Although Windows 7 end of life is rapidly approaching (see Windows lifecycle fact sheet for details), a lot of organizations are still deploying it. There’s nothing wrong with this in and of itself unless you are spedning way too much time building and maintaining your images. Below I pesent my standard steps for building a clean Windows 7 image — “clean” because I highly recommend that you always use a clean image built on a clean reference system instead of trying to layer on and re-sysypreping a reference system.
What You’ll Need
- Windows 7 Service Pack 1 media
- It’s very important that its the SP1 media.
- Pro or Enterprise doesn’t matter.
- Internet Explore 11 prerequisite updates
- There are 9 .msu files in total.
- Internet Explorer 11
- The April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2
- The Convenience rollup update for Windows 7 SP1 and Windows Server 2008 R2 SP1
- The latest Windows 7 monthly rollup.
- As of August 2017, this is KB4034664.
- The latest cumulative update for Internet Explorer 11
- As of August 2017, this is KB4025252.
- The latest security and quality rollup for .NET framework 3.5.1
- As of August 2017, this KB4019112.
- Other [optional] hotfixes required for your environment. Possibilities include the following:
Each of the above is available for both x86 and x64. If you are creating images for both architectures, then you’ll have two sets of files and will need to adjust the following steps appropriately to account for this.
Other Optional Updates
It’s kind of strange that those listed above aren’t included in the Windows 7 quality rollups as the whole point of the rollups was to make sure everyone is on the same baseline version of Windows including hotfixes. It is what it is though.
Step 1: Prepare the update files
- Create a top level folder and a sub-structure to contain all of the files. For this example I created the following:
- April 2015 servicing stack update for Windows 7
- Convenience rollup update for Windows 7 SP1
- Cumulative security update for Internet Explorer 11
- Internet Explorer 11
- Internet Explorer 11 Prereqs
- Monthly Win 7 Rollup
- Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7
- Mount the Windows 7 Service Pack 1 media and copy the image.wim file from the sources sub-directory — it’s the largest file and easy to find. Alternatively, use a tool like 7-zip to simply extract this file.
- Rename image.wim to something meaningful like Win7-SP1-Ent-x64-media-Aug2017.wim. Note that aug2017 in the file name reflects when we are updating the image so that you can distinguish it from past builds and know when you created it.
- Move the .wim file to the Image sub-folder.
- Extract the Internet Explorer 11 files to the Internet Explorer 11 sub-folder.
- IE11-Windows6.1-x64-en-us.exe /x:<fullpath>\Win7-ImageBuild\Internet Explorer 11
- Copy the “other” updates to the Other sub-folder.
- Copy the rest of the .msu files into their appropriate folders.
Step 2: Use DISM to update the Image
You can do this manually or with a simple batch script. I prefer the later. Order is very important here as some of these updates have dependencies on the other updates.
Here’s a simple batch file that will get the job done in the correct order based on the folder names I have above. This batch file assumes that it (the batch file itself) exists in the Win7-ImageBuild folder and is run from there.
dism /mount-wim /wimfile:"%~dp0Image\Win7-SP1-Ent-x64-media-Aug2017.wim" /mountdir:"%~dp0Mount" /index:1 dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11 Prereqs" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11\IE-Win7.CAB" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11\IE-Hyphenation-en.MSU" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11\IE-Spelling-en.MSU" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0April 2015 servicing stack update for Windows 7\Windows6.1-KB3020369-x64.msu" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Convenience rollup update for Windows 7 SP1\windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Monthly Win 7 Rollup" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Cumulative security update for Internet Explorer 11" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7" dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Other" dism /unmount-wim /mountdir:"%~dp0Mount" /commit
The above will take a little while to run, but when it’s done, you’ll have an up to date, clean Windows 7 image that you can now use in your build and capture process.
Step 3: Import into Configuration Manager
See the Add operating system images to Configuration Manager section on the Manage operating system images with System Center Configuration Manager page if you need help with this.
Step 4: Create and use in a build and capture task sequence to produce a final image
A lot of folks will want to use the image created in step 2 above and directly deploy it. I discourage this practice for two main reasons.
1. There are still other items to include before it’s enterprise ready IMO. Unfortunately, these items cannot be as easily injected into the image as above. These additional items include the following:
- Visual C++ Runtimes (both x86 and x64 if the image is x64)
- .NET Framework 4.7
- Windows Management Framework (WMF) 4.0 (this includes PowerShell 4.0)
- Windows Management Framework (WMF) 5.0 (this includes PowerShell 5.0 and requires that WMF 4.0 be installed first)
- Other common runtimes, libraries, or software that must or should exist on all systems.
Be wise and shrewd on the last item above. I’m not advocating for a fat image but I don’t rule them out either. In general, many organizations end up somewhere in the middle between fat and thin based upon their own unique organizational requirements, desires, and whims.
2. Update injection using DISM doesn’t necessarily install the updates. In general, it simply queues them up to be installed or finalized during Windows setup. This adds time and overhead to a process using and deploying the image. Running the image through a build and capture initiates Windows setup and finishes any remaining installations or tasks associated with the injected updates.
Step 5: Repeat as necessary with newer updates
You really shouldn’t have to repeat this process very often. The image created from step 2 or your build and capture task sequence can always have additional updates injected into using Offline Servicing in Configuration Manager. Doing this is usually pretty painless and simply takes a little bit of time. However, if you use the batch file above and a [fully automated] build and capture task sequence, then rebuilding the image using the above procedure (and any more current updates) won’t take much effort either and will also just take some time to complete. It’s your choice which way you go or how often you start clean.