Hi everyone, my name is Nicholas Jones, System Center Configuration Manager Premier Field Engineer, and I’d like to share some work I’ve been doing on building and capturing images. You might be a little surprised to see a blog post on building Windows 7 images on an official Microsoft blog. Make no mistake: we recommend our customers switch to Windows 10 to take advantage of huge advancements in security.
While we advise our customers to switch to our most secure platform, Windows 10, we realize many of you must support and deploy Windows 7 while your migration projects are underway. If that is the case, we want to ensure you’re deploying Windows 7 with all needed security updates.
Second to the security conversation, there is potential to save your company some serious man-hours. Imagine your company is deploying roughly 100 Windows 7 instances per week. Now imagine installing dozens of updates, on the fly, during or after that process. That could easily add 30 minutes to each deployment. Multiply that by 100, and well, you can do the math…
I’ll be using System Center Configuration Manager for this tutorial, mainly because that’s my specialty, but these instructions can be adapted for other products. I realize many people use MDT to build their images, so that they can customize the default user profile and maybe for other reasons. The goal of this exercise is to have a deployable Windows 7 image that minimizes, if not completely eliminates, the updates required from Microsoft Update. This article does assume that you have a working knowledge of Operating System Deployment in Configuration Manager, so I won’t be covering things like content distribution and creating task sequence deployments.
Sounds simple, right? Let’s get started.
First, we will need a copy of Windows 7 SP1. You can grab the ISO from your Volume Licensing Site. Make sure you have the SP1 copy and not RTM. In the Configuration Manager console, we will need to copy the install.wim file from the ISO to our source share, like in the screenshot below. The exact path you use will vary with your environment.
We’ll import that WIM to Configuration Manager, and name it something like “Windows 7 SP1 x86 – Original”. Any name is fine, but make sure it’s obvious this image is only used for building and capturing reference images. You wouldn’t want to slip this into a production task sequence.
After our image imports, we can move on to creating the task sequence. Go through the steps of creating a basic build and capture task sequence and make sure to reference the image we just imported. It will look like this when you’re done:
So, why can’t we stop here? Because there have been so many dramatic changes to Windows 7 over the years, it’s going to take a few special steps to make sure our build and capture actually works. The Install Updates step simply will not install the hundreds of updates you would need. On top of that, the Windows Update Agent that is built into the original Windows 7 SP1 media may not work reliably. There is also the change to Windows servicing that happened late last year and the convenience update we released, so we’re going to use those to our advantage.
Here is the complete task sequence (ignore the disabled Capture section):
Let’s talk about the logic here and walk through the steps.
The first custom section you’ll notice is called “Install standalone updates”. The goal here is to get the convenience update installed, and to get a decently modern Windows Update Agent installed. The convenience update requires a servicing stack update, so we’re installing that first.
…next is the convenience update.
…and finally, we have the March 2016 WUA. (If you come across a newer WUA, use that instead.) You’ll want to follow this with a restart.
You’ll also notice that I’m installing KB3177467 at the end of this group. Due to a known issue when installing this update with other updates, I really did not have much success with this project until I separated this update from the others.
So far, things are straightforward. What comes next is a little odd and specific to Configuration Manager, so hopefully I can explain this well enough. I wanted to create two groups of updates to install during this build and capture. I want one group to go first, then a second group to be evaluated last. The logic behind this is to apply whichever Security Monthly Quality update is available first, then apply all of the remaining updates that are needed.
I create two Software Update Groups (SUG) for this.
“Windows 7 Build Required” contains the latest Security Monthly Quality update (January 2017 at the time of this writing). I want this update to apply before any other updates, so it’s deployed to my build collection as required.
“Windows 7 Build” consists of all the remaining updates that the image needs, post convenience update and Security Monthly Quality update. I want to apply these last, so I deploy it as available.
Back to the task sequence:
Install Updates 1 and 2 are set to install only required updates. This ensures we’re only looking at the small update group which contains the monthly update. I repeat this step twice, just in case I add some updates to that group later which are prerequisites for other updates in the same group. If you’re only installing the monthly rollup, you can remove the second group of ‘Install Update, Set TS Variable, Restart Computer’.
On the third through fifth steps, I’m checking for all software updates. This allows the process to check the remaining updates after the monthly rollup has been installed.
I repeat this three times to catch all of the updates. The Set Task Sequence Variable steps set SMSTSWaitForSecondReboot to 600, just in case I’m running into a Configuration Manager specific problem with updates requiring two restarts.
Identifying the updates that are needed in that second group is tough. You could run through this process with only the ‘required’ updates, then perform a scan and see what is left. That is the method I used. It’s tedious, but it works. If you have a better solution, let me know in the comments.
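The “scan and see what is left” step described above, as an added PowerShell example that is not part of the original post: it asks the Windows Update Agent on a freshly built reference machine which software updates it still considers missing and writes the KB numbers to a CSV, so the “Windows 7 Build” group can be populated from that list. The report path is an assumption; the script uses only the WUA COM API (Microsoft.Update.Session) and PowerShell 2.0 syntax, which is what Windows 7 SP1 media ships with.

```powershell
# Added example, not code from the original post: ask the Windows Update Agent
# which software updates it still considers missing, so the leftovers can be
# added to the "Windows 7 Build" update group. PowerShell 2.0 compatible.
param(
    [string]$ReportPath = "$env:SystemDrive\MissingUpdates.csv"   # assumed path
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# 1 = ssManagedServer: scan against the WSUS server the ConfigMgr client
# configured (the software update point), not against Microsoft Update.
$searcher.ServerSelection = 1

# Software updates that are neither installed nor hidden.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
if ($result.ResultCode -ne 2) {      # 2 = orcSucceeded
    throw "Update search did not succeed (ResultCode $($result.ResultCode))"
}

$missing = @()
foreach ($update in $result.Updates) {
    $kbs = @()
    foreach ($id in $update.KBArticleIDs) { $kbs += "KB$id" }
    $missing += New-Object PSObject -Property @{
        KB       = ($kbs -join ';')
        Title    = $update.Title
        Severity = $update.MsrcSeverity
        # RebootBehavior: 0 never reboots, 1 always requires, 2 can request
        Reboot   = $update.InstallationBehavior.RebootBehavior
    }
}

$missing | Sort-Object KB | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Output ("{0} update(s) still missing; list written to {1}" -f $missing.Count, $ReportPath)
```

Run it on the reference machine after the required-only build completes, and compare the CSV against a later run to confirm the group you built actually closes the gap.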
Wrapping up the task sequence, I have an additional group for any updates that didn’t install previously. This could be because the update was not released to the WSUS channel, or because it is problematic when installed alongside other updates. These are the ones I came up with. If you find more, you could add them to this group.
They simply call the WUSA command to install the updates, followed by a restart, sysprep, and image capture.
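The final group’s WUSA steps, as an added PowerShell example that is not from the original post: one Run Command Line-style script that installs every .msu in a staging folder with wusa.exe /quiet /norestart, skips KBs that Get-HotFix already reports, and maps wusa’s exit codes so a failed or inapplicable update is not silently treated as success. The folder path is assumed; the script exits 3010 (the standard “success, reboot required” code that the Run Command Line step accepts as success) when any update asked for a restart, leaving the reboot to the Restart Computer step that follows.

```powershell
# Added example, not code from the original post: install the leftover .msu
# files the post puts in its final group, skipping KBs that are already
# present and translating wusa.exe's exit codes. PowerShell 2.0 compatible.
param(
    [string]$MsuFolder = "$env:SystemDrive\Updates"   # assumed staging folder
)

$installed  = Get-HotFix | ForEach-Object { $_.HotFixID }
$needReboot = $false
$failed     = 0

foreach ($msu in Get-ChildItem -Path $MsuFolder -Filter *.msu) {
    # The KB number sits in the file name, e.g. Windows6.1-KB3177467-x86.msu
    $kb = $null
    if ($msu.Name -match 'KB\d+') { $kb = $Matches[0] }

    if ($kb -and ($installed -contains $kb)) {
        Write-Output "$kb already installed, skipping $($msu.Name)"
        continue
    }

    # /norestart: a reboot in the middle of the step would break the task
    # sequence; the Restart Computer step that follows handles it instead.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru

    switch ($proc.ExitCode) {
        0           { Write-Output "$($msu.Name): installed" }
        3010        { Write-Output "$($msu.Name): installed, reboot required"; $needReboot = $true }
        2359302     { Write-Output "$($msu.Name): already installed (WU_S_ALREADY_INSTALLED)" }
        -2145124329 { Write-Output "$($msu.Name): not applicable to this image (WU_E_NOT_APPLICABLE)" }
        default     {
            Write-Warning ("{0}: wusa returned {1} (0x{1:X8})" -f $msu.Name, $proc.ExitCode)
            $failed++
        }
    }
}

if ($failed -gt 0) { exit 1 }      # surface real failures to the task sequence
if ($needReboot)   { exit 3010 }   # "success, reboot required"
exit 0
```

Call it from a Run Command Line step as `powershell.exe -ExecutionPolicy Bypass -File <script path>` so the exit code reaches the task sequence engine.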
Remember, the goal of this blog was simply to be able to create a Windows 7 image that would minimize or eliminate any updates needed during or immediately after deployment. There could still be hotfixes or other updates that you should install.
If you have any success stories, suggestions, or other comments that relate to this writing, please share them. Also, please let me know if you find updates that were missed. I hope to keep this article updated over time.