Call4Cloud | MMP-C | Autopilot | Device Preparation

Building a Windows 7 Image

Patch My Pc | install & update thousands of apps

Although Windows 7 end of life is rapidly approaching (see Windows lifecycle fact sheet for details), a lot of organizations are still deploying it. There’s nothing wrong with this in and of itself unless you are spedning way too much time building and maintaining your images. Below I pesent my standard steps for building a clean Windows 7 image — “clean” because I highly recommend that you always use a clean image built on a clean reference system instead of trying to layer on and re-sysypreping  a reference system.

[ms_alert icon=”fa-pencil” background_color=”#00274c” text_color=”#f5f5f5″ border_width=”0″ border_radius=”2″ box_shadow=”no” dismissable=”no” class=”” id=””]Updated 2 September 2017 to include other optional hotfixes.[/ms_alert]

What You’ll Need

Each of the above is available for both x86 and x64. If you are creating images for both architectures, then you’ll have two sets of files and will need to adjust the following steps appropriately to account for this.

[ms_panel title=”Other Optional Updates” title_color=”#f5f5f5″ border_color=”#00274c” title_background_color=”#00274c” border_radius=”2″ class=”” id=””]The other [optional] updates can also be added during your build and capture task sequence or deployment task sequence using the same process as in Injecting .NET Framework 3.5 During a Windows 10 Task Sequence and Deploying Windows 7 to systems with NVMe drives. It’s totally debatable as to which is better and I’m not sure if there really is a right or wrong answer for these updates.
It’s kind of strange that those listed above aren’t included in the Windows 7 quality rollups as the whole point of the rollups was to make sure everyone is on the same baseline version of Windows including hotfixes. It is what it is though.[/ms_panel]

Step 1: Prepare the update files

  1. Create a top level folder and a sub-structure to contain all of the files. For this example I created the following:
    • Win7-ImageBuild
      • April 2015 servicing stack update for Windows 7
      • Convenience rollup update for Windows 7 SP1
      • Cumulative security update for Internet Explorer 11
      • Image
      • Internet Explorer 11
      • Internet Explorer 11 Prereqs
      • Monthly Win 7 Rollup
      • Mount
      • Other
      • Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7
  2. Mount the Windows 7 Service Pack 1 media and copy the image.wim file from the sources sub-directory — it’s the largest file and easy to find. Alternatively, use a tool like 7-zip to simply extract this file.
    • Rename image.wim to something meaningful like Win7-SP1-Ent-x64-media-Aug2017.wim. Note that aug2017 in the file name reflects when we are updating the image so that you can distinguish it from past builds and know when you created it.
    • Move the .wim file to the Image sub-folder.
  3. Extract the Internet Explorer 11 files to the Internet Explorer 11 sub-folder.
    • IE11-Windows6.1-x64-en-us.exe /x:<fullpath>\Win7-ImageBuild\Internet Explorer 11
  4. Copy the “other” updates to the Other sub-folder.
  5. Copy the rest of the .msu files into their appropriate folders.

Step 2: Use DISM to update the Image

You can do this manually or with a simple batch script. I prefer the later. Order is very important here as some of these updates have dependencies on the other updates.

Here’s a simple batch file that will get the job done in the correct order based on the folder names I have above. This batch file assumes that it (the batch file itself) exists in the Win7-ImageBuild folder and is run from there.

dism /mount-wim /wimfile:"%~dp0Image\Win7-SP1-Ent-x64-media-Aug2017.wim" /mountdir:"%~dp0Mount" /index:1
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11 Prereqs"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11\IE-Win7.CAB"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11\IE-Hyphenation-en.MSU"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Internet Explorer 11\IE-Spelling-en.MSU"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0April 2015 servicing stack update for Windows 7\Windows6.1-KB3020369-x64.msu"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Convenience rollup update for Windows 7 SP1\windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Monthly Win 7 Rollup"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Cumulative security update for Internet Explorer 11"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7"
dism /image:"%~dp0Mount" /add-package /packagepath:"%~dp0Other" 
dism /unmount-wim /mountdir:"%~dp0Mount" /commit

The above will take a little while to run, but when it’s done, you’ll have an up to date, clean Windows 7 image that you can now use in your build and capture process.

