)\FOG\fog.log"
del /F "C:\Program Files (x86)\FOG\token.dat"
rem cscript slmgr.vbs /cpky >nul
rem cscript slmgr.vbs /upk >nul
rem cscript slmgr.vbs /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T >nul
rem Powershell.exe -executionpolicy remotesigned -File C:\Support\Tools\Checkpoint.ps1
rem reg import c:\support\tools\Checkpoint.reg
rem reg import c:\support\tools\Productkey.reg
cleanmgr /sagerun:1
c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown /unattend:c:\windows\system32\sysprep\unattend.xml

Regards X23

george1421

@mr626 Yes, while I use ESXi for virtualization that is pretty close to what we do. For the vm client we will create it with 4 vCPU just to speed up the windows update process but the rest is spot on.

For the MDT server we just use a desktop windows OS to host the MDT files and development environment. While you can do this all in one, we have a separate MDT server for Win7/2008 and Win10/2012. We use a similar process for creating our server vm templates (but FOG is not used for windows server template creation, that is all done in vSphere).

We do use /configure the administrator account (only account ever created on the reference image) exactly like we want the default user settings then in the unattend.xml file use the copyto option to have sysprep copy the administrators settings to the default user profile.

While its been a few years since we first started with MDT, it took me about 3 man days to go from knowing zero about MDT to being able to produce my first VM reference image. Then it was about 2 weeks to customize/perfect the task sequences to do exactly what we wanted. Now we select the proper task sequence and MDT does everything from building the image, installing all current wsus updates, installing the applications and patching. We don’t touch the reference image again until its time to sysprep and then capture the image with FOG.

Scott Adams

The problem with Windows 10 is that the anniversary updates is not really an update. It actually reinstalls Windows on top of your current OS. So, you may not have intentionally done an upgrade, but the update actually performed an upgrade without your knowledge.

To confirm, if you look in your drive, you should see a Windows.old folder.

To get around this, you should be able to do a disk cleanup and remove previous windows installations. Once complete (and you verify the Windows.old folder is gone), you should be able to sysprep.

mr626

@george1421 Thanks for that, really appreciate it.

@Scott-Adams Thanks, am aware of it being more than just an update. Your suggestion about removing Windows.old to allow sysprep is interesting, however:

-I’m pretty sure sysprep still didn’t work for me even after removing windows.old (I remove it regardless if it exists as it is just taking up space)
-Even if it did work, you are still increasing the re-arm count

@x23piracy Thanks, but I’m not sure what that has to do with what I’m taking about here. I’m fairly familiar with sysprep and what is / isn’t required.

Scott Adams

@mr626 Try the following after clearing old Windows Installations:

Remove this KEY from the Registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade

Remove this REG_DWORD from the Registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade

Set this REG_DWORD from the Registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\CleanupState [Set Hexadecimal Value: 7]

Run this command as Administrator:
slmgr /dli

After your operating system is activated re-run SysPrep and it should work!

Quazz

Like Scott said, you need to alter some registry keys after an upgrade.

Also, check if it didn’t sneakily create some new user.

But overall, I’d recommend simply installing a clean image.

x23piracy

@Quazz said in Windows 10- moving from 1511 to 1607 in audit mode?:

Like Scott said, you need to alter some registry keys after an upgrade.

Also, check if it didn’t sneakily create some new user.

But overall, I’d recommend simply installing a clean image.

I’ve also started from scratch instead of updating, would be the cleaner process while it’s generating more work but it’s worth it.

mr626

Thanks again for all the replies. I’ve started working on this and have made some progress.

Just wanted to check- what is the ‘best practice’ for Windows activation during the whole process?

For example, should I have the Windows image activated against a MAK key during the build process, and then reactivate against my KMS server when I actually deploy the image?

Thanks

george1421

@mr626 I won’t speak to best practices because each situation is different. But I can say what we do in our environment.

