Windows Assessment and Deployment Kit
The Windows Assessment and Deployment Kit (ADK) is a suite of tools and technologies developed by Microsoft to assist IT professionals, system builders, and original equipment manufacturers (OEMs) in customizing, assessing, and deploying Windows operating systems on a large scale.[1] It enables the evaluation of system performance and quality, the creation of tailored Windows images, and the automation of deployment processes for environments ranging from enterprise networks to manufacturing lines.[2] The ADK supports Windows 11 (including versions 25H2 and 24H2), Windows 10 (end of support in October 2025), Windows Server 2025, and Windows Server 2022, with its latest release being version 10.1.26100.2454 from December 2024, which includes security fixes and enhancements like Arm64 WinPE support for HTA scripts.[1][3][4] Key components of the ADK are divided into assessment and deployment categories to address different phases of Windows management. The assessment tools, such as the Windows Assessment Toolkit and Windows Performance Toolkit (WPT), allow users to diagnose hardware and software issues, measure performance metrics like battery life and system responsiveness, and establish baselines for quality control through simulated user scenarios and event tracing.[2] Meanwhile, deployment tools include Windows Preinstallation Environment (WinPE) for creating bootable media, Sysprep for generalizing and preparing images, Deployment Image Servicing and Management (DISM) for servicing offline images, and the Windows System Image Manager (WSIM) for automating setup configurations via answer files.[1][5] Additional features like the Windows Recovery Environment (Windows RE) support troubleshooting and repair, while the Windows Configuration Designer (previously known as Windows Imaging and Configuration Designer or ICD) facilitates provisioning packages for desktop and IoT Core editions.[5][3] For IT professionals, the ADK streamlines scenarios such as mounting and updating Windows images with DISM, capturing customized installations for reuse, and generating bootable USB drives with WinPE for offline deployments or data recovery.[5] It integrates with broader Microsoft ecosystems, including the Microsoft Deployment Toolkit (MDT), to enable lite-touch and zero-touch installations, ensuring compatibility across x86, x64, and Arm64 architectures while phasing out legacy support like 32-bit WinPE since the Windows 11 22H2 release.[1][3] Recent updates emphasize security, with patches addressing installer vulnerabilities and updated signing for boot binaries, making the ADK essential for maintaining up-to-date, secure Windows environments in organizational settings.[3]Introduction
Definition and Purpose
The Windows Assessment and Deployment Kit (ADK) is a collection of tools provided by Microsoft designed to help customize, assess, and deploy Windows operating system images at scale.[1] It enables users to prepare tailored Windows installations for various environments, from individual devices to large enterprise networks, by offering utilities for image modification, performance evaluation, and deployment automation.[2] The primary purposes of the ADK include preparing and customizing OS images for efficient deployment, testing application compatibility to ensure smooth operation on target systems, evaluating system and application performance under real-world conditions, and automating the rollout of Windows in enterprise settings to reduce manual effort and errors.[1] These capabilities address key challenges in IT management, such as maintaining consistency across deployments and verifying hardware-software interactions before production use.[5] Targeted at IT administrators, original equipment manufacturers (OEMs), and system builders, the ADK supports the deployment of Windows 11 (versions 25H2, 24H2, and earlier supported versions), Windows 10 (all supported editions), and Windows Server (such as 2025 and 2022).[1] For instance, tools like Windows Preinstallation Environment (WinPE) and Deployment Image Servicing and Management (DISM) facilitate booting into a minimal environment for image servicing and capture.[5]Key Features and Capabilities
The Windows Assessment and Deployment Kit (ADK) features a modular structure that allows users to selectively install components tailored to specific needs in assessment, deployment, and migration workflows, including tools like the Windows Assessment Toolkit, Windows Performance Toolkit, and Deployment Tools for customized setups without requiring the full kit.[6] This design supports efficient resource allocation for IT professionals and OEMs, enabling targeted use cases such as performance evaluation or OS imaging.[1] A core capability is support for image-based deployment, which facilitates the creation, customization, and servicing of Windows images through tools like Deployment Image Servicing and Management (DISM) for offline modifications and Windows Preinstallation Environment (WinPE) for bootable environments that allow driver integration and script execution during installation.[5] Users can customize boot environments by adding optional components to WinPE, such as networking or scripting support, to streamline automated deployments across diverse hardware.[7] Additionally, the ADK integrates seamlessly with enterprise management solutions like Microsoft Endpoint Configuration Manager (MECM) and the Microsoft Deployment Toolkit (MDT), providing essential WinPE boot images and OS imaging tools required for large-scale task sequence and lite-touch deployments.[8][9] The kit offers robust capabilities for hardware validation, performance benchmarking, and compatibility testing, with the Assessment Toolkit enabling stress tests and reliability evaluations on devices, while the Performance Toolkit analyzes system traces to identify bottlenecks in CPU, memory, and disk usage.[6] These features ensure Windows compatibility across hardware configurations, supporting validation against Microsoft standards without deep dives into individual tool mechanics. As of May 2025, the ADK version 10.1.26100.2454 (originally released December 2024) was republished to fix a security vulnerability in the installer (CVE-related to WiX binary hijack, GHSA-rf39-3f98-xr7r).[1][10] Earlier enhancements include expanded ARM64 support in WinPE, such as HTML Application (HTA) functionality added in December 2024 for broader device compatibility in deployment scenarios, and supply chain security features introduced in May 2024, incorporating tools like sbom-tool for generating Software Bill of Materials (SBOMs) and CoseSignTool for signing them to enhance transparency and integrity in software supply chains.[3]History
