Windows 10 | MDT & AutoUnattend

INTRO

This will be a short guide on creating an AutoUnattend.xml answer files for the automated installation of Windows 10 via a USB removable flash drive. The answer file is created in Windows System Image Manager (WSIM) which is included in the Windows 10 ADK files. MDT currently works to deploy Windows 10 22H2 and Windows 11 24H2.

GOAL

That an Answer File does not deviate too much or at all from Microsoft’s default values if possible. The Microsoft Deployment Toolkit (MDT) is Microsoft’s free official method for deploying Windows 10 to computers which can also be used in conjunction with WDS. Therefore, converting for standalone USB installation should be as close as possible to the official method.

CREATION & USE

• Have official Windows 10 22H2 installation media source files.
• Windows 11 ADK and Microsoft Deployment Toolkit (MDT) installed on a supported version of Windows 11.
• Generate catalog file (.clg) with Windows Image System Manager (WSIM) from source files.
• Create answer file in WSIM from available settings in the generated catalog file (.clg).
• Save answer file desired and rename as AutoUnattend.xml.
• Place AutoUnattend.xml on root of ‘removable’ USB drive.
• Have USB drive inserted into computer during install of Windows so Setup.exe can find it.
• Setup.exe finds AutoUnattend.xml and installs Windows automatically with no user intervention required.

BUILDING NOTES

• Answer Files are first generated in MDT and then edited with WSIM to be compatible for USB deployment (AutoUnattend.xml), keeping Microsoft’s default values when images are imported into MDT.
  
• Selecting in MDT: %DeploymentShare% -> Task Sequences – > Select Task Sequences -> Properties (Right-click menu) -> Edit Unattend.xml (Button) will start generating a catalog file (.clg) for the source image linked to the task sequence. Located at: %DeploymentShare%\Operating Systems\Windows 10 22H2 RTM x64\sources\install_Windows 10 Pro.clg.
  
• The default Unattend.xml file is located at: %DeploymentShare%\Control%TaskSequenceID%\Unattend.xml.

TROUBLESHOOTING

• If Setup.exe does not find AutoUnattend.xml it’s possible Windows source files in use does not contain USB controller or chipset drivers for your computer so the USB drive will not be seen. Certain USB controller hubs might not be detected or have detection delayed, some USB ports may be detected where others are not. Additionally the EULA window may present itself as the installer boots before the USB drive and Answer Files is detected, in many cases you just have to click “OK” and the automated install will still continue.

BUILDING ANSWER FILES YOURSELF

• Download and install Windows 11 Enterprise Evaluation 64-bit, here.
• Download and install Windows ADK for Windows 11, version 22H2, here.
• Download and install Windows PE add-on for the Windows ADK for Windows 11, version 22H2, here.
• Download and install Microsoft Deployment Toolkit, here.

PATCHES

Please refer to Microsoft Deployment Toolkit Known Issues for help with various issues but I will list below the ones I had to use.

FAILURE ( 5616 ): 15250: Verify BCDBootEx

• Download and install MDT_KB4564442, here.

Could not find a part of the path ‘C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs’.

• Run the following command in CMD:

md "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs"

Script Error – An error has occurred in the script on this page.

• HTA applications rely on MSHTML and starting with Windows 11, version 22H2, the default legacy scripting engine was changed. To enable this change in MDT, we recommend that you back up the following file: C:\Program Files\Microsoft Deployment Toolkit\Templates\Unattend_PE_x64.xml and to modify it as follows:

<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
        <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
            <Display>
                <ColorDepth>32</ColorDepth>
                <HorizontalResolution>1024</HorizontalResolution>
                <RefreshRate>60</RefreshRate>
                <VerticalResolution>768</VerticalResolution>
            </Display>
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Fix HTA scripts error Windows 11 ADK 22H2</Description>
                    <Order>1</Order>
                    <Path>reg.exe add "HKLM\Software\Microsoft\Internet Explorer\Main" /t REG_DWORD /v JscriptReplacement /d 0 /f</Path>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Lite Touch PE</Description>
                    <Order>2</Order>
                    <Path>wscript.exe X:\Deploy\Scripts\LiteTouch.wsf</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>
</unattend>

MODIFICATIONS

When deploying an image with MDT everything is performed under LiteTouchPE which accesses the MDT deployment share which contains many scripts. When installing Windows via AutoUnattend.xml from a USB ‘removable’ flash drive we don’t have access to these scripts which creates some limitations when trying to clone the default configuration.

Empty/Blank Values Removed

• Empty or blank values have been removed as they causes issues, they’re usually filled out manually during the LiteTouchPE deployment wizard, for USB deployment they can be removed.

Administrator AutoLogin Password

• The password for the Built-in Local Administrator account used for AutoLogin is “Password01!”.

Error & Depreciated Values Resolved

• The default Unattend.xml answer file had validation errors in WSIM, these have been fixed.

