Author: Felix Block, @fligh_MUC
Purpose of this article is to give you some best practices around cleaning a Windows 10 image to allow a Sysprep and the use of this image in Horizon Cloud on Azure. I faced a lot of problems when customer create a master image in Horizon Cloud on Azure due to AppX Packages in Windows 10. Very often the Sysprep failed and the VDI Assignment can’t be created. I collected below my tasks I personally do before sealing a Windows 10 to an Image.
VMware and Microsoft created already official KB articles on this (VMware KB 2079196; Microsoft KB 2769827) but I think it is still useful to explain the solution in detail. Please be aware that the following steps will remove all AppX Packages, disable the Windows Store and Windows Update on the machine. You can enable them after you created the farm inside Horizon Cloud i.e. via a GPO to meet your company requirements.
Horizon Cloud on Azure 1.7 (965.0)
Windows 10 1803 (non N version) – October 2018 release in Azure
Install Horizon Agents
After you installed and configured the Horizon Agents (Horizon DaaS, Horizon Agent and (optional) the VMware User Environment Manager Agent) as described in our Horizon Cloud on Azure Admin Guide, you can prepare the Windows for the bootstrap with the Horizon Cloud on Azure Node. This is well described in our Admin guide, and therefore I will not cover this step in-detail in this article.
Make sure you do not have any GPO assigned to the Windows 10 which might change or enable Windows Updates, Application delivery or other tasks which might over write the following steps described in this article.
Before you start optimizing the image, make sure your Master VM is in an ‘Active’ state and displays the installed Horizon Cloud on Azure Agent version (make sure you follow the compatibility between your Horizon Node and your Agent pair).
You will see in the start menu of your Windows 10 VM a lot of applications which will cause most of the time Sysprep problems. We will now remove them step-by-step.
Create a new local account
The first thing after an initial deployment of a new Windows VM is to create a second local admin account on the VM. This account should be in the local group of administrators and not disabled. This account is a backup account in case the primary local account (which is used to run the Sysprep and domain join process i.e.) is locked.
Keep in mind, if the deployment of a new VM in a Horizon Farm is successful, Horizon will disable the primary local account for security reasons. That’s why I recommend having a second account ‘just in case’ to be able to access the VM.
If you can create multiple farms and you never phased problems accessing the VM, you can of course remove or disable the second local admin account with a GPO i.e.
Set Registry to stop Windows Store Apps
Disable automatic download of Windows Store apps
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 00000002 /f
Disable the Microsoft Consumer Experience
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent /v DisableWindowsConsumerFeatures /t REG_DWORD /d 00000001 /f
Disable Automatically Installing Suggested Apps
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v SilentInstalledAppsEnabled /t REG_DWORD /d 00000000 /f
Disable Windows Services and Scheduled Tasks
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ /v NoAutoUpdate /t REG_DWORD /d 00000001 /f
Also, run this PS command:
Get-ScheduledTask -TaskPath "\Microsoft\Windows\WindowsUpdate\" | Disable-ScheduledTask
The next Scheduled Task can’t be disabled that easy. We first need to change the permissions before we can disable this task
takeown /F C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator /A /R icacls C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator /grant Administrators:F /T Get-ScheduledTask -TaskPath "\Microsoft\Windows\UpdateOrchestrator\" | Disable-ScheduledTask
Stop and disable the Windows Update Service
Stop-Service wuauserv Set-Service wuauserv -StartupType Disabled
Stop and disable the Microsoft Store Install Service
Stop-Service InstallService Set-Service InstallService -StartupType Disabled
Remove the Appx packages
In Powershell (run as Administrator), run these commands:
Import-Module Appx Import-Module Dism
To get an overview what AppX packages from Microsoft are installed, you can run:
Get-AppxPackage -AllUsers | ft Name, PackageFullName -AutoSize
Now, you need to decide which AppX packages you can remove. To be 99% safe that the Sysprep will work, you can uninstall all packages. You can do this with the below PowerShell command. But be careful, this command will remove ALL AppX Packages on your VM.
Get-AppxPackage -AllUsers | Remove-Appxpackage
After this is done, remove the AppX provisioned packages via
Get-AppXProvisionedPackage -online | Remove-AppxProvisionedPackage –online
I recommend restarting your VM to allow Windows to remove the Apps from the start menu.
After the restart, you should run the commands above again to make sure all apps are removed.
Finally, remove from all your user accounts pre-provisioned packages by executing the following command (replace the <PackageName> with the name of existing provisioned packages)
Remove-ProvisionedAppxPackage –PackageName <PackageName>
Perform another reboot and you should see no apps in your start menu
You are now ready to convert your Master VM into an Image via the Horizon Cloud Control Plane. If this is done, you can build your Assignment and check if the Sysprep work and allows Horizon Cloud to build your VDI desktops. Please also check our VMware OS Optimization Tool for additional optimizations on the Windows. We have a Horizon Cloud template prepared and you can find this Fling at https://labs.vmware.com/flings/vmware-os-optimization-tool.
If you still have problems with your Sysprep, you can check the Setupact logfile under C:\Windows\System32\Sysprep\Panther\ for AppX packages which block the Sysprep process.