Origins and Early Development
The Windows Assessment and Deployment Kit (ADK) traces its origins to the Windows Automated Installation Kit (AIK), a set of tools introduced by Microsoft to facilitate the deployment of Windows Vista in 2006. The AIK was designed to enable corporate IT professionals to perform unattended installations, capture disk images using tools like ImageX, and create bootable Windows Preinstallation Environment (WinPE) media, addressing the limitations of manual deployment processes prevalent during the Windows XP era.[11] This kit emerged in response to growing enterprise demands for automated operating system imaging and customization following the widespread adoption of Windows XP, where slipstreaming service packs and drivers often required time-consuming manual interventions or reliance on third-party solutions.[12] With the release of Windows 7 in 2009, the AIK evolved into version 2.0, incorporating enhancements such as Windows PE 3.0 for improved scripting and network support, the Deployment Image Servicing and Management (DISM) tool for offline image servicing, and integration with the User State Migration Tool (USMT) 4.0 to streamline user data transfers during upgrades. These updates aimed to standardize enterprise deployments by reducing image variants, automating task sequences, and minimizing hardware dependencies, thereby replacing ad-hoc methods with repeatable, scalable processes that lowered costs and deployment times. The AIK's focus remained on imaging and deployment, building directly on Vista's image-based setup to support high-volume rollouts in corporate environments transitioning from Windows XP.[13][12] The transition to the ADK occurred with Windows 8 in 2012, when Microsoft rebranded and expanded the toolkit to encompass not only deployment but also assessment and performance evaluation capabilities, such as the Windows Assessment Toolkit for hardware validation and the Windows Performance Toolkit for diagnostics. This evolution reflected Microsoft's goal to provide a comprehensive suite for end-to-end Windows customization and testing, further standardizing tools for enterprise IT while incorporating modern components like an updated WinPE for broader compatibility.[1][14]Version History and Major Releases
The Windows Assessment and Deployment Kit (ADK) has evolved in tandem with major Windows operating system releases, with versions aligned to support deployment and assessment needs for each iteration. The initial ADK for Windows 8, version 8.100, was released in June 2012 to facilitate image customization and testing for that platform. This was followed by the ADK for Windows 8.1 in October 2013, which introduced enhancements for updated deployment scenarios. The transition to Windows 10 marked a versioning shift, with the initial ADK release in July 2015 under build 10.0.10240, supporting the inaugural version 1507 of the OS. Subsequent ADK versions have tracked Windows 10's semi-annual feature updates and Windows 11's releases, culminating in the latest ADK 10.1.26100.2454, updated in December 2024, which supports Windows 11 version 25H2 along with prior Windows 10 and 11 builds.[15][1] Key changes in major releases include structural shifts for better modularity. Starting with the ADK for Windows 10 version 1809 in October 2018, the Windows Preinstallation Environment (WinPE) was separated into a standalone add-on package, allowing independent updates without requiring a full ADK reinstall. Support for 32-bit WinPE was discontinued in ADK versions released after the Windows 10 version 2004 add-on (May 2020), reflecting the shift away from x86 architectures in modern deployments; the last compatible 32-bit WinPE was available in the add-on for Windows 10 version 2004. Recent 2024 updates include, in the May release (build 10.1.26100.1), neural processing unit (NPU) analysis capabilities within the Windows Performance Toolkit. The December 2024 release (build 10.1.26100.2454) added support for ARM64 HTML Applications (HTA) in WinPE, enabling advanced hardware assessment for AI workloads.[16][1][3] Deprecations have streamlined the toolkit by removing legacy components. In May 2024, the Registry Hive Recovery Tools were eliminated from the ADK, as they were primarily needed for compatibility with Windows 8 and earlier systems. The App-V Sequencer reached end-of-life announcement status, with support concluding in April 2026 as part of the broader Microsoft Desktop Optimization Pack (MDOP) lifecycle.[3][17] The ADK follows a servicing model with monthly patches to address security vulnerabilities, compatibility issues, and minor enhancements, ensuring alignment with Windows Update cycles without necessitating full version upgrades. These patches are cumulative and can be applied to supported ADK installations starting from build 10.1.26100.2454.[18]Installation and Setup
Downloading and Installation Process
