Microsoft is making Windows image customisation more and more difficult

This post is based on my very subjective, personal opinion That opinion in its turn is based on some facts about changes in Windows versions, starting with Windows 10 version 1709.

Please, don't take this wrong. I am still a huge Windows fan. I just don't like the changes Windows developer teams have made to how Audit Mode and the built-in administrator behave.

I do a lot of image customisation, A new version of Windows is released, I customise it on a reference machine in Audit Mode, sysprep it, capture the WIM image, and create my install media. In fact, I do this with almost every new Windows build released to Windows Insider Dev Channel.

FACT:

Version 1709 enabled Store and Store apps for the built-in administrator account. It also allowed user to switch the built-in admin account to a Microsoft account, the problem being that the account cannot be switched back to a local account. Once done, and you lose control of your MS account, you are screwed.

WHAT CHANGED:

Up to version 1703, the only Store app working when signed in as the built-in admin was Windows Settings. Not even Edge browser could be used:



If you wanted to use Internet in Audit Mode, which by default signs user in with built-in admin account, you had to use Internet Explorer. This made complete sense. When signed in as built-in admin, there should be no reason whatsoever to let that user access Microsoft Store and apps, or switch this local built-in admin account to a Microsoft account, especially considering that this switch is irreversible.

As no Store apps could not be used, Store could not update them, and they could not be provisioned. Generalizing a Windows image with sysprep was easy, it worked flawlessly.

I tried to find Microsoft documentation to explain app provisioning for those interested, this was the closest match:


So, in W10 version 1709 and up to version 1901, you simply removed app provisioning from all other Store apps than Store itself, using command shown in @Brink's excellent tutorial on our sister site Ten Forums, see its Option 12 Step 4:


Next blow came in W10 version 1902. Suddenly, there were a few native system apps not allowing user to remove their provisioning, thus causing generalizing the image to fail:

<package name> was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.

Click to expand...

Option 12 Step 4 in above mentioned tutorial on Ten Forums stopped working at this point, failing always completely, or latest after removing provisioning from a few apps:



Modifying the command a bit, making it first list all provisioned apps in a Grid-View table, allowing me to select apps to remove provisioning, I narrowed it down to these six native system apps:



OK, what happens now when reference machine is connected to Internet, and you have done your customizations, removed provisioning from apps when possible, and finally sysprep: the sysprep using /generalize switch usually fails.

MY WORKAROUND:

Workaround I use is far from perfect, but at least it works. I have a created a VHD file called Assets.vhdx. I mount it on my host machine every time I need to add or remove something on it. I always use a Hyper-V virtual machine as my reference machine. When starting to create a new custom image, I create a new VM for that, adding this Assets VHD file as its secondary VHD, and making sure that VM has no network connection. This makes it impossible for Windows Update and / or Microsoft Store to start updating and provisioning any apps.

I then install all software I need from offline installers or ISO files on Assets VHD file, make the changes in registry and visual aspects, generalize with sysprep, and capture the image.

Not perfect. Better would be, if Micosoft had not made these ridiculous changes for built-in admin account and Audit Mode.

Kari