Building a Windows 10 Image
Creating your Base Configuration
Installation of Windows 10
Reference:
http://www.tenforums.com/tutorials/2113-system-image-create-hardware-independent-system-i
mage.html#post151664
1. Boot computer off installation media (DVD or USB with Windows 10 EDU)
2. The installer process will begin. Clean the drive you want to install -- delete all
items/partitions. Windows 10 will rebuild the “WinRE” (recovery environment) partition.
a. For images, you do not want a partition larger than the lowest common
denominator drive size that may host the image (ie 128GB).
b. If you are installing on a machine with a drive larger, create a partition of 128GB
and leave the remaining portion “unallocated”.
3. Allow the installation to run. Using a VLM Windows 10 installer, we should not be
prompted for a product key during the install.
4. Once installation is completed, you will then go into the “first run” (out of box) Windows
setup screens.
5. Do NOT start the process of clicking through items. You need to immediately change
Windows into Sysprep “Audit” mode.
1
6. Windows reboots, and enters Audit Mode using the built-in “Administrator” account.
When the desktop loads, you will notice the Sysprep box open in the middle of your
screen. Close it for now by pressing the Cancel button.
a. NOTE on AUDIT MODE: Throughout image construction process, remain
in AUDIT Mode. When reboots are required, system will boot back up and
auto-login to Administrator account. Sysprep box will be presented.
Simply hit CANCEL option each time.
Creation of “Base” Image
In this stage, you will start setup and customization of your “template” profile.
Note: You will need to input a product key via Settings → Updates and Security → Activation
You can find this under the DML/Windows/Windows10 Iso folder - Readme
I. User Interface Customizations
A. Start Menu
1. Remove ALL instances of Live Tiles and other Modern “Apps”.
B. Desktop
1. Copy “Cupola.jpg” wallpaper from DML/CTS Tools folder
2. Place into: C:\Windows\Web\Wallpaper
3. Set wallpaper via Settings → Personalization → Background
a) Choose picture → Browse to Cupola image
4. Personalization → Themes → Desktop icon Settings:
a) Enable “Computer”, “User’s Files” and “Recycle Bin” options.
5. Personalization → Start
a) Occasionally show suggestions in Start -- OFF
b) Show most used apps -- OFF
c) Show recently added apps -- OFF
6. Personalization → Taskbar
a) Notification area → Select which icons appear → Enable “always
show…” option.
II. Application Installations - OS “Base”
Install the following set of applications into the BASE configuration, to be shared across
all builds:
A. Browsers: Mozilla Firefox & Google Chrome
1. OS already includes Internet Explorer 11 and Microsoft Edge
B. Adobe Flash for Firefox
C. Audacity and LAME Plugin
D. Dell OMCI Management agent
E. Microsoft .NET Framework (latest revision)
F. Microsoft Office Professional Plus 64Bit Suite (from DML)
G. Notepad++ -- download latest revision
H. Premier Accessibility Suite (from DML)
I. Paint .NET -- download latest revision
2
III. Create Customizations for Applications
A. Browser Configurations
Note: See “Browser Configurations” Document for Specifics.
1. Internet Explorer
2. Google Chrome
3. Mozilla Firefox
IV. OS Changes and Tweaks
A. Feature Removal: Right-click on Start Menu → Programs and Features
1. Click on “Turn Windows Features on or off”
a) Uncheck “XPS Services” and “XPS Viewer”
b) Remove Microsoft Print to PDF Feature
B. Disable “Reset My PC” Option (So a local admin user doesn’t do a system
refresh and/or remove machine from domain, etc.)
1. Admin Command Prompt: reagentc.exe /disable
2. (Alternative) Boot into another environment like WinPE to get past System
File Checker protection. Rename
“c:\windows\system32\systemreset.exe” to include a “.bak” extension so
the exe cannot be used/invoked.
C. Turn off Location Services
1. Settings → Privacy → Location: “Location Service” -- set to OFF.
D. “Modern App” Removal Process
1. Powershell script: [final location TBD]
a) This script will remove instances of Modern UI Apps with the
exception of the Windows Store.
b) Note: Additional option(s) for blocking to be used in ATC & Lab
Build(s) will be noted (Local/Domain GPO with AppLocker
service).