The Windows Assessment and Deployment Kit (ADK) is available for download directly from the Microsoft Learn documentation site, which provides the adksetup.exe installer for the latest version, currently 10.1.26100.2454 as of December 2024. Organizations with volume licensing agreements can access downloads through the Microsoft 365 admin center, which has incorporated functionalities from the retired Volume Licensing Service Center. The Windows Preinstallation Environment (WinPE) add-on must be downloaded and installed separately after the main ADK, using adkwinpesetup.exe from the same site.[1][19] Installation requires a host system running a 64-bit edition of Windows 11 (version 24H2 or 25H2), Windows 10 (end of support October 14, 2025), Windows Server 2025, or Windows Server 2022, with at least 4 GB of RAM to support tool operations effectively. While the base installer does not explicitly mandate additional software prerequisites, certain configurations may require specific updates.[1][20] To install the ADK online, download and run adksetup.exe with administrator privileges; the setup wizard prompts for feature selection, such as Deployment Tools or Imaging and Configuration Designer, and completes the process with an option to install the WinPE add-on afterward. For air-gapped or offline environments, first download adksetup.exe and the optional offline content (using the /layout switch on an internet-connected machine to create a local source), then transfer the files to the target system and execute adksetup.exe /ceip off /quiet /features OptionId.All for a silent full installation, followed by running adkwinpesetup.exe similarly for the add-on.[1][21] Following installation, verify the ADK by navigating to the default path C:\Program Files (x86)\Windows Kits\10 and executing command-line tools like dism.exe /? from the Assessment and Deployment Kit's DISM subdirectory to confirm the tool version aligns with the installed ADK release. Successful verification indicates accessible binaries and proper integration with the system's PATH environment variable if configured.[1] Common issues during installation include incomplete downloads of optional components due to firewall restrictions or unstable connections, which can be mitigated by opting for the offline layout method to pre-fetch all files. Additionally, mismatched security updates on the host may prevent compatibility; for instance, applying the Servicing Stack Update KB5026361 is required before updating the WinPE add-on in certain configurations. Ensuring version compatibility between the ADK and WinPE add-on must be maintained to avoid deployment failures.[21][22][23]Component Selection and Configuration
During installation of the Windows Assessment and Deployment Kit (ADK), users can select specific features through the setup wizard to tailor the installation to their needs, such as deployment or assessment scenarios. Core options include the Deployment Tools feature, which provides essential utilities like the Deployment and Imaging Tools Environment, Sysprep, and the Deployment Image Servicing and Management (DISM) tool for image customization and servicing; and the Windows Imaging and Configuration Designer (ICD) for creating provisioning packages.[1] The Windows Preinstallation Environment (WinPE) is not selected during the main ADK installation but requires a separate add-on download and installer, which integrates WinPE support for creating bootable environments.[1] Optional components like the Windows Assessment Toolkit and Windows Performance Toolkit can also be chosen or deselected to avoid unnecessary disk space usage.[3] After installation, configuration involves verifying and adjusting environment variables to ensure tools are accessible from the command line. The ADK typically installs to%ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit (or the equivalent path for 64-bit systems), and users must add subpaths to the system PATH variable, such as %ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM for DISM commands or %ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg for imaging tools.[24] This setup enables running ADK tools without specifying full paths in scripts or deployment workflows. Packages can be added post-install using DISM, particularly for WinPE enhancements, by mounting the image file (e.g., boot.wim) and applying .cab files from the installation directory.[24]
Customization of components, especially WinPE, allows enabling optional features to extend functionality for specific deployment tasks. To add optional WinPE components, first mount the WinPE image using DISM: Dism /Mount-Image /ImageFile:"C:\WinPE_amd64\media\sources\boot.wim" /index:1 /MountDir:"C:\WinPE_amd64\mount", then use the /Add-Package command to integrate packages from paths like C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs. For example, to enable PowerShell support, add the WinPE-PowerShell.cab along with dependencies like WinPE-WMI.cab, WinPE-NetFX.cab, and WinPE-Scripting.cab via sequential /Add-Package commands; for networking, include WinPE-Dot3Svc.cab to support IEEE 802.1X authentication.[25] After additions, unmount and commit changes with Dism /Unmount-Image /MountDir:"C:\WinPE_amd64\mount" /Commit to save the customized image.[24] These packages must match the ADK architecture (e.g., amd64 or arm64) and include language-specific variants if needed, such as WinPE-HTA_en-us.cab for HTML Applications in English.[25]
Best practices recommend minimal installations for targeted use cases to reduce footprint and complexity; for deployment-only scenarios, select just the Deployment Tools and WinPE add-on, omitting assessment tools unless required for performance testing.[1] In contrast, full installations including all features are advised for comprehensive environments involving both assessment and deployment. Always match the ADK version to the target Windows release (e.g., ADK for Windows 11 24H2) and test customizations in isolated setups to avoid compatibility issues.[1]
To keep the ADK current, apply servicing stack updates (SSU) and patches post-install, as these address security vulnerabilities and improve reliability without requiring a full reinstall. Download the latest patch zips for ADK 10.1.26100.2454 from the official servicing page (updated monthly as of November 2025), extract the .msp files, and apply them via an elevated command prompt with a loop script: for %i in (*.msp) do start /wait msiexec.exe /l* "%TEMP%\adkupdate\msiexec-%~nxi.log" /qn /p "%~fi", creating a log directory first for troubleshooting.[18] For WinPE images, integrate SSUs using DISM before cumulative updates to ensure the servicing stack handles subsequent patches correctly.[24] Regular checks of the servicing page are essential, as updates are released monthly.[18]
Current Components
Windows Assessment Toolkit
