By Johan Arwidmark / May 20, 2022
Here is a step-by-step quick guide on building the perfect Windows 11 21H2 reference image using Microsoft Deployment Toolkit (MDT) 8456.
Real World Note: Since Windows Vista, there is no technical requirement to create reference images in order to deploy Windows. After all, the ISO that you download from Microsoft contains WIM images that are in a deployable state. The main reason for creating reference images, meaning images with one or more applications in them, is often just deployment speed, and to some extent network efficiency (WIM images are highly compressed). However, in a world with better and better peer-to-peer solutions, better networking, and better hardware, you can make deployments go quite fast even without a reference image. More and more organizations are moving to a thin image, and deploy settings and applications at deployment time instead. If you still need a reference image, here is how to create one.
Block Internet Access
Because Windows 11 aggressively updates its native applications, which is known to break Sysprep, make sure the virtual machine does not have Internet access during the build and capture process.
Registry and state.ini Options
Tip: Daniel Barras (thank you) commented about a solution I was not aware of, removing the need for blocking Internet access. Please see the discussion in the comments section. The use of state.ini reduces some cleanup options you may want to do. Also, thanks to Steyrs for providing the below steps:
Adding a registry key.
Add a "Run command line" in your task sequence.
Enter this as your Command line:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState /t REG_SZ /d "IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE" /f
Create the state.ini file
Here is an example of a state.ini file:
[State]
ImageState=IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE
Replace state.ini file
Add a "Run command line" in your task sequence.
Enter this as your Command line:
xcopy "%SCRIPTROOT%\State.ini" %windir%\setup\state\ /H /Y
Place your modified State.ini file in your "scripts" folder (e.g.: C:\DeploymentShare\Scripts).
That way it will get copied to your client when running the task sequence.
Add those two command lines before the Sysprep step.
I added them in my State Restore section of the task sequence.
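A pre-Sysprep check for the two settings above and for the Appx condition described in the Block Internet Access section, as an added example (not part of the original post or of MDT). The function names are hypothetical and the framework/system-package filter is a heuristic; run it elevated on the reference VM in a step placed just before Sysprep.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post or of MDT.
# Run on the reference VM from a task sequence step placed just before Sysprep.

$StateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State'
$StateIni = Join-Path $env:windir 'Setup\State\State.ini'

# Report the ImageState value currently in the registry and in State.ini, so
# the build log shows whether the two task sequence steps actually applied.
function Get-ImageStateReport {
    $reg   = (Get-ItemProperty -Path $StateKey -Name ImageState -ErrorAction SilentlyContinue).ImageState
    $found = Test-Path -LiteralPath $StateIni
    $ini   = $null
    if ($found) {
        foreach ($line in Get-Content -LiteralPath $StateIni -Force) {
            if ($line -match '^\s*ImageState\s*=\s*(\S+)') { $ini = $Matches[1]; break }
        }
    }
    [pscustomobject]@{ Registry = $reg; StateIniFound = $found; StateIni = $ini }
}

# List Appx packages that are installed for a user but either not provisioned
# for all users, or newer than the provisioned copy (typically a Store update).
# Heuristic: framework and system-signed packages are skipped.
function Get-SysprepAppxRisk {
    $provisioned = @{}
    foreach ($p in Get-AppxProvisionedPackage -Online) {
        $provisioned[$p.DisplayName] = [version]$p.Version
    }
    foreach ($pkg in Get-AppxPackage -AllUsers) {
        if ($pkg.IsFramework -or $pkg.SignatureKind -eq 'System') { continue }
        $reason = $null
        if (-not $provisioned.ContainsKey($pkg.Name)) {
            $reason = 'NotProvisioned'
        } elseif ([version]$pkg.Version -gt $provisioned[$pkg.Name]) {
            $reason = 'NewerThanProvisioned'
        }
        if ($reason) {
            [pscustomobject]@{
                Name        = $pkg.Name
                Version     = $pkg.Version
                Provisioned = $provisioned[$pkg.Name]
                Reason      = $reason
            }
        }
    }
}

$state = Get-ImageStateReport
$risks = @(Get-SysprepAppxRisk)
$state | Format-List
$risks | Format-Table -AutoSize

# A non-zero exit code lets the calling task sequence step report failure
# before Sysprep runs, instead of after a failed generalize.
if ($risks.Count -gt 0) { exit 1 }
```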
Software Requirements
MDT can be installed either on a file server or on your own laptop, but in this scenario I use a file server named MDT01. Deployment of Windows 11 21H2 is only supported using Windows ADK for Windows 11 21H2, which supports both Windows 10 21H2 and Windows 11 21H2, but in my testing I found it working well even on older versions of the Windows ADK, like the Windows ADK 2004.
Note: Please don't use the newly released (May 2022) Windows ADK for Windows 11 22H2. It's not fully compatible with MDT 8456 since it no longer contains the x86 version of WinPE which MDT expects to find.
For this guide you need the following software.
- Windows 11 Enterprise 21H2 (make sure to use the latest media).
- Windows ADK for Windows 11 21H2: Download and install the Windows ADK | Microsoft Docs
Note: Since the release of Windows ADK for Windows 11 22H2, which is not compatible with MDT 8456, you find the 21H2 version under other downloads / ADK for Windows 11. The version of the adksetup.exe should be 10.1.22000.1. The same goes for the WinPE Addon.
- WinPE Addon for Windows ADK for Windows 11 21H2: Download and install the Windows ADK | Microsoft Docs
- Microsoft Deployment Toolkit (MDT) 8456: Microsoft Deployment Toolkit documentation | Microsoft Docs
- MDT 8456 HotFix: Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware
- Script to relax default deployment share permissions: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Set-MDTBuildLabPermissions.ps1
Step-by-Step Guide
The entire process for creating a Windows 11 image using MDT takes about 20 – 30 minutes, fully automated. This guide covers the following seven steps:
- Step 1 – Install Windows ADK for Windows 11, and MDT 8456
- Step 2 – Create the MDT Build Lab Deployment Share
- Step 3 – Import the Windows 10 operating system
- Step 4 – Add applications
- Step 5 – Create the MDT Task Sequence
- Step 6 – Configure the deployment share
- Step 7 – Create Windows Reference Images
Step 1 – Install Windows ADK for Windows 11, and MDT 8456
In this example I have a virtual machine named MDT01, running Windows Server 2022 LTSC (Windows Server 2016 LTSC or Windows Server 2019 LTSC is fine too). The VM has 2 vCPUs and 4 GB RAM.
1. On MDT01, install Windows ADK for Windows 11, and select the following components:
- Deployment Tools
- Imaging and Configuration Designer (ICD)
- Configuration Designer
- User State Migration Tool (USMT)
2. Install WinPE Addon for Windows ADK for Windows 11, and select the following component:
- Windows Preinstallation Environment (Windows PE)
3. Install MDT 8456 using the default settings.
4. Install the MDT 8456 HotFix by extracting MDT_KB4564442.exe to a folder. In my lab, I extracted it to the E:\Setup\MDT 8456 HotFix folder.
4a. Copy the x86 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x86 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86. Replace the existing file.
4b. Copy the x64 version of the new Microsoft.BDD.Utility.dll from E:\Setup\MDT 8456 HotFix\x64 to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. Replace the existing file.
Step 2 – Create the MDT Build Lab Deployment Share
1. On MDT01, using the Deployment Workbench (available on the start screen), right-click Deployment Shares and select New Deployment Share. Use the following settings for the New Deployment Share Wizard (my data volume on MDT01 is E:):
a. Deployment share path: E:\MDTBuildLab
b. Share name: MDTBuildLab$
c. Deployment share description: MDT Build Lab
d. Options: (default)
2. Once the deployment share is created, you also want to relax the security a bit. MDT locks it down too hard by default. Use the following PowerShell script (named Set-MDTBuildLabPermissions.ps1) to set some better permissions (modify the script to fit your environment):
#Requires -RunAsAdministrator

# Configure NTFS Permissions for the MDT Build Lab deployment share
$DeploymentShareNTFS = "E:\MDTBuildLab"
icacls $DeploymentShareNTFS /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(RX)'
icacls $DeploymentShareNTFS /grant '"Administrators":(OI)(CI)(F)'
icacls $DeploymentShareNTFS /grant '"SYSTEM":(OI)(CI)(F)'
icacls "$DeploymentShareNTFS\Captures" /grant '"VIAMONSTRA\MDT_BA":(OI)(CI)(M)'

# Configure Sharing Permissions for the MDT Build Lab deployment share
$DeploymentShare = "MDTBuildLab$"
Grant-SmbShareAccess -Name $DeploymentShare -AccountName "EVERYONE" -AccessRight Change -Force
Revoke-SmbShareAccess -Name $DeploymentShare -AccountName "CREATOR OWNER" -Force
Note: In my environment the MDT01 server is joined to a domain, and my service account used for the deployments is VIAMONSTRA\MDT_BA. If using a different domain, or if using a workgroup server for your build and capture, modify the Set-MDTBuildLabPermissions.ps1 script to reflect that.
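A read-only check of the result, as an added example (not part of Set-MDTBuildLabPermissions.ps1). Because the script grants EVERYONE Change at the share level, the NTFS ACL is what actually limits who can alter the scripts and rules that run during a build, so this lists every principal with write-capable NTFS rights that is not on an expected list. The expected list and the function name are assumptions derived from the grants in the script above.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of Set-MDTBuildLabPermissions.ps1. Read-only.
$DeploymentShareNTFS = 'E:\MDTBuildLab'
$DeploymentShare     = 'MDTBuildLab$'
$BuildAccount        = 'VIAMONSTRA\MDT_BA'

# Principals expected to hold write-capable NTFS rights, per folder
# (assumption derived from the icacls grants in the script above).
$Admins   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
$Expected = @{}
$Expected[$DeploymentShareNTFS]            = $Admins
$Expected["$DeploymentShareNTFS\Captures"] = $Admins + $BuildAccount

# Write, delete, change-permissions and take-ownership rights, plus the raw
# GENERIC_WRITE and GENERIC_ALL bits that Get-Acl can return for some entries.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fsr::Write -bor $Fsr::Delete -bor $Fsr::DeleteSubdirectoriesAndFiles -bor
                   $Fsr::ChangePermissions -bor $Fsr::TakeOwnership) -bor 0x50000000

# Return every Allow entry on $Path that carries a write-capable right and
# whose identity is not in $Allowed.
function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Allowed = @()
    )
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $writes = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $writes -and
            $ace.IdentityReference.Value -notin $Allowed) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Share-level view: after the script, EVERYONE should have Change and
# CREATOR OWNER should no longer be listed.
Get-SmbShareAccess -Name $DeploymentShare |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# NTFS-level view: anything listed here can modify content in the share
# without being on the expected list.
$findings = foreach ($path in $Expected.Keys) {
    if (Test-Path -LiteralPath $path) {
        Get-UnexpectedWriter -Path $path -Allowed $Expected[$path]
    }
}
$findings | Sort-Object Path, Identity | Format-Table -AutoSize
```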
Step 3 – Import the Windows 10 operating system
Note: Make sure to always download the latest version of Windows 10 Enterprise 21H2. Microsoft releases new media monthly.
On MDT01, mount the Windows 11 Enterprise x64 21H2.iso media (or whatever you named it). On my server it was mounted to the D: drive.
- Using the Deployment Workbench, expand the Deployment Shares node, expand MDT Build Lab, select the Operating Systems node and create a folder named Windows 11.
- Right-click the Windows 11 node, and select Import Operating System. Use the following settings for the Import Operating System Wizard.
- Full set of source files
- Source directory: D:
- Destination directory name: REFW11X64-21H2
- After adding the operating system, in the Windows 11 node, remove the indexes/images you don't need, and rename the remaining operating system to Windows 11 Enterprise x64 21H2
Note: The Windows 10 media comes with many Windows versions. In the below example I simply removed all but the Enterprise version, and gave it a better name.
Step 4 – Add applications
In this example you add Microsoft 365 Apps for enterprise (formerly named Microsoft Office 365 ProPlus) to MDT. Use the Office Deployment Toolkit (ODT) to create a package of Microsoft 365 Apps for enterprise before continuing with these steps.
1. On MDT01, download the Office Deployment Toolkit (ODT), and extract it to E:\Setup\ODT.
2. Using an elevated Command prompt, download the installers by running the following command:
setup.exe /download configuration-Office365-x64.xml
3. Using the Deployment Workbench, expand Deployment Shares / MDT Build Lab / Applications and create a folder named Microsoft.
4. Right-click the Microsoft folder, and select New Application. Use the following settings for the New Application Wizard:
- Application with source files
- Publisher:
- Application name: Install – Microsoft 365 Apps for enterprise
- Version:
- Source Directory: E:\Setup\ODT
- Specify the name of the directory that should be created: Install – Microsoft 365 Apps for enterprise
- Command Line: setup.exe /configure configuration-Office365-x64.xml
- Working directory: (default)
Step 5 – Create and Configure the MDT Task Sequence
- On MDT01, using the Deployment Workbench, in the MDT Build Lab deployment share, select the Task Sequences node, and create a folder named Windows 10.
- Expand the Task Sequences node, right-click on the Windows 10 node, and select New Task Sequence. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: REFW11-X64-001
- Task sequence name: Windows 11 Enterprise x64 21H2
- Task sequence comments: Reference Build
- Template: Standard Client Task Sequence
- Select OS: Windows 11 Enterprise x64 21H2
- Specify Product Key: Do not specify a product key at this time
- Full Name: ViaMonstra
- Organization: ViaMonstra
- Internet Explorer home page: about:blank
- Do not specify an Administrator password at this time
- Edit the task sequence by navigating to the Task Sequences / Windows 11 folder, right-click the Windows 11 Enterprise x64 21H2 task sequence, and select Properties.
- On the Task Sequence tab, configure the Windows 11 Enterprise x64 21H2 task sequence with the following settings:
- In the State Restore / Custom Tasks group, add a new Install Application action with the following settings:
Name: Install – Microsoft 365 Apps for enterprise
Install a Single Application: Install – Microsoft 365 Apps for enterprise
Step 6 – Configure the deployment share
To configure the deployment settings, you modify the two rules files (Bootstrap.ini and CustomSettings.ini). You can do this either via the MDT Build Lab deployment share properties, or directly in the file system, in the E:\MDTBuildLab\Control folder. Below you find the configurations I used in this guide.
Bootstrap.ini
[Settings]
Priority=Default

[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd
SkipBDDWelcome=YES
CustomSettings.ini
[Settings]
Priority=Default

[Default]
_SMSTSORGNAME=ViaMonstra
UserDataLocation=NONE
ComputerBackupLocation=NETWORK
DoCapture=YES
OSInstall=Y
AdminPassword=P@ssw0rd
TimeZoneName=Pacific Standard Time
JoinWorkgroup=WORKGROUP
HideShell=NO
FinishAction=SHUTDOWN
ApplyGPOPack=NO
BackupShare=\\MDT01\MDTBuildLab$
BackupDir=Captures
BackupFile=%TaskSequenceID%_#month(date) & "-" & day(date) & "-" & year(date)#.wim
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
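A quick audit for credentials stored in clear text in the two rules files, as an added example (not part of MDT or of the original post). Bootstrap.ini is also built into the Lite Touch boot image, so whatever the scan finds there ships inside the ISO. The function name is hypothetical, and the inline sample is the Bootstrap.ini shown in this guide.

```powershell
# Added example, not part of MDT or of the original post.
# Flags properties whose name ends in "Password" and that carry a value in an
# MDT rules file. The value itself is never printed, only its length.
function Find-MdtRuleSecret {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][AllowEmptyString()][string[]]$Line,
        [string]$Source = '(inline)'
    )
    $section = ''
    $number  = 0
    foreach ($raw in $Line) {
        $number++
        $text = $raw.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }       # blank or comment
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($text -match '^(?<key>[^=]+?)\s*=\s*(?<value>.*)$') {
            $key   = $Matches['key']
            $value = $Matches['value']
            # Skip* wizard switches such as SkipAdminPassword=YES are not secrets.
            if ($key -match 'Password$' -and $key -notmatch '^Skip' -and $value -ne '') {
                [pscustomobject]@{
                    Source      = $Source
                    Line        = $number
                    Section     = $section
                    Property    = $key
                    ValueLength = $value.Length
                }
            }
        }
    }
}

# Sample input: the Bootstrap.ini shown in this guide.
$sample = @'
[Settings]
Priority=Default

[Default]
DeployRoot=\\MDT01\MDTBuildLab$
UserDomain=VIAMONSTRA
UserID=MDT_BA
UserPassword=P@ssw0rd
SkipBDDWelcome=YES
'@ -split "`r?`n"
Find-MdtRuleSecret -Line $sample -Source 'Bootstrap.ini (sample)'

# Scan the real files when run on the MDT server (folder path from this guide).
$control = 'E:\MDTBuildLab\Control'
foreach ($name in 'Bootstrap.ini', 'CustomSettings.ini') {
    $file = Join-Path $control $name
    if (Test-Path -LiteralPath $file) {
        Find-MdtRuleSecret -Line @(Get-Content -LiteralPath $file) -Source $file
    }
}
```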
- On MDT01, modify the Bootstrap.ini and CustomSettings.ini per the preceding examples.
- Using the Deployment Workbench, right-click the MDT Build Lab deployment share and select Properties.
- In the Windows PE tab, in the Platform dropdown list, make sure x86 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
- Image description: MDT Build Lab x86
- ISO file name: MDT Build Lab x86.iso
- Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
- Selection profile: Nothing
- Select the Include all drivers from selection profile option
Configuring the deployment share not to add the Windows 10 CU into the boot image.
- In the Windows PE tab, in the Platform dropdown list, make sure x64 is selected. Then in the Lite Touch Boot Image Settings area, configure the following settings:
- Image description: MDT Build Lab x64
- ISO file name: MDT Build Lab x64.iso
- Still in the Windows PE tab, select the Drivers and Patches tab, and configure the following:
- Selection profile: Nothing
- Select the Include all drivers from selection profile option
- Click OK.
- Update the deployment share by right-clicking the MDT Build Lab deployment share and selecting Update Deployment Share. Use the default options for the Update Deployment Share wizard.
Step 7 – Create Windows Reference Images
Now it is time to create a Windows 10 Reference WIM Image, fully automated.
Note: To make sure Sysprep does not fail during the build and capture process, make sure the virtual machine you are using does not have Internet access during the entire process.
- On MDT01, copy the E:\MDTBuildLab\Boot\MDT Build Lab x64.iso file to your VMware or Hyper-V machine.
- Create a virtual machine named REF001, assign it 2 vCPUs and 4 GB RAM. Then mount MDT Build Lab x64.iso on the virtual machine.
- Start the REF001 virtual machine, and allow it to boot. Then complete the Deployment Wizard using the below settings:
- Select a task sequence to execute on this computer: Windows 11 Enterprise x64 21H2
- Specify whether to capture an image: Capture an image of this reference computer.
- Location:
- File name:
The task sequence will now do the following:
- Install the Windows 10 Enterprise operating system.
- Install the added applications, roles, and features.
- Stage WinPE on the local disk.
- Run Sysprep and reboot into WinPE.
- Capture the Windows 10 installation to a WIM file.
Resources
Note: Please also check these posts:
Image Factory
To automate this process even further (you still need to do the steps in this guide first), check out the Image Factory for Hyper-V solution by Mikael Nystrom (@mikael_nystrom).
http://github.com/DeploymentBunny/ImageFactoryV3ForHyper-V
About the author
Johan Arwidmark
72 Comments
Rae Ward
11 days ago
Can someone please explain why the recommendation is to set image state in the reg key and the state.ini file to different values? Or is this a mistake and if they should be the same, which one is it – IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE or IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE?
Reply
Author
Johan Arwidmark
5 days ago
Reply to Rae Ward
I haven't tested those scenarios much; I added them after recommendations from our community. I hope someone can contribute. You can also try posting this question here: https://academy.viamonstra.com/products/communities/voa-community
Reply
Ray Dean
2 months ago
What do I put in the State.ini file, exactly? Should I create a state.ini file, or am I modifying an existing one? I don't see anything under my Build share "scripts" folder…
Reply
Author
Johan Arwidmark
2 months ago
Reply to Ray Dean
Per the state.ini contributors of this post, Daniel and Steyrs, the state.ini file should be copied to the C:\Windows\setup\state folder during deployment. The state.ini file should look like this, per Daniel's example:
[State]
ImageState=IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE
1
Reply
Ray Dean
2 months ago
Reply to Johan Arwidmark
I just wanted to report to all that all the steps worked. I noticed the NIC was indeed disabled during the sysprep phase. However, before that, I did see the Win 11 setup process still reach out to the internet for updates, so I think the general recommendation to cut off internet access is best. Don't know how to do that in vSphere.
Reply
James
2 months ago
Hello Johan, I create the server image of physical 2016 server. Should I have to follow the same procedure or is there any changes I have to make? Step 1 – I installed the ADK, Windows PE add on and last I installed the MDT on the server. 2 – created the Deployment kit on workbench 3 – Imported the operating system on Deployment KIT 4 – Create the Task Sequence 5 . Advance Configuration > Media to capture the lite touch ISO When I follow the whole procedure I don't see the ISO in Media Folder. Please assist for…Read more »
Reply
Author
Johan Arwidmark
2 months ago
Reply to James
The MDT build and capture process creates a WIM file in the captures folder, not an ISO file.
Reply
Ahmed
5 months ago
Hello Johan,
Thanks for the informative guide, what do you recommend during creating reference image:
- Should I install the latest Windows update before capturing the WIM file?
- What do you use to clean up Windows before capturing the image?
- Any other recommendations for building the reference image based on your experience?
Thanks,
Reply
Author
Johan Arwidmark
4 months ago
Reply to Ahmed
I recommend using already updated media to build an image that includes applications. Don't do build and capture unless you need to add applications to your image.
Reply
Graham Perkins
1 year ago
If you happen to be putting Notepad++ in your images, be warned that version 8.5 and up install a UWP package that will cause Sysprep to fail. The registry key and state.ini will get around the error when capturing, but the image won't deploy correctly.
I disable Windows Store updates using the Deployment Research scripts mentioned in the v1809 guides
Reply
Hugo
1 year ago
Anyone has this working with Windows 11 22H2?
When deploying at first reboot it doesn't auto login.
Can't see anything much in the logs.
Thank you very much.
4
Reply
Author
Johan Arwidmark
1 year ago
Reply to Hugo
Sorry for the late reply, but this has worked nicely for me with Windows 11 22H2.
Reply
Stig Bergene
9 months ago
Reply to Johan Arwidmark
22H2 Works for me as well, but not 23H2
Reply
Author
Johan Arwidmark
9 months ago
Reply to Stig Bergene
I've had no issues doing a build and capture of Windows 11 23H2 in MDT as long as it's a Hyper-V Gen 1 (BIOS-based) VM, and Internet access has been blocked during the build and capture process. Here is a simple way to do that: https://www.deploymentresearch.com/block-internet-access-to-a-hyper-v-vm/
Reply
Reply to Hugo
I've got the same issue when trying to deploy windows 11 22H2.
For some reason Windows 10 22H2 works fine.
Did you manage to get this resolved Hugo?
Reply
Donato Brea
1 year ago
Hi, thank you for this post.
Followed it (Using Win11 22H2 Enterprise Volume License) but having an issue after the sysprep step. Instead of booting into the WinPE to do capture, it boots to the OS takes like 15 minutes on "Working on things…" and finally show an error: Could not find script "C:\LTIBootStrap.vbs"
Could someone point me the right direction?
Thanks
Reply
Author
Johan Arwidmark
1 year ago
Reply to Donato Brea
Hi Donato,
The only thing that comes to mind is the MDT 8456 hotfix missing in the deployment share. Please reach out to me on LinkedIn and I can help: https://www.linkedin.com/in/jarwidmark/
Reply
Foegi
8 months ago
Reply to Donato Brea
The error appears only on UEFI VMs at the execute sysprep step when sysprepping and capturing within VMware. This does not happen on legacy BIOS VMs.
The task sequence should reboot and get back into WinPE, but it is booting back into Windows. This bug is caused by a pending Windows reboot. The sysprep step will reboot the VM, but MDT already set up the VM to reboot into WinPE, so the pending Windows reboot is still there.
This error can be fixed by adding a Restart Computer step just before the Imaging step in State Restore.
1
Reply
Runa Anderson
1 year ago
Thanks for Article, Johan. I think about Virtual Machine, can I use VirtualBox for alternative from VMware or Hyper-V? My laptop was too potato or low-end for using VM besides VirtualBox. And, Do you think I can do deploying Windows without Virtual Machine and do it in Real Hardware?
Reply
Author
Johan Arwidmark
1 year ago
Reply to Runa Anderson
Virtual Box or Proxmox should be ok, but I haven't tested. That being said, never, ever, build the images directly from physical hardware.
These days, pretty much any PC supporting Windows 10 or Windows 11 is capable of running one VM in Hyper-V.
/ Johan
Reply
Matt Partain
1 year ago
With steyrs and others advice, Adding state.ini and the registry key DO work to allow sysprep to work properly, PROVIDED TWO additional things: Do not at any point remove modern apps (remove-appx… PowerShell command or manually). This will cause Sysprep to fail with the error that an application was installed for a user, but not for all users. We can probably fine-tune what can and cannot be safely removed before sysprep, but I just kept all pre-installed modern apps. If you enable long paths in the registry ("LongPathsEnabled" = 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem), you must disable it before sysprep, or sysprep…Read more »
Reply
Tim
1 year ago
I've been looking around the internet but can't find if there is a way to reset "Smart App Control" for these captured images; it was enabled during the time of capture. It kind of looks like this is automatically disabled if the hardware is not the same source, because I have reimaged to a VM on the same hardware and it was still enabled. If it was "on" during capture, I don't see why it would be an issue to maintain it on the new hardware.
Last edited 1 year ago by Tim
Reply
Author
Johan Arwidmark
1 year ago
Reply to Tim
While there are registry keys controlling "Smart App Control", I'm afraid you have to create a new image if enabled during capture.
Reply
Matt Partain
1 year ago
There is just no good way to keep the Windows 11 machine off the internet as I build it and sysprep it. So, I have followed the advice about setting the registry key and state.ini, but am still unable to sysprep. I have tried this in multiple places, even incorporating it into the unattend.xml in the oobeSystem pass. In every case, the setuperr log during (attempted) sysprep is:
SYSPRP Package Microsoft.SecHealthUI_1000.22621.1.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
2023-03-01 10:45:44, Error SYSPRP Failed to remove apps for the current user: 0x80073cf2.
2023-03-01 10:45:44, Error…Read more »
Reply
Author
Johan Arwidmark
1 year ago
Reply to Matt Partain
Your mileage with the state.ini might vary, I haven't used it much. Blocking Internet access for a VM is usually quite easy. For Hyper-V VMs you can use the Add-VMNetworkAdapterAcl cmdlet to block certain IP addresses.
Here is an example: Add-VMNetworkAdapterAcl -VMName PC0011 -RemoteIPAddress 192.168.1.1 -Direction Both -Action Deny
Otherwise you have to add a script just before sysprep that removes the user-installed appx packages: Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike '*store*'} | Remove-AppxPackage -ErrorAction SilentlyContinue
1
Reply
Jason
1 year ago
Sysprep never runs. It just reboots the VM back to a login prompt. The disable Internet script doesn't do anything. The VM has WWW access after first reboot. Neither running a script or entering the command directly disables WWW for the VM. Also, the registry add and state.ini steps don't seem to do anything either. What am I missing?
Reply
Author
Johan Arwidmark
1 year ago
Reply to Jason
Not sure why the disable Internet script won't work, but you can also block it on the VM level. Here is an example for Hyper-V, where I'm blocking access to the default gateway: Add-VMNetworkAdapterAcl -VMName REF001 -RemoteIPAddress 192.168.1.1 -Direction Both -Action Deny
Reply
Mark
1 year ago
Ever since 22H2 it seems that the Unattend.xml file is not processed.
I can create and capture fine, but when we go to redeploy it, once it loads into Windows it doesn't autologin and just stops at the login screen. The password we set for administrator also doesn't work.
1
Reply
Author
Johan Arwidmark
1 year ago
Reply to Mark
Even though MDT does not officially support Windows 11, I have not seen that behavior with Windows 11 22H2. Are you deploying with MDT as well?
Reply
Hugo
1 year ago
Reply to Mark
Hi Mark.
I have exactly the same problem. Did you manage to fix it?
Thank you.
Reply
Hugo
1 year ago
Reply to Mark
Hi Mark.
I have exactly the same problem with Windows 11 22H2.
Did you manage to fix it?
Please let me know.
Thank you very much.
Reply
Craig
1 year ago
I am having an issue where the VM locks up right as sysprep is finishing. It will not reboot to actually capture the image. If I force the VM to shut down and come back up it just loads into windows 11 and does not capture the image. Any thoughts?
Reply
Author
Johan Arwidmark
1 year ago
Reply to Craig
Sorry for the very late reply, but nothing I've seen. Is this Hyper-V or VMWare? I know that VMware workstation had some issues with updated Windows 11 22H2 images, but that was fixed in version 17.
Reply
Christian
1 year ago
Reply to Craig
Hey, how did you resolve this ? I am facing the same issue…
Reply
1 year ago
https://www.deploymentresearch.com/building-a-windows-11-21h2-reference-image-using-microsoft-deployment-toolkit-mdt/#comment-3020
@Dean Here is how I did it.
Adding a registry key.
Add a "Run command line" in your task sequence.
Enter this as your Command line:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState /t REG_SZ /d "IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE" /f
Replace state.ini file
Add a "Run command line" in your task sequence.
Enter this as your Command line:
xcopy "%SCRIPTROOT%\State.ini" %windir%\setup\state\ /H /Y
Place your modified State.ini file in your "scripts" folder (e.g.: C:\DeploymentShare\Scripts).
That way it will get copied to your client when running the task sequence.
Add those two command lines before the sysprep step.
I added them in my State…Read more »
Last edited 1 year ago by steyrs
Reply
Author
Johan Arwidmark
1 year ago
Reply to steyrs
Sorry for the very late reply, but a big thank you for sharing these details. I'll update the post with them (with proper credits, of course)
1
Reply
Matt Partain
1 year ago
Reply to steyrs
How early in the State restore process do you do this? I have this step just before "Install Applications", but when I try to sysprep and capture later on, sysprep gives me "SYSPRP Package Microsoft.SecHealthUI_1000.22621.1.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users." And SecHealthUI (Defender) is not easily removed using the normal means.
Reply
Dana Simison
4 months ago
Reply to steyrs
It says to put the modified State.ini file in the scripts folder. But I don't see where we are modifying the state.ini file.
1
Reply
RomS
2 years ago
so just thought I'd add to the discussion, based on our recent experience trying to build our first reference image using latest MDT, win 11 21h2 ADK and july media. think our network blocks most of our internet traffic when building the reference image in VM, so didn't find (as far as I could tell) that I needed to do anything to block internet access or do the setup\state reg key posted by some others in chat. we also have, still in our ref creation TS to run the config-disablewindowsstoreupdates.wsf, so assuming that still works on win 11, I'm hoping…Read more »
Reply
Author
Johan Arwidmark
2 years ago
Reply to RomS
Thanks for the info, and I'm glad you got it working.
Reply
Kelly Smith
2 years ago
I added to my task sequence using these commands.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState /t REG_SZ /d IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE /f
Then edit the state.ini and use xcopy to move to destination.
cmd /c xcopy "%SCRIPTROOT%\custom\State.ini" "C:\Windows\Setup\State" /Q /H /E /I /Y
Added a custom group just before imaging step in sequence
Last edited 2 years ago by Kelly Smith
1
Reply
Keith Hemmelman
2 years ago
Johan, you reference to download and use the "Windows ADK for Windows 11 21H2" for compatibility with MDT 8456. The download link you posted doesn't have a download named like "Windows ADK for Windows 11 21H2". Is the ADK download you mean the one under 'Other ADK downloads' and named "Windows ADK for Windows 10, version 2004"? Thank you.
Reply
Author
Johan Arwidmark
2 years ago
Reply to Keith Hemmelman
Hi Keith,
Thanks for your comment. When this post was written, the Windows ADK 11 22H2 had not yet been released. I added the following to the blog post for clarity.
Note: Since the release of Windows ADK for Windows 11 22H2 which is not compatible with MDT 8456, you find the 21H2 version under other downloads / ADK for Windows 11. The version of the adksetup.exe should be 10.1.22000.1. The same goes for the WinPE Addon.
1
Reply
Keith Hemmelman
2 years ago
Reply to Johan Arwidmark
Thank you Johan for your quick reply and clarification.
Reply
Andrew
2 years ago
Hi Johan, is there a process for removing the consumer apps in Windows 11? I'm using the old method RemoveApps.ps1 which works but doesn't help with the social apps like tiktok, facebook, amazon prime sitting there after the image completes.
Reply
Author
Johan Arwidmark
2 years ago
Reply to Andrew
Hi Andrew,
Haven't had a chance to look at that yet, but I expect they are coming down via any of the consumer experience types of channels. This post may help you: https://community.spiceworks.com/topic/2339916-windows-11-deployment-without-bloatware
Reply
Ryan Janzen
2 years ago
Great article and works like a charm. Is there a way of customizing the default user profile throughout this process?
Reply
Author
Johan Arwidmark
2 years ago
Reply to Ryan Janzen
Yes, via PowerShell/scripting, loading the offline hive, etc. But please stay away from the old copy profile techniques, they don't play nicely with Windows 10 and Windows 11
/ Johan
Reply
Ryan Janzen
2 years ago
Reply to Johan Arwidmark
Any chance you may have a link to an article of yours or someone else's who has gone through the process and has it documented?
Thanks in advance
1
Reply
Author
Johan Arwidmark
2 years ago
Reply to Ryan Janzen
I'm not quite following. This post is a step-by-step guide on how to do it. If you're looking for a video-based guide, we do offer those as part of our academy courses: https://academy.viamonstra.com/
-1
Reply
Daniel Barras
2 years ago
Your "Block Internet Access" is not needed. Change the registry key at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State
ImageState to IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE
Then replace the State.ini file at C:\Windows\Setup\State to read:
[State]
ImageState=IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE
In the Custom Tasks area of your Task Sequence, before the capture, and you won't have an issue.
In my suspend task (cscript.exe "%SCRIPTROOT%\LTISuspend.wsf"), I even update all of the apps.
Last edited 2 years ago by Daniel Barras
Reply
Author
Johan Arwidmark
2 years ago
Reply to Daniel Barras
Hi Daniel,
That's a great tip, will update the post with this tip. Thanks!
/ Johan
Reply
Daniel Barras
2 years ago
Reply to Johan Arwidmark
Happy I could help. This will also work with Windows 10.
3
Reply
Brian Klish
1 year ago
Reply to Johan Arwidmark
Johan, I think you also need to update the post to include the new contents of state.ini. I read that section several times and ended up very confused what I was putting in the new state.ini file.
Reply
Author
Johan Arwidmark
1 year ago
Reply to Brian Klish
Valid point, I'll get that done.
-1
Reply
Dean
2 years ago
Reply to Daniel Barras
Can you provide some more details about how you accomplish this? I assume it's a reg key add… the second part about replacing the state.ini file is the part that confuses me more.
Reply
MDT User
2 years ago
Reply to Daniel Barras
Thank you, Barras, for posting this registry key. Can you please mention how to include both these keys in the MDT and/or WDS? That way the image system will get these changes and won't need reimaging. Thank you.
Reply
Jason
1 year ago
Reply to Daniel Barras
This did absolutely nothing in my tests. Sysprep doesn't run.
Reply
Matt Partain
1 year ago
Reply to Daniel Barras
I have tried this in multiple places, even incorporating it into the unattend.xml in the oobeSystem pass. In every case, the setuperr log during (attempted) sysprep is:
SYSPRP Package Microsoft.SecHealthUI_1000.22621.1.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
2023-03-01 10:45:44, Error SYSPRP Failed to remove apps for the current user: 0x80073cf2.
2023-03-01 10:45:44, Error
What can I do to prevent this error? I'm trying to build my first thick w11 image, and it just doesn't work.
Reply
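To see which packages are behind the error quoted in the comment above, the following added example (not part of the original thread or of MDT) extracts every package that Sysprep flags as "installed for a user, but not provisioned for all users" from setuperr.log text. The function name Get-SysprepBlockingPackage is hypothetical, and the sample lines are constructed from the ones quoted in the comment.

```powershell
# Added example: list the Appx packages that Sysprep reports as blocking
# generalize. Get-SysprepBlockingPackage is a hypothetical helper name.
function Get-SysprepBlockingPackage {
    [CmdletBinding()]
    param(
        # Lines of a Sysprep setuperr.log, for example from Get-Content.
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        $pattern = 'SYSPRP\s+Package\s+(?<full>\S+)\s+was installed for a user, but not provisioned for all users'
        $seen = @{}   # report each package only once
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                $full = $Matches['full']
                if (-not $seen.ContainsKey($full)) {
                    $seen[$full] = $true
                    # Package full name layout: Name_Version_Architecture_ResourceId_PublisherId
                    $parts = $full -split '_'
                    [pscustomobject]@{
                        Name            = $parts[0]
                        Version         = $parts[1]
                        PackageFullName = $full
                    }
                }
            }
        }
    }
}

# Constructed sample, modelled on the log lines quoted in the comment above.
$sample = @(
    '2023-03-01 10:45:44, Error                 SYSPRP Package Microsoft.SecHealthUI_1000.22621.1.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.'
    '2023-03-01 10:45:44, Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.'
)
$sample | Get-SysprepBlockingPackage | Format-Table -AutoSize

# On the reference VM, read the real log instead:
# Get-Content "$env:WINDIR\System32\Sysprep\Panther\setuperr.log" | Get-SysprepBlockingPackage
```

Any package listed was updated or installed for the build account only, which is the condition the "Block Internet Access" step is meant to prevent.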
Author
Johan Arwidmark
1 year ago
Reply to Matt Partain
Easiest way to prevent this is to block Internet access to the VM you are building.
Reply
Dana Simison
4 months ago
Reply to Daniel Barras
I have modified State.ini to read as follows:
[State]
ImageState=IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE
I've placed the modified state.ini file in E:\MDTBuildLab\Scripts\
And I've created a Custom Tasks item called Replace state.ini file with the following command line: xcopy "%SCRIPTROOT%\State.ini" %windir%\setup\state\ /H /Y
Unfortunately, this is continually failing. Seems the task sequence can't find the file.
Reply
Author
Johan Arwidmark
4 months ago
Reply to Dana Simison
I haven't played around much with the state.ini file. For now, I recommend simply disabling Internet access to the VM used for build and capture.
Reply
Kevin Bishop
2 years ago
Thank you for the article Johan! In Step 6 I've found with the latest ADK and WinPE add on that x86 WinPE is no longer supported, and then it does not install the x86 folder in the Windows Preinstallation Environment folder which the Deployment Workbench MMC requires (or crashes if it can't find it). I had to extract the x86 folder from the Windows 10 WinPE add on to make the MMC console happy.
2
Reply
Author
Johan Arwidmark
2 years ago
Reply to Kevin Bishop
Hi Kevin,
You can still use Windows ADK for Windows 11 21H2, it's only the 22H2 release that is missing the x86 WinPE.
/ Johan
Reply
Brendon
2 years ago
Hi Team. I've noticed that when installing the latest Windows 11 ADK version 22H2 (10.1.22621.1) WinPE Add-On Components for use with MDT version 8456, the x86 Win PE Components do not appear to be installed as they were with the Windows 11 ADK version 21H2 (10.1.22000.1) WinPE Addon. This leads to an issue that when you right click on the Deployment Share in MDT, click Properties and then click on the 'Windows PE' Tab. An exception message appears that states: 'Could not find a part of the path 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs'. My work around…
Last edited 2 years ago by Brendon
Reply
Author
Johan Arwidmark
2 years ago
Reply to Brendon
I'll update the blog post with info on the newly released 22H2 version of Windows ADK for Windows 11. Thanks.
/ Johan
Reply
NBN
1 year ago
Reply to Johan Arwidmark
Hi Johan,
Windows 11 Deployment via MDT.
ADK and ADK WinPE latest.
MDT also updated.
Issue is, after OS installation the system reboots to the OS. But the final tasks are not running. The success screen is also not showing.
Could you please advise with any suggestions?
1
Reply
Author
Johan Arwidmark
1 year ago
Reply to NBN
Sorry for the late reply. Do you get the same result if deploying into a workgroup (meaning without any domain policies)? Also make sure the HideShell is not set to YES.
Reply
Robert Rathbun
1 year ago
Reply to Johan Arwidmark
For those interested, you'll find the references to the State.ini and other very interesting settings here: Windows Setup States | Microsoft Learn
I'm also trying to locate scripts I previously found that appear to be MS's version of MDT in pure PowerShell that OEMs are using on these newest builds. If I come across it again, I'll add it to this thread.
For those struggling with State.ini, it's explained in verbose detail in the link provided above.
In short, the contents of the "State.ini" file should look like this:
[State]
ImageState="IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE"
1
Reply
Robert Rathbun
1 year ago
Reply to Johan Arwidmark
Here's the link to the Windows 11 image framework:
Looks like you could leverage a lot of this for customized deployments. Not as easy as MDT though.
Reply
Rune
1 year ago
Reply to Brendon
Just copying the AMD X64 one and renaming the folder to x86 also works.
At least to the point of not hanging. Since I don't use the x86 image I haven't tested the resulting image, but the rest works just fine.
Reply
Ricky Moreno
2 years ago
Nice! Thanks.
Reply