How to create an automated install for Windows Server 2019

If you want to automate a Windows install, you must create a .XML file containing the responses to any prompts for input. Microsoft provides a tool to create these .XML files. It's called the Windows System Image Manager (WSIM). WSIM is port of the Windows Assessment and Deployment Kit (Windows ADK). You can get the Windows ADK via https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

The Windows System Image Manager is fairly complicated to use and it requires a Windows machine. Since I don't use WSIM very often, I'm documenting the settings I use most frequently when I create a new .XML response file.

Installing the Windows System Image Manager (WSIM)

You'll need a Windows machine to run Windows System Image Manager. I use a Windows virtual machine on my Mac that I created with VMware Fusion. The WSIM tool doesn't require many resources to run. I find that WSIM runs just fine a virtual machine with 1 processor core and 2GB of memory.

Download the Windows Assessment and Deployment Kit to get the WSIM install.

The only feature you need to select is Deployment Tools to install the Windows System Imagne Manger (WSIM).

Next download and install the Windows Assessment and Deployment Kit for Windows 8.1 Update and follow the installation instructions to update your install. This update is required to fix issues reading the install.wim files for Windows Server 2019 and Windows 8.1.

Create and select a Windows catalog file

Next grab a copy of the ISO for the version of Windows you want to install. You'll need to create a catalog (.CLG) file from the install.wim file located in the image. A catalog file is a small file that contains an index of all the files in the install.wim. That way you can choose packages and components to install without needing to the 5-7GB install.wim file. Also, you can store a .CLG file in source control as they are only around 1-2MB in size.

Mount the Windows ISO. Under the \sources subdirectory, you should find the install.wim file.

Copy that install.wim file to a local drive that has read-write access. If you don't and try to index the .wim file on the read-only mount, you'll get this lovely error.

To index the install.wim and create a .CLG file, launch Windows System Manager - you'll find it under the Windows Kits folder on your start menu.

Choose File > Select Windows Image... from the Windows System Image Manager menu:

Then open the install.wim file for the version of the Windows install you wish to automate.

Some versions of Windows include multiple installs. If so, you will be prompted to choose the correct one:

Then Windows System Manager will prompted to get elevated permissions to create the catalog file:

If you see this error, make sure you copy the install.wim file to a writeable location, like your Desktop (I warned you earlier!):

It will take MANY minutes to index all the files in the install.wim. Go and get a coffee. Once the indexing is done, you'll see the Components and Packages in the Windows Image page of WSIM:

I would recommend storing the .CLG files in source control alongside your .XML response files. You'll need the corresponding .CLG file for the version of Windows to add anything new to a .XML response file in WSIM.

You'll find the .clg file created in the same directory as your install.wim. That's why WSIM needed a writeable location.

I like to put my .clg under the same absolute path \wsim so multiple people can edit the WSIM .XML files stored in source control. The WSIM tool uses absolute paths in .clg files not relative ones. I would also recommend taking the time hit and creating a whole batch of .clg files for your .iso so you don't have to remember where you got it originally when created the .clg file.

Testing your .XML response file

You'll need to create a floppy disk image on which to place your test autounattend.xml file.

Download a blank floppy disk image from here: https://forums.virtualbox.org/download/file.php?id=4594

Mount it on your Mac, copy in your autounattend.xml then unmount.

In a Windows image with your Windows ISO, add a floppy, selecting your unattend.img file with the autounattend.xml file on it.

When you boot your Windows ISO it will read the settings in the autoaunttend.xml file on the floppy.

WSIM Settings to make a Windows Server 2019 install completely silent

You must configure the following settings to make a Windows Server 2019 install completely silent.

• Create a new answer file with File > New Answer File in WSIM.
• File > Save Answer File as autounattend.xml

The Components foler will be filled with blank components, as shown:

The following the directions to create sections for each action:

• Disable the language and other preferences dialog
• Disable the product key prompt
• Disable the Select Operating System dialog
• Disable the EULA dialog
• Disable the Disk Allocation dialog
• Disable the Administrator password prompt

Disabling the Language and other preferences dialog

The settings in this section will provide input to the language and other preferences prompt:

In the Windows Image pane, select the component amd64_Microsoft-Windows-International-Core-WinPE_10.0.17763.1_neutral. Right-click and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

Disabling the Product Key dialog

The settings in this section will disable prompts for a product key.

In the Windows Image pane, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on UserData/ProductKey and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

If you are using volume licensed edition of Windows, you can use one of the KMS Client Setup Keys listed here: https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys Using a KMS key is also a great way to test your automation.

