20695C ENU TrainerHandbook

MCT USE ONLY.
STUDENT USE PROHIBITED

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
20695C
Deploying Windows Desktops and
Enterprise Applications
MCT USE ONLY. STUDENT USE PROHIBITED
ii Deploying Windows Desktops and Enterprise Applications
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2016 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the Microsoft
group of companies. All other trademarks are property of their respective owners.
Product Number: 20695C

Part Number: X20-97616
Released: 04/2016
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:

User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code tent that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code ntent are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject

matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to

o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute
utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie
expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES

DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages
directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres
dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
Cette limitation concerne:
• tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers; et.
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité
stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si
votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires
ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre
égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits
prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre
pays si celles-ci ne le permettent pas.
Revised July 2013

Deploying Windows Desktops and Enterprise Applications xi
xii Deploying Windows Desktops and Enterprise Applications
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
David Susemiehl – Content Developer

David Susemiehl has worked as consultant, trainer, and courseware developer since 1996. David has
extensive experience consulting on Microsoft Systems Management Server, Microsoft System Center
Configuration Manager 2007, Active Directory Domain Services (AD DS), Microsoft Exchange Server, and
Terminal Server/Citrix deployments. David has developed courseware for both Microsoft and Hewlett-
Packard, and has delivered those courses successfully in Europe, Central America, and across North
America. For the last several years, David has been writing courseware for Microsoft Learning, and
consulting on infrastructure transitions in Michigan.
Dave Franklyn – Subject Matter Expert
David M. Franklyn, MCSE, MCITP, Microsoft MVP Windows and Devices for IT, is also an Eastern USA
Regional Lead MCT. Dave has been a Microsoft MVP since 2011, and a Senior Information Technology
Trainer and Consultant at Auburn University in Montgomery Alabama, since 1998. He is the owner of
DaveMCT, Inc. LLC, and is a training partner with Dunn Training. Working with computers since 1976,
Dave started out in the mainframe world and moved early into the networking arena. Before joining
Auburn University, Dave spent 22 years in the United States Air Force as an electronic communications
and computer systems specialist, retiring in 1998. Dave is president of the Montgomery Windows IT
Professional Group, and a guest speaker at many events involving Microsoft products.
Gary Dunlop – Subject Matter Expert

Gary Dunlop is based in Winnipeg, Canada and is a technical consultant and trainer for Broadview
Networks. He has authored a number of Microsoft Learning titles and has been an MCT since 1997.
Orin Thomas – Subject Matter Expert

Orin Thomas is a Microsoft Regional Director, MVP, and MCT. In addition, he has a string of Microsoft
MCSE and MCITP certifications. Orin has written more than three dozen books for Microsoft Press, is a
contributing editor at Windows IT Pro, a courseware author for Microsoft Learning, and an author for
Pluralsight. He has been working in IT since the early 1990s. Orin is a regular speaker at events such as
Ignite in Australia, and around the world on topics such as Windows Server, Windows client, Microsoft
System Center, cloud computing, and security. In his spare time, Orin is completing his Doctorate in
Information Technology at Charles Sturt University.
Michael Buchardt – Subject Matter Expert/Content Developer

Michael Buchardt is an independent consultant and trainer based in Copenhagen, Denmark. He has
extensive experience consulting for some of the largest companies and institutions in Denmark on System
Center Configuration Manager, AD DS, and infrastructure and virtualization. Michael is a highly
experienced trainer and has been an active MCT since 2001. He has taught 300+ Microsoft Official
Courses, and holds certifications in every Windows operating system since Windows 2000. Michael has
worked for various training centers and consulting firms before starting his own company Mimercon in
2012, where he now offers consulting and freelance training.
Deploying Windows Desktops and Enterprise Applications xiii
Mark Wheatley – Technical Reviewer

Mark Wheatley is a certified educator and consultant specializing in system and operations management,
system security, network administration, and enterprise deployment techniques. With a Master’s degree in
Instructional Technology, Mark has been teaching about technical subjects since 1977. Mark has been an
active MCT since 1995, and is currently a Senior Technical Consultant with Infront Consulting Group,
where he works on capacity building with all of the System Center family members, and with Microsoft
Intune and Microsoft Office 365.
xiv Deploying Windows Desktops and Enterprise Applications
Contents
Module 1: Assessing the network environment for supporting
operating system and application deployment
Module Overview 1-1
Lesson 1: Overview of the enterprise desktop life cycle 1-2
Lesson 2: Assessing readiness for a desktop deployment by using

Configuration Manager 1-12
Lesson 3: Assessing deployment readiness by using MAP 1-20
Lab: Assessing the network environment for supporting operating system

and application deployment 1-25
Module Review and Takeaways 1-28
Module 2: Determining operating system deployment strategies

Module Overview 2-1
Lesson 1: Understanding tools and strategies you can use for operating system
deployment 2-3
Lesson 2: Using the High Touch with Retail Media deployment strategy 2-10
Lesson 3: Using the High Touch with a Standard Image deployment strategy 2-13
Lesson 4: Using a lite touch deployment strategy 2-16
Lesson 5: Using a zero touch deployment strategy 2-19
Lesson 6: Alternative deployment strategies for Windows desktops 2-22

Lab: Determining operating system deployment strategies 2-29
Module 3: Assessing application compatibility

Module Overview 3-1
Lesson 1: Diagnosing application compatibility issues 3-2
Lesson 2: Mitigating application compatibility issues 3-11
Lesson 3: Using ACT to address application compatibility issues 3-18
Lab: Assessing application compatibility 3-26

Deploying Windows Desktops and Enterprise Applications xv
Module 4: Planning and implementing user state migration

Module Overview 4-1
Lesson 1: Overview of user state migration 4-2
Lesson 2: Overview of USMT 10.0 4-7
Lesson 3: Planning user state migration 4-11
Lesson 4: Migrating user state by using USMT 4-22
Lab: Planning and implementing user state migration 4-39
Module 5: Determining an image management strategy

Module Overview 5-1
Lesson 1: Overview of the Windows image file format 5-2
Lesson 2: Overview of image management 5-7
Lab: Determining an image management strategy 5-14

Module 6: Preparing for deployments by using the Windows ADK

Module Overview 6-1
Lesson 1: Overview of the Windows Setup and installation process 6-2

Lesson 2: Preparing boot images by using Windows PE 6-8
Lab A: Preparing the imaging and Windows PE environment 6-18
Lesson 3: Using Windows SIM and Sysprep to automate and prepare an

image installation 6-21
Lab B: Building a reference image by using Windows SIM and Sysprep 6-30
Lesson 4: Capturing and servicing a reference image by using DISM 6-36

Lab C: Capturing and servicing a reference image 6-45
Lesson 5: Using the Windows ICD 6-47
Lab D: Using the Windows ICD 6-59
Module 7: Supporting PXE-initiated and multicast operating system

deployments
Module Overview 7-1
Lesson 1: Overview of PXE-initiated and multicast operating system

deployments 7-2
Lesson 2: Installing and configuring the Windows DS environment 7-11
Lab: Configuring Windows DS to support PXE and multicast operating system

deployments 7-20

xvi Deploying Windows Desktops and Enterprise Applications
Module 8: Implementing operating system deployment by using the MDT

Module Overview 8-1
Lesson 1: Planning for the MDT environment 8-2
Lesson 2: Implementing MDT 2013 Update 2 8-9
Lesson 3: Integrating Windows DS with MDT 8-23
Lab: Operating system deployment using the MDT 8-27
Module 9: Managing operating system deployment

Module Overview 9-1
Lesson 1: Overview of operating system deployment 9-2
Lesson 2: Preparing a site for operating system deployment 9-12
Lab A: Preparing the site for operating system deployment 9-22
Lesson 3: Deploying an operating system 9-26

Lab B: Deploying operating system images for bare-metal installations 9-44
Module 10: Integrating MDT and Configuration Manager for

operating system deployment
Module Overview 10-1
Lesson 1: Integrating deployment tools with Configuration Manager 10-2
Lesson 2: Integrating MDT with Configuration Manager 10-6
Lab A: Integrating MDT and Configuration Manager for operating system

deployment 10-20
Lab B: Configuring UDI 10-29
Module 11: Activating clients and managing additional configuration

settings
Lesson 1: Solutions for volume license activation 11-2
Lesson 2: Determining additional client configuration settings 11-14
Lab: Configuring additional settings for computer clients 11-26

Deploying Windows Desktops and Enterprise Applications xvii
Module 12: Deploying Office 2016

Lesson 1: Methods for deploying Microsoft Office 2016 editions 12-2
Lesson 2: Customizing Office deployments 12-13
Lesson 3: Deploy Office 2016 by using Office 365 12-20
Lesson 4: Managing Office settings 12-25
Lesson 5: Introducing Windows Store for Business 12-31
Lesson 6: Distributing apps using the Windows Store for Business 12-35
Lab: Deploying Microsoft Office 2016 by using the Office Customization Tool 12-39
Lab Answer Keys

Module 1 Lab: Assessing the network environment for supporting
operating system and application deployment L1-1
Module 2 Lab: Determining operating system deployment strategies L2-5
Module 3 Lab: Assessing application compatibility L3-9
Module 4 Lab: Planning and implementing user state migration L4-13
Module 5 Lab: Determining an image management strategy L5-19
Module 6 Lab A: Preparing the imaging and Windows PE environment L6-21
Module 6 Lab B: Building a reference image by using Windows SIM

and Sysprep L6-24
Module 6 Lab C: Capturing and servicing a reference image L6-30
Module 6 Lab D: Using the Windows ICD L6-31

Module 7 Lab: Configuring Windows DS to support PXE and multicast
operating system deployments L7-35
Module 8 Lab: Operating system deployment using the MDT L8-41
Module 9 Lab A: Preparing the site for operating system deployment L9-49
Module 9 Lab B: Deploying operating system images for bare-metal

installations L9-54
Module 10 Lab A: Integrating MDT and Configuration Manager for

operating system deployment L10-59
Module 10 Lab B: Configuring UDI L10-70
Module 11 Lab: Configuring additional settings for computer clients L11-77
Module 12 Lab: Deploying Microsoft Office 2016 by using the

Office Customization Tool L12-85
About This Course xix
About This Course

This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.
Course Description
This five-day course describes how to assess operating system and application deployment options,
determine the most appropriate deployment strategy, and then implement a deployment solution for
Windows devices and apps that meets your environment’s needs. Solutions that this course details include
operating system deployment scenarios ranging from high-touch solutions to zero-touch solutions. This
course also discusses the technologies that you use to implement these solutions, including the Microsoft
Deployment Toolkit (MDT) and Microsoft System Center Configuration Manager (Configuration
Manager).
Audience
This course is intended for is for IT professionals who deploy, manage, and maintain PCs, devices, and
apps across medium, large, and enterprise organizations. Typically, these IT professionals have a desktop-
support background, and have worked as Enterprise Desktop Administrators. A significant portion of this
audience uses or intends to use Configuration Manager to manage and deploy PCs, devices, and
enterprise applications. The Enterprise Desktop Administrator also might use several tools, including the
Windows Assessment and Deployment Toolkit (Windows ADK) and the MDT to support assessment,
operating system, and application deployment tasks. Additionally, this course is for individuals who are
interested in taking the MCSE exam 70-695: Deploying Windows Desktops and Enterprise Applications.
Student Prerequisites
This course requires that you meet the following prerequisites:
• System administrator–level working knowledge of networking fundamentals, including common
networking protocols, topologies, hardware, media, routing, switching, and addressing
• System administrator–level working knowledge of Active Directory Domain Services (AD DS)
principles, and fundamentals of AD DS management
• System administrator–level working knowledge of Installation, configuration, and troubleshooting for

Windows-based personal computers
In addition to the above, you must have a basic understanding of:
• Public key infrastructure (PKI) security.
• Scripting and Windows PowerShell syntax.
• Windows Server roles and services.
• Management tasks using Configuration Manager.
Course Objectives
After completing this course, students will be able to:
• Assess the network environment to support operating system and application deployment tasks.
• Identify the most appropriate operating system deployment strategy based upon organizational
requirements.
• Assess application compatibility issues and identify mitigation solutions to ensure that applications
function successfully after an operating system deployment.
• Describe and configure strategies to migrate user state during operating system deployments.
xx About This Course
• Determine the most appropriate image management strategy to support operating system and
application deployments.
• Describe and use the tools provided in the Windows ADK to prepare for and support automated
deployment strategies.
• Identify solutions to support Pre-Boot EXecution Environment (PXE)–initiated and multicast solutions
when performing operating system deployment tasks.
• Configure an operating system deployment strategy by using the MDT.
• Configure an operating system deployment strategy using Configuration Manager.

• Integrate the MDT with Configuration Manager to support operating system deployment procedures.
• Implement volume license activation and configuration settings for client computers.
• Customize and deploy Microsoft Office 2016 to an enterprise network environment.
Course Outline
The course outline is as follows:
Module 1, “Assessing the network environment for supporting operating system and application
deployment” examines how you can create a deployment strategy by using life-cycle information,
deployment tools and technologies, and licensing and activation information. It also explains how to plan
and effectively perform preparation tasks for deploying Windows 10 client operating systems.
Module 2, “Determining operating system deployment strategies” describes the tools and strategies that
are available to help you perform a successful operating system deployment. It also explains how to
identify the most appropriate operating system deployment strategy for your environment, based upon
organizational requirements.
Module 3, “Assessing application compatibility” describes the process for addressing common application
compatibility issues that you might experience during a new operating system deployment. The module
also explains how to use the Application Compatibility Toolkit (ACT) to help inventory, analyze, and
mitigate application compatibility issues.
Module 4, “Planning and implementing user state migration” introduces user state migration, and the
tools and methods that are useful in the planning and implementation of a user state migration in the
Windows software environment.
Module 5, “Determining an image management strategy” provides the information that you need to
manage images to support operating system and application deployments. Specifically, the module
describes the image formats and strategies for managing images.
Module 6, “Preparing for deployments by using the Windows ADK” describes how Windows Setup installs
the Windows operating system. It explains how to use the tools in the Windows ADK to prepare for and
support automated deployment strategies. It also explains how to use the Windows Preinstallation
Environment (Windows PE) to prepare boot images.
Module 7, “Supporting PXE-initiated and multicast operating system deployments” introduces the
architecture of network boot, PXE-initiated operating system deployments, multicasting operating system
delivery, and the Windows Deployment Services (Windows DS) functionality in Windows Server 2012 R2.
Module 8, “Implementing operating system deployment by using the MDT” describes the components of
the MDT, and how you can configure an operating system deployment strategy by using the MDT.
Module 9, “Managing operating system deployment” provides an overview of operating system

deployments, and explains how to use Configuration Manager to configure an operating system
deployment strategy.
About This Course xxi
Module 10, “Integrating MDT and Configuration Manager for operating system deployment” explains
how to integrate the MDT with Configuration Manager to support operating system deployment
procedures. It also describes the benefits of integrating the MDT with Configuration Manager.
Module 11, “Activating clients and managing additional configuration settings” describes volume license
activation solutions. It also explains how to implement volume license activation and configuration
settings for client computers.
Module 12, “Deploying Office 2016” explains how to customize and deploy Microsoft Office 2016 to an
enterprise network environment. It also explains how to deploy Office 2016 by using Office 365, and
manage Office 2016 settings.
xxii About This Course
Course Materials
The following materials are included with your kit:
• Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly focused format, which is essential for an effective in-class learning
experience.
o Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
o Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
o Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.
o Lab Answer Keys: provide step-by-step lab solution guidance.
Additional Reading: Course Companion Content on the

http://www.microsoft.com/learning/en/us/companion-moc.aspx Site: searchable, easy-to-
browse digital content with integrated premium online resources that supplement the Course
Handbook.
• Modules: include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
• Resources: include well-categorized additional resources that give you immediate access to the most
current premium content on TechNet, MSDN, or Microsoft Press.
• Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
o To provide additional comments or feedback on the course, send an email to

mcspprt@microsoft.com. To inquire about the Microsoft Certification Program, send
an email to mcphelp@microsoft.com.
About This Course xxiii
Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Virtual Machine Configuration

In this course, you will use Microsoft Hyper-V to perform the labs.
Note: At the end of each lab, you must revert the virtual machines to a snapshot. You can
find the instructions for this procedure at the end of each lab.
The following table shows the role of each virtual machine that is used in this course:
Virtual machine Role
20695C-LON-DC1 Domain controller for the adatum.com domain that

contains:
• AD DS
• Domain Name System (DNS)
20695C-LON-CFG Configuration Manager primary site:

• System Center Configuration Manager
• Microsoft SQL Server 2014
20695C-LON-SVR1 Server in the adatum.com domain
20695C-LON-SVR2 Server in the adatum.com domain that will also

contain the Windows Server Update Services role with
pre-configured updates imported
20695C-LON-CL1 Client computers running Windows 10

20695C-LON-CL2
20695C-LON-CL3 Client computer running Windows 7
20695C-LON-REF1 Bare-metal computer used for deploying images
Software Configuration
The following software is installed in the course virtual machines:
• Configuration Manager
• Windows ADK for Windows 10
• SQL Server 2012 Service Pack 1 ( SP1 )
• Microsoft Deployment Toolkit 2013 Update 2
• Microsoft Assessment and Planning Toolkit

xxiv About This Course
Classroom Setup
Each classroom computer will have the same lab virtual machines configured in the same way.
You might be accessing those virtual machines either in a local on-premises classroom, or through
Microsoft Labs Online.
• On-premises classroom. If you are working on a local machine, at the end of each lab you might need
to revert the virtual machines to a snapshot. The lab will include the steps to do this.
• Microsoft Labs Online. If you are working in the hosted environment there might be some variations
in configuration or lab steps in your student manual. Any differences will be called out in the Lab
Notes document on the hosted lab platform.
Your Microsoft Certified Trainer will provide more details about your specific lab environment.
Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
Hardware Level 7
• Processor: 64 bit Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD - V) processor
(2.8 gigahertz (GHz) dual core or better recommended)
• Hard Disk: Dual 500-gigabyte (GB) hard disks 7200 RPM Serial ATA (SATA) labeled C drive and D drive
• Random access memory (RAM): 16 GB or higher
• DVD/CD: DVD; dual layer recommended
• Network adapter
• Sound card with amplified speakers
• Monitor: Dual SVGA monitors 17” or larger supporting 1440x900 minimum resolution
Additionally, the instructor computer must be connected to a projection display device that supports
SVGA 1024x768 pixels, 16-bit colors.
1-1
Module 1
Assessing the network environment for supporting
Contents:
Module Overview 1-1
Lesson 1: Overview of the enterprise desktop life cycle 1-2
Lesson 2: Assessing readiness for a desktop deployment by using Configuration

Manager 1-12
Lesson 3: Assessing deployment readiness by using MAP 1-20
Lab: Assessing the network environment for supporting operating system and
application deployment 1-25
Module Overview
Assessing an enterprise’s deployment requirements begins with understanding its hardware, software, and
infrastructure environment, and determining whether that hardware can support Windows 10. You can use
several tools to conduct an inventory of an environment and evaluate the computers in that environment.
For many organizations, one key decision is whether to deploy a new operating system. Doing so can offer
many benefits. However, many organizations consider it complicated and expensive to deploy a new
environment-wide operating system. Additionally, a migration’s complexity and cost can make it difficult
for users to recognize a new operating system’s benefits quickly.
Migrating and deploying a new operation system also can post additional challenges, including:
 Application incompatibilities.
 Complicated user-state migrations.
 Lack of migration resources.

 Lack of best practices and implementation guides.
 Insufficient end-user training and support.
This module examines how to use life-cycle information, deployment tools and technologies, and licensing
and activation information to create a deployment strategy. You will learn how to plan and perform
effective preparation tasks for deploying Windows 10 client operating systems.
Objectives
After completing this module, you will be able to:
 Describe the enterprise desktop life cycle.
 Assess readiness for a desktop deployment by using Microsoft System Center Configuration Manager
(Configuration Manager).
 Assess deployment readiness by using the Microsoft Assessment and Planning Toolkit (MAP).
1-2 Assessing the network environment for supporting operating system and application deployment
Lesson 1
Overview of the enterprise desktop life cycle
The enterprise desktop life cycle encompasses more than just deploying and removing computers. During
the first phase of the enterprise desktop life cycle, you must carefully plan for hardware that meets your
needs, and you should develop a purchasing strategy to avoid unnecessary spending. After you complete
the first phase, you can determine the best way to deploy the systems purchased. Application deployment
planning and user support are critical phases in the enterprise desktop life cycle. The key to these two
phases is providing users with the training and skills they need to operate their systems efficiently, which
can reduce issues. Eventually, all systems reach a point when technological advancements render them
obsolete. Upgrading or disposing of those systems ends that portion of their life cycle.
Lesson Objectives
After completing this lesson, you will be able to:
 Describe the enterprise desktop life-cycle model.
 Describe the planning and purchasing phases.
 Describe the desktop deployment phase.

 Describe the application deployment planning phase.
 Describe the operation and support phase.
 Describe the upgrade and retirement phase.
The enterprise desktop life-cycle model

In a world where work styles change rapidly,
business technologies must be flexible and able to
support increasing interconnectivity. Home and
office users who utilize a variety of devices in
various locations, and not necessarily at their
organization’s offices, need quick, constant access
to their resources. Windows 10 provides solutions
and capabilities that help you to meet these
requirements. Users want to work productively no
matter where they are. They might be traveling, at
home, or in a branch office. Regardless of users'
physical location, an IT department must meet the
users’ requirements. Additionally, companies often expect IT departments to do more to improve business
efficiency with fewer resources.
Organizations constantly manage the different phases of the enterprise desktop life cycle, which includes
planning, purchasing systems, deploying operating systems and software, and then managing users and
systems in production. The cycle begins and ends when you replace or retire older operating systems.
Deploying Windows Desktops and Enterprise Applications 1-3
The first phase of a client system’s life cycle, planning and purchasing, is a process that begins with
preparing and processing requisitions, and then obtaining approval of invoices for payment. The second
phase is deployment, which involves installing an operating system on a user’s computer. Application
deployment planning, the third phase, involves deploying software applications to client systems.
Operation and support is the fourth phase. In this phase, you ensure that the end users learn how to use
their systems and applications, and receive the support they need. The final phase of the life cycle is
upgrading and retirement, in which computers receive new software or you retire them from use and
recycle them.
Planning and purchasing

Before making purchasing decisions, organizations
should plan their requirements for new systems
carefully. Most organizations will have a mix of old
and new systems. They can replace some of these
systems with new equipment, and upgrade others
to Windows 10. Upgrades require careful planning
to ensure that the upgrades work correctly and
efficiently. During the upgrade process, you should
correct any previous operating system
misconfigurations.
The planning stage includes the following:
 Computer strategy. This includes policies such

as image and hardware standardization, environment design, replacement frequency, mobile device
versus desktop usage, and Bring Your Own Device (BYOD) policies.
 Computer selection. This process involves choosing hardware, software, and peripherals. Additionally, it
includes design configuration and application compatibility testing.
 Deployment methods. Each deployment method includes inherent costs to support that method.
Often, multiple deployment methods are used to accommodate different scenarios.
 Demand forecasting. This is the attempt to predict an organization’s future need for computing
resources, to determine the quantities that you should purchase.
 Design configuration. This process concentrates on deciding which new features you will use and how
you will incorporate them into the overall plan. The new tools, resources, and settings available can
help simplify configuration processes dramatically.
Purchasing is the process of obtaining personnel, material, services, or property from a vendor by
authorized means. It is the action or process of acquiring items at the operational level. The purchasing
process includes negotiation, contracts, vendor management, shipping, and disposal of packaging
materials.
During the purchasing stage, there are several decision points that will affect the overall cost of the
deployment:
 Hardware typically represents approximately half of all the costs in the purchase-phase of the
computer life cycle.
 Software costs include productivity applications, antivirus software, messaging tools, and groupware.
 The chosen deployment method will directly impact overall deployment cost. Additional costs can
include storage requirements of file servers and hard disk drives, universal serial bus (USB) flash drives,
blank DVDs, and providing for greater bandwidth for pushing large images and user data across a
network.
 Accessories include a wide range of computer-related supplies, such as cables, power supplies,
keyboards, mice, laptop bags, docking stations, and secure-access cards.
 Finally, after the systems arrive, you need to prepare them for deployment. You must securely store,
unpack, inspect, and inventory the systems properly. You should set aside the necessary space for this
before the systems arrive.
Desktop deployment
Deployment consists of the activities that make a
software system available for use. The general
deployment process consists of several interrelated
activities with possible transitions between the
build and deployment phases.
The desktop deployment life cycle provides a

framework for the tasks required to deploy a
software application or operating system
successfully. You must understand life cycle phases
to plan properly for the resources and tools that
are required for an effective implementation. The
key phases of the desktop deployment life cycle
are building and deploying.
Building
The building phase provides the opportunity to improve efficiency, and its key steps include:
 Streamlining the deployment process. This step includes developing automated solutions and
procedures that you can use for deployment.
 Developing and testing the deployment process for the baseline operating system image (or images).
Without a test system, you might fail to identify and correct errors, and you might subsequently
duplicate these errors to all of your environment’s computers during the actual deployment.
 Configuration. This step includes developing an automation solution, testing and configuring
standardized images, accounting for IT labor to configure computers, and planning for network access
configuration.
 Managing the logistics. This step includes storing computers, deploying and setting up physical
hardware, and communicating to end users.
Deploying
After you complete thorough building and testing, you can begin deploying the operating system. The
deployment phase is the period during which the team implements the solution and ensures that it is stable
and usable. A typical deployment takes place in phases throughout the networking environment. The
deployment team stabilizes each phase before progressing to performing upgrades or installations.
When you use software image deployment, you load a standard image and potentially replace preinstalled
original equipment manufacturer (OEM) software. You typically standardize these images on the basis of
organizational or departmental needs, such as sales or finance, or on the type of user who receives the
system, such as a manager, a home or office user, or a graphic designer. The next lesson will cover several
methods that you can use to deploy software images.
The deployment stage also includes migration of data, user state, and unimaged applications. Many users
think that having access to the data that was on their previous computers is an absolute requirement. You
can use many approaches to migrate data between client computers, such as by using file shares, Microsoft
SharePoint Server 2013, or Microsoft cloud services. However, some user data always remains on computers.
You should consider the storage space requirements for performing data transfers.
Note: You should focus on creating the minimum number of baseline images based
exclusively on operating system version and editions, and perform app deployment based on user
needs by using a deployment solution, such as Configuration Manager.
Application deployment planning

Application deployment planning consists of three
phases: managing application compatibility,
packaging applications, and providing life-cycle
support.
Application compatibility
Application compatibility can have a far-reaching
impact on your organization, but you can reduce
that impact significantly by planning your
application compatibility project properly. Your
migration to Windows 10 is an opportunity to
analyze your applications carefully and to
understand their strategic importance in your
environment.
Gathering an application inventory is the first step in understanding the effect of application compatibility
changes in your environment. Microsoft offers several tools to perform asset inventories, including the MAP
and the Microsoft Application Compatibility Toolkit (ACT). For larger enterprise environments, Microsoft
includes asset inventory functionality in Configuration Manager.
The ACT is a Microsoft tool suite that you can use to test and understand application compatibility in your
environment, and it is available as part of the Windows Assessment and Deployment Kit (ADK). ACT enables
software developers, independent software vendors, and IT professionals in an enterprise environment to
determine whether their applications are compatible with a new version of the Windows operating system.
ACT also enables these individuals to determine how updates will affect their applications.
The Microsoft Desktop Optimization Pack (MDOP) is a suite of six products sold as an add-in subscription
license to Microsoft Software Assurance (SA) customers. You can use two of the six products in the Desktop
Optimization Pack to mitigate application compatibility issues. You can use Microsoft Enterprise Desktop
Virtualization to mitigate application-to-operating-system incompatibilities (Windows 7 only), and you can
use Microsoft Application Virtualization (App-V) to mitigate application-to-application incompatibilities or
conflicts.
For environments that have thousands of managed applications, you can undertake an application
compatibility project as an opportunity to reduce the number of applications in the environment, thereby
reducing the costs associated with application proliferation. An easy, immediate way to reduce the number
of applications within an environment is to standardize the application versions in use across an
organization.
Newer applications might supersede many older applications that provide similar functionality, thus
enabling you to remove older applications. Every time you remove an application, you eliminate
corresponding licensing and support costs. During your application compatibility project, you can analyze
application compatibility across your entire enterprise. Configuration Manager can manage superseded
applications and their removal.
Note: App-V will not mitigate an application that the operating system does not support.
However, it does provide a test environment that allows apps that are incompatible with each
other to run on the same computer.
Application packaging
Application packaging and automated installation generally involve using silent installation commands
from vendors. You can find these commands in installation guides, on Internet forums, or by launching the
setup application with the /help or /? command-line options.
For applications that you develop in-house, there might not be silent installation commands. You will need
to package those applications or repackage them if the installer package does not work. You can create
Windows Installer packages, if necessary. App-V provides a packaging mechanism with the application
sequencing that it uses to create virtual applications. App-V is integrated with Configuration Manager for
app deployment.
Application life-cycle support

Application life-cycle support usually involves deploying new applications, installing new versions of
existing applications, and updating applications. Generally, updates are far more frequent and usually
require less testing than version upgrades. New applications are typically tested for compatibility issues
with existing applications. Version upgrades usually are significantly more complex to perform than
updates are, and comprehensive planning and testing are fundamental to ensuring that the upgrade
release occurs properly.
Two of the more recently developed methods for deploying applications include the Windows Store and
Windows Store for Business.
Windows Store
The Windows Store supports both free and purchased apps, and developers can use it to advertise their
desktop apps. The Windows Store is a platform for distributing Windows applications, including both
Windows RT (Windows 8 on Advanced RISC Machine or ARM processors) and desktop applications. The
store supports only Windows 8 and newer operating systems. Users can download modern UI applications
directly from the Windows Store. Users can access the traditionally installed desktop applications by using
the links to the developers' websites that are advertised in the Windows Store. Users can choose to share
content from one app to another, and can optimize apps to their context, hardware, and preferences.
Windows Store for Business

The Windows Store for Business is a Microsoft Azure–based portal for finding, distributing, and managing
applications in an enterprise. All applications in the Windows Store for Business are either Universal
Windows apps for Windows 10 or Universal Windows apps, by device: phone, Surface Hub, IoT, and
HoloLens. You can develop line-of-business (LOB) applications and publish them through the Windows
Store for Business so that they are available only to your organization. The Windows Store for Business is
not available in all locations currently.
Operation and support

You need to replace desktop computers regularly
to keep up with software and hardware
developments. However, from their initial
deployment until their retirement, desktop
computers, like any other system, need support.
Desktop-computer replacement cycles of around
three to four years have become a standard. The
release of a new Windows operating system
version often drives this schedule, as do the three-
year warranty and maintenance contracts common
in many enterprises. Economic factors cause many
organizations to postpone replacements because
they try to curtail nonessential spending. Sustained operation and support are vitally important in these
circumstances.
The following factors are essential to continued life-cycle support in the operation phase:
 Facilities. These include factors such as ensuring that the environment has continuous, regulated
electricity; that air conditioning and heating temperatures and humidity are within manufacturer’s
guidelines; and that the environment is clean, with dust and foreign objects kept away from the server
systems and storage. A building’s overall structural soundness also is a factor. The facility should meet
local codes; provide for safe, secure workspaces; and provide protection from outside elements such as
rain and humidity. Facilities also should meet basic office workspace ergonomics standards, including
keeping desktops safe from users tripping over cables, kicking cases, knocking over monitors, and
other potential accidents.
 Computer security. This issue requires constant vigilance. Not only do computers require protection
from malware and external attacks, they also are valuable corporate resources that you must protect
from theft, misuse, and misappropriation. Important computer-security responsibilities include
deploying antimalware software; performing software, application, and operating system updates; and
monitoring the status and inventory of systems.
 Software updates. This is another constant component of computer support. To help keep computers
that are running Windows operating systems stable and secure, you must update them regularly with
the latest security updates and fixes. Windows Update enables you to download and install important
and recommended updates automatically. You can update most Microsoft applications by using the
Windows Update functionality. Many software vendors also provide regular updates, and these
updates might require user interaction. Driver updates for various hardware component manufacturers
also are available through Windows Update. You can apply Windows Update to fix quickly most
security issues that manufacturers discover during a software product’s lifespan. However, certain
updates might cause functionality problems with some software. While this is rare, system failure can
occur. Therefore, testing updates is a part of this functionality. Many organizations require that
administrators use a formal process to test and deploy updates.
 Data protection. This involves backing up user and configuration data, providing for disaster
recoverability, and providing stable, secure information repositories. You typically implement this
functionality at the systems administration level, on the various servers that host data. However, most
systems administrators also provide repositories where users can move their data. Systems
administrators often provide scripts or some other functionality that moves user data automatically, so
that you can protect that data. Note that laptop and tablet users typically do not receive this level of
support and might be required to back up their devices themselves. You should consider planning to
protect mobile data in addition to traditional onsite data. Cloud and datacenter solutions are available
to perform both functions.
 IT administration. IT administration is the day-to-day resource that users rely on to help keep their
computers safe, to answer questions, and to resolve computing-related issues. IT administration
provides solutions to problems that users cannot fix. These solutions might involve going to a user's
computer physically to configure it or providing for a remote system that can do the same. Beyond
helping users, IT administration performs desktop-related functions, such as auditing and asset
management. Together, these activities form the core of IT administration.
The support phase of the life cycle includes providing training, IT support, and hardware servicing. Consider
the following factors when you provide for these activities:
 Training. This is potentially the costliest and most time-consuming component of the support phase.
This activity includes both training the IT staff and providing the IT labor required to develop and
deliver end-user training. It also includes LOB apps and training for the software and hardware on a
typical computer. The cost of training for unfamiliar LOB apps can be substantial. A successful Windows
10 deployment requires additional training, even for users who are familiar with Windows computing,
so that they can learn the new interface and gain the efficiencies that Windows 10 can provide. Some
workers might have more experience dealing with devices such as smart phones and tablets, and you
should customize the training accordingly. Many enterprises overlook the training component of an
enterprise desktop life cycle, and often do not provide adequate time or resources for training.
Generally, organizations find that investing in training can enhance workers' efficiency greatly.
 IT support. This support is integrated throughout the enterprise desktop life cycle. Most of the steps
described throughout this topic are part of IT support. This component includes help-desk and onsite
support. Most enterprises recognize that computer maintenance, including tasks such as disk
defragmentation, are end-user functions, but IT personnel still might monitor maintenance. Managing
reporting systems, including the ability to track issues and manage remedies, is another IT support
function. As workers join or leave an organization, supplying workers with new systems and reusing
older systems also are required.
 Servicing hardware. This involves fixing desktop computers, replacing failed or faulty components, and
managing warranty issues. It also involves keeping and restocking adequate components and
replacement systems, and shipping and receiving warrantied items back and forth from vendors.
Upgrading and retirement

Upgrade involves reusing hardware with new
software or new versions of older software. In most
cases, you need to consider these factors:
 You will need facilities to store systems that

are undergoing refurbishment, and a place to
store them until you place them in the user’s
workspace.
 You can upgrade software in place at a user’s

workstation. However, upgrading an
application to a new version will require
considerable planning and testing compared
with managing an update.
 Some organizations might have procedures on how to refurbish used equipment and how to test stock
items before deployment or after users return them. Additionally, new employees might need fully
equipped computers to perform their duties.
The retirement phase is an issue that every organization must eventually face. The focus of the retirement
phase is successful removal of a system from production when it is no longer useful. As you retire legacy
systems and replace them with new systems, you must complete this effort efficiently, without interrupting
daily organizational business needs or end users' work. Eventually, all software systems become obsolete or
other systems supersede them. Generally, these systems go through upgrades, but sometimes you no
longer require them and should remove them. Other factors that you need to consider when you plan the
retirement phase include the following:
 You should accomplish computer pickup in a way that causes the least interruption to users. Typically,
you can do this during nonbusiness hours by going to each department or room to retrieve computers.
Usually, computer pickup happens at the same time that new systems are distributed.
 Similar to your refurbishing efforts, you should prepare computers for reselling. If systems will go to an
outside entity, you should ensure that sensitive information stored on hard drives and other magnetic
media does not travel outside your organization. Typically, as part of the retirement process, you clear
the information on drives. You can use numerous software tools to do this, and there are machines
than can erase drives in bulk, even if the drives are not operational.
 Your organization might require administrative processing, which refers to the paperwork necessary to
inventory and account for all computer equipment removals and sales. You typically can accomplish
this with an existing inventory system.
 You might need to perform packing and shipping. You also might need a loading-dock area for
pickups.
 You need to consider residual value, which refers to the resale value of equipment. Laptops generally
get a higher price than desktops. Some organizations give old equipment to charity and use such
donations as part of their overall tax accommodation with government.
Check Your Knowledge

Question
Which of the following is NOT part of the enterprise desktop deployment life cycle?
Select the correct answer.
Demand forecasting
Imaging
Training
Virtualizing Windows sessions with Terminal Services
Virtualizing applications with App-V
Question: What are the considerations when you retire systems?
Categorize Activity
Categorize each item into the appropriate phase of enterprise desktop life cycle. Indicate your answer by
writing the category number to the right of each item.
Items
1 Streamlining the deployment process
2 Using ACT for testing and understanding application compatibility
3 Ensuring computer security
4 Developing and testing the deployment process
5 Using MDOP to mitigate application compatibility issues
6 Deploying software updates
7 Configuring standardized images
8 Virtualizing applications
9 Protecting data
10 Managing logistics
11 Using Windows Store to deploy applications
12 Providing IT support
13 Baselining images
14 Using Windows Store for Business to deploy applications
15 Training the end users

Category 1 Category 2 Category 3
Desktop deployment Application deployment Operation and support

planning
Lesson 2
Assessing readiness for a desktop deployment by using
Configuration Manager
Many organizations recognize that an efficient and automated desktop deployment can confer
considerable cost savings. To realize this potential, you must identify your organization’s current computer
software, hardware, and network infrastructure. Knowing what you can and cannot upgrade is key to
planning a successful desktop deployment properly. This lesson provides information about some of the
tools that you can use to perform detailed assessments of existing deployments, and it describes some of
the challenges that you might face when you perform these necessary assessments.
Lesson Objectives
 Describe the guidelines for an effective enterprise desktop deployment.
 Explain how to assess the current environment.
 Describe the tools that you can use to assess your current environment.
 Describe the Configuration Manager features that you can use for infrastructure assessments.
 Explain how to assess hardware inventory by using Configuration Manager.
Guidelines for an effective enterprise desktop deployment

You can accomplish an effective desktop
deployment by implementing the following basic
guidelines:
 Take an inventory and establish a network

map of the existing client computers, servers,
and other relevant networking services to
determine the installed application base and
hardware types that your organization has
deployed currently. You should consider the
organization’s main operating center and all
branch offices and other locations. You should
document even small offices located outside
the corporate network and any users who work remotely from home offices and while travelling.
 Determine what hardware you can reuse as part of the new computer deployment and which types
you might need to retire. You must fully understand the hardware requirements for the new operating
system and how the system will work with existing peripheral devices.
 Determine which applications you can redeploy on new desktop systems. Start a process for packaging
or scripting those applications, so that you can reinstall them quickly and consistently without user
intervention.
 Define a strategy for addressing applications that the new platform cannot support. For example, you
might have a critical application that a new operating system does not support, but it might be a
candidate for virtualization technology such as Client Hyper-V in the Windows 10 operating system, or
by using RemoteApp in the Windows Server 2012 R2 server operating system.
 Reduce cost with Windows Server 2012 R2 Hyper-V, Remote Desktop Services, and the System Center
product line. These products enable you to virtualize your enterprise, which might provide an overall
cost savings when compared to a physical deployment.
 Establish a process to capture user data, settings, and preferences on currently deployed systems and
to restore the data on newly deployed systems.
 Provide a method for backing up all of the relevant data on currently deployed computers before
redeployment. You can do this as part of the user-data capture mentioned above.
 Provide an end-to-end process for the actual desktop deployment. Several Microsoft automated
systems tools can do this, and the next lesson will cover these in more detail.
 Create a plan for training users on the updated desktop systems. The new features and functionality of
Windows 10 will help to reduce troubleshooting issues significantly post-deployment.
Discussion: Assessing your current environment

Discuss the following questions:
Question: What are the key factors to include
when you assess your current environment?
Question: What tools do you use to assess

your environment?
Question: What should be the output of an

environment assessment?
Tools for assessing your current

environment
One challenge in deploying a new operating
system is identifying the applications with which it
is compatible; in particular, you might find issues
with older or custom-built applications. You also
might face challenges when you attempt to
migrate applications and user settings from
previous desktop configurations to a new desktop
installation. Compatibility issues associated with
hardware and applications can delay an upgrade
or migration to a new operating system
significantly, and the loss of user settings can affect
productivity and user satisfaction.
The key to a successful desktop deployment is to obtain as much information about your existing desktop
environment as possible. Additionally, you should obtain guidance and best practices to assist you in each
phase of your desktop-deployment project. You can use the following tools to support the planning phase
and help ensure an effective desktop deployment:
 Windows ADK
 MAP
 Configuration Manager
Note: Microsoft enhances and updates these tools continually. The version numbers
reflected in this course are not necessarily the version with which you will be working. For specific
guidance, please refer to the documentation that accompanies the specific versions that your
organization uses.
Windows ADK
Windows ADK is a collection of tools and documentation that you can use to customize, assess, and deploy
Windows operating systems to computers. Most tools that were previously available in the Windows OEM
Preinstallation Kit and Windows Automated Installation Kit (AIK) are now available in Windows ADK.
Note: If you want to access all Windows ADK features, please note that it is an exceptionally
large download of more than 7 gigabytes (GB) of data.
The following tools are available in Windows ADK:
 ACT
 Deployment tools
 Windows Preinstallation Environment (Windows PE)
 Windows Imaging and Configuration Designer (ICD)

 Windows User State Migration Tool (USMT)
 Volume Activation Management Tool (VAMT)
 Windows Performance Toolkit

 Windows Assessment Services
Windows ADK tools specifically used for assessing the readiness for an operating system deployment
include ACT, Windows Performance Toolkit, and Windows Assessment Services.
ACT
To help ensure that applications do not fail when you deploy a new operating system, you must plan for the
integration carefully by taking an inventory of all the applications in the environment, identifying critical
apps to be tested, testing them thoroughly, and addressing mitigation requirements, as necessary. ACT
enables you to evaluate and mitigate application compatibility issues before you deploy a new version of
the Windows operating system or a new version of Internet Explorer. ACT includes:
 Application Compatibility Manager, which is the functional centerpiece of ACT. Using Application
Compatibility Manager, you can complete the following five compatibility testing phases:
o Collect inventory. Identify applications and devices for testing.

o Plan testing. Choose the applications to test and the methods used to test them.
o Test. Deploy runtime packages for users to test application compatibility.
o Analyze results. Assess the status of applications and determine what requires fixing.
o Mitigate. Understand compatibility problems and work to address them.
 Compatibility Administrator, including both 32-bit and 64-bit versions, contains many known fixes to
help resolve issues prior to deploying a new version of Windows. The Compatibility Administrator
database includes the following tables:
o Applications. This table includes many applications with known issues and the fixes that can be
applied to allow the applications to run.
o Compatibility Fixes. This table includes many preconfigured fixes (small pieces of code that
intercept certain API calls) that allow an application to run the same way it did on a previous
operating system. You can create custom compatibility fixes for applications, as necessary.
o Compatibility Modes. This table includes many preconfigured groups of compatibility fixes. You
can create your own compatibility modes, as necessary.
Note: Large organizations might have hundreds or thousands of apps in use. Although
compatibility testing is a necessary step in any upgrade project, you will not be able to test every
single app thoroughly because of the sheer amount of time that would require. In such
environments, you must identify the most critical apps for compatibility testing, and assume the
risk of using apps that have not been tested for compatibility.
Windows Performance Toolkit

You can install the Windows Performance Toolkit separately; however, it is a required component for
Windows Assessment Services. The Windows Performance Toolkit has two primary components, the
Windows Performance Recorder and the Windows Performance Analyzer with legacy support for Xperf:
 Windows Performance Recorder. You can use this to record events for analysis by using the Event
Tracing for Windows (ETW) functionality.
 Windows Performance Analyzer. You can use this to analyze the data collected by the Windows
Performance Recorder.
 Xperf. This is a command-line tool for collecting Event Tracing for Windows (ETW) events for analysis,
and it is included for legacy support.
Windows Assessment Services

Windows Assessment Services help you assess the performance, reliability, and functionality of a running
operating system or a set of features. This helps you diagnose problems and make improvements, and
consists of the following components:
 The Windows Assessment Services server. The server component provides a test framework that you
can use to automate the running assessments on multiple computers in a lab environment.
 Windows Assessment Services – Client (Windows ASC). This is the graphical user interface that you can
use to interact with Windows Assessment Services.
Assessments can help you to perform the following tasks:
 Assess the performance aspects of a single computer by using the Windows Assessment Console.
 Assess the performance aspects of multiple computers in a networked or lab environment by using
Windows Assessment Services.
Assessments consist of workloads that measure performance for specific scenarios. You create a custom
assessment job from the available assessments. You also can use the preconfigured templates. Each
assessment job consists of one or more workloads that measure specific processes. You can create custom
jobs from assessments such as:
 Boot performance (Fast Startup)
o Measures boot and shutdown times when using Fast Startup, and identifies components that
might cause delays.
 Boot Performance (Full Boot)
o Measures the overall duration of full boot and shutdown.
 Driver Verification
o Identifies issues with devices and drivers.

 File handling
o Measures the duration of common file functions, such as copy, move, delete, and zip.
 Out-of-Box Experience Performance (OOBE)

o Measures the duration of the first sign-in experience and reports on components that impact the
experience.
 Memory footprint
o Measures overall system memory usage, focusing on driver allocations and dynamic allocations.
The preconfigured job templates include at least one assessment by default and allow you to customize the
job by adding additional assessments related to the template. The available templates include:
 Battery life during idle periods
o Includes a single assessment, idle energy efficiency, which simulates idle time on the computer
while measuring the energy efficiency of the computer.
 Browsing experience
o Includes two assessments:

 Internet Explorer Security Software impact, which measures the primary performance
attributes of Internet Explorer that are typically impacted by antimalware and other browser
add-ins.
 Minifilter diagnostic: Internet Explorer, which identifies performance issues with minifilter
drivers during Internet Explorer launch.
MAP
MAP is an agentless inventory, assessment, and reporting tool that can securely assess the IT environments
for various platform migrations, including Windows 10, Microsoft Office 2016, Microsoft Office 365,
Windows Server 2012, Windows Server 2012 R2, SQL Server 2014, Microsoft Hyper-V, Microsoft Private
Cloud Fast Track, and Microsoft Azure.
Note: The next lesson provides more detail about MAP.

You can use Configuration Manager to maintain corporate compliance and control, while providing
employees access to the devices and applications they need to be productive. Configuration Manager
provides key management capabilities in application delivery, desktop virtualization, device management,
and security. This enables continued productivity even when devices proliferate, and might help in reducing
costs.
Configuration Manager allows you to perform tasks such as:
 Deploying operating systems.
 Deploying software applications.
 Deploying software updates.
 Monitoring software usage.

 Assessing and remediating deviation from desired configurations.
 Assess software compatibility.
 Taking hardware and software inventory.
 Remotely administering computers.
 Managing System Center Endpoint Protection.
Configuration Manager collects information in a Microsoft SQL Server database, allowing queries and
reports to consolidate information throughout the organization. Configuration Manager can manage a
wide range of Windows operating systems, including client and server platforms, and mobile devices.

Question
You are the IT manager for A. Datum Corporation. Your organization consists of multiple locations
connected to each other through a Multiprotocol Label Switching (MPLS) network. Over the
previous decade, the company has made several different computer purchases, and the application
portfolio has grown to include commercial and in-house developed applications. The chief
information officer (CIO) has decided that it is time for a hardware update. You have been asked to
develop a cost-effective plan to upgrade or replace all the client systems so that every user will be
using Windows 10. Which tools can help you develop this plan?
Windows ADK – Deployment tools
Windows ADK – Windows Assessment Services
MAP
Endpoint Protection
MDOP
Configuration Manager features that facilitate infrastructure assessment

You can use a number of Configuration Manager
features to inventory your organization’s hardware
and software. You can use Configuration Manager
Hardware Inventory, Software Inventory, and Asset
Intelligence features to gather information about
the hardware of client computers and mobile
devices, software, and files present on client
computers, and to monitor software licenses in the
enterprise.
The Assets and Compliance in System Center 2012

R2 Configuration Manager guide provides
documentation to assist you with using
Configuration Manager to manage your network devices, such as computers and mobile devices, by using
the following components:
 Asset Intelligence, which allows you to use the Asset Intelligence catalog to retrieve inventory data and
identify software-license usage throughout your enterprise.
 Asset Intelligence license management reports, which you can use to obtain data about licenses in use.
The license ledger report lists installed Microsoft applications in a format that is congruent with a
Microsoft License Statement. This provides a convenient method for matching purchased licenses with
used licenses.
 Discovery, which you can use to identify computer and user resources that you can manage by using
Configuration Manager.
 Hardware Inventory, which you can use to collect detailed information about the hardware of your
enterprise’s client devices. After you enable Configuration Manager hardware inventory, and the client
runs a hardware inventory cycle, the client sends the collected inventory information to the site
database. Configuration Manager hardware inventory runs on clients according to a schedule that you
specify in client settings.
 Software Inventory, which you can use to collect and report information about the files stored on client
computers in your organization.
 Software metering, which you can use to monitor and collect software usage data from clients.
Additional Reading: For more information on assets and compliance in Configuration

Manager, refer to Assets and Compliance in System Center 2012 Configuration Manager:
http://aka.ms/Cs7vn8.
Demonstration: Assessing hardware inventory by using Configuration

Manager
In this demonstration, you will learn how to use Configuration Manager to:
 Configure and run a hardware inventory.

 View hardware inventory data.
 View Asset Intelligence reports.

Demonstration Steps
Configure and run a hardware inventory

1. Open the Configuration Manager console.
2. Click Administration, and then click Default Client Settings.
3. Go to Properties, expand the Hardware Inventory item, and then view the options available.
4. On a client system, go to Control Panel, click System and Security, click Configuration Manager, and
then run a Hardware Inventory Cycle.
View hardware inventory data

 Return to the Configuration Manager console. After a few minutes, go to the Assets and Compliance
workspace, click Devices, and then click LON-CL1. Run the Resource Explorer tool. View the various
hardware items collected.
View Asset Intelligence reports

1. In the Configuration Manager console, go to the Monitoring workspace.
2. View the Hardware 08A – Hardware that is not ready for a software upgrade report.
Question: You are the IT manager for the Adatum company. Your organization consists of
multiple locations connected through an MPLS network. Over the previous decade, the
company has made several different computer purchases, and the application portfolio has
grown to include commercial and in-house developed applications. The chief information
officer (CIO) has decided that it is time for a hardware update. You have been asked to
develop a cost-effective plan to upgrade or replace all the client systems so that every user will
be using Windows 10. While looking through the data you previously collected, you decide
that you want to use Configuration Manager to assist with the assessment of your
environment. Which features of Configuration Manager do you think would be most helpful
with your assessment?
Lesson 3
Assessing deployment readiness by using MAP
When organizations upgrade operating systems, two of the biggest challenges that they face are the ability
to use existing applications on the new system, and the need to provide new applications. Additionally,
hardware specifications and minimum hardware requirements change over time and with operating system
versions. Simply upgrading might not be an option due to hardware issues, or simply installing or
reinstalling older applications on new systems in production might fail. Before you deploy any new systems,
you should assess and plan application and hardware compatibility carefully with the new operating
system. Microsoft created MAP as a free, comprehensive tool for migration planning, capacity planning,
and software and hardware tracking. This lesson covers the enhancements to this tool with the release of
Windows 10.
Lesson Objectives
At the end of this lesson, you will be able to:
 Explain the various phases involved in assessing the infrastructure by using MAP.
 Identify the MAP inventory and assessment reports.

 Explain how to use MAP for infrastructure and deployment readiness.
Overview of assessing the infrastructure using MAP

MAP is an agentless inventory, assessment, and
reporting tool that can securely assess the IT
environments for various platform migrations,
including:
 Windows 10, Windows 8.1, Windows 8, and

Windows 7.
 Microsoft Office 2013 and Microsoft

Office 365.
 Windows Server 2012 R2, Windows Server

2012 and Windows Server 2008 R2.
 SQL Server 2014 and SQL Server 2012.
 Microsoft Hyper-V Server 2012.

 Microsoft Private Cloud Fast Track.
 Microsoft Azure.
You can use MAP to scan and assess your organization’s readiness for Windows 10 and other upgrades.
MAP uses several agentless methods to connect to your network’s computers, assess their hardware and
device compatibility with Windows 10, and then create comprehensive Microsoft Word and Microsoft Excel
reports.
You need to consider very carefully how you will plan and conduct your deployment process. MAP is a tool
that can help you manage deployment, but you should consider its use carefully to get the best value from
it. You should tie your MAP use to a phased approach as part of your overall deployment strategy. There
are six distinct MAP deployment phases for you to consider, and the key to a successful MAP experience is
to complete each of the six phases sequentially. The following sections describe these phases.
Phase 1: Choose your goals

To use this phase correctly, it is important to know what MAP can do. MAP contains a number of inventory,
assessment, capacity planning, and software usage tracking scenarios that fit various industry situations.
MAP uses wizards to perform data collection, and that data can help you make better informed decisions.
The overall purpose of this phase is to understand what you are attempting to do when you deploy
Windows, and to obtain an overall idea of what the outcome will be. By knowing what you want to
accomplish, you can better use MAP to gather information, which the next phase does.
Phase 2: Gather your data-collection requirements

MAP communicates with machines in a network to collect information to use in various assessments. This
communication is subject to specific administration and security settings on the target machines, and is
based on many factors. These include the operating system, firewall, and antivirus settings, and the
information that you are trying to collect. During this phase, you gather the user accounts and passwords
that you need to connect and to inventory your environment successfully before you run the MAP toolkit.
You also must know the configuration of your environment and the target machines.
Phase 3: Prepare your environment

During this phase, you can adjust how MAP uses the several different communication protocols. These
include Windows Management Instrumentation (WMI), Active Directory Domain Services (AD DS),
SQL Server commands, and VMware Web Services and secure shell with remote shell commands. In this
phase, you will use the information that you gathered in Phase 1 and Phase 2. You need to prepare your
environment to ensure that MAP can connect and gather information from the target machine successfully.
To do this, you must enable the target machines to accept these communications. You can use Group
Policy Objects (GPOs), for example, to configure firewall and other settings to allow these communications.
Phase 4: Install MAP

MAP is a solution accelerator that is available as a free download from the Microsoft Download Center. You
install the toolkit according to the options that best fit your environment and goals. The MAP page on the
Microsoft Download Center has additional information and documentation to help you install MAP
correctly and then incorporate the information you gather into the installed MAP product. MAP stores
collected information in SQL Server databases. You can use either the Microsoft SQL Server 2012 Express
LocalDB, which is free, comes with MAP, and that you can install with MAP. Alternatively, you can use a SQL
Server database hosted on a Microsoft SQL Server 2008, SQL Server 2008 R2, or SQL Server 2012 database
server. If you use a full SQL Server installation, you will need to create a nondefault instance named MAPS
before you run the MAP installer.
Phase 5: Collect data

In phases one through four, you selected your goals, gathered data-collection requirements, prepared your
environment, and installed MAP. In Phase 5, you begin the data-collection process, which means that you
can begin using MAP. You use the following two wizards to collect the data that most scenarios require:
 Inventory and Assessment Wizard. The Inventory and Assessment Wizard is the starting point for all
MAP scenarios. Using the information gathered in the first three phases the step-by-step wizard will
prompt you to:
o Select your inventory scenario (Phase 1).
o Select your discovery method (Phase 2).
o Provide the credentials required so that you can connect and inventory the target machines
successfully (phases 2 and 3).
 Performance Metrics Wizard. The Performance Metrics Wizard collects specific performance-related
information such as CPU, memory, network, and disk utilization for Windows servers and clients, and
LINUX–based servers. The information that this collection mechanism gathers supports the capacity-
planning features for server consolidation, desktop virtualization, Microsoft Private Cloud Fast Track,
and Microsoft Azure application migration.
Phase 6: Review the reports

When you run the data-collection wizards, MAP will have the information necessary to generate custom
reports that are specific to the environment that MAP inventoried.
MAP inventory and assessment reports

To run the MAP wizards, install MAP on a single
computer that has access to the network on which
you want to conduct an inventory and assessment.
MAP has tools for assessing many different
scenarios, which are grouped together by their
general focus. Scenario groups applicable for
assessing desktops deployments include Desktop,
Desktop Virtualization, and Environment.
Before any reports can be generated, you must

collect data from the appropriate inventory
scenario. For example, when you plan a desktop
deployment, you can use the Windows computers
scenario to collect data about the Windows–based computers in your environment. After you run the
inventory scenario, you will be able to generate various Excel spreadsheet-based reports.
MAP includes several deployment assessment scenarios including assessments for Cloud, Desktop, Server,
and Desktop Virtualization. When you select an assessment scenario, several readiness scenarios that are
related to that assessment scenario are presented. This topic focuses on the Cloud, Desktop, and
Environment scenarios, and the readiness scenarios that are related to them.
Note: MAP generates many reports. This following list shows the scenarios relevant to
accessing and deploying Windows client operating systems and enterprise applications.
The following table lists the Windows 10 deployment scenarios and the reports that you can generate.
Scenario Description
Cloud All scenarios relevant to the migration to and use of cloud services and
products offered by Microsoft.
Office 365 Readiness This scenario provides readiness assessment of your environment for Office
365.
Accessing this scenario allows for the creation of the Office 365 Assessment
report. This is an Excel report that shows how many client computers are
ready for the Office 365 Web Apps Experience, how many are ready for full
client access to Exchange and SharePoint services, and how many are ready
for both Office 365 Web Apps and the full Microsoft Office client.
Additional tabs provide the supporting details for each of the systems
discovered.
Scenario Description
Desktop The desktop scenarios in MAP provide discovery and readiness assessments
for desktops inventoried in your environment.
Windows 10 Readiness This scenario assesses the viability of all the desktop hardware found in
your environment for the installation of Windows 10.
Accessing this scenario allows for the creation of the Windows 10 Readiness
report. This is an Excel report that shows how many systems are ready to
upgrade to Windows 10 and how many need hardware upgrades to be
ready for Windows 10. Additionally, there are tabs with the details for each
of the systems discovered.
Office 2013 Readiness This scenario assesses the viability of all desktop hardware found in your
environment for the installation of Office 2013.
Accessing this scenario allows for the creation of the Office 2013 report.
This is an Excel report that shows you how many systems currently have
Office 2013 or newer, how many systems are ready for Office 2013, and how
many systems are not ready for Office 2013. Additional tabs include
supporting details for each discovered system.
Environment The environment scenarios provide summary information about

the machines, databases, and other assets inventoried in your environment.
Performance Metrics This scenario provides a summary of the performance-metric data

collected in your environment.
Accessing this scenario allows for the creation of the Performance Metrics
report. The performance summary report provides a summary of the
collected performance data. The summary includes when the data was last
collected, the number of machines from which the data was collected, and
the number of machines that were not reachable.
Demonstration: Using MAP for infrastructure and deployment readiness

In this demonstration, you learn how to:
 Create an inventory database.
 View inventory data.
Demonstration Steps
Create an inventory database

1. Start the Microsoft Assessment and Planning Toolkit.
2. Create a Demo database, and then save it to the default database backup location \Program
Files\Microsoft Assessment and Planning Toolkit on drive C.
3. Import MAP_SampleDB into the Manage Database…Import a Database function.

View inventory data

1. Select the MAP_SampleDB database from the C:\Program Files\Microsoft Assessment and
Planning Toolkit\DatabaseBackups folder.
2. In the Desktop node, click Windows 10 Readiness.
3. Generate a Windows 10 Readiness report.
4. Review the Windows 10 Assessment Excel report with the class, by examining each tab and section.
5. Perform a similar report generation on the Environment node for the Inventory results. Review the
generated Excel report.
6. Close the console.
Question: You are the IT manager for the Adatum company. Your organization consists of
multiple locations connected to each other through an MPLS network. Over the previous
decade, the company has made several different computer purchases, and the application
portfolio has grown to include commercial and in-house developed applications. The CIO has
decided that it is time for a hardware update. You have been asked to develop a cost-effective
plan to upgrade or replace all the client systems so that every user will be using Windows 10.
As part of the planning phase, you have been gathering comments from the user base about
the environment. You are seeing frequent complaints about performance. How could you use
the MAP toolkit to assist with the migration planning, and to explore and assess the
complaints, and address performance issues, as necessary?
Lab: Assessing the network environment for supporting

Scenario
You are the IT manager at A. Datum Corporation. Your organization consists of multiple locations
connected to each other through an MPLS network. Over the previous decade, the company has made
several different computer purchases, and the application portfolio has grown to include commercial and
in-house developed applications. The CIO has decided that it is time for a hardware update. You have been
asked to develop a cost-effective plan to upgrade or replace all the client systems so that every user will be
using Windows 10. You have decided to use Configuration Manager and MAP to determine the best
migration path.
Objectives
After completing this lab, you will be able to:
 Determine your hardware and application inventory by using Configuration Manager.
 Inventory and determine your hardware and infrastructure readiness by using MAP.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20695C-LON-DC1, 20695C-LON-CFG, 20695C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In Hyper-V Manager, click 20695C-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 20695C-LON-CFG and 20695C-LON-CL1.
Exercise 1: Collecting hardware and application inventory by using

Scenario
To assist in your analysis, you decide to use the Hardware Inventory feature of Configuration Manager. The
inventory data includes information about applications other than Microsoft applications and details about
the installed hardware. You plan to use this information to target operating system and application
upgrades during the project's deployment phase.
The main tasks for this exercise are as follows:
1. Configure hardware inventory.
2. Review inventory data.
 Task 1: Configure hardware inventory

1. On LON-CFG, on the taskbar, click Configuration Manager Console.
2. In the Administration workspace, browse to Client Settings, open Default Client Settings, and then
configure the Hardware Inventory as follows:
o Enable hardware inventory on clients: Yes
o Hardware inventory schedule: Run every 1 day

3. Switch to LON-CL1, and then run a Hardware Inventory Cycle from the Configuration Manager
Properties.
 Task 2: Review inventory data

1. Switch to LON-CFG, and then return to the Configuration Manager console.
2. In the Assets and Compliance workspace, click Devices. Start the Resource Explorer tool, and then
examine the hardware inventory for LON-CL1. Review the collected data for information that might be
helpful in planning a deployment.
o Disk Partitions
o Installed Applications
o Operating System
3. Close the Configuration Management console.
Results: After completing this exercise, you should have collected hardware inventory from the client
computers and reviewed the information about your client computers’ configuration.
Exercise 2: Using MAP to determine infrastructure readiness

Scenario
The CIO has asked you to provide reports on the readiness of the environment for the operating system
deployment. You decide to use MAP to generate the necessary reports.
1. Create a sample database and perform an inventory on sample clients.
2. Review reports to determine infrastructure readiness.
3. To prepare for the next module.
 Task 1: Create a sample database and perform an inventory on sample clients

1. Sign in to LON-CL1 as adatum\administrator with the password Pa$$w0rd.
2. On the Start menu, open the Microsoft Assessment and Planning Toolkit, and then create an
inventory database called Client Assessment with a description of Initial assessment of Adatum
clients.
3. Perform an inventory of Windows computers by using the AD DS discovery method. Use

administrator@adatum.com and Pa$$w0rd for credentials.
4. For All Computer Credentials, add the administrator@adatum.com and Pa$$w0rd for credentials.
5. After the inventory runs, review the Computer Discovery and Collector Status sections. Click Close
when the assessment is complete.
 Task 2: Review reports to determine infrastructure readiness

1. Observe the Environment Summary in the Overview section.
2. Under the Desktop node, under Windows 10 Readiness, observe the Details section.
3. Under the Desktop node, view the Windows 10 Readiness Summary Results.
4. Run a report on Windows 10 Readiness, and then open and analyze the generated report.
Note: It might take a few minutes for the Generate Windows 10 Readiness Report link to
display.
5. Close all open windows, and then sign out of LON-CL1.
Results: After completing this exercise, you should have determined how many of the client computers are
ready for a Windows 10 upgrade.
 Task 3: To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following
steps:
2. In the Virtual Machines list, right-click 20695C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20695C-LON-CFG and 20695C-LON-CL1.
Question: What are the differences between MAP and Configuration Manager when you use
them to assess operating system deployment readiness?
Module Review and Takeaways

Real-world Issues and Scenarios
The tools this module describes are used to discover issues in pre-production and production
environments. You should consider some of the limitations of these tools when you decide where to use
them.
 Windows ADK
o ACT fixes should be considered short-term solutions while the applications are being re-developed
to work with Windows 10 natively. Using an older application with a compatibility fix can leave an
application or system with security vulnerabilities.
o The Windows Performance Toolkit that ships with the Windows 10 ADK/SDK is not compatible
with Windows 7 SP1 or Windows Server 2008 R2 SP1.
o Before you use the Windows Assessment Services to assess production systems, you should
consider the implications carefully. Many of the tests modify the target system in undesirable
ways, such as altering local user accounts or automatic logons, and can take hours to complete.
Generally, only nondomain, nonproduction systems should be used to perform assessments.
o Keep checking the Microsoft Deployment Toolkit Team Blog at http://aka.ms/E43xvk for updates
and changes.
 MAP
o The MAP inventory might not include all the applications installed on a system. The application
collection process queries WMI directly to find all applications that are installed through a
Microsoft Windows Installer (MSI). MAP does not discover applications that are not installed using
an MSI. Configuration Manager software inventory can collect information about applications on a
system that might not be visible to MAP.
o Keep checking the MAP Blog at http://aka.ms/Mll3el and MAP Toolkit Content Index (en-US) at
http://aka.ms/Nd394p for updates and changes, especially after new versions of MAP are released.
Review Question
Question: Which Microsoft products, features, or tools can you use to retrieve your network’s
hardware and software inventory?
2-1
Module 2
Determining operating system deployment strategies
Contents:
Module Overview 2-1
Lesson 1: Understanding tools and strategies you can use for operating system
deployment 2-3
Lesson 2: Using the High Touch with Retail Media deployment strategy 2-10
Lesson 3: Using the High Touch with a Standard Image deployment strategy 2-13
Lesson 4: Using a lite touch deployment strategy 2-16
Lesson 5: Using a zero touch deployment strategy 2-19

Lesson 6: Alternative deployment strategies for Windows desktops 2-22
Lab: Determining operating system deployment strategies 2-29
Module Overview
A new operating system usually contains a new set of features and services that most organizations will find
beneficial. However, many organizations believe that an operating system deployment is complicated and
expensive, which often reduces the perceived return on investment (ROI). This misconception causes
organizations, large and small, to decide against deployment, and overlook the multitude of benefits that a
deployment offers.
Organizations also often face other deployment challenges that prompt them to consider whether a
deployment is valuable, such as:
 Issues with respect to post-deployment application compatibility.
 User state migration issues.
 Lack of migration resources.
 Lack of best practices and implementation guides.
 Deficient end user training and support.
This module will help you understand the different deployment strategies and tools that you can use to
perform an effective operating system deployment.
2-2 Determining operating system deployment strategies
Objectives
 Describe tools and strategies that are available for an effective operating system deployment.
 Describe the High Touch with Retail Media deployment strategy.
 Describe the High Touch with a Standard Image deployment strategy.
 Describe the lite touch deployment strategy.
 Describe the zero touch deployment strategy.
 Describe an alternate deployment strategy for Windows devices.

Lesson 1
Understanding tools and strategies you can use for
In larger organizations, conducting an effective operating system deployment can be a complex and
strenuous process. Because of this, organizations often decide to postpone an upgrade, and sometimes
even avoid deployment of a full version of an operating system. However, with the right tools and
strategies, you can deploy a new operating system easily to hundreds, and even thousands of computers,
without it being a complicated project or requiring long hours from your information technology (IT)
professionals.
Lesson Objectives
 Describe guidelines for developing an effective operating system deployment strategy.
 Describe deployment features that the Windows Assessment and Deployment Kit (Windows ADK)
provides.
 Describe common enterprise deployment strategies.
 Explain how to use the Windows 10 in-place upgrade.
 Explain how to use Windows ADK tools in a deployment process.
Discussion: Common challenges in an operating system deployment

IT professionals encounter several challenges when
deploying an operating system to a new or existing
device. These challenges vary in impact and
difficulty based on the type of deployment that
you are executing and the existing environment in
which the device will operate. For instance, if you
are deploying a newer version of the Windows
operating system to an existing desktop computer,
you might face issues regarding data migration,
application compatibility, and your deployment
strategy. However, for new devices, or wipe-and-
reload scenarios, you will not have to worry about
application compatibility issues.
If you are an IT professional, you might have been involved with an operating system deployment project.
Based on your experience, answer the following questions:
 Did you deploy the operating system over a network or by using removable media, or by using both
methods?
 Did you use the installation files or a custom image?
 How did you handle the need for non-Microsoft device drivers?
 How did you handle product keys and licensing?

 How did you handle user state data migration?
 How did you handle application compatibility issues?
The answers to these questions will vary depending on your environment and your organization’s size,
including the level of automation that your environment allows and the deployment tools that are available
to you. However, these answers should summarize some of the key challenges that any organization
encounters when deploying an operating system.
Guidelines for developing an effective operating system deployment

strategy
There are different strategies that you can use to
deploy an operating system. The strategy that best
fits your needs will depend on many factors, such
as the number of devices to which you must
deploy the operating system, your deployment
scenarios, your end users’ needs, and the
deployment tools that are available in your
organization. You can follow the guidelines below
to identify the strategy that best meets your needs,
including that you should:
 Identify the deployment scenario or scenarios.

The scenario that you encounter will
determine the need for restoring user state data. There are four basic deployment scenarios that most
organizations see:
o New. You must install the operating system on a new device, which no one in your organization
has used. In this scenario, if you will be deploying the device for a new user, there might not be
user state data to migrate. This also can include existing devices that you will be treating as new,
when you do not need to retain any of the device’s data.
o Upgrade. You have to install the new operating system over an existing operating system. This
upgrades the operating system and retains all existing applications and settings.
o Refresh. You have to reinstall the operating system on the device, usually to address an issue with
the device, or to follow standardization protocols. In this scenario, you usually need to maintain
user state data that resides on the device.
o Replace. This is a combination of the two previous scenarios. You will use a new device as a
replacement for an existing device. Therefore, you have to transfer the existing device’s user state
data to the new device.
 Identify the operating system architectures to use. Your environment might still contain 32-bit
processor-based devices, and 64-bit processor-based devices. By identifying the available
architectures, you can determine the minimum number of images that you must create.
 Identify the necessary device drivers. Different hardware requires different drivers. Ensure that you
identify and secure the necessary drivers for each hardware device that you use from a particular
manufacturer. Do this for all applicable manufacturers.
 Identify storage and network resources that you can leverage during deployment. You must store
images, installation files, device drivers, and user state data, and then copy this data to the device
undergoing deployment. Ensure that you identify available file servers, and estimate the amount of
space that you need for each item that you must store and copy.
 Identify operating system features and settings that each deployment requires. You can automate most
settings to apply during deployment. Most organizations enable BitLocker drive encryption on their
Windows-based mobile devices. You can customize your deployment process to enable BitLocker after
deployment.
 Identify how you will handle licensing and activation. Smaller organizations usually have an individual
product key per user, while larger organizations might use Key Management Service (KMS) or multiple
activation key (MAK).
 Identify critical applications that you must maintain post-deployment. You need to ensure that
applications are compatible with the new operating system, or that you can mitigate any
incompatibilities. You will learn how to handle application compatibility issues in a later module.
 Document your environment, and choose the appropriate strategy based on the information that you
identify.
Deployment features in Windows ADK

The Windows ADK contains different tools that IT
professionals can use to assess, customize, and
deploy Windows operating systems to computers.
You typically use Windows ADK in two key
scenarios: Windows assessment and Windows
deployment. This topic focuses on Windows
deployment.
Windows ADK contains the following deployment

tools:
 Windows Imaging and Configuration Designer

(ICD). You can use the ICD to create
provisioning packages to customize a
Windows 10 deployment or to customize an existing Windows 10 installation.
 Deployment Image Servicing and Management (DISM) tool. DISM is available as part of the Windows
operating system, and you can use it to perform offline image servicing. This is crucial for maintaining
images that an operating system deployment uses. DISM is part of the Windows 7, Windows Server
2008 R2, and newer operating systems.
 Windows System Image Manager (SIM). You can use Windows SIM to create unattended Windows
Setup answer files.
 Windows Preinstallation Environment (Windows PE). Windows PE is the initial operating system that
you use during a Windows operating system deployment. Windows PE prepares a computer by
running tasks such as partitioning a hard drive, creating and formatting volumes, copying disk image
files to a system, and initiating setup.
 User State Migration Tool (USMT). USMT is a collection of executable files that you can use to copy user
state data from a computer. You then can load that data onto a new installation of the Windows
operating system.
 Volume Activation Management Tool (VAMT). VAMT provides a centralized tool for managing volume
licensed Microsoft products, including Windows operating systems and Microsoft Office products.
 Additional tools. You can use several command-line tools, such as oscdimg, which creates bootable
Windows PE .iso image files, and makewinpemedia, which creates Windows PE bootable universal
serial bus (USB) media.
 Technical reference documentation. This includes documentation for Windows Setup, DISM, the
System Preparation Tool (Sysprep), Windows SIM, Windows Recovery Environment (WinRE), and
additional deployment documentation.
Common enterprise deployment strategies

If you are deploying a small number of devices, the
process of using the Windows ADK tools to deploy
the Windows operating system to a device works
well for organizations of all sizes. It also is a widely
available process, since it does not require any
commercial deployment tools, just the operating
system media and Windows ADK.
Traditional deployment methods

Although this process works, it might not be the
best method for larger enterprises that need to
deploy Windows 10 to hundreds, or even
thousands, of devices. Depending on your
organization’s needs, and the tools that are available to you, you can use one of the following strategies to
deploy Windows 10:
 High Touch with Retail Media. This strategy involves using the Windows retail media on each individual
computer. You can use Windows SIM to create an answer file and automate a portion of the
installation. This strategy suits organizations that have a small, unmanaged network, few or no IT staff,
and a small network with fewer than 100 client computers.
 High Touch with Standard Image. This strategy involves the creation of a standard image, by using the
available tools in the Windows ADK, which you can customize. It requires an IT professional with
imaging knowledge, and is ideal for small or distributed networks with 100 to 200 client computers.
 Lite touch. This strategy involves the use of images and distribution technologies, such as Windows
Deployment Services, to provide minimum interaction during deployment. An IT professional starts the
process, and all other steps are automated. We typically recommend this method for organizations
that have a dedicated IT staff and a managed network with 200 to 500 client computers. You also can
integrate Windows Deployment Services with Microsoft Deployment Toolkit (MDT) and the latest
version of System Center Configuration Manager (Configuration Manager) to offer a lite touch
deployment experience.
 Zero touch. This strategy utilizes Configuration Manager to provide a fully automated deployment
experience that does not require any interaction. You also can integrate Configuration Manager with
MDT to offer a zero touch deployment experience. This is ideal for larger organizations that have more
than 500 client computers and a dedicated IT staff that has knowledge of Configuration Manager.
Note: The number of devices listed above for lite touch and zero touch strategies are
recommendations only. Large enterprises can use lite touch deployment for thousands of devices,
or could use Configuration Manager for lite touch or zero touch deployments.
Windows 10 scenarios
Organizations can use the traditional deployment scenarios when deploying Windows 10, and also can take
advantage of the following deployment scenarios.
 In-place upgrade. This deployment scenario provides a simple, automated process that leverages the
Windows setup process to upgrade automatically from an earlier Windows version. You also can use
this process to upgrade to a newer Windows 10 release. When you use an in-place upgrade, Windows
migrates existing data, settings, drivers, and applications automatically.
 Dynamic provisioning. You should use this deployment scenario to configure new Windows 10 devices
without having to deploy a new custom organization image to the device. Typically, you would use this
with an MDM service, such as Microsoft Intune, to support a Bring Your Own Device (BYOD) strategy
for your organization’s end users, or choose your own device scenario to provide final customizations
to a device.
Both of these scenarios eliminate the image creation process, which can simplify the deployment process
significantly.
Using the Windows 10 in-place upgrade

In the past, organizations have been reluctant to
perform in-place upgrades of their operating
systems. However, the Windows 10 in-place
upgrade method improves significantly on the
same functionality in previous Windows versions.
You can use the Windows 10 in-place upgrade
method only on Windows 7, Windows 8.0, and
Windows 8.1 operating systems. One of the
primary benefits of using the in-place upgrade
method is that the overall time to upgrade a
system is less than the wipe-and-load method. The
upgrade to Windows 10 automatically preserves all
data, settings, applications, and drivers from the existing operating system. Additionally, the in-place
upgrade process allows you to roll back to the previous operating system, if necessary.
The in-place upgrade method has four phases to upgrade a supported operating system to Windows 10,
and they include:
1. Copying files. The operating system is Windows 7, Windows 8, or Windows 8.1. When you run setup, it
checks the system, inventories the applications, inventories the drivers, assesses compatibility, and
prepares to run WinRE.
2. Installing features and drivers. You can use the WinRE system to back up the down-level operating
system, install Windows 10, and prepare Windows 10 for the next phase. It injects drivers and migrated
data into Windows 10.
3. Configuring settings. The first start into Windows 10 begins the specialization phase for Windows 10.
Drivers are installed, applications are migrated, and any additional files are migrated.
4. Final Phase. The Windows 10 upgrade is finished, welcoming the user back and the out-of-box
experience (OOBE) is presented.
The in-place upgrade method uses the standard Windows installation media image (Install.wim). The in-
place upgrade method does not support using custom images due to potential conflicts between existing
applications and new applications in a custom image. Additional scenarios that would require a traditional
wipe and load deployment are:
 Changing from Windows x86 to Windows 10 x64.
 Changing from legacy basic input/output system (BIOS) to Unified Extensible Firmware Interface (UEFI)
booting.
 Windows To Go or Boot from virtual hard disk installations.
 Devices with third party disk encryption.
 Dual boot or multi boot systems
Demonstration: Windows 10 in-place upgrade

In this simulation, you will see how to perform an in-place upgrade.
Demonstration Steps
The in-place upgrade to Windows 10 is the simplest way to deploy Windows 10 to existing systems.
Overview of Windows ADK tools in a deployment process

You can use Windows ADK to develop deployment
processes in your environment. You can create a
very basic deployment process, or a complex
deployment process that involves application and
hardware testing. A few steps that all image-
deployment processes have in common are the
creation and capture of a reference computer, and
the use of that image to build client systems.
A basic deployment process might include the

following steps, which you can perform without
using Windows ADK. However, by using Windows
ADK, you can make this process faster and more
consistent across multiple builds. The steps include that you:
1. Create Windows PE media. You can use a USB device or a bootable CD with Windows PE to capture
your image and deploy it after you customize it. You should:
a. Customize the image with any necessary drivers.
b. Customize the image with any additional packages, such as the Windows RE.
c. Use the makeWinPEMedia /ufd command to create the bootable USB device.
2. Create and modify answer files. To automate the installation, you need to create answer files with the
configuration that you want to use, including that you should:
a. Use the installation media to create a catalog file that Windows SIM can use.
b. Modify a sample answer file to fit your needs, and include any drivers or other packages in the
installation.
c. Create the answer file for your environment.
d. Copy the answer file to the root directory of the USB device and name it Autounattend.xml.
e. Create a profile that includes the CopyProfile setting, so that you can customize the default user
profile. You also can customize the profile manually by making direct changes to the registry or
creating a script that uses the REG command.
f. Copy the answer-file profile to the root directory of the USB device as CopyProfile.xml.
3. Use the answer file that you created to install a Windows operating system on your reference
computer:
a. Plug the USB device into the reference computer.
b. Use the Windows product CD to start the reference system. The setup process will use the
Autounattend.xml file to complete the installation.
c. Customize the administrator profile.

d. Ensure that the USB device with the CopyProfile.xml is plugged in.
4. Capture the image:
a. Use Sysprep to generalize the system. To use the CopyProfile.xml file, you use the following
Sysprep command, on a single line with no space after /unattend:
C:\Windows\System32\Sysprep\Sysprep.exe /generalize /oobe /shutdown /unattend:

D:\CopyProfile.xml
b. Start the computer from the Windows PE USB device.

5. Use the DISM tool to copy the Windows partition to a network location or external hard drive.
6. Deploy the image to a test computer:
a. Start the test system with the Windows PE USB device.
b. Use diskpart to configure the hard drive as appropriate.
c. Use the applyimage command to apply the previously captured image.
d. Verify that the computer image and profile settings are correct.
You can extend this deployment process by using additional tools that are available in Windows ADK,
including that you can:
 Use the Application Compatibility Toolkit (ACT) to validate your application on a test computer.
 Install and configure USMT to capture user profiles if you are deploying Windows in a refresh scenario.
 Install and configure VAMT if you are deploying volume licensed versions of the Windows operating
system.
Question: In your environment, will you use the Windows 10 in-place upgrade?
Lesson 2
Using the High Touch with Retail Media deployment
strategy
Smaller organizations with little or no IT staff often deploy the Windows operating system by using the
High Touch with Retail Media strategy. Although it is a simple process, the person who executes the
deployment must spend a significant amount of time on it. Even without IT staff, you can reduce this time
by using answer files and accessing the retail media over a network.
Lesson Objectives
 Describe the High Touch with Retail Media strategy.
 Explain the requirements for using the High Touch with Retail Media strategy.
 Describe the High Touch with Retail Media deployment process.
 Explain the limitations of the High Touch with Retail Media strategy.
What is a High Touch with Retail Media strategy?

Most small organizations purchase new computers
on which the original equipment manufacturer
(OEM) or OEM partner has installed an operating
system. However, these organizations typically
understand the benefits of upgrading their
operating system to Windows 8.1 without buying
new equipment. Therefore, they opt to refresh or
upgrade the operating system by running the
setup program from the retail media.
This is acceptable for smaller organizations that

require installation on a few computers only.
However, even in the smallest of organizations,
running the setup program and configuring all of its options repeatedly is tedious and time-consuming.
Additionally, there is a large margin for human error. However, you can use an answer file to avoid this
repetition, and automate the following steps of the Windows operating system setup, including the:
 Partitioning of the hard disk.
 Installing of device drivers.

 Installing apps.
 Applying updates.
 Configuring settings.
 Enabling and disabling features.
 Suppressing the Setup user interface.

Note: An answer file is an XML file that contains settings that Windows applies during Setup.
You can create these files by using any text editor, but that requires an understanding of the XML
schema that the Windows Setup program uses. To facilitate the creation of answer files, use
Windows SIM.
Requirements for Using the High Touch with Retail Media strategy
The requirements for using High Touch with Retail
Media are minimal. The only necessary
components are the:
 Windows 10 media
 Windows SIM (available from Windows ADK

for Windows 10)
 Removable media to store the answer file

(Unattend.xml)
Note: Several websites provide functionality

similar to Windows SIM. If you use any of these sites, ensure that you never expose your
organization information. For instance, never use your product key on these websites, use XXXXX-
XXXXX-XXXXX-XXXXX-XXXXX instead, and then edit the answer file to include your actual product
key.
Additional Reading: To download the Windows ADK for Windows 10 update, refer to
http://aka.ms/J8vq9g.
Overview of the High Touch with Retail Media Deployment Process

The High Touch with Retail Media deployment
process has six steps:
1. Create the Unattend.xml answer file by using

Windows SIM or any other method with which
you are familiar.
2. Copy the Unattend.xml file to removable
media.
3. Connect the removable media that contains

the Unattend.xml file to the computer on
which you plan to deploy Windows 10.
4. Run the setup program, start the computer

from the retail media DVD. The setup program will look for the unattend.xml file in any removable
device that is present on the client computer.
5. Install the required apps, and then configure any settings that the Unattend.xml file does not include.
6. Activate the computer online.

Limitations of the High Touch with Retail Media strategy

The High Touch with Retail Media strategy is
suitable for smaller environments, with just a few
dozen computers. However, it does have
limitations, including that it:
 Can cause issues when deploying to multiple

computers. Larger organizations might need
to deploy an operating system to hundreds,
sometimes thousands, of computers
simultaneously. Using this strategy for a large
amount of computers is time consuming and
can create errors. Consider using lite touch or
zero touch strategies for such environments.
 Requires that you refresh computers frequently. Even if your organization has a dozen computers, but
has a requirement of refreshing all computers frequently (which is common on kiosk computers and
Internet cafes), using this strategy will be too time consuming.
 Requires deploying multiple versions and editions of the Windows operating system. The use of the
same answer file for multiple versions of the Windows operating system is not supported. You must
have a separate file, that is made for each version of the Windows operating system that you are
deploying.
Question: In your environment, will you be using the High Touch with Retail Media
deployment strategy?
Lesson 3
Using the High Touch with a Standard Image deployment
strategy
Smaller organizations with a small IT staff often deploy the Windows operating system by using the High
Touch with a Standard Image strategy. Although this is a simple process, it requires some preparation time
to create the standard image for the organization. Standard images are ideal for smaller organizations that
require the same operating system, and mostly the same settings and applications on all network
computers.
Lesson Objectives
 Describe the High Touch with a Standard Image deployment strategy.

 Explain the requirements for a High Touch with a Standard Image deployment.
 Describe High Touch with a Standard Image deployment process.
 Explain the limitations of a High Touch with a Standard Image deployment.
What is a High Touch with a Standard Image strategy?

Smaller organizations tend to use retail media to
deploy the Windows operating system on their
computers, but even when you use a Unattend.xml
answer file, the tedious repetitive process of
running the setup program on several computers
can result in human error and slightly different
settings on each individual computer. To reduce
human error and provide a faster deployment
experience, you can use the High Touch with a
Standard Image deployment strategy.
This strategy makes use of a standard installation

of an operating system on a computer, usually
known as a reference computer. You configure the reference computer according to your organization’s
needs. Once you configure it, you take a snapshot or image of the reference computer, and apply it to all
target computers. This reduces the need for an answer file, although you still will use them for automating
the Windows setup portion of the deployment. Additionally, it guarantees a consistent configuration across
all computers. Furthermore, organizations can provide their OEMs with a copy of their standard image, so
that OEMs can provide newly purchased computers that have the image.
The High Touch with a Standard Image deployment strategy provides the following benefits:
 Faster deployments. All applications and settings are present on the standard image, reducing the time
it takes to configure the computer after deploying the operating system.
 Reduced testing and validation time. Because you will be applying the same image to all computers,
you can perform testing on a smaller set of target computers, as long as they have similar hardware
settings.
 Offline updating. You can apply updates to the standard images, thereby reducing the time it takes to
apply updates to all computers.
 Reduced support issues. Because settings are consistent throughout the entire organization, this
reduces troubleshooting time, and you can apply the same fix to all computers.
Requirements for using the High Touch with a Standard Image strategy
The High Touch with a Standard Image
deployment strategy requires a few more
components than the High Touch with Retail
Media strategy. The main difference between the
two strategies is that when using the High Touch
with a Standard Image strategy, you need an IT
professional to create the standard image. The
only necessary components are:
 Windows 10 media
 Windows ADK for Windows 10
o Windows PE
o DISM
o Windows SIM
o ACT (optionally)
 Removable media on which to store the standard image
 A reference computer on which you will create the standard image
 A target computer on which to test the image
Overview of the High Touch with a Standard Image deployment process

The High Touch with a Standard Image
deployment process includes the following steps:
1. Optionally use the ACT to gather app

information from your network, prioritize
apps, and remediate compatibility issues.
Note: A later module will discuss the ACT.
2. Install Windows 10 on the reference computer

by using retail media. You can use the High
Touch with Retail Media deployment strategy.
3. Install all necessary applications, device drivers, and updates on the reference computers. You also
might configure the necessary features and settings.
4. Run Sysprep to generalize the image, and then shut down the computer. Some applications might not
work with Sysprep, and you might want to automate the installation by using an answer file.
5. Start the reference computer by using Windows PE, and capture the image by using DISM.
6. Copy the image to a removable device or a network share.
7. Create an answer file that points to the newly created image, or create a new installation media and
replace the install.wim file with the newly created image.
8. Run the setup program from the new installation media, or run it from the old media by using an
answer file. You can also use DISM to apply the image by using an answer file.
9. Activate the computer online if you do not have a volume license.
Limitations of the High Touch with a Standard Image deployment

The High Touch with a Standard Image strategy is
suitable for small environments, with no more than
a few dozen computers being deployed at one
time. To better understand its limitations, consider
that it is:
 Unsuitable for multiple images. This strategy is

only suitable for organizations that require the
same applications on all computers, and you
can use a single image. For larger
organizations with varying application needs,
it would be better to use an image containing
the bare operating system without
applications in a lite touch or zero touch deployment.
 Unsuitable for images that need multiple updates. You can use Sysprep as many times as you want on a
computer. However, when you generalize an image by using Sysprep, this resets the computer’s
activation clock. This reset can occur only three times for retail media. Therefore, if you have to update
an image more than three times, you might have to recreate it from scratch. A possible solution for this
problem is to use a virtual machine (VM) as a reference computer, and save a snapshot prior to running
Sysprep.
 Not scalable. This strategy requires a technician, and optionally removable media, for each installation.
Therefore, this strategy does not scale to larger organizations with hundreds, or thousands, of
computers.
 No upgrades. Because you are deploying an image, you cannot use this strategy to upgrade an existing
deployment of the Windows operating system.
Question: In your environment, will you use the High Touch with a Standard Image method
for migrating to Windows 10?
Lesson 4
Using a lite touch deployment strategy
Larger organizations often use several Microsoft tools, such as the Windows ADK and the tools available in
the operating system, to automate operating system deployments in their environments. These
organizations might benefit from using the MDT 2013 Update 1, a free supported set of tools that you can
use to achieve a lite touch deployment. Lite touch deployments are ideal for larger organizations. Unlike a
high touch deployment, lite touch deployments do not require that an IT technician deploys the operating
system on every computer individually.
Lesson Objectives
 Describe the lite touch deployment strategy.
 Explain the requirements for a lite touch deployment.

 Describe the process for executing a lite touch deployment.
 Explain the limitations of a lite touch deployment.
What is a lite touch deployment strategy?

Lite touch deployments are automated
deployments that require some user intervention.
A user must be present at the computer to initiate
the installation process and provide custom
settings, if necessary. You also can use an answer
file to provide custom information.
Most organizations that use the lite touch

deployment strategy have a standardized network
environment. Typically, the network has Active
Directory Domain Services (AD DS) installed, and
the prerequisites required to implement Windows
10 by using the automated techniques that MDT
2013 Update 1 and Windows ADK for Windows 10 provide. Lite touch deployments do not require MDT,
and you can perform one by using Windows Deployment Services or an unattended file. However, for
better management of images, drivers, and settings, the use of MDT is advisable.
The lite touch deployment strategy provides the following benefits:
 Easier deployment. You can use MDT 2013 Update 1 to provide device driver, application, and update
installation.
 Streamlined maintenance. You can use MDT 2013 Update 1 to update device drivers, applications, and
images.
 Scalable. There is no need for someone to be present at each computer during deployment.
Additionally, using a network to push deployment facilitates scalability to hundreds, even thousands, of
computers simultaneously.
 Reduced support issues. Settings are consistent throughout the entire organization, which typically
reduces troubleshooting time, and allows you to apply the same fix to all computers.
 Can use multiple images. You can use a single thin image, and install apps depending on needs. You
also can use multiple thick images that contain all apps required for different user groups.
Requirements for using lite touch deployments

The lite touch deployment strategy has a few more
requirements than the high touch deployment
strategies. The main difference is the need for a
standardized network environment. The necessary
components include:
 Volume licensed media. You obtain this media
through your organization’s license
agreement with Microsoft. It contains the files
necessary to install the operating system,
including the boot.wim and install.wim files.
 Microsoft Assessment and Planning Tool

(MAP). MAP is not a mandatory requirement.
However, you can use it to assess your environment and plan your deployment. However, it is not
required, or even necessary, for a successful deployment.
 Windows ADK for Windows 10:
o Windows PE. Use Windows PE to start devices during deployment.
o DISM. Use DISM to capture and apply images.

o Windows SIM. Use Windows SIM to create answer files.
o ACT. ACT is not a mandatory requirement. Use it to mitigate application compatibility issues.
o USMT. Use USMT for refresh scenarios to migrate user state data.
o Windows Deployment Services or removable media. Start devices from your network by using
Windows Deployment Services or locally by using removable media.
 MDT 2013 Update 1. Use MDT to manage images, device drivers, and task sequences.
 File server to store distribution share. Use a file server to store all images, device drivers, and other
elements that MDT requires.
Overview of the lite touch deployment process

The lite touch deployment process has several
steps, including that you:
1. Determine organization’s readiness by using

MAP.
2. Determine and mitigate compatibility issues

by using ACT.
3. Prepare the lite touch infrastructure by

deploying a file server or identifying a file
server that MDT can use. Additionally, we
recommend that you install Windows
Deployment Services, although it is optional.
4. Install MDT 2013 Update 1.
5. Create a distribution share. Distribution shares store operating system installation media, images,
applications, device drivers, and updates.
6. Create a task sequence for each configuration that your environment requires. You create task
sequences in MDT, and they contain tasks used to deploy Windows 10, configure a computer, and
install apps and device drivers.
7. Create and update a deployment share in MDT. When you update a deployment share, you create
Windows PE boot images that you can use to start target computers during deployment.
8. Add the images that you created in step 7 to Windows Deployment Services or a removable device.
9. Start the target computer by using Windows Deployment Services or the removable device that you
used in step 8.
Limitations of a lite touch deployment strategy

A lite touch deployment strategy does not have
any significant limitations for medium and large
organizations. However, it does require some user
interaction, as you must start the target computer
so that it can communicate with Windows
Deployment Services, or someone must start the
deployment from removable media. However, it is
extremely easy for larger organizations to move
from a lite touch deployment to a zero touch
deployment, which the next lesson covers.
Question: In your environment, will you use a

lite touch deployment strategy?
Lesson 5
Using a zero touch deployment strategy
A zero touch deployment is a fully automated deployment with zero user interaction. Larger organizations
that have a standardized network environment and IT professionals who are proficient in Configuration
Manager and MDT 2013 Update 1 can use these tools to provide a zero touch deployment, or they can use
Configuration Manager without MDT to create a zero touch deployment.
Lesson Objectives
 Describe the zero touch deployment strategy.
 Explain the requirements for a zero touch deployment.
 Describe the zero touch deployment process.
 Explain the limitations of a zero touch deployment process.
What is the zero touch deployment strategy?

Zero touch deployments are fully automated
deployments that do not require any user
interaction. You can start zero touch deployments
remotely from a Configuration Manager server,
and Configuration Manager administrators can
monitor them.
Organizations that use a zero touch deployment

strategy have a standardized or fully automated
network environment. Typically, the network has
AD DS installed, including the prerequisites
required to implement Windows 10 by using the
automated techniques that Configuration
Manager, MDT 2013 Update 1, and Windows ADK for Windows 10 provide.
The zero touch deployment strategy offers several benefits, including:
 Easier deployment. You can use Configuration Manager alone or Configuration Manager and MDT
2013 Update 1 integrated together to install device drivers, applications, and updates.
 Streamlined maintenance. You can use Configuration Manager (with or without MDT 2013 Update 1) to
update device drivers, applications, and images.
 Highly scalable. There is no need for a technician to be present at each computer during deployment.
Additionally, the use of Configuration Manager to push the deployment facilitates scalability to
hundreds, even thousands, of computers simultaneously.
 Reduced support issues. Settings are consistent throughout the entire organization, so this method
reduces troubleshooting time and applies the same fix to all computers.
 Can use multiple images. You can use a single thin image, and install applications depending on needs,
or you can use multiple thick images that contain all applications required for different user groups.
Requirements for using zero touch deployments

When compared to the lite touch deployment
strategy, the zero touch deployment strategy has a
few more requirements. The main difference is the
need for Configuration Manager. The necessary
components for zero touch deployments include:
 Volume licensed media. This is the media

obtained through your organization’s license
agreement with Microsoft. It contains the files
necessary to install the operating system,
including the boot.wim and install.wim files.
 MAP. MAP is not a mandatory requirement.

You can use it to assess your environment and
plan your deployment, but again, it is not required or necessary.
 Windows ADK for Windows 10
o Windows PE. Use Windows PE to start devices during deployment.
o DISM. Used in Configuration Manager task sequences to capture and apply images.
o Windows SIM. Use Windows SIM to create answer files.
o ACT. ACT is not a mandatory requirement, but you can use it to mitigate application compatibility
issues.
o USMT. Use USMT to migrate user state data in refresh scenarios.
 MDT 2013 Update 1. MDT Update 1 is not required for zero touch, but you can use it to integrate with
Configuration Manager and allow Configuration Manager to use the zero touch deployment task-
sequence template.
 Configuration Manager and its prerequisites. Configuration Manager assumes the roles that MDT
typically plays in a deployment.
Overview of the zero touch deployment process

The zero touch deployment process includes the
following steps:
1. Determine your organization’s readiness by

using MAP.
2. Determine and mitigate application

compatibility issues by using ACT.
3. Prepare the zero touch infrastructure by

deploying a fully functional Configuration
Manager environment.
4. Install MDT 2013 Update 1, and configure

integration with Configuration Manager.
Note: MDT is not a mandatory requirement for zero touch scenarios. However, we
recommend it highly because you can integrate it with Configuration Manager.
5. Create a capture image optionally. You can use Configuration Manager to capture an image from a
reference computer.
6. Create a task sequence for each configuration needed in MDT 2013 Update 1 or Configuration
Manager.
7. Deploy the task sequence that you created in MDT or Configuration Manager to a collection in
Limitations of the zero touch deployment process

The zero touch deployment strategy’s most
significant limitations are the required
infrastructure and the skills required to manage it.
The zero touch deployment strategy is dependent
on Configuration Manager related software and
network connectivity between the Configuration
Manager environment and the clients being
managed. Additionally, it does require a
specialized IT staff to operate Configuration
Manager, which some organizations might view as
a limitation.
Question: How do you use DISM in zero

touch deployments?
Lesson 6
Alternative deployment strategies for Windows desktops
Organizations have used high touch, lite touch, and zero touch deployment strategies for decades. With
the evolution of the Windows operating system, MDT, and Configuration Manager, these strategies have
become easier to implement, and organizations are using them more often. However, beginning with
Windows 7 and Windows Server 2008 R2, Microsoft introduced additional deployment alternatives that
support specific needs that the high, lite, or zero touch deployments do not support. However, with
Windows 8 and Windows 8.1, the virtual hard disk with native boot and the Windows to Go deployment
strategies were introduced. In Windows 10, you also can use Windows ICD to provision devices.
Lesson Objectives
At the end of this lesson, you will be able to:
 Describe how to use Windows ICD to provision a device.

 Describe the virtual hard disk with native boot deployment strategy.
 Explain the requirements for a virtual hard disk with native boot deployment.
 Configure virtual hard disk with native boot.

 Describe Windows To Go.
 Explain the requirements for Windows To Go.
 Create a Windows To Go Image.
Using Windows ICD to provision a device

Windows ICD helps you customize and provision
Windows 10 images. As part of the Windows ADK,
the Windows ICD is an optional, free tool that you
can download and use independently of
Configuration Manager. You can use the Windows
ICD to create custom Windows 10 deployments
with provisioning packages or to create
provisioning packages that you can use to
customize existing devices.
When provisioning an existing device, use the

Windows ICD to create a new provisioning
package. You can configure the new provisioning
package to support settings that are:
 Common to all Windows Devices
 Common to all Windows desktop editions
 Common to all Windows mobile editions

 Windows 10 IoT Core editions
Note: For additional information about Windows 10 for the Internet of Things (IoT) edition
visit: http://aka.ms/Buvdmo.
After you determine which type of package to create, you must decide which customizations to configure.
For example, the customizations settings common to all Windows mobile editions include:
 AutomaticTime
o NTPRegularSyncInterval
 Use to set interval between time sync (hours)
o NTPRetryInterval
 Use to set Retry if regular sync fails (hours)
o NTPServers
 Enumerates the Network Time Protocol (NTP) source server that the NTP client uses
 Certificates
 Allows you to add certificates into the following stores:
o CACertificates
o ClientCertificates
o RootCertificates
o TrustedPeopleCertificates
o TrustedProvisioners
 EditionUpgrade
o UpgradeEditionWithLicense
 Enable an edition upgrade of Windows 10 mobile devices. Does not require reboot.
o UpgradeEditionWithProductKey
 Enable an edition upgrade of Windows 10 desktop devices. Requires reboot.
You can configure more than 30 settings for the customizations settings that are common to all Windows
mobile editions. Once you configure all of the settings that you need, you can save the project, and then
deploy it to a USB-connected device or a removable drive. You also have the option to export the settings
as a provisioning package.
You can deploy a provisioning package in the following ways.
Package delivery method Initiation method Supported device
Removable media From the start menu, click All Windows 10 devices.
Settings, click Accounts,
click Work Access, and then
click Add or remove a
management package.
Downloaded the package to a Double-click the package Windows 10 for desktop

network share, and then copy it to a file. editions.
local folder on the systems that you
will provision.
From a USB-tethered device. Drag-and-drop the package Windows 10 Mobile devices and
file onto the target device. IoT Core devices.
Note: For more information, go to Getting started with Windows ICD:

http://aka.ms/Cdxruh.
What is the virtual hard disk with native boot deployment strategy?
Organizations became familiar and proficient in
managing virtual hard-disk drive files that their
VMs use, thanks to the increased adoption of
virtualization technology in the past decade.
Virtual hard disk with native boot is a simple .vhd
file that contains a Windows image, and you can
use it to start a computer.
Virtual hard disk with native boot deployments are

not a replacement for traditional deployment
strategies, such as lite touch and zero touch
deployments. In fact, they address a series of
different scenarios that these strategies do not
cover, including:
 Deploying the Windows operating system for multiple boot scenarios, without requiring multiple disk
partitions.
 Deploying supported Windows images for fast deployment in reusable testing and development
environments.
 Replacing virtual hard disk images for server recovery or redeployment.
Requirements for using the virtual hard disk with native boot strategy
To use virtual hard disk with native boot on a
computer, you must meet the following
requirements, including that:
 Your local disk must have two partitions or

more, including a:
o System partition. This partition must have

a Windows 8.1 or newer boot-
environment and a Boot Configuration
Data (BCD) store.
o Virtual hard disk partition. This partition

should contain one or more .vhd or .vhdx
(Windows 8 and newer only) files.
 You must have enough physical space to expand dynamic virtual hard disks to their maximum size, and
use page-file creation when booting from the virtual hard disk.
Note: You create the page file for a virtual hard disk with native boot outside the virtual hard
disk, which differs from when you use a virtual hard disk in a VM.
Demonstration: Configuring virtual hard disk with native boot

In this simulation, you will see how to:
 Configure Windows 10 to start from a virtual hard disk with native boot.
 Start the computer from a virtual hard disk with native boot.
 Remove the virtual hard disk with native boot.
Demonstration Steps
This simulation demonstrates the steps to configure Windows 10 to start from a virtual hard disk with native
boot. You also will see how to start a computer from a virtual hard disk with native boot, and remove the
virtual hard disk with native boot.
What is Windows To Go?

Windows To Go is an enterprise option in Windows
8 and newer operating systems that provides a
bootable Windows environment from an external
USB drive on a computer that is running any
operating system. This environment is a Windows
To Go workspace, which is not a substitute for any
other deployment strategy. However, they provide
answers to new challenges that most large
organizations face today, such as mobile
computing and BYOD scenarios.
Windows To Go provides several benefits,

including:
 No footprint. Nothing is installed on the computer on which you use Windows To Go, which runs in its
self-contained environment from a USB key.
 BitLocker Drive Encryption. BitLocker is built in to Windows To Go drives.
 A 60-second lockdown. When you remove the drive while you are working, you have 60 seconds to
plug it back in without losing any work.
 Easy licensing. If you utilize software assurance, employees can take a Windows To Go drive to work on
their personal computers without needing a new license.
Requirements for using Windows To Go

To use Windows To Go on a computer, you must
meet the following requirements, including that
you:
 Configure the host computer to start from a

USB. Windows To Go is contained in a USB
key, so you might need to change your
device’s BIOS or UEFI settings to allow it to
start from a USB.
 Ensure that your host computer meets the

minimum hardware requirements for
Windows 10. As long as the device on which
you want to run Windows To Go is compatible
with Windows 10, you can use it. The operating system that is installed currently on the device does not
affect Windows To Go, since you will start the device from the USB key, and never actually touch the
operating system that is installed on the device.
 The host computer must have firmware that is compatible with the architecture that you use to create
the Windows To Go workspace. If you create a Windows To Go workspace from a 64-bit computer, it
can run only on a 64-bit device.
To create a Windows To Go workspace, you must meet the following requirements, including that you:
 Use a Windows To Go-certified USB 3.0 drive, 32 gigabytes (GB) or larger. Windows To Go-certified is
not a hard requirement, but rather a recommendation. Drives that are certified with Windows To Go
are built to last longer and work as a solid-state drive (SSD) more than a simple USB flash drive.
However, you can use any USB drive with Windows To Go.
 Have a Windows 10 Enterprise license. Windows To Go is an enterprise feature of Windows 8.1 and
newer versions.
 Have a generalized Windows 10 Enterprise image. This is the image to use for your Windows To Go
workspace. Make sure that it contains all of the applications that you want to make available to users.
Creating a Windows To Go image

From within Windows 10, you can create a
Windows To Go environment in two ways. You can
use the Windows To Go workspace wizard, or you
can use Windows PowerShell, DISM, and bcdboot.
Note: You also can use Configuration

Manager to build Windows To Go media.
To create a Windows To Go workspace by using

the Windows To Go Creator Wizard, perform the
following procedure:
1. Insert a certified USB 3.0 drive on a computer that is running Windows 10.
2. Ensure that you have a .wim file that contains a valid Windows 10 generalized image.
3. In Cortana, type Windows To Go, and then click Windows To Go.
4. In the Create a Windows To Go workspace wizard, on the Choose the drive you want to use page,
select the drive that you just plugged into the computer, and then click Next.
5. On the Choose a Windows 10 image page, select the generalized .wim file. If your generalized image
is not displayed, click on Add search location, and then browse for the folder in which the image is
located.
6. On the Set a BitLocker password (optional) page, enable Use BitLocker with my Windows To Go
workspace, type a password in the Enter your BitLocker password text box, enter your password in
the Reenter your BitLocker password text box, and then click Next to enable BitLocker or click Skip
to skip this setting.
7. On the Ready to create your Windows To Go workspace page, click Create. The workspace creation
can take approximately 20 to 30 minutes or longer if you are not using a USB 3.0 drive.
8. On the Choose a boot option page, click Yes to configure your computer to start from a USB, or click
No. You can come back to this page to reset your start options.
9. Click Save and close.
To create a Windows To Go workspace by using Windows PowerShell, DISM, and bcdboot, perform the
1. Insert a certified USB 3.0 drive on a computer that is running Windows 10.
2. In Cortana, type PowerShell, and right-click on Windows PowerShell, and then click Run as
administrator.
3. In the Windows PowerShell console, type each of the following commands, pressing Enter after each
command. These commands will format and partition the disk, and prepare it for the Windows To Go
image:
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and
-not $_.IsBoot }
Clear-Disk –InputObject $Disk[0] -RemoveData
Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR
$SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive
Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 -Partition
$SystemPartition
$OSPartition = New-Partition –InputObject $Disk[0] -UseMaximumSize
Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS -Partition
$OSPartition
Set-Partition -InputObject $SystemPartition -NewDriveLetter "S"
Set-Partition -InputObject $OSPartition -NewDriveLetter "W"
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
4. In the Windows PowerShell console, execute the following command by replacing imagepath with the
full path to the .wim file that you want to use, and indexNumber with the image’s index number in the
.wim file. If the .wim file has a single image, use 1. Type the following command, and then press Enter:
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1

/applydir:W:\
5. In the Windows PowerShell console, execute the following command:
W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:

6. To prevent Windows To Go from bringing an internally connected drive online when it starts, create a
file named san_policy.xml with the contents below in the W: partition of the USB drive:
<?xml version='1.0' encoding='utf-8' standalone='yes'?>

<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="offlineServicing">
<component
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
language="neutral"
name="Microsoft-Windows-PartitionManager"
processorArchitecture="x86"
publicKeyToken="31bf3856ad364e35"
versionScope="nonSxS"
>
<SanPolicy>4</SanPolicy>
</component>
<component
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
language="neutral"
name="Microsoft-Windows-PartitionManager"
processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35"
>
<SanPolicy>4</SanPolicy>
</component>
</settings>
</unattend>
7. In the Windows PowerShell console, type the following command to apply the file that you created
above, and then press Enter:
Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
8. Create an answer file (Unattend.xml) in the W:\Windows\System32\sysprep folder of the USB drive, and
ensure that the file includes the following code:
<?xml version="1.0" encoding="utf-8"?>

<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-WinRE-RecoveryAgent"
processorArchitecture="x86"
publicKeyToken="31bf3856ad364e35" language="neutral"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UninstallWindowsRE>true</UninstallWindowsRE>
</component>
<component name="Microsoft-Windows-WinRE-RecoveryAgent"
processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35" language="neutral"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UninstallWindowsRE>true</UninstallWindowsRE>
</component>
</settings>
</unattend>
Question: Do you plan to use any of the alternative methods for deploying Windows 10 in
your environment?
Lab: Determining operating system deployment strategies

Scenario
To choose the most effective deployment strategy for different scenarios, you must analyze each scenario,
answer the related questions, and then select the most appropriate deployment strategy. After working on
each scenario, you will install Windows ADK to prepare for a deployment.
Objectives
 Identify the best deployment strategy for each scenario.
 Install Windows ADK.
Lab Setup
Virtual machines: 20695C-LON-DC1, 20695C-LON-CL1

Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 20695C-LON-CL1.

