For the majority of organizations, Windows 10 adoption can’t happen soon enough. The security enhancements bring on a sigh of relief in an age of Ransomware and devastating zero-day threats. There are, however, still isolated environments and service applications that happily run Windows 7, and will likely continue to do so up until Jan 14, 2020, when Microsoft stops providing security updates for the operating system.
Given there’s just under six months until 7’s end of support, some companies are in a mad dash to get everything upgraded. If this is you, your help desk is in for a rough year supporting it.
To keep Windows 7 going until the bitter end, we need to maintain an imaging environment to facilitate downgrades and break/fix. The fact that Windows 7 hasn’t had a major release since my kids were still in diapers means there are a LOT of updates that need to happen to an install, just to bring it up to current patch levels. It makes managing that reference image a little different from the norm.
I recently worked with one of these organizations, and we used MDT to manage their standard reference image. We followed all the typical steps to automating the build process, and everything worked great. Once we got to the point of thickening up the image a bit, things started to go awry. The problem was an un-scriptable application and hotfix that didn’t like Sysprep’s generalization process. The result was a rebuild of the reference image, and some noteworthy changes.
Build the Reference Image using Hyper-V
Ok, this isn’t new, but it’s still #1. There are three critical reasons why using Hyper-V for your reference image build is paramount:
- Hyper-V is a free, installable Windows Role. This means you can build and maintain your image from anywhere
- There are NO additional drivers. Drivers necessary for the operating system to function in Hyper-V are built into Windows 7. This means that no ghosted drivers end up in your deployed systems
- I can snapshot, er Checkpoint, my VM at various build stages. Even better, I can take a full copy of the VM and place it in a backup folder to be used later. Important note, when doing this it’s a good idea to merge/delete your checkpoints beforehand, to avoid corrupting a disk chain
- Use that Hyper-V host, or ideally another VM, for the install of MDT and ADK. This will keep the validated versions available for image creation, allowing the production deployment environment to be upgraded to the Windows 10 ADK
- Fully patch the VM, including optional updates. Use the Convenience Rollup Package from Microsoft that was released in May 2016. You can download it here. Please note there are a couple of caveats with using this rollup. Microsoft’s Nathan Mercer posted a great article about it, which you can read here
- Use a Task Sequence to create a thin image. Use this as an OS base for your actual Reference Image creation
- Use a separate sequence to customize the image for your organization, including site-licensed application installs and policy standards
Here’s a full Level 200 Step by Step for creating a Windows 7 Reference Image after its end of life:
Step 1: Install Hyper-V on your Windows 10 Machine
If your organization is running any virtualization solution, you are able to deploy a Server 2016 VM and install Hyper-V using nested virtualization. However, it may be more appealing to just use your workstation for this, and that’s fully possible out-of-box with Windows 8.1 and up. You can do it through the GUI, or just use PowerShell. Here’s the command:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
After the machine finishes rebooting, you’ll need to configure the vSwitch. If you only have one NIC, use:
New-VMSwitch -Name “External vSwitch” -NetAdapterName “Ethernet” -AllowManagementOS
Step 2: Install ADK and MDT
Download the Assessment and Deployment Kit for Windows 10, as well as MDT 2013 Update 2, and install both. Launch the Deployment Workbench and create a new Deployment Share. Add the source files from your Windows 7 ISO by Importing it to the Operating Systems node in the Workbench. Once the image has imported, create a Standard Client Task Sequence called Create Windows 7 Thin Image, accepting all the defaults.
Step 3: Customize and Automate the Deployment Share
In the properties of the Deployment Share, on the Rules tab there’s a button to edit the Bootstrap.ini. In here we need to add the following lines:
UserID=MDT_BA UserPassword=P@ssw0rd UserDomain=VIAMONSTRA KeyboardLocale=en-US SkipBDDWelcome=YES
To automate the LTI screens that don’t pertain to the image build process, we’re also going to add the following Rules to the main list (customsettings.ini). The first 9 need to be customized to your environment:
OSDComputerName=Win7Ref01 ComputerBackupLocation=\\MDT01.corp.viamonstra.com\DeploymentShare$\Captures BackupFile=Win7Ref01.wim DomainOrWorkgroup=WORKGROUP WorkgroupName=WORKGROUP DomainAdmin=Administrator DomainPassword=P@SSW0RD TimeZoneName=Mountain Standard Time AreaCode=403 SkipComputerName=YES SkipCapture=No DoCapture=YES SkipApplications=YES SkipAdminPassword=YES SkipProductKey=YES SkipDomainMembership=YES SkipUserData=YES UserDataLocation=NONE SkipLocaleSelection=YES SkipTimeZone=YES UserLocale=en-US UILanguage=en-US InputLocale=en-US KeyboardLocale=en-US Language=00000413 SystemLocale=00000413 BitsPerPel=32 vRefresh=60 xResolution=1 yResolution=1 SkipBitlocker=YES SkipSummary=YES
Once both these files have been modified. We need to perform an Update Deployment Share action to create the Lite Touch Boot Image ISO.