Our reference image is created by MDT, which you might already know. It is rebuilt each quarter with all of the windows updates, and applications. This reference image is never connected to AD or activated. You have 3 days to tweak the image (if necessary) before activation is required. If we miss the window then we just rebuild the reference image with MDT and keep tweaking. In the MDT build we just use the generic WinX key to allow reference image build.

You have 3 basic ways of activating your target image (not reference).

1. In the unattend.xml file used to build your target system you can enter the product key right into the unattend.xml file.
2. Back in the unattend.xml file, you can use the first logon section synchronous command (assuming you have an autoadmin login setup) to execute the following command cscript //b c:\windows\system32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
3. You can run the previous command also in the setupcomplete.cmd batch file.

We use option 2 in our setup for activation.

Wayne Workman

4th option - have the FOG Client activate windows for you. There’s a field for product key for every individual host. This is only useful if you’re using MAKs, but it is very useful in that situation. This is how I managed to activate Windows at my last job.

adukes40

Maybe I am the only one who can’t figure this out, maybe I’m not and am too stupid to use Google. I have searched all over the place and can’t find what I am looking for.

I am trying to build our first Win 10 image for deployment. I can’t for the life of me find how to edit personalization settings without activating windows. Once in audit mode it tells me that I have to activate windows to personalize my PC. How are other handling this.

I have read of the win 10 thread on this forum, but this part is stumping me.

Quazz

@adukes40 What exactly do you want to change?

A lot of what I do is move files manually (via a specifically written script for VM preparation in audit mode) and then run defprof program which will move those changes I made on the admin account (in audit) to the default account.

adukes40

@Quazz

mainly backgrounds, colors, Lock Screens, and start menu.

Quazz

@adukes40 I don’t know about all of them, but you can make a themepack on your current computer, activate that in audit mode, then run defprof and it should transfer everything that a theme can contain (background for sure, I think colors too).

Not sure what you want to alter about the start menu, if you mean rearranaging stuff and what not, I remember people having trouble with that, not sure if defprof is able to do that for you (mine remains default, so no experience there)

george1421

@adukes40 said in Windows 10- moving from 1511 to 1607 in audit mode?:

@Quazz

mainly backgrounds, colors, Lock Screens, and start menu.

The backgrounds, and colors can be set in the admin account, and then when you sysprep the system reference your unattend.xml file with the copyto setting in the unattend.xml file to copy the settings from the admin account to default user.

As for the start menu that one is a bit tougher and we are still struggling with that one. But basically you need to either create the perfect start menu on a test computer and then export the configuration to an xml file and then have it setup to that when a new user logs into a win10 system the exported menu xml file is imported into the user’s profile. You can also set a registry key to point to this xml file, but it restricts the user from changing/customizing their own menu.

Quazz

@george1421 Yes, I don’t use unattend files myself (and I find defprof more reliable than unattend as well), though, so hence the alternative. My start menus aren’t broken on deploy at any rate, which was a huge issue with customizing the start menu without defprof

george1421

@Quazz I’m not familiar with defprof so I need to look into that and learn something new today, thank you for the tip!

adukes40

Guess I will try the package idea. So just make a fresh machine thats activated, make changes, export the theme, then import on the audit mode machine?

george1421

@adukes40 said in Windows 10- moving from 1511 to 1607 in audit mode?:

Guess I will try the package idea. So just make a fresh machine thats activated, make changes, export the theme, then import on the audit mode machine?

This is what we did for our win7 base image. Setup the environment exactly like we wanted on a development machine and then exported the theme into a theme pack and loaded the theme pack during some post image deployment tasks.

Quazz

@adukes40 Yes. Although according to @george1421 you should be able to make those changes anyway (without themepack)? (I seem to recall being unable to in Windows 8, maybe 10 too though, IT MIGHT DEPEND ON THE VERSION (eg HOME vs ENTERPRISE)

Cool thing about themepack though is that they’re cross compatible on Windows 7 and above (maybe vista too? never tested it)