Exercise 1: Identifying operating system deployment strategies for a small

network
Scenario
You must plan an operating system deployment strategy, and selecting suitable deployment tools to use.
A. Datum Operating Client Deployment Strategy Document
Document Reference Number: BS00942/1
Document Author Brad Sutton

Date 5th July
Requirements Overview:
To select the appropriate operating system deployment strategy and tools based on:
 Familiarity of the IT staff with operating system image management.
 Number of desktops that must be deployed.
 Variation in desktop configurations.
 Use of retail or volume license media.
 Network configuration, in terms of the distribution of servers to be deployed and the services currently
installed that will support the deployment process.
The IT staff is planning to deploy Windows 10 to a remote office in Miami, Florida, that is used by
researchers. The remote office has 12 desktop computers that are running Windows 7, and does not have
any dedicated IT staff. They run independently, and although they have Internet connectivity for work
purposes, they are not connected to the corporate office. All users save their data to their local
computers, and there are no servers in the office. Each user has their own different set of applications,
and they prefer not to have to reinstall them.
Proposals
1. Would High Touch with Retail Media, High Touch with a Standard Image, lite touch, or zero touch
deployment be applicable for this scenario?
2. Which deployment technologies would you consider to implement the server upgrade plan?
3. What are the requirements for implementing this deployment technology?
1. Read the Exercise Scenario.
2. Answer deployment questions.
 Task 1: Read the Exercise Scenario

 Read the documentation in the lab exercise scenario.
 Task 2: Answer deployment questions

 Answer the questions in the proposals section of the A. Datum Automated Client Installation and
Deployment Strategy document.
Results: After completing this exercise, you should have planned an operating system deployment strategy
for the Miami remote office.
Exercise 2: Identifying operating system deployment strategies for a

medium-sized network
Scenario
You must plan an operating system deployment strategy, and selecting suitable deployment tools.
A. Datum Operating System Deployment Strategy Document

Date 5th July
installed that support the deployment process.
The IT staff is planning to deploy Windows 10 to the regional office in Montreal, Quebec, Canada.
Montreal has their own IT staff composed of five IT professionals who have limited experience in
operating system deployment. They manage their own AD DS subdomain, and have two file servers with
ample storage space. Although Configuration Manager is installed in the main office and the regional
U.S. office, the Montreal office is not part of the Configuration Manager infrastructure. They want to
install Windows 8.1 on all existing user devices and future devices. They currently have 300 devices, and
users have a different set of apps they need based on the department in which they work.
Proposals
1. Read the supporting documentation.

 Task 1: Read the supporting documentation


for the Montreal regional office.
Exercise 3: Identifying operating system Deployment Strategies for an

Enterprise Network
Scenario
You must plan an operating system deployment strategy, and selecting suitable deployment tools.
A. Datum Operating System Deployment Strategy Document

Date 5th July
installed to support the deployment process.
The IT staff is planning to deploy Windows 10 to the U.S. region, which is composed of a main office and
32 regional offices. Each office has between 300 to 500 users, 10 to 20 servers, and their own Active
Directory Certificate Services (AD CS) site under the adatum.com domain. All System Center 2012 R2
products are in use at the U.S. region, and the IT staff is proficient with all System Center products.
Proposals


for the U.S. offices.
Exercise 4: Installing the Windows ADK

Scenario
The first step in creating your image management workstation is to install Windows ADK. You will install the
Windows ADK, and then verify the tools that it provides.
1. Install Windows ADK.
2. Verify the results of the installation, and identify the tools that have been installed.
 Task 1: Install Windows ADK

1. On LON-CL1, on the taskbar, click File Explorer.
2. Execute the \\LON-DC1\E$\Labfiles\WADK\adksetup.exe file.

3. Complete the setup wizard with all of its default options, until you get to the Select the features you
want to install page.
4. On the Select the features you want to install page, make sure only the following features are
selected, and then click Install:
o Deployment Tools
o Windows Preinstallation Environment (Windows PE)

o Imaging and Configuration Designer (ICD)
o User State Migration Tool (USMT)
5. On the Welcome to the Windows Assessment and Deployment Kit - Windows 10! page, click
Close.
6. Do not restart the computer at this time.
 Task 2: Verify the results of the installation, and identify the tools that have been
installed
1. Open File Explorer.
2. Navigate to C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\.
3. Take note of the various features that have been installed, including:
o Deployment Tools
o Windows Preinstallation Environment
o Imaging and Configuration Designer
o User State Migration Tool
Results: After completing this exercise, you should have installed the Windows ADK on LON-CL1.

When you finish the lab, revert all virtual machines to their initial state by performing the following steps:
Question: What type of deployment would you use for an organization that has 200 user
devices in a single location, with five Windows Server 2012 R2 servers that are running Internet
Information Services (IIS), SQL Server, and file services only, without having to purchase new
software?
Question: What type of deployment would you suggest for the same company if it had
deployed Configuration Manager?

Some organizations might have a lot of time, money, and effort invested into sector-based imaging
products, and might be reluctant to move to image-based deployments. There is an initial investment into
training and planning for new ways of deployment, but the return on investment will occur over time.
Microsoft provides most of the image-based deployment tools free of charge, and these tools typically
require less time and effort with respect to image creation and maintenance.
Tools
The following table includes the tools that are needed for this module.
Tool Used to Where to find it
Windows ADK Assess your environment, and To download the Windows

deploy Windows operating Assessment and Deployment Kit
systems. (Windows ADK) for Windows 10,
refer to http://aka.ms/C7o0nj.
MDT 2013 Update 1 Deploy Windows by using the To download the Microsoft
lite touch and zero touch Deployment Toolkit (MDT) 2013
strategies. Update 1, refer to
http://aka.ms/Kplg7k.
Best Practices
 Create your reference machine as a VM, so that you can take snapshots of the reference system at
various stages of development. This is useful if you need to recover your reference system quickly. You
can use MDT and Configuration Manager to maintain and service the reference image.
 If you are using Configuration Manager to deploy your images, consider using thin images and adding
applications through application deployment in Configuration Manager.
 Avoid using high touch strategies as much as possible. They leave a lot of room for human error and
are harder to maintain in larger environments.
Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip
Sysprep fails when trying to capture the

reference image.
The Pre-Boot EXecution Environment (PXE)

start is terminated.
3-1
Module 3
Assessing application compatibility
Contents:
Module Overview 3-1
Lesson 1: Diagnosing application compatibility issues 3-2
Lesson 2: Mitigating application compatibility issues 3-11
Lesson 3: Using ACT to address application compatibility issues 3-18
Lab: Assessing application compatibility 3-26
Module Overview
Application compatibility can affect an organization’s productivity significantly, and it can determine the
success of an application environment’s implementation for a new operating system. Application
compatibility is an application’s ability to run as expected without data loss from the user’s perspective.
Whether you deploy new apps with a new operating system or use existing apps, one of your critical goals
should be to ensure that your users can sign in after a new Windows deployment and continue with their
work as usual.
This module describes the process for addressing common application compatibility issues that you might
experience during a new operating system deployment. The module also explains how to use Microsoft
Application Compatibility Toolkit (ACT) to help inventory, analyze, and mitigate application compatibility
issues.
Objectives
 Describe how to diagnose application compatibility issues.
 Explain the solutions available for mitigating application compatibility issues.
 Resolve application compatibility issues with ACT.

3-2 Assessing application compatibility
Lesson 1
Diagnosing application compatibility issues
Migrating to a new operating system, or testing a new operating system prior to installing it in your
environment, can expose potential compatibility issues for apps in your environment. It is crucial that you
identify and mitigate these issues as a part of the testing and preparation phase before you install apps,
both before and after the new operating system is running in your environment.
This lesson provides you with information to help you understand application compatibility in Windows 10
and the issues that can arise from installing an incompatible app.
Lesson Objectives
 Explain application compatibility.
 Describe common application compatibility issues found in Windows 10 apps.

 Describe the tools that you can use to diagnose application compatibility issues.
Determining application compatibility

In Windows 10 and previous Windows versions,
apps depend on the underlying operating system
to provide access to a variety of resources, such as
system hardware, file and folder permissions, and
configuration information. When an app cannot
access one of these resources, or when the
resource returns information that the app does not
expect, the app might respond to the user in an
unexpected way. Again, an application’s ability to
run as expected without data loss from the user’s
perspective is application compatibility.
When you deploy a new operating system to

clients that are using an app that is incompatible with the new operating system, application compatibility
issues can cause serious problems. Application compatibility problems can manifest themselves in a
number of ways, including apps that do not run, error messages that appear, missing or nonfunctioning
features, or subtler, potentially harmful symptoms like data corruption or loss.
It is critical that you assess application compatibility correctly to identify potential application compatibility
issues. You must implement application compatibility as an environment-wide approach, rather than an
unplanned activity. However, you can assess application compatibility with a measured and manageable
process by following these steps:
1. Discover the apps that you want to continue to use in the Windows 10 environment.
2. Rationalize the apps to ensure that all discovered apps still fit into the organization’s app portfolio. If an
app no longer has a practical use, you can remove it from the compatibility-assessment process.
3. Prioritize apps. Organizations might have hundreds, or even thousands, of apps. It is financially and
operationally impossible to test such a multitude of apps. Therefore, you must prioritize your apps and
decide which ones to test.
4. Test apps to ensure that the functionality that you require is available when the app runs in
Windows 10.
5. Mitigate any issues that you discover, which might include using built-in operating system
compatibility functionality, upgrading an app, or replacing the app with one that functions properly in
Windows 10. You can consider removing the app completely, but doing so typically leaves a gap in
business functionality. This is not a desirable outcome.
Windows as a service
The Windows operating system is evolving into a cloud-enabled delivery model starting with Windows 10.
Instead of creating and then deploying an entirely new operating system every few years, Microsoft will
update Windows 10 continuously with an update process called Windows as a service. Microsoft will
perform the Windows 10 servicing options by using configuration branching. In this method, you can
configure a single operating system in a number of different ways. Microsoft will have the following three
main branch deployments available in certain OS editions:
 Current Branch, which is immediately available after first publishing.

 Current Branch for Business, which is available approximately four months after publishing.
 Long Term Servicing Branch (LTSB), which enables long-term deployment of Windows 10 releases in
low-change configurations. These Windows 10 releases will not contain many features that are likely to
change, so there is no need to plan and test these changes.
Testing application compatibility must become an ongoing process as Microsoft introduces new
components, features, and interfaces as part of the Windows as a service model. For organizations,
potentially sweeping changes to an interface or feature can radically effect how an application performs. A
strong change management process should be in place to ensure such changes do not stop applications
from working.
Common application compatibility issues

Some Windows operating system components
vary in composition between versions. When an
app attempts to use a resource or operating
system component that does not behave as the
app expects, compatibility issues occur. Even when
developers follow standard best practices to avoid
many Windows compatibility issues, some apps
might be incompatible with Windows 10. This is
because exposed portions of the operating system
change from version to version to fix security-
related issues, to improve performance, or simply
because the exposed portion no longer applies to
the way the new version operates.
As you prepare to migrate your computers from a previous Windows version to Windows 10, it is important
that you understand the following common areas of incompatibility so that you can design an appropriate
compatibility fix for the app.
Migrating from Windows 8.1, Windows 8, Windows 7, or Windows Vista

Most apps designed for Windows 8.1, Windows 8, Windows 7, or Windows Vista also run on Windows 10.
The few Windows apps that do not run in Windows 10 are primarily security-class apps and apps that
perform low-level kernel calls.
Note: When an app makes a low-level kernel call, it bypasses the standard Windows
application-programming interface (API) and communicates with system hardware. App errors
and failures at this level typically result in the app failing and general operating system failure.
Setup and installation

During setup and installation, two common issues can occur:
 An app tries to copy files and shortcuts to folders that existed in a previous Windows operating system,
but which no longer exist in the new operating system.
 An app setup process checks for a specific operating system version. This can prevent application
installers from installing the app or prevent apps from starting.
User Account Control

Windows 10 runs every app in the context of standard user permissions, even if the user has administrative
permissions. Conversely, when users attempt to launch an app that is marked as requiring administrator
permissions, the operating system explicitly asks them to confirm their intention with a prompt for
credentials or elevated permissions. User Account Control (UAC) can result in the following compatibility
issues:
 The operating system might not detect custom installers, uninstallers, and updaters. When this occurs,
the apps’ permissions are not elevated to run as an Administrator, and do not respond.
 Standard user apps that require administrative privileges to perform their tasks can stop responding, or
tasks within the apps that require administrative privileges will not be available to standard users.
 Control Panel applets that perform administrative tasks and make global changes do not function
properly and stop responding.
When you need to run apps by using administrative-level credentials, you can quickly mitigate the
application compatibility issues that pertain to running as a standard user by applying the RunAsAdmin
flag in a custom shim database. However, we recommend that you use more advanced techniques to
troubleshoot and remediate administrator dependency. Avoid granting users administrator rights to
reduce the percentage of local Administrator accounts that the organization requires. Some apps might
require the user to have administrative rights to write to the file system and the registry, but UAC includes
file and registry virtualization technology that allows the app to run even if the user does not have
administrative rights.
Kernel-mode drivers
Kernel-mode drivers must support the Windows 10 operating system. By default, vendors must sign all
drivers digitally for Windows 10 64-bit versions to be installed.
Note: Microsoft has removed kernel-mode printer driver support from Windows 10,
Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2012 R2, Windows Server
2012, Windows Server 2008 R2, and Windows Server 2008.
Microsoft Edge
Microsoft Edge is the default browser for Windows 10. Microsoft Edge implements a new web-based
extension model that does not use third-party add-ins or other programmatic features. For example,
Microsoft Edge does not support ActiveX controls, browser helper objects, or VBScript. However, many
enterprise organizations have line-of-business (LOB) services and web apps that depend on Internet
Explorer and various third-party add-ins and programmatic features. To help support these organizations,
Windows 10 includes Internet Explorer 11 with Enterprise Mode, which is the same version that Windows 8.1
and 7 support. This means you can use Enterprise Mode with Microsoft Edge to open Internet Explorer 11
for your business’s sites that require Internet Explorer. You can extend Enterprise Mode support to
Microsoft Edge by having Microsoft Edge open Internet Explorer 11 in any site specified on the Enterprise
Mode site list. Administrators can use existing Internet Explorer 11 Enterprise Mode site lists or they can
create new lists specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in
Windows 10 and only opening legacy LOB sites in Internet Explorer, you can help keep newer development
projects on target by using the latest Microsoft Edge standards. For organizations that have significant
legacy content, you can also configure any intranet site to open in Internet Explorer when a user navigates
to it by using Microsoft Edge. This functionality is available as part of Windows 10 and has no additional
installation requirements.
You can use the Enterprise Mode Site List Manager for Windows 10 tool to create and update the Enterprise
Mode Site List in the version 2.0 XML schema. This tool is available as a free download from the Microsoft
Download Center. If you already have an existing site list, you can import it into the tool.
Additional Reading: For more information about importing the site list, refer to Import your
Enterprise Mode site list to the Enterprise Mode Site List Manager: http://aka.ms/O5qdm2.
Before you can use the Enterprise Mode site list, you must turn on the Group Policy setting that points to
the XML file. To do so, in the Local Group Policy Editor, or a domain-level Group Policy Object (GPO),
navigate to Computer Configuration\Administrative Templates\Windows Components
\Microsoft Edge, and enable the Configure the Enterprise Mode Site List policy setting.
Internet Explorer Protected Mode

By default, when you install Windows 10, Internet Explorer runs in Protected Mode for the Internet and
Restricted Sites zones. Running the Internet Explorer process with greatly restricted privileges helps protect
users from attack, because Protected Mode significantly reduces the ability of malicious code in an app to
write, alter, or destroy data on the user’s computer. For example, Protected Mode can help protect a user’s
computer from code that self-installs without authorization.
Application compatibility issues in the Internet Explorer Protected Mode relate to the following:
 Apps that use Internet Explorer cannot write directly to disk while the computer is connected to the
Internet. Protected Mode builds on integrity mechanisms in Windows to restrict write access to
securable objects with higher integrity levels, such as processes, files, and registry keys. When you run
Internet Explorer in Protected Mode, it is a low-integrity process. It cannot gain write access to files and
registry keys in a user’s profile or system locations.
 Low-integrity processes can write only to folders, files, and registry keys to which you assign a low-
integrity mandatory label. As a result, Internet Explorer and its extensions run in Protected Mode, which
can write only to low-integrity locations, such as the Temporary Internet Files folder, the History folder,
the Cookies folder, the Favorites folder, and the Windows Temporary Files folders.
 Locally installed apps do not respond to messages sent from the web application. The Protected Mode
process runs with a low-integrity level, which prevents it from sending most window messages to
higher-integrity processes.
Operating system version changes

The operating system version number changes with each Windows operating system release. For apps
that use the GetVersion function, GetVersion runs and returns the current Windows version number to
the app. This might affect apps or application installers that query against the operating system version
number to determine whether to install the software or run the app. If the app specifically limits operating
system versions to known version numbers, and the known version numbers do not include Windows 10,
the app will return an error message even though the app might be able to install and run, with issues, in
Windows 10.
Note: Because many apps verify the operating system version during install, the various
operating systems report their version number in the following manner:
Windows XP as 5.1, Windows Vista as 6.0, Windows 7 as 6.1, Windows 8 as 6.2, Windows 8.1 as 6.3,
and Windows 10 as 10.0. You can use an operating system version to specify a shim that the app
may require.
64-bit architecture
Windows 10 fully supports 64-bit architecture. The Windows 10 64-bit version can run 32-bit apps with the
help of the Windows-32-bit-on-Windows-64-bit (WoW64) emulator. Issues for applications running on for
the Windows 10 64-bit version include the following:
 Apps or components that use 16-bit executables, 16-bit installers, or 32-bit kernel drivers do not start or
function properly on a computer that is running a Windows 10 64-bit edition.
 32-bit kernel driver installations stop responding on a 64-bit system. If an installer adds a driver by
editing the registry, the system does not load this driver. This can cause the system to stop responding.
 64-bit unsigned driver installations stop responding on a 64-bit system. If an installer adds a driver by
editing the registry, the system does not load the driver during load time when the driver is not signed.
 The WOW64 emulator redirects 32-bit apps that require registry and file system access to the
appropriate folder and registry locations.
Windows Filtering Platform API

Developers use the Windows Filtering Platform API to create code that interacts with the filtering that takes
place at several layers in the networking stack and throughout the operating system. You typically use the
Windows Filtering Platform API to build apps like firewalls that filter network traffic. Windows 8 and
Windows 10 incorporate new publicly supported Windows Filtering Platform APIs. However, these new APIs
cause some earlier network scanning antivirus and firewall apps to stop responding. If this occurs, users
must update to apps that use the new Windows Filtering Platform APIs.
Deprecated components
Some components available in previous Windows versions are deprecated or removed from Windows 10. If
an application attempts to use a deprecated component, it might lose functionality or stop responding. For
example, the Windows Media Center has been removed in Windows 10.
Graphical Identification and Authentication DLL

Prior to the release of Windows Vista, independent software vendors (ISVs) were able to modify
authentication by installing a Graphical Identification and Authentication dynamic-link library (DLL). The
Graphical Identification and Authentication DLL performed the user identification and authentication.
The current authentication model does not require the Graphical Identification and Authentication DLL,
and it ignores all previous Graphical Identification and Authentication DLLs. This change affects any app or
hardware component that attempts to sign in by using customized sign-in apps, including biometric
devices, customized user interfaces, and virtual private network (VPN) solutions for remote users with
customized user interfaces.
Tools for diagnosing application compatibility issues

The considerable list of potential application
compatibility issues in the Windows operating
system challenge anyone who needs to
troubleshoot application compatibility issues.
However, a number of tools and techniques are
available that can aid your diagnosis and assist you
in developing a solution that suits your
environment.
Diagnosing application compatibility

issues in Windows 10
You can use several methods to diagnose
application compatibility in Windows 10. Often,
you can use these methods to identify a component of the operating system that is causing the
incompatibility, and work to rectify the situation. You can use:
 Error messages. Although error messages can be frustrating and cryptic at times, they also are the first
indication that an application compatibility problem exists. For example, an error message referencing
permissions often leads to a UAC issue. Conversely, an error message about the wrong Windows
version points to an app that is querying with GetVersion for the operating system version number.
 Event Viewer. Event Viewer can contain events that indicate application compatibility. The greatest
benefit of using Event Viewer is that it records and stores events in the event log. These events are
available to reference long after end users clear error messages and notifications.
 Task Manager and performance-monitoring tools. Simple tasks like observing unresponsive processes
and unexpected usage of system resources can help you diagnose subtler incompatibility issues, like
invalid hardware requests or inefficient use of memory or processor cores.
 User acceptance. Ultimately, users consume apps. If the users are able to use the app as they expect,
without data loss, then the app is ready for install and does not require any changes.
Using the Microsoft Assessment and Planning Toolkit

Although the Microsoft Assessment and Planning Toolkit (MAP) 9.3 is not specifically designed to assess
application compatibility, it does provide application compatibility assessment reports for Microsoft Office,
Office 365, and other Microsoft products. Additionally, you can use it to obtain general information about
your apps and environment. You can use MAP 9.3 to prepare for migration to Windows 10 by generating
detailed readiness assessment reports and proposals based on an agentless, network-wide inventory of
computers that are running Windows.
MAP 9.3 takes advantage of preexisting technology in the information technology (IT) environment to
enable agentless discovery of IT resources. These technologies include Windows Management
Instrumentation (WMI), Remote Registry Service, Active Directory Domain Services (AD DS), secure shell,
and the Computer Browser service.
MAP 9.0 provides three key functions that aid in app and operating system migration and planning,
including:
 Discovery and inventory of computers and apps.
 Hardware and software migration-readiness assessments.
 Software-usage tracking.
Discovery and inventory of computers and apps

You can use MAP 9.3 to inventory a wide variety of platforms and technologies to prepare for application
assessment and deployment. These platforms include Windows 10, Windows 8.1, Windows 7, Windows
Vista, Windows XP, Windows Server 2012, Windows Server 2008, Windows Server 2003, and Windows 2000
Server. MAP 9.0 also can inventory many Microsoft server products, including Microsoft SQL Server,
Microsoft Lync Server, Microsoft Hyper-V Server 2012, and Microsoft System Center 2012 R2 Configuration
Manager.
Hardware and software migration readiness assessments

MAP can perform a detailed analysis of computer hardware and installed applications in preparation for
migration to Windows 10. You can use MAP to create reports that provide the following information:
 Evaluations of existing hardware against the recommended system requirements for Windows 10. MAP
provides recommendations that detail which machines meet the requirements and which machines
might require hardware upgrades.
 Assessments regarding the readiness of your IT infrastructure for a Windows Server 2012 R2
deployment. MAP includes a comprehensive inventory of servers, operating systems, workloads,
devices, and server roles to help in planning efforts.
 Performance data for Linux-based physical and virtual machines, which you can use to perform
virtualization and private cloud planning and analysis for Windows-based and Linux-based machines in
the Hyper-V and Microsoft Private Cloud Fast Track scenarios.
 Currently installed Windows client operating systems, including these systems’ hardware and
recommendations for migration to Windows 10.
 An inventory and reporting of deployed web browsers, Microsoft ActiveX controls, and add-ons for
migration to Internet Explorer versions that are compatible with Windows 10.
 Currently installed Office software, in addition to recommendations regarding migrations to Office

2013, Office 2016, and Office 365.
 Currently installed Windows Server operating systems, and their underlying hardware and devices, in
addition to recommendations for migration to Windows Server 2012 R2.
 Currently installed Linux operating systems, and their underlying hardware and suitability for
virtualization within Hyper-V or for management by Microsoft System Center 2012 R2 Operations
Manager.
 Virtual machines that are running on both Hyper-V and VMware, their hosts, and details about hosts
and guests.
 Analysis of web apps, Microsoft Internet Information Services (IIS) servers, and SQL Server databases for
migration to the Microsoft Azure platform.
 Detailed assessment of server utilization, and recommendations for server consolidation and virtual
machine placement by using Hyper-V.
 Discovery of SQL Server 2012 databases, instances, and selected characteristics.

 Heterogeneous database discovery of MySQL, Oracle, and Sybase instances.
 SQL Server host machines and SQL Server components.
Software usage tracking

MAP 9.3 provides enhanced software usage tracking that reports on software usage in your environment. It
can also provide licensing information regarding server and client usage for Microsoft products based on
the core client access license (CAL), including:
 Windows Server
 Microsoft SharePoint Server
 Microsoft Exchange Server
 SQL Server
 System Center 2012 R2 Configuration Manager

 Microsoft Forefront Endpoint Protection 2010
 Lync Server
You also can use the Active Users and Devices report to inventory active users and active Windows-based
devices in your environment to assess adherence to enterprise licensing agreements and Active Directory
information for your environment.
Note: To download MAP, refer to the Microsoft website at http://aka.ms/h3dgop.
You also can use the Windows Sysinternals tool process monitor and other process monitoring tools to
verify the reason why an app is failing. These tools show you the list of files and registry settings that an app
is trying to access. Therefore, if the app is trying unsuccessfully to access a resource to which the user does
not have access, you will be able to determine to what resources the app was denied access.
Additional Reading:
The Windows Sysinternals Suite includes the process monitor tool along with many other tools and
is available as a free download. To download the Windows Sysinternals Suite, go to
http://aka.ms/P1dc88.
Using the Application Compatibility Toolkit

The ACT is a set of tools used during the inventory, analyze, and mitigate phases of the application
compatibility testing process. Prior to deployment, software developers and IT professionals who work in a
corporate environment use ACT to determine whether the organization’s apps will be compatible with a
new version of the Windows operating system. These individuals also can use ACT to determine how an
update to the new version affects their apps.
Use ACT to do the following:
 Identify and manage your overall application portfolio within your organization.
 Verify application, device, and computer compatibility with a new version of the Windows operating
system, including determining your risk assessment.
 Help evaluate the impact of Windows updates.
 Reduce the cost and time involved in resolving application compatibility issues.
 Create application mitigation packages to deploy to client computers.

ACT is available as part of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10.
Additional Reading: To download Windows ADK for Windows 10, which includes ACT, refer
to the Microsoft website at http://aka.ms/Miad4n.

Question
What is the biggest concern that the Microsoft Edge browser brings to application compatibility?
People are not used to Microsoft Edge and do not know how it works.
It does not use third-party add-ins or other programmatic features, such as ActiveX controls,
browser helper objects, or VBScript.
It only works with 64-bit versions of Windows 10.
The Internet Explorer browser has been removed from Windows 10.
There are no options available to configure the use of Microsoft Edge.

Lesson 2
Mitigating application compatibility issues
Mitigating application compatibility issues in Windows 10 is not limited to local computers. You have
options for mitigating incompatibility locally by using tools such as ACT and Client Hyper-V. Other options
leverage the Windows Server 2012 R2 infrastructure to provide more robust and highly available solutions
to application compatibility problems within Windows 10. These options include Remote Desktop Services
(RDS) and Virtual Desktop Infrastructure (VDI). This lesson introduces these local and server-based
remediation methods.
This lesson covers how each of these technologies functions and each method’s use in various compatibility
scenarios.
Lesson Objectives
 Identify available application compatibility solutions.
 Describe how you can resolve application compatibility issues by using Client Hyper-V.
 Describe how you can resolve application compatibility issues by using RDS and VDI.
 Discuss the process of determining an appropriate application compatibility remediation strategy for a
given scenario.
Overview of application compatibility solutions

You can use several different approaches when
attempting to solve application compatibility
problems in your environment. The local operating
system might provide some solutions, whereas
other solutions might use a different server
infrastructure to provide a compatible
environment in which to run the app.
ACT
ACT can diagnose application compatibility issues
in Windows. Depending on the type of
incompatibility issues you encounter, it can also
solve application compatibility problems.
One of the greatest benefits of ACT is that it can provide a solution that requires no significant change to
the users’ operating environment. ACT mitigates compatibility issues by attaching shims to apps. Shims
redirect calls from apps to the appropriate location in Windows 10, or simulate the operating system
components that the app is attempting to access.
Client Hyper-V
Introduced in Windows 8, Client Hyper-V enables you to provide a local, virtualized environment in which
previous versions of Windows can run in virtual machines. This environment enables you to run
incompatible apps on supported versions of Windows while maintaining Windows 8 or Windows 10 as the
main operating system, and while using only local resources. If you are providing a virtual environment for
Windows XP, you must consider that Microsoft discontinued support for Windows XP in April 2014. You
should investigate a long-term solution that does not involve Windows XP.
Note: You must have a computer with a 64-bit processor capable of Second-level Address
Translation (SLAT) to run Client Hyper-V in Windows 10.
RDS
RDS allows you to connect to a remote computer so that you can use resources and applications on that
computer. You can set up an RDS Server Host that is running a version of the operating system that is
compatible with specific applications, and you can allow users to connect remotely to the computer to use
specific applications. You also can use Windows Server 2008 RemoteApp to provide the same functionality,
except that RemoteApp runs the application inside its own window within the user’s desktop.
VDI
VDI combines RDS and Hyper-V virtualization technology to provide a more personalized and
compartmentalized user experience. You can use the new features in Windows Server 2012 or Windows
Server 2012 R2 to more easily implement and manage virtual machines that you use to support VDI.
You can create desktop collections, which are pooled collections that users share or dedicated personal
virtual machines that you can maintain and manage in a similar fashion to physical machines.
You can consider other methods, such as finding apps and software that better fit the Windows 10
environment. While you can consider Application Virtualization (App-V) as an option, you can use App-V
only when you have a license agreement that allows you to use the Microsoft Desktop Optimization Pack.
While App-V is not useful for app compatibility issues, a later module covers the use of App-V.
Resolving compatibility issues by using Client Hyper-V

Windows 8 introduced the Client Hyper-V feature.
It is still available in Windows 10. Client Hyper-V
uses Hyper-V virtualization technology to provide
a local virtual-machine hosting environment that is
both robust and compatible with the server-based
versions of the Hyper-V technology. Although
Client Hyper-V does not provide the scalability and
manageability of other solutions that this module
discusses, it is relatively straightforward to use. You
can install it on a single computer, so that it is self-
contained. This is valuable when a client computer
is disconnected from the network or when network
limitations prevent the use of a technology like RDS. You can use Client Hyper-V to provide a virtual
environment for an app that is incompatible with Windows 10 by running a previous version of Windows in
a Hyper-V virtual machine environment.
Running Windows in a Hyper-V virtual machine

A Windows 10 Hyper-V virtual machine can contain any supported guest operating systems, which is one of
the most effective methods for running an app that does not support Windows 10. When you run an app
and alternate operating system in a virtual machine, the app has access to a supported version of Windows,
and it is separate from the rest of the Windows 10 operating system on the host computer.
In this case, you would install a separate copy of Windows on the virtual machine. You can then join the
virtual machine to the domain, install apps, and test, just as you would with a physical computer in the
environment.
By using this method, you can mitigate application compatibility issues while isolating the app from the rest
of the host operating system. This isolation is beneficial because it can prevent a potentially incompatible
app from negatively affecting other services and apps on the Windows 10 computer.
The Hyper-V environment also is useful for testing application compatibility in different Windows versions
or for multiple configurations of an app. You can use virtual machine snapshots to capture operating
system or app configuration as it exists at a specific time. If irreparable installation or configuration errors
occur during testing, you can revert to the snapshot and then attempt various mitigation methods until one
is successful.
You can use Client Hyper-V in Windows 10 to:
 Isolate an app from the host operating system. If an app is causing other apps or operating system
components to stop responding, you can run the app within a virtual machine to prevent this issue.
 Run apps in other versions of Windows. Virtual machines in Hyper-V can run different versions of
Windows without affecting the state of the host operating system.
 Control system resources available to an app within a virtual machine. You can limit the processor,
memory, and hard-disk usage of an app by running it within a virtual machine that has been allocated
a specific amount of system resources. This could be useful in a situation where an app consumes all of
the system memory because of a memory leak. If this situation occurs within the virtual machine, the
app will consume only the memory assigned to the virtual machine and not all of the physical memory
available to the host computer.
 Test an app within a virtual machine before deploying the virtual machine to your production Hyper-V
environment. The virtualization environments in Windows 10 and Windows Server 2012 R2 are
compatible, so you can create, configure, and test virtual machines in Windows 10. After the virtual
machine is ready for the production environment, you can export the virtual machine, and then import
it directly into Windows Server 2012 R2.
Planning beyond Windows XP

Although you can use virtualization technology in Windows 10 to access previous Windows versions easily,
you must consider the support cycle for earlier operating systems. You must update and maintain
operating systems in virtual machines as you would their physical counterparts. Keep in mind that after the
support lifecycle ends for an operating system, Microsoft no longer provides updates and fixes. For
example, Windows XP reached the end of its support lifecycle in April 2014. Since then, Microsoft no longer
develops updates except where Microsoft has specifically negotiated with an organization to provide direct
support. This course does not cover Windows XP support in this particular arrangement.
Resolving compatibility issues by using RDS and VDI

RDS provides centralized, server-based apps to
desktop users in a manner that closely or
identically resembles the apps, so it appears to the
user that the apps are running on the local client
computer. In most cases, the client still initiates the
app or connection, but the server handles the
storage and execution of the app. Client
computers that are running the Windows
operating system can run Remote Desktop
Connection or any other Remote Desktop Protocol
(RDP)–compliant app.
Application compatibility scenarios for RDS

You might deploy RDS in your organization to satisfy a number of application compatibility scenarios,
including:
 You are planning to centralize your application environments. RDS enables you to centralize
application environments in a server-based solution, which you can manage in a central datacenter or
in regional datacenters.
 You are combining your computing resources and users after a company merger or acquisition. You
can deliver an alternate client desktop or app alongside an organization’s existing desktops, so that
users have access to desktops and apps from both parts of the merged enterprise. This method can
accelerate the integration of the acquired company’s systems significantly.
 You are delivering full desktop environments. Organizations might use RDS to deliver a new desktop
environment to computers when they do not want to or cannot upgrade the computers with a new
operating system.
 You are deploying new apps rapidly across an enterprise. This method enables users to be up and
running very quickly without needing to wait for new apps to install on their desktops.
 You are provisioning individual apps and desktops through a web browser to external vendors,
suppliers, or other third parties.
 You want to ensure business continuity if a disaster occurs. You can use RDS to provision a full working
desktop rapidly to a newly acquired or rented population of user workstations in a new location.
 You are provisioning apps that are difficult to maintain or used infrequently. The management
overhead of running such apps on end-user workstations can be significant. It can make business sense
to run them centrally, and then deliver the apps through RDS.
 You are delivering data-intensive client workloads over low-bandwidth links. You can use RDS to
deliver apps over bandwidth-constrained links. This is very effective for remotely accessing and
manipulating large volumes of data, because only a screen view of the data, rather than the actual
data, is transmitted over the network to the client.
Note: Keep in mind that apps that are running on an RDS server are installed on a server
operating system, such as Windows Server 2012 R2, Windows Server 2012, Windows Server 2008
R2, or Windows Server 2008. Therefore, you need to test the app to ensure that it works properly
on the operating system, and you should ensure that other application compatibility issues do not
arise due to the server operating system.
RDS and VDI

VDI is a centralized desktop delivery architecture that you can use to centralize the storage, execution, and
management of Windows desktops in a datacenter. You can use VDI to run and manage Windows 10
desktop environments in virtual machines on a centralized server, including previous Windows versions. A
user can connect to a virtual desktop with Remote Desktop Connection (RDC) or by using web access.
Deployment scenarios
The two key deployment scenarios that VDI supports are personal virtual machines and pooled virtual
machines:
 Personal virtual machines. When you use personal virtual machines, there is a one-to-one linking of
virtual machines to users. Each user is assigned a dedicated virtual machine, which the user can
personalize and customize. The one-to-one linking preserves any changes that the user makes.
Therefore, by deploying personal virtual desktops, you are providing great flexibility to end users.
 Pooled virtual machines. In a pooled virtual machine, VDI replicates a single image. You can store the
user state by using profiles, folder redirection, and personal disks on Windows Server 2012 and newer
versions. However, the user state does not persist on the virtual machine after the user signs out, which
frees some system resources.
Note: VDI stores personal disks as a separate virtual hard disk, which means they are
persisted for reuse.
In both cases, the Windows Server 2012 R2 solution supports image storage on the Hyper-V host, and
clients connect to the virtual machine by using RDP.
Resolving compatibility issues by using ACT

ACT is a set of tools that you can use during the
inventory, analyze, and mitigate phases of the
application compatibility testing process. IT
professionals use ACT in corporate environments
to determine whether apps are compatible with a
new version of the Windows operating system
before deploying the apps. They also use ACT to
determine how an update to the new version
might affect their apps.
You can use ACT to:
 Identify and manage your overall application

portfolio within your organization.
 Verify app, device, and computer compatibility with a new version of the Windows operating system.
 Reduce the cost and time involved in resolving application compatibility issues.
 Create application mitigation packages that you can deploy to client computers.
ACT is available as part of the Windows ADK for Windows 10 Update, which contains a collection of tools
that you will use for Windows deployment.
Benefits of using ACT

You can use the features of ACT to help you with application inventory and analysis tasks, such as:
 Inventorying your portfolio of apps, ActiveX controls, and computers. You can conduct inventory by
using an inventory agent that runs on client computers.
 Supporting pilot deployments of Windows 8 by gathering compatibility data. A runtime analysis

package uses this data for analysis and diagnosis of unresponsive apps.
 Prioritizing and categorizing app and computer inventory. Prioritizing and categorizing your app and
computer inventory provides detailed views of inventory that you can use to analyze the stored data
fully.
 Synchronizing compatibility information from the ACT community and from the Windows
Compatibility Center. The ACT community is a web service that provides compatibility information
from ISVs, in addition to compatibility information shared by other members of the IT community.
New features in ACT

ACT is designed to work with Windows 10, Windows Server 2012 R2, and previous versions of the Windows
operating system. The current version of ACT that comes with the Windows ADK for Windows 10 is ACT 10,
but it does not differ from ACT 6. It now shows a version number of 10 just to keep it in the same version
family as the Windows ADK. ACT 10 introduces the following new features and differs from ACT 5.6 in the
following ways:
 Runtime analysis packages. The runtime analysis package gathers compatibility information. You install
it on computers so that you can test apps with the version of Windows that you want to deploy. The
data from the runtime analysis package replaces data from issue detectors that attempt to forecast
compatibility issues by running on a previous version of Windows.
 Streamlined inventory collection. Data collection overhead is reduced because the purpose of the
inventory-collector package now is limited to inventory collection. The redesigned inventory-collector
package does not cause app conflicts because it does not interact with apps. You no longer need to
schedule the inventory-collector package to avoid conflicts.
 Application grouping. The reports about apps in Application Compatibility Manager now show a single
parent entry for an app when multiple versions of the app are detected. All of these app versions are
grouped together under this entry.
 Restructured ACT documentation. ACT documentation is streamlined so that you can locate
information faster and more conveniently than in previous versions of ACT.
 Windows ADK integration. ACT is now part of the Windows ADK. You can install ACT by using ADK
Setup.
 Simplified emphasis on operating system deployment. Compatibility information now focuses on

operating system deployment. Update compatibility has been removed.
Categorize Activity
Categorize each item into the appropriate category. Indicate your answer by writing the category number
to the right of each item.
Items
1 Isolate an app from the host operating system.
2 Centralize application environments in a server-based solution.
3 Inventory your portfolio of apps, ActiveX controls, and computers.
4 Run apps in other versions of Windows.
5 Deliver full desktop environments.
6 Support pilot deployments of Windows 10 by gathering compatibility data.
7 Control system resources available to an app within a virtual machine.
8 Deploy new apps rapidly across an enterprise.
9 Gather compatibility information with runtime analysis packages.
10 Test an app within a virtual machine before deploying the virtual machine to your production
Hyper-V environment.
11 Provision apps that are difficult to maintain or used infrequently.
12 Prioritize and categorize app and computer inventory.
Client Hyper-V RDS ACT

Lesson 3
Using ACT to address application compatibility issues
You can use ACT to resolve many Windows application compatibility issues. You can use ACT to diagnose
and remediate compatibility problems, while maintaining your users’ operating system environment and
continuing to provide apps in their native, locally installed state.
This module explains how to use ACT to provide application compatibility solutions for your organization’s
computers that are running Windows 10.
Lesson Objectives
 Identify ACT components.
 Describe data collection packages (DCPs).
 Describe ACT compatibility ratings.

 Explain how to use ACT to diagnose application compatibility.
 Describe how to configure ACT.
 Explain how to diagnose compatibility issues with ACT.
 Use ACT to diagnose application compatibility issues.
Overview of the ACT architecture

The ACT architecture consists of several major
components, including the:
 Application Compatibility Manager. A tool you

use to configure, collect, and analyze data to
fix any issues before deploying a new
operating system or deploying a Windows
update in your organization.
 Inventory collector package. A DCP that you

can deploy to computers to gather inventory
data to upload to the ACT database. You
deploy these packages as Windows Installer
(.msi) files to client computers.
 Runtime analysis-package. A DCP that you can deploy to computers in a test environment. This allows
you to perform compatibility testing on a new operating system. You deploy these packages as .msi
files to client computers.
 ACT Log Processing Service. A service that you use to process the ACT log files uploaded from your
client computers. It automatically adds the information to your ACT database.
 ACT Log Processing Service share. A file share that the ACT Log Processing Service accesses. It stores
the log files that are processed and added to the ACT database.
 ACT database. A Microsoft SQL Server database that stores data regarding the collected apps,
computer, device, and compatibility. You can view the information stored in the ACT database as
reports from the Application Compatibility Manager.
 Microsoft Compatibility Exchange. A web service that propagates application compatibility issues from
the server to the client. It also enables client computers to connect to Microsoft through the Internet to
check for updated compatibility information.
How ACT components work together

ACT components interact in the following manner:
1. An IT administrator configures packages to computers by using the Application Compatibility

Manager, and then uses a deployment tool to deploy the packages.
2. The packages write log files to the ACT Log Processing shared folder.
3. The ACT Log Processing Service processes the logs, and then uploads the data to the ACT database.
4. The Application Compatibility Manager presents the collected data for analysis.
5. The Application Compatibility Manager retrieves the relevant assessments, issues, and solutions that
Microsoft, vendors, and the ACT community post.
What are DCPs?

DCPs are the primary method in ACT that you use
to collect app information from client computers
in your environment. You create DCPs in the
Application Compatibility Manager console by
using a wizard-based interface. The Application
Compatibility Manager creates these packages as
.msi installer files, and then deploys them to client
computers, where you install them. After
installation, the DCP communicates with the Log
Processing Service to store data collected from
client computers. You can deploy the .msi files
manually or by using deployment tools, such as
There are two DCP types in ACT–the inventory collection package and the runtime analysis package:
 Inventory collection package. You can install these packages on client computers to gather a list of
installed apps and devices. Inventory collection packages collect the following data from Windows:
o System inventory. Contains information about the client computer, including memory capacity,
processor speed, and processor architecture.
o Device inventory. Contains information about the devices that are installed on the client computer,
including a device’s model, manufacturer, and class.
o Software inventory. Contains an inventory of apps that are installed on the computer.
You should inventory all computers within the scope of your application assessment. However, the
more computers to which you deploy the inventory collection package, the larger your resultant data
set becomes. This data set could be overwhelming both in the information sent to the ACT Log
Processor and in the effort required to analyze the data.
 Runtime analysis package. You can use these packages to collect information about actively running
apps in the Windows environment. The runtime analysis package includes a tool called Compatibility
Monitor, which enables real-time analysis of app execution. You can also use the Compatibility Monitor
to provide feedback about apps that you run in your environment. This feedback uploads to the ACT
community database for other organizations to use in their application assessment tasks.
What are ACT compatibility ratings?

An application assessment, device assessment, or
website assessment provides guidance, based on
your environmental variables, about potential
compatibility issues. Assessments can originate
from authoritative sources, such as the app vendor;
from your organization; or from the ACT
community, if you are a member.
Compatibility ratings for apps are set and viewed

from within the Application Compatibility
Manager, on the Applications screen. You can set
your own compatibility ratings and download
vendor assessment ratings from software vendors
and community assessment ratings from the Microsoft Compatibility Exchange. Assessment ratings are
tracked for both 32-bit and 64-bit versions of an app.
Possible ratings include:
 Works. During your organization’s testing phase, no issues with the app, installation package, or
website existed.
 Works with minor issues or has solutions. During your organization’s testing phase, there were no
major issues with the application, installation package, or website.
 Does not work. During your organization’s testing phase, the application, installation package, or
website experienced a major issue resulting in unexpected app termination.
 No data. You have no compatibility data to provide.
You can view high-level assessment summaries and specific app, device, or website assessment details in
the applicable report screen or in the Report Detail dialog box, respectively.
Process for diagnosing compatibility by using ACT

You use the Application Compatibility Manager to
create new DCPs and collect inventory
information, and then view this information
through a series of quick reports. You need to be
familiar with the following configuration steps:
 Modifying your configuration settings. The

Application Compatibility Manager Tools
menu includes a Settings option that you use
to modify your database and log-processing
service settings, change your membership
status in the ACT community, and receive ACT
software updates.
 Creating and configuring the ACT database. You use the ACT database for storing information that
pertains to your organization’s inventory, including information about your computers, devices,
installed apps, and associated compatibility issues.
 Creating and configuring a DCP. You use DCPs for collecting the information that the ACT database
stores. You must configure each DCP to identify the scenario related to the evaluation, such as
deploying a new operating system or service pack, applying Windows updates, or updating to a
new version of Internet Explorer. You also must configure the starting date and time for monitoring
app use.
 Analyzing your compatibility data by using the Application Compatibility Manager reports. After data
collection occurs, you can organize it by using priorities, assessment ratings, categories, and
subcategories. After organizing your data, you can filter it, determine which apps have compatibility
issues, and view the information in customized reports from the Application Compatibility Manager.
You can use Application Compatibility Manager to configure, collect, and analyze data to fix any issues
detected during testing and pilot phases prior to deploying a new operating system in your organization.
The functionality that the Application Compatibility Manager performs is divided into five phases:
 Phase 1: Collect inventory
 Phase 2: Plan testing
 Phase 3: Test
 Phase 4: Analyze results
 Phase 5: Mitigate
If the Application Compatibility Manager determines that the issues are valid, you can use the Compatibility
Administrator tool in ACT to create mitigation packages to fix the issues, or use the other developer tools
that the ACT provides.
The following sections provide more detail on the tasks performed in Phases 1 and 2.
Phase 1: Collect inventory

This phase includes the task of creating a new DCP. You use the DCP to collect your organization’s
inventory, including information about your computers, devices, and installed apps. After configuring the
DCP, you can save and distribute it to your network clients.
Phase 2: Plan testing

This phase includes prioritizing your apps, categorizing them, and defining an assessment rating by
performing the following steps:
 Prioritize your data. Prioritize apps and computers based on how critical they are to your business.
Exclude any apps or computers that you no longer want to track or review in reports. The available
priority levels are:
o Priority 1 - Business Critical. This is the highest priority level. Assigned to business-critical items that
are so important to your organization that that they must be certified before you can deploy the
updated operating system.
o Priority 2 – Important. This is the priority level for apps, websites, and updates that your
organization regularly uses, but which your organization can continue to function without using.
You can deploy the updated operating system without certification.
o Priority 3 – Nice to have. The priority level for apps, websites, and updates that do not fall into the
previous two categories; however, you want them to appear in your ACT compatibility reports. The
updated operating system will deploy regardless of certification.
o Priority 4 – Unimportant. The priority level for apps, websites, and updates that are not relevant to
your organization’s daily functions. Use this priority level to filter out the unimportant items from
your reports.
o Unspecified. The default priority level, which is assigned automatically to all apps, websites, and
updates. You can use this priority level to denote apps that are not yet reviewed for deployment.
 Categorize your data. You can create categories and subcategories, and then assign them to apps. Use
this process to view custom reports.
 Select your assessment rating. Assign an assessment rating to each of your apps, application
installation packages, and websites. Base an assessment rating, which must apply to your entire
organization, on your own testing results and organizational requirements. Filter your app data,
application installation package data, and website data according to the assessment.
Phase 3: Test
In this phase, you deploy and collect data from the runtime analysis DCPs based on the information created
during phase 2.
Phase 4: Analyze results

In this phase, you analyze the data that is collected and organized in this phase. Options available for
analyzing your data include:
 Synchronizing compatibility issue data. Keeps your compatibility issue data current by synchronizing
with the Microsoft Compatibility Exchange. This online database provides information regarding
compatibility issues from Microsoft, ISVs, and the ACT community.
 Data filtering. Creates and applies custom filtering to provide specific data for your organization and
requirements. Creates a single filter to display your compatibility data based on your priority, category,
subcategory, and assessment rating. You can view the filtered data as a customized report that you can
tailor to your organizational requirements.
 Extensive reporting. Creates reports based on your deployment type, such as operating system
deployment or update impact analysis. You can filter these reports by entity, such as apps, computers,
and websites. In addition, users can view reports based on priorities or custom categories that you
created.
Phase 5: Mitigate
After you have identified application compatibility issues that you must mitigate in your environment, you
can use mitigation tools to fix problems with application compatibility in your environment. You can use
tools like the Compatibility Administrator and Standard User Analyzer to provide mitigation or create
mitigation packages to deploy to client computers.
Diagnosing application compatibility issues by using ACT

You can use ACT to diagnose and potentially
mitigate application compatibility issues in several
ways. The Microsoft Compatibility Monitor
provides real-time analysis of app execution, and
provides access to the Standard User Analyzer and
Compatibility Administrator.
Using Microsoft Compatibility Monitor

When you install runtime analysis packages on
Windows-based computers, the Microsoft
Compatibility Monitor also is installed. You can use
Microsoft Compatibility Monitor to monitor
specific app behavior and identify compatibility
issues within Windows. Microsoft Compatibility Monitor is a user-initiated tool, and requires manual
activation to begin monitoring. When monitoring is running, Microsoft Compatibility Monitor identifies
issues with apps that run during the monitoring process. When you finish the monitoring process and stop
monitoring, Microsoft Compatibility Monitor uploads the data that it gathers to the ACT Logs Processing
Service which adds the data to the ACT database. Because of this, you can perform app testing in different
operating system environments and still store application compatibility data centrally.
Standard User Analyzer

You can use the Standard User Analyzer tool to test for known UAC issues. The Standard User Analyzer does
this by monitoring API calls to detect compatibility issues related to the Windows 10 UAC feature. You also
can use Standard User Analyzer to apply the recommended fixes, and then export the fixes to an .msi file for
deployment to other computers.
Some apps might not run properly under standard user credentials because they require access to
restricted file or registry locations. The Standard User Analyzer monitors and reports many issues, including
issues related to files, registry keys, initialization (.ini) files, tokens, privileges, namespaces, and processes.
You can find the Standard User Analyzer at C:\Program Files (x86)\Windows Kits\10\Assessment and
Deployment Kit\Application Compatibility Toolkit\Standard User Analyzer\.
Compatibility Administrator tool

You use the Compatibility Administrator tool to maintain a custom compatibility database (.sdb) that
contains:
 Several built-in fixes that you can reuse.
 Compatibility information from your environment, which you generate from a search tool that is
available in Compatibility Administrator. This tool allows you to verify which fixes have applied in your
environment.
 Compatibility fixes created in the tool. These fixes often are referred to as shims.
 Compatibility modes. A compatibility mode is a collection of fixes that you can apply together.
 AppHelp messages. You can create blocking and nonblocking AppHelp messages that the operating
system presents to the user when an app starts.
You can add the .msi files that the Standard User Analyzer creates as compatibility fixes in the Compatibility
Administrator tool.
Demonstration: Configuring ACT

In this demonstration, you will see how to install DCPs on a Windows 10 computer.
Demonstration Steps
Configure ACT
1. On LON-DC1, create a new folder named ACTLogs on Local Disk (C:).
2. Open the Application Compatibility Manager, and then run the ACT Configuration Wizard, using the
following information:
o ACT Log Processor: This computer

o SQL Server: (local)\ADK
o Database name: ACTDB
o Log Location: C:\ACTLogs
o Log Processing Account: Local System
3. Confirm access to \\LON-DC1\ACTLogs.
4. Ensure that the ACT Log Processing Service has a status of Running.
Create data collection packages (DCPs) for deployment

1. On LON-DC1, in the Microsoft Application Compatibility Manager, in the navigation pane, click Data
Collection Packages.
2. Create a new inventory collection package with the following configuration:
o Package Name: SalesInventoryPKG
o Package description: Sales Inventory
o Package location: \\LON-DC1\Labfiles\SalesInventoryPKG.msi
3. Create a new runtime analysis package with the following configuration:
o Package Name: SalesRuntimePKG
o Package description: Sales Runtime
o Package location: \\LON-DC1\Labfiles\SalesRuntimePKG.msi
Install DCPs on a Windows 10 computer

1. Sign in to LON-CL1 as Adatum\Alan with the password Pa$$w0rd.
2. On LON-CL1, install SalesInventoryPkg.msi and SalesRuntimePkg.msi from \\LON-DC1\Labfiles.


Question
What is the primary reason to use DCPs?
To provide guidance, based on your environmental variables, about potential compatibility

issues.
To upload the gathered data to the ACT Logs Processor.
To provide a web service that propagates application compatibility issues from the server to the
client.
To configure, collect, and analyze data to fix any issues before deploying a new operating system
or deploying a Windows update in your organization.
To collect app information from client computers in your environment.

Lab: Assessing application compatibility

Scenario
Your task is to ensure that the ACT has been used to properly analyze the commonly used apps in the Sales
department for compatibility. You must create inventory and runtime status collection packages in ACT on
LON-DC1, which will be deployed to LON-CL1 and LON-CL2, where the apps for the Sales department have
been installed on Windows 10. You will use ACT to inventory, organize, and analyze compatibility issues.
Note: You will not actually use the LON-CL2 virtual machine in this lab.
Objectives
 Analyze applications for compatibility issues.
 Mitigate application compatibility issues.
Lab Setup
Virtual machines: 20695C-LON-DC1, 20695C-LON-CL1
Password: Pa$$w0rd
1. On the host computer, from the Start screen, click Hyper-V Manager.

o Domain: Adatum
5. Repeat steps 2 and 3 for 20695C-LON-CL1.
Exercise 1: Analyzing applications for potential compatibility issues

Scenario
You must ensure that commonly used apps in the Sales department have been properly analyzed for
compatibility with ACT. To check the apps in Sales, you decide to create inventory and runtime status
collection packages in ACT on LON-DC1, which will be deployed to LON-CL1, where the apps for the Sales
department have been installed on Windows 10. You then decide to use ACT to inventory, organize, and
analyze compatibility issues.
1. Configure the ACT.
2. Create data collection packages.

3. Install data collection packages.
4. Organize and analyze the application inventory.
 Task 1: Configure the ACT

1. Switch to LON-DC1.
2. On LON-DC1, create a new folder named ACTLogs on Local Disk (C:).
3. From the Start screen, start Application Compatibility Manager.

4. Complete the ACT Configuration Wizard by using the following information:
o Run as ACT Log Processing Service: Yes
o Database type: (local)\ADK
o Database name: ACTDB
o Log File Path: C:\ACTLogs
o Service: Local System

5. Open the Microsoft Application Compatibility Setting dialog box, and then verify the following:
o Database settings
o Log Processing settings
o Preferences
6. From the Task Manager, click the Services tab, and then confirm that the ACTLogProcessor Service is
running.
 Task 2: Create data collection packages

2. Create a new inventory collection package with the following configuration:

o Package Name: SalesInventoryPKG
o Package label: Sales Inventory
o Package location: \\LON-DC1\Labfiles\SalesInventoryPKG.msi
3. Create a new runtime analysis package with the following configuration:
o Package Name: SalesRuntimePKG
o Package label: Sales Runtime
o Package location: \\LON-DC1\Labfiles\SalesRuntimePKG.msi
 Task 3: Install data collection packages

1. Sign in to LON-CL1 as Adatum\Administrator by using the password Pa$$w0rd.
2. Open File Explorer, and then go to \\LON-DC1\Labfiles.

3. Install SalesInventoryPKG.msi.
4. Install SalesRuntimePKG.msi.
5. Sign out of LON-CL1.

 Task 4: Organize and analyze the application inventory

2. In the Application Compatibility Manager, click Analyze, and then configure the following:
o Under the Windows 10 Reports\Computers node, verify that LON-CL1 has reported information.
Double-click LON-CL1 to view reported data.
o In the Windows 10 Reports section, click Applications. Verify that applications are listed in the
details pane.
o Click the Devices node, and then verify that devices are reported for LON-CL1.
o Under Windows 10 Reports, on the Applications node, create a new category named Sales,
create a new subcategory within the Sales category named Customer Service, and then assign
Microsoft Office Excel Viewer to the Customer Service subcategory.
o On the Applications tab, assign Microsoft Office Excel Viewer a deployment status of Ready to
Deploy.
Results: After completing this exercise, you should have analyzed applications for potential compatibility
issues.
Exercise 2: Mitigating application compatibility issues

Scenario
The StockViewer app has compatibility issues with Windows 10. You need to identify and mitigate the
specific issues on LON-CL1, as a test for other Windows 10 computers in the Sales department.

1. Identify application compatibility issues.
2. View and synchronize application compatibility information.
 Task 1: Identify application compatibility issues

2. From the Start menu, open the Microsoft Compatibility Monitor.
3. In the User Account Control window, type Adatum\Administrator as the username and Pa$$w0rd as
the password, and then click Yes.
4. In Compatibility Monitor, from the Advanced tools menu, run the Standard User Analyzer.
5. In the Standard User Analyzer window, browse to, and then open, the following file: C:\Program Files
(x86)\StockViewer\StockViewer.exe.
6. In Standard User Analyzer, clear the Elevate check box, and then launch StockViewer.
7. Answer Yes to the App Verifier logs message.
8. In the User Account Control window, type Adatum\Administrator as the username and Pa$$w0rd as
the password, and then click Yes.
9. Notice the Permission Denied error message.

10. To determine potential issues, test the following tasks:
o Click Trends.
o Click the Tools menu, and then click Options.
o Click the Tools menu, and then click Show Me a Star.
11. Close the StockViewer application.
 Task 2: View and synchronize application compatibility information

1. Check the errors reported in the Name Space tab in the Standard User Analyzer window.
2. Check the errors reported in the Other Objects tab in the Standard User Analyzer window.
3. Apply mitigations to the application.

4. Close the Standard User Analyzer window.
5. Close the Compatibility Monitor window.
6. When the Upload Required message appears, click Yes.
Results: After completing this exercise, you will have mitigated application compatibility issues by using
Microsoft Application Compatibility Toolkit (ACT).

When you have finished the lab, revert all virtual machines back to their initial state:
3. In the Revert Virtual Machines dialog box, click Revert.


Review Questions
Question: What are some examples of common application categories or considerations to
use when organizing your application inventory?
Question: You have just installed ACT and configured the initial settings. What final task must
you complete to ensure that inventory collection occurs?
Tools
Enterprise Mode Site List Create and update the Enterprise http://aka.ms/Wn7yay
Manager for Windows 10 Mode Site List in the version 2.0 (v.2)
XML schema and import an existing
site list.
Microsoft Assessment and Provides application compatibility http://aka.ms/Drnn9f

Planning Toolkit (MAP) 9.3 assessment reports for Microsoft
Office, Office 365, and other
Microsoft products. You also can use
it to obtain general information
about your apps and environment.
Application Compatibility A set of tools that you can use during Downloaded as part of the
Toolkit (ACT) the inventory, analyze, and mitigate Windows Assessment and
phases of the application Deployment Kit (Windows ADK),
compatibility testing process. IT available at
professionals use ACT in corporate http://aka.ms/Miad4n
environments to determine whether
apps are compatible with a new
version of the Windows operating
system before deploying the apps.
They also use ACT to determine how
an update to the new version might
affect their apps.
4-1
Module 4
Planning and implementing user state migration
Contents:
Module Overview 4-1
Lesson 1: Overview of user state migration 4-2
Lesson 2: Overview of USMT 10.0 4-7
Lesson 3: Planning user state migration 4-11
Lesson 4: Migrating user state by using USMT 4-22
Lab: Planning and implementing user state migration 4-39
Module Overview
Determining how to migrate user profiles and data is an important part of planning the deployment of a
new operating system. Many users spend a significant amount of time configuring their Windows client
operating systems to personalize display items such as desktop wallpaper, UI elements, or other operating
systems and application components. They also might save documents locally to their computers, rather
than saving them on a file server or Microsoft SharePoint Server. This grouping of specific settings, or user
state, is an important part of the migration process when you replace a computer, or when you install a new
operating system. This module will introduce you to user state migration, and to the tools and methods
that you can use to plan and implement a user state migration in the Windows software environment.
Objectives
 Describe user state migration.
 Identify the features of the User State Migration Tool (USMT) 5.0.
 Plan user state migration.
 Migrate user state by using the USMT.

4-2 Planning and implementing user state migration
Lesson 1
Overview of user state migration
User state migration enables you to retain users’ settings and preferences when it is necessary for them to
change their operating systems or computers. You can perform user state migration by using a variety of
tools, in scenarios ranging from a single user on a stand-alone computer to thousands of users in an
enterprise environment.
This lesson introduces user state migration in detail. In this lesson, you also will identify and discuss the key
tools that you can use to perform user state migration.
Lesson Objectives
 Describe the purpose of a user state.
 Describe user state migration.

 Describe how to minimize the impact to a user’s state during operating system deployments.
 Identify tools that you can use for user state migration.
What is user state?

User state is a general term that describes several
categories that determine user environment, user
data, and settings. You cannot identify user state in
one specific file or setting, rather it presents a set
of various files and settings. In operating systems,
such as Windows 7 or newer, the user state
separates the user environment, files, and settings
from the files and settings that are specific to the
installed operating system and those belonging to
applications. Additionally, user state is specific to
each user of the computer, which means that every
user has their own user state that is mostly
independent of other users. The user state includes user’ data and their application or operating system
configuration settings. Traditionally, a user’s computer contains the authoritative copy of that user’s data
and settings.
User state consists of four main data categories, including:
 User settings. This component describes all settings that a user has personalized after the operating
system was installed.
 User registry. This is the part of the machine’s registry that is specific to each user. Registry hive
HKEY_CURRENT_USER (HKCU) stores settings that are specific to the currently signed-in user. The
HKCU registry key is a link to the HKEY_USERS subkey that corresponds to the user. The same
information is accessible in both locations. On computers that run Windows 7 or newer, each user's
settings are stored in their own files, named NTUSER.DAT and USRCLASS.DAT. These files are in their
Users folder on the boot volume. Settings in the HKCU hive follow users with a roaming profile from
machine to machine.
 Application Data. Application Data (or AppData) is one of the folders that are part of user state. This
folder contains mostly application settings that are specific to a user. For example, if a user installs
Microsoft Word 2016, and personalizes settings to fit his or her needs, such as adjusting toolbars,
proofing, or language settings, Word stores these settings in the Application Data folder. Although all
well-designed applications should ideally store the user’s settings in the same folder, it is not possible
to enforce this behaviour because it is entirely up to the developers.
o In previous versions of Windows operating systems, the Application Data folder stored
application-related data with little or no separation of user-related or computer-related
application settings. However, in Windows 7 and newer versions, the AppData folder replaces the
Application Data folder, and it provides a high degree of separation for user-related and
computer-related application settings. In Windows 7 and newer Windows versions, the AppData
folder is stored in the user’s profile folder.
 User data. This component contains all user-specific data, such as files, in the Documents folder,
Favorites folder, and Pictures folder.
What is user state migration?

A user state migration captures all of the desired
settings on a group of existing computers, known
as source computers. It then restores these settings
on a group of newly deployed computers, known
as destination computers. Typically, you would
perform a user state migration during or after the
deployment of a new operating system. A user
state migration enables users to be more
productive, because they do not have to spend
time reconfiguring settings or looking for personal
data after a deployment.
Determine and locate the application settings that

you want to migrate. You can acquire this information when you are testing new applications for
compatibility with their new operating system. Remember to determine whether you are using the same
version of the application on both the old and the new operating system, and in what location the specific
application settings are stored.
Settings might be stored in the registry, .ini files, or in text or binary files. To determine the location of an
application setting, review the application’s documentation or relevant websites.
User state migration in the replace and refresh computer scenario

User state migration can occur in different stages of deployment, depending on whether you use a refresh
or replace deployment scenario:
 Replace scenario. When deploying a new operating system to new computers, you can capture the
user state from source computers before or after you deploy the operating system to destination
computers. After the operating systems deploy to the destination computers, you can restore the user
states on these computers. In this scenario, the source and destination computers are different
computers.
 Refresh scenario. When upgrading operating systems on computers that have existing operating
systems, you can capture the user state, store it in temporary storage, deploy the operating systems,
and then restore the user state on the upgraded computers. In this scenario, the source and destination
computers are the same computers.
Note: Microsoft Deployment Toolkit (MDT) 2013 Update 2 also supports an in-place upgrade
from Windows 7 or newer which maintains user profiles and installed applications. This upgrade
does not employ the USMT and you cannot specify what settings will be migrated. The in-place
upgrade migrates all profiles and settings.
When you deploy Windows 10 to a computer that has an existing, supported Windows operating system,
Windows creates a Windows.old folder. You can migrate user settings from that folder. Windows 10 enables
nondestructive deployment because a Windows 10 installation does not wipe out the target partition and
preserves data in its original location.
The previous Windows installation folder, the Program Files folder, and the Users folder move to the
Windows.old folder, whereas user data in the root folder remains unchanged. However, it is not possible to
start the computer by using the files in the Windows.old folder.
Minimizing the impact to the user state during operating system

deployments
Files and settings that contain user states are
typically stored locally on the computer from
which the user is working. However, by using user
state virtualization, you can place these files and
settings on a network location, and they can follow
the user through all computers and devices onto
which that user signs in. Microsoft has several
solutions that can help to virtualize the user state.
However, this course will not cover these
technologies in detail, because the primary focus
for this course is the actual deployment process.
Roaming user profiles

Roaming user profiles allow users to sign in to any managed computer on a network and have their profiles
automatically downloaded from a network shared folder, allowing them to use their personalized desktop
environments. Roaming user profiles redirect user profiles to a shared network folder, so that users can
receive the same Windows and application settings on multiple computers. When a user signs in to a
computer with a domain account that is configured with a shared network folder as the profile path, the
user’s profile downloads to the local computer and merges with the local profile, if present. The user then
sees his or her personalized desktop with all of its application settings and preferences, such as network
drive mappings, printer connections, and wallpaper selections. The user can make changes and add data to
folders during the session. When the user signs out, the local copy of their profile —including any
changes—merges with the profile’s server copy on the shared network folder.
Because roaming user profiles contain almost the entire user state, it is a simpler solution to use. However,
you cannot use this solution if the users save data outside of their profile or if the applications save settings
outside of the users’ profile, in either the registry or the file system. Although roaming user profiles is a
good solution in the absence of other solutions, because a profile can grow to a large size, synchronization
can take a considerable amount of time.
Folder redirection
Folder redirection allows users or administrators to redirect the path, manually, of a known folder to a new
location. Administrators typically use Group Policy for folder redirection. The new location can be a folder
on the local computer or a directory on a shared network folder. Users interact with files in the redirected
folder as if it still existed on the local drive. For example, you can redirect the Documents folder, which
typically is on a local drive, to a network location. The files in the folder then are available to the user from
any computer on the network. Windows 10 supports the redirection of the following 13 folders found within
user profiles: AppData\Roaming, Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites,
Contacts, Downloads, Links, Searches, and Saved Games.
You also can use folder redirection to minimize the size of the roaming profile. However, you cannot
redirect all data in the user’s profile. The AppData folder contains three subfolders, named Local, LocalLow,
and Roaming. You can redirect the Roaming folder only. Redirecting the Roaming folder can cause issues,
because not all applications do well with a redirected AppData folder. For example, when the same user
signs in to more than one workstation, this can cause the files and settings to be updating at the same time.
User Experience Virtualization (UE-V)

The popularity of the Bring Your Own Device (BYOD) capabilities that many users have today means that
they often are signing into multiple devices at once, including smartphones, computers, and tablets. This
increase in the number of devices that users sign in to results in an increased need for IT departments to
provide a consistent experience across these devices, their application types (physical and virtual), and the
desktops delivered through Virtual Desktop Infrastructure (VDI). Microsoft developed UE-V as a solution to
this problem. UE-V is a product in the desktop virtualization family and part of Microsoft Desktop
Optimization Pack (MDOP), which itself is part of Microsoft Software Assurance.
Most administrators only want to target the business applications that have settings that need to roam. UE-
V provides the administrator this choice by using settings location templates. Administrators also can roll
back settings due to unexpected changes on a per-application basis, and do not have to roll back the entire
user profile.
What is the User State Migration Tool?

USMT 10.0 is a set of command-line tools that
gives administrators greater control over user data
migration. You can use USMT in large
environments in which you need to migrate data
for multiple users on multiple machines. The
command-line interface for USMT helps
administrators to incorporate USMT into enterprise
environments and automated processes. USMT
uses tools to capture and store user data in the first
phase of the migration, and then restore the data
to another operating system from the captured
data.
USMT captures:
 User accounts
 User files
 Operating system settings

 Application settings
You can automate USMT as part of the deployment phase when using either Microsoft Deployment Toolkit
(MDT) or Microsoft System Center Configuration Manager for deployment. Windows Assessment and
Deployment Kit (Windows ADK) includes USMT.
Limitations of USMT
USMT is appropriate for large Windows automated deployments. Scenarios where USMT is not a good fit
include:
 Migrations that require any end-user interaction
 Migrations that need customizations per machine
Question: What is the difference between a replace scenario and a refresh scenario?
Question: Which registry hive stores the user settings?

Lesson 2
Overview of USMT 10.0
USMT 10.0 can simplify user state migration during large-scale Windows deployments. USMT captures user
state from the old Windows installation, and then migrates them to a new Windows installation. You can
use USMT for both PC replace and PC refresh migrations.
USMT consists of three command-line interface (CLI) tools: Scanstate.exe, Loadstate.exe, and
USMTUtils.exe.
This lesson describes the features of USMT 10.0 and its use in performing a user state migration.
Lesson Objectives
 Describe the process of migrating user state by using USMT.
 Identify the features and benefits of USMT.

 Describe the toolset that USMT includes.
Process of migrating user state by using USMT

USMT includes the ScanState.exe and
LoadState.exe tools, and a set of modifiable .xml
files, including MigApp.xml, MigUser.xml, and
MigDocs.xml. You can modify the .xml files to suit
a particular deployment, but it is recommended
that you add custom .xml files to your migration.
You can migrate user settings and data in a two-
stage process:
1. Collect files and settings from the source

computer.
2. Restore files and setting on the destination

computer.
Collecting files and settings from the source computer

To collect files and settings from the source computer:
1. Close all applications on the source computer.

2. Run the ScanState tool on the source computer to collect files and settings. Specify all of the .xml files
that you need for the migration.
Preparing and restoring files and settings on the destination computer

To prepare the destination computer:
1. Install an operating system on the destination computer.
2. Install all applications that were on the source computer.

To restore files and settings on the destination computer:
1. Run the LoadState tool on the destination computer. Specify the same set of .xml files that you
specified when you used the ScanState tool. However, you do not have to specify the Config.xml file,
unless you want to exclude some files and settings that you migrated to the store. Sign out after
running the LoadState tool.
2. Some settings, such as fonts, wallpaper, and screen savers, will not take effect until the next time the
user signs in.
Features and benefits of USMT

You can use USMT in many user state migration
scenarios. USMT offers a comprehensive set of
features and capabilities that enables you to
address your environment’s migration needs.
Features of USMT 10
USMT 10 includes the following features:
 Migrating third-party drivers. This new feature

allows the USMT to migrate third-party drivers
to provisioning packages by using the
scanstate.exe /drivers and /ppkg parameters.
The /drivers parameter specifies what third-
party drivers should be captured. By default, all drivers will be migrated. The /ppkg parameter specifies
that the migrated drivers should be stored in a provisioning package.
 Command-line switches for USMTUtils.exe that you can use to ensure data consistency in data stores
and extract specific files from a store. These switches include:
o /verify. Use the verify option after gathering a ScanState compressed store. This verifies the
consistency of the store and checks for corrupted files or a corrupted catalog. The verify switch is a
reporting tool only. It cannot fix a corrupt store.
o /extract. Use the /extract option if you want to restore only specific files, or if you cannot restore a
compressed store with LoadState. There are several situations in which you can use the /extract
option:
 If a store was partially corrupt after validation.
 If LoadState cannot operate normally on a destination computer.
 If a user deletes a file shortly after LoadState restoration, but before his or her backups run.
 This capability can restore files based on include and exclude patterns. The /extract switch
restores files only. It does not restore registry information or settings.
 Hard-link migration store. For use in the refresh computer scenario, hard-link migration stores are
saved locally on the computer that is being refreshed. It improves migration performance significantly
and reduces hard-disk utilization. A hard-link migration store also reduces deployment costs and
enables entirely new migration scenarios.
 Offline migration. This enables you to collect data from offline Windows operating systems by using
the ScanState tool in the Windows Preinstallation Environment (PE). Furthermore, USMT 10 supports
migrations from previous operating system installations that are in Windows.old directories. The offline
directory can be a Windows directory when you run the ScanState tool in Windows PE, or Windows.old
when you run the ScanState tool in the Windows operating system.
Benefits of USMT
USMT provides several benefits to businesses that are deploying Windows operating systems, including
that it:
 Migrates user accounts, operating system settings, and application settings safely.
 Is customizable and highly scriptable, which increases automation in large-deployment scenarios.
 Reduces the cost of deploying the Windows operating system by preserving the user state. This
reduces the time necessary for users to become familiar with a new operating system, which in turn
reduces the time necessary for users to customize desktops and locate missing files and settings.
 Reduces end-user downtime, which reduces help-desk calls and increases employee satisfaction.
The USMT Toolset

The following list defines the USMT components:
 ScanState. This tool scans a source computer,

collects the files and settings, and then creates
a store. ScanState does not modify the source
computer. By default, it compresses the files
and saves them as a migration store. ScanState
copies files into a temporary location and then
to the migration store.
 LoadState. This tool migrates files and settings,

one at a time, from the store to a temporary
location on the destination computer. This
tool decompresses files, and decrypts them if
necessary, during this process.
 LoadState then transfers files to their correct locations, deletes their temporary copies, and begins
migrating more files. Compression improves performance by reducing network bandwidth usage and
the space that the store requires. You can turn off compression by using the /nocompress option.
 USMTUtils. This tool can perform several functions relating to compression, encryption, and validation
of a migration store. USMTUtils also can extract files manually if your data store becomes corrupt or
your hard-link store becomes locked.
 Migration XML files. These are the XML files that USMT uses for migrations. These include the
MigApp.xml, MigUser.xml, or MigDocs.xml files, and any custom .xml files that you create:
o MigApp.xml. This file contains rules for migrating application settings.
o MigDocs.xml. This file contains rules for the MigXmlHelper.GenerateDocPatterns helper function,
which can find user documents on a computer automatically without creating extensive custom
migration .xml files.
o MigUser.xml. This file contains rules for migrating user profiles and data.
 Config.xml. To exclude data from the migration, you can create and modify the Config.xml file by using
the /genconfig option with the ScanState tool. This optional file has a different format from the
migration .xml files, because it does not contain migration rules.
 The Config.xml file lists the elements that you can migrate. Specify migrate=“no“ for the elements that
you want to exclude from the migration. You also can use this file to control some migration options
for USMT.
 Component manifests for Windows 7 and newer. If the source or destination computer is running
Windows 7 and newer, the component-manifest files control which operating system settings migrate
and how they migrate.
o These files are located on computers that are running Windows 7 and newer, and you cannot
modify them. If you want to exclude certain operating system settings when the source computer
is running Windows 7 and newer, you need to create and modify a Config.xml file.
 USMT internal files. All other .dll, .xml, .dat, .mui, and .inf files included with USMT are for USMT internal
use. You should not modify these files, and the migration process would most likely fail if you attempt
to do so.
Question: What are some benefits of the hard-link migration store?
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Scanstate.exe is used to collect files and settings from a source computer.

Lesson 3
Planning user state migration
Carefully planning user state migration can help ensure that the migration proceeds smoothly and reduces
the risk of migration failure. In migration planning, you must first identify what to migrate, such as user
settings, applications and application settings, and personal data files and folders. By identifying the
applications that you want to migrate, you can avoid capturing data for applications that you expect to
discontinue.
One of the most important requirements for migrating settings and data is to restore only the information
that the destination computer requires. Even if the data captured on the source computer is more
comprehensive than the data restored for backup, it is redundant to restore data or settings for applications
that users will not install on the destination system, and it can introduce instability in the newly deployed
computer.
Lesson Objectives
 Explain the considerations for a user state migration.

 Identify common migration scenarios.
 Determine what data to migrate.
 Describe how to choose a migration store and location.
Considerations for a user state migration

You need to consider the following factors when
planning a user state migration:
 Determine the migration scenario. When

performing a PC refresh scenario, determine
whether you will use a hard-link migration
store or a compressed migration store on a
server. Or you can upgrade the computer first
and then use USMT to scan and load user
settings from the Windows.old directory. A PC
replacement scenario requires either a
network location to store user settings or an
external disk to store user settings if no
network location is available.
 Determine what to migrate. Consider migrating user-state elements, which include end-user
information, application settings, operating system settings, files, folders, and registry keys.
 Determine where to store your data. Based on the size of your migration store, you can store data
remotely on a file share, locally in a hard-link migration store, on a local external storage device, or
directly on the destination computer.
 Estimate the time it will take to do the migration. Do not underestimate the amount of data users store
locally on their computer. It may take several hours, per computer, to perform the migration,
depending on the size of the migration store and the network speed.
 Use the /genmigxml command-line option to select the files that you will include in your migration
and to determine whether any modifications are necessary. The /genmigxml option specifies that the
ScanState tool must use the document finder to create and export an XML file. This file defines how to
migrate the files on the computer on which the ScanState tool is running.
 Modify the migration XML files and create custom .xml files, if necessary. To modify migration
behavior, you can create a custom .xml file or modify the rules in existing migration .xml files. For
example, an organization might want to migrate the \Data folder on drive C but not the \Data\tmp
folder on drive C.
 Create a Config.xml file to exclude any elements from a migration. To create this file, use the
/genconfig option and the .xml files you want to exclude when you use the ScanState tool.
 Review the migration state in the Config.xml file and specify migrate=no for any element that you do
not want to migrate.
Common migration scenarios: PC refresh

USMT manages the migration of the user's state
from a source computer, and restores it on a
destination computer after the operating system
upgrade occurs. This lesson will discuss several
migration scenarios, all of which pertain to
situations in which you are upgrading only an
operating system, and not hardware; this is called a
PC refresh scenario.
In PC refresh migration scenarios, the ScanState

tool collects the user state in one of two ways:
 Online. An online migration involves running

ScanState while the source version of the
Windows operating system is running.
 Offline. In an offline migration, ScanState runs against a copy of the Windows operating system that is
not running. This can be done by:
a. Running ScanState from the Windows PE environment, and collecting data from an existing
version of the Windows operating system.
b. Running ScanState against the Windows.old directory that contains data from the previous
Windows installation.
In the PC refresh scenarios, the source and destination computers are the same. Windows 10 replaces the
old operating system, and you preserve and migrate the user state to Windows 10 by using USMT.
You must implement the following high-level steps to perform a PC-refresh:
1. Collect user state data with ScanState and save it to a migration store.
2. Install Windows 10.
3. Use LoadState to restore user state by using preserved data from the migration store.
You can collect the user state data in step 1 online or offline. There are several ways to perform a PC refresh
migration. The method that you select depends on several factors, including how you install Windows 10
and which resources you have available.
Scenario 1: Offline migration by using Windows PE and hard-link migration

You must upgrade your accounting department’s computers to Windows 10 by using their existing
computers. There will be no network connection available while you are upgrading your computers.
Therefore, you will run ScanState from Windows PE, and use a hard-link migration store to save each user
state on each computer by using the following procedure:
1. On each computer, boot the machine into Windows PE, and then run the ScanState command-line
tool, specifying the /hardlink /nocompress options. ScanState saves the user state to a hard-link
migration store on each computer, which improves performance by minimizing network traffic.
2. On each computer, install the company’s standard image that includes Windows 10 and company
applications.
3. Run the LoadState command-line tool on each computer. LoadState restores each user state back to
each computer.
Scenario 2: Online migration by using a compressed migration store

You must upgrade several computers to Windows 10. All of the computers are network-connected, and a
file server will host the migration store. For this scenario, you need to perform the following procedure:
1. On each computer, from the original operating system, run ScanState, and then specify the file server
as the location for the migration store.
applications.
3. Run LoadState on each computer, which will restore the user state from the previous version of the
Windows operating system.
Scenario 3: Online migration by using hard-link migration

You must upgrade several computers to Windows 10. In this scenario, you run ScanState directly against the
existing operating system, and specify a hard-link migration store to reduce the user-state migration time.
For this scenario, you need to perform the following procedure:
1. On each computer, from the original operating system, run ScanState with the /hardlink and
/nocompress options. This will save the user state to a local, hard-link migration store on the computer.
The ScanState process completes faster because the files do not have to transfer across the network or
write to an external disk. The files do not even move on the disk, but instead remain in their original
location.
applications.
3. Run LoadState on each computer, which will restore the user state from the previous version of the
Windows operating system.
Scenario 4: Offline migration by using the Windows.old folder and hard-link

migration
You must upgrade several computers to Windows 10. In this scenario, when installing Windows 10, you will
be leaving the Windows.old folder on the upgraded systems.
You will perform an offline migration from within the newly installed Windows 10 operating system by
using the Windows.old directory and a hard-link migration store. For this scenario, you need to perform the
1. On each computer, install Windows 10 without reformatting or repartitioning the operating system
drive, and then install all required applications.
2. Run ScanState and then run LoadState on each computer with the /hardlink and /nocompress options.
Common migration scenarios: PC replace

In the PC replace scenario, the source and
destination computers are not the same. PC
replace scenarios involve migrating user states
from one computer to another. Thus, PC replace
scenarios do not have to follow the PC refresh
process of scan, install, and load.
Scenario 1: Offline migration by using

Windows PE and an external migration
store
Your company is deploying 20 new computers in
the Research department. These computers will
replace existing computers, all of which contain
important user information. No network connection is available, but you do have an external hard disk to
use. You will perform the entire user state migration offline by using the external hard disk as the location
for the migration store. For this scenario, you need to perform the following procedure:
1. On each of the source computers, start in Windows PE, and then run ScanState to collect the user state
data on the external hard disk.
2. On each of the destination computers, deploy Windows 10 by using the company’s standard Windows
deployment process.
3. On each of the destination computers, run LoadState, which restores the user state from the source
computer.
Scenario 2: Manual network migration

You have received 50 new laptops to distribute to company managers, and new employees then will
receive the managers’ existing laptops. You must perform the upgrade and user state migration for both
the managers and the new employees. A network file server is available to host the migration store. For this
scenario, you need to perform the following procedure:
1. On each of the managers’ old laptops, run ScanState to export the user state to the migration store on
the file server.
2. On each of the new laptops, deploy Windows 10 by using the company’s standard Windows
deployment process.
3. On each of the new laptops, run LoadState, which will restore the user state from the managers’ old
laptops.
4. On each of the old laptops, deploy Windows 10 using the company’s standard Windows deployment
process. No user state migration is necessary for the new employees’ laptops.
Scenario 3: Managed network migration

Your company is allocating 200 new computers to users in the Marketing department. These users are in
several different locations. You will perform a managed migration, which will not require you to run
ScanState or LoadState interactively while you are signed in to any computer. The migration store will be
stored on a network file server. For this scenario, you need to perform the following procedure:
1. On each of the source computers, configure System Center Configuration Manager, MDT, or a logon
script to run ScanState. Store the user state data in the migration store on the file server.
2. On each of the new computers, deploy Windows 10 by using the company’s standard Windows
deployment process. This involves using System Center Configuration Manager, MDT, or Windows
Deployment Services.
3. On each of the source computers, configure System Center Configuration Manager, MDT, or a logon
script to run LoadState. Restore the user state data from the migration store on the file server.
Determining what to migrate

USMT migrates user accounts, application settings,
operating system settings, file types, files, and
folders.
These default settings frequently are enough for a
basic migration. However, you should consider
what settings you want users to be able to
configure and what settings you want to
standardize when determining what settings to
migrate. USMT controls the data that you can
migrate by using migration .xml files, including
MigApp.xml, MigDocs.xml, and MigUser.xml, as
well as any custom .xml files that you create.
User data
ScanState uses rules in the MigUser.xml file to collect everything in a user’s profile. ScanState then performs
a file extension–based search on most of the system for other user data.
By default, USMT migrates the following user data and access control lists (ACLs) by using the MigUser.xml,
MigDocs.xml, and MigApps.xml files:
 Folders from each user profile. USMT migrates everything in a user’s profile, including Documents,
Video, Music, Pictures, Desktop files, Start menu, Quick Launch settings, and Favorites.
 Folders from the All Users and Public profiles. USMT also migrates the following from the Public profile
in Windows 7 or newer: Shared Documents, Shared Video, Shared Music, Shared Desktop files, Shared
Pictures, Shared Start menu, and Shared Favorites.
 File types. The ScanState tool searches the fixed drives and collects and migrates files that have any of
the following file name extensions: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp,
.one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt,
.vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, or .xls*.
The MigUser.xml file does not migrate the following data:
 Files outside of a user profile that do not match one of the file name extensions in the MigUser.xml file.
 ACLs for folders that are outside of a user profile.

Operating system components

By default, USMT migrates most standard operating system features to destination computers that are
running Windows 10 from computers that are running Windows 7 or newer. Some settings, such as fonts,
are not available for an offline migration until after the destination computer restarts. For this reason, we
consider it a best practice to restart the destination computer after Loadstate has run.
The following list includes some of the operating system components that migrate with USMT:
 Mapped network drives
 Network printers
 Folder Options
 Users personal certificates
 Internet Explorer settings
Supported applications
We recommend that you install all applications on the destination computer before restoring the user state.
This ensures that you preserve migrated settings. If you install the application after the user state has been
migrated, the installation might overwrite the users’ settings.
The installed applications’ versions must match on the source and destination computers. USMT does not
support migrating the settings of an earlier version of an application to a later version, except for Microsoft
Office. USMT only migrates settings that users have changed. Default application settings might not be
migrated if the user has not changed the settings from the default values. If you specify the MigApp.xml
file, USMT will migrate settings for many of the applications.
What USMT does not migrate

USMT does not migrate the following settings:
 Application settings. USMT does not migrate settings from earlier versions of an application.
Additionally, it does not migrate application settings, and some operating system settings, when you
create a local account.
 Existing applications. USMT does not migrate existing applications. You have to reinstall all applications
on the destination computer before restoring the application settings.
 Operating system settings. USMT does not migrate the following operating system settings.
 Local printers, hardware-related settings, drivers, and passwords.

 Shared folder permissions. You must share these folders again after the migration completes.
 Files and settings migrating between operating systems with different languages.
 Customized icons for shortcuts.
USMT is an administrator tool. If you run the USMT as a standard user, either the tool will not run or only
the current user will be migrated. Depending on the Windows version that you install, USMT will not
migrate some operating system settings.
Identify users
You should consider how to migrate users carefully. You can specify which users to include and exclude at
the command prompt with user options.
Before migration, you should consider that:
 If local user accounts do not exist on the destination computer, use the /lac option with the LoadState
command. If you do not use this option, USMT will not migrate these accounts.
 You may need to create new user accounts on the destination computer. The /lae option enables the
account that was created by using the /lac option. If you create a disabled local account by using only
the /lac option, a local administrator must enable the account on the destination computer.
 You should be careful when specifying a password for local accounts. The /lac:[Password] allows you
to specify a password when the local user accounts are created. If you create a local account that has a
blank password, anyone can sign in to that account on the destination computer. If you create a local
account that has a password, the password is available to anyone with access to the folder where you
store the USMT command-line tools and accompanying scripts.
 Source and destination computers do not have to be connected to the domain for domain user profiles
to migrate.
Identify applications and settings

The following process might help you decide which applications to redeploy and which to discontinue:
 Create and prioritize a list of applications to migrate.
 Identify an experienced application owner to provide insight into how the organization installs,
configures, and uses the various applications.
 Identify and locate the application settings to migrate.
 After you complete the list of applications to migrate, review the list, and then work with each
application owner to develop a list of settings to migrate.
 Consider whether the destination version of the application is newer than the source version and if the
existing settings work with the new version.
 Create a custom .xml file to migrate the settings, and work with application owners to develop test
cases. Typically, you continue to perform migration testing for application settings to determine if the
settings have migrated successfully.
Identify operating system settings

When planning your migration, identify which operating system settings you want to migrate and to what
extent you want to create a new standardized environment. USMT allows you to migrate the settings that
you choose and keep the default values for all other operating system settings. Operating system settings
include the desktop’s appearance, such as wallpaper or colors; actions such as clicking or double-clicking to
open an item; and Internet settings and mail-server connection information.
Consider the following factors when determining which settings to migrate:
 Any previous experiences with migration, or the results of any surveys and tests that you conduct.
 The number of help desk calls related to operating system settings that you have had in the past, and
how many you think you will receive in the future.
 How many new operating system functionalities you want to use.
 Divide the settings into three categories: settings that users must have to do their work, settings that
make the work environment more comfortable, and settings that might reduce help-desk calls.
Migrating these items can increase user productivity and overall satisfaction with the migration
process.
 Because users may not remember how to apply all operating system settings, the operating system
settings are often an overlooked part of user state migration.
Identify file types, files, and folders

When planning your migration, if you are not using MigDocs.xml, identify the file types, files, folders, and
settings to migrate. Performing the following steps is important:
 Determine the standard file locations on each computer.
 Identify and locate the nonstandard locations. Consider the file types that you want to include and
exclude in the migration, the locations that you want to exclude, and new locations to which you want
to migrate files on the destination computer.
 After verifying which files and file types end users regularly utilize, you need to locate the files.
Choosing a migration store and location

The migration store is your temporary repository
for user migration data. You determine the type of
migration store you will use based on how you
save the captured user state from the source
computer before restoring it to the destination
computer. When planning the migration, you must
consider your specific scenario and the space
required to run USMT on the source and
destination computers, and then determine which
migration store suits your requirements. You also
must decide whether you are using a local folder, a
network share, or other storage devices to store
the user state data. Lastly, you should consider whether it is necessary to encrypt the migration store to
ensure that you maintain user-data integrity.
Migration store types

USMT includes the following migration store types:
 Uncompressed. The uncompressed migration store is an uncompressed directory with a mirror image
of the folder hierarchy that you are migrating. Each directory and file has the same access permissions
as the source computer. You can use Windows Explorer to view this migration store type. A catalog file
stores these settings, and this file describes how to restore files on the destination computer. To create
an uncompressed migration store, use the /nocompress option when running ScanState.
 Compressed. The compressed migration store is a single-image file that contains all of the files and
settings that you are migrating, as well as a catalog file. This image file often is encrypted and
password-protected, and you cannot navigate it by using Windows Explorer. ScanState creates a
compressed migration store by default.
 Hard-link. A hard-link migration store functions as a map that defines how a collection of bits on the
hard disk integrates into the file system. You can use the hard-link migration store only in the refresh
computer scenario. This is because the hard-link migration store is maintained on the local computer,
while you remove the old operating system and install the new operating system.
Using a hard-link migration store saves network bandwidth, and minimizes both the time and storage
space required to perform the migration. Keeping files in place on the local computer eliminates
redundant files. Additionally, it benefits performance and reduces disk usage. Create a hard-link
migration store by using the /hardlink option when ScanState is running. Hard-link migration is almost
identical to an uncompressed migration store. It is stored at a location that you specify by using the
ScanState command-line tool, and you can view the store’s contents by using Windows Explorer. After
you create the store, you can delete or copy it to another location without changing the user state.
Restoring a hard-link migration store is similar to restoring any other migration store.
Estimate the size of a migration store

You must determine how much space you need to store the data that you want to migrate. Base your
calculations on the volume of email, personal documents, and system settings for each user. The best way
to estimate the size required is to survey several computers that are representative for the entire set of
computers, and then arrive at an average size that the store will require.
The amount of space that the store requires will vary depending on your organization’s local storage
strategies. For example, one key element that determines the size of migration data sets is email storage. If
your organization stores email centrally, data sets will be smaller. If your organization stores email locally,
such as by using offline storage files, data sets will be larger. Mobile users most likely will have larger data
sets than workstation users. Perform tests and inventory the network to determine the average size of your
organization’s data sets. During the tests, measure the time that you need to perform the migration. Several
companies have had to extend the time to finish migration due to the extended time it takes to copy huge
amounts of data to and from the network’s shared folder.
If you use hard-link migration, you do not have to estimate the size of the migration store because files do
not move from the local disk. This is only possible in the PC Refresh scenario.
You should consider the following issues when determining how much disk space you will need:
 Email. If users manage a large volume of email or keep email on their local computers instead of on a
mail server, this email can occupy as much disk space as all other user files combined. Before migrating
user data, ensure that users who store email locally synchronize their Inbox folders with their mail
server.
User documents. The size required for user documents varies greatly depending on the types of files
involved. You should look at sample folders of user documents before performing calculations for
storage requirements.
 For example, an architectural firm that uses computer-aided design files needs much more space than
a law firm that primarily uses word-processing documents. You do not have to migrate the documents
that users store on file servers through mechanisms such as folder redirection, as long as users will have
access to these locations after the migration.
 User operating system settings. 5 MB usually is a sufficient amount of space for saving registry settings.
However, this requirement can fluctuate based on the number of applications that a user installs on his
or her computer.
Local store vs. remote store

If you choose the refresh scenario and the local computer has sufficient space, you can choose to store the
user state data on a local device. Typically, this is the best option because it reduces server-storage costs
and eliminates network-performance issues. You can store the data locally, either on a different partition or
a removable device, such as a USB drive. Additionally, depending on the imaging technology that you are
using, you may be able to store the data on a partition that you reimage, if you protect that data from
deletion during the reimage.
If you choose the replace scenario, or if the local computer has insufficient space, you must store the user
state data remotely. For example, you can store it in on a shared folder or removable media.
You can also store it directly on the destination computer. For example, you can create and share C:\store
on the destination computer, run the ScanState tool on the source computer, save the files and settings to
\\DestinationComputerName\store, run the LoadState tool on the destination computer, and then specify
C:\store as the store location. By doing this, you do not have to save the files to a server.
Space requirements for hard disks

The space requirements for hard disks that you use in a migration depend on the size of the migration store
and the migration scenario that you use. You can estimate the disk space that you will need for computers
in your organization based on information about your organization’s infrastructure. You also can calculate
disk-space requirements by using the ScanState tool:
 Migration store. For migrations that do not use a hard links, ensure that there is enough available space
on the location where you want to store the migrated data. You can save your migration store to
another partition or an external storage device, such as a USB flash drive or a server.
 Source computer. The source computer must have enough available space for the following:
o 250 MB minimum of hard disk space. This is required to support USMT operations, such as the
growth in the page file. If every volume involved in the migration is formatted for the NTFS file
system, 250 MB may be enough to ensure success for almost every hard-link migration, regardless
of the migration’s size. USMT will not create the migration store if 250 MB of disk space is not
available.
o Temporary space for USMT to run. Additional disk space for USMT to operate is required. This does
not include the minimum 250 MB required to create the migration store. ScanState can calculate
the temporary space that you will require.
o Hard-link migration store. You do not have to estimate the size of a hard-link migration store. The
only case in which the hard-link store can be large is when non-NTFS file systems exist on the
system and contain data that you are migrating.
 Destination computer. The destination computer must have enough available space for the following:
o Operating system.
o Applications.
o Data being migrated. In addition to the files being migrated, registry information also requires
hard-disk space for storage.
o Temporary space for USMT to run. Additional disk space for USMT to operate is required.
ScanState can calculate the temporary space that you will require.
Calculating disk space requirements by using the ScanState tool

You can use the ScanState tool to calculate the disk-space requirements of a particular compressed or
uncompressed migration. You do not have to estimate the migration store size for a hard-link migration,
because this method does not create a separate migration store. The ScanState tool provides disk-space
requirements for the computer’s state when the tool is running. Because the computer’s state may change
during daily use, we recommend that you use the calculations as an estimate when planning your
migration.
Create an XML file that includes an improved space estimate for the migration store by using the /p option
of the ScanState tool. This option creates an XML file in the path that you specify.
The following example shows the ScanState command to create this .xml file:
Scanstate.exe C:\MigrationLocation [additional parameters] /p:"C:\MigrationStoreSize.xml"

The following example shows a sample report:
<?xml version="1.0" encoding="UTF-8"?>

<PreMigration>
<storeSize>--
<size clusterSize="4096">11010592768</size>
</storeSize>
<temporarySpace>
<size>58189144</size>
</temporarySpace>
</PreMigration>
The report returns the disk-space requirements in bytes, so in the sample report, the store is approximately
10.5 gigabytes (GB) and the temporary space is 55 MB.
Question: What two ways can scanstate.exe perform an offline migration?
Statement Answer
The USMT can migrate existing applications as well as application settings.

