EDR/XDR causes issues with Mount-WindowsImage and 24H2 ADK

[ashcrafa]

I recently came across this and decided to try it. I downloaded the files and ran the command to run windows updates and build a USB with autopilot and unattend files for Windows 10. However it keeps failing at creating the capture media, saying the "Mount-WindowsImage : The specified service does not exist." I have uninstalled and reinstalled ADK and WinPE add-on and the issue persists.

Do you have any recommendations?

FFUDevelopment.log

[rbalsleyMSFT]

Do you have a 3rd party EDR or AV solution installed? I just had another user have a similar issue. If so, try disabling or uninstalling to see if it works. You may need to put an exclusion rule in for the ADK path.

Thanks, Richard

---

From: ashcrafa @.> Sent: Wednesday, June 26, 2024 1:18:12 PM To: rbalsleyMSFT/FFU @.> Cc: Subscribed @.***> Subject: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

I recently came across this and decided to try it. I downloaded the files and ran the command to run windows updates and build a USB with autopilot and unattend files for Windows 10. However it keeps failing at creating the capture media, saying the "Mount-WindowsImage : The specified service does not exist." I have uninstalled and reinstalled ADK and WinPE add-on and the issue persists.

Do you have any recommendations?

FFUDevelopment.loghttps://github.com/user-attachments/files/15994660/FFUDevelopment.log

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMYE2BEM27P242D6GM6MMXLZJMOYJAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43ASLTON2WKOZSGM3TMMJZGE4DGNQ. You are receiving this because you are subscribed to this thread.Message ID: @.***>

[ashcrafa]

We do have an EDR. I disabled it and the issue persisted. I did have a previous version, downloaded it in February, of ADK and WinPE that seemed to work fine before the upgrade for a different WinPE project.

Andrew Ashcraft

---

From: rbalsleyMSFT @.> Sent: Wednesday, June 26, 2024 3:56 PM To: rbalsleyMSFT/FFU @.> Cc: Andrew Ashcraft @.>; Author @.> Subject: [External Email] Re: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

[EXTERNAL EMAIL] Please report any suspicious attachments, links, or requests for sensitive information.

Do you have a 3rd party EDR or AV solution installed? I just had another user have a similar issue. If so, try disabling or uninstalling to see if it works. You may need to put an exclusion rule in for the ADK path.

Thanks, Richard

---

From: ashcrafa @.> Sent: Wednesday, June 26, 2024 1:18:12 PM To: rbalsleyMSFT/FFU @.> Cc: Subscribed @.***> Subject: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

I recently came across this and decided to try it. I downloaded the files and ran the command to run windows updates and build a USB with autopilot and unattend files for Windows 10. However it keeps failing at creating the capture media, saying the "Mount-WindowsImage : The specified service does not exist." I have uninstalled and reinstalled ADK and WinPE add-on and the issue persists.

Do you have any recommendations?

FFUDevelopment.loghttps://github.com/user-attachments/files/15994660/FFUDevelopment.log

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMYE2BEM27P242D6GM6MMXLZJMOYJAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43ASLTON2WKOZSGM3TMMJZGE4DGNQ. You are receiving this because you are subscribed to this thread.Message ID: @.***>

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31#issuecomment-2192689775, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BJPEY2HAVTPKI4YLVXHYXFLZJM2HNAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJSGY4DSNZXGU. You are receiving this because you authored the thread.Message ID: @.***>

[rbalsleyMSFT]

Since the release of 24h2 ADK, you and the other user I mentioned are the first I've seen of these issues.

Can you attach your dism log and the output of fltmc from the command line after disabling your EDR? Fltmc will list the filter drivers on the system. My guess is that even disabled, the EDR filter driver is probably present. If you can uninstall it completely, the driver should be removed, and I hope that it works.

