Deploying Windows 10: Part 1
This next series of posts will deal with deploying Windows 10 from ConfigMgr and MDT. I will be using the latest versions of all software: Windows 10 v1511, ConfigMgr 1511 and MDT 2013 Update 1. Part one will focus on creating your reference image, part two will focus on capturing and deploying your image with ConfigMgr 1511, and part three will focus on capturing and deploying your image with MDT 2013 Update 1.
Creating your reference image is not that much different from Windows 8.1. You can configure a default profile, install any applications that you need, and configure the OS using the many of the same methods. This series will simply serve as guide to doing all of this, and will include some best practices as well as my recommendations.
I will be using Windows 10 Enterprise 64-bit for my reference image.
Installing Windows 10
I always recommend creating reference images on a virtual machine platform that can do snapshots or checkpoints. I come from the VMware world, so I will refer to them as snapshots throughout this series, but the terms are interchangeable. You can use snapshots throughout the process of creating your reference image if you make a mistake. Most importantly for me, however, is being able to take a snapshot before capturing the image. This allows me to revert back after sysprep, which is helpful for running future updates, because I do not have to build the reference from scratch.
Once you have you VM ready, install Windows 10 from a CD, USB, or ISO. There’s nothing special here, just a default installation. Once installation as completed, I would recommend clicking “Customize settings” and changing ALL of the options after install to No. This will strengthen the privacy setting for Windows 10.
After the Customize settings screens, your VM will probably restart. After that, depending on the version of Windows 10 (Pro, Enterprise, Education), you may see different options on the following screenshot. Click “Join a domain”.
Because this is a reference image, we will actually do neither of these options. When you click Join a domain, you have the option of creating a local account, which is what we want. You can name this account whatever you like, because we are going to be deleting it anyway.
Customize the Reference Image
The first thing we will do is activate the built-in Administrator account and delete the account created during Windows OOBE (out-of-box experience). We will use the built-in account to create our default profile, so we will do all of our work from here. We use the built-in account because both ConfigMgr and MDT have actions to disable this account in the task sequence. To do this, right-click on the Start Menu and click “Computer Management”. Expand “Local Users and Groups” and select “Users”. Double-click on “Administrator”. Uncheck the “Account is disabled” box and click OK.
Now, log out of this account and log back in as “Administrator”.
Remove Default Modern Apps
This is an enterprise build, so we do not need the built-in apps such as Xbox, Groove, etc. You can elect to leave any of these by just omitting the line, but here’s a PowerShell script that will remove this apps (also available to download at the bottom of the page):
# Groove Music/Zune
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Zune*”} | Remove-AppxProvisionedPackage -Online
# Xbox
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*XboxApp*”} | Remove-AppxProvisionedPackage -Online
# 3DBuilder
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*3DBuilder*”} | Remove-AppxProvisionedPackage -Online
# All Bing Apps
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Bing*”} | Remove-AppxProvisionedPackage -Online
# Messaging
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Messaging*”} | Remove-AppxProvisionedPackage -Online
# All Office Apps
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Office*”} | Remove-AppxProvisionedPackage -Online
# Solitaire
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Solitaire*”} | Remove-AppxProvisionedPackage -Online
# Skype
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Skype*”} | Remove-AppxProvisionedPackage -Online
# People
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*People*”} | Remove-AppxProvisionedPackage -Online
# All Windows Apps, expect store and calculator
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Windows*” -AND $_.DisplayName -notLike “*Cal*” -AND $_.DisplayName -notLike “*Store*”} | Remove-AppxProvisionedPackage -Online
You may have a few questions on some of these, so let me talk about them. First, why am I removing Office? These applications are only pointers to Office 365. Hopefully you have this already and will be installing it via task sequence. One app the you want to keep is the Modern version of OneNote. If that is the case, replace the Office section of the script with this:
# Office, keeping OneNote
Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Office*” -AND $_.DisplayName -notLike “*OneNote*”} | Remove-AppxProvisionedPackage -Online
Next, you may be wondering about the Windows Apps. That line will remove Alarms, Camera, Maps, Phone, and Sound Recorder. If you would like to keep any of these, break that line out and exclude what you like. To get a list of applications, run this command. It will give you the DisplayName field that you can input into my remove commands.
(Get-AppxProvisionedPackage -Online).DisplayName
Windows Features
I also recommend a few changes to the installed Windows Features. To modify these, right-click on the Start Menu and select Control Panel. Click “Programs” and then select “Turn Windows features on or off”. First, I recommend enabling “.NET Framework 3.5 (includes .NET 2.0 and 3.0)”. This will install .NET 3.5, which a lot of software still requires. Microsoft still supports and patches .NET 3.5, so there’s not a big security risk here.
Modifying the rest of the features is up to you, but I would suggest looking at Simple TCPIP services and TelNet Client.
Other Recommendations
I would recommend putting the CMTrace tool somewhere in the image, especially if you using SCCM. This tool is vital when reading ConfigMgr logs. Where you put it is up to you, though I create a folder in Program Files (x86) for it.
Next, I would go ahead and enable Previous Versions and set it to 10% of the hard drive. You can set this according to your organization, especially if you have network storage. To enable this, right-click on the Start Menu and select System. Click “Advanced System Settings” in the left panel and go to the “System Protection” tab. Now, click the Configure button. Enable system protection, and configure the usage using the slider.
Another good option to set is how folders and files display. I like to keep mine on hide hidden folders and show all file extensions. To do this, open a File Explorer window. In the ribbon, click View, and then Options. Navigate to the “View” tab and make sure “Don’t show hidden files, folders, or drives” is selected. Also, make sure “Hide extensions for known file types” is unchecked.
Make any further modifications needed by organization. Be sure to get the Start Menu laid out as well.
When you are done, make sure to run all Windows Updates. In Part 2, we will capture this for ConfigMgr deployment.
Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistant.