E. Application Pins
1. Create 2 rows of Tile pins:
a) Row 1: “Microsoft Office” -- Word, Excel, Powerpoint
b) Row 2: “Browsers” -- Chrome, Firefox, Internet Explorer
F. Add cts-admin Account
1. Go into Settings → Accounts → “Family & Other People”
a) Click the “Add someone to this PC” option. Create cts-admin as a
local administrator with CTS Password.
G. Run Windows Updates / Patch
V. Final Preparations
A. Copy the following to CTS-Admin Desktop folder from Win10 Setup folder:
1. Domain addition script
2. Sysprep folder (containing buildSysprep.cmd and unattend.xml)
3. Command Prompt shortcut
4. 802.1x setup script folder
5. UninstallWinClient.exe -- LANDesk removal tool
3
6. Create a shortcut to DML: \\cts-fs1\DML and name it “DML”
VI. Capture an Image of the Windows 10 Base
Note: Capturing is done in order to allow divergent types of builds to be completed from
this level.
A. Capture a Ghost Snapshot
1. This will allow you to maintain an image that stays in Audit mode with the
Administrator account auto-logging in.
2. Boot into Windows PE. Either map network share or connect external
device for image capture.
3. Launch Ghost32.exe (from x:\Oswego\ghost)
4. Capture ghost image.
B. Capture a LANDesk (ImageW) Snapshot if desired.
Creation of a Lab & ATC Build
In this stage, you will use the Base Image constructed previously to build up a Lab/ATC Image
template.
Once booted into Windows 10 with Local Administrator account, in Audit mode, you can begin
further work on customizations for a Lab image.
I. User Interface Tweaks
A. Enable Public Desktop
1. File Explorer → C:\Users\Public
2. VIEW Ribbon: Check “Hidden Items” box -- the hidden “Public Desktop”
folder should appear.
3. Right-click on Desktop folder. Select “Properties”. Uncheck “Hidden”
attribute.
B. Copy “restart.bat” script from Win10 Setup folder to C:\Windows
1. For ATC: Set option to shutdown -l
2. For Labs: Set option to shutdown -r -t 00
C. Copy “Logout.lnk” (Shortcut) to the Public Desktop folder.
D. Copy the Lab version of Cupola wallpaper (with user notice) to
C:\Windows\Wallpaper and overwrite the other cupola.jpg file.
E. Remove OneDrive from File Explorer
1. http://www.windowscentral.com/how-remove-onedrive-file-explorer-windo
ws-10
II. Application Installations & Customizations - Lab & ATC Build
A. Adobe Acrobat DC
1. Install Acrobat DC for Labs/ATCs - Includes updater preference file to
disable updates. (DML)
2. Download a PDF file from internet. Save to computer (desktop).
Right-click on PDF. Choose “Open With” → Select an app. Choose
4
Adobe Acrobat as the option, and make sure to check option for “Always
use this app” (so it will maintain the default!)
B. Java JRE - Most current (1.8.121 as of drafting)
1. Turn off Java Autoupdate option.
C. Windows Movie Maker (Using Windows Essentials 2012 installer) -- (DML)
D. VLC Media Player (http://www.videolan.org/vlc/index.html)
1. For DVD playback in particular.
2. Turn off Auto updating.
E. Zotero StandAlone (www.zotero.org)
1. Turn off Auto updating
F. Skype (ATC Image only)
1. Turn off auto-update option
G. Panopto (ATC Image only)
1. Requires .NET Framework 4.5.2 or higher)
2. Point to C:\PanoptoRecorder directory. Symbolic Link fix applied
post-imaging after DeepFreeze installation to link to T:\ Drive
H. Install additional applications and tweak settings as needed if building from the
BASE OS for a specific Lab configuration.
I. Note: For various applications installed in BASE section, you may want to
go into settings for those applications and set Updating preference to OFF.
III. Operating System Tweaks
A. Set Group Policy Configurations within the Image - Local GPO Editor
Open: gpedit.msc
1. Computer Level Configurations (Part A)
a) Windows Settings → Security Settings → Local Policies →
Security Options
(1) Interactive Logon: Do not require CAD: Disabled
(2) Interactive Logon: Do not display last username: Enabled
b) Windows Settings → Security Settings → AppLocker
(1) Right-click “AppLocker” and click “Import Policy”
Copy from: [Location TBD]
* AppLabLocker Policy set more rigid than Facstaff.
