Sysprep or not Sysprep

Microsoft generally recommends using the System Preparation (Sysprep) tool when creating cloned images of Windows operating systems. Sysprep is a Microsoft tool that prepares a Windows installation for imaging, allowing the same image to be deployed on multiple computers while ensuring each system gets a unique identity.

Sysprep generalizes the Windows installation by removing system-specific information, such as the computer name and security identifier (SID).

tip

It is not strictly necessary to sysprep your images. Over the years Windows has improved its Hardware Abstraction Layer (HAL), which allows the same Windows image to run on very different hardware.

Sysprep in Host Provisioning

With Sysprep it is possible to perform a deployment without user interaction, known as Zero Touch Provisioning (ZTP). This is especially necessary in Host Provisioning: with each update the system reverts to the original image that was prepared, so the boot must be clean, as if no new deployment had occurred.

Sysprep divides the initial configuration into passes, not all of which are relevant to user interaction or to Host Provisioning. The passes relevant to Host Provisioning Services are as follows:

  • Generalize: executed when Sysprep is launched with the generalize parameter. In this phase all depersonalization actions are performed on the Generalize.xml file, removing specific and unique information from the system. It disables the administrator account, resets its password, and performs other tasks to configure Windows as if it were new.

  • Specialize: executed at the first boot after a generalization. Hardware-specific system configurations are generated and applied: creation of unique security identifiers, driver installation, network configuration, or other Windows features via an answer file.

  • Audit: administrative phase used for operating system and user configuration, can be bypassed if domain policies are used for user or system configuration.

  • OOBE (Out of Box Experience): this phase occurs at the second reboot before the first user logon, and can be bypassed if domain policies are used for user or system configuration.

For more information on how Sysprep works, refer to Microsoft's documentation. This manual details the configurations required for a ZTP with an image or update using Host Provisioning.

Running SYSPREP in Host Provisioning

Once the configuration of the image to be distributed is complete, run SYSPREP with the following command as administrator:

%WINDIR%\System32\Sysprep\Sysprep.exe /oobe /generalize /shutdown /unattend:HPSUnattendFile.xml

The configuration file passed with the unattend parameter gives SYSPREP all the information it needs to boot the system without interaction, along with other values useful for Host Provisioning, such as keeping drivers from being removed.

You can download a sample unattended configuration file for SYSPREP in the downloads section.

Answer file for unattended configuration

To create or validate an answer configuration file for SYSPREP, it is recommended to use the imgmgr.exe tool from the Windows ADK.

The following are the most relevant aspects for Host Provisioning of the unattended configuration file provided as an example, HPSUnattendedFile.xml.

For a complete list of all packages and their possible values, see the configurable components reference on the web.

GENERALIZE pass

By default SYSPREP removes third-party drivers on generalization. To avoid this, add this configuration to the Generalize pass:

<DoNotCleanUpNonPresentDevices>true</DoNotCleanUpNonPresentDevices>
<PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>

SPECIALIZE pass

Some useful settings in the answer file are the time zone or the Windows product key.

<RegisteredOrganization>My Company</RegisteredOrganization>
<TimeZone>Romance Standard Time</TimeZone>
<ProductKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</ProductKey>
<RegisteredOwner>IT Systems</RegisteredOwner>

You can create commands that will be executed in the specialization pass. These commands are especially useful for creating configurations before the OOBE pass.

One command commonly found in answer files enables the admin user, which is disabled when an image is generalized. This is also necessary to avoid the user creation dialog in the OOBE pass.

<RunSynchronousCommand wcm:action="add">
<Description>enable admin account</Description>
<Order>1</Order>
<Path>net user admin /active:yes</Path>
</RunSynchronousCommand>

It is not necessary to set values for the computer name or to join a domain or workgroup; Host Provisioning performs this configuration with each deployment.

OOBE Pass

System customization is performed with web screens designed to complete the system configuration with the values selected by the user. If there is no answer file, or it does not contain a valid configuration for these values, the user must enter the desired configuration. This should be avoided, especially in Host Provisioning with SYSPREP, since each update would require a reconfiguration by the user or administrator. Everything needed to achieve Zero-Touch Deployment with Host Provisioning is detailed below.

<OOBE>
<HideEULAPage>true</HideEULAPage>
<HideLocalAccountScreen>true</HideLocalAccountScreen>
<HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<ProtectYourPC>3</ProtectYourPC>
</OOBE>

The SkipMachineOOBE and SkipUserOOBE configurations have been marked as obsolete and their use is not recommended. These values omit the OOBE pass completely. Although this is the fastest option, some configurations, such as ProtectYourPC, have no default value, so the system could be left in an inconsistent state. Errors have also been detected with this option, such as domain policies not being applied on first boot.
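The following PowerShell pre-flight check is an added example, not part of Host Provisioning or of the sample answer file. It verifies that each setting shown on this page sits in the expected pass with the value used here, and it flags the obsolete skip switches. The function name Test-HpsAnswerFile is hypothetical, the pass names generalize and oobeSystem are the standard answer-file pass attributes, and the sample XML is constructed for the demonstration.

```powershell
# Added example; Test-HpsAnswerFile is a hypothetical helper name.
function Test-HpsAnswerFile {
    param([Parameter(Mandatory)][xml]$Doc)
    # Setting name = pass it belongs to, value used in the fragments on this page.
    $required = [ordered]@{
        PersistAllDeviceInstalls      = 'generalize', 'true'
        DoNotCleanUpNonPresentDevices = 'generalize', 'true'
        HideEULAPage                  = 'oobeSystem', 'true'
        HideLocalAccountScreen        = 'oobeSystem', 'true'
        HideOEMRegistrationScreen     = 'oobeSystem', 'true'
        HideOnlineAccountScreens      = 'oobeSystem', 'true'
        HideWirelessSetupInOOBE       = 'oobeSystem', 'true'
        ProtectYourPC                 = 'oobeSystem', '3'
    }
    foreach ($name in $required.Keys) {
        $pass, $want = $required[$name]
        # local-name() keeps the query independent of the unattend XML namespace.
        $node = $Doc.SelectSingleNode("//*[local-name()='settings'][@pass='$pass']//*[local-name()='$name']")
        if ($null -eq $node) { "MISSING  $pass/$name" }
        elseif ($node.InnerText.Trim() -ne $want) { "VALUE    $pass/$name is '$($node.InnerText.Trim())', page uses '$want'" }
    }
    foreach ($name in 'SkipMachineOOBE', 'SkipUserOOBE') {
        if ($Doc.SelectSingleNode("//*[local-name()='$name']")) { "OBSOLETE $name is set" }
    }
}
# Constructed sample: one hide setting missing, ProtectYourPC changed, obsolete switch present.
$sample = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="generalize">
    <component name="Microsoft-Windows-PnpSysprep">
      <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
      <DoNotCleanUpNonPresentDevices>true</DoNotCleanUpNonPresentDevices>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideLocalAccountScreen>true</HideLocalAccountScreen>
        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <ProtectYourPC>1</ProtectYourPC>
        <SkipMachineOOBE>true</SkipMachineOOBE>
      </OOBE>
    </component>
  </settings>
</unattend>
'@
Test-HpsAnswerFile -Doc $sample
```

To check a real file before running SYSPREP, pass it as `-Doc ([xml](Get-Content -Raw <path to answer file>))`; no output means every listed setting matched.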

info

Host Provisioning Client automatically bypasses the initial patch installations that you can see for some minutes ("Now, we have important things to do.").