The Windows Assessment Toolkit is a component of the Windows Assessment and Deployment Kit (ADK) designed to evaluate hardware and software quality in Windows environments by simulating user scenarios and measuring system performance.[26] It enables IT professionals and developers to assess factors such as reliability, power efficiency, and device functionality on a local computer, helping diagnose issues and optimize configurations before deployment.[2] The toolkit integrates performance metrics to provide a holistic view of system behavior under various conditions.[26] At its core, the toolkit includes the Assessment Processing Toolkit (APT), which automates the execution of tests through command-line interfaces, such as AXE.exe, using scripts to run predefined or custom assessments.[26] Key assessments encompass battery life testing to measure power consumption during workloads, stress tests to evaluate system stability under load, and device metadata tests to verify hardware compatibility and functionality.[26] Additional tools like the Windows Assessment Console provide a graphical user interface for grouping assessments, creating jobs, and managing results, while the Assessment Platform serves as the underlying infrastructure for developing, executing, and displaying outcomes.[26] Prominent features include Modern Standby cycling to simulate sleep-wake transitions and assess power states, energy efficiency metrics for workloads like web browsing and application usage, and app automation scenarios that replicate real-world interactions such as Microsoft Edge or Teams sessions.[3] Usage typically involves invoking assessments via command-line tools like AXE.exe to generate detailed reports on system reliability, allowing users to identify bottlenecks in areas like boot times or resource utilization.[26] In May 2024, updates added new metrics for Hypervisor and Virtual Secure Mode (VSM) delays within the Boot performance (Full Boot) assessment, enhancing analysis of virtualization impacts.[3] Outputs from these assessments are primarily XML reports containing raw data, diagnostics, and summaries that can be analyzed in tools like Microsoft Excel or custom scripts for deeper insights into quality metrics.[26] These reports facilitate targeted improvements, such as optimizing drivers or firmware, to ensure robust performance in production environments.[2]Windows Performance Toolkit
The Windows Performance Toolkit (WPT) is a set of tools within the Windows Assessment and Deployment Kit (ADK) designed for capturing, analyzing, and visualizing system and application performance data on Windows operating systems.[27] It enables developers, IT professionals, and system testers to profile resource usage, identify inefficiencies, and optimize performance without requiring specialized hardware. The toolkit leverages Event Tracing for Windows (ETW) to collect detailed traces, supporting analysis on Windows 8 and later versions with .NET Framework 4.5 or higher.[28] The primary components of WPT are the Windows Performance Recorder (WPR) and the Windows Performance Analyzer (WPA). WPR serves as the recording tool, initiating ETW sessions to capture events such as CPU sampling, GPU activity, disk I/O operations, and, in recent updates, Neural Processing Unit (NPU) utilization.[29] Users can launch WPR through its graphical interface, wprui.exe, to select predefined profiles like "General" for broad system traces or custom XML configurations for targeted scenarios, generating .etl files that encapsulate the performance data.[29] WPA then processes these .etl files, rendering them as interactive graphs, tables, and timelines to reveal patterns in resource consumption and execution flows.[28] Key features include comprehensive sampling for hardware and software interactions, with visualizations highlighting bottlenecks in areas like processor threads, memory allocation, and storage latency. In the May 2024 release (version 11), WPT introduced NPU recording profiles in WPR—accessible via the commandwpr.exe -start NeuralProcessing -filemode or the "Resource Analysis" section in wprui.exe—for tracing AI workload efficiency on compatible hardware.[30] WPA enhancements in this update added dedicated NPU analysis tables and graphs showing adapter stacks, alongside new Gantt chart modes: "Combine as Grouped" for one-to-one relationships and "Combine as Related" for hierarchical parent-child views, improving timeline-based debugging.[30][28]
Advanced capabilities extend to plugin support, allowing custom views and analyses through the Microsoft Performance Toolkit SDK, an open-source library for building extensions that integrate seamlessly with WPA's interface.[31] The 2024 launcher improvements include a streamlined welcome screen in WPA, offering quick access to recent traces, plugin management, theme settings (light/dark mode), and pre-analysis configurations to enhance workflow efficiency.[30]
In practice, WPT is applied to diagnose performance issues in drivers, applications, and system calls by correlating ETW events to pinpoint high-latency operations or resource contention—for instance, revealing excessive context switches in a driver or I/O waits in an application.[27] This runtime tracing approach complements predefined assessments in the broader ADK, focusing on operational diagnostics rather than static benchmarks.[27]
Application Compatibility Tools
