Create an S-Mode Image of Windows 10

A Quick Guide for the IT Pro

With the latest Windows 10 (Build 1809) release Windows 10 S was moved from an independent image on the installation media, to a mode you can apply to any SKU of windows 10. While in principle, this is a great addition to the application of the security features of S Mode, in practice this is added quite a layer of effort to the IT Pro’s life.
In this post, I plan on walking you through the process, that will give you Windows 10 in S Mode Images for your deployment.

Creating an install.wim file

With the recent changes to the installation media that Microsoft team released to the wild, the Windows Installation Media (WIM) file that many IT Pros are used to dealing with has been changed to an Electronic Software Deployment (ESD) File. Im going to note here, that you should copy the install.esd file from whatever installation source you acquired it from and put it somewhere you have R/W access to. Natively the installation media will only provide R/O access, and since we’re going to mount these files and make changes, we’re going to want that R/W ability. So once you’ve copied that file to a good spot, our first step is to convert to install.esd to an install.wim file. Each indexed image will need its own WIM file, at this time, I am currently unaware of a way to convert the entire ESD in to an all-up WIM.
We will be using the Deployment Image Servicing and Management (DISM) command tool to export the image files and create a .wim image from a .esd file using these steps:
1. Open Start.
2. Search for PowerShell, right-click the top result, select Run as administrator.
3. Type the following command to identify the index number of the edition you want to use and press Enter:

dism /Get-WimInfo /WimFile:C:\path\to\folder\sources\install.esd

In the command make sure to change the path to the sources folder with the install.esd file on your device.
4. Identify the index number for the edition you want. For example, we’re extracting Windows 10 Pro N, which in this case has an index number of 7.
For the 1809 installation media, the following is the list of the index:

1: Windows 10 Home
2: Windwos 10 Home N Edition
3: Windows 10 Single Language
4: Windows 10 Education
5: Windows 10 Education N Edition
6: Windows 10 Pro
7: Windows 10 Pro N Edition

5. Type the following command to create an install.wim file and press Enter:

dism /Export-Image /SourceImageFile:C:\path\to\folder\sources\install.esd /SourceIndex:7 /DestinationImageFile:C:\path\to\folder\sources\install.wim /Compress:Max /CheckIntegrity

In the command make sure to change the path to the sources folder with the install.esd file on your device.
Note: It is also a good idea to update the name of the Install.WIM file to reflect the Index ID, as each Image will need its own WIM file. In my example, you will see that I have named the install.WIM file “Windows10ProN_1809.wim”.

How to create an unattend.xml file to enable S mode on Windows 10

In order to create an answer file to enable S mode, you’ll need to use the Windows System Image Manager (SIM) feature from the Windows Assessment and Deployment Kit (ADK).

Installing Windows System Image Manager

You can follow these steps to install Windows SIM on your computer:
1. Download the Windows ADK installer for Windows 10 version 1809.
2. Double-click the adksetup.exe file to begin the installation.
3. Select the Install the Windows Assessment and Deployment Kit – Windows 10 to this computer option.
4. Click the Next button.
5. Select your privacy option.
6. Click the Next button.
7. Click the Accept button to agree to the license agreement.
8. Clear all preselected items.
9. Check the Deployment Tools package, which contains the Windows System Image Manager component.
10. Click the Install button.
11. Click the Close button.

Once you’ve completed the installation, you can continue setting up the environment to create an unattend.xml file using the Windows System Image Manager tool.

Setting up an answer file environment

In order to prepare the environment to create a new answer file project, do the following:
1. Open Start.
2. Search for Windows System Image Manager, click the top result to open the experience.
3. Click the File menu and select the Select Windows Image option.
4. Navigate to the folder you exported the Windows 10 files.
5. In the “sources” folder, select the install.wim image file, and click the Open button.
6. Select an edition of Windows 10 you want to use. (It’s always recommended to select the edition that you’re planning to install.)
7. Click the OK button.
8. If you get a message, click the Yes button to create a new catalog file. (This process will take some time, but it’s a one-time process. The .clg file will be saved in the same location where the install.wim is stored, and you can reuse it later on other projects.)
9. Click the File menu and select the Select Distribution Share option.
10. Navigate to the folder that you’re using to store the project folders and files.
11. On “Folder name,” type a name (such as Distribution) to create a folder to store additional project files.
12. Click the Open button.
13. Click the File menu and select the New Answer File option.

After completing the steps, you will now have the required environment to create an answer file.

Creating a Windows 10 answer file to enable S mode

Using an answer file you can completely customize the installation of Windows 10. However, we’re just configuring Windows 10 with S mode, as such will be setting up the offline servicing stage of the automation process.
In order to create the answer file to enable S mode, use these steps:
1. Under “Windows Image,” expand the Components folder.
2. Right-click the amd64_Microsoft_Windows_CodeIntegrity component, and select the Add Setting to Pass 2 offlineServicing option.
3. On the right side, under “Answer File,” select the amd64_Microsoft_Windows_CodeIntegrity component.
4. On the right side, under “Settings,” change the SkuPolicyRequired value to 1.
5. Click the Tools menu and select the Validate Answer File option.
6. If there are no errors, click the File menu, and select the Save Answer File As option.
7. Navigate to the folder you want to save the file.
8. Under “File name,” use the unattend.xml file name.
9. Click the Save button.
Once you’ve completed the steps, the unattend.xml file will be created, which you can now use to integrate into the Windows 10 image to enable S mode.
Inside the unattend.xml file the settings portion for offlineServicing should look like in the example below:

<settingspass=”offlineServicing”>

<componentname=”Microsoft-Windows-CodeIntegrity”

processorArchitecture=”amd64″

publicKeyToken=”31bf3856ad364e35″

language=”neutral”

versionScope=”nonSxS”

xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State“

xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>

</component>

</settings>

How to modify image to enable S mode on Windows 10
you’ll be using the DISM command line tool in PowerShell to open and apply the unattend.xml file to an install.wim image, which will enable S mode during a normal installation of Windows 10.
To modify a Windows 10 image, use these steps:
1. Open Start.
2. Search for Windows PowerShell, right-click the top result, and select Run as administrator.
3. Type the following command to create a mounting point in the root of the drive and press Enter:

md c:\mount\windows

4. Type the following command to mount the install.wim image file and press Enter:

dism /Mount-Wim /WimFile:c:\path\to\sources\install.wim /index:1 /MountDir:C:\mount\windows

In the command make sure to change the path to the sources folder with the install.wim file on your PC.
5. Type the following command to create a folder called “Panther” inside the mounted image and press Enter:

md c:\mount\windows\Windows\Panther

6. Type the following command to import the unattend.xml file to the Panther folder and press Enter:

copy c:\path\to\folder\unattend.xml c:\mount\windows\Windows\Panther\unattend.xml

In the command make sure to change the location of the unattend.xml file you want to copy to the Panther’s folder.
7. Type the following command to apply the unattend.xml file to the mounted image and press Enter:

dism /Image=c:\mount\windows /Apply-Unattend=c:\mount\windows\Windows\Panther\unattend.xml

8. Close any application that may be accessing files in the mounted image. Otherwise, you’ll get errors.
9. Type the following command to save the changes and unmount the Windows 10 image and press Enter:

dism /Unmount-Image /MountDir:"c:\mount\windows" /commit

If you get an error indicating that the image couldn’t be unmounted, use the dism /cleanup-wim command to resolve the issue.
Quick Tip: Although Windows 10 in S mode will detect and install device drivers, sometimes, you may want to add drivers to the offline image manually if you have a particular piece of hardware as you won’t be able to install it after the installation.