(2) This will set Lab/ATC AppX rules to block most of the
default Apps from loading into a new profile and being
launched, and to help speed up the creation of a profile.
2. Computer Configurations (Part B) - Administrative Templates Section
a) Control Panel → User Accounts
(1) Apply the default account picture to all users: Enabled
Copy/Overwrite Logo image to
“C:\ProgramData\Microsoft\User Account
Pictures\user.jpg”
b) System → Group Policy
5
(1) Configure Group Policy Loopback mode: Enabled
* Used for setting user settings at the computer-level
c) System → Logon
(1) Show first sign-in animation: Disabled
(2) Hide entry points for fast user switching: Enabled
(3) Always wait for the network at computer startup and logon:
Enabled
* To allow for 802.1x network processing and the network
stack to fully load)
d) Windows Components
(1) Cloud Content: Turn off Microsoft consumer experience:
Enabled
(2) Location and Sensors: Turn off Location: Enabled
(3) OneDrive: Prevent the usage of OneDrive for file storage:
Enabled
(4) Store: Turn off the Store application: Enabled
(5) Windows Calendar: Turn off Windows Calendar: Enabled
(6) Windows Mail: Turn off Windows Mail: Enabled
(7) Windows Powershell: Turn on Script Execution: Enabled
Policy: allow all scripts
DISCUSSION POINT
3. User Level Configurations in Local GP Editor
All will start in: User Configuration → Administrative Templates
a) Control Panel → Printers
(1) Turn off Windows Default Printer Management: Enabled
b) Start Menu & Taskbar
(1) Show Windows Store Apps on the Taskbar: Disabled
(2) Remove Frequent Programs list from the Start Menu:
Disabled
(3) Change Start Menu Power Button: Enabled
(a) Set action to RESTART
(4) Remove Logoff on the Start Menu: Enabled
(5) Remove Notifications and Action Center: Enabled
(6) Notifications Subfolder: Turn off toast notifications:
Enabled
c) System
CTRL-ALT-DEL Options
(1) Remove Change Password: Enabled
(2) Remove Lock Computer: Enabled
d) Windows Components
(1) Cloud Content: Do not suggest third-party content in
Windows spotlight: Enabled
(2) Store: Turn off the Store Application: Enabled
6
(3) Windows Update: Remove Access to use all Windows
Update Features: Enabled
Configuration: 0 - Do not show any notifications
B. Set Windows Updates (via gpedit.msc)
1. Computer Configuration → Administrative Templates → Windows
Components → Windows Update
a) Policy: “Configure Windows Updates” -- Set to DISABLED.
2. This method should allow us to have control over pushing updates to
clients via LANDesk patching process without Windows automatically
downloading.
C. Services MMC
1. Change the following service to DISABLED: App Readiness
2. Verify that Application Identity is set to “Manual -- Triggered” (default)
D. Settings Panel
1. System → Power & Sleep
a) Screen: Plugged in -- turn off after 2 Hrs (ATC!)
b) Sleep: Set options to NEVER
2. System → Default Apps
a) Video Player: VLC
b) Web Browser: Google Chrome
c) Click Set Default apps by App
(1) Adobe Acrobat: Set this program as default (all options
set)
(2) Google Chrome: Set as default (all options set)
IV. Finalize the Image & Prepare for Capture
A. Boot into Windows PE and capture a GHOST SNAPSHOT of Lab/ATC Image
1. This will allow for easier changes to your image instead of rebuilding from
scratch.
2. If you created a lab-specific image, this will also be v ery important!
B. Right-click on Start Menu → Command Prompt (As Admin)
1. CD \Users\cts-admin\Desktop\Sysprep
2. Run the “buildSysprep.cmd” script to generalize the image and make
ready for final capture.
3. Machine will run Sysprep passes/generalize and shut down.
C. Boot into Windows PE, do a LANDesk (ImageW) capture of Lab (or ATC) image.
Creation of a Faculty/Staff Image
Note: Start from your ghost snapshot of Base image first, if not already creating from scratch.