The Application Compatibility Tools within the Windows Assessment and Deployment Kit (ADK) primarily consist of the Compatibility Administrator (also known as AppCompatAdmin) and the Standard User Analyzer (SUA), which enable IT administrators and developers to identify, test, and mitigate compatibility issues for applications during Windows deployments.[32] These tools are part of the broader Microsoft Application Compatibility Toolkit (ACT), integrated for use with ADK to ensure legacy and third-party applications function correctly on newer Windows versions without requiring code modifications.[33] The Compatibility Administrator provides a graphical interface for creating and managing custom compatibility databases, while SUA focuses on analyzing privilege-related behaviors under User Account Control (UAC).[34] Key features include database mode in Compatibility Administrator, which supports both 32-bit and 64-bit custom databases to apply fixes for legacy applications, and runtime analysis capabilities that monitor API calls, file access, and registry interactions to detect potential conflicts.[35] Shims—small, transparent libraries that intercept and modify API behaviors—form the core of these fixes, allowing for targeted interventions such as version lying (e.g., reporting an older Windows version like XP to the application) or handling UAC prompts by simulating elevated privileges.[36] SUA complements this by generating reports on UAC-specific issues, toggling virtualization to emulate pre-Vista behaviors, and testing applications under standard user versus administrator contexts to identify elevation requirements.[37] These tools emphasize non-invasive solutions, prioritizing conceptual fixes over exhaustive logging to streamline testing. In usage, administrators launch Compatibility Administrator to build compatibility fix packages in the form of .sdb files via its GUI: after specifying the target executable, vendor, and location, users select appropriate shims or modes, test the application in a controlled environment, and save the database for deployment using tools like Sdbinst.exe or Group Policy.[38] For example, shims can be applied to resolve UAC-related failures by forcing administrative access or to lie about the OS version, enabling older applications to run seamlessly.[39] SUA operates similarly, running the application under restricted privileges to produce detailed logs and mitigation recommendations, often integrated into deployment workflows for batch testing.[34] Supported scenarios encompass migrating applications to newer Windows releases, such as from Windows 10 to 11, and managing transitions between 32-bit and 64-bit architectures by creating architecture-specific databases.[40] These tools remain relevant for Windows 11 deployments, aiding in compatibility assessments for security models like enhanced UAC and virtualization-based protections.[32]Windows Configuration Designer
Windows Configuration Designer (WCD) is a graphical user interface-based tool provided by Microsoft as part of the Windows Assessment and Deployment Kit (ADK), designed to enable IT administrators and original equipment manufacturers (OEMs) to create provisioning packages for customizing Windows configurations on client devices. This tool facilitates the application of settings such as edition upgrades from Home to Pro, installation of line-of-business applications, and enforcement of group policies without requiring a complete operating system image deployment. By generating self-contained provisioning packages in .ppkg format, WCD supports offline configuration, allowing devices to be prepared for use immediately after initial setup or reset.[41] Key features of WCD include project creation tailored for specific scenarios, such as enterprise deployments or OEM pre-configuration, through either simple wizards for common tasks—like setting device names, Wi-Fi profiles, or certificate installations—or an advanced editor for more granular control. Users can import existing provisioning packages or answer files to reuse configurations and incorporate custom commands or scripts to execute additional actions during provisioning. The tool leverages Configuration Service Providers (CSPs) to define settings, ensuring compatibility across Windows editions, including support for new capabilities in Windows 11 version 24H2, such as enhanced application deployment options via winget integration. Once configured, projects are exported as signed or encrypted .ppkg files, which can be distributed via USB, email, or shared storage for easy application.[42][43] As the successor to the legacy Imaging and Configuration Designer (ICD), WCD provides a more intuitive and extensible interface, streamlining the process for non-technical users while offering advanced customization for complex environments. This evolution reduces deployment time and complexity compared to traditional imaging methods, particularly for small- to medium-sized organizations managing tens to hundreds of devices. Provisioning packages created with WCD can be applied directly on target devices during out-of-box experience (OOBE) or via mobile device management (MDM) solutions like Microsoft Intune, enabling remote configuration without physical access.[44][41]Windows Preinstallation Environment
The Windows Preinstallation Environment (WinPE) is a minimal operating system version of Windows designed to enable booting a computer without a full installation of Windows, primarily for tasks such as deploying images, troubleshooting hardware issues, and performing recovery operations.[16] It provides a lightweight command-line interface that supports essential Windows components, including access to NTFS file systems, DiskPart for disk management, and networking capabilities, allowing technicians to prepare drives, apply or capture Windows images, and automate repairs on unbootable systems.[16] WinPE is not intended for everyday computing but serves as a temporary boot environment for IT professionals and deployment scenarios.[16] Key features of WinPE include the ability to create bootable media in formats such as ISO, USB, or virtual hard disk (VHD) using the MakeWinPEMedia tool, which facilitates easy distribution for deployment tasks.[45] Optional components can be added to extend functionality, such as WinPE-WMI for Windows Management Instrumentation support, WinPE-NetFx for .NET Framework integration, and WinPE-Scripting paired with WinPE-HTA for HTML Applications, with the latter now supporting ARM64 architecture as of the December 2024 ADK update (version 10.1.26100.2454).[25] These components are integrated during the build process to tailor WinPE for specific needs, like scripting automated setups or enabling secure startup features.[16] Additionally, WinPE supports security tools like BitLocker and Hyper-V integration for advanced recovery environments.[16] To use WinPE, administrators first employ the Copype.cmd script to generate a working directory of files for a specified architecture, such as AMD64 or ARM64, which requires the Windows ADK and WinPE add-on to be installed.