Applying your Extended Security Updates (ESU) MAK to Windows 7 with SCCM

Over the last couple of years, the main focus of IT within many medium to large organisations has been migrating their users from Windows 7 to Windows 10. As of January 14th, 2020, Windows 7 is no longer receiving the monthly security updates it has been receiving since it was released 10 years ago. This means that any organisation with Windows 7 clients still in use is at an ever-increasing risk of attackers using this weaker link to compromise their network.

For organisations willing to pay, Microsoft is offering an additional 3 years of support for Windows 7 through their Extended Security Updates (ESU) program. If you are enrolled in this program you will be provided a MAK to install on the Windows 7 clients that you wish to continue receiving updates on (good for as many seats as you have paid for). Part 1 of this guide will go through the process of verifying the key you have is working by manually installing it on a Windows 7 device and installing the ESU test update Microsoft published. Part 2 will go through the process of deploying the key using SCCM.

A few other notes about this:

The ESU MAK you receive will be good for Windows 7 Professional, Enterprise and Ultimate (there are no separate SKUs for each edition of Windows). It will also work on both x86 and x64 versions of Windows 7.

Your existing Windows 7 updating mechanism will continue to work once you have activated the ESU MAK on the client. Whether you use SCCM, WSUS or simply allow devices to go out directly to the internet for updates, you do not need to make any changes. The updates will continue to be downloaded post January 2020 and will appear in Software Center or in the Windows Update control panel applet if the ESU MAK has been applied to that device.

This guide will be assuming your clients will be internet connected when you activate the ESU MAK. If that is not the case you may need to use the Volume Activation Management Tool as detailed in Microsoft’s blog post on this subject.

Part 1 – Manually installing your ESU MAK on a Windows 7 device

Before you start deploying this to every Windows 7 device still in use, you may want to install it on one device to prove that it is valid, and to test that your updates delivery mechanism is working. Microsoft published a test update that doesn’t do anything to the device but does use the same logic to detect whether or not a valid ESU MAK has been installed. You can use this to test the end to end process before the first real patches come out in February. This update is KB4528069.

To start, check for new updates on your Windows 7 device and verify that you do not see KB4528069 in the list of available updates:

List of available updates before the ESU MAK key has been applied

Open an administrative CMD prompt and type slmgr.vbs /dlv. This will bring up a window that shows your current licensing situation, and it is likely to look something like this:

License Info Before ESU MAK key applied

Next you need to install your ESU MAK. To do this, enter the command slmgr.vbs /ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY, replacing this made-up key with your key. You should get a success message that looks like this:

ESU MAK Key Install Success

If you do not get a success message, it may be because Windows 7 does not recognise the key. This is because support for these ESU MAK keys was only introduced in the September 2019 and October 2019 monthly updates for Windows 7 (which in turn require the SHA-2 code signing support update released in March 2019). If you have an issue installing your key, ensure that these are installed and try again.

Once you have successfully installed the key you can verify that Windows has accepted it by once again using the command slmgr.vbs /dlv. This time you should see this:

License Info After Installing ESU MAK Key

As you can see it has not yet been activated. To activate it, you will need the Activation ID for the ESU SKU, which you can see here is “77db037b-95c3-48d7-a3ab-a9c6d41093e0”. In fact, Microsoft has already published what these will be for all 3 years of the ESU program, because they will be the same for everyone:

ESU Program ESU SKU (or Activation) ID
Windows 7 SP1 (Client)  
Year 1 77db037b-95c3-48d7-a3ab-a9c6d41093e0
Year 2 0e00c25d-8795-4fb7-9572-3803d91b6880
Year 3 4220f546-f522-46df-8202-4d07afd26454
Windows Server 2008/R2 (Server)
Year 1 553673ed-6ddf-419c-a153-b760283472fd
Year 2 04fa0286-fa74-401e-bbe9-fbfbb158010d
Year 3 16c08c85-0c8b-4009-9b2b-f1f7319e45f9

Table taken from https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-to-get-extended-security-updates-for-eligible-windows/ba-p/917807

To activate the key, use the command slmgr.vbs -ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0. You should get a window pop up to tell you the activation has been successful.

