How to build a Windows 2012 R2 VMware Template

This is a template outline I have used several times and am very happy with it.  It should work great for you and if not then let me know.  I did this with vSphere 5.5 U1 and Windows 2012 R2.  I also used the vSphere Web Client as you will see in the screenshots.  I will keep this article current by using it as necessary and improving it when I learn something new so keep an eye on it.  I have more articles on templates and you can find them all – including this one here.

Things to get ready

You should have the following handy when you start.

  • vSphere infrastructure
  • Windows 2012 R2 ISO up on your virtual infrastructure – and know where it is!
  • Windows PID
  • You will need to use a utility to copy the profile that you can find here.  This is important as Microsoft has been working since Win2K8 to make it difficult to copy a profile – that we do a bunch of customization in, to the default user so after our template is used to provision, new users will get our customization.
  • You might consider to use the Microsoft EMET tool to secure your Windows 2012 template but I have not done that yet and am in fact hesitating.
  • You should have the VMRC ready to use, as it is a much better experience then using the normal remote console.  Find the bits here to install on your work machine, and you can read a little about it here.

Note: I am not installing the PVSCSI driver in this process.  I may add a new article for that, or update this one. Not sure yet.  I should also note that I am not using PVSCSI in any of my labs currently but plan on in the near future.


BTW, I am putting what I consider is more than I need to in terms of instructions and screenshots.  This is to make sure I can help the people that need more help, but yet I am trying to not put too much so I don’t put off those who don’t need more help.  You can always skim through if you only need a little help.  Update – Thanks to a comment from @vStorage I thought I would add a little more info on the process.  I do more configuration of the virtual machine below then I need to.  Some of my config can be done by GPO.  However, I like to be careful, and I think a little extra work on the VM before it becomes a template is good.  After all, it may not be used on the domain after all.

Virtual Machine and Operating System

  • Create a new virtual machine.  Use a good name.  For example I use wn2k12r2STD-TPL  (fifteen character limit here to remember).
  • I use a 40 GB drive C:, 1 vCPU, and 4 GB of RAM.  Both of those can be changed later after you deploy from this template.
  • You should change your Network type to VMXNET3, and attach the Win2K12R2 ISO.  See below for an example of what this should look like.
VM virtual hardware info
VM virtual hardware info
  • Note: this is the time we would do PVSCSI if we were doing that.  I will add that later but for now we will not cover it off.
  • Once we have this virtual machine created, we need to make some changes before we power it on.  So right+click on the VM and select Settings and change to VM Options.
  • We need to Enable the next boot to enter BIOS setup, and we need to Disable logging.  See below for what this should look like.
VM options to change
VM options to change
  • Before we power up, I like to use the Tags and Notes to identify this VM.  I find this useful, especially in big environments.
Notes and Tags Info
Notes and Tags Info
  • Now we can power up.  Do that and than use the right+click to open a console.  You should see the BIOS when you get the console open.
main BIOS screen for a VM
main BIOS screen for a VM
  • Now change to Advanced, and than I/O Device Configuration.
  • We want to disable the Serial, Parallel ports, and the Floppy controller.  Note, if we were doing the PVSCSI we would have to disable the floppy controller after the VM had the OS installed and running as the driver for PVSCSI is floppy based.
IO devices - disabled
IO devices – disabled
  • Now you can hit F10 to Save and Exit and you should boot right to the OS install.  If it doesn’t then when that happens to me it is due to my forgetting to connect the ISO.  You can change to the vSphere Web Client and connect the CD in the VM settings area and by the time you return to the Console it should be installing.  You may have to hit the Send Ctrl+Alt+Delete button to help.
  • The first place the OS stops and waits for you is seen below.