[45] The resulting boot.wim file can then be mounted using Deployment Image Servicing and Management (DISM) tools for customization, such as injecting drivers or applying updates, before committing changes and creating the final media with MakeWinPEMedia.[24] This process ensures compatibility with target hardware, and WinPE can boot via Preboot Execution Environment (PXE) for network-based deployments.[16] WinPE operates under several limitations to maintain its minimal footprint: it automatically restarts after 72 hours of uptime, discards all changes upon reboot, and lacks support for features like file or Terminal Servers.[16] It requires at least 512 MB of RAM and is built on FAT32, restricting individual file sizes to 4 GB and drive partitions to 32 GB.[16] Support for 32-bit versions of WinPE ended with the WinPE add-on for Windows 10 version 2004 (10.1.19041), meaning subsequent ADK releases, including those for Windows 11, provide only 64-bit and ARM64 variants without cross-architecture application compatibility. Common scenarios for WinPE include preparing systems for Windows installation by formatting drives and injecting hardware-specific drivers to resolve compatibility issues during deployment.[24] It is also widely used in recovery situations, such as accessing data on failed drives or automating repairs through scripts, particularly in enterprise environments where PXE booting enables centralized image deployment across multiple devices.[16]Deployment Image Servicing and Management Tool
The Deployment Image Servicing and Management (DISM) tool is a command-line utility included in the Windows Assessment and Deployment Kit (ADK) that enables administrators and deployment specialists to service and manage Windows images offline or online. It supports operations on Windows Imaging Format (.wim), Encrypted Sparse Disk (.esd), Full Flash Update (.ffu), Virtual Hard Disk (.vhd or .vhdx), and split image files, allowing for the preparation of images prior to deployment without booting into the target environment.[46][47] Core functions of DISM include mounting images for modification, adding or removing features and packages, and enabling or disabling components to customize the image for specific deployment needs. For instance, administrators can mount a .wim or .esd file to a specified directory using the/Mount-Image command, which applies the image read-only or writable for servicing; the syntax is DISM /Mount-Image /ImageFile:<path_to_image> /[Index](/page/Index):<index> /MountDir:<mount_directory>, where options like /ReadOnly prevent changes to the source and /Optimize reduces temporary space usage.[47][48] After mounting, features such as optional Windows components can be enabled or disabled with /Enable-Feature or /Disable-Feature, while packages like updates or drivers are added via /Add-Package /PackagePath:<path_to_package.cab or .msu>.[49][48] Changes are committed and unmounted using /Commit and /Unmount-Image to ensure the image is updated safely.[47]
DISM operates in both offline mode, where images are serviced without loading the Windows environment, and online mode, targeting a running operating system for real-time updates. It replaces the legacy ImageX tool by providing enhanced image capture and apply capabilities; for example, /Capture-Image /ImageFile:<output.wim> /CaptureDir:<source_directory> /Name:<image_name> captures a drive or partition into a new .wim file, while /Apply-Image /ImageFile:<source.wim> /Index:<index> /ApplyDir:<target_partition> deploys it to a destination.[46][47] For optimization and repair, the /Cleanup-Image command scans the component store, removes superseded files, and restores health, with syntax like DISM /Online /Cleanup-Image /StartComponentCleanup for online systems or /RestoreHealth to fix corruption using a specified source.[48] This integrates with the System File Checker (SFC) tool, as DISM repairs the underlying component store that SFC depends on for verifying and replacing corrupted system files.[46][50]
DISM fully supports servicing for Windows 11 images, including the application of cumulative updates released through 2024, ensuring compatibility with modern security and feature enhancements.[51] Best practices emphasize running DISM with administrator privileges, disabling antivirus scanning on mount directories to avoid interference, and limiting concurrent mounts to 20 for performance reasons; additionally, the /LimitAccess option restricts DISM from accessing Windows Update or removable media as repair sources, ideal for read-only network shares or offline scenarios to maintain security and control.[50] Offline servicing is recommended over online for production images to minimize risks, with regular commits and integrity checks using /CheckIntegrity to validate .wim files post-operation.[50][47] In deployment workflows, DISM is often used within the Windows Preinstallation Environment (WinPE) to service images before applying them to target hardware.[46]
User State Migration Tool
The User State Migration Tool (USMT) is a command-line utility included in the Windows Assessment and Deployment Kit (ADK) designed to capture and restore user-specific data, including files, settings, and application configurations, during Windows operating system deployments.[52] It enables IT administrators to automate the migration of user states from source computers to destination systems, minimizing data loss and downtime in large-scale environments.[52] The primary components are ScanState.exe, which collects user data into a migration store, and LoadState.exe, which applies the captured data to the new installation.[53] USMT relies on customizable XML configuration files, such as MigApp.xml for application settings, MigUser.xml for user-specific configurations, and MigDocs.xml for document and media files, allowing precise control over what is migrated.[53] Key features of USMT include selective migration, where administrators can include or exclude specific files, folders, or settings via XML rules to optimize the process and avoid unnecessary data transfer.[54] For in-place upgrades, the hard-link option creates efficient, space-saving stores by linking files without duplicating them, which is particularly useful for refreshing existing hardware.[55] Additionally, USMT supports encryption of migration stores using the/encrypt parameter to secure sensitive user data during transfer over networks.[56] These capabilities ensure compatibility with enterprise security policies while handling diverse user profiles, including support for migrating settings from applications like Microsoft Office across versions.[54]