Step 3: Import into Configuration Manager

See the Add operating system images to Configuration Manager section on the Manage operating system images with System Center Configuration Manager page if you need help with this.

Step 4: Create and use in a build and capture task sequence to produce a final image

A lot of folks will want to use the image created in step 2 above and directly deploy it. I discourage this practice for two main reasons.

1. There are still other items to include before it’s enterprise ready IMO. Unfortunately, these items cannot be as easily injected into the image as above. These additional items include the following:

  • Visual C++ Runtimes (both x86 and x64 if the image is x64)
  • .NET Framework 4.7
  • Windows Management Framework (WMF) 4.0 (this includes PowerShell 4.0)
  • Windows Management Framework (WMF) 5.0 (this includes PowerShell 5.0 and requires that WMF 4.0 be installed first)
  • Other common runtimes, libraries, or software that must or should exist on all systems.

Be wise and shrewd on the last item above. I’m not advocating for a fat image but I don’t rule them out either. In general, many organizations end up somewhere in the middle between fat and thin based upon their own unique organizational requirements, desires, and whims.

2. Update injection using DISM doesn’t necessarily install the updates. In general, it simply queues them up to be installed or finalized during Windows setup. This adds time and overhead to a process using and deploying the image. Running the image through a build and capture initiates Windows setup and finishes any remaining installations or tasks associated with the injected updates.

Step 5: Repeat as necessary with newer updates

You really shouldn’t have to repeat this process very often. The image created from step 2 or your build and capture task sequence can always have additional updates injected into using Offline Servicing in Configuration Manager. Doing this is usually pretty painless and simply takes a little bit of time. However, if you use the batch file above and a [fully automated] build and capture task sequence, then rebuilding the image using the above procedure (and any more current updates) won’t take much effort either and will also just take some time to complete. It’s your choice which way you go or how often you start clean.

11 thoughts on “Building a Windows 7 Image

  1. Nice post, thanks 🙂

    Are the 3 “other [optional] Hotfixes” listed in there not included in KB3125574 (Convenience Rollup)?

  2. Hi Jason,
    Thanks for your article, which I use for our Windows Server 2008 R2 (incl. SP1) Enterprise OS Deployment.
    Is the Enterprise Rollup Hotfix kb2775511 after all these updates still necessary or not ?

    1. It is not needed as it is included in the Convenience Rollup — actually, all of the updates in 2775511 are included in the Convenience Rollup so 2775511 is not explicitly needed anymore.

  3. Another question, Jason!

    I create our Reference Images with MDT 8443 (and ADK 1607) and want to get an image for Windows Server 2012 R2 with the latest Microsoft Updates as you described in this article for Windows 7.
    Do you know which Updates are necessary (dependencies) for just including the latest CU? (KB4038792 is the actual version from september 12, 2017).
    I use the so-called November Update ISO Version from Windows Server 2012 R2 – which means KB2919355 is included – as a baseline.

    Thanks for your support.
    But just include the latest CU from Microsoft does not work for me

    1. Hi Peter,

      I can’t say I’ve tried explicitly with Server 2012 R2 so don’t know the full answer here. I see if I can research it a bit and get an answer.

    1. To my knowledge and IME, it needs to be installed before any recent CUs. While writing this post I tried a few different permutations (not all of them of course) and it was definitely required.

  4. Hi Jason,

    Do you mean I have to install/integrate the latest monthly rollup and then the Convenience Rollup?

    I copied all the msu files to one folder and use dism to add them to the wim file and then got the pending issue while some msu files can not be added.

Leave a Reply

Your email address will not be published. Required fields are marked *

3  +  7  =  

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.