Thanks, Richard

---

From: ashcrafa @.> Sent: Wednesday, June 26, 2024 4:55:59 PM To: rbalsleyMSFT/FFU @.> Cc: Richard Balsley @.>; Comment @.> Subject: Re: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

We do have an EDR. I disabled it and the issue persisted. I did have a previous version, downloaded it in February, of ADK and WinPE that seemed to work fine before the upgrade for a different WinPE project.

Andrew Ashcraft Technology Specialist | Bonneville Joint School District 93 Office: (208)525-4493 ext. 9327 Email: @.***

---

From: rbalsleyMSFT @.> Sent: Wednesday, June 26, 2024 3:56 PM To: rbalsleyMSFT/FFU @.> Cc: Andrew Ashcraft @.>; Author @.> Subject: [External Email] Re: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

[EXTERNAL EMAIL] Please report any suspicious attachments, links, or requests for sensitive information.

Do you have a 3rd party EDR or AV solution installed? I just had another user have a similar issue. If so, try disabling or uninstalling to see if it works. You may need to put an exclusion rule in for the ADK path.

Thanks, Richard

---

From: ashcrafa @.> Sent: Wednesday, June 26, 2024 1:18:12 PM To: rbalsleyMSFT/FFU @.> Cc: Subscribed @.***> Subject: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

I recently came across this and decided to try it. I downloaded the files and ran the command to run windows updates and build a USB with autopilot and unattend files for Windows 10. However it keeps failing at creating the capture media, saying the "Mount-WindowsImage : The specified service does not exist." I have uninstalled and reinstalled ADK and WinPE add-on and the issue persists.

Do you have any recommendations?

FFUDevelopment.loghttps://github.com/user-attachments/files/15994660/FFUDevelopment.log

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMYE2BEM27P242D6GM6MMXLZJMOYJAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43ASLTON2WKOZSGM3TMMJZGE4DGNQ. You are receiving this because you are subscribed to this thread.Message ID: @.***>

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31#issuecomment-2192689775, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BJPEY2HAVTPKI4YLVXHYXFLZJM2HNAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJSGY4DSNZXGU. You are receiving this because you authored the thread.Message ID: @.***>

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31#issuecomment-2192807890, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMYE2BH7YRKNFMXG2JH4KF3ZJNII7AVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJSHAYDOOBZGA. You are receiving this because you commented.Message ID: @.***>

[ashcrafa]

Attached is the dism log and the fltmc output. However I'm not familiar with that command, so if I didn't get the right output let me know.

Andrew

---

From: rbalsleyMSFT @.> Sent: Thursday, June 27, 2024 9:44 AM To: rbalsleyMSFT/FFU @.> Cc: Andrew Ashcraft @.>; Author @.> Subject: [External Email] Re: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

[EXTERNAL EMAIL] Please report any suspicious attachments, links, or requests for sensitive information.

Since the release of 24h2 ADK, you and the other user I mentioned are the first I've seen of these issues.

Can you attach your dism log and the output of fltmc from the command line after disabling your EDR? Fltmc will list the filter drivers on the system. My guess is that even disabled, the EDR filter driver is probably present. If you can uninstall it completely, the driver should be removed, and I hope that it works.

Thanks, Richard

---

From: ashcrafa @.> Sent: Wednesday, June 26, 2024 4:55:59 PM To: rbalsleyMSFT/FFU @.> Cc: Richard Balsley @.>; Comment @.> Subject: Re: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

We do have an EDR. I disabled it and the issue persisted. I did have a previous version, downloaded it in February, of ADK and WinPE that seemed to work fine before the upgrade for a different WinPE project.

Andrew

---

From: rbalsleyMSFT @.> Sent: Wednesday, June 26, 2024 3:56 PM To: rbalsleyMSFT/FFU @.> Cc: Andrew Ashcraft @.>; Author @.> Subject: [External Email] Re: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

[EXTERNAL EMAIL] Please report any suspicious attachments, links, or requests for sensitive information.