Lesson 4
Migrating user state by using USMT
USMT is the recommended tool for scenarios in which you have many computers to migrate. You must
spend time configuring the migration .xml files, and you may have to create Config.xml and other custom
.xml files to provide additional customization for your migration. After configuring your migration settings,
you migrate the user state by using USMT, and then run the ScanState and LoadState tools to capture and
restore user state data.
This lesson describes how to edit USMT migration files. Typically, the basic settings for USMT migration
scripts are configured automatically when you perform lite-touch installation and zero-touch installation
deployments by using MDT and Configuration Manager. Therefore, you might only have to edit the files
manually for advanced settings.
Lesson Objectives
 Explain how to create a custom XML migration file.
 Explain how to create a Config.xml file.
 Describe how to capture user state by using ScanState.
 Describe how to restore user state by using LoadState.
 Explain how to perform an offline migration.
 Identify best practices for using USMT.
 Identify security best practices for using USMT.
Creating a custom XML migration file

You can create a custom XML file to migrate
specific line-of-business (LOB) application settings
or to change the default migration behavior. You
also can use a custom XML file to migrate settings
for applications that the MigApp.xml file does not
support. For ScanState and LoadState to use this
file, you must specify the custom XML file on both
command lines. Restore the settings after you
install the applications, but before the user runs
the applications for the first time.
XML file requirements

When creating custom .xml files, there are several
requirements, including that the file:
 Must be UCS Transformation Format 8 (UTF-8). You must save the file in this format, and you must
specify <?xml version=“1.0“ encoding=“UTF-8“?> at the beginning of each .xml file.
 Must have a unique migration urlid. The urlid of each file that you specify at the command prompt
must be different. If two migration .xml files have the same urlid, the second .xml file that you specify
at the command prompt will not be processed. This is because USMT uses the urlid to define the
elements within the file.
 Each element in the file must have a display name for it to appear in the Config.xml file. This is because
the Config.xml file defines the elements by the display name and the migration urlid. For example,
specify My Application.
Determine which files to migrate

You can use the /genmigxml command-line option to determine which files to include in your migration of
a specific computer, and to determine if any modifications are necessary. Because this is a computer-
specific file, you cannot use it without making modifications:
The following command will generate an XML file:
Scanstate.exe /genmigxml:<xmlfilename>.xml
Create an XML File to Migrate Application Settings

We recommend that if you want to migrate custom application settings, you create a separate custom .xml
file instead of adding settings to the MigApp.xml file. This is because the MigApp.xml file is large, and it will
be difficult to read and edit. Furthermore, if you reinstall USMT, the MigApp.xml file will be overwritten by
the default version of the file, and you will lose your customized version. You can use the MigApp.xml file as
an example to create the custom .xml file.
You can create a custom XML file that can perform the following functions:
1. Check whether the application and correct version is installed by:
o Searching for the installation uninstall key under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall by using the
DoesObjectExist helper function.
o Checking for the correct version of the executable application file by using the
DoesFileVersionMatch helper function.
2. If the correct version of the application is installed, ensure that each setting is migrated to the
appropriate location on the destination computer:
o If the versions of the applications are the same on the source and destination computers, migrate
each setting by using the <include> and <exclude> element.
o If the version of the application on the destination computer is newer than the one on the source
computer, and the application cannot import directly without modification, your script must add
the set of files that trigger the import by using the <addObjects> element. Alternatively, your
script must create a mapping that applies the old settings to the correct location on the
destination computer by using the <locationModify> element and the RelativeMove and
ExactMove helper functions.
o You must install the application before migrating the settings. You can delete any settings that are
on the destination computer by using the <destinationCleanup> element.
Sample custom XML file
The following example illustrates a custom XML file:
<?xml version="1.0" encoding="UTF-8"?>

<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
<component type="Application">

<displayName>My Application</displayName>

<environment context="System">

<variable name="myVar1">


<text>value</text>
</variable>
<variable name="myAppExePath">

<script>MigXMLHelper.GetStringContent("Registry","HKLM\Software\MyApp\Installer
[EXEPATH]")</script>
</variable>
</environment>
<role role="Settings">
<detects>

<detect>

<condition>MigXMLHelper.DoesObjectExist("Registry","HKLM\Software\MyApp
[win32_version]")</condition>
</detect>
<detect>


<rules context="User">

<destinationCleanup>

<objectSet>
<pattern type="Registry">HKCU\Software\MyApp\Toolbar\* [*]</pattern>
<pattern type="Registry">HKCU\Software\MyApp\ListView\* [*]</pattern>
<pattern type="Registry">HKCU\Software\MyApp [ShowTips]</pattern>
</objectSet>
</destinationCleanup>

<include>

<objectSet>
<pattern type="Registry">HKCU\Software\MyApp\Toolbar\* [*]</pattern>
<pattern type="Registry">HKCU\Software\MyApp\ListView\* [*]</pattern>
<pattern type="Registry">HKCU\Software\MyApp [ShowTips]</pattern>
</objectSet>
</include>

<exclude>

<objectSet>
<pattern type="Registry">HKCU\Software\MyApp [Display]</pattern>
</objectSet>
</exclude>
</rules>
</role>
</component>
</migration>
Example of ScanState Syntax
The following syntax provides an example of how you can configure ScanState to scan a source computer:
Scanstate \\LON-DC1\DesktopMigration /i:migapp.xml /i:miguser.xml /config:config.xml /o

/ui:DBService /ue:Adatum\Don
Creating a Config.xml File

Config.xml is an optional USMT file that you can
create by using the /genconfig option with the
ScanState tool. To include all of the default
elements without changing the default store-
creation or profile-migration behaviors, you do not
need to create a Config.xml file.
If you are satisfied with the default migration
behavior defined in the MigApp.xml, MigUser.xml,
and MigDocs.xml files, but you want to exclude
certain elements, you can create and modify the
Config.xml file and leave the other .xml files
unchanged. For example, you must create and
modify the Config.xml file to exclude any of the operating system settings that are migrated. You must
create and modify this file to change any of the default store-creation or profile-migration behaviors.
The Config.xml file has a different format compared to other migration .xml files because it does not
contain any migration rules. It only contains a list of the operating system features, applications, and user
documents that can be migrated, as well as user-profile and error-control policies. For this reason,
excluding features by using the Config.xml file is easier than modifying migration .xml files, because you do
not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in
this file.
After you create and alter the config.xml file to satisfy of your migration’s requirements, you should include
it in the migration with the /config parameter.
The following scanstate command will create the config.xml file:
scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
Capturing user state by using the ScanState tool

Use the ScanState tool to scan the source
computer, collect files and settings, and to create a
store. This topic explains the syntax of the
ScanState command and describes different
command-line options.
You can specify the options in any order. If the

option contains a parameter, you can use a colon
or a space separator.
The ScanState syntax is as follows:
scanstate [StorePath] [/i:[Path\]FileName] [/o] [/v:VerbosityLevel] [/nocompress]

[/localonly] [/encrypt /key:KeyString|/keyfile:[Path\]FileName] [/l:[Path\]FileName]
[/progress:[Path\]FileName] [/r:TimesToRetry] [/w:SecondsBeforeRetry] [/c] [/p] [/all]
[/ui:[DomainName\]UserName]|LocalUserName] [/ue:[DomainName\]UserName]|LocalUserName]
[/uel:NumberOfDays|YYYY/MM/DD|0] [/efs:abort|skip|decryptcopy|copyraw]
[/genconfig:[Path\]FileName[/config:[Path\]FileName] [/?|help]
For example, use the following command to create a store that is encrypted by using the Config.xml file
and the default migration .xml files:
scanstate \\migserver\migration\store1 /i:migapp.xml /i:miguser.xml /o /config:config.xml

/v:13 /encrypt /key:"secretkey"
The ScanState tool provides various options related to specific categories, which the following sections
explain.
Storage Options
The following table describes the storage options that you can configure by using ScanState.
Option Description
Storepath Specifies the folder in which you want to save the migration store.
StorePath cannot use drive C. You must specify the StorePath
option in the ScanState command. The only exception is when
using the /genconfig option. You can specify only one StorePath
location.
/o Overwrites existing data in the migration store or Config.xml file. If

you do not specify this option, the ScanState command will fail if
the migration store already exists and contains data. You can only
use this option once on a command line.
/vsc Specifies that the volume shadow copy service should migrate files
that are locked or in use. This command-line option eliminates
most file-locking errors that the <ErrorControl> section typically
encounters. You can only use this option with the ScanState
command, and you cannot combine it with the /hardlink option.
/hardlink Creates a hard-link migration store at the location that you specify.
You must specify the /nocompress option with the /hardlink
option.
Option Description
/encrypt:”keystring” Encrypts the store with the key that you specify. You must enable
or encryption, because it is disabled by default. With this option, you
must specify the encryption key in one of the following ways:
/encrypt /keyfile:[Path\]Filename
 /key: KeyString specifies the encryption key. If there is a space in
KeyString, you will need to enclose it with quotation marks.
 /keyfile:[Path\]FileName specifies a text (.txt) file that contains
the encryption key.
For security reasons, you should use a KeyString that is at least
eight characters long. It cannot exceed 256 characters. The /key
and /keyfile options cannot be used on the same command line.
Additionally, you cannot use the /encrypt and /nocompress
options on the same command line.
Use caution because anyone who has access to the ScanState script
also will have access to the encryption key.
The following example shows the ScanState command and the
/key option:
scanstate /i:miguser.xml /i:migapp.xml
\\fileserver\migration\mystore /encrypt /key:mykey
/nocompress Disables compression of data and saves everything to a hidden

folder named File at StorePath\USMT10. Compression is enabled
by default. If you combine the /nocompress option with the
/hardlink option, it creates a hard-link migration store . You use
this option to view what USMT stored, troubleshoot a problem, or
run an antivirus utility against the files. You should not use this
option in production environments. It is recommended that you
use a compressed store during your actual migration, unless you
are combining the /nocompress option with the /hardlink
option.
You cannot use the /nocompress and /encrypt options together.
If you choose to migrate an uncompressed store, the LoadState
command migrates each file directly from the store to the correct
location on the destination computer without a temporary
location.
Migration Rule Options

The following table describes the common migration rule options that you can configure by using
ScanState.
Option Description
/i:[Path\]FileName Specifies an .xml file that contains rules that defines what
applications and settings to migrate. You can specify this option
multiple times to include all of your .xml files, such as MigApp.xml,
MigUser.xml, and any custom .xml files that you create (except
config.xml). You must specify the config.xml file with the /config
option. The path can be a relative or full path. If you do not specify
the full path, then FileName must be located in the current
directory.
/genconfig:[Path\]FileName Specifies the Config.xml file that the ScanState command must use
to create the store. You can only use this option once at the
command prompt. The path can be a relative or full path. If you do
not specify the full path, FileName must be located in the current
directory.
The following example shows the ScanState command to create a
store by using the Config.xml file, MigUser.xml and MigApp.xml
files:
scanstate /i:migapp.xml /i:miguser.xml
/genconfig:config.xml /v:13
/config:[Path\]FileName Specifies the Config.xml file that the ScanState command must use
to create the store. You can only use this option once at the
command prompt. The path can be a relative or full path. If you do
not specify the full path, FileName must be located in the current
directory.
The following example shows the ScanState command to create a
store by using the Config.xml file, MigUser.xml and MigApp.xml
files:
scanstate \\fileserver\migration\mystore
/config:config.xml /i:miguser.xml /i:migapp.xml /v:13
/l:scan.log
/localonly Only migrates files that are stored on the local computer. This
option will disregard the rules in the .xml files that you specify at
the command line. Use this option to exclude the data from
external drives on the source computer, such as USB flash drives
and external hard drives, and mapped network drives. If you do
not specify the /localonly option, the ScanState command will
copy files from these drives into the store.
The /localonly command-line option includes or excludes data in
the migration, according to the following list:
 Flash drive: Excluded
 Network drive: Excluded
 Fixed drive: Included
Monitoring options
USMT provides several options that you can use to analyze problems that occur during migration. The
following table describes the monitoring options that you can configure by using ScanState.
Option Description
/listfiles:FileName Generates a text file that lists all of the files that the migration
includes.
/l:[Path\]FileName Specifies the location and name of the ScanState log. The
ScanState log is created by default, but you can specify the name
and location of the log with the /l option. The path can be a
relative or full path, but not Storepath. If you do not specify the full
path, the ScanState tool will create the log in the current directory.
You can use the /v option to adjust the amount of logged
information. If you run the ScanState or LoadState commands
from a shared network resource, you must specify this option or
USMT will fail with the “USMT was unable to create the log file(s)“
error. To fix this issue, use the /l:scan.log command.
/v:VerbosityLevel Enables verbose output in the ScanState log file. The default value
is 0.
You can set the VerbosityLevel to one of the following levels:
 0: only the default errors and warnings are enabled.
 1: enables verbose output.
 4: enables error and status output.
 5: enables verbose and status output.
 8: enables error output to a debugger.
 9: enables verbose output to a debugger.
 12: enables error and status output to a debugger.
 13: enables verbose, status, and debugger output.
The following example shows the ScanState command and the /v
option:
scanstate \\fileserver\migration\mystore /v:13
/i:miguser.xml /i:migapp.xml
User options
By default, all users are migrated. The only way to specifically include or exclude users is with user options.
You cannot exclude users in the migration .xml files or by using the Config.xml file. The following table
describes the user options that you can configure with ScanState.
Option Description
/all Migrates all of the users on the computer. USMT migrates all user
accounts on the computer unless you specifically exclude an account
with either the /ue or /uel options. For this reason, you do not need
to specify this option at the command line. However, if you choose
to specify the /all option, you cannot use the /ui, /ue, or /uel
options.
/ui:DomainName\”User Name” Migrates the specified users. By default, all users are included in the
or migration. Therefore, this option is helpful only when you use it with
the /ue or /uel options. You can specify multiple /ui options, but the
/ui:LocalUserName
/ui option cannot be used with the /all option. DomainName and
UserName can contain the wildcard character (*). When you specify a
user name that contains spaces, you need to place it in quotation
marks.
The following example shows the ScanState command to include
only local users:
/ue:*\* /ui:%computername%\*
The following example shows the ScanState command to migrate all

users from the Adatum domain, and exclude all other users who have
not been active in the last 30 days:
/uel:30 /ui:Adatum\*
In this example, user Adatum\user1, who last signed in two months

ago, will be migrated, because /ui takes precedence over /uel.
However, adatum\User5, who last signed in 40 days ago, will not be
migrated.
/uel:NumberOfDays Migrates the users who signed in to the source computer within the
or specified period, based on the Last Modified date of the Ntuser.dat
file on the source computer. For example, the /uel:30 option
/uel:YYYY/MM/DD
migrates users who signed in within the last 30 days from the date
or when the ScanState command is run. It also is possible to specify a
/uel:0 date, in the YYYY/MM/DD format.
/uel:0 will only migrate currently signed in users.
The following example shows the ScanState command to include
only users that have signed in at least once since January 31, 2014:
/uel:2014/01/31
Option Description
/ue:DomainName\”User Name” Excludes the specified users from the migration. You can specify the
or /ue option multiple times on the command-line. You cannot use this
option with the /all option. <DomainName> and <UserName> can
/ue:LocalUserName
contain the asterisk (*) wildcard character. When you specify a user
name that contains spaces, you need to surround it with quotation
marks.
The following example shows the ScanState command to exclude
users from the adatum domain:
/ue:contoso\*
The following example shows the ScanState command to exclude a

local user named user1:
/ue:%computername%\user1
Encrypted file options

Use the following options to migrate encrypted files. By default, USMT fails if an encrypted file is found,
unless you specify the /efs option. The following table describes the encrypted file options that you can
configure by using ScanState.
Option Description
/efs:hardlink Creates a hard link to the Encrypting File System (EFS) file instead of
copying it. Use only with the /hardlink and the /nocompress
options.
/efs:abort Causes the ScanState command to fail with an error code if it locates
an EFS file on the source computer. This is the default action.
/efs:skip Causes the ScanState command to ignore EFS files and not include
them in the migration store.
/efs:copyraw Causes the ScanState command to copy the files in the encrypted
format. The files will be inaccessible on the destination computer
until EFS certificates are migrated. If you use this option, ensure that
the certificates will be migrated.
Example of ScanState syntax
The following syntax provides an example of how you can configure ScanState to scan a source computer:
Scanstate \\LON-DC1\DesktopMigration /i:migapp.xml /i:miguser.xml /config:config.xml /o

/ui:DBService /ue:Adatum\Don
Restoring a user state by using the LoadState tool

You can use the LoadState tool to restore files and
settings from the migration store to the
destination computer. This topic explains the
syntax of the LoadState command and describes
the different command-line options. You can
specify the options in any order. You can use a
colon or space as a separator in options that
contain a parameter.
The LoadState tool provides various options

related to specific categories. These categories are
similar to ScanState and are explained in the
following sections. Where relevant look in the
topic for ScanState to find more detailed information regarding the options.
Storage options
The following table describes the storage options you can configure by using LoadState.
Option Description
/StorePath This is the folder that stores the files and settings. StorePath is
a required option when you use the LoadState command. You
can specify only one StorePath.
/decrypt /key:"KeyString" Specify the encryption key in one of the following ways:
or  /key:KeyString specifies the encryption key. If there is a
/decrypt /keyfile:[Path\]FileName space in KeyString, the KeyString must be surrounded with
quotation marks.
 /keyfile:FilePathAndName specifies a text (.txt) file that
contains the encryption key.
/decrypt:"encryptionstrength" Encryptionstrength defines the encryption strength that you

specify for the migration store decryption. The option must be
the same as that which you specify with ScanState. The
possible values are AES, AES_128, AES_192, AES_256, 3DES, and
3DES_112.
/hardlink Enables restoration of user state data from a hard-link

migration store. You must specify the /nocompress
parameter with the /hardlink option.
Migration rule options

The following table describes the monitoring options you can configure by using LoadState.
Option Description
/i:[Path\]FileName Specifies an .xml file that contains rules that define what to
migrate. You can specify this option more than once to include all
the .xml files, such as MigApp.xml, MigSys.xml, MigUser.xml, and
any other custom .xml files that you create.
/config:[Path\]FileName Specifies the Config.xml file that the LoadState command must
use. You can only specify this option once at the command
prompt. The path can be a relative or full path. If you do not
specify the full path, then the FileName must be located in the
current directory.
Monitoring options
USMT 10 provides several command-line options that you can use to troubleshoot problems that might
occur during the migration. The monitoring options and syntax is the same as it is for the scanstate.exe
command.
User options
All users are migrated by default. You can include and exclude users by using user options. You can only
exclude users with these options. You cannot exclude users by using one of the .xml files. The following
table describes the user options that you can configure with LoadState.
Option Description
/all Migrates all users from the migration

store to the computer. This option
behaves the same way as the
ScanState command.
/ui:DomainName\UserName Migrates the users that you specify.

or This option behaves the same way as
the ScanState command.
/ui:DomainName\"User Name"
or
/ui:LocalUserName
/uel:NumberOfDays Migrates the users who signed in to

or the source computer within the
specified period. This is based on the
/uel:YYYY/MM/DD
modified date of the Ntuser.dat file.
or This option behaves the same way as
/uel:0 the ScanState command.
/ue:DomainName\UserName Excludes the specified users from the

or migration. You can specify multiple
/ue options. This option behaves the
/ue:DomainName\"User Name"
same way as the ScanState command.
or
/ue:LocalUserName
Option Description
/md:OldDomain:NewDomain Specifies a new domain for the user.

or Use this option to change the domain
for users on a computer or to migrate
/md:LocalComputerName:NewDomain
a local user to a domain account. You
can specify this option more than
once.
/mu:OldDomain\OldUserName :[NewDomain\]NewUserName Specifies a new user name for the

or specified user. If the store contains
more than one user, you can specify
/mu:OldLocalUserName: NewDomain\NewUserName
multiple /mu options. You cannot use
wildcard characters (*) with this
option.
/lac:[Password] USMT will create the user on the

destination computer, if the account is
a local (non-domain) non-existing
user on the destination computer.
However, it will be disabled. To enable
the account, use the /lae option.
Note: Use the Password variable

with caution, because it is provided in
plain text. Anyone with access to the
script that is running the LoadState
command can obtain the password.
Additionally, if the computer has
multiple users, all migrated users will
have the same password.
/lae Enables the account that was created

by using the /lac option. You must
specify the /lac option with this
option.
LoadState Syntax Example

The following syntax provides an example of how to configure LoadState to migrate user state to a
destination computer:
Loadstate \\LON-DC1\DesktopMigration /i:migapp.xml /i:miguser.xml /ue:Adatum\Don

/ui:DBService /lac:Pa$$w0rd /lae
Performing an offline migration

USMT enables you to perform an offline migration.
You can run the ScanState tool inside a different
Windows operating system than the Windows
operating system from which ScanState is
collecting files and settings. You can use offline
migration in the PC refresh scenario if you have
installed the new operating system on the
computer, and moved the old Windows, Program
Files, and Users or Documents, and Settings folders
to the Windows.old folder. You also can use this
option in the scenario where you boot to Windows
PE and the current operating system is not
running. This makes it easier to do a successful migration if there are many locked files that cannot be
migrated otherwise.
The following offline scenarios use USMT:
 Running ScanState in Windows PE
 Running ScanState to scan Windows.old
Offline migration benefits

USMT’s offline migration feature has a direct effect on reducing the cost of deploying Windows 10,
including:
 Reduced complexity. In refresh computer scenarios, migrations from the Windows.old directory reduce
complexity by eliminating the need to run the ScanState tool before you deploy the operating system.
Additionally, migrations from the Windows.old directory enable ScanState and LoadState to be run
successively.
 Improved performance. When USMT runs in a Windows PE environment, it has better access to
hardware resources. The file system creates links to the files as opposed to moving or copying them,
which may increase performance on older machines with limited hardware resources and numerous
installed software applications.
 New recovery scenario. In scenarios where a computer no longer starts correctly, you can start
Windows PE on that computer and collect user state information with the ScanState tool.
 Improved migration success. The offline migration feature increases the migration’s success rate
because files are not locked for editing while the operating system is offline. Windows PE also provides
administrator access to files in the offline Windows file system. This eliminates the need for
administrator-level access.
Command-line options
You can enable an offline migration by using a configuration file at the command line or by using one of
the following command-line options.
Option Description
/offline:<path to offline.xml> Enables offline-migration mode and requires a path to an

Offline.xml configuration file.
/offlineWinDir:<Windows directory> Enables the offline-migration mode and starts the migration
from the specified location. It is only for use in Windows PE
offline scenarios where the migration is occurring from a
Windows directory.
/OfflineWinOld:<Windows.old Enables offline-migration mode and starts the migration from

directory> the specified location. You should use it only in Windows.old
migration scenarios where the migration is occurring from a
Windows.old directory.
Scenario: Migrating from Windows 7 to Windows 10 by using USMT offline migration

and hard-link migration store
You can use USMT hard-link migration with online and offline migration scenarios. If you have a computer
that is running a previous version of the Windows operating system, such as Windows 7, you can use USMT
to migrate user settings and data by using offline migration and a hard-link migration store. To do this,
perform the following steps:
1. Run the Windows 10 installation program on an existing Windows 7 computer. You can run the
installation program from the product DVD, removable media, or Windows Deployment Services.
2. Install Windows 10 on the same partition as the Windows 7 installation. Follow the default installation
instructions, and do not delete or format partitions containing the operating system or data.
3. After you complete the Windows 10 installation, open Windows Explorer, and then go to drive C or to
the drive letter containing the Windows 10 operating system.
If there are folders other than the default folders in the root directory in the Windows 7 operating
system, those folders will still be there because the Windows 10 installation does not delete user data.
You also will find a Windows.old folder. Windows.old contains the files and settings to be migrated
from the Windows 7 operating system to the newly installed Windows 10 operating system.
4. Run ScanState and LoadState with administrative privileges with the following options:
scanstate.exe c:\store /v:13 /o /c /hardlink /nocompress /efs:hardlink /i:MigApp.xml

/i:MigDocs.xml /offlineWinOld:c:\windows.old\windows
loadstate.exe c:\store /v:13 /c /lac /lae /i:migapp.xml /i:migdocs.xml /sf /hardlink
/nocompress
The ScanState tool creates the hard-link migration store at C:\store from the Windows.old directory.
The LoadState tool will remap the hard-link files to their appropriate locations in Windows 10.
5. Go to the Users folder on drive C. You will see the user folders in Windows 10 and all user files in
corresponding file libraries.
Note: The ability of Windows 10 to seamlessly upgrade from Windows 7 or newer will reduce
the requirement for offline migrations to be performed except in special circumstances, such as
when the old operating system has become inaccessible.
Best practices for using USMT

You should implement the following best practices
when using USMT:
 Run the Chkdsk.exe tool before running the

ScanState and LoadState tools. Chkdsk.exe
creates a status report for a hard-disk drive,
and lists and corrects common errors. Run
Chkdsk.exe before starting the migration
process to ensure an error-free hard drive.
 Install applications before running the

LoadState tool. Install all applications on the
destination computer before restoring the
user state. This helps to ensure the
preservation of migrated settings.
 Do not use MigUser.xml and MigDocs.xml together. Using both .xml files can cause duplication of
some migrated files if there are conflicting instructions about the destination locations. If your data set
is unknown, such as when you use many nonstandard file locations, MigDocs.xml is a better choice.
You can use the /genmigxml command-line option to determine which files your migration will
include and to determine if any modifications are necessary.
 Close all applications before running the ScanState or LoadState tools. Using the /vsc option to enable
volume shadow copy allows many files that are open with other applications to migrate. However, it is
recommended that you close all applications to ensure the proper migration of all files and settings.
Without the /vsc or /c option, USMT will fail if it cannot migrate a file or setting. When you are using
the /c option, USMT will ignore any files or settings that it cannot migrate, and it will log an error.
 Sign out after you run the LoadState tool. Some settings, such as fonts, wallpaper, and screen saver
settings, will not take effect until the user signs in. A restart is necessary after you perform an offline
migration.
 Create a managed environment. To create a managed environment, you can move all of an end user’s
documents into My Documents (%CSIDL_PERSONAL%). We recommend that you migrate files into the
smallest possible number of folders on the destination computer. This helps to clean up files on the
destination computer if the LoadState command fails to complete.
 Migrate in groups and phases. If you perform the migration while users are using the network, we
recommend that you migrate user accounts in groups. To minimize the impact on network
performance, determine the size of the groups based on the size of each user account.
By migrating in phases, you can make sure each phase is successful before starting the next phase. Using
this method, you can modify your plan between groups, as necessary.
Security best practices when using the USMT

You must protect the privacy of users, and
maintain security during and after a migration. In
particular,
consider the following issues when you are using

the USMT:
 Encrypting File System (EFS). You should

consider the encryption state when migrating
encrypted files, because the end user does not
need to be signed-in to capture the user state.
By default, USMT fails if it finds an encrypted
file. If you migrate an encrypted file without
migrating the certificate that was used to
encrypt the file, end users will not be able to access the file after the migration.
 Drive-encryption technologies. When performing migrations by using USMT in Windows PE, you
should suspend drive-encryption technologies, such as BitLocker drive encryption. These technologies
could prevent access to the hard disk’s contents.
 Migration store encryption. Consider using the /encrypt option with the ScanState tool and the
/decrypt option with the LoadState tool. However, use extreme caution with this set of options because
anyone who has access to the ScanState command-line script also has access to the encryption key.
 Virus scan. Scan the source and destination computers for viruses before running USMT. Additionally,
scan the destination computer image. To help protect data from viruses, run an antivirus utility before
migration.
 Security of the file server and the deployment server. You must maintain the security of the file and
deployment servers. Make sure that the file server where you save the migration store is secure. You
also must secure the deployment server to ensure that the user data in the log files is not exposed. We
recommend that you transmit data over a secure Internet connection, such as a VPN.
 Password migration. To ensure the privacy of end users, USMT does not migrate passwords, including
those for applications such as Windows Live Mail, Internet Explorer, Remote Access Service
connections, and mapped network drives. Make sure that end users know their passwords.
 Local accounts migration. You should use the /lac option when you are using the LoadState tool to
migrate local accounts that do not exist on the destination computer. If you do not specify the /lac
option, no local user accounts will be migrated. Additionally, consider whether to use the /lae option to
enable user accounts that are created on the destination computer.
Question: Which Scanstate parameter creates a config.xml file?
Statement Answer
Hard-link migrations can only be performed during online migration

scenarios.
Lab: Planning and implementing user state migration

Scenario
You must plan and implement the user state migration for several users who are receiving new Windows 10
computers in the Research department at A. Datum Corporation’s London location. Adam Brooks, the
Research department IT Manager, has provided you with the necessary information to plan and implement
the user state migration.
Supporting Documentation
E-mail from Adam Brooks:
Chad Corbitt
From: Adam Brooks [Adam@adatum.com]
Sent: 10 Jan 2016 08:01
To: chad @adatum.com
Subject: Re: User State Migration for the new Research Department Windows 7 computers
Hi Chad,
We have 8 new Windows 10 computers that are being deployed within the Research department. Last time
the employees got a new computer, we did not remember to get their settings from the old computers
before they were reused. They had to spend hours to get the settings back on the computers. This time we
want to do it the right way. What I want you to do is use USMT 10 to help with the user state migration.
Here are some additional things to consider:
 The old computers are all Windows 7 32-bit computers.

 All computers have the Office 2007 system installed.
 The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated
from Windows 7 to the new Windows 10 computers.
 We have a custom folder named ResearchApp that has to be migrated from all the old computers to
the new Windows 10 computers.
 All domain profiles that are on each existing computer should be migrated to the new system.
 There is a local service account on each Windows 7 computer called DBService that will also have to be
migrated to the new Windows 10 computers.
 Each Windows 7 computer has a local account called LocalAdmin. This account should not be migrated
to the new Windows 10 computers.
 Please make sure that all encrypted files are also migrated from the old computers to the new
computers.
 You can use \\LON-DC1\MigrationStore as a location to store the data store during the migration task.
The data store should be compressed in order to minimize space. Since there is no confidential
information on these specific computers, we do not need the migration store encrypted.
Thanks, Adam
User State Migration Planning–Job Aid – Department Name: __________________
Question Information Details
Migration scenario PC Refresh
PC Replace
Which operating Windows 7 32 bit

system are you
migrating user data 64 bit
from
Windows 8 32 bit
64 bit
Windows 8.1 32 bit
64 bit

system are you
migrating user data to 64 bit
Windows 8 32 bit
64 bit
Windows 8.1 32 bit
64 bit
Windows 10 64 bit
Migration store type Local store
Remote store
Encrypted
Compressed
Hard-link
Accounts to be Local accounts

migrated
Domain accounts
Application settings to
be migrated
Custom folders to be
migrated
Are there encrypted Yes

files?
No
Operating system
settings to be migrated
XML files to use in the Config.XML

migration
MigApp.XML
MigUser.XML
Custom.XML file
Objectives
 Plan for the user state migration.
 Create and customize the USMT XML files.
 Capture and restore user state by using USMT
Lab Setup
Virtual machines: 20695C-LON-DC1, 20695C-LON-CL1, and 20695C-LON-CL3
Password: Pa$$w0rd
o User name: Adatum\Administrator
5. Repeat steps 2 through 3 for 20695C-LON-CL1 and 20695C-LON-CL3.
Exercise 1: Planning for user state migration

Scenario
You must plan the upgrade process for 10 new computers that are being deployed to the Research
department at A. Datum Corporation. Adam Brooks, the IT Manager from the Research department, has
sent you the following email outlining the migration requirements.
The main task for this exercise is as follows:
1. Complete the USMT Planning Job Aid.
 Task 1: Complete the USMT Planning Job Aid

 Based on the information in the email, you should be able to complete the User State Migration Tool
(USMT) Planning Job Aid that is in the lab scenario
Results: After completing this exercise, you will have planned for user state migration.
Exercise 2: Creating and customizing USMT XML files

Scenario
Your user state migration information states that several operating system features should not be migrated.
You also have to migrate a custom folder from the old computers to the new Windows 10 computers. Your
first task will be to create the XML files that address these requirements.
1. Create a Config.xml file.
2. Create a custom migration XML file.
 Task 1: Create a Config.xml file

1. Sign in to LON-CL3 as Adatum\Administrator with the password Pa$$w0rd.
2. Mount the USMT share located on LON-DC1 as the F drive.

3. Open a Command Prompt window, change to the F drive, and then create a config.xml file with the
scanstate.exe tool by using migapp.xml and miguser.xml migration files as input. The creation of
the Config.xml file will begin. This can take several minutes to complete.
4. Open config.xml in Notepad.

5. To exclude the Shared folders, locate the Documents node, and then modify the lines to match the
following code:
component displayname="Shared Video" migrate="no"

component displayname="Shared Music" migrate="no"
component displayname="Shared Pictures" migrate="no"
6. Save your changes, and then close Notepad.
 Task 2: Create a custom migration XML file

1. Open folders.xml in Notepad. This is a custom XML file that will migrate a specific folder called
ResearchApp to the destination computers.
2. Change the file to migrate the C:\ResearchApp folder and all of the content below. The entire line
should read as follows:
<pattern type= "File">C:\ResearchApp\* [*]</pattern>
3. Log off of LON-CL3.
Results: After completing this exercise, you will have created and customized XML files to use with the User
State Migration Tool (USMT).
Exercise 3: Capturing and restoring a user state by using the USMT

Scenario
Now that you have the required custom XML files, you can perform the USMT migration task. Use USMT to
capture the current user state on LON-CL3 by using ScanState and the custom migration files. Then, restore
the user state to LON-CL1 and confirm the migration.
1. Create user state for a research user on the source computer.
2. Capture a user state from a source computer.
3. Restore user state to the destination computer.
4. Verify that user state migration is successful.

 Task 1: Create user state for a research user on the source computer
1. Sign in to LON-CL3 as Adatum\Allie with the password Pa$$w0rd.
2. Create a new text file named Allies file.txt on the Desktop.

3. Create a new folder in the Public Pictures folder named Our pictures.

 Task 2: Capture a user state from a source computer

2. Open a command prompt, change to drive F, type the following, and then press Enter:
Scanstate \\LON-DC1\MigrationStore /i:migapp.xml /i:miguser.xml /i:folders.xml

/config:config.xml /o /efs:copyraw /ue:%computername%\LocalAdmin
This will take several minutes to complete.
 Task 3: Restore user state to the destination computer

2. Mount the USMT share located on LON-DC1 as the F drive.
3. Open a command prompt. change to the F drive, type the following, and then press Enter:
Loadstate \\LON-DC1\MigrationStore /i:migapp.xml /i:miguser.xml /i:folders.xml

/lac:Pa$$w0rd /lae
4. When the LoadState task completes, sign out of LON-CL1.
 Task 4: Verify that user state migration is successful

2. Verify that the Allies file.txt file has been migrated.
3. Verify that the Our pictures folder has not been migrated.
4. Verify that the C:\ResearchApp folder has been migrated.

7. Among the list of local users, verify that DBService is LocalAdmin is not listed.
8. If DBService is not listed, then open Computer Management. Locate Users under Local Users and
Groups. DBService should be listed here.
Results: After completing this exercise, you will have captured and restored user state by using USMT.

When you are finished with the lab, revert all virtual machines to their initial state:

4. Repeat the steps for 20695C-LON-CL1 and 20695C-LON-CL3.


Review Question
Question: You migrated a user account to a new computer by using the /lac option. However,
when attempting to sign in, the user receives an error message and cannot sign into the
computer. What is the most likely cause of the issue?
Tools
Tool Use for Where to find it
ScanState.Exe Collecting user state data for migration. Windows ADK
LoadState.Exe Restoring user state data to newly installed operating systems. Windows ADK
USMTUtils.Exe Extracting data from and verifying a migration store. Windows ADK
5-1
Module 5
Determining an image management strategy
Contents:
Module Overview 5-1
Lesson 1: Overview of the Windows image file format 5-2
Lesson 2: Overview of image management 5-7
Lab: Determining an image management strategy 5-14
Module Overview
Imaging is an important part of the desktop deployment process. Several Microsoft and non-Microsoft
tools are available for imaging Windows operating systems. One of the key differences between imaging
tools is the format in which they store the images. Microsoft imaging tools use a Windows image file format
to store the files that image deployment uses. Several tools are available for managing and maintaining the
.wim files (Windows image files) that you use to deploy systems in your environment.
This module provides the information that you need to manage images to support operating system and
application deployments. Specifically, the module describes the image formats and strategies for managing
images.
Objectives
 Describe the purpose and benefits of the Windows image file format.
 Describe image management.

5-2 Determining an image management strategy
Lesson 1
Overview of the Windows image file format
For many years, organizations have used various disk-imaging methods to deploy Windows operating
systems. These methods have evolved through the years from sector-based imaging products to the
current file-based imaging products. In this lesson, you will learn about the types of images that you can
create and the tools that you can use to manage them.
Lesson Objectives
 Describe the challenges of maintaining images in an organization.
 Describe the types of images that current Windows environments use.
 Describe the benefits of the Windows image file format.
 Describe the tools that you can use to manage the Windows image file format.
 Use image management tools to view the contents of a Windows image file.
Discussion: The challenges of maintaining images in your organization

Some early imaging technologies used sector-
based imaging, which copies each sector of a
target hard drive, regardless of the contents.
Although these products are useful, they are not
hardware-independent. Additionally, they require
multiple images to support various hardware
platforms. Updating and installing security patches
on these types of images usually requires
deploying, modifying, and then recapturing the
whole image. This is very time consuming.
Question: Have you used sector-based

imaging products in the past?
Question: How many different images did you have to maintain?
Question: How did you manage security patches and updates?
Question: How do you currently handle the deployment of software to new systems?
Types of images that current Windows environments use

The Windows image file format enabled
administrators to break away from using sector-
based imaging tools and methods. Newer file-
based formats also can assist in deployment of
Windows operating systems. The following file-
based imaging formats are available for
Windows 10:
 Windows image file (.wim). The Windows

image file is a file-based disk-image format
that has a .wim file extension and that contains
one or more individual volume images. The
Windows image file structure can contain six
types of resources, including:
o Header. Defines the content of the Windows image file, including .wim file attributes.
o File resources. A series of packages that contain captured data.
o Metadata resources. Information about the files that you capture. There is one metadata resource
for each image in a .wim file.
o Lookup table. Information about the location of file resources in the .wim file. There is one lookup
table for each image.
o XML data. Additional information about the image. There is one XML data field for each image.
o Integrity table. Security hash information that you can use for image verification during
operations. There is one integrity table for each image.
 Virtual hard disk (.vhd). Typically, you use .vhd files with virtual machines. Windows 7 and newer
operating systems provide the capability to start physical machines by using a .vhd file on the hard
disk, instead of installing the operating system files directly on the hard disk. This is the boot from VHD
process. There are multiple ways to create .vhd files, such as the Windows PowerShell New-VHD
cmdlet, the DiskPart command-line tool, the Disk Management console, or Microsoft Hyper-V
Manager. Once you create the .vhd file, you can apply a Windows image file that contains your
operating system to it, and boot from it as if it were a physical computer. Additionally, the Windows 8
Enterprise operating system introduced Windows To Go, which enables you to start a physical
computer from a removable storage device, such as a USB drive. Windows To Go uses a .vhd file to
store an operating system partition on a removable device.
Note: The DiskPart command-line tool is being deprecated, although it remains currently
available. The preferred tool is Windows PowerShell.
 .vhdx. Windows 8 and Windows Server 2012 introduced the .vhdx file format to overcome some of the
limitations of the .vhd file format. Some of the benefits of the .vhdx file format include:
o Maximum size of 64 terabytes (TB), whereas .vhd files are limited to a maximum size of 2 TB.
o Better protection against corruption due to power failures.
o Improved alignment of the virtual-disk structure for working with large sector disks.
o The availability of large block sizes for dynamic and differencing virtual hard disks.
o The ability to add custom metadata to the file.

WIMBoot files
WIMBoot files allow a computer that is running Windows 10 to boot and run directly from a compressed
.wim file by using a new partition layout. A normal Windows installation has two sets of operating system
files. One compressed version is for recovery, while the Windows partition uses an uncompressed set of files
as the running operating system. In a WIMBoot installation, the compressed .wim file writes to the disk, and
the Windows partition uses pointers. In this process, the Windows installation uses significantly less space
than a standard Windows installation.
Benefits of the .wim file format

The .wim file format has many advantages for
imaging computer systems, including:
 Hardware independence. You can deploy .wim

files, which are hardware-independent, to a
new system by using the same technology as
for a new deployment of a Windows operating
system. The .wim file format overcomes the
limitations of file systems, UEFI or BIOS boot,
and system architecture.
 Multiple images in a single file. You can have a

.wim file that contains multiple versions of an
operating system.
 Compression. The .wim file format supports different compression levels to help maintain smaller
image sizes.
 Single instancing. When a .wim file contains multiple images, such as multiple versions of an operating
system, and certain files exist in those multiple images, the .wim file stores only one copy of the
duplicated files. Other images store pointers to the location of the duplicated files. This enables
multiple images to exist without files growing too large.
 Offline servicing. You can open .wim files, and add or remove folders, files, drivers, and operating
system components without deploying the image to a computer.
 Installation on any hard disk. The .wim file format is file-based. Unlike sector-based images, .wim files
do not limit you to deploying the file to a disk that is the same size or larger than the imaged disk.
 Nondestructive deployment. You can deploy an image on a computer that has data on it, such as in a
refresh scenario, and the data will still be there when the deployment is complete. This is because the
disk is not erased by default, as it might be in other formats.
Tools that you can use to manage the .wim file format
You might want to modify an existing .wim file by
injecting drivers or adding Windows packages to
an image. You can use several tools to service .wim
files. You can deploy .wim files through the
Microsoft Deployment Toolkit (MDT), Windows
Deployment Services, and Microsoft System Center
2012 Configuration Manager. You also can use the
ImageX and Deployment Image Servicing and
Management (DISM) command-line tools or the
DISM PowerShell module cmdlets to service and
deploy .wim files manually.
ImageX
ImageX is a command-line tool that Microsoft introduced with the .wim file format to manage .wim files.
You can run ImageX from within the Windows operating system when servicing an image, or from the
Windows Preinstallation Environment (Windows PE) when deploying an image. ImageX is being
deprecated and replaced with DISM.
DISM
DISM.exe is a command-line tool that you can use to service and deploy .wim files. Microsoft developed
DISM to replace several image management tools, including ImageX. DISM includes the same functionality
that ImageX includes, such as the ability to mount, service, capture, and create .wim files. You also can use
DISM to prepare Windows PE images and to deploy .vhd and .vhdx files.
A DISM PowerShell module is available natively in Windows 8 and newer versions, and Windows Server
2012 and newer versions. The DISM PowerShell module also is available through Windows Assessment and
Deployment Kit (Windows ADK). This module has 22 cmdlets, and it provides the ability to service existing
images in .wim files. However, it does not have all the functionality of the command-line tool. For example,
there is no Windows PowerShell cmdlet to apply an image to a disk.
Using DISM command-line parameters or Windows PowerShell cmdlets

The command-line parameters and the Windows PowerShell cmdlets provide similar functionality. The
following table includes the basic commands for imaging.
DISM command-line
Task Windows PowerShell cmdlets
parameters
Mount a .wim file for servicing /mount-image Mount-WindowsImage
Commit changes made to a /commit-image Save-WindowsImage

mounted .wim file
Get information about a /get-imageinfo Get-WindowsImage

Windows image in a .wim file
Dismount a .wim file /unmounts-image Dismount-WindowsImage
Add a driver to a mounted /image:PathToImage /add- Add-WindowsDriver –Driver

image driver /driver:PathToDriver PathToDriverFile –Path
PathToRootDirectoryOfImage
DISM command-line
Task Windows PowerShell cmdlets
parameters
Apply an image to a specified /apply-image No Windows PowerShell cmdlets

drive for this task
Capture an image of a drive /capture-image New-WindowsImage

into a new .wim file
Additional Reading: To read the available options for DISM for Windows 10, see “DISM
Image Management Command-Line Options”: http://aka.ms/Ee69eb.
Additional Reading: To view the available Windows PowerShell cmdlets for DISM, see
“DISM Cmdlets”: http://aka.ms/Jjtaes.
Demonstration: Using image management tools to view the contents of a

.wim file
In this demonstration, you will see how to:
 Use the DISM PowerShell module to view the information about a .wim file.
 Use the DISM PowerShell module to mount an image to a directory for servicing.
 Use the DISM PowerShell module to unmount the image back to a .wim file.
 Use the DISM command-line tool to view the contents of a .wim file.
Demonstration Steps
Use the DISM PowerShell module to view the information about a .wim file
1. Open Windows PowerShell and run the following cmdlet:
Get-WindowsImage –ImagePath D:\sources\Boot.wim
2. Review the results of the command.
Use the DISM PowerShell module to mount an image to a directory for servicing
1. Create a directory on the C: drive named Service.
2. Run the following cmdlet:
Mount-WindowsImage –ImagePath D:\Sources\Boot.wim –Index 1 -Path c:\Service –ReadOnly
3. Open the C:\Service folder, and then discuss the files and folders.
Use the DISM PowerShell module to unmount the image back to a .wim file
 Run the following cmdlet:
Dismount-WindowsImage –Path C:\Service –Discard
Use the DISM command-line tool to view the contents of a .wim file
1. Open a command prompt and run the following command:
Dism /Get-ImageInfo /ImageFile:D:\Sources\Install.wim
2. Review the results of the command, and then close all open windows.
3. Revert the 20695C-LON-DC1 virtual machine.

Lesson 2
Overview of image management
An important part of the imaging process is determining the best way to store the images that you create.
Additionally, you will need to maintain and service images after building them. In this lesson, you will learn
how to plan for implementing and maintaining an imaging solution. You also will learn about the different
kinds of images that you might use in Windows deployments.
Lesson Objectives
 Discuss the considerations for managing operating system images.
 Describe boot images.
 Describe install images.
 Describe image management strategies.

 Describe how to maintain and service images.
 Describe how to manage device drivers for images.
Considerations for managing operating system images

Imaging has been in use for a long time, with early
imaging products primarily performing sector-
based imaging. Windows 7 and newer operating
systems use .wim files that contain file-based
images. When you are planning an image
management strategy, you must address many
considerations. Some of the primary
considerations include the type of image and
number of images, storage requirements, software
and device drivers, and update management.
Type of image
You can choose between sector-based and file-
based imaging. As discussed earlier, file-based imaging has many advantages over sector-based imaging.
These include hardware independence, storing multiple images in a single file, single instancing, offline
servicing, and nondestructive deployment. However, sector-based images have a few advantages,
including:
 They deploy faster than file-based images. File-based images copy files to the destination volume
whenever they are applied. File-based images then read answer files and apply configuration options.
Sector-based images just copy bits, regardless of what files or configurations you might need.
 They typically include all the necessary drivers, and they work well when all client systems are identical.
If your computer includes critical hardware that is not Plug and Play, using file-based imaging requires
extra work to ensure that the proper device drivers are available.
Storage requirements
Depending on what your image includes, the image can take up a large amount of storage space. Typically,
the images that sector-based imaging products create include the blank space on a hard drive, because it
simply copies everything on the hard drive. This can lead to larger images than a file-based imaging
solution creates, because the file-based image only contains the files installed on the computer.
Additionally, if you have many different hardware vendors, you might need to have sector-based images
for each different hardware abstraction layer (HAL). This can require substantial disk space for storage.
Number of images
When planning your image management strategy, you need to consider the number of images that you
have to create. Besides the space that you need to store the images, you will require an appreciable amount
of time to maintain them.
When you use sector-based imaging, you might need to create multiple images based on the hardware
that your environment is using. Typically, each different storage technology that you use requires an image.
Additionally, as you acquire new hardware, you might have to create, store, and maintain additional
images. When you use file-based imaging, you can use the same image for deployment to most systems.
Software
Operating system images do not have to include only the operating systems. You can install most software
on your reference computer before imaging it. However, the more software that images include, the larger
the images become, and the longer they take to deploy.
Deployment of device drivers

You can include device drivers in captured images, provide a custom driver store that supports Plug and
Play functionality for your hardware, or you can install them with post-image deployment. You might need
to include certain device drivers in the image or make them available during the imaging process when
they are critical to the installation. Critical drivers typically are storage and network drivers.
Image updates
When you create an image, you are taking a snapshot of what the computing environment looks like at
that time. However, outside of the image, your drivers, operating systems, and applications continue to
update. You need to plan for including these ongoing changes in your images. If you are using sector-
based images, this typically means deploying the image, making the necessary changes, and then
recapturing the image. File-based images that feature offline servicing greatly reduce the time necessary
for maintaining images.
What is a boot image?

You can build boot images from Windows PE for
Windows 10, which is a lightweight version of the
Windows operating system. You can use boot
images to start a computer in an environment
where you can capture or install an operating
system image. When you start a PC from a boot
image, you load the Windows PE image into
random access memory (RAM) and the system
creates a RAM disk to which it assigns the drive
letter X. The RAM disk provides a virtual file system
in memory, which allows you to remove the actual
boot media if required. For example, you could
remove the boot DVD to put in a DVD that has a .wim file that you want to apply to the hard disk.
The Windows installation media contains a default boot image named Boot.wim. In many cases, you can
use this boot image to start the imaging process, but you can modify the Boot.wim file to meet any special
requirements of your organization, such as injecting specific network drivers.
You can use boot images to start a system in two ways. You can use Windows Deployment Services to start
the system from the network via Pre-Boot EXecution Environment (PXE) boot, or you can use a CD, DVD, or
USB drive to start the system by using local media.
You can create two special types of boot images for the image deployment process: capture images and
discover images. These types of images are specific to Windows Deployment Services.
Capture images
You use capture images to start a reference computer so that you can create an image of it. Capture images
contain the files necessary to capture an image. You must first create the capture image by using the
Windows Deployment Services Image Capture Wizard. The wizard creates a capture image from an existing
boot image stored in the Boot Images folder of the Windows deployment server. After you prepare a
reference computer for imaging by using the Sysprep tool, you can then start it with a capture image. Then
you can capture the reference machine’s operating system volume to a .wim file.
Discover images
You use discover images to start computers that cannot perform a network start when deploying an image.
You can configure discover images to use:
 Static discovery. You configure the discovery image to connect to a specific deployment server.
 Dynamic discovery. The discovery image emulates the PXE boot process to find that deployment
server.
What is an install image?

The install image contains the operating systems
that you plan to deploy to client computers. The
default install image is Install.wim, and it is in the
sources folder in the Windows installation media.
Typically, you create your own installation images
by building a reference computer based on the
Windows installation media for the operating
system that you want to install. After the initial
installation, you modify it to meet your needs, such
as installing apps, and then capture and store it on
your deployment server.
Once you create a custom installation image, you

will need to perform regular maintenance on the image’s operating systems, including:
 Operating system updates. Microsoft publishes software and security updates on a monthly basis and
sometimes publishes other, critical updates that you should apply immediately. You need to apply
these updates to your running clients, and you need to update your images as Microsoft publishes
them.
 Application updates. End users often update or replace applications regularly. When they update
applications on their client systems, you need to update them in the images as well. You can do this
with online or offline servicing.
 Driver updates. Typically, drivers are stored not in a .wim file but on the deployment server.
Data images
A data image is a type of .wim file that enables you to add resources such as applications, files, or scripts
during the installation process. Data images can be useful if you have applications that require certain file
structures or data sets to exist in order to function. You can create data image files by using the DISM
/Capture-Image parameter. You can then use the Windows System Image Manager (Windows SIM) to
create an answer file that specifies the path to the data image. You can use data images instead of $OEM$
folders to transfer data to a Windows installation.
Overview of image management strategies

One of the first things that you need to do for your
image management strategy is to define how you
are going to build your images, including the
number of variations that you include in each .wim
file. For example, you might need to deploy 64-bit
and 32-bit architecture in your organization. Each
type of architecture requires a separate image. As
the previous lesson detailed, .wim files support
single instancing of files in an image file. As an
example, the volume license Windows 10 image
actually contains multiple versions of the operating
system. However, it takes up barely more space
than a single install image.
There are three primary strategies that you can use to create images for use in operating system
deployments, including:
 Thick image. The thick-image strategy involves installing, in every image, every application that your
organization uses. This image strategy requires that you perform significant work creating and testing
the image to ensure that the imaging process does not affect any of the applications. The result is a
very large image. However, after you deploy it, your client system is ready instantly. Because the image
contains all of your applications, it is unlikely that you would need to add multiple images into a single
.wim file.
 Thin image. The thin-image approach is the opposite of the thick-image strategy. When creating a thin
image, you do not capture any applications to the image. The image consists solely of the operating
system and software updates. This method requires that you install applications either as scripted,
silent installations post-deployment or through some other post-deployment method. Because the
image does not include installed applications, it is unlikely that you would need to create multiple
images in a single .wim file.
 Hybrid image. The hybrid image is a combination of both strategies, which can capitalize on the
Windows imaging technology. By using the hybrid strategy, you create one or more images with a
limited set of applications. You can create images that include the few applications and client software
that everybody uses, and you can create multiple images, each of which can include the applications
and clients that a specific group or department uses. This method allows you to take advantage of the
single instancing in a Windows image by combining multiple hybrid images into a single .wim file.
Maintaining and servicing an image

You need to maintain and update images to keep
them current. You can service .wim file images at
different stages of the deployment process. There
are three basic strategies for image maintenance,
including:
 Using Windows Setup. This strategy involves

using an answer file with Windows Setup when
deploying the image. You can create or
modify answer files by using the Windows SIM
tool.
 Online servicing. This strategy involves

deploying the image back to a reference
computer, making all of the necessary changes, and then reimaging the reference computer. You
might need to do this when installing new applications, Windows Installer–based software updates
(.msi files), or drivers with .exe installations, and when adding anything that depends on Windows–
installed services, such as the Microsoft .NET Framework.
 Offline servicing. This strategy involves using DISM to mount a .wim file and service the image. When
servicing images offline, you can add Microsoft Update–based Windows software updates, drivers, and
language packs, and add or remove folders, files, and Windows software components. Offline servicing
typically does not include installing applications.
Using Windows Setup to customize images

You can use Windows Setup to modify an image during different phases of the deployment process, such
as when deploying an image to a reference computer for online servicing or when deploying the image to
client machines. By using an unattended Windows Setup answer file, you can perform many different
customizations, including the following servicing operations:
 Add or remove a language pack.
 Configure international settings.

 Add and remove drivers.
 Add and remove packages.
 Enable and disable Windows operating system features.
Online servicing
You can perform online servicing with the DISM tool or through manual intervention. After deploying the
system to a reference computer, you can add Plug and Play device drivers to the driver store, install
applications and system components, install folders and files, and test the changes to the image. After you
complete and test the changes, you can recapture the reference system. You can use the following tools to
perform various online operations:
 DISM to enumerate drivers, international settings, packages, features, and to apply unattended answer
file settings.
 DPInst to add drivers for detected hardware.
 PnPUtil to add, remove, and enumerate drivers.
 Windows Update Standalone Installer to add service packs or other .msu files.
 LPKSetup to add or remove language packs.

Offline servicing
Offline servicing is available for images that are stored in the .wim file format and use the DISM tool for
servicing. The DISM tool can perform one or more of the following:
 Mount, remount, and unmount an image in a .wim file for servicing.
 Query information about a Windows image.
 Add, remove, and enumerate drivers provided as .inf files.
 Add, remove, and enumerate packages, including language packs, provided as .cab files.
 Add .msu files.
 Configure international settings.
 Enable, disable, and enumerate Windows operating system features.
 Upgrade to a newer edition of Windows.
 Check the applicability of a Windows Installer application update (.msp file).
 Enumerate applications and application updates installed in a Windows image.
 Apply the offline servicing section of an unattended answer file.
 Update a Windows PE image.
Managing device drivers for images

Managing device drivers presents a unique set of
challenges. Many device drivers already exist in the
Plug and Play driver store. The exact contents of
the driver store vary between different versions of
Windows. You can add additional drivers into the
Plug and Play store online or offline, or you might
have some drivers that you can install only when
the operating system is online. Additionally, you
need to account for drivers that are not Plug and
Play. You can service drivers at multiple points in
the deployment process, and you can install
certain drivers only in certain deployment phases.
Typically, Plug and Play drivers have an .inf file that describes the files and settings that the driver needs.
You can install these drivers in the following ways:
 Offline by using the DISM tool.
 Online when the image is first built or later, while performing online servicing.
 By using Windows Setup as part of an answer file.
 By using deployment tools that inject them from a custom driver store during the image deployment.
When you add device drivers to an offline image by using the DISM tool, the drivers can be:
 Not boot-critical. These drivers are staged in the Plug and Play driver store. They are available, but do
not install until you plug in the device.
 Boot-critical. You install boot-critical drivers in the operating system. The critical device database is
updated to reflect these drivers, and any necessary registry changes apply.
Deployment tools, such as Windows Deployment Services and Configuration Manager, can maintain a
database of drivers and inject them during the deployment of the images. You should be aware of the
following additional considerations when you manage device drivers:
 When adding multiple drivers to an image, you should store the files in separate folders under a
common parent folder. Using a common parent folder allows you to import the drivers in bulk by using
the /recurse option with DISM or the import functions of Windows Deployment Services, the MDT, or
 Some drivers have installation .exe files, which you can install only when the operating system is online.
 Some drivers are stored in compressed files, and you need to extract them before using offline
servicing to add them to an image.
 By default, 64-bit versions of the Windows operating system require that the drivers are signed
digitally.
Statement Answer
An image can contain both 32-bit and 64-bit images.
Statement Answer
You must name your image file Install.wim.

Lab: Determining an image management strategy

Scenario
To support your enterprise desktop-deployment strategy, you need to determine how you will manage the
images that your environment uses. You need to consider image requirements, including the types of
image, number of images, and how much information you will store within the images. This information will
become part of your organizational image management strategy.
Objectives
After completing this lab, you will be able to identify requirements, and then plan an image management
strategy.
Lab Setup
No virtual machines are required for this lab.
No setup is required for this lab. You need to read the scenario.
Exercise 1: Assessing business requirements to support an image

management strategy
Scenario
You are the Desktop Support Manager for A. Datum Corporation. A. Datum is an international corporation
with branches in London, Toronto, Sydney, and Perth. A. Datum utilizes different hardware, Windows
operating systems, and line-of-business applications in multiple languages. You must develop a new
image-management strategy to deploy standardized images to the entire enterprise. You have collected
the following information about the existing environment:
 London:
o About 40 percent of the systems in London are 64-bit versions of Windows 8.1. There is a mix of
laptops and desktops. A. Datum acquired all of these systems in the last few months, and we have
not created an image for them yet.
o The rest of the systems are a mix of Windows 7 32-bit and 64-bit systems.
o London currently maintains 20 different Windows 7 images. These include images for French,
Japanese, German, and Swedish.
o All users have Microsoft Office installed. Marketing has three different applications that they use,
while Human Resources has two different applications that are department-specific. Research is
currently using two different applications, but they report a high turnover in the applications that
they use. Sales uses a customer relationship management (CRM) application. Accounting has its
budgeting application, and the warehouse has a tracking application that integrates with
handheld scanners through a wireless connection.
 Toronto:
o About 20 percent of their systems are 64-bit versions of Windows 8.1. These are primarily laptops
that A. Datum purchased in the last few months, and they still have the OEM image on them.
o Approximately 70 percent of their systems are Windows 7, with a mix of 32-bit and 64-bit systems.
o They currently are maintaining 12 different Windows 7 images. They have image sets for English,
French, and Japanese, and for each of these languages, they have a 32-bit and 64-bit image.
Additionally, they have a few different application sets.
o There is budget approval to purchase new computers to replace the Windows 7 systems and to
install Windows 10.
o Everyone uses Microsoft Office in the appropriate language. Marketing has two apps that they use
exclusively, Sales has the CRM application, and the computers in the warehouse have the tracking
software installed.
 Sydney:
o About 10 percent of their systems are 64-bit versions of Windows 8.1. These are primarily laptops
that they purchased last year, which still have the OEM image on them.
o Approximately 60 percent of their systems are Windows 7.
o They currently are maintaining 12 different Windows 7 images. They have image sets for English,
Korean, and Japanese, and for each of these languages, they have a 32-bit and 64-bit image.
Additionally, they have a few different application sets.
o The rest of the systems are running 32-bit Windows Vista. They are planning to replace the systems
with new systems once they develop corporate Windows 10 images.
o Everyone uses Microsoft Office in the appropriate language. Marketing has two legacy apps that
they use exclusively, which currently have support only on Windows 7 32-bit systems. Sales has the
CRM application, and the computers in the warehouse have the tracking software installed.
Given the multisite infrastructure that comprises Adatum.com, you need to determine your image-
management strategy for each major location. Based on your initial hardware and software discovery, you
need to support the following platforms:
 London and Toronto: Windows 8.1 64-bit and Windows 10 64-bit.
 Sydney: Windows 7 32-bit, Windows 8.1 64-bit, and Windows 10 64-bit

1. Plan the image management strategy.
2. Discuss the suggested proposals.
 Task 1: Plan the image management strategy

Create an image management strategy that addresses the following questions:
 What types of images do you need: thick, thin, or hybrid?
 How will you address the applications that your users utilize within the company?
 How many images and .wim files will you require?
 How will you address multiple vendor models?
 What will go into the image?
 How will you address driver requirements?
 How will you address storage considerations for the image management strategy?
 How will you maintain changes within the images?

 Task 2: Discuss the suggested proposals

 Discuss the suggested proposals.
Results: After completing this exercise, you should have identified requirements and then planned an
image management strategy.
Question: How did you determine your current imaging strategy in your company?
Question: What additional factors might you include in your image strategy?

Best Practices
 Create your reference machine as a virtual machine, so that you can take snapshots of the reference
system at various stages of development. This is useful if you need to recover your reference system
quickly.
 If you are using a physical computer as your reference machine, wipe the disk, and then perform a
clean installation.
 Perform a clean installation on your reference image. Do not use a system that you have upgraded or
used in production as your reference image.

Some hardware devices are not functioning

properly after image deployment.
Application packages are not installing

correctly.

Some organizations might have invested a lot of time, money, and effort into sector-based imaging
products, and might be reluctant to move to image-based deployments. Although there will be an initial
investment into training and planning for new ways of deployment, the return on investment will pay off
over time. Most of the image-based deployment tools are free offerings from Microsoft, and require less
time and effort for the creation and maintenance of images.
Tools
This table shows tools that were mentioned in this module.
PnPUtil Add, remove, and enumerate Included with the Windows 10

drivers operating system in
%windir%\system32. Launch
from an elevated command
prompt.
Wusa.exe Add service packs or other Included with the Windows 10

.msu files operating system in
prompt.
LPKSetup Add or remove language packs Included with the Windows 10

operating system in
prompt.
Windows Driver Kit (WDK) 10 Develop drivers for Windows Download from
operating systems http://aka.ms/Drbal2.
6-1
Module 6
Preparing for deployments by using the Windows ADK
Contents:
Module Overview 6-1
Lesson 1: Overview of the Windows Setup and installation process 6-2
Lesson 2: Preparing boot images by using Windows PE 6-8
Lab A: Preparing the imaging and Windows PE environment 6-18
Lesson 3: Using Windows SIM and Sysprep to automate and prepare an image
installation 6-21
Lab B: Building a reference image by using Windows SIM and Sysprep 6-30
Lesson 4: Capturing and servicing a reference image by using DISM 6-36
Lab C: Capturing and servicing a reference image 6-45
Lesson 5: Using the Windows ICD 6-47

Lab D: Using the Windows ICD 6-59
Module Overview
To deploy and manage images successfully, you must understand how the deployment process works.
You also must understand how to build and capture images from a reference computer, and then update
and maintain those images. Microsoft provides a number of tools that you can use for these tasks. These
free tools are available as a bundle in the Windows Assessment and Deployment Kit (Windows ADK).
Windows ADK provides both a toolset and documentation to assist with the imaging tasks. Windows ADK
for Windows 10 is the latest version officially available, which you can find in the Microsoft Hardware Dev
Center. In this module, you will first learn how Windows Setup installs the Windows operating system, and
then you will learn how to use the tools that Windows ADK includes.
Objectives
• Describe the Windows installation process.

• Describe how to use and customize Windows Preinstallation Environment (PE).
• Use Windows System Image Manager (Windows SIM) and Sysprep to automate and prepare images.
• Capture and service a reference image.

6-2 Preparing for deployments by using the Windows ADK
Lesson 1
Overview of the Windows Setup and installation process
Windows Setup installs Windows operating systems by using image-based setup (IBS). By using IBS, you
can either perform a clean installation or upgrade an existing instance of an operating system, if it is
upgradeable. You can customize and automate Windows Setup by using answer files. In this lesson, you
will learn how Windows Setup works and how you can control it. You also will learn about the various
phases of configuration.
Lesson Objectives
• Describe how Windows Setup affects operating system installations.
• Describe how to control and automate the Windows Setup process.
• Describe the Windows Setup configuration passes.
How does Windows Setup affect operating system installations?

All Windows installations are image-based, which
you invoke by booting from Windows media. Any
boot-capable device, such as a USB flash drive or
a DVD, can contain this installation media. The
Windows installation media contains two
Windows image files: Boot.wim and Install.wim. An
installation starts by loading the Windows PE
image into memory from the Boot.wim file.
Windows PE then applies the Windows Setup
image from the Boot.wim file to facilitate the
application of the Windows operating system
from the Install.wim file. A Windows Setup dialog
box appears, prompting you to select your language and preferences. Windows Setup begins after you
click Next in this dialog box. Windows Setup displays a series of dialog boxes to collect the information
required to complete the installation, such as the computer name. It then copies and expands the
operating system image file from Install.wim and installs the Windows operating system by using the
information that you provide.
Installation types
Windows Setup can initiate two types of installations:
• Custom installations are clean installations that allow you to repartition the disk or save the previous
Windows directory, but never preserve applications or settings.
• Upgrade installations retain the settings, preferences, and applications while upgrading the operating
system.
Windows Setup performs all of the required tasks to install the operating system, and requires very little
user intervention. Windows Setup supports interactive setup and automated installations. Deployment
tools such as Windows Deployment Services and Microsoft Deployment Toolkit (MDT) no longer use
Windows Setup.exe. Microsoft deployment tools use the Deployment Image Servicing and Management
(DISM) command-line tool to apply the image and to process any answer files. While you can still use the
older ImageX command-line tool to capture and apply images, the current version of DISM has all the
features of ImageX and several additional features.
Whether you perform an upgrade, or perform a custom installation over an existing Windows installation,
Windows Setup moves directories and files from the previous Windows installation to a folder named
Windows.old. This includes the contents of the Users directory and Program Files.
During an interactive setup, Windows Setup presents the user with dialog boxes at certain stages of the
installation process. The user can select options such as language, time and currency format, and
keyboard layout in these dialog boxes.
Automated installations use answer files to supply some or all of the information that a successful
installation requires, such as computer name. Regardless of the type of setup that you perform, the setup
process goes through the same basic phases that the following table describes.
Windows Setup phase Setup actions
Down level for custom installations, or Windows 1. Complete Windows Setup through interactive
PE, started from DVD or custom Windows PE Windows Setup dialog boxes or an unattended
image
answer file. You can use a combination of the
two.
2. Apply the WindowsPE configuration pass

settings from the answer file.
3. Configure the disk.
4. Copy the Windows image to the disk.

5. Prepare the boot information.
6. Process the offlineServicing configuration pass.

Settings apply after restart.
Online configuration 1. Complete the offlineServicing process.

2. Perform basic hardware installations.
3. Apply the specialize configuration pass.
Windows Welcome 1. Apply the oobeSystem settings from the

answer file.
2. Apply settings from the Oobe.xml file.
3. Display the Windows Welcome screen.
Logging
The following directories log all of the setup actions and results.
Log-file location Description
$windows.~bt\sources\panther Log location before setup can access the drive.
$windows.~bt\sources\rollback Log location when setup rolls back after a fatal error
occurs.
%WINDIR%\panther Log location of setup actions after disk configuration.

Log-file location Description
%WINDIR%\inf\setupapi*.log Use to log Plug and Play device installations.
%WINDIR%\memory.dmp Location of memory dump from bug checks.
%WINDIR%\minidump\*.dmp Location of log minidumps from bug checks.
%WINDIR%\system32\sysprep\panther Location of Sysprep logs.
%WINDIR%\Debug\Netsetup.log Use to log events related to joining a domain.
Note: During the installation, you can press Shift+F10 to open a command-prompt
window. You then can use Notepad to view the setupact.log file, which provides ongoing
information about the setup in progress.
Windows 10 now includes a new upgrade process, the in-place upgrade. You can perform an in-place
upgrade when you want to replace an existing version of Windows 7 or Windows 8.1 with Windows 10,
and you wish to retain all user applications, files, and settings. For the home or small business user, you
can run Setup.exe from a product DVD or from a network share. During an in-place upgrade, the
Windows 10 installation program automatically retains all user settings, data, hardware device settings,
apps, and other configuration information. Microsoft recommends this method for existing Windows 7
and Windows 8.1 devices. An in-place upgrade has four phases:
• Checking the system
• Installing Windows 10 with the Windows PE
• The first startup
• Installing the Windows operating system and the second startup
You can stop and roll back an installation during any of these four phases. However, we recommend that
you always back up your important data, when performing an upgrade or as a periodic maintenance
function.
The “Determining Operating System Deployment Strategies” module of this course covers the in-place
upgrade in further detail.
Controlling and automating the Windows Setup process

You can customize Windows Setup by using
answer files. Answer files can provide all of the
basic information that an installation requires to
complete successfully. You also can use answer
files to configure Windows settings, and to
automate Windows Setup, so that users do not
have to interact with the setup process.
Windows Setup caches the answer file to the

%WINDIR%\Panther location and uses the answer
file throughout the various installation stages. You
can create answer files by using any text editor,
but because of their complexity, it is best to use a
tool such as the Windows System Image Manager (Windows SIM) to avoid syntax errors. You can use
Windows SIM to create and edit answer files that you use to automate Windows installations. It uses a
graphical interface to create an XML-based answer file. This module covers creating answer files with
Windows SIM in more depth in a later lesson.
The following table lists the common command-line options that Setup.exe supports.
Option Description
/installfrom:<path> Enables you to specify a custom .wim file to use for installation.
/M:<folder_name> Causes Windows Setup to copy files from an alternate location.

This option does not support a universal naming convention
(UNC) path. The folder has a prescribed structure that Windows
ADK describes.
/noreboot Instructs Windows Setup not to restart the computer after the
first phase of the setup process completes.
/tempdrive:<drive_letter> Instructs Windows Setup to create the temporary installation

files on the partition that you specify.
/unattend:<answer_file> Instructs Windows Setup to use the specified answer file to

complete the installation.
The Windows Setup configuration passes

A Windows installation has multiple stages called
configuration passes. There are seven
configuration passes, though you do not
necessarily run all passes during an installation.
For example, the auditSystem and auditUser
passes are optional, and you only use the
Generalize pass with the System Preparation Tool
(Sysprep). Each pass executes at a specific point in
the Windows installation, and each presents the
opportunity to configure multiple settings during
that phase. You can create answer files to apply
specific settings at the proper installation stage. If
the user performing the installation does not provide an answer file, the user will be required to enter the
appropriate setup information during the installation. The following table lists the configuration passes.
Configuration pass Description
WindowsPE This is the first pass in any installation. Low-level actions such as disk
partitioning and language selection occur during this pass. You can add
critical drivers to Windows PE at this time.
OfflineServicing This pass applies updates, packages, language packs, and security updates.
You also can add drivers to the image before you install the image.
Specialize This pass applies system-specific information, such as computer name and
domain information.
Configuration pass Description
Generalize This pass is associated with Sysprep and occurs in the image creation stage.
It removes system-specific information, such as computer name and
security identifier (SID), and hardware-specific information. This pass only
runs if you run the Sysprep /generalize command. The next time the
Windows image boots, the specialize pass will run.
AuditSystem This pass processes unattended Setup settings while the Windows
operating system is running in system context, before a user signs in to the
computer in Audit mode. The auditSystem pass runs only if you boot to
Audit mode. Original equipment manufacturers (OEMs) often use this pass
for testing configurations, and it is not required to run. You can only
configure AuditSystem and AuditUser mode to run on the next boot by
using the /audit parameter in Sysprep.
AuditUser This pass processes unattended Setup settings after a user signs in to the
computer in Audit mode. The auditUser pass runs only if you boot to Audit
mode. OEMs often use this pass for testing configurations, and it is not
required to run.
OobeSystem The out-of-box experience (OOBE) pass applies settings to the Windows
operating system before the Windows Welcome starts. You typically use
this pass to configure settings such as time zone, locale, and local user
accounts.
You use Windows Setup for manual installations, and often for creating the initial reference system that
will later become a corporate image for distribution. A typical installation involves the following steps:
1. Start the system by using the Windows product DVD and, optionally, an answer file on a USB flash
drive. If an answer file exists, its values provide the information that setup requires during the various
configuration passes.
2. Windows Setup starts, and the WindowsPE and offlineServicing passes run.
3. The Windows image copies to the hard disk, the system restarts, and Windows Setup runs the
specialize pass.
4. After Windows Setup completes, the oobeSystem configuration pass runs and Windows Welcome
starts.
If you create this system to be a reference system that a corporate image will be based on, then the
system will be sysprepped by using the generalize parameter. When you deploy a sysprepped image by
using the Microsoft deployment tools, Windows Setup runs the specialize and oobeSystem passes. You
can configure the values for these settings by using a combination of task sequence variables, custom.ini
files, or answer files.

Question
Deployment tools such as Windows Deployment Services and MDT no longer use
Windows Setup.exe. What tool do they use instead?
The ImageX.exe command-line tool
The Setup.cmd command-line program.
The DISM command-line tool.
The sysprep.exe command-line tool.
The Unattend.xml configuration file.

Lesson 2
Preparing boot images by using Windows PE
Windows PE provides a basic operating system for performing tasks such as operating system deployment
and troubleshooting of existing installations. Windows PE provides functionality as the initial operating
system during computer deployment, and it provides a wider range of functionality and tools to enhance
the deployment process.
Lesson Objectives
• Describe Windows PE.
• Describe Windows PE requirements.
• Describe the limitations of Windows PE.
• Describe common command-line tools for supporting Windows PE.

• Describe the optional components Windows PE supports.
• Customize a Windows PE image.
• Create Windows PE media.
What is Windows PE?

Windows PE is a lightweight version of the
Windows operating system. It is not a fully
functioning operating system, but rather is
available to facilitate maintenance of existing
operating systems and Windows image-based
deployments. You can use Windows PE to start
computers that have no operating system, and its
most common use is to initiate Windows Setup.
Typically, you will see the command prompt only.
However, you can run some tools that are based
on a graphical user interface (GUI) in Windows PE,
such as the Notepad text editor and the Windows
Setup wizards. You can customize Windows PE to meet your needs, such as injecting specific network
drivers or diagnostic packages to aid in Windows recovery.
Additional Reading: For more information, refer to What's New in Windows PE:
http://aka.ms/Jrbdg8.
You can use Windows PE to perform only the following tasks:
• Creating partitions and formatting drives.
• Installing the Windows operating system from local or network drives.
• Modifying the Windows operating system while it is offline.
• Setting up recovery tools.

• Recovering data from unbootable computers.
• Customizing by adding third-party tools.
Windows PE benefits
Windows PE supports 32-bit and 64-bit hardware, and the installation of 32-bit or 64-bit versions of the
Windows operating system. This eliminates the need to maintain multiple versions of boot media for
different hardware platforms. Additionally, because it is based on the Windows kernel, there are additional
benefits compared to MS-DOS–based boot disks, including:
• Native support for the NTFS file system.
• Native support for TCP/IP and connecting to network shares.
• Native support for Windows 32-bit and 64-bit drivers.
• Native support for some Windows-based applications through the Windows application
programming interface (API).
• Optional support through add-in modules for additional Windows-based components.
• The ability to start from multiple media types, including CD, DVD, USB, and the Pre-Boot EXecution
Environment (PXE).
• Support for offline sessions, including servicing of images.
• Inclusion of all Microsoft Hyper-V drivers, except display drivers. This allows Windows PE to run in a
hypervisor and take advantage of features such as mass storage, mouse integration, and networking.
Windows PE requirements
Windows PE is not a typical operating system, and
it does not have the requirements associated with
other operating systems. Although you can run a
few other applications in addition to Windows
Setup on Windows PE, there are not many
resources available to run these applications. The
primary reason for using Windows PE is that you
have to start a computer before you can install a
Windows operating system or troubleshoot the
computer. There are several different ways to start
a system by using Windows PE. You can install
Windows PE from:
• A CD or DVD
• A USB flash drive
• A hard drive
• A Windows Deployment Services server for PXE-boot support
• A supported third-party PXE server

Typically, when you start a system by using Windows PE media, Windows PE loads into a random access
memory (RAM) disk, and you start the computer from a removable device. This enables you to remove
the media once the system is running. You also can configure Windows PE to perform a flat boot. Flat
booting is the process of installing Windows PE on the computer’s hard drive, and then booting from the
hard drive. Flat boot–configured media must remain connected to the computer while you are using
Windows PE.
When booting Windows PE into a RAM disk, you must have:
• An x86-based or x64-based computer.

• A minimum of 512 megabytes (MB) of RAM, not including the RAM needed for optional modules.
When booted into a RAM disk, the Windows PE drive uses the letter X. Booting Windows PE into a RAM
disk provides several benefits, including the ability to:
• Swap the removable boot drive for other media.
• Start from a PXE server.
• Repartition a hard disk that was used to boot into Windows PE.
• Speed up startup time duration.
Flat booting Windows PE can allow you to start a system with less than 512 MB of RAM. However, we
recommend that you have at least 512 MB of RAM to start your system. When flat booting Windows PE,
you must consider the following points:
• You must install Windows PE on a FAT32 file system, and limit the FAT32 file system to a maximum of
32-gigabyte (GB) partition.
• Flat booting can enable faster performance during the initial startup process and can be very useful in
virtual environments with low available memory.
• Using flat-boot media can allow changes to persist across reboots.

Windows PE comes with the same set of built-in device drivers as the corresponding version of the
Windows operating system. When you are building a Windows PE image, you might need to inject
storage or network drivers to support your specific hardware. You use the DISM tool to configure
Windows PE. You can add drivers to a Windows PE image by using the DISM /Add-driver command or
the Drvload command.
Limitations of Windows PE
Because Windows PE is designed for you to use
during installations and troubleshooting scenarios
only, there are several built-in limitations,
including that:
• You cannot join Windows PE to a domain.
• Windows PE automatically stops running and

restarts after 72 hours of continuous use.
• You cannot configure Windows PE as a server.

It does not support share creation or terminal
services connections.
• Windows PE only supports stand-alone

Distributed File System (DFS) namespaces.
• Only TCP/IP and NetBIOS over TCP/IP connections can connect to file servers.
• The Windows PE registry is volatile and will not save changes made while an image is running. To
make permanent registry changes, you must edit the registry offline.
• When creating volumes in Windows PE, the drive letters are assigned in the order that you create
them. After restarting the computer, the volumes will be lettered in the default order.
• If you convert any disks to dynamic disks by using Diskpart in Windows PE prior to installing the
Windows operating system, the Windows setup process will not recognize any of the volumes on the
dynamic disk.
• You cannot install Windows Installer (.msi) file packages in Windows PE.
• You cannot start Windows PE from a path that contains non-English characters.
• 64-bit Windows PE does not include Windows 32-bit on Windows 64-bit (WOW64). Only native
programs can run on Windows PE. For example, only 32-bit Windows Setup can run on 32-bit
Windows PE.
Common command-line tools for supporting Windows PE

Windows ADK includes several command-line
tools that you can use with Windows PE to help
support deployment of Windows operating
systems. The following table lists both Windows
ADK commands and commands found in the
Windows operating system that you can use to
help with deployment.
Command Description
BCDboot Initializes the Boot Configuration Data (BCD) store and copies boot
environment files to the system partition during image deployment.
Bootsect Updates the master boot code for hard disk partitions to switch
between Windows Boot Manager (Bootmgr.exe) and Windows NT
Loader.
Copype Creates and populates a directory structure for a specified

architecture.
Drvload Adds third-party drivers to a booted Windows PE image.
Expand Expands one or more cabinet (.cab) files.
Lpksetup Installs language packs and configures international settings.

Command Description
Makewinpemedia Creates bootable Windows PE media for a USB drive or creates an

.iso file.
Oscdimg Creates an .iso image file of a customized 32-bit or 64-bit version of

Windows PE.
Powercfg Controls power settings and configures computers to use hibernate

or standby by default.
Tzutil Manages available time zones.
Winpeshl.ini Files Controls whether a customized shell is loaded in Windows PE instead

of the default command prompt window.
Wpeinit Initializes Windows PE every time that it boots. Specifically,

Wpeinit.exe installs Plug and Play devices, processes Unattend.xml
settings, and loads network resources.
Wpeutil Enables you to run commands during a Windows PE session.
Optional components that Windows PE supports

You can customize the Windows PE image with
Windows PE optional component modules or
executable files, such as log viewers, that can run
in Windows PE. To keep the Windows PE image
small, all of the possible functionality is not added
into the default Windows PE image. Windows PE
supports the following types of customizations:
• Modifying the base Windows PE image with
optional components and language packs.
• Setting the destination path of the

Windows PE image.
• Enabling or disabling file tracing.
• Adding third-party drivers and third-party components.
• Adding Windows PE updates.
• Customizing temporary storage.
Note: You typically use optional components in special case scenarios. Typically, the most
that you will need to customize Windows PE will be to inject network or storage drivers that the
native driver store might not include. The Windows PE driver store is equivalent to its Windows
counterpart.
The Windows SIM tool does not add components automatically to the default Windows PE image if you
select to use them in an answer file. Whenever you want to customize the Windows PE image, you can use
the DISM /Add-package or /Remove-package options. Windows Recovery Environment (Windows RE) is
an example of a customized Windows PE environment.
Optional components are in Windows ADK. It contains more than 30 optional components and
languages. The following table lists a few of the more common optional components and languages.
Optional component
Description
name
WinPE-FMAPI Provides access to the File Management API for finding and restoring
deleted files on an unencrypted volume. Additionally, you can use a
password or recovery key to recover files from a volume that is protected
by BitLocker drive encryption.
WinPE-HTA Provides HTML Application (HTA) support.
WinPE-WDS-Tools Includes APIs to enable the Image Capture tool.
WinPE-NetFX4 Contains the Microsoft .NET Framework 4 Client Profile, a subset of the
.NET Framework.
WinPE-Scripting Contains a multiple-language scripting environment, including Windows

Script Host (WSH) and Active Directory Service Interfaces (ADSI).
WinPE-DismCmdlets Contains the DISM Windows PowerShell module, which includes cmdlets
used for managing and servicing Windows images.
WinPE-WMI Contains a subset of the Windows Management Instrumentation (WMI)

providers for use with system diagnostics.
WinPE-Rejuv Used by Windows RE. Rejuv package included in the base winre.wim file.
WinPE-PowerShell Contains Windows PowerShell command-line interface-based diagnostics

that work with WMI to query hardware. You must install WinPE-NetFX4,
WinPE-Scripting, and WinPE-WMI before you can use WinPE-
PowerShell4. Note that this package does not support the Windows
PowerShell Integrated Scripting Environment (ISE) or Windows
PowerShell remoting.
WinPE-Setup Parent of WinPE-Setup-Client and WinPE-Setup-Server. This component

contains the setup files that are common to the client and server. You
must install the WinPE-Setup before the WinPE-Setup-Client and WinPE-
Setup-Server components.
WinPE-SecureStartup Enables provisioning and management of BitLocker and the Trusted

Platform Module (TPM). You must install WinPE-WMI before you can use
WinPE-SecureStartup.
WinPE-EnhancedStorage Enables Windows to discover additional functionality for storage devices

such as encrypted drives. This component enables management of
BitLocker-protected volumes.
Demonstration: Customizing a Windows PE image

• Create the directory structure to support building a Windows PE image.
• Mount the default Windows PE image from the Boot.wim file.

• Add drivers and packages to the Windows PE image.
• Dismount and save the Windows PE image.
Demonstration Steps
Create the directory structure to support building a Windows PE image
1. Open the Deployment and Imaging Tools Environment as Administrator.
2. Run the following command:
Copype amd64 E:\Winpe64
3. Use File Explorer to view the contents of the E:\Winpe64 folder. Note the size of the
media\Sources\Boot.wim file.
Mount the default Windows PE image from the Boot.wim file
Note: The version of DISM installed with Windows ADK for Windows 10 is not the same as
the version in the default Windows PowerShell console (version: 6.3.9600.16384). You must add
the correct DISM module for the current version of Windows ADK. The reason this is so is the
version that is in Windows PowerShell is for Windows Server 2012 R2, while the version in the
latest Windows ADK is for Windows 10.
1. In the Administrator: Windows PowerShell window, type the following cmdlet, and then press Enter:
Import-Module "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment

Kit\Deployment Tools\amd64\DISM"
2. To mount the Boot.wim, open Windows PowerShell, and then run the following command:
Mount-WindowsImage –ImagePath E:\Winpe64\Media\Sources\Boot.wim –Index 1 –Path

E:\Winpe64\Mount
Add drivers and packages to the Windows PE image

1. To add the Hyper-V drivers to the Windows PE image, run the following command:
Add-WindowsDriver –Path E:\winpe64\mount –Driver E:\Software\Drivers\HyperVx64

-Recurse –ForceUnsigned
2. To add support for the Windows PowerShell command-line interface to the Windows PE image, run
the following commands:
CD “C:\Program Files (x86)\Windows Kits\10\Assessment and deployment kit\Windows

preInstallation Environment\amd64\WinPE_OCs”
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-Scripting.cab
Dismount and save the Windows PE image
1. To commit the changes to the Windows PE image, run the following command:
Dismount-WindowsImage –Path E:\winpe64\mount –Save
Note: To avoid syntax errors, copy and paste the commands into the Windows PowerShell
command prompt from the E:\Labfiles\Mod06\Mod06_DISM_Powershell.txt file.
2. Use File Explorer to view the contents of the E:\Winpe64 folder. Note the size of the
media\Sources\Boot.wim file. It should be larger than when first checked.
3. Close all open windows.
Creating Windows PE media

Windows ADK contains a command-line tool
named Makewinpemedia.cmd that you can use
to create both .iso files and bootable USB flash
drives from the Boot.wim file. You can use this
tool on the basic Windows PE image or one that
you customize by injecting your own drivers, files,
or packages.
Prerequisites for using

Makewinpemedia
You must first use the Copype command to
create the correct directory structure. The
Copype.cmd tool creates the Media\Sources
folders for the designated architecture in the root folder that is created when you run the command
initially. For example, the command Copype.cmd x86 C:\Winpe will create a root folder named Winpe
and a directory structure within it that includes all the files and folders necessary for a 32-bit architecture.
The Media\Sources directory contains the Boot.wim file, which, in turn, contains the Windows PE image.
Using Makewinpemedia
The following table describes the Makewinpemedia command-line tool parameters that are available.
Parameter Description
/ufd Specifies a USB flash drive as the type of media to create.
/iso Specifies an .iso file as the type of media to create.
/f Suppresses the confirmation message that appears before you format

the USB flash drive or overwrite an existing .iso file.
WorkingDirectory Specifies the name of the root directory that is created to hold the
directory structure. This parameter is required.
DestinationLocation Specifies the drive letter of the USB flash drive if you are using the
/ufd option, or the name of the .iso file if you are using the /iso
option. This parameter is required.
MakeWinPEMedia examples
Use the following command to create a bootable USB flash drive that has been assigned the drive letter F:
from the working directory C:\Winpe:
Makewinpemedia /ufd C:\winpe F:
Use the following command to create a .iso file named Winpe64.iso from the working directory C:\Winpe
and save it to a folder named C:\BootImages:
Makewinpemedia /iso C:\winpe C:\BootImages\Winpe64.iso
Note: The folder in which you create the .iso file must exist before you run the
Makewinpemedia command. If it does not, the command will fail to create the .iso file.
Note: The architecture of the created boot image is dependent on the architecture that
you specify with the copype.cmd tool. For example, if the copype command specified the x86
architecture, the boot image that is created will be 32-bit.
Using Makewinpemedia to install Windows PE to a USB hard disk

If you want to have a bootable USB hard disk that also includes your deployment images, you will have to
create two partitions on your USB hard disk. This is because Windows PE requires a boot partition
formatted in FAT32, which only supports file sizes up to 4 GB. A typical Windows operating system image
is larger than 4 GB, and therefore must reside on a NTFS partition that can accommodate the large file
size.
There are a number of ways in which you can create and format multiple partitions and assign drive
letters to them on your USB hard disk. For example, you can use the Diskpart command-line tool or the
Disk Management console.
Note: Although you can configure multiple partitions on USB thumb drives, the
manufacturer classes these devices as removable drives. Windows operating systems will
recognize only the first partition on the drive. Therefore, you cannot use USB thumb drives to
support multiple partitions on Windows operating systems, unless the USB thumb drive supports
Windows 8 standards.
Once you partition your USB hard disk with a boot partition that you format in FAT32 and a data partition
that you format in NTFS, you can use Makewinpemedia with the /UFD parameter to apply the Windows
PE image from the Boot.wim file to the USB boot partition. You then can copy your deployment image to
the NTFS partition.
Additional Reading: For information on downloading Windows PE and installing it to an

internal or external hard drive, refer to WinPE: Install on a Hard Drive (Flat Boot or Non-RAM):
http://aka.ms/D8l76e.
Categorize Activity
Items
1 Installation DVD
2 Copype
3 WinPE-DismCmdlets
4 USB flash drive
5 BCDBoot
6 WinPE-Scripting
7 Network share
8 Lpksetup
9 WinPE-SecureStartup
Windows PE media types Windows PE tools Windows PE optional

components
Lab A: Preparing the imaging and Windows PE

environment
Scenario
As part of the Windows 10 deployment initiative, you need to configure an approved, business-accepted,
and well-tested image that you can deploy to enterprise desktops throughout A. Datum Corporation. You
have decided to use the tools provided by Windows ADK to create and manage the image. You need to
create a custom Windows PE boot image that you will use to provide the startup environment for the
capture and deployment processes.
Objectives
• Configure a custom Windows PE environment.
Lab Setup
Virtual Machines: 20695C-LON-DC1 and 20695C-LON-CFG
User Name: Adatum\Administrator
Password: Pa$$w0rd
Before you begin you must complete the following steps:
o Domain: Adatum
Note: Ensure that 20695C-LON-DC1 starts fully before starting any other virtual machines.
5. Repeat steps 2 through 4 for 20695C-LON-CFG.
Exercise 1: Configuring a custom Windows PE environment

Scenario
To support your Windows imaging process, you need to create a custom Windows PE boot image. This
boot image must contain the drivers and components that are necessary to support both media-based
and network-based image deployments. This requires the creation of a .wim file and an International
Organization for Standardization (ISO) image that contains the custom Windows PE.
1. Set up the Windows PE build environment.
2. Mount the base Windows PE image.

3. Add drivers and optional components to the Windows PE image.
4. Save changes and dismount the image.
5. Create Windows PE media.
 Task 1: Set up the Windows PE build environment

1. On LON-CFG, open the Deployment and Imaging Tools Environment as Administrator.
3. Use File Explorer to view the contents of the E:\Winpe64\Media\Sources folder. Note the size of the
Boot.wim file.
 Task 2: Mount the base Windows PE image
Note: The version of DISM installed with Windows ADK for Windows 10 is not the same as
the version in the default Windows PowerShell console (version: 6.3.9600.16384). You must add
the correct DISM module for the current version of Windows ADK. The reason this is so is the
version that is in Windows PowerShell is for Windows Server 2012 R2, while the version in the
latest Windows ADK is for Windows 10.

2. To mount the Boot.wim, open Windows PowerShell, and then run the following command:

E:\Winpe64\Mount
 Task 3: Add drivers and optional components to the Windows PE image

1. To add the Hyper-V drivers to the Windows PE image, run the following command:

-Recurse -ForceUnsigned
2. To add support for the Windows PowerShell command-line interface to the Windows PE image, run
the following commands:
CD “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows

Preinstallation Environment\amd64\WinPE_OCs”
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-NetFX.cab
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-WMI.cab
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-PowerShell.cab
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-DismCmdlets.cab
Note: Each Add-WindowsPackage cmdlet might take several minutes.

Note: To avoid syntax errors, copy and paste the commands from the
E:\Labfiles\Mod06\Mod06_DISM_Powershell.txt file into the Windows PowerShell command
prompt.
Note: After each Windows PowerShell cmdlet, ensure that the operation completes
successfully.
 Task 4: Save changes and dismount the image

1. To commit the changes to the Windows PE image, run the following command:
2. Use File Explorer to view the Boot.wim file located at E:\Winpe64\Media\Sources. Note the new
size of the file.
3. Close Windows PowerShell and File Explorer.
 Task 5: Create Windows PE media

1. To create an ISO image of the Boot.wim, restore the Deployment and Imaging Tools Environment
window and run the following commands:
MD E:\BootISO
MakeWinpeMedia /iso E:\Winpe64 E:\BootISO\WinPEx64.iso
2. Use File Explorer to ensure that the WinPEx64.iso file was created.
Results: After completing this exercise, you should have customized the Windows Preinstallation
Environment (Windows PE) image and created an .iso file of the image.
 To prepare for the next lab

• Leave the virtual machines running for the next lab. Do not revert.
Lesson 3
Using Windows SIM and Sysprep to automate and prepare
an image installation
Building a reference computer to capture a Windows operating system installation image can be a simple
or complex process. A reference computer can be as simple as a base operating system, or as complex as
an operating system with installed applications and specialized hardware. You can use answer files to
automate and customize your installation. An important part of the imaging process is ensuring that the
image does not contain any information specific to the computer or installation. You can accomplish this
with the Sysprep tool.
Lesson Objectives
• Explain how to modify setup processes by using answer files.
• Create answer files by using Windows SIM.
• Explain how to prepare installations by using Sysprep.

• Describe the Sysprep process.
• Explain how to use answer files with Sysprep.
• Use Sysprep to prepare a reference computer.
Modifying setup processes by using answer files

You can use answer files to automate a Windows
installation partially or completely. A Windows
Setup answer file is an XML-based file that can
contain a variety of settings and their values for
use during Windows Setup. These options can
include computer name, disk partitioning, IP
addressing, and many other options. You also can
specify user settings, such as favorites in Internet
Explorer and your desktop wallpaper. If you do
not include all required information in the answer
file, the Windows Setup process will stop and
display the appropriate Windows Setup dialog
box so that you can enter the information at run time. You can implement answer files in different ways,
including by:
• Using a USB flash drive. Create an answer file named Autounattend.xml, and save it to the root of
the USB drive. Windows Setup will detect if there is a file with that name. If it finds the file, Windows
Setup will load it into memory and use the values that it contains.
• Specifying the answer file as a command-line parameter of Setup.exe, such as Setup.exe

/unattend:custom.xml.
• Replacing the answer file in an offline image. Mount the image by using DISM and replacing the
Windows\Panther\unattend.xml file with your customized version of unattend.xml.
• Specifying and caching answer files when Sysprep is running. You can use the Sysprep /unattend
parameter to specify the answer file.
Windows SIM creates answer files that relate to a specific Windows image. This allows you to validate the
settings in the answer file against the settings in the Windows image. Answer files have two main sections:
components and packages.
Components
This section contains all of the settings that Windows Setup applies during the configuration phases. The
organization of the components matches the configuration passes: auditUser, auditSystem, windowsPE,
generalize, specialize, offlineServicing, and oobeSystem. You can apply settings during one or more
passes. If a setting can apply to more than one configuration pass, you must select the pass in which to
apply the setting.
Packages
Microsoft uses packages to distribute service packs, software updates, and language packs. Additionally, it
stores Windows-based features in packages. During the offlineServicing configuration pass, you can add,
remove, or configure packages in an image.
Features
You can use answer files to enable or disable Windows features, such as Telnet Client or the XPS Viewer in
Windows operating systems. All of the resources for a Windows feature are available to users, if you
enable that feature. Users cannot use disabled Windows features. However, an administrator can enable
disabled features when necessary.
Some Windows-based features have dependencies that require the installation of other features before
they will install. When you are enabling features in an answer file, you must validate your answer file
against the installation media, and add any necessary packages.
Demonstration: Creating answer files by using Windows SIM

• Create an answer file by using Windows SIM.
• Add and configure components and packages.
• Validate and save the answer file.
Demonstration Steps
Create an answer file by using Windows SIM
1. Open the Start screen, and then start Windows System Image Manager.
2. Open the E:\Labfiles\sources\install.wim Windows image.
3. Open the Autounattend_x64_BIOS_sample.xml sample answer file at E:\Labfiles\Mod06, and then

associate it with the image.
4. Save the answer file as Autounattend.xml on your desktop.
Add and configure components and packages
1. In the Answer File pane, under the Components node, explain the settings imported with the
sample file.
2. Under the 1 WindowsPE, amd64_Microsoft-Windows-Setup_neutral component, review the

UserData settings.
3. Type your name in the FullName field and your company name in the Organization field.
4. Note the UserData, ProductKey field, and then review how to use the help file to see the format
required for the Key field.
5. In the Windows Image pane, locate the amd64_Microsoft-Windows-Shell-

Setup_10.0.10586.0_neutral component.
6. Add the OEMInformation to Pass 7 oobesystem.
7. In the answer file, add the following OEMInformation:
o Manufacturer: your company name
o Support Hours: 6 AM to 8 PM
o Support URL: your company URL
8. In the Windows Image pane, under Packages, add amd64_Microsoft-Windows-Foundation-

Package_10.0.10586.0_ to the answer file.
9. In the Answer File pane, set Hyper-V-All to Enabled.
Validate and save the answer file
1. From the Tools menu, validate the answer file.

2. Save the answer file.
3. Open the answer file with Notepad, and then review the entries in the file.
Preparing installations by using Sysprep

Using Sysprep is the only way to prepare an
existing Windows installation for imaging by
removing information that makes the installation
unique. This process is known as generalizing. An
image in a generalized state does not contain any
unique computer information. If you are going to
deploy an image to multiple computers, you must
generalize it first. A specialized image includes
information unique to a specific computer. After
you install a generalized image on a computer,
the next time that the computer restarts in OOBE
mode, the user can enter computer-specific and
user-specific information, and then accept the Microsoft Software License Terms. You can run Sysprep as
either a command-line tool or a GUI tool. The basic command to prepare a computer for imaging is:
Sysprep /generalize /oobe /shutdown
The following table lists the options that Sysprep supports.
Option Description
/generalize Instructs Sysprep to remove system-specific data, such as event logs

and unique SIDs, from the Windows operating system installation.
When Setup starts at the next reboot, the specialize pass will occur,
unless you configure it to boot to audit mode.
/oobe Instructs the Windows operating system installation to run OOBE the
next time that the computer starts.
Option Description
/shutdown Instructs the computer to shut down and not to restart.
/audit Instructs the Windows operating system installation to run in audit

mode the next time that the computer starts. Audit mode is
sometimes referred to as Reseal mode.
/reboot Instructs the computer to restart. You can use this option to audit the
computer and to verify that the first-run experience operates
correctly.
/quiet Runs Sysprep without displaying onscreen confirmation messages. If

you automate Sysprep, use this option in conjunction with an answer
file.
/unattend:answerfile Applies settings in the specified answer file to Sysprep.
/mode:vm Generalizes a virtual hard disk, so that you can deploy it as a virtual
hard disk on the same virtual machine or hypervisor. After the virtual
machine restarts, it can boot to OOBE. You can only run the vm mode
from inside a virtual machine, and you must deploy the virtual hard
disk to a virtual machine with a matching hardware profile.
You can use the Sysprep tool in two scenarios: creating a new reference image or creating a model-
specific reference image.
Create a new reference image

This is the basic Sysprep scenario. In this scenario, you create an image to deploy to multiple computers.
The basic process consists of building a single Windows reference image by installing the Windows
operating system and customizing the image, including adding any desired applications. You then can
capture the reference image and deploy it to other computers. Sysprep makes no additional modifications
to this image.
Create a model-specific reference image

In this scenario, you start with a single reference image, and then customize it with drivers and
applications that require a specific computer model. To accomplish this, you can start in the audit mode.
This allows you to install additional devices and applications that are specific to that computer model
without completing the OOBE phase. You can use this scenario when users are required to complete the
OOBE phase themselves and agree to the license agreement. Typically, OEMs use this scenario to prepare
computers for delivery to customers.
Benefits of Sysprep
Sysprep provides the following benefits:
• Removes system-specific data from Windows operating systems. You then can capture the Windows
operating system installation and deploy the image throughout an organization.
• Configures Windows operating systems to start in the audit mode. Audit mode uses a built-in
administrator account that enables you to customize and test the integrity of the Windows image.
• Resets the Plug and Play database so that device detection runs the next time that the system starts.
• Configures Windows operating systems to start to the OOBE mode. This allows the user to accept the
license agreement and complete the installation.
Sysprep dependencies
Sysprep has the following dependencies:
• Windows Setup must be complete before you use Sysprep.
• You need an imaging tool to capture an image of the installation.
Overview of the Sysprep process

When you run Sysprep, the process consists of the
following phases:
1. Sysprep verification. Verifies that Sysprep can

run. Only an administrator can run Sysprep.
Sysprep must run on the same version of the
Windows operating system that you are
sysprepping. For example, you could not run
the Sysprep.exe from a Windows Vista
installation on a Windows 8.1 system.
2. Logging initialization. Sysprep logs actions in

different directories depending on the
configuration pass:
o Generalize: %Windir%|System32\Sysprep\Panther
o Specialize: %Windir%\Panther\
o Unattended Windows Setup actions: %Windir\Panther\Unattendgc
3. Parsing command-line arguments. If a user does not provide command-line arguments, a System
Preparation Tool GUI window appears.
4. Processing Sysprep actions. Calls appropriate .dll and executable files, and adds actions to the log file.
5. Verifying Sysprep processing actions. Verifies that all .dll files have processed all of their tasks, and
then shuts down or restarts the system.
On the next startup, Windows starts into either OOBE mode or audit mode. OOBE mode is the default
mode that allows the user to customize the Windows operating system by entering personal information
and language settings, setting up networking, and accepting the Microsoft terms of service.
You can configure a Windows-based computer to start in the audit mode by using Sysprep. In audit
mode, you can make additional changes to a Windows operating system installation without interrupting
the OOBE process. You can add drivers or applications that you cannot install unless the Windows
operating system is running. For example, all computers might require a driver for a special hardware
device that is not Plug and Play, such as a barcode reader.
Starting up into audit mode signs you in as the built-in administrator account. Immediately after signing
in, the built-in administrator account is disabled and remains disabled once the computer reboots into
OOBE mode.
Benefits of the audit mode

In the audit mode, you can do the following:
• Bypass the OOBE process. You can access the desktop without configuring the default settings, such
as user account, location, and time zone.
• Install applications, add device drivers, and run scripts. You can connect to a network and access
additional device drivers, language packs, installation files, and scripts.
• Test the validity of a Windows operating system installation. You can perform tests on the system
without creating a user account. After testing is complete, you can prepare the system to start in the
OOBE mode on the next startup.
• Add more customizations to a reference image. You can maintain one base image, and then add
customizations to specific computers as you deploy them.
Create a reference image process (OOBE mode)

This is the most common scenario, and you can use it to prepare an image for capture and deployment to
a wide variety of client systems. This scenario includes the following steps:
1. Install the Windows operating system on a reference computer.
2. After the installation is complete, boot the computer into the Windows operating system.
3. Customize the image by installing optional components and language packs.
4. Install any additional applications.
5. Install Windows Updates.
6. Run the Sysprep /oobe /generalize /shutdown command.
7. Reboot the computer into Windows PE that has Windows PowerShell and DISM support added.
8. Capture the image by using the New-WindowsImage cmdlet.
You can now use this reference image to install the Windows operating system on computers that support
the same architecture.
Create a model-specific reference image process (audit mode)

You can use this scenario when you need to deploy to a system with hardware-specific requirements, and
you want the final user to complete the OOBE process after making the model-specific changes. This
scenario includes the following steps:
1. Build a reference image on a computer that is representative of the specific model that you are using.
This is similar to the first scenario.
2. After you complete the installation, run the Sysprep /audit /generalize /shutdown command to
configure the Windows operating system to start the computer in audit mode.
3. Image the computer and install the image on the model-specific target computer. On startup, the
computer will be in audit mode.
4. Install applications and other model-specific updates. Verify that all components are working
correctly.
5. After all updates are complete, run the Sysprep /oobe /shutdown command. The computer now is
ready for deployment.
Provisioned apps and Sysprep

Certain Windows Store apps are referred to as provisioned apps. These apps include Mail, Maps,
Messaging, Bing, Travel, and News apps, among others. The Windows 10 and Windows 8 Sysprep has an
additional provider that cleans AppX packages and generalizes images. If you remove any provisioned
app on an image, or manually deprovision an app from the image but do not remove it for a particular
user, the provider will stop Sysprep and log an error. Additionally, if one of the users on the reference
computer updated a provisioned app on the image, the provider will also fail Sysprep.
The best way to avoid these issues is to only Sysprep reference computers that have not had any users on
them except a local administrator. Beyond this, to resolve this issue, you must remove any altered app
package for the user who is running Sysprep, and also remove the provisioning. Use the following these
steps to fix the issue:
Note: To prevent Windows Store from updating apps, unplug the Internet connection or
disable Automatic Updates in audit mode before you create the image.
1. Run the following cmdlets in Windows PowerShell:
Import-Module Dism.
Get-AppxPackage -AllUser | Where PublisherId -eq 8wekyb3d8bbwe | Format-List
-Property PackageFullName,PackageUserInformation.
o In the output of this last cmdlet, check the users for whom the package is appearing as Installed.
Delete these user accounts from the reference computer. As an alternative, you can sign in to the
computer by using these user accounts. Then run the cmdlet in step 2 below to remove the AppX
package.
o This cmdlet lists all packages published by Microsoft and installed by any user on that reference
computer. Because the computer is to be Sysprepped, these user profiles no longer require the
package, so deleting the user accounts is your best option.
2. If you have manually provisioned apps that belong to other publishers, run the following cmdlets:
Get-AppxPackage -AllUser | Format-List -Property

PackageFullName,PackageUserInformation
Remove-AppxPackage -Package <packagefullname>.
3. Substitute the PackageFullName derived from step 1.
4. Remove the provisioning by running the following cmdlet:
Remove-AppxProvisionedPackage -Online -PackageName <packagefullname>
If you try to recover from an update issue, you can reprovision the app after you follow these steps.
Note: The issue does not occur if you are servicing an offline image. When offline servicing,
the provisioning is automatically cleared for all users, including the user who runs the command.
Using answer files with Sysprep

To have greater control over Sysprep actions, you
can create answer files to use with Sysprep. If you
deploy a Windows operating system installation
by using an answer file, the file is cached. If you
then run Sysprep on that system, it will read the
cached file for settings, which might not be
desirable. Additionally, by running Sysprep with
an answer file, you can choose options that are
not available when running Sysprep manually.
Running Sysprep multiple times

If you specify a Windows 10 product key during
deployment and have a network connection so
that Windows 10 is activated, you can run Sysprep an unlimited number of times. You can do this by
adding a valid key in the answer file for Windows Setup in the Microsoft-Windows-Shell-Setup
\ProductKey unattended section of the specialize configuration pass.
If you do not wish to add the product key, you can run Sysprep on a system multiple times by including
the parameter SkipRearm=1 in an answer file that Sysprep uses. For example, by using the following
command, you can run Sysprep on the system with the generalize and the oobe parameters and point to
a unattended file named unattend.xml:
Sysprep /generalize /oobe /unattend:C:\unattend.xml /shutdown
Additional Reading: For more information, refer to Sysprep, SkipRearm, and Image Build
Best Practices: http://aka.ms/Txojm2.
Persisting Plug and Play device drivers through the generalize configuration pass
By default, the generalize configuration pass removes all unique settings, including Plug and Play drivers.
If you want to save the Plug and Play drivers when generalizing a system, you must use an answer file and
configure the PersistAllDeviceInstalls setting in the Microsoft-Windows-PnPSysprep section of the
answer file as True.
Customizing the default user profile by using CopyProfile

When the CopyProfile setting, located in the Components\4_specialize\amd64-Microsoft-Windows-Shell-
Setup_neutral folder of a Sysprep answer file, is set to True, you can save the custom profile settings
configured on an image. To use the CopyProfile setting, you first need to start the computer in audit
mode by using Sysprep. Audit mode automatically signs in to the computer as the built-in administrator
account. You then can customize the user profile, install applications, create shortcuts, or make any other
profile changes. After your changes are complete, you need to generalize the computer with an answer
file, which is stored on removable media and which has the CopyProfile value set to True. For example, if
the answer file that has the CopyProfile setting is on a USB drive labeled F:, and the answer file you
created is named CopyProfile.xml, then you would use the following command syntax:
C:\Windows\System32\Sysprep\Sysprep /generalize /oobe /shutdown /unattend:

F:\CopyProfile.xml
After shutting down the computer, capture the image.

Cached answer files

Windows Setup does not process all configuration passes. The generalize, auditSystem, or auditUser
configuration passes only run during the Sysprep process. If you need to configure any options for these
passes, you must supply an answer file.
If you installed Windows 8.1 initially with an answer file that had settings from the generalize,
auditSystem, or auditUser section, then those settings would not have been applied. However, they would
have been cached for later use. To use the settings in the answer file cache, you can run:
• Sysprep /audit. Applies any settings that you configure in the auditSystem or auditUser sections of
the cached answer file.
• Sysprep /generalize. Applies any settings that you configure in the generalize section of the cached
answer file.
If you do not want to use settings from a cached answer file, or want to use a different answer file to
deploy the system, you can specify an answer file by using Sysprep /unattend:<filename>.
Demonstration: Using Sysprep to prepare a reference computer

In this demonstration, you will see how to use Sysprep to generalize an image.
Demonstration Steps
1. On LON-REF1, run a command prompt as Administrator.
2. Change to the C:\Windows\System32\Sysprep directory.
Sysprep /generalize /oobe /shutdown

Question
In which configuration pass would you add packages in an answer file?
During the oobeSystem configuration pass
During the offlineServicing configuration pass
During the windowsPE configuration pass
During the auditUser configuration pass
During the specialize configuration pass

Lab B: Building a reference image by using Windows SIM

and Sysprep
Scenario
You want to create an automated setup process that uses an answer file to provide all setup information.
You will use this setup process to create reference images, which will be captured and deployed to
desktops. To support your initial image, you are going to use Windows SIM to create an answer file, and
then perform a manual setup to ensure that it works as expected. You will also Sysprep the reference
image to prepare it for imaging deployment. Later you will automate the reference image creation
process and apply the knowledge you have gained from this task.
Objectives
• Build custom answer files by using Windows SIM.

• Install a reference computer by using a custom answer file.
• Customize an image in audit mode and preserve profile changes by using Sysprep.
Lab Setup
Virtual machines: 20695C-LON-DC1, 20695C-LON-CFG, and 20695C-LON-REF1
Password: Pa$$w0rd
20695C-LON-DC1 and 20695C-LON-CFG should be running from the previous lab.
Exercise 1: Building custom answer files by using Windows SIM

Scenario
You also want to customize the answer file to provide support information, such as the organization name
and phone number for support.
1. Create a new answer file, on a virtual floppy disk, by using Windows SIM.
2. Add and configure component and component settings.
3. Validate and save the answer file.
4. Create an answer file to preserve the profile.
 Task 1: Create a new answer file, on a virtual floppy disk, by using Windows SIM
1. Switch to LON-CFG. From the Media menu, insert the Reference.vfd diskette drive located at
D:\Program Files\Microsoft Learning\20695\Drives.
2. On LON-CFG, open File Explorer, and then format the floppy disk in the A: drive.
3. From the Start screen, start Windows System Image Manager.
4. Select the E:\Sources\Install.wim Windows image. When prompted, create a catalog file. This will
take several minutes.
5. Open the sample answer file, E:\labfiles\Mod06\Autounattend_x64_BIOS_sample.xml.
6. Save the answer file to the A: drive as Autounattend.xml.
 Task 2: Add and configure component and component settings

1. In the Answer File pane, expand the 1 windowsPE pass, expand amd64_Microsoft-Windows-
Setup_neutral, select the UserData component, in the FullName field, type your name, and then
in the Organization field, type Adatum.
2. Expand UserData, and then delete the ProductKey component.
3. In the Windows Image pane, expand Components, and then add the amd64_Microsoft-Windows-
UnattendedJoin_10.0.10586.0_neutral component to Pass 4.
4. In the Answer File pane, under the 4 specialize pass, configure the amd64_microsoft-Windows-
Shell-Setup_10.0.10586.0_neutral ComputerName value as Reference.
5. Expand amd64_microsoft-Windows-Shell-Setup_neutral, and then delete the OEMInformation

component.
6. Expand amd64_Microsoft-Windows-UnattendedJoin_neutral, select Identification, and then

configure the JoinWorkgroup field as imaging.
7. Add the following components to pass 7 oobeSystem:
o amd64_Microsoft-Windows-International-Core_10.0.10586.0_neutral
o amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0 _neutral\OOBE
o amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0 _neutral
\ UserAccounts\AdministratorPassword
o amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0_neutral
\ UserAccounts\LocalAccounts\LocalAccount
8. Configure the following values in the Answer File pane:
o amd64_Microsoft-Windows-International-Core_10.0.10586.0_neutral\InputLocale as en-us
o amd64_Microsoft-Windows-International-Core_6.3.9600.16384_neutral\UILanguage as en-
us
o amd64_Microsoft-Windows-International-Core_10.0.10586.0_neutral\UserLocale as en-us
o amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0_neutral\TimeZone as Pacific
Standard Time
o amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0_neutral\OOBE\HideEULAPage as
true
o amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0_neutral\OOBE\NetworkLocation as
Work
o Right-click amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0_neutral\UserAccounts
\AdministratorPassword\ Value, and then select Write Empty String.
o amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0_neutral\UserAccounts
\LocalAccounts\Local Account\DisplayName as your full name
\LocalAccounts\Local Account\Group as Administrators
\LocalAccounts\Local Account\ Name as your first name
o LocalAccount[Name=”yourname”]\Password\Value as Pa$$w0rd
9. Add the amd64_Microsoft-Windows-Foundation-Package_10.0.10586.0 package.
10. In the amd64_Microsoft-Windows-Foundation-Package_10.0.10586.0 package, under Microsoft-

Hyper-V-All, right-click Microsoft-Hyper-V-Tools-All, and then enable parent features and the
following:
o Microsoft-Hyper-V-Management-Clients
o Microsoft-Hyper-V-Management-PowerShell
 Task 3: Validate and save the answer file

1. From the Tools menu, validate the answer file.
Note: You will see warnings that say The setting has not been modified. It will not be
saved to the answer file. You will also see a warning that the Setting Network Location has
been deprecated. You can ignore these warnings.
2. Save the answer file.

3. Close the answer file.
 Task 4: Create an answer file to preserve the profile

1. In Windows SIM, create a new answer file.
2. Add the amd64_Microsoft-Windows-Shell-Setup_10.0.10586.0_neutral component to Pass 4

specialize.
3. In the Answer File pane, in the Microsoft-Windows-Shell-Setup Properties pane, set the value of
CopyProfile to True.
4. Save the file to Floppy Disk Drive (A:), and then name it CopyProfile.xml.
5. Close the Answer file, and then close Windows System Image Manager.
6. Eject the Reference.vfd from LON-CFG1.
Results: After completing this exercise, you should have created an answer file on a virtual floppy disk by
using Windows System Image Manager (Windows SIM), added components and packages to the answer
file, and validated and saved the answer file.
Exercise 2: Installing a reference computer by using a custom answer file

Scenario
After creating a custom answer file, you will now build the reference image. You will use Windows 10
media and the answer file created previously to perform an unattended installation. After the installation
completes, the reference computer will be ready for final configuration and preparation.
1. Mount the Windows 10 media, and start the unattended installation.
2. Verify that answer file settings have applied.
 Task 1: Mount the Windows 10 media, and start the unattended installation
1. In Hyper-V Manager, insert the reference.vfd floppy disk drive located at D:\Program Files
\Microsoft Learning\20695\Drives to 20695C-LON-REF1.
2. Insert the D:\Program Files\Microsoft Learning\20695\Drives\Win10TH2Ent_Eval.iso to the DVD

drive.
3. Start 20695C-LON-REF1.
Note: The installation can take 30 minutes.
 Task 2: Verify that answer file settings have applied

1. After the installation is complete, select Use express settings, if prompted.
2. Sign in to LON-REF1 by using the local account you provided in the answer file.
3. On the Start screen, type Hyper-V. The search results should include the Hyper-V Manager feature
you added.
4. From the Control Panel, open the System applet, and then verify that the Computer name is
Reference and the Workgroup is imaging.
5. Open Computer Management, and then verify that your user account is in the local Administrators
group. Verify that the System partition is 350 MB.
7. Eject the DVD media.
Results: After completing this exercise, you should have mounted the Windows 10 media, performed an
unattended installation, and verified that the answer-file settings were applied.
Exercise 3: Customizing your image in the audit mode and preserving the
profile changes by using Sysprep
Scenario
To complete the configuration of the reference computer, you need to finalize settings and application
requirements. You need to place the reference computer into audit mode and then set the required
configuration settings. You will use Sysprep and Windows SIM to help address these configuration
requirements.
1. Boot into the audit mode and configure changes as required.
2. Run Sysprep with the /generalize, /oobe, /shutdown, and /unattend switches.
3. To prepare for the next lab.
 Task 1: Boot into the audit mode and configure changes as required
1. On LON-REF1, connect to \\LON-CFG\E$\Software as Adatum\Administrator with the password
Pa$$w0rd. Remember the credentials.
2. Install the Microsoft PowerPoint Viewer software from the Office Viewers folder.
3. Start a command prompt as Administrator.

4. Change to the C:\Windows\System32\Sysprep directory, and then run the following command:
Sysprep /audit /reboot
5. After the reboot, LON-REF1 will sign in as the Administrator automatically, by using a blank
password. Open the System window, and then click Advanced System Settings.
6. Click the Advanced tab, and then in the User Profiles section, delete the profile that you created for
your name.
7. Open Computer Management, and then delete the user account that you created for your name.
9. Pin the PowerPoint Viewer to the Start screen.
10. Pin the Snipping Tool to the taskbar.

11. Verify the changes.
 Task 2: Run Sysprep with the /generalize, /oobe, /shutdown, and /unattend switches
1. On LON-REF1, run a command prompt as Administrator.
2. Change to the C:\Windows\System32\Sysprep directory.
Sysprep /generalize /oobe /shutdown /unattend:A:\copyprofile.xml
Note: After completing this step, you might see an error message that states A fatal error
occurred while trying to sysprep the machine. This is due to a corrupt CopyProfile.xml file
being saved to the floppy disk. To address this issue, redo the “Create an answer file to preserve
the profile” lab task from Exercise 1. Save the answer file to the floppy disk as indicated.
Results: After completing this exercise, you should have the Windows 10 reference system generalized
and ready for imaging.
 Task 3: To prepare for the next lab

Keep all virtual machines in their current state for the next lab. Do not revert them.
Lesson 4
Capturing and servicing a reference image by using DISM
After you have built and prepared a reference image, the next deployment phase is to capture the image
for future deployments. After you capture an image, you will want to maintain it to avoid building a new
image if hardware and software updates occur. Windows ADK contains the DISM.exe command-line tool
to help you with this process.
Lesson Objectives
• Describe DISM.
• Explain how to capture images by using DISM.
• Explain how to mount and modify images by using DISM.
• Explain how to service an image by using DISM.