  • You can just hit Next to continue.
  • Of course that assumes you can actually mouse over to Next and click.  I do not have much luck with that and I find that the TAB key is more efficient – of course as no Tools installed yet to help! Again, with the VMRC in use this will work much easier.
  • You will need to enter a license.  I have to type it in as I am not able to do copy and paste successfully!
  • The next screen gives you a choice between installing Server Core, or Server with a GUI.  I suggest that you do the Server with a GUI.  It is more familiar and you can change to the Server Core later if necessary.
Server Core, or Server with a GUI - GUI Please!
Server Core, or Server with a GUI – GUI Please!
  • Again, the TAB key will help, and the arrow keys.
  • Accept the license and let’s go.
  • In the next screen you will be prompted to select a Type of Installation.
Make sure to use Custom choice
Make sure to use Custom choice
  • I was confused the first time I used this screen and I used the default choice which was wrong.  Not sure why it let me do that.  So make sure to use the Custom choice.
  • The next screen will ask you about where to install Windows.  We are not using PVSCSI so the disk is visible and we can actually hit Next.  If we were using PVSCSI I believe this is where we would load the required driver disk to see the disk.  (BTW, the floppy image is on a datastore.  You will need to browse to it via VM Settings, Floppy drive, Use existing floppy image, vmimages, floppies, and than select and use pvscsi-Windows2008.flp (or the appropriate floppy) file.)


  • Now we wait, and watch.
Watch now ....
Watch now ….
  • Like the screen says, there may be several restarts.
  • We will need to add a password to the administrator account.

Now we are done with the creation of the virtual machine, and install of the OS.  We now need to configure Win2K12R2.

OS Configuration – VMware Tools

I generally want to get VMware Tools installed and working so we can work a little easier (meaning that your mouse works now)!  If you work via the VMRC it will be much more pleasant.

  • We need to log in.
  • Once you are logged in, you will be in the Server Manager.  Change over to the vSphere Web Client and start the install of VMware Tools.  You will see the option for that on the Summary tab for the VM.  You can also find it when you right+click and select All vCenter Actions, followed by Guest OS and finally selecting Install VMware Tools.  See both of these options below.
Installing VMware Tools
Installing VMware Tools
  • Once you select you will see the option below.


  • I have had some odd experiences installing VMware Tools in Win2K12R2.  Sometimes it works best if you can click on the popup of how to handle the CD message.  Sometimes you can close and open the Console to make things work a bit better.  But this is frustrating.  In Win2K8 and Win2K8R2 this was manageable since the install could be unattended and just restart.  But for whatever reason I cannot do that any longer with Win2K12.
  • The best advice for this is stop the install (unmount is the term) and start it again if necessary.  Than use the TAB button. Use it to move to the Server Manager in the task bar.  Than use the arrow keys to arrow over to the Explorer option, and than use the TAB and arrow keys to maneuver through the Explorer until you can select the VM CD.


  • Now you can use the Return key to start the process.  Again the TAB key will help enormously and before you know it the mouse will work nice.  Restart when prompted.

OS Configuration – Tweaks and Tuning

In this phase we tweak the OS and get it ready for a wide range of potential use.  Meaning this is the template that is most general.  It will be used to make other templates that are more specific – such as SQL.  The changes below are the ones I make, and think useful but in this section you make the changes that work best for you and your organization.

  • We need to log in again so we can start making changes.  Yes, our mouse should work good now!
  • I like to get the Date / Time right first.  So first do the Time Zone.  Click on the Clock in the taskbar and select Change date and time settings …
  • When we first started all of this you may have noticed that the time of the VM was way off.  In fact it was in Zulu or Universal Time because the host time was when the VM started.  But now with the right Timezone it should be the right time.  If not, your ESXi host may have the wrong time.
  • I also like to have the 24 Hour clock in use so this is when I do that change (Change date and time, Change calendar settings, followed by changing to the Time tab).
  • We should be back in the Server Manager now.  Use the Local Server setting in the top left corner and you will see something like below.


  • We will make a number of changes here.
  • Lets start in the top right – we want to work with Manage \ Server Manager Properties.


  • Literally only one thing to change.  We want to select the check-box for Do not start Server Manager automatically at logon.  Don’t forget it is in the task bar all of the time – it has a toolbox in the icon.
  • Now we want to get fully patched.  Again in the top right, we can see Windows Update, and it shows as Not Configured.  Configure it as appropriate in your world.  On 2/10/16 when I went through this article again, it was around 170 patches for 1.65 GB and after that was done and I checked later there was still some outstanding.
  • Now update until there is no more patches.  Reboot as necessary.  BTW, the way I reboot is to right+click on the bottom left corner where you see the funny Windows icon.  Than use Shut down or sign out and select Restart.  This is a very powerful Right Click!