Do you have a 3rd party EDR or AV solution installed? I just had another user have a similar issue. If so, try disabling or uninstalling to see if it works. You may need to put an exclusion rule in for the ADK path.

Thanks, Richard

---

From: ashcrafa @.> Sent: Wednesday, June 26, 2024 1:18:12 PM To: rbalsleyMSFT/FFU @.> Cc: Subscribed @.***> Subject: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

I recently came across this and decided to try it. I downloaded the files and ran the command to run windows updates and build a USB with autopilot and unattend files for Windows 10. However it keeps failing at creating the capture media, saying the "Mount-WindowsImage : The specified service does not exist." I have uninstalled and reinstalled ADK and WinPE add-on and the issue persists.

Do you have any recommendations?

FFUDevelopment.loghttps://github.com/user-attachments/files/15994660/FFUDevelopment.log

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMYE2BEM27P242D6GM6MMXLZJMOYJAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43ASLTON2WKOZSGM3TMMJZGE4DGNQ. You are receiving this because you are subscribed to this thread.Message ID: @.***>

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31#issuecomment-2192689775, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BJPEY2HAVTPKI4YLVXHYXFLZJM2HNAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJSGY4DSNZXGU. You are receiving this because you authored the thread.Message ID: @.***>

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31#issuecomment-2192807890, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMYE2BH7YRKNFMXG2JH4KF3ZJNII7AVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJSHAYDOOBZGA. You are receiving this because you commented.Message ID: @.***>

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31#issuecomment-2195051740, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BJPEY2F7EQIKFMXR57KRFH3ZJQXMLAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJVGA2TCNZUGA. You are receiving this because you authored the thread.Message ID: @.***>

[ashcrafa]

It seems like the files did not get attached correctly. I am attaching them using a comment instead.

dism.log

Andrew

[rbalsleyMSFT]

That looks pretty good.

The dism log shows that you're running into a filter driver related issue.

If you were to mount a wim using dism manually, does that work?

You can also try to use dism from the installed ADK (Start - Windows Kits - Deployment and Imaging Tools environment). If you run it from that command prompt, it should use a newer version of dism.

[ashcrafa]

Mounting it manually fails as well.

-Andrew

[rbalsleyMSFT]

Definitely something on that machine that's causing dism from being able to mount a WIM.

Do you have access to another machine and can you test mounting a WIM manually?

[ashcrafa]

I was able to mount wim files successfully before upgrading to the latest ADK, which occurred when I ran the powershell script for the first time. I'm also going to build a machine without the EDR and test that. I apologize for the time lag between responses. I'm often out fixing stuff and appreciate your help.

-Andrew

[ashcrafa]

I was able to successfully create the flash drive using a base Windows 11 build. I also tried using another computer with the normal setup for us and it didn't work either with the latest ADK. I'm going reach out to our EDR support and see if they can help to make sure it isn't the EDR that is somehow blocking it.

Thanks for the help!

-Andrew

[rbalsleyMSFT]

That's good news. Glad to hear it's working on a base Windows 11 install.

Thanks, Richard

---

From: ashcrafa @.> Sent: Tuesday, July 9, 2024 6:27:37 AM To: rbalsleyMSFT/FFU @.> Cc: Richard Balsley @.>; Comment @.> Subject: Re: [rbalsleyMSFT/FFU] Create Capture Media Issue (Issue #31)

I was able to successfully create the flash drive using a base Windows 11 build. I also tried using another computer with the normal setup for us and it didn't work either with the latest ADK. I'm going reach out to our EDR support and see if they can help to make sure it isn't the EDR that is somehow blocking it.

Thanks for the help!

-Andrew

— Reply to this email directly, view it on GitHubhttps://github.com/rbalsleyMSFT/FFU/issues/31#issuecomment-2217744923, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AMYE2BCUW47K7ZWU4OF7IC3ZLPQMTAVCNFSM6AAAAABJ6SUV7KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJXG42DIOJSGM. You are receiving this because you commented.Message ID: @.***>

[HedgeComp]

Did you solve the EDR issue? I uninstalled the XDR we use but I still have the exact same experience and error. I am currently running 24H2 preview so I wonder if this could be part of the issue.?