Disabling the Select Operating System dialog

The settings in this section will provide input to the Select Operating System dialog:

In the Windows Image page, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on ImageInstall/OSImage/InstallFrom/Metadata and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

NOTE: Make sure the /IMAGE/NAME value matches the Windows Server 2019 image flavour you selected. Possible values are:

• Windows Server 2019 SERVERDATACENTER
• Windows Server 2019 SERVERDATACENTERCORE
• Windows Server 2019 SERVERSTANDARD
• Windows Server 2019 SERVERSTANDARDCORE

Disabling the EULA dialog

The settings in this section will provide input to the EULA dialog:

In the Windows Image page, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on UserData and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

Disabling the Disk Allocation dialog

The settings in this section will provide input to the Disk Allocation dialog:

You'll need to allocate disk differently depending on whether you are using a UEFI-based PC or BIOS-based PC. Most modern PCs (and virtual machines) are UEFI-based.

Disabling the Disk Allocation dialog (UEFI/Secure Boot)

Here's the default partition layout for UEFI-based machines:

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions

• The EFI System partition (ESP) must be formatted using the FAT32 filesystem. For drives that are using 4K native sectors, the minimum size is 260MB. For 512 byte sector drives, you can get away with using 100MB for the ESP.
• You must use UEFI disk allocation if you are using Advanced Format 4Kn drives.
• The recommended size for the Microsoft reserved partition (MSR) is 16MB.
• The MSR is used to help with partition management. The MSR is a reserved partition that does not receive a partition ID. It cannot store user data.
• Recovery partition is optional. We won't provision it in this example.

In the Windows Image pane, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on DiskConfiguration/Disk and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

In the Windows Image pane, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on DiskConfiguration/Disk/CreatePartitions/CreatePartition and choose Add Setting to Pass 1 windowsPE.

In the Answer File Pane, right-click on DiskConfiguration/Disk/CreatePartition and choose Insert New CreatePartition from the menu.

Using the Answer File Properties and Settings panes, configure the following settings in CreatePartition (Order = "1"):

Right click on CreatePartitions in the Answer File window and choose Insert New CreatePartition to add the SYS partition. Using the Answer File Properties and Settings panes, configure the following settings:

Right click on CreatePartitions in the Answer File window and choose Insert New CreatePartition to add the Primary partition. Using the Answer File Properties and Settings panes, configure the following settings:

NOTE: Don't worry about getting the size exact - just set it to a reasonable minimum. In the next setting, we will extend the partition to fill all remaining disk space on the drive.

In the Windows Image pane, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on DiskConfiguration/Disk/ModifyPartitions/ModifyPartition and choose Add Setting to Pass 1 windowsPE.

Right click on ModifyPartitions in the Answer File window and choose Insert New ModifyPartition to add the Primary partition. Using the Answer File Properties and Settings panes, configure the following settings:

Right-click on DiskConfiguration/Disk/ModifyPartitions/ModifyPartition and choose Add setting to Pass 1 windowsPE. Using the Answer File Properties and Settings panes, configure the following settings:

In the Windows Image pane, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on ImageInstall/OSImage/InstallTo and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

Disabling the Disk Allocation dialog (Legacy BIOS)

Here's the default partition layout for legacy BIOS machines:

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-biosmbr-based-hard-drive-partitions

• Each bootable drive must contain a system partition. The system partition must be configured as the active partition.
• The minimum size of the System partition is 100 MB. On Windows 2016 the recommended System Reserved Partition size is 500 MB.
• The Windows partition must be at least 20 GB in size and formatted using the NTFS file system.
• The Windows partition has a maximum size limit of 2 TB on BIOS machines.
• The recovery partition is optional. We won't provision it in this example.

In the Windows Image pane, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on DiskConfiguration/Disk and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

In the Answer File pane, right-click on DiskConfiguration/Disk/CreatePartition and choose Insert New CreatePartition from the menu to create a new System Reserved Partition.  This is used to store Boot Configuration Data and BitLocker Drive Encryption files. On Windows 2019 the recommended System Reserved Partition size is 500MB. You aren't required to create System Reserved Partition, but either way the boot files take space on your hard drive and most people would expect them to be on a separate partition.

Using the Answer File Properties and Settings panes, configure the following settings for the System Reserved Partition:

Then create at least one partition for your Windows OS install.

In the Answer File pane, right-click on DiskConfiguration/Disk/CreatePartition and choose Insert New CreatePartition from the menu to create a new operating system partition.

Using the Answer File Properties and Settings panes, configure the following settings:

In the Answer File pane, right-click on DiskConfiguration/Disk [DiskID="0"]/ModifyPartitions and choose Insert New ModifyPartition from the menu:

Using the Answer File Properties and Settings panes, configure the following settings for the System Reserved partition:

In the Answer File pane, right-click on DiskConfiguration/Disk [DiskID="0"]/ModifyPartitions and choose Insert New ModifyPartition from the menu for the OS partition:

In the Windows Image pane, select the component amd64_Microsoft-Windows-Setup_10.0.17763.1_neutral. Right-click on DiskConfiguration/Disk and choose Add Setting to Pass 1 windowsPE.

