Updating MDT Image
MDT gives you the ability to image a machine in a couple different ways. You can use what is called a "thin image" which installs a Windows 10 .iso file, then uses various tasks sequences to install software and configure the device. You can also use what is called a "thick image" which is a snapshot of a machine of all the software already setup. Each has advantages and disadvantages. Here at Royal I built out the MDT server using a hybrid image. While this does mean the image is a little larger, it also means deployment will be faster. There is no reason to install standard apps like Microsoft Office using a task sequence when every machine has it anyway, likewise there is no reason to install things like 7zip or VLC when every machine has these anyway. The same goes for Windows updates, yes part of the imaging process installs all Windows updates (and chocolatey updates, etc), but if you already have a good chunk of those Windows Updates baked into the image then your deployment will be faster because as opposed to installing 58 updates, you are only installing the new ones from when you last pulled the image. I try to update the image every 3-4 months or so. Again this is not a requirement, it just speeds up the imaging process. To make things easier for myself the Royal Image has a folder on the C drive (C:\REC) full of various scripts that I use to get an image up to date. This means you will only need to double click a few batch files to get the image up to date.
1. Because Microsoft, in their infinite wisdom, only allows you to SysPrep a machine 3 times, we will have to use VM Snapshots to restore a machine to a previous state, then run the updates and pull the image again. The first step of the process is to login to vSphere as your Admin account. Find the VM on the machine list and make sure it is turned off. If it is not turned off then turn it off. Once you have the machine off and selected go to Actions > Manage Snapshots > and select the most recent snapshot, and click "Revert To". I usually call these snapshots "Ready to SysPrep" as it indicates all updates have been done and it is ready for the image to be pulled. Whenever you do something to update an image it is best practice to do one thing at a time. Install Software A and shut down the VM and take a snapshot. Turn on the VM install Software B, shutdown the machine and take a snapshot. This allows you to quickly rewind in case you mess up the machine and you won't have to redo everything. Remember if you mess up something on the image you may not notice right away and this allows you to quickly rollback changes.
2. After you have reverted to the Ready to SysPrep snapshot you can turn on the machine and connect to it. Turn it on by pressing the green play arrow and connect to it by selecting Launch Web Console.
3. Go ahead and login to the machine using the default Admin password, password is located in Bitwarden. After you are logged into the machine please install whatever software you would like to add to the image. Remember that it is best practice to install one software then shut down the machine and take a snap shot. Turn on the machine and install another software and turn it off and take a snapshot, etc. This makes it so you have one snapshot per software install and it is easy to revert changes in case you messed up. For this example I will not be installing any software. I will be updating the Windows updates, as well as all preinstalled chocolatey apps. The Royal standard apps that are on the image is: Microsoft Office (including Teams), Google Chrome, Mozilla Firefox, VLC, 7zip, Notepadd++, TeamViewer, and Adobe Reader. Remember you do not know what kind of machine this image will be put on. So do not install any brand specific software like Dell Utility or HP Utility. This hybrid image should be very simple, and only contain the bare minimum. Also remember the way some software operates, some software has agents or licensing that will have to be considered. That is why Palo Alto Cortex and the Fresh Service agent are not part of the image. It would mess things up for inventory purposes.
I have created a batch file that will automatically do the following: Updates all windows updates, updates all Royal Standard apps, run a disk cleanup using both CleanManager and CCleaner, as well as a dism scan for any image corruption.
To bring the image up to date navigate to C:\REC\Scripts and run (as admin) PrepForSysPrep.bat. After you run the batch file the VM will automatically shutdown. Please note that some updates will want you to restart, please say No and let the script to run in its entirety.
You may notice some other files and scripts in the C:\REC folder. There is a reason I keep these scripts locally and baked into the image, which I will cover in a different section.
4. After the VM shuts down please take a snapshot of it by going to Actions > Snapshot > Take Snapshot. Give a name and description for your snapshot, something like "Installed Software X". In this case I will be using "Ready to SysPrep"
5. After you take the snapshot go ahead and turn the machine back on and login to it. Once you login you need to navigate to the MDT Capture Share. Because of the way MDT works the CaptureShare has to be on a different share than the DeploymentShare. Open up an explorer window and navigate to \\mdt01\mdtroyalcapture$
From there go to Scripts and run LiteTouch.vbs
.
After you run the LiteTouch.vbs you will see you have one option, Sysprep and Capture, select Sysprep and Capture then hit next, on the next screen select "Capture an image of this reference computer". By default the image name will be 00.wim. The convention I am using is "Royal Image - [Operating System] - [YYYYMMDD]". So for today when I am writing this it would be called "Royal Image - Windows 10 - 20220308.wim". Click on Next.
After this screen it will ask you to put in your username and password as well as domain. I plan to fix this soon but for now your username and password will work. Hit next a couple time until the SysPrep and Capture starts
6. Ok so now that we have the image captured we will have to move it over to the DeploymentShare, also we will have to change the file permissions on the wim file itself. From the MDT Deployment Share (MDTRoyal), right click on Operating Systems and select Import Operating System. After that the import wizard and hit next. The next screen will ask you to find the source wim file that we just captured. Remember this file is on a different share, so navigate to the Capture share (MDTRoyalCapture) and import the file. Since we don't need two copies of the file be sure to click the box that says "Move the files to the deployment share", this way we don't have a copy in two spots, the two shares are on the same drive. Go ahead and hit next saying setup files are not needed, and next again for the destination, you can accept the defaults. Go ahead and click through and hit finish.
7. Because of some weird NTFS file permission issue that I do not fully understand, we also have to change the file permission on the wim file that we just moved over. From an explorer window go to D:\MDTRoyal\Operating Systems and find the folder that you just imported and go into it. Right click on the wim file and go to properties and security. Click on Users and go to edit and give the Users group write permission. I am not sure why you have to do this as there are no writes being made to the file, but it just needs to be set to read otherwise your image will fail to deploy. If you have issues deploying an image MAKE SURE TO CHECK THIS PERMISSION! It's probably why.
8. After this we have only one or two small more steps. We now need to go into the Task Sequence and change the Image Task to the new wim file. From the MDT Royal tree click on Task Sequences then double click the Windows 10 - Royal Image task. Once you open the task the properties page will come up. Under the install folder click on Install Operating System, then click browse. From there another window will come up. Please select the new image you just captured. You might notice some old images on there. That is ok. If you want to go into the Operating Systems folder and delete some older ones that is ok. But please leave the last 3 most recent there. There will be times you will update an image and not realize it has an issue right away. Leaving the last 3 good images ensures you can just go back to a previous known good image while you pull a new one. I typically pull new images every 4 months or so.
After that just go back up to the MDT Royal folder, right click on it and say Update Deployment Share. You will not need to regenerate the boot images, for this you can just say Optimize the boot images and click through. You are all done. You can now use your new image.