Fixing why Sysprep fails in Windows 10 or Windows 11 due to Windows Store updates

When creating reference images for Windows 10 or Windows 11, Sysprep is very likely to fail if the machine has Internet access, and have enough time to start updating it's built-in applications, or install new ones as part of the consumer experience feature. This post is about preventing that from happening, and is a companion to my guides on building Windows 10 and Windows 11 reference images.

The issue is explained in a KB from Microsoft, but it's workaround are not very good for automation purposes.

Sysprep fails after you remove or update Windows Store apps that include built-in Windows images

Note #1: This is a quite long post, and if you just want the fix, scroll to the end, to the Fixing the problem section. But if you want to pick some background info, and possibly learn something new in the process, continue as you were 🙂

Note #2: Lately I have started to simply limit Internet access to the virtual machines I'm using for reference images, especially for Windows 11 that is quite aggressive in updating for example the OneDrive application.


If modern apps in Windows 10 are being updated during the build and capture of a reference image, Sysprep may fail because it cannot remove the update. Note that this doesn't happen all the time, it's a timing issue, but it sure happen often enough to be an issue.

If that happens you will get the following error in the BDD.LOG and LTISysprep.log log files:

Expected image state is IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE, actual image state is IMAGE_STATE_COMPLETE, sysprep did not succeed.
FAILURE ( 6192 ): ERROR – Sysprep did not complete successfully, check C:windowssystem32syspreppanthersetupact.log for details


Then, in the C:WindowsSystem32SysprepPanthersetuperr.log you see the following (or similar):

Error                 SYSPRP Package Microsoft.DesktopAppInstaller_1.0.1471.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.
Error                 SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
Error      [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralizeValidate' from C:WindowsSystem32AppxSysprep.dll; dwRet = 0x3cf2
Error                 SYSPRP SysprepSession::Validate: Error in validating actions from C:WindowsSystem32SysprepActionFilesGeneralize.xml; dwRet = 0x3cf2
Error                 SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x3cf2
Error      [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
Error      [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep generalize internal providers; hr = 0x80073cf2

 Error from MDT when sysprep fails
This is what it looks like during the MDT build and capture process.

More Details of the modern apps

Now, the above log is quite obvious, an app named Microsoft.DesktopAppInstaller_1.0.1471.0 was being installed or updated, and Sysprep could not remove it.

To see which modern applications that you have in your system, for the Administrator user account in this case. You can just run Get-AppxPackage in a PowerShell prompt, or (Get-AppxPackage).count to see the number of apps. For a Windows 10 v1607 CB machine, that did not update any built-in updates, I had 54 apps installed. Whereas as system which had been allowed to update them had 58 apps.

A Windows 10 v1607 CB machine with no updates allowed, showing 54 apps.

A Windows 10 v1607 CB machine with updates allowed, showing 58 apps.

But what about apps being actually updated? Well, you can get additional info via the Event Viewer. You go to Microsoft / Windows / AppXDeployment-Server / Microsoft-Windows-AppXDeploymentServer / Operational and filter on Event ID 478 to see successful updates.

The Event Viewer with a filter on ID 478 showing installations of modern apps.

More PowerShell

You can also view this using PowerShell, but you have to use the Get-WinEvent cmdlet, because Get-EventLog can handle only classic event logs (System/Setup/Application etc.).  So here is the command to list installations/updates for Windows 10 applications.

Get-WinEvent -LogName "Microsoft-Windows-AppXDeploymentServer/Operational" | Where-Object {$_.ID -eq 478} | Select TimeCreated,Message | Format-Table -AutoSize -Wrap

PowerShell listing of app preventing Sysprep
Using PowerShell to list event log entries of installed/updated applications in Windows 10.

If you compare the count of apps, from the event log, from a system having the apps being updated or not (by simply putting the command in parentheses, and add a .count), you find that a system allowed to have the apps updated will have over hundred of apps, whereas as system with no Internet access, or updates being disabled will have less than hundred.

Below is the out from a system without updates to the modern apps in Window
s 10 v1607 CB, a total of 82 entries for the apps. Another machine that I deployed, and allowed it to update, it ended up with 136 entries for the apps.

Count of apps
A Windows 10 machine with no updates, showing 82 entries for apps in the event log.

Count of apps from system with updates
A Windows 10 machine with updates, showing 136 entries for apps in the event log.

Fixing the problem

The obvious fix for the problem is denying the virtual machine Internet access. No Internet access means no updates breaking Sysprep 🙂

Update: Seems like setting HideShell=YES in cs.ini also prevents apps from coming down. Of course, that also stops you from doing anything interactive during the build and capture process, but hopefully you don't need that once you nailed your task sequence. Big thanks to Roman Zuravljov for that tip.

But what if the preceding fix is not an option?

What if you need Internet access for other reasons? Well, keep on reading

Fix the Sysprep issues by adding a script to disable Store Updates as well as Consumer Experience Apps

Simply add a script that sets the needed registry values during the offline WinPE phase. So that Windows Store updates and the Consumer Experience features are disabled even before Windows 10 starts the first time. Very Shiny.

Note #1: The script has a dependency to ZTIUtility.vbs, so if put it into another folder, make sure to copy ZTIUtility.vbs with it, or update the reference in line 2 of the script.

Note #2: Disabling the Consumer Experience feature is only available for Enterprise and Education editions of Windows 10. So, if your using Windows 10 or Windows 11 Pro, you have to either disable Internet access or try the HideShell=YES settings in cs.ini.