ESU MAK Key Activating Success

Now you can run slmgr.vbs /dlv one last time to see the final state of your licensing:

License Info After Activating

This time the License Status shows as Licensed!

Now it is time to test that KB4528069 will appear and install on this device. Start another scan for patches and allow some time for the scan to complete. After a while, open Software Center or Windows Updates and you should see the following:

List Of Updates After ESU MAK Key Activation

Install it and confirm that your ESU updates are working as expected.

Part 2 – Deploying your Windows 7 ESU MAK to multiple devices using SCCM

Once you have confirmed your key is working, you no doubt want to install it on all remaining Windows 7 devices in your estate. The easiest way to do this is with a simple batch script deployed via SCCM.

First of all, if you do not already have one, create a collection that contains the Windows 7 devices you wish to install the ESU MAK on. If you simply want to create a collection that automatically contains any Windows 7 device connected to your SCCM, you can use the following query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from sms_r_system where OperatingSystemNameandVersion like '%Workstation 6.1%' ORDER BY SMS_R_SYSTEM.ResourceID

Next create a batch script containing the following commands:

@echo off
cscript //B "%windir%\system32\slmgr.vbs" /ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY
cscript //B "%windir%\system32\slmgr.vbs" /ato 77db037b-95c3-48d7-a3ab-a9c6d41093e0

Once again replace the made-up key here with your ESU MAK.

Batch Script For Activating ESU MAK

Copy this script to a network location that is accessible by SCCM.

In the SCCM console, go to Software Library > Packages and in the ribbon click Create Package.  Fill in fields such as Name, Description and tick “This package contains source files” and enter the network location where you put the batch script.

ESU MAK Package Creation 1

On the next screen select “Standard program”, and on the next screen give the Program a name. The command line should be cmd /c activate_windows7esu.cmd and in the Run drop down menu you should select Hidden. This will ensure that when this runs on the client, the user does not see the CMD box appear (however briefly). Make sure the name of the script matches what you called it.

ESU MAK Package Creation 2

You can complete the rest of the wizard by clicking Next and Finish. Once created, distribute this package to your Distribution Points, and finally deploy it to the collection containing Windows 7 devices. When deploying, ensure you make it a Required deployment, set the Assignment schedule to “As soon as possible” and in the User Experience section make sure that Software installation is allowed outside of maintenance windows. This will allow the script to run as soon as possible on your Windows 7 devices.

Hopefully this will get you well on your way to continuing to receive Windows 7 updates over the next few months, and fingers crossed you’re not far from eliminating Windows 7 from your estate completely!

Bonus fun: What happens if you try to install the test update, KB4528069, on a Windows 7 device that you have not activated your ESU MAK on? It simply fails to install:

KB4528069 Fails to Install

 

 

Buy Me A Coffee

The mystery of the invisible System Center Configuration Manager update

Since mid-December 2019 I have been trying to update my SCCM lab environment from 1906 to 1910. For the first few weeks of release it was in the early update ring, but no matter how many times I ran the PowerShell script to enable early updating, the update would not appear in the Updates and Servicing node in SCCM.

Oh well, no matter, I thought. Perhaps it’s buggy and has been pulled, or maybe there’s just some odd reason my environment isn’t compatible. I’ll just wait for the general release.

General release comes and goes… and still no update. What’s going on?! I am 100% certain that my Service connection point is set to Online, I have restarted the SMS_EXECUTIVE service so many times, and also restarted the whole server just to be as thorough as possible! I know my server has internet connectivity because the Software update point is happily downloading and applying the January 2020 updates to my servers and clients. And finally, I have checked dmpdownloader.log, CMUpdate.log and hman.log and there are no obvious errors in there to tell me why I’m not seeing the latest update.

(Okay – that paragraph was a overblown way to tell you what you should definitely check if you haven’t already, before you continue to read).

So, what was going on?

