Windows 10 | MDT & AutoUnattend

Intro

The Microsoft Deployment Toolkit (MDT) is Microsoft’s free official method for deploying Windows 10/11 to computers which can also be used in conjunction with WDS if desired. Converting for standalone USB installation should be as close as possible to what MDT accomplishes which is that an Answer File does not deviate too much or at all from the default values if possible.

The Process

• Have official Windows 10 22H2 installation media source files.
• Windows ADK and Microsoft Deployment Toolkit (MDT) installed on a supported version of Windows 11.
• Generate catalog file (.clg) with Windows Image System Manager (WSIM) from source files.
• Create answer file in WSIM from available settings in the generated catalog file (.clg).
• Save answer file desired and rename as AutoUnattend.xml.
• Place AutoUnattend.xml on root of ‘removable’ USB drive.
• Have USB drive inserted into computer during install of Windows so Setup.exe can find it.
• Setup.exe finds AutoUnattend.xml and installs Windows automatically with no user intervention required.

Downloads

• Download and install Windows 11 Enterprise Evaluation 64-bit, here.
• Download and install Windows ADK for Windows 11, version 22H2, here.
• Download and install Windows PE add-on for the Windows ADK for Windows 11, version 22H2, here.
• Download and install Microsoft Deployment Toolkit, here.

Generate a Catalog File and Edit Answer Files for USB Deployment

When deploying Windows using Microsoft Deployment Toolkit (MDT), it’s crucial to generate a catalog file for your source image and customize the Answer File (AutoUnattend.xml) for USB deployment. Below is a step-by-step guide on how to perform these tasks.

---

Step 1: Open MDT Deployment Workbench

1. Launch the Microsoft Deployment Toolkit (MDT).
2. Navigate to your Deployment Share where your task sequences and operating systems are stored.

---

Step 2: Navigate to Task Sequences

1. In the left pane of the MDT Deployment Workbench, expand the Deployment Shares node.
2. Click on your Deployment Share.
3. Under the Deployment Share, expand the Task Sequences folder.

---

Step 3: Select the Task Sequence

1. Right-click on the Task Sequence associated with the Windows 10 image you wish to generate a catalog file for.
2. From the context menu, select Properties.

---

Step 4: Edit Unattend.xml

1. In the Properties window of the Task Sequence, click on the Edit Unattend.xml button.
2. MDT will automatically start generating the catalog file (.clg) for the source image linked to the task sequence.
3. The catalog file will be saved to the following location: %DeploymentShare%\Operating Systems\Windows 10 22H2 RTM x64\sources\install_Windows 10 Pro.clg

---

Step 5: Verify Catalog File Creation

1. Navigate to the folder: %DeploymentShare%\Operating Systems\Windows 10 22H2 RTM x64\sources\
2. Ensure the install_Windows 10 Pro.clg file is present.

---

Step 6: Generate and Edit the Answer File (AutoUnattend.xml)

1. Answer Files (AutoUnattend.xml) are first generated in MDT and then edited with Windows System Image Manager (WSIM) to make them compatible for USB deployment.
2. By default, the Unattend.xml file is located at: %DeploymentShare%\Control%TaskSequenceID%\Unattend.xml

---

Step 7: Open Unattend.xml in WSIM

1. Navigate to the location of the Unattend.xml file: %DeploymentShare%\Control%TaskSequenceID%\Unattend.xml
2. Open this Unattend.xml file using Windows System Image Manager (WSIM).
   • If WSIM is not already installed, download it as part of the Windows Assessment and Deployment Kit (ADK).

---

Step 8: Modify Answer File for USB Deployment

1. In WSIM, modify the Unattend.xml file to customize your deployment (e.g., configure disk partitioning, product key, locale settings, etc.).
2. Once finished, save the file.

---

Step 9: Place the Modified Answer File on the USB Drive

1. After editing the AutoUnattend.xml, copy the file to the root of your USB drive.
2. Ensure the USB drive contains both the AutoUnattend.xml and all deployment files.

---

Step 10: Use the USB for Deployment

• With the AutoUnattend.xml file on your USB, you can now boot from the USB drive and deploy Windows 10 to the target system using the customized unattended installation.

---

Additional Notes

• The .clg file is required for the unattend.xml to function properly during installation. It contains key information about the Windows image.
• The AutoUnattend.xml answer file ensures a completely automated deployment process, eliminating user interaction during installation.

Patches & Fixes

Please refer to Microsoft Deployment Toolkit Known Issues for help with various issues but I will list below the ones I had to use.

FAILURE ( 5616 ): 15250: Verify BCDBootEx

• Download and install MDT_KB4564442, here.

Could not find a part of the path ‘C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs’.

• Run the following command in CMD:

md "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs"

Script Error – An error has occurred in the script on this page.