In practice, USMT operates via command-line interfaces; for example, to capture documents and settings, administrators run ScanState.exe \\server\share\mystore /i:MigDocs.xml /i:MigUser.xml /encrypt, specifying the store location and including relevant XML files.[55] Restoration follows with LoadState.exe \\server\share\mystore /i:MigDocs.xml, applying the data post-OS installation.[57] These commands can be integrated into scripts or tools like Microsoft Deployment Toolkit (MDT) for automated workflows.[58]
USMT is commonly used in side-by-side migrations, such as replacing old PCs with new ones by capturing states offline via Windows Preinstallation Environment (WinPE) and restoring to fresh installations, or in enterprise rollouts to prevent data loss during hardware refreshes.[59] In these scenarios, it facilitates smooth transitions for hundreds of users by storing data on network shares or local drives, ensuring business continuity.[59] The tool's latest version in the Windows ADK 10.1.26100.2454 (December 2024) enhances application compatibility for Windows 11 migrations, improving support for modern app settings and UWP packages.[3]
Volume Activation Management Tool
The Volume Activation Management Tool (VAMT) is a component of the Windows Assessment and Deployment Kit (ADK) designed to automate and centrally manage volume activation for Windows, Windows Server, Office, and select other Microsoft products in enterprise environments. It enables IT administrators to handle activations using Multiple Activation Keys (MAKs) or Key Management Service (KMS) methods, streamlining the process for large-scale deployments without requiring individual activations on each device. VAMT operates as a Microsoft Management Console (MMC) snap-in, supporting both online and offline scenarios to accommodate varied network configurations.[60][61] Key functionality includes centralized product key management, where administrators can download and install MAK, KMS host (CSVLK), KMS client setup (GVLK), or retail keys obtained from the Microsoft Volume Licensing Service Center (VLSC). It facilitates activation status reporting by discovering and tracking computers across Active Directory Domain Services (AD DS), workgroups, or via individual IP addresses and LDAP queries, allowing monitoring of licensing compliance and remaining activation counts for MAKs. VAMT supports offline proxy activation, in which the tool on a connected host computer proxies Installation IDs (IIDs) and Confirmation IDs (CIDs) to Microsoft activation services, enabling activation of disconnected clients in isolated networks or labs.[61][62][63] In terms of usage, the graphical user interface (GUI) provides a unified console for adding computers, discovering installed products, assigning keys, and performing activations, with data stored in a SQL Server database and exportable to XML for reporting. Administrators can generate prebuilt reports on activation status, product groups, and key usage to ensure compliance in volume licensing scenarios. For automation, VAMT integrates with PowerShell cmdlets, allowing command-line operations to manage keys, query statuses, and execute activations programmatically in scripts. The tool requires installation on a supported Windows client or server OS with at least 1 GHz processor, 1-2 GB RAM, and network access for HTTPS connections to Microsoft services.[63][60][62] VAMT supports all currently supported editions of Windows client and server OSes, including Windows 11, Windows Server 2025 and 2022, and Windows IoT Enterprise LTSC 2024, as well as corresponding Office versions under volume licensing agreements. Its benefits are particularly evident in reducing manual activation efforts in large deployments, minimizing administrative overhead, and ensuring consistent licensing across physical and virtual environments managed via Windows Management Instrumentation (WMI). By centralizing these tasks, VAMT helps organizations maintain activation compliance without direct internet access on every endpoint.[61][62]Windows System Image Manager
Windows System Image Manager (Windows SIM) is a graphical user interface tool within the Windows Assessment and Deployment Kit (ADK) designed to create and manage unattended answer files, primarily the autounattend.xml file, for automating Windows Setup processes.[64] It enables administrators and original equipment manufacturers (OEMs) to configure Windows installations without manual intervention, specifying settings such as language, partitioning, and default applications during deployment.[65] By leveraging this tool, users can generate XML-based files that integrate with Windows Setup to streamline large-scale imaging and deployment tasks.[66] A core feature of Windows SIM is its integration with catalog files (.clg), which provide metadata on available components and packages from a Windows image file (.wim), allowing for precise selection and configuration without directly loading the full image.[67] The tool includes built-in validation mechanisms to check XML syntax and ensure compatibility with the target Windows image, flagging errors such as invalid settings or missing dependencies in real time.[64] Its user interface consists of multiple panes, including the Windows Image pane for browsing components, the Answer File pane for organizing configuration passes, and the Properties pane for editing settings, which collectively facilitate intuitive management of deployment configurations.[68] In typical usage, Windows SIM begins with importing a Windows image (.wim) or an existing catalog file (.clg), after which users can add configuration passes—such as the windowsPE pass for initial setup, generalize for preparing the image, or specialize for post-install customizations like user accounts.