Delving a little deeper in the hman.log file, I did find the following two errors:

CServerStatusReporter::DeliverToStatusManager(): ERROR: Cannot deliver status message to SMS_STATUS_MANAGER, could not write the message to varfile E:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box\statmsgs\90sna58w.SVF due to a file error: The file or directory is corrupted and unreadable.

Error: Failed to move file E:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\ForwardingMsg\___CABConfigMgr.Update.Manifest.MCM to E:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD\ConfigMgr.Update.Manifest.CAB, Win32 error = 1392

When I attempted to navigate to “E:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box\statmsgs” I got an error message telling me the location was corrupted and unreadable!

Message box showing the file location is currupt and unreadable
Oops – my screenshot shows statmsgs.old. That’s because I already fixed it before posting this article.

I got the same error when I tried to navigate to “E:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\CFD”. I’m not entirely certain how these two locations became corrupted, but thankfully Windows Explorer allowed me to rename them to “statmsgs.old” and “CFD.old” respectively, and then re-create the folders.

Once I restarted the SMS_EXECUTIVE service once more, hman.log finally filled up with information about the new update and the download proceeded. Finally, I have my update!

Configuration Manager 1910 finally appears

In all seriousness, this may be a very marginal case and may not be the reason you can’t see the latest update for SCCM. However, it seemed worth documenting; just in case someone else has the same symptom!

I would suggest clicking Check for updates in the Updates and Servicing node and then paying close attention to your hman.log file for any errors similar to the ones I found. Bear in mind that it might be different folders that cause errors for you, so keep an eye out for any errors with files being moved between inboxes.

Anyway, I’m off to go play with new SCCM features…!

 

Buy Me A Coffee

Download Window 10 Enterprise 1909 with the Media Creation Tool (including en-GB and other language versions)

The November 2019 update to Windows 10 is now available to download using the Media Creation Tool. Using the GUI, you can download the consumer ISO which contains the Home, Professional and Education SKUs of Windows 10.

If you want to download the Enterprise version of Windows 10, but don’t have access to Microsoft VLSC, Visual Studio or Action Pack subscriptions, it is possible to download it using the Media Creation Tool if you know the right command line switches.

To download Windows 10 Enterprise 1909 using the Media Creation Tool, log in with a local administrator account (for some reason it isn’t good enough to run the tool using Run as administrator, you actually do have to be logged in as an administrator) and download the tool. Open a CMD prompt and change directory to the directory you saved the Media Creation Tool in, and enter the following command:

MediaCreationTool1909.exe /Eula Accept /Retail /MediaLangCode en-US /MediaArch x64 /MediaEdition Enterprise

When you’re prompted for a product key, you can use the Windows 10 Enterprise KMS client key from this site on Microsoft Docs.

This will download an ISO that contains the various Enterprise SKUs (Enterprise, Enterprise N, Education, Education N, Professional and Professional N) with en-US installed and set to default. If you’d prefer to get en-GB, use the following command:

MediaCreationTool1909.exe /Eula Accept /Retail /MediaLangCode en-GB /MediaArch x64 /MediaEdition Enterprise

This will download an ISO containing the same SKUs as above, but with en-GB installed and set to default.

As far as I can tell, this works for any of the language pack region tags listed on this site. So, for example, to download Windows 10 Enterprise 1909 with French installed and set to the default language, you can use this command:

MediaCreationTool1909.exe /Eula Accept /Retail /MediaLangCode fr-FR /MediaArch x64 /MediaEdition Enterprise

If you don’t specify the /MediaLangCode switch it will default to downloading an ISO with the same language pack as the OS you are running it from.

If you want to download the 32-bit version of Windows 10 Enterprise instead, you should change /MediaArch to x86.

When you have downloaded the ISO, you may unpack it and find that the it does not contain an install.wim, but instead contains install.esd in the sources directory. Depending on what you are doing, you may need the .wim file (for example, if you’re planning to use it with SCCM). Thankfully obtaining a .wim file from the .esd is quite straightforward using DISM.

Open a CMD prompt and use the following command (changing the path for /WimFile to match where your install.esd file is):

dism.exe /Get-WimInfo /WimFile:C:\Temp\Windows10_1909\sources\install.esd

This will list each of the SKUs in the install.esd file. Make a note of the index of the SKU you want (in my case, I want the Enterprise SKU which is index 3).