  • See all of the choice on this menu?  Very handy.
  • Once you restart, and log back in, please start up the Server Manager again.  It is the first icon in your task bar.
  • Select Local Server again.
  • You should start with Computer name and change it to match your VM name.  You will be limited to 15 characters and that is a little tight so there may be a change.  Restart later.
  • You can use the Advanced option here on System Properties (found in Server Manager by clicking on Computer Name) to tweak the Performance in Visual Effects for Adjust for best performance.


  • Also on the Advanced tab you can change the Startup and Recovery settings so that the Time to display is changed from 30 to 5.  Some people will deselect the option to Automatically restart here but it is something rather to think about.
  • While in here remove the swap (page) file – we will add it back later (found in Performance Settings / Advanced).
  • Now tweak the Firewall if necessary.
  • Do you need to change the Remote Management option – I suggest not if you are not sure.
  • You very likely need to change the Remote Desktop option.  To add users (or even better groups) it is a little hard if you are not in the domain.  If you cannot, during deployment from the template when the server is added to the domain you can manage the users (using for example Restricted Groups).
  • We will tweak the network now.  We likely do not need QoS Packet Scheduler or TCP/IP v6.  By the way, when you are back in Server Manager if you do not see what you think you should, than use the Refresh button at the top of the screen and it will update things so they look more appropriate. You can click on the IPv4 in Ethernet0.  Update, MS recommends we keep IPv6.  See updates at the bottom for more info.
  • Windows Update may show never updated but it has been so ignore that.
  • We generally want to enable Windows Error Reporting and Customer Experience Improvement Program.  Both of these end up helping users and we are users so that is good!
  • Often people will change IE Enhanced Security Configuration to off.  I am turning it off for Administrators.
  • Now we should add features.  Scroll to the bottom of the Server Manager page.


  • Now you can select Add Roles and Features from under the Tasks menu.
  • Roles is where you would add things like IIS.
  • I like to add Telnet Client as a feature to help with testing.  This is where you might add things like .NET or IPAM.
  • Now leave Server Manager.
  • I like to pin IE to my Task Bar.  So click on the Window icon in the bottom left.  This will change your desktop to Aero.
  • Now right+click on IE and select Pin to taskbar.  Now return to the normal desktop.
  • Right+Click on the Window icon in the lower left corner and select Control Panel, followed by Hardware.
  • We want to use High performance in the power plan.  You can also set the Turn off Display here to never.
  • Now start IE and save the home page as About:blank.
  • We need to make a change at the command line before we restart.  So right + click on the Windows icon at the lower left and select Command Prompt (Admin).
  • Use the following command at the command line.

powercfg -h off

  • We should disable the index on drive C:.  Use Explorer to explore This PC and right+click on drive C: and select Properties.  You will see at the bottom of the screen the option to disable indexing – you will need to deselect the check-box “Allow files on this drive to have contents ….”.
  • Now we should defragment the drive. This option is on the Tools tab.: and select the Optimize option.
  • While you are here you should disable the weekly optimize option as it is not necessary.
  • Often people will want to lower or disable the User Account Settings.  You can do that by right+click on the Windows icon in lower left corner and select Control Panel, followed by System and Security, than select Change User Account Control Settings.  Chose the setting that is best for you.
  • Now we should restart.

Configuration – Installing software

We only install software here that we really need and is useful for most users.  Some of what I install is listed below.  Remember this template is general and will be used to make the SQL template (with the addition of SQL) or any other software.  So software that will be used by most users like – anti – malware, Acrobat Reader, maybe some helpdesk or troubleshooting tools should be installed..

  • Bginfo – see this for help.
  • Acrobat Reader – make sure to open it to accept the EULA and update if necessary.
  • Google Chrome
  • Autoruns – a great tool to make sure you know what starts with your server.
  • Process Explorer – a great tool for troubleshooting.
  • 7-Zip – from here more flexible than what is built in – for example can extract ISO.
  • Thanks to StuartM I now suggest installing the Sysmon utility which you can find here.  You may not want it running all of the time but you might.
  • Generally by now I am prompted to activate the Microsoft license.  I do let it activate.  If you don’t you may have some issues with sysprep.  You can see more about this in this article.

Note: For things like Chrome and Acrobat they will install fine since they have installers and they can be found on the Aero Desktop as you might expect.  For things like BgInfo and Autoruns which have no installer it is more complex.  Use the info in the BgInfo article to help.  Basically you will create a Utilities program group for them and install them manually.  This is an example of software that is harder to install via GPO since they have no MSI.