Step 4: Tweak the Task Sequence
For this stage of the process, there’s really only two things we need to do: Install the Convenience Rollup and Pause the Task Sequence.
To install the Convenience Rollup, it first requires an update to the Windows 7 Servicing Stack which is not included in the base ISO. To do this, we’ll add the update in as an Application. The update binaries are in the Windows Catalog, and can be downloaded from here. The Convenience Rollup itself will be installed in the same fashion. We’ll download it from here and extract the contents into a folder. Then, we’re going to add it as an application in MDT, using this as the install string:
The final change, we’ll add a pause to the task sequence, using a Run Command Line action after the Install Applications step. The command is %SCRIPTROOT%\LTISuspend.wsf
Step 5: Build the Thin Image
Now we’re going to create our Win10Ref01 VM. If you put the LiteTouch_x64.iso in C:\VMs, use these two commands to build the VM:
New-VM -Name Win7Ref01 -MemoryStartupBytes 4GB -BootDevice CD -SwitchName "External vSwitch" -NewVHDPath "C:\VMs\Win7Ref01\Virtual Hard Disks\Win10Ref01--C.vhd" -NewVHDSizeBytes 127GB -Path C:\VMs\Win7Ref01 -Generation 1 Set-VMDvdDrive -VMName Win7Ref01 -Path C:\VMs\LiteTouch_x64.iso
Connect to the VM and start it, booting into the “DVD” drive. Select the Create Windows 7 Thin Image task sequence, and click Next. Due to the configuration in our rules file, we should now only see a screen to confirm our Image Capture settings. Validate/Update the settings and click next to initiate the build.
When the Task Sequence pauses, check Windows Update to confirm that the Convenience Rollup applied and connect to Windows Update to finish patching. Once all patches have been applied, shut down the VM. From File Explorer, place a copy of C:\VMs\Win7Ref01 in another location. This will serve as a backup of your patched Windows 7 VM. Once the copy has finished, launch the VM and re-connect. On the desktop will be a “Resume Task Sequence” icon. Double-Click this to resume the Task Sequence, which will Sysprep the VM, reboot into WinPE and capture the image. NOTE: By Default, MDT does not grant write privileges to the Captures Folder. You will need to ensure proper access is granted at the NTFS and Share level
Once the Image has been fully captured Import it into MDT as a Custom Image. We will use this image to create the next sequence.
Step 6: Build the Reference Image Capture Sequences
Create one more Standard task sequence, called Reference Image Build Sequence.
At this point, you’re also going to want to import into MDT any applications that you will be using in your Reference Image. Even if the application cannot be silently installed, it is a good idea to add it in with the install string, as this will make the image build self-documenting. Note the Application GUID that is assigned to each application as they are imported into MDT.
In File Explorer, navigate to C:\DeploymentShare\Control and make a copy of CustomSettings.ini and place it in the same folder. Rename the copy to CSApps.ini, then edit it.
After SkipSummary=YES in the file, place the following lines:
Applications001=<GUID> Applications002=<GUID> Applications003=<GUID> OSDComputerName=Win7Ref02 BackupFile=Win7Ref02.wim
Of course, you will need to replace <GUID> with the actual application’s GUID as its shown in MDT. You can add/remove lines as needed, just make sure there are no gaps in the numbering. When finished, Save the file.
We’re then going to need to Edit the Task Sequence, and scan the steps for “Gather.” There are a few. At each of these steps, make sure the Radio button to process the rules file is selected, and replace CustomSettings.ini with CSApps.ini. Then, add in the same Pause step as before, in the same place right after Install Applications.
Let’s create a new VM (or we can re-use the first one)
New-VM -Name Win7Ref02 -MemoryStartupBytes 4GB -BootDevice CD -SwitchName "External vSwitch" -NewVHDPath "C:\VMs\Win7Ref02\Virtual Hard Disks\Win10Ref02--C.vhd" -NewVHDSizeBytes 127GB -Path C:\VMs\Win7Ref02 -Generation 1 Set-VMDvdDrive -VMName Win7Ref02 -Path C:\VMs\LiteTouch_x64.iso
At the Pause step, we just need to ensure that our applications and configurations were completed successfully, then proceed to capture the completed Reference Image. We’ll use this as our starting point for all deployments going forward, and with the steps we’ve added along the way, keeping it up to date for the next 2.5 years will be a breeze.
Hope this helps!