• Mount and service an image by using DISM.
Overview of DISM
You can use the DISM.exe command-line tool to
service Windows operating systems or Windows
PE images. You can use DISM to service .wim,
.vhd, or .vhdx files. DISM cannot service files that
are newer than the installed version of Windows
ADK. Windows ADK for Windows 10 and Windows
10 both include the latest DISM version. You can
use DISM to service the following operating
systems:
• Windows 10
• Windows 8 and 8.1
• Windows Server 2012 and 2012 R2
• Windows 7
• Windows Server 2008 and 2008 R2
• Windows PE 3.0 through Windows PE 5.1

Windows 10 and Windows Server 2016 Technical Preview included the DISM Windows PowerShell
module. On other supported operating systems, you can install Windows ADK for Windows 10, which
includes the DISM Windows PowerShell module. When using an operating system earlier than Windows
10 that is running Windows ADK for Windows 10, run the following cmdlet in Windows PowerShell to
load the Windows ADK version of DISM:

Note: To install or remove drivers in an offline Windows Vista SP2 or Windows Server 2008
image, you must use the Windows 7 version of DISM.
You would typically use DISM for two purposes, including:
• Managing data, such as installed components, updates, or drivers in a Windows image. You also can
use DISM to manipulate .wim files by capturing, splitting, or mounting an image, or deleting an
image in a .wim file.
• Servicing an image, which involves adding or removing drivers, modifying language settings, enabling
or disabling Windows-based features, or upgrading the Windows operating system to a newer
edition.
You can also use DISM in Windows PE. When creating a Windows PE image, add the WinPE-DismCmdlets
package for full functionality.
How to capture images by using DISM

You can use the DISM tool to capture a hard disk’s
image for deployment as a .wim file. The basic
process is to install the Windows operating system
on a computer, configure the computer to have
all of the applications and settings that you want
for your basic computer, run Sysprep on the
computer, and then shut down the computer.
After the computer shuts down, you can start it in
Windows PE. If you start it accidently into the
Windows operating system, the OOBE will start,
and the computer will not be generalized.
Before you begin the process of image capture,

you need to create the Windows PE boot media, and prepare a location to which to copy the captured
.wim file.
Determining the partitions to capture

Depending on your needs, you can create and capture multiple partitions. The following table shows the
possible partitions, and those that you should capture or can skip.
Partition Need to capture?
System partition (BIOS system Not required. If you have made customizations and you use this
partition or Extensible image on one model only, then you can capture this partition.
Firmware Interface [EFI] system Otherwise, the partition will be recreated automatically during the
partition) deployment process.
Microsoft Reserved partition No. This partition contains a globally unique identifier (GUID) for a
GUID partition table (GPT) disk partition.
Primary partitions (Windows Yes. This is the operating system and any data drives that you want
operating system partitions, to include in the image.
utility partitions)
Logical partitions (Windows Yes, if you create the partitions so that the operating system and
operating system partitions, any data drives that you want to capture reside in a logical
utility partitions) partition.
Other partitions (without the No. If you are planning to have an additional, empty partition on
Windows operating system or the deployed systems, there is no reason to capture an empty
other data that you wish to partition.
capture)
Preparing to capture an image

Depending on how you have configured your reference computer, you might find that you have
partitions that you want to capture that do not have assigned drive letters, such as the system partition.
Before you can capture a partition with DISM, you must assign it a drive letter. The following table
describes how you can use the Diskpart command to perform these operations.
Command Description
Diskpart By default, Windows PE starts in a command prompt at the X: drive. Running

Diskpart starts the Diskpart environment.
List disk If there are multiple hard disks, this command will enumerate them. The first
hard disk detected will be disk 0 (zero).
Select disk 0 If there is more than one hard drive on the reference computer, you can use
the select disk command to determine the proper disk to choose. Using the
select disk command defines the disk that the following commands will use.
Even if there is only a single hard disk, you must run this command to select it.
List partition Displays the partitions defined on the hard disk. Use the information presented
to determine the drive to which you need to assign a letter.
Select partition 2 Defines the partition that the following command will use.
Assign letter R Assigns the drive letter of your choice.
Exit Closes Diskpart.
After you assign drive letters to all of the partitions that you want to capture, you can use the DISM tool
to capture the images. The basic command for capturing an image is DISM /Capture-Image. For
example, you can use the following commands to capture the images of a primary partition and a system
partition, after assigning S: to the system drive:
DISM /Capture-Image /ImageFile:c:\windows-partition.wim /CaptureDir:C:\ /Name:"My Windows

partition"
DISM /Capture-Image /ImageFile:s:\system-partition.wim /CaptureDir:C:\ /Name:"My system
partition"
The following table includes a brief description of the switches that the commands shown above use.
Command Decription
/ImageFile:<Path> Captures an image to the new .wim file specified. Captured partitions
include all subfolders and data. Any folders that you want to capture
must contain at least one file. If the drive that you are capturing has
enough empty space, DISM saves the image locally.
/CaptureDir:<drive Letter> Specifies the drive letter of the partition to capture.
/Name:”Image_Name” Specifies a friendly name for the image, which is particularly

important if multiple images will be in the same .wim file.
The following table includes additional switches that you can use with DISM /Capture-Image.
Command Description
/Description:”Image_description” Allows you to add additional descriptive information to the

image.
/ConfigFile:”configuration_file.ini” Specifies the name and location of a configuration file that

can include capture and compress exclusions. By default,
nothing is excluded.
/Compress:{max|fast|none} Specifies the encryption level to use. By default, DISM uses

maximum compression. Fast compression completes
quicker, but the resulting file is larger. None provides no
compression.
/Bootable Marks a volume as bootable. You can use this option only
when capturing Windows PE images.
/CheckIntegrity Monitors the .wim file for corruption. The capture process
will halt if corruption is detected.
/Verify Checks for errors and file duplication.
Once a local image capture occurs, you can transfer it to a network share or copy the file to an external
drive. From the command prompt, you can use the Net Use <drive letter> \\Server\Share command to
map a connection to a network share.
Using DISM to mount and modify images

After you capture an image, you might decide to
modify it by adding folders or files to it. You can
use DISM to mount the image and make changes
to it without having to start the image.
Note: DISM cannot mount a Windows

image from a .vhd file on Windows Vista SP1 or
Windows Server 2008.
To mount an image, the first thing that you need

to create is an empty folder. When DISM mounts
an image, it simply expands all of the folders and files into the designated folder. Within this folder, you
can make your changes, and then commit and unmount the image. This creates a new .wim file with all of
the updates that you performed.
The basic command line for mounting an image is DISM /Mount-Image. The Windows PowerShell DISM
cmdlet is Mount-WindowsImage. For example, you could use either of the following commands to
mount an image named image.wim located in the C:\images folder to the C:\images\offline folder:
DISM /Mount-Image /ImageFile:C:\images\image.wim /index:1 /MountDir:C:\images\offline
or
Mount-WindowsImage –ImagePath C:\images\image.wim –Index 1 –Path C:\images\offline
The following table provides a description of the typical parameters for the DISM /Mount-image
command and the DISM Windows PowerShell cmdlet Mount-WindowsImage.
DISM command DISM PowerShell Description
/Imagefile:<path> -ImagePath <path> Specifies the path and name of the .wim file to
mount.
/Index:<integer> -Index <integer> Specifies the image to mount from the .wim file
by index number. Alternatively, you can use the
/Name switch.
/MountDir:<path> -Path <path> Specifies the folder location to mount the .wim
file.
After you mount an image, you can open the mount directory, and then modify the folders and files in
the image. After all modifications are complete, you must commit the changes that you made by using
the DISM /Commit-Image command. For example, to commit changes to the image mounted in the
previous example, you would run the following command:
DISM /Commit-Image /MountDir:C:\images\offline
You then can use the DISM /Unmount-Image command to unmount the image. For example, the
following command would unmount the image mounted in the previous examples:
DISM /Unmount-Image /MountDir:C:\images\offline /commit
To dismount and save changes, you can use the following Windows PowerShell cmdlet:
DisMount-WindowsImage –Path C:\Images\Offline -Save
Servicing an image by using DISM

Sometimes you need to do more than just copy or
delete folders and files in an image. You can use
DISM to add or remove features, components,
drivers, or operating system updates. This process
is known as servicing an image. You can use the
DISM tool to service an image offline or online.
Similar to modifying an image, the first step in servicing an image is to mount the image so that it is
accessible. A wide variety of DISM command-line options exist for servicing images. The following sections
provide examples that briefly describe some of the tasks that you can perform and the commands that
support them.
Servicing applications
Application servicing allows you to check the applicability of Windows Installer application patches (.msp)
files, and to verify the .msp files applied to an offline image. Additionally, you can view information for
Windows Installer–installed applications. The following table contains a summary of the available
command parameters for the DISM /Image:<path to mounted image>.
Command parameters Description
/Check-AppPatch Displays information about the .msp patch, but only if the patch is
/PatchLocation: <mountpath> installed on the image.
/Get-AppPatchInfo Displays detailed information about the .msp patches that you
[/PatchCode:<GUID>] specify or about all the patches applied to a specific product.
/ProductCode:<GUID>
/Get-AppPatches Displays information about all .msp patches applied to the image.
[/ProductCode:<GUID> Alternatively, you can specify a product to view information about
all the .msp patches applied to the application.
/Get-Apps Displays basic information about all installed .msi applications for
all users or for a specific package or user.
Servicing Windows-based features

You can use the DISM command-line tool or Windows PowerShell cmdlets to add or remove packages,
such as software updates or service packs, or to enable or disable Windows-based features, either
manually or by using an answer file. You can enable or disable Windows-based features on a running
operating system (online servicing) by saving them to a .wim file or to a .vhd or .vhdx file (offline
servicing).
The following table lists options that are available for servicing Windows-based features.
Command line Cmdlet Description
DISM /Image:<mountpath> Get-WindowsPackage – Displays basic information about

/Get-Packages Path <mountpath> all packages in the image.
DISM /Image:<mountpath> Add-WindowsPackage – Adds a single .cab or .msu file to

/Add-Package <packagepath> Path <mountpath>- a Windows image.
PackagePath <path>
DISM /Image:<mountpath> Remove-WindowsPackage Removes specific packages from

/Remove-Package -Path <mountpath> - the image. You also can use the
/PackageName: <nameinimage> PackageName PackagePath parameter to
<nameinimage> specify the path to the .cab file of
the package.
DISM /Online /Get-Features Get- You can get information about

or DISM /Image:<mountpath> WindowsOptionalFeature features from images either
/Get-Features -Online online or offline. This option will
display a list of the available
or for offline image
Windows-based features in the
Get- operating system.
WindowsOptionalFeature
-Path <mountpath>
/Get-FeatureInfo Get- Displays information about the

/FeatureName:<name> WindowsOptionalFeature specified feature.
–Path <mountpath> -
FeatureName <name>
/Enable-Feature /FeatureName: Enable- Enables the specified feature.

WindowsOptionalFeature You can add the All parameter to
-FeatureName <name> enable all parent features as well.
/Disable-Feature Disable- Disables the specified feature.

/FeatureName:<Feature_Name> WindowsOptionalFeature You can use this online or offline.
-Featurename <name> Adding the /Remove parameter
removes the feature from the
image. You can use this option
only with Windows 8, Windows
Server 2012, or newer versions.
Servicing Windows device drivers

You can use DISM to add or remove drivers to an offline Windows image. You can use an unattended
answer file to perform this task, or you can perform the task manually at the command prompt. When
you add a driver to an offline image, the driver is added to the Plug and Play store. When the image is
booted and the device is connected, installation of the associated driver occurs.
Note: When you are servicing a Windows 8, Windows Server 2012, or newer image, the
operating system that you use for performing the servicing must match the Windows version
being serviced, or you must use Windows PE 4.0 or newer. If you use a different operating
system, the driver signature verification can fail.
The following table lists options that are available for servicing device drivers.
DISM Add-WindowsDriver Adds the specified driver to the Plug

/Image:<mountpath> –Path <mountpath> -Driver and Play store. You can use the
/Add-Driver <path> Recurse parameter to install all drivers
/Driver:<Path> in a folder and subfolders.
/ForceUnsigned -ForceUnsigned By default, x64-based Windows

operating systems require digitally
signed drivers. You can use the
ForceUnsigned parameter to add
drivers that do not have digital
signatures.
/GetDrivers Get-WindowsDriver Displays a list of all third-party drivers

added to an image. When a driver is
added to the Plug and Play store, the
.inf file is renamed Oem*.inf, where the
* represents a sequential number
starting at 0. For example, the first
driver added would become Oem0.inf
and the second driver installed is
Oem1.inf. This information can come
from online or offline images.
/Remove-Driver Remove-WindowsDriver Removes the specified driver from the

/Driver:OEM1.inf -Driver OEM1.inf Plug and Play store. You can specify
multiple drivers by using the /Driver
/Driver:OEM2.inf
option multiple times.
Demonstration: Mounting and servicing an image by using DISM

• Use Windows PowerShell DISM cmdlets to mount an image.
• Get detailed information about a package, and service an image with Windows PowerShell DISM
cmdlets.
Demonstration Steps
Use Windows PowerShell DISM cmdlets to mount an image
1. Create a folder named Service on the E: drive.
2. Start Windows PowerShell, and then run the following command:
Get-WindowsImage –ImagePath E:\Sources\install.wim
3. Also in Windows PowerShell, run the following command:

4. Discuss the results, and then run the following command:
Mount-WindowsImage –ImagePath E:\sources\install.wim –Index 1 –Path E:\Service
5. Open the E:\service folder, and then show the mounted image.
Get detailed information about a package, and service an image with Windows PowerShell DISM
cmdlets
Get-WindowsPackage –Path E:\Service
2. Review the results.
3. Get detailed information about a package by running:
Get-WindowsPackage –Path E:\Service -PackageName Microsoft-Windows-Foundation-

Package~31bf3856ad364e35~amd64~~10.0.10586.0
4. To enable the TelnetClient feature, and any parent features, run:
Enable-WindowsOptionalFeature –Path E:\Service –FeatureName TelnetClient –All
5. To check that the feature is enabled, run:
Get-WindowsOptionalFeature –Path E:\Service
6. Create a new folder named Important Docs in the E:\service directory.

7. Dismount the image by running:
Dismount-WindowsImage –Path E:\Service –Save
8. Leave the virtual machines running for the next demonstration.

Question
You have mounted an image for offline servicing. You have added a couple of
Windows feature packages, added a new device driver, and put a custom folder
structure onto the system drive. You now need to dismount the image and save the
changes. Which DISM command do you use?
Dismount-WindowsImage –Path E:\Service –Save
DISM /Commit-Image /MountDir:C:\images\offline
DISM /Unmount-Image /MountDir:C:\images\offline /commit
DISM /Image:E:\Service /Add-Package Appx1
DISM /Mount-Image /ImageFile:C:\images\image.wim /index:1

/MountDir:C:\images\offline
Lab C: Capturing and servicing a reference image

Scenario
Now that you have installed, configured, and generalized a reference computer, you can perform the
image capture. You will boot the reference computer by using the custom Windows PE media that you
created previously. You will then perform the image capture by using the DISM tool.
Objectives
• Capture a reference system image.
• Mount and service an image.
Lab Setup

Password: Pa$$w0rd
LON-DC1 and LON-CFG virtual machines should still be running from the last lab. You Sysprepped and
shut down LON-REF1 at the end of the last lab.
Note: Do not start LON-REF1 until instructed to do so in the lab.
Exercise 1: Capturing a reference system image

Scenario
Administrators have provided you with a network location to store all reference images. This location is on
\\LON-DC1\Images. You will boot the reference computer into Windows PE and then use DISM to capture
the image to the network location.
1. Boot the reference computer by using Windows PE.
2. Use Diskpart to assign a drive letter.
3. Use DISM to capture the reference image to the shared network folder.
 Task 1: Boot the reference computer by using Windows PE

1. In Hyper-V Manager, connect to 20695C-LON-REF1.
2. Insert the D:\Program Files\Microsoft Learning\20695\Drives\WinPEx64.iso to the DVD drive.
3. Start 20695C-LON-REF1 from the DVD. When prompted, hit a key to start from the DVD.
 Task 2: Use Diskpart to assign a drive letter

1. Start Diskpart.
2. From the Diskpart prompt, run the following commands:
Select disk 0
List partition
Select partition 2
Assign letter R
Exit
 Task 3: Use DISM to capture the reference image to the shared network folder
1. Use the Net Use command to map drive letter G: to the \\LON-CFG\E$\Images shared folder as
Adatum\Administrator.
2. To initiate the image capture, run the following command:
DISM /Capture-Image /Imagefile:G:\Win10.wim /CaptureDir:R:\ /Name:”Adatum Windows 10”
Note: For a few minutes, the cursor will continue to sit at the prompt, but then the image
save will begin. At that point, you can shut down the virtual machine.
3. Revert 20695C-LON-REF1. Do not revert the other virtual machines.
Results: After completing this exercise, you should have booted the reference machine into your
customized Windows PE image, used Diskpart to assign a drive letter, and used DISM commands to
capture the image to the shared network folder.
Lesson 5
Using the Windows ICD
Windows 10 provisioning enables you to configure and apply Windows images on new desktop devices.
This is especially useful in Bring Your Own Device (BYOD) scenarios. You use the Windows Imaging and
Configuration Designer (Windows ICD) to create and configure devices with provisioning packages.
Windows ICD is part of Windows ADK for Windows 10.
Overview of Windows ICD

Windows ADK for Windows 10 includes an easy-
to-use suite of tools called Windows ICD, which
helps you create provisioning packages to make
changes to images without requiring a full
deployment. For example, you have a Windows 10
Pro image that you deployed to several devices,
but because of a new volume license agreement
with Microsoft, you wish to deploy the Enterprise
version instead. Normally, you would have to
redeploy a new image to all the devices. With
Windows ICD, however, this is not necessary.
Instead, you can create a provisioning package
that simply adds the Enterprise elements to the existing image.
Several different tasks are well suited for Windows ICD, including:
• Viewing all the various configurable settings and policies for a Windows 10 image or provisioning
package.
• Creating answer files to use with a provisioning package.

• Using an answer file to add third-party drivers, apps, or other assets to an image.
• Creating alternate images and specifying the settings that apply to each.
• Building a provisioning package.
• Building and flashing a Windows image.
Windows ICD is primarily designed for OEMs and original design manufacturers (ODMs), system
integrators, and IT departments that need a quick and easy way to make changes to Windows images,
as follows:
• System builder or OEM/ODM. They need to configure and apply Windows images on new desktops
and mobile devices that they sell. They can use Windows ICD to create full image media (USB,
network, USB tethering) for sale with a device, or to create a provisioning package to deploy the
images directly, prior to sale.
• Small organizations. They can use Windows ICD to customize new desktops and mobile devices and
to create provisioning packages.
• Midsize organizations. Normally, they would use MDT to create and deploy custom images, but they
could also use Windows ICD to create provisioning packages for those images and to deploy mobile
device images.
• Large or enterprise-size organizations. Normally, they would use MDT or Microsoft System Center
Configuration Manager (Configuration Manager) to create and deploy custom images, and they
would use Windows ICD to create provisioning packages. However, they also could use Windows ICD
to create provisioning packages for those images and to deploy mobile device images.
Windows ICD opens in a management console with large block-size tiles that let you create a new
provisioning package or a new Windows image customization. It also lists a tile for every provisioning
package or Windows image customization project that you have already created. However, if you have
already created numerous projects, only the most recent projects will appear as tiles. In that event, a tile
labeled Open will show a File Explorer window of the default project folder location, which is your user
name\Documents\Windows Imaging and Configuration Designer (WICD)\. Windows ICD lists each project
that you have created here with an .xml extension.
How to build and customize a provisioning package

You can use a provisioning package to configure
the Windows user interface, to adjust connectivity
settings, to meet mobile network requirements, to
comply with security policies and directives, or to
fit markets and regions where you ship devices.
You use a provisioning package to modify an
initial deployment of Windows 10. After a
provisioning package runs, the settings are
permanent until changed.
When you create and open a provisioning

package, or when you open an existing or
imported provisioning package, the Available
customizations page displays. This page is presented in a management console–like view. On the left
side is the View area, at the top middle is the Details pane, on the bottom middle is a section that shows a
webpage that is dependent on the item selected in the Details pane, and on the right side is the Selected
customizations area.
The View area has an expandable list of items in one or more nodes, depending on what item you select
in the View drop-down list. The drop-down list has three items that you can select: All settings,
Common OEM settings, and Common IT Pro settings. The default selection in the drop-down list is All
settings. Below the View drop-down list is a Search text box, where you can type the name of the asset
or setting that you want to configure, if you know it. Below the Search text box are two nodes:
Deployment assets and Runtime settings. If you select Common OEM settings, only the Deployment
assets node displays. If you select Common IT Pro settings, only the Runtime settings node displays.
Both nodes appear under the All settings view.
When you expand the Deployment assets node, several expandable subnodes appear. All the subnodes
pertain to files that you can deploy to a device or image, such as application .appx files, device driver files,
or Windows Update .msu files. You do not set deployment assets directly; you add the files that contain
various settings that then are applied to that image. You apply assets not at runtime but during the
deployment phase. You can also deploy assets to an offline image.
The following table lists the subnodes and their major settings.
Asset type File type Description
Applications .appx, .appxbundle An .appx or .appxbundle package, along with the

dependency packages, license file, and optional
custom data file, that you can provision in an image.
Driver set .inf All driver .inf files and their payloads in a specified
folder are added to the driver store in an image, and
boot-critical drivers will be reflected.
Drivers .inf An individual driver .inf file and its payload are added
to the driver store in an image, and boot-critical
drivers will be reflected.
Features on .cab Features-on-demand v2 packages (for example, .NET

demand or language component packages) are optional
features that you can add to an image on demand.
Language packages .cab In Windows 10, language packs have been rewritten so
that the package sizes are much smaller.
Reference device .ppkg These are Classic Windows application files and
data registry settings that User State Migration Tool (USMT)
ScanState.exe captures in a provisioning package from
a reference device. Instead of installing a Classic
Windows application online on a device, you can install
the app to a desktop image offline by importing the
provisioning package that contains reference device
data.
Windows Update .msu Knowledge-base updates that download from

updates Windows Update or Windows Server Update Services
(WSUS) that can be installed in an image to keep the
image up to date and secure.
Windows ICD applies runtime settings to a running device, to an offline image, or after you have
deployed the image to that device. There are several runtime settings, with some having multiple
subsettings with various targets and values that allow conditional configuration of a particular device or
group of devices. The following table lists the settings and their uses.
Setting node Description Subnodes
Accounts Contains the settings for ComputerAccount,

computer and user accounts Users
AssignedAccess Settings for assigned access, AssignedAccessSettings

formerly known as kiosk
mode
Browser Character string that PartnerSearchCode

specifies an OEM
PartnerSearchCode
Certificates Allows you to add and ACertificates, ClientCertificates,

manage various certificate RootCertificates, TrustedPeopleCertificates,
functionalities TrustedProvisioners
Commands Specifies the commands to FirstLogon, Logon

run the first time—or
subsequent times—a user
signs in to a Windows device
Connections Settings that relate to Cellular, Proxies

various types of phone
connections
ConnectivityProfiles Specifies the connectivity Email, Exchange, WiFiSense, WLAN

settings that you can
customize for Windows
devices
CountryAndRegion Specifies some of the CountryCodeForExtendedCapabilityPrompts

settings that partners must
customize to ship Windows
devices to specific countries
or regions
DeviceFormFactor Contains settings that dictate DeviceForm

the form factor of a
Windows device
DeviceManagement Device management settings PGLists, Policies,--MMS, OMACP, SISL;

TrustedProvisioningSource--PROVURL
DMClient Device management client UpdateManagementServiceAddress

settings
EditionUpgrade Allows for updating UpgradeEditionWithLicense,

Windows 10 Mobile edition UpgradeEdtionWithProductKey
with a license or a Windows
10 desktop with a new
product key
Folders Allows you to add Public documents

documents to a device
Maps Settings that relate to maps ChinaVariantWin10, UseExternalStorage,

on a device UseSmallerCache
OOBE Settings that relate to a Desktop

device OOBE
Policies Policies for Windows 10 A very large number of subnodes, with

devices most having additional subnodes. Includes:
Abovelock, Account,
ApplicationManagement, Authentication,
Bluetooth, Browser, Camera, Connectivity,
Data Protection, Defender,
DeliveryOptimization, DeviceLock,
Experience, MicrosoftEdge, Search, Security,
Settings, Start, System, TextInput, Update,
WiFi
Power Settings for a device's Controls, EmergencyEstimationEngine

power-related apps
SMISettings Storage Management AnimationDisabled, BrandingNeutral,

Initiative settings CrashDumpEnabled, DisplayBootMenu,
DisplayDisabled, HideAllBootUI,
HideAutoLoginUI, HideBootLogo,
HideBootStatusIndicator,
HideBootStatusMessage, NoLockScreen,
ShellLauncher, UIVerbosityLevel
Start Settings for the Start menu StartLayout
TabletMode Settings that relate to tablets ConvertibleSlateModePromptPreference,

and slates SignInMode
UnifiedWriterFilter Used to protect storage FilterEnabled, OverlaySize, OverLayType,

media ResgistryExclusions, Volumes
UniversalAppInstall Settings for installing DeviceContextApp,

universal apps DeviceContextAppLicense, UserContextApp,
UserContextAppLicense
UniversalAppUninstall Settings for uninstalling Uninstall

universal apps
Workplace Workplace Join certificate Enrollments

settings
After you have applied all of your various asset and settings choices, you save your project, and then you
can deploy or export the provisioning package. Under the Deploy drop-down list, next to the File menu,
you have two selections: To USB connected device or To removable device. If you choose either
option, you have to provide a source full flash update (FFU) image. Finally, there is the Export drop-down
list, which lets you export a provisioning package that other Windows ICD systems can import.
How to apply a provisioning image
You can apply provisioning packages to a

Windows 10 device at any time. The provisioning
package can include customization of network
connections and policies, installation of specific
apps, management instructions and policies, and
more.
You can include provisioning packages when

you build a Windows image. This allows you to
create a single provisioning package that you
can add to different hardware-specific images.
You can even put a provisioning package on a
USB drive or secure digital card (SD card) to apply
to mass-produced devices. You can also send the provisioning package to someone by email. When you
need to change configuration, you can reset a device to its original state and then apply a new
provisioning package rather than wiping the device and applying a new system image. This saves
deployment time.
Use the Windows ICD tool included in Windows ADK for Windows 10 to create a runtime provisioning
package. Open Windows ICD, and then perform the following steps:
1. Select New provisioning package.
2. Name your project and click Next.
3. Select Common to all Windows editions and click Next.
4. On New project page, click Finish. The workspace for your package then opens.
5. Configure settings to whatever you require. There are dozens of settings you can choose. See the
previous topic in this lesson, “How to build and customize a provisioning package,” for a detailed
overview of all the various settings.
6. On the File menu, select Save.
7. On the Export menu, select Provisioning package.
8. Change Owner to IT Admin, which will set the precedence of this provisioning package higher than
other provisioning packages applied to this device, and then select Next.
9. Set a value for Package Version.
10. In the Provisioning package security window, you can choose to encrypt the package and enable
package signing. This is optional. You can choose the following:
o Enable package encryption. If you select this option, Windows ICD displays an autogenerated
password on the screen.
o Enable package signing. If you select this option, you need to apply a valid certificate to use for
signing the package. You can specify the certificate by clicking Select... and then choosing the
certificate you want to use.
Note: We recommend that you include a trusted provisioning certificate in your

provisioning package. When you apply the package to a device, the certificate is added to the
device’s certificate store and subsequently any package signed with that certificate can be
applied silently.
11. Click Next to specify the output location where the provisioning package will go after you build it.
Windows ICD uses the project folder as the output location by default. You can click Browse to
change the output location.
12. Click Build. This will start building the package. The build page and the progress bar indicate the
build status.
13. If your build fails, you will receive an error message that includes a link to the project folder. You can
scan the ICD.log to determine what caused the error. You can find the log in c:\users\accountname
\Documents\Windows Imaging and Configuration Designer (WICD)\Project name. After correcting
the issue, you can try building the package again. If your build runs successfully, it will display the
name of the provisioning package, output directory, and project directory.
You can build the provisioning package again and pick a different path for the output package. To do
this, before closing the package, click Back to change the output package name and path, and then
click Next, which starts another build. Otherwise, click Finish to close the wizard.
14. To apply the package, in the Customizations page, select the output location link to go to the
location of the package, which you set in step 11. You can provide that .ppkg file to others through
any of the following methods:
o Shared network folder
o SharePoint site
o Removable media (USB/SD)
o Email
o USB tether (mobile only)

o Near field communications (NFC) (mobile only)
15. The user then runs the .ppkg file on the device and the provisioning begins.
Demonstration: Building and applying a provisioning package

• Use Windows ICD to build a provisioning package.

• Apply the package you built to a client computer.
Demonstration Steps
Build a Windows ICD provisioning package
1. On LON-CFG, open Windows ICD, and then create a new provisioning package with the following
values:
o Name: Demo1
o Folder location: E:\Images\WICD
o Description: A demonstration on building and applying a provisioning package
o Choose which settings to view and configure: Common to all Windows editions
2. Accept all other options by clicking Next, and then click Finish.
3. In the Demo1 window, add the following runtime settings, and then save the package:
o Policies, Defender, Excludedpaths: E:\Labfiles
o Policies, System, AllowTelemetry: Disabled [Enterprise SKU only]
4. Export Demo1 with the Owner item set to IT Admin, and all other settings set to the defaults, and
then build the package.
5. Click the File menu item, select Close project, and then in the Save project(s)? dialog box: Save all.
Apply the Demo1 Windows ICD provisioning package
1. On LON-CL2, open the Settings app, and in the Privacy settings, click Feedback & diagnostics.
Check the Diagnostics and usage data area and note that the drop-down list item is set to Full
(Recommended).
2. In the Settings app, open Update & security, click Windows Defender, and note that there are no
exclusions listed.
3. In File Explorer, connect to \\lon-cfg\e$\images as adatum\administrator, and then copy and

paste the WICD folder to Local Disk (C:).
4. From C:\, run Demo1.ppkg and trust the source.
5. Go back to the Settings app.
6. In the Privacy, Feedback & diagnostics page, under the Diagnostics and usage data area, note
that the pull down item is set to Security, and that it appears dimmed and is not adjustable.
7. In the Windows Defender page, in the Exclusions page, note that the C:\WICD folder is now listed.
Close the Settings app.
8. Close all open windows and sign out of LON-CL2.
How to build an image for Windows 10 for desktops
You can use the Windows ICD to create images

for Windows 10 for desktop editions, including
the Home, Pro, Enterprise, and Education editions.
You can customize the image by adding apps,
drivers, language packs, and settings. You can also
build the deployment media either to a folder or
to a USB key. You must have an install.wim file
that you can use as your base image, and you
create a provisioning package to go with the
image and then deploy customizations.
How to create a Windows customized

image
You can click the New Windows image customization tile, which brings up the New project window.
Here you can name the project, browse to a project folder, and provide a description. Next is the Select
imaging source format page, where you can select either The Windows image is based on a Windows
image (WIM) file or The Windows image is based on Microsoft packages.
Note: After you have selected the Install.wim file, all the images that make up that .wim file
are listed in the Available images panel. The first Windows image in the list is selected by
default and the information about this image is displayed in the Image information panel.
To use the Microsoft package option, you need to have access to a preinstalled operating system kit. If
you selected the WIM file, the next page, the Select image page, has a Browse option to help you find
images that have been saved in the file system. After this, you have the option to import a provisioning
package, which merges its contents into the package you are creating, and then you click Finish.
The Available customizations page will then open. This page is presented in a management console–like
view. On the left side is the View area, at the top middle is the Details pane, on the bottom middle is a
section that shows a webpage that is dependent on the item selected in the Details pane, and on the right
side is the Selected customizations area.
The View area has an expandable list of items in one or more nodes, depending on which item you
select in the View drop-down list. The drop-down list has three items that you can select: All settings,
Common OEM settings, and Common IT Pro settings. The default selection in the drop-down list is
All settings. Below the View drop-down list is a Search text box, where you can type the name of the
asset or setting that you want to configure, if you know it. Below the Search text box are three nodes:
Deployment assets, Image time settings, and Runtime settings. The next topic discusses deployment
assets and runtime settings. Over 50 image time settings, which are settings deployed at package runtime,
each of which contains a list of subsettings, are available to configure an image.
Note: To see a list of all the Windows Provisioning settings, refer to Windows Provisioning
settings reference: http://aka.ms/mz452x.
After you have configured all your settings, you can create media by using the options available in the
Create drop-down list by the File menu. The Create drop-down list provides options to create
Production media, Clean install media, or Recovery media. In the Deploy drop-down list, you can
select either To a USB device or To removable device. Both options require the use of an FFU image,
which is primarily a mobile device tool. Finally, the Export drop-down list helps you make the image
setting into a provisioning package.
How to deploy an image for Windows 10 for desktops

After your customizations are complete, you can
deploy the image to a bootable USB drive, a full
flash update (FFU) file, or a local folder on a
computer. Note that if you save to a local folder,
and wish to use the image saved there to install to
physical hardware, you will need additional tools,
such as an ISO creator tool, to make that data
available to install on a physical or virtual
computer. To deploy the build image, perform the
following steps:
1. When you finish configuring your

customizations, you can optionally export a
provisioning package if you want to reuse the customizations that you configured in this project. To
do so, click the Export drop-down Windows ICD console ribbon, select Provisioning package, add
the required information and options for the package, and then build it.
Note: You can import only one provisioning package.
2. If you have completed configuring your customizations, or have finished optionally exporting a
provisioning package, you can now build the media that contains the image. To do so, click Create
from the main menu, and then select one of the media types:
o Production media. This is media that OEM manufacturing uses. The media can run fully
automated. It provides you with the option to boot to audit mode and use optional test scripts.
Production media provides several optimizations to save deployment time.
o Clean install media. This is media that only the end user can use to perform a clean install. This
media boots to OOBE for end user input and then continues until it gets to the desktop. The
installation itself ends before booting to OOBE and the OOBE continues as in a normal user
installation.
Note: If you are building clean install media, all the assets are placed in a provisioning
package together with install.wim. The .ppkg file is not injected into install; instead, it merges into
the operating system (OS) at deployment time.
o Recovery media. This is media that the end user uses for data-only recovery of a device that is
not fully functioning. This can only be in the WIM image format.
3. Click Next to select the image format and media type, and provide other information as necessary to
build your image:
o On the Select image format page, you can choose to build the image in a WIM or FFU format:
 WIM. Builds the image in a WIM file format.
This allows you to build the media to a local folder or network share, or to create a bootable
media on a USB drive.
 FFU. Builds the image in a FFU.
If you select the FFU option, enter or select the path for the target location.
o You can also select image options, such as enabling Compact OS, which installs the operating
system files as compressed files, or specifying the first boot behavior, which includes booting to
audit mode or selecting to run a script at first boot.
o In the Deployment media page, select the type of media that you want to create:
 Save to a folder. Selects a folder that contains the deployment media. The resulting media is
not a bootable media and is not guaranteed to work on bootable drives.
 Create a bootable USB drive. Creates bootable media on a USB drive. If you select this,
Windows ICD detects all the available USB drives attached to the host PC and lists these in
the Output drive drop-down list. If Windows ICD does not detect a USB drive, reattach the
USB drive, and then click Refresh.
4. Click Next and then click Build to start the image build. The build page displays project information
and the progress bar indicates the build status.
5. If your build fails, you will receive an error message that includes a link to the project folder. You can
scan the ICD.log to determine what caused the error. You can find the log in c:\users\accountname
\Documents\Windows Imaging and Configuration Designer (WICD)\Project name. After correcting
the issue, you can try building the image again. If your build runs successfully, it will display the name
of the provisioning package, output directory, and project directory.
o You can build the provisioning package again and pick a different image format, or select the
deployment media, or both. To do so, before you close the package, click Back to select what
you want to change, and then click Next, which starts another build.
o Otherwise, click Finish to close the wizard.
Deploying the Windows ICD–created image is straightforward. You can use the USB drive method, or you
can use other management solutions for deploying operating systems. To deploy an image to a desktop
computer by using the USB drive, perform the following steps:
1. Insert the USB drive that contains the bootable media into the computer and then boot the computer
from the USB drive.
2. Enter the Windows 10 edition product key, if you used an image that has a retail key.
3. Accept the license terms and then wait for the installation to complete.
There are several ways of deploying the image. You can use the bootable USB drive as describe earlier, or
you can import this build inside your MDT Deployment share. Alternatively, you can import the build
image and use the Windows Deployment Services (Windows DS) server role, or import into Configuration
Manager and use the operating system deployment (OSD) feature to push the build image out to desktop
computers.
Demonstration: Building and deploying an image for Windows 10 for

desktops
In this demonstration, you will see how to use Windows ICD to build a Windows 10 desktop image.
Demonstration Steps
1. On LON-CFG, open Windows Imaging and Configuration Designer and select New Windows image
customization.
2. Create a new project with the following values:
o Name: Build Demo
o Project folder location: Create a new folder in Allfiles (E:)\Images\WICD\ named BuildIMG
o Description: A demonstration of creating a Windows 10 Desktop image

3. In Select image source format, note that the only selection available is The Windows image is based
on a Windows image (WIM) file.
4. For the selected image, select Allfiles(E:)\Sources\install.wim, and note that there is only one
available image on install.wim.
5. Import the provisioning package Allfiles (E:)\Images\WICD\Demo1.ppkg.
6. Create the build by using Clean install media with the WIM image format. When asked where to
store the deployment files, select Save to a folder. Save to a new folder named BuildImage in
Allfiles (E:)\Images\WICD.
7. Build the Windows image and note the progress bar on the Build the Windows image page. It will
take several minutes to build the deployment media folder.
8. Open File Explorer and navigate to Allfiles (E:)\Images\WICD\BuildImage.
9. Examine the folder structure. It is the same as a mounted installation .iso file.
Categorize Activity
Items
1 Primarily designed for OEMs/ODMs, system integrators, and IT

departments.
2 Used to configure the Windows user interface, to adjust connectivity

settings, to meet mobile network requirements, to comply with
security policies and directives, or to fit markets and regions where
you ship devices.
3 Must use an install.wim file as input.
4 Displays created projects on the start page of the console.
5 You can put it on a USB flash drive or SD card.
6 Used to create images for new Windows 10 for desktop editions,

including Home, Pro, Enterprise, and Education editions.
7 Installed as part of Windows ADK.
8 Includes the Available customizations page.
9 Can only use one provisioning package as image build.
Windows ICD Provisioning package Windows image customization

Lab D: Using the Windows ICD

Scenario
You can use the Windows ICD to create provisioning packages to deploy to existing systems or to deploy
with a new image. You can create a base .wim file and then use provisioning packages to customize the
deployment for different needs, without repeating the .wim file creation process. In this lab, you will
create a provisioning package and then combine that with the previously created .wim file to create a
custom deployment for the IT department.
Objectives
• Create a provisioning package.
• Create a deployment image to include the provisioning package.
Lab Setup
Virtual machines: 20695C-LON-DC1 and 20695C-LON-CFG
Password: Pa$$w0rd
LON-DC1 and LON-CFG virtual machines should still be running from the last lab. If not, you must

o Domain: Adatum
Note: Ensure that 20695C-LON-DC1 starts fully before starting any other virtual machines.

Exercise 1: Create a provisioning package

Scenario
You have created a reference image for deployment throughout your organization. You now need to
create a provisioning package to customize the deployment image for the IT department. You must place
a folder named AdatumData on the C: drive. You must also add the Microsoft IntelliPoint drivers to the
image.
1. Create a new provisioning package for all Windows 10 editions.
2. Use the Windows ICD to add the designated customizations.
3. Save the provisioning package to LON-CFG.
 Task 1: Create a new provisioning package for all Windows 10 editions

1. On LON-CFG, open Windows Imaging and Configuration Designer, and then create a new
provisioning package with the following values:
o Name: LabDPP
o Folder location: E:\Images\WICD
o Description: Provisioning Package for Lab D
o Choose which settings to view and configure: Common to all Windows desktop editions
2. Accept all other options by clicking Next, and then click Finish.
 Task 2: Use the Windows ICD to add the designated customizations

• In the Available customization pane, add the following runtime settings to the package:
o Deployment Assets
o Driver Set: E:\ Software\Drivers\point64
o Name: IntelliPoint Drivers
o Runtime settings
o Folders\
o PublicDocuments,
o Location: Allfiles (E:)\Labfiles\Mod06 file: Mod06_DISM_Powershell.txt

o Relative path to directory on target device: AdatumData
 Task 3: Save the provisioning package to LON-CFG

1. Export LabDPP with the Owner item set to IT Admin, saving it to \\LON-CFG\e$\Images as
LabDpp.ppkg. With all other settings set to the defaults, build the package.
2. Close the project.
3. Browse to E:\Images and note the file named labdpp.ppkg.
Results: After completing this exercise, you should have created a provisioning image and stored it in a
networkshared folder location.
Exercise 2: Creating a Windows 10 deployment package

Scenario
After you have created the reference image and the provisioning package for the IT department, you
need to create the custom deployment media.
1. Create a new Windows image customization.
2. Import the .wim image.

3. Import the provisioning package.
4. Create a Full flash Update (FFU) image and save it to LON-CFG.
 Task 1: Create a new Windows image customization

1. On LON-CFG, open Windows Imaging and Configuration Designer, and then select New Windows
image customization.
2. Create a new project with the following values:
o Name: LabDBuild
o Project folder location: Create a new folder in Allfiles (E:)\Images\WICD\ named
LabDBuildIMG
o Description: Create a Windows 10 Desktop image for Lab D
 Task 2: Import the .wim image

• For the image to import, select Allfiles(E:)\Sources\install.wim. Note that there is only one available
image on install.wim.
 Task 3: Import the provisioning package

• In the New Project Wizard, import the provisioning package from \\lon-cfg\e$\images
\labDpp.ppkg.
 Task 4: Create a Full flash Update (FFU) image and save it to LON-CFG
1. In the Windows ICD console, create the build by using Clean install media with the FFU image
format. Save to E:\Images\WICD\LabDBuildIMG\LabDBuild.ffu.
2. Build the Windows image and note the progress bar on the Build the Windows image page. It will
take several minutes to build the FFU file.
3. Open File Explorer and navigate to Allfiles (E:)\Images\WICD\LabDBuildIMG.
4. Examine the folder contents. You should see the LabDBuild.ffu file. It can be exported to a USB
removable drive or a SD card for deployment to a Windows 10 desktop.
Results: After completing this exercise, you should have created the Windows 10 FFU image to meet the
deployment requirements for the IT department.
 To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

4. Repeat steps 2 and 3 for 20695C-LON-CFG.

Best Practices
• Ensure that there is enough space for Windows Setup temporary files. You might require up to
500 MB of free space.
• Always back up your data before performing an upgrade.
• Prior to capturing an image of your reference machine, remove any null drivers (indicated by yellow
icons in Device Manager) by uninstalling them from Device Manager.
• Ensure that you are capturing the correct partition. Use Diskpart to assign drive letters.
• Always validate answer files in Windows SIM. Using Windows SIM to create and validate your answer
files will reduce the chance that you will create invalid answer files.
• Avoid creating empty elements in answer files. You can use Windows SIM to create empty values.
However, not all settings will work with empty elements, and this might cause deployment issues.

Commands such as Copype are not being

recognized.
The system will not boot from a USB flash

drive with Windows PE.
Sysprep is failing to start.
DISM cmdlets fail within Windows

PowerShell.
Review Question
Question: How would your company benefit from moving to image-based deployments?

As an organization moves from sector-based deployment tools and images, they will see a decrease in:
• The number of images that they must maintain.
• The time required to maintain those images.
• The amount of disk space necessary to store images.
Considering that the Microsoft tools to implement image-based deployments are free, and most
sector-based deployment tools are expensive, the return on investment could be large.
Tools
Tool Location
DISM Install Windows ADK. Accessible from the Deployment and Imaging Tools
Environment command prompt.
Windows SIM Windows ADK
Windows PowerShell Native to Windows. Accessible from the taskbar or Start screen.
Sysprep %WinDir%\System32\Sysprep
7-1
Module 7
Supporting PXE-initiated and multicast operating system
deployments
Contents:
Module Overview 7-1
Lesson 1: Overview of PXE-initiated and multicast operating system

deployments 7-2
Lesson 2: Installing and configuring the Windows DS environment 7-11
Lab: Configuring Windows DS to support PXE and multicast operating system

deployments 7-20
Module Overview
Deploying a new operating system over the network can expedite the deployment process. Windows
Deployment Services (Windows DS) is a server role in Windows Server 2012 R2 that enables computers to
start up via the network and download the operating system over the network. You can deliver this
operating system in the Windows image (.wim) file format and install it on a computer, or you can deliver
it in virtual hard disk format.
This module introduces you to the architecture of network boot, multicasting operating system delivery,
and the Windows DS functionality in Windows Server 2012 R2.
Objectives
• Identify solutions to support PXE-initiated and multicast solutions when performing operating system
deployment tasks.
• Install and configure the Windows DS environment.

7-2 Supporting PXE-initiated and multicast operating system deployments
Lesson 1
Overview of PXE-initiated and multicast operating system
deployments
Windows DS uses two networking technologies during operating system deployment occurring over a
network—Pre-boot Execution Environment (PXE) and multicast. PXE enables the computer to start up by
using the network adapter, and then retrieves information from the Windows DS server to install an
operating system. Multicasting deploys an operating system image to several computers concurrently.
This reduces the network bandwidth that you have to use, because the data is sent over the network only
once per subnet.
This lesson explains the architecture behind PXE. It also describes the factors that you need to consider for
an operating system deployment to work successfully on larger networks.
Lesson Objectives
• Describe PXE.
• Explain the requirements for implementing a PXE-initiated operating system deployment solution.
• Describe how PXE works to deploy operating system images.
• Identify the considerations for implementing a successful PXE environment.

• Explain how to use multicast for operating system deployment.
• Identify the considerations for implementing a successful multicast solution.
• Describe how Windows DS supports PXE and multicast.
What is PXE?
PXE is a specification of client-server technology
that allows computers to start up by using the
network adapter to download and boot into a
minimal operating system while bypassing any
installed operating systems. PXE is primarily used
to install new operating systems. PXE eliminates
the need to have boot media such as DVDs or
bootable USB drives available to start computers.
It uses several standard network protocols, such as
Internet Protocol version 4 (IPv4), Dynamic Host
Configuration Protocol (DHCP), and Trivial File
Transfer Protocol (TFTP) to deliver the operating
system to the computer.
When a PXE boot is initiated, the computer tries to locate available PXE boot servers on the network by
using a PXE redirection service (Proxy DHCP), which may be the PXE boot server itself. The computer then
asks a PXE server for a network boot program (NBP), downloads the NBP into its random access memory
(RAM) by using TFTP, and executes it.
PXE benefits in operating system deployment

Installing an operating system manually on a computer can be very inefficient, especially in large
organizations that deploy hundreds or thousands of computers. However, by using the System
Preparation Tool (Sysprep) and an imaging solution, you could create a custom image that contains the
operating system and any applications that the user needs. You then can upload that image to an image
server, and use PXE to download the image and install the operating system, with applications,
automatically across a network.
Custom images can be more than 10 gigabytes (GB) in size, and downloading that amount of data can
take considerable time and significant bandwidth. Companies that are deploying large numbers of
computers may provide a physical staging area on a dedicated subnet. This helps to isolate operating
system deployment traffic, and avoids extra strain on the normal office local area network (LAN). This can
speed up the deployment of large numbers of computers by taking advantage of the network to multicast
the image to multiple computers simultaneously.
Having the PXE server, DHCP server, and the PXE client on different subnets takes some extra
configuration, which later sections of this module detail. Additionally, depending on your PXE server’s
functionality, you may be able to automate your deployment fully.
Requirements for implementing a PXE-initiated operating system

deployment solution
The only functionality that the PXE server provides
is the delivery of the NBP that starts the operating
system deployment. You will need other
components and services to be available to assist
the PXE server during the operating system
deployment.
The components that you will need in a
PXE-initiated operating system deployment
are a:
• DHCP server, which provides the client
computer with an IP address. Depending on
the placement of servers and clients on your
network, the DHCP server also may need to hand out some PXE-related options. A later topic will
describe this in more detail.
• PXE Server. The PXE Server sends the NBP path to the client after the client receives an IP address
from the DHCP server.
• TFTP Server. The TFTP server sends the NBP to the client.
• Network. If the DHCP server, PXE server, and client are on the same subnet, you do not need to
perform any additional configuration. If one or the other is on a different subnet, you may need to
configure DHCP options 66 and 67. You also may require an IP Helper address, depending on the
configuration. The IP Helper will forward the DHCP/PXE broadcast to the DHCP and/or PXE server,
which will respond to the client computer.
• Client computer. The network adapter on the client computer needs to support PXE booting. The
majority of computers, that most major brands manufacture today, support PXE.
How PXE works to deploy operating system images

Depending on the network configuration, the
DHCP and PXE discover process will have different
sequences.
However, in general, when the DHCP server and

PXE server are on the same subnet, the PXE boot
process takes place in the following steps:
1. The first time a new PXE remote boot-
enabled client computer is turned on, it uses
an extended DHCPDISCOVER broadcast
which adds DHCP option 60 to identify that
the client is PXE-enabled. The PXE client
sends the request to User Datagram Protocol
(UDP) port 67 to request both an Internet Protocol (IP) address for itself and the IP address of a PXE
server.
The PXE client will wait up to 60 seconds for a response, during which time it will retry the
DHCPDISCOVER broadcast four times. If the PXE client does not receive an offer, the boot process
stops with a PXE-M0F error.
2. The DHCP Server sends a DHCPOFFER to the client on UDP port 68.
3. The client sends an extended DHCPREQUEST with a request for the boot-file name.
4. When the client computer receives an IP address from the DHCP server, it requests service from the
PXE server. A request goes to the DHCP Proxy as a broadcast, with the limitations of broadcasts
traversing the network routers. The request contains a Global Unique Identifier and a MAC address to
identify the client computer. The PXE server will respond, depending on the server configuration,
either by servicing the request, ignoring the request, or passing the request to another PXE server.
5. When the client computer receives a reply from the PXE server, it initiates a TFTP download of
the NBP.
6. When the NBP downloads, the client computer executes it. Normally, the NBP prompts the user to
press F12 to initiate a network installation. If the user does not press F12 within three seconds, the
network boot stops, and the client computer attempts to boot from the next available boot device.
When the user presses F12, the client computer uses TFTP to download a program that performs the
network installation.
Note: If DHCP and PXE are on the same server, the DHCP server also sends DHCP option
60, which lets the client computer know that the DHCP server also is the PXE server. If they are on
different servers, the DHCP offer can be split into two separate packages coming from the
different servers. The DHCP server will send out the DHCP offer containing the client’s IP address
and the PXE server will send out the DHCP offer containing the option 60, indicating that the
server is PXE-capable and can supply the boot server and file information.
Considerations for implementing a successful PXE environment

In larger organizations, separate server subnets
help to isolate and secure the network. When the
clients and the DHCP/PXE servers are located on
separate subnets, a mechanism for discovering the
PXE server is required.
At startup, the client requests an IP address from

the DHCP server or a DHCP Relay Agent.
However, the DHCPRequest packet cannot reach
the PXE server, because it is on another subnet.
Therefore, the client can discover the PXE server
through network boot referrals or by configuring
an IP helper address.
Network boot referrals

By using DHCP options 66 and 67, network boot referrals inform the PXE client where to download the
NBP. DHCP options define the following:
• Option 66 defines the PXE server host name or IP address.
• Option 67 defines the path and filename for the NBP.
• Option 60 should be set to the string PXEClient to identify the client as PXE-capable if the DHCP
server and the Windows DS server are on the same physical server.
Network boot referrals may be useful:
• To direct a client computer to download a NBP located at a specific location

• To limit the traffic to a specific server
• To support complex networks and Microsoft Active Directory Domain Services (AD DS) topologies
IP helper address
The IP Helper address allows the local computer to retrieve network configuration settings. This option
involves configuring the router and switching hardware to forward DHCP and PXE boot requests from the
network subnet on which the client is located, to the IP address on which the DHCP server and the PXE
server are located. The UDP traffic being forwarded includes:
UDP Port Common Name
69 TFTP
67 BOOTP Client
68 BOOTP Server
Note: You need to ensure that UDP port 4011 traffic is allowed through any firewalls
between networks.
Advantages and disadvantages of network boot referrals and IP helper address

Network boot referrals IP helper address
Advantages • Can provide more granularity to • Relies on simple Layer 3

direct image deployment from functionality.
specific servers.
Disadvantages • Relies on network adapter BIOS. • Requires network team

Network cards with older PXE ROM involvement to configure
may incorrectly parse the DHCP networking hardware devices.
options returned from the DHCP
• Forwards all DHCP and PXE
server.
traffic on a subnet.
• Option 67 points to a specific boot
file, which does not allow the
Windows DS server to decide which
NBP to send to the client; for
example, 32-bit or 64-bit.
• Client computers may bypass the
Windows DS server answer policy.
• Some Unified Extensible Firmware
Interface (UEFI) systems do not work
with this option for PXE boot.
Using multicast for operating system deployment

When computers communicate on an IP network,
there are three delivery methods:
• Unicast. Delivers a separate network packet to

each recipient. Works with both IPv4 and
Internet Protocol version 6 (IPv6).
• Multicast. Delivers the same network packet

to selected recipients on a subnet. Works with
both IPv4 and IPv6.
• Broadcast. Delivers the same network packet

to all computers on a subnet. Works with IPv4
only.
The unicast method involves sending a separate network packet to each recipient host. As a result, the
load on the network increases with each additional concurrent recipient. Broadcasting involves sending
the same network packet to all hosts, including those not interested in receiving it. Multicasting is the
most practical method for one-to-many delivery, with respect to operating system deployment, because it
only sends the network packets to those computers that are configured to receive packets.
If you want to use the multicast delivery method on your network, there are special IP addresses reserved
for multicast. The deployment server or a special multicast scope on a DHCP server can hand out the IP
addresses. The multicast addresses are:
• IPv4: 224.0.0.0/4 or from 224.0.0.0 to 239.255.255.255
• IPv6: FF00::/8
Note: Each client in a multicast transmission does not get one of these addresses. Instead,
the transmission gets one multicast IP address.
IP multicasting components
A multicast solution consists of several components:
• Host (source or receiver). A host is a client or server on the network. You can configure a host to send
and/or receive multicast traffic.
• Router. A multicast router is capable of handling host requests to join or leave a group, and of
forwarding multicast data to subnets that contain group members. A multicast router can be either a
third-party router that uses a multicast routing protocol, or a Windows Server running the Routing
and Remote Access service.
• Multicast address. A Class D IP address used for sending IP multicast data. An IP multicast source
sends the data to a single multicast address. That specific IP multicast address is a group address.
• Multicast group. A multicast group is the set of hosts that listen for a specific IP multicast address.
A multicast group is a host group.
Before you can use multicast, you must enable the network for multicasting by:
• Configuring hosts to send and receive multicast data.

• Ensuring that your routers support multicast forwarding and multicast routing protocols, and support
the Internet Group Membership Protocol (IGMP).
Multicast support is not enabled by default. It is usually something that involves the network group.
Multicast will not work just because you set up Windows-specific components.
Note: This course does not cover multicast routing protocols.
IGMP is responsible for maintaining the transmission membership on a local subnet. Hosts use IGMP to
send multicast group membership requests to their local multicast router. The routers send out queries to
determine which multicast transmissions are active or inactive on the local subnet.
Multicast and operating system deployment

When you use multicast to facilitate operating system deployment, multiple clients on the same subnet
can connect to the multicast transmission from the deployment server. Normal operating system
deployment with multicast requires the image download to the client to occur first, and then the
installation occurs.
Many multicast deployment servers can generate the transmission and set it to start automatically,
depending on the number of connected clients, or at a specific time. An example scenario in which
multicast is beneficial is if you are about to deploy 20 new client computers on the same subnet, and you
do not want to start the deployment of the new operating system before all 20 client computers are
ready. Another scenario in which multicast is beneficial is if you do not want to start the deployment until
after work hours.
Considerations for implementing a successful multicast solution

Multicasting is not relevant in all deployment
scenarios. The following table provides details that
can help you decide whether your deployment
will benefit from multicasting.
Multicasting may be an option if

Multicasting is not an option if your organization:
your organization:
Has network equipment that Has network equipment that does not support multicasting.
supports multicasting.
Is a large company that requires Deploys images to only a small number of computers
many concurrent installations. concurrently.
Wants to use network bandwidth Network bandwidth is not a limitation.

efficiently.
Has enough disk space on client Has disk-space limitations on the client computers. This is
computers for the image to because the image downloads to client computers and is then
download. installed, instead of being installed from the server.
Note: In Windows DS, a multicast transmission can only be created if there is an image
group containing an image to transmit.
Issues in multicasting operating system deployment

You may encounter the following issues when implementing multicasting:
• If you have multiple servers that are using multicast functionality on a network, you must configure
each server so that the multicast IP addresses do not collide. Otherwise, you may encounter excessive
traffic when you enable multicasting. To ensure that each server is using a unique IP address, use
Multicast Address Dynamic Client Allocation Protocol, or specify static ranges that do not overlap.
• If you change the multicast IP address, UDP port range, or remote procedure call (RPC) port number,
you must restart the service so that the changes can take effect.
• Each transmission can only be as fast as the slowest client. Therefore, the entire transmission will be
slow if you have one slow client. If the deployment is unacceptably slow, determine which client is the
slowest (this is the master client), and disconnect that client. The other clients' multicast performances
should speed up. If the performances do not speed up, repeat this step for the new master client.
How does Windows DS support PXE and multicast?

Windows DS has components that assist with both
PXE-initiated and multicast deployments.
Windows DS consists of two server roles: the
Deployment Server and the Transport Server. The
Deployment Server is the PXE server. You can
configure Windows DS to limit PXE response only
to clients that have been added to an AD DS
domain before installation. This ensures that only
known clients can retrieve an image from
Windows DS. You can configure Windows DS to
require administrator approval before unknown
clients can retrieve an image.
Note: The next lesson provides detailed information regarding Windows DS. This topic only
discusses how Windows DS uses PXE and multicast.
You can create multicast transmissions if images have been added to Windows DS. All Windows DS
servers will use the same IPv4 address ranges, namely 239.192.0.2-239.192.0.254 and FF15::1:1-FF15::1:FF,
and approximately 250 addresses for both IPv4 and IPv6 multicast. If there are several Windows DS
servers, then you need to change the scope manually or choose to obtain addresses from DHCP. Multicast
Address Dynamic Client Allocation Protocol, which is part of the DHCP server, can assign multicast IP
addresses to clients. Windows DS also supports creating transmissions at more than one speed (up to
three) or disconnecting clients that are connecting at speeds that are lower than a configured speed.
You can schedule multicast transmissions to start automatically when the first client requests it, to start at
a specific time and date, or to start when a specified number of clients request the image. You can
configure the multicast to allow clients to join the multicast at any point in the transmission.
Windows Server 2012 R2 supports multicast with IPv6. In Windows Server 2012 R2, there no longer is a
requirement to create a local copy of the image. This shortens the time that it takes to deploy with
multicast.
Statement Answer
Network boot referrals are the preferred method for the client computer to
discover the PXE boot server.

Question
Which DHCP option identifies the client as being a PXE-enabled client?
Option 66
Option 67
Option 44
Option 60
Option 3
Lesson 2
Installing and configuring the Windows DS environment
Windows DS is Microsoft’s implementation of a PXE server. Windows DS makes it possible to deploy the
Windows operating system across a network. Windows Server 2012 R2 and earlier versions of Windows
Server include Windows DS, which aids in automating the image-deployment process. Windows DS also
provides enhancements to the deployment process, such as network boot, dynamic driver deployment,
and virtual hard disk deployment.
This lesson will introduce you to Windows DS and the different options for installing Windows DS.
Additionally, this lesson discusses the image types that Windows DS supports, and explains how to install
and configure Windows DS.
Lesson Objectives
Describe deployment considerations and the services that are included in the Windows DS server role.
• Explain the installation options for the Windows DS server role.
• Describe the image types that Windows DS supports.

• Explain the considerations for designing a Windows DS environment.
• Explain how to install and configure the Windows DS environment.
• Explain how to deploy virtual hard disks by using Windows DS.
• Install and configure Windows DS.
Installation options for the Windows DS server role

Windows DS is a server role that you can install in
the same manner as any server role; by using
Server Manager’s Add Roles and Features Wizard
or by using Windows PowerShell.
Note: You cannot install Windows DS on a

Windows Server Core installation or on a virtual
machine in Windows Azure. You cannot install
Windows DS on a failover cluster node.
Additional Reading: For more information,

refer to Windows Deployment Services Cmdlets in Windows PowerShell: http://aka.ms/R1ng0w.
Windows DS consists of two role services and three management tools:
• Deployment Server. This role service manages end-to-end Windows operating system deployment
solutions, including a PXE component.
• Transport Server. This role service provides basic network services and a PXE listener. This listener
forwards the requests to a PXE provider, which the Transport Server does not include. If you install the
Transport Server role service as a stand-alone component, you must use an additional management
tool, such as Microsoft System Center Configuration Manager, Microsoft System Center Virtual
Machine Manager, or custom deployment services.
• Windows DS snap-in. This is the Windows DS graphical user interface (GUI). You can complete most
Windows DS tasks in this snap-in, which you can install only if you install the Deployment Server role
service.
• WDSUTIL. The command-line management tool for Windows DS. You also can use WDSUTIL to script
Windows DS management.
• Windows PowerShell cmdlets that were introduced in Windows Server 2012 R2.
You can use the Deployment Server and Transport Server roles together, or you can use the Transport
Server role alone by using Configuration Manager or Virtual Machine Manager. You cannot run WDSUtil
and the Windows PowerShell cmdlets remotely. You must log on to the Windows DS server to be able to
configure Windows DS though the command line.
You can install and integrate Windows DS with AD DS, or install it as a stand-alone service. Installing
Windows DS as an AD DS–integrated service provides the following benefits:
• AD DS acts as a data store, and you can pre-stage a computer in AD DS. During the deployment
process, Windows DS will match the physical computer to the AD DS object.
• AD DS allows Windows DS to register as a system services control point. A system services control
point identifies the computer account as a Windows DS server and stores configuration settings, such
as whether the server is responding to PXE requests.
Image types that Windows DS supports

Windows DS supports two different types of
images for deployment:
• Boot images. When you configure

Windows DS as a stand-alone solution, it uses
boot images for starting computers for
capture or for image deployment.
Windows 10 and Windows Server 2012 R2
installation media include a Boot.wim file in
the sources directory that contains Windows
PE and the Windows DS client. Alternatively,
you can use your own customized boot file.
You can create two types of boot images that
have specialized purposes, including:
o Capture images. Capture images are boot images that you use to start a custom configured
system that you have generalized by using Sysprep. You capture the operating system in a .wim
file. You also can create boot media, such as a CD, DVD, universal serial bus (USB) drive, or other
type of media, that contains the capture image, and then you start the reference computer from
the media. You can create a capture image by customizing the default Boot.wim file.
o Discover images. You can use these when clients cannot perform a network boot by using PXE.
They enable a computer to locate a Windows DS server and use it to install an image. You also
can use discover images when a client is not PXE-enabled, a client is on a different subnet and
there is no method of getting PXE to the client, or you want to target a specific Windows DS
server.
• Install images. Install images contain the operating system images for deployment. Windows 10 and
Windows Server 2012 R2 installation media include the basic image used for installation named
install.wim in the sources directory.
You have to add at least one boot image to Windows DS before you can add an install image. If you add
multiple boot images to Windows DS, clients will have a menu of available options when they connect.
Windows 7 and newer operating systems support natively starting the operating system from a virtual
hard disk. Windows 8 and newer operating systems also support starting the operating system from a
.vhdx file. The Windows DS role fully supports deploying virtual hard-disk images and .wim files.
Windows DS will copy the virtual hard disk file to the local hard drive, and then configure the local Boot
Configuration Data (BCD) to use the virtual hard disk file to start the computer.
Designing a Windows DS environment

When you are deploying Windows DS, you can
install either the Deployment Server and Transport
Server roles, or just the Transport Server role. The
following table details the prerequisites for
installing Windows DS and the installation options
to which they apply.
Deployment and Transport Server roles Transport Server role only
AD DS By default, a Windows DS server running both Not required. AD DS only stores

roles must be a member of an AD DS domain or information for the Deployment
a domain controller. Optionally, you can install Server role.
Windows DS in standalone mode.
DHCP server You must have a working DHCP server with an Not required. The Transport
appropriate, active scope to use PXE boot. Server role does not natively
support PXE boot.
DNS server You must have a working DNS server on your Not required for Transport only
network before you deploy Windows DS. mode.
NTFS The server running the Deployment Server role The Transport Server role does
volume must have an available NTFS volume to store not use install images.
the install images.
Credentials The user performing the install is a local The user performing the install is
administrator. When in AD DS mode, the user a local administrator.
that initializes the server must be in the Domain
Users group. If DHCP is located on the server
you must be in the Enterprise Admins group to
authorize the DHCP server.
Your overall deployment strategy will determine the deployment options that you choose. If you are
planning to use a third-party deployment solution, you may need to install just the Transport Server role.
The following table shows a comparison of the differences between installing both roles and installing just
the Transport Server role.
Deployment and Transport Server

Transport Server role only
roles
PXE Includes a PXE provider to support Does not include a PXE provider. To
network boot. support PXE boot, you must install a
custom PXE provider.
Image server Includes a secure store on an NTFS Does not natively store images for
volume for storing images. deployment.
Transmission method Supports both unicasting and Only supports multicasting natively.
multicasting. You configure
multicasting per image that you are
deploying.
Management tools GUI-based through the Windows DS You can manage it by using the
snap-in, or command-line based by WDSUTIL tool natively.
using the WDSUTIL tool.
Client computer Uses the Windows DS client, Only uses WDSMCast.exe or a

deployment WDSMCast.exe from Windows custom multicast application.
Assessment and Deployment Kit
(Windows ADK), or a custom multicast
application.
Using Windows DS with Configuration Manager or VMM

If you are going to use other tools, such as Configuration Manager or Virtual Machine Manager for
operating system deployment, you will not need to install anything extra. This is because the
configuration process for operating system deployment in those products will install the necessary
components automatically.
Multisite operations
When you are planning a Windows DS architecture to include multiple physical locations, it is
recommended that you create a Distributed File System (DFS) shared folder to store your images. DFS
Replication will allow you to maintain consistency across all your Windows DS servers. Additionally, it is
recommended that you configure the supporting environment, such as DHCP and DNS, to direct client
computers to local Windows DS servers.
Additional Reading: For more information, refer to Storing and Replicating Images Using
DFS: http://aka.ms/Qrnzn5.
Client operations
Most client computers will support PXE deployment. If you have systems that do not support PXE, you can
create a discover image in the Boot Images node of the Windows Deployment Services console. You need
to create a bootable media from that discover image. You then can start up the computer with the media
to perform the deployment.
Process for installing and configuring the Windows DS environment

You can install the Windows DS roles through the
Server Manager or through Windows PowerShell.
Before installing an AD DS–integrated
Windows DS server, ensure that the prerequisite
roles are available on your network.
Installing Windows DS
Installing the Windows DS role services through
the Server Manager is similar to deploying other
roles. After choosing the Windows DS role, you
have to choose whether to install both the
Deployment Server and the Transport Server role
services, or just the Transport Server role service.
To use Windows PowerShell for the installation, use the following command:
Install-WindowsFeature –Name WDS -IncludeManagementTools
When you install roles and features by using Windows PowerShell, the management tools are not
included by default. Therefore, you must include the –IncludeManagementTools parameter in the
command, or specify the name of the management tool.
Configuring Windows DS
After you install Windows DS, you have to choose whether you want your initial server configuration to be
stand-alone, or integrated with AD DS. This will configure the PXE provider, but can be unnecessary if you
use it in conjunction with other tools that come with their own PXE provider.
Windows DS stand-alone mode

The following are the general steps that you can follow to configure Windows DS standalone mode:
1. Sign in to the server as a local administrator.
2. Launch the Server Manager, and then in the Tools section, click Windows Deployment Services.
3. Right-click the server icon, and then click Configure Server.
4. Advance the wizard to the Install options page, and then click Stand-alone server.
5. When you advance through the wizard, you will be prompted to configure the Remote Installation
Folder Locations, which is the NTFS partition that will store your images.
6. Next, the wizard will prompt you to configure the PXE Server Initial Settings. This can be one of two
options:
o Do Not Respond to Any Client Computer. You may choose this option if you want to prevent
any computers from attaching until configuration is complete.
o Respond to All (Known and Unknown) Client Computers. Because standalone mode does not
support AD DS integration, all client computers will be unknown.
7. Finally, you will have a chance to add images to the server. You can clear the check box for this
option to install images later.
Windows DS AD DS integrated mode

These are the general steps to configure Windows DS integrated mode:
1. Sign in to the server as a member of the local administrators group.
2. Launch Server Manager, and then in the Tools section, click Windows Deployment Services.
3. Right-click the server, and then click Configure Server.
4. Advance the wizard to the Install options page, and then click Integrated with Active Directory.
5. Advancing through the wizard will then prompt you to configure the Remote Installation Folder
Locations, which is the NTFS partition that will store your images.
6. If the server is also a DHCP server, you will see the Proxy DHCP Server page. On this page, you
should select the Do not listen on DHCP and DHCPv6 ports and Configure DHCP options for
Proxy DHCP check boxes. This will configure DHCP with options to allow your clients to locate the
Windows DS server.
7. Finally, you will have a chance to add images to the server. You can clear this check box for this
option to install images later.
Modifying the Windows DS configuration

After the initial configuration is complete, you can modify the Windows DS configuration through the
Properties dialog box of the server in Windows DS. To access the server properties, right-click a server in
Windows DS, and then click Properties. The tabs in the Properties dialog box are:
• General. Contains information about the Windows DS, including the location of the Remote
Installation folder. The General tab does not include any configurable options.
• PXE Response. Contains the configuration options for the PXE service. On this tab, you can change
the settings you chose during the initial configuration. The PXE options include:
o Do not respond to any client computers. This option disables PXE.
o Respond only to known client computers. This option requires that the client computers be
pre-staged in AD DS.
o Respond to all client computers (known and unknown). This option allows you to require
administrator approval for a deployment.
• AD DS. Includes policies for naming unknown clients. Additionally, you can specify the domain and
organizational unit in which to create an unknown client when joining the domain.
• Boot. Includes options for configuring PXE boot behavior and the default boot images to use.
• Client. Includes the Windows DS client unattend file settings to allow unattended installation of an
image, whether to join the client to the domain, and the ability to enable logging.
• DHCP. Configures integration with DHCP services.
• Multicast. Allows you to configure multicast deployments and the parameters for transferring
images.
• Advanced. Contains settings to specify interaction with AD DS servers.
• Network. Allows you to configure the UDP ports used for image deployment.
• TFTP. Contains the maximum block size settings that control how image files are transferred across
the network.
To automate a Windows DS deployment, you need two answer files:
• Windows DS client unattend file. You require an Unattend.xml file that is stored on the Windows DS
server in the C:\RemoteInstall\WDSClientUnattend folder. This file automates the Windows DS
client screens, such as entering credentials, choosing an install image, and configuring the disk. This
file is added to Windows DS on the Client tab in the Windows DS server Properties dialog box.
• Image unattend file. You require an Unattend.xml file in Windows Vista or later. This file is stored with
the image, and you use it to automate the remaining setup phases. You can add this file to an image
by opening the image properties, and then specifying the file on the General tab.
Using variables in Windows DS answer files

Windows DS deployment can insert values into the Windows DS unattended installation files. The
variables that you can use are:
• %USERDOMAIN%. The name of the user's domain, which is specified by credentials or in the
Windows DS client unattend file.
• %USERNAME%. The user's name, which is specified by credentials or in the Windows DS client
unattend file.
• %USERPASSWORD%. The user's password, which is specified by credentials or in the Windows DS

client unattend file. The password will be written to the unattend file in plain text.
Note: We do not recommend using the %USERPASSWORD% variable because it may pose
a security risk.
• %MACHINEDOMAIN%. The domain containing the computer account that represents the physical
client computer.
• %MACHINENAME%. The computer name of the account that represents the physical client computer.
Preparing the Windows DS environment

After configuring Windows DS, you need to prepare the environment for image captures and
deployments. The following general steps are the first steps you must take after the initial configuration:
• Add the initial boot image. You must have a boot image before you can perform any deployment
tasks.
• Add an install image. You can add the default image from the operating system media.
• Create a capture image. A capture image is a boot image you use to capture a custom operating
system install image.
Deploying virtual hard disks by using Windows DS

Windows DS supports deploying the Windows
operating system as .vhd and .vhdx files, and it
can deploy the files directly or through multicast.
When Windows DS installs a virtual hard disk
image, the deployment process automatically
configures the local BCD for native boot from the
virtual hard disk. The following procedure
provides an overview of the process to deploy a
virtual hard disk:
1. Create a virtual hard disk with an operating

system image. You need to create the .vhd file
to deploy. You can create the reference image
manually or use Deployment Image Servicing and Management (DISM) to apply a .wim file to the
.vhd file. To use DISM to apply a .wim image, create a .vhd file, mount it to a drive letter, and then run
the DISM /apply-image command.
For example, if you are applying the install.wim file to a virtual hard disk mounted on the V: drive, you
would run the following command:
DISM /apply-image /imagefile:install.wim /index:1 /ApplyDir:V:\
2. Import the virtual hard disk into the Windows Deployment Services console. You can import the .vhd
file by following the same method that you use to import a custom .wim file.
3. Create an answer file to deploy the image. You can customize the operating system with an answer
file by following the same method that you use for a .wim file deployment.
Demonstration: Installing and configuring Windows DS

In this demonstration you will see how to:
• Install the Windows DS server role.
• Run the Windows DS server role configuration wizard.
• Configure the Windows DS server role.
• Add a Windows 10 install image to Windows DS.
• Add a Windows 10 boot image to Windows DS.
• Change the DHCP options to support PXE with multiple subnets
Demonstration Steps
Install the Windows DS server role

• Install the Windows DS server role with the following Windows PowerShell command:
Install-WindowsFeature –Name WDS -IncludeManagementTools

Run the Windows DS server role configuration wizard

1. In the Windows Deployment Services console, run the Configure Server Wizard for
LON-DC1.Adatum.com.
2. Select the following options in the wizard:
o Integrated with Active Directory
o E:\RemoteInstall as the path
o Ensure that both check boxes are checked for Proxy DHCP Server.
Note: You would not see this screen if DHCP is not installed on the server.
o Respond to all client computers (known and unknown)
Note: If you receive a message stating “The service did not respond to the start or control
request in a timely fashion”, then start the service manually.
Configure the Windows DS server role

1. In Properties for LON-DC1.Adatum.com, click the AD DS tab, and then select London Clients OU as
the location.
2. On the Multicast tab, click the Separate clients into three sessions (slow, medium, fast) option.
Add a Windows 10 boot image to Windows DS

1. Add a Boot image in the Boot images section in the Windows Deployment Services console.
2. Use the D:\sources\boot.wim file.
Change the DHCP options to support PXE with multiple subnets

1. Open the DHCP console.
2. In the IPv4 section, configure the following Server Options:

o Option 066 Boot Server Host Name: type LON-DC1.Adatum.com as the String value.
o Option 067 Bootfile Name: type boot\x64\pxeboot.com as the String value.
Statement Answer
The PXE provider is part of the Transport Server role.
Statement Answer
Windows DS can be installed on Windows Server Core.

Lab: Configuring Windows DS to support PXE and

multicast operating system deployments
Scenario
To support a PXE and multicast operating system deployment environment, you need to design and
implement a Windows DS solution. This solution must provide efficient management, and also minimize
network bandwidth requirements.
Objectives
• Plan the Windows DS environment.
• Install and configure the Windows DS server role.
Lab Setup
Virtual machines: 20695C-LON-DC1 and 20695C-LON-REF1

Password: Pa$$w0rd
Exercise 1 is a paper-based lab. The remainder of the exercises will require LON-DC1.
Before you begin, you must complete the following steps:
o Domain: Adatum
Exercise 1: Planning the Windows DS environment

Scenario
You must plan and implement the Windows DS environment. To do so, you will use information provided
in an email.
Supporting Documentation
E-mail from Adam Brooks to Chad Corbitt:
----- Original Message -----
Chad Corbitt
From: Adam Brooks [Adam@adatum.com]
Sent: 12 Dec 2015 08:01
To: chad@adatum.com
Subject: Requirements for the new Windows DS environment needed to deploy new Windows 10
computers
Hi Chad,
We have several new Windows 10 computers that we are deploying within the entire corporation. We
need to configure a Windows DS environment to make the deployment go smooth. We have the image
ready, together with files to automate the deployment and migrate the user state.
All configuration options not specified by the considerations should be left at their default. You need to
consider the following when you design the Windows DS environment:
• LON-DC1 has been chosen to host the Windows DS server role.
• LON-DC1 also hosts the Dynamic Host Configuration Protocol (DHCP) server role.
• LON-DC1 has two volumes: Drive C: and drive E:. We do not want to store the Windows DS files and
images together with the operating system.
• The network contains multiple subnets connected with routers that have broadcasts disabled.
• PXE and Multicast transmission needs to be supported. We have some offices where the network
connections do not have the same bandwidth as the newer part of the building. We want the
installation to be as fast as possible for all clients.
• We do not want to create the computer accounts in AD DS before deployment, and we do not want
to delay the deployment by requiring the approval of unknown clients.
• It would be preferable to place the new client computer accounts in the London Clients
organizational unit (OU).
I hope you have everything you need to plan the Windows DS environment.
Thanks, Adam
Windows DS Configuration Planning–Job Aid
Server on which to
install Windows DS
Drive and folder to

save images to
Windows DS AD
installation mode
Stand-alone
Additional options to Option 60

set in DHCP
Option 66
Option 67
Deploy to which Unknown

clients
Known
Require
administrator
approval
Join clients to domain Yes
No
Location for Domain

computer accounts in
AD OU
Computer naming Default Windows DS

format
Other, specify
Should multicast be No
supported and if yes,
how should it be Yes 1 speed
configured
2 speeds
3 speeds
DHCP multicast
scope
Windows DS default
1. Read the supporting documentation and complete the design table.

 Task 1: Read the supporting documentation and complete the design table
• Based on the information in the email, you should be able to complete the Windows DS
Configuration Job Aid that is located in the exercise scenario.
Results: After completing this exercise, you should have filled out the table that leads to a design concept
for the Windows DS deployment to support multiple subnets within the organization. Be sure that the
plan also covers Windows DS configuration requirements.
Exercise 2: Installing and configuring the Windows DS server role

Scenario
Based upon the Windows DS plan, you have to install and configure the Windows DS server role within
your environment. You will install the role and role services, and then configure role settings as stated in
the Windows DS plan. You will also add images to Windows DS and configure a multicast transmission.
You will use the multicast transmission to deploy Windows 10 to a computer.
1. Install the Windows DS server role.
2. Configure Windows DS.
3. Add images to Windows DS.
4. Configure multicast transmission.

5. Deploy Windows 10 via multicast.
 Task 1: Install the Windows DS server role

1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open Windows PowerShell as an administrator.

3. Run the following command to install the Windows DS role and the management tools:
Install-WindowsFeature –Name WDS –IncludeManagementTools
 Task 2: Configure Windows DS

1. From Server Manager, start the Windows Deployment Services console.
2. Run the configuration wizard for LON-DC1.Adatum.com.

3. Select the following options in the wizard:
o Integrated with Active Directory
o E:\RemoteInstall as the path.
o Both check boxes are checked on the DHCP options page.
o Respond to all client computers
4. If you receive a message stating “The service did not respond to the start or control request in a
timely fashion”, right-click LON-DC1.Adatum.com, click All Tasks, and then click Start.
5. Change the following settings in the Properties for LON-DC1.Adatum.com:
o Location for computer accounts: Adatum.com/London Clients
o Multicast configuration: Separate clients into three sessions (slow, medium, fast)
 Task 3: Add images to Windows DS

1. In Hyper-V Manager, insert the D:\Program Files\Microsoft Learning\20695\Drives
\Win10TH2Ent_Eval.iso file to the DVD drive of 20695C-LON-DC1.
2. In the Windows Deployment Services console, add D:\sources\boot.wim as a boot image.
3. In the Windows Deployment Services console, create an image group in Install Images named
Windows 10.
4. In the Windows Deployment Services console, add D:\sources\install.wim as an install image to the
Windows 10 install image group.
 Task 4: Configure multicast transmission

1. In the Windows Deployment Services console, create a multicast transmission from the Windows 10
Enterprise Evaluation install image.
2. In the Create Multicast Transmission Wizard, use London MultiCast as the name for transmission and
Auto-Cast as the multicast type, and then accept the other default values.
3. Verify that no clients are connected to the London Multicast multicast transmission.
 Task 5: Deploy Windows 10 via multicast

1. Change the boot order for 20695C-LON-REF1 to boot from the Legacy Network Adapter.
2. Start 20695C-LON-REF1, and then press F12 when prompted.

3. Select the defaults in the Windows Setup wizard. Sign in as Adatum\Administrator with the
password Pa$$w0rd.
4. When the Installing Windows page appears, and the installation begins, switch to LON-DC1.
5. In the Windows Deployment Services console, click the Refresh button on the toolbar. Notice that
one client is connected.
Note: At this point, you can end the lab.
Results: After completing this exercise, you should have deployed and configured Windows DS to support
the imaging environment. You will have also performed a Windows DS multicast deployment of
Windows 10.
 To prepare for the next module

4. Repeat steps 2 and 3 for 20695C-LON-REF1.


Best Practices
• In environments with multiple subnets, use IP Helpers. Some UEFI computers do not support PXE
booting with DHCP options 66 and 67.
• Move the client computer and the Windows DS server as close to each other as possible on the
network.
• Have sufficient bandwidth on the network. You may have to upgrade your network infrastructure to
support greater bandwidth and higher throughput. For instance, you may have to upgrade from 100
Mb to 1 Gb, upgrade cabling, use routers or switches instead of hubs, or lower the number of clients
that are able to concurrently access a particular network segment.
• Reduce image size: Because larger images mean longer installation times and greater network strain,
consider creating images that contain minimum customization, drivers, and applications; or consider
creating specialized images for each department, hardware type, or function.
• Use Performance Monitor to identify resource issues on Windows DS servers. The following are useful
counters for diagnosing Windows DS performance:
o Network Interface (Bytes Sent/sec)
o PhysicalDisk (Avg. Disk sec/Read, Avg. Disk sec/Write, and Current Disk Queue Length )
o Process (Page Faults/sec)
o Processor (% Processor Time)

o WDS Multicast Server (all counters)
o WDS TFTP Server (all counters)
o WDS Server (all counters)

• Use Dynamic Driver Provisioning. It is not necessary to update images when you introduce new
hardware into the environment. By storing drivers centrally on deployment servers, separate from
images, you can install drivers dynamically.
• Reduce the number of drivers on individual PCs to reduce the number of potential driver conflicts.
This ultimately streamlines installation and setup times, and improves the reliability of the PC.
• Partition network segments to distribute the load across multiple servers.

• Ensure that the disk that contains the remote install folder has enough throughput to meet the client
demand.
• Ensure that there is sufficient memory on the server to handle the demands.
• Use Windows DS together with software deployment tools such as Microsoft Deployment Toolkit or
System Center 2012 R2 Configuration Manager.

Multicast transmissions are running slow.
After enabling multicast traffic, you notice

excessive traffic on the network.
PXE client boot performance takes a long

time in a branch office.

Outdated driver and BIOS versions can affect the success of PXE booting for client computers. If you
encounter issues trying to start computers from PXE boot, ensure that network interface card (NIC) drivers
and BIOS firmware are up to date. Consult the vendor sites if necessary.
Tools
Tool Used for Where to find it
Windows Deployment Services Configuration of Windows DS Installed with the Windows DS

console role
WDSUtil.exe Command-line configuration of Installed with the Windows DS

the Windows DS server role
Windows PowerShell cmdlets Command line configuration of Installed with the Windows DS
the Windows DS server role on Windows Server 2012
R2
WDSMCast.exe Connect to a multicast Windows Assessment and

transmission from Windows DS Deployment Kit (Windows ADK)
DISM.exe Capture or apply a Windows Built into the Windows

image from the command line operating system
Windows System Image Create unattend files to Windows ADK

Manager automate deployment
8-1
Module 8
Implementing operating system deployment by
using the MDT
Contents:
Module Overview 8-1
Lesson 1: Planning for the MDT environment 8-2
Lesson 2: Implementing MDT 2013 Update 2 8-9
Lesson 3: Integrating Windows DS with MDT 8-23
Lab: Operating system deployment using the MDT 8-27
Module Overview
The Microsoft Deployment Toolkit (MDT) 2013 Update 2 is a collection of tools, processes, and guidance
that you can use to manage and deploy operating system images. You can use the MDT to perform
lite-touch installations (LTIs), which require little user interaction. You can enhance the LTI deployment
process by integrating MDT with Windows Deployment Services (Windows DS) in the Windows Server
2012 R2 operating system. You can add enhancements to zero-touch installations (ZTIs) by integrating
MDT 2013 Update 2 with Microsoft System Center 2012 R2 Configuration Manager.
Objectives
• Describe the MDT components and process for a lite-touch deployment strategy.
• Install and configure the MDT environment.
• Describe how you configure Windows DS to integrate with MDT 2013 Update 2.
8-2 Implementing operating system deployment by using the MDT
Lesson 1
Planning for the MDT environment
To plan the MDT deployment process, you first must understand the various available integration
strategies. MDT 2013 Update 2 supports LTI, which automates most of the installation process and
requires minimal user interaction to complete. In this lesson, you will learn how to plan the MDT
environment.
Lesson Objectives
• Describe the MDT deployment process.
• Plan the MDT imaging strategy.
• Describe the prerequisites for using MDT.
• Describe the MDT deployment share.

• Explain task sequencing.
Strategies for integrating MDT into a deployment process

In most deployment environments, IT specialists
no longer deploy operating systems and apps
manually. They now utilize a more automated
deployment environment. One common way of
implementing automation is by using MDT 2013
Update 2 as the primary tool in an LTI
deployment. An LTI deployment is a methodology
that requires light interaction from the
administrator or a user who has access to start the
LTI process, and depending on the level of
automation, input customized information during
deployment. This high-volume deployment
strategy works well for medium-sized organizations that have an information technology (IT) staff.
When you use LTI, you start a deployment on each computer, and then configure deployment settings.
This automates the deployment and typically requires no user intervention. The lite-touch occurs when
you start the computer and input customized information, which starts the entire process.
Note: You can preconfigure deployment settings to provide the information that the user
would normally have to provide. This can automate the LTI deployment to the point that the user
needs only to run a command to start the LTI deployment.
Organizations that maintain a standardized environment, but do not have the required infrastructure or
skilled staff for a ZTI, can utilize the functionality in MDT 2013 Update 2 to support LTI scenarios. Then, in
the future, those organizations can use the experience and knowledge their IT personnel gained from LTI,
to migrate to a ZTI environment. ZTIs do not require customized information from an administrator or
user to start the deployment process. When the computers are started, they immediately proceed with the
installation. Furthermore, if you use With Wake-on-LAN technologies, you can start the computers
remotely to begin the process. The ZTI methodology requires a System Center 2012 Configuration
Manager (Configuration Manager) infrastructure as its primary tool.
Note: The “Implementing operating system deployment by using Configuration Manager”

module covers the ZTI solution more in-depth.
One of the common purposes for MDT 2013 Update 2 in an LTI or ZTI scenario is to create a reference
image. In this case, you separate the reference-image creation process from the production deployment
process. MDT creates the reference image by capturing a reference computer operating system into a
Windows image (.wim) file. You can configure a particular computer with all of the settings and apps that
you want to deploy to other computers, and then capture it to a .wim file. You then can use the .wim file
as a basis of deployment through MDT, or alter it by adding drivers, packages, and apps by using task
sequences when deployment occurs.
When preparing to use the LTI method, you can divide your preparation into four major tasks:
• Plan the MDT imaging strategy. Your imaging strategy will determine how you build the MDT
management computer.
• Install the prerequisites and MDT 2013 Update 2 and the Windows Assessment and Deployment Kit
(Windows ADK) for Windows 10, both of which are free downloadable solution accelerators from
Microsoft. The LTI method has fewer prerequisites than other installation strategies.
• Create the deployment share. The deployment share is the repository for all of the deployment files.
• Create and customize the task sequences. You can use task sequences to automate the build and
deployment processes.
Planning the MDT imaging strategy

When you are planning MDT deployments, you
should consider several factors. The deployment
process can be space-intensive for both networks
and hard drives. The following table provides an
example of possible answers that can help you to
plan your MDT deployment.
Considerations Overview
Where will you store your distribution LTI deployment files are stored in the MDT deployment
files? shares. ZTI and user-driven installation deployments
integrate with System Center 2012 Configuration Manager,
which stores most of these files on distribution points.
Depending on your environment, you might need to have
multiple deployment shares.
Will you deploy across the network, or If you are deploying across the network, verify that there is
with removable media, or both? Will sufficient bandwidth between the deployment shares or
you use multicast deployments? distribution points, and target computers.
What is your imaging and source-file You can create .wim files containing multiple images or
strategy? single images. Additionally, you might decide to include
applications in your images.
Will you deploy the image from the The packaged Windows Media file contains the Install.wim
packaged Windows Media file, or will file, which is the basis for all Windows operating system
you create custom images? installations. Typically, you use the Install.wim file to deploy
the reference computer, and you then use the reference
computer to create custom images for installation on client
computers. The custom image output will be a .wim file
that you name intuitively, depending on its purpose.
Will you need to create custom boot Although the Boot.wim file included with the Windows
images? media will work in the majority of cases, boot images are
hardware-dependent, and you might need to customize
them for mass storage drivers or network drivers.
How are you going to manage Depending on your organization’s size, you might use
product keys and licensing? individual product keys or volume license keys. You need to
consider providing licensing services and activation
procedures, as well.
Are you going to allow users to choose You can choose between LTI, ZTI, and user-driven
any installation parameters? installation deployments. The latter allows you to specify
the level of control that you want users to have over the
operating system deployment.
How will you allow apps to deploy? Apps can be imbedded in the image as part of the
deployment or selected at deployment time or you can let
users install apps post-deployment. Keep in mind that users
would need local administrator rights to install apps
manually.
Are you going to migrate user-state When replacing existing computers, you might want to
settings? save and restore local user settings throughout the
deployment process.
Do you want to back up the When refreshing computers with a new operating system,
computers prior to deployment? you might want to back up the computer prior to
deployment. The amount of storage space required for this
will influence your decision.
Do you want to use Windows When deploying to laptops or tablets, you might want to
BitLocker Drive Encryption? use BitLocker to protect or encrypt laptop or tablet drives
in case they are stolen or lost.
Considerations Overview
Will you deploy 32-bit or 64-bit If you deploy multiple operating architectures, this
architectures, or both? increases the amount of hard drive space required on the
deployment share.
Will you deploy multiple editions of If you deploy multiple operating system editions, this can
the Windows operating system? increase the amount of hard-drive space that the
deployment share requires.
What deployment scenarios are you You can deploy operating systems to new systems, migrate
planning? existing computers (replacement scenario), or install
operating systems on existing computers (refresh scenario).
Prerequisites for using MDT

You can install MDT 2013 Update 2 on Windows 7
and newer Windows client operating systems, and
Windows Server 2008 R2 and newer Windows
Server operating systems.
MDT 2013 Update 2 can deploy Windows 10 and
Windows Server 2012 R2 editions. However, you
cannot configure older versions of MDT to deploy
these two operating systems. MDT 2013 Update 2
can also deploy Windows 8, Windows 8.1 and
Windows 7, in addition to Windows 2008 R2 and
Windows Server 2012. MDT 2013 Update 2 does
not support deploying Windows XP, Windows
Vista, Windows Server 2003, or Windows Server 2008.
Using MDT for LTI deployments has the fewest prerequisites of all MDT deployment strategies. The
management computer, which will host the deployment share, requires enough available hard-drive
space to hold all of the deployment files, while the computer on which you will install MDT 2013 Update 2
requires the following software:
• Microsoft .NET Framework
o .NET Framework 3.5 Service Pack 1 (SP1) for Windows 8, Windows 8.1, and Windows 10
o .NET Framework 4.0 for Windows Server 2012 and Windows Server 2012 R2
• Windows PowerShell: command-line interface:
o Windows PowerShell 2.0 or newer for Windows 8, Windows 8.1, and Windows 10
o Windows PowerShell 3.0 for Windows Server 2012 and Windows Server 2012 R2
• Windows ADK for Windows 10
• Operating system distribution files
• Device drivers for the reference computer
• Device drivers for the target computers

Additionally, you will need the following server roles in your environment:
• Domain Name System (DNS) services
• Dynamic Host Configuration Protocol (DHCP) server
Optionally, you can integrate the MDT with a Windows DS server. You also can deploy software updates
from Windows Updates or Windows Server Update Services (WSUS) as part of a custom task sequence.
These updates install when you deploy the target system. In this scenario, you must provide a WSUS
infrastructure before using this task sequence. You can use the Install Updates Offline task sequence to
create a selection profile to specify which particular updates to deploy.
What is the MDT deployment share?

The MDT deployment share is a shared location
that contains all of the files required for a
management computer. You can create the
deployment share on a management computer,
or you can use a different share on the network.
The name of the default deployment share is
DeploymentShare. It is shared as a hidden share
named DeploymentShare$, but you can use any
name for the folder and share.
The deployment share consists of the following

folders:
• $OEM$. This is a legacy folder for adding

supplemental files to a Windows operating system deployment.
• Applications. This folder contains application files for installation through MDT task sequences.
• Backup. This folder contains backups of MDT components.
• Boot. This is the default location for storing boot images.

• Captures. This is the default location for storing captured images.
• Control. This folder contains task sequences in subfolders and control files, such as the
CustomSettings.ini and Bootstrap.ini files.
• Operating Systems. This is the default location for imported operating system install images.
• Out-of-Box Drivers. This is the default location for storing non-Microsoft drivers. This will typically be
used to store vendor-issued drivers that you have gathered for specific computer models or devices.
This location becomes a driver repository for Plug and Play (PnP) during deployment.
• Packages. This is the default location for operating system packages, such as security updates or
language packs.
• Scripts. This contains the default MDT scripts.
• Servicing. This contains x86 and x64 tools such as DISM.exe, ImageX.exe and various provider
DLL files.
• Templates. This contains the MDT 2012 Security Compliance Manager Group Policy Object (GPO)
packs.
• Tools. The default location for the MDT tools that you can use with ZTI deployments.
Some of these folders appear in the MDT Deployment Workbench, such as Applications, Operating
Systems, Out-of-Box-Drivers and Packages.
Overview of the task sequence

A task sequence automates the task steps
performed during LTI on a client computer. It is
the overall framework of the activity or process.
A task sequence consists of a series of steps that
must occur to perform the deployment, for
example, formatting the disk, installing the
operating system, and joining the domain.
Task sequences are not a scripting language, but

they do provide instructions to the deployment
client on what steps to perform and the order in
which they should occur. In addition to the
predefined tasks that are available in MDT, a task
sequence can run Windows PowerShell scripts or scripts written in the Microsoft Visual Basic Scripting
Edition (VBScript) language, and other scripts.
You can use the MDT Workbench or Windows PowerShell MDT cmdlets to create and manage task
sequences. When using the MDT task sequences, ensure that all of the deployment steps happen in the
correct order. The following list provides an overview of the components that make up a task sequence:
• Task steps. These steps define the individual actions in the task sequence. Task steps can consist of
actions and conditions.
• Actions. These are the actual commands performed in the task steps. There are two types of actions:
built-in, and custom.
• Built-in action. This is a predefined step, such as partitioning a hard drive, which a task sequence can
perform.
• Custom action. This is a script or command, which the administrator provides, that the task sequence
can perform.
• Conditions. These are parameters within a task step or task group to determine if the step or group
should be processed.
• Group. This is a logical grouping of task steps in a task sequence.
MDT 2013 Update 2 also has several task sequence templates that cover common deployment scenarios.
You can use these templates directly or modify them for particular requirements. The next lesson will
discuss the available templates.

Question
Which of the following operating systems can MDT 2013 Update 2 deploy? Choose
all that apply.
Windows Server 2008
Windows 10
Windows 7
Windows Vista
Windows Server 2012
Statement Answer
You can install only MDT 2013 Update 2 on client computers running
Windows 8 or newer operating systems.
Lesson 2
Implementing MDT 2013 Update 2
By using MDT, you can automate and customize your organization’s computer deployment. You can
configure MDT to specify different actions for different types of deployments and the operating systems
that are deployed. For example, you can specify the user data and apps that are on the operating system,
and any updates or drivers they contain. In this lesson, you will learn how to configure and use MDT.
Additional Reading: For more information, refer to Get started with the Microsoft
Deployment Toolkit (MDT): http://aka.ms/Ruvrsi.
Lesson Objectives
• Install and configure MDT 2013 Update 2.

• Describe the MDT deployment process.
• Configure the deployment share.
• Describe the MDT configuration files.

• Describe the MDT task-sequence templates.
• Configure an MDT task sequence and update the deployment share.
• Describe language-pack deployment integration.

• Deploy Windows operating systems by using the Deployment Wizard.
• Describe the advanced configuration and monitoring options for MDT 2013 Update 2.
Installing and configuring MDT 2013 Update 2

Installing the MDT is a multistep process that is
not complete until after the installer utility has
finished running. After choosing or building a
system to host the MDT, you can download and
run the MDT setup program
MicrosoftDeploymentToolkit2013_x64.msi.
Note: Windows ADK for Windows 10 must

be installed prior to installing the MDT 2013
Update 2 files. Otherwise, you cannot use the
deployment share node. Note that you do not
need to install all utilities in Windows ADK for
Windows 10. For the MDT, you only need to install the Deployment Tools, Windows
Preinstallation Environment (Windows PE), and User State Migration Tool (USMT).
After installing the MDT, the next step is to start the Deployment Workbench and begin configuring the
MDT environment. In the Deployment Workbench, you should configure the Components container first.
The Components container displays the status of the MDT components. Some components will display as
already installed, and some may show as required. Required components will need to be downloaded and
installed. If you are connected to the Internet, you can highlight any component, and then click
Download to download the component for installation.
After the initial installation is complete, you need to create your first deployment share. The deployment
share is created as a physical structure on a hard drive, and most of the deployment share folders on the
hard drive are directly represented as folders in the Deployment Workbench. In addition to the default
folders, you can create subfolders through the Deployment Workbench to keep your objects organized.
You can create multiple deployment shares to support multiple deployment configurations, if desired. You
may also create deployment shares on alternate servers across a wide area network (WAN) connection,
especially when you have limited bandwidth. To create a new deployment share, right-click the
Deployment Shares node, click Create New Deployment Share, and then complete the steps in the
New Deployment Share Wizard.
Overview of the MDT deployment process

You can use the MDT to automate the
deployment of Windows operating systems,
applications, desktops, laptops, tablets, and
servers in the enterprise. In essence, the MDT
helps you configure the unattended answer files
and provides tools for automating additional
components and settings. The MDT allows you to
automate the creation of a reference computer
and then capture that computer to an image,
which you then can deploy to target computers.
When you follow the LTI process (which uses only

the tools available in the MDT), you perform the
following high-level steps:
1. Install the MDT, create a deployment share on the management computer, and then import the
source files that you want to use.
2. Create a task sequence and boot image for the reference computer.
3. Update the deployment share with any changes.
4. Boot the reference computer with the MDT media. This will provide access to the task sequence files,
the task sequence, and the boot image to the reference computer.
5. Run the Deployment Wizard to install the operating system on the reference computer, and capture
an image of the reference computer.
6. Copy the captured image to the management computer.
7. Create the boot image and task sequence to deploy the captured image to target computers.
8. Update the deployment share.

9. Boot the target computer with the MDT media. This will provide the reference computer with access
to the task sequence files, the task sequence, and the boot image.
10. Run the Deployment Wizard to install the operating system on the target computer.
Demonstration: Configuring the deployment share

• Install MDT 2013.
• Add the Windows ADK prerequisite files.

• Create an MDT deployment share.
• Examine the MDT deployment share properties.
• Import operating system files into an MDT deployment share.
• Create a subfolder in the Out-of-Box Drivers folder.
• Import device drivers into an MDT deployment share.
Demonstration Steps
Install MDT 2013
1. On LON-SVR1, open File Explorer, and then browse to \\LON-DC1\Labfiles\MDT2013.
2. Install MicrosoftDeploymentToolkit2013_x64.msi.
3. Complete the Microsoft Deployment Toolkit 2013 Update 2 (6. 3.8330.1000) Setup Wizard with the
default settings.
Add the Windows ADK prerequisite files

1. Open File Explorer, and then browse to \\LON-DC1\Labfiles\WADK.
2. Run adksetup.exe as an administrator, and then install Windows ADK. When prompted to add or
remove features, click Continue.
3. On the Select the features you want to install page, select the check boxes next to Deployment
Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tool
(USMT). Clear the checkbox on any other components, and then click Change.
Note: This process takes approximately five minutes.
4. Complete the Assessment and Deployment Kit Wizard, and then close File Explorer.
Create an MDT deployment share

1. On LON-SVR1, insert the D:\Program Files\Microsoft Learning\20695\Drives
\Win10TH2Ent_EVAL.ISO into the virtual machine’s virtual hard drive.
2. From the Start screen, open the Deployment Workbench New.
3. Right-click Deployment Shares, and then click New Deployment Share.
4. Create a DeploymentShare folder on drive C.
5. Complete the New Deployment Share Wizard with default settings.

Examine the deployment share properties

1. Expand both the Deployment Share and the MDT Deployment Share (C:\DeploymentShare)
nodes.
2. Open the Properties window for the MDT Deployment Share.
3. Examine each tab in the MDT Deployment Share (C:\DeploymentShare) Properties dialog box.
4. Close the MDT Deployment Share (C:\DeploymentShare) Properties dialog box.
Import operating system files into the deployment share

1. From the Operating System folder, click Import an Operating System.
2. Use the Import Operating System Wizard to import source files.
3. Complete the Import Operating System Wizard using defaults.
Create a subfolder in the Out-of-Box Drivers folder

• Right-click the Out-of-Box Drivers node, and then create a new folder named Intellipoint Drivers.
Import device drivers into the deployment share

1. From the Intellipoint Drivers folder, click Import Drivers.
2. Use the Import Driver Wizard to import all device drivers from \\LON-DC1\Labfiles\Drivers
\point64.
3. Complete the Import Driver Wizard by using the default settings.

4. After all demonstration steps are complete, leave the virtual machines running for the next
demonstration.
Overview of the MDT configuration files and database option

You can use two files to control the behavior of
installations that you deploy from a deployment
share. The rules shown in the Deployment Shares
Properties are stored in the CustomSettings.ini file,
which is in the deployment share in the Control
folder. The CustomSettings.ini file is the primary
configuration file for the deployment share. All
installations from the deployment share process
this file’s settings.
Also found on the Rules tab is the Bootstrap.ini

file, which is stored in the deployment share in the
Control folder. The BootStrap.ini file processes
before the CustomSettings.ini file.
The Bootstrap.ini file and the CustomSettings.ini file are organized into sections. The first section is the
Settings section, which defines the file’s contents, including:
• Priority. Specifies the sections to process during deployment and the order in which to process them.
This property is in both the Bootstrap.ini file and the CustomSettings.ini file.
• Properties. Specifies the variables that you are defining for use in the file. This property is in the
CustomSettings.ini file only.
Additionally, each of the files contains the Default section, which stores the default properties when you
create a deployment share.
The CustomSettings.ini file

The scripts for LTI use properties that the CustomSettings.ini file defines. If you choose to use the LTI
scripts without configuring the required properties in the CustomSettings.ini file, your deployments likely
will fail. You can configure more than 200 properties in the CustomSettings.ini file for both LTI and ZTI
scripts. For a complete list of the settings, review the Toolkit Reference.docx that the MDT documentation
includes.
The CustomSettings.ini file is a text file that you can configure by using a Property=Value format. For
example, to configure the Deployment Wizard to skip the Join the computer to a domain or workgroup
page, and to specify the domain that the computer should join, configure the following entries in the
Default section of the CustomSettings.ini file:
• SkipDomainMembership=YES
Tells the Deployment Wizard to skip the Join the computer to a domain or workgroup page.
• JoinDomain=<domain>
Configures the computer to join the <domain> during deployment.
• DomainAdmin=<adminaccount>
Specifies the account to use to join the domain. This account must be a member of the Domain
Admins group in the <domain>.
• DomainAdminDomain=<domain>
The domain of which the DomainAdmin account is a member.
• DomainAdminPassword=<adminpwd>
The password the account specified in the DomainAdmin property.

When you create additional sections in the CustomSettings.ini file, you must list the sections in the
Priority property in the Settings section, and then identify them with square brackets, such as
[SectionName].
When you turn on Monitoring, the script adds certain entries automatically to CustomSettings.ini, such as
EventService. For example, the following entry is added when you enable Monitoring with the default port
numbers on LON-SVR1.
EventService=http://LON-SVR1:9800
The Bootstrap.ini file

Bootstrap.ini is configured similarly to the CustomSettings.ini file, although it uses only a subset of the
values that you can use in CustomSettings.ini. You use the Bootstrap.ini file when a target computer is
unable to connect to the appropriate deployment share. The bootstrap.ini file instructs the boot media
where to find the deployment share. Without it, there is no way for the boot media to know where the
share is, or how to connect to it so that the process can continue. The default Bootstrap.ini file includes
only the Universal Naming Convention (UNC) path to the deployment share. If the deployment share
requires credentials to access the share, you can configure the following properties:
• UserDomain=<domain>
The domain that contains the user account that can connect to the deployment share.
• UserID=<username>
The user account name of the user who is allowed to connect to the deployment share.
• UserPassword=<password>
The password for the user account that can connect to the deployment share.
Additionally, the Bootstrap.ini file can contain a property to skip the initial Welcome screen,
SkipBDDWelcome, or to specify the keyboard language, KeyboardLocalePE. You must configure both
the SkipBDDWelcome and KeyboardLocalePE properties in the Bootstrap.ini and CustomSettings.ini file
to function properly.
Database option
As an alternative to using the CustomSettings.ini text file, you can prestage your Windows 10 deployment
information in a Microsoft SQL Server 2014 SP1 Express database. You then can use the database to
specify data, such as computer names, IP addresses, apps that you want to deploy, and many other
settings, to those operating systems that you are deploying.
You also can use a full version of a SQL Server, but this will require additional licensing. We recommend
using the free SQL Server 2014 SP1 Express version, because most deployment databases are small, even
in large enterprise environments.
You configure the database option for the MDT in the Deployment Workbench. Go to the Database node
in the Advanced Configuration node under Deployment Share. In the Database node of the
Deployment Workbench, you can use the New DB Wizard to add information about the deployment
database, including the server name, database name, instance, and the port number. This wizard contains
the following configuration pages:
• SQL Server Details. Add the SQL Server name and instance, and the network library type. The default
type of network library is Named Pipes. Microsoft recommends using Named Pipes, because it
works well with Windows Preinstallation Environment (Windows PE).
• Database. Use an existing database, create a new database, or create tables and views in an existing
database. In most cases, you would create a new database.
• SQL Share. When Windows PE is running, it needs to communicate with the server that is hosting the
database. By default, this communication is through Windows integrated security, so you must map a
drive directly to establish a secure connection. The communication type is Server Message Block
(SMB) and SQL named pipes. However, the purpose of this share is to authenticate to the SQL Server.
This is required only if you use named pipes as the network library. You use named pipes because
they are easier to authenticate using a share. If you select TCP/IP as the network library, the
connection string would have to include a user name and password, which, in turn, must be written
somewhere in plain text. If you are using SQL Server 2014 SP1 Express that is running on your MDT
server, you can use the default MDT share, DeploymentShare$.
You also can configure database rules by using the Configure DB Wizard, which walks you through the
following configuration pages:
• Computer Options. Add several computer-related queries, such as computer-specific settings, role
assignments, apps to be installed, and other options.
• Location Options. Add location-related queries, such as location names based on default gateways
or other location-specific settings.
• Make/Model Options. Add make and model-related queries.
• Role Options. Add role-related queries.
Additional Reading: For more information, refer to Microsoft Deployment Toolkit (MDT):
http://aka.ms/N4twrh.
Overview of the MDT task sequence templates

MDT includes task sequence templates for the
most common deployment scenarios. When
creating task sequences for your deployments,
you start by choosing one of the available
templates. Ten predefined task sequence
templates and one custom task sequence
template are available:
• Sysprep and Capture. Use to automate the

running of the System Preparation Tool
(Sysprep) and the capturing of a reference
computer.
• Standard Client Task Sequence. Use to

create the default task sequence for deploying operating system images to client computers. This
template includes several generic tasks, such as creating a reference computer, which you can enable
or choose not to perform, as necessary. The next demonstration shows you how to use this
functionality.
• Standard Client Replace Task Sequence. Use to back up a client system completely, including the
user state data, and then wipe the disk before deploying an operating system.
• Standard Client Upgrade Task Sequence. Use to automate the process of upgrading a PC currently
running Windows 7, Windows 8, or Windows 8.1 to Windows 10.
• Litetouch OEM Task Sequence. Use to preload operating system images on computers in a staging
environment prior to deploying the target computers in the production environment. Typically,
computer original equipment manufacturers (OEMs) use this template.
• Standard Server Task Sequence. Use to create the default task sequence for deploying server
operating system images to servers.
• Standard Server Upgrade Task Sequence. Use to automate the process of upgrading a server
currently running Windows Server 2008 or newer Windows Server operating system to Windows
Server 2016.
• Post OS Installation Task Sequence. Use to perform tasks after you deploy an operating system to a
target computer, such as enabling Windows Update.
• Deploy to VHD Client Task Sequence. Use to deploy an operating system to a target computer’s
virtual hard disk for Boot from VHD installations on client computers.
• Deploy to VHD Server Task Sequence. Use to deploy an operating system to a virtual hard disk on
a target computer for Boot from VHD installations on servers.
• Custom Task Sequence. Use to create a customized task sequence. A custom task sequence has only
one task available after creation—the Install Application task. However, you can add other tasks to
the task sequence.
After you create a task sequence, you can further customize each task in the task sequence. You also can
add new tasks to the task sequence.
Demonstration: Configuring a task sequence, and updating the

deployment share
• Create a standard client upgrade task sequence.
• Edit the standard client upgrade task sequence.
• Update the deployment share.
Demonstration Steps
Create a standard client upgrade task sequence

1. In the Deployment Workbench, in the MDT Deployment Share (C:\DeploymentShare), in the Task
Sequences folder, create a New Task Sequence.
2. Use the New Task Sequence Wizard to create a task sequence with the following information:
o Task sequence ID: LON-001

o Task sequence name: Upgrade to Windows 10
o Template: Standard Client Upgrade Task Sequence
o Operating system: Windows 10 Enterprise Evaluation in Windows10x64 install.wim
o Product key: Do not specify a product key at this time
o Full name: Administrator
o Organization: Adatum
o Administrator password: Pa$$w0rd
3. Complete the wizard with the default settings.
Edit the standard client upgrade task sequence

1. From the Task Sequences node, open the Upgrade to Windows 10 task sequence.
2. View the properties of the task sequence.
3. In the Upgrade the Operating System section, edit the Inject Drivers task step to use the Nothing
selection profile.
4. Close the Upgrade to Windows 10 Properties window.
Update the deployment share

1. Right-click the MDT Deployment Share (C:\DeploymentShare), and then click Update
Deployment Share.
2. Complete the wizard with default settings.