Ready to make it a template?

We are ready to make this virtual machine a template now.  If you have connected it to the domain previously, for reasons such as getting the GPO’s to help configure it you should remove it from the network now.

  • Enable the swap file.
    • Start Server Manager, select Local Server
    • Click on Workgroup, than select Advanced
    • Select Settings in Performance.
    • Now select Advanced and select Change in the Virtual Memory section.
    • You can select Automatically manage paging file size for all drives if that works for your organization.  I should mention that I like to have a separate drive and put the paging file on it.
  • If necessary remove this VM from the domain and restart.
  • I always like to check Windows Update before I finish and yes, today I did find a bunch of updates that I did no find earlier.  So I update and restart as necessary.
  • Disconnect the ISO and reset to Client Device.
  • Remove the backup copies of the patches – use this command – dism /online /cleanup-image /StartComponentCleanup /ResetBase – note – this may take a few minutes!
  • Make sure you are really ready to proceed!
  • We now need to manage the profile
    • We first install the Copy Profile tool – called DefProf.
    • We use it to copy my profile to the Default Profile – unzip, and execute defprof your_account_name and you are done.
    • When that is done we remove the tool,
    • And shut the VM down.
  • Once the VM is shut down we are ready to turn it into a template.
  • I generally now do an update in the Notes section to account for what I have done.


  • Now we use right+click on the VM, select All vCenter Actions and Convert to Template as seen below.


  • Done.  We now have a Windows 2012 R2 template.

 Deploy from Template

I suspect everyone knows how to deploy from this new template but remember that any passwords put into the customization script should be done using the vSphere Client and not the vSphere Web Client.  I also suggest using the following commands in the Run Once part of the customization specification.

  • powercfg -h off
  • bcdedit /timeout 5

I have seen a lot of different things done via Run Once.  Scripts for example that install applications, or do inventory related tasks, so remember that and you can use it as you need.  Always test your deploy from template.  In particular make sure the joining the domain works.

If you need help with custom spec you can learn how to create, and use them in this article.

Things to think about

  • I believe that if the User Profile Manager tool works for you that it should be purchased.
  • If you are doing a template that has a bunch of drive letters – like a SQL server, you will lose the order of those drive letters after you deploy.  It can be fixed – problem avoided – if you use the info in this article.  Thanks Michael for this!

Updating your Template

You should update your template approximately once every month or so.  This will allow you to catch any outstanding patches for the OS as well as application patches.  Just convert the template to virtual machine, turn it on, patch, than restart it, and convert it to template.  You may consider joining it to your domain to catch new GPO type stuff that may be sticky but remember to remove it from the domain before you turn it back into the template.


I found useful information in a variety of places.  In particular at the links below.

  • How to build a Windows 2012 VMware Template – here
  • In-the-Lab: Windows Server 2008 R2 Template for VMware – here
  • Microsoft Windows Server 2012 Tips – here
  • Windows Server 2012 R2 Template on ESXi 5.5 vSphere – here
  • CopyProfile help from Microsoft – here
  • Microsoft EMET 5.0 tool – here
  • Windows guest customization fails after cloning a VM – here


I plan on keeping this page updated with what I am using and what works well!  I will use this section to update you with what I updated when I do updates.

  • 3/11/18 – added the link for help with custom spec.
  • v2.5 – 7/21/16 – Thanks to Matt, I found out I had an old like for the VMRC.  It has now been fixed. And I made the screenshots bigger – so I could seem them better.
  • v2.5 – 2/10/16 – went through this again, made a few small changes for clarity.
  • v2.4 – 2/1/16 – Thanks to @sak68 I found out that Microsoft recommends to not disable IPv6.  Very surprised but you can see more here. A  little disappointing actually, as I think that this is a little odd.
  • v2.4 – 7/11/15 – added link that helps with troubleshooting and a situation to be avoided.
  • v2.4 – 3/4/15 – added the comment about how DISM might take a little while.
  • v2.4 – 1/4/15 – added some verbage and link to Michael Websters article on Dude Where’s my Drive Letters?
  • v2.4 – 11/5/14 – added link to Sysmon – thanks to Stuart for the suggestion.
  • v2.31 – 8/10/14 – added the link to the EMET tool.
  • v2.3 – 7/27/14 – added the command to remove the backup copies of Windows Update patches – thanks to Andreas for this.
  • v2.2 – 7/20/14 – miscellaneous grammar and spelling updates.
  • v2.1 – 7/18/14 – updated with DefProf instead of User Profile Manager 2.6.
  • v2.0 – 6/14/14 – updated with updated process and new tool (thanks to Chip for the idea on using the tool).
  • v1.3 – 5/26/14 – updated various areas to make it smoother and more clear.
  • v1.2 – 5/25/14 – don’t use the Update suggestions above.  Found some odd stuff when updating Win2K12 templates so I need to confirm things.
  • v1.2 – 5/18/14 – miscellaneous grammar and spelling plus some small clarification.
  • v1.1 – 5/18/14 – added info on process (thanks @vStorage) and info on BGInfo (thanks @seanpmassey).
  • v1.0 – 5/17/14 – first published.