DISM Get-WimInfo

Now use the following command to create an install.wim file which contains the SKU you want:

dism.exe /Export-Image /SourceImageFile:C:\Temp\Windows10_1909\sources\install.esd /SourceIndex:3 /DestinationImageFile:C:\Temp\Windows10_1909\sources\install.wim /Compress:max /CheckIntegrity

Make sure the path for /SourceImageFile and /DestinationImageFile are correct for you and change the /SourceIndex to match the index you noted earlier.

DISM Convert ESD

Once that is done you can delete the install.esd file if you want, to save space.

Unfortunately, I have found no way to get the LTSC version, or older versions of Windows 10 using this tool.

 

Buy Me A Coffee

An error occured while retrieving policy for this computer (0x80004005) when PXE booting from a USB stick

You may have run into the following error when you use a USB stick to PXE boot your device in preparation for running an SCCM Task Sequence:

Failed to Run Task Sequence - 0x80004005

However, other devices that you PXE boot from the network are working fine. What’s going on?

It could be a number of fairly quick things to troubleshoot, such as checking that the time and date on the device are the same as on the SCCM server and checking whether or not the device is already in SCCM (and therefore may not be receiving advertisements for Task Sequences).

If neither of those work, you’ll need to check the SMSTS.log file on the device. This can exist in a number of different places, however if the Task Sequence has not even begun, you should find it in X:\Windows\temp\SMSTSLog\smsts.log.

Let’s say you open the log file and you see the following error messages:

USB PXE Boot Error

At first glance this would suggest that there is an issue with the time or date on the device being incorrect, and you should definitely double check whether or not that is the case. However, if you are certain it is not the problem, there is one other thing it might be that is not obvious at all from the error messages.

When you go through the Create Task Sequence Media Wizard to create the USB PXE image, one of the steps requires you to specify the start and end date for the self-signed certificate that is used for HTTP communication:

Create Task Sequence Media Wizard - Self-Signed Certificate

By default this is set to one year, and if you attempt to PXE boot from a USB stick using this image after the certificate expiration date, you will receive the error “An error occurred while retrieving policy for this computer (0x80004005)” and your SMSTS.log file will contain the errors in the screenshot above.

To solve this issue, go through the Create Task Sequence Media Wizard once again to generate a new image with a certificate that is in date. Perhaps also consider increasing the validity period of the certificate from one year to three.

 

Buy Me A Coffee

Using Enterprise Mode in Microsoft Edge and Internet Explorer 11

Enterprise Mode is a feature that shipped in Internet Explorer 11 for Windows 10, and was also introduced to Internet Explorer 11 in Windows 7 and 8.1 in April 2014 that should be seriously considered by any organisation still hoping to complete their Windows 10 migrations before end of support in January 2020, but are worried that their older web applications may not work in the latest version of Internet Explorer.

Enterprise Mode has two functions depending on which browser you are using; In Microsoft Edge it can be used to automatically redirect certain website to IE11 (Edge itself does not do any compatibility rendering, it simply shifts you over to IE11 to do that). In IE11, it can be used to open specified sites in certain document modes or in IE8 or IE7 Enterprise Mode which offers greater emulation of those browsers.

To start, you must enable Enterprise Mode in both Edge and IE11 separately. Yes, there are two places in Group Policy where you have to enable this feature to fully utilise it.

For Microsoft Edge:
Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Edge > Configure the Enterprise Mode Site List

For Internet Explorer 11:
Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Use the Enterprise Mode IE website list

When you have enabled them, you are also required to enter a path where your site list can be found. This can either be a URL (if you have an internal web server to host it) or a file share location (such as \\fileserver.domain.com\SiteList\sitelist.xml).

