Fixing why Sysprep fails in Windows 10 due to Windows Store updates

When creating reference images for Windows 10, Sysprep is going to fail if the machine have Internet access, and have enough time to start updating it's built-in applications, or install new ones as part of the consumer experience feature. This post is about preventing that from happening, and is a companion to uber-guide on building Windows 10 reference images in the real world:

The issue is explained in a KB from Microsoft, but it's workaround are not very good for automation purposes.

Sysprep fails after you remove or update Windows Store apps that include built-in Windows images
http://support.microsoft.com/en-us/kb/2769827

Note #1: This is a quite long post, and if you just want the fix, scroll to the end, to the Fixing the problem section. But if you want to pick some background info, and possibly learn something new in the process, continue as you were 🙂

Note #2: I have seen a few other workarounds, including temporarily disable/enable Internet access etc. but this post takes care of the problem once and for all 🙂

Symptom

If modern apps in Windows 10 are being updated during the build and capture of a reference image, Sysprep may fail because it cannot remove the update. Note that this doesn't happen all the time, it's a timing issue, but it sure happen often enough to be an issue.

If that happens you will get the following error in the BDD.LOG and LTISysprep.log log files:

Expected image state is IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE, actual image state is IMAGE_STATE_COMPLETE, sysprep did not succeed.
FAILURE ( 6192 ): ERROR – Sysprep did not complete successfully, check C:windowssystem32syspreppanthersetupact.log for details

image

Then, in the C:WindowsSystem32SysprepPanthersetuperr.log you see the following (or similar):

Error                 SYSPRP Package Microsoft.DesktopAppInstaller_1.0.1471.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.
Error                 SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
Error      [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralizeValidate' from C:WindowsSystem32AppxSysprep.dll; dwRet = 0x3cf2
Error                 SYSPRP SysprepSession::Validate: Error in validating actions from C:WindowsSystem32SysprepActionFilesGeneralize.xml; dwRet = 0x3cf2
Error                 SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x3cf2
Error      [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
Error      [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep generalize internal providers; hr = 0x80073cf2

 Error from MDT when sysprep fails
This is what it looks like during the MDT build and capture process.

More Details of the modern apps

Now, the above log is quite obvious, an app named Microsoft.DesktopAppInstaller_1.0.1471.0 was being installed or updated, and Sysprep could not remove it.

To see which modern applications that you have in your system, for the Administrator user account in this case. You can just run Get-AppxPackage in a PowerShell prompt, or (Get-AppxPackage).count to see the number of apps. For a Windows 10 v1607 CB machine, that did not update any built-in updates, I had 54 apps installed. Whereas as system which had been allowed to update them had 58 apps.

getappnoupdates
A Windows 10 v1607 CB machine with no updates allowed, showing 54 apps.

getappwithupdates
A Windows 10 v1607 CB machine with updates allowed, showing 58 apps.

But what about apps being actually updated? Well, you can get additional info via the Event Viewer. You go to Microsoft / Windows / AppXDeployment-Server / Microsoft-Windows-AppXDeploymentServer / Operational and filter on Event ID 478 to see successful updates.

Eventviewer
The Event Viewer with a filter on ID 478 showing installations of modern apps.

More PowerShell

You can also view this using PowerShell, but you have to use the Get-WinEvent cmdlet, because Get-EventLog can handle only classic event logs (System/Setup/Application etc.).  So here is the command to list installations/updates for Windows 10 applications.

Get-WinEvent -LogName "Microsoft-Windows-AppXDeploymentServer/Operational" | Where-Object {$_.ID -eq 478} | Select TimeCreated,Message | Format-Table -AutoSize -Wrap

PowerShell listing of app preventing Sysprep
Using PowerShell to list event log entries of installed/updated applications in Windows 10.

If you compare the count of apps, from the event log, from a system having the apps being updated or not (by simply putting the command in parentheses, and add a .count), you find that a system allowed to have the apps updated will have over hundred of apps, whereas as system with no Internet access, or updates being disabled will have less than hundred.

Below is the out from a system without updates to the modern apps in Window
s 10 v1607 CB, a total of 82 entries for the apps. Another machine that I deployed, and allowed it to update, it ended up with 136 entries for the apps.

Count of apps
A Windows 10 machine with no updates, showing 82 entries for apps in the event log.

Count of apps from system with updates
A Windows 10 machine with updates, showing 136 entries for apps in the event log.

Fixing the problem

The obvious fix for the problem is denying the virtual machine Internet access, but still allow updates via local WSUS server, so the following:

1. Install a local WSUS server, approve the needed updates, and configure MDT to use it (WSUSServer variable)

2. Then, when creating the Windows 10 reference image, make sure the virtual machine doesn't have Internet access.

No Internet access means no updates breaking Sysprep 🙂

Update: Seems like setting HideShell=YES in cs.ini also prevents apps from coming down. Of course that also stops you from doing anything interactive during the build and capture process, but hopefully you don't need that once you nailed your task sequence. Big thanks to Roman Zuravljov for that tip.

