Windows 10 Pro OEM Sysprep & Imaging



  • Hi,

    I would like to explain the way I sysprep and reimage Windows 10 OEM in steps:

    First of all, the Windows 10 OEM version does not auto-execute SetupComplete.cmd, therefore I use FirstLogonCommands within unattend.xml to work around that issue.

    Here is my unattend.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <SetupUILanguage>
    <UILanguage>de-DE</UILanguage>
    </SetupUILanguage>
    <InputLocale>0407:00000407</InputLocale>
    <SystemLocale>de-DE</SystemLocale>
    <UILanguage>de-DE</UILanguage>
    <UILanguageFallback>de-DE</UILanguageFallback>
    <UserLocale>de-DE</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <DiskConfiguration>
    <Disk wcm:action="add">
    <CreatePartitions>
    <CreatePartition wcm:action="add">
    <Order>1</Order>
    <Type>Primary</Type>
    <Size>100</Size>
    </CreatePartition>
    <CreatePartition wcm:action="add">
    <Extend>true</Extend>
    <Order>2</Order>
    <Type>Primary</Type>
    </CreatePartition>
    </CreatePartitions>
    <ModifyPartitions>
    <ModifyPartition wcm:action="add">
    <Active>true</Active>
    <Format>NTFS</Format>
    <Label>System Reserved</Label>
    <Order>1</Order>
    <PartitionID>1</PartitionID>
    <TypeID>0x27</TypeID>
    </ModifyPartition>
    <ModifyPartition wcm:action="add">
    <Active>true</Active>
    <Format>NTFS</Format>
    <Label>OS</Label>
    <Letter>C</Letter>
    <Order>2</Order>
    <PartitionID>2</PartitionID>
    </ModifyPartition>
    </ModifyPartitions>
    <DiskID>0</DiskID>
    <WillWipeDisk>true</WillWipeDisk>
    </Disk>
    </DiskConfiguration>
    <ImageInstall>
    <OSImage>
    <InstallTo>
    <DiskID>0</DiskID>
    <PartitionID>2</PartitionID>
    </InstallTo>
    <InstallToAvailablePartition>false</InstallToAvailablePartition>
    </OSImage>
    </ImageInstall>
    <UserData>
    <AcceptEula>true</AcceptEula>
    <FullName>admin</FullName>
    <Organization>Company Group</Organization>
    </UserData>
    <EnableFirewall>true</EnableFirewall>
    </component>
    </settings>
    <settings pass="offlineServicing">
    <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <EnableLUA>false</EnableLUA>
    </component>
    </settings>
    <settings pass="generalize">
    <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <SkipRearm>1</SkipRearm>
    </component>
    </settings>
    <settings pass="specialize">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <InputLocale>0407:00000407</InputLocale>
    <SystemLocale>de-DE</SystemLocale>
    <UILanguage>de-DE</UILanguage>
    <UILanguageFallback>de-DE</UILanguageFallback>
    <UserLocale>de-DE</UserLocale>
    </component>
    <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <SkipAutoActivation>true</SkipAutoActivation>
    </component>
    <component name="Microsoft-Windows-SQMApi" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <CEIPEnabled>0</CEIPEnabled>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <WindowsFeatures>
    <ShowMediaCenter>false</ShowMediaCenter>
    <ShowWindowsMail>false</ShowWindowsMail>
    </WindowsFeatures>
    <ShowWindowsLive>false</ShowWindowsLive>
    <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
    <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>
    <ComputerName>COMPANY-PC</ComputerName>
    <CopyProfile>true</CopyProfile>
    </component>
    <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <BlockPopups>yes</BlockPopups>
    <CompanyName>Company</CompanyName>
    <Home_Page>http://www.google.de</Home_Page>
    <DisableFirstRunWizard>true</DisableFirstRunWizard>
    </component>
    </settings>
    <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <AutoLogon>
    <Password>
    <Value>password</Value>
    <PlainText>true</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <LogonCount>1</LogonCount>
    <Username>Username</Username>
    </AutoLogon>
    <OOBE>
    <HideEULAPage>true</HideEULAPage>
    <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
    <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
    <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
    <NetworkLocation>Work</NetworkLocation>
    <SkipUserOOBE>true</SkipUserOOBE>
    <SkipMachineOOBE>true</SkipMachineOOBE>
    <ProtectYourPC>3</ProtectYourPC>
    </OOBE>
    <UserAccounts>
    <LocalAccounts>
    <LocalAccount wcm:action="add">
    <Password>
    <Value>password</Value>
    <PlainText>true</PlainText>
    </Password>
    <Description></Description>
    <DisplayName>Username</DisplayName>
    <Group>Administrators</Group>
    <Name>Username</Name>
    </LocalAccount>
    </LocalAccounts>
    </UserAccounts>
    <RegisteredOrganization>Company Group</RegisteredOrganization>
    <RegisteredOwner>admin</RegisteredOwner>
    <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
    <FirstLogonCommands>
    <SynchronousCommand wcm:action="add">
    <Description>SetupComplete</Description>
    <Order>1</Order>
    <CommandLine>C:\Windows\Setup\Scripts\SetupComplete.cmd</CommandLine>
    <RequiresUserInput>false</RequiresUserInput>
    </SynchronousCommand>
    <SynchronousCommand wcm:action="add">
    <Description>Control Panel View</Description>
    <Order>2</Order>
    <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f</CommandLine>
    <RequiresUserInput>false</RequiresUserInput>
    </SynchronousCommand>
    <SynchronousCommand wcm:action="add">
    <Description>Control Panel Icon Size</Description>
    <Order>3</Order>
    <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f</CommandLine>
    <RequiresUserInput>false</RequiresUserInput>
    </SynchronousCommand>
    </FirstLogonCommands>
    <TimeZone>W. Europe Standard Time</TimeZone>
    </component>
    </settings>
    </unattend>
    

    To remove any Windows 10 Apps except Store and Calculator I use:

    Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*store*" -and $_.Name -notlike "*culator*"} | Remove-AppxPackage
    Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -notlike "*store*" -and $_.PackageName -notlike "*culator*"} | Remove-AppxProvisionedPackage -Online
    
    1. Download the latest Windows 10 Pro OEM ISO with the MS Media Creation Tool
    2. Install it to a VM (I use VirtualBox)
    3. After the first reboot, when the assistant asks you for express settings (or, with 1703, the initial language question), go to admin mode by pressing STRG (CTRL) + SHIFT + F3
    4. When entering the admin mode, close the Sysprep window, start customizing Windows, install your software and do your tweaks
    5. Now to sysprep I use the following script:
    @echo off
    delprof2 /q /id:retsch /i
    NET USER retsch /DELETE
    powercfg -h off
    rem C:\Support\Tools\Shutup\OOSU10.exe ooshutup10.cfg /quiet
    del /F c:\windows\system32\sysprep\panther\setupact.log
    del /F c:\windows\system32\sysprep\panther\setuperr.log
    del /F c:\windows\system32\sysprep\panther\ie\setupact.log
    del /F c:\windows\system32\sysprep\panther\ie\setuperr.log
    del /F "C:\Program Files (x86)\FOG\fog.log"
    del /F "C:\Program Files (x86)\FOG\token.dat"
    rem "C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe"
    copy SetupComplete.cmd C:\Windows\Setup\scripts\ /Y
    copy unattend.xml C:\Windows\System32\Sysprep /Y
    reg import C:\Support\Tools\ResetERAgentUUID.reg
    net stop FOGService
    sc config FOGService start= disabled
    sc config EraAgentSvc start= disabled
    cleanmgr /sagerun:1
    defrag c:
    c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown /unattend:c:\windows\system32\sysprep\unattend.xml
    

    My SetupComplete.cmd looks like:

    del C:\Windows\System32\Sysprep\unattend.xml
    sc config FOGService start= auto
    net start FOGService
    del C:\Windows\Setup\Scripts\SetupComplete.cmd
    
    1. After executing this, Windows will be sysprepped and shut down; after that, you can image now

    2. When I need to rework that image I deploy it to a VM again and use the following to enter audit mode again:

    @echo off
    c:\windows\system32\sysprep\sysprep.exe /audit /reboot
    

    If anyone is asking himself what I do with:

    delprof2 /q /id:username /i
    NET USER username /DELETE
    

    This deletes the user I create with unattend.xml to work around the problem with SetupComplete.cmd. I use FirstLogonCommands to execute the script when the first user logon happens; to clean this up I remove the profile and username before I sysprep, because the user will be recreated from unattend.xml. As you can see in the unattend.xml there is 1 autologon for that user, else SetupComplete.cmd will not be executed.

    The good thing is this user can persist on the machine after deployment because it’s our local admin account on that machine, in addition to the locked local admin account.

    The system will automatically reboot when the FOG client has joined the machine into the domain, so the machine will finish with a logon screen, not with a logged-in user ;)

    Good luck

    Regards X23
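An added check, not part of the original post: the answer file above stores the account password in `<Value>` elements, and `<PlainText>false</PlainText>` would only base64-encode it, so it is worth confirming that no copy of the file is left on deployed machines or inside stored images. The sketch covers only the `AutoLogon`, `LocalAccount` and `EnableLUA` settings seen on this page; the function names, the directory layout and the sample values are constructed.

```shell
# Added example (not the poster's code): print one finding per line for one answer file.
audit_unattend() {
    # RS="<" turns every record into "tag>text", so line layout does not matter.
    awk 'BEGIN { RS = "<"; FS = ">" }
    {
        tag = $1; text = $2
        sub(/[ \t\r\n].*$/, "", tag)                # drop attributes
        gsub(/^[ \t\r\n]+|[ \t\r\n]+$/, "", text)   # trim whitespace
        if (tag == "AutoLogon" || tag == "LocalAccount") owner = tag
        else if (tag == "Password") { inpw = 1; value = ""; plain = "" }
        else if (inpw && tag == "Value") value = text
        else if (inpw && tag == "PlainText") plain = text
        else if (tag == "/Password") {
            inpw = 0
            if (value != "")
                print owner " password stored as " (plain == "false" ? "base64 (reversible)" : "cleartext")
        }
        else if (tag == "EnableLUA" && text == "false") print "UAC disabled (EnableLUA=false)"
    }' "$1"
}

# Audit every unattend.xml under a directory, e.g. a mounted image (assumed layout).
scan_tree() {
    find "$1" -type f -iname 'unattend.xml' | sort | while IFS= read -r f; do
        audit_unattend "$f" | while IFS= read -r finding; do
            printf '%s: %s\n' "$f" "$finding"
        done
    done
}

# Constructed sample mirroring the credential settings of the answer file above.
write_sample() {
    cat > "$1" <<'EOF'
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="offlineServicing"><component name="Microsoft-Windows-LUA-Settings">
    <EnableLUA>false</EnableLUA></component></settings>
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon><Password><Value>example-pw</Value><PlainText>true</PlainText></Password>
      <Enabled>true</Enabled><LogonCount>1</LogonCount></AutoLogon>
    <LocalAccount wcm:action="add"><Password><Value>ZQB4AGEAbQBwAGwAZQA=</Value>
      <PlainText>false</PlainText></Password><Name>deploy</Name></LocalAccount>
  </component></settings>
</unattend>
EOF
}

demo=$(mktemp -d) && mkdir -p "$demo/Windows/Panther"
write_sample "$demo/Windows/Panther/unattend.xml"
scan_tree "$demo"
rm -rf "$demo"
```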



  • @zer0cool Thanks for that info! I'm working on it right now myself.



  • @joe-gill I am working through it now, basically it's the same. The variations come from differences in the environments and goals people have.

    I have a Windows Server 2016 box with WDS and WSUS roles (only as they are needed for my process, I don't functionally use them directly) with ADK installed.

    I have a PowerShell script that takes the install.wim from my Windows OS (7, 8, 10, Server 2008, 2012, 2016) and patches it with all the relevant updates from a WSUS server on the network (so installing Windows 7 or Server 2012 doesn't require 1,000 updates out of the box). I use manual commands in dism to add drivers to the image if it's for a specific set of machines (like USB 3, NIC drivers or printers).

    I then rebuild an ISO from that install.wim. I dump those ISO contents onto my FOG server as the sources to install from via iPXE.

    I also on the 2016 server have a batch file I use to create the winpe stuff for each Windows OS. I also have an unattend file for sysprep with an entry in it to run SetupComplete.cmd to enable the FOG service as mentioned in OP.

    I install via FOG/PXE to a machine to create the initial image, add the FOG client, disable its service and capture the image.

    When deploying the image, first boot runs the batch file and enables the FOG client thus joining the machine to AD, changes the host name and activates Windows.

    I created a batch snapin to delete the local user and its profile folder that was created by the unattend file, push gpupdate /force and reboot. So after the images deploy, having all the machines needed in the same group in FOG, I just push the snapin to the group and then they are done.

    I probably do somewhat less automation than the OP but it's a lot better than a month ago when I had to do most of the post-deployment stuff manually. Hope this helps.



  • @george1421 I realize this is an older post. Is this information still relevant? Has this process changed any? Thanks!





  • Hi,

    I forgot something: when working with computers that have an embedded license in the BIOS, I use the following method to activate them:

    @echo off
    for /f "tokens=*" %%i in ('%cd%\oemkey') do set oemkey=%%i
    cscript %systemroot%\system32\slmgr.vbs /ipk %oemkey% >nul
    cscript %systemroot%\system32\slmgr.vbs /ato >nul
    exit
    

    I’ve packed that into a 7z self-extracting binary that executes the batch as a snapin ;)

    oemkey.exe is a binary I found on the net; it reads the Windows key from the BIOS.
    I can share the binary if needed.

    If you have an OEM license, simply input the key into the desired field within host management:


    Regards X23


  • Moderator

    @x23piracy said in Windows 10 Pro OEM Sysprep & Imaging:

    stop FOGService

    Very nice indeed.

    Our process looks very similar but we use MDT to build our reference image. The process is slightly different, but at sysprep time we look the same.

    Since we deal with Dells in our office we preload the WinPE drivers cab into the reference image so during the initial OOBE process (when it's still in WinPE) it has the WinPE drivers for the NICs and storage. Is this necessary?? Does it work for us? Yes.

    Just for reference, we have a FOG post install script that during imaging updates these types of fields for international support based on the site where the image is being deployed. It's a sed script that updates them.

    <SetupUILanguage>
        <UILanguage>de-DE</UILanguage>
    </SetupUILanguage>
    <InputLocale>0407:00000407</InputLocale>
    <SystemLocale>de-DE</SystemLocale>
    <UILanguage>de-DE</UILanguage>
    <UILanguageFallback>de-DE</UILanguageFallback>
    <UserLocale>de-DE</UserLocale>
    

    The post install scripts can automate, or dynamically update the unattend.xml script during deployment time based on anything that can be calculated by FOG.

    Nonetheless, your post is great!! Thank you for sharing.
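A deploy-time rewrite of these fields as it could look inside a FOG post install script, shown as an added example and not the poster's own sed script. The site codes, the function names and the sample file are assumptions; the values are checked against a fixed shape first because they are spliced into the sed expression.

```shell
# Added example (not the poster's script): set the locale fields of an answer file.
# Map a site code to "locale keyboard"; the site codes are hypothetical.
site_locale() {
    case "$1" in
        DE) echo "de-DE 0407:00000407" ;;
        US) echo "en-US 0409:00000409" ;;
        *)  return 1 ;;
    esac
}

# set_unattend_locale FILE LOCALE KEYBOARD
set_unattend_locale() {
    file=$1 loc=$2 kbd=$3
    # Both values end up inside a sed expression, so accept only exact shapes.
    case "$loc" in
        [a-z][a-z]-[A-Z][A-Z]|[a-z][a-z][a-z]-[A-Z][A-Z]) ;;
        *) echo "rejected locale: $loc" >&2; return 2 ;;
    esac
    case "$kbd" in
        *[!0-9A-Fa-f:]*|*:*:*) echo "rejected keyboard: $kbd" >&2; return 2 ;;
        ????:????????) ;;
        *) echo "rejected keyboard: $kbd" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    # "<UILanguage>" also matches the copy nested in <SetupUILanguage>, not the wrapper itself.
    sed -E \
        -e "s#<(UILanguage|UILanguageFallback|SystemLocale|UserLocale)>[^<]*<#<\1>$loc<#g" \
        -e "s#<InputLocale>[^<]*<#<InputLocale>$kbd<#g" "$file" > "$tmp" &&
        cat "$tmp" > "$file"    # rewrite in place, keeping owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: the fields quoted in the post above.
write_locale_sample() {
    cat > "$1" <<'EOF'
<SetupUILanguage>
    <UILanguage>de-DE</UILanguage>
</SetupUILanguage>
<InputLocale>0407:00000407</InputLocale>
<SystemLocale>de-DE</SystemLocale>
<UILanguage>de-DE</UILanguage>
<UILanguageFallback>de-DE</UILanguageFallback>
<UserLocale>de-DE</UserLocale>
EOF
}

demo=$(mktemp); write_locale_sample "$demo"
set -- $(site_locale US)
set_unattend_locale "$demo" "$1" "$2" && cat "$demo"
rm -f "$demo"
```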


 
