Cleaning up apps to keep Windows 10 sysprep happy
As we documented at https://support.microsoft.com/en-sg/help/2769827/sysprep-fails-after-you-remove-or-update-windows-store-apps-that-inclu, sysprep will fail when creating a custom Windows 10 image if there are any apps installed during the image creation process that aren’t also provisioned in the OS. Depending on how you create your image, this can be problematic because during the process (typically an MDT or ConfigMgr task sequence), the Microsoft Store can download and install stuff from the internet. And when that happens, you’ll see error messages logged by sysprep (which you can find in the C:\Windows\System32\Sysprep\Panther\Setupact.log file) like this:
SYSPRP Package Microsoft.MicrosoftOfficeHub_17.8830.7600.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
The longer your image creation process takes, the more likely such a failure is. That also means this failure can be sporadic: sometimes you’ll sysprep before the Store installs updates, other times you won’t.
So how do you fix this? My favorite way: Don’t build your images on a VM that has internet access, since there’s no way the Microsoft Store can download any apps when there is no internet connectivity. Or you can try to purposely disable internet access, using something like Brandon’s blog.
But if you want to have internet access or need internet access, there are other ways. You can follow Johan’s blog, which leverages existing Group Policy settings (which are a little tricky to set on a workgroup machine when creating an image, but there are scripts to help with that). Or you can add an extra step to the task sequence to clean up the offending apps prior to running sysprep. Just to see how hard that would be, I decided to try it – turns out it’s not that bad.
But first, let’s set up a repro. The easiest way to do that is to add a step to an MDT task sequence to suspend the task sequence. Then you can launch the Store, force the installation of app updates, install other apps (I installed Facebook manually for good measure), etc. (And if you think doing this manually has any value, e.g. trying to get new versions of the apps in your image, you would be wrong.)
So now I have a VM that is guaranteed to fail. So let’s look at what I’ve added to the task sequence to fix this:
That step is placed right before the “Execute Sysprep” step (so if you are doing a sysprep-only task sequence execution, you would want to add it to the “Sysprep Only” group too). The full command line:
powershell.exe -executionpolicy bypass -file %ScriptRoot%\RemoveUserApps.ps1
Resuming the task sequence shows the step running:
Then sysprep runs:
And if that succeeds, the machine will reboot to Windows PE and capture the image.
So yeah, success!
The script itself is attached to a zip file at the bottom of this blog. While it gets the job done, it’s not perfect:
- It tries to remove framework packages (basically, dependencies) and fails. No big deal, as sysprep doesn’t really care about these. Ideally the script would filter these out, but it’s not worth the effort.
- It can’t count. It tries to count up the number of apps that it removes, but doesn’t take into account failures (e.g. those same framework packages). Error handling wasn’t worth the effort.
Feel free to try it out yourself.