Windows Server 2016 Core Build Notes

Last Updated: March.29.2019

This post will document my settings for a fresh Windows Server 2016 Core build.
These notes will hopefully serve as the basis for complete automation in the future.

Building a new Windows Server 2016 Virtual Template

Begin the installation process by creating a new virtual machine instance using vCenter Web Client and booting into the Windows Server 2016 installation media.

  • Login to the vCenter Client or Web Client – Select Home\Inventory\VMs and Templates view
  • Expand and select <vCenter>\<datacenter>\<Folder>\1.Templates\ folder
  • Right-click, select New Virtual Machine, select Custom, and click Next
  • Type Virtual Machine Name: TMPL-Windows 2016 STD Core, click Next
  • Select Host\Cluster location: CLUSTER01, click Next
  • Select Root of Host for Resource Pool
  • Select an available Storage location: <datastore>, click Next
  • Select Virtual Machine Version 11, click Next
  • Select Microsoft Windows Server 2016 (64-bit), click Next
  • Select 1 Virtual CPU, click Next
  • Select 4 GB Memory, click Next
  • Select 1 Network Adapter with VMXNET3 type, click Next
    • NIC1 – <VLAN Description>
  • Select VMware Paravirtual SCSI Controller type, click Next
  • Select “Create a new virtual disk”, click Next
  • Select 50 GB Disk Size, Thin Provision type, click Next
  • Select SCSI (0:0) Virtual Device Node, click Next
  • Review Virtual Machine settings, click Finish
  • Right-click on new Virtual Machine, select Edit Settings, click Options tab
  • Remove Floppy Drive 1
  • Under Options | Advanced | Memory CPU Hot Plug section, enable the Hot Add for both Memory and CPU
  • Under Boot Options select Force BIOS Setup
  • Click OK
  • Right-click on new Virtual Machine, select Open Console
  • Power on the Virtual Machine
  • Within the BIOS
    • Ensure the System Time and System Date are accurate
    • Set Legacy Diskette A: [Disabled]
    • Under Advanced | I/O Device Configuration, disable the following:
      • Serial Port A:
      • Serial Port B:
      • Parallel Port:
      • Floppy Disk Controller:
  • Hit F10 to Save and Exit
  • Attach the Windows Server 2016 ISO image through the console (Attach ISO)
  • ISO Name: SW_DVD9_Win_Server_STD_CORE_2016_64Bit_English_04_DC_STD_MLF_x21_70526.iso
  • Connect through Virtual Machine Console – Attach ISO
  • Connect through CD Drive – Datastore ISO File Datastore|<volume1>\_ISOs\
  • If OS is not found hit enter to force boot from CD
  • On the Windows 2016 setup screen, keep the defaults and click on Next
    • Language to install (English – US)
    • Time & Current format (English – US)
    • Keyboard or input method (US)
  • On the Windows Setup screen click on Install
  • On the Select the operating system screen, click on Windows Server 2016 Standard and click on Next
  • On the License terms screen click on I accept the license terms and click Next
  • On the Which type of installation do you want, click on Custom: Install Windows Only (Advanced)
  • To load the Paravirtual driver we will need to attach the VMware Tools image
  • Edit Virtual Machine Settings and select CD/DVD Drive 1
  • Select Datastore ISO File
    • Select browse <datastore>\_VMTools\vmtools\Windows.iso
    • Under Device Status select Connected
    • Return to Virtual Machine Console
    • Click Load Driver and Browse
    • VMware Tools > Program Files > VMware > VMware Tools > pvscsi > Win8 > amd64
    • Click next
    • Select the Displayed Driver and click next
    • Disconnect the VMware Tools ISO and reconnect the Windows Server 2016 ISO before continuing
  • On the Where do you want to install Windows, Select Drive 0
  • When prompted that Windows might create additional partitions, click on OK
  • Click on Next
  • Wait for the installation of Windows to complete (approx. 10 minutes)
  • On the Type a password for the built-in Administrator account, enter the standard Local Admin password used for Servers and click on Finish

VMware Tools

  • From the Virtual Machine click Edit Settings, Select CD/Drive 1 and change Datastore ISO File to <datastore>\_VMTools\vmtools\windows.iso click OK
  • Login to the newly created server
  • From the Command Prompt
  • Change to D:\
  • With the VMware Tools ISO still attached, run setup64.exe (version 10.3.x)
  • Click Next
  • Select Complete
    • Click Next
    • Click Install
    • Click Finish
    • Click Yes to Restart

OS Configuration

  • Login to the Desktop as the local Administrator account
  • To configure Core Edition, you run the command SCONFIG once logged into the desktop
  • Option 1: No Change leaves as workgroup
  • Option 2: Change the Computer Name to W2K16-Core, restart when prompted
  • Option 3: Do not add any additional local administrators
  • Option 4: Leave as Enabled
  • Option 5: Leave as DownloadOnly
  • Option 6: Click 6 to start the download and installation of latest Windows Updates
    • Select (A)ll updates
    • Note this may take some time
    • When you see the list select (A)ll to download and install the updates
    • Reboot the system when prompted
    • Re-Run the Updates after Login and install any additional patches
  • Option 7: Change to Enabled for Remote Desktop
    • Allow only clients running Remote Desktop with NLA (more secure)
  • Option 8: Network Settings should be left as DHCP
  • Option 9: Adjust Date, Time and Time Zone to EST with Daylight savings
  • Option 10: Set to Basic (need to disable this completely)
  • Option 11: Check that the server is activated against the KMS Server

Power Configuration

powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Secure Channel (Schannel) – IIS Crypto 2.0

Software details: https://www.nartac.com/Products/IISCrypto/

  • Software Location: \\server1\share1\
  • From the command prompt map a connection to
    • net use t: \\server1\share1
    • Enter Domain Username and Password
    • Change to the mapped drive and run IISCrypto.exe
    • .\IISCrypto\IISCrypto.exe
  • On the License Agreement screen click on Accept
  • Click on the Best Practices button, click OK and click on Apply, OK
  • Reboot the server

Windows Update (On-Premises WSUS)

To be able to manage and report on installed Windows Security Updates I wish to point the server to the local on-premises WSUS 2016 server. As the template is not joined to the domain, we will be modifying the registry.

All keys can be found under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

The following commands will be needed at a minimum. For other Automatic Update configurations, refer to the Microsoft site:

https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127499

  • reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetGroup /t REG_SZ /d "Templates - Servers"
  • reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetGroupEnabled /t REG_DWORD /d 1
  • reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d https://wsus.domain.local:8531
  • reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d https://wsus.domain.local:8531

Note: if you are not using SSL on your WSUS then your ports will be different (8530)

To force check the server against your WSUS

  • wuauclt /detectnow /reportnow

Go to your WSUS Console and ensure the Servers are reporting in

Note: If you receive the following error code 80072F8F

I received the following code error when checking in with the on-premises WSUS Server. This is because I am using an SSL cert from an internal Certificate Authority.

To fix this I have imported the Root and SUBCA into the template. If you are unsure, talk to your Certificate Authority Administrator for assistance.

  • certutil -addstore -enterprise -f -v root "root.cer"
  • certutil -addstore -f CA "SUBCA.cer"
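
Before converting the VM to a template, the WSUS policy values and the imported CA certificates can be checked in one pass. The script below is an added example, not part of the original notes; it assumes root.cer and SUBCA.cer are in the current directory, and it also checks UseWUServer under the AU subkey, which the reg add commands above do not set and without which the client ignores WUServer.

```powershell
# Added example: audit the WSUS client policy and the CA trust imported with certutil.
# Assumption: root.cer and SUBCA.cer sit in the current directory.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientPolicy {
    $findings = @()
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $p.$name
        if (-not $url) { $findings += "$name is not set"; continue }
        if (([uri]$url).Scheme -ne 'https') {
            $findings += "$name = $url is not HTTPS; update metadata travels unprotected"
        }
    }
    if ($p.WUServer -ne $p.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ; both must hold the same URL'
    }
    if ($p.TargetGroupEnabled -ne 1 -or -not $p.TargetGroup) {
        $findings += 'Client-side targeting incomplete (TargetGroup / TargetGroupEnabled)'
    }
    # UseWUServer lives under the AU subkey; without it the client ignores WUServer.
    if ($au.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1; the client will not use the WSUS URL'
    }
    $findings
}

function Test-CertInStore([string]$CerPath, [string]$Store) {
    if (-not (Test-Path $CerPath)) { throw "$CerPath not found" }
    # Compare by thumbprint against the machine-wide logical store (Root or CA).
    $file = (Resolve-Path $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    [bool](Get-ChildItem "Cert:\LocalMachine\$Store" |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
}

$issues = @(Test-WsusClientPolicy)
if (-not (Test-CertInStore '.\root.cer'  'Root')) { $issues += 'root.cer is not in LocalMachine\Root' }
if (-not (Test-CertInStore '.\SUBCA.cer' 'CA'))   { $issues += 'SUBCA.cer is not in LocalMachine\CA' }

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'WSUS client policy and CA trust look consistent.' }
```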

Windows Defender

Since I will be using a 3rd party product, the following will remove the Windows Defender feature:

Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet

Update: 1
I have found that the above will cause problems when trying to pull the Get-WindowsUpdateLog as it looks for a missing DLL (that can be copied from a server with it installed to restore the functionality).

Update: 2
It seems really difficult to reinstall Windows-Defender when it has been removed; proceed with caution!

This should complete the template. If you have any other suggestions please comment below.