• HTA applications rely on MSHTML and starting with Windows 11, version 22H2, the default legacy scripting engine was changed. To enable this change in MDT, we recommend that you back up the following file: C:\Program Files\Microsoft Deployment Toolkit\Templates\Unattend_PE_x64.xml and to modify it as follows:

<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
        <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
            <Display>
                <ColorDepth>32</ColorDepth>
                <HorizontalResolution>1024</HorizontalResolution>
                <RefreshRate>60</RefreshRate>
                <VerticalResolution>768</VerticalResolution>
            </Display>
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Fix HTA scripts error Windows 11 ADK 22H2</Description>
                    <Order>1</Order>
                    <Path>reg.exe add "HKLM\Software\Microsoft\Internet Explorer\Main" /t REG_DWORD /v JscriptReplacement /d 0 /f</Path>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Lite Touch PE</Description>
                    <Order>2</Order>
                    <Path>wscript.exe X:\Deploy\Scripts\LiteTouch.wsf</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>
</unattend>

Answer File Modifications

When deploying an image with MDT everything is performed under LiteTouchPE which accesses the MDT deployment share which contains many scripts. When installing Windows via AutoUnattend.xml from a USB ‘removable’ flash drive we don’t have access to these scripts which creates some limitations when trying to clone the default configuration.

Empty/Blank Values Removed

More info

• Empty or blank values have been removed as they cause issues. These fields are usually filled out manually during the LiteTouchPE deployment wizard. For USB deployment, these values can be safely removed.

Administrator AutoLogin Password

More info

• The password for the Built-in Local Administrator account used for AutoLogin is: Password01!.

Error & Deprecated Values Resolved

More info

• The default Unattend.xml answer file had validation errors in WSIM, which have now been fixed.

Errors fixed include:

• The 'ColorDepth' element was invalid: The value '' is not a valid UInt32 value.
  • Path: (Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/ColorDepth)
• The 'HorizontalResolution' element was invalid: The value '' is not a valid UInt32 value.
  • Path: (Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/HorizontalResolution)
• The 'RefreshRate' element was invalid: The value '' is not a valid UInt32 value.
  • Path: (Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/RefreshRate)
• The 'VerticalResolution' element was invalid: The value '' is not a valid UInt32 value.
  • Path: (Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/Display/VerticalResolution)
• Setting NetworkLocation is deprecated in the Windows image.
  • Path: (Components/oobeSystem/amd64_Microsoft-Windows-Shell-Setup_neutral/OOBE/NetworkLocation)

Windows Recovery Partition Logic

By default, the Windows partition is configured to use 99% of the available disk space after creating the System partitions, with the remaining 1% allocated to the Recovery partition. Unfortunately, WSIM doesn’t provide a built-in method to set specific partition sizes or resize partitions dynamically. Using manual values for partition sizes isn’t feasible either, as you can’t predict the exact disk size across different machines during imaging. To address this limitation, I added five additional RunSynchronousCommands in the Specialize phase to handle partition resizing.

Additionally, following the BitLocker vulnerabilities discussed in KB5034441, which required resizing the partition for better security, I increased the System Reserved partition from its default size of 300 MB to 768 MB.

I also fixed an issue where the Recovery partition was being created, but winre.wim was missing. By leveraging reagentc commands, I successfully resolved this, and after thorough testing, everything is functioning as expected now.

• UEFI/GPT-based hard drive partitions
• BIOS/MBR-based hard drive partitions
• Windows Recovery Environment (Windows RE)

powershell.exe -noninteractive -command "reagentc /disable"
powershell.exe -noninteractive -command "echo 'sel volume c' 'shrink minimum=768' 'create partition primary' 'format quick fs=ntfs label=Recovery' 'assign letter=R' | diskpart.exe"
powershell.exe -noninteractive -command "echo 'sel volume r' 'set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac' 'gpt attributes=0x8000000000000001' 'remove letter=R' | diskpart.exe"
powershell.exe -noninteractive -command "reagentc /enable"
reg delete "HKLM\SYSTEM\MountedDevices" /v "\DosDevices\R:" /f

Conclusion

Well hope this helped, you can also find the same info on my GitHub repository here, and you can also download my files for your use.

WinReflection

My name is Dex Sandel, author at WinReflection, a blog which aims to help others on various IT and Christian related subjects. DON’T TREAD ON ME! The best is yet to come, and nothing can stop what’s coming!

You all have a greater destiny in Christ, should you choose to ‘follow’ Him, not just believe. Many of you feel lost, without drive, and lack a greater purpose in your life causing depression, sadness, anxiety, and loneliness. Working your 9-5 job isn’t your primary purpose. So, then what is? That’s for you to discover, but hopefully I can provide some new unlocks along your path.

What will ‘you’ do, and what will your destiny be?

John 3:16: For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.