Deploy Windows 10 Part 1

Deploying Windows 10: Part 1

This next series of posts will deal with deploying Windows 10 from ConfigMgr and MDT. I will be using the latest versions of all software: Windows 10 v1511, ConfigMgr 1511 and MDT 2013 Update 1. Part one will focus on creating your reference image, part two will focus on capturing and deploying your image with ConfigMgr 1511, and part three will focus on capturing and deploying your image with MDT 2013 Update 1.

Creating your reference image is not that much different from Windows 8.1. You can configure a default profile, install any applications that you need, and configure the OS using the many of the same methods. This series will simply serve as guide to doing all of this, and will include some best practices as well as my recommendations.

I will be using Windows 10 Enterprise 64-bit for my reference image.

Installing Windows 10

I always recommend creating reference images on a virtual machine platform that can do snapshots or checkpoints. I come from the VMware world, so I will refer to them as snapshots throughout this series, but the terms are interchangeable. You can use snapshots throughout the process of creating your reference image if you make a mistake. Most importantly for me, however, is being able to take a snapshot before capturing the image. This allows me to revert back after sysprep, which is helpful for running future updates, because I do not have to build the reference from scratch.

Once you have you VM ready, install Windows 10 from a CD, USB, or ISO. There’s nothing special here, just a default installation. Once installation as completed, I would recommend clicking “Customize settings” and changing ALL of the options after install to No. This will strengthen the privacy setting for Windows 10.


After the Customize settings screens, your VM will probably restart. After that, depending on the version of Windows 10 (Pro, Enterprise, Education), you may see different options on the following screenshot. Click “Join a domain”.


Because this is a reference image, we will actually do neither of these options. When you click Join a domain, you have the option of creating a local account, which is what we want. You can name this account whatever you like, because we are going to be deleting it anyway.

Customize the Reference Image

The first thing we will do is activate the built-in Administrator account and delete the account created during Windows OOBE (out-of-box experience). We will use the built-in account to create our default profile, so we will do all of our work from here. We use the built-in account because both ConfigMgr and MDT have actions to disable this account in the task sequence. To do this, right-click on the Start Menu and click “Computer Management”. Expand “Local Users and Groups” and select “Users”. Double-click on “Administrator”. Uncheck the “Account is disabled” box and click OK.


Now, log out of this account and log back in as “Administrator”.

Remove Default Modern Apps

This is an enterprise build, so we do not need the built-in apps such as Xbox, Groove, etc. You can elect to leave any of these by just omitting the line, but here’s a PowerShell script that will remove this apps (also available to download at the bottom of the page):

# Groove Music/Zune

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Zune*”} | Remove-AppxProvisionedPackage -Online

# Xbox

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*XboxApp*”} | Remove-AppxProvisionedPackage -Online

# 3DBuilder

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*3DBuilder*”} | Remove-AppxProvisionedPackage -Online

# All Bing Apps

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Bing*”} | Remove-AppxProvisionedPackage -Online

# Messaging

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Messaging*”} | Remove-AppxProvisionedPackage -Online

# All Office Apps

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Office*”} | Remove-AppxProvisionedPackage -Online

# Solitaire

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Solitaire*”} | Remove-AppxProvisionedPackage -Online

# Skype

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Skype*”} | Remove-AppxProvisionedPackage -Online

# People

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*People*”} | Remove-AppxProvisionedPackage -Online

# All Windows Apps, expect store and calculator

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Windows*” -AND $_.DisplayName -notLike “*Cal*” -AND $_.DisplayName -notLike “*Store*”} | Remove-AppxProvisionedPackage -Online

You may have a few questions on some of these, so let me talk about them. First, why am I removing Office? These applications are only pointers to Office 365. Hopefully you have this already and will be installing it via task sequence. One app the you want to keep is the Modern version of OneNote. If that is the case, replace the Office section of the script with this:

# Office, keeping OneNote

Get-AppxProvisionedPackage -Online | Where-Object -FilterScript {$_.DisplayName -like “*Office*” -AND $_.DisplayName -notLike “*OneNote*”} | Remove-AppxProvisionedPackage -Online

Next, you may be wondering about the Windows Apps. That line will remove Alarms, Camera, Maps, Phone, and Sound Recorder. If you would like to keep any of these, break that line out and exclude what you like. To get a list of applications, run this command. It will give you the DisplayName field that you can input into my remove commands.

(Get-AppxProvisionedPackage -Online).DisplayName

Windows Features

I also recommend a few changes to the installed Windows Features. To modify these, right-click on the Start Menu and select Control Panel. Click “Programs” and then select “Turn Windows features on or off”. First, I recommend enabling “.NET Framework 3.5 (includes .NET 2.0 and 3.0)”. This will install .NET 3.5, which a lot of software still requires. Microsoft still supports and patches .NET 3.5, so there’s not a big security risk here.

Modifying the rest of the features is up to you, but I would suggest looking at Simple TCPIP services and TelNet Client.

Other Recommendations

I would recommend putting the CMTrace tool somewhere in the image, especially if you using SCCM. This tool is vital when reading ConfigMgr logs. Where you put it is up to you, though I create a folder in Program Files (x86) for it.

Next, I would go ahead and enable Previous Versions and set it to 10% of the hard drive. You can set this according to your organization, especially if you have network storage. To enable this, right-click on the Start Menu and select System. Click “Advanced System Settings” in the left panel and go to the “System Protection” tab. Now, click the Configure button. Enable system protection, and configure the usage using the slider.


Another good option to set is how folders and files display. I like to keep mine on hide hidden folders and show all file extensions. To do this, open a File Explorer window. In the ribbon, click View, and then Options. Navigate to the “View” tab and make sure “Don’t show hidden files, folders, or drives” is selected. Also, make sure “Hide extensions for known file types” is unchecked.


Make any further modifications needed by organization. Be sure to get the Start Menu laid out as well.

When you are done, make sure to run all Windows Updates. In Part 2, we will capture this for ConfigMgr deployment.


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistant.



Contact Us

On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
WME Cybersecurity Briefings No. 008
Cyber Security

WME Security Briefing 03 May 2024

Security Bulletin: MITRE Corporation Targeted by Nation-State Cyber Attack Overview The MITRE Corporation, a prominent security and cybersecurity researcher in the USA, has fallen prey to compromise in its environment because of a sophisticated cyberattack from

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.