As always, comments welcome and in fact appreciated!  Also, if you have suggestions on how to make this better let me know.


=== END ===

100 thoughts on “How to build a Windows 2012 R2 VMware Template

  1. Hi Michael,

    I think it is worth to mention that you can significantly reduce the disk footprint of your Windows 2012 R2 template (and any machine deployed from it) by running

    dism /online /cleanup-image /StartComponentCleanup /ResetBase

    This will remove all file backups created by previous Windows Update installations. You won’t be able to uninstall any patch after that, but you will rarely need this, and the risk is well worth the several GB of disk space that this frees up.



      Two more suggestions to VM prep, as I do these for my View client template
      – “net stop wuauserv” then follow by “rd /s/q c:\windows\softwaredistribution” to get more disk space back
      – “ipconfig/release” – so there’s no possibility of conflicting IP addresses as you clone
      then finally shut it down

  2. Thanks Michael, Great walk through. I had a question though. Are you not running sysprep before converting to template?

    1. Hi there,
      No, I do not run sysprep before turning the VM into a template. I let the process of provisioning do that. Plus, I use the tool i mention in the article to copy the profile. So no need to do a sysprep before.


  3. Have an issue using this. My GM has a C: and S: drive s drive is for the swap file and it works fine. However when I convert to template and deploy from it. Once I join the domain I get a constant error that the pagefile needs to be recreated. Also seems the P drive was renamed to D in the joining of the domain.. Any ideas how to fix this? We just want the pagefile on S not c:

    1. Hello Glenn,
      In one of my old work labs we did the same thing as you with the swap file but we put it on D: and it came through just fine using my article. I wonder if you could try that? I think your issues are all related to how the drives are managed or rather not managed. You may want to talk to MS on this. I will try working with this next time I upgrade my template process.

      Sorry not more help!

  4. Tried using defprof directly from the website… version. I ran the executable from the desktop in the folder which was created after the unzip……but nothing glorious happened. I was trying to copy a base image from a workgroup only using the admin account. Is htere a tutorial for dummies. I went to the site but most of the guide references a domain account.

    1. Hi there,

      I did not do much with the tool. I copied it to a c:\utils folder that I stash various utilities in. I may have done a Run As Admin for it. Remember that your_account_name in the article is your account that you have done all of the customization with. It should be a local admin or better.

      Sorry not more help!


  5. Hi Michael, thanks for a great guide.
    I just followed your guide (to the letter!) to build a new Win2012R2 template for one of my new environments, thinking it would solve a deployment problem I have.
    Sadly, it did not solve anything, but maybe you know how to solve it?

    I’m deploying the template via the Windows Client, using a pretty basic Customization Specification (sets IP, runs some scripts for domainjoin etc), but the deployment process stops without any errors or logmessages at all right after the VM Event Log records “Started customization”. Some logs are written to c:\sysprep inside the VM, but that’s about it.
    A very frustrating issue, with no apparent solution, even over at VMware Communities (I’ve been working to solve this problem for 3 days now).

    VMware ESXi 5.5 U2
    VMware vCenter 5.5 build 2001466

    Any tips appreciated.

  6. Hello Michael, and thanks for a great guide.

    I followed your guide (to the letter) to create a new Win2012R2 template for one of my new environments, which I thought would solve a problem I’ve been experiencing. Sadly, it did not, but perhaps you can provide any tips or assistance on the matter?