Note #3: This script was initially developed for Windows 10 1709 and Windows 10 1809. I have not done much testing on newer versions of Windows 10, nor Windows 11. These days I typically just disable Internet access on the VM I'm building 🙂

Here is the script:

1. Copy the script to your deployment share / scripts folder, and configure your build and capture task sequence to run it in the Postinstall phase (WinPE phase).

Name: Disable Windows Store Updates
Command line: cscript.exe "%SCRIPTROOT%\Config-DisableWindowsStoreUpdates.wsf"

Task Sequence configured to disable updates of Windows Store applications during the first WinPE phase.

Enabling updates once again before capture

Unless you are enabling these features via GPO during deployment, it makes sense to enable them once again just before capture. Again in the offline WinPE phase.

Note: Also this script has a dependency to ZTIUtility.vbs, so if put it into another folder, make sure to copy ZTIUtility.vbs with it, or update the reference in line 2 of the script.

Here is the script:

1. Copy the script to your deployment share / scripts folder, and configure your build and capture task sequence to run it in the end of the State Restore phase (second WinPE phase).

Name: Enable Windows Store Updates
Command line: cscript.exe "%SCRIPTROOT%\Config-EnableWindowsStoreUpdates.wsf"

Task Sequence configured to enable updates of Windows Store applications just before capture.

Written by Johan Arwidmark.

About the author

Johan Arwidmark

5 1 vote
Article Rating
Notify of
Oldest Most Voted
Inline Feedbacks
View all comments
Amar Honnungar
Amar Honnungar
10 months ago
  1. Navigate to C:\windows\system32\ and search for the sysprep folder, go to properties change the ownership of the folder to to the local admin by changing the permissions in Advance menu.
  2.  After you take the ownership of the folder you can open sysprep\actionfiles and edit the Generalize.xml and remove the following entry from there.

<assemblyIdentity name="Microsoft-Windows-AppX-Sysprep" version="10.0.18362.356" publicKeyToken="31bf3856ad364e35" processorArchitecture="amd64" versionScope="NonSxS"></assemblyIdentity>
<sysprepOrder order="0x1A00"></sysprepOrder>
<sysprepValidate methodName="SysprepGeneralizeValidate" moduleName="$(runtime.system32)\AppxSysprep.dll"></sysprepValidate>
<sysprepModule methodName="SysprepGeneralize" moduleName="$(runtime.system32)\AppxSysprep.dll"></sysprepModule></imaging><imaging exclude="">

  1. Save as the Generalize.xml on any desired location and then rename the existing Generalize.xml to old and replace it with the new one.
  2. Run sysprep Generalize and see if that works for you.
9 months ago
Reply to  Amar Honnungar

It works….! Thanks

Bavo Bostoen
Bavo Bostoen
11 months ago

Hallo Johan, I tried running a VM gen2 with modern NIC etc and could use PXE and create an MDT reference image but the sysprep/capture step would fail at the end of the TS, as opposed to when I try it with a gen1 VM with legacy network adapter. So is the gen1 + legacy NIC still a requirement, even with latest Windows Server 2022 and ADK for Win 11? (meaning everything on latest version) I'm asking because I thought the gen1/legacy adapter requirement was only for making PXE work in a Hyper-V VM (this works without problem now with… Read more »

1 year ago

I used the scripts and it didn't work, the hideshell did.

Chris Falls
Chris Falls
2 years ago

Line 5 of the Config-EnableWindowsStoreUpdates.wsf is missing a "Then" Statement. Also, Thank you for all that you do….

3 years ago

Regarding the Enable/Disable Windows Store scripts: I think I followed your instructions for setting up these two scripts. When running the TS, however, I am met with failure. The error message is: Failed to run the action: Disable Windows Store Updates. Incorrect function. (Error: 00000001; Source: Windows) I added the scripts to the script directory and set the steps up according to the instructions laid out in this post. Additionally, I read the entire post update: using version 1909, i ran the image creation and it didnt fail on the part which causes the need for these scripts anyway.… Read more »

Chris Falls
Chris Falls
2 years ago

IS there a resolution for this??

3 years ago

I'm getting an error when I run the script to Disable Windows Store Updates in Win10 Pro 1903. The error is:
Property LogPath is now = C:\MININT\SMSOSD\OSDLOGS
Microsoft Deployment Toolkit version: 6.3.8330.1000
Property Debug is now = FALSE
Getting crrent OS drive letter
Current OS drive letter is
About to configure offline registry settings
Windows version applied to harddrive is
Load the offline registry file
Unable to find the new OS registry file; Windows Store settings cannot be updated.

Do you have any ideas what I might be doing wrong?

Isaac Oliveira
Isaac Oliveira
3 years ago

Hi, i tryed to enable windows store updates using your script when we reboot the system and starts the second Windows PE phase, but the script got error and didn't capture the .wim. If you can help me on this case, please.

Isaac Oliveira
Isaac Oliveira
3 years ago

Hello Johan,
Thanks for your reply. I maked mistake when i copied cscript.exe "%SCRIPTROOT%\Config-EnableWindowsStoreUpdates.wsf", i dont know how but when i pasted this parameter, his insert space between % and \. After i saw this fail, i repair and done kkkk. So, in windows 10 pro i needed to use another script that remove all of Built-in apps to got capture the reference image.

Paul Ackland
Paul Ackland
3 years ago

Can you use this process with Win 10 Enterprise as well?

3 years ago


I have the same issue. But i solve it by cleaning up (remove) all other users profile except local administrator's.

Craig Schultz
Craig Schultz
2 years ago
Reply to  Alain NGATCHOU

Removing all profiles except local worked for me too.

Ken Baker
Ken Baker
3 years ago

You've missed the \ in your command line