Get in Touch

Contact us to learn more about our elite cybersecurity services and industry-leading technologies.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Emergency Incident Assistance

Is your network under attack? Get in touch with a
BreachQuest Specialist right away with this form.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

Windows Virtual Golden Image “Do’s and Don’ts”

By: Percy Alexander

Through my experience creating¬† Windows Virtual Golden Images for clients recovering from ransomware incidents, I have some personal Dos and Don’ts for endpoint imaging. There are various technical methods for creating images; this method of creating a client’s golden images is in a Microsoft Hyper-V virtual workspace for subsequent deployment to various client endpoint devices.

Keep in mind these are not considered gospel. You may do some of these same things yourself. Your endpoint recovery situation may dictate otherwise.

Keep it Simple

In building and deploying Windows 10/11 images for client endpoint deployment, keep the image as simple as possible:

  • Fully patch the Microsoft OS. Invoke Microsoft Update repeatedly until the image is entirely up to date. Make sure all endpoint devices are fully patched prior to deployment.
  • Clients have various manufacturers and models of desktops, laptops, and kiosks. Do not add hardware-specific drivers to the image. Windows will download any required hardware-specific drivers after image deployment. This allows for a single Golden Image and not multiple hardware-dependent images.
  • Set Windows Update Advanced Options:
    1. ¬† When you update Windows, turn on ‘Receive Updates’ for other Microsoft products. The updates will ensure Microsoft Office products are current.
    2. Turn on “show a notification” when your PC requires a restart to finish updating. The notifications will inform the user of a pending reboot requirement without auto rebooting the system after any updates requiring a reboot are installed.
  • Install any client organization requirement of .NET Framework versions.
  • I have found most of my clients require Google Chrome and Adobe Acrobat Reader to be installed in the image.

Every Client is Unique

Organizations do not change versions of Office very often. It is best to always discern the organization’s strategy for MS Office and Office 365 before installing. Whichever Microsoft Office version is in the image is up to the client. If the client uses a specific Microsoft Office version and is not looking to move to O365, install the client-requested office version in the image.

As an external consultant building images for client recovery from an incident, I do not recommend adding client-specific applications to the image. Recovery consultants are not the clients’ IT or MSP support. We are onsite for a limited time to recover the client’s endpoint environment. Suppose the addition of any client-specific application creates problems in the deployment of the image. In that case, we do not have the luxury of understanding the client applications(s) or spending the time to debug. After recovery teams leave the client site, we cannot support those client-specific applications. Simplicity is therefore essential post-incident. Keeping things simple helps clients get back up and running quickly and sustain the client’s environment once the recovery teams depart.

It is best to utilize an embedded answer file in the image to speed up image deployment to the endpoints. Zero Touch imaging automates the need to respond to the basic Windows Setup prompts manually.

Finally, make certain to obtain client test endpoints to determine the test results of the deployment of your Golden Image.

Key Takeaways

Following a ransomware incident and the involvement of a recovery team, these simple Windows imaging steps help to ensure business interruption is minimized. Using this simple approach reduces wasted downtime during the recovery and remediation engagement process. The approach outlined above circumvents potential issues surrounding betterment, scope creep, and ultimately delivers a clean desktop environment for the client.



Percy Alexander is a Senior Consultant Desktop Team Lead on BreachQuest’s Recovery & Remediation team. Percy has had a progressive career in IT: analyzing, programming, developing, testing, maintaining, consulting, managing, and providing operations support within various industries. He has had over twenty-five years of IT experience, in which eighteen years were spent in a direct technical, managerial, and supervisory capacity. Percy has managed various programming, help desk, Windows administration, data center, and telecom test labs operations support teams.


Share this article:

Sign up for our newsletter to get more industry news and insights.

Related Insights


Elevated Pulse – Cybersecurity Risks in Healthcare

Read more


Top Cybersecurity Priorities

Read more