Windows 10 Pro OEM Sysprep & Imaging



  • Hi,

    I would like to explain the way I sysprep and reimage Windows 10 OEM, in steps:

    First of all, the Windows 10 OEM version does not auto-execute SetupComplete.cmd, therefore I use FirstLogonCommands within unattend.xml to work around that issue.

    Here is my unattend.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <SetupUILanguage>
    <UILanguage>de-DE</UILanguage>
    </SetupUILanguage>
    <InputLocale>0407:00000407</InputLocale>
    <SystemLocale>de-DE</SystemLocale>
    <UILanguage>de-DE</UILanguage>
    <UILanguageFallback>de-DE</UILanguageFallback>
    <UserLocale>de-DE</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <DiskConfiguration>
    <Disk wcm:action="add">
    <CreatePartitions>
    <CreatePartition wcm:action="add">
    <Order>1</Order>
    <Type>Primary</Type>
    <Size>100</Size>
    </CreatePartition>
    <CreatePartition wcm:action="add">
    <Extend>true</Extend>
    <Order>2</Order>
    <Type>Primary</Type>
    </CreatePartition>
    </CreatePartitions>
    <ModifyPartitions>
    <ModifyPartition wcm:action="add">
    <Active>true</Active>
    <Format>NTFS</Format>
    <Label>System Reserved</Label>
    <Order>1</Order>
    <PartitionID>1</PartitionID>
    <TypeID>0x27</TypeID>
    </ModifyPartition>
    <ModifyPartition wcm:action="add">
    <Active>true</Active>
    <Format>NTFS</Format>
    <Label>OS</Label>
    <Letter>C</Letter>
    <Order>2</Order>
    <PartitionID>2</PartitionID>
    </ModifyPartition>
    </ModifyPartitions>
    <DiskID>0</DiskID>
    <WillWipeDisk>true</WillWipeDisk>
    </Disk>
    </DiskConfiguration>
    <ImageInstall>
    <OSImage>
    <InstallTo>
    <DiskID>0</DiskID>
    <PartitionID>2</PartitionID>
    </InstallTo>
    <InstallToAvailablePartition>false</InstallToAvailablePartition>
    </OSImage>
    </ImageInstall>
    <UserData>
    <AcceptEula>true</AcceptEula>
    <FullName>admin</FullName>
    <Organization>Company Group</Organization>
    </UserData>
    <EnableFirewall>true</EnableFirewall>
    </component>
    </settings>
    <settings pass="offlineServicing">
    <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <EnableLUA>false</EnableLUA>
    </component>
    </settings>
    <settings pass="generalize">
    <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <SkipRearm>1</SkipRearm>
    </component>
    </settings>
    <settings pass="specialize">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <InputLocale>0407:00000407</InputLocale>
    <SystemLocale>de-DE</SystemLocale>
    <UILanguage>de-DE</UILanguage>
    <UILanguageFallback>de-DE</UILanguageFallback>
    <UserLocale>de-DE</UserLocale>
    </component>
    <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <SkipAutoActivation>true</SkipAutoActivation>
    </component>
    <component name="Microsoft-Windows-SQMApi" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <CEIPEnabled>0</CEIPEnabled>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <WindowsFeatures>
    <ShowMediaCenter>false</ShowMediaCenter>
    <ShowWindowsMail>false</ShowWindowsMail>
    </WindowsFeatures>
    <ShowWindowsLive>false</ShowWindowsLive>
    <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
    <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>
    <ComputerName>COMPANY-PC</ComputerName>
    <CopyProfile>true</CopyProfile>
    </component>
    <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <BlockPopups>yes</BlockPopups>
    <CompanyName>Company</CompanyName>
    <Home_Page>http://www.google.de</Home_Page>
    <DisableFirstRunWizard>true</DisableFirstRunWizard>
    </component>
    </settings>
    <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <AutoLogon>
    <Password>
    <Value>password</Value>
    <PlainText>true</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <LogonCount>1</LogonCount>
    <Username>Username</Username>
    </AutoLogon>
    <OOBE>
    <HideEULAPage>true</HideEULAPage>
    <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
    <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
    <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
    <NetworkLocation>Work</NetworkLocation>
    <SkipUserOOBE>true</SkipUserOOBE>
    <SkipMachineOOBE>true</SkipMachineOOBE>
    <ProtectYourPC>3</ProtectYourPC>
    </OOBE>
    <UserAccounts>
    <LocalAccounts>
    <LocalAccount wcm:action="add">
    <Password>
    <Value>password</Value>
    <PlainText>true</PlainText>
    </Password>
    <Description></Description>
    <DisplayName>Username</DisplayName>
    <Group>Administrators</Group>
    <Name>Username</Name>
    </LocalAccount>
    </LocalAccounts>
    </UserAccounts>
    <RegisteredOrganization>Company Group</RegisteredOrganization>
    <RegisteredOwner>admin</RegisteredOwner>
    <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
    <FirstLogonCommands>
    <SynchronousCommand wcm:action="add">
    <Description>SetupComplete</Description>
    <Order>1</Order>
    <CommandLine>C:\Windows\Setup\Scripts\SetupComplete.cmd</CommandLine>
    <RequiresUserInput>false</RequiresUserInput>
    </SynchronousCommand>
    <SynchronousCommand wcm:action="add">
    <Description>Control Panel View</Description>
    <Order>2</Order>
    <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f</CommandLine>
    <RequiresUserInput>false</RequiresUserInput>
    </SynchronousCommand>
    <SynchronousCommand wcm:action="add">
    <Description>Control Panel Icon Size</Description>
    <Order>3</Order>
    <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f</CommandLine>
    <RequiresUserInput>false</RequiresUserInput>
    </SynchronousCommand>
    </FirstLogonCommands>
    <TimeZone>W. Europe Standard Time</TimeZone>
    </component>
    </settings>
    </unattend>
    

    To remove any Windows 10 Apps except Store and Calculator I use:

    # Installed packages expose Name; provisioned packages expose PackageName
    Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*store*" -and $_.Name -notlike "*culator*"} | Remove-AppxPackage
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -notlike "*store*" -and $_.PackageName -notlike "*culator*"} | Remove-AppxProvisionedPackage -Online
    
    1. Download the latest Windows 10 Pro OEM ISO with the MS Media Creation Tool
    2. Install it to a VM (I use VirtualBox)
    3. After the first reboot, when the assistant asks you for express settings (or, with 1703, the initial language question), go to admin mode by pressing STRG (CTRL) + SHIFT + F3
    4. When entering admin mode, close the Sysprep window, then start customizing Windows, install your software and do your tweaks
    5. Now to sysprep I use the following script:

    @echo off
    delprof2 /q /id:retsch /i
    NET USER retsch /DELETE
    powercfg -h off
    rem C:\Support\Tools\Shutup\OOSU10.exe ooshutup10.cfg /quiet
    del /F c:\windows\system32\sysprep\panther\setupact.log
    del /F c:\windows\system32\sysprep\panther\setuperr.log
    del /F c:\windows\system32\sysprep\panther\ie\setupact.log
    del /F c:\windows\system32\sysprep\panther\ie\setuperr.log
    del /F "C:\Program Files (x86)\FOG\fog.log"
    del /F "C:\Program Files (x86)\FOG\token.dat"
    rem "C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe"
    copy SetupComplete.cmd C:\Windows\Setup\scripts\ /Y
    copy unattend.xml C:\Windows\System32\Sysprep /Y
    reg import C:\Support\Tools\ResetERAgentUUID.reg
    net stop FOGService
    sc config FOGService start= disabled
    sc config EraAgentSvc start= disabled
    cleanmgr /sagerun:1
    defrag c:
    c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown /unattend:c:\windows\system32\sysprep\unattend.xml
    

    My SetupComplete.cmd looks like:

    del C:\Windows\System32\Sysprep\unattend.xml
    sc config FOGService start= auto
    net start FOGService
    del C:\Windows\Setup\Scripts\SetupComplete.cmd
    
    1. After executing this, Windows will be sysprepped and shut down; after that you can image

    2. When I need to rework that image I deploy it to a VM again and use the following to enter audit mode again:

    @echo off
    c:\windows\system32\sysprep\sysprep.exe /audit /reboot
    

    If anyone is asking himself what I do with:

    delprof2 /q /id:username /i
    NET USER username /DELETE
    

    This deletes the user I create with unattend.xml to work around the problem with SetupComplete.cmd. I use FirstLogonCommands to execute the script when the first user logon happens; to clean this up I remove the profile and username before I sysprep, because the user will be recreated from unattend.xml. As you can see in the unattend.xml there is 1 autologon for that user, else SetupComplete.cmd will not be executed.

    The good thing is this user can persist on the machine after deployment because it’s our local admin account on that machine, in addition to the locked local admin account.

    The system will automatically reboot when the FOG client has joined the machine into the domain, so the machine will finish with a logon screen, not with a logged-in user ;)

    Good luck

    Regards X23
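
A check that can be run against the answer file before the image is captured, as an added example that is not part of the original post: it reports plaintext credential blocks, a disabled UAC setting and the commands that run at first logon, without printing the password values. It assumes one element per line, as in the file above; the function names and the sample are constructed.

```shell
# Added example, not from the thread. Assumes one XML element per line, as in
# the unattend.xml above. Prints findings; returns 1 if any finding is HIGH.
audit_unattend() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    awk '
    function val(s) { gsub(/<[^>]*>|^[ \t]+|[ \t\r]+$/, "", s); return s }
    function report() {
        if (plain) { high = 1
            print "HIGH plaintext " ctx " password user=" name extra }
        ctx = "" }
    /<AutoLogon>/        { ctx = "AutoLogon";    plain = 0; name = extra = "" }
    /<LocalAccount[ >]/  { ctx = "LocalAccount"; plain = 0; name = extra = "" }
    ctx && /<PlainText>[ \t]*true/  { plain = 1 }
    ctx && /<(Username|Name)>/      { name = val($0) }
    ctx && /<Group>/                { extra = " group=" val($0) }
    ctx && /<LogonCount>/           { extra = " logons=" val($0) }
    /<\/AutoLogon>/ || /<\/LocalAccount>/ { report() }
    /<EnableLUA>[ \t]*false/ { print "MEDIUM UAC disabled (EnableLUA=false)" }
    /<CommandLine>/          { print "INFO runs: " val($0) }
    END { exit high + 0 }
    ' "$1"
}

# Constructed sample: a reduced copy of the settings shown in the post.
demo_audit() {
    s=$(mktemp) || return 1
    cat > "$s" <<'EOF'
<EnableLUA>false</EnableLUA>
<AutoLogon>
<Password>
<Value>password</Value>
<PlainText>true</PlainText>
</Password>
<LogonCount>1</LogonCount>
<Username>Username</Username>
</AutoLogon>
<LocalAccount wcm:action="add">
<Password>
<PlainText>true</PlainText>
</Password>
<Group>Administrators</Group>
<Name>Username</Name>
</LocalAccount>
<CommandLine>C:\Windows\Setup\Scripts\SetupComplete.cmd</CommandLine>
EOF
    audit_unattend "$s"; rc=$?
    rm -f "$s"; return "$rc"
}
demo_audit || echo "HIGH findings present"
```

The non-zero return makes the function usable as a gate in the sysprep batch step or in an image-capture job.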



  • Hi,

    I forgot something: when working with computers that have a license embedded in the BIOS I use the following method to activate them:

    @echo off
    for /f "tokens=*" %%i in ('%cd%\oemkey') do set oemkey=%%i
    cscript %systemroot%\system32\slmgr.vbs /ipk %oemkey% >nul
    cscript %systemroot%\system32\slmgr.vbs /ato >nul
    exit
    

    I’ve packed that into a 7z self-extracting binary that executes the batch as a snapin ;)

    oemkey.exe is a binary I found on the net; it reads the Windows key from the BIOS.
    I can share the binary if needed.

    If you have an OEM license, simply input the key into the desired field within host management:


    Regards X23


  • Moderator

    @x23piracy said in Windows 10 Pro OEM Sysprep & Imaging:

    stop FOGService

    Very nice indeed.

    Our process looks very similar but we use MDT to build our reference image. The process is slightly different, but at sysprep time we look the same.

    Since we deal with Dells in our office, we preload the WinPE drivers cab into the reference image so during the initial OOBE process (when it's still in WinPE) it has the WinPE drivers for the NICs and storage. Is this necessary? Does it work for us? Yes.

    Just for reference, we have a FOG post install script that, during imaging, updates these types of fields for international support based on the site where the image is being deployed. It's a sed script that updates them.

    <SetupUILanguage>
        <UILanguage>de-DE</UILanguage>
    </SetupUILanguage>
    <InputLocale>0407:00000407</InputLocale>
    <SystemLocale>de-DE</SystemLocale>
    <UILanguage>de-DE</UILanguage>
    <UILanguageFallback>de-DE</UILanguageFallback>
    <UserLocale>de-DE</UserLocale>
    

    The post install scripts can automate, or dynamically update the unattend.xml script during deployment time based on anything that can be calculated by FOG.

    Nonetheless, your post is great!! Thank you for sharing.
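
A sed-based rewrite of the fields quoted above, as an added example that is not the moderator's script: the function name, its arguments and the sample values are assumptions. Because the locale and keyboard values are interpolated into the sed program, they are validated first and anything outside the expected shape is rejected.

```shell
# Added example, not the moderator's script. Rewrites the locale fields of an
# answer file in place; name, arguments and sample values are assumptions.
# usage: set_unattend_locale FILE LOCALE KEYBOARD   (e.g. en-US 0409:00000409)
set_unattend_locale() {
    file=$1; locale=$2; keyboard=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Both values end up inside the sed program below, so accept only the
    # expected characters; anything else (|, &, /, newline) is rejected.
    case $locale in
        ''|*[!A-Za-z0-9-]*) echo "rejected locale: $locale" >&2; return 3 ;;
    esac
    case $keyboard in
        ''|*[!0-9A-Fa-f:]*) echo "rejected keyboard: $keyboard" >&2; return 3 ;;
    esac
    tmp=$(mktemp "$file.XXXXXX") || return 4
    if sed -e "s|<UILanguage>[^<]*</UILanguage>|<UILanguage>$locale</UILanguage>|" \
           -e "s|<UILanguageFallback>[^<]*</UILanguageFallback>|<UILanguageFallback>$locale</UILanguageFallback>|" \
           -e "s|<SystemLocale>[^<]*</SystemLocale>|<SystemLocale>$locale</SystemLocale>|" \
           -e "s|<UserLocale>[^<]*</UserLocale>|<UserLocale>$locale</UserLocale>|" \
           -e "s|<InputLocale>[^<]*</InputLocale>|<InputLocale>$keyboard</InputLocale>|" \
           "$file" > "$tmp"
    then mv "$tmp" "$file"
    else rm -f "$tmp"; return 5
    fi
}

# Constructed sample: the fields quoted in the post, written to a temp file.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<SetupUILanguage>
    <UILanguage>de-DE</UILanguage>
</SetupUILanguage>
<InputLocale>0407:00000407</InputLocale>
<SystemLocale>de-DE</SystemLocale>
<UILanguage>de-DE</UILanguage>
<UILanguageFallback>de-DE</UILanguageFallback>
<UserLocale>de-DE</UserLocale>
EOF
    set_unattend_locale "$f" en-US 0409:00000409 && cat "$f"
    rm -f "$f"
}
demo
```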

