How to build a Windows 2016 VMware Template

This is a template outline I have used several times and am very happy with it.  It should work great for you and if not then let me know.  I did this with vSphere 6.0 U2a and Windows 2016.  I also used the vSphere Web Client as you will see in the screenshots.  I will keep this article current by using it as necessary and improving it when I learn something new so keep an eye on it.  I have more articles on templates and you can find them all – including this one here.

I would also like to mention that you do not have to do everything I do below.  While it works for me and is a good idea for me, it may not be a good idea for you. For example, if you don’t have a server in the DMZ, and all your servers are always on your domain, then maybe much of the manual config I do below is better off done in your GPO.

Things to get ready

You should have the following handy when you start.

  • vSphere infrastructure
  • Windows 2016 ISO up on your virtual infrastructure – and know where it is!
  • Windows PID
  • You will need to use a utility to copy the profile that you can find here.  This is important as Microsoft has been working since Win2K8 to make it difficult to copy a profile.  We do a bunch of customization as a user, and we want to copy it to the default user so that after our template is used to provision a new VM, new users will get our customization.
  • You should have the VMRC ready to use, as it is a much better experience than using the normal remote console.  Find the bits here to install on your work machine, and you can read a little about it here. The VMRC is a most excellent way to do this sort of thing so I recommend you be quite familiar with it if you are not.  It is what I use for all console sessions now.


BTW, I am putting in what I consider more instructions and screenshots than I need to.  This is to make sure I can help the people that need more help, yet I am trying not to put in so much that I put off those who don’t need it.  You can always skim through if you only need a little help.  I do more configuration of the virtual machine below than I need to.  Some of my config can be done by GPO.  However, I like to be careful, and I think a little extra work on the VM before it becomes a template is good.  After all, it may not be used on the domain.

Virtual Machine and Operating System

  • Create a new virtual machine.  Use a good name.  For example I use w2k16-TPL  (fifteen character limit here to remember).
  • I use a 50 GB drive C:, 1 vCPU, and 4 GB of RAM.  Both vCPU and memory can be changed later after you deploy from this template.
  • You should change your Network type to VMXNET3, and attach the Win2K16 ISO.  See below for an example of what this should look like.


  • As we create this virtual machine, we need to make some changes before we power it on.  So change to VM Options as seen above in the screenshot.
  • Note: if you enable UEFI boot, you will be able to use Secure Boot in vSphere 6.5.  Why?  This would protect you from rootkits.  If a rootkit takes over the VM during boot, it will be detected and boot will not complete.  When I can I will document this better.
  • We need to Enable the next boot to enter BIOS setup. See below for what this should look like.


  • Before we power up, I like to use the Tags and Notes to identify this VM.  I find this useful, especially in big environments.


  • Now we can power up and select the Launch Remote Console option – as seen below. This is the VMRC option, which is very nice to work in.


  • You should see the BIOS when you get the console open. I am doing this with VMRC on a Mac, so it looks a tiny bit different than if you do it on Windows.


  • Now change to Advanced, and then I/O Device Configuration.
  • We want to disable the Serial, Parallel ports, and the Floppy controller.

IO devices - disabled

  • Now you can hit F10 to Save and Exit and you should boot right to the OS install.  If it doesn’t, then when that happens to me it is because I forgot to connect the ISO.  You can change to the vSphere Web Client and connect the CD in the VM settings area and by the time you return to the Console it should be installing.  You may have to hit the Send Ctrl+Alt+Delete button to help.
  • The first place the OS stops and waits for you is seen below.


  • You can just hit Next to continue.
  • As we are using the VMRC we can actually use our mouse here.
  • You will need to enter a license.  I have to type it in as I am not able to do copy and paste successfully! I have been asked why I license my template.  A template gets lots of attention, and they enable fast and tuned provisioning.  I customize a template a lot so it is around for a long time so it needs a license.
  • The next screen gives you a choice between installing with a Desktop Experience or not.  I suggest that you make an informed decision.  What is this template going to be used for? Unlike in Win2K12 you cannot change your mind later.  As I am going to use this template for things like Veeam, SQL, and other things that I still need the GUI version I am going to do this with the Desktop Experience.


  • Next to continue.
  • Accept the license and let’s go.
  • In the next screen you will be prompted to select a Type of Installation.

Make sure to use Custom choice

  • As in Win2K12, I see the wrong choice is selected here in Win2K16.  Not sure why, so make sure to use the Custom choice.
  • The next screen will ask you about where to install Windows.  We can actually hit Next.


  • Now we wait, and watch.

Watch now ....

  • It takes a while.
  • We will need to add a password to the administrator account.

Now we are done with the creation of the virtual machine, and install of the OS.  We now need to configure Win2K16.

OS Configuration – VMware Tools

I generally want to get VMware Tools installed and working so we can work a little easier (meaning that your mouse works better)!

  • We need to log in – I am still working in the same VMRC session.
  • Once you are logged in, you will be in the Server Manager.  Change over to the vSphere Web Client and start the install of VMware Tools.  You will see the option for that on the Summary tab for the VM.  You can also find it when you right+click and select All vCenter Actions, followed by Guest OS and finally selecting Install VMware Tools.  See both of these options below.

Installing VMware Tools

  • Once you select you will see the option below.


  • I have had some odd experiences installing VMware Tools in the past, but it seems easy enough in Win2K16 so long as you open up the DVD, and Run as Admin on the setup64. I wrote up this issue in this article.


  • Normal install now, and you can Restart when prompted.

OS Configuration – Tweaks and Tuning

In this phase we tweak the OS and get it ready for a wide range of potential use.  Meaning this is the template that is most general.  It will be used to make other templates that are more specific – such as SQL.  The changes below are the ones I make, and think useful but in this section you make the changes that work best for you and your organization.

  • We need to log in again so we can start making changes.  Yes, I am still using the VMRC.
  • I like to get the Date / Time right first.  So first do the Time Zone.  Click on the Clock in the taskbar and select Adjust date / time.
  • When we first started all of this you may have noticed that the time of the VM was way off.  In fact it was in Zulu or Universal Time, because the VM took the host time when it started.  But now with the right Timezone it should be the right time.  If not, your ESXi host may have the wrong time.
  • I also like to have the 24 Hour clock in use so this is when I do that change (Adjust date / time, scroll down to Change date and time formats).  See below what it will look like after the change to 24 hour clock.


  • We should be back in the Server Manager now.  Use the Local Server setting in the top left corner and you will see something like below.


  • We will make a number of changes here.
  • Let’s start in the top right – we want to work with Manage \ Server Manager Properties.


  • Literally only one thing to change.  We want to select the check-box for Do not start Server Manager automatically at logon.
  • Now we want to get fully patched.  Again in the top right, we can see Windows Update.  Configure it as necessary.
  • Now update until there are no more patches.  Reboot as necessary.  It feels to me like patching has taken longer than the darn install.  BTW, the way I reboot is to right+click on the bottom left corner where you see the funny Windows icon.  Then use Shut down or sign out and select Restart.  This is a very powerful Right Click!


  • See all of the choices on this menu?  Very handy.
  • You can also remove the CD now from the VM.  It is done via Edit Settings on the Summary screen in the vSphere Web Client.
  • Once you restart, and log back in, please start up the Server Manager again.  If necessary it is the first tile on the desktop.
  • Select Local Server again.
  • You should start with Computer name and change it to match your VM name.  You will be limited to 15 characters and that is a little tight so there may be a change.  Restart later.
  • You can use the Advanced option here on System Properties (found in Server Manager by clicking on Computer Name) to tweak the Performance in Visual Effects for Adjust for best performance.


  • Also on the Advanced tab you can change the Startup and Recovery settings so that the Time to display is changed from 30 to 5.  Some people will deselect the option to Automatically restart here, but that is something to think about.
  • While in here remove the swap (page) file – we will add it back later (found in Performance Settings / Advanced).
  • Now tweak the Firewall if necessary.
  • Do you need to change the Remote Management option – I suggest not if you are not sure.
  • You very likely need to change the Remote Desktop option.  To add users (or even better groups) it is a little hard if you are not in the domain.  If you cannot, during deployment from the template when the server is added to the domain you can manage the users (using for example Restricted Groups).
  • We will tweak the network now.  We likely do not need QoS Packet Scheduler.  By the way, when you are back in Server Manager if you do not see what you think you should, then use the Refresh button at the top of the screen and it will update things so they look more appropriate. You can click on the IPv4 in Ethernet0.
  • Windows Update should show that we have done updates.
  • In the Feedback & Diagnostics Settings area you can determine what Diagnostic and usage data you want to share with MS.  I actually select Full as I know how good for me it is for them to have that info.
  • Often people will change IE Enhanced Security Configuration to off.  I am turning it off for Administrators.
  • Now we should add features.  Scroll to the bottom of the Server Manager page.


  • Now you can select Add Roles and Features from under the Tasks menu.
  • Roles is where you would add things like IIS.
  • I like to add Telnet Client as a feature to help with testing.  This is where you might add things like .NET or IPAM.
  • Now leave Server Manager.
  • Right+Click on the Window icon in the lower left corner and select Control Panel, followed by Hardware.
  • We want to use High performance in the power plan.  You can also set the Turn off Display here to never.
  • Now start IE and save the home page as About:blank.
  • We need to make a change at the command line before we restart.  So right + click on the Windows icon at the lower left and select Command Prompt (Admin).
  • Use the following command at the command line (I have had trouble confirming it is necessary on Win2K16 but I can say it doesn’t cause an error!).

powercfg -h off

  • We should disable the index on drive C:.  Use Explorer to explore This PC and right+click on drive C: and select Properties.  You will see at the bottom of the screen the option to disable indexing – you will need to deselect the check-box “Allow files on this drive to have contents ….”. It will take a few minutes to complete this.
  • Now we should defragment the drive. This option is on the Tools tab: select the Optimize option. Yes, it does take a while.
  • While you are here you should disable the weekly optimize option as it is not necessary.
  • Often people will want to lower or disable the User Account Control settings.  You can do that by right+click on the Windows icon in lower left corner and select Control Panel, followed by System and Security, then select Change User Account Control Settings.  Choose the setting that is best for you.
  • I go into Settings and search for Turn System icons on or off and turn off the Volume.
  • Now we should restart.

Configuration – Installing software

We only install software here that we really need and is useful for most users.  Some of what I install is listed below.  Remember this template is general and will be used to make the SQL template (with the addition of SQL) or any other software.  So software that will be used by most users, like anti-malware, Acrobat Reader, and maybe some helpdesk or troubleshooting tools, should be installed.

  • Bginfo – see this for help.
  • Acrobat Reader – make sure to open it to accept the EULA and update if necessary.
  • Google Chrome
  • Autoruns – a great tool to make sure you know what starts with your server.
  • Process Explorer – a great tool for troubleshooting.
  • 7-Zip – from here and is more flexible than what is built in – for example can extract ISO.
  • Thanks to StuartM I now suggest thinking about installing the Sysmon utility which you can find here.  You may not want it running all of the time but you might. It is a very powerful tool and can help educate and investigate.
  • Generally by now I am prompted to activate the Microsoft license.  I do let it activate.  If you don’t you may have some issues with sysprep.  You can see more about this in this article.

Note: For things like Chrome and Acrobat they will install fine since they have installers and they can be found on the Desktop as you might expect.  For things like BgInfo and Autoruns which have no installer it is more complex.  Use the info in the BgInfo article to help.  Basically you will create a Utilities program group for them and install them manually.  This is an example of software that is harder to install via GPO since they have no MSI. If you know how to create an MSI from scratch that is a handy thing to do for BgInfo and Autoruns.

Note2: For the things that are not programs like Reader or Chrome, but rather things like Bginfo, or Autoruns, they were not seen in the Utilities folder when selected under the Start menu.  It took time, like 20 minutes and two restarts before they were seen there.  No idea WTF but at least they are there.  In Win2K12 it was right away. In a VM deployed from this template they were seen right away.

Ready to make it a template?

We are ready to make this virtual machine a template now.  If you have connected it to the domain previously, for reasons such as getting the GPOs to help configure it, you should remove it from the network now.

  • Enable the swap file.
    • Start Server Manager, select Local Server
    • Click on Workgroup, then select Advanced
    • Select Settings in Performance.
    • Now select Advanced and select Change in the Virtual Memory section.
    • You can select Automatically manage paging file size for all drives if that works for your organization.  I should mention that I like to have a separate drive and put the paging file on it – when it makes sense.
  • If necessary remove this VM from the domain and restart.
  • I always like to check Windows Update before I finish and yes, today I did find a bunch of updates that I did not find earlier.  So I update and restart as necessary.
  • Disconnect the ISO and reset to Client Device – if not already done.
  • Update: this step has caused issues for one of my readers.  It depends on what patches are installed.  The issue is serious enough to not do this, so the following step is no longer recommended: remove the backup copies of the patches – use this command (at the command prompt (as admin)) – dism /online /cleanup-image /StartComponentCleanup /ResetBase – note – this may take a few minutes – about 10 for me but that can go up as more patches are applied! It will look something like:


  • Empty the trash.
  • A new idea, and a good one, is to empty the event logs.  Use PowerShell and the following snippet.

Clear-EventLog -LogName (Get-EventLog -List).Log

  • Make sure you are really ready to proceed!
  • We now need to manage the profile
    • We first install the Copy Profile tool – called DefProf.
    • Now create a temporary domain or local admin account, and log on as that user.
    • We use it to copy your profile to the Default Profile – so execute defprof your_account_name and you are done.  This is done so new users will get the configuration you have done as yourself.
    • When that is done we remove the tool (in the latest version it seems to do that itself).
    • Delete the temp account you created – if appropriate.
    • And shut the VM down.
  • Once the VM is shut down we are ready to turn it into a template.
  • I generally now do an update in the Notes section to account for what I have done.


  • Now we use right+click on the VM, select All vCenter Actions and Convert to Template as seen below.


  • Done.  We now have a Windows 2016 template.
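The checks in this section can be confirmed from an elevated PowerShell prompt just before the final shutdown. The script below is an added example, not part of the original article or any VMware tooling; the account name `tpl-temp` and the record threshold are assumptions to replace with your own values.

```powershell
# Added example: pre-conversion checks for the template VM.
# Run elevated in PowerShell 5.1 on Windows Server 2016.
# 'tpl-temp' is a hypothetical name for the temporary DefProf account.
function Test-TemplateReadiness {
    param(
        [string]$TempAccount   = 'tpl-temp',  # assumption: the temp account you created
        [int]   $MaxLogRecords = 5            # clearing a log itself writes events, so counts are rarely zero
    )

    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $checks = @()

    # The VM should be out of the domain before it becomes a template.
    $checks += [pscustomobject]@{
        Check  = 'Not joined to a domain'
        Passed = (-not $cs.PartOfDomain)
        Detail = "Domain/Workgroup: $($cs.Domain)"
    }

    # The page file was removed during tuning and must be back before shutdown.
    $pageFiles = @(Get-CimInstance -ClassName Win32_PageFileSetting)
    $checks += [pscustomobject]@{
        Check  = 'Page file enabled'
        Passed = ($cs.AutomaticManagedPagefile -or ($pageFiles.Count -gt 0))
        Detail = "Automatic: $($cs.AutomaticManagedPagefile); manual entries: $($pageFiles.Count)"
    }

    # The install ISO should be disconnected (CD/DVD back on Client Device).
    $loaded = @(Get-CimInstance -ClassName Win32_CDROMDrive | Where-Object { $_.MediaLoaded })
    $checks += [pscustomobject]@{
        Check  = 'No media in CD/DVD drive'
        Passed = ($loaded.Count -eq 0)
        Detail = "Drives with media: $($loaded.Count)"
    }

    # The temporary admin account must not ship inside the template.
    $temp    = Get-LocalUser -Name $TempAccount -ErrorAction SilentlyContinue
    $enabled = (Get-LocalUser | Where-Object { $_.Enabled }).Name -join ', '
    $checks += [pscustomobject]@{
        Check  = "Temporary account '$TempAccount' removed"
        Passed = ($null -eq $temp)
        Detail = "Enabled local accounts: $enabled"
    }

    # The classic logs should be close to empty after the clear step.
    $logs = Get-WinEvent -ListLog Application, System, Security, Setup -ErrorAction SilentlyContinue
    foreach ($log in $logs) {
        $checks += [pscustomobject]@{
            Check  = "Event log '$($log.LogName)' cleared"
            Passed = ($log.RecordCount -le $MaxLogRecords)
            Detail = "Records: $($log.RecordCount)"
        }
    }

    $checks
}

$report = Test-TemplateReadiness
$report | Format-Table -AutoSize -Wrap
if ($report.Passed -contains $false) {
    Write-Warning 'Template VM is not ready to convert; review the failed checks above.'
}
```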

 Deploy from Template

I suspect everyone knows how to deploy from this new template? I can confirm that passwords put into the custom specification with the Web Client work fine now at 6.0 U2.  I also suggest using the following commands in the Run Once part of the customization specification.

  • powercfg -h off
  • bcdedit /timeout 5

I have seen a lot of different things done via Run Once.  Scripts for example that install applications, or do inventory related tasks, so remember that and you can use it as you need.

I have had questions about the Windows SID: since we are not using sysprep, how is it managed?  In the last step of the Customization Specification you have an option to change the SID.  This is a legit option that works well.  See the screen below:

As you can see this is the default option.  If you do not use a customization specification as part of your template deployment you will not get a new SID but that is the least of your issues.  You must use a custom spec when you deploy from template.

Here is an article that will step you through the creation and use of a custom spec.


You should test by deploying from your template.  The first, quick thing I check is whether the VM is attached to the domain.  The fast way to do this is in the vSphere Web Client.  Look to see if the VM has a FQDN rather than something else.


Some other things to check include:

  • Do you see the wallpaper as you think you should?  Meaning BGinfo information should be seen.
  • Do you see the Utilities folder that you created and including the things inside it like BGInfo and Autoruns?
  • 7Zip, and Chrome usually come through just fine.
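The domain check above, together with the SID and WSUS concerns raised elsewhere on this page, can also be verified from inside the deployed guests. The following is an added example, not from the original article: it collects the domain state, machine SID and WSUS `SusClientId` of each VM and reports any value shared by more than one VM. The sample records, VM names and the commented-out `Invoke-Command` call (which assumes PowerShell remoting is enabled) are constructed for illustration.

```powershell
# Added example: confirm that VMs deployed from the template got their own identity.

function Get-DeployIdentity {
    # Run this on each deployed VM (locally or through PowerShell remoting).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # The machine SID is the domain part of any local account SID.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
    # SusClientId is the ID the Windows Update client presents to WSUS.
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' `
                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
        MachineSid   = $machineSid
        SusClientId  = $wu.SusClientId
    }
}

function Find-DuplicateIdentity {
    # Returns one row per identity value that appears on more than one VM.
    param([Parameter(Mandatory)][object[]]$Identity)

    foreach ($prop in 'MachineSid', 'SusClientId') {
        $Identity |
            Where-Object { $_.$prop } |
            Group-Object -Property $prop |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Property  = $prop
                    Value     = $_.Name
                    Computers = ($_.Group.ComputerName -join ', ')
                }
            }
    }
}

# Real use (hypothetical VM names, remoting assumed):
#   $ids = Invoke-Command -ComputerName app01, app02 -ScriptBlock ${function:Get-DeployIdentity}

# Constructed sample: two VMs with different SIDs but the same SusClientId,
# which is what a deployment that never refreshed its WSUS ID looks like.
$ids = @(
    [pscustomobject]@{ ComputerName = 'app01'; PartOfDomain = $true; Domain = 'example.local'
                       MachineSid   = 'S-1-5-21-1111111111-2222222222-3333333333'
                       SusClientId  = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ ComputerName = 'app02'; PartOfDomain = $true; Domain = 'example.local'
                       MachineSid   = 'S-1-5-21-4444444444-5555555555-6666666666'
                       SusClientId  = '00000000-0000-0000-0000-000000000001' }
)

# VMs that never joined the domain (customization spec not applied).
$ids | Where-Object { -not $_.PartOfDomain } | Select-Object ComputerName, Domain

# Shared identity values; for the sample this lists SusClientId for app01, app02.
Find-DuplicateIdentity -Identity $ids | Format-Table -AutoSize
```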

Things to think about

  • I believe that if the User Profile Manager tool works for you that it should be purchased.
  • If you are doing a template that has a bunch of drive letters – like a SQL server, you will lose the order of those drive letters after you deploy.  It can be fixed – problem avoided – if you use the info in this article.  Thanks Michael for this! I don’t see this when there are two drive letters but I understand you will with more than 2 or 3.

Updating your Template

You should update your template approximately once every month or so.  This will allow you to catch any outstanding patches for the OS as well as application patches.  Just convert the template to virtual machine, turn it on, patch, then restart it, and convert it to template.  You may consider joining it to your domain to catch new GPO type stuff that may be sticky but remember to remove it from the domain before you turn it back into the template.


I found useful information in a variety of places.  In particular at the links below.

  • My own Win2K12 template for VMware article
  • CloudPhysics tells you when you last updated your template – here
  • Not able to deploy from my win7 template – here
  • My own Linux template for VMware article
  • Turns out that SIDs are not the issue we all think they are – here, but we still need to get a new SID for other reasons, like for example WSUS.


I plan on keeping this page updated with what I am using and what works well!  I will use this section to update you with what I updated when I do updates.

  • 5/12/19 – found some PowerShell that actually works to clear event logs.  So added it in here. For DTC servers, and sometimes SQL servers you need to do this – article.
  • 3/26/18 – Updated the template – running under vSphere 6.5 Update 1g with no issues.  Added another code snippet that clears some logs.  Frustrating, even asked around for help but no luck with a magic script to clear all the logs.
  • 3/11/18 – added the link to the custom spec article.
  • 3/3/18 – Thanks to a reader letting me know, and doing some excellent testing, the command above to remove the backup copies of the patches is now struck out and it is recommended you do not do it.  It is not an issue that hits everyone, but it is not good so we are playing it safe.
  • 2/8/18 – added a little more info on SID above, and another screenshot. I think that people miss the custom spec option so I added a few words around that – do use a custom spec.
  • 3/8/17 – two people – one a co-worker – have said if they use my template articles that all the VMs deployed from them will have the same SID.  That has not been true for so many years I was shocked, but since two people have said that I need to do something.  Here below is a screenshot in the custom spec that reassures those people – I hope.

  • 3/2/17 – added the code snippet to clear event logs.
  • 12/12/16 – added the comment about using UEFI boot.

As always, comments welcome and in fact appreciated!  Also, if you have suggestions on how to make this better please let me know.



108 thoughts on “How to build a Windows 2016 VMware Template”

  1. Thank you Michael, once again you have made a very nice easy to follow Template Guide. Do you know if there is a way to make the “Lock Screen” background sticky?

    1. Hi Magnus,

      Can you provide a little more detail for me? Do you mean you want the BGInfo screen to be the lock screen? I am not quite sure what you mean.


      1. I mean the screen background visible just before ctrl alt del at logon or when locking computer if logged in. I solved it by adding a GPO for it. Then defprof made sure it stays in the clones.

  2. Thank you for a good guide, if you want a larger disk block size we use this setup:

    Press Shift+F10 after selecting time and keyboard language in setup of Windows.
    A CMD prompt will be visible.
    Start ”Diskpart” and run this:
    List disk
    Select disk 0
    Create partition primary size=350
    Format quick
    Create partition primary
    Format fs=ntfs unit=16K quick

    Go ahead and install Windows but do not select format, it will destroy the Diskpart work and you will have a 4KB block size instead, just select the large partition and next.

    This will create a 350MB primary partition for Windows boot and Another primary partition with 16K block size for Windows C:\

    After installation you can check the block size with this command from a CMD prompt:
    “fsutil fsinfo ntfsinfo C:”
    Look for ”Bytes Per Cluster”, it should be 16384 for 16K block size.

    If you would like better deduplication ratio in 3PAR SSD storage, this is recommended block size.

      1. Unfortunately I tried to create a template for 2016 yesterday and I could not install Server 2016 using EFI Bios setting and the above Diskpart routine I normally do with Server 2012R2.
        Even if I did convert the disk to GPT before creating the partitions.

        Found an odd instruction from Technet how to set up partitions for Server 2016.

        It will probably end up with 2 alternatives:
        1. Standard BIOS setting and 16K block size on C:\
        2. EFI BIOS setting and no manual Diskpart action at all (4K block size).

        It depends on the benefit of using EFI BIOS.
        I have to read more about it before I decide.

      2. Added the command “Select partition 1” and “Active” otherwise it will not accept to install Windows during setup of Server 2016.

        List disk
        Select disk 0
        Create partition primary size=350
        Format quick
        Create partition primary
        Format fs=ntfs unit=16K quick
        Select partition 1

    1. You need to create the first partition (the System Reserved partition) with size=500 for Windows 10/2016. I was encountering an error using 350MB (what I use for Server 2012) and read that Server 2016 has increased the size to 500MB.

  3. Interesting…all these years I have been using a custom sysprep file to get the CopyProfile option available. And then with Windows 2012R2, this stopped working with VMware and I had to actually call sysprep manually from an interactive session. I am definitely going to have to check out the defprof utility. Thanks for the awesome tip.

  4. Any problems with Start menu icons? Seems like if you delete the setup profile, all shortcut icons go generic. This leads me to believe there is some link back to the original setup profile…which is probably a bad thing.

    1. I got this the first time I logged in with a new profile but after logging off and back on again, the icons were showing properly. (Server 2016)

  5. Clear Event Log script works but throws an error:

    “Attempted to perform an unauthorized operation.”

    Looks like it can’t clear the System log because it’s logging the events that are clearing other logs. You can manually clear the System log after.

  6. The Clear Event Log script works but throws an error “Attempted to perform an unauthorized operation.”

    From the looks of it, it’s trying to clear the System log while simultaneously creating log entries about clearing the other logs… You can clear the System log manually after.

      1. Thank you for this excellent article.

        A few additions, comments:

        You can also use this in powershell to clear logs:

        Wevtutil el | ForEach { wevtutil cl "$_" }

        two errors of access denied will pop up

        Failed to clear log Microsoft-Windows-LiveId/AnaIytic. Access is denied.
        Failed to clear log Microsoft-Windows-LiveId/OperationaI. Access is denied.

        Additionally I would recommend disabling Xbox related/client facing services, with services.msc
        Set “Xbox Live Related Services” to Disabled
        Set “Mapsbroker” Service to Disabled

        Remove Scheduled Tasks Related to Xbox Live with powershell:
        Get-ScheduledTask XblGameSaveTask | Disable-ScheduledTask
        Get-ScheduledTask XblGameSaveTaskLogon | Disable-ScheduledTask

        Disable Defrag scheduled task with powershell command:
        Get-ScheduledTask ScheduledDefrag | Disable-ScheduledTask

        Remove Defender Feature
        Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet

        or only disable On Access with powershell:
        Set-MpPreference -DisableRealtimeMonitoring $true

  7. I started using Windows Server 2016 recently, installing on the vmware environment, I noticed that the mouse pointer disappear, that’s only happen when installing a fresh install, and make a little difficult to install the VMware Tools.

    Do you have any suggestion ?

    1. Hi Michel,

      I can see how this is frustrating. I wonder if you are using the latest VMRC? More info on that can be found here. Also, are you using fairly current VMware? Meaning 6.0 U3 or 6.5 or later? If you are good on these I suggest you talk to VMware support.

      Sorry not more help,


  8. Used this to create our Server 2016 templates. Should have read your server 2012 comments 1st. Ran into the susclientid duplication with WSUS. Found my way back to your site researching it!

    I have found a script that I use to reset the SID.

    #Deletes these 2 keys
    REG Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
    REG Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /f

    #Stops windows updates and removes old logs that reference that susid
    gpupdate /force
    net stop wuauserv /y
    net stop BITS /y
    rd C:\WINDOWS\SoftwareDistribution /s /Q
    del "c:\windows\windowsupdate.log"

    #Starts the windows update service and checks into the WSUS server
    net start wuauserv /y
    wuauclt.exe /resetauthorization /detectnow

    1. Hi Tony,

      Yes, I often use the run once. It is quite useful. I do the two samples I mention in the article. I have seen customers that use it to do .MSI files to install software too. I have also seen PowerCLI and PowerShell commands executed from the run once.


  9. Hi Michael,
    it’s a professional guide. Thanks.

    I have a problem. After creating a VM from our template, during the installation the computer name is not taken over. What is the problem?

    Best regards,

    1. It sounds like the customization is not being executed. Meaning, that when you deploy from the template you created, that it deploys with no customization. Did you create the customization? There is some info in the article about troubleshooting. Make sure your customization is built and used during the deploy.

      Also, you could also call VMware for support if you have bought your licenses and still have support.


  10. Hi Michael. Thank You!
    Under the folder options i do 2 things:
    “Hide extensions for known file types” <-disable
    "show me all files" <- so hidden files are shown

    kind regards

  11. Hi Michael,

    nice write-up – thanks a lot.
    Just as FYI:
    Today I tested the template deployment of a Windows Server 2016 on vSphere 6.5 U1 with multiple disks and it worked as expected without the linked script or any re-configuration for changed drive letters.
    I used two disks on a lsi sas adapter and multiple disks on virtual NVMe controllers.

    This makes life a lot easier…

    1. HI Marcel,

      You are not missing sysprep. You do not see it, but it is working under the covers. You will not have any problems due to not seeing it.


  12. Great work as usual. Do people still sysprep their image before converting it over to a template or do they stick with “Generate New Security ID (SID)” within vSphere Guest Customization? I understand people used to sysprep to create an unattended file to leverage the CopyProfile option, but with DefProf is there any point in sysprepping anymore?

    1. Hi there,

      No, I do not use sysprep manually. That is covered by the VMware guest customization. If VMware was not involved then yes, I would use sysprep.


      1. Great thank you for the reply and clarification. Do you recommend placing the page file on a separate disk sizing it appropriately?

  13. Hi Mike,
    Very interesting blog. But I have one question: how does an update of the user profile work? I tried that and after I ran defprof to update the profile, the icons on the Start menu are broken (not displayed) for every new user…..


    1. Hi Peter,

      I am sorry but I don’t quite understand the question. I have not seen the icon issue you mention. Can you provide more details?



  14. Hi Michael,

    I’m not too sure about not running sysprep after following all those steps.

    Are you saying that there is no more need to run sysprep because VMware will do it during the convert process?

    As people have already said, thanks for this article. Very helpful.

    Best regards.

  15. Hello Michael.
    You describe in your blog to select “change the SID” within vm guest customization. Changing the SID is different from running sysprep. Sysprep is the only Microsoft supported way to create an image. I advise to add the step with sysprep just before the shutdown (the sysprep will shutdown the computer) and before creation of the template. And also not using the “change the SID” option.

    1. My words were not chosen well. Do not run sysprep when you are working on a vSphere template. What VMware does when it does the customization is something that works and is supported. The end result will be on a domain – if you want – and it will be healthy and proper. It is entirely possible that behind the scenes sysprep is used.


  16. Hi Michael,

    Me again. I’m now at the DISM command and it seems to be stuck at 70.4%. It has been running for almost 2 hours. What should I do?


  17. The command to clear the Event Log does not work for me. There is an “Attempted to perform an unauthorized operation” error, even when running from an elevated command line.

  18. Hello, great article. One question, I might be missing something, but in ESXi 6.5 or vSphere 6.5 where can I find the option to generate a new SID?

    1. Hi there,

      In the customization wizard, the very last step is where you can disable or enable the generation of the SID. It is called Set Operating System Options and there is only one choice there – Generate New Security ID (SID).

      Hope that this helps and makes it more clear but let me know if not.


      1. Hello Michael, I was also searching for the SID option in the 6.5 version, but I cannot find it either. As I mentioned earlier, I still believe the new SID option is -not- supported by Microsoft, as it is not the same as sysprep. Sysprep will also delete a lot of stuff and the last action is to shut down the computer so then your image is ready to deploy or use in a template.

      2. I explained where the SID option is, and it is supported, and it does work. I have built many servers over the many years from this and other templates and Microsoft has helped me a few times and made no complaints or negative comments on my template articles. And I have shown them to MS people before. This is not a new SID option but one that has been around for a long time. The wizard does build a sysprep file and you can use your own sysprep files too.


      3. Thanks Michael, I’ll take a deeper look. Must be missing it. Upon creating from my template it doesn’t show any options like that. When I built a test box it had the same SID, so I used VMware Converter to change the SID. Which worked, but I’m sure I’m missing something. Thanks.

      4. Hi Alex, I will update my article today with a screenshot to help and hopefully no one will miss it in the future. I will also include a link to a simple little tool to change the SID. Way easier to use if necessary.


      5. Alex,

        I realized the issue for you might be that you create the template, but when you deploy from it you do not use a custom spec. You must do that, and when you do you will see the option I mentioned.


    2. Hello,

      Thanks, exactly what I was going to say. You need to select the “customization option” when you select create new VM from template.

      As Michael states, you don’t need to sysprep the VM before powering it off when using VMware and the customization. However, if your virtualization is Hyper-V then it’s a different story, as sysprep is required, but you will hit a limit of 3 syspreps allowed and this is where a checkpoint, aka snapshot, will come into play, which will allow you to revert back to pre-sysprep, allowing you to apply new updates and changes and sysprep again.

      MS will always claim it’s best practice to sysprep and will never say it’s never needed especially when using VMware customizer.

  19. Thanks for the great articles Mike. Very helpful. My question is on Windows Activation. Used to be you had three days or something to set up and try out Windows Server with full features. Windows 2016 doesn’t seem to have that, so activation with a MAK is necessary to complete some of the process. But what do you do after deployment of the template to get it to use the KMS server for activation? Is that a RunOnce you add, or a part of your deployment process after joining the domain?

    1. Hi Joesph,

      Glad the article is helpful. There are a few answers for how the licenses can work. I consider my templates valuable so I license them. I use a legit MSDN license as part of the provision from template. After the deploy and some sort of time, they activate themselves. Sometimes if I see an activate I push it. This works well in my lab. Outside of the lab, like at a customer site with KMS, it happens automatically – meaning you provision with no specified key. If the customer does not have the KMS type activation, you could deploy with a MAK license and it would work fine. I hope that this makes sense?


  20. Just wanted to give a heads up, depending on what updates you installed before running the cleanup script: dism /online /cleanup-image /StartComponentCleanup /ResetBase, this can cause all kinds of problems. A lot of Windows updates and system configurations build upon past updates. If you remove them you can have issues later down the road when you install updates or when you try to add additional roles and features. I tested this thoroughly after I started getting strange errors when trying to install additional roles. I even went as far as building a new server template exactly the same as you outlined and left out the script and everything worked great. Built the template again and included the script and again started having problems.

    1. Thanks for sharing this. Sounds like you tested it very well. While I have not run into problems myself, I will add a note about this to my article.

      I very much appreciate you sharing, but also so carefully testing.


  21. Another option to clear the logs using another iteration of the wevtutil command is this:

    wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

    It should clear all of the logs.

    1. Hey George,

      I get errors on that command. “Foreach-Object” is not recognized. Any ideas? I did it at cmd run as admin, on Win2K16.


  22. Thanks for removing the DISM section. I was also bitten by DISM but was lucky enough to have made several snapshots during the process of creating the new image.

    1. DISM is fine. Just don’t use the /ResetBase flag if you ever plan on installing something from Windows Features On Demand again. Also, getting an error about file not found is normal due to a bug, but it’s harmless. Just restart afterwards. To save even more space, you can follow Microsoft’s instructions on resetting Windows Update components. But stop when it’s time to start services again. Instead, shut down, and convert to template.

  23. We have started to add the active directory module to our images to be able to use gMSA

      1. Everything in your article worked perfectly for me today and greatly sped up the deployment process. Used the customization spec too. We are starting to use the Windows MSA and gMSA accounts that require the Active Directory module to be installed on the Windows Servers to improve password security. It’s only a 5MB package so it has a minimal storage impact. Great blog!

  24. Hi Michael.
    Have you had the chance to look at Server 2019? Any plans on doing another excellent template white paper post? 🙂

    1. Hello there,

      I will certainly do one on Win2K19. I look forward to it. Not sure when but as soon as I can. Thanks for reminding me. I even have some interesting edits for the Win2K16 one too.


      1. Tried DefProf with Server 2019 and sysprep failed after. Any luck with it yourself?

    1. Hi Bens,

      My experience is to not change the tuning settings for VMXNET3 unless VMware support suggests it for solving a particular issue. The VMXNET3 driver works very well in its standard config. I suggest you do not change the config of it without a very good reason.


  25. Michael

    First of all, great article.

    Here’s a tip I use for Win2012 and Win2016.

    When you try to install any Windows Server 2012 R2 / Windows Server 2016 role or feature, Windows requires the original setup files. You can use the CD and specify the path, or you can use the steps written below to set the path to, for example, a network location.

    1. Start the Local Group Policy Editor or Group Policy Management Console (gpedit.msc)

    2. Expand Computer Configuration, expand Administrative Templates, and then select System.

    3. Open the Specify settings for optional component installation and component repair Group Policy setting, and then select Enabled.

    4. Select the Contact Windows Update directly to download repair content instead of Windows Server Update Services (WSUS) check box, and specify the alternative path.

    First, using these instructions allows the foolproof installation of .Net 3.5 by adding roles and features if your organization has a WSUS server in place. Second, you don’t need to keep the ISO mounted on the server.

    Bob Morrison

  26. Has anyone had issues with a system prepared this way getting its certificate from a CA? We keep getting the error that the RPC server is unavailable. However it works fine with machines that are sysprepped and use SCCM for image deployment.
    Note: if we sysprep the image before making it a template and use a Custom Specification in VMware, the VM’s NIC will never connect on first reboot, even though it is checked to do so.

    Any help would be appreciated.

    1. Hello there,

      I do not have a CA, and of the many people I have talked with about my template articles none have mentioned if they have one or not. I am surprised that this template might impact the process of receiving a cert. Not sure when I will be able to test this but one day I will.

      If you learn more please share with me.


  27. Good comprehensive blog on how to create a golden image. The only issue I had was DefProf. We had a vm deployed from our image pentested and DefProf was flagged as a security risk with a CVSS score of 6.7 (medium).
    The problem was – The service was discovered with an unquoted service path: ForensiTAppxService: C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe
    The risk is an attacker can insert a malicious executable named ForensiTAppxService.exe at the path C:\Program, e.g. C:\Program\ForensiTAppxService.exe, if they have access to write a directory called “Program” in the root of C.
    I know it sounds picky but if your image is being pentested for a CIS level 1 baseline then it will be flagged. I decided to redo the image and skip the profile customization step. Thanks for the rest of the instructions, it helped me greatly.

    1. Hello Gilbert, thanks for sharing this. Next time I do a serious update of my template article I will see if there is an update to DefProf, or if I can find info from them on this. What I find I will add to the article.
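
For the unquoted service path finding reported in comment 27, this is a check that can be run from an elevated PowerShell prompt on the template VM before it is converted. It is an added example, not code from the article or from ForensiT; the function names are made up here, and the service name in the last line is the one quoted in the comment.

```powershell
# Added example: audit (and optionally quote) unquoted service paths.
# Function names are hypothetical; run elevated on the template VM.

$ExePattern = '^(?<exe>.+?\.exe)(?<args>\s.*)?$'   # exe path, then optional arguments

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }        # already quoted
    if ($p -notmatch $ExePattern) { return $false }  # not an .exe image path
    # Only a space inside the executable path itself is a problem;
    # spaces in the arguments that follow it are harmless.
    return $Matches['exe'].Contains(' ')
}

function Get-UnquotedServicePath {
    # Lists every installed service whose image path has the weakness.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath $_.PathName } |
        Select-Object Name, StartMode, StartName, PathName
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    # Read the raw value so %SystemRoot% and similar are not expanded on write-back.
    $path = (Get-Item -Path $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not (Test-UnquotedServicePath $path)) { return }
    $null  = $path.Trim() -match $ExePattern
    $fixed = '"' + $Matches['exe'] + '"' + $Matches['args']
    if ($PSCmdlet.ShouldProcess($ServiceName, "Set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    }
}

# Report first, then preview the change for the service named in the comment.
Get-UnquotedServicePath | Format-List
Repair-UnquotedServicePath -ServiceName 'ForensiTAppxService' -WhatIf
```

Remove `-WhatIf` to write the quoted path; a service reads its new ImagePath the next time it starts.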


  28. Michael, thank you for such a comprehensive guide. I have one question at the Defprof part:

    “We now need to manage the profile

    We first install the Copy Profile tool – called DefProf.
    Now create a temporary domain or local admin account, and log on as that user.
    We use it to copy my / your profile to the Default Profile – so execute defprof your_account_name and you are done.”

    When executing the defprof your_account_name, which account name are you referencing? The new temp account that we just created and logged into?

    Thank you,

    1. Hi Eric, the account name is the one that you are not logged on as, and has all of the customization associated with it.

      Hope that helps,


  29. Just a quick question: is there a way for the template to get automatic Windows updates when it is a template? I have a WSUS server.

    1. Hi Matt,

      There is no way for something to update a template when it is a template. You need to turn it into a VM first. You could likely script something.

      Personally, once a month or two I turn my templates into VMs, update patches, utilities and whatever else and turn them back into templates. Maybe takes an hour.


  30. Hi there!
    I used this tutorial to build my Windows Server 2016 template and the following deployment. I used a W2016 original ISO, installed only three security updates (two monthly updates and one for the IP stack), programs installed, and admin profile customized and replicated to the default with DefProf.
    I’ve also executed the “DISM /online /cleanup-image /StartComponentCleanup /ResetBase”.
    I didn’t clean up logs, nor the “SoftwareDistribution” directory.
    I also updated my VMs customizing scripts, adding the KEY, the computer name, the IP, and generating new SIDs.
    So far, so good.

  31. I used your guides to create my 2012 template, then my 2016 template, and just created a Server 2019 template (using the 2016 instructions). I didn’t need to make any alterations for Server 2019. (I don’t use the DefProf parts of your guide, so I didn’t test that.)

    I’m very grateful to you for your work in putting this together. Thank you!

  32. Thank you so much for this Michael White! I always come back to this when I want a template from scratch, which I like to do once a year.

    Two things I add to my default software are WinDirStat and Notepad++. WinDirStat is great for finding bloated folders and I always want Notepad++ nearby.

    1. Hi Chris, glad this helps out. I like your idea of Notepad++ in the template too. I often add it but it makes more sense in the template.

      Thanks for sharing,


  33. Thanks for this template, I have a few 2016 servers running like a charm. I was wondering if the guide will work to get a server 2019 template created?
