Deploying Windows 10: Part 1

This next series of posts will deal with deploying Windows 10 from ConfigMgr and MDT. I will be using the latest versions of all software: Windows 10 v1511, ConfigMgr 1511 and MDT 2013 Update 1. Part one will focus on creating your reference image, part two will focus on capturing and deploying your image with ConfigMgr 1511, and part three will focus on capturing and deploying your image with MDT 2013 Update 1.

Creating your reference image is not that much different from Windows 8.1. You can configure a default profile, install any applications that you need, and configure the OS using many of the same methods. This series will simply serve as a guide to doing all of this, and will include some best practices as well as my recommendations.

I will be using Windows 10 Enterprise 64-bit for my reference image.

Installing Windows 10

I always recommend creating reference images on a virtual machine platform that can do snapshots or checkpoints. I come from the VMware world, so I will refer to them as snapshots throughout this series, but the terms are interchangeable. You can use snapshots throughout the process of creating your reference image to roll back if you make a mistake. Most important for me, however, is being able to take a snapshot before capturing the image. This allows me to revert after sysprep, which is helpful for running future updates, because I do not have to build the reference from scratch.

Once you have your VM ready, install Windows 10 from a CD, USB, or ISO. There’s nothing special here, just a default installation. Once installation has completed, I would recommend clicking “Customize settings” and changing ALL of the options after install to No. This will strengthen the privacy settings for Windows 10.


After the Customize settings screens, your VM will probably restart. After that, depending on the version of Windows 10 (Pro, Enterprise, Education), you may see different options on the following screenshot. Click “Join a domain”.


Because this is a reference image, we will actually do neither of these options. When you click Join a domain, you have the option of creating a local account, which is what we want. You can name this account whatever you like, because we are going to be deleting it anyway.

Customize the Reference Image

The first thing we will do is activate the built-in Administrator account and delete the account created during Windows OOBE (out-of-box experience). We will use the built-in account to create our default profile, so we will do all of our work from here. We use the built-in account because both ConfigMgr and MDT have actions to disable this account in the task sequence. To do this, right-click on the Start Menu and click “Computer Management”. Expand “Local Users and Groups” and select “Users”. Double-click on “Administrator”. Uncheck the “Account is disabled” box and click OK.


Now, log out of this account and log back in as “Administrator”.

Remove Default Modern Apps

This is an enterprise build, so we do not need the built-in apps such as Xbox, Groove, etc. You can elect to keep any of these by just omitting its line, but here’s a PowerShell script that will remove these apps (also available to download at the bottom of the page):

# Groove Music/Zune
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Zune*"} | Remove-AppxProvisionedPackage -Online

# Xbox
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*XboxApp*"} | Remove-AppxProvisionedPackage -Online

# 3DBuilder
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*3DBuilder*"} | Remove-AppxProvisionedPackage -Online

# All Bing Apps
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Bing*"} | Remove-AppxProvisionedPackage -Online

# Messaging
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Messaging*"} | Remove-AppxProvisionedPackage -Online

# All Office Apps
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Office*"} | Remove-AppxProvisionedPackage -Online

# Solitaire
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Solitaire*"} | Remove-AppxProvisionedPackage -Online

# Skype
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Skype*"} | Remove-AppxProvisionedPackage -Online

# People
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*People*"} | Remove-AppxProvisionedPackage -Online

# All Windows Apps, except Store and Calculator
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Windows*" -and $_.DisplayName -notlike "*Cal*" -and $_.DisplayName -notlike "*Store*"} | Remove-AppxProvisionedPackage -Online

You may have a few questions on some of these, so let me talk about them. First, why am I removing Office? These applications are only pointers to Office 365. Hopefully you have this already and will be installing it via task sequence. One app that you may want to keep is the Modern version of OneNote. If that is the case, replace the Office section of the script with this:

# Office, keeping OneNote
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like "*Office*" -and $_.DisplayName -notlike "*OneNote*"} | Remove-AppxProvisionedPackage -Online

Next, you may be wondering about the Windows Apps. That line will remove Alarms, Camera, Maps, Phone, and Sound Recorder. If you would like to keep any of these, break that line out and exclude what you like. To get a list of applications, run this command. It will give you the DisplayName field that you can input into my remove commands.

(Get-AppxProvisionedPackage -Online).DisplayName
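
The removals above, folded into one function with a preview mode and a per-package result table. This is an added example, not the author's script; the function name Remove-ProvisionedApp and its parameters are illustrative.

```powershell
# Added example, not the author's script. Remove-ProvisionedApp and its
# parameters are illustrative names.
function Remove-ProvisionedApp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $Include,
        [string[]] $Exclude = @()
    )
    # A package is a target if it matches any include and no exclude pattern.
    $targets = Get-AppxProvisionedPackage -Online | Where-Object {
        $name = $_.DisplayName
        ($Include | Where-Object { $name -like $_ }) -and
        -not ($Exclude | Where-Object { $name -like $_ })
    }
    foreach ($pkg in $targets) {
        $result = 'Skipped (preview)'
        if ($PSCmdlet.ShouldProcess($pkg.DisplayName, 'Remove provisioned package')) {
            try {
                Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName -ErrorAction Stop | Out-Null
                $result = 'Removed'
            } catch {
                $result = "Failed: $($_.Exception.Message)"
            }
        }
        # Removing provisioning does not uninstall a copy already installed in
        # an existing profile, so record whether the current user still has it.
        $inProfile = [bool](Get-AppxPackage -Name $pkg.DisplayName)
        [pscustomobject]@{
            DisplayName      = $pkg.DisplayName
            Result           = $result
            InCurrentProfile = $inProfile
        }
    }
}

# Patterns from the post. Excludes here apply to every include pattern, which
# is slightly broader than the per-line filters in the post.
$include = '*Zune*', '*XboxApp*', '*3DBuilder*', '*Bing*', '*Messaging*',
           '*Office*', '*Solitaire*', '*Skype*', '*People*', '*Windows*'
$exclude = '*Cal*', '*Store*', '*OneNote*'   # drop '*OneNote*' to remove it too

# Preview first; rerun without -WhatIf to apply and keep the table as a build record.
Remove-ProvisionedApp -Include $include -Exclude $exclude -WhatIf |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session in the reference VM.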

Windows Features

I also recommend a few changes to the installed Windows Features. To modify these, right-click on the Start Menu and select Control Panel. Click “Programs” and then select “Turn Windows features on or off”. First, I recommend enabling “.NET Framework 3.5 (includes .NET 2.0 and 3.0)”. This will install .NET 3.5, which a lot of software still requires. Microsoft still supports and patches .NET 3.5, so there’s not a big security risk here.

Modifying the rest of the features is up to you, but I would suggest looking at Simple TCPIP services and Telnet Client.
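
A scripted equivalent of the feature changes above that records the state of each feature before touching it. This is an added example, not from the original post; Set-ReferenceFeature and its parameters are illustrative names, and NetFx3, SimpleTCP and TelnetClient are the DISM feature names for the three features mentioned.

```powershell
# Added example, not from the original post. Set-ReferenceFeature and its
# parameters are illustrative names.
function Set-ReferenceFeature {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Feature name -> 'Enabled', 'Disabled', or $null to report only.
        [Parameter(Mandatory)] [hashtable] $Desired,
        # Optional path to \sources\sxs on the install media (assumption:
        # used when the VM cannot reach Windows Update or WSUS).
        [string] $Source
    )
    foreach ($name in $Desired.Keys) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
        $want    = $Desired[$name]
        $action  = 'None'
        if ($want -eq 'Enabled' -and $feature.State -ne 'Enabled') {
            if ($PSCmdlet.ShouldProcess($name, 'Enable feature')) {
                $params = @{ Online = $true; FeatureName = $name; All = $true; NoRestart = $true }
                # In state DisabledWithPayloadRemoved the files are not in the
                # image and must come from Windows Update or this source.
                if ($Source) { $params.Source = $Source; $params.LimitAccess = $true }
                Enable-WindowsOptionalFeature @params | Out-Null
                $action = 'Enabled'
            }
        } elseif ($want -eq 'Disabled' -and $feature.State -eq 'Enabled') {
            if ($PSCmdlet.ShouldProcess($name, 'Disable feature')) {
                Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
                $action = 'Disabled'
            }
        }
        [pscustomobject]@{
            Feature = $name; Before = $feature.State; Desired = $want; Action = $action
        }
    }
}

# Preview; remove -WhatIf to apply.
Set-ReferenceFeature -WhatIf -Desired @{
    NetFx3       = 'Enabled'   # recommended in the post
    SimpleTCP    = $null       # left to your decision: report only
    TelnetClient = $null
}
```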

Other Recommendations

I would recommend putting the CMTrace tool somewhere in the image, especially if you are using SCCM. This tool is vital when reading ConfigMgr logs. Where you put it is up to you, though I create a folder in Program Files (x86) for it.

Next, I would go ahead and enable Previous Versions and set it to 10% of the hard drive. You can set this according to your organization, especially if you have network storage. To enable this, right-click on the Start Menu and select System. Click “Advanced System Settings” in the left panel and go to the “System Protection” tab. Now, click the Configure button. Enable system protection, and configure the usage using the slider.


Another good option to set is how folders and files display. I like to keep mine set to hide hidden folders and show all file extensions. To do this, open a File Explorer window. In the ribbon, click View, and then Options. Navigate to the “View” tab and make sure “Don’t show hidden files, folders, or drives” is selected. Also, make sure “Hide extensions for known file types” is unchecked.


Make any further modifications needed by your organization. Be sure to get the Start Menu laid out as well.

When you are done, make sure to run all Windows Updates. In Part 2, we will capture this for ConfigMgr deployment.

