Microsoft is making Windows image customisation more and more difficult


Kari

PhD in Malt Based Liquids
Pro User
VIP
Local time
6:26 AM
Posts
811
Location
Expat from Finland in Leipzig Germany
OS
Windows 11 PRO x64 Dev

This post is based on my very subjective, personal opinion That opinion in its turn is based on some facts about changes in Windows versions, starting with Windows 10 version 1709.

Please, don't take this wrong. I am still a huge Windows fan. I just don't like the changes Windows developer teams have made to how Audit Mode and the built-in administrator behave.



I do a lot of image customisation, A new version of Windows is released, I customise it on a reference machine in Audit Mode, sysprep it, capture the WIM image, and create my install media. In fact, I do this with almost every new Windows build released to Windows Insider Dev Channel.

FACT:

Version 1709 enabled Store and Store apps for the built-in administrator account. It also allowed user to switch the built-in admin account to a Microsoft account, the problem being that the account cannot be switched back to a local account. Once done, and you lose control of your MS account, you are screwed.

WHAT CHANGED:

Up to version 1703, the only Store app working when signed in as the built-in admin was Windows Settings. Not even Edge browser could be used:

Apps not available for built-in admin.jpg

If you wanted to use Internet in Audit Mode, which by default signs user in with built-in admin account, you had to use Internet Explorer. This made complete sense. When signed in as built-in admin, there should be no reason whatsoever to let that user access Microsoft Store and apps, or switch this local built-in admin account to a Microsoft account, especially considering that this switch is irreversible.

As no Store apps could not be used, Store could not update them, and they could not be provisioned. Generalizing a Windows image with sysprep was easy, it worked flawlessly.

I tried to find Microsoft documentation to explain app provisioning for those interested, this was the closest match:


So, in W10 version 1709 and up to version 1901, you simply removed app provisioning from all other Store apps than Store itself, using command shown in @Brink's excellent tutorial on our sister site Ten Forums, see its Option 12 Step 4:


Next blow came in W10 version 1902. Suddenly, there were a few native system apps not allowing user to remove their provisioning, thus causing generalizing the image to fail:

<package name> was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.

Option 12 Step 4 in above mentioned tutorial on Ten Forums stopped working at this point, failing always completely, or latest after removing provisioning from a few apps:

Removing provisioning fails.jpg

Modifying the command a bit, making it first list all provisioned apps in a Grid-View table, allowing me to select apps to remove provisioning, I narrowed it down to these six native system apps:

Apps provisioning cannot be removed.jpg

OK, what happens now when reference machine is connected to Internet, and you have done your customizations, removed provisioning from apps when possible, and finally sysprep: the sysprep using /generalize switch usually fails.

MY WORKAROUND:

Workaround I use is far from perfect, but at least it works. I have a created a VHD file called Assets.vhdx. I mount it on my host machine every time I need to add or remove something on it. I always use a Hyper-V virtual machine as my reference machine. When starting to create a new custom image, I create a new VM for that, adding this Assets VHD file as its secondary VHD, and making sure that VM has no network connection. This makes it impossible for Windows Update and / or Microsoft Store to start updating and provisioning any apps.

I then install all software I need from offline installers or ISO files on Assets VHD file, make the changes in registry and visual aspects, generalize with sysprep, and capture the image.

Not perfect. Better would be, if Micosoft had not made these ridiculous changes for built-in admin account and Audit Mode.

Kari
 
Last edited:

My Computers

System One System Two

  • OS
    Windows 11 PRO x64 Dev
    Manufacturer/Model
    Hyper-V Virtual Machine (host in System 2 specs)
    CPU
    Intel Core i7-8550U
    Memory
    6 GB
    Graphics Card(s)
    Microsoft Hyper-V Video
    Monitor(s) Displays
    Laptop display (17.1") & Samsung U28E590 (27.7")
  • Operating System
    Windows 11 PRO x64 Dev Channel
    Computer type
    Laptop
    Manufacturer/Model
    HP HP ProBook 470 G5
    CPU
    Intel Core i7-8550U
    Motherboard
    HP 837F KBC Version 02.3D.00
    Memory
    16 GB
    Graphics card(s)
    Intel(R) UHD Graphics 620 & NVIDIA GeForce 930MX
    Sound Card
    Conexant ISST Audio
    Monitor(s) Displays
    Laptop display (17.1") & Samsung U28E590 (27.7")
    Hard Drives
    128 GB SSD & 1 TB HDD
    Mouse
    Wireless Logitech MSX mouse
    Keyboard
    Wireless Logitech MK710 keyboard
    Internet Speed
    100 Mbps down, 20 Mbps up
    Browser
    Edge Chromium Dev Channel
    Antivirus
    Windows Defender
    Other Info
    2 * 3 TB USB HDD
    6 TB WD Mirror NAS
Back
Top Bottom