Integrating language packs into the deployment process

Many organizations span multiple countries or
regions, and have offices and factories across the
world. In such situations, users expect an
operating system and apps designed for a user’s
productivity to be available in their language.
The Windows operating system is

language-neutral, and you add all language and
locale resources through language packs using
Lp.cab files. Language packs are one of the
package types that you can add to the MDT, and
they enable a multilingual Windows environment.
You can enable those languages when installing
the operating system by adding one or more language packs to the deployment task sequence. This
means that you can deploy the same Windows image to regions with different language and locale
settings, thereby reducing development and deployment time.
Lpksetup.exe
Lpksetup.exe is a tool that allows you to perform unattended or silent-mode language pack operations,
and runs only on online Windows operating systems. You can install or uninstall specified language packs.
You can run Lpksetup.exe in silent mode to suppress the user interface while the install or uninstall
operation occurs, or you can manually run the tool after installation from Control Panel. If you are
performing an unattended installation, you first must download the language pack that you wish to
install. If you are using Control Panel, the language pack that you specify will be downloaded
automatically.
The following code example installs all language packs from a given installation media as defined in the
path:
lpksetup.exe /i * /p <path to language pack .cab files>
To use Lpksetup.exe during an unattended installation, perform the following steps:
1. Use Windows System Image Manager to create an answer file.
2. Add a RunSynchronous command to the pass in which you want to install the language pack. For
the command, specify the command-line options that you intend to use. For example, to install the
German language pack from the Windows\Langpacks folder, type:
lpksetup.exe /i de-DE /r /p %SYSTEMDRIVE%\LangPacks
The Lpksetup.exe tool requires administrator privilege to run. The RunSynchronous command must run
in an account that has administrator privilege. Running Lpksetup.exe during unattended installations is
supported only in the following configuration passes:
• auditUser
• oobeSystem
Using the MDT to deploy language packs

There are three methods in the MDT to add language packs during the deployment. For all three
methods, you first must add the specific language pack LP.cab file as a package in the Package node of
the Deployment Workbench. If you are adding multiple language packs, you might want to create
selection profiles for each different language pack.
Note: The language pack version must match the operating system version you are
installing. For example, if you are installing Windows 10 Enterprise Version 1511, then the
language pack must be version 1511. If the versions do not match, then the language pack
deployment will fail.
Using Deployment Wizard

Once you add the packages to the Packages node of the Deployment Workbench, the Deployment
Wizard will display the Language Packs screen. This screen enables the user running the deployment to
select any of the language packs available. If you do not want the user to have the ability to select the
language pack then you should add the following line of code to your Customsettings.ini file:
SkipPackageDisplay=YES
Using a task sequence

A deployment share might have multiple task sequences. This method will deploy language packs only by
using specific task sequences that you choose to modify. Modify a task sequence to add the Install
Updates Offline task to the Postinstall phase of the task sequence. Configure the task to use the
appropriate selection profile that includes the language pack (or packs) that you want to deploy.
Using the Customsettings.ini file

This method will deploy language packs to all the deployments that come from this deployment share.
You can use the Customsettings.ini file to install the language packs. For example, if you want to add two
languages to your deployment, you would add the following lines to your customsettings.ini file:
LanguagePacks1={guid_for_lp1}
LanguagePacks2={guid_for_lp2}
Note: You can view the GUID of a language pack in the Details pane in the Packages node
in the Deployment Workbench.
You can install multiple language packs when deploying the Enterprise editions of the Windows client and
Windows Server operating systems. When deploying other editions of Windows operating systems, you
can select only one language pack because of Windows licensing restrictions.
Deploying Windows operating systems by using the Deployment Wizard

When you update the deployment share, the LTI
boot media is either created or modified. The LTI
boot media includes the MDT program, which
calls the Windows Deployment Wizard when
performing a deployment. When you boot a
system by using the LTI boot media, the MDT
program starts automatically and the following
actions occur:
1. The Bootstrap.ini file is processed. When the

computer first starts, the MDT program
processes Bootstrap.ini, and then uses the
information to connect to the deployment
share.
2. After you connect to the deployment share, from the Welcome page, you can:
o Run the Deployment Wizard to install a new operating system, which starts the Windows
Deployment Wizard.
o Run the Windows Recovery Wizard, which starts the Windows Recovery Environment.
o Exit to the command prompt.

Additionally, you can choose the keyboard layout or configure a static IP address. You also can configure
the keyboard layout in the Boostrap.ini file.
Choosing the Run the Deployment Wizard to install a new operating system involves the following steps:
1. The Credentials dialog box appears. If you have not configured the Bootstrap.ini file with user
credentials for accessing the deployment share, you will be prompted to enter them.
2. The CustomSettings.ini file is processed. The CustomSettings.ini file includes settings for
preconfiguring and skipping Windows Deployment Wizard pages, including skipping the wizard
altogether.
3. The Task Sequence page appears. After you apply the CustomSettings.ini file settings, the Windows
Deployment Wizard presents the available task sequences.
After you choose a task sequence, the Windows Deployment Wizard will proceed to show the pages that
are appropriate for the type of deployment and task-sequence template used. Settings in the
CustomSettings.ini file could prevent certain pages from displaying.
When you perform a new computer deployment by using a task sequence based on the standard client-
task sequence and a default CustomSettings.ini file, the Windows Deployment Wizard will present the
following pages:
• Computer Details. This page allows you to specify the Computer name, Join a workgroup, or Join
a domain, and if joining a domain, the information required to join the domain.
• Move Data and Settings. If the computer had an existing operating system, you could choose to
Move the user data and settings to a specified location.
• User Data (Restore). If you have previously used the Move the user data and settings option as
part of a computer migration, you can specify the location on this page.
• Locale and Time. This page allows you to specify the language and time settings for your
deployment.
• Ready. If you click the Details button on this page, you can review all the settings that you have
configured. If you need to change anything, you can use the Back button to return to the
appropriate page. When the settings are correct, you click Begin to start the deployment.
MDT troubleshooting and monitoring options

Like other complex systems MDT 2013 Update 2
can fail at different points for various reasons,
such as misconfiguration, and communications
loss. Having a sound troubleshooting
methodology is an important tool for any
administrator. By using a structured
troubleshooting methodology, you can recover
quickly and return to normal operations.
Additional Reading: For more information,

refer to Troubleshooting Methodology:
http://aka.ms/Stjx6x.
The Deployment Workbench has a Troubleshooting Reference document in the Documentation node of
the Information Center. There are numerous troubleshooting articles on the Internet based on the MDT
function, such as apps installation, deployment shares, driver installation, and Sysprep. The
Troubleshooting Reference document also contains a list of error codes, and descriptions of what they
mean. Additionally, it contains flowcharts on both the LTI and ZTI deployment processes. A section on
logs explains what information the logs contain and how to read them.
MDT creates and updates several logs, such as the BDD.log and the smsts.log. By default, these logs are
stored on the computer that the operating system is being deployed to. You can configure these logs to
be stored on a network share to make them more accessible. Two types of logging are available:
• Standard logging stores all the logs on a network share at the end of the deployment.
• Dynamic logging writes only the BDD.log file, but writes it in real time during the deployment.
You can specify both types of logging in the CustomSettings.ini file.
To perform standard logging, add the following entry to the Default section of the CustomSettings.ini file:
SLShare=\\servername\share
To perform dynamic logging add the following entry to the Default section of the Customsettings.ini file:
SLShareDynamicLogging=\\servername\share
Note: CMtrace.exe is a tool for viewing the MDT logs in a more readable form, showing live
data being written to the logs. This tool is part of the System Center 2012 R2 Configuration
Manager Toolkit, and is available from the Microsoft Download Center as well.
Advanced Configuration node

The Deployment Workbench includes an Advanced Configuration node that contains several items that
you can use to extend LTI deployment features. This includes linking deployment shares, support for
standalone media, and configuring an MDT database.
MDT has a monitoring feature that the Deployment Workbench and MDT scripts support. You can use the
Monitoring node in the Deployment Workbench to view the deployment process.
Selection profiles
Selection profiles allow you to create groups of folders in the Deployment Workbench. You can use any
folder that contains at least one item, including Applications, Operating Systems, Out-of-Box Drivers,
Packages, and Task Sequences. Once you create your selection profiles, you can use them in several
different locations, including:
• The Deployment Share Properties dialog box, on the Windows PE tab, in the Drivers and Patches
tab. Here you can specify the selection profile to limit the drivers that will be added to the Windows
PE boot image.
• An Inject Drivers task step. You use the selection profiles in this step to control the drivers that will be
available for a particular task sequence.
• An Apply Patches task step. You use the selection profiles in this step to control the update packages
that will be installed.
• The New Media Wizard. Here you can use the selection profiles to control the Applications, Operating
Systems, Out-of-Box Drivers, Packages, and Task Sequences folders that deploy with standalone
media.
• The New Linked Deployment Share Wizard. Here you can use the selection profiles to control the
linked content.
The following table details the six selection profiles that are created by default.
Selection profile Description
Everything Contains all folders from all nodes
All drivers Contains all folders from the Out-of-Box Drivers item
All drivers and packages Contains all folders from the Packages and Out-of-Box Drivers items
All packages Contains all folders from the Packages item
Nothing Includes no folders or items
Sample A sample selection profile that contains folders from the Packages and
Task Sequences items
Linked deployment shares

You can use linked deployment shares to connect two deployment shares logically. One deployment
share acts as the source and the other deployment share is the target. You use a selection profile to
control the content that will be copied to the target deployment share. Using linked deployment shares
allows you to use LTI deployments in larger organizations, while keeping the management simple by
requiring that you update only the source deployment share.
Media
You can use the Media item to create LTI media for standalone deployment media, which enables you to
perform an LTI deployment without contacting the server. You can create media and place it on a DVD,
USB drive, or other portable media. You can control the contents of the standalone media by choosing
the appropriate selection profile when you start the New Media Wizard.
Database
By default, the variables that you use with your task sequences are stored in CustomSettings.ini. As your
deployments grow more complex, the conditions that you define in the CustomSettings.ini file might
become too numerous to manage effectively. To address this challenge, you can create a SQL Server
database to store the conditions that you want to define. After creating the database, you run the
Configure DB Wizard to configure the CustomSettings.ini file to use the MDT database.
Monitoring MDT deployments

Monitoring is not configured by default. The process for enabling monitoring is different for LTI
deployments and Configuration Manager–based deployments. To configure monitoring for LTI
deployments, you need to enable it in the Deployment Share Properties dialog box, on the Monitoring
tab. Select the Enable monitoring for this deployment share check box to make changes to your
management computer. These changes include:
• Installing the MDT Monitor service (MDT_Monitor). This service receives and stores the events from
the computers that are being monitored. It also provides the information to the Deployment
Workbench.
• Installing an SQL compact database. Only the MDT Monitor service uses this database.
• Updating the CustomSettings.ini file with the EventService property, and a value of
http://<Management Computer>:9800. This connection does not require Microsoft Internet
Information Services (IIS). It uses features from the .NET Framework to provide the http functionality.
After you enable the monitoring feature, you can monitor deployments by using the Monitoring node in
the Deployment Workbench. You will need to refresh the Monitoring node periodically.
Statement Answer
The Bootstrap.ini file can be used to provide credentials to allow

connections to the deployment share.
Question: What do you have to do to allow the addition of language packs by using the
Deployment Wizard?
Lesson 3
Integrating Windows DS with MDT
You can use Windows DS to enhance the MDT deployment process. In Module 7 of this course, you
reviewed Windows DS. In this lesson, you will learn how to configure MDT and Windows DS integration.
Lesson Objectives
• Describe how Windows DS enhances an MDT environment.
• Describe how to create and import an MDT boot image into Windows DS.
• Describe how to use Windows DS multicasting with MDT deployments.
How Windows DS Enhances an MDT Environment

Windows DS is a Windows Server role that you can
use to deploy the Windows operating system
across a network without using a local media
source. You can configure Windows DS to use LTI
boot media to support Pre-Boot EXecution
Environment (PXE) clients. This allows you to use
LTI deployment on systems without starting them
from an LTI CD or USB device.
If Windows DS is installed on the same server as

the MDT deployment share, you have an
additional option for integration. When a PXE
client loads the MDT boot image from the
Windows DS server, the Windows DS server name is stored in the WDSServer variable, which you can
reference in the Bootstrap.ini file by the DeployRoot property. To use this variable, modify the
DeployRoot property in the Bootstrap.ini file as follows:
Change:
DeployRoot=\\<ServerName>\DeploymentShare$
to:
DeployRoot=\\%WDSServer%\DeploymentShare$
After you make this change, you need to recreate the LTI boot images by updating the deployment share.
After that process completes, you import the LTI boot images into Windows DS.
There are many scenarios where integrating Windows DS and MDT is beneficial. You can add the LTI boot
images, which allows Windows DS to initiate LTI deployment automatically by starting the LTI boot image
after an administrator or user starts the system. Another example is the ability to use a Windows DS image
when creating task sequences. This means that the images created in either MDT or Windows DS are
interchangeable.
In an LTI deployment scenario, MDT cannot use prestaged computer accounts. However, you can utilize
prestaged computer accounts by using Windows DS in conjunction with MDT.
One of the highlights of Windows DS is the ability to perform multicast deployments. This means that
multiple computers can receive a single copy of an image. Using multicast can significantly reduce the
amount of bandwidth that your network’s deployment services consume when you are performing
multiple simultaneous deployments. MDT supports multicasting when you install both MDT and the
deployment share on the computer that is running the Windows DS role, or when you install them on
another computer that has access to administrate the Windows DS server remotely by using the WDSUTIL
command-line tool.
Creating and importing an MDT boot image into Windows DS

Whenever you update a deployment share, the
update process checks for changes and creates a
new LTI boot image. The boot image is created in
both a .wim file and an .iso image file, which you
then can use to create bootable media. You can
import the .wim file into Windows DS, and then
use Windows DS to start the PXE boot clients that
are using the MDT boot Windows image file. PXE
boot clients started from the LTI boot image will
run the Windows Deployment Wizard the same as
a locally started system.
Creating LTI boot media

If you need to create new boot media for a deployment share, such as for adding new device drivers to
the boot media, you configure the boot media in the Deployment Share Properties dialog box in
Deployment Workbench. To create new boot media when you need to add drivers for new hardware,
perform the following high-level procedure:
1. In the Out-of-Box Drivers folder, create any necessary subfolders, and then import the new device
drivers. There might be network adapter drivers that you must inject for the particular device.
2. In the Advanced Configuration node, create or modify the Selection profile that you want to use
for the LTI boot media.
3. Open the Deployment Share Properties dialog box, click the Windows PE tab, click the Drivers
and Patches tab, and then select the desired Selection profile. Configure this setting for both
platform types.
4. Click the Features tab, and then select any desired additional features. Configure these settings for
both platform types.
5. Click the General tab, ensure that the check boxes are selected to create both a Windows image file
and an International Organization for Standardization (ISO) file. Configure this for both platform
types.
6. When the Windows PE configuration is complete, click OK to close the dialog box.
7. Right-click Deployment Share, and then click Update Deployment Share to generate the new LTI
boot images.
Adding a boot image to Windows DS

To add the LTI boot-image files (LiteTouchPE_x64.wim and LiteTouchPE_x86.wim) from the
deployment share, perform the following procedure:
1. Sign in to the Windows DS server as a member of the local administrators group.
2. Start the Server Manager, and then in the Tools menu, click Windows Deployment Services.
3. Expand the server container, click Boot Images, and then click Add Boot Image.
4. Browse to the boot image file (LiteTouchPE_x64.wim or LiteTouchPE_x86.wim) in the

\\<management computer\<deployment Share>\Boot folder of the deployment share, and
then click Open.
5. Provide a name and description on the Image Metadata page, and then complete the wizard.
Windows DS multicasting with MDT deployments

Windows DS in Windows Server 2008 or newer
supports deploying images by using multicast
transmissions. Multicast transmissions allow you to
deploy multiple computers by using the same
network stream, thereby potentially using less
bandwidth, and decreasing overall deployment
time when distributing the same image to
multiple computers. Windows ADK includes the
Wdsmcast.exe client file, which joins the multicast
stream.
The LTIApply.wsf script uses the Wdsmcast.exe file

when it accesses an operating system deployment.
When the LTIApply.wsf script runs, it attempts to join a multicast stream. If this fails, LTIApply.wsf will fall
back to using a standard file copy.
The deployment server prerequisites for MDT multicasting are that you must:
• Use a deployment server that has Windows Server 2008 R2 or newer installed.
• Install Windows DS.

• Install Windows AIK or Windows ADK (appropriate to the version of MDT, such as MDT 2013
Update 2, Windows ADK for Windows 10).
• Import at least one .wim file into Windows DS.
You can enable multicast for MDT on the General tab of the Deployment Share Properties dialog box
in the Deployment Workbench. It is disabled by default.
Note: The Network (UNC) path text box and the Local Path text box on the General tab
must contain valid paths for multicasting to function properly.
After the configuration is complete, an Auto-Cast Windows DS multicast transmission that uses the MDT
deployment share is created. An Auto-Cast Windows DS Multicast transmission starts when the first client
connects, and other clients will join the stream in progress. You can use multicast only with operating
system image .wim files, and not boot.wim files.
Verifying the multicast transmission

To verify the multicast transmission is active, open the Windows Deployment Services console, and under
the server_name node, click the Multicast Transmissions node. If the multicast configuration was correct,
you will see an Auto-Cast transmission for the deployment share that is listed as Active.
When an installation is running, the Installation Progress dialog box will show Multi-Cast Transfer while
the Install Operating System action is running.
After you deploy a computer by using multicast, verify that the operating system was downloaded from a
multicast transmission by examining the BDD.log file in the \Windows\Temp\DeploymentLogs folder. You
will find two entries in the logs folder, both beginning with Multicast transfer. Check them to verify a
successful transfer.
Statement Answer
Boot images are created automatically by updating the deployment share.
Statement Answer
You must install Windows DS on a computer running Windows Server 2008

R2 or newer.
Lab: Operating system deployment using the MDT

Scenario
Cora Bauer, the manager of the A. Datum Corporation information technology (IT) department, has asked
that you evaluate the capabilities of the MDT for deploying Windows 10.
A. Datum has not had a major client-system deployment since you were hired, and Cora wants a fresh pair
of eyes to look at the process. You know that all the client systems had to be reimaged in London
recently, and that the reimaging did not go as smoothly as desired. Therefore, you will evaluate MDT 2013
Update 2 and use it to create reference images for deployment throughout your organization. You will
assist in the planning and implementing the solution, and then update the MDT planning job aid that
explains your choices.
Objectives
• Plan for the MDT environment.

• Install MDT 2013 Update 2 and the prerequisite components.
• Create and configure a deployment share.
• Deploy and capture a reference operating system image
Lab Setup
Virtual machines: 20695C-LON-DC1, 20695C-LON-SVR1, and 20695C-LON-REF1

Password: Pa$$w0rd
2. In Microsoft Hyper-V Manager, click 20695C-LON-DC1, and then in the Actions pane, click Start.
5. Repeat steps 2 through 4 for 20695C-LON-SVR1.
6. You also will use 20695C-LON-REF1, but you only need to bring up its virtual-machine connection.
Do not start this virtual machine until instructed to do so.
Exercise 1: Planning for the MDT environment

Scenario
Based upon the lab scenario, you need to determine the configuration settings that the MDT environment
requires. You will fill out an MDT planning job aid to assist in your planning tasks.
To: Robert Bevins
From: Cora Bauer [cbauer@Adatum.com] Sent: 17 Dec 2:30 PM To: Robert Bevins [rbevins@adatum.com]
Subject: Re: Automated Windows 10 deployment
Robert,
You know my philosophy on this, keep it uncomplicated, and reduce the opportunity for errors. I know
there were a few complaints when we had to reimage several systems in London after that virus outbreak,
but the company policy remains: all A. Datum–related files are to be stored on a server. Since we use
roaming profiles, I do not see the need to migrate profiles for users. Since there is nothing critical on the
client systems, I do not think we need to worry about that feature either. None of the users have BitLocker
Drive Encryption enabled.
For the time being, we are going to continue deploying apps to the client systems post installation. Unless
purchasing changes their policies, we do not want to deploy any apps until the requesting department
has secured their licenses.
As for the rest of the features, I like the idea of deploying from a central image. Since we are not giving
the users local administrative rights, we need to include any drivers they might need, for instance the
IntelliPoint drivers for the Microsoft pointing devices we use in our department. You can use the server
named LON-SVR1 to host the deployment share. The LON-DC1 computer has the 64-bit Windows 10
evaluation ISO file on it. You just need to make a custom image based on these criteria. If we eventually
tie in MDT to Windows DS, we also will need custom boot images.
Keep in mind that not all the custom apps have been tested in a 64-bit environment yet. If anything else
comes up, just use your best judgment and we can discuss it at the next meeting. While we do not need
to use the Windows DS role in our test environment, install it on LON-SVR1 and set it to provide
multicasting.
Thanks,
Cora
----- Original Message ----- From: Robert Bevins [rbevins@adatum.com] Sent: 17 Dec 11:15 AM To: Cora
Bauer [cbauer@Adatum.com] Subject: Re: Automated Windows 10 deployment
Cora,
I have had a chance to download the Microsoft Deployment Toolkit 2013 Update 2. I am not sure if you
are aware of all the features in the Toolkit. Besides deploying Windows 10, we could do the following:
• Partially Automated Deployment of Windows 10 (Lite-Touch)
• Fully Automated Deployment of Windows 10 (Zero-Touch)
• Deploy Windows 10 from an image
• Deploy Apps
• Pre-install device drivers
• Migrate user profiles
• Enable BitLocker on deployed systems

I know you want a report at the next department meeting. Do you have a preference as to which features
we should evaluate before then?
Thanks,
Robert
----- Original Message ----- From: Cora Bauer [cbauer@Adatum.com] Sent: 15 Dec 09:30 AM To: Robert
Bevins [rbevins@adatum.com] Subject: Automated Windows 10 deployment
Robert,
As discussed in the last planning meeting, we are looking at rolling out Windows 10 next quarter. I want
you to download the latest version of the Microsoft Deployment Toolkit and evaluate it for use in
automating the deployment of Windows 10.
Thanks,
Cora

2. Update the MDT planning job aid.

• Read the lab scenario, including the email exchange between Cora Bauer and Robert Bevins.
 Task 2: Update the MDT planning job aid

Fill in the following worksheet:
Question Answer
Where will you store your distribution

files?
What is your imaging and source-file

strategy?
Will you deploy the image from Windows

media, or will you create custom images?
Will you need to create custom boot

images?
How will you deploy applications?
Are you going to migrate user-state

settings?
Do you want to back up the computers

prior to deployment?
Do you want to use BitLocker Drive

Encryption?
Question Answer
Will you deploy 32-bit, 64-bit, or both

types of operating systems?
Will you deploy multiple editions of the

Windows operating system?
What deployment scenarios are you

planning?
Results: Students will have a plan that outlines how they will configure MDT at the London location
Exercise 2: Installing MDT 2013 Update 2, and addressing MDT

prerequisites
Scenario
Based upon the MDT job aid, you need to install and configure the MDT components. This includes the
MDT 2013 Update 2 installation, and the Windows ADK for Windows 10 installation files.
1. Install MDT 2013 Update 2.
2. Add the Windows ADK prerequisite files.
 Task 1: Install MDT 2013 Update 2

1. On LON-SVR1, open File Explorer, and then browse to \\LON-DC1\Labfiles\MDT2013.
2. Install MicrosoftDeploymentToolkit2013_x64.msi.
3. Complete the Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000) Setup Wizard with the
default settings.
 Task 2: Add the Windows ADK prerequisite files

1. In File Explorer, browse to \\LON-DC1\Labfiles\WADK.
2. Run adksetup.exe as an administrator, and then install Windows ADK. When prompted to add or
remove features, click Continue.
3. On the Select the features you want to install page, select only the check boxes next to
Deployment Tools, Windows Preinstallation Environment (Windows PE), and User State
Migration Tool (USMT), and then click Change.

4. Complete the Assessment and Deployment Kit Wizard, and then close File Explorer.
Results: After completing this exercise, you should have installed MDT 2013 Update 2 and Windows ADK
for Windows 10 on the technician server.
Exercise 3: Creating and configuring the deployment share

Scenario
Before using MDT 2013 Update 2, you have to create a deployment share by using the Deployment
Workbench. This deployment share is the repository for the operating system images, language packs,
applications, device drivers, and other software that is deploying to the target computers. You will modify
the Customsettings.ini file to skip unused pages of the Deployment Wizard and store the deployment log
files on a network share. You will also install the Windows DS. Because you are only deploying 64-bit
systems, you will configure the deployment share to create only 64-bit boot media, and to create a
multicast transmission when you update the deployment share.

1. Open the deployment workbench, and create a deployment share.
2. Add operating system files to the deployment share.
3. Add device drivers to the deployment share.
4. Create a task sequence to deploy and capture a reference computer.
5. Modify the customsettings.ini file to store log files, and skip unused pages in the Deployment Wizard.
6. Install and configure the Windows DS role.

7. Configure and update the deployment share.
 Task 1: Open the deployment workbench, and create a deployment share

1. On LON-SVR1, open Deployment Workbench NEW from the Start screen.
2. Right-click Deployment Shares, and then click New Deployment Share.
3. Create the Deployment Share in C:\DeploymentShare path.
4. Complete the New Deployment Share Wizard with default settings.
 Task 2: Add operating system files to the deployment share

1. Modify the Settings of 20695C-LON-SVR1 virtual machine on the localhost to insert
D:\Program files\Microsoft Learning\20695\Drives\Win10TH2Ent_EVAL.iso, into the
DVD drive.
2. In the Deployment Workbench, from the Operating Systems folder, click Import an Operating
System.
3. Use the Import Operating System Wizard to import a full set of source files from drive D into the
Windows10x64 folder.
4. Complete the Import Operating System Wizard using defaults.

 Task 3: Add device drivers to the deployment share

1. In the Deployment Workbench, right-click the Out-of-Box Drivers node, and then create a New
Folder named Intellipoint Drivers.
2. From the Intellipoint Drivers folder, click Import Drivers.
3. Use the Import Driver Wizard to import all of the drivers from \\LON-DC1\Labfiles\Drivers
\point64.
4. Complete the Import Driver Wizard using defaults.
 Task 4: Create a task sequence to deploy and capture a reference computer

1. From the Task Sequences node, create a new folder named Windows 10, and then from the folder,
start the New Task Sequence Wizard.
2. Create a task sequence with the following information:
o Task sequence ID: LON-001
o Task sequence name: Deploy Windows 10
o Template: Standard Client Task Sequence
o Operating System: Windows 10 Enterprise Evaluation Technical Preview in Windows10 x64

install.wim
o Product Key: Do not specify a product key at this time
o Full Name: adatum\administrator
o Organization: Adatum
o Administrator Password: Pa$$w0rd
4. Select the Task Sequences\Windows 10 node, right-click the Deploy Windows 10 task sequence,
and then click Properties.
5. Under Preinstall, edit the Inject Drivers task step to use the Nothing selection profile.
6. Click OK to close the Deploy Windows 10 Properties window.
 Task 5: Modify the customsettings.ini file to store log files, and skip unused pages in
the Deployment Wizard
1. Open the properties of the MDT Deployment Share (C:\DeploymentShare), and then click the
Rules tab.
Note: Because you are deploying to new computers, do not back up computers, invoke
BitLocker, or migrate any user data. You will configure the CustomSettings.ini file not to display
those pages in the Deployment Wizard. You will also save the deployment log files to a network
share.
2. Change the SkipComputerBackup=NO entry to SkipComputerBackup=YES, and change the

SkipBitLocker=NO entry to SkipBitLocker=YES.
3. Add the following lines to the [Default] section, and then click OK:
o SkipUserData=YES
o SLShare=\\Lon-DC1\Labfiles\DeployLogs
 Task 6: Install and configure the Windows DS role

1. Open Windows PowerShell as administrator, type the following cmdlet, and then press Enter:
Install-WindowsFeature –Name WDS -ComputerName LON-SVR1 –IncludeManagementTools
2. Open the Windows Deployment Services Snap-in, expand the list of servers until LON-SVR1 appears,
and then right-click and configure LON-SVR1 with the following options:
o Select Integrated with Active Directory
o Remote installation folder: C:\RemoteInstall (accept warning about System Volume)
o PXE Server Initial Settings: Respond to all client computers (known and unknown)
o Clear the Add images to the server now check box on completion
3. Add the install.wim file from the deployment share (C:\DeplaymentShare\Operating Systems
\Windows10x64\Sources\Install.wim) to the Install Images node.
Note: This process takes approximately five minutes to complete.
 Task 7: Configure and update the deployment share

1. Open the properties of the MDT Deployment Share (C:\DeploymentShare).
2. On the General tab, deselect x86 and enable multicast for the deployment share.
3. On the Windows PE tab, do not generate a Lite Touch bootable image for the x86 platform.
4. Right-click the MDT Deployment Share (C:\DeploymentShare),, and then click Update
Deployment Share.
6. Return to the Windows Deployment Services and check that a multicast transmission named MDT
Share DeploymentShare$ auto-cast transmission has been created.
Results: After completing this exercise, you should have ensured that the deployment share is ready
to use.
Exercise 4: Deploying and capturing a reference operating system image

Scenario
You have configured the MDT deployment, and you now are ready to deploy and capture a reference
computer. After creating the task sequence to deploy Windows 10 to the reference computer, you must
initiate the operating system deployment and capture by starting the reference computer with the LTI
bootable media.
1. Start the reference computer, and complete the Windows Deployment Wizard.
2. Review the deployment summary, and verify the capture of the reference computer.

 Task 1: Start the reference computer, and complete the Windows Deployment
Wizard
1. Modify the settings of the 20695C-LON-REF1 virtual machine on the localhost to insert the
D:\Program files\Microsoft Learning\20695\Drives\LiteTouchPE_x64.iso into the DVD drive.
3. After the system starts, click Run the Deployment Wizard to install a new Operating System.
4. Connect to the deployment share as Adatum\Administrator with the password Pa$$w0rd.

5. Complete the Windows Deployment Wizard with the default settings, except for the following:
o Task Sequence: Deploy Windows 10
o Computer name: Reference
o Capture Image: Capture an image of this reference computer
Note: This procedure takes approximately 90 minutes to complete.
 Task 2: Review the deployment summary, and verify the capture of the reference
computer
1. On LON-REF1, verify that the Deployment Summary window displays Success - Operating system
deployment completed successfully.
2. Click Finish.
3. After LON-REF1 restarts, sign in as Administrator with the password Pa$$w0rd.
4. Switch back to LON-SVR1, and then verify that the C:\DeploymentShare\Captures\LON-001.wim

file exists.
5. Switch to LON-DC1 and navigate to E:\Labfiles\Deploylogs\Reference. Take note of the

deployment logs.
6. Close all open windows, and then sign out of all virtual machines.
Results: After completing this exercise, you should have deployed and captured a reference computer.

After you finish the lab, revert the virtual machines to their initial state. To do this, complete the following
steps:
1. On the host computer, start Hyper V Manager.
2. In the Virtual Machines list, right click 20695C-LON-DC1, and then click Revert.
4. Repeat steps 2 and 3 for 20695C-LON-REF1 and 20695C-LON-SVR1.


Best Practices
• Build your reference system using a virtual machine. This will avoid having an image with any
hardware-specific configurations embedded.
• Create folders in the Out-of-Box-Drivers node to organize all your vendor or model-specific drivers.
• Use Profile Selections to deploy only the required drivers to a given hardware configuration.
• Build thin images and apply applications on demand through the applications node. This will allow
you to keep the application current as updates and patches are released, without having to rebuild
the image.

Mismatch between versions of MDT and

Windows AIK or Windows ADK
Language packs are not deploying

properly
Cannot find lite-touch boot media in the

Boot folder of the Deployment Share
Deployments are ending prematurely with

errors
9-1
Module 9
Managing operating system deployment
Contents:
Module Overview 9-1
Lesson 1: Overview of operating system deployment 9-2
Lesson 2: Preparing a site for operating system deployment 9-12
Lab A: Preparing the site for operating system deployment 9-22
Lesson 3: Deploying an operating system 9-26
Lab B: Deploying operating system images for bare-metal installations 9-44
Module Overview
You can use the operating system deployment feature in Microsoft System Center Configuration Manager
(Configuration Manager) to create operating system images that you can deploy to both unmanaged
computers and those that Configure Manager manages. Several scenarios exist in which you can deploy
operating systems by using Configuration Manager, including when you work with new systems or when
you upgrade existing systems. Operating system deployment uses both Configuration Manager and
Windows components to manage and deliver operating system images. You can configure settings on a
reference computer prior to capturing an image of its operating system or by using task sequences that
Configuration Manager creates after you deploy the image to a target system.
Objectives
• Describe the terminology, components, and scenarios used to deploy operating systems by using
• Describe how to prepare a site for operating system deployment.
• Describe the process used to deploy an operating system image.

9-2 Managing operating system deployment
Lesson 1
Overview of operating system deployment
Operating system deployment in Configuration Manager is a set of technologies that focuses on the
complete end-to-end deployment of operating systems. You can configure an operating system
deployment to occur with minimal or no user interaction. In this lesson, you will learn about the operating
system deployment feature and the terminology and scenarios associated with it.
Lesson Objectives
• Define the operating system deployment feature.
• Describe the terms used in operating system deployment.
• Describe the various operating system deployment scenarios that Configuration Manager supports.
• Describe the server roles for the operating system deployment process.
• Describe the Unified Extensible Firmware Interface (UEFI) considerations for operating system
deployment.
Deploying operating systems by using Configuration Manager

Operating system deployment in Configuration
Manager is a feature that you can use to create
and deploy operating system images to
destination computers. Destination computers can
be known computers that Configuration Manager
manages or unknown computers that
Configuration Manager does not manage.
Operating system deployment includes the

following features:
• Operating system image capture. You can

create an operating system image from a
reference computer by using capture media,
or you can automatically build a reference computer and then capture the operating system. After
you capture the image, it is stored as a Windows image file (.wim file) that you can allocate to
distribution points for use in deployments.
• The Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. The Windows ADK
for Windows 10 is a collection of tools and documentation that can help you to deploy Windows
Server and Windows client operating systems. Before you install Configuration Manager, you must
download and install the Windows ADK for Windows 10.
• Task sequences. Task sequences enable performing multiple commands or tasks on a computer with
little or no user intervention. Task sequences do not represent a full scripting language.
• Operating system image deployment. By using operating system image deployment, you can place
an operating system image on a destination computer. You can use several methods to deploy
images across a network or from removable media, such as CDs, DVDs, or USB flash drives.
• User state migration. You can capture and restore user state information by using the User State
Migration Tool (USMT) 10. The Windows ADK for Windows 10 includes USMT 10, which supports the
following operating systems:
o Windows 10
o Windows 8.1
o Windows 8
o Windows 7
o Windows Server 2012 R2

o Windows Server 2012
o Windows Server 2008 R2
Additional Reading: For more information about how to manage enterprise operating
systems with Configuration Manager, refer to Manage enterprise operating systems with System
Center Configuration Manager: http://aka.ms/Xz0qx9.
Question: What is the difference between a reference computer and a destination

computer?
Operating system deployment terminology

The following tables define the terms that
describe the concepts and actions pertaining to
managing operating system deployment.
Category Term Definition
Image Boot image The Windows Preinstallation Environment (Windows PE) 10 image
that you can use to start a computer for operating system
deployment actions.
Operating The captured image that you deploy to a destination computer.

system image
.wim file A compressed collection of files and folders that contain a copy of
the files and file structure from the source computer for an image
that you capture by using operating system deployment.
Task Task sequence A step that performs a single task, such as:
step • Format and Partition Disk
• Apply Windows Settings
• Apply Device Drivers
Task sequence steps run entirely on a destination computer and
never on a Configuration Manager site system.
Task sequence A collection of one or more task sequence steps. For example, the
group Install Operating System task sequence group might include the
following task sequence steps:
• Restart in Windows PE
• Format and Partition Disk
• Apply Operating System
• Apply Windows Settings
• Apply Network Settings
• Apply Device Drivers
Task sequence A series of one or more task sequence steps or groups that run
administrator-specified actions. You use task sequences with
operating system deployment to:
• Deploy an operating system to source computers.
• Capture an operating system image from a reference computer.
Driver Windows A set of files consisting of an information file (.inf file) and one or
device driver more additional files that install a device driver.
(or driver) For example, this might be the settings and drivers for a particular
video card or for a particular chipset on a motherboard.
Drivers node A list of drivers that are available for deployment.
Driver package A Configuration Manager package that contains the content for
one or more device drivers.
Computer Reference A fully configured computer from which you generate a .wim file
computer that you can use to distribute operating system images to
destination computers.
Source An existing Configuration Manager client computer that contains

computer the user state data and settings that will migrate to a new
destination computer. You must link the source computer and
destination computer by using a computer association for a side-
by-side migration.
Destination A computer on which you install the Windows operating system

computer image by using Configuration Manager operating system
deployment.
When you use this setting in conjunction with user state migration,
you must link the source computer and destination computer by
using a computer association for a side-by-side migration.
Unknown A computer that Configuration Manager has not discovered.

computer
Unprovisioned A computer that Configuration Manager discovers that does not

Computer have an installed client.
Other Windows PE 10 A lightweight version of Windows 10 that you can use to provide
an operating system environment in which to run the task
sequence steps for operating system deployment.
Pre-Boot A method for starting computers by using a network interface

EXecution independent of any installed operating systems. When using this
Environment method, a computer contacts a PXE-enabled distribution point,
(PXE) boot downloads a boot image that contains Windows PE, and then
starts Windows PE.
Operating A Configuration Manager package that contains the original

system installation source files for building a reference computer. It can
upgrade also consist of the source files for Windows 10 used when
package upgrading to Windows 10.
System A Windows tool that you can use to prepare an image for
Preparation deployment to multiple destination computers. Sysprep
Tool (Sysprep) generalizes a reference computer by removing computer-specific
information, such as security identifiers, network addresses, and
the computer name. When you deploy a generalized image to
other computers, they establish their own identity and do not
duplicate the identity of the reference computer.
Note: Sysprep does not generalize the Configuration Manager
client. Therefore, you should uninstall the client from a reference
computer before you capture it.
Additional Reading: For more information, refer to Introduction to operating system

deployment in System Center Configuration Manager: http://aka.ms/Bfdbr0.
Overview of operating system deployment scenarios

Different scenarios exist in which you can use the
operating system deployment feature in
Configuration Manager, including:
• Bare-metal installation. Use Configuration

Manager to install a supported operating
system on computer hardware that does not
have an operating system.
• Operating system refresh. Use Configuration Manager to install a supported operating system on a
computer system with an existing operating system. In an operating system refresh scenario, you do
not save any data on a client system. You only install a new operating system.
• In-place upgrade. Use Configuration Manager to perform an operating system refresh and save user
data that is on the system you are refreshing. An in-place upgrade provides you with the tools to
automate saving data from a client system before the refresh occurs. You can then use tools to
restore data after the operating system refresh is complete.
• Side-by-side migration. When you replace a user’s computer with a new computer, you can use a
side-by-side migration to save the old system’s data; install an operating system on the new, bare-
metal computer; and then restore the data to the new system. This method requires that the old
computer be a Configuration Manager client and that you link the new computer to the old
computer by using a computer association in Configuration Manager.
The following table provides information about the various initiation methods and their respective
scenarios, dependencies, advantages, and disadvantages.
Typical
Initiation method Dependencies Advantages Disadvantages
scenarios
Configuration • Operating The destination You can deploy an This method

Manager software system computer must be operating system requires a
deployment refresh a Configuration image without connection to a
Manager client. creating additional Configuration
• In-place
media. Manager site.
upgrade
This method Destination
• Side-by- requires no user computers must
side intervention. You be Configuration
migration can move settings Manager clients.
from an old
installation to a
new installation if
required.
PXE boot • Bare-metal You must install This method works Optional PXE
installation Windows well when no user deployments
Deployment is present at the require user
• Side-by-
Services (Windows destination intervention.
side
DS) on a computer, such as You need to
migration
distribution point. in datacenter consider the
• Operating You must enable environments. implications when
system the PXE This method works the Dynamic Host
refresh configuration for with bare-metal Configuration
the distribution computers and Protocol (DHCP)
point on which requires no service is on the
you install physical media. same server with
Windows DS. the PXE-enabled
You must also distribution point.
configure all
intervening
firewalls to allow
PXE traffic.
Typical
Initiation method Dependencies Advantages Disadvantages
scenarios
Bootable media • Bare-metal Appropriate This method works This method

installation image architecture well for bare- requires user
must be available metal operating intervention.
• Side-by-
on an accessible system
side
distribution point. deployment
migration
scenarios.
You can
password-protect
media for security
enhancement.
Standalone media • Bare-metal This method uses This method works The media must
installation removable media well for computers contain all the
such as a USB that connect to necessary
• Operating
flash drive, CD, or the Configuration installation files
system
DVD, which will Manager site with and device drivers.
refresh
contain the a low-bandwidth No way exists to
necessary connection. set an expiration
installation files. This method date on the media.
requires no The operating
connection to the system image can
Configuration span media,
Manager site. depending on the
You can size of the files.
password-protect
media for security
enhancement.
Prestaged media • Bare-metal All the installation You copy all The media must
installation files and drivers bootable media contain all the
must be available and image files to necessary
• Operating
to build the a computer’s hard installation files
system
image. disk drive. and required
refresh
This method helps device drivers.
to increase the No way exists to
speed of a set an expiration
deployment in date on the media.
remote offices.
Windows To Go is a feature in Windows 10 Enterprise that allows you to boot and run Windows 10
directly from an external USB drive independently of the operating system currently installed on the
computer.
Before you use the Windows To Go feature, you must create a bootable USB drive with the Windows To
Go workspace. You can manually create the Windows to Go drive from a computer running Windows 10
Enterprise, or you can use Configuration Manager to provision Windows To Go.
Note: Even though the provision of Windows To Go is much like other operating system
deployments, you must do some things a bit differently when provisioning Windows To Go.
Windows To Go high-level provisioning workflow

1. You verify the Windows To Go provisioning prerequisites:
o Distribute the boot image and the Windows 10 operating system image to a distribution point.
o Create a Windows 10 deployment task sequence.
2. Create prestaged media.
3. Create a Windows To Go Creator package in Configuration Manager, and then distribute it to your
distribution points.
4. Enable BitLocker in the Windows To Go task sequence:
o Note that when you use BitLocker with Windows To Go, you must configure a passphrase.
5. Deploy the Windows 10 deployment task sequence and the Windows To Go Creator package as
available.
6. Run the Windows To Go Creator package, perform the following:
o Runs the Windows To Go Creator package from either the Configuration Manager Software
Catalog or the Configuration Manager Software Center.
o Inserts the USB drive to be provisioned and selects it, and then the Windows To Go Creator
package configures and prestages content to the USB drive.
o The computer restarts.

7. Configuration Manager prepares the Windows To Go drive, perform the following:
o The computer boots into Windows PE and connects to the Configuration Manager infrastructure
to get information about how to complete the operating system deployment.
o After Configuration Manager stages the drive, the end user can restart the computer and
optionally install applications and join the computer to the domain.
8. Windows To Go is ready for use:

o The end user can start using the Windows 10 operating system running in the Windows To Go
workspace.
Additional Reading: For more information about Windows To Go, refer to Windows To
Go: Feature Overview: http://aka.ms/Qtkylp.
For more information about how to deploy Windows To Go by using Configuration Manager,
refer to Deploy Windows to Go with System Center Configuration Manager:
http://aka.ms/Ti75o6.
For more information, refer to Methods to deploy enterprise operating systems using System
Center Configuration Manager: http://aka.ms/Xp2gon.
Question: What is the difference between a bootable media deployment and a standalone
media deployment?
Server roles for the operating system deployment process

All deployment scenarios use the following server
roles during operating system deployment:
• Distribution point. The distribution point

contains the operating system image that you
want to install.
• Management point. After the client starts, it

contacts the management point to download
the deployment tasks. After the deployment is
complete, the client sends state messages to
the management point about the
deployment.
• Primary site server. You use the primary site server to import the operating system image and
distribute it to the distribution points.
The Configuration Manager system roles that deployment scenarios use can differ, depending on the
specific deployment scenario that you use.
Deployment
Description Server role Server role description
scenario
Operating system A deployment to an Primary site server You must create a

refresh existing client that does not deployment for the
save any user information operating system image
on the computer. to the collection that
contains the destination
computer.
Bare-metal A basic operating system Primary site server You must import the
installation deployment. Before computer information
deploying an operating into the primary site.
system to a bare-metal Additionally, you must
computer, you need to create a deployment for
import the computer the operating system
information or enable image to a collection
unknown computer that contains the
support. The information imported computer or
you import to uniquely the All Unknown
identify the bare-metal Computers collection.
computer is either the
system GUID or the Distribution point You can configure the
network card’s media distribution point to
access control (MAC) support PXE boot for the
address. clients. You can use
bootable media in place
of PXE boot for the bare-
metal installation
scenario.
Deployment
Description Server role Server role description
scenario
In-place upgrade A deployment to an Primary site server You must create a

existing client that saves deployment for the
user information on a operating system image
computer. to the collection that
contains the destination
computer.
State migration You can use the state

point migration point to
temporarily store user
profile information in a
security-enhanced
manner during the
upgrade process.
Side-by-side The most-complex Primary site server We recommend that you

migration operating system simplify the user state
deployment, which uses migration by importing
parts of the bare-metal the new computer
installation and in-place information and
upgrade methods. establishing an
association with the old
computer. You must also
create a deployment for
the operating system
image to the collection
that contains the
destination computer.
Distribution point You can use the

distribution point to
support PXE boot for
new client systems.
The most-complex State migration You can use the state

operating system point migration point to
deployment, which uses temporarily store the
parts of the bare-metal user profile information
installation and in-place in a security-enhanced
upgrade methods. manner during the
upgrade process.
Simultaneously deploying an image to multiple client systems

You can configure a distribution point to use multicasting to send an operating system deployment to
multiple systems simultaneously. Two multicast modes exist:
• Autocast mode. When you use the autocast mode, the multicast session starts as soon as the first
client system requests the image. When you start additional client systems and request the same
image, they join the current multicast session in progress and download the remainder of the stream.
When the stream ends, it starts again. The systems that join late download the parts that they missed.
Using autocast mode is not as efficient as using scheduled multicast mode. However, it is more
efficient than delivering an image to one system at a time. When you enable multicasting, autocast is
the default mode.
• Scheduled multicast mode. When you use scheduled multicast mode, you have more control of the
multicast session. You can configure the maximum time delay or a minimum number of clients that
must join the session before the multicast starts. The multicast session starts whenever either of the
two requirements is met. This helps to provide an administrator with enough time to start and
prepare all systems. After the systems are ready, they simultaneously load the image, which helps to
provide for the best usage of network resources. You can enable scheduled multicast by selecting the
Enable scheduled multicast check box on the Multicast tab in the Distribution Point Properties
dialog box.
Additional Reading: For more information, refer to Manage enterprise operating system
with System Center Configuration Manager: http://aka.ms/Xz0qx9.
Question: When creating a Servicing Plan for Windows 10, which kinds of software updates
are included in the software update group created by the Servicing Plan rule?
Question: Which operating system deployment scenarios does Configuration Manager

support?
Lesson 2
Preparing a site for operating system deployment
An operating system deployment can be as simple as using standalone media to deploy a system.
Conversely, it can be a complex operation in which bare-metal computers use the PXE boot method on a
subnet firewall that exists between the clients and the Configuration Manager site. Before you use a
deployment method, you must prepare the Configuration Manager site for the scenarios that you intend
to use. Several prerequisites and optional components for configuring operating system deployment exist.
In this lesson, you will learn how to configure a site for operating system deployment.
Lesson Objectives
• Describe the prerequisites for operating system deployment.
• Enable PXE and multicasting on a distribution point.

• Describe the Configuration Manager settings and component requirements.
• Configure the Network Access account.
• Manage device drivers.
• Explain how to prepare boot images.
• Manage the default boot images.
• Describe operating system images and installers.

• Describe how to manage additional packages that operating system deployment uses.
Prerequisites for operating system deployment

Several prerequisites for operating system
deployment exist. Some apply only to specific
deployment scenarios. The following table
summarizes the prerequisites for operating system
deployment.
Prerequisite Description
Windows ADK for Before you install Configuration Manager, you must download the Windows
Windows 10 ADK for Windows 10 and then install it on the primary site server. Configuration
Manager takes advantage of several components of the Windows ADK for
Windows 10, including:
• Boot images. Configuration Manager copies the Windows PE boot images
that the deployment uses from the Windows ADK to Configuration Manager.
• USMT 10. USMT contains tools that copy user data from a source computer
to a destination computer when the deployment requires user state
migration.
Distribution point The distribution point stores the images that you can deploy to destination
computers. The distribution point also stores any other content that the task
sequence references, such as applications, software updates, packages, and
programs.
DHCP server DHCP provides an IP address to client computers. In scenarios that use PXE boot,
the DHCP server directs client computers to the PXE server.
Windows DS • Windows DS is a Windows Server role that provides PXE services and
multicast support. Enabling PXE support on a distribution point automatically
installs Windows DS for computers that are running Windows Server 2008 or
later.
• The destination computer must be able to communicate to the PXE server
over User Datagram Protocol ports 69 (for Trivial File Transfer Protocol) and
4011 (for PXE).
State migration A state migration point is a Configuration Manager role that USMT uses to store
point user state data in a security-enhanced manner during operating system
upgrades and side-by-side migration scenarios.
Additional Reading: For more information, refer to Prepare site system roles for operating
system deployments with System Center Configuration Manager: http://aka.ms/Uojhnf.
Demonstration: Enabling PXE and multicast support on a distribution point

In this demonstration, you will see how to enable PXE and multicast support on a distribution point.
Demonstration Steps
1. Open the Configuration Manager console, click the Administration workspace, and then navigate to
the Servers and Site System Roles node.
2. Configure the following Distribution point properties:
o Enable PXE support for clients
o Review Required ports for PXE
o Allow this distribution point to respond to incoming PXE requests
o Enable unknown computer support

o Require a password when computers use PXE: use Pa$$w0rd as the password
o Enable multicast to simultaneously send data to multiple clients
3. In the Monitoring workspace, verify that the \\LON-CFG.Adatum.com distribution point

configuration status displays Yes in the PXE and Multicast columns.
Question: What is the difference between autocast mode and scheduled multicast mode?
Configuration Manager settings and component requirements

Regardless of the deployment scenario that you
choose, you must configure several Configuration
Manager settings before you can complete
operating system deployment tasks. You must
configure the Network Access account on the
software distribution component. Additionally,
you must add any driver files that the destination
computers require to the Configuration Manager
site.
Network Access account

Configuration Manager client computers use the
Local System account to perform most local
Configuration Manager client operations. However, the Local System account cannot access network
resources. When a client computer in either the site server's domain or a trusted domain accesses a
distribution point to access content, including operating system deployment packages, the client uses its
ComputerName$ account to access resources in a trusted Active Directory domain. You use a Network
Access account when Configuration Manager clients from workgroups or untrusted domains require
access to resources in the site server's domain. You also need this account during the Windows PE phase
of operating system capture and deployment task sequences, because the computer will be running
Windows PE and will not belong to any domain. Therefore, it will not have a domain computer account to
access network content.
The Network Access account should have at least the minimum number of appropriate permissions on the
distribution points to access content for software deployment or operating system deployment. The
account must have the appropriate Access this computer from the network permission on the distribution
point or on any other server that holds the package content. You can create multiple Network Access
accounts per site in case you need to access resources on the distribution point in different domains.
To configure the Network Access account for a site, complete the following steps:
1. In the Administration workspace, under Site Configuration, in the Sites node, select the site that
you want to configure.
2. On the ribbon, in the Settings group, click Configure Site Components, and then click Software
Distribution.
3. On the Network Access Account tab, select Specify the account that accesses network locations,
and then add the account that you want to use to download the operating system deployment files
to a destination computer.
Note: The password of the Network Access account is not validated against Active
Directory Domain Services, so you must be certain that you use the correct password. You can
use the Verify feature to verify that the account is able to connect to the distribution point.
Drivers
When you build a task sequence, two task sequence steps are available for applying drivers:
• Auto Apply Drivers. When you build a task sequence in the Create Task Sequence Wizard, an Auto
Apply Drivers task sequence step named Apply Device Drivers is included, except when you create a
custom task sequence. By default, this task sequence step uses Plug and Play, and it installs only the
best-matched drivers. However, you can modify it to install all compatible drivers. Additionally, by
default, this task sequence step installs drivers from all categories. However, you can modify it to
install drivers from only specified categories. The Auto Apply Drivers task sequence step installs
drivers only for devices that attach to the client during the deployment process.
• Apply Driver Package. You can add this task sequence step when you modify an existing task
sequence or create a custom task sequence. This task sequence step installs all the drivers in the
package that you specify.
The Software Library workspace of the Configuration Manager console contains two nodes, named
Drivers and Driver Packages, that you can use to manage drivers.
Drivers node
You can import Windows device drivers into the Configuration Manager site so that they are available for
operating system deployments. You can categorize imported drivers to make them easier to sort and find
in the Configuration Manager console. When you import drivers, you can add them to packages during or
after the import process. Additionally, you can add drivers to boot images during the installation process
or later. Because boot images only start the computer and download task sequence content from a
distribution point, you should add only necessary network and/or storage drivers to a boot image. Device
drivers are enabled by default, and you can disable them during or after the import process. The share
that you specify during the import process stores the device drivers, and you can view them in the Drivers
node. By storing drivers in this way and not with each individual operating system image, you reduce the
number of required operating system images. When you deploy an operating system image, each
operating system image can install enabled device drivers that have been imported and are available on a
distribution point.
Driver Packages node

You can use driver packages to group similar device drivers and publish them to a distribution point.
Driver packages contain the files that are associated with one or more device drivers. Device drivers can
belong to more than one driver package. When you create a driver package, the source location of the
package should point to an empty network share to which the Configuration Manager system account
has read/write permission. When you add a device driver to a driver package, Configuration Manager
copies the device driver to the driver package source location. A driver package can include only device
drivers that you import and enable in the Drivers node.
You must copy the driver package to at least one distribution point for computers to access it, and you
must copy all the device drivers in a specific package together. If you want to copy a subset of device
drivers from an existing driver package to a distribution point, you must create a new driver package that
contains the subset of drivers.
Demonstration: Configuring the Network Access account

In this demonstration, you will manage the Network Access account and device drivers.
Demonstration Steps
1. Under Site Configuration, click the Sites node. On the ribbon, click Settings, click Configure Site
Components, and then click Software Distribution.
2. In the Software Distribution Components Properties dialog box, on the Network Access Account
tab, provide the following information as the credentials for the Network Access account:
o User name: Adatum\NetworkAccess
o Confirm password: Pa$$w0rd
3. Verify that the account can access the \\LON-CFG\SMS_S01 share, and then close the Software
Distribution Components Properties dialog box.
Question: What permissions does the Network Access account require for use with the
operating system deployment process?
Demonstration: Managing device drivers

In this demonstration, you will see how to import device drivers and distribute them.
Demonstration Steps
1. In the Software Library workspace, in the Operating Systems folder, select the Drivers node, and
then on the ribbon, click Import Driver.
2. Use the Import New Driver Wizard to import the drivers into the \\LON-CFG\Software\Drivers
\HypervX64 folder.
Note: Wait for the driver information to validate.
3. Remove the check mark next to Hide drivers that are not digitally signed.
4. Create two categories for the drivers: 64-bit Drivers and Hyper-V Drivers.
5. Create a new package named Hyper-V Drivers, and then store it in \\LON-CFG\E$\Source\Drivers.
6. In the Driver Packages node, right-click the Hyper-V Drivers package, and then click Distribute
Content.
7. Use the Distribute Content Wizard to add the package to LON-CFG.Adatum.com.
8. Right-click the Hyper-V Drivers package, and then click Refresh. Repeat this step until the status
shows Success. This should take about one minute.
Question: Why do you want to add only the necessary drivers to a boot image?
Question: When importing drivers into Configuration Manager, should you use one package
for all the drivers or divide them into multiple packages?
Preparing boot images

Boot images are similar to operating system
images, except that they contain Windows PE
rather than a full operating system. Boot images
are stored with the Windows image format and
usually have a .wim file name extension.
Configuration Manager does not capture these
.wim files from reference computers but
automatically copies two default boot images
from the Windows ADK for Windows 10 during
installation. One supports the x86 platform,
whereas the other supports the x64 platform. You
can customize the default images after
installation. Additionally, you can import images that you obtain from an external source. Windows PE in
Configuration Manager is based on Windows 10.
Windows PE 10 supports the following operating systems:
• Windows 10
• Windows 8.1
• Windows 8
• Windows 7
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
Like it does for operating system images, Configuration Manager distributes boot images to distribution
points. From a distribution point, clients can copy boot images from the local hard drive for client-
targeted task sequences, copy them to .iso images or USB flash drives for boot-media initiated task
sequences, or distribute them over the network for PXE-initiated task sequences.
Boot images must contain both the appropriate network adapter drivers and mass storage drivers to run
task sequences successfully on the destination computer. Because Windows PE 10 comes with many
drivers, you probably do not need to add any drivers. If you need to add drivers, you must use either the
32-bit or the 64-bit version of the Windows 10 driver you want to add, because Windows PE 10 is based
on Windows 10. Many hardware vendors provide Windows PE driver packages that you can download
from their respective websites.
The boot images might also require input device drivers to provide full keyboard support in Microsoft
Hyper-V in Windows Server 2012 or to support the use of a wireless keyboard and mouse.
Configuration Manager allows you to customize a boot image directly in the Properties dialog box for
the boot image. You can add drivers to a boot image on the Drivers tab, and you can further customize
the image on the Customization and Optional Components tabs.
Using the Customization tab

The Customization tab has the following options:
• Enable prestart command. Selecting the Enable prestart command check box allows you to
specify a command that will run before the client contacts a management point. If this command
requires access to files that are not part of the boot image, you can add the files to the boot image.
For example, you can run a script that runs a Windows Management Instrumentation query for the
Chassis Type value. Based on the value, the script can then set the SMSTSPreferredAdvertID task
sequence variable to an appropriate value to deploy an image for a desktop computer or portable
computer.
• Windows PE Background. The Windows PE Background area allows you to specify a custom
background for your deployment.
• Windows PE Scratch Space (MB). Configuration Manager uses Windows PE 10, which can
dynamically set its scratch space. Therefore, you do not have to specify a scratch-space size setting.
Regardless of what you select, if at least 1 gigabyte of memory exists on the deployed computer,
Windows PE 10 assigns 512 megabytes (MB) of scratch space.
• Enable command support (testing only). Selecting this check box allows you to press F8 while the
deployment is running to display a Command Prompt window on the deployed client computer. For
example, you can use this Command Prompt window to open the log files that the deployment
process creates. However, before selecting this check box, consider the security implications of
allowing full access to the installation files.
Note: If the Command Prompt window is open, no automatic restarts will occur. You must
manually close the Command Prompt window for automatic restarts to occur.
Optional Components tab

On the Optional Components tab, you can configure which optional components you want to add to
the boot image. You can add more than 20 components, such as those for recovery, HTML support,
Windows PowerShell support, and Microsoft .NET support (WinPE-NetFx and WinPE-NetFx4).
You must enable PXE for at least one boot image from each architecture on your PXE-enabled
distribution points. When a client boots by using PXE, the Windows DS server delivers a network boot
program (NBP) to the client that depends on the architecture of the client. The NBP is included in the
boot image.
Question: In your work environment, is there a need to customize any of the boot images?
Demonstration: Managing the default boot images

In this demonstration, you will see how to manage the default boot images.
Demonstration Steps
1. In the Boot Images node, right-click Boot Image (x64), and then click Properties.
2. On the Customization tab, select the Enable command support (testing only) check box.
3. On the Data Source tab, verify that the Deploy this boot image from the PXE-enabled
distribution point check box is selected.
4. Click the Optional Components tab, and then in the Components section, click new (sun icon).
5. In the Select optional components window, select Windows PowerShell (WinPE-PowerShell), and
click OK twice.
6. In the Boot Image (x64) Properties dialog box, click OK.
7. In the Configuration Manager dialog box, click Yes, and then complete the wizard with the default
settings.
8. Right-click Boot Image (x86), and then click Properties.
9. Add Microsoft Hyper-V Network Adapter to the Drivers tab.
11. On the Data Source tab, verify that the Deploy this boot image from the PXE-enabled
click OK twice.
settings.
16. Click Boot Image (x64), Ctrl+click Boot Image (x86), right-click Boot Image (x64), and then click
Distribute Content.
17. Use the Distribute Content Wizard to add the packages to LON-CFG.ADATUM.COM.
18. Right-click one of the packages, and then click Refresh. Repeat this step for the other package to
check its status. Repeat periodically until both show a status of Success. This should take about one
minute.
Question: Why did you include only the network driver when modifying the package?
Operating system images and upgrade packages

You can create two types of operating system
objects in Configuration Manager:
• Operating system upgrade package. You can

copy the installation media that you typically
use only during the build phase of a build and
capture task sequence and then use that copy
as an operating system upgrade package. The
operating system installer image is a copy of
all the files from the installation media.
• Operating system image. This is an operating

system that is captured and is ready for
deployment, and a single .wim file stores it as
an operating system image.
Operating system upgrade packages

An operating system upgrade package contains a copy of the installation media that you can use to install
an operating system. This can include a mix of compressed and uncompressed files.
An operating system upgrade package generally does not include any additional applications or service
packs.
Typically, you use the operating system upgrade package for a build and capture task sequence. You use
a Build and Capture task sequence to install an operating system on a reference computer and then
capture an image of its hard drive.
Note: You can use either operating system upgrade packages or operating system images
for deployment task sequences. However, when you create a task sequence to install an
operating system by using the Create Task Sequence Wizard, you can select only an image. If you
later edit the task sequence, you can change the Apply Operating System Image task sequence
step to use an installer.
Operating system images

Configuration Manager stores operating system images in the .wim file format. This format is a file-based
disk image format that was introduced in Windows Vista. The image files are compressed packages that
contain several related files. A single, compressed, .wim file contains all the necessary files for deploying
one or more images. When you build and capture an operating system image, the .wim file that the
capture process creates stores the operating system files and the files for all the applications installed
during the build process.
Typically, you use the operating system image file to deploy to destination computers.
Managing the additional packages used by operating system deployment

You can use several additional packages with
operating system deployment. To install
additional packages and manage a newly
deployed destination computer, you must use the
Configuration Manager client installation or
upgrade package. Depending on your
deployment scenario or other business
requirements, you might need to create other
packages or applications.
Configuration Manager client package

A Configuration Manager client package is
created by default and automatically distributed
to the distribution point.
USMT package
A USMT 10 package is created by default, but you have to distribute it to the distribution point.
Additional Reading: For more information, about how to Plan for operating system
deployment in System Center Configuration Manager, refer to: http://aka.ms/R8e4ej.
Demonstration: Managing operating system deployment packages

In this demonstration, you will see how to manage operating system deployment packages.
Demonstration Steps
Verify that the USMT and Configuration Manager client packages are ready for use
1. In the Software Library workspace, navigate to Application Management, Packages, and then
verify that the following two packages exist:
o Configuration Manager Client Package
o User State Migration Tool for Windows 10
2. View the Content Locations properties of the Configuration Manager Client Package, and then
notice that the package is distributed to LON-CFG.Adatum.com.
3. Check the Content Locations properties of the User State Migration Tool for Windows 10
package, and then notice that the package is not distributed.
4. Right-click the User State Migration Tool for Windows 10 package, click Distribute Content, and
then distribute the package to the LON-CFG.ADATUM.COM distribution point.
Question: What kinds of drivers must you add to your boot images, and which operating
system should they be for?
Question: How do you enable the Windows PE peer cache in a task sequence?
Statement Answer
You can add only one Network Access account in

Lab A: Preparing the site for operating system deployment

Scenario
A. Datum Corporation has made a large purchase of bare-metal computers. To help simplify the
deployment, your manager wants you to configure the operating system deployment feature in
Configuration Manager. You need to configure all the Configuration Manager roles necessary to deploy
operating systems successfully.
Objectives
After completing this lab, the students will be able to:
• Manage the site system roles used to support operating system deployment.
• Manage packages to support operating system deployment.
Lab Setup
Virtual machines: 20695C-LON-DC1 and 20695C-LON-CFG
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, complete
the following steps:

5. Repeat steps 2 through 4 for virtual machine 20695C-LON-CFG.
Exercise 1: Managing the site system roles used to support operating

system deployment
Scenario
You must configure Configuration Manager to support operating system deployment. In this exercise, you
will configure the site server to support operating system deployment.
1. Enable PXE on the distribution point.
2. Add the state migration point role.
3. Configure the Network Access account.

 Task 1: Enable PXE on the distribution point

1. In the Configuration Manager console, click the Administration workspace, expand Site
Configuration, and then click Servers and Site System Roles.
2. Select \\LON-CFG.adatum.com, right-click the Distribution point role, and then click Properties.
3. In the Distribution point Properties dialog box, click the PXE tab, and then select the Enable PXE
support for clients check box. When prompted, click Yes.
4. Select the Allow this distribution point to respond to incoming PXE requests and Enable
unknown computer support check boxes. When prompted, click Yes.
5. In the Password and Confirm password boxes, under Require a password when computers use
PXE, type Pa$$w0rd.
6. Next to the User device affinity box, select Allow user device affinity with manual approval.
7. In the Distribution point Properties dialog box, click OK.

8. Click the Monitoring workspace, expand Distribution Status, and then click Distribution Point
Configuration Status.
9. Right-click \\LON-CFG.Adatum.com, and then select Refresh. Repeat periodically until the PXE
column displays Yes.
 Task 2: Add the state migration point role

1. On LON-CFG, open the Configuration Manager console.
2. Start the Add Site System Roles Wizard for \\LON-CFG.Adatum.com, and then add the state
migration point role.
3. Configure the state migration point to use the E:\UserState folder to store migration data.
 Task 3: Configure the Network Access account

1. Click the Administration workspace, and then click Sites. Right-click S01 - Adatum Site. Select
Configure Site Components, and then click Software Distribution.
2. In the Software Distribution Component Properties dialog box, click the Network Access
Account tab. Specify the details of the Network Access account as Adatum\NetworkAccess with the
password Pa$$w0rd.
3. Verify that the account can access \\LON-CFG\SMS_S01, and then close the Software Distribution
Components Properties dialog box.
Results: After this exercise, you should have enabled PXE on the distribution point and configured the
Network Access account to support Configuration Manager operating system deployment.
Exercise 2: Managing packages to support operating system deployment

Scenario
You have configured the infrastructure and Configuration Manager site system roles that are necessary for
operating system deployment. Now, you need to configure the boot images and driver package to
support the deployment method that A. Datum Corporation will use. In this exercise, you will prepare and
distribute the various packages that you will need to complete the operating system deployment process.
1. Import Hyper-V drivers.
2. Distribute a driver package.
3. Modify the boot images.

4. Distribute the boot images.
5. Distribute the USMT package.
 Task 1: Import Hyper-V drivers

1. In the Software Library workspace, in the Operating Systems folder, select the Drivers node.
2. On the ribbon, click Import Driver.
3. Use the Import New Driver Wizard to import the drivers in the \\LON-CFG\Software\Drivers
\HyperVx64 folder.
4. Remove the check mark next to Hide drivers that are not digitally signed.
5. Create two categories for the drivers: 64-bit Drivers and Hyper-V Drivers.
6. Create a new package named Hyper-V Drivers, and then store it in \\LON-CFG\E$\Source\Drivers.
 Task 2: Distribute a driver package

1. In the Driver Packages node, right-click the Hyper-V Drivers package, and then click Distribute
Content.
2. Use the Distribute Content Wizard, and then add the package to LON-CFG.ADATUM.COM.
3. Right-click the Hyper-V Drivers package, and then click Refresh. Repeat this step periodically until
Content Status shows Success. This should take about one minute.
 Task 3: Modify the boot images

1. In the Boot Images node, right-click Boot image (x86), and then click Properties.
3. On the Optional Components tab, click new (sun icon), select Windows PowerShell
(WinPE-PowerShell) , and when prompted, click OK.
settings.
6. In the Boot Images node, right-click Boot image (x64), and then click Properties.
8. On the Optional Components tab, click new (sun icon), select Windows PowerShell (WinPE-
PowerShell), and when prompted, click OK.
9. On the Drivers tab, click new (sun icon).
10. In the Select a driver dialog box, remove all selections, select Microsoft Hyper-V Network
Adapter, and then click OK.
11. In the Boot Image (x64) Properties dialog box, click OK, and then update the distribution points as
prompted.
 Task 4: Distribute the boot images

1. Click Boot image (x64), Ctrl+click Boot image (x86), right-click Boot image (x64), and then click
Distribute Content.
2. Use the Distribute Content Wizard, and then add the packages to the LON-CFG.ADATUM.COM
distribution point.
3. Right-click one of the packages, and then click Refresh. Repeat this step for the other package to
check its status.
Note: Repeat this step periodically until both packages show a status of Success. This
might take several minutes.
 Task 5: Distribute the USMT package

1. Under Application Management, click Packages.
2. Click the User State Migration Tool for Windows 10 package, and then click Distribute Content.
3. Use the Distribute Content Wizard, and then add the packages to LON-CFG.Adatum.com.
4. Right-click the User State Migration Tool for Windows 10 package, and then click Refresh.
Note: Repeat this step until the package shows a status of Success. This should take about
one minute.

• Leave all the virtual machines running for use in the next lab.
Results: After this exercise, you should have configured the boot images and created the driver package
that is required for operating system deployment.
Question: In your work environment, would you enable unknown computer support for PXE
boot?
Question: Apart from the packages deployed in the lab, what packages would you include
as part of the operating system deployment process?
Lesson 3
Deploying an operating system
After you create and capture an operating system image, you have to import it into Configuration
Manager and then deploy the image to destination computers. Several methods exist for deploying an
operating system image. For all the methods, you use a task sequence to perform the deployment.
Additionally, you can apply software updates to the operating system images you use for deployment so
that the deployments include up-to-date images. In this lesson, you will learn techniques for deploying a
captured operating system image.
Lesson Objectives
• Describe the process for deploying an operating system image.
• Describe how to add an operating system image to Configuration Manager.

• Import and distribute an operating system image.
• Describe the process for creating and deploying a task sequence to install an existing image.
• Describe the methods for running an installation task sequence.
• Describe how to maintain software updates for operating system deployment images.
• Describe the log files and reports that are used to troubleshoot operating system deployment.
Process for deploying an operating system image

After capturing an image, the deployment process
generally consists of the following steps:
1. Importing the image metadata into

Configuration Manager. After an image is
created, you need to import the image
metadata into Configuration Manager. The
metadata includes the information about one
or more operating systems in the .wim file
and the source location of the .wim file.
2. Distributing the image content to distribution

points. Importing metadata about an image is
the first step in preparing an image for use.
After importing the image metadata, you must distribute the image content to distribution points
from where destination computers can download it.
3. Creating a task sequence to install an operating system. You need to choose the method that you use
to deploy an image and then create a task sequence that supports that choice.
4. Deploying the task sequence. You need to deploy the task sequence to appropriate destination
computers.
Additional Reading: For more information, about How to Deploy Operating Systems in
Configuration Manager, refer to: http://aka.ms/F6tt75.
Using unknown computers vs. importing computer objects

By default, Configuration Manager interacts only
with known computers. Therefore, if you want to
deploy an operating system to a computer that is
not known by Configuration Manager, additional
configuration is needed. You must to add that
computer to the Configuration Manager database
by using either the Import Computer Information
Wizard or unknown computer support.
A computer is considered unknown by

Configuration Manager if:
• The computer does not have a Configuration
Manager client installed on it.
• The computer is not imported into the site database.
• The computer has not been discovered by Configuration Manager.
Importing computer information

The Import Computer Information Wizard lets you import information, either for a single computer or for
multiple computers, by using an import file. You must create the import file in the comma-separated
values (CSV) format before you run the Import Computer Information Wizard.
The file must include the computer name, the system management BIOS (SMBIOS) GUID (32 hexadecimal
characters), and the MAC address (12 hexadecimal characters), with each pair of values separated by a
comma.
The following is a sample import file.
LON-CL6,11111111-1111-1111-1111-111111111116,25:12:15:A0:B9:A1
LON-CL7,11111111-1111-1111-1111-111111111117,25:12:15:A0:B9:A2
LON-CL8,11111111-1111-1111-1111-111111111118,25:12:15:A0:B9:A3
LON-CL9,11111111-1111-1111-1111-111111111119,25:12:15:A0:B9:A4
LON-CL10,11111111-1111-1111-1111-111111111110,25:12:15:A0:B9:A5
The following table describes the pages and settings in the Import Computer Information Wizard.
Page Description
Select Source On this page, you can select Import computers using a file to
specify a file that contains the computer information to import. You
can select Import a single computer to specify information related
to that one computer.
Single Computer On this page, you can specify the computer name, MAC address,
and SMBIOS GUID. Optionally, you can create a computer
association by typing the name of a reference computer from which
the user state and settings will be migrated to the new computer.
Data Preview On this page, you can review the computer information.
Choose Target Collection On this page, you can add new computers to an existing
Configuration Manager collection. You can choose either Add new
computers only to the All Systems collection or Add computers
to the following collection. If you choose Add computers to the
following collection, the computer is added to the collection that
you choose and to the All Systems collection.
Page Description
Summary On this page, you can review the import settings.
Using unknown computer support

Another option when dealing with unknown computers is to use unknown computer support. Because the
Configuration Manager database has no records about an unknown computer, you must do the following
prior to the deployment of a task sequence:
• Deploy the task sequence to the All Unknown Computers collection.
• Enable unknown computer support for your PXE-enabled distribution point or media.
Two unknown computer objects, one for 32-bit (x86) computers and the other for 64-bit (x64) computers,
are located in the All Unknown Computers collection. These objects are not real computers but serve as
placeholders that Configuration Manager uses as targets for the deployment.
When an unknown computer boots, Configuration Manager recognizes it as an unprovisioned computer

and not as an unknown discovered computer. The computer receives the task sequences deployed to the
All Unknown Computers collection, which installs an operating system together with the Configuration
Manager client. A record for the computer, including the real MAC address, is created in the appropriate
collection. In case the deployment fails before the operating system and the Configuration Manager client
are installed, a record named Unknown is created for the computer in the All Systems collection.
To enable unknown computer support, perform the following steps in the Configuration Manager
console:
1. Select the Administration workspace, and then expand Site Configuration. Click the Servers and
Site System Roles node.
2. In the details pane, select the PXE-enabled distribution point, and then in the preview, right-click
Distribution point. Select Properties.
3. In the Distribution Point Properties dialog box, click the PXE tab, and then select Enable unknown
computer support. In the Configuration Manager dialog box, click OK.
To enable unknown computer support for bootable or prestaged media, perform the following steps in
the Configuration Manager console:
1. Select the Software Library workspace, and then expand Operating Systems.
2. Right-click the Task Sequence node, and then select Create Task Sequence Media.
3. In the Create Task Sequence Media Wizard, select either Bootable Media or Prestaged Media.
4. On the Security page, ensure that Enable unknown computer support is selected. Generally, it is
selected by default. Proceed through the rest of the wizard by making the appropriate choices.
Adding an operating system image to Configuration Manager

To import the metadata for a captured image into
Configuration Manager, use the Add Operating
System Image Wizard. The wizard allows you to
specify the location of a .wim file that holds an
image and some basic information about the
operating system image object. After the image
metadata is imported, you can use the various
tabs in the <operating system image name>
Properties dialog box to configure several
settings for the object. The following table
describes each tab’s settings in the Properties
dialog box of an operating system.
Tab Configuration settings
General • Contains the general information you provided in the Name, Version, and
Comment settings.
Images • Allows you to view the properties of the images in a .wim file.
• Allows you to reload an image that has been edited.
Data Source • Displays the location of an image source and allows you to modify that
location.
• Allows you to set a schedule for updating distribution points.
• Allows you to specify if content should persist in the client cache (not be
automatically deleted as needed).
• Allows you to specify the use of differential replication.
Data Access • Allows you to configure package share settings.

• Allows you to specify package update settings.
Distribution • Allows you to specify a distribution priority for site-to-site and site server–to–
Settings distribution point data copying.
• Allows you to specify if this package is available from protected distribution
points.
• Allows you to specify the behavior of the Package Transfer Manager when
the package is assigned to a distribution point that is enabled for prestaged
content.
• Allows you to specify if an operating system can be transferred via
multicasting.
Servicing • Shows the software updates that are scheduled to be applied.
Installed Updates • Lists all the software updates applied to the image.
Content Location • Shows the distribution points this package has been assigned to.
Tab Configuration settings
Security • Shows who has permissions to manage the image.
After an image imports into Configuration Manager, you must distribute the image to one or more
distribution points before you can use it.
Additional Reading: For more information, about how to Customize operating system
images with System Center Configuration Manager, refer to: http://aka.ms/Dknlyp.
For more information, about an Introduction to operating system deployment in System Center
Configuration Manager, refer to: http://aka.ms/Bfdbr0.
Demonstration: Importing and distributing an operating system image

In this demonstration, you will import and distribute an operating system image.
Demonstration Steps
1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace, expand
Operating Systems, and then click Operating System Images.
2. On the ribbon, in the Create group, click Add Operating System Image.
3. In the Add Operating System Image Wizard, on the Data Source page, in the Path box, type the path
to your .wim file, and then click Next.
4. On the General page, in the Name box, type the name of the image, and then click Next.
5. On the Summary page, click Next, and then on the Completion page, click Close.
6. Right-click the image you want to distribute, and then select Distribute Content.
7. In the Distribute Content Wizard, on the General page, click Next.
8. On the Content Destination page, click Add, and then select Distribution Point.
9. In the Add Distribution Points dialog box, select your distribution points, and then click OK.
10. On the Content Destination page, click Next.
12. Right-click the image, and then click Refresh. Repeat periodically until the status shows Success.
Question: If you plan to use operating system deployment to deploy Windows 10 to two
brands of laptops and three models of desktop computers, how many operating system
images will you have to import?
Overview of task sequences

Task sequences are objects that you can use to
run a complex process, such as installing an
operating system, configuring settings on a
computer, or preparing a computer for operating
system capture.
A task sequence step represents an individual

action that runs in a task sequence. For instance,
before installing an operating system, you might
need to format the disk on which you will install
the operating system. To do this, you can use a
Format and Partition Disk task sequence step.
You group task sequence steps into task sequence

groups. Using task sequence steps in task sequence groups allows you to organize and configure error
control for each individual task sequence, step, and group. Task sequence groups have the same options
as individual task sequence steps. However, all the steps in the group are treated as a whole. For example,
all the steps in the group are disabled if you disable the task sequence group, and no steps in the group
will run if a specified condition is not met.
The following table lists the terms that describe task sequences and their components.
Term Definition
Action The command part of a single step within a task sequence. Two types of task
sequence actions exist: custom actions and built-in actions.
Custom action A command-line string, which the administrator supplies, that runs a command
on a destination computer.
Built-in action A Configuration Manager action that performs a specific action on a destination
computer. Examples of built-in actions include joining a workgroup or domain,
and formatting and partitioning a disk.
Condition A parameter within a task sequence step or task sequence group that
determines whether the target should process the action.
Task sequence The basic component of a task sequence or task sequence group. Each step can
step contain an action and an optional check for the conditions assigned to a task
sequence.
Task sequence A logical arrangement of multiple steps within a task sequence. A task sequence
group group consists of a name and an optional check for the conditions assigned to a
task sequence.
You are not required to group the task sequence steps. However, using groups
improves the readability of the task sequence and provides better conditional
processing.
Note that each task sequence group can contain additional, nested task
sequence groups.
Task sequence variables

A Configuration Manager task sequence variable is a placeholder for a value that you can use to supply
configuration and operating system deployment settings for task sequence steps.
Task sequence variables provide a mechanism to configure and customize individual task sequence steps
within a task sequence. You can configure task sequence variables on a collection or as part of a prestart
command on a boot image.
You can define task sequence variables in the following places:
• On a computer
• On a collection
• As a task sequence step
• On the Customization page of the Task Sequence Media Wizard

Because you can define task sequence variables in more than one place, conflicts can occur. In this case,
the following logic is used to determine which variable will win:
1. The Set Task Sequence Variable step in a task sequence wins over all other variables.
2. A variable defined on the computer object wins over a variable defined on the collection.
3. A task sequence that runs from media uses the variables set on the Customization page of the Task
Sequence Media Wizard and ignores the variables set on either the computer or collection.
You can use task sequence variables in the task sequence environment to perform the following actions:
• Configure settings for a task sequence action.
• Supply command-line arguments for a task sequence step.
• Evaluate a condition that determines if a task sequence step or group runs.
• Provide values for custom scripts used in a task sequence.
For example, a task sequence might include a Join Domain or Workgroup task sequence step. You might
deploy the task sequence to different collections, where the collection membership determines the
domain membership. In this case, you can specify a per-collection task sequence variable for each
collection’s domain name and then use that task sequence variable to supply the appropriate domain
name in the task sequence.
Question: In your environment, how can you use task sequence variables?
Creating and deploying a task sequence to install an existing image

Before you can create your deployment task
sequence, you need to determine the deployment
scenario you are going to use. You must select
one of the following deployment scenarios: bare-
metal installation, operating system refresh, in-
place upgrade, or side-by-side migration.
Creating an operating system

deployment task sequence
When you use the Create Task Sequence Wizard,
you can create a task sequence to deploy an
operating system image that was previously
captured. After you create a task sequence, you
can edit the task sequence from the Task Sequences node by right-clicking the task sequence and then
clicking Edit.
To create an operating system deployment task sequence, complete the following steps:
1. In the Configuration Manager console, in the Software Library workspace, in the Operating
Systems folder, click the Task Sequences node.
2. To start the Create Task Sequence Wizard, right-click the Task Sequences node, point to New, and
then click Create Task Sequence.
3. On the Create a New Task Sequence page, select Install an existing image package, and then
click Next.
The wizard then takes you through a series of pages that require you to provide information related to
creating an operating system deployment task sequence. The following table discusses these pages and
the information that you must provide on each page.
Page Configuration settings
Task Sequence • A descriptive name for the task sequence.

Information
• An optional comment.
• The boot image to use with the task sequence.
Install Windows • The operating system image package to deploy a new operating system
to a destination computer.
• The edition within the operating system image package.
• The licensing information.
• The Enable the account and specify the local administrator password
setting, which must be selected to enable the local administrator account.
• The Password and Confirm password boxes, which are optional.
Note: If you use the same password for all the local administrator accounts,
and if that password becomes compromised, all your systems will be
vulnerable to security threats.
Configure Network • A Windows domain that you join and the domain and organizational unit
(OU) to join.
• An account with join domain permissions. You should never use a domain
administrator account, because the user name and password are
temporarily stored on the target system without encryption.
Install Configuration • The Configuration Manager client package to use.

Manager
• The installation properties for the client software to be configured,
according to the needs of the environment.
State Migration • Whether to capture the user state and, if so, whether to configure the
package for USMT.
• Whether to capture Windows and network settings.
Include Updates • All software updates.

• Mandatory software updates.
• None.
Install Applications • Existing applications that you can select to be installed as part of the
After you complete the Create Task Sequence Wizard, you can choose to deploy or edit the new task
sequence.
Deploying an operating system deployment task sequence

You deploy the operating system deployment task sequence in the same manner that you deployed the
build and capture a reference operating system image task sequence. That is, you deploy a task sequence
to a collection by using the Deploy Software Wizard.
The wizard takes you through a series of pages that require you to provide information related to
deploying an operating system deployment task sequence. The following table lists these pages and the
information you must provide on each page.
Content • The groups or distribution points to copy the content to
Deployment Settings • The purpose of the deployment: available or required

• The priority of the deployment: normal or high
• The deployment option you want to use:
o Only Configuration Manager clients
o Configuration Manager clients, media, and PXE boot
o Only media and PXE boot
o Only media and PXE boot (hidden)
Scheduling • The date you want this deployment to be available, with enough time for
the content to replicate
• The date you want this deployment to expire
• Any mandatory assignment times if the deployment is required
User Experience • Whether to show a status bar

• How to behave if a maintenance window is configured on the collection
• Whether this task sequence can be used across the Internet
Alerts • An alert threshold for failed deployments
Distribution Points • How clients will interact with the distribution points to retrieve content
for this deployment
Additional Reading: For more information about task sequence steps, including those for
enabling BitLocker, configuring UEFI settings, and partitioning disks, refer to Task Sequence Steps
in Configuration Manager: http://aka.ms/fjamr0.
Considerations for integrating applications and software updates by using

a task sequence
It is possible to install software as part of your
operating deployment by integrating it into your
task sequence.
You must select software with installation options
that meet the following criteria:
• It must run under the Local System account

and not the signed-in user account.
• It should not interact with the desktop; the

application must run silently or in an
unattended mode.
• It must not initiate a computer restart on its

own. The program must request a computer restart by using a 3010 return code. This helps to ensure
that the task sequence step properly handles the computer restart.
Furthermore, the packages and applications that you want to install must be created in Configuration
Manager and distributed to your distribution points.
You can use either the Install Package task sequence step or the Install Application task sequence step to
install software as part of the task sequence. When either of these steps run, the installation starts
immediately without waiting for a policy polling interval.
Because the Configuration Manager client handles the actual installation, like it does for any other
software deployment, you must place your Install Package or Install Application steps after the Setup
Windows and Configuration Manager step, which is responsible for installing and registering the
Configuration Manager client.
Installing software by using an Install Application step in a task sequence

To add an Install Application task sequence step, complete the following steps:
1. In the Configuration Manager console, select the Software Library workspace, expand Operating
Systems, and then click the Task Sequence node.
2. In the details pane, right-click the task sequence you want to add the Install Application step to, and
then select Edit.
3. In the Task Sequence Editor, click the Setup Windows and Configuration Manager step.
4. Click Add, select Software, and then click Install Application.
5. On the Properties tab of the Install Application step, in the Name box, type the name of the
application—for example, Microsoft XML Notepad 2007.
6. Verify that the Install the following application option is selected, and then click new (sun icon).
7. In the Select the application to install window, select the application, and then click OK.
8. If you want to add another application, repeat steps 6 and 7.
Installing software by using an Install Package step in a task sequence

To add an Install Package task sequence step, complete the following steps:
2. In the, pane, right-click the task sequence you want to add the Install Package step to, and then
select Edit.
4. Click Add, select Software, and then click Install Package.
5. On the Properties tab of the Install Package step, in the Name box, type the name of the
application—for example, Microsoft XML Notepad 2007.
6. Verify that the Install a single software package option is selected, and then click Browse.
7. In the Select the software package to install window, select the package, and then click OK. In the
Program box, select the program you want to run.
8. If you want to add another package, repeat steps 4 through 7.
Instead of adding several Install Application or Install Package steps, you can install them by using a
dynamic variable list:
1. In the Configuration Manager console, select the Assets and Compliance workspace, click Device
Collections, and then right-click the collection that you have deployed the task sequence to.
2. In the Properties window of the collection, click the Collection Variables tab, and then click new
(sun icon).
3. In the <New> Variable window, in the Name box, type AdatumApps001, and then in the Value box,
type Microsoft Office 2016.
4. Repeat step 3 to add another application by specifying another variable that uses AdatumApps002
as the Name and Microsoft Skype for Business as the Value.
Note: The name of the variable can be any combination of letters appended with a three-
digit number, beginning with 001 for the first entry. The value of the variable must be the name
of the application as it appears in the Configuration Manager console when using applications.
When using packages, it must be PackageID:Program.
5. To use the variable list to install either applications or packages, edit your task sequence, and then
select your Install Application or Install Package step.
6. On the Properties page of the Install Application or Install Package step, select Install applications
according to dynamic variable list or Install software packages according to dynamic variable
list, respectively, and then in the Base variable name box, type the first part of the variable name—
for example, AdatumApps.
You can also choose to install software updates as part of your operating system deployment. The
following requirements must be met:
• The software update feature in Configuration Manager must be enabled.
• All the software updates you want to install must be downloaded and distributed to your distribution
points.
• The software updates must be deployed and targeted to the same collection that you used as the
target for your task sequence.
• The Software Updates Agent must be enabled.
You use the Install Software Updates task sequence step to install software updates as part of the task
sequence. The Create Task Sequence Wizard adds the Install Software Updates step if you choose to install
either mandatory software updates or all software updates.
If you manually add the Install Software Updates step, you must place it after the Setup Windows and
Configuration Manager step, which is responsible for installing and registering the Configuration Manager
client. The reason is that the Configuration Manager client handles the actual installation, like any other
software update deployment.
Adding the Install Software Updates step to a task sequence

To add an Install Software Updates task sequence step, complete the following steps:
2. In the details pane, right-click the task sequence you want to add the Install Software Updates step to,
and then select Edit.
4. Click Add, select Software and then click Install Software Updates.
5. On the Properties tab of the Install Software Updates step, select either Mandatory Software
Updates or All Software Updates.
6. Click OK to close the Task Sequence Editor.

Methods for running an installation task sequence

Five methods exist to initiate a task sequence to a
destination computer:
• Configuration Manager client
• PXE boot
• Boot media
• Standalone media
• Prestaged media
Regardless of the method that you use, the Task

Sequence Wizard runs and connects to a
management point to find the appropriate
deployment task sequence to run.
Configuration Manager client

You typically use this initiation method with an operating system refresh, in-place upgrade, or side-by-
side migration. This initiation method requires that all destination computers be Configuration Manager
clients.
When installing a new operating system on an existing Configuration Manager client, you deploy the task
sequence to the client just as you do for any other application. You can configure the task sequence as
required so that it starts as soon as the client gets the policy from a management point. You also can
schedule the task sequence to run later or enable an end user to start it manually.
PXE boot
You typically use this initiation method with new hardware—for either a bare-metal installation or the
deployment phase of a side-by-side migration.
In addition, you can use PXE to initiate operating system deployments to computers that are both known
and unknown to Configuration Manager.
When a destination computer that is configured for PXE boot starts, the client uses PXE to find a bootable
image to download and start. The PXE-enabled distribution point responds to PXE requests from
computers on the network. The client then downloads the boot image and starts Windows PE and the
Task Sequence Wizard.
Boot media
You typically use this initiation method with a bare-metal installation or an operating system refresh. You
often use boot media if your hardware does not support PXE boot, if manual initiation of the deployment
process is preferable, or if you do not want to add PXE support to the network infrastructure.
You can use Configuration Manager to deploy an operating system image to a new, bare-metal computer
or to a computer that is new to your Configuration Manager site by performing the following procedure:
1. Deploy the task sequence to the appropriate collection.
2. Create bootable media that will initiate operating system deployment by performing the following
procedure:
a. Right-click the Task Sequences node, and then click Create Task Sequence Media to start the
Task Sequence Media Wizard.
b. Click Bootable media as the media type:

 Dynamic media. You can use this type of media in any site.
 Site-based media. You can use this type of media only in a site, and it requires that you
specify the management point to contact in the site that is used.
c. Specify the media type as USB flash drive or CD/DVD set. A CD/DVD set requires a file name
and creates an ISO image file.
d. Specify the security settings, such as Enable unknown computer support, password protect the
media, and then select the certificate option you want to use.
e. Choose a boot image and distribution point from which to download the selected boot image.
f. Specify one or more management points the media-booted computer accesses.
g. Specify any variables or prestart commands to run.
3. Prepare the boot media from the created files, and then start the system from the media. After the
system starts Windows PE, the deployment begins.
Stand-alone media
You typically use this initiation method with a bare-metal installation or an operating system refresh in
locations with bandwidth concerns. You can also use this method when a network access policy prohibits
physically connecting a computer to the network before specified security updates have been applied to
that computer.
You can use Configuration Manager to deploy an operating system image to a new, bare-metal
computer, even if the computer cannot reach the Configuration Manager site, by using standalone media.
To do so, perform the following procedure:
1. Create stand-alone media that installs an operating system image:
a. Right-click the Task Sequences node, and then click Create Task Sequence Media to launch
the Task Sequence Media Wizard.
b. Select the Stand-alone media type.
c. Specify the media type as USB flash drive or CD/DVD set. A CD/DVD set requires a file name
and creates an ISO image file. Depending on the size of the image, it image might span multiple
pieces of media.
Note: If you choose to use a CD/DVD set, you must burn the ISO image file or files that the
wizard generates to a CD/DVD set.
d. Specify the security settings to password protect the media.
e. Specify the task sequence to deploy.
f. Add a distribution point from which to download the media-creation content.
g. Specify any variables or prestart commands to run.

2. Start the system from the media. After the system starts Windows PE, the installation begins.
Prestaged media
You typically use this initiation method with a bare-metal installation to prepare a hard drive for a
computer. Original equipment manufacturers (OEMs) typically use this initiation method to prepare
systems for delivery.
You can use Configuration Manager to deploy an operating system image that can be copied to a hard
drive for deployment by performing the following procedure:
1. Create prestaged media that installs an operating system image:
a. Right-click Task Sequences, and then click Create Task Sequence Media to launch the Task
Sequence Media Wizard.
b. Select the Prestaged media type.
c. Specify the media properties, including the location to create the file and the name of the file.
d. Specify the security settings to password protect the media, enable unknown computer support,
use device affinity, and select the certificate options.
e. Specify the task sequence you want to use.

f. Specify the boot image you want to use for the media and the distribution point from which to
download it.
g. Specify the operating system installation image you want to use.
h. Specify any applications you want to add to the prestaged media.
i. Specify any packages you want to add to the prestaged media.
j. Specify any driver packages you want to add to the prestaged media.
k. Specify the distribution point from where to download content, which the deployment of the task
sequence requires, by using the prestaged media.
l. Specify any variables or prestart commands to run.

m. Import the prestaged media image as an operating system image.
2. Create a custom task sequence to deploy the image, or send the .wim file to your OEM.
Question: In your work environment, which deployment scenario and method are you most
likely to use?
Maintaining software updates for system images

In Configuration Manager, you can apply software
updates to your .wim images offline. You can
specify the software updates to apply to an image
by using the Update Operating System Image
Wizard. You can also configure approved software
updates to apply on a schedule. When a schedule
is set, Configuration Manager uses Deployment
Image Servicing and Management (DISM) to
apply the updates to an image. You can also use
DISM to manually apply software updates.
Note: You must install and configure a software update point before you can use offline
servicing for your operating system images.
Only software updates that support Component Based Servicing (CBS) can be used with offline servicing,
and that normally includes operating system updates. Software updates for Internet Explorer, .NET, and
Office do not support CBS. Thus, they cannot be used with offline servicing and must be applied when the
full operating system is running.
To configure software updates for an existing operating system image, complete the following steps:
1. In the Software Library workspace, expand Operating Systems, and then click Operating System
Images.
2. Right-click the operating system image you want to configure for offline servicing, and then click
Schedule Updates.
3. In the Schedule Updates Wizard, on the Choose Updates page, select the updates you want to apply
to the operating system image, and then click Next.
4. On the Set Schedule page, specify the schedule for the updates, and then click Next.
5. On the Summary page, click Next.
6. On the Completion page, click Close.
Process for updating the operating system image

When the time for the scheduled software updates occurs, the site server runs the following steps to
update the operating system image:
1. Copy the .wim file from its source location to a temporary folder.
2. Mount the .wim file on a temporary folder.
3. Use DISM to apply the software updates to the mounted image.
4. Unmount the updated .wim file, and then copy it to the source location of the original .wim file.
Note: Configuration Manager maintains a copy of the original .wim file in case you need to
revert the changes. However, Configuration Manager keeps only one version of the .wim file prior
to a software update. This means that when you update the image again, the original version of
the .wim file is deleted.
Troubleshooting operating system deployment

Log files and reports help you to troubleshoot
Log files
Operating system deployment uses the log files
described in the following table when recording
information related to its components.
Log file Location Information recorded
CreateTSMedia.log On the SMS Provider server: Information generated

during the creation of
• If the SMS Provider is installed on the site
bootable media and capture
server, the file is located at C:\Program
media
Files (x86)\Microsoft Configuration
Manager\AdminConsole\AdminUILog.
• If the SMS Provider is installed on
another server, the file is located at
C:\smsprov\logs.
Setupact.log, At %Windir%. The Sysprep and setup logs

Setupapi.log, and
Setuperr.log
CCMSetup.log At %Windir%\ccmsetup. CCMSetup.exe actions
SMSTS.log On the destination computer: General operating system

deployment and task
• If the task sequence completes when
sequence log events
running in the full operating system with
a Configuration Manager client installed
on the computer, the file is located at
C:\Windows\CCM \logs.
running in the full operating system with
no Configuration Manager client installed
on the computer, the file is located at
%Temp%\SMSTSLOG.
running in Windows PE, the file is located
at <largest fixed partition>\SMSTSLOG.
• In Windows PE, task sequences create the
log at X:\windows\temp\SMSTSLOG.
Because this is stored in RAM, the log will
be lost if the system is restarted. If the
boot image has command-line support
available, you can press F8 to open the
command prompt and access the
SMSTS.log file.
Reports
You can use reports to monitor an operating system deployment. Configuration Manager provides four
categories of reports that provide information about task sequences. The categories of the reports and
some of the reports in each category are:
• Task Sequence – Deployment Status:
o All the system resources in a specific state for a specific task sequence deployment available to
unknown computers
o A status summary of a specific task sequence deployment
• Task Sequence – Deployments:
o All the task sequence deployments available to unknown computers
o The progress of a running task sequence

• Task Sequence – Progress:
o The progress of operating system deployment task sequences
o The status of all unknown computers

• Task Sequence – References:
o Content referenced by a specific task sequence
Question: You have a task sequence that deploys Windows 10 Enterprise (x64), and you
want to deploy it to a newly purchased computer that is not known by Configuration
Manager. What should you do next?
Question: You have created a task sequence that will install Windows 10 Enterprise, and you
want to deploy it on a few computers while minimizing the impact on your network. Which
deployment method is best suited to accomplish this task?
Lab B: Deploying operating system images for bare-metal

installations
Scenario
The Image Engineering team has created a new reference image. You need to use Configuration Manager
to deploy this new image to several newly purchased desktop computers.
Objectives
After completing this lab, the students will be able to:
• Import an image into Configuration Manager.
• Import a computer object into Configuration Manager.
• Create a task sequence to deploy an image.
• Deploy an image.
Lab Setup

Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. If the virtual machines are not still
running from the previous lab, complete the following steps:
5. Repeat steps 2 through 4 for virtual machine 20695C-LON-CFG.
Exercise 1: Preparing the operating system image

Scenario
In this exercise, you will import a reference image into Configuration Manager and distribute it to the
distribution point. Then you will import a computer object into Configuration Manager.
1. Import the reference image.
2. Distribute the image to the LON-CFG distribution point.
3. Import a computer object.

 Task 1: Import the reference image

1. In the Configuration Manager console, click the Software Library workspace, and then expand
Operating Systems.
2. Right-click Operating System Images, and then select Add Operating System image.
3. On the Data Source page, in the Path box, type \\LON-CFG\e$\Sources\Install.wim, and then click
Next.
4. On the General page, in the Name box, type Windows 10 Enterprise (x64) Evaluation, and then
click Next.
 Task 2: Distribute the image to the LON-CFG distribution point

1. Right-click the Windows 10 Enterprise (x64) Evaluation image, and then select Distribute
Content.
2. On the General page, click Next.
3. On the Content Destination page, add the image to the LON-CFG.ADATUM.COM distribution
point.
4. On the Content Destination and Summary pages, click Next.

6. Repeat refreshing the Windows 10 Enterprise (x64) Evaluation image periodically until the status
shows Success. This should take around five minutes.
 Task 3: Import a computer object

1. In Hyper-V Manager on your host computer, select the 20695C-LON-REF1 virtual machine.
2. In the details pane for the 20695C-LON-REF1 virtual machine, click the Networking tab, and then
from the Adapter column, write down the media access control (MAC) address.
3. In the Configuration Manager console, click the Assets and Compliance workspace, right-click the
Devices node, and then select Import Computer Information.
4. On the Select Source page, select Import single computer, and then click Next.
5. On the Single Computer page, type the following information, and then click Next:
o Computer Name: LON-REF1
o MAC address: <the MAC address you wrote down>
6. On the Data Preview page, verify the information, and then click Next.
7. On the Choose Target Collection page, select Add computers to the following collection, select
the Adatum production image collection, and then click OK.
8. On the Choose Target Collection page, click Next.
10. On the Confirmation page, click Close.

11. Click the Device Collections node, and then update the membership for the All Systems and
Adatum production image collections.
12. When the Member Count column changes to 1, double-click the Adatum production image
collection, and then see the computer you have added.
Results: After completing this exercise, you will have imported a pre-created image into Configuration
Manager and distributed that image to the distribution point. You will have created a computer object for
LON-IMG and placed it in the Adatum production image collection.
Exercise 2: Creating a task sequence to deploy an image

Scenario
In this exercise, you will create and modify a task sequence to deploy an existing image to client
computers.

1. Create a task sequence to install an existing image.
2. Edit a task sequence.
 Task 1: Create a task sequence to install an existing image

1. In the Configuration Manager console, right-click Task Sequences, and then select Create Task
Sequence.
2. Use the Create Task Sequence Wizard to create an Install an existing image package task sequence
with the information in the following table.
Task Sequence • Task sequence name: Deploy Windows 10 Enterprise (x64)

Information Evaluation
• Boot image: Boot image (x64) 10.0.10240.16384 en-US
Install Windows • Use the Windows 10 Enterprise (x64) Evaluation en-US image
that you imported earlier.
• Remove the check mark next to Configure task sequence for
use with BitLocker.
• Local administrator account: Enable account and specify the
local administrator password
• Password: Pa$$w0rd
Configure Network • Join the Adatum.com domain.

• Use the Adatum\Administrator account credentials to join the
domain.
• Use London Clients as the OU.
Install Configuration • Use the Configuration Manager Client Package.

Manager
State Migration • Remove all the check marks.
Include Updates • None.
Install Applications • None.
 Task 2: Edit a task sequence

• Edit the Deploy Windows 10 Enterprise (x64) Evaluation task sequence, and then make the
following changes:
o Modify the Apply Windows Settings step with the following:

 User Name: A. Datum IT Services
 Organization name: A. Datum
Results: After this exercise, you will have created and edited a task sequence to deploy an existing image.
Exercise 3: Deploying an image

Scenario
You have imported and distributed the captured operating system image, and you have created a task
sequence to deploy the imported image. You will deploy the task sequence to the Adatum production
image collection, which contains one of the newly purchased computers.
1. Deploy an image installation task sequence by using PXE.

 Task 1: Deploy an image installation task sequence by using PXE

1. Right-click Deploy Windows 10 Enterprise (x64) Evaluation, and then click Deploy.
2. Use the Deploy Software Wizard to deploy the task sequence to the Adatum production image
collection.
3. On the Deployment Settings page, select the following:
o Purpose: Available
o Make Available to the following: Only media and PXE
4. Complete the rest of Deploy Software Wizard with the default settings.
 Task 2: Start 20695C-LON-REF1

1. In Hyper-V Manager, right-click 20695C-LON-REF1, and then in the Actions pane, click Connect.
2. In the Virtual Machine Connection window, select Action, and then click Start.
3. When LON-REF1 boots, click inside the Virtual Machine Connection window, and when prompted,
press F12.
Note: Wait for the boot image to be staged and for the computer to boot into
Windows PE.
4. In the Welcome to the Task Sequence Wizard, type Pa$$w0rd, and then click Next.
5. In the Task Sequence Wizard window, click Next.
6. Monitor the deployment. The task sequence will take approximately 15 minutes to complete.
7. After the deployment is complete, sign in to LON-REF1 as Adatum\Administrator with the password
Pa$$w0rd, and then verify that the computer is named LON-REF1.

following steps:
4. Repeat steps 2 and 3 for 20695C-LON-CFG and 20695C-LON-REF1.
Results: After this exercise, you will have deployed the task sequence and installed the operating system
image on LON-REF1.
Question: When would you include an application in the install an existing image task
sequence rather than in the build and capture task sequence?
Question: In your work environment, will you use USMT for state migration?

Best Practices
Supplement or modify the following best practices for your own work situations:
• Implement access controls to protect bootable media. When you create bootable media, you should
always assign a password and control physical access to the media.
• Always install the most-recent security updates on a reference computer. Starting with an up-to-date
reference computer helps to decrease the window of vulnerability for newly deployed computers.
• If you are deploying operating systems to unknown computers, implement access controls to prevent
unauthorized computers from connecting to the network. Although deploying operating systems to
unknown computers can be a convenient way to deploy multiple computers on demand, it can also
allow a malicious hacker to add a trusted computer on your network. It also can deploy an operating
system image to computers that have not yet been discovered by Configuration Manager by mistake.
Review Questions
Question: How can operating system deployment assist in managing your organization’s
systems?
Question: What packages can you use for operating system deployment?
Question: Why would you use a task sequence outside of operating system deployment?
Question: Why should you import computer information into the Configuration Manager
database before deployment?
Question: You are creating a new image for a new corporate standard laptop. You discover
that the accelerometer driver is not automatically installed during operating system
deployment. What can you do to install the accelerometer driver without user intervention?
Tools
Tool Use for Where to find it
MDT 2013 Update 2 Managing deployment images http://aka.ms/V6gnxw

10-1
Module 10
Integrating MDT and Configuration Manager for
Contents:
Lesson 1: Integrating deployment tools with Configuration Manager 10-2
Lesson 2: Integrating MDT with Configuration Manager 10-6
Lab A: Integrating MDT and Configuration Manager for operating system

deployment 10-20
Lab B: Configuring UDI 10-29
Module Overview
You can use both Microsoft Deployment Toolkit (MDT) 2013 Update 2 and Microsoft System Center
Configuration Manager (Configuration Manager) to deploy operating systems, manage deployment
resources, and deploy applications, updates, and service-deployment resources. Determining which of
these two solutions you should use depends on the scale of your organization’s management. Typically,
organizations that have fewer than 500 devices use MDT 2013 Update 2, while organizations that have
more than 500 devices use Configuration Manager. Although MDT 2013 Update 2 is used primarily for
deployment, Configuration Manager can be used to perform several tasks in addition to deployment.
MDT 2013 Update 2 is a free Solution Accelerator, while Configuration Manager requires a System Center
license. In this module, you will learn how to integrate these tools to complement each other’s features.
Objectives
• Integrate MDT 2013 Update 2 and Center Configuration Manager to ensure an effective operating
system deployment.
• Deploy Windows 10 by using an MDT task sequence.
• Deploy Windows 10 by using a user-driven installation (UDI) task sequence.