[69] For example, in the specialize pass, one might configure network settings or install drivers by selecting components from the image tree and applying properties. The tool supports multi-architecture environments, where the x86 version of Windows SIM can generate catalog files for x86, x64, and Arm-based Windows images, enabling cross-platform preparation on a single host.[67] Windows SIM integrates seamlessly with Windows Setup by applying the generated autounattend.xml file via the Setup.exe /unattend parameter, supporting both online and offline editing scenarios, such as mounting images with Deployment Image Servicing and Management (DISM) for pre-deployment modifications.[66] This approach offers significant advantages for OEM imaging, as it minimizes errors associated with manual XML authoring, ensures consistency across deployments, and accelerates the creation of customized images for enterprise or manufacturing environments.[65]Supply Chain Trust Tools
The Supply Chain Trust Tools were introduced in the Windows Assessment and Deployment Kit (ADK) version 10.1.26100.1, released in May 2024, to support enhanced security requirements for Windows 11 version 24H2 deployments. These tools enable the creation, signing, and validation of Software Bills of Materials (SBOMs), providing transparency into software components and their origins to mitigate supply chain risks. By integrating into deployment workflows, they help ensure the integrity of Windows images and applications during large-scale rollouts.[3] The core components are sbom-tool and CoseSignTool. The sbom-tool is an open-source utility designed for generating scalable SBOMs compatible with SPDX 2.2, SPDX 3.0 (in JSON format), and CSV standards. It leverages component detection mechanisms to scan build artifacts, such as project files (e.g., .csproj or package.json), and incorporates license information via APIs like ClearlyDefined, producing inventories that detail dependencies, versions, and suppliers. This facilitates vulnerability assessment and compliance verification in software ecosystems.[70][71] Complementing sbom-tool, CoseSignTool is a platform-agnostic command-line application for applying CBOR Object Signing and Encryption (COSE) signatures to SBOMs and other manifests, enabling cryptographic attestation of their authenticity and integrity. It supports signing operations that verify certificate chains and payload hashes, aligning with standards from the US Executive Order 14028 on Improving the Nation's Cybersecurity. Validation features allow downstream users to confirm the unaltered state of signed artifacts, reducing risks from tampering or unauthorized modifications. In practice, these tools integrate seamlessly into command-line build pipelines and CI/CD processes. For instance, sbom-tool can be invoked with commands likesbom-tool generate -b <build-path> -pn <package-name> to produce an SBOM from a drop directory, which is then signed using CoseSignTool sign <sbom-file> with a private key. This workflow supports verification of component authenticity during deployment, such as checking signatures against trusted roots in enterprise or OEM environments. Organizations use these capabilities to bolster supply chain security, ensuring traceable and verifiable software provenance for Windows-based systems.[71][74][3]
Former Components
ImageX
ImageX is a command-line tool included in the Windows Automated Installation Kit (WAIK) and early versions of the Windows Assessment and Deployment Kit (ADK) for capturing, applying, and managing Windows Imaging Format (.wim) files during system deployment.[75] It enabled the creation of exact copies of Windows installations, typically after running Sysprep, without requiring the full operating system to be booted, and was primarily operated from the Windows Preinstallation Environment (WinPE).[75] Common operations included capturing a drive with the/capture switch, such as imagex /capture C: install.wim "Windows Image" /compress maximum /check, or applying an image to a target volume using /apply.[76]
Introduced in 2006 as part of the initial release of the Windows AIK accompanying Windows Vista, ImageX represented a shift toward file-based imaging over sector-based methods, allowing for more efficient handling of large Windows installations through compression and single-file storage of multiple editions.[76] It supported offline imaging tasks, where users could boot into WinPE to capture or deploy images directly from a reference machine, facilitating customized deployments in enterprise environments without the need for mounting images in the host OS.[75] This tool was integral to early automated installation processes, enabling IT administrators to prepare and distribute standardized system images for Windows Vista and Windows 7.[76]
ImageX began to be phased out with the release of Windows 8 in 2012, when Microsoft deprecated it in favor of the more versatile Deployment Image Servicing and Management Tool (DISM), which incorporates ImageX's core imaging functions along with expanded capabilities.[77] It was removed from the ADK starting with the Windows 8 version and has not been included in subsequent releases.[77]
Among its key limitations, ImageX did not support offline servicing of mounted images, such as injecting updates or drivers without applying the entire image, and it was restricted to single-image operations per command, lacking the multi-session handling introduced in DISM.[46] Additionally, it could lose extended file attributes, fail to preserve sparsity in sparse files upon application, and mishandle certain symbolic links or junctions, potentially leading to inconsistencies in deployed systems.[75]
Despite its deprecation, ImageX remains available in legacy WAIK and early ADK installations for backward compatibility, particularly in environments maintaining Windows 7 deployments or older hardware configurations where DISM compatibility issues arise.[78] Its replacement functionality in modern workflows is handled by DISM commands like /Capture-Image and /Apply-Image.[78]