Windows 10 1709 Reference Image

Update – 2018-03-06 – Read at the bottom

When creating a Windows 10 reference image a common issue is that the store updates will autoupdate while you are busy installing software updates and applications. This then causes sysprep to fail in giant ball of fire.

To solve this there are basically two options and for some option one doesn’t seem to work which is why I always opt for option two.

Option 1, follow the guidance for disabling auto store updates. This consists of adding a DWORD registry item to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore named AutoDownload with a value of 2. More info on how to do this check out the blog over at deploymentresearch.com

Option 2, is to use a WSUS and then disable internet access for the duration of the build. This can easily be achieved using PowerShell and a sprinkle of magic.

Here is how! Lets start with creating a small PowerShell Script.

param (
[Parameter(Mandatory=$False,Position=0)]
[Switch]$Disable
)

If (!$Disable) {
Write-Output “Adding internet block”
New-NetFirewallRule -DisplayName “Block Outgoing 80, 443” -Enabled True -Direction Outbound -Profile Any -Action Block -Protocol TCP -RemotePort 80,443
}

if ($Disable) {
Write-Output “Removing internet block”
Get-NetFirewallRule -DisplayName “Block Outgoing 80, 443” | Remove-NetFirewallRule

}

Save that into as Invoke-InternetAccess.ps1 and place the file into the MDT deployment share script folder.

Now time to set the sequence.
Add two “Run PowerShell script” steps as shown below.

Ref1709

For the first one just set the script name to Invoke-InternetAccess.ps1
For the second one set the script name to Invoke-InternetAccess.ps1 and parameters to –Disable

All done! Now you can run your sequence and not worry about any store updates during your build.

Update – 2018-03-06
There has been some discussion around this and there is an alternative to the way below which will work if you use MDT. The solution is a simple as it is elegant and requires very little configuration.

All you would need is to set HideShell=YES in your customsettings.ini. This will not load a full explorer and hence store will not start and there will be no store updates downloaded.

 

Happy deploying

/Peter

Advertisements

18 comments

  1. Just tried this out, and normally my update process on reference image would take 2-5 minutes to start working. now its instant. never had problems with sysprep failing. but this does speed up my image creation. Thankyou

    Like

  2. Hi Peter. Nice script there for blocking internet access during the build and capture. This looks like it would work nicely for MDT, but for those that use Configuration manger it presents a bit of a problem. As port 80 (or 443 in secure environments) is blocked for all traffic, the Configuration Manger client is not able to talk back to the management point and so any task sequence will fail.

    I have taken the liberty of extending your script to create a firewall rule that blocks all addresses, except for those on the same “class A” network, i.e. “my IP address is 10.141.12.123, I will block everything except 10.*.*.* ”

    param (
    [Parameter(Mandatory=$False,Position=0)]
    [Switch]$Disable
    )

    If (!$Disable) {

    #Get the top-level octect of the IP address (Class A equivalent identifier).
    $IPOctect = ((Get-NetIPAddress | Where-Object {$_.InterfaceAlias -eq ‘Ethernet’ -and $_.AddressFamily -eq ‘IPv4’}).IPAddress).split(“.”)[0]

    # Define the IP ranges that will be blocked. Basically everything but the Class A equivalent. e.g. for the ip address 10.141.12.123 everything but 10.*.*.* will be blocked.
    $IPBlockLow = “1.0.0.0-$([Int]$IPOctect – 1).255.255.255”
    $IPBlockHi = “$([Int]$IPOctect + 1).0.0.0-255.255.255.255”

    New-NetFirewallRule -DisplayName “Block Outgoing 80, 443” -Enabled True -Direction Outbound -Profile Any -Action Block -Protocol TCP -RemotePort 80,443 -RemoteAddress @($IPBlockLow,$IPBlockHi) | Out-Null
    }

    if ($Disable) {

    Get-NetFirewallRule -DisplayName “Block Outgoing 80, 443” | Remove-NetFirewallRule
    }

    Like

    1. Thank you, the reason for that not beeing an issue ever is you should not be using ConfigMgr to build Reference images. Not even official Ms documentation recommends it. https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image

      Using MDT will give you a smoother process and a generic image that can be used with VMM, ConfigMgr, templates for VmWare etc while the reference image in ConfigMgr is earmarked for ConfigMgr only.

      /Peter

      Like

  3. Here are my two cents. It seems that the fix that Johan has shared on deploymentresearch.com at times works and at times doesn’t. I stumbled on this post couple of days ago and then also noticed Johan linking to this post. Here are my findings.

    I am using combination of script from Johan’s blog post and disabling apps updates via running the script during WinPE. I am also pointing to our internal WSUS server. I also used the script in this blog post to disable port 80 and 443.

    I started out creating couple of VM’s to start the build process. I noticed that once out of three times, Windows still went ahead and installed whole bunch of apps e.g. Candy Crush etc. So even with all these steps in place its still apps?

    In other case, I noticed with all steps in place the apps did not get updated, in my reference image I see whole bunch of “down” arrows, but I noticed “Mixed Reality” portal still got installed.

