Things to have ready
- VMware Infrastructure – I am using a vCenter 6.0 U2 environment patched to current. I am also using the vSphere Web Client – and so should you – and so my screenshots reflect that client usage.
- Windows 10 ISO up in your infrastructure – and know where it is!
- PID – have the Windows license handy.
- Any software you like to have installed in a template – you will see below what I like to have and links to them
- You will need to use a utility to copy the profile that you can find here. This is important as Microsoft has been working since Win2K8 to make it difficult to copy a profile – this is important since a lot of our customization will be done as ourselves or by any account other then default. We will want to copy that customization to the default user profile so other new users will get it.
- You should have the VMRC ready to use, as it is a much better experience then using the normal remote console. Find the bits here to install on your work machine, and you can read a little about it here.
Virtual Machine and Operating System
- Since this is going to end up as a desktop – likely in a VDI environment too – I like to have it as a 32 GB disk, and 2x vCPU, with 3 GB of memory. I sometimes will clone the template and set it up as a new template with different parameters – like more vCPU and memory and use it for a specific VDI pool – such as for admins.
- Create a new VM, and give it a good name. I will use win10TPL – remember there is a 15 character limit you should work within.
- Change processor and memory as appropriate.
- I like to use the Paravirtual controller, but it is hard to do now so use LSI Logic SAS.
- You should change the network to vmxnet3,
- Attach the Win10 ISO.
- I like to tweak the video settings to 4 displays / 128 MB memory, to avoid issues in View.
- Change to the VM Options tab, and expand Boot options.
- We need to Enable The next boot to enter BIOS setup. See below for what this should look like.
- Update: I now also change to use EFI to boot. Do the OS boot change, then power off and change the settings in the BIOS area and you are done. Find out how to do the OS changes in this article. You should be aware if you do use EFI that means you do not have to use BIOS to remove parallel or serial ports as you can do that in the VM settings.
- Before we power up, I like to take care of tags and annotations.
- Now we can power up, and we boot to BIOS.
- Now change to Advanced, and than I/O Device Configuration.
- We want to disable the Serial, Parallel ports, and the Floppy controller.
- I also like to change to the Boot menu and make sure that CDROM is at the top.
- Now you can hit F10 to Save and Exit and you should boot right to the OS install. If it doesn’t then when that happens to me it is due to my forgetting to connect the ISO. You can change to the vSphere Web Client and connect the CD in the VM Settings area and by the time you return to the Console it should be installing.
- Note that in the screenshot above that it a VMRC window. You can tell that due to the controls seen in it. While it is from a Mac, it will be quite similar to Windows, and this is what you should be using – the VMRC console is most excellent. Which is why I mention way above you should be using it and provide links.
- The first place the OS stops and waits for you is seen below.
- You can just hit Next to continue. BTW, I get to this screen by clicking on the Launch Console in the vSphere Web Client – on the VM Summary screen – as seen below.
- Just do a normal install (which is Custom – Install Windows only) to get things working.
OS Configuration – VMware Tools
- Has the VM restarted successfully and ready for log in? It does restart a few times during the OS install.
- You will be prompted when it is ready for human interaction.
- I do in fact license my templates as I keep them around for a long time.
- When you do the VMware Tools, you trigger it in the VM Summary in the vSphere Web Client. See the screenshot below.
- When you trigger the tool install you will see this message.
- When you Mount, normally you will see when you change back to the console the following screen.
- The typical install is best normally, unless you have a reason to do something different.
- After the tools are installed you should reboot. Now you don’t need to use Tab (thanks goodness) as the mouse works!
OS Configuration – Tweaks and Tuning
In this phase we tweak the OS and get it ready for a wide range of potential use. Meaning this is the template that is most general. It will be used to make other templates that are more specific – such as View desktop template. The changes below are the ones I make, and think useful but in this section you make the changes that work best for you and your organization.
- We need to log in again so we can start making changes. Yes, our mouse should work good now!
- I like to get the Date / Time right first. So first do the Time Zone. Start by clicking on the date in the bottom right corner of the screen. Select Date and time settings, Change timezone, pick the right timezone.
- I like to use the 24 Hour clock and if you want to do that too click on the Clock in the taskbar and select Date and time settings, Change Date and Time formats, Change calendar settings, and make the appropriate changes.
- When we first started all of this you may have noticed that the time of the VM was way off. In fact it was in Zulu or Universal Time because the host time was when the VM started. But now with the right Timezone it should be the right time. If not, your ESXi host may have the wrong time.
- Now lets patch. Use Windows Update which I start from the Ask me anything field.
- We should enable the Administrator account and set a password on it. Right+Click on Start, select Computer Management, Users, and finally Administrator. Give it a password and enabled it.
- I like to turn off the System Restore as patching seems to work pretty good and I have backups! So not using it saves disk space and makes some things – like patching faster. After you right+click Start (windows icon), Control Panel, select System & Security, followed by System and you will see the following screen.
- We start with System Protection. Now you should see the screen below. And note it is now turned off by default? Nice.