10-2 Integrating MDT and Configuration Manager for operating system deployment
Lesson 1
Integrating deployment tools with Configuration Manager
Integrating MDT 2013 Update 2 with Configuration Manager can enhance your organization’s
deployment solutions significantly. When you use both products together, the tools' features complement
each other. This enables you to manage an operating system deployment centrally. In this lesson, you will
examine the benefits of and process for integrating MDT 2013 Update 2 and Configuration Manager.
Lesson Objectives
• Explain the benefits of integrating MDT and Configuration Manager.
• Explain how to enable the integration of Configuration Manager.
• Describe the additional tools that you can use for deployment.
Benefits of integrating MDT and Configuration Manager

When you integrate MDT 2013 Update 2 with
the Configuration Manager operating system
deployment function, you add approximately 280
enhancements to operating system deployment.
The following sections list the most commonly
used features that you receive by integrating MDT
2013 Update 2 with Configuration Manager.
Dynamic deployment
UDI is part of MDT. Integrating MDT 2013
Update 2 with Configuration Manager adds the
UDI feature to Configuration Manager. With UDI,
you can allow your users to interact with some of
the operating system deployment steps such as naming the machines, choosing an organizational unit
(OU), choosing apps, and other choices based on their needs. The administrator can control the level of
interaction available to users, which offers greater flexibility in an organization’s operating system
deployment solution.
MDT, unlike Configuration Manager, can use the local administrator account to complete a deployment,
whereas Configuration Manager deploys under the Local System account. Therefore, you have greater
flexibility when you use MDT to deploy operating systems, because you can adjust the configuration’s
look and feel, and then use the CopyProfile setting to customize settings in the Default User profile.
After integrating MDT 2013 Update 2 and Configuration Manager, you can provide additional instructions
from the MDT rules, without increasing the complexity of the task sequence. This means that you can
store Configuration Manager task sequence settings in the CustomSettings.ini file or the MDT database,
which ultimately reduces the number of separate steps in the task sequences. You also can use the
Suspend function in MDT to suspend a task sequence in the middle of a deployment capture. This allows
you to make configuration changes manually that you cannot otherwise automate. You should not rely on
this as a standard practice, unless you have no other choice. Pausing a task sequence to make manual
changes defeats the purpose of the automatic deployment feature in MDT.
Reference image creation

You can also use the standalone MDT 2013 Update 2 software to separately create and manage reference
images that you use for operating system deployment. MDT 2013 Update 2 provides a single creation
point for reference images. You can reuse the images created with MDT in many different environments
such as Configuration Manager, MDT, Virtual Desktop Infrastructure (VDI), Virtual Machine Manager 2012
or newer, or Windows Deployment Services. Creating a reference image in MDT is potentially less
complicated and therefore quicker than using the Configuration Manager method.
Simulation environment for operating system deployment

Integrating MDT 2013 Update 2 provides a simulation environment for an operating system deployment
with Configuration Manager. By setting up MDT rules, you can test your deployment options quickly, and
verify whether they are working properly, without performing a complete deployment.
Real-time monitoring
Integrating MDT 2013 Update 2 also enables you to monitor deployments in real time. Microsoft
Diagnostics and Recovery Toolkit (DaRT), which is part of the Microsoft Desktop Optimization Pack
(MDOP), is used to connect remotely to a Windows Preinstallation Environment (Windows PE)
deployment preinstall task sequence step. You can view the real-time deployment from the MDT
Deployment Workbench, or you can use a variety of tools, such as Windows PowerShell, a web browser,
Event Viewer, Office Excel 2013, or any script or app that can read information from an open data feed.
Optional Deployment Wizard

By integrating MDT 2013 Update 2 with Configuration Manager, you enable user interaction by utilizing a
UDI deployment. The integration adds the UDI Wizard Designer, which enables the administrator to
customize the screens that a user would see during a UDI deployment. You can configure the display that
a user sees, and hide those items that you do not want a user to choose.
Zero-touch installation, lite-touch installation, and UDI deployments

There might be scenarios in which you do not want users to interact with a deployment. You might want
the entire deployment to complete automatically, including the installation of apps and the addition of
user data, so that the user simply can sign in and start working as soon as the deployment finishes.
Additionally, you might not wish to have any user interaction with a deployment project, especially if a
large number of deployments will occur simultaneously. This type of deployment is a zero-touch
installation (ZTI). You can implement a ZTI only by using Configuration Manager. In a lite-touch
installation (LTI) scenario, a user might have to start a deployment with an action as simple as pressing a
key, but would not need to interact further with the deployment. You can implement an LTI deployment
only by using MDT. For a UDI deployment, you need to integrate MDT with Configuration Manager.
Demonstration: Enabling Configuration Manager integration

In this demonstration, you will learn how to:
• Install the MDT 2013 Update 2 and run the ConfigMgr Integration app.
• Set up the Deployment Workbench console for monitoring.

• Create a new database for MDT.
• Verify the MDT integration in Configuration Manager.

Demonstration Steps
Install MDT 2013 Update 2 and run the ConfigMgr Integration app
1. From the E:\Software\MDT2013 folder, install the MicrosoftDeploymentToolkit2013_x64.msi file.
Select the default for all option pages of the installation wizard. Make sure that you close the
Configuration Manager console before you begin the installation.
2. On the Apps page, run the Configure ConfigMgr Integration app, and accept all the defaults in the
installation wizard. Ensure the following values are used:
o Site Server Name: LON-CFG.Adatum.com
o Site code: S01
Set up the Deployment Workbench console for monitoring

1. On the Apps page, run the Deployment Workbench app.
2. In the Deployment Workbench console, create a new deployment share and then accept all of the
default options in the New Deployment Share Wizard.
3. In the MDT Deployment Share properties, enable monitoring.
Create a new database for MDT

• Under the MDT Deployment Share (C:\DeploymentShare)\Advanced Configuration\Database
node, select New Database, and then create an MDT database with the following properties (all
other properties should use default values):
o SQL Server name: LON-CFG
o Database name: MDT_DB
o SQL Share: DeploymentShare$
Verify the MDT integration in Configuration Manager

1. Open the Configuration Manager console, and confirm that the integration was successful.
2. If the new item Create MDT Task Sequence does not appear, sign out of LON-CFG, sign in again as
Adatum\administrator with the password Pa$$word, and repeat step 1.
3. After the information successfully appears, close the Configuration Manager console.
Overview of additional deployment tools

When you integrate MDT 2013 Update 2 with
Configuration Manager, you can use several
available tools during operating system
deployment, including the CopyProfile setting,
the UDI Wizard Designer, and DaRT.
You can use the CopyProfile setting to copy a

customized profile to the default user profile. This
means that all new users on a machine will get a
copy of your customized profile. After you make
the desired customizations to the profile you wish
to copy, you enable CopyProfile by setting it to
Yes in your unattend.xml file.
You can use the UDI Wizard Designer to modify the behavior of the UDI Wizard when using UDI. This is
discussed in detail in the topic Working with UDI deployment, later in this module.
DaRT
DaRT is part of the MDOP, and to obtain it, you require a license agreement with Microsoft. You can use
DaRT to connect remotely into the Windows PE preinstall task sequence during a deployment. You might
want to interact with the UDI custom user screens during this phase. The DaRT Remote Control
component enables you to do this without being physically present at the location to which you are
deploying.
Note: MDOP 2015 is required to fully support Windows 10.
Before starting a build of the boot image in the Configuration Manager console, you must add the DaRT
components by using the following procedure:
1. Install DaRT 10 on the computer that is running the integrated MDT and Configuration Manager
console. In most cases, this is the site server.
2. Copy the DaRT Tools cabinet files to the MDT distribution folder. There are two sets of cabinet files.
There is one each for 32-bit and 64-bit architectures, respectively. The default location for these files
when DaRT is installed is C:\Program Files\Microsoft DaRT\v10. There are specific locations to which
you should copy them so that the boot image can incorporate them. Copy the Toolsx86.cab file to
C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86, and copy the
Toolsx64.cab file to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64.
After you integrate MDT 2013 Update 2 with Configuration Manager successfully, you will find a new
Create Boot Image using MDT menu option on the Boot Images ribbon of the Software Library
workspace. This item is also available on the context menu that appears when you right-click the Boot
Images node in the Software Library workspace. You then create a boot image by using the MDT 2013
Update 2 Wizard.
On the Components page of the wizard, you will see a Microsoft Diagnostics Recovery and Toolkit
(DaRT) check box. Selecting this check box includes DaRT in the boot image, and it allows you to connect
remotely to a deployment at the Windows PE deployment phase. To do this, after a deployment begins,
go to the MDT Deployment Workbench, and then expand and select the Monitoring node.
Right-click the deployment name found in the details pane, and then click the DaRT Remote Control
menu item. This opens a connection window to the computer that is deploying, and allows you to observe
and enter data that displays on the custom configuration screens. However, note that the DaRT Remote
Control only works during the Windows PE phase. After this phase is complete, the deployment reboots
the computer, and the process moves to the post-install phase. Because this phase does not run in
Windows PE, but rather in the context of the installed operating system, the remote control is no longer
available, so you can close the Remote Control window.
Again, by integrating MDT, you can monitor a deployment in real time. Aside from accessing the DaRT
Remote Control tool mentioned above, the MDT Deployment Workbench monitoring capabilities show
the deployment’s status, the current step of the deployment, the overall completion percentage, and the
elapsed time.
Question: What are the benefits of integrating MDT 2013 Update 2 with Configuration
Manager?
Question: To create a database for MDT 2013 Update 2, is it required to use MDT 2013
Update 2 with Configuration Manager?
Lesson 2
Integrating MDT with Configuration Manager
You must take several steps during deployment if you want to integrate MDT 2013 Update 2 and
Configuration Manager. In this lesson, you will examine how the integration of MDT and Configuration
Manager enables you to create and modify boot images, boot media, and MDT-related task sequences.
You will learn how to enhance operating system deployments by using UDI. You will also review the
CustomSettings.ini file, the UDI Designer, and the various ways that you can add the Configuration
Manager client to newly deployed systems.
Lesson Objectives
• Describe the MDT-integrated boot-disk options.
• Explain how to create an MDT-related task sequence.

• Describe how to customize the MDT configuration files.
• Describe the methods that are used to add a target computer to the site database.
• Describe UDI deployments.
• Explain how to create a UDI task sequence and customize the behavior of the UDI Wizard.
Overview of the MDT-integrated boot-disk options

Integrating MDT 2013 Update 2 and
Configuration Manager provides you with extra
options that you can use to add components and
features to a boot image. To access these options,
in the Configuration Manager console, within the
Software Library workspace, click Operating
Systems, click Boot Images, and then click
Create Boot Image using MDT. When you click
this option, a wizard called Create Boot Image
using MDT starts. You can use this wizard to
create an MDT boot image to start a deployment
process. The following are the various pages of
the Create Boot Image using MDT Wizard:
• Package Source. You can use the wizard’s first page to specify the package source directory that will
store the new boot image. Note that you must provide a Universal Naming Convention (UNC) share
name. However, you can browse directly to a lettered drive and folder, which will result in an error.
Therefore, you should not use a lettered drive; you should only use a UNC share. The deployment
finds the boot-image location through the network, and a drive letter is considered local rather than
from another computer. Additionally, there is a note stating that the Windows ADK must be installed
on the computer that is running this wizard, and that after you create the boot image, you will need
to distribute it manually to the distribution points before you can use it in a task sequence.
• General Settings. You can use this page to provide a name, version, and comment to the create boot
image. You must provide at least the name. However, it is a best practice to use the comments
section to spell out the purpose of the boot image and other pertinent facts that are related to it.
• Options. You can use this page to specify the platform or architecture of the boot image as either 32
bit (x86) or 64 bit (x64). This page also has a section to set the boot image’s scratch-space size (in
megabytes). MDT 2013 Update 2 with Configuration Manager uses Windows PE version 10, which can
set its scratch space dynamically. Therefore, you do not have to specify a scratch-space size setting.
Regardless of what you select, if there is at least 1 gigabyte (GB) of memory on the deployed
computer, Windows PE 10 will assign 512 megabytes (MB) of scratch space.
• Components. You can use this page to specify the optional Windows PE feature packs that you
might want to add to the boot image. Use this page to access the DaRT Remote Connection by
adding the DaRT feature pack. Note that DaRT will not appear in this list until you install it locally
and copy the cabinet files to the correct locations.
Additional Reading: For a complete list of the optional feature packages (Optional
Components) that you can add to Windows PE, refer to WinPE: Add packages (Optional
Components Reference): http://aka.ms/C6maq3.
• Customization. You can use this page to set prestart command settings. A prestart command is a
script or executable file that runs prior to the task sequence and allows possible interaction with a
user in Windows PE. You can accomplish several tasks by using a prestart command, such as
prompting a user for information or querying a task-sequence variable for information. For example,
you may want to prompt the installation technician to determine in which department to deploy the
operating system. You then can save that information as a variable and add task sequence steps, such
as adding specific software later for that department. The prestart command is run before the task
sequence policy downloads from the management point.
Additional Reading: For information on how to create a script to use for the prestart
command, distribute the content associated with the prestart command, or configure the prestart
command in media, refer to Prestart Commands for Task Sequence Media in Configuration
Manager: http://aka.ms/X8kzz4.
You also can use the Customization page to add additional files to the boot image and to use a
custom background bitmap file. You should store both in a UNC path, which you add to the text box
if you select these options. There is a check box named Enable command support (F8), which opens
an interactive command prompt that you can use for troubleshooting purposes. You can access it by
pressing the F8 key when starting the boot image. This option is selected by default.
• Summary. This page displays all the options that you have selected, and you can use the Previous
button to correct any issues that you find. Clicking the Next button will create a boot image. A
progress bar appears, and it can take several minutes to create the boot image. After this, the
Confirmation page displays the status of the completed wizard.
You now can further configure the boot image from its Properties sheet, which has 10 separate tabs with
settings that you can configure in each tab, including the:
• General and Customization tabs, which have the same functionality as the similarly named tabs in
the Create Boot Image using MDT Wizard.
• Content Locations tab, which shows the distribution point or distribution point groups to which the
boot image deploys.
• Data Access tab, which you can use to configure how the boot image is stored on the distribution
points.
• Data Source tab, which you can use to specify the Windows image file that holds the boot image.
This tab provides several options for configuring deployment settings, including the ability to use
binary differential replication and deploy from a Pre-Boot EXecution Environment (PXE)-enabled
distribution point. You also can schedule distribution point updates in the Data Source tab.
• Distribution Settings tab, which you can use to set a distribution priority to the boot image and set
preferred distribution points. You also can use this tab to specify the behavior that occurs when you
enable a distribution point for prestaged content, which is either automatically downloading content,
downloading changes only, or manually copying the boot image to the distribution point.
• Drivers tab, which you can use to add driver packages to the boot image. This is often necessary,
especially when you acquire new equipment. You can use the Optional Components tab to see the
components previously selected during the wizard, or even add components at this time.
• Images tab, which lists various property values. If you change these values by using an external tool,
you can reload the property values here.
• Security tab, which you can use to specify administrative users and their permissions for the boot
image.
Creating an MDT-related task sequence

To verify MDT 2013 Update 2 integration with
Configuration Manager, open the Configuration
Manager console, in the Software Library
workspace, expand Operating Systems, and then
right-click the Task Sequence node. You should
see a new item in the list called Create MDT Task
Sequence, which confirms that the integration
was successful. When you select Create MDT
Task Sequence, the Create MDT Task Sequence
Wizard opens. This is a complex wizard with
numerous pages from which you can perform
different actions, cause functions to run, or apply
settings. The following are the pages in this wizard:
• The Choose Template page, which includes a drop-down list of five predefined templates that you
can use for the task sequence that you are creating. Note that when you create a task sequence
directly with Configuration Manager, rather than using the MDT integrated wizard, you do not have
access to any task sequence templates. When you use MDT 2013 Update 2 independent of the
Deployment Workbench, there are nine templates available. However, in the Create MDT Task
Sequence Wizard, there are five task sequence templates available. They are:
o Client Task Sequence
o Client Replace Task Sequence
o Microsoft Deployment Custom Task Sequence
o Server Task Sequence
o User Driven Installation Replace Task Sequence

You should create task sequences using one of the above MDT task sequence templates. You could
create the task sequence manually, but we do not recommend this.
• The General page, which you can use to set the task sequence name (required) and any comments
that describe it. You can add a detailed comment, because these comments can help you or other
administrators understand what the task sequence does.
• The Details page, which you can use to join a workgroup or a domain, set the account to do so,
specify the user and organization name (required), and add the product key. You can also choose to
leave the built-in administrator account disabled (recommended) or enable it and specify the
password.
• The Capture Settings page, which you can use to configure the task sequence to either capture or
not capture an image. The default is to not capture an image. If you choose to capture an image, you
can set the destination for the captured image file and the account that has permissions to do so.
• The Boot Image page, in which you can specify the boot image to use, such as the one created with
the Create Boot Image using MDT Wizard, or you can specify a new boot image package, which you
must create. Similar to the pages in the Create Boot Image using MDT Wizard, the Boot Image page
contains several subpages, including General settings, Options, Components, and Customization.
Note that the Windows 10 ADK must be installed on the machine running the wizard to create new
boot image package. Also note that you must provide a specific boot image or create one before you
click Next on this page.
• The MDT Package page, which has a default option called Specify an existing Microsoft
Deployment Toolkit Files package. You must use the Browse button to select this package. The
first time you create an MDT task sequence, you are required to select the Create a new Microsoft
Deployment Toolkit Files package, which can be used by subsequent MDT Task sequences. You
must supply a UNC share name for the package source folder. This takes you to a MDT Details page,
in which you can input the name (required) and other details about the package that you are
creating. If you choose the default action, which is Specify an existing Microsoft Deployment
Toolkit Files package to use, the next main page will appear.
• The OS Image page, which provides several choices. You can use an existing .wim file or install one
from an original source media file, such as an installation DVD. The default choice is Specify an
existing OS image, and you can use the Browse button to select one (required). If none are
available, which is possible if you have not created one yet, you can choose the Create a new OS
image option instead. With this option, you can specify the .wim file location, and the package source
folder to which you want to copy it. You also can choose the options to use an existing installation
package or create a new operating system installation package, which often is on installation media.
Operating system installation image files are files from an installation source, whereas operating
system image files are .wim files without the associated setup files found in installation media. If you
select one of these create options, the Image Details and Install Source pages will be shown. On
these pages, you supply an image name (required), version, and comments. Instead of creating a new
one, if you select an existing operating image or operating system install image with more than one
index, the OS Image Index page opens. On this page, you can select the index number from the
.wim file that you are using.
• The Deployment Method page, which provides two choices, Perform a Zero Touch Installation
with no user interaction or Perform a User-Driven Installation. The ZTI option is selected by
default. If you choose the UDI option, a wizard will run at the beginning of the operating system
deployment that enables you to choose various installation options.
After you select the deployment method, several package pages display, each with a different type of
package. In each of these pages, you can choose a package that already exists or you can create a new
one. The following list describes the available package pages:
• The Client Package page, which you can use to specify the Configuration Manager client package.
You can specify an existing package, which provides choices that are identical to the MDT Package
page above. Alternatively, you can create a new Configuration Manager client package.
• The USMT Package page, which provides choices that are similar to the Client Package page, except
that you can specify an existing User State Migration Tool (USMT) package or create a new one. If you
select Create a new USMT package, you must specify the package source directory that will store
the new USMT package. Note that you must provide a UNC share name. If a new USMT package is
created, the USMT Details page opens and lets you specify the name, version, and other details
about the package.
• The Settings Package page, which you can use to specify the settings package. The settings package
will include two files, CustomSettings.ini and Unattend.xml. The first time you create an MDT task
sequence, you are required to select Create a new Settings package, which can be used by
subsequent MDT task sequences. You must supply a UNC share name for the package source folder.
If a new settings package is created, the Settings Details page opens and lets you specify the name,
version, and other details about the package.
• The Sysprep Package page, which does not provide any choices. It just states “No Sysprep page is
required.” The System Preparation Tool (Sysprep) is required only when you are capturing a Windows
XP or Windows Server 2003 image. However, these operating systems are no longer supported.
• The Summary page, which displays all of the options that you have selected. You can use the
Previous button to correct any issues that you see here. Clicking the Next button starts the creation
of the task sequence. A progress bar appears, and it can take several minutes for the task sequence to
create, because an operating system image also might be created.
• The Confirmation page, which displays the status of the completed wizard.
Customizing MDT configuration files

MDT uses two configuration files, Bootstrap.ini
and CustomSettings.ini. Both reside initially in the
Control folder of the deployment share. When
modified for use, these files are stored in the
source location of the applicable settings package.
You modify them in the source location rather
than the initial location. You can read and modify
both files from within the MDT Deployment
Workbench by going to the deployment share’s
properties and selecting the Rules tab. Both files
are typical .ini files that have various headings in
square brackets, followed by a list of properties
and values separated by an equal sign.
Editing task sequences to perform CustomSettings.ini modifications

You can apply certain settings based on the task sequence ID that you select, either at startup or by
specifying it in the LiteTouch.vbs script. However, issues can result because of which the proper
CustomSettings.ini file mignt not be parsed correctly. Suppose you had two task sequences, one with the
ID of CAPTURE-W10 and the other with an ID of INSTALL-W10. The first performs the installation by using
the Standard Client Task Sequence, and the second captures a prebuilt workstation by using the Sysprep
and Capture task sequence.
The corresponding CustomSettings.ini file appears as follows.
The CustomSettings.ini file
[Settings]
Priority=TaskSequenceID, Default
Properties=MyCustomProperty
[Default]
OSInstall=Y
SkipTaskSequence=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipUserData=YES
SkipDomainMembership=NO
SkipLocaleSelection=YES
SkipTimeZone=YES
TimeZoneName=GMT Standard Time
UILanguage=en-us
UserLocale=en-us
OrgName=Adatum
_SMSTSOrgName=S01
_SMSTSPackageName=%TaskSequenceName% on %OSDComputerName%
[INSTALL-W10]
DoCapture=NO
SkipCapture=YES
JoinDomain=adatum.com
DomainAdmin=Administrator
DomainAdminDomain=adatum.com
DomainAdminPassword=Pa$$w0rd
MachineObjectOU=ou=LondonClients,dc=adatum,dc=com
[CAPTURE-W10]
SkipCapture=NO
DoCapture=YES
You might expect that when you select your task sequence, it loads the settings for that task sequence
prior to execution. However, in this scenario, you do not want a Sysprep and Capture task to join the
domain. Therefore, you also want the task sequence to actually perform the sysprep and capture.
Conversely, if you perform the Standard Client Task Sequence task, you want the task sequence to join
the domain, but not attempt to capture the system.
The issue becomes apparent when you run the CAPTURE-W10 ID, because it first reads the settings for the
task sequence and then reads the default settings. However, when you select the task, either at start up or
by using the LiteTouch.vbs file, it does not reload the CustomSettings.ini. Instead, it applies only the
default settings.
To ensure the CustomSettings.ini file processes completely, modify the DeployWiz_SelectTS.vbs script in
your Deployment Share\Scripts folder, and then modify your CustomSettings.ini file. The modification to
the DeployWiz_SelectTS.vbs script causes MDT to run ZTIGather.wsf again. This forces MDT to parse the
CustomSettings.ini again and load the task sequence. You can make several changes to the
DeployWiz_SelectTS.vbs script, specifically in the ValidateTSList function.
Find the line containing Dim sTemplate, and then add the following two lines after it, as shown below.
Dim sTemplate
Dim sCmd
Set Oshell = createObject("Wscript.shell")
Then find the line that contains the following.
oLogging.CreateEntry "DeploymentType = " & oProperties("DeploymentType"), LogTypeInfo.

Add the following two lines after it, as follows:
oLogging.CreateEntry "DeploymentType = " & oProperties("DeploymentType"), LogTypeInfo
sCmd = "wscript.exe """ & oUtility.ScriptDir & "\ZTIGather.wsf"""
oItem = oSHell.Run(sCmd, , true)
When you perform a ZTI by using Configuration Manager, the Deployment Workbench uses a template
version of the CustomSettings.ini file as a basis for a customized version of CustomSettings.ini.
The following is the template version of the CustomSettings.ini file.
[Settings]
Priority=Default
[Default]
OSInstall=Y
ScanStateArgs=/v:5 /o /c
LoadStateArgs=/v:5 /c /lac
This template does not contain sufficient settings to deploy Windows successfully to a target computer.
However, you can customize the file further by using the Deployment Workbench. The Create MDT Task
Sequence Wizard copies an unmodified version of the CustomSettings.ini template. Modify this version of
the CustomSettings.ini file to include the target computer-specific configuration values. After you modify
the file, update the distribution points for the Microsoft Deployment Files package so that the changes are
available to the task sequences, by using the following procedure:
1. On the taskbar, click Microsoft System Center Configuration Manager Console.

2. In the Configuration Manager console, in the navigation pane, click Software Library.
3. In the Software Library workspace, go to Overview/Operating Systems/Task Sequences.
4. Click the Task Sequence tab. Right-click the task sequence that you wish to change, and then click
Properties.
5. If the task you are modifying is a Standard Client Task, you must modify the Gather Local Only
action, which resides in the Initialization section. Change the action from Gather Only Local Data to
Gather Local Data And Process Rules.
6. In the text box immediately below that setting, enter the following:
%DeployRoot%\Control\CustomSettings.ini.
7. Apply the setting, and then click OK.

Adding the target computer to the site database
By default, Configuration Manager will only

interact with known computers. Therefore, if you
want to deploy an operating system to a
computer that is not known by Configuration
Manager, additional configuration is needed.
You will have to add that computer to the
Configuration Manager database by using the
Import Computer Information Wizard or use the
unknown computers support.
A computer is considered unknown by

Configuration Manager if:
• The computer does not have Configuration

Manager client installed on it.
• The computer is not imported into the site database.
• The computer has not been discovered by Configuration Manager.
Import computer information

The Import Computer Information Wizard lets you import information, either for a single computer or for
multiple computers, by using an import file. You must create the import file in the CSV format before you
run the Import Computer Information Wizard.
The file must include the computer name, SMBIOS GUID (12 hex characters), or media access control
(MAC) address (32 hex characters) with each value separated by a comma.
The following is a sample import file:
LON-CL6,11111111-1111-1111-1111-111111111116,25:12:15:A0:B9:A1
LON-CL7,11111111-1111-1111-1111-111111111117,25:12:15:A0:B9:A2
LON-CL8,11111111-1111-1111-1111-111111111118,25:12:15:A0:B9:A3
LON-CL9,11111111-1111-1111-1111-111111111119,25:12:15:A0:B9:A4
LON-CL10,11111111-1111-1111-1111-111111111110,25:12:15:A0:B9:A5
The following table describes the pages and settings within the Import Computer Information Wizard.
Page Description
Select Source On this page, you can select Import computers using a
file to specify a file that contains the computer
information to import. You can select Import a single
computer to specify information related to that one
computer.
Single Computer On this page, you can specify the computer name, MAC
address, and/or SMBIOS GUID. Optionally, you can
create a computer association by entering a name of a
reference computer from which the user state and
settings will be migrated to the new computer.
Data Preview On this page, you can review the computer information.
Page Description
Choose Target Collection On this page, you can add new computers to an existing
Configuration Manager collection. You can choose either
Add new computers only to the All Systems
collection or Add computers to the following
collection. If you choose Add computers to the
following collection, the computer is added to the
collection that you choose and to the All Systems
collection.
Summary On this page, you can review the import settings.
Unknown computer support

Another option when dealing with unknown computers is to use the unknown computer support. Because
Configuration Manager database has no records about an unknown computer, prior to the deployment of
a task sequence, you must configure the following:
• You must deploy the task sequence to the All Unknown Computers collection.
• You must enable unknown computer support for your PXE-enabled distribution point or media.
Two unknown computer objects, one for 32-bit (x86) computers and the other for 64-bit (x64) computers,
are located in the All Unknown Computers collection. These objects are not real computers, but instead
serve as placeholders that Configuration Manager uses as targets for the deployment.
When an unknown computer boots, Configuration Manager recognizes it as an un-provisioned computer,

and not as an unknown discovered computer. The computer receives the task sequences deployed to the
All Unknown Computers collection, which installs an operating system together with the Configuration
Manager client. A record for the computer, including the real MAC address, is created in the appropriate
collection. In case the deployment fails before the operating system and the Configuration Manager client
are installed, a record named Unknown will be created for the computer in the All Systems collection.
To enable unknown computer support, perform the following steps in the Configuration Manager
console:
1. Select the Administration workspace, and then expand Site Configuration. Click the Servers and
Site System Roles node.
2. In the details pane, select the PXE-enabled distribution point, and in the preview, right-click
Distribution point, and then select Properties.
3. In the Distribution Point Properties dialog box, click the PXE tab, and then select Enable unknown
computer support. In the Configuration Manager dialog box, click OK.
To enable unknown computer support for bootable or prestaged media, perform the following steps in
the Configuration Manager console:
1. Select the Software Library workspace, and then expand Operating Systems.
2. Right-click the Task Sequence node, and then select Create Task Sequence Media.
3. In the Create Task Sequence Media Wizard, select either Bootable Media or Prestaged Media.
4. On the Security page, ensure that Enable unknown computer support is selected. Generally, it is
selected by default. Proceed through the rest of the wizard by making appropriate choices.
Demonstration: Importing computers by using the Import Computer

Information Wizard
In this demonstration, you will learn how to:
• Import a single computer by using the Import Computer Information Wizard.
• Create a .csv file containing multiple computers.
• Import multiple computers by using the .csv file.
Demonstration Steps
2. In the Assets and Compliance workspace, right-click the Devices node, and select Import
Computer Information.
3. On the Select Source page, select Import single computer, and click Next.
4. On the Single Computer page, use LON-CL12 as the computer name and 112233AABBCC as the
MAC address. Click Next.
5. On the Data Preview page, click Next.
6. On the Choose Target Collection page, select Add computers to the following collection, click
Browse, and then select All Workstations. Click OK and Next.
9. Update the membership for the All Systems collection.
10. Wait 20 seconds, and then refresh the All Systems collection.
11. Repeat the last two steps for the All Workstations collection.
12. When the Member count column changes to 1, view the members of the All Workstations
collection. You should now see the computer you have added.
13. Open Notepad and create a file with the following information. Save it as Computers.csv:
o LON-CL6,25:12:15:A0:B9:A1
o LON-CL7,25:12:15:A0:B9:A2
o LON-CL8,25:12:15:A0:B9:A3
o LON-CL9,25:12:15:A0:B9:A4
o LON-CL10,25:12:15:A0:B9:A5
Each entry must be on a separate line.

14. Click the Assets and Compliance workspace, and run the Import Computer Information Wizard.
15. On the Select Source page, select Import computers using a file, and then click Next.
16. On the Choose Mapping page, click Browse, and then select the Computers.csv file.
17. In the File preview section, verify that Column1 is Assign As Name. Click Column2 and assign it as
MAC address. Then, click Next.
18. On the Data Preview page, click Next.

19. On the Choose Target Collection page, select Add computers to the following collection, click
Browse, and select the All Workstations collection. Click OK, and then click Next.
22. Click the Device Collections node, and update the membership of the All Systems collection.
23. Wait 20 seconds, and then refresh the All Systems collection.
24. Repeat the last two steps for the All Workstations collection.
25. When the Member count column changes to 6, see the members for the All Workstations
collection. You should see the computers you have imported.
Introduction to UDI deployments

UDI is a part of MDT 2013 Update 2 and is
installed when you integrate MDT 2013 Update 2
with Configuration Manager.
UDI is a solution that empowers the end user to

customize and control various settings associated
with an operating system deployment, and then
drives the installation. You can configure end-user
interaction by using the UDI Wizard, which is
displayed to the end user before the actual
deployment starts. Furthermore, you can
customize the UDI Wizard to meet the business'
needs.
The following settings can be configured through UDI:
• Computer Name
• Domain information
• OU information
• Language Settings and Language packs

• Bitlocker
• Applications to install
UDI in MDT 2013 Update 2 supports all the common operating system deployment scenarios that you
typically use in enterprises. The three supported deployment scenarios are:
• New Computer. Use for deploying a new computer (bare-metal) that does not have an operating
system installed.
• Refresh. Use for redeploying an existing computer. This scenario performs a clean setup, but keeps
files and settings. However, it does not retain apps.
• Replace. This is similar to the Refresh scenario, except that you deploy to a new computer, and use
the USMT to pull and replace user information from the old computer to the new computer.
Even though UDI is designed with the end user in mind, technicians or IT supporters can also use it when
deploying operating systems, and it could even replace your old custom HTML Applications (HTAs) and
front-end GUIs. Furthermore, it provides an easy-to-use interface for people who want to be prompted
for a computer name during a deployment to a bare-metal machine.
Working with UDI deployments

To create a UDI task sequence, you must ensure
that the following requirements are met:
• Install MDT 2013 Update 2 on the

Configuration Manager Site Server.
• MDT 2013 Update 2 is integrated with

Configuration Manager by running the
Configure ConfigMgr integration application.
Note: Please refer to the demonstration task

Install MDT 2013 Update 2 and run the
ConfigMgr Integration covered in the
demonstration in the first lesson of this module on how to do this.
• Create MDT 2013 Update 2 boot images, one for x86 and one for x64. You must distribute these to
the distribution point by running the Distribute Content Wizard in the Software Library workspace,
from within the Configuration Manager console.
• Create an MDT 2013 Update 2 task sequence by running the Create MDT Task Sequence Wizard in
the Software Library workspace.
Note: Refer to the topic Creating an MDT-Related task sequence earlier in this module
for guidance on how to do this.
On the Deployment Method page of the Create MDT Task Sequence Wizard, you must select Perform a
User Driven Installation to activate the UDI Wizard in the task sequence. The wizard automatically sets
the task sequence variable SkipWizard to NO in the Set Variable for Wizard task-sequence steps.
UDI Wizard Designer

The UDI Wizard Designer is a powerful tool that you can use to customize the behavior of the UDI Wizard.
You can use it to create custom pages and tailor the default pages that an end user or technician sees and
interacts with immediately prior to the deployment or after the deployment has finished.
You can extend the built-in functionality that UDI provides by developing your own custom page editors
by using programming languages such as C#, C++, or Microsoft Visual Basic .NET.
Reference Links: For more information about UDI development, refer to User Driven
Installation – Developers Guide: http://aka.ms/Ywvmct.
The UDI Wizard Designer is added when you install MDT 2013 Update 2. The first time that you run the
UDI Wizard Designer, you can create a new default configuration that you can modify. You can drag and
drop pages from the page library onto the Flow Designer for stage groups, stages, and pages. A stage
group is a collection of wizard pages that users see when performing a particular deployment. By default,
there are three stage groups that reflect the most common MDT deployment scenarios:
• New Computer. Use for deploying a new computer that does not have an operating system.
• Refresh. Use for redeploying an existing computer. This scenario performs a clean setup, but keeps
files and settings. However, it does not retain apps.
• Replace. This is similar to the Refresh scenario, except that you deploy to a new computer, and use
the USMT to pull and replace user information from the old computer to the new computer.
You can use the UDI Wizard Designer to modify the stage groups by adding pages from the page library,
which enables you to provide more choices for your users who are receiving a deployment. There are
pages to add apps and languages, configure BitLocker, add reboots, and other customizations. Note that
the UDI Wizard Designer is a supplement to UDI. You still create task sequences to perform the
deployment, but the UDI Wizard Designer lets you modify user interactions that you have put into the
deployment, and it requires user responses.
UDI Wizard configuration

The UDI Wizard Designer saves most of its information in the UDIWizard_Config.xml file. The application
specific information is saved in the UDIWizard_Config.app.xml file. These files can be found in the Script
folder in the source location of the MDT toolkit package.
By default, the UDI task sequence templates look for the UDIWizard_Config.xml file to load their
configuration. You can change the name of this file to anything you choose, as you long as you modify
the UDI Wizard task sequence steps with the definition of the new file name.
Find the UDI Wizard task sequence steps in the task sequence and append the following code marked in
bold below in the Command Prompt window.
Configure the UDI Wizard to use a configuration file with a non-default name
cscript.exe "%DeployRoot%\Scripts\UDIWizard.wsf"
/definition:NameOfUDIWizardConfigFile.xml
Customizing the CustomSettings.ini file for UDI

The UDI Wizard uses many predefined variables, which are read or set when the wizard runs. These
variables can be preset through the CustomSettings.ini file so that the end user or technician does not
have to input all the values. This can be especially useful when joining a domain because the end user or
technician might not know the account and password, or you might not want those individuals to know
the password because of security implications.
To predefine the Domain Joining Account and password, you can edit the CustomSettings.ini file, which
you can find in the source location of the MDT toolkit package. You can edit the file by adding to it the
following lines that are marked in bold.
UDI CustomSettings.ini settings

[Settings]
Priority=Default
[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=NO
SkipProductKey=YES
OSDDiskPart=TRUE
OSDJoinAccount=DOMAIN\DomainJoinAccount
OSDJoinPassword=DomainJoinAccountPassword
The custom settings package needs to be updated on the distribution point whenever a change is made
to the files. Any failure to do so will result in the task sequence using the old copy of the files.
Question: What is the name of the variable used to automate the selection of full format of
the target machine’s hard disk? What value would you assign to it to enable this?
Question: How can you add a computer to the Configuration Manager database?
Question: Which file do you use to control the behavior of MDT?
Question: What is the name of the file in which the UDI Wizard Designer saves most of its
information?
Lab A: Integrating MDT and Configuration Manager for

Scenario
A. Datum Corporation wants to use MDT and Configuration Manager to take advantage of the extra
functionality that this integration provides. You are the administrator, and you need to test the
integration. You will run the integration wizard, and use the MDT wizards to configure the task sequences.
You then will test the task sequence by upgrading an existing computer on the network to Windows 10.
Objectives
• Integrate MDT and Configuration Manager.
• Create an MDT boot disk.
• Create and deploy an MDT-related task sequence with Configuration Manager.
Lab Setup
Virtual machines: 20695C-LON-DC1, 20695C-LON-CFG, 20695C-LON-CL3

Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 20695C-LON-CFG and 20695C-LON-CL3.
Exercise 1: Integrating MDT and Configuration Manager

Scenario
Before you integrate MDT with Configuration Manager, you decide to prepare a target computer for an
MDT-integrated Configuration Manager deployment, and then create an account to join the new
operating system to the domain. After performing these tasks, you plan to install and integrate MDT 2013
Update 2 with Configuration Manager.
1. Prepare LON-CL3 for capturing user data.
2. Create a domain join account and set permissions.

3. View the default Configuration Manager console items.
4. Install MDT.
5. Run the integration wizard to integrate MDT.
6. Configure monitoring for the Deployment Workbench console.
7. Verify the MDT integration in Configuration Manager.
8. Configure the client settings.
9. Configure the network access account.
 Task 1: Prepare LON-CL3 for capturing user data

1. On LON-CL3, copy the cmtrace.exe tool from \\LON-CFG\C$\Program Files\Microsoft
Configuration Manager\tools\, paste it onto the LON-CL3 desktop, and then run it to set it as
the default for log files.
2. On the LON-CL3 desktop, create a folder named Projects and a shortcut for C:\Windows
\notepad.exe named Notepad.
3. Copy the file C:\Windows\CCM\Logs\CcmExec.log, and then paste it into the Projects folder.
4. Shut down LON-CL3. Do not revert it because you will use it in Exercise 3.
 Task 2: Create a domain join account and set permissions

1. On LON-DC1, open Active Directory User and Computers, create a new user account in the Users
container named CMDomainJoin for the full name and User Logon name, and use the password
Pa$$w0rd. Clear the User must change password at next logon check box.
2. Run Windows PowerShell as Administrator, and type the following cmdlets, pressing Enter after
each one:
Set-ExecutionPolicy –ExecutionPolicy RemoteSigned –Force

Set-Location –Path E:\Labfiles\Scripts
.\Set-OUPermissions.ps1 –Account CMDomainJoin –TargetOU “OU=London Clients”
 Task 3: View the default Configuration Manager console items

2. In the Software Library workspace, expand Operating Systems, and then right-click Task
Sequences. You should see the following items in the list:
o Create Task Sequence
o Create Task Sequence Media
o Import Task Sequence
o Folder
 Task 4: Install MDT

1. On LON-CFG, close the Configuration Manager console.
2. Open File Explorer, and then browse to E:\Software\MDT2013.
3. Install MicrosoftDeploymentToolkit2013_x64.msi. Select the default options on all the pages of

the installation wizard.
 Task 5: Run the integration wizard to integrate MDT

1. On LON-CFG, click to the Apps page, and then run the Configure ConfigMgr Integration app as an
Administrator.
2. Accept all defaults for the installation wizard, ensuring the following values for the settings:
o Site code: S01
 Task 6: Configure monitoring for the Deployment Workbench console

1. On LON-CFG, on the Apps page, run the Deployment Workbench app by clicking it.
2. In the Deployment Workbench console, create a new deployment folder and share in
E:\DeploymentSource by right-clicking Deployment Shares. Name the deployment folder
DeploymentSource$, and then accept all the other default options in the New Deployment
Share Wizard.
3. In the properties of the MDT Deployment Share, in the Monitoring tab, enable monitoring.
4. Close Deployment Workbench.
 Task 7: Verify the MDT integration in Configuration Manager

1. Open the Configuration Manager console.
2. In the Software Library workspace, expand Operating Systems, and then right-click Task
Sequences. You should see a new Create MDT Task Sequence item in the list.
 Task 8: Configure the client settings

1. In the Configuration Manager console, click the Administration workspace, and then click Client
Settings.
2. Open the properties window of Default Client Settings.
3. On the Computer Agent node, change the Organization name displayed in Software Center to
Adatum.
 Task 9: Configure the network access account

Configuration, and then click Sites.
2. Right-click S01 – Adatum Site, click Configure Site Components, and then click Software
Distribution.
3. On the Network Access Account tab, configure the ADATUM\NetworkAccess user account (select
New Account) and the password Pa$$w0rd as the network access account. Use the Verify option to
verify that the account can connect to the \\LON-DC1\sysvol network share.
Results: After completing this exercise, you should have installed MDT and integrated it with
Exercise 2: Creating an MDT boot image

Scenario
You now plan to create an MDT boot image to test the MDT integration with Configuration Manager. You
also decide to integrate DaRT 10 into the MDT boot image to enable remote deployment management.
1. Install DaRT 10, and copy the cabinet files to the appropriate location.
2. Run the Create Boot Image using MDT Wizard to create a customized MDT boot image.
3. Create an operating-system image.
4. Add drivers for Windows PE 5.0.
 Task 1: Install DaRT 10, and copy the cabinet files to the appropriate location
1. On LON-CFG, open File Explorer, and then navigate to \\LON-DC1\Labfiles\DaRT\x64.
2. Right-click MSDaRT100.msi, and then choose Install. Complete the wizard by using the default
settings, as follows:
a. On the Welcome to the Microsoft DaRT 10 Setup Wizard page, click Next.
b. On the End-User License Agreement page, click I Agree.
c. On the Microsoft Update page, click I don’t want to use Microsoft Update, and then
click Next.
d. On the Select Installation Folder page, click Next.
e. On the Setup Options page, click Next.
f. On the Ready to Install page, click Install.
g. After you receive the message You have successfully completed the Microsoft DaRT 10
Setup Wizard, click Finish.
3. Using File Explorer, go to the C:\Program Files\Microsoft DaRT\v10 folder, and then copy the
Toolsx64.cab file to the C:\Program Files\Microsoft Deployment Toolkit\Templates
\Distribution\Tools\x64 folder.
4. Using File Explorer, go to the C:\Program Files\Microsoft DaRT\v10 folder. Copy the Toolsx86.cab
file to the C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86
folder.
5. Close File Explorer.
 Task 2: Run the Create Boot Image using MDT Wizard to create a customized MDT
boot image
1. On LON-CFG, create a folder named CMSources on the E drive, and share it with Authenticated
Users and give full control.
2. Create the following subfolders in the CMSources folder: OSD and Software.
3. Create the following subfolders in the OSD folder:
o OSD\BootImages
o OSD\DriverPackages
o OSD\DriverSources
o OSD\MDT 2013
o OSD\OSImages
o OSD\MDTSettings
4. In the Software folder, create a subfolder named Microsoft. Finally, in the OSD\BootImages folder,
create the following subfolders: WinPE10x64 and WinPE10x64-MDT.
5. In the Configuration Manager console, under the Software Library workspace, in the Operating
Systems\Boot Images node, right-click Boot Images, and then select Create Boot Image using
MDT.
6. Complete the Create Boot Image using MDT Wizard with the following values:
a. Package source folder to be created (UNC path): \\LON-CFG\CMSources\OSD\BootImages

\WinPE10x64-MDT
b. Name: Lab10 MDT Boot Image
c. Comments: MDT Boot Image for Lab 10
d. Options: x64 and Scratch Space: 512 MB
e. Components: Windows PowerShell and Microsoft Diagnostics and Recovery Toolkit (DaRT)
Note: This step will take approximately 8 to 10 minutes to complete.
7. Use the Distribute Content Wizard to distribute the Lab10 MDT Boot Image to the LON-CFG
distribution point, ensuring that the Lab10 MDT Boot Image Content Status circle is green.
8. Enable the Deploy this boot image from the PXE-enabled distribution point found in the Data
Source tab of Lab10 Boot Image properties.
After a few minutes, observe the new folder named for the Image ID of Lab10 MDT Boot Image
created in the C:\SMSPKGSIG\ folder.
 Task 3: Create an operating-system image

1. In File Explorer, copy the E:\Sources\install.wim file into the E:\CMSources\OSD\OSimages folder.
2. Rename install.wim to Win10TH2Entx64-Eval.wim.
3. In Configuration Manager, in the Software Library workspace, go to the Operating Systems

\Operating System Images node, right-click Operating System Images, and then click Add
Operating System Image.
4. Complete the Add Operating System Image Wizard with the following values:
a. On the Data Source page, specify the path as \\LON-CFG\CMSources\OSD\OSImages

\Win10TH2Entx64-Eval.wim.
b. On the General page, specify the name as Win10Ent x64 Eval.
5. Use the Distribute Content Wizard to distribute Win10 x64 Eval to the LON-CFG distribution point,
ensuring that the Win10Ent x64 Eval Content Status is successful. It might take several minutes.
Click Refresh on the ribbon to update the status.
 Task 4: Add drivers for Windows PE 5.0

1. Using File Explorer, copy the content of the E:\Software\Drivers folder to the E:\CMSources\OSD
\DriverSources folder.
2. In the Configuration Manager console, in the Software Library workspace, right-click the Drivers
node, and then select Import Driver.
3. In the Import New Driver Wizard, accept all the default values except the following:
a. For Import all drivers in the following network path (UNC), specify \\LON-CFG\CMSources
\OSD\DriverSources\HyperVx64.
b. On the Specify the details for the imported driver page, clear Hide drivers that are not
digitally signed, and then create a category named Hyper-V Drivers.
Results: After completing this exercise, you should have created the MDT boot image.
Exercise 3: Creating and deploying an MDT task sequence by using

Scenario
You now decide to create an MDT task sequence in Configuration Manager, and then test the
deployment to a collection that contains the target computer.
1. Use the MDT Task Sequence Wizard to create an MDT task sequence that will upgrade an existing
network computer.
2. Edit the new task sequence and distribute content.
3. Create a collection for LON-CL3.
4. Deploy the new task sequence to upgrade an existing computer to Windows 10.
5. Start the computer upgrade.
 Task 1: Use the MDT Task Sequence Wizard to create an MDT task sequence that will
upgrade an existing network computer
1. In the Configuration Manager console, select the Software Library workspace, and then navigate to
the Operating Systems\Task Sequences node.
2. Right-click Task Sequences, and then select Create MDT Task Sequence.
3. The Create MDT Task Sequence Wizard opens. Complete the pages on the wizard as follows:
a. On the Choose Template page, select Client Task Sequence.
b. On the General page, in the Name text box, enter MDT Client Upgrade.
c. In the Task sequence comments text box, enter MDT Task Sequence to upgrade a Windows
7 client to Windows 10 with migrated user state.
d. On the Details page, select Join a Domain, and enter Adatum.com as the Domain Name.
e. Click Set, and in the For the user name text box, enter adatum\CMDomainJoin, with the
password Pa$$w0rd.
f. In the Organizational name text box, enter Adatum.
g. On the Capture Settings page, accept the default (no capture).
h. On the Boot Image page, in Specify an existing boot image package, click Browse, and then
enter Lab10 Boot Image en-US.
i. On the MDT Package page, in the Create a new Microsoft Deployment Toolkit Files
package, Package source folder to be created (UNC Path) text box, enter \\LON-CFG
\CMSources\OSD\MDT 2013.
j. On the MDT Details page, in the Name text box, enter MDT 2013 Update 2 Toolkit.
k. On the OS Image page, in Specify an existing OS image, click Browse and then in Select a
Package, select Win10Ent x64 Eval en-US.
l. On the Deployment Method page, select Perform a “Zero Touch Installation” OS

deployment, with no user interaction.
m. On the Client Package page, in the Specify an existing ConfigMgr client package text box,
click Browse and in Select a Package, select Microsoft Corporation Configuration Manager
Client Package.
n. On the USMT Package page, in the Specify an existing USMT package text box, click Browse,
and then in Select a Package, select Microsoft Corporation User State Migration Tool for
Windows 8 10.0.10240.16384.
o. On the Settings Package page, in the Create a new settings package section, under Package
source folder to be created (UNC Path), enter \\LON-CFG\CMSources\OSD\MDTSettings.
p. On the Settings Details page, in the Name text box, enter Windows 10 x64 Settings.
q. On the Sysprep Package page, accept the default (no Sysprep).
r. Click Next on the Summary page, and then, when complete, click Finish.
 Task 2: Edit the new task sequence and distribute content

1. In the details pane of the Configuration Manager console, in the Software Library workspace, under
the Operating Systems\Task Sequences node, right-click MDT Client Upgrade, and then select
Edit.
The MDT Client Upgrade Task Sequence Editor will appear.
2. In the Initialization group, select the first Format and Partition Disk (UEFI) action, and then in the
Volume list, delete the first three volumes.
3. Repeat the same action, but this time, do this for the Format and Partition Disk (UEFI) step that you
find in the Script does not exist or no partitions group.
4. Click Capture User State, and then note the Properties pane of the Capture User State step. Ensure
Capture all user profiles by using standard options is selected, and then select Enable verbose
logging. Ensure that Copy by using file system access is selected and that Continue if some files
cannot be captured is selected.
5. In the PostInstall group, select Apply Windows Settings, select Enable the account and specify
the local administrator, and then type Pa$$w0rd in the Password and Confirm Password text
boxes.
6. In the PostInstall group, select Apply Network Settings, and then configure the Domain OU value
to use the Adatum/London Clients organizational unit (OU). You can browse for values.
7. Click OK.
8. Use the Distribute Content Wizard to distribute the MDT Client Upgrade task sequence to the
LON-CFG distribution point.
 Task 3: Create a collection for LON-CL3

1. In the Configuration Manager console, in the Assets and Compliance workspace, right-click Device
Collections, and then click Create Device Collection.
2. In the Create Device Collection Wizard, select the following settings:
o Name: Clients to Upgrade
o Comment: Clients that are scheduled to be Upgraded via the MDT Client Upgrade task
sequence.
o Select Collection: All Systems
o Create a membership rule that adds a direct rule that has the following properties:
 Resource class: System Resource
 Attribute name: Name (both of these are the defaults)
 Value: LON-CL3
3. In Device Collections, right-click All Unknown Computers, and then select Properties.
4. On the Collection Variables tab, create a new variable with the following settings:
o Name: OSDComputerName
o Clear the Do not display this value in the Configuration Manager console check box.
 Task 4: Deploy the new task sequence to upgrade an existing computer to

Windows 10
1. In the Configuration Manager console, within the Software Library workspace, under the Operating
Systems\Task Sequences node, right-click MDT Client Upgrade in the task sequence details pane,
and then select Deploy.
2. In the Deploy Software Wizard, ensure that the following settings are configured as specified and that
all other pages use the default settings:
a. On the General page, in the Collection text box, enter Clients to Upgrade.
b. On the User Experience page, ensure Show Task Sequence progress, System restart (if
required to complete the installation) and Commit changes at deadline or during a
maintenance window (requires restart) are selected.
c. Click Next on all the remaining pages, and then after completion, click Close.
 Task 5: Start the computer upgrade

1. In Hyper-V Manager on the host, start and connect to 20695C-LON-CL3.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. In Control Panel, click the System and Security, Configuration Manager item, and then on the
Actions tab, run the Machine Policy Retrieval & Evaluation Cycle.
4. When the New Software is Available notification appears in the Notification area, double-click it to
open Software Center.
5. Run the MDT Client Upgrade task sequence.
Note: The entire upgrade takes approximately two hours. Due to the limited amount of
time available for this lab, you can stop the upgrade by reverting the 20695C-LON-CL3 virtual
machine. This will complete the lab.
Results: After completing this exercise, you should have created and deployed an MDT task sequence.

When you are finished with the lab, keep all of the virtual machines running. The virtual machines in their
current state are required for the next lab/module.
Question: What is the purpose of creating the Clients to Upgrade collection, and how would you
use it?
Question: Why did you install DaRT before you started the MDT boot image?
Lab B: Configuring UDI

Scenario
As an administrator at A. Datum Corporation, you are tasked with deploying new systems to end users.
You decided to let the users make some of the deployment decisions. You will create a UDI task sequence
to provide the users with the options you are allowing them to choose.
Objectives
• Create a UDI task sequence.
• Deploy Windows 10 by using a UDI task sequence.
Lab Setup
Virtual machines: 20695C-LON-DC1, 20695C-LON-CFG, 20695C-LON-REF1

Password: Pa$$w0rd
The required virtual machines should still be running from the previous Lab tasks. If they are not then
perform the following:
o Domain: Adatum
Exercise 1: Creating a UDI task sequence

Scenario
To deploy an operating system by using UDI, you must first create a UDI-enabled task sequence. You
must then configure the XML files that control the behavior of the UDI Wizard.
1. Create a UDI task sequence.
2. Edit the MDT UDI task sequence.
3. Configure the UDIWizard_Config.xml file to control the UDI Wizard behavior.
4. Edit the CustomSettings.ini file to prepopulate Domain Join Credentials in UDI Wizard.
5. Update distribution points with the updated MDT 2013 Update 2 and MDT settings packages.
 Task 1: Create a UDI task sequence

1. In the Configuration Manager console, select the Software Library workspace, and then navigate to
the Operating Systems\Task Sequences node.
2. Right-click Task Sequences and then select Create MDT Task Sequence.
3. The Create MDT Task Sequence Wizard opens. Complete the pages of the wizard as follows, clicking
Next after each page is complete:
a. On the Choose Template page, select Client Task Sequence.
b. On the General page, in the Name text box, enter MDT UDI.
c. In the Task sequence comments box, enter MDT UDI Task Sequence used to deploy
Windows 10 to a new computer.
d. On the Details page, select Join a Domain, and enter Adatum.com as the domain name.
e. Click Set, and in the For the user name text box, enter adatum\CMDomainJoin, with a
password of Pa$$w0rd.
f. In the Organizational name text box, enter Adatum.
g. On the Capture Settings page, accept the default (no capture).
h. On the Boot Image page, in Specify an existing boot image package, click Browse, and then
enter Lab10 MDT Boot Image en-US.
i. On the MDT Package page, click Specify an existing Microsoft Deployment Toolkit Files
package, and then click Browse.
j. In the Select a Package window, select MDT 2013 Update 2 Toolkit.
k. On the OS Image page, in Specify an existing OS image, click Browse, and then select
Win10Ent x64 Eval en-US.
l. On the Deployment Method page, select Perform a “User- Driven Installation”.
m. On the Client Package page, in Specify an existing ConfigMgr client package, click Browse,
and select Microsoft Corporation Configuration Manager Client Package.
n. On the USMT Package page, in Specify an existing USMT package, click Browse, and then
select Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384.
o. On the Settings Package page, select Specify an existing settings package, click Browse, and
then select Windows 10 x64 Settings.
p. On the Sysprep Package page, accept the default (no Sysprep).
q. Click Next on the Summary page, and then, when complete, click Finish.
 Task 2: Edit the MDT UDI task sequence

1. In the details pane of the Configuration Manager console, in the Software Library workspace, under
the Operating Systems\Task Sequences node, right-click MDT UDI, and then select Edit.
The MDT UDI Task Sequence Editor appears.
2. In the Initialization group, select the first Format and Partition Disk (UEFI) step, and then in the
Volume list, delete the first three volumes.
3. Repeat the same action, but this time for the Format and Partition Disk (UEFI) step that you find in
the Script does not exist or no partitions group.
4. In the PostInstall group, select Apply Windows Settings, select Enable the account and specify
the local administrator, and then type Pa$$w0rd in the Password and Confirm Password text
boxes.
5. In the PostInstall group, select Apply Network Settings, and then configure the Domain OU value
to use the Adatum/London Clients OU. You can browse for values.
6. Click OK.
 Task 3: Configure the UDIWizard_Config.xml file to control the UDI Wizard behavior
1. Start the UDI Wizard Designer and on the ribbon of the UDI Wizard Designer, click Configuration
Manager.
2. In the UDI Wizard Designer, click Open, navigate to E:\CMSources\OSD\MDT 2013\Scripts, and
then open the UDIWizard_Config.xml file.
3. Expand the Stage: NEWCOMPUTER section, and select the Install Programs page.
4. In the Site Settings window, type LON-CFG.adatum.com as the Site Server Name. Click Validate
Site. In the Application Collection text box, type MDT UDI Apps Ref. Click OK.
5. In the Stage: NEWCOMPUTER section, select the Welcome page, and click the Configure tab at the
top of the preview pane.
6. On the Welcome page under the Message heading, click right before the word Deployment and
then type Adatum OS followed by a space. The entire sentence should now read Welcome to the
Adatum OS Deployment Wizard. Click the Flow tab.
7. In the Stage: NEWCOMPUTER section, right-click the BitLocker page and select Remove Item, and
then click Yes.
8. Repeat the actions in previous step to remove: Select Target, Administrator Password and User
Device Affinity. You should have seven pages left in the Stage: NEWCOMPUTER section.
9. In the Stage: NEWCOMPUTER section, select the Volume page, and click the Configure tab. Click
the down arrow next to Image Combo Behavior.
10. In the Image Combo Box section, right-click the Windows 7 RTM images item, and then select
Select an Operating System Image.
11. Select Win10Ent x64 Eval, and then type Windows 10 Enterprise x64 Eval as Display Name.
Click OK.
12. Under the User Data and Settings section, expand User Data Combo Behavior. Select Format:
Clean all data on the target volume during install and click Unlocked. It should now read Locked.
Click the Flow tab.
13. In the Stage: NEWCOMPUTER section, select the New Computer Details page, and click the
Configure tab. Expand Network Details.
14. In the Domain or Workgroup Radio Buttons section, click Domain, and then click Unlocked.
15. Expand Domains and OUs, and then click Add Domain. In the Create or Edit Domain Information
window, type adatum.com as Domain Name and Adatum as Friendly name. Then click OK.
16. Right-click Adatum/adatum.com, and then select Search Domain for OUs. Select London Clients,
and then click OK.
17. Right-click Adatum/adatum.com, and then select Search Domain for OUs. Select Computers, and
then click OK.
18. Expand the Domain Join Credentials section, click the Unlocked button next to the User Name text
box and Password text box. Click the Flow tab.
19. In the Stage: NEWCOMPUTER section, select the Language page, and then click the Configure tab.
Expand Region and Language Defaults.
20. In Time Zone box, select (UTC) Coordinated Universal Time, and then click Unlocked. Click the
Flow tab.
21. In the Stage: NEWCOMPUTER section, select the Install Programs page and click the Configure
tab. Right-click General Software, and then click Remove Item. When prompted, click Yes.
22. Click Add Group, and type Adatum Software as the name. Then click OK.
23. Right-click Adatum Software, and then click Add Software to Group. In the Add Software To Group
Wizard, select I want to add a Package/Program, and then click Next.
24. Type Microsoft PowerPoint Viewer as the Display Name. In the Search for 32 Bit Program
section, click Select.
25. Click Search, and then select Microsoft PowerPoint Viewer. Then click OK.
26. In the Search for 32 Bit Program section, next to Program, select Per-system unattended, and
then click Finish.
27. Right-click Adatum Software, and then click Add Software to Group. In the Add Software To Group
Wizard, select I want to add an Application, and click Next.
28. Type XML Notepad 2007 as Display Name. In the Search for Application section, click Select.
29. Click Search, and then select XML Notepad 2007. Click OK, and then click Finish.
30. In the Software and Groups section, select Microsoft PowerPoint Viewer.
31. In the UDI Wizard Designer, click Save As. Click Save, and then click Yes. Then click OK.
32. Close the UDI Wizard Designer.
 Task 4: Edit the CustomSettings.ini file to prepopulate Domain Join Credentials in

UDI Wizard
1. Using File Explorer, browse to E:\CMSources\OSD\MDTSettings and edit the CustomSettings.ini
file.
2. Insert the following two lines of code last in the file:
OSDJoinAccount=ADATUM\CMDomainJoin
OSDJoinPassword=Pa$$w0rd
The CustomSettings.ini should now look like this:
[Settings]
Priority=Default
[Default]
OSInstall=Y
SkipCapture=YES
SkipProductKey=YES
3. Save the file and close Notepad.

 Task 5: Update distribution points with the updated MDT 2013 Update 2 and
MDT settings packages
• In the Configuration Manager console, within the Software Library workspace, in the Application
Management\Packages node, select the MDT 2013 Update 2 Toolkit and Windows 10 x64
Settings packages. Select Update Distribution Points, and then click OK.
Results: After completing this exercise, you should have created a working UDI task sequence, which will
enable you to deploy Windows 10 to new computer.
Exercise 2: Deploying Windows 10 by using a UDI task sequence

Scenario
You have completed all necessary configuration for a UDI task sequence and are ready to deploy
Windows 10 to a new computer using the UDI Wizard.

1. Deploy the UDI task sequence to the Unknown Computers collection.
2. Start the UDI task-sequence deployment.
 Task 1: Deploy the UDI task sequence to the Unknown Computers collection
1. In the Configuration Manager console, within the Software Library workspace, in the Operating
Systems\Task Sequences node, right-click MDT UDI in the task-sequence details pane, and click
Deploy.
2. On the General page, click Browse, and then click OK. In the Select Collection window, select All
Unknown Computers, click OK, and then click Next.
3. On the Deployment Settings page, under the Make available to the following heading, select
Only media and PXE, and then click Next.
4. On the Scheduling page, click Next.
5. On the User Experience page, click Next.

6. On the Alerts page, click Next.
7. On the Distribution Points page, click Next.
 Task 2: Start the UDI task-sequence deployment

1. Start Hyper-V Manager, right-click the 20695C-LON-REF1 virtual machine, and select Settings.
2. In the Settings for 20695-LON-REF1 on host window, click the DVD Drive node under IDE
Controller 1.
3. In the Media section, click Browse, and browse to D:\Program Files\Microsoft Learning
\20695\Drives. Select the MDT-UDI-BootMedia.iso file and click Open. Then click OK.
4. Start the 20695C-LON-REF1, and then click Connect.
5. On the Welcome to the Task Sequence Wizard page, click Next.
6. On the Select a task sequence to run page, select MDT UDI, and then click Next.
7. On the Edit Task Sequence Variables page, click Next.
Note: It will take a few minutes to download the MDT Toolkit package.
8. On the Ready to start page, click Finish. The machine will reboot.
9. On the Welcome page, click Next.
10. On the Volume page, select the Windows 10 Enterprise x64 Eval image, and click Next.
11. On the Deployment Readiness page, click Next.

12. On the New Computer Details page, type LON-CL4 as the Computer Name.
Notice that the Domain Join Credentials have been filled in automatically. They have been read
from the CustomSettings.ini file.
Then click Next.
13. On the Language page, click Next.
14. On the Install Programs page, select XML Notepad 2007, and then click Next.
15. On the Summary page, click Finish. The deployment starts.
Note: If time permits, you can leave the virtual machines running to finish the deployment,
while your instructor starts on the next module. You should ask your instructor for guidance
regarding this.
16. On the Deployment Complete page, click the Welcome, Deployment Summary, and Applications
Installed tabs to verify the installation. Then click Start Windows.
17. Sign in by using adatum\administrator as the username and Pa$$w0rd as the password.
Results: After completing this exercise, you should have deployed Windows 10 to a new computer by
using a UDI task sequence.

steps.
4. Repeat steps 2 and 3 for 20695C-LON-CFG, 20695C-LON-CL3, and 20695C-LON-REF1.
Question: Why did you have to update the distribution points with the MDT 2013 Update 2
toolkit package after you made the changes to UDI Wizard xml files?
Question: What must you do to integrate MDT 2013 Update 2 with Configuration Manager?

Review Questions
Question: Can you use the UDI Wizard Designer to make changes to a task sequence?
Question: You have made changes to the CustomSettings.ini file in the MDT Deployment
Workbench. What is it important for you to do next?
Question: Where can you find a new, bare-metal computer’s SMSBIOS globally unique
identifier (GUID) and media access control (MAC) address?
Tools
Microsoft A Solution Accelerator for http://aka.ms/V6gnxw

Deployment operating system and
Toolkit 2013 application deployment.
Update 2 MDT 2013 supports
deployment of Windows 10,
Windows 8.1, Windows 8,
Windows 7, Windows Server
2012 R2, Windows Server
2012, and Windows Server
2008 R2.
Windows ADK for Windows ADK is a collection http://aka.ms/Jjdlao (direct download

Windows 10 of tools that you can use to link)
customize, assess, and
deploy Windows operating
systems to new computers.
DaRT Remote Use to connect remotely into Included with the MDOP, only available
Control the Windows PE preinstall from a Microsoft Software Assurance
task sequence during a subscription.
deployment. More information about the MDOP can
be found here: http://aka.ms/Wdqu3p.
UDI Wizard A graphically oriented Installed as part of MDT 2013 Update 2. It

Designer program that lets you can be downloaded from here:
creates custom pages that a http://aka.ms/V6gnxw.
user sees when you deploy a
system.
11-1
Module 11
Activating clients and managing additional configuration
settings
Contents:
Lesson 1: Solutions for volume license activation 11-2
Lesson 2: Determining additional client configuration settings 11-14
Lab: Configuring additional settings for computer clients 11-26
Module Overview
After you deploy a Windows 10 client system and run all the task sequences, you must complete some
administrative configuration steps. Windows 10 activates differently from earlier client versions, because
you do not normally enter the product key during the initial installation. You do so after the installation
or deployment, and then activation takes place. Additionally, you can set up clients with several
specifications, such as locking down the Start menu and providing custom power options, mapped drives,
and printer assignments.
Objectives
• Explain the solutions for volume license activation.
• Configure additional settings for client computers.

11-2 Activating clients and managing additional configuration settings
Lesson 1
Solutions for volume license activation
Product activation is a requirement of the Windows 10 operating system. It requires validation for each
Windows 10 license through an online activation service at Microsoft, either by phone, through the Key
Management Service (KMS), or through Active Directory Domain Services (AD DS). Activation enhances
protection from software piracy and helps you to manage the operating system and application instances
within an environment. In this lesson, you will learn how activation works. You will also learn about the
volume activation models to consider for an effective Windows 10 desktop deployment.
Lesson Objectives
• Describe license activation.
• Explain volume activation technologies.

• Explain how Active Directory-based activation works.
• Describe how to install the Volume Activation Services role.
• Explain how KMS activation works.
• Describe tools for managing activation.
• Explain how to activate Microsoft Office 2016.
• Explain how to implement activation solutions in a multisite environment.
What is license activation?

All editions of Windows 10 and of Windows Server
2012 and later require activation. Activation
confirms the status of a Windows product and
helps ensure that the product key is not
compromised. The activation process establishes a
relationship between the software’s product key
and a specific installation of that software on a
device. The activation processes for Windows 10
and Windows Server 2012 R2 are identical to the
processes that Windows 8 and Windows Server
2012 use.
Unlike Windows 7, Windows 10 does not have a

grace period. You must activate Windows 10 and Windows Server 2012 R2 immediately upon installation.
Failing to activate these Windows and Windows Server operating systems prevents users from completing
customization, and the computer will shut down every hour. In earlier versions of the Windows operating
system, you could use the Windows Genuine Advantage tool to validate that your copy of Windows was
genuine. You could then choose to activate your copy of Windows. This caused confusion for users who
thought activation and validation were interchangeable. In Windows 10 and Windows Server 2012 R2,
activation and validation occur at the same time.
If you want to evaluate Windows 10 or Windows Server 2012 R2, Microsoft provides a separate evaluation
edition available through the TechNet Evaluation Center. Windows 10 Enterprise has a 90-day evaluation,
and Windows Server 2012 R2 has a 180-day evaluation. Both have a built-in product key, so you do not
need to enter one. However, you do need to activate each one online. You can convert the evaluation
version of Windows Server R2 to a retail version. However, you cannot do so for Windows 10.
If you are using the Windows Server 2012 R2 Datacenter edition as a Microsoft Hyper-V host, any virtual
machines with the Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, or Windows
Server 2012 R2 Essentials edition are automatically activated via the host’s activated license. You do not
need to take further action to activate these virtual machines.
Three main activation methods exist:
• Retail. Any Windows 10 product purchased at a retail store comes with one unique product key that
you type in during product installation. Use the product key to complete the activation after installing
the operating system. The license terms prohibit reimaging by using original equipment manufacturer
(OEM) or retail media.
• OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 10. You perform OEM Activation by associating the operating system with the computer
system BIOS.
• Microsoft Volume Licensing. Microsoft Volume Licensing (volume activation) comprises a series of
software licensing programs that are tailored to the size and purchasing methods of your
organization. Volume customers set up Microsoft Volume Licensing agreements, which might include
Windows upgrade benefits and other benefits related to value-added software and services. Microsoft
Volume Licensing customers use Volume Activation Services to assist in using the various activation
models, which consist of Active Directory-based activation, KMS activation, and multiple activation
key (MAK) activation.
If you do not activate Windows 10 or Windows Server 2012 R2, the operating system reverts to Reduced
Functionality Mode:
• The desktop background is set to black.
• Persistent notification remind the user that the operating system is illegitimate.
• The computer shuts down every hour.

Sometimes, the activation process fails or concludes that the key is counterfeit or stolen. In such cases, the
activation process marks the operating system as non-genuine.
Technologies for volume activation

Volume activation provides a simple and security-
enhanced activation experience for enterprise
organizations, while addressing issues associated
with generic volume license keys (GVLKs). Volume
activation provides system administrators with the
ability to centrally manage and protect product
keys, and it provides several flexible deployment
options that activate enterprise computers
regardless of the organization’s size.
Volume activation models

Enterprise environments use three main volume activation models and a service that runs on Windows
Server 2012 R2. Depending on your organization’s needs and network infrastructure, you can use any or
all of the options associated with these models:
• Volume Activation Services. A server role in Windows Server 2012 R2 that allows you to automate and
simplify the issuance and management of Microsoft software volume licenses for a variety of
scenarios and environments. When you use Volume Activation Services, you can install and configure
KMS and enable Active Directory-based activation.
• KMS. A role service that allows an organization to activate operating systems within its network from
a computer where a KMS host has been installed. KMS allows IT professionals to complete activations
on their local networks, eliminating the need for individual computers to connect to Microsoft for
product activation. KMS does not require a dedicated system, and it can coexist on a system that
provides other services. By default, volume licensing editions of Windows 10 and Windows Server
2012 R2 connect to a system that hosts the KMS service to request activation. No action is required
from the user. You can use KMS for managed environments where more than 25 physical or virtual
Windows client operating systems are consistently connected to the organization’s network or for
environments with five or more server computers.
• Active Directory-based activation. A role service that allows you to use AD DS to store activation
objects, which can greatly simplify the maintenance of Volume Activation Services for a network.
When you use Active Directory-based activation, you do not need a KMS server. Activation requests
are processed during client computer startup. Any computer that is running Windows 8 or later or
Windows Server 2012 or later, that has a generic VLK, and that is connected to a domain will activate
automatically and transparently. These computers will stay activated as long as they remain members
of the domain and maintain periodic contact with a domain controller. Activation takes place after
the licensing service starts. When this service starts, the computer running Windows 8 or later or
Windows Server 2012 or later connects to AD DS automatically, receives the activation object, and
activates without user intervention.
• MAK activation. A model that uses product keys that can activate a specific number of computers. If
you do not control the use of VLKs, excessive activations can cause depletion of the activation pool.
You do not use MAKs to install Windows 10 but to activate the operating system after installation.
You can use MAKs to activate any Windows 10 volume edition.
Additional Reading: For more information, refer to Volume Activation for Windows 10:
http://aka.ms/T5383c.
How Active Directory-based activation works

In an environment that uses Active Directory-
based activation, the volume activation process
is as follows:
1. An enterprise administrator installs the Active

Directory-based activation role service on a
domain controller, including the KMS host
key. The administrator then activates the KMS
host key with the Microsoft-hosted activation
services. Administrators can complete this
installation from any computer that has the
Volume Activation Management Tool (VAMT)
console.
2. When a domain member computer that is running Windows Server 2012 or later or Windows 8 or
later and that has a generic VLK starts, the licensing service on the client automatically queries the
domain controller for licensing information.
Note: You cannot use Active Directory-based activation to license computers that are not
domain members.
3. If the licensing service on the client finds a valid activation object, activation proceeds silently without
requiring any user intervention. The same renewal guidelines apply to both Active Directory-based
activation and KMS activation.
4. If the licensing service on the client does not find volume licensing information in AD DS, a client that
is running Windows Server 2012 or later or Windows 8 or later looks for a KMS host and then
attempts activation by following the KMS activation process.
Active Directory-based activation greatly simplifies the process of activating clients that are running
Windows 8 or later or Windows Server 2012 or later. It requires the Windows Server 2012 AD DS schema.
Although you cannot directly edit activation objects, an administrator can use advanced AD DS tools to
view each activation object and configure security access control lists for the activation objects to restrict
access as needed. If necessary, administrators can delete activation objects. On a local client, a user with
read/write permission for the activation object can use the command prompt to perform these functions.
Many organizations have complex volume licensing infrastructures to support KMS and Office
installations. To add Active Directory-based activation to these environments, administrators must assess
their current implementations and determine what role Active Directory-based activation will play in their
environments.
An important point to consider is how to upgrade operating systems and applications to versions that
support Active Directory-based activation. For environments that exclusively run Windows 8 and later and
Windows Server 2012 and later, Active Directory-based activation is a suitable option for activating all
clients and servers, and you might be able to remove any KMS hosts.
If an environment will continue to contain earlier versions of volume-licensed operating systems and
applications, administrators will need a KMS host to maintain the activation status in addition to enabling
Active Directory-based activation for clients that are running Windows 8 and later and Windows Server
2012 and later.
You also can use Active Directory-based activation to activate volume license editions of Office 2016 that
are running on Windows 8 or later operating systems and that are domain members.
Take these planning considerations into account when working with Active Directory-based activation:
• You do not need an additional host server. Your existing domain controllers can support activating
clients, with the following limitations:
o You cannot configure Active Directory-based activation on read-only domain controllers.
o You cannot use Active Directory-based activation with non-Microsoft directory services.
o AD DS must exist at the Windows Server 2012 schema level to store activation objects.
o Domain controllers running earlier versions of Windows Server can activate clients after their
schemas update by using the Windows Server 2012 version of Adprep.exe.
• You need only one activation object forest.
Demonstration: Install the Volume Activation Services role

In this demonstration, you will learn how to add the Volume Activation Services role.
Demonstration Steps
1. On LON-SVR2, start Server Manager, select Manage, and then click Add Roles and Features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.

5. On the Select server roles page, select Volume Activation Services. When prompted, click Add
Features, and then click Next.
6. On the Select features page, click Next.
7. On the Volume Activation Services page, click Next.
8. On the Confirm installation selections page, click Install.
9. On the Installation progress page, click Close.

10. Click Notifications, which is the flag with the yellow exclamation point (!). Click Volume Activation
Tools. The Volume Activation Tools Wizard opens. Click Close and then click Yes.
Note: Because of the configuration of the virtual machines, the activation of the KMS server
cannot be demonstrated.
How KMS activation works

When organizations use KMS, they can perform
local activations for computers in a managed
environment without the need for those
computers to individually connect to Microsoft.
You can enable KMS functionality on a physical
computer or virtual machine that runs Windows
Server 2012 R2, Windows Server 2012, or
Windows Server 2008 or on a Windows 10,
Windows 8.1, Windows 8, or Windows 7
computer.
Note: You must update installations of KMS that run on Windows 7 and Windows Server
2008 R2 to activate Windows 10 by installing the hotfix at http://aka.ms/Nsvi4k.
Additional Reading: You must update installations of KMS that run on Windows 8.1,
Windows 8, Windows Server 2012 R2, and Windows Server 2012 to activate Windows 10 by
installing the hotfix at http://aka.ms/E34ryg.
After you download and install the hotfix, you must do the following:
1. Restart the computer.
2. Acquire a new KMS host key from the Microsoft Volume Licensing Service Center.
3. Go to your KMS host, and uninstall the old KMS host key by using the slmgr.vbs /upk command.
4. On the KMS host, install the new KMS host key by using the slmgr.vbs /ipk AAAAA-BBBBB-CCCCC-
DDDDD-EEEEE command.
5. Run the slmrg.vbs /ato command on the KMS host to activate the KMS host key.
You cannot update installations of KMS on Windows Server 2003 to support the activation of clients that
are running Windows 10 or Windows Server 2012 R2.
Windows Server 2012 and later versions and Windows 8 and later versions include KMS. After you
initialize KMS, the KMS activation infrastructure is self-maintaining. The KMS service does not require
dedicated computers and can coexist with other services.
A single KMS host can support an almost unlimited number of KMS clients. Most organizations can
operate with just two KMS hosts for their entire infrastructure: one primary KMS host and a backup host
for redundancy.
Implementing KMS activation

To enable KMS functionality, you install a KMS host key on the KMS host and then activate it either by
phone or by using an online web service at Microsoft. Note that you can use a single KMS host key six
times, so if you are installing seven or more KMS hosts, you must purchase another host key. Start the
Command Prompt window on the host computer by using elevated privileges, and then run the following
command.
cscript C:\windows\system32\slmgr.vbs -ipk <KmsKey>

During installation, a KMS host automatically attempts to publish its existence and location in the Domain
Name System (DNS) in the form of a host (A record) and a service record (SRV record). This provides the
ability for both domain members and standalone computers to activate against the KMS infrastructure.
Client computers dynamically locate the KMS host by using the SRV record found in DNS or the
connection information manually configured in the registry. Client computers then use the information
returned from the KMS host to self-activate.
KMS activation considerations

If you decide to implement KMS activation, consider the following factors:
• Client computers that are not activated attempt to connect with the KMS host every two hours.
• To stay activated, client computers must renew their activation by connecting to the KMS host at least
once every 180 days.
• After activation, client computers attempt to renew their activation every seven days. After each
successful connection, the expiration date extends another 180 days.
• Client computers connect to the KMS host for activation by using anonymous remote procedure calls
(RPCs) over TCP/IP and by using default port 1688. You can configure this port information. The
connection is anonymous, allowing workgroup computers to communicate with the KMS host. You
might need to configure the firewall and the router network to pass communications for the TCP port
that will be used.
• To use KMS activation with Windows 10 or Windows Server 2012 R2, the computer must have the
qualifying operating system license as part of a new computer purchase, and it must contain a
Windows marker in the BIOS.
• A minimum threshold exists for KMS activation. Before you can activate any computer through KMS,
at least the following minimum numbers of clients need to exist for different KMS licenses:
o Windows 2008 Server and later: five clients
o Office 2013: five clients
o Windows 7 and later: 25 clients
Note: The individual servers or clients can be running any combination of approved
operating systems. For example, if you have 12 Windows 10 clients and 13 Windows 7 clients,
you meet the minimum threshold of 25 clients. However, if the total number of activated clients
drops below 25 or 5, depending on the operating system or product, new activations cannot take
place until the minimum requirement is met. Because KMS activations last for 180 days, those
that are activated in this scenario will remain activated for the entire period. However, if the
minimum requirement is not met when the time period expires, those clients will revert to a state
of not activated.
VAMT activation management

VAMT allows organizations to automate and
centrally manage the volume and retail activation
process for Windows operating systems, Office
apps, and certain other Microsoft products. VAMT
can manage volume activation by using MAK or
KMS. VAMT is a standard Microsoft Management
Console (MMC) snap-in that requires MMC 3.0.
You can install VAMT on any computer that is
running Windows 10, Windows 8.1, Windows 8,
Windows 7, Windows Server 2012 R2, Windows
Server 2012, or Windows Server 2008 R2. VAMT is
available only in an EN-US (x86) package.
VAMT is available as a free download as part of the Windows Assessment and Deployment Kit (Windows
ADK) for Windows 10. You need VAMT 3.1 to administer Windows 10, which comes with the Windows
ADK for Windows 10. You can use VAMT to manage and specify a group of computers to be activated
based on the following:
• AD DS
• Workgroup names
• IP addresses
• Computer names
VAMT provides a single graphical user interface for managing activations and performing other
activation-related tasks, such as:
• Adding and removing computers. You can use VAMT to discover computers in the local environment.
VAMT can discover computers by a query to AD DS, by workgroup name, by individual computer
name or IP address, or via a general Lightweight Directory Access Protocol query.
• Discovering products. You can use VAMT to discover Windows operating systems, Windows Server
operating systems, Office programs, and other products installed on client computers.
• Monitoring activation status. You can collect activation information about each product, including the
last five characters of the product key being used, the current licensing state (such as Licensed, Grace,
or Unlicensed), and the product edition information.
• Managing product keys. You can store multiple product keys and use VAMT to install them to remote
client products. You can also determine the number of activations remaining for MAKs.
• Managing activation data. VAMT stores activation data in an SQL database. You can export this data
to other VAMT hosts or to an archive in XML format.
New features in VAMT 3.0

The following features are new or updated in VAMT 3.0:
• The user interface. The updated user interface makes volume activation and license management a
one-console process.
• Data storage. Data storage in a Microsoft SQL Server database provides greater scalability and speed.
• Licensing reports. Five new volume licensing reports provide virtually instant licensing status
information for every computer in the database:
o At Risk Products Report
o Duplicate CMID Report
o MAK Usage Report

o Unlicensed Products Report
o Volume Activation by Authority Report
• Windows PowerShell command-line interface cmdlets. A Windows PowerShell module for VAMT
replaces the Vamt.exe command-line interface.
• Support for proxy authentication. If you are on a network that requires a user name and password to
reach the Internet, VAMT allows you to sign in and perform proxy activation.
• Active Directory-based activation. VAMT can activate an Active Directory-based activation object
either online or by proxy. When you deploy an Active Directory-based activation, any new qualifying
computers joined to the domain are automatically activated.
Note: VAMT 3.1, which is available in the Windows ADK for Windows 10, does not have
new features. However, it has several updates and fixes applied.
Deprecated and removed features in VAMT 3.0

The following features that existed in previous versions of VAMT have been deprecated or removed from
VAMT 3.0:
• Data storage in computer information list (.cil) files. VAMT no longer stores data in .cil files but rather
in a SQL Server database. You can import data currently stored in .cil files into VAMT. Data that you
export from VAMT is saved in a .cilx file.
• The Vamt.exe command-line interface. Vamt.exe is no longer available and has been replaced by a
Windows PowerShell module.
Additional Reading: For more information, refer to Import and Export VAMT Data:
http://aka.ms/Dzwia6.
Activating Office 2016

Microsoft has simplified the process of activating
Office 2016. When you install a standalone version
of Office 2016, such as Office Home and Student
2016, Office Home and Business 2016, or Office
Professional 2016, you have to provide a product
key during the installation. After the installation is
complete, and if the computer has Internet
connectivity, Office 2016 will automatically
activate over the Internet, without user
involvement. This also applies to an existing Office
installation on a computer that you reinstall. For
example, if you reinstall Office 2016 on the same
computer on which you previously activated Office 2016, the reinstalled Office 2016 will silently reactivate
without user or administrator input, as long as you have an Internet connection. If you significantly
change the hardware environment, Office 2016 might require reactivation. In that case, the Reactivation
Wizard runs and prompts you for the product key.
Activating Office 365

Many versions of Office 365 exist, and in each case, Office 365 automatically activates. To see which
products are installed on your computer, open Office 365, click File, click Account, and then click
Manage your account. Retail versions of Office 2013 are usable on one computer. However, if you use
the subscription products in Office 365 Home, Office 365 Business, or Office 365 ProPlus, you can install
Office on as many as five devices. In the Office 365 portal, users can see the devices that have activated
Office 365. If five devices are already activated, the user has the ability to remove an activation and apply
it to a different device.
Note: Office 365 ProPlus refers to the Office 365 versions of Office 2016.
Volume license activation of Office 2016

Volume license versions of Office 2016 can use either MAK or KMS activation. If you use MAK, you need
to connect to the Internet or use a phone to complete the activation. You have to do very little after you
connect to the Internet. The Activation Wizard automatically completes the activation. If you are not
connected to the Internet, the Activation Wizard displays a message stating that no connection exists and
that you must activate over the phone. If you choose phone activation, the wizard requests your
country/region and then displays a toll-free number that you must call. This number will be appropriate
for your geographical location. The wizard also displays an installation ID, which you provide when you
call. You then get a confirmation ID, which you type in the wizard at the confirmation ID location.
All that KMS activation requires is a functioning KMS infrastructure and the Office 2016 KMS product key
added to the KMS server. For KMS to begin activation, the minimum threshold of five Office 2016
installations must exist. For the client, KMS activation then takes place automatically.
Implementing activation solutions in a multisite environment

The volume activation method that organizations
use depends on their particular network
configuration. To select the best activation
method or methods, assess the organization’s
network environment to identify how different
groups of computers connect to the network.
Some of the important configuration
characteristics to identify are connectivity to the
corporate network, Internet access, and the
number of computers that regularly connect to
the corporate network. Most medium-to-large
organizations use a combination of activation
methods because of the varied ways in which their client computers connect to their networks.
Active Directory-based activation

We recommend Active Directory-based activation when a Windows Server 2012 domain controller exists
and all member computers belong to the domain. Unlike KMS activation, you do not need to meet any
thresholds before activating clients or servers. You can use Windows Server 2008 R2 and Windows Server
2008 domain controllers if you update the AD DS schema to include Windows Server 2012 schema
objects. When domain-joined computers connect through their domain controller, they will be activated,
regardless of their location. This simplifies the multisite activation requirements. As long as a domain
controller is present, such as in an AD DS site object, volume activation occurs. However, you cannot
configure Active Directory-based activation on read-only domain controllers (RODCs).
KMS activation
We recommend KMS activation for nondomain computers that are connected to the organization’s core
network or that have periodic connectivity, such as offsite computers. Administrators should modify their
environment’s firewall configurations to ensure that the appropriate exceptions are enabled for KMS
traffic. If you need to change the firewall or other default options later, you can open the VAMT console
and then modify the configuration. Additionally, if you have an RODC that services clients in a remote
location, KMS can run on that RODC and activate clients, whereas Active Directory-based activation
cannot.
MAK proxy activation

If a client computer is not connected to the Internet, such as one in a remote or highly secure location
that is not connected to the Internet, you can use another MAK validation option. This is a MAK proxy
activation, in which VAMT does the following:
1. Installs a MAK product key on the client computer.
2. Retrieves the installation ID from the target computer.
3. Transmits the installation ID to Microsoft on behalf of the client.
4. Obtains a confirmation ID.
5. Activates the client computer by installing the confirmation ID.

You can use the following planning table to ensure that all computers are associated with an activation
option.
Criterion Number of computers Activation method
The number of computers running Unlimited, but only with Active Directory-based
Windows Server 2012 or Windows domain membership activation
10 that will connect to the network
at least once every 180 days, either
directly or through a virtual private
network (VPN)
The number of computers not 25 clients or more KMS activation

running Windows Server 2012 or
Windows 10 that will connect to the
network at least once every 180
days, either directly or through a
VPN, where the KMS activation
threshold is met
The number of computers that do Limited only by the MAK activation

not connect to network at least purchased number of
once every 180 days activations
Criterion Number of computers Activation method
The number of computers running 25 clients or more Active Directory-based

Windows Server 2012 or Windows activation or KMS
10 in isolated networks that connect activation
at least once every 180 days to the
core network
The number of computers not 25 clients or more KMS activation

running Windows Server 2012 or
Windows 8 in isolated networks that
can contact a KMS host
The number of computers in Limited only by the MAK activation

isolated networks where the KMS purchased number of
activation threshold is not met activations
Question: You have installed the Volume Activation Services role and configured Active
Directory-based activation. You join a Windows 7 Enterprise computer to the domain, but it
will not activate. What is the problem?
Question: If you configure your KMS host to not publish DNS records to DNS, what must
you do for the KMS client to be able to find the KMS host?
Lesson 2
Determining additional client configuration settings
After deployment, a Windows 10 computer might need additional configuration. You can use the
deployment tools to deploy an operating system as well as to load programs and apps, apply updates
and drivers, and migrate user data. Beyond these deployment tasks, you can use various tools, particularly
AD DS Group Policy, to further adjust a Windows 10 client’s configuration. In this lesson, you will learn
about post-deployment configuration and Group Policy preferences.
Lesson Objectives
• Describe the benefits of using proven customization solutions.
• Describe the common Windows 10 Start menu options.
• Describe how to configure the Windows 10 Start menu.

• Explain how to configure power plans.
• Describe how to centrally manage power plans.
• Explain how to manage Windows updates.
• Describe how to configure Group Policy settings and preferences.
Discussion: Using proven customization solutions

When you deploy Windows 10, it already has a
well-known configuration. If it belongs to an
AD DS domain, it will have several security
settings predefined through the domain’s Group
Policy settings. There are even local Group Policy
settings that contain default security settings for
any Windows 10 clients that are standalone or not
connected to the domain. Beyond these settings,
what further configurations do you need?
Spend a few minutes discussing the

post-deployment configuration stage, and
consider how your organization performs this
stage. Be prepared to share information about your organization’s post-deployment configuration,
such as:
• Does your organization have a standard desktop or Start screen configuration?
• Do you provide further desktop security? If so, what do you typically do?
• Can security enhancements cause unintended lockdowns?
• How do you deal with formerly used or locally created software?

• How much administrative access do you allow users to have to their systems?
• Which Group Policy settings do you think you will find useful in your organization?
Managing the Windows 10 Start menu

In Windows 10, the Start menu has been
reintroduced, and it replaces the Start screen from
Windows 8.1 and Windows 8. The Start menu in
Windows 10 includes Windows apps, which are
tile based, and its configurable tiles can display
live information and provide users with an
interactive hub experience. The Start menu also
displays desktop apps together with the most-
used apps as well as shortcuts to File Explorer,
Settings, Power. and All apps.
Live Tiles
Many of the tiles on the Start menu give you real-
time information from a particular app, and they are known as Live Tiles. For example, Live Tiles might
display the number of emails you have waiting or the sender and subject of those emails. They might
show your calendar appointments, currency exchange rates, stock-market values, or the latest
photographs in your collection.
Managing data consumption

The updated information that Live Tiles present often needs an Internet connection to the data sources.
This can lead to the over-consumption of a data plan’s data rate, but you can manage this consumption.
You can stop Live Tile updates by right-clicking the tile, clicking More, and then clicking Turn live tile
off. To stop all Live Tile bandwidth consumption, you need to do this for every Live Tile that you have.
Setting a metered connection

You can make a wireless connection a metered connection and limit the data usage of the Live Tiles.
However, note that you cannot set a wired connection as a metered connection. To set a wireless
connection as metered, click Start, click Settings, click Network & Internet, click Advanced options,
and then click the toggle button next to Set as metered connection.
Limiting data usage

You can turn off the communications of apps that are running in the background, which will help to limit
your data usage. To do so, click Start, click Settings, click Privacy, select Background apps, and then
click the toggle button next to each app to disable the app’s ability to receive info, send notifications, and
stay up-to-date.
Using AD DS GPOs
You can also centrally manage the Start menu items by using AD DS Group Policy Objects (GPOs), and
you can enforce several settings by using local Group Policy settings, as well.
Note: Windows RT devices cannot belong to a domain, so applying any policy to Windows
RT devices requires the use of a local Group Policy setting. Additionally, you must turn on the
Group Policy Client service, which is disabled by default on Windows RT device.
For Windows 10 clients in domains, the AD DS Group Policy settings provide a rich collection of
configurable settings. Settings exist to prevent updates on Live Tiles. This neither restricts bandwidth
nor allows some updates to get through but suspends all Live Tile updates.
Applying user restrictions

In some cases, it might be necessary to restrict a user’s ability to make changes to the Start menu. To do
so, you can use the Prevent users from customizing their Start Screen Group Policy setting that exists
in the User Configuration/Administrative Templates/Start Menu and Taskbar. However, by enabling this
setting, you prevent any changes to the Start menu, including its Live Tiles and apps, so users will not be
able to customize the Start menu. To customize the user’s Start menu, you can use the Start Screen
Layout Group Policy setting in the same location. This Group Policy setting allows you to customize and
then apply a preconfigured Start menu to Windows 10 computers and to prevent users from changing
those settings. The steps involved begin with creating a custom Start menu on a reference computer. You
then install all the wanted apps, set their tile sizes and properties, and create an .xml file that specifies the
Start menu layout on the reference computer. You do this in Windows PowerShell by using the Export-
StartLayout cmdlet, with parameters for the file path and file name and with the xml parameter that
saves the file as XML data. You can then import the .xml file into the Start Layout File box in the Start
Screen Layout Group Policy setting. The next time users sign in to their Windows 10 computers, their
Start menus will have the customized apps and tiles that you selected. They will not be able to remove or
alter these apps and tiles or to add new tiles.
Your organization needs to carefully consider whether to apply such restrictions. One of the benefits of
the Windows 10 Start menu is how user friendly and customizable it is for individual users. In most cases,
you want your users to be able to set their Start menus and tiles according to their own needs and
preferences. You can also apply the layout by using the Import-StartLayout cmdlet, which sets a default
configuration but does not enforce it.
Demonstration: Configuring the Windows 10 Start menu

In this demonstration, you will learn how to create a custom Windows 10 Start menu, export the Start
menu layout .xml file, import the Start menu layout into a GPO, apply the GPO, and test the results.
Demonstration Steps
Create a custom Windows 10 Start menu
1. On LON-CL1, click Start.
2. Resize the Mail tile to Large.
3. Resize the Calendar tile to Wide.
4. Place the Microsoft Edge tile next to the Calendar tile.
5. Place the Store tile under the Calendar tile.

6. Place the Weather tile under the Store tile.
7. Place the Skype video tile under the Weather tile.
8. Place the Phone Companion tile next to the OneNote tile in the second column.
9. Remove the Money tile.
10. Remove all the tiles with the small icons and no text on them. Five of these should exist.
11. Click All apps. Find Notepad in the Windows Accessories group, and then add it to the Start menu.
12. Place the Notepad tile next to the OneNote tile in the second column.
Export the Start menu layout .xml file

1. Run Windows PowerShell as an administrator, type the following cmdlet, and then press Enter.
Export-StartLayout –path \\LON-DC1\E$\Labfiles\AdatumLayout.xml
3. Open File Explorer, navigate to E:\Labfiles\, and then verify that you can see the AdatumLayout.xml
file.
Import the Start menu layout into a GPO

1. On LON-DC1, open the Group Policy Management Console (GPMC), and then in the Adatum.com
domain, create and link a new GPO named Adatum W10 Start menu.
2. Edit the Adatum W10 Start menu GPO in the Group Policy Management Editor, select User
Configuration, Polices, Administrative Templates, and then select Start Menu and Taskbar, Start
Screen Layout.
3. Enable the Start Menu and Taskbar, Start Screen Layout setting, and then in the Start Layout File
box, type \\LON-DC1\E$\Labfiles\AdatumLayout.xml.
4. Add the comment A custom Start menu developed on LON-CL1 by using Microsoft Notepad.
Note: The file location that you specify must be a location to which all user accounts have
read access.
Apply the GPO, and test the results

1. On LON-CL2, click Start, and then note the apps and tiles and their placement on the Start menu.
2. Sign out, and then sign back in to LON-CL2 as Adatum\Administrator with the password
Pa$$w0rd.
3. Examine the Start menu. It should have the custom Start menu applied.
4. Attempt to drag and unpin some of the tiles. You should be unable to do so.
Configuring power plans

Computing devices need electrical power,
regardless of whether they are stationary or
mobile. One of the main concerns with mobile
devices that use stored electrical power is that
the power in the battery is limited and depletes
over time. Another issue for many organizations is
the power consumption by all of the different
devices a business owns. Conserving power
reduces business expenses and impacts the
environment less.
Power plans
In Windows 10, you can create power plans, which are groups of settings that govern power consumption
and operations. By default, three preconfigured power plans exist: Balanced, Power saver, and High
performance. You can adjust and save any of these power plans or save one of them as a new power plan,
or you can create your own power plan. The following table describes the three preconfigured plans.
Power plan Energy usage Screen brightness System activity
Balanced A medium Turns off the display Measures ongoing activity and,
amount after a specified amount when in use, continues to provide
of time full power to all system
components
Power Saver The least By default, powers off Saves energy by reducing system
the display after five performance whenever possible
minutes of inactivity
High The most Sets the display at its Keeps the system’s disk drive,
performance brightest memory, and processor
continuously supplied with power
If the computer is a portable device, such as a tablet or laptop, you can use separate settings within each
plan for when the device is on battery or plugged in. Because you can adjust and save each plan, an
option in each plan allows you to restore the default settings.
You can access the power plans by opening Control Panel, clicking Hardware and Sound, and then
clicking Power Options. You also can type Power Plans on the Start menu.
Configuration options
The Power Options control panel item includes many options. The left pane contains a list of the settings:
• Require a password on wakeup. This setting allows you to ensure that when a computer resumes
from a hibernated state, the screen will be locked until the user presents credentials. By default, this
setting is off.
• Choose what the power buttons do. Most devices have a power button, and many have a sleep
button, as well. For mobile devices with both buttons, this setting includes an On battery and
Plugged in column with four choices for each button, including Do nothing, Hibernate, Sleep, and
Shut down. Some devices do not have a Sleep or Hibernate option. Certain devices also have a
Shutdown settings section on the Power button page, which includes the following check boxes:
o Turn on fast startup. Allows the Windows operating system to save system information to a file
that it uses to start up when you power on the computer.
o Sleep. Suspends power to the hard drive and display but keeps power supplied to the processor
and memory.
o Hibernate. Writes all the activity in memory to a file and then shuts down all power, but allows
the file to reanimate memory with the same values when power is supplied.
o Lock. Locks the screen and requires the user to reenter credentials before resuming operations.
Note: Not all devices have all of these settings. Several of the settings apply to particular
hardware that is not present on all devices.
• Create a power plan. When you click this setting, the Create a Power Plan Wizard appears. In this
wizard, you can select one of the three default plans, save it with a custom name, and then change
the default plan settings on the wizard’s Edit Plan Settings page. This page has three options: Turn
off the display, Put the computer to sleep, and Adjust plan brightness. You select the Turn off
the display and Put the computer to sleep values from a list that has options with a scale from one
minute to five hours or never. You change the Adjust plan brightness values by using a slider bar
from fully dim to the maximum brightness.
• Choose when to turn off the display. This setting takes you to an Edit Plan Settings page that is
identical to the one in the Create a Power Plan Wizard.
• Change when the computer sleeps. This setting has options that are identical to those in the
Choose when to turn off the display setting.
The Power Options control panel item also lists the default and custom-created power plans. When you
click Change plan settings to access a particular power plan, the Change advanced power settings
setting becomes available. This setting opens the Power Options dialog box, which has a list of options
that you can expand and individually select. These options include settings for the battery, hard disk,
graphics, multimedia, and universal serial bus.
Centrally managing power plans

You can easily create custom power plans and
apply them to individual computers. A variable
approach better serves the various power
requirements of different computers. However,
this can be a challenge to implement if your
organization has dozens of distinct power needs
and thousands of individual computers.
Using OUs
You can centralize power plans through AD DS
Group Policy settings and the organizational units
(OUs) that contain the different types of
computers needing different plans. The use of
OUs is important if you want to create a well-managed centralized policy. Depending on your
organization’s needs, OU structural requirements might conflict, so you need to carefully consider all of
them. However, a common OU structure uses a hierarchy of OUs for computers. For example, the top of
your hierarchy might have two major categories: servers and clients. You can then categorize the servers
according to the roles or functions that they perform, or you can categorize the clients as desktops,
laptops, and tablets. Each category can have its own GPOs containing unique power plans that link to a
specific OU. Larger organizations with multiple geographical regions might have a higher-level OU based
on a particular city or region.
Controlling power management settings by using Group Policy

You can use several available settings to configure power options in a GPO. The Power Management node
is under the Computer Configuration/Policies/Administrative Templates/System node in the GPMC. It has
several subnodes, including Button Settings, Hard Disk Settings, Notification Settings, Sleep Settings, and
Video and Display Settings. Two individual settings also exist: Specify a custom active power plan and
Specify an active plan.
The Specify a custom active power plan setting can import a power plan from an existing computer by
using that that power plan’s globally unique identifier (GUID). To export a computer’s power plan and
activate it on a group of computers, perform the following steps:
1. Use the Powercfg.exe command-line tool to export a computer’s active power plan.
2. Place the power plan’s GUID into the Specify a custom active power plan setting in the Group
Policy setting.
3. Import the exported file and GUID to every computer. All the computers linked to this Group Policy
setting then have the same power settings, and the various options to change the power plan on any
of these computers are unavailable.
Note: You can use a sign-in script to import the exported file and GUID to every computer.
Another way to centrally manage power settings is to use a Group Policy preference. You can use such a
preference in several ways to modify a computer’s power plan and other options. For example, to export a
computer’s power plan to a group of computers by using a Group Policy preference, perform the
following steps:
1. Create a new power plan in Computer Configuration/Preferences/Control Panel Settings
/Power Options. Right-click the Power Options node, point to New, and then click Power Plan
(At least Windows 7).
2. When the New Power Plan (At least Windows 7) Properties window opens, on the Advanced settings
tab, a list with the various plans is available. Because the preceding policy setting is a plan on the
domain controller, it is accessible here, and you can select it as your preferred power plan.
By making the plan preferred, you get a result almost exactly like that from the Specify a custom active
power plan setting, except that the user will be allowed to change the plan and all of its elements and to
create or apply a different plan. This is the key difference between a Group Policy setting and a Group
Policy preference: Group Policy settings are enforced, but Group Policy preferences are not.
You can also use several other Group Policy preferences. Access them from the list of items that you can
expand and modify when you navigate to the New Power Plan (At least Windows 7) Properties window
and then click the Advanced settings tab. These settings include options for hard disk, sleep, power
buttons and lid, PCI express, processor power management, display, and battery. Additional settings exist,
such as requiring a password on wakeup. On the Common tab, you can use targeting, and the Targeting
Editor can check whether a battery is present or the computer is portable. among other configurations.
Using Configuration Manager

You can also use Microsoft System Center Configuration Manager (Configuration Manager) to deploy and
centrally manage power plans on individual computers. You can create a collection to receive the power
plan settings. If a computer belongs to multiple collections that each apply a different power plan, the
following actions occur:
• If multiple power setting values are applied to a computer, the least restrictive value is used.
• If different wakeup times are applied, the time closest to midnight is used.
Managing Windows software updates

Windows software updates play an important part
in helping to prevent security breaches and
catastrophic failures. We recommend that you
apply Windows software updates as quickly as
possible when they release. This is especially
important when the updates relate to security
and newly discovered flaws.
In many cases, a Windows software update

requires a system restart. For client computers
with single users, the user can defer the restart
until a later time. In some cases, the user can
restart after completing ongoing work and then
saving and closing files. However, for servers, the restart situation can be much more involved and even
problematic. Some servers conduct operations around the clock, and even a brief restart can mean an
interruption of the services that the server provides. To avoid issues, many IT departments prefer to
carefully manage software updates, especially those that target servers.
Using WSUS to manage updates

Many organizations use Windows Server Update Services (WSUS), which is a role that you can install on
Windows Server 2012 R2. You can then configure WSUS to connect to Microsoft Update servers, and
depending on your needs, your system administrators can examine and download the software updates
that apply to their systems. They can test the software updates and then apply those that do not present
problems. Additionally, they can allow Microsoft to push the software updates directly through the
organizational WSUS server, which is a typical scenario with respect to security updates and hotfixes. The
WSUS administrators can also control the application of software updates and any subsequent restarts.
In Control Panel, you can set the local computer’s Windows Update functionality. You can allow all
software updates to download and run as required, or you can prevent the application of any update.
However, preventing application and security updates can be detrimental to security and contrary to well-
known best practices. You can apply Windows Update settings from an AD DS GPO so that users cannot
locally adjust these settings, or you can use Group Policy to configure computers to use the WSUS server
to retrieve and configure Windows software updates. You can find these settings in the Group Policy
Management Editor in the Computer Configuration/Polices/Administrative Templates/Windows
Components/Windows Update node. This node contains several significant settings that you can apply,
such as Configure Automatic Updates.
In the Configure Automatic Updates setting, you can set the main Windows Update settings, such as
automatically downloading and installing software updates when available, or downloading and notifying
you when software updates are available. You can also configure Windows simply to notify you when
software updates are available for download but to take no further action. For example, when you choose
to automatically download and schedule the installation of software updates, you can also specify the
time and the day of the week that Windows Update will apply any available updates. When you apply this
setting option, the local Windows Update settings in Control Panel are unavailable for all users, who
cannot change these settings.
Another setting in the Windows Update node is Specify intranet Microsoft Update service location.
This setting provides you with the ability to specify the URL of your WSUS server. This means that clients
configured to get automatic software updates will go to the WSUS server instead of the Windows Update
site to look for and apply most updates. This node also contains many other settings that deal with
restarts and notifications. Additionally, you can use Configuration Manager to manage software updates.
The Group Policy settings for Configuration Manager are the same as the WSUS settings already
discussed.
Using Configuration Manager to manage updates

You can use Configuration Manager to centrally manage Windows Update by using a set of tools and
resources that can help you to manage, deploy, and monitor software updates in your enterprise.
Configuring Group Policy preferences

You can configure several preferences in a GPO.
However, Group Policy preferences, unlike Group
Policy settings, are not enforced. Therefore, any
users to whom the preferences are applied can
typically change them if they have the correct
permissions.
Note: Many local settings still require

administrator credentials to configure.
You can apply Group Policy preferences to

computers and users, and each configuration container includes a Preferences node. Typically, computer
configuration preferences apply to any user of that computer, whereas user configuration preferences
apply to the specific user that signs in, regardless of the computer being used.
Each container’s Preferences node has two subnodes: Windows Settings and Control Panel Settings. The
individual items in each of these subnodes might differ depending on whether they exist in a computer or
user configuration main node:
• The settings available in the Computer Configuration/Preferences/Windows Settings node
include Environment, Files, Folders, Ini Files, Registry, Network Shares, and Shortcuts.
• The settings available in the User Preferences Windows Settings node include Applications, Drive
Maps, Environment, Files, Folders, Ini Files, Registry, and Shortcuts.
• The Control Panel settings in the Computer Configuration node include Data Sources, Devices,
Folder Options, Local Users and Groups, Network Options, Power Options, Printers, and
Scheduled Tasks and Services.
• The Control Panel settings in the User Configuration node include all the same settings as the
Computer Configuration node, except Services. Additionally, the User Configuration node
contains the Internet Settings, Regional Options, and Start Menu settings that are not present in
the Computer Configuration node.
The User Configuration/Preferences/Control Panel Settings/Internet Settings node allows an administrator

to customize individual user options found in Internet Explorer and to treat these settings as a collective
overall policy. When you right-click this node and then click New, you can choose which version of
Internet Explorer to configure: Internet Explorer 5 and 6, Internet Explorer 7, Internet Explorer 8
and 9, or Internet Explorer 10. After you select your Internet Explorer version, the New Internet
Explorer # Properties dialog box appears, where the number sign (#) is the version of Internet Explorer
that you chose. The tabs and settings are identical to those in the Internet Options dialog box in Internet
Explorer.
In the Internet Options dialog box in Internet Explorer, on the Advanced tab, you can select or clear
numerous check boxes, depending on the behavior that you want to achieve. These check boxes are also
present on the Advanced tab in the New Internet Explorer # Properties dialog box, but each check box
has a green circle beside it. This means that they are all available to select. However, if you press F8, the
circles all become red circles with a line through them, which means they are ignored. Press F5 and they
become green with no line once more. By pressing F6 and F7, you can switch individual items in the list
between available (green with no line) and ignored (red with a line), rather than switching all of them at
once.
Drive mapping
Two common domain-level functions that you can perform for users is to provide them with certain
shares that you map as drive letters and to make printers available. Traditionally, you do this by using a
sign-in script. However, with Group Policy preferences, you can map drives, assign printers, and configure
several other settings without having to write and manage sign-in scripts.
Item-level targeting
Item-level targeting lets you set the scope for a particular Group Policy preference, including selecting
which user, security group, or computer you want to apply a preference to. You can also have multiple
item-level targets and then link them with an AND or an OR operator. When you use the AND operator,
all the item-level targets must be true. When you use the OR operator, only one of the item-level targets
must be true. For example, you can have two targets with an AND operator, as follows: the user is a
member of the security group ADATUM\Research AND the NetBIOS computer name is LON-CL1. In this
case, both conditions must be met: the user must be in the Research group, and the computer name
must be LON-CL1. If either condition is not met, such as the user being in the Marketing group or the
computer being LON-CL2, the preference will not be available. With an OR operator instead of an AND
operator, the user can be in the Marketing group, or the computer can be LON-CL2, but not both.
Creating, replacing, updating, and deleting mappings

When you create a mapped drive in the Windows Settings/Drive Maps node under the User configuration
node, you can select an action to perform from the Action list. The available actions are Create, Replace,
Update, and Delete. Depending on the action that you select, the Drive Maps details pane lists it
according to differently colored icons. If you hear a discussion of colors with respect to the Create,
Replace, Update and Delete actions, this refers to the following color distinctions:
• Green triangle. Represents Create, which makes a new mapped drive for the users in the container to
which you link the Group Policy.
• Red triangle. Represents Replace, which removes a drive mapping if one exists for this share and then
creates a new one. If no drive mapping exists, selecting this action creates a new one.
• Yellow triangle. Represents Update, which is similar to the Replace action in that if a drive mapping
does not exist, it will create one. However, unlike Replace, this action will not first remove an existing
mapped drive but simply change any values to the new values found in the Update properties. The
Update action is the default in the New Drive Properties dialog box.
• Red X. Represents Delete, which simply removes a drive mapping if it exists.