To create your site list, start by downloading the Enterprise Mode Site List Manager tool. That is assuming you are working with Windows 10 clients. If you are working with Windows 7 or 8.1 clients, download this tool instead. Once you’ve installed it you are given an easy interface to generate a valid XML file for the site list. Just for fun, let’s take my site and configure Edge to open it in IE11, and IE11 to render it in IE8 compatibility mode:

Adding my site to Enterprise Mode

Let’s see what that looks like in the resulting XML:

Adding my site to Enterprise Mode XML

A few things to take away from this:

1) The site list is on version 2. This matters because if this does not increment each time you make a change, Edge and IE11 will not honour the change.
2) The site URL is just the main domain and does not include the https:// or any subdomains. In this case, any URL containing kevinstreet.co.uk will redirect to IE11 (for example, https://reallyoldapp.kevinstreet.co.uk or https://kevinstreet.co.uk/reallyoldapp will redirect to IE11). If you only want a specific subdomain to redirect to IE11 then you should specify that subdomain.
3) The selected compatibility is IE8 Enterprise Mode.
4) The site will be opened in IE11. If a user tries to open it in Microsoft Edge, IE11 will automatically open and navigate to the page.

With the site populated with sites (presumably not actually with my site!) and the site list XML saved to the location you specified in the GPO, open Microsoft Edge and test browsing to the site you specified. It may not work immediately! Edge takes approximately 60 seconds from the time it is opened to check for a new version of the site list and apply it (as does IE11).

Super handy tip: If you want to confirm that your site list is working, in both Edge and IE11, type about:compat in the URL to get a list of websites and their prescribed behaviour. You even get a Force update button to speed up the process of updating the site list. Very useful if you are in the process of adding sites and want to quickly test that your configuration is working.

Compatibility Settings

Once you’re sure both Edge and IE11 are using the latest version of the site list, retry browsing to a URL you specified. In Edge, it should automatically open in IE11 and open in the specified compatibility mode.

My site in Internet Explorer Enterprise Mode
Gosh my site looks pretty bad being rendered as if it was open in Internet Explorer 8!

As you can see from the image above, the site has loaded in Enterprise Mode (this is clear because the of the little blue icon that appears next to the URL). This icon only appears when you select Enterprise Mode as a compatibility mode, it does not appear if you select a document mode. You can still confirm that it has worked by browsing to the site and pressing F12 to open the Developer Tools, then selecting the Emulation tab. In here you will see that the Document mode and Browser profile are configured as you specified in the site list.

Bonus cool stuff: Google Chrome also has a version of this, called Legacy Browser Support. This is particularly cool because you can configure it with Group Policy and it can use the same site list as Edge and IE11, so no need to maintain separate lists! Click here to learn more about Google Chrome Legacy Browser Support for Windows.

 

Buy Me A Coffee

Making iSBEM and Jet Reports work in Windows 10

This may be quite a niche post, but if it helps just one person overcome a “run-time error 5” whenever they try to run one of the iSBEM databases or an “Access Denied”1 error when trying to run a report powered by Jet Reports then it’s worth it!

In Windows 10 the built-in antimalware solution, Windows Defender, has a feature known as Windows Defender Exploit Guard. You can read up about this feature in more detail here, but one of its features in particular, the attack surface reduction rules, can sometimes prevent certain behaviour working in Microsoft Office applications.

Looking more closely at the attack surface reduction rules, you can see that a few of them are tailored specifically at Microsoft Office applications. In my experience the rule “Block all Office applications from creating child processes” can prevent the external processes needed by iSBEM and Jet Reports from running, which causes the errors mentioned above. You can quite easily check if this is the case by attempting to run an iSBEM database or Jet Report and getting the error, then open the Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational and looking for any warning or error level events that indicate that Windows Defender blocked the process from running.

If you do find the block event in the Event Viewer, you can create an exclusion to prevent it from being blocked. This can either be done in Group Policy or PowerShell. Open Group Policy editor and navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction. In here, one of the policies that can be configured is “Exclude files and paths from Attack Surface Reduction rules”, and you can use this to add your exclusions. You can use wildcards and environment variables to ensure the exclusions you add will work regardless of where they apply (for more details on that see this article). Try to make your exclusions as specific as possible so that you still get as much protection from Windows Defender Exploit Guard as possible!