[rbalsleyMSFT]

No.

Can you try a simple test? Install the 24H2 ADK (There isn't a preview, what's released is released, 24H2 is already RTM) and try and manually mount a windows image (use Mount-Windowsimage). Does that fail (it should)?

Next, uninstall the 24H2 ADK and install the Sept 2023 ADK and try Mount-WindowsImage and see if that works.

Also, what's your EDR?

[rbalsleyMSFT]

I also fear that this may be a problem with 24H2 (not just the ADK) when it gets released since I assume dism and dism API will be similar builds to what's in the ADK.

Can someone who's experiencing the issue do me a favor and download the latest Insider ISO from here

https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewiso

You'll want 26100.1150

Put your EDR on it and try and run Mount-WindowsImage and see if you see the same behavior. Don't install the ADK, just use vanilla Mount-WindowsImage.

[rbalsleyMSFT]

@zehadialam FYI - might need to make a variable to update the ADK ($UpdateADK) instead of forcing the install of the latest if it's not found. This would be 3 people with an EDR installed that are running into the same issue. Once I can get more data from folks, I'll see if I can track down someone internally to see if there are any known issues here.

[HedgeComp]

Richard, here's the results of the latest BUild and with and without the ADK installed:

hope this helps Cheers,

Scott

[rbalsleyMSFT]

@HedgeComp can you attach your c:\windows\logs\dism\dism.log file? It might be really large and you may need to zip it up. Also, if you have a WimMountADKSetup.log file in that folder, send that too. Thanks!

[HedgeComp]

Here you go..

WimMountAdkSetup.zip

I tried to see if there was a new preview of the ADK but it appears the Windows Insider Preview download of ADK and PE are still the May 24 versions. 10.1.26100.1

[rbalsleyMSFT]

Thanks. I just tried 26100.1150 with the 24H2 ADK and can't repro the behavior.

I'm wondering if the install of the new ADK, or the method that we're using (essentially powershell calling adksetup), somehow trips up the AV/EDR/XDR and doesn't completely install the ADK as it should.

I know this might be difficult to do, but would it be possible to uninstall the 24H2 ADK, then disable/remove the EDR, install the 24H2 ADK, then reenable/reinstall the EDR?

Actually, before we do that, do you have an adk and adkwinpeaddons folder in your user temp directory? C:\users\\appData\Local\Temp? If you do, can you send those over?

[HedgeComp]

is there a direct link to 26100.1150? or is this the same as the May 24 release? checking Add remove I only have 26100.1 ..

[rbalsleyMSFT]

Sorry, what i meant was I tried Windows 24H2 build 26100.1150 with the 24H2 ADK (which is 26100.1). There isn't a newer ADK release.

If you have those logs, that'd be helpful.

[HedgeComp]

I have gotten the script to run with Mount-WindowsImage. Not sure why this is working now but this was my sequence.

1. Uninstall the ADK and PE from contorl Panel
2. Test Mount-WindowsIMage (Vanilla Works)
3. Downloaded the "Other ADK versions" ADK 10.1.25398.1 (September 2023) https://learn.microsoft.com/en-us/windows-hardware/get-started/adk-install#other-adk-downloads
4. Test Mount-WindowsImage it works Still
5. I run your FFU deploy script. It detects not latest and it updates to 26100.1

6. After completion, I tried Mount-WindowsImage again and it is still working correctly.

Not sure how why the upgrade process worked but a straight install does not.

For reference, my first test run of your script, I did not have any ADK or PE environment installed, so your script installed it for me.

adk.zip

[rbalsleyMSFT]

That's strange. Thanks for the update.

[rbalsleyMSFT]

Closing this. If this is still a problem, open a new issue.