Demonstration: Configuring Group Policy settings and preferences

In this demonstration, you will learn how to create two drive mappings to the same share but for different
groups, create power preferences, and test the Client User Preferences Group Policy setting.
Demonstration Steps
Create two drive mappings to the same share but for different groups
1. On LON-DC1, open the GPMC.
2. In the GPMC, at the Adatum.com domain level, click Create a GPO in this domain, and Link
it here.
Note: If you see a Group Policy Management dialog box, when you open the GPMC,
close the dialog box by clicking the red X. Then close the GPMC and reopen it.
3. Name the new GPO ClientUserPreferences.
4. Edit the new GPO, and then in the console tree, expand User Configuration, expand Preferences,
and then click Windows Settings.
5. Scroll down, and then double-click Drive Maps. This opens the configuration pane for the drive
maps.
6. Create a new mapped drive with the following settings.
o Action: Update
o Location: \\LON-DC1\Labfiles
o Label as: IT Department Labfiles
o Drive letter: L
o Hide/show this drive: Show this drive

7. Click the Common tab, and configure the following settings:
o Options common to all items: Item-level Targeting
o New Item: Security Group
o Enter the object name to select: IT
8. Create another drive mapping by using the same settings that you did for the previous one, except
for the following:
o Label as: Marketing Group Labfiles
o Targeting, Security Group, Enter the object name to select: Marketing

Create power preferences

1. Expand User Configuration, expand Preferences, expand Control Panel Settings, and then click
Power Options.
2. Create a new power plan with the following settings:
o Action: Update
o High Performance
o Set as the active power plan
o Display: Turn off display after
o Plugged in (minutes): 0
Note: If you see a Group Policy Management dialog box, when you close the GPMC,
close the dialog box by clicking the red X. Then close the GPMC.
Test the Client User Preferences Group Policy setting

1. As an administrator, on LON-CL1, in File Explorer, examine the folders. You should not have the
mapped drive.
3. Sign in to LON-CL1 as Adatum\Holly with the password Pa$$w0rd.

4. In File Explorer, examine the folders. You should have the mapped drive labeled IT Department
Labfiles (L:).
5. In Control Panel, click Hardware and Sound, and then click Power Options. You should have High
Performance, with the Turn off the display option set to Never.
7. Sign in to LON-CL1 as Adatum\Kari with the password Pa$$w0rd.

8. In File Explorer, examine the folders. You should have the mapped drive labeled Marketing Group
Labfiles (L:).
9. In Control Panel, click Hardware and Sound, and then click Power Options. You should have High
Performance, with the Turn off the display option set to Never.
Question: What is the name of the Windows PowerShell cmdlet that is used to export a
custom Start menu from a reference computer?
Question: What is the Powercfg.exe command-line tool used for?
Question: Verify the correctness of the statement by placing a mark in the column to the
right.
Statement Answer
Group Policy preferences are enforced just like

Group Policy settings.
Lab: Configuring additional settings for computer clients

Scenario
To help you follow security guidelines for and properly manage a deployed client computer environment,
you need to learn how to set up a common Windows 10 Start menu, manage power plans, and deploy
security settings by using GPOs. You decide to test this functionality with two users: Holly in the IT
Department and Kari in Marketing. If all goes according to plan, you will implement these solutions across
the Adatum domain.
Objectives
• Create and deploy a common Windows 10 Start menu and custom power plan.
• Use a GPO to deploy preferences to Windows 10 clients that have recently deployed.
Lab Setup
Estimated Time: 45 Minutes
Virtual machines: 20695C-LON-DC1, 20695C-LON-CL1, and 20695C-LON-CL2
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, complete
the following steps:

5. Repeat steps 2 through 4 for virtual machines 20695C-LON-CL1 and 20695C-LON-CL2.
Exercise 1: Planning for Windows 10 customization

Scenario
Holly Franklin, the IT Manager at A. Datum Corporation, has asked you to look into a recurring problem.
Users in the contractors’ office use any available Windows 10 computer to personalize their Start menus.
The Contracting Management office wants to limit contractors to a smaller set of apps on the Start menu
and essentially lock them down. Holly has asked you to look for solutions that allow you to set a standard
Start menu that can be locked down for the contractors’ office. Additionally, when the computers go into
hibernation, it can take several minutes to restart them, depending on the processing that was taking
place at the initial hibernation. Holly wants you to turn off hibernation on these computers.
Supporting documentation: Email thread with Holly

From: Holly Franklin [holly@adatum.com]
Sent: March 12, 2016 09:30
To: Dan Drayton [ddrayton@adatum.com]
Subject: Contractors’ office Windows 10 Start menu issues; hibernation
Dan,
The people in the contractors’ office, who use any available Windows 10 computer, are personalizing their
Start menus, which causes complaints from others who subsequently use the same computer. Can you
please look into solutions for setting a standard contractors’ office Start menu that can be locked down?
Also, when these computers go into hibernation, it can take several minutes to restart them, depending
on the processing that was taking place at the initial hibernation. Please take a look at turning off
hibernation on these computers.
Thanks,
Holly
From: Dan Drayton [ddrayton@adatum.com]
Sent: March 12, 2016 11:15
To: Holly Franklin [holly@adatum.com]
Subject: Re: Contractors’ office Windows 10 Start menu issues; hibernation
Hi Holly,
I have read through some documentation on the Microsoft TechNet site about advanced Windows 10
Group Policy settings. There is a lot we can do by using Group Policy preferences. With these preferences
set, we can do the following:
• Set a standard Start menu for all contractors’ office computers
• Turn off hibernation
I also spoke to Kari Tran, the person in Marketing who is responsible for the contractors’ office. She also
wants the contractors’ office computers to keep the display turned on and other power options turned on,
so a visiting contractor will have instant access. She wants different mapped drives for the contractors and
the ability to select default printers depending on the user. She agreed to help with the testing. To that
end, my research from TechNet says we can also do the following:
• Set power plan options

• Set mapped drives depending on the department the user is from
• Set up shared printers, even for those individual users who might need a certain printer to be the
default printer
I want to go ahead and start testing. Kari has already agreed to help. I need another user to test, as well.
Do you know anyone who can help?
Thanks,
Dan
From: Holly Franklin [Holly@adatum.com]
Sent: March 12, 2016 14:30
To: Dan Drayton [ddrayton@adatum.com]
Subject: Re: Contractors’ office Windows 10 Start menu issues; hibernation
Hi Dan,
Well, because it is summertime, a lot of people are on vacation. That means I have far fewer emergency
meetings to attend. The IT department is a bit understaffed this week, but I am not busy. I will be glad to
help you as a test user. Sounds like fun!
Holly
1. Read the supporting documentation

• Read the supporting documentation.
Results: After completing this exercise, you should have a plan for Windows 10 customization.
Exercise 2: Creating a common Windows Start menu and custom

power plan
Scenario
You must create a GPO to set a standard Start menu layout and power plan to ensure that client
computers do not hibernate. You will then test several Windows 10 computers to ensure that the results
are what you expect.
1. Customize the Start menu, export the Start menu layout, and update the Group Policy settings to
display the new layout when users sign in.
2. Set a power plan to ensure that client computers do not hibernate.
 Task 1: Customize the Start menu, export the Start menu layout, and update the
Group Policy settings to display the new layout when users sign in

1. On LON-CL1, click the Start button.
2. Resize the Mail tile to Large.
3. Resize the Calendar tile to Wide.

4. Place the Microsoft Edge tile next to the Calendar tile.
5. Place the Store tile under the Calendar tile.
6. Place the Weather tile under the Store tile.
7. Place the Skype video tile under the Weather tile.
8. Place the Phone Companion tile next to the OneNote tile in the second column.
9. Remove the Money tile.
10. Remove all the tiles with the small icons and no text on them. Five of these should exist.
11. Click All apps. Find Notepad in the Windows Accessories group, and then add it to the Start menu.
12. Place the Notepad tile next to the OneNote tile in the second column.

1. Run Windows PowerShell as an administrator, type the following, and then press Enter.
3. Open File Explorer, navigate to E:\Labfiles\, and then verify that you can see the AdatumLayout.xml
file.

1. On LON-DC1, open the GPMC, and then in the Adatum.com domain, create and link a new GPO
named Adatum W10 Start menu.
2. Edit the Adatum W10 Start menu GPO, and in the Group Policy Management Editor, expand User
Configuration, expand Polices, expand Administrative Templates, and then select Start Menu
and Taskbar, Start Screen Layout.
3. Enable the Start Menu and Taskbar, Start Screen Layout setting, and then in the Start Layout File
box, type \\LON-DC1\E$\Labfiles\AdatumLayout.xml.
4. Add a comment A custom Start menu developed on LON-CL1 with Notepad.
Note: The file location that you specify must be a location to which all user accounts have
read access.

1. On LON-CL2, click Start, and then note the apps and tiles on it and their placement.
2. Sign out and then sign back in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.
3. Examine the Start menu. It should have the custom Start menu applied.
5. Attempt to pin an app to the Start menu. You should be unable to do that, as well.
 Task 2: Set a power plan to ensure that client computers do not hibernate
1. On LON-DC1, open the GPMC, and then create and link a new GPO named PowerSettings to the
London Clients OU.
2. In the Group Policy Management Editor, in Computer Configuration/Administrative Templates

/Windows Components/File Explorer, disable the Show hibernate in the power options menu
setting.
3. Browse to Computer Configuration, Preferences, expand Control Panel Settings, and then click
Power Options.
4. Create a new power plan with the following settings:
o Action: Update
o High Performance
o Set as the active power plan.
o Sleep, Hibernate after:

 On Battery (minutes): 0
 Plugged in (minutes): 0
o Display: Turn off display after
 Plugged in (minutes): 0
5. When finished, close the Group Policy Management Editor to save the PowerSettings GPO.
6. On LON-CL2, restart the computer, and then sign in as Adatum\Administrator with the password
Pa$$w0rd.
7. In Control Panel, click Hardware and Sound, and then click Power Options. Ensure that the High
performance power plan is turned on, with Turn off the display set to Never.
Results: After completing this exercise, you should have created a common Windows 10 Start menu and a
custom power plan.
Exercise 3: Create a client preferences GPO

Scenario
Now that the previous tests have gone according to your plan, you decide to create a GPO with user
preferences that fulfill the requirements that Kari requested. You will use Kari and Holly to test the results
and ensure that the preferences are installed correctly.
1. Create and deploy a GPO to set client preferences for printers and mapped drivers for Windows 10
users.
2. Test the client preferences by signing in as different users.
 Task 1: Create and deploy a GPO to set client preferences for printers and mapped
drivers for Windows 10 users
1. On LON-DC1, in Server Manager, in Add Roles and Features, install the Print and Document
Services role.
2. Open the Print Management console tree, expand Print Servers, LON-DC1 (local), and then select
Printers.
3. Create two new printers by using the following settings:
o First printer:
 LPT1: (Printer Port)
 Manufacturer: KONICA MINOLTA
 Printer: KONICA MINOLTA PS Color Laser Class Driver
 Printer Name and Share name: KONICA MINOLTA PS Color Laser
o Second printer:
 LPT2: (Printer Port)
 Manufacturer: HP
 Printer: HP Color Laserjet 1600 Class Driver
 Printer Name and Share name: HP Color Laserjet 1600
4. On LON-DC1, open the GPMC.
5. In the GPMC, at the Adatum.com domain level, click Create a GPO in this domain, and Link it
here.
6. Name the new GPO ClientUserPreferences, and then edit the GPO to create two drive mappings, as
follows:
o Expand User Configuration, expand Preferences, click Windows Settings, double-click Drive
Maps, and then create a new mapped drive with the following settings:
 Action: Update
 Location: \\LON-DC1\Labfiles
 Label as: IT Department Labfiles
 Drive letter: L
 Hide/show this drive: Show this drive
o Click the Common tab, and then configure the following settings:
 Options common to all items, Item-level Targeting
 New Item: Security Group
 Enter the object name to select: IT
 New Item: Computer Name
 Enter the object name to select: LON-CL1
o Create another drive mapping by using the same settings, when you created the drive mapping
for IT Department Labfiles, except for the following:
 Label as: Marketing Group Labfiles
 As Targeting, select Security Group. Enter the object name to select: Marketing
 New Item: Computer Name
 Enter the object name to select: LON-CL2
7. Create two printer preferences, as follows:
o Expand User Configuration, expand Preferences, Expand Control Panel Settings, Expand
Printers, create a new shared printer with the following settings:
 Action: Update
 Share path: \\LON-DC1\ KONICA MINOLTA PS Color Laser
 Select the Common tab, with the following settings:
 New Item: User
 Enter the object name to select: ADATUM\Holly (SID match)
o Create a new, shared printer with the following settings:
 Action: Update
 Share path: \\LON-DC1\ HP Color Laserjet 1600
o Select the Set this printer as the default printer check box.
o Click the Common tab, and configure the following settings:
 New Item: User
 Enter the object name to select: ADATUM\Kari (Hensien) (SID match)
 Task 2: Test the client preferences by signing in as different users

1. As an administrator, on LON-CL1, in File Explorer, examine the folders. You should not have the
mapped drive.
Note: If you receive the message Windows couldn´t connect to the System Event
Notification Service service, click OK and retry step 3.
4. In File Explorer, examine the folders. You should have the mapped drive labeled IT Department
Labfiles (L:).
5. In Control Panel, click Hardware and Sound, and then click Devices and Printers. You should have
the KONICA MINOLTA PS Color Laser on lon-dc1 printer, with the KONICA MINOLTA PS Color
Laser as the default printer.
7. Sign out of LON-CL2, if necessary.
9. In File Explorer, examine the folders. You should have the mapped drive labeled as Marketing Group
Labfiles (L:).
10. In Control Panel, click Hardware and Sound, and then click Devices and Printers. You should have
the HP Color Laserjet 1600 on lon-dc1 printer, with the HP Color Laserjet 1600 set as the default
printer.
Results: After completing this exercise, you should have signed in as different users on LON-CL1 and
LON-CL2 and verified the preferences that you configured.

After you complete the lab, revert all virtual machines to their initial state by performing the following
steps:
4. Repeat steps 2 and 3 for 20695C-LON-CL1 and 20695C-LON-CL2.
Question: In the PowerSettings GPO, why did you disable the Show hibernate in the power
options menu setting?
Question: In Exercise 2, why did the administrator restart LON-CL2? What could you have
done to achieve the same outcome without a restart?

A customized power plan deployed with a GPO

does not appear on computers in the GPO’s scope.
KMS has been properly set up but has not activated

any clients.
Review Questions
Question: What does item-level targeting enable you to configure in a Group Policy
preference?
Question: How do you activate a Windows Server 2012 R2 Standard Edition virtual machine
that is running on an activated Windows Server 2012 R2 Datacenter Edition computer?
Question: What is the tool you can use to import and export a customized power plan?
Tools
The following table describes the tools used in this module.
Windows ADK for Customize, assess, and deploy For more information, refer to Windows
Windows 10 Windows operating systems to new 10 ADK download (direct download
computers. This collection of tools link): http://aka.ms/Flsuee
contains VAMT 3.1, which you
cannot download separately.
Microsoft SQL Server Function as the default database Included with the Windows ADK for
2012 Express installed with the Windows ADK. Windows 10
VAMT also needs access to this
database.
You can use a separate SQL Server

database. However, you will have to
manually provide connections to
the database.
Powercfg.exe Let you create, export, import, and Included in Windows operating systems
manage custom power plans. This is
a command-line utility.
12-1
Module 12
Deploying Office 2016
Contents:
Lesson 1: Methods for deploying Microsoft Office 2016 editions 12-2
Lesson 2: Customizing Office deployments 12-13
Lesson 3: Deploy Office 2016 by using Office 365 12-20
Lesson 4: Managing Office settings 12-25
Lesson 5: Introducing Windows Store for Business 12-31
Lesson 6: Distributing apps using the Windows Store for Business 12-35
Lab: Deploying Microsoft Office 2016 by using the Office Customization Tool 12-39
Module Overview
For most computer users, a computer’s usefulness depends on the apps that are installed on it. Computers
in the business world are essential tools that enhance overall productivity and profitability. Microsoft
Office 2016 and previous Office versions provide a suite of productivity tools that are in use across the
globe. Apart from deploying and performing the initial operating system configurations, it is essential to
deploy productivity tools such as Microsoft Office, to provide a complete user-centric solution. In this
module, you will see how to deploy and configure Microsoft Office 2016.
Objectives
• Describe the methods available for deploying Microsoft Office 2016 editions.
• Customize Office 2016 deployments.
• Deploy Office 2016 by using Office 365.
• Manage Office 2016 settings.

12-2 Deploying Office 2016
Lesson 1
Methods for deploying Microsoft Office 2016 editions
You can deploy Office 2016 by using traditional methods such as loading the program directly from a
disk on the computer itself. However, for deployment in larger enterprises, you most likely require a
centralized solution that you can use to distribute software quickly and simultaneously to thousands of
devices. Combining Office 365 with a subscription to the software as a service (SaaS) solution from
Microsoft provides you with additional methods for deploying Office 2016. In this lesson, you will examine
the different Office 2016 deployment methods and the various factors that those approaches involve.
Lesson Objectives
• Describe the system requirements for deploying Office 2016.
• Explain the various Office 2016 deployment methods.

• Explain the purpose and functionality of Office 365 ProPlus.
• Describe the considerations for activating Office 2016.
• Determine a suitable deployment method.
• Compare a 32-bit architecture to a 64-bit architecture.
• Use a standard desktop image.
System requirements for Office 2016

Office 2016 is a suite of programs and services
that are available to you, depending on the
version that you purchase. Office 2016 includes
a wide variety of applications, which include:
• Microsoft Word, which is a word-processing

program.
• Microsoft Outlook, which is a comprehensive

email, calendar, and messaging client.
• Microsoft Excel, a spreadsheet and data-
manipulation software program.
• Microsoft PowerPoint, which is a presentation

client.
• Microsoft OneNote, which is a collaborative note-taking application.
• Microsoft Access, which is a full database tool.

• Microsoft Visio, which is a flow-charting and diagraming tool.
You will have access to some or all of these applications, depending on the Microsoft Office edition that
you purchase or to which you or your enterprise subscribes.
The following editions of Office 2016 retail, volume license, and with Office 365 as a subscription service,
are available:
• Office Home and Student 2016.This subscription service is a retail version that includes the following
core applications only: Word, Excel, PowerPoint, and OneNote.
• Office Professional. This subscription service is a retail version that includes core applications plus
Outlook, Access, and Microsoft Publisher.
• Office Home and Business 2016. This subscription service is a retail version that includes the core
applications plus Outlook.
• Office Professional Plus 2016. This subscription service is available through volume licensing and
includes core applications plus Outlook, Publisher, and Access.
• Office Standard 2016. This subscription service is available through volume licensing and includes
core applications plus Outlook, and Access.
• Office 365 Personal. This subscription service is for a single user license and includes core applications
plus Outlook, Publisher, and Access.
• Office 365 ProPlus. This subscription service includes core applications plus Outlook, Publisher, Access,
and Skype for Business.
• Office 365 Home. This subscription service is for up to five installations and includes core applications
plus Outlook, Publisher, and Access.
• Office 365 University. This subscription service is priced specially for university students only and
includes core applications plus Outlook, Publisher, and Access.
Note: There are similar Office 2016 editions available for Mac operating systems.
Office Online
Office Online, formerly known as Office Web Apps, allows you to use various Office 2016 applications
through a browser window without requiring you to have Office or an Office application installed on the
local computer. Office Online includes Word, PowerPoint, Excel, and Outlook. It also offers access to the
online Calendar, OneDrive, People, and Outlook.com web mail. Individual users can download a free
version of Office Online through OneDrive, and enterprise organizations can get Office Online through an
Office 365 subscription.
The following table lists the system requirements to run a downloaded local version of Office 2016.
1 gigahertz (GHz) or faster x86-bit or x64-bit processor with

Processor
Streaming SIMD Extensions 2 (SSE2) instruction set
Memory (RAM) 2 gigabytes (GB) random access memory (RAM)

4 GB RAM for Mac
Hard disk 3.0 GB available

6.0 GB for Mac
Display Graphics hardware acceleration requires a DirectX10 graphics card

and a 1280x800 or higher resolution monitor
1 gigahertz (GHz) or faster x86-bit or x64-bit processor with

Processor
Streaming SIMD Extensions 2 (SSE2) instruction set
Operating system Office 365

Office 365 also offers Office Online, which does not have operating
system requirements aside from your operating system’s
manufacturer must support Office Online. Additionally, note that
while Office 365 ProPlus is part of the Office 365 family, it does not
run within a browser window; instead, it is considered to be a locally
installed version.
Local versions
Office 2016 can run on 32-bit or 64-bit versions of Windows
operating systems. When you run Office 2016 32-bit on a 64-bit
version, the program runs in the 32-bit layer of the Windows
operating system.
Office 2016 32-bit:
Windows 7 (32-bit or 64-bit)
Windows 8.1 (32-bit or 64-bit)
Windows Server 2008 R2 (64-bit)
Windows Server 2012 (64-bit)
Office 2016 64-bit:
Windows 7 (64-bit)
Windows 8 (64-bit)
Windows 8.1 (64-bit)
Windows 10 (64-bit)
Windows Server 2012 (64-bit)
Note: Microsoft does not support Installing side-by-side 32-bit and
64-bit editions of Office. For example, side-by-side installations of
Office 2016 32-bit with Office 2016 64-bit, or Excel 2016 64-bit and
Visio 2016 32-bit are not supported.
Browser Internet Explorer 8 and newer, Microsoft Edge,; Mozilla Firefox 10.x
and newer; Apple Safari 5.x; or Google Chrome 17.x.
Microsoft .NET Framework .NET Framework 3.5, 4.0, or 4.5

version
Multi-touch A touch-enabled device is required to use any multi-touch

functionality. All features and functionality are available by using a
keyboard, mouse, or other standard or accessible input device. Note
that new touch features are optimized for use with Windows 10.
Additional considerations and Some functionality might vary based on the system configuration.
requirements Some features might require additional or advanced hardware or
server connectivity.
Windows RT includes an already-installed version of Office Home & Student 2016 RT. It includes cloud-
enabled versions of Excel, Word, PowerPoint, and OneNote, which are optimized to run on Windows RT
hardware.
Deployment methods for Microsoft Office 2016

There are two main methods to deploy Office
2016: the traditional method of using the
Windows Installer, and the Click-to-Run
technology that was introduced in Office 365.
The Windows Installer method allows for
centralized deployment. The Windows installer
method is associated with volume license media,
while click to run is associated with single license
Office 2016 retail product keys or Office 365
subscriptions.
Using Windows Installer

You can use Windows installer to deploy Office
2016 with the following methods:
• Use media or a network share that contains the Setup.exe and associated files and libraries, and then
install it manually on a single workstation.
• Automate deployment with Windows Installer by using one of several deployment tools, including:
o Group Policy objects (GPOs)
o Microsoft Deployment Toolkit (MDT) task sequencing

o Application deployment with Microsoft System Center 2012 Configuration Manager
(Configuration Manager)
In most cases, automated deployment requires the use of the Office Customization Tool (OCT) to
create a transform file that will run a silent Office 2016 installation. The transform file can be used to
customize the installation. The OCT is available only with volume-licensed versions of Windows
Installer–based Office 2016, Office 2013, Office 2010, and Office 2007.
Note: The OCT is located in the root Admin folder on the installation media, which you can
copy to a network share. Lesson 2 of this module provides more specifics about using OCT.
• Purchase a Microsoft Intune subscription, and deploy Office 2016 in a similar manner to System
Center 2012 Configuration Manager.
• Create a reference image that contains a licensed version of Office 2016, and deploy that image to
various target systems.
• Deploy a virtualized instance of the Office 2016 application.
• Install Office 2016 on Windows Server 2008 R2 or newer that is running Remote Desktop Services
(RDS), and allow clients to connect to Office 2016 on that RDS server.
Note: Automated deployment and multiuse of Office 2016 requires a volume license rather
than a retail license. Systems purchased with an original equipment manufacturer (OEM)–
installed Office 2016 suite generally use a retail license for the product.
Using Click-to-Run
Click-to-Run uses a streaming and virtualization technology based on Microsoft Application Virtualization
(App-V). When you use the streaming capabilities in the Click-to-Run deployment method, you open and
start to use Office 2016 before it completes installation. When you open Office 2016 and begin using it
before installation completes, the rest of the software downloads in the background. If you attempt to use
a feature that is not downloaded and installed, Click-to-Run will download and install that feature
immediately.
This streaming function is similar to streaming videos from the Internet. You can start watching the first
part of the video even though the entire video has not yet downloaded. Click-to-Run versions of
Microsoft Office 2016 are licensed either as a retail version, which requires one product key for one
installation, or as a subscription to Office 365 ProPlus. There is no volume license for Click-to-Run. You
should use Windows Installer for volume licenses.
What is Office 365 ProPlus?

Office 365 ProPlus is a full version of Office 2016
that installs locally on a device. It has the same
functionality and features as the retail and
volume-license versions. However, the difference
between Office 365 ProPlus and the retail or
volume-license versions of Office 2016 is that you
can download Office 365 ProPlus only when you
have a subscription to Office 365, depending
upon the subscription level. Another benefit of
Office 365 ProPlus is that with a valid subscription,
users can install it on as many as five separate
devices.
Office 365 ProPlus includes Word, PowerPoint, Outlook, Excel, Access, Skype for Business, OneNote, and
Publisher. It typically does not include Microsoft Project and Visio, although you can get these tools
depending on the level of Office 365 subscription that you acquire.
To install Office 365 ProPlus, users must have a license through their Office 365 subscription. To install it
directly from the Office 365 portal, users also must have Internet connectivity. Once Office 365 ProPlus
installs, users do not have to be connected continuously to the Internet to use it. However, users must
communicate back to the Office 365 service at least every 30 days to prevent Office 365 ProPlus from
switching to a limited functionality mode. Before users can install Office 365 ProPlus directly from the
Office 365 portal, they must be local administrators on their device. Otherwise, an administrator must
install Office 365 ProPlus to the user’s device or use another method to centrally deploy it.
As an Office 365 administrator, you also can use other methods to deploy Office 365 ProPlus, rather than
letting users install it directly. Typically, you download the Office 365 ProPlus files, and then use a local
deployment method to install the program to the user’s devices. This method allows you to:
• Decide which individual Office programs are installed.
• Decide the network location from which to install Office 365 ProPlus.
• Choose how to update Office 365 ProPlus after installation.
• Determine on which computers to install Office 365 ProPlus.
• Determine which users, if any, get the 64-bit version of Office 365 ProPlus.
• Choose which languages are available to install.
The deployment methods available from which you can choose are the same as the Office 2016 volume-
license versions, which include a GPO startup-script installation, MDT 2013, Configuration Manager, and
Microsoft Intune.
You also can also prevent users from installing Office 365 ProPlus from the portal entirely by performing
the following procedure:
1. Sign in to Office 365 with your administrator account.
2. Click Office 365 admin center, click Service settings, and then click user software.
3. In the Manage user software through Office 365 section, clear the Office and Skype for Business
check box.
Activation considerations
You need to activate Office 2016 and Office 365
ProPlus, including the volume-license versions.
Without activation, the products revert to a
minimal functionality state after a period of time.
To keep the Office 365 ProPlus programs fully
functional, it is important to make sure that your
subscriptions are up to date on all product
activations.
Options for activating Office 2016

volume licenses
Retail licenses require that when you first run any
of the Office 2016 programs on any computer,
you must enter a product key in the Activate Office Wizard . For volume-license versions, you can use a
variety of activation methods. These methods include Active Directory–based activation, Key Management
Services (KMS) server activation, and multiple activation key (MAK) activation. Whether you use KMS or
MAK depends on what kind of volume licenses your organization purchased. Note that KMS server
activation requires a minimum of five clients requesting activation for Office 2016 before it begins
granting activation to any of them.
The Active Directory activation method does not require the same minimum requirement as the KMS
activation option.
To use Active Directory activation for Office 2016, you need to download
Office2016VolumeLicensePack_4285-1000_en_us_x86.exe from the Microsoft Office 2016 Volume License
Pack website.
Note: Note that other architectures and languages are available to download on the
Microsoft Office 2016 Volume License Pack website as well.
When you run the downloaded file, it starts the Volume Activation Tools Wizard. On the wizard, you have
the option to click the Active Directory based Activation radio button, and on the next page, type in
the KMS key. The computer on which you do this initially must have Internet access so that it can connect
to Microsoft to validate the KMS key. However, there is a phone-validation option if Internet access is not
available.
Office 365 ProPlus licensing and activation

Licensing and activation for Office 365 ProPlus is different from volume licensing. Before users install
ProPlus, they must be licensed for the appropriate Office 365 plan in the Office 365 portal. After a user
downloads and installs Office 365 ProPlus on a device, Office 365 ProPlus communicates with both the
Office Licensing Service and the Activation and Validation Service to obtain and activate a product key for
it. Then, once a day (or whenever the user connects to the Internet), the computer contacts the Activation
and Validation Service to ensure its license still is valid.
The computer needs to do this at least once every 30 days. If more than 30 days go by without this check,
Office 365 ProPlus goes into reduced functionality mode until it can contact the Activation and Validation
Service. If an administrator deploys Office 365 ProPlus, rather than a user downloading and installing it,
the same activation check occurs after the installation is complete, and the same 30-day requirement is in
effect.
Determining a deployment method

Different organizations might have different
conditions that warrant the use of one
deployment method over another. For example, a
smaller organization with a few dozen users might
find it easier to simply store the Office 2016
installation files on a network share, and then let
users connect to and run the installation
themselves. However, organizations with
thousands of users and computers might use
Configuration Manager to automate the Office
2016 installation process, and might use elaborate
decision trees to decide how, when, and where
the deployment should occur. Other organizations might determine that users should have their own
Office 365 subscriptions, as they likely have multiple devices and can take advantages of licensing as many
as five of their devices.
Deployment considerations
You should weigh carefully the consequences of the various deployment methods and determine the
strategy that best suits your organization. Some common questions to consider when determining which
deployment method to use include:
• Are users the local administrators on their computers? To install Office 2016 by using Click-to-Run or
Setup.exe, users need local administrator permissions on their computers. If they do, you can use
Group Policy computer startup scripts or a software-distribution product to install Office 2016.
• What is the total number of users to which you are deploying Office 2016? If you have to deploy
Office 2016 to several hundred or more users, you might want to use a software distribution product
such as Configuration Manager to help automate deployment. While Configuration Manager requires
a license, your organization can recoup the purchase cost quickly due to cost savings in reduced
administrator labor.
• Do the client devices support the system requirements for Office? If not, you can use RDS features to
provide users with Office 2016, or in some cases the Office Online portion of Office 365. Office Online
users can access Word, PowerPoint, Excel, and Outlook through a web browser without having to
install an Office 2016 application on the local computer.
• Where are users located? Geographically separated users can install Office from a location that is
near to them. For example, branch-office users can use a local network installation point with the
Office 2016 installation programs for installing directly, or you can use a software distribution
program to use the branch’s local network installation point and utilize that location’s source files.
• Are there other programs installed on the client devices? You can install only one version of Office on
any one device. For example, you cannot have Office 2010 and Office 2016 running on the same
computer. However, there might be instances where this type of configuration is necessary, such as
when you have developed a local application that requires an older version of Office. In this situation,
you could use virtualization technologies, such as RDS or App-V.
Office deployment considerations

Consider the following factors when using the following deployment methods for Office 2016:
• Local installation source. The local installation deployment method uses installation files that are on
removable media such as a DVD USB, or that a user copies to a local hard drive, and then runs from
that location. The user performing this installation must have administrator permissions on the
computer.
• Network installation point. This deployment method allows a user to make a connection to the
network installation, and run Setup.exe from that location. However, this requires that the user have
local administrator privileges. If that is not possible, then the user should use another method such as
a GPO or software distribution product to run the setup files from the same network installation
point.
• GPO computer startup script. This deployment method typically requires a volume-licensed version of
Office 2016 or an Office 365 subscription. In this scenario, you use a script that runs when the
computer starts, and it uses the setup files found in the network installation point.
Note: You cannot use a GPO software installation to run Office 2016, which requires an
.msi, .mst, or .zap file.
• Software distribution product. This deployment method is similar to using a GPO startup script, and
requires a volume license or an Office 365 subscription. You can perform advanced and complex
deployments by using a software distribution product such as Configuration Manager 2012 R2 or
Microsoft Intune. You then can configure numerous decision trees on how, when, and under what
conditions you want to allow installation of Office 2016. For example, you might need to make
certain version of Office 2016 available to different users, depending on their job function, or to
different devices, depending on their location.
• Virtualization technology. This deployment method allows you to use RDS or App-V to make
Office 2016 available to users. If you use RDS, the Office 2016 installation does not occur on the client
device, but instead runs on the Windows Server that is running the RDS role. Users then will use a
local installation on that server to run Office 2016, while still using their local printers, disk storage,
display, and other peripherals, even if their connection is via a wide area network (WAN) link. You can
deploy Remote Desktop Gateways (RD Gateways) and other role services of RDS to allow for a more
stable network configuration. The benefit of using RDS is that you only need to ensure that the
Windows Server that is running RDS meets the system requirements for Office 2016. You do not need
to worry about the users’ devices. In cases where the organization cannot afford to upgrade every
device, or cannot provide a local installation for that device, the RDS solution can provide significant
cost savings.
Note: Deploying Office 2016 on a RDS server requires a volume-license version of Office
2016. You cannot use Office 2016 ProPlus from Office 365 or a retail version of Office 2016
because the license is always associated with a specific user.
If you are using Virtual Desktop Infrastructure (VDI), you can use Office 365 ProPlus providing the virtual
desktop is assigned to a single user. Another solution is to provide Office 2016 as an application that you
virtualize by using App-V. This requires App-V 5.0 with service pack 2 (SP2). (Earlier versions of App-V
cannot support Office 2016.) In this scenario, you would create an application package by using the Office
Deployment Tool, and then deploy it either through Configuration Manager or the App-V server, or by
using Windows PowerShell. The Managing Office Settings lesson of this module provides more details
about App-V deployment of Office 2016.
Standard desktop image. This deployment method allows you to create a deployable image with Office
2016 installed already, and then use a deployment tool such as MDT 2013 or Configuration Manager
2012 R2 to deploy the image to other devices. An advantage to this method is that you ensure that the
configuration of all devices is identical. You use a volume license in this configuration to ensure activation
of all Office 2016 instances. You also can use Office 365 ProPlus, if a subscribed user signs in to the device.
32-bit vs. 64-bit architecture

While there is a 64-bit version of Office 2016, we
recommend that in most instances you deploy the
32-bit version. This is because most non-Microsoft
Office add-ons use 32-bit architecture, and if you
use the Office 2016 64-bit version with these add-
ons, they most likely will fail. Compatibility with
other apps also might be an issue. Therefore, you
must plan carefully when you are deploying a 64-
bit version of Office 2016. You need to know the
architecture of each add-on and app that uses
Office 2016 before deploying the 64-bit version to
ensure that these compatibility issues do not arise.
Other factors that affect the installation of the Office 2016 64-bit version include:
• The 64-bit version runs only on a 64-bit operating system.
• You cannot run both the 32-bit and 64-bit versions of an earlier Office version on the same computer.
• If you are upgrading from an earlier Office version, such as Office 2013, it must match the
architecture of the version that you are upgrading. Therefore, you cannot upgrade 32-bit Office 2013
to 64-bit Office 2016. You could replace the 32-bit version with the 64-bit version, but that would
require you to uninstall Office 2013 first.
• Some programs block the installation of the 64-bit version of Office 2016.
However, there are benefits of using the 64-bit version. For example:
• The 64-bit version handles much larger data sets in Excel, Access and Project. If you have users
working with large data sets, you should consider using the 64-bit Office 2016.
• The 32-bit version has a file size limit of 2 GB, while the 64-bit version does not have a file-size limit,
except for the physical memory and resource limits on the system on which it runs. You should weigh
this benefit carefully with the possibility that other apps and add-ons might not work for users. If this
is not an issue, consider using the 64-bit version.
Using a standard desktop image

You can use a reference computer with an
instance of Office 2016 installed on it, and then
image the computer with an imaging tool, such as
MDT 2013 or Configuration Manager 2012 R2.
You also can use Office 2016 ProPlus, but first you
must use the Office Deployment Tool for Click-to-
Run. The Office Deployment Tool is a free
download from the Microsoft Download Center,
and you use it to download the Office 2016
ProPlus software from your Office 365 portal.
Activation issues
When you create an image with Office 2016, you
must use a volume-license version. If you do not do this, you could have activation issues after the image
deploys. This is because you cannot activate non-volume license versions more than once. Therefore, if
you use the KMS activation option, you must start at least five deployed devices with Office 2016 before
activation of these devices occurs. After you reach the threshold of five devices, all subsequently deployed
devices activate immediately. If you use AD DS to activate, you do not need to have five deployed devices
already running. However, Office 2016 must be installed on domain-joined computers.
If you use the MAK activation option, the MAK product key is incremented by one for each deployed
device with Office 2016 until the total number of count of installations for the MAK reaches your licensing
limit. You can add a MAK key by using the OCT or the PIDKEY element in the Config.xml file. (The next
lesson in this module details the customization of the Config.xml file.) When you use the MAK activation
option, you must be aware of the total number of activations assigned to the MAK key that you have
purchased, and that you have consumed. You can use the Volume Activation Management Tool (VAMT)
to determine these numbers.
When you deploy an image with Office 365 ProPlus, it is important that you do not start Office 365
ProPlus on the reference computer. Starting any of the Office ProPlus programs (such as Word 2016) will
cause the program to attempt an automatic online activation. This activation accrues against the
subscription of the user who started the program, which in the case of a reference image could be your
administrator account. Because the Office 365 subscription allows each subscribed user to install Office
ProPlus on as many as five devices, your administrator account will quickly reach its maximum. Even if
another user subsequently signs in to a deployed target computer, Office 365 ProPlus will not attempt to
activate for that user. Instead, you will need to delete Office ProPlus, and then reinstall it for that user.
However, you can avoid this by not starting any of the Office 365 ProPlus programs on the reference
computer. After you deploy the reference image to the target computer, when the designated user opens
any of the Office 365 ProPlus programs, it will activate properly against that user’s subscription.
Note: The System Preparation Tool (Sysprep) does not remove the Office 365 ProPlus
activation.
Using an image
You can customize the reference computer’s Office 2016 installation by using the OCT to create a Setup
customization file in the form of a Windows Installer patch file with an .msp extension, which is applied
when setup is run. When you make an image of a reference computer that has Office 2016 installed
already, you can deploy the standard desktop image multiple times with Office 2016 on it. However, when
each Office instance is first used, it goes through the initial activation and setup wizards. You can use the
OCT to customize additional deployment settings for Office 2016 so that it will be ready for the user when
the entire deployment finishes.
You can use the evaluation version of Office 2016 temporarily on an image before a user deploys the
image for use. You then can rearm that evaluation version so that you can capture the reference
computer image and change the product key to a volume license version once you deploy that image to
a target computer. To rearm the evaluation version, go to the Program Files or Program Files (x86)
directory, depending whether you installed the 64-bit or 32-bit version of Office 2016. The Microsoft
Office\Office 15 subfolder contains an executable file named OSPPREARM.EXE. Right-click
OSPPREARM.EXE, and then click Run as Administrator, or run the executable in a command prompt
window that you launch as an Administrator.
This process allows Office 2016 to run for a 30-day grace period in which reduced functionality mode is
not applied. You can rearm up to five times unless you activate Office by using a KMS host. If you exhaust
all of your rearm options, you can rearm one final time by using a KMS host to activate Office. Note that
this procedure is not for a deployed target computer, but rather for the reference image only.
You can use a number of software deployment products depending on your organization’s needs. You
could use:
• The Windows Assessment and Deployment Kit (Windows ADK) and the older imagex.exe command-
line program to create and deploy images. However, the process is labor-intensive, and you cannot
centralize it easily.
• The Deployment Image Servicing and Management tool (DISM) has extended much of the
imagex.exe functionality within it, and it is the primary tool that you can use to create and deploy
images manually in Windows 8 and newer Windows operating systems. However, like imagex.exe, it is
difficult to centralize.
Note: You cannot use either of these tools to create task sequences to customize a
deployment. Essentially, the image that you made or captured previously deploys to another
individual system.
• MDT 2016 and the Configuration Manager offers efficient methods of capturing and deploying
images, and you can use either based on your organization’s needs and abilities. Both methods allow
for deployment of the customized .msp files that you created with the OCT as part of their respective
task sequences.
Statement Answer
You cannot upgrade a 32-bit version of Office to a 64-

bit version.
Question: How often does a computer with Office 365 ProPlus installed have to
communicate with the Activation and Validation Service?
Lesson 2
Customizing Office deployments
One of the main benefits of using a software deployment product is that it allows you to centralize the
process and reuse components. Therefore, once you configure the deployment, you can reassemble and
deploy the product as necessary. While you can interactively install Office 2016 on a local computer, you
also can deploy Office 2016 by using a software deployment product. You can do this by creating an
unintended installation of Office 2016 by using the Office Customization Tool.
Lesson Objectives
• Explain how to use the OCT.
• Explain how to use the Config.xml file.
• Describe how to add additional language support.

• Use the OCT and Config.xml file.
Using the OCT

There are several methods available for deploying
Office 2016. In the case of deploying volume-
license versions of Office 2016, you can create
customized deployment packages. The setup
program controls the Office 2016 installation. You
can customize the setup program to specify how
the installation runs beyond the normal defaults
and the interactions that the program has with a
user. For example, you can run the installation
without user interaction, add the correct product
key, and provide answers to the Microsoft
Software License Terms on behalf of users. You
then can specify an organization name or a different installation location.
The OCT customizes Office 2016 deployments and you can use it as your primary tool for unified setup,
customization, and maintenance of Office 2016. The OCT saves your customizations into a Windows
Installer patch file, which is applied at setup or during maintenance mode operations.
The OCT is available only in the Office volume-license versions, and not in the retail versions. To verify
whether have a volume-license version of Office 2016, check the installation disk to see if it contains a
folder named Admin. If it does, the disk is a volume-license edition. If it does not, then it is the retail
version. There are both 32-bit and 64-bit versions of the OCT.
To start the OCT, run setup.exe /admin from either the x86 (32-bit) or x64 (64-bit) folder, depending
upon the edition that you wish to customize. Most installations will use the x86 (32-bit) folder to run the
OCT in 32-bit.
When you open the OCT console, a console tree displays with five major nodes: Welcome, Setup,
Features, Additional Content, and Outlook. Except for the Welcome node, each node has a number of
subnodes that relate to specific customizations that you can make.
You can use the following main nodes in the OCT to customize an installation of Office 2016 and to
perform the following tasks:
• Welcome. The Welcome node does not have any configurable options or settings, and instead
contains basic information about using the OCT tool.
• Setup. You can use this node to specify installation options. The available subnodes include:
o Install location and organization name. From this subnode, you can configure the default
folder in which Office 2016 installs, and provide the organizational name.
o Additional network sources. Use this subnode to identify different network installation points
that you can use if the original installation point is not available.
o Licensing and user interface. From here, you can select the type of volume-license product key
that you want to use: KMS, or MAK. If you select the MAK option, you can specify the 25-
character key, which is encrypted in the output file. You also can select the I accept the terms of
the License Agreement option, and then then set the Display level, which sets whether the user
will see any interactive prompts or dialog boxes. Selecting None means that the entire install is
silent, and the user does not see anything. You also can enable the Completion notice option,
prevent canceling of the installation, and enable Suppress modal, which you typically use in
conjunction with the None display method.
o Remove previous installations. The default setting for this is to remove all previous Office
versions. However, you also have the option of removing selected programs from the Office suite,
such as Word or PowerPoint.
o Add installations and run programs. Use these command-line executables and possible
arguments only when Office first installs. Ensure that any commands that run do not require a
restart that interrupts the Office installation at that point.
o Office security settings. These settings apply only to the initial installation of an Office
deployment. Subsequently, users can change most settings. We recommend using GPOs to
control most of the security that you can set here.
o Modify setup properties: From this subnode you can add setup properties to the initial Office
installation. Most of the setup properties were replaced from previous Office versions to the
various settings that you now can find directly in the OCT. Therefore, in most cases, you will not
add any setup properties.
• Features. You can use this node to customize installation of Office applications and features. The
available subnodes include:
o Modify user settings. This subnode has a separate pane of expandable objects representing the
various Office suite programs. You can change the default user settings for each program. In
addition, for some applications, you can change the computers settings, as well. These settings
apply to the initial Office installation, and, except for computer settings, the user can change
these at a later date.
Note: For changing and enforcing the user settings permanently, you can use a GPO.
To configure an application, expand the application’s folder and subfolders in the user settings
navigation pane until the setting that you want to configure appears in the details pane, and
then choose and double-click the setting. The actions available are Not Configured (the
default) Enabled, and Disabled. These actions apply in the same way in which a GPO setting
applies. However, unlike the GPO setting, they are not enforced.
o Set feature installation states. From this subnode you can configure whether a given Office
suite program and any subcomponent of that program are installed. The states available are:
 Run from My Computer
 Run all from My Computer
 Installed on First Use
 Not Available
o The feature options are:
 Hidden
 Locked
 Reset
Note: Hidden means that the user will not see the option, and refers to the features state in
the installation user interface (UI) only—not its actual installation state. In a silent installation, all
options are hidden by default.
• Additional content. Use this node to add or remove files, registry entries, or shortcuts when Office is
installed. The available subnodes include:
o Add files. From this subnode, you can specify the files to add to the target computer. These files
then are copied into the setup customization file when you save it and exit the OCT. Large files
can increase the size of the customization file, and subsequently increase the time that is required
to create them. If you want to revise a file that is included in the saved customization file already,
you must open the customization file in the OCT, remove the file from the Add files list, add the
revised version, and then resave the customization file. Users that remove, repair, or reinstall
Office have the custom files removed or reinstalled with Office. Setup does not reinstall a custom
file if the file has changed.
o Remove files. In this subnode you can create a list of files to remove from the target computer
during the Office installation.
o Add registry entries: Use this subnode to create a list of registry entries to add to target
computers. Do not use this subnode to add GPO-based registry keys, as GPO settings will prevail
in any case. Instead, use a GPO for such settings.
o Remove registry entries. From this subnode you can create a list of registry entries to remove
from target computers. Users that remove, repair, or reinstall Office have the custom registry
entries removed.
o Configure shortcuts. This subnode allows you to add shortcuts to files that are present already
on a target computer. However, there is a known issue with shortcuts that causes the following
error message: “Invalid start in folder. Please try again.” You can prevent this by typing a single
open bracket ([) in the Start in field.
• Outlook. Use this node to set the default profile, add email accounts, and specify Exchange settings.
The available subnodes include:
o Outlook profile. The default for this setting is to prompt users to create an Outlook profile the
first time that they run Outlook. Otherwise, you can choose to customize the profile. You can
modify the default profile, or modify a profile selected by name. You can create a new profile,
but you must supply a name for it here. Finally, you can create a profile by using an Outlook
profile file (.prf).
o Add accounts. You can add accounts only when you modify the default profile directly above. If
you accept the default Outlook profile, there is nothing to select in this node. If you have
included a new or different profile, you then must add the account name of the user profile here,
and specify a default delivery location to a .pst file for new email messages.
o Export settings. You can export settings only when you modify the default profile location,
similar to the Add accounts option. If you change the default profile, this setting allows you to
export the Outlook profile settings that you have defined in a .prf file.
o Specify Send/Receive groups. You cannot configure settings here if you do not change the
default profile location.
After you create the .msp file, but before you use it for a customized Office 2016 deployment, copy it to
the \updates directory in the deployment share’s root. This causes Setup.exe to read the .msp file and the
Config.xml file when setup launches.
Using the Config.xml file

You use the Config.xml file to configure
installation tasks, and then edit the Config.xml file
to customize the installation. The setup program
reads the settings in the Config.xml file, and
applies them as required.
Note: Config.xml is not installed or cached

on target computers.
You can configure some of the settings that you

configure in the OCT by using the Config.xml file.
However, using the OCT to customize the installation of Office 2016 is a better option for these
overlapping settings. The Config.xml settings will take precedence over the OCT if you configure them to
apply to the same items.
You use the Config.xml file to perform the following installation tasks:
• Specify the network installation point.
• Select the core product to install.
• Customize Setup options, such as logging and the location of the .msp file and software updates.
• Set installation options, such as user and company name.

• Copy the Local Install Source to the user's computer without installing Office.
• Add or remove language packs from the installation.
You also can use the Config.xml file for maintenance operations, such as adding or removing features,
repairs, and removing installations. To do this, you must run Setup.exe again from the original source.
When setup first runs, it looks for a copy of Config.xml in the same folder in which Setup.exe resides. If it
does not find it, Setup uses the Config.xml files found in the core product folders that came from the
installation media. Each product folder has a default Config.xml file for that product, such as Word 2016.
XML
XML is a markup language that users can read and that provides machine programming with a
representation of arbitrary data structures, such as those found in web services. It uses a structure of angle
brackets that contain an element that begins with < and end with />. These delimiters enclose words
representing a particular element with possible attributes, an equal sign, and the actual value, often in
quotes. For example, to set the name of the company you could use the following:
<COMPANYNAME Value="Contoso" />
In this example, COMPANYNAME is the element, and the attribute value is Contoso. Some elements will
have an attribute named for the particular setting rather than the word Value. The Config.xml file adheres
to this format. The top-level element is the Configuration element, which is required. All other elements
must appear in this element.
Note: For more information about the Reference for Click-to-Run configuration.xml file
refer to: http://aka.ms/Hqgf9n.
Adding additional language support

To specify the additional language packs that you
want to install, you must use the Config.xml file.
You use the AddLanguage element to add a
particular language pack during Office 2016
Setup. You can use the RemoveLanguage
element to remove a language pack, if it exists in
an Office installation on an existing computer.
Before you can use Config.xml to deploy language

packs you must copy the language packs that you
need from the installation or source media to the
network installation point. You then must copy all
of the language pack files and folders from the
source media to the same network location. Do this for each language pack that you wish to deploy.
When you are prompted to overwrite duplicate files, choose No, so that the last language pack does not
overwrite the previous language pack, but retains all files in the same folder.
When you use the OCT to customize settings, you do not have to configure any settings for a particular
language, because all settings configured in the OCT are language neutral. Office Setup installs only the
language-specific elements that you need for the products that you are installing. It does not install the
complete language pack; instead, you must install the complete language pack for every product in Office
2016 separately. However, this works only if there is an existing installation of an Office 2016 product on
the computer. For example, to add the Russian language pack, you would run the language pack setup
from the root of the network installation point for the Office 2016 Multi-Language Pack or Office 2016
Language Pack, and then specify the path of the Config.xml file on the command line by typing the
following:
\\server\share\Office15\LP\Setup.exe /Config \\server\share\Office15\LP\RU

\OMUI.ru-ru\Config.xml
In this example, if the English language pack is installed already, users also can use the Russian language.
You can view a list of languages that are installed for Office 2016, either during the initial installation or
during a separate installation of a language pack, by reviewing the registry in the following locations:
• HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\LanguageResources\HelpLanguage
• HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\LanguageResources\UILanguage
If you are not adding the entire language pack, you still can install the language pack during the setup
process by adding the <AddLanguage> element to the Config.xml file. Instead of editing the Config.xml
file, copy it, and then save it with a different name. You then can reference the edited copy on the
command line using the /config parameter, and then set the value of the Id attribute to the language tag
that corresponds to the language that you want to install. For example, the Russian language tag value
would be ru-ru. You can specify more than one language by including additional <AddLanguage>
elements and attributes. You specify which language to use for the Shell UI by setting the
<ShellTransform> attribute of the <AddLanguage> element. For example, the following element
would add Russian and French:
<AddLanguage Id="ru-ru" ShellTransform="yes"/> <AddLanguage Id="fr-fr" />
If you want every user to have Office 2016 in Russian and French, you would insert the following
elements:
<AddLanguage Id="match" ShellTransform="yes"/>

<AddLanguage Id="ru-ru" />
<AddLanguage Id="fr-fr" />
Demonstration: Using the OCT and the Config.xml file

In this demonstration, you will see how to customize an Office 2016 installation by using the OCT and the
Config.xml file.
Demonstration Steps
Run the OCT
1. On LON-DC1, open a Command Prompt window as administrator, and then navigate to the
E:\Labfiles\Office_Professional_2016 Source directory.
2. In the Command Prompt window, type setup.exe /admin.
3. In the OCT, create a new setup customization file for Microsoft Office Professional Plus 2016 (64-bit).
4. Click the Install location and organization name node, and then provide Adatum as the
Organization name.
5. Click the Licensing and user interface subnode, and then ensure that the Use KMS client key
option is selected. Select both the I accept the terms of the license agreement, Display level:
None, and the Suppress modal check boxes.
6. Save the file as E:\Labfiles\Office_Professional_2016\Updates\AdatumOffice.msp.
7. Open Microsoft File Explorer, and then verify that AdatumOffice.msp displays in
E:\Labfiles\Office_Professional_2016\Updates\.
Customize the Config.xml installation file

1. In File Explorer, navigate to E:\Labfiles\Office_Professional_2016\proplusr.ww, and then edit the
Config.xml file.
Note: Except for the first and last elements, all other elements are commented out with the
<! – > tag.
2. Edit the first three commented-out elements to remove the commented-out tags. The code should
appear as follows:
<Logging Type="standard" Path="%temp%" Template="Microsoft Office Professional Plus

Setup(*).txt" />
<USERNAME Value="Student" />
<COMPANYNAME Value="A. Datum" />
3. In the File drop-down list box, click Save, and then click Exit.
Statement Answer
The OCT is available to for both retail and volume-

license versions of Office.
Question: If conflicting settings are configured in both the Config.xml and the OCT, which
will have precedence?
Lesson 3
Deploy Office 2016 by using Office 365
More often, businesses today are utilizing subscription-based software as a service (SaaS). SaaS provides
the infrastructure to support a service, thereby eliminating that responsibility from the organization.
Office 365 is a SaaS offering that allows users to install Office 365 ProPlus on as many as five separate
devices, with only one user subscription. In this lesson, you will see how Office 365 ProPlus uses the Click-
to-Run installation, and learn about the methods for managing those installations. You also will examine
coexistence issues with respect to Office 365 ProPlus.
Lesson Objectives
• Describe how to customize an Office 365 deployment.
• Describe how to stream the installation payload.

• Explain how to use the Click-To-Run installer.
• Describe how to automate updates.
• Describe coexistence issues between Office 2016 and Office 365.
Office 365 deployment customizations

One of the key differences between Office 2016
volume-license products and Office 365 ProPlus is
that ProPlus uses a subscription service to activate
Office rather than a key. Subscription-usage
consumption is computed against individual users,
back to the Office 365 service rather than a
particular product key. Additionally, Office 365
ProPlus uses Click-to-Run to install, but you also
can customize this to provide settings that are
available when a user first runs Office 365 ProPlus.
You can manage an Office 365 ProPlus

deployment centrally by using the ODT to
customize Click-to-Run installations and allowing users to install Click-to-Run for Office 365 products
from an on-premises location. You can download the ODT for Click-to-Run from the Microsoft Download
Center site. The download includes a sample Configuration.xml file. To customize an installation,
administrators extract the ODT, which creates a customized Configuration.xml file.
The Configuration.xml file specifies the installation instructions for Click-to-Run, including:
• Installing the product, and what languages to use.
• Determining any products and languages to remove.
• Providing an installation source-path location for the Click-to-Run files.
• Specifying the UI level to display.
• Providing any logging options.
• Updating behavior for the product.

You also can use GPOs to enforce user and computer settings for Click-to-Run in Office 365 ProPlus
installations. When you use GPOs, the installation instructions are applied whenever someone uses
Click-to-Run.
The default installation option for Office 365 ProPlus is for subscribed users to install the program on their
devices by using Click-to-Run from the Office 365 website. To deploy a customized Office 365 ProPlus
installation, such as providing an on-premises copy of the Office 365 ProPlus installation files, you use the
ODT. After you download the ODT, you can run the setup.exe program from the command line with the
following parameters:
• /download: Enables you to generate a Click-to-Run for a local Office 365 installation source.
• /configure: Configures Click-to-Run for Office 365 clients.
• /packager: Creates an App-V package.
Each of these parameters modifies the Configuration.xml file, which you then use during the Office 365
ProPlus deployment. For example, you can use the setup.exe /configure parameter to create a
Configuration.xml file that installs Office 365 ProPlus from an on-premises source on a share named
OfficeC2R on LON-SVR1, and then to accept and not display the license agreement, as shown in the
following configuration file example:
<Configuration>
<Add SourcePath="\\LON-SVR1\OfficeC2R" OfficeClientEdition="32">
<Product ID="O365ProPlusRetail" >
<Language ID="en-us" />
</Product>
</Add>
<Display Level="None" AcceptEULA="TRUE" />
</Configuration>
Note: You can download the Office 2016 Deployment Tool for Click-to-Run from the
Microsoft Download Center at: http://aka.ms/Xbrsbe.
Streaming the installation payload

Click-to-Run uses a streaming and virtualization
technology based on application virtualization.
This allows you to open and use Office 365
ProPlus before it completes installation. When you
open Office 365 ProPlus and begin using it, the
portion that has downloaded is run, while the rest
of Office 365 ProPlus downloads in the
background. If you try to use a feature that has
not yet finished downloading and installing, Click-
to-Run stops what it is currently downloading, and
immediately downloads and installs that feature.
Therefore, the time interval between starting to
install Office 365 ProPlus and its first use can be as little as one minute. After the full installation is
complete, all of the Office 365 ProPlus products run directly on the device.
When you start the installation, the streaming starts immediately. The IntegratedOffice.exe process moves
to System Context when 10 percent of content is streamed, and Office programs could be launched at
around 15 percent. This usually is within two minutes of starting the installation. The streaming data is
cached as it comes in, and Office caching focuses on any user-launched programs and features. Finally,
when about 90 percent of the data has been streamed, Office installs add-ins, licensing, and other
features.
Using the Click-To-Run installer

Using Click-to-Run offers several advantages,
including:
• Side-by-side support to run the new

Office 365 ProPlus with previous Office
versions
• Discretely providing software updates without

interrupting users
• Customizable with Office add-ins, dependent

applications, and Office apps
• Faster installation and first-run experiences, in
comparison to traditional Office installations
• Flexible deployment and installation options
Although Office 365 ProPlus uses application virtualization, other system objects can interact with it, and
you will not have to sequence add-ins into Office. Previous Office versions required this. Office 365
ProPlus uses application virtualization, which means that you can run it alongside other Office versions,
such as Office 2010. This can be helpful when you have an older, customized utility that is based on an
earlier version, yet you still need to run Office 365 ProPlus.
When users attempt to perform Click-to-Run installations themselves, if they have a standard user account
then they cannot install and configure the software by default. Rather than making all of your users local
administrators, you can create a deployment package to install Office 365 ProPlus for those users.
When you want Office 365 ProPlus to install directly from an on-premises location, Click-to-Run
integrates with existing IT service-management tools and processes. This enables you to manage
deployments by using products such as Configuration Manager 2012 or MDT 2013. The ODT builds the
Configuration.xml file with the SourcePath removed, and no Office build or folder is present where the
setup.exe file is located. Your deployment product then calls the Office 365 streaming service, and installs
ProPlus according to the version number, architecture, language, and other parameters that you have
assigned in the Configuration.xml file that you built with the ODT.
Automating updates
Updates in Office 365 ProPlus occur by default
and are received from Office 365 when available.
The update service is a scheduled task that runs
daily. You also can configure updates to look on-
premises at a defined network location, such as
with a Universal Naming Convention (UNC) or
HTTP. You can provide the source files for update,
and then the update service will check for newer
versions and copy them to that location. If pulling
files from the Internet to the client will not work
for your organization due to bandwidth
requirements, you can install them from the
distribution share.
Office 365 manages updates differently from Office 2016, because of its ability to stream. Every month,
Microsoft provides a new build of Office 365 ProPlus at the Office 365 website. When a device that runs
Office 365 ProPlus detects that a new build is available, the difference—or delta—between the new and
the existing build streams in the background. Office 365 then installs the deltas when Office processes are
not running. Therefore, with the default Office 365 ProPlus configuration, the office installation is always
up-to-date. These monthly builds might encompass security updates, other updates, and functionality
improvements. All updates are cumulative, so each build contains all the other previous builds.
Administrators can customize an organization’s update configuration by controlling whether the Windows
operating system searches for and applies updates automatically, and from which source it retrieves the
automatic updates. These updates run under the system context, so users do not need local administrative
rights on their devices to run the updates. Office 365 ProPlus updates are different, from Windows
updates and Windows Update does not provide them. If you need to use a centralized administration
update product (such as Windows Server Update Services (WSUS) or Configuration Manager) to deploy
updates, you can do so for Office 356 ProPlus by configuring the update source through the ODT, which
builds the .xml file. In this case, Office 365 devices will receive the update builds from your WSUS or
Configuration Manager system.
The following table describes the update functionality method and the .xml file code that is necessary to
use the functionality.
Update method .xml element
Automatically from Office 365 <Updates Enabled="TRUE" />

Or
<Updates Enabled="TRUE" UpdatePath="" />
Automatically from an on-premises location <Updates Enabled="TRUE" UpdatePath="

\\LON-SVR1\Tested\OfficeProPlus\" />
Rerunning Setup.exe <Updates Enabled="FALSE" />
Note: Update functionality is disabled during setup, and the client does not check for
updates until installation completes.
Coexistence issues
Office 2016 and Office 365 ProPlus are similar in
many ways. They both have the same system
requirements, and Microsoft still recommends the
32-bit version for most users. The functionality of
the various programs that make up the Office
suite are the same as well.
The biggest difference between Office 2016 and

Office 365 ProPlus is in how you deploy, license,
and activate them. The Windows Installer–based
volume-license versions have not changed. If you
use Click-to-Run to deploy Office 365 ProPlus,
activation occurs by subscription. Users need an
Internet connection initially when they first activate and use Office 365 ProPlus, and then again at least
every 30 days, so that Office 365 ProPlus can remain activated.
For organizations that are deploying both Office 2016 and Office 365 ProPlus, you should ensure users
who are using the Office 365 ProPlus version have the required subscription, which means that they need
an account in Office 365. You can integrate Office 365 with AD DS to provide users with a single sign-on
(SSO) experience, but this functionality is beyond this lesson’s scope. Additionally, as mentioned before,
when a device does not connect at least every 30 days to check activation, the ProPlus version will switch
to a reduced functionality mode. In this mode, when users open a ProPlus product such as Word, a pop-
up window will display informing them that the product has been deactivated and they are required
either to provide a key, or sign in to Office 365.
You can install Office 365 ProPlus on computers that already have Office 2016 installed, providing the
Office 2016 architecture is not 64-bit. You cannot install Office 365 ProPlus on devices that already have
64-bit Office 2016 installed, and if you try you will get an error message if you try to use the Click-to-Run
installer. If you install both an Office 2016 volume license version and Office 365 ProPlus on the same
Windows 10 computer, only one version of the two will be active.
Statement Answer
Office 365 ProPlus requires that you enter a product

key before it can be downloaded and installed.
Question: How are updates applied to Office 365 ProPlus?

Lesson 4
Managing Office settings
Managing Office 2016 includes more than just installation and deployment. In this lesson, you will
learn about post-deployment tasks and management functions. This includes using new Group Policy
administrative templates for Office 2016, and adding and removing Office 2016 products after the initial
installation.
Lesson Objectives
• Explain how to use Office 365 to manage settings.
• Explain how to use GPOs with AD DS to manage Office 2016.
• Describe how to add and remove Office 2016 components.
Using Office 365 to manage settings

When you deploy Office 365 ProPlus to local
devices, you need to assign every user who
receives Office 365 ProPlus as an Office 365 user.
Monthly charges for various Office 365 plans are
based on the total number of users and the type
of plan. For example, a full plan, such as Office
365 Enterprise E4, costs more per month per user
than less expensive plans that support fewer
features, such as Office 365 Enterprise E1.
Depending on your organization’s needs, you can
choose from a variety of plans at different prices.
Administrating Office 365

While an Office 365 subscription can alleviate much of the administrative burden of maintaining your own
servers, Office 365 is not designed to be administrator-free. An organization’s administrator must perform
several tasks and functions in Office 365. Office 365 has a web-based administration portal that lets you
manage various Office 365 settings, in addition to creating and managing users and deploying software.
The administration portal provides several other tasks, screens, and wizards. However, a detailed
explanation of these additional capabilities is beyond this lesson’s scope.
Deploying Office 365 ProPlus centrally

You can deploy Office ProPlus centrally by using the ODT Click-to-Run tool. On the Office 365
Dashboard, under Service Settings, the User software page contains the hyperlink Learn how to
download and deploy software. Clicking this hyperlink opens a page with instructions and links to
download the ODT.
On the Office 365 admin center Active Users page, you can select an individual user by clicking their
hyperlinked name. When their named page opens, clicking the licenses node in the console tree reveals
the licenses assigned to this user. By default, all users have the full complement of products for the
particular subscription plan of Office 365. However, as an administrator, you can limit these. To prevent
users from using Click-to-Run from the Office 365 portal, clear the Office 365 ProPlus check box, which
will make Office 365 ProPlus unavailable to that user.
The Service Settings page contains the Updates tab, which allows you to choose how new features and
updates are delivered to your organization. You can choose between Standard release and First release.
• Standard release delivers new features and updates to all Office 365 users when they are released to
the general public by Microsoft. This is the default selection.
• First release provides two options:
o Deliver early updates and new features to your entire organization before they are released to
the general public.
o Select specific people to get early updates and new features before they are released to the
general public.
Office 365 user’s portal

The Office 365 portal page contains configuration options for the individual user. In the upper-right
corner of the ribbon is a gear-shaped icon beside the user’s name. When the user clicks this icon, an
Office 365 settings context menu appears. Clicking the Office 365 settings link takes the user to the
settings page with a software link. This software link displays all of the devices on which the user has
Office 365 ProPlus installed and allows you to deactivate any of those devices. A message also displays
regarding how many remaining installs are available.
On the lower part of the page, clicking the Install button starts Click-to-Run for the user’s device. If your
organization’s administrator unchecks the Office 365 ProPlus check box, as described above, this Install
button is not available to individual users.
By default, all of the Office 365 ProPlus products are installed, including Word, Excel, PowerPoint,
OneNote, Access, Publisher, Outlook, Lync, and InfoPath. To exclude some of these products, uncheck the
Office ProPlus check box, and then deploy Office 365 ProPlus centrally (as described previously) and use
the ExcludeApp element in the Configuration.xml file that you create when you install the ODT.
Using GPOs to manage Office 2016

Using GPOs is the most efficient way to enforce
settings across a domain, organization unit (OU),
and even for individual user and computers
settings. You can use GPOs for both Windows
Installer–based Office 2016 and Office 365 ProPlus
settings.
GPO settings are written to registry settings on a

local computer. Users without administrative
privileges cannot change these registry settings.
You can find most of the registry settings available
through GPOs in the Administrative Templates in
both the Computer Configuration Policies and
User Configuration Policies nodes.
Office 2016 administrative templates

To use the Office 2016 administrative templates, you must first download and add them separately. After
installing the templates, you can use the Office 2016 Administrative Template to control how Office 2016
applications:
• Connect to the Internet.
• Manage Office 2016 application security.
• Make a standard Office 2016 configuration on users’ computers that provides for uniformity and ease
of management.
You can even hide various options and settings that users typically do not need, and which can be
confusing to users to run. The Office 2016 administrative template is installed in the User Configuration
\Policies\Administrative Templates node. Within this node are several main node folders:
• Microsoft Access 2016
• Microsoft Excel 2016
• Microsoft InfoPath 2016

• Microsoft Lync 2016
• Microsoft Office 2016
• Microsoft OneNote 2016

• Microsoft Outlook 2016
• Microsoft PowerPoint 2016
• Microsoft Project 2016
• Microsoft Publisher 2016
• Microsoft SharePoint Designer 2016
• Microsoft Visio 2016
• Microsoft Word 2016
Each of these subnode folders has several subnodes with individual settings that apply to particular
functionality for that Office 2016 product. In some cases, a main node might have a dozen or more
subnodes, some with scores of individual settings. For example, the Microsoft Office 2016 node has almost
40 subnodes, and some these subnodes have additional subnodes that reside under them.
Download and install the Office 2016 administrative templates

To use the Office 2016 Administrative Templates, you first must download them from the Microsoft
Download Center. You can choose either the 32-bit or the 64-bit version, depending on your Office 2016
architecture. The download also includes the OCT files for the various Office 2016 products, which
requires the architecture version that is appropriate for Office 2016.
After the download completes, run the AdminTemplates_xxbit.exe (where xx is the architecture: 32 or 64).
This extracts the .ADMX xml files that house the settings, and the .ADML files, which contain the language
for that particular setting. Additionally, the \Admin folder contains the OCT files.
The Group Policy Central Store

To use the additional .ADMX and .ADML files, you can create the Group Policy Central Store. The Central
Store is on the domain controller’s SYSVOL share, and replicates to all of the domain’s controllers. This
makes the same set of group policy template files available to all group policy administrators in multiple
locations. You should copy the .ADMX files into a new folder on the domain controller, preferably the
domain controller that is hosting the PDC emulator role, and name it Policy Definitions. Create it at
%systemroot%\sysvol\domain\polices. When you expand the admintemplates_xxbit.exe file, it creates
several subfolders in the \Admin directory that are named for the language in use.
The .ADMX files are language neutral, and you must add the corresponding .ADML language files so that
an administrator can read the setting in the Group Policy Editor’s administrative template. For example, to
use the U.S. English files in the Office 2016 administrative templates, you would add the en-US folder to
the following location: %systemroot%\sysvol\domain\policies\PolicyDefinitions. The PolicyDefinitions
folder would then contain all of the Office 2016 administrative template’s .ADMX files, and the en-US
folder will have all of the Office 2016 administrative template’s .ADML files in it.
After you do this, you can open any GPO in the Group Policy editor and view the User
Configuration\Policies\Administrative Templates folder. On the Administrative Templates node, it will say
Administrative Templates: Policy definitions (ADMX) retrieved from the Central Store, and the folders
below it are named for the various Microsoft Office 2016 products.
When users first run Microsoft Office, they have the option to run the First Run movie, and then Office
runs the First things first informational package. You can use the Group Policy Office 2016 Administrative
Templates to suppress this behavior.
Key Office 2016 administrative template settings

To disable the First Run Movie, in the Group Policy Editor, browse to User Configuration\Administrative
Templates\Microsoft Office 2016\First Run, and select settings with the values that the following table
describes.
Setting Value
Disable First Run Movie Enabled
Disable Office First Run on application boot Enabled
Disable Opt-in Wizard on first run Enabled
Enable Customer Experience Improvement Disabled

Program
Allow including screenshot with Office Feedback Disabled
Send Office Feedback Disabled
To disable the “First things First” information browse go to User Configuration\Administrative Templates
\Microsoft Office 2016\Privacy\Trust Center and enable the Disable Opt-in Wizard on first run setting.
Note: In total, there are several hundred possible Office 2016 administrative template
settings. Nearly all of these settings appear in the OCT as well. This means that you can configure
the settings initially without enforcing them, and then use only the OCT, and not set the Group
Policies.
Additional Reading: For more information about New Group Policy and OTC settings,
refer to: http://aka.ms/K5doui.
Adding or removing additional Office 2016 components

You can run the OCT to create or change a Setup
customization file in the form of a Windows
Installer patch file (.msp). For example, you can
add or remove features, change user settings, and
add or remove files or registry entries. You
essentially redeploy the .msp package with new
features that you add, or existing features that
you remove.
To customize an .msp file, perform the following

procedure:
1. Open an elevated command prompt at the

directory root or network-installation point
that contains the Office 2016 source files.
2. Type the following command, and then press Enter:
setup.exe /admin
3. In the Select Product window, click the Open an existing Setup customization file option, and then
click OK.
4. In the Open window, find your .msp file. Select it, and then click the Open button.
5. In the console tree, choose an area of customization, choose the option that you want to customize,
and then customize the installation in the details pane .For example, to remove Access 2016 from the
installation:
a. In the Features section of the console tree, click Set feature installation states.
b. In the details pane, expand Microsoft Office, click the Microsoft Office Access drop-down
arrow, and then on the context menu, click Not Available.
6. After you finish customizing the installation, on the File menu, click Save.
7. You also can choose Save As, then specify a new, unique name for the customization file by using an
.msp file-name extension, and then choose Save. For example, in a previous demonstration, we saved
the customized setup file as adatumOffice.msp. You could save this file as
adatumOfficeNoAccess.msp.
8. Now you can deploy and apply the .msp to users' computers by using your selected deployment
method.
To add Office 2016 components, you can reverse step five in the preceding procedure, and then select
Run from My Computer rather than Not Available.
When using the ODT to deploy Office 365 ProPlus, you can customize the Configuration.xml file to
remove specific Office programs. To do this, you make a new Configuration.xml file or modify an existing
file, and then use the ExcludeApp element to identify the program for removal. If you are removing more
than one program, you can add additional ExcludeApp elements for those programs. This list of
programs to remove goes in the Add section of the Configuration.xml file, and not the Remove section.
When you finish, save the Configuration.xml file, and then run the ODT on the user’s computer by using
the setup.exe /configure command and the Configuration.xml file.
You also can add Office 365 ProPlus programs to an existing Office 365 ProPlus installation by modifying
the Configuration.xml that you created previously to delete the ExcludeApp elements. When you use the
setup.exe /configure command with this configuration.xml file again, it will install all programs that are
not in an ExcludeApp element.
Question: How can you prevent users from using Click-to-Run from the Office 365 portal?
Statement Answer
You must download and add the Office 2016

Administrative Templates to the Group Policy
Management Editor.
Lesson 5
Introducing Windows Store for Business
Managing line of business (LOB) applications distribution has always been difficult in large organizations.
Different departments need access to various LOB apps. Information technology (IT) departments often
are required to manage hundreds of apps. Windows Store for Business provides a central place for you to
manage and distribute apps for the entire organization.
Lesson Objectives
• Provide an overview of Windows Store for Business.
• Describe the prerequisites for Windows Store for Business.
• Describe the applications supported by Windows Store for Business.
Overview of Windows Store for Business

Windows Store for Business is an Internet-based
service that allows you to purchase and license
Windows Store applications for distribution within
your business organization. It provides a portal
that acts as a single location for organizations to
acquire and distribute apps for Windows 10
devices. Windows Store for Business is designed to
be user friendly. Users can browse the store, install
publicly-available apps, and view and download
apps that have been customized for your
company in a private section of the store.
Users sign in to Windows Store for Business using
their valid Microsoft Azure organizational ID and credentials. They will see the apps divided into
categories such as ‘Project and Task Management’ and ‘Finance and Analytics’. Users only need to click on
the icon of the app and then they can read the details about the app and if they wish to install it, just click
the Get the app button.
Note: At the time of this writing, apps in the Windows Store for Business are free. Over
time as paid apps become more available there will be more options.
The store is backed by Azure Active Directory (Azure AD). Organizations must have an Azure AD tenant in
order to access the Windows Store for Business. You can purchase apps for users individually or in volume.
Windows Store for Business has thousands of apps separated into multiple categories. You can manage
apps in the portal through a private store dedicated to your organization. Windows Store for Business also
provides a way for external or in-house developers to upload apps that are commissioned by your
organization. You can purchase apps for users individually or in volume.
Windows Store for Business prerequisites

Windows Store for Business is an internet-based
service, and therefore there are only a few
prerequisites for utilization.
Software requirements
For administration of the store, you need a
compatible browser. Supported browsers include:
• Internet Explorer 11 or later
• Microsoft Edge
• The latest version of Google Chrome

• The latest version of Mozilla Firefox
Note: Other current browsers might work, but you will need to test compatibility.
Note: Users consuming the apps must be running Windows 10, version 1511 or later.
Organizational requirements
To use Windows Store for Business, you must have an Azure AD tenant, and the first person to sign into
the Windows Store for Business must be the global admin for that organization’s Azure AD tenant. The
global admin can then give access to the organization’s users.
Employees accessing online apps from the store directly require valid Azure AD accounts. If you use a
management tool to distribute and manage online-licensed apps, then all employees will need Azure AD
accounts.
Note: Azure AD accounts are not required for employees to use offline-licensed apps.
Offline-licensed apps are discussed later in this module.
Proxy requirements
If your organization does not allow computers to connect directly to the internet and instead requires
them to connect through a proxy, then the following URLs must be accessible:
• login.live.com
• login.windows.net
• account.live.com
• clientconfig.passport.net
• windowsphone.com
• *.wns.windows.com
• *.microsoft.com
• *.msftncsi.com/ncsi.txt
Applications supported by the Windows Store for Business

Organizations are required to support dozens or
even hundreds of apps for various platforms, such
as mobile devices, tablets, or desktops. This has
always proved a difficult task, and each
organization has their own internal process for
supporting their apps. The Windows Store for
Business can simplify this task by providing a place
for all users in the organization to find and install
apps. The Windows Store for Business has
thousands of apps in multiple categories.
Many companies develop their own custom apps

to be used for their specific business
requirements. Some companies develop them in-house while others hire other companies to develop
them. You can allow developers to add LOB apps to your private store in the Windows Store for Business.
Licensing of apps is an important part of the application life cycle. Licensing ensures that you are in
compliance and that your users are running valid instances of software.
Note: Licensing also is addressed in the Windows Store for Business.
Universal Windows apps for Windows 10

The Windows Store for Business supports a new type of app, Universal Windows apps for Windows 10.
Universal Windows apps for Windows 10 are apps that use a common set of application programming
interfaces (APIs_ to allow non-Microsoft developers or independent software vendors (ISVs) to write apps
using one set of business logic, and a single, consistent user interface (UI) that will run on all Windows 10
devices.
Windows 10 Apps in Windows Store for Business do not have to support all platforms, but must support
at least one of the following Windows 10 platforms:
• Windows 10 desktops
• Windows 10 phones
• Windows 10 Xbox
• Windows 10 Internet of Things (IOT) devices
• Windows 10 servers
• Windows 10 Surface Hub
• Windows 10 HoloLens
• Windows 10 *all devices*
When a user click on the tile for an app, the web page describing that app will have a field named works
on that lists the types of devices on which this app will run.
Adding LOB apps

You can add LOB apps to an area of the store reserved for your company by inviting a developer or ISV to
become an LOB publisher for your organization. Once established as an LOB publisher, the developer can
submit the app to the store and tag it for your company only. Once submitted, you can accept the app
and distribute it to employees.
Licensing apps
There are two ways to license apps: online, and offline. Online licensing is the default licensing mode. In
the online licensing mode, users and devices are required to connect to the Windows Store for Business
and download the app and its license. This requires the users to have a valid account to connect to the
Offline licensing allows you to cache apps and their licenses, and then distribute them throughout your
environment. This allows you to deploy apps to users and devices when they are not connected to the
Windows Store for Business
Statement Answer
Users must have a valid Azure AD account to access

the Windows Store for Business.
Statement Answer
Universal app for Windows 10 will run on any

Windows 10 device.
Lesson 6
Distributing apps using the Windows Store for Business
Acquiring apps is the first step in using the Windows Store for Business. Distributing the apps is the next
step. Windows Store for Business provides mechanisms to store and distribute apps to your organization’s
users. This lesson will examine the storage and distribution options for the Windows Store for Business.
Lesson Objectives
• Describe the Windows Store for Business private store.
• Distribute apps using a mobile device management tool.

• Distribute apps offline.
Using the Windows Store for Business private store

The private store is created for your organization
during the Windows Store for Business sign-up
process. Once created, you add apps to the
private store to make those apps available to your
employees. Users connecting to Windows Store
for Business from Windows 10 devices will see the
private store as a tab in the top menu bar. Only
apps using the online license model can be added
to the private store.
Adding apps to the private store

Once you sign into the Windows Store for
Business, you can click on the Shop link on the
menu bar to find apps that you want to purchase. Once you purchase the app, it is added to your
organization’s inventory. A dialog box allows you to choose how to distribute the app. You can choose
from the following options:
• Add to your private store where all people in your organization can find and install it. This
option adds the app directly to the private store.
• Assign it to people. This option allows you to assign the app directly to a user or group. Those users
will receive an email with a link to install the app on their devices.
• Distribute later. This option adds the app to your inventory, from where you can add it to the
private store, or assign it later.
Note: It can take up to 12 hours for an app to appear in the private store after assignment.
You can add or remove an app from your private store at any time by using the Action menu on the
Inventory page.
Installing an app from the private store

Users sign in and connect to the Windows Store for Business using their Azure AD credentials. Clicking on
the private store tab, which typically has the name of your organization, allows your users to browse the
private store and select and install any app in the private store.
Distributing apps using a mobile device management tool

Today, more mobile devices are being used to run
corporate apps. Windows 10 devices can be
registered in Azure AD and enrolled into mobile
device management. Once a device enrolls into
mobile device management, you can enforce
corporate polices, and add or remove apps. You
can configure a mobile device management tool
to synchronize with your inventory in the
Windows Store for Business and distribute apps.
To accomplish this, you first must install your

mobile device management tool into your Azure
AD. The management tool must be registered as
an Azure AD application in your organization’s tenant in order to authenticate against the Store for
Business. You add the tool using the following steps:
1. Sign into the Azure Portal as a global administrator.
2. Choose your AD DS.
3. Under Applications, find your application and add it to your directory.

Once you have added your mobile device management tool to your Azure AD, you can configure it in the
Windows Store for Business by performing the following steps:
1. Sign in to the Windows Store for Business.

2. Under the Settings menu, click Management Tool. The list of the management tools you have
added will display.
3. Choose the tool that you wish to synchronize with Windows Store for Business, and click Activate.
Each management tool will have its own method of distributing apps from your inventory.
Reference Links: For more information about management tools for Windows Store for
Business, refer to: http://aka.ms/Weegwq.
Acquiring and distributing offline apps

Offline licensing allows you to download apps
and their licenses, and then distribute them
throughout your environment, even to devices
that are not connected to the internet. This
enables organizations to deploy apps to users or
devices without those users having to connect to
the Windows Store for Business.
Benefits of offline apps

Offline apps provide organizations with a different
way to deploy Windows Store for Business apps.
This is useful in scenarios where:
• Your users do not have internet access.
• You want to add Windows Store for Business apps to your custom deployment image, or deploy
them with either Deployment Image Servicing and Management (DISM), or Windows Imaging and
Configuration Designer (Windows ICD).
• Your users do not have Azure AD accounts, and you want to deploy offline apps to these users.
Acquiring offline apps

You purchase offline apps in the same manner as other apps. To acquire offline apps, complete the
following high-level steps:
1. Sign in to the Windows Store for Business with an account that has app purchasing rights.
2. Use the Settings menu to select Offline licensing.

3. On the Offline licensing page, select the check box to Show offline licensed apps to people
shopping in the store.
4. Click the Shop tab on the menu bar, and search for offline apps. All offline apps that you purchase
will be added to your inventory.
Distributing offline apps

You cannot distribute offline apps from the Windows Store for Business. However, you have three options
for distributing offline apps:
• Use DISM to add these apps to a custom image before deployment.
• Use Windows ICD to create provisioning packages that can be applied to deployments.
• Use a management server such as Configuration Manager.
Statement Answer
The global administrator must create the private store

for your organization.
Statement Answer
Valid users can install offline apps directly from the

Lab: Deploying Microsoft Office 2016 by using the Office

Customization Tool
Scenario
You need to learn how to use the OCT and create customized deployments in order to help you plan
an effective Microsoft Office 2016 deployment strategy. Kari Tran, the manager of the A. Datum
Corporation’s IT department, has asked that you automate deployment of Office Professional 2016. You
know that all of the London client systems were reimaged recently, but the reimaging did not include the
latest version of Microsoft Office. Therefore, you will evaluate the OCT, and use it to create an Office
Professional 2016 deployment that A. Datum could customize.
Objectives
After completing this lab, you should be able to:
• Customize an Office 2016 deployment by using the OCT.
• Deploy Office 2016 from an on-premises network installation point.
Lab Setup
Virtual machines: 20695C-LON-DC1 and 20695C-LON-CL2
Password: Pa$$w0rd
1. On the host computer start Hyper-V Manager.
o Domain: Adatum
5. Repeat steps 2 through 4 for 20695C-LON-CL2, after LON-DC1 is at the sign in screen.
Exercise 1: Using the Microsoft Office Customization Tool (OCT) to

customize a Microsoft Office 2016 deployment
Scenario
You are tasked to create an on-premises Office 2016 deployment. You receive the following email from
Kari Tran, the IT Department manager:
Dan Drayton
From: Kari Tran [ktran@Adatum.com] Sent: 22 July 2:30 PM To: Dan Drayton [ddrayton@adatum.com]
Subject: Automated Office Professional 2016 deployment
Dan,
Go ahead and use the Office Customization Tool to create a test deployment of the volume license
version of Office 2016 Professional we bought. I need you to create a customization that does not install
Access or Publisher. These applications are not required for employees.
For the time being, we are going to continue deploying apps to the client systems post-installation.
As for the rest of the features, I like the idea of eliminating the First run movie, and since we’re using KMS,
not having the users accept the EULA or activate Office.
Thanks,
Kari
You decide to create a deployment package using the OCT.
1. Create a customized Office 2016 deployment file by using the OCT.
 Task 1: Create a customized Office 2016 deployment file by using the OCT
1. On LON-DC1, open a Command Prompt window as administrator, and then navigate to the
e:\Labfiles\Office_Professional_2016 directory.
2. At the command prompt, type setup.exe /admin. This opens the OCT.
3. Ensure that the Create a new Setup customization file for the following product option is
selected for the Product name Microsoft Office Professional Plus 2016 (64-bit).
4. Select Adatum as the organization name.
5. Select the Licensing and user interface subnode, and then click the Use KMS client key radio
button.
6. Select the I accept the terms of the license agreement. Display level: Basic check box, select the
Completion notice check box, and then clear the No cancel check boxes.
7. In Office Security settings, ensure that the Unsafe ActiveX initialization has the Do not prompt
and disable all controls option selected.
8. In the Modify setup properties item, add the HIDEUPDATEUI item with a value of TRUE.
9. In the Features area, in the Modify user settings item, in the Privacy/Trust Center, under
Microsoft Office 2016, enable the Disable Opt-in Wizard on first run property.
10. Under Microsoft Office 2016, in First Run, enable both the Disable First Run Movie and Disable
Office First Run on application boot properties.
11. In the Set feature installation states item, select Microsoft Office 2016, and then set Microsoft
Access and Publisher to Not Available.
12. Save the File as \\LON-DC1\Labfiles\ Office_Professional_2016\Updates\AdatumOffice.msp, and

then close the OCT.
13. Open File Explorer, and then verify in E:\Labfiles\ Office_Professional_2016\Updates that
AdatumOffice.msp displays.
Results: At the end of this exercise, you should have created a customized Office 2016 deployment file.
Exercise 2: Deploying a customized version of Office 2016

Scenario
Now that you have created and saved the customized.msp file, you must test it. Observe the installation to
ensure it goes according to the OCT. When finished, you will ensure that Access and Publisher did not
install. Verify that the “First things first” windows and the Office movie do not run.
1. Connect to network share as an authorized user and deploy Office 2016.
2. Prepare for the end of the course.
 Task 1: Connect to network share as an authorized user and deploy Office 2016
1. Switch to LON-CL2.
2. Open a Command Prompt window as an Administrator.
3. Type the following commands, pressing Enter at the end of each line:
Net use x: \\LON-DC1\Labfiles\ Office_Professional_2016

X:
Setup.exe
Note: The Microsoft Office installation window opens and begins to install Office 2016.
Since you used the Basic option in the OCT, the progress displays without the ability to cancel.
After approximately 15 minutes, the installation will complete.
4. Click the Start menu, and click All apps.
Note: Access 2016 and Publisher 2016 should not appear.
5. Open Word 2016 to verify the First things first window does not run.

 Task 2: Prepare for the end of the course

following steps:

4. Repeat steps 2 to 3 20695C-LON-CL2.
Results: At the end of this exercise, you should have successful installed Office 2016 from the .msp file.
Question: In the lab, you altered settings in the OCT and saved them as an .msp file. You
then altered settings in the Config.xml file. What would be the result of the installation if the
Config.xml settings that you specified differ from the settings that you saved in the .msp file?
Question: Why did you copy the AdatumOffice.msp file to the Updates directory in the
second exercise?

The customizations that you configured in

the .msp file are not being applied.
Office 365 users are receiving activation

errors.
Review Question
Question: What are the key differences between the OCT and the Office Deployment Tool?

Remember that the user performing the Office 2016 installation needs to have administrative rights on
the local machine to install the program successfully.
Tools
Office Customization Tool Use to make customizations to Volume license versions

volume-license versions of of the Office 2016
Office 2016 installation installation files.
settings. Setup.exe in the /admin
folder launches the OCT.
Office Deployment Tool for Use to make customized Free download from the
Click-to-Run installation settings for the Microsoft Download
Office 365 ProPlus and Center at:
associated subscription http://aka.ms/C9la91.
products.
Group Policy Administrative Use to enforce a wide variety Free download from the
Templates for Office 2016 of settings for Office 2016 and Microsoft Download
associated products. Center at:
http://aka.ms/C9la91.
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
L1-1
Module 1: Assessing the network environment for

supporting operating system and application deployment
Lab: Assessing the network environment for
supporting operating system and
application deployment
Exercise 1: Collecting hardware and application inventory by using
 Task 1: Configure hardware inventory
1. On LON-CFG, on the taskbar, click Configuration Manager Console.
2. In the Configuration Manager console, click Administration, click Client Settings, and then click
Default Client Settings.
3. On the Home tab, in the Properties group, click Properties.
4. In the Default Settings dialog box, click Hardware Inventory.
5. In the Device Settings list, configure the following:
o Enable hardware inventory on clients: Yes
o Hardware inventory schedule: Click Schedule in the Configure Client Setting dialog box,
configure the Simple schedule to Run every 1 days, and then click OK to close the Configure
Client Setting dialog box.
6. Click OK to close the Default Settings dialog box.
8. Right-click the Start button and then click Control Panel.
9. In Control Panel, click the System and Security link.
10. Scroll to the bottom, and then click Configuration Manager.
11. In the Configuration Manager Properties dialog box, click the Actions tab.
12. Select Hardware Inventory Cycle, and then click Run Now. A message displays that specifies that
the selected cycle will run and might take several minutes to finish. Click OK.
13. Click OK to close the Configuration Manager Properties dialog box.
 Task 2: Review inventory data

1. On LON-CFG, in the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, click Devices. In the Details pane, make note of the Client
and Client Activity columns for LON-CL1. The Client column should show Yes and the Client
Activity should show Active.
3. Click LON-CL1. On the Home tab, in the Device group, click Start, and then click Resource Explorer.
The Resource Explorer window opens.
L1-2 Assessing the network environment for supporting operating system and application deployment
4. Expand the Hardware node. Take note of the hardware inventory collected for the client. Specifically
review the following nodes:
o Disk Partitions
o Installed Applications
o Operating System
5. Close the Resource Explorer window.
6. Close the Configuration Manager console.
Results: After completing this exercise, you should have collected hardware inventory from the client
computers and reviewed the information about your client computers’ configuration.
Exercise 2: Using MAP to determine infrastructure readiness

 Task 1: Create a sample database and perform an inventory on sample clients
2. Click Start, click All Apps, expand Microsoft Assessment and Planning Toolkit, and click the
Microsoft Assessment and Planning Toolkit. Wait for MAP to start. It might take approximately 30
to 60 seconds.
3. In the Microsoft Assessment and Planning Toolkit dialog box, in the Create or a select a
database section, click Create an inventory database. In the Name text box, type Client
Assessment, and in the Description section, type Initial assessment of Adatum clients. Click OK.
4. In the console tree, select Overview, and in the Where to start section, click Perform an Inventory.
The Inventory and Assessment Wizard starts.
5. On the Inventory Scenarios page, under Choose your scenario, select the Windows computers
check box, and then click Next.
6. On the Discovery Methods page, in the Select which methods to use to discover computers
section, ensure that Use Active Directory Domain Services (AD DS) is selected, and then click Next.
7. On the Active Directory Credentials page, enter the following information in the text boxes, and
then click Next:
o Domain: Adatum.com
o Domain account: administrator@adatum.com
8. On the Active Directory Options page, ensure that Find all computers in all domains, containers,
and organizational units is selected, and then click Next.
9. On the All Computers Credentials page, click Create.

10. In the Account Entry window, type the following, click Save, and then click Next:
o Account name: administrator@adatum.com
o Password and Confirm password: Pa$$w0rd

Deploying Windows Desktops and Enterprise Applications L1-3
11. On the Credentials Order page, click Next.
12. On the Summary page, click Finish. The Status window opens. In the Status window, click the Details
down arrow. Observe that after some time, data starts to appear in the Computer Discovery and
Collector Status sections. Note that some failures might occur for various reasons, such as the
machine has not been started. Click Close when the assessment is complete.
 Task 2: Review reports to determine infrastructure readiness

1. In the Overview section, examine the Environment Summary.
2. Click the Desktop node in the console tree, and then click the Windows 10 Readiness item. Observe
the Details section and the number of Ready for Windows 10 computers.
3. While viewing the Windows 10 Readiness summary, click Generate Windows 10 Readiness Report
in the Options pane. Click Close in the Status window after the report generates.
Note: It might take a few minutes for the Generate Windows 10 Readiness Report link to
display.
4. Click the View drop-down list box at the top of the console, and then select Saved reports.
5. Open the Microsoft Excel worksheet report that is named Windows10Assessment and that includes
the date of the process. Examine the various workbooks, and then close Excel.
Results: After completing this exercise, you should have determined how many of the client computers
are ready for a Windows 10 upgrade.
 Task 3: Prepare for the next module

following steps:
4. Repeat steps 2 and 3 for 20695C-LON-CFG and 20695C-LON-CL1.

L2-5
Module 2: Determining operating system

deployment strategies
Lab: Determining operating system
deployment strategies
Exercise 1: Identifying operating system deployment strategies for
a small network
 Task 1: Read the Exercise Scenario
• Read the documentation in the lab exercise scenario.

Answer the questions in the proposals section of the A. Datum Automated Client Installation and
Deployment Strategy document:
High Touch with Retail Media would be applicable, since you cannot use High Touch with a Standard
Image for an upgrade, and each user has a different set of applications.
2. Which deployment technologies would you consider to implement the client-upgrade plan?
You should consider Windows SIM for the answer file, and the retail media technology for the setup
program.

o Windows 10 media
o Windows SIM
o A removable storage device to store the answer file (Unattend.xml)
Results: After completing this exercise, you should have planned an operating system deployment
strategy for the Miami remote office.
L2-6 Determining operating system deployment strategies
Exercise 2: Identifying operating system deployment strategies for a

medium-sized network

A lite touch strategy would be applicable, since Configuration Manager is unavailable, and there are
more than 300 devices to which to deploy.
2. Which deployment technologies would you consider to implement the server-upgrade plan?
Windows ADK, MDT 2013 Update 1, Windows Deployment Services, and an image containing the
bare operating system without applications.
o Volume licensed media
o MAP tool
o Windows ADK for Windows 10
o MDT 2013 Update 1
o File server on which to store the distribution share
strategy for the Montreal regional office.
Exercise 3: Identifying operating system deployment strategies for an

Enterprise Network

A zero touch deployment strategy would be applicable, because Configuration Manager is available,
and there are more than 500 devices to which you must deploy.
Windows ADK, MDT 2013 Update 1, and Configuration Manager.

o Volume licensed media
o MAP
o Windows ADK for Windows 10
o MDT 2013 Update 1
o Configuration Manager and its prerequisites
strategy for the U.S. offices.
Exercise 4: Installing the Windows ADK

 Task 1: Install Windows ADK
1. On LON-CL1, on the taskbar, click File Explorer.
2. Navigate to \\LON-DC1\E$\labfiles\WADK.
3. Double-click adksetup.exe.
4. In Windows Assessment and Deployment Kit - Windows 10, on the Specify Location page,
click Next.
5. On the Windows Kits Privacy page, click Next.
6. On the License Agreement page, click Accept.
7. On the Select the features you want to install page, make sure only the following features are
selected, and then click Install:
o Deployment Tools
o Windows Preinstallation Environment (Windows PE)
o Imaging and Configuration Designer (ICD)
o User State Migration Tool (USMT)

8. On the Welcome to the Windows Assessment and Deployment Kit - Windows 10! page,
click Close.
9. If prompted to restart the computer click No.

L2-8 Determining operating system deployment strategies
 Task 2: Verify the results of the installation, and identify the tools that have
been installed
1. Open File Explorer.
2. Navigate to C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\.
3. Take note of the various features that have been installed, including:
o Deployment Tools
o Windows Preinstallation Environment
o Imaging and Configuration Designer
o User State Migration Tool


Results: After completing this exercise, you should have installed the Windows ADK on LON-CL1.
L3-9
Module 3: Assessing application compatibility

Lab: Assessing application compatibility
Exercise 1: Analyzing applications for potential compatibility issues
 Task 1: Configure the ACT
2. On the taskbar, click File Explorer.
3. In File Explorer, in the details pane, double-click Local Disk (C:).
4. On the toolbar, click Home, and then click New folder.
5. Type ACTLogs, and then press Enter.
7. Point to the lower-left corner of the screen, and then click the Start charm.
8. On the Start screen, click Application Compatibility Manager.

9. On the Welcome to the ACT Configuration Wizard page, click Next.
10. On the Do you want to use this computer to run an ACT Log Processing Service page, ensure
that Yes is selected, and then click Next.
11. On the Configure Your ACT Database Settings page, next to SQL Server, select (local)\ADK, and
then click Connect.
12. On the Configure Your ACT Database Settings page, next to Database, type ACTDB, and then
click Next.
13. On the Configure Your ACT Database Settings page, click Next.
14. On the Configure Your Log File Location page, next to Path, type C:\ACTLogs.
15. On the Configure Your Log File Location page, next to Share as, ensure that ACTLogs is entered,
and then click Next.
16. On the Configure Your ACT Log Processing Service Account page, ensure that Local System is
selected, and then click Next.
17. On the Congratulations page, clear all check boxes, and then click Finish. The Microsoft Application
Compatibility Manager console opens.
18. On the Tools menu, click Settings.
19. In the Settings box, on the Settings page, verify that LON-DC1\ADK is configured as the SQL
Server, and that ACTDB is configured as the Database.
20. Under Log Processing Settings, verify that the This computer is configured as a Log Processing
Service check box is selected.
21. Verify that the Log Processing Service Account is configured as a Local System Account.
22. Verify that the Log Share is configured to be \\LON-DC1\ACTLogs.
23. Click the Preferences tab.
24. Under Community Settings, verify that the Yes, I want to join the ACT Community check box is
selected.
L3-10 Assessing application compatibility
25. To close the Settings window, click OK.
26. Right-click the taskbar, and then click Task Manager.
27. In the Task Manager window, click More details, click the Services tab, and locate the
ACTLogProcessor service.
28. Verify that the ACT Log Processing Service has a Status of Running. If it does not, right-click the
service, and then click Start.
29. Close the Task Manager.
 Task 2: Create data collection packages

2. On the File menu, click New to create a new data collection package.
3. In the Create a data collection package window, click Inventory collection package.
4. On the Set up your inventory package page, in the Package Name section, in the Name box, type
SalesInventoryPKG.
5. On the Set up your inventory package page, in the Label box, type Sales Inventory, and then click
Create.
6. In the Save Data Collection Package window, delete the text in the address box, type
\\LON-DC1\Labfiles, press Enter, and then click Save.
7. On the Next steps for your inventory collection package page, click Finish.
8. In the Microsoft Application Compatibility Manager, on the File menu, click New to create a new
data collection package.
9. In the Create a data-collection package window, click Runtime analysis package.
10. On the Set up your runtime analysis package page, in the Package Name section, in the Name
box, type SalesRuntimePKG.
11. On the Set up your runtime analysis package page, in the Label box, type Sales Runtime, and
then click Create.
12. In the Save Data Collection Package window, delete the text in the address box, type
\\LON-DC1\Labfiles, press Enter, and then click Save.
13. On the Next steps for your runtime analysis collection package page, click Finish.
 Task 3: Install data collection packages

3. In File Explorer, in the address box, type \\LON-DC1\Labfiles, and then press Enter.
4. In File Explorer, double-click SalesInventoryPKG.
5. In File Explorer, double-click SalesRuntimePKG.

 Task 4: Organize and analyze the application inventory

2. In the Application Compatibility Manager window, in the navigation pane, click Analyze.
3. In the details pane, under the Windows 10 Reports\Computers node, verify that LON-CL1 has
reported information.
4. Double-click LON-CL1 to view reported data. Close the LON-CL1 window.

5. In the Windows 10 Reports section, click Applications. Verify that applications are reported.
6. Click the Devices node, and verify that devices are reported.
Note: It might take a few minutes for the device list to populate. You might see just a few
devices initially. You can come back to this node later to see all devices detected.
7. Under Windows 10 Reports, in the navigation pane, click Applications, and then select Microsoft
Office Excel Viewer.
8. On the Actions menu, click Assign Categories.
9. In the Assign Categories window, click Category List.
10. In the Category List window, under Categories, click Add, type Sales, and then press Enter.
11. In the Category List window, under Subcategories, click Add, type Customer Service, and then press
Enter.
12. In the Category List window, click OK.
13. In the Assign Categories window, select the Customer Service check box, and then click OK.
14. Click Microsoft Office Excel Viewer.
15. On the Actions menu, click Set Deployment Status.
16. In the Set Deployment Status window, click Ready to Deploy, and then click OK.
Results: After completing this exercise, you should have analyzed applications for potential compatibility
issues.
Exercise 2: Mitigating application compatibility issues

 Task 1: Identify application compatibility issues
2. Click to the Start menu, type Compatibility, and then click Microsoft Compatibility Monitor.
3. In the User Account Control window, type Adatum\Administrator as the username and Pa$$w0rd
as the password, and then click Yes.
4. In the Using Microsoft Compatibility Monitor window, click Close.
5. In the Compatibility Monitor window, click the Advanced Tools icon, and then click Monitor and
Launch Standard User Analyzer.
6. In the Standard User Analyzer window, under the App Info tab, click Browse.
L3-12 Assessing application compatibility
7. In the Browse for Application window, expand This PC, expand Local Disk (C:), expand Program
Files (x86), click StockViewer, and then double-click StockViewer.exe.
8. In the Standard User Analyzer window, under the App Info tab, clear the Elevate check box, and
then click Launch.
9. In the Warning window, click Yes.
10. In the User Account Control window, type Adatum\Administrator as the username and Pa$$w0rd
as the password, and then click Yes.
11. In the Permission Denied dialog box, click OK.

12. On the StockViewer toolbar, click Trends. When you see the Error dialog box, click OK.
13. Click the Tools menu, and then click Options. When you see the Stock Viewer dialog box, click
Continue.
14. Click the Tools menu, and then click Show Me a Star. When you see the Unsupported Version
dialog box, click OK.
15. Close the StockViewer application.
 Task 2: View and synchronize application compatibility information

1. In the Standard User Analyzer window, click Name Space, and then take note of the two entries. The
CreateFileMappingW application programming interface (API) calls result in the application trying to
create a file.
2. In the Standard User Analyzer window, click Other Objects, and then take note of the single entry.
The OpenEventW API call results in the application trying to access an event that another process is
handling.
3. In the Mitigation menu, click Apply Mitigations, and then in the Mitigate AppCompat Issues
dialog box, click Apply.
4. Close the Standard User Analyzer window.

5. Close the Compatibility Monitor window.
6. In the Upload Required window, click Yes.

When you have finished the lab, revert all virtual machines back to their initial state:
3. In the Revert Virtual Machines dialog box, click Revert.
Results: After completing this exercise, you will have mitigated application compatibility issues by using
Microsoft Application Compatibility Toolkit (ACT).
L4-13
Module 4: Planning and implementing user state migration

Lab: Planning and implementing
user state migration
Exercise 1: Planning for user state migration
 Task 1: Complete the USMT Planning Job Aid

• Based on the information in the email, you should be able to complete the User State Migration Tool
(USMT) Planning Job Aid that is in the lab scenario.
Migration scenario PC Refresh PC Replace
PC Replace X
Which operating Windows 7 32 bit Windows 7 64 bit

system are you
from?
Windows 8 32 bit
64 bit
Windows 8.1 32 bit
64 bit

system are you
to?
Windows 8 32 bit
64 bit
Windows 8.1 32 bit
64 bit
Windows 10 64 bit Windows 10 64 bit

L4-14 Planning and implementing user state migration
Migration store type Local store
Remote store X
Encrypted
Compressed X
Hard-link
Accounts to be Local accounts X Do not migrate local

migrated admin
Domain accounts X
Application settings to
be migrated
Custom folders to be C:\ResearchApps

migrated
Are there encrypted Yes X Should be migrated

files? without decryption
No
Operating system Shared video Should not be migrated

settings to be
migrated Shared music Should not be migrated
Shared pictures Should not be migrated
XML files to use in the Config.XML X

migration
MigApp.XML X
MigUser.XML X
Custom.XML file X Folders.XML

Results: After completing this exercise, you will have planned for user state migration.
Exercise 2: Creating and customizing USMT XML files

 Task 1: Create a Config.xml file
2. Click Start, type cmd, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
Net Use F: \\LON-DC1\USMT
4. At the command prompt, type F:, and then press Enter. Type the following command and press Enter:
scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
The creation of the Config.xml file will begin. This can take several minutes to complete.
5. At the command prompt, type notepad config.xml, and then press Enter.
6. To exclude Shared Video, under the Documents node, modify the line to match the following code:
component displayname="Shared Video" migrate="no"
7. Under the Documents node, modify the line to match the following code:
component displayname="Shared Music" migrate="no"
8. Under the Documents node, modify the line to match the following code:
component displayname="Shared Pictures" migrate="no"
 Task 2: Create a custom migration XML file

1. At the command prompt, type notepad folders.xml, and then press Enter.
2. Maximize the Notepad window. This is a custom XML file that migrates a specific folder called
ResearchApp to the destination computers.
3. Change the variable <Foldername> to ResearchApp. The entire line should read as follows:
<pattern type= "File">C:\ResearchApp\* [*]</pattern>
Results: After completing this exercise, you will have created and customized XML files to use with the
User State Migration Tool (USMT).
L4-16 Planning and implementing user state migration
Exercise 3: Capturing and restoring a user state by using the USMT

 Task 1: Create user state for a research user on the source computer
2. Right-click on the Desktop, click New, and then select Text document. Name the text file
Allies file.txt.
3. Open Windows Explorer, and then navigate to the C:\Users\Public\Public Pictures folder.
4. Click New folder on the toolbar, and then name the folder Our pictures.
 Task 2: Capture a user state from a source computer

2. Click Start, type cmd, and then press Enter.
3. If necessary, change to drive F.

4. At the command prompt, type the following, and then press Enter:
Scanstate \\LON-DC1\MigrationStore /i:migapp.xml /i:miguser.xml /i:folders.xml

/config:config.xml /o /efs:copyraw /ue:%computername%\LocalAdmin
 Task 3: Restore user state to the destination computer

2. From the Start menu, type cmd, and then press Enter.
3. At the command prompt, type Net Use F: \\LON-DC1\USMT, and then press Enter.
4. At the command prompt, type F:, and then press Enter.
Loadstate \\LON-DC1\MigrationStore /i:migapp.xml /i:miguser.xml /i:folders.xml

/lac:Pa$$w0rd /lae
6. When the LoadState task completes, sign out of LON-CL1.
 Task 4: Verify that user state migration is successful

2. Verify that the Allies file.txt exists on the desktop.
3. Open File Explorer, and then navigate to the C:\Users\Public\Public Pictures folder.
4. Verify that the Our pictures folder has not been migrated.
5. Navigate to the C:\ folder.
6. Verify that the C:\ResearchApp folder has been migrated.
9. From the Start menu, type cmd, and then press Enter.
Net user
11. Verify that DBService is listed, while LocalAdmin is not, in the list of local users on LON-CL1.
12. If DBService is not listed, then right-click the Windows button on the taskbar and click Computer
Management. Expand Local Users and Groups and click Users. DBService should be listed here.