    The template is deployed to a virtual machine via the Windows Client, using a basic customization specification (sets IP address, runs some scripts for domainjoin etc.), but once the VM is powered on after deployment, the customization process never runs correctly. In the VM Event Log (vCenter) I can see the entry for “Started Customization”, but not much happens after that. Inside the VM, I can see that some logs have been written to c:\sysprep which states that things are OK – although it does have entries about setting the NIC to DHCP, which is incorrect.
    All in all, customization never runs, and deployment ultimately fails.

    VMware ESXi 5.5 U2 build 1993072
    VMware vCenter 5.5 build 2001466

    Any tips would be greatly appreciated!

    1. Hi there,

      My guess is that you might have an issue with the scripts. Trying doing a deploy where your customization has no run once scripts assigned and see how it goes.

      I would also suggest that if you used the vSphere Web Client – like I do – you should re – enter the passwords for the admin account and joining of domain account password using the vSphere C# client.

      Also see if this KB article can help:

      If you still have no resolution, I suggest you submit the vC and ESXi logs and do a support call. If you figure things out please let me know what the issue was!

  7. Why do you defrag a VM? Doesn’t that end up inflating your VM if it’s otherwise thin provisioned?

    1. I do a defrag for efficiency and as a past habit. you are correct that in some circumstances it will inflate the VM disk. I asked others who do this and they agree that the do it, and that it might expand things, but it can help performance. I will add a note about this next update to my process.



    1. I do not use the tiles often so I had to go and look to see. But no, I do not have any examples of odd issues with tiles. I will be updating my template soon and will watch for this. Currently I have no idea on what to suggest.


  8. Does anybody clear their WSUS id? I have had problems in the past with other Windows versions where machines deployed from template would retain the WSUS id and so only one of them would appear in WSUS at any one time.

    Now when I create a template I delete
    SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId and SusClientIdValidation

      1. No. I import a registry key to set the WSUS server.
        The template machine can then update itself using the internal server. If I don’t delete the SusClientID keys, when I deploy the machine (confirmed for windows 2003 and 2008 but not yet for 2012) we found that the machine would continue using the same wsus id whether or not it was joined to the domain… Since all the vms had the same id only the last one to update would appear in WSUS.

      1. Have you trued “wuauclt.exe /resetauthorization /detectnow /reportnow” after deploying the template?

  9. Thank you for this great article! I just want to mention that you sometimes use the word “than” instead of the correct word, then. For example, “Than use the TAB button…” and “Than use the arrow keys…” I thought you might want to correct it.

    1. Thanks for this. You are right, I quite have trouble with Then and Than. I am working to get it right. Sorry for the hassle of reading what has bad English in it. I will keep working on it.


  10. Does anyone have a Post template deployment checklist?

    For example, Check SID’s WSUS ID’s, etc.

    1. Thanks for this. Very good info. Not sure if I want to make this change on the template so that all virtual machines get it. Maybe yes, maybe not. But a very good reminder for everyone!


  11. Hey Micheal,

    Not sure if you are still responding to this article but, I am having an issue with the this.

    I have a very very vanilla template, win2k12 DC, VM Tools, no updates, chrome/adobe. Whenever I deploy from template I get a windows boot error screen or a corrupt disk error.

    Do you have any idea what may be the issue?

    1. I have never deployed a DC from a template. I always do the dcpromo after deployment. If you change the template to a VM, and start it does that work? If you could try that, and have it restart twice that would be good. Then try the deployment again.


      1. Sorry, I mean dc=datacenter edition. The vm template had no roles installed. Also changing the template back to a vm works without issue.

    1. I like to do some tweaks, and things like BGinfo, and I want to make sure that those program icons, or program links, are available to the new user logging in. I don’t want new users logging in after the deployment and have to look for things like a program link.


  12. I was able to make some tweaks to my own templates with ideas from your guide. The default profile copy info was particularly helpful. Thanks!

  13. Hi Michael,

    Thanks for the guide, this will be really helpful. How do you avoid any issues with conflicting SIDs when deploying multiple VMs from this template without SYSPREP? Is this something VMWare handles itself as part of it’s process?

    Thanks again,


    1. Hi Martin,

      If you don’t use the customization specification that VMware suggests (and I strongly suggest) there will be an issue with SID’s. I think there is a utility available via google called newsid.exe that you might think of using to avoid issues.

      But the customization spec is easy to use, and it does take care of providing new SIDs so you will not have an issue. I believe this is what you should use.


