Marcel
Marcel That's me: Marcel

What's wrong with Windows 10 and UWP and Sysprep?

What's wrong with Windows 10 and UWP and Sysprep?

I’m working in the WVD/AVD area and often create golden images to deploy session hosts for WVD/AVD - mainly based on Windows 10 Enterprise multi-session. To do that, I create a template VM in Azure based on Windows 10, joined it to the domain, install updates and applications, and create an image based on that VM. To make my life easier, I use WVDAdmin to generate the template and rolling it out later - but this is independent of the issue with Sysprep. One step of creating an image is to Sysprep the template image. I - or WVDAdmin is doing that - by running:

sysprep.exe /generalize /oobe /shutdown /mode:vm

Sometimes I run into an issue, and Sysprep stops work with an error message: Sysprep

Digging into the log file show the issue: Sysprep

Error: Package XXXXXXX was installed for a user, but not provisioned for all users.

The package various. Sometimes I got a part of a language pack or other internal app packages. To run into the problem with certainty, install an app from the Windows Store.

Let’s find out what happens, for doing that I installed different applications from the Windows Store into the VM and tried to Sysprep the VM. The first package blocking Sysprep was in this test “5319275A.WhatsAppDesktop_2.2027.10.0_x64__cv1g1gvanyjgm”

To get details of the package run the following PowerShell script with administrative privileges:

Get-AppxPackage -AllUsers | ? {$_.packagefullname.contains('5319275A.WhatsAppDesktop_2.2027.10.0_x64__cv1g1gvanyjgm')}

The returned object shows that this package is only installed for the local administrator (installing the apps from the Windows Store). The user querying this data (mm-admin) doesn’t have this package installed. Sysprep

Okay. Appx packages from the store are personnel and not shared with all users on a VM (to install appx packages for all users, you have to sideload the packages with DISM.exe). So I tried to remove this app from all users:_

Get-AppxPackage -AllUsers | ? {$_.packagefullname.contains('5319275A.WhatsAppDesktop_2.2027.10.0_x64__cv1g1gvanyjgm')} | Remove-AppxPackage -AllUsers

Ok. Sysprep again. The next issue occurs: Sysprep has the same problem with NetFlix - installed only for one user of the VM. Instead of removing the packages by trial and error, I found another way: Teach Sysprep to ignore this behavior. I guess it’s not a problem having an appx package assigned to only one user - even if it and administrative user.

I figured out that Sysprep uses an XML file with a set of rules preparing a VM. The rule-set for generalizing an image is stored in "C:\windows\System32\sysprep\ActionFiles\Generalize.xml"

To ignore the installed or update AppX package remove the following lines and save Generalize.xml (you have to take ownership of the file and give yourself permission to do that):

<sysprepOrder order="0x1A00"></sysprepOrder>
<sysprepValidate methodName="SysprepGeneralizeValidate" moduleName="$(runtime.system32)\AppxSysprep.dll"></sysprepValidate>
<sysprepModule methodName="SysprepGeneralize" moduleName="$(runtime.system32)\AppxSysprep.dll"></sysprepModule></imaging><imaging exclude=""><assemblyIdentity name="Microsoft-Windows-SecureBoot-FirmwareUpdate" version="10.0.19041.1" publicKeyToken="31bf3856ad364e35" processorArchitecture="amd64" versionScope="NonSxS"></assemblyIdentity>

Sysprep

After that Sysprep runs without an issue. Rolling out a session host based on the new image works, and even the user could logon without a problem (and yes: they don’t have the Store apps from the local admin - as expected).

Maybe there are some smarter ways to handle UWP and Sysprep (if you know one - let me know it, too). But this solves an issue creating or updating an image for WVD/AVD based on a template VM (golden image approach).