When you are finished with the lab, revert all virtual machines to their initial state:
4. Repeat the steps for 20695C-LON-CL1 and 20695C-LON-CL3.
Results: After completing this exercise, you will have captured and restored user state by using USMT.
L5-19
Module 5: Determining an image management strategy

Lab: Determining an image management
strategy
Exercise 1: Assessing business requirements to support an image
management strategy
 Task 1: Plan the image management strategy
Create an image management strategy that addresses the following questions:
• What types of images do you need: thick, thin, or hybrid?
Answers might vary. However, hybrid images seem to be the best solution, because there are
applications that apply to multiple users.
• How will you address the applications that your users utilize within the company?
Answers will vary, but could include installing Microsoft Office in the images and installing all other
applications during or after the operating system deployment.
• How many images and .wim files will you require?
Answers will vary, but could include one Windows image file (.wim file) for Windows 8.1 64-bit and
one .wim file for Windows 10 64-bit operating systems. A .wim file for Windows 7 32-bit operating
system needs to be available for the Sydney location. Each .wim file contains multiple images, one for
each language pack. When you must reimage current systems, you will upgrade them to Windows 10.
• How will you address multiple vendor models?
Answers will vary, but could include using only hardware that supports Plug and Play, unless there are
no alternatives. Stage any common drivers in the Plug and Play store and make any other drivers
available during installation. Additionally, you should replace any systems that do not support Plug
and Play when you require a new image.
• What will you include in the image?
Answers will vary, but could include language packs, common applications, and Plug and Play drivers.
• How will you address driver requirements?
Answers will vary, but could include installing boot-critical drivers in the image and installing other
Plug and Play drivers during operating system deployment.
• How will you address storage considerations for the image-management strategy?
Answers will vary, but could include reducing the number of images in use and taking advantage of
the single instancing in .wim files.
• How will you maintain changes within the images?
Answers will vary, but should include a combination of offline and online servicing.
L5-20 Determining an image management strategy
 Task 2: Discuss the suggested proposals

• Discuss the suggested proposals.
Results: After completing this exercise, you should have identified requirements and then planned an
image management strategy.
L6-21
Module 6: Preparing for deployments by using the

Windows ADK
Lab A: Preparing the imaging and
Windows PE environment
Exercise 1: Configuring a custom Windows PE environment
 Task 1: Set up the Windows PE build environment
1. On LON-CFG, open the Start screen, type Deployment, right-click Deployment and Imaging Tools
Environment, and then click Run as administrator.
2. In the Administrator: Deployment and Imaging Tools Environment window, create the directory
structure by typing the following command, and then pressing Enter:
3. Minimize the Deployment and Imaging Tools Environment window.
4. Click File Explorer on the taskbar.
5. In the navigation pane, expand Allfiles (E:), expand WinPE64, expand Media, and then click
Sources.
Note: Note the size of the Boot.wim file. It will be 212,277 kilobytes (KB).
 Task 2: Mount the base Windows PE image
1. On the taskbar, double click the Windows PowerShell icon.
Note: The version of Deployment Image Servicing and Management (DISM) tool installed
with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 is not the
same as the version in the default Windows PowerShell console (version: 6.3.9600.16384). You
must add the correct DISM module for the current version of Windows ADK. The reason this is so
is the version that is in Windows PowerShell is for Windows Server 2012 R2, while the version in
the latest Windows ADK is for Windows 10.

L6-22 Preparing for deployments by using the Windows ADK
3. In the Administrator: Windows PowerShell window, mount the Boot.wim image by typing the
following command, and then pressing Enter:

E:\Winpe64\Mount
 Task 3: Add drivers and optional components to the Windows PE image

1. To add the Microsoft Hyper-V drivers to the Windows PE image, type the following command, and
then press Enter:

-Recurse -ForceUnsigned
Note: The third-party drivers you injected into the image will be listed. Confirm that the
last one on the list has a Published Name of oem9.inf.
2. To add support for the Windows PowerShell command-line interface to the Windows PE image, type
the following commands, and then press Enter after each:
CD “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment kit\Windows

preInstallation Environment\amd64\WinPE_OCs”
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-NetFX.cab
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-WMI.cab
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-PowerShell.cab
Add-WindowsPackage –Path E:\winpe64\mount –PackagePath .\WinPE-DismCmdlets.cab
Note: Each Add-WindowsPackage cmdlet might take several minutes.
Note: To avoid syntax errors, copy and paste the commands from the
E:\Labfiles\Mod06\Mod06_DISM_Powershell.txt file into the Windows PowerShell command
prompt.
Note: After each Windows PowerShell cmdlet, ensure that the operation completes
successfully.
 Task 4: Save changes and dismount the image

1. Commit the changes to the Windows PE image by typing the following command, and then pressing
Enter:
2. Use File Explorer to view the contents of the E:\Winpe64\media\Sources folder. Note the new size
of the Boot.wim file.
3. Close File Explorer and Windows PowerShell.

 Task 5: Create Windows PE media

1. To create an International Organization for Standardization (ISO) image of the Boot.wim that you can
use to create boot media, restore the Deployment and Imaging Tools Environment window, and then
run the following commands, pressing Enter after each command:
MD E:\BootISO
MakeWinpeMedia /iso E:\Winpe64 E:\BootISO\WinPEx64.iso
2. Use File Explorer to open the E:\BootISO folder, and then ensure that the WinPEx64.iso file was
created.

Leave the virtual machines running for the next lab. Do not revert.
Results: After completing this exercise, you should have customized the Windows Preinstallation
Environment (Windows PE) image and created an .iso file of the image.
Lab B: Building a reference image by using

Windows SIM and Sysprep
Exercise 1: Building custom answer files by using Windows SIM
 Task 1: Create a new answer file, on a virtual floppy disk, by using Windows SIM
1. In the 20695C-LON-CFG virtual machine connection window, click Media, point to Diskette Drive,
and then click Insert Disk.
2. Navigate to D:\Program Files\Microsoft Learning\20695\Drives, select the reference.vfd file, and

then click Open.
3. On LON-CFG, on the taskbar, click File Explorer. Right-click Floppy Disk Drive (A:), and then click
Format.
4. In the Format Floppy Disk Drive (A:) window, click Start.
5. In the Format Floppy Disk Drive (A:) warning window, click OK.
6. In the Format Floppy Disk Drive (A:) Format Complete window, click OK.
7. In the Format Floppy Disk Drive (A:) window, click Close.
9. Open the Start screen, and then type Windows System. Locate and click Windows System Image
Manager from the list.
10. In Windows System Image Manager, click File, and then click Select Windows Image.
11. In the Select a Windows Image dialog box, browse to the E:\sources folder, select install.wim, and
then click Open.
12. In the Windows System Image Manager message box, click Yes. The catalog creation will take a
few minutes.
13. In the Answer File pane, right-click Create or open an answer file, and then click Open Answer File.
14. In the Open dialog box, browse to the E:\Labfiles\Mod06 folder, select
Autounattend_x64_BIOS_sample.xml, and then click Open.
15. In the Windows System Image Manager pop-up window, click Yes to associate the answer file with
the image.
16. In the Windows System Image Manager, click File, and then click Save Answer File As.
17. In the Save As dialog box, click This PC, double-click Floppy Disk Drive (A:), in the File name field,
type Autounattend, and then click Save.
 Task 2: Add and configure component and component settings

1. In the Answer File pane, expand 1 WindowsPE, expand amd64_Microsoft-Windows-
Setup_neutral, select UserData, and then in the FullName field, type your name. In the
Organization field, type Adatum.
2. Expand UserData, right-click ProductKey, click Delete, and then click Yes.
3. In the Windows Image pane, expand Components, right-click amd64_Microsoft-Windows-

UnattendedJoin_10.0.10586.0_neutral, and then click Add Setting to Pass 4 specialize.
4. In the Answer File pane, under 4 specialize, select amd64_Microsoft-Windows-Shell-

Setup_neutral. In the ComputerName field, type Reference.
5. Expand amd64_Microsoft-Windows-Shell-Setup_neutral, right-click and delete the

OEMInformation component, and then click Yes.
Note: In the list of component names, note that after amd64_Microsoft-Windows, the
rest of the component name is alphabetically listed.
6. Under 4 specialize, expand amd64_Microsoft-Windows-UnattendedJoin__neutral, select

Identification, and then in the JoinWorkgroup field, type imaging.
7. In the Windows Image pane, under Components, right-click amd64_Microsoft-Windows-

International-Core_10.0.10586.0_neutral, and then click Add Setting to Pass 7 oobeSystem.
8. In the Windows Image pane, under Components, expand amd64_Microsoft-Windows-Shell-

Setup_10.0.10586.0_neutral, right-click OOBE, and then click Add Setting to Pass 7 oobeSystem.
9. In the Windows Image pane, under amd64_Microsoft-Windows-Shell-

Setup_10.0.10586.0_neutral, expand UserAccounts, right-click AdministratorPassword, and then
click Add Setting to Pass 7 oobeSystem.
10. In the Windows Image pane, under amd64_Microsoft-Windows-Shell-

Setup_10.0.10586.0_neutral, User Accounts, expand LocalAccounts, right-click LocalAccount, and
then click Add Setting to Pass 7 oobeSystem.
11. In the Answer File pane, under 7 oobeSystem, select amd64_Microsoft-Windows-International-

Core_neutral. In the InputLocale, UILanguage and UserLocale fields, type en-us.
12. In the Answer File pane, under 7 oobeSystem, select amd64_Microsoft-Windows-Shell-

Setup_neutral.
13. In the TimeZone field, type Pacific Standard Time.
14. Select OOBE, in the HideEULAPage line, click the drop-down list, and then select true.
15. In the NetworkLocation line, click the drop-down list, and then select Work.
16. Expand UserAccounts, select AdministratorPassword, right-click the Value label, and then select
Write Empty String.
17. Expand LocalAccounts, and then select LocalAccount. In the DisplayName field, type your full
name. In the Group field, type Administrators, and then in the Name field, type your first name.
18. Expand LocalAccount[Name=”yourname”], select Password, and then in the Value field, type
Pa$$w0rd.
19. In the Windows Image pane (directly beneath Components), expand Packages, expand Foundation,
right-click amd64_Microsoft-Windows-Foundation-Package_10.0.10586.0, and then click Add to
Answer File.
20. In the Answer File pane, expand Packages, expand Foundation, and then select amd64_Microsoft-
Windows-Foundation-Package_10.0.10586.0.
21. In the Microsoft-Windows-Foundation-Package Properties pane, expand Microsoft-Hyper-V-All,

right-click Microsoft-Hyper-V-Tools-All, and then click Enable Parent Features. If the Windows
System Image Manager dialog box opens, click Yes.
22. Expand Microsoft-Hyper-V-Tools-All, and then enable Microsoft-Hyper-V-Management-Clients

and Microsoft-Hyper-V-Management-PowerShell.
 Task 3: Validate and save the answer file

1. In the Windows System Image Manager, click Tools, and then click Validate Answer File.
Note: You will see warnings that say The setting has not been modified. It will not be
saved to the answer file. You will also see a warning that the Setting NetworkLocation has
been deprecated in the Windows image. You can ignore these warnings.
2. In the Windows System Image Manager, click File, and then click Save Answer File.
3. In the Windows System Image Manager, click File, and then click Close Answer File.
 Task 4: Create an answer file to preserve the profile

1. In Windows System Image Manager, click the File menu, and then click New Answer File.
2. In the Windows Image pane, expand Components, right-click amd64_Microsoft-Windows-Shell-

Setup__10.0.10586.0_neutral, and then click Add Setting to Pass 4 specialize.
3. In the Answer File pane, select the Components\4_specialize\amd64-Microsoft-Windows-Shell-

Setup_neutral folder.
4. In the Microsoft-Windows-Shell-Setup Properties pane, in the Settings section, set the value of
CopyProfile to true.
5. Click File, and then click Save answer file as.
6. In the Save As dialog box, ensure you are still saving to the Floppy Disk Drive (A:). In the File name
field, type CopyProfile, and then click Save.
7. Click File, and then click Exit to close Windows System Image Manager.
8. In the 20695C-LON-CFG window, click Media, point to Diskette Drive, and then click Eject
Reference.vfd.
Results: After completing this exercise, you should have created an answer file on a virtual floppy disk by
using Windows System Image Manager (Windows SIM), added components and packages to the answer
file, and validated and saved the answer file.
Exercise 2: Installing a reference computer by using a custom answer file

 Task 1: Mount the Windows 10 media, and start the unattended installation
1. In Hyper-V Manager, double-click 20695C-LON-REF1.
2. In the 20695C-LON-REF1 window, click Media, point to Diskette Drive, and then click Insert Disk.
3. Browse to D:\Program Files\Microsoft Learning\20695\Drives. Select the reference.vfd file, and

then click Open.
4. In the 20695C-LON-REF1 window, click Media, point to DVD Drive, and then click Insert Disk.
5. Browse to D:\Program Files\Microsoft Learning\20695\Drives, select Win10TH2Ent_Eval.iso, and

then click Open.
Note: The installation can take 30 minutes.
 Task 2: Verify that answer file settings have applied

1. Once the installation has completed, in the Get going fast page window, click Use express settings.
2. Sign in to LON-REF1 by using the local account you provided in the answer file. If the Networks
configuration window opens, click No.
3. In the Start search bar, type Hyper-V. The search results should include the Hyper-V Manager
feature you added.
4. Right-click the Start button and select Control Panel.

5. Click the View by drop-down list box, and then select Small icons.
6. In the Control Panel, click System.
7. Read the listings in the System window. In Computer name, domain and workgroup settings, you
should see that the Computer name is Reference and the Workgroup is imaging.
8. Right-click the Start button, and then click Computer Management.
9. In Computer Management, expand Local Users and Groups, and then select the Users container.
Note: Your user account displays the full name and description that you entered in the
answer file.
10. Double-click your user account, and then click the Member Of tab. You should see that your account
is a member of the Administrators group. Click Cancel to close the window.
11. In Computer Management, click Disk Management. You should see the System partition is 350
megabyte (MB).
13. In the 20695C-LON-REF1 window, click Media, click DVD Drive, and then click Eject
Win10TH2Ent_Eval.iso.ISO.
Results: After completing this exercise, you should have mounted the Windows 10 media, performed an
unattended installation, and verified that the answer-file settings were applied.
Exercise 3: Customizing your image in the audit mode and preserving the
profile changes by using Sysprep
 Task 1: Boot into the audit mode and configure changes as required
1. On LON-REF1, right-click the Start button, and then click Run.
2. Type \\LON-CFG\E$\Software, click OK, and in the Enter network credentials dialog box, type
Adatum\Administrator in the User name field, and then type Pa$$w0rd in the Password field.
3. Select the Remember my credentials check box, and then click OK.
4. Double-click the Office Viewers folder, double-click the PPTViewer folder, and then double-click
PowerPointViewer.exe.
5. In the User Account Control dialog box, click Yes.
6. Select the Click here to accept the Microsoft Software License Terms check box, and then click
Continue.
7. In the Microsoft PowerPoint Viewer Setup window, click Next, and then click Install.
8. When installation completes, click OK.
10. Right-click the Start button, and then select Command Prompt, (admin).
11. In the User Account Control dialog box, click Yes.
12. In the Administrator: Command Prompt window type the following and then press Enter:
CD Sysprep
13. In the Administrator: Command Prompt window type the following and then press Enter:
Sysprep /audit /reboot
14. After the reboot, LON-REF1 will sign in as the Administrator automatically, by using a blank
password. This will take 5–10 minutes to complete. Ignore the Sysprep dialog box for the time being.
15. Right-click the Start button and select Control Panel.

16. Click the View by drop-down list box, and then select Small icons.
17. In the Control Panel, click System.
18. In the System window, click Advanced system settings.
19. In the System Properties dialog box, click Advanced, and then in the User Profiles section, click
Settings.
20. Select the profile for your user account, and then click Delete. In the Confirm Delete dialog box,
click Yes.
21. In the User Profiles dialog box, click OK.
22. In the System Properties dialog box, click OK.

23. Right-click the Start button, click Computer Management, expand Local Users and Groups, and
then select Users.
24. Right-click your user account, and then click Delete.
25. In the Local Users and Groups pop-up window, click Yes, and then click OK.
26. Close all open windows, including the System Preparation Tool 3.14 dialog box.
27. Click the Start button, and then click All Apps.
28. Locate and right-click Microsoft PowerPoint Viewer, and then click Pin to Start. Verify that it
appears on the Start screen.
29. Return to All Apps. Expand Windows Accessories, right-click Snipping Tool, expand More, and
then click Pin to taskbar.
30. Press the Esc key to go to the desktop, and then verify that the Snipping Tool appears on the taskbar.
 Task 2: Run Sysprep with the /generalize, /oobe, /shutdown, and /unattend switches
1. On LON-REF1, right-click the Start button, and then select Command Prompt (admin).
2. At the Administrator: Command Prompt window, type the following, and then press Enter:
CD C:\Windows\System32\Sysprep
3. At the Administrator: Command Prompt window, type the following command, and then press Enter:
Sysprep /generalize /oobe /shutdown /unattend:A:\copyprofile.xml
Note: After completing this step, you might see an error message that states A fatal error
occurred while trying to sysprep the machine. This is due to a corrupt CopyProfile.xml file
being saved to the floppy disk. To address this issue, redo the “Create an answer file to preserve
the profile” lab task from Exercise 1. Save the answer file to the floppy disk as indicated.

Keep all virtual machines in their current state for the next lab. Do not revert them.
Results: After completing this exercise, you should have the Windows 10 reference system generalized
and ready for imaging.
Lab C: Capturing and servicing a

reference image
Exercise 1: Capturing a reference system image
 Task 1: Boot the reference computer by using Windows PE
2. In the 20695C-LON-REF1 window, click Media, point to DVD Drive, and then click Insert Disk.
3. Browse to D:\Program Files\Microsoft Learning\20695\Drives, select WinPEx64.iso, and then

click Open.
4. Start 20695C-LON-REF1. When prompted, hit a key to start from the DVD.
 Task 2: Use Diskpart to assign a drive letter

1. From the command prompt, type Diskpart, and then press Enter.
2. From the Diskpart prompt, type the following commands, pressing Enter after each one:
Select disk 0
List partition
Select partition 2
Assign letter R
Exit
 Task 3: Use DISM to capture the reference image to the shared network folder
Net Use G: \\LON-CFG\E$\images /User:Adatum\Administrator
2. When prompted, type the password Pa$$w0rd. Ensure that the command completes successfully.
DISM /Capture-Image /Imagefile:G:\Win10.wim /CaptureDir:R:\ /Name:”Adatum Windows 10”
Note: For a few minutes, the cursor will continue to sit at the prompt, but then the image
save will begin. At that point, you can shut down the virtual machine. Also, be careful if you copy
and paste the above command, as the quotation marks around the “Adatum Windows 10” might
be changed in the command prompt window.
4. In the 20695C-LON-REF1 window, click Action, and then click Revert.

5. In the Revert Virtual Machine dialog box, click Revert. Do not revert the other virtual machines.
Results: After completing this exercise, you should have booted the reference machine into your
customized Windows PE image, used Diskpart to assign a drive letter, and used DISM commands to
capture the image to the shared network folder.
Lab D: Using the Windows ICD

Exercise 1: Create a provisioning package
 Task 1: Create a new provisioning package for all Windows 10 editions
1. On LON-CFG, click the Start button, type Windows in the search box, and then click Windows
Imaging and Configuration Designer from the search results list.
2. On the Windows ICD Start page, click the New provisioning package icon.
3. In the New Project Wizard, on the Enter project details page, in the Name field, type LabDPP.
4. In the Project folder location, click Browse.
5. In the Browse for Folder dialog box, select the Allfiles (E:) drive, and then select Images.
6. Click Make New Folder, and in the text box, type WICD. Ensure that WICD is selected, and then click
OK. In the Description area, type Provisioning Package for Lab D, and then click Next.
7. On the Choose which settings to view and configure page, select Common to all Windows
desktop editions, and then click Next.
8. On the Import a provisioning package (optional) page, click Finish. This creates the new LabDPP
project and the LabDPP customization page will open.
 Task 2: Use the Windows ICD to add the designated customizations

1. On LON-CFG, with the Windows ICD console still open, in the Available customization pane, note the
View drop-down list. Ensure that All settings is selected.
2. Expand the Deployment Assets console tree item, and then select Driver Set.
3. In the Drivers Set details pane, click Browse, in the Browse For Folder window, navigate to Allfiles
(E:)\Software\Drivers\point64, and then click OK.
4. In the Driver Set details pane, in the Name field, type IntelliPoint Drivers, and then click Add.
5. In the Runtime settings console tree item, select and expand Folders, and then select
PublicDocuments.
6. In the details pane, click Browse. In the Open dialog box, navigate to Allfiles (E:)\Labfiles\Mod06,
select Mod06_DISM_Powershell.txt, and then click Open.
7. In the Relative path to directory on target device field, type AdatumData, and then click Add.
 Task 3: Save the provisioning package to LON-CFG

1. In the ribbon, click the Export item, and then in the context menu, click Provisioning package.
2. In the Build window, under Owner, in the OEM drop-down list, change the value to IT Admin, and
then click Next.
3. On the Select security details for the provisioning package page, click Next.
4. On the Select where to save the provisioning package page, in the text box, type
\\lon-cfg\e$\images\labDpp.ppkg, and then click Next.
5. On the Build the provisioning package page, click Build, and then click Finish.
6. In the Windows Imaging and Configuration Designer console, click the File menu item, and then
select Close project in the context menu.
7. On the taskbar, open File Explorer.

8. In File Explorer, in the address bar, type E:\Images.
9. Note the file named labDpp.ppkg.
Results: After completing this exercise, you should have created a provisioning image and stored it in a
networkshared folder location.
Exercise 2: Creating a Windows 10 deployment package

 Task 1: Create a new Windows image customization
1. On LON-CFG, in the Windows ICD Start page, click the New Windows image customization icon.
2. In the New Project Wizard, on the Enter project details page, in the Name field, type LabDBuild.
3. In the Project folder location, click Browse.
4. In the Browse for Folder dialog box, select the Allfiles (E:) drive, and then select Image.
5. Under Images, click WICD.

6. Click Make New Folder, in the text box, type LabDBuildIMG, ensure that WICD is selected, and then
click OK.
7. In the Description area, type Create a Windows 10 Desktop image for Lab D, and then click Next.
 Task 2: Import the .wim image

1. On the Select imaging source format page, note that the only selection available is The Windows
image is based on a Windows image (WIM) file, which is already selected. Click Next.
2. While still in the New Project Wizard, on the Select image page, click Browse, and in the Open
dialog box, select Allfiles (E:)\Sources. Select the Install.wim file, and then click Open.
3. Note that there is only one available image on install.wim. Click Next.
 Task 3: Import the provisioning package

1. While still in the New Project Wizard, on the Import a provisioning package (optional) page, click
Browse.
2. In the Open dialog box, navigate to \\lon-cfg\e$\images.
3. Select the labDpp.ppkg file that you created earlier, click Open, and then click Finish.
4. In the Import Successful dialog box, click OK.
 Task 4: Create a Full Flash Update (FFU) image and save it to LON-CFG
1. In the Windows ICD console, from the ribbon, click the Create menu, and then select Clean install
media. This will open the Build Wizard.
2. On the Select the image format to build page, select FFU, and then click Next.
3. On the Select where to save the files page, in the text box, type E:\Images\WICD\LabDBuildIMG
\LabDBuild.ffu, and then click Next.
4. On the Build the Windows image page, make note of the selected options, and then click Build.
5. The build step begins. Note the progress bar on the Build the Windows image page. It will take
several minutes to build the FFU file.
6. On the All done! page, click Finish.
7. While still on LON-CFG, open File Explorer.
8. Navigate to Allfiles (E:)\Images\WICD\LabDBuildIMG.
9. Examine the folder contents. You should see the LabDBuild.ffu file. You can export the .ffu file to a
USB removable drive or a secure digital card (SD card) for deployment to a Windows 10 desktop.

following steps:
4. Repeat steps 2 and 3 for 20695C-LON-CFG.
Results: After completing this exercise, you should have created the Windows 10 FFU image to meet the
deployment requirements for the IT department.
L7-35
Module 7: Supporting PXE-initiated and multicast operating

system deployments
Lab: Configuring Windows DS to support

PXE and multicast operating system
deployments
Exercise 1: Planning the Windows DS environment
 Task 1: Read the supporting documentation and complete the design table
• Based on the information in the email you should be able to complete the Windows DS Configuration
Job Aid that is located in the exercise scenario in the student manual.
Server on which to LON-DC1

install Windows DS
Drive and folder to E:\RemoteInstall

save images to
Windows DS AD Y
installation mode
Stand-alone N
Additional options to Option 60 Y

set in DHCP
Option 66 Y 172.16.0.10
Option 67 Y boot\x64\pxeboot.com
Deploy to which Unknown Y

clients
Known Y
Require administrator N
approval
Join clients to Yes Y

domain
No
L7-36 Supporting PXE-initiated and multicast operating system deployments
Location for Domain Adatum.com domain

computer accounts
in AD OU London Clients OU
Computer naming Default Windows DS Y

format
Other, specify N
Should multicast be No
supported and if yes,
how should it be Yes 1 speed N
configured
2 speeds N
3 speeds Y
DHCP multicast N
scope
Windows DS default Y
Results: After completing this exercise, you should have filled out the table that leads to a design concept
for the Windows DS deployment to support multiple subnets within the organization. Be sure that the
plan also covers Windows DS configuration requirements.
Exercise 2: Installing and configuring the Windows DS server role

 Task 1: Install the Windows DS server role
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open Windows PowerShell as an administrator.
3. Run the following command to install the Windows DS role and the management tools:
Install-WindowsFeature –Name WDS –IncludeManagementTools
4. Close Windows PowerShell.
 Task 2: Configure Windows DS

1. In Server Manager, in the Tools menu, click Windows Deployment Services.
2. In the Windows Deployment Services console, expand Servers, right-click LON-DC1.Adatum.com,

and then click Configure Server.
3. Click Next.
4. Ensure that Integrated with Active Directory is selected, and then click Next.
5. Type E:\RemoteInstall as the path, and then click Next.
6. Ensure that both check boxes are selected, and then click Next.
7. Click the Respond to all client computers option, and then click Next.
8. Notice if an error message appears before you click Finish. If you received a message stating “The
service did not respond to the start or control request in a timely fashion”, then right-click
LON-DC1.Adatum.com, click All Tasks, and then click Start. Click OK.
9. Right-click LON-DC1.Adatum.com, and then click Properties.
10. Click the AD DS tab, and then click the The following location option. Click Browse, expand
Adatum and then click the London Clients OU, and then click OK.
11. Click the Multicast tab, and then in the Transfer settings area, click the Separate clients into three
sessions (slow, medium, fast) option.
12. Click OK.
 Task 3: Add images to Windows DS

1. In Hyper-V Manager, double-click 20695C-LON-DC1.
2. In the 20695C-LON-DC1 window, click Media, point to DVD Drive, and then click Insert Disk.
3. Browse to D:\Program Files\Microsoft Learning\20695\Drives, select Win10TH2Ent_Eval.iso, and
then click Open.
4. In the Windows Deployment Services console, in the console tree, expand LON-DC1.Adatum.com.
5. Right-click Boot Images, and then click Add Boot Image.
6. In the Add Image Wizard, on the Image File page, click Browse.
7. In the Select Windows Image File dialog box, in the navigation pane, expand This PC, double-click
DVD Drive (D:), double-click sources, and then double-click boot.wim.
8. On the Image File page, click Next.
9. On the Image Metadata page, click Next.

11. On the Task Progress page, click Finish.
12. In the Windows Deployment Services console, right-click Install Images, and then click Add Image
Group.
13. In the Add Image Group dialog box, in the Enter a name for the image group text box, type
Windows 10, and then click OK.
14. In the Windows Deployment Services console, right-click Windows 10, and then click Add Install
Image.
15. In the Add Image Wizard, on the Image File page, click Browse.
16. In the File name text box, type D:\sources\install.wim, and then click Open.
17. On the Image File page, click Next.
18. On the Available Images page, click Next.
20. On the Task Progress page, click Finish.

L7-38 Supporting PXE-initiated and multicast operating system deployments
 Task 4: Configure multicast transmission

1. In the Windows Deployment Services console, click Windows 10, right-click Windows 10 Enterprise
Evaluation, and then click Create Multicast Transmission.
2. In the Create Multicast Transmission Wizard, on the Transmission Name page, type London
MultiCast. Click Next.
3. On the Multicast Type page, click Next.
4. On the Operation Complete page, click Finish.
5. In the Windows Deployment Services console, in the console tree, expand Multicast Transmissions,
click London Multicast, and then check that no clients are connected.
 Task 5: Deploy Windows 10 via multicast

2. In the 20695C-LON-REF1 window, click File, and then click Settings.
3. Click BIOS in the Hardware section, and then in the Startup Order list, click the Legacy Network
Adapter.
4. Click Move Up twice or until Legacy Network Adapter is at the top of the list.
5. Click OK.
6. In the 20695C-LON-REF1 window, click Action, and then click Start.
7. When prompted, press F12 to PXE boot.
8. In the Windows Setup window, click Next.

9. In the Connect to LON-DC1.Adatum.com window, sign in as Adatum\Administrator with the
password Pa$$w0rd.
10. On the Select the operating system you want to install page, click Next.
11. On the Where do you want to install Windows page, click OK to dismiss the Windows Setup
dialog box, and then click Next.
12. When the Installing Windows page appears and the installation begins, switch to LON-DC1.
13. In the Windows Deployment Services console, click the Refresh button on the toolbar. Notice that
one client is connected.
Note: At this point, you can end the lab.


4. Repeat steps 2 and 3 for 20695C-LON-REF1.
Results: After completing this exercise, you should have deployed and configured Windows DS to support
the imaging environment. You will have also performed a Windows DS multicast deployment of
Windows 10.
L8-41
Module 8: Implementing operating system deployment by

using the MDT
Lab: Operating system deployment
using the MDT
Exercise 1: Planning for the MDT environment
• Read the lab scenario, including the email exchange between Cora Bauer and Robert Bevins.
 Task 2: Update the MDT planning job aid

• Fill in the following worksheet:
Question Answer
Where will you store your distribution LON-SVR1

files?
What is your imaging and source-file Use the Windows 10 source files on LON-DC1 to
strategy? create a custom Windows 10 image on the
deployment server
Will you deploy the image from You will create custom images
Windows media, or will you create
custom images?
Will you need to create custom boot Yes, for Windows DS

images?
How will you deploy applications? You will not deploy any at this time
Are you going to migrate user-state No

settings?
Do you want to back up the No

computers prior to deployment?
Do you want to use Windows Not at this time

BitLocker Drive Encryption?
Will you deploy 32-bit, 64-bit, or both 64 bit only

types of operating systems?
Will you deploy multiple editions of No

the Windows operating system?
L8-42 Implementing operating system deployment by using the MDT
Question Answer
What deployment scenarios are you The current scenario is to deploy to new computers
planning? only
Results: Students will have a plan that outlines how they will configure MDT at the London location
Exercise 2: Installing MDT 2013 Update 2, and addressing MDT

prerequisites
 Task 1: Install MDT 2013 Update 2
1. On LON-SVR1, on the taskbar, click File Explorer.
2. In the File Explorer address bar, type \\LON-DC1\Labfiles\MDT2013, and then press Enter.
3. Right-click MicrosoftDeploymentToolkit2013_x64.msi, and then click Install.
4. In the Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000), on the Welcome page, click
Next.
5. On the End-User License Agreement page, select the I accept the terms in the License
Agreement check box, and then click Next.
6. On the Custom Setup page, click Next.

7. On the Customer Experience Improvement Program page, ensure the I don’t want to join the
program at this time option is selected, and then click Next.
8. On the Ready to Install Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000) page,
click Install.
9. On the Completed the Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000) Setup
Wizard page, click Finish.
 Task 2: Add the Windows ADK prerequisite files

1. In File Explorer, in the address bar, type \\LON-DC1\Labfiles\WADK, and then press Enter.
2. Right-click adksetup.exe, and then click Run as administrator. When prompted to add or remove
features, click Continue.
3. On the Select the features you want to change page, select the check boxes next to Deployment
Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tool
(USMT). Deselect the check box for Volume Activation Management Tool (VAMT), and then click
Change.

4. When the installation is complete, on the Welcome to the Assessment and Deployment Kit -
Windows 10 page, click Close.
Results: After completing this exercise, you should have installed MDT 2013 Update 2 and Windows ADK
for Windows 10 on the technician server.
Exercise 3: Creating and configuring the deployment share

 Task 1: Open the deployment workbench, and create a deployment share
1. On LON-SVR1, open the Start screen, click the circled down arrow key, and then click Deployment
Workbench NEW.
2. In the Deployment Workbench console, right-click Deployment Shares, and then click New
Deployment Share.
3. In the New Deployment Share Wizard, on the Path page, take note of the default path, and then click
Next.
4. On the Share page, take note of the default share name, and then click Next.
5. On the Descriptive Name page, click Next.
6. On the Options page, click Next.

8. On the Confirmation page, click Finish.
 Task 2: Add operating system files to the deployment share

1. On LON-SVR1, in the 20695C-LON-SVR1 on localhost – Virtual Machine Connection window, click
Media, point to DVD Drive, and then click Insert Disk.
2. In the Open dialog box, browse to D:\Program files\Microsoft Learning\20695\Drives.
3. Click Win10TH2Ent_EVAL.iso, and then click Open.
4. In the Deployment Workbench, expand Deployment Shares, and then expand MDT Deployment
Share (C:\DeploymentShare). Right-click the Operating Systems folder, and then click Import
Operating System.
5. In the Import Operating System Wizard, on the OS Type page, select the Full set of source files
option, and then click Next.
6. On the Source page, in the Source directory text box, type D:\, and then click Next.
7. On the Destination page, in the Destination directory name text box, type Windows10x64, and
then click Next.

 Task 3: Add device drivers to the deployment share

1. In the Deployment Workbench, right-click the Out-of-Box Drivers node, and then click New Folder.
2. In the New Folder Wizard, on the General Settings page, in the Folder name text box, type
Intellipoint Drivers, and then click Next.

5. Expand Out-of-Box Drivers, select and right-click the Intellipoint Drivers folder, and then click
Import Drivers.
6. In the Import Driver Wizard, on the Specify Drivers page, in the Driver source directory text box,
type \\LON-DC1\Labfiles\Drivers\point64, and then click Next.
 Task 4: Create a task sequence to deploy and capture a reference computer

1. In the Deployment Workbench, right-click the Task Sequences node, and then select New Folder.
2. On the General Settings page, in the Folder name text box, type Windows 10, and then click Next.
5. Right-click the Windows 10 folder, and then click New Task Sequence.
6. In the New Task Sequence Wizard, on the General Settings page, in the Task sequence ID text box,
type LON-001.
7. In the Task sequence name text box, type Deploy Windows 10, and then click Next.
8. On the Select Template page, select the Standard Client Task Sequence from the task sequence
templates drop-down list box, and then click Next.
9. On the Select OS page, click Windows 10 Enterprise Evaluation Technical Preview in

Windows10x64 install.wim, and then click Next.
10. On the Specify Product Key page, click Do not specify a product key at this time, and then click
Next.
11. On the OS Settings page, in the Full Name text box, type adatum\Administrator. In the
Organization text box, type Adatum, and then click Next.
12. On the Admin Password page, in the Administrator Password and Please confirm Administrator
Password text boxes, type Pa$$w0rd, and then click Next.
15. Expand Task Sequences, click the Windows 10 node, right-click the Deploy Windows 10 task
sequence, and then click Properties.
16. In the Properties dialog box, click the Task Sequence tab.
17. Expand Preinstall, click Inject Drivers, and then from the Choose a selection profile drop-down list
box, click the Nothing selection.
18. Click OK to close the Deploy Windows 10 Properties window.

 Task 5: Modify the customsettings.ini file to store log files, and skip unused pages in
the deployment wizard
1. Right-click the MDT Deployment Share (C:\DeploymentShare), and then click Properties.
2. In the Properties dialog box, on the Rules tab, change the SkipComputerBackup=NO entry to
SkipComputerBackup=YES, and change the SkipBitLocker=NO entry to be SkipBitLocker=YES.
3. Add the following lines to the [Default] section, and then click OK:
o SkipUserData=YES
o SLShare=\\Lon-DC1\Labfiles\DeployLogs
 Task 6: Install and configure the Windows DS role

1. On the desktop, on the taskbar, right-click the Windows PowerShell icon, and then click Run as
Administrator.
2. In the Windows PowerShell window, type the following command, and then press Enter:
Install-WindowsFeature –Name WDS -ComputerName LON-SVR1 -IncludeManagementTools
3. Close the Windows PowerShell command window.
4. Open Server Manager, click the Tools drop-down list box, and then click Windows Deployment
Services.
5. In the left pane of the Windows Deployment Services snap-in, expand Servers.
6. Right-click LON-SVR1.adautm.com, and then click Configure Server.
7. On the Before you begin page, click Next.
8. On the Install options page, click Integrated with Active Directory, and then click Next.
9. On the Remote Installation Folder Locations page, choose the default path c:\RemoteInstall, and
then click Next.
10. In the System Volume Warning pop-up window, click Yes.
11. On the PXE Server Initial Settings page, click the Respond to all client computers (known and
unknown) option, and then click Next.
Note: This will complete the configuration of Windows DS.
12. When the configuration completes, clear the Add images to the server now check box, and then
click Finish.
13. In the Windows Deployment Services snap-in, in the details pane, right-click Install Images, and then
click Add Install Image.
14. In the Add Image Wizard, in the Create an image group named text box, type MDTImage, and
then click Next.
15. On the Image file page, click Browse, and in the Select Windows Image File pop-up window, browse
to C:\DeplaymentShare\Operating Systems\Windows10x64\Sources. Select Install.wim, click
Open, and then click Next.
16. On the Available Images page, click Next.
17. On the Summary page, click Next, and then click Finish.
Note: This process takes approximately five minutes to complete.
 Task 7: Configure and update the deployment share

1. Return to the Deployment Workbench, right-click the MDT Deployment Share
(C:\DeploymentShare), and then click Properties.
2. In the Properties dialog box, on the General tab, clear the x86 check box, and then select the
Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows
Deployment Services) check box.
3. Click the Windows PE tab and ensure that the Platform drop-down list box displays x86. Clear the
Generate a Lite Touch bootable ISO image check box, and then click OK.
4. Right-click MDT Deployment Share (C:\DeploymentShare), and then click Update Deployment
Share.
5. In the Update Deployment Share Wizard, on the Options page, click Next.
Note: This update takes approximately 10 to 15 minutes to complete.
8. Return to the Windows Deployment Services, and click the Multicast Transmission folder. Ensure
that a multicast transmission named MDT Share DeploymentShare$ auto-cast transmission has
been created.
Results: After completing this exercise, you should have ensured that the deployment share is ready
to use.
Exercise 4: Deploying and capturing a reference operating system image

 Task 1: Start the reference computer, and complete the Windows
Deployment Wizard
1. On the host computer, open Hyper-V Manager, and then connect to 20695C-LON-REF1.
2. In the Settings for 20695C-LON-REF1 window, click Media, point to DVD Drive, and then click
Insert Disk.
3. Browse to the D:\Program Files\Microsoft Learning\20695\Drives folder, select
LiteTouchPE_x64.iso, and then click Open.
5. In the MDT window, click Run the Deployment Wizard to install a new Operating System.
6. In the User Credentials dialog box, in the User Name text box, type Administrator. In the
Password text box, type Pa$$w0rd, in the Domain field, type Adatum, and then click OK.
7. In the Windows Deployment Wizard, on the Task Sequence page, select the Deploy Windows 10
option, and then click Next.
8. On the Computer Details page, in the Computer name text box, type Reference, and then
click Next.
9. On the Locale and Time page, click Next.
10. On the Capture Image page, select the Capture an image of this reference computer option, and
then click Next.
11. On the Ready page, click Details, review the settings, and then click Begin.
Note: This procedure takes approximately 90 minutes to complete.
 Task 2: Review the deployment summary, and verify the capture of the reference
computer
1. On LON-REF1, verify that the Deployment Summary window displays Success - Operating system
deployment completed successfully, and then click Finish.
2. After LON-REF1 restarts, sign in as Administrator with the password Pa$$w0rd.
3. Switch back to LON-SVR1.

4. On the taskbar, click the File Explorer icon.
5. In File Explorer, expand drive C, expand DeploymentShare, and then expand Captures.
6. Verify that a file named LON-001.wim displays.
8. On the taskbar, click the File Explorer icon.
9. In File Explorer, expand drive E, expand Labfiles, expand Deploylogs, and then expand Reference.
Note the deployment logs that display.
10. Close all open windows, and then sign out of all virtual machines.

steps:
1. On the host computer, start Hyper V Manager.
2. In the Virtual Machines list, right click 20695C-LON-DC1, and then click Revert.
4. Repeat steps 2 and 3 for 20695C-LON-REF1 and 20695C-LON-SVR1.
Results: After completing this exercise, you should have deployed and captured a reference computer.
L9-49
Module 9: Managing operating system deployment

Lab A: Preparing the site for operating
system deployment
Exercise 1: Managing the site system roles used to support operating
system deployment
 Task 1: Enable PXE on the distribution point
1. On LON-CFG, on the taskbar, click Configuration Manager console.
2. Click the Administration workspace, expand the Site Configuration folder, and then click the
Servers and Site System Roles node.
3. In the details pane, select \\LON-CFG.adatum.com and then in the preview pane, right-click the
Distribution point role. Click Properties.
4. In the Distribution point Properties dialog box, on the PXE tab, select the Enable PXE support for
clients check box. In the Review Required ports for PXE dialog box, click Yes.
5. Select the Allow this distribution point to respond to incoming PXE requests and Enable
unknown computer support check boxes.
6. In the Configuration Manager message box, click OK.
7. In the Password and Confirm password boxes, under Require a password when computers use
PXE, type Pa$$w0rd.
8. Next to the User device affinity box, select Allow user device affinity with manual approval.
9. In the Distribution point Properties dialog box, click OK.
10. Click the Monitoring workspace, expand Distribution Status, and then click Distribution Point
Configuration Status.
11. Right-click \\LON-CFG.Adatum.com, and then click Refresh. Repeat periodically until the PXE
column displays Yes.
 Task 2: Add the state migration point role

1. On LON-CFG, on the taskbar, click Configuration Manager console.
2. Click the Administration workspace, expand Site Configuration, and then click Servers and Site
System Roles.
3. In the results pane, right-click \\LON-CFG.Adatum.com, and then click Add Site System Roles.
4. In the Add Site System Roles Wizard, on the General page, click Next.
5. On the Proxy page, click Next.

6. On the System Role Selection page, select the State migration point check box, and then
click Next.
7. On the State migration point page, click new (sun icon).
8. In the Storage Folder Settings dialog box, in the Storage folder box, type E:\UserState, and then
click OK.
9. On the State migration point page, click Next.

L9-50 Managing operating system deployment
10. On the Boundary Groups page, click Next.
 Task 3: Configure the Network Access account

1. Click the Administration workspace, and then click Sites. In the results pane, right-click
S01 - Adatum Site.
2. Select Configure Site Components, and then click Software Distribution.
3. In the Software Distribution Component Properties dialog box, click the Network Access
Account tab.
4. Click Specify the account that accesses network locations.

5. Click new (sun icon), and then click New Account.
6. In the Windows User Account dialog box, in the User name box, type Adatum\NetworkAccess, in
the Password box, type Pa$$w0rd, and then in the Confirm password box, type Pa$$w0rd.
7. Click Verify, and in the Network share box, type \\LON-CFG\SMS_S01, and then click Test
connection. In the Configuration Manager dialog box, click OK, and then in the Windows User
Account dialog box, click OK.
8. In the Software Distribution Components Properties dialog box, click OK.
Results: After this exercise, you should have enabled PXE on the distribution point and configured the
Network Access account to support Configuration Manager operating system deployment.
Exercise 2: Managing packages to support operating system deployment

 Task 1: Import Hyper-V drivers
1. In the navigation pane, click Software Library, expand Operating Systems, click and then right-click
Drivers, and then click Import Driver.
2. In the Import New Driver Wizard, on the Locate Driver page, click Browse.
3. In the Select Folder dialog box, in the Folder box, type \\LON-CFG\Software\Drivers\HyperVx64,
and then click Select Folder.
4. On the Locate Driver page, click Next. Wait for the driver validation to complete.
5. On the Driver Details page, remove the check mark next to Hide drivers that are not digitally
signed.
6. Click Categories, and then in the Manage Administrative Categories dialog box, click Create.
7. In the Create Administrative Category dialog box, type 64-bit Drivers, and then click OK.
8. In the Manage Administrative Categories dialog box, click Create.
9. In the Create Administrative Category dialog box, type Hyper-V Drivers, and then click OK.
10. In the Manage Administrative Categories dialog box, click OK.

11. On the Driver Details page, click Next.
12. On the Add Driver to Packages page, click New Package.

13. In the Create Driver Package dialog box, in the Name box, type Hyper-V Drivers, and in the Path
box, type \\LON-CFG\E$\Source\Drivers, and then click OK.
14. On the Add Driver to Packages page, click Next.
15. On the Add Driver to Boot Images page, click Next.
 Task 2: Distribute a driver package

1. In the navigation pane, click Software Library, expand Operating Systems, and then click Driver
Packages.
2. Right-click the Hyper-V Drivers package, and then click Distribute Content.
4. On the Content Destination page, click Add, and then click Distribution Point.
5. In the Add Distribution Points dialog box, select the LON-CFG.ADATUM.COM check box, and then
click OK.
8. Right-click the Hyper-V Drivers package, and then click Refresh.
Note: Repeat this step periodically until Content Status shows Success. This should take
about one minute.
 Task 3: Modify the boot images

1. In the navigation pane, click Boot Images, right-click Boot image (x86), and then click Properties.
2. Click the Customization tab, and then select the Enable command support (testing only)
check box.
click OK twice.
5. Click the Data Source tab, and then verify that the Deploy this boot image from the PXE-enabled
7. In the Configuration Manager dialog box, click Yes.
8. In the Update Distribution Points Wizard, on the Summary page, click Next. Wait for the completion,
and then on the Completion page, click Close.
9. In the navigation pane, click Boot Images, right-click Boot image (x64), and then click Properties.
10. Click the Customization tab, and then select the Enable command support (testing only)
check box.
click OK twice.
13. Click the Data Source tab, and then verify that the Deploy this boot image from the PXE-enabled
14. Click the Drivers tab, and then click new (sun icon).
15. In the Select a driver dialog box, remove all selections, select Microsoft Hyper-V Network
Adapter, and then click OK.
17. In the Configuration Manager dialog box, click Yes.
18. In the Update Distribution Points Wizard, on the Summary page, click Next, and then on the
Completion page, click Close.
 Task 4: Distribute the boot images

1. Click Boot image (x64), Ctrl+click Boot image (x86), right-click Boot image (x64), and then click
Distribute Content.
4. In the Add Distribution Points dialog box, select LON-CFG.ADATUM.COM and then click OK.
7. Right-click one of the packages, and then click Refresh.
Note: Perform this step for the other package. Repeat this step periodically until both
packages show a status of Success. This should take about one minute.
 Task 5: Distribute the USMT package

1. Under Application Management, click Packages.
2. Click the User State Migration Tool for Windows 10 package, right-click the User State Migration
Tool for Windows 10, and then click Distribute Content.
5. In the Add Distribution Points dialog box, select the LON-CFG.Adatum.com check box, and then
click OK.
8. Right-click the User State Migration Tool for Windows 10 package, and then click Refresh.
Note: Repeat this step until the package shows a status of Success. This should take about
one minute.

Leave all the virtual machines running for use in the next lab.
Results: After this exercise, you should have configured the boot images and created the driver package
that is required for operating system deployment.
Lab B: Deploying operating system images

for bare-metal installations
Exercise 1: Preparing the operating system image
 Task 1: Import the reference image
1. On LON-CFG, in the System Center Configuration Manager (Configuration Manager) console, click
the Software Library workspace, expand Operating Systems, and then click Operating System
Images.
2. On the ribbon, in the Create group, click Add Operating System Image.
3. In the Add Operating System Image Wizard, on the Data Source page, in the Path box, type
\\LON-CFG\e$\Sources\Install.wim, and then click Next.
4. On the General page, in the Name box, type Windows 10 Enterprise (x64) Evaluation and then
click Next.
 Task 2: Distribute the image to the LON-CFG distribution point

1. Right-click the Windows 10 Enterprise (x64) Evaluation image, and then select Distribute
Content.

3. On the Content Destination page, click Add, and then select Distribution Point.
4. In the Add Distribution Points dialog box, select the LON-CFG.ADATUM.COM check box, and then
click OK.
7. Right-click the Windows 10 Enterprise (x64) Evaluation image and then click Refresh. Repeat
periodically until the status shows Success. This should take around five minutes.
 Task 3: Import a computer object

1. In Microsoft Hyper-V Manager on your host computer, select the 20695C-LON-REF1 virtual machine.
2. In the details pane for the 20695C-LON-REF1 virtual machine, click the Networking tab, and then in
the Adapter column, find the media access control (MAC) address. You might need to expand the
Adapter column to fully see the MAC address. Write down the MAC address.
4. Click the Assets and Compliance workspace, right-click the Devices node, and then select Import
Computer Information.
5. On the Select Source page of the Import Computer Information Wizard, select Import single
computer, and then click Next.
6. On the Single Computer page, type the following information, and then click Next:
o Computer Name: LON-REF1
o MAC address: <the MAC address you wrote down>
7. On the Data Preview page, verify the name and MAC address, and then click Next.
8. On the Choose Target Collection page, select Add computers to the following collection, and
then click Browse.
9. In the Select Collection window, select the Adatum production image collection, and then click OK.
10. On the Choose Target Collection page, click Next.
11. On the Summary page, verify your selections, and then click Next.
13. Click the Device Collections node, right-click the All Systems collection, and then select Update
Membership. When prompted, click Yes.
14. Right-click the Adatum production image collection, and then select Update Membership. When
prompted, click Yes.
15. Click the Adatum production image collection, and then press F5 after ten seconds.
16. When the Member Count column changes to 1, right-click the Adatum production image
collection, and then select Show Members. You should now be able to see the computer you have
added.
Results: After completing this exercise, you will have imported a pre-created image into Configuration
Manager and distributed that image to the distribution point. You will have created a computer object for
LON-IMG and placed it in the Adatum production image collection.
Exercise 2: Creating a task sequence to deploy an image

 Task 1: Create a task sequence to install an existing image
1. On LON-CFG, in the Configuration Manager console, click the Software Library workspace, and then
expand Operating Systems.
2. Right-click Task Sequences, and then select Create Task Sequence.
3. In the Create Task Sequence Wizard, on the Create New Task Sequence page, click the Install an
existing image package option, and then click Next.
4. On the Task Sequence Information page, in the Task sequence name box, type Deploy Windows
10 Enterprise (x64) Evaluation, and then click Browse.
5. In the Select a Boot Image dialog box, click Boot image (x64) 10.0.10240.16384 en-US, and then
click OK.
6. On the Task Sequence Information page, click Next.
7. On the Install Windows page, click Browse.
8. In the Select an Operating System Image dialog box, click Windows 10 Enterprise (x64)
Evaluation en-US, and then click OK.
9. Remove the check mark next to Configure task sequence for use with BitLocker.
10. Click the Enable the account and specify the local administrator password option. In the
Password box, type Pa$$w0rd, in the Confirm password box, type Pa$$w0rd, and then click Next.
11. On the Configure Network page, select the Join a domain option.
12. In the area next to Domain, select Browse, click Adatum.com, and then click OK.
13. In the area next to Domain OU, click Browse, select London Clients, and then click OK.
14. Click Set.
15. In the Windows User Account dialog box, in the User name box, type Adatum\Administrator,
in the Password box, type Pa$$w0rd, in the Confirm password box, type Pa$$w0rd, and then
click OK.
16. On the Configure Network page, click Next.
17. On the Install Configuration Manager page, click Next.
18. On the State Migration page, remove all the check marks, and click Next.
19. On the Include Updates page, click Next.
20. On the Install Applications page, click Next.

 Task 2: Edit a task sequence

1. Right-click the Deploy Windows 10 Enterprise (x64) Evaluation task sequence, and then click Edit.
2. Click the Apply Windows Settings step.

3. In the User name box, type A. Datum IT Services, and then in the Organization name box, type
A. Datum.
4. In the Deploy Windows 10 Enterprise (x64) Evaluation Task Sequence Editor window, click OK.
Results: After this exercise, you will have created and edited a task sequence to deploy an existing image.
Exercise 3: Deploying an image

 Task 1: Deploy an image installation task sequence by using PXE
1. Right-click the Deploy Windows 10 Enterprise (x64) Evaluation task sequence, and then click
Deploy.
2. In the Deploy Software Wizard, on the General page, in the area next to Collection, click Browse.
When prompted, click OK.
3. In the Select Collection dialog box, select Adatum production image, and then click OK.
5. On the Deployment Settings page, next to Purpose, verify that Available is selected, and under
Make Available to the following, select Only media and PXE, and then click Next.
7. On the User Experience page, click Next.


 Task 2: Start 20695C-LON-REF1

1. On the host computer, in Hyper-V Manager, right-click 20695C-LON-REF1, and then in the Actions
pane, click Connect.
2. In the Virtual Machine Connection window, select Action, and then click Start.
3. When LON-REF1 boots, click inside the Virtual Machine Connection window, and when prompted,
press F12.
Note: Wait for the boot image to be staged and for the machine to boot into the Windows
Preinstallation Environment (Windows PE).
4. In the Welcome to the Task Sequence Wizard window, in the password box, type Pa$$w0rd, and
then click Next.
5. In the Task Sequence Wizard window, verify that the task sequence you created earlier is displayed
and selected, and then click Next.
6. Monitor the deployment. The task sequence will take approximately 15 minutes to complete.
7. After the deployment is complete, sign in to LON-REF1 as Adatum\Administrator with the password
Pa$$w0rd, and then verify that the computer is named LON-REF1.

following steps:
4. Repeat steps 2 and 3 for 20695C-LON-CFG and 20695C-LON-REF1.
Results: After this exercise, you will have deployed the task sequence and installed the operating system
image on LON-REF1.
L10-59
Module 10: Integrating MDT and Configuration Manager for

Lab A: Integrating MDT and Configuration
Manager for operating system deployment
Exercise 1: Integrating MDT and Configuration Manager
 Task 1: Prepare LON-CL3 for capturing user data
1. On LON-CL3, on the taskbar, click Windows Explorer.
2. In Windows Explorer, in the Address bar, type \\LON-CFG\C$\Program Files

\Microsoft Configuration Manager\tools\.
3. Right-click cmtrace.exe, and then click Copy. Close Windows Explorer. On the empty desktop of
LON-CL3, right-click and select Paste.
4. Double-click the cmtrace.exe icon on the desktop. In the Configuration Manager Trace Log Tool
window, click Yes. Close the Configuration Manager Trace Log Tool.
5. Right-click the empty space of the desktop, select New, select Folder, and then in the New Folder
icon text box, type Projects.
6. Right-click the empty space of the desktop, select New, and then select Shortcut. In the Create
Shortcut window, type C:\Windows\Notepad.exe in the text box, and then click Next.
7. In the Type a name for this shortcut text box, type Notepad, and then click Finish.
8. Open the Projects folder on the desktop, and in the Address bar, type C:\Windows\CCM\Logs, and
then press Enter. Right-click the CcmExec.log log, and then click Copy. Click the back arrow, and
then, in the empty space of the window, right-click and select Paste. This will add the CcmExec.log
file to the Projects folder on the desktop. You now should have three icons on the desktop: a folder
named Projects, the ccmtrace.exe tool, and a shortcut to Notepad.
9. Shut down LON-CL3. Do not revert it, as you will use it in Exercise 3.
 Task 2: Create a domain join account and set permissions

1. On LON-DC1, in Server Manager, click the Tools drop-down list box, and then click Active Directory
Users and Computers.
2. Expand Adatum.com, and then select the Users folder. Right-click the Users folder, point to New,
and then click User.
3. In the New Object – User window, in the Full name and User logon name text boxes, type
CMDomainJoin, and then click Next.
4. In the Password and Confirm Password text boxes, type Pa$$w0rd. Clear the User must change
password at next logon check box, click Next, and then click Finish.
5. Close Active Directory Users and Computers.
6. On the taskbar, right-click the Windows PowerShell icon, and then select Run as Administrator.
L10-60 Integrating MDT and Configuration Manager for operating system deployment
7. In Windows PowerShell, type the following cmdlets, and press Enter after each one:
Set-ExecutionPolicy –ExecutionPolicy RemoteSigned –Force

Set-Location –Path E:\Labfiles\Scripts
.\Set-OUPermissions.ps1 –Account CMDomainJoin –TargetOU “OU=London Clients”
8. When the script finishes, close Windows PowerShell.
 Task 3: View the default Configuration Manager console items

1. On LON-CFG, on the taskbar, click the Configuration Manager Console.
2. Click the Software Library workspace.
3. In the Software Library workspace, expand Operating Systems, and then click the Task Sequences
node.
4. Right-click Task Sequences. You should see the following items in the list:
o Create Task Sequence
o Create Task Sequence Media
o Import Task Sequence
o Folder
 Task 4: Install MDT

1. On LON-CFG, close the Configuration Manager console.
3. Browse to E:\Software\MDT2013, right-click MicrosoftDeploymentToolkit2013_x64.msi, and

then click Install.
4. In the Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000) Setup Wizard, on the Welcome
page, click Next.
5. On the End-User License Agreement page, select I accept the terms in the License Agreement,
and then click Next.
6. On the Custom Setup page, click Next.
7. On the Customer Experience Improvement Program page, ensure that I don’t want to join the
program at this time is selected, and then click Next.
8. On the Ready to Install Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000) page,
click Install.
9. On the Completed the Microsoft Deployment Toolkit 2013 Update 2 (6.3.8330.1000) Setup
Wizard page, click Finish.
 Task 5: Run the integration wizard to integrate MDT

1. On LON-CFG, on the Start screen, click the circled down arrow, and then right-click Configure
ConfigMgr Integration and select Run as administrator.
2. On the Options page of the Configure ConfigMgr Integration window, ensure that the following
settings are selected, and then click Next:
o Install the MDT extensions for Configuration Manager
o Install the MDT console extensions for System Center Configuration Manager
o Add the MDT task sequence actions to a System Center Configuration Manager server
o Site code: S01
 Task 6: Configure monitoring for the Deployment Workbench console

1. On LON-CFG, on the Start screen, click the circled down arrow, and then click Deployment
Workbench.
2. In the Deployment Workbench console, right-click Deployment Shares, and then click New
Deployment Share.
3. In the New Deployment Share Wizard, on the Path page, in the Deployment share path text box,
type E:\DeploymentSource, and then click Next.
4. On the Share page, in the Share name text box, type DeploymentSource$, and then click Next.
5. On the Descriptive Name page, click Next.

6. Review the Options page, and then click Next.
9. Expand the Deployment Shares node in the Deployment Workbench console, right-click MDT
Deployment Share (E:\DeploymentSource), and then select Properties.
10. In the MDT Deployment Share (E:\DeploymentSource) Properties window, select the Monitoring tab.
11. Select Enable monitoring for this deployment share, and then click OK.
12. Close Deployment Workbench.
 Task 7: Verify the MDT integration in Configuration Manager

1. On LON-CFG, on the taskbar, click the Configuration Manager Console.
2. Select the Software Library workspace.
3. In the Software Library workspace, expand Operating Systems, and then select the Task
Sequences node.
4. Right-click Task Sequences. You should see a new Create MDT Task Sequence item in the list.
 Task 8: Configure the client settings

1. In the Configuration Manager console, click the Administration workspace, and then select Client
Settings.
2. In the right pane, right-click Default Client Settings, and then select Properties.
3. Click the Computer Agent node in the console tree. In the Organization name displayed in
Software Center text box, type Adatum, and then click OK.
 Task 9: Configure the network access account

Configuration, and then click Sites.
2. Right-click S01 – Adatum Site, click Configure Site Components, and then click Software
Distribution.
3. In the Software Distribution Component Properties window, click the Network Access Account tab,
and then click Specify the account that accesses network locations. Click the New button, which
looks like a sun, and then select New Account.
4. In the Windows User Account window, in the User name text box, type ADATUM\NetworkAccess,
and in the Password and Confirm password text boxes, type Pa$$w0rd, and then click Verify.
5. In the Network share text box, type \\LON-DC1\SYSVOL, and then click the Test connection bar.
You should receive a Configuration Manager pop-up window with the following message: “The
connection was successfully verified”.
6. Click OK three times.
Results: After completing this exercise, you should have installed MDT and integrated it with
Exercise 2: Creating an MDT boot image

 Task 1: Install DaRT 10, and copy the cabinet files to the appropriate location
1. On LON-CFG, open File Explorer, and type \\LON-DC1\Labfiles\DaRT\x64 in the Address bar. Then
press Enter.
2. Right-click MSDaRT100.msi, and then choose Install. Answer the wizard by using the default
settings, as follows:
a. On the Welcome to the Microsoft DaRT 10 Setup Wizard page, click Next.
b. On the End-User License Agreement page, click I Agree.
c. On the Microsoft Update page, click I don’t want to use Microsoft Update, and then click
Next.
d. On the Select Installation Folder page, click Next.
e. On the Setup Options page, click Next.

f. On the Ready to Install page, click Install.
g. After you receive the message You have successfully completed the Microsoft DaRT 10
Setup Wizard, click Finish.
3. Using File Explorer, navigate to the C:\Program Files\Microsoft DaRT\v10 folder, right-click
Toolsx64.cab, select Copy. Navigate to C:\Program Files\Microsoft Deployment Toolkit
\Templates\Distribution\Tools\x64, and then in the empty space, right-click and select Paste.
4. Navigate to the C:\Program Files\Microsoft DaRT\v10 folder, right-click Toolsx86.cab, and then
select Copy. Navigate to C:\Program Files\Microsoft Deployment Toolkit\Templates
\Distribution\Tools\x86, and then in the empty space, right-click and select Paste.

 Task 2: Run the Create Boot Image using MDT wizard to create a customized MDT
boot image
1. On LON-CFG, create a folder named CMSources on the E drive. Right-click the CMSources folder
and click Properties.
2. In the CMSources Properties window, click the Sharing tab, and then click the Advanced Sharing
button.
3. In the Advanced Sharing window, select Share this folder, and then click the Permissions button.
4. In the Permissions for CMSources window, click Add and in the Enter the object names to select
box, type Authenticated Users.
5. Click Check Names, and verify that Authenticated Users is displayed underlined. Then click OK.
6. In the Permissions for CMSources window, select Authenticated Users and then select the Allow
check box next to Full Control. Click OK twice and then click Close.
7. Create the following subfolders in the CMSources folder: OSD and Software.
8. Next, create the following subfolders in the OSD folder:
o OSD\BootImages
o OSD\DriverPackages
o OSD\DriverSources
o OSD\MDT 2013
o OSD\OSImages
o OSD\MDTSettings
9. In the Software folder, create a subfolder named Microsoft. Finally, in the OSD\BootImages folder,
create the following subfolders: WinPE10x64 and WinPE10x64-MDT.
10. In the Configuration Manager console, click the Software Library workspace.
11. In the Software Library workspace, expand Operating Systems, and then select the Boot Images
node.
12. Right-click Boot Images, and then select Create Boot Image using MDT.
13. On the Package Source page, in the Package source folder to be created (UNC path) text box,
type \\LON-CFG\CMSources\OSD\BootImages\WinPE10x64-MDT, and then click Next.
14. On the General Settings page, in the Name text box, type Lab10 MDT Boot Image, and then in the
Comments text box, type MDT Boot Image for Lab 10. Click Next.
15. On the Options page, select x64, and then in the Scratch Space drop-down list box, select 512 MB,
and click Next.
16. On the Components page, ensure that the following check boxes are selected, and then click Next:
o Windows PowerShell
o Microsoft Diagnostics and Recovery Toolkit (DaRT)
17. On the Customization page, click Next.
18. On the Summary page, click Next. A progress bar will appear. It will take approximately 8 to 10
minutes to create the boot image.

20. In the Boot Images details pane, right-click Lab10 MDT Boot Image, and then select Distribute
Content.
21. The Distribute Content Wizard will appear. On the General page, click Next.
22. On the Specify the content destination page, click the Add drop-down arrow, and then select
Distribution point. In the Add Distribution Points window, select the check box next to
LON-CFG.ADATUM.COM, click OK, and then click Next.

25. With Lab10 Boot Image in the details pane still selected, click the Refresh icon on the ribbon.
26. At the bottom of the Summary pane, the Lab10 MDT Boot Image Content Status circle should be
green.
Note: It could take a few minutes for the Lab10 MDT Boot Image Content Status circle to
change from yellow to green.
27. In the details pane, right-click Lab10 MDT Boot Image, and then select Properties.
28. In the Lab10 MDT Boot Image Properties window, select the Data Source tab, select the Deploy this
boot image from the PXE-enabled distribution point check box, and then click OK.
29. In the taskbar, open File Explorer. Navigate to C:\SMSPKGSIG\. After a few minutes, a new folder
named for the Image ID found in the Lab10 MDT Boot Image column, which is in the details pane,
should appear.
 Task 3: Create an operating-system image

1. On the taskbar, click File Explorer. Browse to E:\Sources, and find the file named install.wim. Right-
click install.wim, and then click Copy.
2. In File Explorer, select the Allfiles (E:) drive, and then select CMSources\OSD\OSImages under it.
3. Right-click in the empty space of the OSImages folder, and then click Paste. After the copying
completes, rename install.wim to Win10TH2Entx64-Eval.wim. Close File Explorer.
4. In the Configuration Manager console, select the Software Library workspace, and in the console
tree, expand Operating Systems, and then select Operating System Images.
5. Right-click Operating System Images, and then select Add Operating System Image. The Add
Operating System Image Wizard opens.
6. On the Data Source page, in the Path text box, type \\LON-CFG\CMSources\OSD\OSImages
\Win10TH2Entx64-Eval.wim, and then click Next.
7. On the General page, in the Name text box, type Win10Ent x64 Eval, and then click Next.

10. In the details pane of Operating System Images, right-click Win10 x64 Eval, and then select
Distribute Content. The Distribute Content Wizard opens.
12. On the Content Destination page, click the Add down arrow, and then select Distribution Point.
13. In the Add Distribution Points window, select LON-CFG.ADATUM.COM , click OK, and then
click Next.
16. After approximately one minute, with Win10Ent x64 Eval still selected in the details pane, click the
Refresh icon on the ribbon. The Content Status circle at the bottom of the screen should be green
when completion is successful. If it is yellow, wait a few more minutes, and then click Refresh.
Continue to do this until it is green. It can take as long as five minutes.
 Task 4: Add drivers for Windows PE 5.0

1. On the taskbar, click File Explorer, and navigate to E:\Software\Drivers. Right-click the HyperVx64
folder, and then select Copy.
2. In File Explorer, navigate to E:\CMSources\OSD\DriverSources, and then in the empty space of the
details pane, right-click and click Paste.
3. Return to the Configuration Manager console, and in the Software Library workspace, navigate to
Operating Systems\Drivers. Right-click the Drivers node, and then click Import Driver.
4. In the Import New Driver Wizard, on the Specify a location to import driver page, below the
Import all drivers in the following network path (UNC) option, in the Source folder text box,
type \\LON-CFG\CMSources\OSD\DriverSources\HyperVx64, and then click Next.
5. On the Specify the details for the imported driver page, clear Hide drivers that are not digitally
signed. Click Categories, and then in the Manage Administrative Categories window, click Create.
6. In the Create Administrative Category text box, type Hyper-V Drivers, click OK twice, and then
click Next.
7. On the Select the packages to add the imported driver page, click Next.
8. On the Select drivers to include in the boot image page, click Next.
Results: After completing this exercise, you should have created the MDT boot image.
Exercise 3: Creating and deploying an MDT task sequence by using

 Task 1: Use the MDT Task Sequence Wizard to create an MDT task sequence that will
upgrade an existing network computer
1. In the Configuration Manager console, select the Software Library workspace.
Sequences node.
4. The Create MDT Task Sequence Wizard opens. On the Choose Template page, in the drop-down list
box, select Client Task Sequence, and then click Next.
5. On the General page, in the Task Sequence name text box, type MDT Client Upgrade, and in the
Task sequence comments text box, type MDT Task Sequence to upgrade a Windows 7 client to
Windows 10 with migrated user state, and then click Next.
6. On the Details page, click Join a domain, and then in the Domain text box, type Adatum.com.
Click Set.
7. In the Windows User Account window, in the User Name text box, type Adatum\CMDomainJoin,
and then in the Password and Confirm Password text boxes, type Pa$$word. Click OK. In the
Organization name text box, type Adatum, and then click Next.
8. On the Capture Settings page, click Next.
9. On the Boot Image page, ensure that Specify an existing boot image package is selected, and
then click the Browse button next to it.
10. In the Select a Package dialog box, select Lab10 MDT Boot Image en-US, click OK, and then
click Next.
11. On the MDT Package page, select Create a new Microsoft Deployment Toolkit Files package,
and in the Package source folder to be created (UNC Path) text box, type \\LON-CFG\CMSources
\OSD\MDT 2013, and then click Next.
12. On the MDT Details page, in the Name text box, type MDT 2013 Update 2 Toolkit, and then
click Next.
13. On the OS Image page, with Specify an existing OS image selected, click Browse. In the Select a
Package window, click Win10Ent x64 Eval en-US, click OK, and then click Next.
14. On the Deployment Method page, ensure that Perform a “Zero Touch Installation” OS
deployment, with no user interaction is selected, and then click Next.
15. On the Client Package page, ensure that Specify an existing ConfigMgr client package is selected,
and then click Browse.
16. In the Select a Package window, select Microsoft Corporation Configuration Manager Client
Package, click OK, and then click Next.
17. On the USMT Package page, ensure that Specify an existing USMT package is selected, and then
click Browse.
18. In the Select a Package dialog box, select Microsoft Corporation User State Migration Tool for
Windows 8 10.0.10240.16384, click OK, and then click Next.
19. On the Settings Package page, select Create a new settings package, and in the Package source
folder to be created (UNC Path) text box, type \\LON-CFG\CMSources\OSD\MDTSettings, and
then click Next.
20. On the Settings Details page, in the Name text box, type Windows 10 x64 Settings, and then click
Next.
21. On the Sysprep Package page, click Next.
22. On the Summary page, observe the selections that you made, and then click Next.
23. A progress bar will appear, and then on the Confirmation page, click Finish.
 Task 2: Edit the new task sequence and distribute content

1. On LON-CFG, in the Configuration Manager console, within the Software Library workspace, in the
Operating Systems\Task Sequences node, right-click MDT Client Upgrade in the task sequence
details pane, and then select Edit.
2. The MDT Client Upgrade Task Sequence Editor opens. Do not click OK until you complete all the
steps that are listed below.
Volume list, delete the following three volumes:
a. Click Windows RE Tools (Recovery), and then click the red X symbol directly above the
Volume list.
b. Click EFI (EFI), and then click the red X symbol directly above the Volume list.
c. Click MSR (MSR), and then click the red X symbol directly above the Volume list.
4. Repeat steps 3a through 3c for the Format and Partition Disk (UEFI) step that you find in the Script
does not exist or no partitions group.
5. Note the Capture User State item in the State Capture, Online USMT node. Click Capture User
State. Note the Properties pane of the Capture User State step, and then perform the following:
a. Ensure that Capture all user profiles by using standard options is selected.
b. Select Enable verbose logging.
c. Ensure that Copy by using file system access is selected.
d. Ensure that the Continue if some files cannot be captured is selected.
6. In the PostInstall group, select Apply Windows Settings, and then configure the following:
o Select Enable the account and specify the local administrator password, and then type
Pa$$w0rd in the Password and Confirm Password text boxes.
7. In the PostInstall group, select Apply Network Settings, and then click Browse beside Domain OU.
In the Browse for a Container dialog box, click London Clients, and then click OK (only in the
Browse for Container dialog box).
8. In the MDT Client Upgrade Task Sequence Editor, click OK.
9. In the Task Sequences Details pane, right-click MDT Client Upgrade, and then select Distribute
Content.
10. The Distribute Content Wizard opens. On the General page, click Next.
11. On the Content page, click Next.
12. On the Specify the content destination page, click the Add drop-down arrow, and then select
Distribution point. In the Add Distribution Points window, select LON-CFG.ADATUM.COM, click
OK, and then click Next.

 Task 3: Create a collection for LON-CL3

1. On LON-CFG, in the Configuration Manager console, select the Assets and Compliance workspace.
2. Right-click the Device Collections node, and then select Create Device Collection.
3. The Create Device Collection Wizard opens. In the Name text box, type Clients to Upgrade, and
then in the Comment text box, type Clients that are scheduled to be Upgraded via the MDT
Client Upgrade task sequence.
4. In the Limiting collection area, click Browse, and in the Select Collection window, select the All
Systems collection, click OK, and then click Next.
5. On the Membership Rules page, click the Add Rule drop-down list box, and then select Direct
Rule.
6. The Create Direct Membership Rule Wizard opens. On the Welcome page, click Next.
7. On the Search for Resources page, ensure the Resource class drop-down list box displays System
Resource and that the Attribute name drop-down list box displays Name (both of these are the
defaults). In the Value text box, type LON-CL3, and then click Next.
8. On the Select Resources page, select LON-CL3, and then click Next.
10. On the Completion page, click Close. You will return to the Create Device Collection Wizard.
11. On the Membership Rules page, click Next.
14. On the Device Collections tab, right-click All Unknown Computers, and then select Properties.
15. In the All Unknown Computers properties dialog box, click the Collection Variables tab.
16. Click the New icon (looks like a sun), and then in the Name text box, type OSDComputerName.
Clear Do not display this value in the Configuration Manager console, and then click OK twice.
 Task 4: Deploy the new task sequence to upgrade an existing computer to

Windows 10
Systems\Task Sequences node, right-click MDT Client Upgrade in the task sequence details pane,
and then select Deploy.
2. The Deploy Software Wizard opens. On the General page, beside Collection, click Browse. Click OK
when prompted.
3. In the Select Collection window, select Clients to Upgrade, click OK, and then click Next.
4. On the Deployment Settings page, click Next.
6. On the User Experience page, ensure that the following check boxes are selected, and then
click Next:
o Show Task Sequence progress
o System restart (if required to complete the installation)
o Commit changes at deadline or during a maintenance window (requires restart)

9. On the Summary page, review your selections, and then click Next.
 Task 5: Start the computer upgrade

2. In Hyper-V Manager, click 20695C-LON-CL3, and then in the Actions pane, click Start.
5. Click the Start button, and then select Control Panel.
6. In Control Panel, click System and Security.
7. In System and Security, double-click Configuration Manager.
8. In the Configuration Manager Properties window, click the Actions tab.

9. Select Machine Policy Retrieval & Evaluation Cycle, and then click Run Now.
10. In the Machine Policy Retrieval & Evaluation Cycle window, click OK.
11. Close the Configuration Manager Properties window and Control Panel.
12. When you receive a notification that states “New software is available”, click the notification. This
opens the Software Center.
13. Click the Available Software tab, select MDT Client Upgrade, and then click Install Selected.
14. In the Software Center dialog box, click Install Operating System.
15. The MDT Client Upgrade begins. It will take approximately two hours to run. Due to the limited time
for this lab, you can revert 20695C-LON-CL3 at this time.
 Task 6: Prepare for the next lab

When you are finished with the lab, keep all of the virtual machines running. The virtual machines in their
current state are required for the next lab/module.
Results: After completing this exercise, you should have created and deployed an MDT task sequence.
Lab B: Configuring UDI

Exercise 1: Creating a UDI task sequence
 Task 1: Create a UDI task sequence
1. In the Configuration Manager console, select the Software Library workspace.
Sequences node.
4. The Create MDT Task Sequence Wizard opens. On the Choose Template page, in the drop-down list
box, select Client Task Sequence, and then click Next.
5. On the General page, in the Task Sequence name text box, type MDT UDI, and in the Task
sequence comments text box, type MDT UDI Task Sequence used to deploy Windows 10 to a
new computer, and then click Next.
6. On the Details page, click Join a domain, and then in the Domain text box, type Adatum.com.
Click Set.
7. In the Windows User Account window, in the User Name text box, type Adatum\CMDomainJoin,
and then in the Password and Confirm Password text boxes, type Pa$$word. Click OK. In the
Organization name text box, type Adatum, and then click Next.
8. On the Capture Settings page, click Next.
9. On the Boot Image page, ensure Specify an existing boot image package is selected, and then
click the Browse button next to it.
10. In the Select a Package window, select Lab10 MDT Boot Image en-US, click OK, and then
click Next.
11. On the MDT Package page, click Specify an existing Microsoft Deployment Toolkit Files
package, and then click the Browse button that is next to it.
12. In the Select a Package window, select the MDT 2013 Update 2 Toolkit package, click OK, and then
click Next.
13. On the OS Image page, with Specify an existing OS image selected, click Browse. In the Select a
Package window, click Win10Ent x64 Eval en-US, click OK, and then click Next.
14. On the Deployment Method page, select Perform a “User-Driven Installation”, and then
click Next.
15. On the Client Package page, ensure that Specify an existing ConfigMgr client package is selected,
and then click Browse.
16. In the Select a Package window, select the Microsoft Corporation Configuration Manager Client
Package item, click OK, and then click Next.
17. On the USMT Package page, ensure that Specify an existing USMT package is selected, and then
click Browse.
18. In the Select a Package window, select the Microsoft Corporation User State Migration Tool for
Windows 8 10.0.10240.16384 item, click OK, and then click Next.
19. On the Settings Package page, select Specify an existing settings package, and then click Browse.
20. In the Select a Package window, select the Windows 10 x64 Settings item, click OK, and then
click Next.
21. On the Sysprep Package page, click Next.
22. On the Summary page, observe the selections that you made, and then click Next.
23. A progress bar will appear, and then on the Confirmation page, click Finish.
 Task 2: Edit the MDT UDI task sequence

1. On LON-CFG, in the Configuration Manager console, within the Software Library workspace, in the
Operating Systems\Task Sequences node, right-click MDT UDI in the task sequence details pane,
and then select Edit.
2. The MDT UDI Task Sequence Editor window opens. Do not click OK until you complete all the steps
that are listed below.
Volume list, delete the following three volumes as:
a. Select Windows RE Tools (Recovery), and then click the red X symbol directly above the
Volume list.
b. Select EFI (EFI), and then click the red X symbol directly above the Volume list.
c. Select MSR (MSR), and then click the red X symbol directly above the Volume list.
4. Now repeat steps 3a through 3c for the Format and Partition Disk (UEFI) step that you find in the
Script does not exist or no partitions group.
5. In the PostInstall group, select the Apply Windows Settings step, and then configure the following:
o Select Enable the account and specify the local administrator password, and then type
Pa$$w0rd in the Password and Confirm Password text boxes.
6. In the PostInstall group, select the Apply Network Settings step, and then click Browse beside
Domain OU. In the Browse for a Container dialog box, click London Clients, and then click OK
(only in the Browse for Container dialog box).
7. In the MDT UDI Task Sequence Editor window, click OK.
 Task 3: Configure the UDIWizard_Config.xml file to control the UDI Wizard behavior
1. On LON-CFG, on the Start screen, click the circled down arrow, and then click UDI Wizard Designer.
2. In the UDI Wizard Designer, click Open, and then browse to E:\CMSources\OSD\MDT 2013\Scripts.
Select the UDIWizard_Config.xml file, and then click Open.
3. Expand StageGroup: New Computer, and in the Stage: NEWCOMPUTER section, select the Install
Programs page.
4. On the ribbon of the UDI Wizard Designer, click Configuration Manager. The Site Settings window
opens.
5. In the Site Settings window, type LON-CFG.adatum.com as the Site Server Name, and then click
Validate Site. The Site Code should now be listed as S01. Next to the Application Collection field,
type MDT UDI Apps Ref, and then click OK.
6. In the Stage: NEWCOMPUTER section, select the Welcome page, and click the Configure tab at the
top of the preview pane.
7. In the Welcome Page window under the Message heading, click right before the word Deployment
and type Adatum OS following by a space. The entire sentence should read: Welcome to the
Adatum OS Deployment Wizard. Click the Flow tab.
8. In the Stage: NEWCOMPUTER section, right-click the BitLocker page, and then click Remove Item.
When prompted, click Yes.
9. Repeat the actions in previous step to remove the following pages: Select Target, Administrator
Password, and User Device Affinity. You should have seven pages left in the Stage:
NEWCOMPUTER section.
10. In the Stage: NEWCOMPUTER section, select the Volume page, and click the Configure tab at the
top of the preview pane. Click the down arrow next to the Image Combo Behavior heading.
11. In the Image Combo Box Values box, right-click the Windows 7 RTM images item, and click Select
an Operating System Image.
12. In the Select Operating System Image window, select Win10Ent x64 Eval, and in the Display Name
text box, type Windows 10 Enterprise x64 Eval. Then click OK.
13. Under the User Data and Settings section, click the down arrow next to User Data Combo
Behavior. Select Format: Clean all data on the target volume during install, and then click
Unlocked. It should now read Locked. Click the Flow tab.
14. In the Stage: NEWCOMPUTER section, select the New Computer Details page, and click the
Configure tab at the top of the preview pane. Click the down arrow next to the Network Details
heading.
15. In the Domain or Workgroup Radio Buttons section, click Domain, and then click Unlocked. It
should read Locked.
16. Click the down arrow next to the Domains and OUs heading, and then click Add Domain.
17. In the Create or Edit Domain Information window, type adatum.com in the Domain Name text box
and in the Friendly name text box, type Adatum. Then click OK.
18. Right-click the Adatum/adatum.com item and select Search Domain for OUs. In the Add OU from
Domain window, select London Clients and then click OK.
19. Right-click Adatum/adatum.com, and then click Search Domain for OUs. In the Add OU from
Domain window, select Computers, and then click OK.
20. In the Domain Join Credentials section, click the down arrow next to Domain Join Credentials.
Click the Unlocked button next to the User Name text box and Password text box. They should
both now read Locked. Click the Flow tab.
21. In the Stage: NEWCOMPUTER section, select the Language page, and click the Configure tab at
the top of the preview pane. Click the down arrow next to the Region and Language Defaults
heading.
22. In the Time Zone Combo Box, click the down arrow under the default value field, select (UTC)
Coordinated Universal Time, and then click Unlocked. It should read Locked. Click the Flow tab.
23. In the Stage: NEWCOMPUTER section, select the Install Programs page, and click the Configure
tab at the top of the preview pane. Under the Software and Groups heading, right-click General
Software, and click Remove Item. When prompted, click Yes.
24. Click Add Group, and type Adatum Software in the Name text box. Then click OK.
25. Right-click the Adatum Software item, and then click Add Software to Group. In Add Software To
Group Wizard, ensure that I want to add a Package/Program is selected, and then click Next.
26. In the Display Name text box, type Microsoft PowerPoint Viewer. In the Search for 32 Bit
Program section, click Select.
27. In the Search Packages window, click Search, and select the Microsoft PowerPoint Viewer item.
Then click OK.
28. In the Search for 32 Bit Program section, click the down arrow next to Program and select
Per-system unattended. Then click Finish.
29. Right-click the Adatum Software item, and then click Add Software to Group. In the Add Software
To Group Wizard, select I want to add an Application. Then click Next.
30. In the Display Name text box, type XML Notepad 2007. In the Search for Application section, click
Select.
31. In the Search Application window, click Search, and then select the XML Notepad 2007 item. Click
OK, and then click Finish.
32. In the Software and Groups section, select Microsoft PowerPoint Viewer.
33. On the ribbon of the UDI Wizard Designer, click Save As. The Save As dialog box opens. Click Save
and then when prompted, click Yes. Then click OK.
34. Close the UDI Wizard Designer.
 Task 4: Edit the CustomSettings.ini file to prepopulate Domain Join Credentials in

UDI Wizard
1. Click File Explorer on the taskbar and browse to E:\CMSources\OSD\MDTSettings. Right-click the
CustomSettings.ini file and select Edit.
2. In the CustomSettings.ini – Notepad window, place the cursor right after SkipProductKey= Yes and
press Enter.
3. Type the following two lines of code and press Enter after each:
The CustomSettings.ini should now look like this:
[Settings]
Priority=Default
[Default]
OSInstall=Y
SkipCapture=YES
SkipProductKey=YES
4. Click File, Save, and then close Notepad.

 Task 5: Update distribution points with the updated MDT 2013 Update 2 and
MDT settings packages
1. On LON-CFG, in the Configuration Manager console, within the Software Library workspace, expand
the Application Management node, and select Packages.
2. Select the MDT 2013 Update 2 Toolkit and Windows 10 x64 Settings packages by holding the Ctrl
key. Right-click one of the selected packages and select Update Distribution Points, and then when
prompted, click OK.
Results: After completing this exercise, you should have created a working UDI task sequence, which will
enable you to deploy Windows 10 to new computer.
Exercise 2: Deploying Windows 10 by using a UDI task sequence

 Task 1: Deploy the UDI task sequence to the Unknown Computers collection
Systems\Task Sequences node, right-click the MDT UDI item in the task sequence details pane, and
then select Deploy.
2. The Deploy Software Wizard opens. On the General page, beside Collection, click Browse. When
prompted, click OK.
3. In the Select Collection window, select All Unknown Computers, click OK, and then click Next.
4. On the Deployment Settings page, under the Make available to the following heading, select
Only media and PXE. Then click Next.
6. On the User Experience page, ensure that the following check boxes are selected, and then
click Next:
o Show Task Sequence progress
o System restart (if required to complete the installation)
o Commit changes at deadline or during a maintenance window (requires restart)
9. On the Summary page, review your selections, and then click Next.
 Task 2: Start the UDI task-sequence deployment

1. On the host computer, in the Hyper-V Manager, right-click the 20695C-LON-REF1 virtual machine,
and click Settings.
2. In the Settings for 20695C-LON-REF1 on host window, click the DVD Drive node under IDE
Controller 1.
3. In the Media section, select Image file and click Browse. Browse to D:\Program Files
\Microsoft Learning\20695\Drives. Select the MDT-UDI-BootMedia.iso file, and then click Open.
Then click OK.
4. On the host computer, in Hyper-V Manager, click 20695C-LON-REF1, and then in the Actions pane,
click Start.
6. In the Welcome to the Task Sequence Wizard window, click Next.
7. On the Select a task sequence to run page of the Task Sequence Wizard, select MDT UDI, and then
click Next.
8. On the Edit Task Sequence Variables page of the Task Sequence Wizard, click Next.
Note: It will take a few minutes to download the MDT toolkit package.
9. On the Ready to start page of the Task Sequence Wizard, click Finish. The machine will reboot.
10. On the Welcome page of the OSD wizard, click Next.

11. On the Volume page, click the down arrow next to Image selection, and select Windows 10
Enterprise x64 Eval. Then click Next.
12. On the Deployment Readiness page, click Next.
13. On the New Computer Details page, type LON-CL4 in the Computer Name text box.
14. Notice that the Domain Join Credentials have filled in automatically. They have been read from the
CustomSettings.ini file. Click Next.
15. On the Language page, click Next.
16. On the Install Programs page, select XML Notepad 2007, and then click Next.
17. On the Summary page, review your selections, and then click Finish. The deployment starts.
Note: If time permits, you can leave the virtual machines running to finish the deployment,
while your instructor starts on the next module. You should ask your instructor for guidance
regarding this.
18. On the Deployment Complete page, click the Welcome, Deployment Summary, and Applications
Installed tabs to verify the installation. Then click Start Windows.
19. Sign in by using adatum\administrator as the username and Pa$$w0rd as the password.
 Task 3: Prepare for the next module

steps:
4. Repeat steps 2 and 3 for 20695C-LON-CFG, 20695C-LON-CL3, and 20695C-LON-REF1.
Results: After completing this exercise, you should have deployed Windows 10 to a new computer by
using a UDI task sequence.
L11-77
Module 11: Activating clients and managing additional

configuration settings
Lab: Configuring additional settings for
computer clients
Exercise 1: Planning for Windows 10 customization
• Read the supporting documentation.
Results: After completing this exercise, you should have a plan for Windows 10 customization.
Exercise 2: Creating a common Windows Start menu and custom

power plan
 Task 1: Customize the Start menu, export the Start menu layout, and update the
Group Policy settings to display the new layout when users sign in

1. On LON-CL1, in the lower-left corner of the desktop, click Start to open the Start menu.
2. Right-click the Mail tile, and then on the context menu, click Resize, Large.
3. Right-click the Calendar tile, and then on the context menu, click Resize, Wide.
4. Drag the Microsoft Edge tile and place it next to the Calendar tile.
5. Drag the Store tile and place it under the Calendar tile.
6. Drag the Weather tile and place it under the Store tile.
7. Drag the Skype video tile and place it under the Weather tile.
8. Drag the Phone Companion tile and place it next to the OneNote tile in the second column.
9. Right-click the Money tile, and then on the context menu, click Unpin from Start.
10. Right-click all the tiles with the small icons and no text on them, and then click Unpin from Start.
Five of these should exist.
11. On the Start menu, click All apps. Scroll down to the Windows Accessories group, expand it, and
then right-click Notepad. On the context menu, click Pin to Start.
12. Drag the Notepad tile next to OneNote tile in the second column.
13. Click the text Life at a glance, delete it, and then type Online apps in the box that appears.
14. Click the text Play and explore, delete it, type Adatum apps in the box that appears, and then press
Enter.
L11-78 Activating clients and managing additional configuration settings

1. On the Start menu, type Windows PowerShell. The Search window opens.
2. Right-click Windows PowerShell, and then on the context menu, click Run as administrator.
3. In the Windows PowerShell window, type the following command, and then press Enter:
4. On LON-DC1, on the taskbar, click File Explorer.
5. In File Explorer, navigate to E:\Labfiles\, and then verify that you can see the AdatumLayout.xml
file.

1. On LON-DC1, in Server Manager, on the Tools menu, click Group Policy Management.
2. In the Group Policy Management Console (GPMC), in the console tree, expand Forest: Adatum.com,
Domains, right click Adatum.com, and then on the context menu, click Create a GPO in this
domain, and Link it here.
3. In the New GPO window, in the Name box, type Adatum W10 Start menu, and then click OK.
4. In the console tree, under Adatum.com, you should see a new Adatum W10 Start menu Group
Policy Object (GPO). Right-click the GPO, and then on the context menu, click Edit. This opens the
Group Policy Management Editor. Maximize it by clicking the square icon in the upper-right corner of
the console.
5. In the console tree, expand User Configuration, expand Polices, expand Administrative
Templates, and then click Start Menu and Taskbar.
6. In the details pane, click the Setting heading bar to alphabetize the settings.
7. Scroll down, and then double-click Start Screen Layout. This opens the configuration pane for the
Start screen layout.
8. In the configuration pane, click Enabled, and then in the Start Layout File box below it, type
\\LON-DC1\e$\Labfiles\AdatumLayout.xml. In the Comment box, type A custom Start menu
developed on LON-CL1 with Notepad, and then at the bottom of the configuration pane, click OK.
Note: The file location must be a location to which all user accounts have read access.
9. Close the Group Policy Management Editor and the GPMC.

1. On LON-CL2, on the desktop, click Start in the lower-left corner. Note the tiles and their position on
the Start menu of LON-CL2.
2. Click the Administrator icon at the top of the Start menu, and then click Sign out.
3. After the sign-out is complete, sign back in to LON-CL2 as Adatum\Administrator with the
password Pa$$w0rd.
4. On LON-CL2, click the Start button. Examine the Start menu. It should have the custom Start menu
applied.
6. Attempt to pin an app to the Start menu. You should be unable to do that, as well.
 Task 2: Set a power plan to ensure that client computers do not hibernate
2. In the GPMC, in the console tree, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click London Clients, and then click Create a GPO in this domain, and
Link it here.
3. In the New GPO window, in the Name box, type PowerSettings, and then click OK.
Note: In the console tree, under the London Clients node, you should see a new
PowerSettings GPO.
4. Right-click PowerSettings, and then click Edit. The Group Policy Management Editor opens.
Maximize it by clicking the square icon in the upper-right corner of the console.
5. In the console tree, expand Computer Configuration, expand Polices, expand Administrative
Templates, expand Windows Components, and then click File Explorer.
6. In the details pane, double-click the Show hibernate in the power options menu item.
7. In the Show hibernate in the power options menu window, click Disabled, and then click OK.
8. In the console tree, expand Computer Configuration, expand Preferences, expand Control Panel
Settings, and then click Power Options.
9. Right-click in the empty Power Options details pane, and then click New, Power Plan (At least
Windows 7).
10. In the New Power Plan (At least Windows 7) Properties window, in the Action list, ensure that
Update is selected, and then select High performance.
11. Select the Set as the active power plan check box.
12. In the list of items, click the plus sign (+) next to Sleep, and then click the plus sign (+) next to
Hibernate after.
13. Click On Battery (minutes), click Plugged in (minutes), and then ensure that both values are
set to 0 (zero).
14. In the list, click the plus sign (+) next to Display, click the plus sign (+) next to Turn off display after,
and then in the list that appears below this option, click Plugged in (minutes). Change the minutes
value from 15 to 0 (zero), and then click OK.
15. Close the Group Policy Management Editor and GPMC windows.
16. On LON-CL2, right-click Start, click Shut down or sign out, and then click Restart.
17. After LON-CL2 restarts, sign in as Adatum\Administrator with the password Pa$$w0rd.
18. Right-click Start, and then on the context menu, click Control Panel.
19. In Control Panel, click Hardware and Sound, and then click Power Options.
20. You should have the High Performance power option selected. Click Change plan settings.
21. Note that the Turn off the display list is set to Never. This is applied from the zero minutes setting
that you configured in the GPO.
Results: After completing this exercise, you should have created a common Windows 10 Start menu and a
custom power plan.
Exercise 3: Create a client preferences GPO

 Task 1: Create and deploy a GPO to set client preferences for printers and mapped
drivers for Windows 10 users
1. On LON-DC1, in Server Manager, on the Manage menu, click Add Roles and Features.
2. In the Add Roles and Features Wizard, click Next three times.
3. On the Select server roles page, select the Print and Document Services check box. In the Add
Roles and Features Wizard dialog box that appears, click Add Features, and then click Next.
4. On the Select features page, click Next.
5. On the Print and Document Services page, click Next.
6. On the Select role services page, verify that the Print Server item is selected, and then click Next.
7. On the Confirm installation selections page, click Install. When the installation is complete, click
Close.
8. On LON-DC1, in Server Manager, click Tools, and then on the context menu, click Print
Management.
9. In the Print Management console tree, expand Print Servers, LON-DC1 (local), and then click
Printers.
10. Right-click Printers, and then click Add Printer. The Network Printer Installation Wizard opens.
11. In the Network Printer Installation Wizard, click Add a new printer using an existing port, and then
click Next.
12. On the Printer Driver page, ensure that the Install a new driver option is selected, and then
click Next.
13. On the Printer Installation page, in the Manufacturer section, scroll down, and then select KONICA
MINOLTA. In the Printer section, scroll down, select KONICA MINOLTA PS Color Laser Class
Driver, and then click Next.
14. On the Printer Name and Sharing Settings page, ensure that the Printer Name and Share name
boxes contain KONICA MINOLTA PS Color Laser by removing Class Driver, and then click Next.
15. On the Printer Found page, click Next.
16. When the wizard completes, on the Completing the Network Printer Installation Wizard page,
select the Add another printer check box, and then click Finish.
17. On the Printer Installation page, ensure that the Add a new printer using an existing port option
is selected. In the list next to it, select the LPT2: (Printer Port) item, and then click Next.
18. On the Printer Driver page, ensure that the Install a new driver option is selected, and then
click Next.
19. On the Printer Installation page, in the Manufacturer section, scroll down, select HP, accept the
first printer HP Color Laserjet 1600 Class Driver, and then click Next.
20. On the Printer Name and Sharing Settings page, ensure that the Printer Name and Share name
boxes contain HP Color Laserjet 1600 by removing Class Driver, and then click Next.
21. On the Printer Found page, click Next.
22. When the Completing the Network Printer Installation Wizard page appears, do not select any
check boxes, and then click Finish.
24. In the GPMC, in the console tree, expand Forest: Adatum.com, expand Domains, right-click
Adatum.com, and then on the context menu, click Create a GPO in this domain, and Link it here.
25. In the New GPO window, in the Name box, type ClientUserPreferences, and then click OK.
26. In the console tree, under the Adatum.com node, you should see a new ClientUserPreferences
GPO. Right-click this GPO, and then on the context menu, click Edit. The Group Policy Management
Editor appears. Maximize it by clicking the square icon in the upper-right corner of the console.
27. In the console tree, expand User Configuration, expand Preferences, and then click Windows
Settings.
28. Click the Drive Maps node. This opens the configuration pane for the drive maps.
29. Right-click in the empty details pane, and then on the context menu, click New, Mapped Drive.
30. In the New Drive Properties dialog box, in the Action list, select Update.
31. In the Location box, type \\LON-DC1\Labfiles.
32. In the Label as box, type IT Department Labfiles.

33. In the Drive letter section, ensure that the Use option is selected, and then in the list, select the drive
letter L.
34. In the Hide/show this drive section, select Show this drive.
35. Click the Common tab. In the Options common to all items section, select the Item-level
Targeting check box, and then click Targeting. The Targeting Editor appears.
36. In the Targeting Editor, select New Item in the list, and then on the context menu, click Security
Group.
37. Next to the Group box, click the ellipsis button (…).
38. In the Select Group window, in the Enter the object name to select box, type IT, and then click OK.
39. Verify that the User in group option is selected.
40. Select New Item in the list, and then on the context menu, click Computer Name.
41. Next to the Computer Name box, click the ellipsis button (…).
42. In the Select Computer window that appears, in the Enter the object name to select box, type
LON-CL1, and then click OK three times.
43. Right-click in the empty details pane, and then on the context menu, click New, Mapped Drive.
44. In the New Drive Properties dialog box, in the Action list, click Update.
45. In the Location box, type \\LON-DC1\Labfiles.
46. In the Label as box, type Marketing Group Labfiles.
47. In the Drive letter section, ensure that the Use option is selected, and then in the list, select the drive
letter L.
48. In the Hide/show this drive section, select the Show this drive option.
49. Click the Common tab. In the Options common to all items section, select the Item-level
Targeting check box, and then click Targeting. The Targeting Editor appears.
50. In the Targeting Editor, in the New Item list, select Security Group.
51. Next to the Group box, click the ellipsis button (…).
52. In the Select Group window, in the Enter the object name to select box, type Marketing, and then
click OK.
53. Verify that the User in group option is selected.
54. Select the New Item list, and then click Computer Name.
55. Next to the Computer Name box, click the ellipsis button (…).
56. In the Select Computer window that appears, in the Enter the object name to select box, type
LON-CL2, and then click OK three times.
57. In the Group Policy Management Editor, expand User Configuration, expand Preferences, expand
Control Panel Settings, and then click Printers.
58. Right-click in the Printers detail pane, and then click New, Shared Printer.
59. In the New Shared Printer Properties dialog box, in the Share path box, type \\LON-DC1
\KONICA MINOLTA PS Color Laser.
60. Select the Set this printer as the default printer check box.
61. Click the Common tab, select the Item-level targeting check box, and then click Targeting.
62. In the Targeting Editor, in the New Item list, select User.
63. Next to the User box, click the ellipsis button (…).
64. In the Select User window that appears, in the Enter the object name to select box, type Holly,
click OK three times.
65. Right-click in the Printers detail pane, and then click New, Shared Printer.
66. In the New Shared Printer Properties dialog box, in the Share path box, type \\LON-DC1
\HP Color Laserjet 1600.
67. Select the Set this printer as the default printer check box.
68. Click the Common tab, select the Item-level targeting check box, and then click Targeting.
69. In the Targeting Editor, in the New Item list, select User.
70. Next to the User box, click the ellipsis button (…).
71. In the Select User window that appears, in the Enter the object name to select box, type Kari, and
then click Check Names.
72. In the Multiple Names Found dialog box, select the first name, Kari Hensien, and then click OK four
times.
73. Close the Group Policy Management Editor.
 Task 2: Test the client preferences by signing in as different users

1. If you are not already signed into LON-CL1 as an administrator, sign in as Adatum\Administrator
with the password Pa$$w0rd.
2. On LON-CL1, on the taskbar, click the File Explorer icon.
3. Examine the folders. You should not have the mapped drive.

6. On the desktop, on the taskbar, click the File Explorer icon.
7. Click This PC and then examine the folders. You should have the mapped drive labeled as
IT Department Labfiles (L:).
8. Right-click Start in the lower left of the taskbar, and then on the context menu, click Control Panel.
9. In Control Panel, click Hardware and Sound, and then click Devices and Printers.
10. You should have the KONICA MINOLTA PS Color Laser on lon-dc1 printer in the Printers section.
KONICA MINOLTA PS Color Laser should have a green check mark showing that it is the default
printer.
12. Sign out of LON-CL2, if necessary.
14. On LON-CL2, on the taskbar, click the File Explorer icon.
15. Click This PC and then examine the folders. You should have the mapped drive labeled Marketing
Group Labfiles (L:).
16. Right-click Start in the lower left of the taskbar, and then on the context menu, click Control Panel.
17. In Control Panel, click Hardware and Sound, and then click Devices and Printers.
18. You should have the HP Color Laserjet 1600 on lon-dc1 printer in the Printers section. HP Color
Laserjet 1600 should have a green check mark showing that it is the default printer.

After you complete the lab, revert all virtual machines to their initial state by performing the following
steps:

4. Repeat steps 2 and 3 for 20695C-LON-CL1 and 20695C-LON-CL2.
Results: After completing this exercise, you should have signed in as different users on LON-CL1 and
LON-CL2 and verified the preferences that you configured.
L12-85
Module 12: Deploying Office 2016

Lab: Deploying Microsoft Office 2016 by
using the Office Customization Tool
Exercise 1: Using the Microsoft Office Customization Tool (OCT) to
customize a Microsoft Office 2016 deployment
 Task 1: Create a customized Office 2016 deployment file by using the OCT
1. On LON-DC1, on the taskbar, click the Windows icon.
2. On the Start screen, type Cmd.
3. In the Search column, right-click the Command Prompt item, and then click Run as administrator.
4. In the Administrator: Command Prompt window, type E:, and then press Enter. At the command
prompt, type the following command, and then press Enter:
cd e:\Labfiles\Office_Professional_2016
setup.exe /admin
6. After the OCT opens, in the Select Product window, ensure that the Create a new Setup
customization file for the following product radio button is selected, and the Product name
window displays Microsoft Office Professional Plus 2016 (64-bit), and then click OK.
7. On the Welcome page, click the Setup node.
8. In the Organization name text box, type Adatum.
9. In the left pane, select the Licensing and user interface subnode.
10. In the details pane, verify that the default Use KMS client key radio button is selected.
11. Select the I accept the terms in the License Agreement check box. In the Display level drop-down
list box, select Basic.
12. Select the Completion notice check box.
13. Select the No cancel check box.
14. In the left pane, select the Office Security settings node.
15. At the bottom of the details pane, click the Unsafe ActiveX initialization drop-down list box, and
then click Do not prompt and disable all controls.
16. In the left pane, click the Modify Setup properties item.
17. In the details pane, click the Add button.
18. In the Add/Modify Property Value pop-up, in the Name text box, type HIDEUPDATEUI, in the
Value text box, type TRUE, and then click OK.
19. In the Features area of the console tree, select the Modify user settings item.
20. In the settings tree in the middle pane, select and expand Microsoft Office 2016, expand Privacy,
and then select Trust Center.
L12-86 Deploying Office 2016
21. In the details pane, double-click Disable Opt-in Wizard on first run. In the Disable Opt-in Wizard
on first run Properties dialog box, click Enabled, and then click OK.
22. Return to the settings tree in the middle pane, and under Microsoft Office 2016, scroll to the last
folder, and then select First Run.
23. In the details pane on the right side, double-click Disable First Run Movie.
24. In the Disable First Run Movie Properties dialog box, click Enabled, and then click OK.
25. In the details pane on the right side, double-click Disable Office First Run on application boot.
26. In the Disable Office First Run on application boot Properties dialog box, click Enabled, and then
click OK.
27. In the left pane, select the Set feature installation states item, and then in the details pane, expand
Microsoft Office.
28. In the Microsoft Access node, click the disk icon. In the drop-down menu, click Not Available.
29. Repeat step 28 for Microsoft Publisher.
30. In the top bar menu, click File, and then click Save.
31. In the Save as pop-up window, in the File name text box, type \\LON-DC1\labfiles
\Office_Professional_2016\Updates\AdatumOffice.msp, and then click Save.
32. Click File, and then click Exit.
33. In the pop-up window that displays, Do you really want to quit now?, click Yes.
34. On the desktop, on the taskbar, click the File Explorer icon.
35. In Microsoft File Explorer, browse to e:\Labfiles\Office_Professional_2016\Updates.

36. In the Updates directory, verify that the AdatumOffice.msp file displays.
Results: At the end of this exercise, you should have created a customized Office 2016 deployment file.
Exercise 2: Deploying a customized version of Office 2016

 Task 1: Connect to network share as an authorized user and deploy Office 2016
2. On the taskbar, click the Windows icon.

3. In the Search box, type cmd.
4. In the Search column results, right-click Command Prompt, and then click Run as administrator.
5. At the command prompt, type the following commands, pressing Enter after each line:
Net use x: \\LON-DC1\Labfiles\Office_Professional_2016

X:
Setup.exe
Note: In a few moments, the Microsoft Office installation window opens and begins to
install Office 2016. Since you used the Basic option in the OCT, the progress displays without the
ability to cancel. After approximately 15 minutes, the installation will complete.
6. In the Microsoft Office Professional Plus 2016 window, click Close.
7. On the desktop, on the taskbar, click the Windows icon.
8. On the Start menu, click All apps.
Note: Notice that under the letter ‘A’, Microsoft Access is not installed. Scroll down to the
letter ‘P’ section and notice that Microsoft PowerPoint 2016 is on the menu, but Microsoft
Publisher 2016 is not.
9. Scroll down further, and click Word 2016.

10. In Microsoft Word, on the Recent page, double-click the Blank document icon.
Note: You can begin typing, and the First things first window does not appear.
 Task 2: Prepare for the end of the course

following steps:
4. Repeat steps 2 to 3 20695C-LON-CL2.
Results: At the end of this exercise, you should have successfully installed Office 2016 from the .msp file.

20695C ENU TrainerHandbook

Uploaded by

Copyright:

Available Formats

You might also like

20695C ENU TrainerHandbook

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

20695C ENU TrainerHandbook

Uploaded by

Copyright:

Available Formats

MCT USE ONLY.

STUDENT USE PROHIBITED

Product Number: 20695C

a. If you are a Microsoft IT Academy Program Member:

b. If you are a Microsoft Learning Competency Member:

d. If you are an End User:

e. If you are a Trainer.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject

11. APPLICABLE LAW.

This limitation applies to

LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES

Revised July 2013

David Susemiehl – Content Developer

Dave Franklyn – Subject Matter Expert

Gary Dunlop – Subject Matter Expert

Orin Thomas – Subject Matter Expert

Michael Buchardt – Subject Matter Expert/Content Developer

Mark Wheatley – Technical Reviewer

Lesson 1: Overview of the enterprise desktop life cycle 1-2

Lesson 2: Assessing readiness for a desktop deployment by using

Lesson 3: Assessing deployment readiness by using MAP 1-20

Lab: Assessing the network environment for supporting operating system

Module Review and Takeaways 1-28

Module 2: Determining operating system deployment strategies

Lesson 5: Using a zero touch deployment strategy 2-19

Lesson 6: Alternative deployment strategies for Windows desktops 2-22

Module Review and Takeaways 2-35

Module 3: Assessing application compatibility

Lesson 2: Mitigating application compatibility issues 3-11

Lesson 3: Using ACT to address application compatibility issues 3-18

Lab: Assessing application compatibility 3-26

Module Review and Takeaways 3-30

Module 4: Planning and implementing user state migration

Lesson 1: Overview of user state migration 4-2

Lesson 2: Overview of USMT 10.0 4-7

Lesson 3: Planning user state migration 4-11

Lesson 4: Migrating user state by using USMT 4-22

Lab: Planning and implementing user state migration 4-39

Module Review and Takeaways 4-45

Module 5: Determining an image management strategy

Lesson 1: Overview of the Windows image file format 5-2

Lesson 2: Overview of image management 5-7

Lab: Determining an image management strategy 5-14

Module 6: Preparing for deployments by using the Windows ADK

Lesson 1: Overview of the Windows Setup and installation process 6-2

Lab A: Preparing the imaging and Windows PE environment 6-18

Lesson 3: Using Windows SIM and Sysprep to automate and prepare an

Lesson 4: Capturing and servicing a reference image by using DISM 6-36

Lesson 5: Using the Windows ICD 6-47

Lab D: Using the Windows ICD 6-59

Module Review and Takeaways 6-63

Module 7: Supporting PXE-initiated and multicast operating system

Lesson 1: Overview of PXE-initiated and multicast operating system

Lesson 2: Installing and configuring the Windows DS environment 7-11

Lab: Configuring Windows DS to support PXE and multicast operating system

Module Review and Takeaways 7-25

Module 8: Implementing operating system deployment by using the MDT

Lesson 1: Planning for the MDT environment 8-2