      1. I finally got round to trying this out yesterday and it was great. Thanks again.

        One weird thing I found was that the NIC wasn’t connected on power on despite having that option selected and so very few of the customisation specifications applied. It happened both times on the two VMs I deployed, the first time I figured I must have forgot to choose to connect on power on but the second time it was definitely checked off but didn’t apply.

        Ever come across that before?

        This is on vSphere 5.1 if that makes any difference.

      2. Hi Martin,

        I have not seen this issue for some time. I think it was an old problem that was fixed. I would also suggest that you should confirm that your template is on the right network and can use the network before you turn it into a template. I would also suggest you try and update. While vSphere 6 might be too far out for you 5.5 U2 is a good level to be at if possible. And I tested my stuff on it and know it works as advertised.

        Sorry not more help,


  14. So I seem to be having trouble using the Defprof tool. I did all of my customizations on the Administrator profile (pretty much just bginfo) and then created a temp account to perform the copy profile since Defprof warned me about copying the profile while it was logged in. When I ran Defprof it asked if I wanted to install AppX manager service. I said no since I didn’t see that in your guide, and it said it copied the profile successfully. However, when I created a new user account and logged in there was no bginfo 🙁 Any thoughts/suggestions?


      1. Hey Michael,

        Any chance you’ve been able to replicate or have any thoughts on a solution for this problem? I had to go ahead and proceed with that computer, but I’m hoping to make a template out of a good, completed build following your guide here. I might try this a second time, but it takes quite a while to go through all the steps, so I don’t want to go through it all again for the same problem to occur 🙁



      2. Hi Moose,

        Sorry, I work at a startup and have a heavy workload. I have started on this a few times but have not gotten further then confirming he issue. I have someone to assist on this so hopefully in the next few days.

        Very sorry on delay!


      3. I understand – glad to hear you’ve got some help! I’ll hope to hear an update soon! 🙂

      4. Hello again,

        This has gotten werid. I was able to reproduce this. But today with two of us ready to solve it, there was no more issue. One thing I noticed is that I had done MS updates since I last tested. Will be working on this more tomorrow. Sorry no answer.


      5. Hello again,

        So I can consistently repeat this bad behavior. If I deploy from template, and log on with my domain cred’s I cannot start BGinfo or autoruns or procexp. But if I run Windows update, and restart, now I can click on those icons and start those apps. This does not explain the why or the what, and i apologize for that, but at least it works.


      6. Alright, I’ll have to try this out when I get a chance and see where I get with it. I’m not sure how soon I’ll be getting to setup another template though. I’ll keep you posted whenever I get to it!

  15. Do you guys actually make all these changes to production servers? Jesus. I wouldn’t want any of you near the stuff I manage. Workstation images are a different story ..

    1. HI Lee,

      Yes, in fact I do make these changes to production servers, and I have for years. It makes sense to me to add in troubleshooting, or consistency. Even some help for security related stuff.


  16. Where are the customization files stored, we just built a new VC 5.5 U2e and used the appliance this time rather than the windows based VC so far so good (1 day). But how can I move the customization specs to the new VC?

    1. Hi Tony, You should use the option to export when editing the files – it will not export the passwords in a usable state so you will need to update that. No UI here right now, but both C# and Web Client have option called Customization Specs on the ‘home’ screen where you can see all of the custom specs and export as needed.


  17. Having an issue recently with pushing out server 2012 R2 from vm template. I am able to activate windows with no issues from within the template. When I push out a server from the template using an answer file I created in vcenter the resulting server will not activate. The key is correct in the customization file. I have been pushing out vms for years here and have never run into this. Ideas? Thoughts?

    1. I am fighting a similar issue right now in that my View 7 desktops don’t join the domain during deployment. Used to wok fine but now doesn’t. And my Win2K12 is still working fine. I gave up and have reached out to VMware. Think maybe you should. You may find help or clue in %windir%\temp\vmware-imc on the deployed machine. Sorry not more help,


    1. Hi there, thanks for keeping track of things and contributing. I did not know Microsoft suggested keeping IPv6. The reasons are funny in that they suggest that they might start using it. Which is odd as think of what would need to be changed in our sites to support that. But I will update the article to reflect their suggestion. As for E1000e you can find that as of vSphere 5.1, that E1000e or VMXNET 3 are both supported. In fact your article talks abut the advantage that VMXNET3 brings and it is more then E1000b. The recommendation to use VMXNET3 is still appropriate and accurate.