- While we are still on the properties screen, we can enable Remote Desktop support. Select Remote Settings on the properties screen – as seen above. You can now enable remote assistance and remote desktop as per your needs. In my case both on. You may be prompted about power savings, but ignore it for now as we will deal with it shortly.
- Still on the properties screen, we use Advanced System Settings now. We start with Performance.
- We want to adjust for best performance.
- Now change to the Advanced tab, so we can set the min and max of the page file to 3072 (or whatever RAM setting you are using. People sometimes leave System Managed as the choice. More frequently now then in the past.
- After you select OK, we want to work in Startup and Recovery.
- I only make one change here and that is to display a list of operating systems for 5 seconds. But I know customers that make more changes in this area.
- Two OK buttons are what we do to get back out to the desktop. You may need to restart.
- You should change – while on the System screen the Windows name – I make it the same as the VM. Restart.
- I will normally activate Windows now, as my template is kept for a long time and while only occasional on to be updated it will eventually cause me an issue if I don’t activate it now. This might save you from some odd sysprep errors during VM deployment from template. I see this less in Win 10. But I still suggest licensing your templates if you value them as I do.
- Now we need to adjust the power profile. Start in the Control Panel, then System and Security, and finally Power Options.
- There is a few things to do here. Start with the option Choose when to turn off the display.
- You can set to never both when to turn the monitor off, and when to put the computer to sleep.
- Now select Control Panel Home. Follow that by Appearance and Personalization.
- We want to turn off sounds, and the screen saver.
- First access Change sound effects and change the profile to No Sounds.
- Next access Change screen saver and make sure it is set to none
- Working from the Control Panel, select Programs. Follow that by selecting Turn Windows features on or off.
- Scroll through the list until you find Telnet Client, and select it.
- You should remove the following installed features.
- Print and Document Services – Internet Printing Client
- Print and Document Services – Windows Fax and Scan.
- You may need to restart and that is OK if you do.
- We should disable the index on drive C:. Use Explorer to explore This PC and right+click on drive C: and select Properties. You will see at the bottom of the screen the option to disable indexing – it is Allow files on this drive to have contents indexed – deselect the box for it. You can enable indexing on your data drives like H: or whatever using GPO. There may be a few files that cannot be removed from the index – just ignore them.
- Now we should defragment the drive. This option is on the Tools tab.: and follow that by selecting the Optimize option. While you are here you should disable the weekly optimize option as it is not necessary.
- Now we need to do a cleanup of the disk using the command c:\windows\system32\cleanmgr /sageset:1 and then select all the boxes you can – I do all.
- I suggest turning off automatic Store updates. This article can help with that.
- Another change that you might consider is look at this list of services and use it as a guide to disable services. The more you disable the better but think about them. For example do not disable anything Defender if that is your anti-malware too.
- You may wish to remove ONE drive and you can find help to do that in this article.
Incidentally, this would be the time that you would use the VMware OS Optimization Tool, but I am not as I don’t have time to fiddle with it. Here is an article you can learn more about using the VMware OSOT as well as obtain a Win10 template for OSOT. I will work on this one day and do an article about using it in concert with a template update.
Configuration – Installing Optional Software
We only install software here that we really need and is useful for most users. Some of what I install is listed below. Remember this template is general and will be used to make the View desktop template (with the addition of the View specific software) or any other software. So software that will be used by most users like – anti – malware, Acrobat Reader, maybe some helpdesk or troubleshooting tools should be installed.
- Bginfo – find it here and info on making it work here.
- Acrobat Reader – make sure to open it to accept the EULA and update if necessary.
- Google Chrome
- Firefox – just in case!
- Autoruns – a great tool to make sure you know what starts with your OS.
- Process Explorer – a great tool for troubleshooting.
- 7-Zip – from here, more flexible than what is built in – for example can extract ISO.
- PowerCLI – from here – a very useful admin tool!
- Notepad++ – from here – nice editor for PowerCLI or other things.
- Something that many would consider not optional is antivirus software. I would suggest you need to do a scan as one of the last actions too.
- The VMRC should be installed if you will manage VMs – from here. I had some issues with this. VMware has this article and this article but it did not help me. I had to uninstall the CIP, and PowerCLI, and restarted. Then I could install it, and install PowerCLI and CIP again. Update – just did the VMRC again and no problems on a later build of Win10 and with v9 of the VMRC.
- Plus, again if you are doing vSphere stuff 6.0x you should get the CIP from vSphere 5.5 U3a (or later) as that works great for integrated log in.
- Disable OneDrive – see how in this. Unless you want to keep it. This article may also help.
Note: For things like Chrome and Acrobat they will install fine since they have installers and they can be seen or used by other users logging in as you might expect. For things like BgInfo and Autoruns which have no installer it is more complex. Basically you will create a Utilities program group for them and install them manually. This is an example of software that is harder to install via GPO since they have no MSI. For this and other reasons that is why we need to manage the profile – meaning to copy the profile I have been working under to the default user.
Note2: I also make a few other changes. I like to see file extensions, and I like to get rid of some of the extra cruft in the All Programs area. But to each his own.