If you wish to add exclusions using PowerShell, you should use the following command:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "Path to exclude"

For example, to unblock the iSBEM database you may use the following exclusion:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "%SYSTEMDRIVE%\NCM\iSBEM_v5.6.a\iSBEM_v5.6.a.mdb"

With that in place, test running the database again and continue to monitor the logs in  Event Viewer until all blocks have been identified and exclusions created.

1Of course an error like Access Denied isn’t necessarily being caused by Windows Defender, it could actually be a permission issue.

 

Buy Me A Coffee

Download Window 10 Enterprise 1903 with the Media Creation Tool (including en-GB and other language versions)

Update 19/12/2019: Microsoft no longer provides Windows 10 1809 or 1903 to people via the Media Creation Tool. See this post on how to download Windows 10 Enterprise 1909 using the Media Creation Tool.

The March (or that May?) 2019 version of Windows 10 is now availabe to download using the Media Creation Tool. Using the GUI you can download the consumer ISO which contains the Home, Professional and Education SKUs of Windows 10.

If you want to download the Enterprise version of Windows 10, but don’t have access to Microsoft VLSC, Visual Studio or Action Pack subscriptions, it is possible to download it using the Media Creation Tool if you know the right command line switches.

To download Windows 10 Enterprise 1903 using the Media Creation Tool, log in with a local administrator account (for some reason it isn’t good enough to run the tool using Run as administrator, you actually do have to be logged in as an administrator) and download the tool. Open a CMD prompt and change directory to the directory you saved the Media Creation Tool in, and enter the following command:

MediaCreationTool1903.exe /Eula Accept /Retail /MediaArch x64 /MediaEdition Enterprise

When you’re prompted for a product key, you can use the Windows 10 Enterprise KMS client key from this site on Microsoft Docs.

This will download an ISO that contains the various Enterprise SKUs (Enterprise, Enterprise N,  Education, Education N, Professional and Professional N) with en-US installed and set to default. If you’d prefer to get en-GB, use the following command:

MediaCreationTool1903.exe /Eula Accept /Retail /MediaLangCode en-GB /MediaArch x64 /MediaEdition Enterprise

This will download an ISO containing the same SKUs as above, but with en-GB installed and set to default.

As far as I can tell, this works for any of the language pack region tags listed on this site. So for example, to download Windows 10 Enterprise 1903 with French installed and set to the default language, you can use this command:

MediaCreationTool1903.exe /Eula Accept /Retail /MediaLangCode fr-FR /MediaArch x64 /MediaEdition Enterprise

If you want to download the 32-bit version of Windows 10 Enterprise instead, you should change /MediaArch to x86.

When you have downloaded the ISO you may unpack it to find that the it does not contain an install.wim, but instead contains install.esd in the sources directory. Depending on what you are doing, you may need the .wim file (for example, if you’re planning to use it with SCCM). Thankfully obtaining a .wim file from the .esd is quite straightforward using DISM.

Open a CMD prompt and use the following command (changing the path for /WimFile to match where your install.esd file is):

dism.exe /Get-WimInfo /WimFile:C:\Temp\Windows10_1903\sources\install.esd

This will list each of the SKUs in the install.esd file. Make a note of the index of the SKU you want (in my case, I want the Enterprise SKU which is index 3).

DISM Get-WimInfo

Now use the following command to create an install.wim file which contains the SKU you want:

dism.exe /Export-Image /SourceImageFile:C:\Temp\Windows10_1903\sources\install.esd /SourceIndex:3 /DestinationImageFile:C:\Temp\Windows10_1903\sources\install.wim /Compress:max /CheckIntegrity

Make sure the path for /SourceImageFile and /DestinationImageFile are correct for you and change the /SourceIndex to match the index you noted earlier.

dism.exe /Export-Image /SourceImageFile:C:TempWindows10_1903sourcesinstall.esd /SourceIndex:3 /DestinationImageFile:C:TempWindows10_1903sourcesinstall.wim /Compress:max /CheckIntegrity

Once that is done you can delete the install.esd file if you want, to save space.

This process also works with earlier versions of Windows 10.

 

Buy Me A Coffee