Add Updates to Windows 10 Images

Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative update into my Windows 10 image (install.wim).

Here are the steps that I completed:

  1. md C:\mount\Windows
    Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
    Dism /Add-Package /Servicing/Image:C:\Servicing\mount\Windows /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath C:\Servicing\AddPackage.log
    Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit

Once completed the Windows 10 WIM image will have the latest cumulative update installed.

PowerShell – Configure Active Directory Permissions to Join Computer to the Domain

In order for MDT to join machines into the domain you need to create an account and configure permissions in Active Directory.

These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample Set-OUPermissions.ps1 script and copied it to C:\Setup\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

  1. On DC01, using Active Directory User and Computers, browse to / Contoso / Service Accounts.
  2. Select the Service Accounts organizational unit (OU) and create the MDT_JD account using the following settings:
    1. Name: MDT_JD
    2. User logon name: MDT_JD
    3. Password: P@ssw0rd
    4. User must change password at next logon: Clear
    5. User cannot change password: Select
    6. Password never expires: Select
  3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press Enter after each command:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    Set-Location C:\Setup\Scripts
    .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
  4. The Set-OUPermissions.ps1 script allows the MDT_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted:
    1. Scope: This object and all descendant objects
      1. Create Computer objects
      2. Delete Computer objects
    2. Scope: Descendant Computer objects
      1. Read All Properties
      2. Write All Properties
      3. Read Permissions
      4. Modify Permissions
      5. Change Password
      6. Reset Password
      7. Validated write to DNS host name
      8. Validated write to service principal name

Decrypt Drive Then Wait Till Complete

I need to decrypt the D drive on devices performing a REFRESH task sequence. It is one thing to decrypt it, and another to wait till it has finished. This script will wait till the whole drive is decrypted.

I modified the PowerShell script from and it preformed perfectly.

Find and replace the C: with the drive letter. Then add into the task sequence.

Here is the script in case the page disappears:

$ComputerName = “.”
$BitLockerDrive = Get-Wmiobject -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -ComputerName $ComputerName -Filter “DriveLetter=’C:'”
$Status = $BitLockerDrive.GetConversionStatus()
if ($Status.ConversionStatus -eq 0) {
elseif ($Status.ConversionStatus -eq 1) {
    Invoke-Command {manage-bde.exe -off C:}
    Start-Sleep 3
    do {
        $BitLockerDrive = Get-Wmiobject -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -ComputerName $ComputerName -Filter “DriveLetter=’C:'”
        $Status = $BitLockerDrive.GetConversionStatus()
        Start-Sleep 15
    until ($Status.ConversionStatus -eq 0)
if ($Status.ConversionStatus -eq 0) {

Michael Niehaus Notes from TechEd North America

As we were going through our TechEd North America deployment pre-conference today, we showed a lot of links for pages of interest.  Here is a list of those (at least the ones I remembered):

Also, be sure to look for the session slides on