How Do OEMs Create Factory Windows Images? Looking to Build a Clean Windows 11 Golden Image / Recovery Image
Posted by Cute_Ad_4906@reddit | sysadmin | 34 comments
I'm trying to learn the proper workflow used by OEMs such as ASUS, Lenovo, Dell, and HP to create their factory Windows images, and I'd appreciate guidance from anyone with experience in Windows deployment, imaging, or system engineering.
My goal is to build a professional OEM-style recovery image for a specific Windows 11 PC model.
What I want to achieve:
- Start with a completely fresh Windows 11 installation.
- Install only the required drivers for the hardware.
- Install a small set of essential applications.
- Remove unnecessary temporary files, caches, logs, Windows Update remnants, and other clutter.
- Capture the system into an image.
- Deploy that image later and have the machine boot into OOBE exactly like a brand-new PC.
Essentially, I want the restored system to feel indistinguishable from a clean Windows installation, except that all required drivers and selected software are already present.
I'm not looking for a simple disk clone or backup image. I'm specifically interested in understanding the workflow behind OEM factory images and enterprise "golden image" deployments.
Some areas I'm trying to understand:
- What is the current best practice for creating a Windows 11 golden image?
- Should I use Sysprep with the /generalize and /oobe options before capturing?
- How do OEMs preserve drivers while still presenting the end user with a first-boot OOBE experience?
- What role do Unattend.xml files play in the process?
- Is DISM still the preferred tool for capturing and deploying images, or are MDT and other deployment tools recommended?
- How are drivers managed and injected into the image or driver store?
- What is the recommended way to clean temporary files, logs, caches, and Windows Update leftovers before capture?
- How do recovery partitions and factory reset mechanisms work on OEM systems?
- What tools are typically used today (Windows ADK, WinPE, MDT, DISM, Configuration Manager, etc.)?
- How do enterprises and OEMs maintain and update their golden images over time?
A few related topics I'm researching:
- Sysprep best practices
- Generalized vs non-generalized images
- OOBE customization
- Unattend.xml
- DISM image capture and deployment
- Driver injection and driver store management
- Windows ADK and WinPE
- MDT and enterprise deployment workflows
- Recovery partitions
- Push-button reset and factory recovery
- Golden images and reference images
The image will only be deployed to the same hardware model, so cross-hardware compatibility is not a requirement.
If you've built OEM-style images, enterprise deployment images, recovery environments, or factory reset solutions, I'd appreciate any documentation, guides, recommended workflows, or lessons learned.
valar12@reddit
https://aka.ms/ffu
itskdog@reddit
Nice to know there's an official shortlink for that!
rbalsleyMSFT@reddit
Been one for awhile
u/valar12 is pretty good about sharing just the short link without context
valar12@reddit
You do quality work and I'm a shameless consumer. Thank you!
dustojnikhummer@reddit
Is this an official project? On aka.ms?
valar12@reddit
That's a Microsoft owned domain. They use it throughout their documentation.
dustojnikhummer@reddit
Yeah I know what aka.ms is, just the FFU Repo doesn't seem to be MS affiliated.
rbalsleyMSFT@reddit
It's not under the main microsoft repo, but I own and maintain FFU Builder.
accidentlife@reddit
The creator is a Microsoft engineer. The account that owns the repo is a Microsoft account.
Cute_Ad_4906@reddit (OP)
thanks
WayneH_nz@reddit
Cool. thanks
sccmjd@reddit
A few thoughts....
Get the iso for Windows from Microsoft. A manufacturer is doing the same thing. They just add their own "helpful" software and things to it. I guess drivers too.
Use a virtual machine to prep the image. Then you don't have to worry about drivers.
Only use one account. For some reason, if I had a second account, it just would not remove everything for the other account's Microsoft Store apps. That causes sysprep to error out.
You don't have to use an unattend file. It's one less thing to complicate things. You can do the sysprep through the GUI (making a checkpoint on the VM first before you sysprep it).
Yes, check the generalize and OOBE boxes when sysprepping.
I don't worry about drivers in the image. Ideally, I don't want any drivers in the image. I just put the latest drivers on the specific machines after imaging.
You can do a disk cleanup before sysprepping. That will get rid of some garbage that doesn't need to be on the image.
I do resize the Recovery partition, now to about 1.3MB. I was moving it "to the left" of the C:/OS partition but Microsoft will probably put a new Recovery partition to the right at some point. I don't think they will if the existing recovery partition is big enough though. If C:/OS is all the way to the right, it makes it easier to clone to a larger hard drive later. Then again, it's not too much work to move the recovery partition and then expand C, and cloning to a larger hard drive isn't going to come up much in the future for me now I think.
I don't really maintain the golden image. I'm not super pressed for time. A lot of my machines are imaged 100% offline and then get OS updates moved over to them and installed. The latest drivers go after imaging too.
A really simplified workflow might be..... Use a VM. Use the correct type of VM so it works with UEFI physical machines. Install Windows off the ISO from Microsoft. (Make a checkpoint and try sysprepping it to make sure it works from the very beginning. Then roll back the checkpoint and continue.) Update that and install whatever software and settings changes you want. Watch out for software that uses a unique identifier and can't be generalized -- if you have that, then just install it after imaging. Chances are it probably needs an update later anyway. Checkpoint the VM as you go so you can always go back without too much effort to recreate what you just did.
When it's done for software and things, do a disk cleanup. You can also defrag the disk -- even though it's a VM and possibly also running on an SSD, if you defragment it, it still will squish all the file parts together more. Shrink the OS drive down (and then I guess move the Recovery partition all the way on the right over to the left if C is shrunk, so yeah, moving the recovery partition might be easier). Then you've got the allocated partitions on the VM shrunk down as much as possible.
Checkpoint the VM. Sysprep it and have it do a full shutdown. That VM never gets started up again after it's sysprepped. Capture the image with whatever cloning software you like. Probably roll it back to the last pre-sysprep checkpoint so it's ready for more if you need to (except then if you do Windows updates or something, you'll probably want to do another disk cleanup and more defragging to shrink it down more again). If it's just Windows updates though, it might not be worth the time to constantly update the golden image compared to just letting imaged machines do another OS update. More likely, at some point you might change something in your setup or realize you forgot a detail or two in the golden image, and then those might be more worthwhile to go back and change on the golden image.
Best practice? Does it matter if it works for you and if you end up with the same setup as with the other methods? Imaging completely offline appeals to me and works for my setup. I've also been able to image machines while travelling or offsite with possibly no internet.
The basic idea is sysprepping from a Microsoft iso though, nothing from the OEM. OEM to me means bloat with whatever extra crap they install. A trial version of Office. A trial version of Adobe software. Then you have that garbage to deal with on the machine and never quite know if it interferes with something else later in the life of the machine.
On the physical machine that gets imaged, you need to do things like allow network or usb booting, disable secure boot, maybe switch RAID v AHCI hard drive type, etc., in order to apply the image.
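The prep-then-Sysprep part of the workflow above, written out as an added example; this is not the commenter's own script. It runs as an elevated PowerShell session inside the reference VM (after a checkpoint), cleans up the things that commonly break Sysprep or bloat the capture, writes a minimal OOBE answer file, and generalizes. Paths are Windows defaults; the list of Store apps to strip and the answer-file values are assumptions to adapt.

```powershell
#Requires -RunAsAdministrator
# Added example (not the commenter's script): pre-capture cleanup of a reference
# VM followed by Sysprep generalize/OOBE/shutdown. Run inside the reference OS.
# The app list and answer-file values below are assumptions; adjust to taste.
$ErrorActionPreference = 'Stop'

# 1. Refuse to generalize with a reboot pending: Sysprep fails on half-applied
#    servicing, and the reason only shows up in Sysprep\Panther\setuperr.log.
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
if (Test-Path $cbs) { throw 'Reboot pending; reboot and rerun before Sysprep.' }

# 2. Inbox Store apps you do not want in the image. Remove the provisioned package
#    (what new accounts get) AND every installed copy (what existing accounts have);
#    a package present for one user but not provisioned for all is a classic Sysprep error.
$unwanted = 'Microsoft.GamingApp', 'Microsoft.ZuneMusic', 'Clipchamp.Clipchamp'   # assumption
foreach ($name in $unwanted) {
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $name |
        Remove-AppxProvisionedPackage -Online | Out-Null
    Get-AppxPackage -AllUsers -Name $name | Remove-AppxPackage -AllUsers
}

# 3. Component-store cleanup. /ResetBase makes installed updates permanent
#    (they can no longer be uninstalled), which is what you want in a golden image.
dism.exe /Online /Cleanup-Image /StartComponentCleanup /ResetBase
if ($LASTEXITCODE -ne 0) { throw "DISM cleanup failed: $LASTEXITCODE" }

# 4. Update download cache, temp files and event logs: size and build-history leakage.
Stop-Service -Name wuauserv, bits -Force
Remove-Item "$env:SystemRoot\SoftwareDistribution\Download\*" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\Temp\*", "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
$session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
    try { $session.ClearLog($log.LogName) } catch { }   # analytic/debug logs refuse; ignore
}

# 5. Minimal oobeSystem answer file. No accounts, no passwords: unattend passwords are
#    at best Base64-obfuscated and the file is cached under C:\Windows\Panther.
$unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <ProtectYourPC>1</ProtectYourPC>
      </OOBE>
    </component>
  </settings>
</unattend>
'@
$answer = "$env:SystemRoot\System32\Sysprep\unattend.xml"
Set-Content -Path $answer -Value $unattend -Encoding UTF8

# 6. Generalize (strips the SID, machine keys and hardware-specific state), set OOBE
#    for the next boot and shut down. Do not boot this VM again; capture it from here.
& "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown "/unattend:$answer"
```

If Sysprep still errors out, read C:\Windows\System32\Sysprep\Panther\setuperr.log before retrying; the two guards above cover the most frequent causes. Keep AutoLogon and LocalAccounts sections out of any answer file you bake into an image, and after a test deployment look at what remains under C:\Windows\Panther to confirm nothing sensitive was cached.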
unccvince@reddit
WAPT deployment has all the features that you're looking for, so yes, the problem is solved with an industrial-grade solution. It's just a little slower, because the method installs everything one after the other, but it gets you reproducibility and automation while you sleep or drink coffee with your friends.
KyleK924@reddit
Just use Autopilot, you can get it to a point where you barely need to touch a new device.
Previous-Low4715@reddit
I'd just look at Autopilot if I were learning something new today
SquizzOC@reddit
Serious question, is there any benefit to running a "Golden Image" these days?
gaybatman75-6@reddit
The only situations I can think of are niche cases like the offline windows 7 machines I have for some older engineering software that they don't want to pay to replace.
accidentlife@reddit
Depending on how your process is structured, golden images can be much quicker.
cmorgasm@reddit
I can truly only think of situations where there's an app that can't be installed via AP or Intune, and having it there from the get-go is simplest. Apply the image and have it be ready to run through AP once the user boots it up and the app will still be there.
Arudinne@reddit
We don't use it anymore, but we used to use Mitel Micollab and I was never able to reliably automate the installation of it.
I was so happy when we moved from Mitel to RingCentral (because I'm not in charge of it)!
cmorgasm@reddit
Yea, being in the telecom industry, we have a few apps that I can think of that are nightmares to deploy (basically anything from Accuver). Thankfully the userbase needing them is small, so they can submit a ticket to request the install until we have EPM
MarzMan@reddit
No MS licenses\google shop?
pmormr@reddit
Apple's DEP + JAMF was the first time I saw this done "right". Being able to ship a device direct from the factory (depending on your config) and have it just automagically configure when the user boots it up is amazing. Been a while since I've been in the Microsoft game so hopefully autopilot is the same idea.
Previous-Low4715@reddit
Not really. It's just another albatross around your neck. I sold the switch to Autopilot to my security team (who were obsessed with getting "gold images" tested by a third party for no real reason) as a switch to "gold configs".
PixelSage-001@reddit
The standard OEM process relies on Sysprep and the Windows Assessment and Deployment Kit (ADK). You install Windows on a reference machine, enter Audit Mode (CTRL+SHIFT+F3 at OOBE), install your drivers/apps, clean up the profile, and then run sysprep.exe /generalize /oobe /shutdown. After shutdown, you boot into a WinPE environment and capture the partition to a WIM file using DISM. If you want to make this process reproducible and clean, you should automate the build using a VM environment instead of doing it manually on physical hardware.
We automate our reference VM creation and image captures using Runable to sequence the steps. The runner spins up a Hyper-V instance, applies the base OS, injects the drivers via DISM, triggers Sysprep, and then packages the output WIM file. Doing this programmatically prevents human error and ensures the recovery image is identical every time you update a driver or application version.
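The WinPE capture and DISM driver-injection steps described above, as an added example; it is not the commenter's Runable pipeline and takes nothing from the FFU Builder project linked earlier in the thread. It assumes WinPE media built with the WinPE-PowerShell optional component, that WinPE lettered the shut-down reference volume C: and a data/USB volume D:, and a driver pack already extracted to .inf form under D:\Drivers\ModelX; the letters and paths are placeholders to confirm with diskpart's list volume before running.

```powershell
# Added example (not PixelSage-001's pipeline): capture a sysprepped volume from
# WinPE and inject the target model's drivers into the WIM offline.
# Assumptions: reference volume is C:, data volume is D:, driver pack is extracted.
$wim       = 'D:\Images\Win11-Golden.wim'
$driverDir = 'D:\Drivers\ModelX'     # assumption: .inf/.cat/.sys tree for this model
$mountDir  = 'D:\Mount'

function Invoke-Dism([string[]]$DismArgs) {
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "dism $($DismArgs[0]) failed with exit code $LASTEXITCODE" }
}

# 1. Capture the generalized volume. /CheckIntegrity tracks corruption of the WIM,
#    /Verify re-checks files as they are written; both cost time, not much else.
Invoke-Dism '/Capture-Image', "/ImageFile:$wim", '/CaptureDir:C:\', '/Name:Win11 Golden',
            '/Compress:max', '/CheckIntegrity', '/Verify'

# 2. Offline driver injection, so the reference VM itself never carries drivers.
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
Invoke-Dism '/Mount-Image', "/ImageFile:$wim", '/Index:1', "/MountDir:$mountDir"
try {
    # Deliberately no /ForceUnsigned: a pack that needs it is a red flag, not a
    # nuisance. Unsigned INFs make DISM fail here instead of landing in the image.
    Invoke-Dism "/Image:$mountDir", '/Add-Driver', "/Driver:$driverDir", '/Recurse'
    # Review what is now in the offline driver store (published as oemNN.inf).
    Invoke-Dism "/Image:$mountDir", '/Get-Drivers'
    Invoke-Dism '/Unmount-Image', "/MountDir:$mountDir", '/Commit'
} catch {
    Invoke-Dism '/Unmount-Image', "/MountDir:$mountDir", '/Discard'
    throw
}

# 3. Pin the artifact: a SHA-256 sidecar lets the deploy step refuse a WIM that
#    was modified on the share or in transit.
$hash = (Get-FileHash -Algorithm SHA256 -Path $wim).Hash
Set-Content -Path "$wim.sha256" -Value $hash
"$wim  $hash"
```

Mounting and modifying the WIM does not disturb the Sysprep state inside it, so driver packs can be refreshed without rebuilding the reference VM: mount, /Add-Driver the new pack, commit, and re-hash.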
alpha417@reddit
OEMs don't do that anymore.
ccsrpsw@reddit
OEMs ABSOLUTELY do do this still.
Otherwise explain how, when we need a new OS, we have to send Dell our (.wim) files?
Or why they have this little tool called "Dell Image Assist" that we can also use said files with?
Or why we need to specify which models it's for so they can do driver injection?
Or why the Dell BIOS Recovery has an option for stock Windows or your designated image?
It's a key service - sure Autopilot/Intune/PDQ/whatever will do the other post install tasks, but getting it 90% done from the OEM is a big time saver - boot, rename, add "up to date components via your platform of choice", reboot, done.
Cute_Ad_4906@reddit (OP)
OK, then how do they do it? Do you have any idea? Can you shed some light on it?
alpha417@reddit
Autopilot, etc... modern tools. It's not 2003 anymore
krilu@reddit
He's not talking about the recovery CD they used to ship with PCs. When you buy a Lenovo computer, the reason it comes with McAfee antivirus is because the OEM Lenovo uses a custom built OS image for their PCs before they leave the factory, likely run through MDT, or some other automation tool, and/or sysprep. They do not just install the release version direct from Microsoft. They use that, install their junk, and their partners' junk, sysprep it, apply that image to their PCs, then ship the PC out.
Bassflow@reddit
Sorry to burst your bubble. The oems are probably still running an in house version of ghost. Looking at you Lenovo Cloud Deploy.
muhnocannibalism@reddit
It mostly depends on the size of your software applications
Normally get the image where you want it, updates/software/etc.
Sysprep /generalize, boot to Windows installation media, Shift+F10, flash drive, capture image with DISM scripts.
Then I build an unattended file that uses a Windows installation drive that calls for the DISM apply image script, reboots device.
Basically runs exactly like a Windows install but deploys the image en masse, from there it's normally good practice to have a script you run after to change the name of the device/run any larger software installations/check for updates.
I run an imaging team so I do this all day every day. I am the biggest believer in a built-out image where you reinstall Windows and deploy the applications/configs manually/automated scripts (unattended files are pretty much the greatest things ever); updates can be a lengthy process.
Autopilot is great too if your org supports it.
Golden image is not bad to have, tons of schools use it, pair it with Smart Deploy. DISM makes Smart Deploy pretty irrelevant though imo.
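The unattended apply step the comment above describes (partition, DISM apply, reboot), as an added example and not the commenter's scripts: a WinPE script that verifies the WIM, partitions disk 0 the way Microsoft's UEFI/GPT guidance lays it out (System, MSR, Windows, Recovery), applies the image, writes the boot files and registers WinRE on the recovery partition so push-button reset works on the deployed machine. Assumptions: the WIM and a .sha256 sidecar next to it are on a USB volume WinPE mounted as D:, the target is disk 0 and will be erased, and WinPE includes the PowerShell optional component. Microsoft-signed WinPE media built with the ADK boots with Secure Boot enabled, so that firmware setting can stay on for this step.

```powershell
# Added example (not the commenter's deploy scripts): apply a captured WIM from WinPE
# to a UEFI/GPT disk with Microsoft's recommended layout and register WinRE.
# Assumptions: WIM + .sha256 sidecar on D:, target is disk 0 (WIPED without prompting).
$wim = 'D:\Images\Win11-Golden.wim'

# 0. Verify the image before touching the disk.
$expected = (Get-Content -Path "$wim.sha256" -ErrorAction Stop).Trim()
$actual   = (Get-FileHash -Algorithm SHA256 -Path $wim).Hash
if ($actual -ne $expected) { throw "WIM hash mismatch: expected $expected, got $actual" }

# 1. Partition: 100 MB EFI system, 16 MB MSR, Windows, and a recovery partition at the
#    end of the disk (shrink minimum=650 leaves room for it after the Windows partition).
@'
select disk 0
clean
convert gpt
create partition efi size=100
format quick fs=fat32 label="System"
assign letter="S"
create partition msr size=16
create partition primary
shrink minimum=650
format quick fs=ntfs label="Windows"
assign letter="W"
create partition primary
format quick fs=ntfs label="Recovery"
assign letter="R"
set id="de94bba4-06d1-4d40-a16a-bfd50179d6ac"
gpt attributes=0x8000000000000001
exit
'@ | Set-Content -Path X:\CreatePartitions-UEFI.txt -Encoding ASCII
diskpart.exe /s X:\CreatePartitions-UEFI.txt
if ($LASTEXITCODE -ne 0) { throw "diskpart failed: $LASTEXITCODE" }

# 2. Apply the image and write UEFI boot files to the System partition, using the
#    bcdboot that ships inside the applied image so boot files match that build.
dism.exe /Apply-Image "/ImageFile:$wim" /Index:1 /ApplyDir:W:\
if ($LASTEXITCODE -ne 0) { throw "DISM apply failed: $LASTEXITCODE" }
W:\Windows\System32\bcdboot.exe W:\Windows /s S: /f UEFI
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed: $LASTEXITCODE" }

# 3. Move WinRE to the recovery partition and register it, otherwise 'Reset this PC'
#    and push-button reset have nothing to boot.
New-Item -ItemType Directory -Path R:\Recovery\WindowsRE -Force | Out-Null
Copy-Item -Path W:\Windows\System32\Recovery\Winre.wim -Destination R:\Recovery\WindowsRE\ -Force
W:\Windows\System32\Reagentc.exe /Setreimage /Path R:\Recovery\WindowsRE /Target W:\Windows
if ($LASTEXITCODE -ne 0) { throw "reagentc failed: $LASTEXITCODE" }

# Reboot into OOBE on the generalized image.
wpeutil.exe reboot
```

The device rename and the larger application installs the comment mentions belong after this point: either a specialize-pass ComputerName in the answer file, or a first-boot script that runs once OOBE has finished, so the image itself stays identical from machine to machine.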
techb00mer@reddit
Forget golden images, build new every time, OSDcloud
GremlinNZ@reddit
Building golden images is the old way, MDT for example is EOL.
Idea now is using Autopilot and policies to take a standard PC and configure it the way you want it.