0 Votes
StefanFalk-3370 asked WilliamParry-8059 commented

Sysprep of a Windows Server 2019 leads to a machine where we cannot log on

Hello everybody,

We routinely deployed Windows Server 2016 terminal servers by cloning and sysprepping them from a template (using a PowerShell script). The very same with Windows Server 2019 fails, and even if we manually just clone the template VM, start it (disconnected from the network), sysprep it (OOBE, generalize, reboot), the following symptoms occur:

1) Sysprep takes 15 - 20 minutes (compared to, say, 5 minutes normally)

2) Sysprep does not ask for a new local Administrator password.

3) The machine boots, but we cannot log on as a local Administrator. This is regardless of whether we
- clone and sysprep manually,
- include a C:\Windows\Setup\Scripts\SetupComplete.cmd with "net user administrator /active:yes" in the template (see https://kb.vmware.com/s/article/2034622), or
- use our PowerShell script which normally injects a fixed Administrator password via the sysprep answer file.

Has something changed in sysprep's behaviour between Windows Server 2016 and 2019?

Best Regards,
Stefan Falk

windows-server-setup

0 Votes
TeemoTang-MSFT answered

Hello Stefan,

Please understand that VMware is not a Microsoft product. If you want to use VMware to deploy Windows Server 2016 terminal servers, you'd better ask for help from VMware support.
Going back to sysprep: manually sysprepping Server 2019 is no different from Server 2016. The normal process is:
1. Installing Windows Server 2019 onto a new server
2. Configuring customizations and updates onto your new server
3. Running Sysprep to prepare and shut down your master server
4. Creating your master image of the drive
5. Building new servers using copies of the master image
Or use an unattend file:
1. Create the unattend file with Windows System Image Manager.
2. Copy your unattendedfile.xml file to the \system32\sysprep folder
3. Run CMD as Administrator
4. sysprep.exe /generalize /oobe /unattend:yourunattendedfile.xml
Next, you could add a custom script to Windows Setup:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-a-custom-script-to-windows-setup


0 Votes
StefanFalk-3370 answered

Hello TeemoTang,

Thanks for your input.

To avoid the VMware provisioning or our PowerShell provisioning script, we tried to just make a copy of the VM and sysprep it totally manually. So I think we have no cause to assume the problem is related to VMware. We are, of course, aware that Microsoft could not support a VMware case.

The question remains: What could be wrong with the Windows Server 2019 machine that would cause sysprep to somehow result in an unknown local Administrator password or a disabled local Administrator account?

Best Regards,
Stefan

0 Votes
PieseFordro answered

These steps are best:
1. Installing Windows Server 2019 onto a new server
2. Configuring customizations and updates onto your new server
3. Running Sysprep to prepare and shut down your master server
4. Creating your master image of the drive
5. Building new servers using copies of the master image
Or use an unattend file:
1. Create the unattend file with Windows System Image Manager.
2. Copy your unattendedfile.xml file to the \system32\sysprep folder
3. Run CMD as Administrator
4. sysprep.exe /generalize /oobe /unattend:yourunattendedfile.xml
Next, you could add a custom script to Windows Setup.

1 Vote
StefanFalk-3370 answered

Hello PieseFordro,

Thank you. Yes, that is exactly what we do normally. We have sysprepped many servers at many customers' sites both manually and automatically. The point is really simple here:

1) A freshly installed machine.
2) Sysprep it with no customization file at all.
3) The result is a machine on which you cannot log on using the local Administrator account.

And we wonder what could be wrong, as there should hardly be an opportunity to make a mistake here.

Best Regards,
Stefan

0 Votes
StefanFalk-3370 answered AlyssaH-5815 commented

Hello PieseFordro,

If it cannot be answered why the machine is left unusable by sysprep, is there a way to get to the sysprep log? I guess we could only attach the virtual disk to another, running machine and look there, right?

Best Regards,
Stefan


Sysprep log files:
Generalize: %WINDIR%\System32\Sysprep\Panther
Specialize: %WINDIR%\Panther
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep-process-overview

0 Votes 0 ·

Hello TeemoTang,

Thanks for your input. I know the location of the sysprep logs. The problem is that we cannot log on to the machine after it got sysprepped, to get to those logs. We will try to attach the VM's disk as a second disk to another VM and see the log files from there.

Regards,
Stefan

0 Votes 0 ·
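
Reading those logs from the attached disk, as an added example that is not part of the original thread: a PowerShell function that scans the two log directories listed above on an offline volume and returns only the Error and Warning lines. The function name, the `$OfflineRoot` parameter and the sample log lines are assumptions made for illustration.

```powershell
# Added example: list Error/Warning lines from Sysprep logs on an offline volume.
# $OfflineRoot = root of the attached disk as seen from the helper VM (assumption).
function Get-OfflineSysprepLogIssue {
    param(
        [Parameter(Mandatory)] [string] $OfflineRoot,
        [string[]] $Level = @('Error', 'Warning')
    )
    # Log directories named in the thread, relative to the offline volume root.
    $logDirs = [ordered]@{
        Generalize = 'Windows\System32\Sysprep\Panther'
        Specialize = 'Windows\Panther'
    }
    # Setup log lines start with "yyyy-MM-dd HH:mm:ss, <Level>   <text>".
    $pattern = '^(?<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\s+(?<level>\w+)\s+(?<text>.*)$'
    foreach ($pass in $logDirs.Keys) {
        $dir = Join-Path $OfflineRoot $logDirs[$pass]
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Warning "Log directory not found: $dir"
            continue
        }
        # setupact.log and setuperr.log are the standard Windows Setup log names.
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter 'setup*.log' -File) {
            foreach ($line in Get-Content -LiteralPath $file.FullName) {
                if ($line -match $pattern -and $Matches.level -in $Level) {
                    [pscustomobject]@{
                        Pass    = $pass
                        File    = $file.Name
                        Time    = [datetime]$Matches.time
                        Level   = $Matches.level
                        Message = $Matches.text.Trim()
                    }
                }
            }
        }
    }
}

# Constructed sample: a stand-in offline volume with made-up log lines.
$root = Join-Path ([IO.Path]::GetTempPath()) 'offline-vol'
$gen  = Join-Path $root 'Windows\System32\Sysprep\Panther'
New-Item -ItemType Directory -Path $gen -Force | Out-Null
@(
    '2019-11-05 09:14:02, Info                  SYSPRP constructed info line'
    '2019-11-05 09:31:47, Error                 SYSPRP constructed error line'
) | Set-Content -LiteralPath (Join-Path $gen 'setuperr.log')

Get-OfflineSysprepLogIssue -OfflineRoot $root | Sort-Object Time | Format-Table -AutoSize
```

On a real helper VM, pass the drive letter of the attached disk (for example `-OfflineRoot 'E:\'`) instead of the constructed sample directory.
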

Hi Stefan,

Did you ever figure this out? I am running into the same issue after hardening our image with CIS benchmarks. Same sysprep script ran fine before hardening, just trying to track down what we over-secured to prevent proper sysprepping. Hoping our issue is similar enough and maybe whatever worked for you will work for us too.

Thanks!
--Alyssa

0 Votes 0 ·
0 Votes
StefanFalk-3370 answered WaltonT-9822 published

Hello everybody,

We used the very same script for another customer using VMware and could deploy Windows Server 2019 terminal servers from a template VM with no problem at all. I still have no clue what's going wrong with that one customer where it does not work any more. The next step should be to try to attach the vmdk to another VM to get to the sysprep log files. I'll return here when I have results.

Best Regards,
Stefan


Running into the same issue myself, I'm wondering if it's related to LAPS on Server 2019? That's the only difference I can perceive between my working and non-working clone to VM environments.

0 Votes 0 ·
0 Votes
StefanFalk-3673 answered WilliamParry-8059 commented

Hello everybody,

Waltont-9882's posting reminded me to post.

a) We did not use LAPS there.

b) The problem got solved once we did not have special characters such as ` and = and ? and ß (a German national character) and " in the local administrator password.

Hope this helps you, too.

Best Regards,
Stefan


Brilliant, this did help me out, I had run through sysprep and capturing images in Azure on a Sandbox subscription and all was fine. Then I came to do the same in production and I couldn't seem to get it to work. However I found your post here and so I replicated the same password for the local admin from the Sandbox in the production environment and it's looking good.

My password which caused issues had / % * characters. I also have drive letter issues, so I run sysprep with a cmd script:

 reg export HKLM\SYSTEM\MountedDevices D:\MountedDevices.reg
 C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /quit
 Reg import D:\MountedDevices.reg
 shutdown /s

Hopefully that'll be useful to someone as well.

Finally, worth noting? It's the password of the local admin on the VM when running sysprep, not the local admin when deploying the captured image as a VM, I tried that and it didn't help.

0 Votes 0 ·