Now that the masses have finally embraced Windows 10 as the next mainstream Windows operating system after many organizations skipped Windows 8 entirely, administrators and managed service providers (MSPs) should include Sysprep in their toolkits.
Windows 10 will likely be used by billions of devices over the next decade, so in response enterprises and service providers are now adopting it. However, these businesses are facing practical challenges, like how to deploy and maintain customized versions of Windows 10 across thousands of users. IT Departments should always preconfigure their users’ operating systems to ensure that the correct applications are installed for productivity, and the correct security settings are enabled to grant or block access to corporate network resources. This “master copy” guarantees that everyone has the correct configuration on their computers. It also helps the IT department by reducing their support costs and providing easier ongoing maintenance by simplifying their testing matrix every time that they want to make a change.
The challenge is that an identical copy of an OS cannot be used by multiple users simultaneously, because system components such as Active Directory objects must be unique. This means that the master copy must be stripped of any unique identifiers, which is done using a Microsoft utility known as Sysprep (“System Preparation”). This blog will explain how Sysprep works and will also cover some special considerations for use with Windows 10.
Understanding How Sysprep Works
To create this master copy of an operating system, you will deploy the OS, its applications and settings on a computer or virtual machine. This configuration will then be saved as an image file, which is like a blueprint of the system. This master copy should include everything that your users will need, including:
- The OS
- Roles and Features
- Productivity Tools
- Third Party Software
- Custom Software
- Security Software
- Security Updates
- Identity Information
- File Access
- And all User and Application Settings
This image should then be saved and tested extensively in a production environment to ensure that everything works as expected.
Once this Windows 10 image is ready, it will be used as the baseline operating system which all users will receive when they join the company or update their hardware. To manage the creation and customization of images, a utility like Microsoft’s Deployment Image Servicing and Management (DISM) or the Microsoft Deployment Toolkit (MDT) will be used to configure Windows image (.wim) files or Hyper-V virtual hard disks (VHDs). Remember that the master image itself cannot be distributed, because it retains its own unique identifiers within the network, and having thousands of computers with the same security identifier (SID), Active Directory identity, and IP addresses would cause many problems. For this reason, images need to go through a scrubbing process to remove the characteristics which should not be copied to other computers. This process is called “generalization”, and it is usually done with the Sysprep utility.
When this clean image is then deployed to a client, the unique identifying information which was removed must now be provided for the operating system to function. This can be entered by the user during the first system boot in Out-Of-Box Experience (OOBE) mode, including the computer name, account information, language selection, and network or domain connections. Some IT departments will also complete these final setup steps for each user through a privileged audit mode, or by using an answer file. An answer file is a list of variables which will get automatically entered during installation, such as unique computer names, IP addresses and other registry settings which were stripped during generalization.
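The generalization and answer-file steps described above, as an added PowerShell example that is not from the original article. The `C:\Deploy` path and the `en-US` locale values are assumptions; the Sysprep switches and answer-file component names are the standard Windows ones.

```powershell
# Added example: write a minimal answer file, then generalize the reference machine.
# Assumptions: the C:\Deploy path and the en-US locale values are illustrative only.
$answerFile = 'C:\Deploy\unattend.xml'
$common = 'processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" ' +
          'language="neutral" versionScope="nonSxS"'

$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" $common>
      <!-- "*" makes Setup generate a random computer name on each clone -->
      <ComputerName>*</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-International-Core" $common>
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
  </settings>
</unattend>
"@

New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null
Set-Content -Path $answerFile -Value $xml -Encoding UTF8

# Fail early if the file is not well-formed XML (the cast throws on a parse error).
[xml](Get-Content -Path $answerFile -Raw) | Out-Null

# No account passwords are placed in this file: an answer file is plain text and
# remains readable to anyone who can open the image it travels with.
& "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown "/unattend:$answerFile"
```

Run it from an elevated session on the reference machine; the machine shuts down when generalization completes and is then ready to be captured.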
Using Sysprep to Create Hyper-V Templates
A Hyper-V template is essentially a pre-configured virtual machine, which is conceptually similar to an image file. Hyper-V templates allow organizations to redeploy identical virtual machines with the same configuration. For Windows Server, this is commonly used to scale out a virtualized infrastructure when more capacity is needed. For Windows client, Hyper-V templates can be used for virtual desktop (VDI) scenarios where end users access a virtualized workstation. Just like image files, these templates also need to be generalized to remove any uniquely identifying information.
Organizations can also use Sysprep with Hyper-V virtual hard disks that contain the parent partition (operating system), effectively turning them into templates. If an organization is using System Center Virtual Machine Manager (SCVMM), they can use the VM Template and Library features to create a master copy, then they can enter the unique computer information during each deployment of a VM. Without SCVMM, admins can use DISM with Sysprep to take a VM’s virtual hard disk and generalize the image to create a Hyper-V template.
Using Sysprep with Windows 10
To cope with this demand, administrators and managed service providers (MSPs) should have Sysprep in their toolkits. Sysprep in Windows 10 generally works the same as in previous operating systems; however, there are a few special considerations that admins should be aware of.
- Sysprep will not work if the computer is connected to the Internet, so network access should be blocked after any applications are downloaded from the Internet.
- Windows Store “modern applications” will often cause failures during the generalization process. This appears to happen on the built-in apps which have been recently updated as documented in KB 2769827. These apps can be added later with a script that will run upon the first boot.
- Users have reported issues when upgrading from the early versions of Windows 10 (1507 and 1511) to a later version and then Sysprepping that image. It is recommended to start with the most recent public release, or at least version 1607.
- Always consider licensing! During the Sysprep process, the active product key is removed from the image, so a new license must be added after the image has been deployed. Most enterprises will use Active Directory Activation, which will provide a volume product key. Service providers and MSPs may not be able to use this since they do not want the tenant joining their own domain, so instead they can configure the template to connect to a Key Management Service (KMS) server to receive its activation keys. This process is documented in this Microsoft blog by Kirill Kotlyarenko.
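A pre-flight check for the first three considerations in the list above, as an added PowerShell example that is not from the original article. `Test-SysprepReadiness` is a hypothetical helper name, and the Store-app test is a name-based heuristic: it flags apps installed for a user that have no provisioned counterpart in the image.

```powershell
#Requires -RunAsAdministrator
# Added example: report conditions from the list above before running Sysprep.
# Test-SysprepReadiness is a hypothetical helper name, not a Microsoft cmdlet.
function Test-SysprepReadiness {
    $findings = @()

    # 1. Network: the reference machine should be offline before generalizing.
    $up = Get-NetAdapter | Where-Object Status -eq 'Up'
    if ($up) {
        $findings += "Network adapter(s) still connected: $($up.Name -join ', ')"
    }

    # 2. Store apps: flag packages installed for a user that have no provisioned
    #    package of the same name in the image (name-based heuristic).
    $provisioned = (Get-AppxProvisionedPackage -Online).DisplayName
    $orphans = Get-AppxPackage -AllUsers | Where-Object {
        -not $_.IsFramework -and
        $_.SignatureKind -eq 'Store' -and
        $_.Name -notin $provisioned
    }
    foreach ($pkg in $orphans) {
        $findings += "App installed per-user but not provisioned: $($pkg.PackageFullName)"
    }

    # 3. Build: 14393 is Windows 10 version 1607, the minimum recommended above.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -lt 14393) {
        $findings += "Build $build is older than version 1607 (build 14393)"
    }

    return ,$findings   # leading comma keeps an empty result as an array
}

$issues = Test-SysprepReadiness
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No blocking conditions found.'
}
```

The function only reports; it does not remove apps or disable adapters, so it is safe to run repeatedly while preparing the reference machine.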
Now you can see how Sysprep can help businesses deploy their customized Windows 10 images at scale. Remember that Sysprep is just one of the tools needed in the deployment process. For more information and a walkthrough of the entire imaging process, please check out Microsoft’s documentation on how to Modify a Windows Image.
Do let us know below if you have any questions or issues with this process. We’re more than happy to assist!
Thanks for reading!