    So should we say all these fixes are working to a certain extent? @Peter, please let me know what your thoughts are.

    Like

      1. Hello Peter, I am back with some findings. I used 3 VMs for testing. Please use the following link for screenshots:

        https://imgur.com/a/sHXQT

        Task Sequence – You can see the Block Internet step is being run.

        VM1 – 80-443 were blocked – VM Uptime has been for 10+ hours – I did few restarts in the
        middle.

        VM2 – 80-443 were initially blocked. Once TS suspended, I deleted the firewall rule to see what the OS does. I did couple of restarts for the VM. Didn’t seem like any windows apps got installed even after firewall rule was deleted. VM uptime has been 10+ hours.

        VM3 – This is where things get interesting. You can see the firewall rule is in place, though this VM ended up getting apps installed. The uptime for this VM has been 10+ hours.

        Like

  4. I use a different registry key than yours. They key you use doesn’t seem to work correctly.

    Replace your regwrite line with:
    oShell.RegWrite “HKEY_LOCAL_MACHINE\NewOS\Policies\Microsoft\WindowsStore\AutoDownload”, “2”, “REG_DWORD”

    Like

  5. Hello Peter, I’d like to report that after I had my reference image build VM up and running for couple of days, the OS ended up getting apps installed after all, even with the port blocking via windows firewall. If you’d like further details, please reach out to me @ verma.girish@gmail.com. Thanks.

    Like

  6. I can’t help but be angry that all this is even necessary. Is it so much to ask that Microsoft make Windows 10 anything but difficult to sysprep? I don’t mind doing my job, but for crying out loud – sysprep is a pretty fundamental task.

    Like

    1. In principle yes however I would not recommend using a manual process as there are to many things that can go wrong. If you look at the official docs from Microsoft on how to build a reference image even they recommend mdt as the solution

      Like

  7. Since I don’t use WSUS I couldn’t completely block internet access due to patching but not loading the shell with HideShell=YES finally did the trick. Thanks to that tip a very frustrating part of my day has been put behind me.

    Like

  8. Hi, so this is a great little snippet of code. I get confused with disabling something to enable it and vice versa. So I changed the code and added “-Remove” instead. I also added a little checking so it won’t try to delete the rule if it does not exist.

    # When used in a MDT task sequence, copy the script to deployment share
    # and use the below command line:
    # Powershell.exe -ExecutionPolicy ByPass -File Configure-Enable-SmartScreen.ps1
    # Or
    # Powershell.exe -ExecutionPolicy ByPass -File Configure-Enable-SmartScreen.ps1 -Remove

    #Source: https://gal.vin/2018/05/07/building-windows-10-1803-reference-image-walkthrough
    #Original Source: https://syscenramblings.wordpress.com/2017/10/25/windows-10-1709-reference-image/

    ## Creates the Remove option used by the script
    param (
    [Parameter(Mandatory=$False,Position=0)]
    [Switch]$Remove
    )
    #If the switch is “-Remove” then internet access is restored.

    #Set the name of the firewall
    $FirewallRuleName=”Block Outgoing 80, 443″

    #TEST
    Write-Output (“Testing for the presence of the internet blocking firewall rule, `””+$FirewallRuleName+”`””)
    IF (-not(Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)){Write-Output “There is no internet blocking firewall rule”}
    IF ( (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)){Write-Output “There is an internet blocking firewall rule”}

    #Create an array with the settings for the rule
    $NoInternetRule = @{
    DisplayName = $FirewallRuleName
    RemotePort = 80,443
    Direction=”Outbound”
    Protocol =”TCP”
    Action = “Block”
    }

    ## The script adds a Firewall Rule to block traffic on ports 80 (http) and 443 (https),
    ## if it does not already exist, unless the -Remove switch is used.
    If (!$Remove)
    {Write-Output “Remove parameter was not specified”
    IF (-not(Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue))
    {
    Write-Output “Creating firewall rule to block the internet”
    New-NetFirewallRule @NoInternetRule
    #Validate that the rule was created successfully
    IF ( (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)){Write-Output “The internet blocking firewall rule has been created”}
    IF (-not(Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)){Write-Output “The script failed to create the internet blocking firewall rule”}
    }
    }

    ## If the Remove command line option is added, the script removes the Firewall Rule, if it exists.
    If ($Remove)
    {Write-Output “Remove parameter was used”
    IF (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)
    {
    Write-Output “Removing firewall rule”
    Get-NetFirewallRule -DisplayName $FirewallRuleName | Remove-NetFirewallRule
    #Validate that the rule has been removed.
    IF ( (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)){Write-Output “The script failed to delete the interne blocking firewall rule “}
    IF (-not(Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)){Write-Output “The script has deleted the internet blocking firewall rule”}
    }
    }

    Write-Output (“Script complete. Internet blocking firewall rule, `””+$FirewallRuleName+”`” has been created or deleted.”)

    Liked by 1 person

Leave a Reply to thirdeye386 Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s