Home > Blogs > Horizon Tech Blog

How to create a Windows 10 image for Horizon Cloud on Azure

Author: Felix Block, @fligh_MUC

Purpose of this article is to give you some best practices around cleaning a Windows 10 image to allow a Sysprep and the use of this image in Horizon Cloud on Azure. I faced a lot of problems when customer create a master image in Horizon Cloud on Azure due to AppX Packages in Windows 10. Very often the Sysprep failed and the VDI Assignment can’t be created. I collected below my tasks I personally do before sealing a Windows 10 to an Image.

VMware and Microsoft created already official KB articles on this (VMware KB 2079196; Microsoft KB 2769827) but I think it is still useful to explain the solution in detail. Please be aware that the following steps will remove all AppX Packages, disable the Windows Store and Windows Update on the machine. You can enable them after you created the farm inside Horizon Cloud i.e. via a GPO to meet your company requirements.

Environment Information:

Horizon Cloud on Azure 1.7 (965.0)

Windows 10 1803 (non N version) – October 2018 release in Azure

Install Horizon Agents

After you installed and configured the Horizon Agents (Horizon DaaS, Horizon Agent and (optional) the VMware User Environment Manager Agent) as described in our Horizon Cloud on Azure Admin Guide, you can prepare the Windows for the bootstrap with the Horizon Cloud on Azure Node. This is well described in our Admin guide, and therefore I will not cover this step in-detail in this article.

Make sure you do not have any GPO assigned to the Windows 10 which might change or enable Windows Updates, Application delivery or other tasks which might over write the following steps described in this article.

Before you start optimizing the image, make sure your Master VM is in an ‘Active’ state and displays the installed Horizon Cloud on Azure Agent version (make sure you follow the compatibility between your Horizon Node and your Agent pair).

You will see in the start menu of your Windows 10 VM a lot of applications which will cause most of the time Sysprep problems. We will now remove them step-by-step.

Create a new local account

The first thing after an initial deployment of a new Windows VM is to create a second local admin account on the VM. This account should be in the local group of administrators and not disabled. This account is a backup account in case the primary local account (which is used to run the Sysprep and domain join process i.e.) is locked.
Keep in mind, if the deployment of a new VM in a Horizon Farm is successful, Horizon will disable the primary local account for security reasons. That’s why I recommend having a second account ‘just in case’ to be able to access the VM.
If you can create multiple farms and you never phased problems accessing the VM, you can of course remove or disable the second local admin account with a GPO i.e.


Set Registry to stop Windows Store Apps

Disable automatic download of Windows Store apps

Registry Path Type Name Value
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore REG_DWORD AutoDownload 2
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 00000002 /f

Disable the Microsoft Consumer Experience

Registry Path Type Name Value
REG_DWORD DisableWindowsConsumerFeatures 1
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent /v DisableWindowsConsumerFeatures /t REG_DWORD /d 00000001 /f

Disable Automatically Installing Suggested Apps

Registry Path Type Name Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager REG_DWORD SilentInstalledAppsEnabled 0
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v SilentInstalledAppsEnabled /t REG_DWORD /d 00000000 /f

Disable Windows Services and Scheduled Tasks

Registry Path Type Name Value
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ REG_DWORD NoAutoUpdate 1
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ /v NoAutoUpdate /t REG_DWORD /d 00000001 /f

Also, run this PS command:

Get-ScheduledTask -TaskPath "\Microsoft\Windows\WindowsUpdate\" | Disable-ScheduledTask

The next Scheduled Task can’t be disabled that easy. We first need to change the permissions before we can disable this task

takeown /F C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator /A /R

icacls C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator /grant Administrators:F /T

Get-ScheduledTask -TaskPath "\Microsoft\Windows\UpdateOrchestrator\" | Disable-ScheduledTask

Stop and disable the Windows Update Service

Stop-Service wuauserv

Set-Service wuauserv -StartupType Disabled

Stop and disable the Microsoft Store Install Service

Stop-Service InstallService

Set-Service InstallService -StartupType Disabled

Remove the Appx packages

In Powershell (run as Administrator), run these commands:

Import-Module Appx
Import-Module Dism

To get an overview what AppX packages from Microsoft are installed, you can run:

Get-AppxPackage -AllUsers | ft Name, PackageFullName -AutoSize

Now, you need to decide which AppX packages you can remove. To be 99% safe that the Sysprep will work, you can uninstall all packages. You can do this with the below PowerShell command. But be careful, this command will remove ALL AppX Packages on your VM.

Get-AppxPackage -AllUsers | Remove-Appxpackage

After this is done, remove the AppX provisioned packages via

Get-AppXProvisionedPackage -online | Remove-AppxProvisionedPackage –online

I recommend restarting your VM to allow Windows to remove the Apps from the start menu.
After the restart, you should run the commands above again to make sure all apps are removed.

Finally, remove from all your user accounts pre-provisioned packages by executing the following command (replace the <PackageName> with the name of existing provisioned packages)

Remove-ProvisionedAppxPackage –PackageName <PackageName>

Perform another reboot and you should see no apps in your start menu

You are now ready to convert your Master VM into an Image via the Horizon Cloud Control Plane. If this is done, you can build your Assignment and check if the Sysprep work and allows Horizon Cloud to build your VDI desktops. Please also check our VMware OS Optimization Tool for additional optimizations on the Windows. We have a Horizon Cloud template prepared and you can find this Fling at https://labs.vmware.com/flings/vmware-os-optimization-tool.

If you still have problems with your Sysprep, you can check the Setupact logfile under C:\Windows\System32\Sysprep\Panther\ for AppX packages which block the Sysprep process.

This entry was posted in Uncategorized on by .
Peter Bjork

About Peter Bjork

Peter Bjork is a Senior Staff Architect, Technical Marketing at VMware. He specializes in Identity and Access Management. He's widely appreciated as a speaker at events like VMworld, VMUG and vFORUM. He is the author of two books as well as numerous white papers and blog posts. When the work day is over, Peter volunteers as a Scout leader for the local Sea Scout troop outside Stockholm, Sweden. Twitter: @thepeb.

One thought on “How to create a Windows 10 image for Horizon Cloud on Azure

Leave a Reply

Your email address will not be published. Required fields are marked *