Using the Answer File Properties and Settings panes, configure the following:

Disabling the Administrator password prompt

The settings in this section will provide input to the Administrator password prompt.

As you enter passwords in WSIM, you may want to consider unchecking Tools > Hide Sensitive Data so that passwords are saved in plain text. Unless you have some other system for tracking passwords, there is no easy way to go backwards from the encrypted password to the plain text version if you forget ;-)

In the Windows Image pane, select the component amd64_Microsoft-Windows-Shell-Setup_10.0.17763.1_neutral. Right-click on UserAccounts/AdministratorPassword and choose Add Setting to Pass 7 oobeSystem.

Right-click on UserAccounts/AdministratorPassword and choose Add Setting to Pass 7 oobeSystem. Using the Answer File Properties and Settings panes, configure the following:

Additional WSIM Settings for Windows Server 2019

Disabling network discovery

The settings in this section will disable the Network Discovery prompt on first login.

I'm not aware of there being some setting to manage Network Discovery settings, so you'll have to resort to modifying the registry to disable the prompt.

To turn off network discovery prompt for all users:

reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff /f

You may also want to follow this up by running the command to set your preferred Network Discovery settings:

To disable network discovery for all network profiles:

netsh advfirewall firewall set rule group="Network Discovery" new enable=No

To turn on network discovery for all network profiles:

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

In the Windows Image pane, select the component amd64_Microsoft-Windows-Shell-Setup_10.0.17763.1_neutral. Right-click on FirstLogonCommands/SynchronousCommand and choose Add Setting to Pass 7 oobeSystem.

• CommandLine = reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff /f
• Description = Disable network discovery prompt for all users
• Order = 10

Do not show Server Manager at login

In the Windows Image pane, select the component amd64_Microsoft-Windows-Shell-Setup_10.0.17763.1_neutral. Right-click on FirstLogonCommands/SynchronousCommand and choose Add Setting to Pass 7 oobeSystem.

Using the Answer File Properties and Settings panes, configure the following:

• DoNotOpenServerManagerAtLogon = true

Enable Remote Desktop Protocol (RDP)

In the Windows Image pane, select the component amd64_Microsoft-Windows-TerminalServices-LocalSessionManager_10.0.17763.1_neutral. Right-click and choose Add Setting to Pass 4 specialize. Using the Answer File Properties and Settings panes, configure the following:

• fDenyTSConnections = false

In the Windows Image pane, select the component amd64_Networking-MPSSVC-Svc_10.0.17763.107_neutral, right-click on FirewallGroups/FirewallGroup and choose Add Setting to Pass 4 specialize. Using the Answer File Properties and Settings panes, configure the following settings:

• Active = true
• Group = Remote Desktop
• Key = RemoteDesktop
• Profile = all

In the Windows Image pane, select the component amd64_Microsoft-Windows-TerminalServices-RDP-WinStationExtensions_10.0.17763.1_neutral, right-click and choose Add Setting to Pass 4 specialize. Using the Answer File Properties and Settings panes, configure the following settings:

• SecurityLayer = 1
• UserAuthentication = 0

Set proxy for Windows update

I'm not aware of there being some setting to manage proxy settings for Windows Update that still works in recent versions of Windows, so you'll have to resort to modifying the registry to disable the prompt.

You can use the netsh utility to set the proxy settings for Windows Update.

To set up a basic proxy server:

netsh winhttp set _proxy ip-or-host_:_port_

There's a second parameter to add a list of hosts for which the proxy will not be used, called a bypass list. The list is semicolon-delimited:

netsh winhttp set _proxy ip-or-host_:_port_ "bar;*.foo.com"

A special parameter called <local> will add all short-name hosts without an fqdn to the bypass list:

netsh winhttp set myproxy:80 "<local>;bar"

In the Windows Image pane, select the component amd64_Microsoft-Windows-Shell-Setup_10.0.17763.1_neutral.

Right-click on FirstLogonCommands/SynchronousCommand and choose Add Setting to Pass 7 oobeSystem.

Using the Answer File Properties and Settings panes, configure the following:

• CommandLine = netsh set proxy myproxy "127.0.0.1;localhost;bar"
• Description = Set proxy for Windows Update
• Order = 20

Disable Internet Explorer Enhanced Security (ESC)

In the Windows Image pane, select the component amd64_Microsoft-Windows-IE-ESC_neutral. Right-click and choose Add Setting to Pass 4 specialize. Using the Answer File Properties and Settings panes, configure the following:

• IEHardenAdmin = false
• IEHardenUser = false

Disable Internet Explorer First Run Wizard

In the Windows Image pane, select the component amd64_Microsoft-Windows-IE-InternetExplorer_neutral. Right-click and choose Add Setting to Pass 4 specialize. Using the Answer File Properties and Settings panes, configure the following:

• DisableFirstRunWizard = true
• DisableOOBAccelerators = false
• Home_Page = about:blank