OS Customization fails in VMware vm

Hi James Cook2 

Would you please suggest which steps you have followed from the KB article, I mean have you performed script-based steps or manual steps from the KB?

Also, It'd great if you can provide us with the error which you are getting while customization of the Operating System.

I did the script based steps then I booted the template and manually ran the script as an admin then shutdown with the same results. 

Hi James Cook2 

Could you please provide the exact error it is showing or the screenshot of the same? 

Here is a screenshot of the error.

Hi James Cook2 

Are you running the script with the logging? If yes, the logs will help us to narrow down the issue else I'd request you to request a remote session on the case which you have opened with the Support as it needs detail troubleshooting to get the problematic component.

Hi James Cook2 

As per the support case, the VMware customization was failing because of the services which were hampering the customization. The assigned engineer provided that we need to put the batch file, in the end, to set the service to the automatic and then need to make sure that it is currently stopped.

Also, there is a VMware KB article regarding the same issue which was provided to you.

Hi,

I've been faced with the same problem. The cause is tamper protection.
For the generalization with Sysprep to work, we had to deactivate the tamper protection!
It seems that Tamper Protection blocks access to certain registry keys.

When following the KBA, the last line of the SophosGoldImagePrep.txt script must be commented out.

>echo Enable Tamper Protection
>REM "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPon | rem

This behavior occurs with Windows 2016. With Windows 2019 this is not necessary.

I worked with support and so far when we stop the MCS service it runs fine, now we need to create a startup script that runs once  to reenable the MCS service and then deletes itself if the server name is not the same as the golden image. 

Hi James, thanks for your update, it helped a lot [:)] We're experiencing the same problem with our Server 2019 Datacentre edition template in vSphere 6.7, running the unmodified gold image prep script (which works fine with VDI clients) we get the "Windows could not finish configuring the system" message and the Shift+F10 method of completing the process fails too. So using your suggestion we've modified the prep script to also re-configure both MCS Agent and Client services as Manual Start and leave Tamper Protection disabled, at which point the process runs fine. It's not a great fix as, like you say, the services then need re-enabling after deployment which is a pain. So see below our script to re-enable them, it's just a quick butchering of the gold image prep script just in reverse, it just needs to be scheduled to run on local administrator login and seems to do the trick. There's no real need to delete it afterwards either as it'll run so infrequently if ever (if you don't regularly login as local admin that is). We'll get a ticket logged with support too to ensure they're aware there's a continuing problem. Cheers, Ken.

REM Sophos post-Gold Image Re-enable Services script

rem @echo off
set GOLD_IMAGE_HOSTNAME=CHANGE_ME

echo Checking if the system is NOT the gold image anymore
IF /i NOT "%COMPUTERNAME%" == "%GOLD_IMAGE_HOSTNAME%" GOTO RESET
echo System is the gold image, exiting
EXIT

echo Checking if Sophos MCS Agent service is still Manual
for /f "tokens=3 " %%i in ('call reg query "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /v Start') do (
if "%%i"=="0x3" goto RESET
)

echo Checking if Sophos MCS Client service is still Manual
for /f "tokens=3 " %%i in ('call reg query "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Client" /v Start') do (
if "%%i"=="0x3" goto RESET
)
EXIT

:RESET
echo System is NOT the gold image, proceeding with restoring Sophos services

echo Configure the services before starting them, otherwise they get locked down
SC CONFIG "Sophos MCS Agent" start= auto | rem
SC CONFIG "Sophos MCS Client" start= delayed-auto | rem

echo Turning MCS Agent on and waiting 5 seconds
SC START "Sophos MCS Agent" | rem
TIMEOUT 5

echo Turning MCS Client on and waiting 5 seconds
TIMEOUT 5
SC START "Sophos MCS Client" | rem

echo Re-Enable Tamper Protection
"C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPon | rem