      BTW, you can see that VMXNET3 is recommended when you check the HCL as seen here.


  18. I just wanted to see if i’m seeing something new or missed a step.

    when disabling indexing for Drive C:

    i dont see a disable indexing check box, i see

    compress this drive
    allow files on this drive to have contents indexed in addition to file properties (checked by default)

    i removed the check and applied. it took almost an hour to apply this change to all the files in winsxs

    surely this isn’t how that was suppose to go, if so, you may elaborate on this a bit.

    i looked high and low for a disable indexing on drive c: for windows server 2012 r2

  19. Hey Mike,

    Great article! I’m new to this process and was just handed off the updating of the template on a monthly basis in my organization.

    I have one question on your comment “You may consider joining it to your domain to catch new GPO type stuff that may be sticky”.

    Does this mean that GPO settings in our AD hardening GPO’s remain on the server after adding the server to the domain and removing it again?


    1. Hi Mike, sorry for late response. Was on PTO. I am still an amateur GPO guy. But yes, there is some GPO config that will stay after you remove a server from the domain but not much and I do not know exactly what.


      1. Many (but not all – it’s the exceptions that prove a rule, right? :)) GPO settings stay unless explicitely over-ridden by a conflicting setting – if nothing conflicts, the setting “sticks”. This is one of the reasons why sometimes to cancel a GPO setting (automatic proxy configuration for IE for example), you actually have to negate the “enabled” setting for a period of time – just removing the GPO that set the option to “enabled” just leaves it sitting in an enabled state – a user can change it, but until they do, it stays in the last “state” that was set.

  20. Hi Michael,

    What do you think about the following template handling?
    Use “Clone to Template” function to make a template from the VM, instead of Converting. In that case you do not need to convert it back to Virtual Machine all times when you need to update the template.
    When the update is completed on the original VM, just delete the previous template and create a new one with “Clone to Template”.

    Many thanks,

    1. Hi Richard, sorry for late response. Been on PTO. What you describe will work. But I think of my template as a permanent thing. So it is licensed for example, so I don’t want to lose it. The convert back, or to, don’t take long so I am comfortable with it. Plus I have a good audit trail. But, if it works better for you then good!


  21. Do *not* disable or remove IPv6. It is critical for servers to register themselves in AD/DNS/etc for some services which they run.

    You can generally safely remove QoS Packet Scheduler, as well as the two Link-Layer services

      1. Yeah, my bad – I didn’t finish reading the section, you did call it out at the end of the sentence, and included a TechNet article link. Sorry! 🙂

  22. Hello Michael,
    And thank you for all your insights and guides throughout the years. It is really appreciated.

    Would you care to create a template instruction for Server 2016 and give us your insights?
    Best Regards,
    Nils Bernlo

  23. something to think about right before saving the golden image, clear all the event logs:

    (Get-WinEvent -ListLog *).logname | ForEach-Object {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog(“$psitem”)}

  24. Wouldnt you want to do sysprep?? this template of yours will deploy Windowa with same sid on all VMs.

    1. Hi there,

      This is the second time someone has said this to me. But no, this is not true. The VMware template deploy process will make sure the SID is not the same on all VMS. Positive and for sure.


  25. Great article!!
    What do you think about running CCleaner – Run Cleaner and Reg Cleaner?

    1. I like those tools, but when I build the template from scratch it seems to me that not much should need to be cleaned? I guess I should try it one day.

  26. disable 8dot3name creation is a good idea too : fsutil 8dot3name set 1

  27. Hi Michael,

    Great guide! Thanks so much for this. I have a question though. Is anyone else running into issues with the defprof tool. Whenever a new user profile is being created I receive an error that an application up upwpm2.exe fails to start. Then the start menu tiles error out for the user until you remove a tile (any tile). Any help with this would be greatly appreciated.

    1. Hello Fabian,

      I am sorry to hear of your trouble. I have not seen that issue myself, and I have not heard of anyone having this issue either. Next time I update my template I will see what happens and if I can learn anything. Is the account you are using defprof with a domain or local admin? That is important. Not sure of the cost, but if you buy defprof it does come with support.

      If I learn anything I will let you know, and update the article.


Leave a Reply