But what if the preceding fix is not an option?

What if you need Internet access for other reasons?

Or can't install a local WSUS server for some reason?

Well, keep on reading

Fix the sysprep issues by adding a script to disable Store Updates as well as Consumer Experience Apps

Simply add a script that sets the the needed registry values during the offline WinPE phase. So that Windows Store updates and the Consumer Experience features are disabled even before Windows 10 starts the first time. Very Shiny.

Note #1: The script has a dependency to ZTIUtility.vbs, so if put it into another folder, make sure to copy ZTIUtility.vbs with it, or update the reference in line 2 of the script.

Note #2: Disabling the Consumer Experience feature is only available for Enterprise and Education editions of Windows 10. So if your using Windows 10 Pro, you have to either disable Internet access or try the HideShell=YES settings in cs.ini.

Here is the script: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Config-DisableWindowsStoreUpdates.wsf

1. Copy the script to your deployment share / scripts folder, and configure your build and capture task sequence to run it in the Postinstall phase (WinPE phase).

Name: Disable Windows Store Updates
Command line: cscript.exe "%SCRIPTROOT%\Config-DisableWindowsStoreUpdates.wsf"

image
Task Sequence configured to disable updates of Windows Store applications during the first WinPE phase.

Enabling updates once again before capture

Unless you are enabling these features via GPO during deployment, it makes sense to enable them once again just before capture. Again in the offline WinPE phase.

Note: Also this script has a dependency to ZTIUtility.vbs, so if put it into another folder, make sure to copy ZTIUtility.vbs with it, or update the reference in line 2 of the script.

Here is the script: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Config-EnableWindowsStoreUpdates.wsf

1. Copy the script to your deployment share / scripts folder, and configure your build and capture task sequence to run it in the end of the State Restore phase (second WinPE phase).

Name: Enable Windows Store Updates
Command line: cscript.exe "%SCRIPTROOT%\Config-EnableWindowsStoreUpdates.wsf"

image
Task Sequence configured to enable updates of Windows Store applications just before capture.

Written by Johan Arwidmark.

About the author

Johan Arwidmark

5 1 vote
Article Rating
Subscribe
Notify of
guest
19 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Chris Falls
Chris Falls
1 year ago

Johan,
Line 5 of the Config-EnableWindowsStoreUpdates.wsf is missing a "Then" Statement. Also, Thank you for all that you do….

Matt
Matt
2 years ago

Regarding the Enable/Disable Windows Store scripts: I think I followed your instructions for setting up these two scripts. When running the TS, however, I am met with failure. The error message is: Failed to run the action: Disable Windows Store Updates. Incorrect function. (Error: 00000001; Source: Windows) I added the scripts to the script directory and set the steps up according to the instructions laid out in this post. Additionally, I read the entire post https://deploymentresearch.com/fixing-why-sysprep-fails-in-windows-10-due-to-windows-store-updates/ update: using version 1909, i ran the image creation and it didnt fail on the part which causes the need for these scripts anyway.… Read more »

Chris Falls
Chris Falls
1 year ago

IS there a resolution for this??

Docfxit
Docfxit
2 years ago

I'm getting an error when I run the script to Disable Windows Store Updates in Win10 Pro 1903. The error is:
Property LogPath is now = C:\MININT\SMSOSD\OSDLOGS
Microsoft Deployment Toolkit version: 6.3.8330.1000
Property Debug is now = FALSE
Getting crrent OS drive letter
Current OS drive letter is
About to configure offline registry settings
Windows version applied to harddrive is
Load the offline registry file
Unable to find the new OS registry file; Windows Store settings cannot be updated.

Do you have any ideas what I might be doing wrong?

Isaac Oliveira
Isaac Oliveira
2 years ago

Hi, i tryed to enable windows store updates using your script when we reboot the system and starts the second Windows PE phase, but the script got error and didn't capture the .wim. If you can help me on this case, please.

Isaac Oliveira
Isaac Oliveira
2 years ago

Hello Johan,
Thanks for your reply. I maked mistake when i copied cscript.exe "%SCRIPTROOT%\Config-EnableWindowsStoreUpdates.wsf", i dont know how but when i pasted this parameter, his insert space between % and \. After i saw this fail, i repair and done kkkk. So, in windows 10 pro i needed to use another script that remove all of Built-in apps to got capture the reference image.

Paul Ackland
Paul Ackland
2 years ago

Can you use this process with Win 10 Enterprise as well?

Alain NGATCHOU
Alain NGATCHOU
2 years ago

Hi,

I have the same issue. But i solve it by cleaning up (remove) all other users profile except local administrator's.

Craig Schultz
Craig Schultz
1 year ago
Reply to  Alain NGATCHOU

Removing all profiles except local worked for me too.

Ken Baker
Ken Baker
2 years ago

You've missed the \ in your command line


>