- The 'ColorDepth' element is invalid - The value '' is invalid according to its datatype 'ColorDepthType' - The string '' is not a valid UInt32 value.
(Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/ColorDepth)

- The 'HorizontalResolution' element is invalid - The value '' is invalid according to its datatype 'HorizontalResolutionType' - The string '' is not a valid UInt32 
value.	
(Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/HorizontalResolution)	

- The 'RefreshRate' element is invalid - The value '' is invalid according to its datatype 'RefreshRateType' - The string '' is not a valid UInt32 value.
(Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/RefreshRate)

- The 'VerticalResolution' element is invalid - The value '' is invalid according to its datatype 'VerticalResolutionType' - The string '' is not a valid UInt32 value.
(Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/VerticalResolution)

- Setting NetworkLocation is deprecated in the Windows image
(Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/OOBE/NetworkLocation)

Disk Configuration: Recovery Partition

• By default the Windows partition is set to use 99% of the drive after the System partitions are created and the Recovery partition is set to use the last remaining 1% of the drive space. WSIM does not offer a way to do this or even shrink a partition. You would need to use manual values which won’t work since you can’t predict the size of every disk in a computer for imaging. To get around this, 5 more RunSyncronousCommands were added to the Specialize phase.
• Due to the BitLocker exploits mentioned in KB5034441 where the partition must resized I increased the size from 300 MBs to 768 MBs.
• I also resolved the issue where the Recovery partition was made but winre.wim did not exist on it. By utilizing reagentc commands I was able to solve this, tested and confirmed all is good now.

powershell.exe -noninteractive -command "reagentc /disable"

powershell.exe -noninteractive -command "echo 'sel volume c' 'shrink minimum=768' 'create partition primary' 'format quick fs=ntfs label=Recovery' 'assign letter=R' | diskpart.exe"

powershell.exe -noninteractive -command "echo 'sel volume r' 'set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac' 'gpt attributes=0x8000000000000001' 'remove letter=R' | diskpart.exe"

powershell.exe -noninteractive -command "reagentc /enable"

reg delete "HKLM\SYSTEM\MountedDevices" /v "\DosDevices\R:" /f

Recovery Tools Partition Information

• UEFI/GPT-based hard drive partitions
• BIOS/MBR-based hard drive partitions
• Windows Recovery Environment (Windows RE)

Recovery tools partition This partition must be at least 300 MB.

The Windows Recovery Environment (Windows RE) tools require additional free space:

A minimum of 52 MB is required but 250 MB is recommended, to accommodate future updates, especially with custom partition layouts.

When calculating free space, note:

The recovery image, winre.wim, is typically between 250-300MB, depending on what drivers, languages, and customizations you add. The file system itself can take up additional space. For example, NTFS may reserve 5-15MB or more on a 750MB partition. This partition must use the Type ID: DE94BBA4-06D1-4D40-A16A-BFD50179D6AC.

The recovery tools should be in a separate partition than the Windows partition to support automatic failover and to support booting partitions encrypted with Windows BitLocker Drive Encryption.

Create a separate recovery partition to support automatic failover and to support booting Windows BitLocker Drive Encryption-encrypted partitions.

We recommend that you place this partition in a separate partition, immediately after the Windows partition. This allows Windows to modify and recreate the partition later if future updates require a larger recovery image.

The Windows RE update process makes every effort to reuse the existing Windows RE partition without any modification. However, in some rare situations where the new Windows RE image (along with the migrated/injected contents) does not fit in the existing Windows RE partition, the > update process will behave as follows:

If the existing Windows RE partition is located immediately after the Windows partition, the Windows partition will be shrunk and space will be added to the Windows > RE partition. The new Windows RE image will be installed onto the expanded Windows RE partition.

If the existing Windows RE partition is not located immediately after the Windows partition, the Windows partition will be shrunk and a new Windows RE partition will > be created. The new Windows RE image will be installed onto this new Windows RE partition.

The existing Windows RE partition will be orphaned. If the existing Windows RE partition cannot be reused and the Windows partition cannot successfully be shrunk, the new Windows RE image will be installed onto the Windows partition. The existing Windows RE partition will be orphaned.

CONCLUSION

Well hope this helped, you can also find the same info on my GitHub repository here, and you can also download my files for your use.

WinReflection

My name is Dex Sandel, author at WinReflection, a blog which aims to help others on various IT and Christian related subjects. DON’T TREAD ON ME! The best is yet to come, and nothing can stop what’s coming!

You all have a greater destiny in Christ, should you choose to ‘follow’ Him, not just believe. Many of you feel lost, without drive, and lack a greater purpose in your life causing depression, sadness, anxiety, and loneliness. Working your 9-5 job isn’t your primary purpose. So, then what is? That’s for you to discover, but hopefully I can provide some new unlocks along your path.

What will ‘you’ do, and what will your destiny be?

John 3:16: For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.