Sysprep with Windows 10
-
Hello there, I just spun up my first FOG server and am going to be creating some test images before actually using this in our production network. I was wondering if I need to be sysprepping the PC I will capture an image from before creating the image or after? Should I do both so I have either or in case? Thank you!
-
Microsoft’s official stance is that you should always sysprep your golden image before capturing it for mass deployment. Sysprep resets certain system parameters back to default as well as preps the system for different hardware detection during WinSetup/OOBE. If you do not sysprep your image then all cloned images will have the same guid/sysid.
I have seen people capture a Dell 9410 (model doesn’t matter) with fog and then redeploy it to another Dell 9410 without a deployment issue. It does work going like for like hardware, but you will still have the same guid/sysid issue.
Now I can tell you some best practices (at least good ideas) you should consider when building a golden image.
- Build your golden image on a VM. This will help when you are developing your golden images because you can make use of the snapshot function to roll back changes in case you do something destructive to the golden image.
- Make that VM have 4-5 vCPU, 8GB of RAM with about a 70GB hard drive. The size of the hard drive may be expanding slightly, but keep the size smaller than the smallest hard drive you have in production.
- Keep your golden image from reaching the internet if possible.
- If your golden image is Windows based do not connect it to AD before you image capture it, even if you disconnect it from the domain before capture. Just don’t ever connect it to AD because it tattoos the image.
- If Windows based use VLK media and keys.
- If you plan on capturing Windows 20H1 or later make sure you switch your FOG installation to the dev-branch to get fog version 1.5.9.114 or later. That has fixes in it for the changes Microsoft made to 20H1 and later. Using a small golden image hard drive will also mask the issue with 20H1 without upgrading to FOG 1.5.9.114.
- If you need to deploy hardware specific drivers you can use a FOG Postinstall script to send the right drivers to the target computer. Then use setupcomplete.cmd script to call pnputil to load in the hardware specific drivers.
-
@george1421
Awesome, thank you so much! I know you could just change the guid and sid after deploying the image but thought sysprep could just eliminate that need. I definitely didn’t think of using a VM for the golden image! I currently have it all set up on its own wire gapped network so no internet & not connected to AD.
I think what I will do is use a VM for our base windows10 image, however we have specific programs needed to be deployed on a mass basis that require internet at time of install, so I may just do that with a physical PC but sysprep it before.
Apologies, but can you elaborate on “If windows based use VLK media and keys.” I don’t quite understand that part.
What would happen if you cloned it after it had been connected to AD and what would the process look like to fix any issues arisen from that? What about if the domain changes to something different from what was on the image?
-
@tramirez The VLK reference is to ensure you are using Microsoft’s volume license key media. This will allow you to activate all of your Windows images with a single license key (MAK or KMS). Having this media and key also ensures you have the Microsoft license for image deployment. OEM media does not contain redistribution rights in the EULA.
The internet bit is to keep Windows from automatically trying to update itself from the internet for your golden image. You may also need to set the delivery optimization registry key so your golden image doesn’t try to get Windows updates from other Windows 10 computers on your local LAN. All of this could cause sysprep to fail before image capture.
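
The checks suggested in the replies above (no AD join, no internet, Delivery Optimization peering off, volume license media) can be run as one read-only pre-capture script; this is an added example, not code from any poster in the thread or from the FOG project. It assumes the "delivery optimization registry key" is the policy value `DODownloadMode` with 0 meaning HTTP only, and it identifies the Windows license entry by the ApplicationID that slmgr.vbs uses.

```powershell
# Added example: read-only pre-capture checks for a Windows 10 reference machine.
# Run in an elevated PowerShell session before sysprep. Nothing is changed.
$findings = @()

# Domain membership. This only detects a current join, not a past join that was undone.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { $findings += "Joined to domain '$($cs.Domain)'" }

# Internet reachability as Windows itself reports it for each network profile.
$online = Get-NetConnectionProfile -ErrorAction SilentlyContinue |
    Where-Object { $_.IPv4Connectivity -eq 'Internet' -or $_.IPv6Connectivity -eq 'Internet' }
if ($online) { $findings += "Internet reachable via: $($online.InterfaceAlias -join ', ')" }

# Delivery Optimization. Assumption: the key meant in the thread is the policy value
# DODownloadMode, where 0 means HTTP only with no peering to other PCs on the LAN.
$doKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$mode  = (Get-ItemProperty -Path $doKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
if ($null -eq $mode) {
    $findings += 'DODownloadMode policy not set (OS default applies)'
} elseif ($mode -ne 0) {
    $findings += "DODownloadMode is $mode, expected 0"
}

# License channel: volume media reports VOLUME_MAK or VOLUME_KMSCLIENT in Description.
$winAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows ApplicationID used by slmgr.vbs
$filter   = "ApplicationID='$winAppId' AND PartialProductKey IS NOT NULL"
$lic      = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter
if (-not $lic) { $findings += 'No installed Windows product key found' }
foreach ($l in $lic) {
    if ($l.Description -notmatch 'VOLUME_(MAK|KMSCLIENT)') {
        $findings += "Non-volume license channel: $($l.Description)"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Reference machine passed all pre-capture checks.'
}
```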
-
@tramirez said in Sysprep with Windows 10:
What would happen if you cloned it after it had been connected to AD and what would the process look like to fix any issues arisen from that? What about if the domain changes to something different from what was on the image?
I can’t answer that. I’ve followed the rules so I’ve never had to clean up after that.
While it’s not relevant for your setup, we always build our golden image using MDT to a VM. This gives us a clean and repeatable build each time. We use the light touch method so all of the applications are installed onto the golden image using MDT, even click to run applications like Office365 and more traditional applications like SAP.
-
@george1421 No worries, I was just curious! I think you’ve given me all the information I’ve needed. I appreciate your response time and assistance! :)