Test Time – before
Is this desktop ready for the prime time? Some things to check would include:
- Does the Boot / Snapshot time look right on your wallpaper?
- Is there any errors when you log in using your admin account?
- Does your installed software all start?
- Does a restart cause anything odd to occur at log in or otherwise?
Ready to Make it a template?
We are ready to make this virtual machine a template now.
- If necessary remove this VM from the domain and restart.
- I always like to check Windows Update before I finish and yes, today I did find a bunch of updates that I did not find earlier. So I update and restart as necessary. This took a long time. An update yesterday was small but today it took quite some time. There was some sort of big upgrade.
- Disconnect the ISO and reset to Client Device.
- Make sure you are really ready to proceed!
- We now need to manage the profile
- We first install the Copy Profile tool – called DefProf.
- We use it to copy my profile (with all the edits) to the Default Profile – so copy the tool to the local hard drive of the template, unzip, and execute defprof your_account_name and you are done – I have better success when I am not not logged in as me – who did all the customization – when I run the tool. So I create and use an account that is admin equivalent and called temp. Log in as it and run the defprof command and delete the temp account.
- When that is done we remove the tool,
- And shut the VM down.
- Once the VM is shut down we are ready to turn it into a template.
- If you did install anti-virus or anti-malware software you may need to do something so that when a VM is deployed from this template and starts up it is going to get its own identity for management purposes and not be the same as the installed copy on the template.
- I generally now do an update in the Notes section to account for what I have done.
Plus, when the testing confirms both the template, and the customization spec are good, I will clone the template for View use.
Deploy from Template
I suspect everyone knows how to deploy from this new template but remember that any passwords put into the customization script should be done using the vSphere Client and not the vSphere Web Client (this is a bug and I am sure it will fixed. Any day now). I also suggest using the following commands in the Run Once part of the customization specification.
- powercfg -h off
- bcdedit /timeout 5
I have seen a lot of different things done via Run Once. Scripts for example that install applications, or do inventory related tasks, so remember that and you can use it as you need. Always test your deploy from template before you use the template in VDI or automated anything. In particular make sure the joining the domain works. Troubleshooting template issues inside View or VRA operations is much tougher then it needs to be.
Here is a very nice article that is about the guest customization script in case that helps.
Test Time – after
Now that we have deployed a VM from our template we need to make sure it all works. This is testing our VM but also the custom specification. Some things to check include:
- Did our VM join the domain? This is most important.
- Can we RDP to the newly deployed VM successfully?
- Does a restart cause anything odd to occur at log in or otherwise?
Things to think about
- I like to create a customization spec before I deploy from template and that normally is just a copy and paste on an old one and small update for things like the IP address or license. You can learn more about creating and using custom spec’s in this article.
Here is some miscellaneous things to think about if you have troubles. The most common one is when you deploy a VM from the template it doesn’t join the domain.
- Check out this article of mine for ideas.
- Did you remove the VM from domain before you turned it into the template?
- Did you confirm that the account credentials in the spec to join the domain work?
Did you enter the passwords – both administrator account and the domain add account – using the vSphere Client. This was a bug once where entering the password via the vSphere Web Client would not work properly and I find myself a little skeptical that it was fixed.Confirmed fixed.
- Accounts should be in the format of firstname.lastname@example.org and not mwhite.
- Check the logs in c:\windows\temp\vmware-imc.
- Use this article to find the log location for sysprep (Win7 SP1).
Updating your Template
You should update your template approximately once every month or so. This will allow you to catch any outstanding patches for the OS as well as application patches. Just convert the template to virtual machine, turn it on, patch, than restart it, and convert it to template. You may consider joining it to your domain to catch new GPO type stuff that may be sticky but remember to remove it from the domain before you turn it back into the template. I know people that do this using VRO and how cool is that! Don’t forget about updating things like PowerCLI or the apps you have in the template.
Here are the links that may be helpful or useful somehow. They contributed to this article or may be helpful.
- My Windows 2012 template article was helpful too!
- My Windows 2016 template article might be helpful too!
- Bad PID causes Win2K8 to reboot continuously during deployment
- An alternative article on Win10 template creation
- Service list that shows good ones to disable.
- Boot with EFI can be done with help in this article. Background help in this one.
I plan on keeping this page updated with what I am using and what works well! I will use this section to update you with what I updated when I do updates.
- 2/12/19 – added a variety of links and comments around boot from EFI, services to disable, remove ONE drive and more.
- 3/11/18 – added the link to the custom spec article.
- 3/10/18 – added a missing link, and info on disabling Store updates.
- 4/14/17 – added a link to a guest customization script article.
- 3/8/17 – two people – one a co-worker – has said if they use my template articles that all the VMs deployed from them will have the same SID. That has not been true for so many years I was shocked, but since two people have said that I need to do something. Here below is a screenshot in the custom spec that reassures those people.
- 2/28/17 – updated and release.
- 7/9/16 – original work
Thanks for checking out my article – I hope it helps. I will keep this article current and that means updates so revisit if you use it for help. Questions and comments are always welcome.
=== END ===