
OS Customization fails in VMware vm

We have a VMware environment. I have followed the guide on making a golden image as specified here: https://community.sophos.com/kb/en-us/120560. When I start the new VM it goes through the process of starting the OS customization (changing hostname, SID, etc.), then fails with this error: "Windows could not finish configuring the system. To attempt to resume the configuration, restart the computer." I have done the same customization without Sophos installed and it went through. What else do I need to do to get it to work? The OS is Server 2016 in VMware 6.5.



  • Hi  

    Would you please suggest which steps you have followed from the KB article, I mean have you performed script-based steps or manual steps from the KB?

    Also, it'd be great if you can provide us with the error which you are getting during customization of the operating system.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • I did the script-based steps, then I booted the template and manually ran the script as an admin, then shut down, with the same results.

  • Hi  

    Could you please provide the exact error it is showing or the screenshot of the same? 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Here is a screenshot of the error.

     

  • Hi  

    Are you running the script with logging? If yes, the logs will help us narrow down the issue; otherwise I'd ask you to request a remote session on the case which you have opened with Support, as it needs detailed troubleshooting to find the problematic component.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hi  

    As per the support case, the VMware customization was failing because of the services which were hampering the customization. The assigned engineer advised that we need to put the batch file at the end to set the service to automatic, and then make sure that it is currently stopped.

    Also, there is a VMware KB article regarding the same issue which was provided to you.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hi,

    I've been faced with the same problem. The cause is tamper protection.
    For the generalization with Sysprep to work, we had to deactivate the tamper protection!
    It seems that Tamper Protection blocks access to certain registry keys.

    When following the KBA, the last line of the SophosGoldImagePrep.txt script must be commented out.

    >echo Enable Tamper Protection
    >REM "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPon | rem


    This behavior occurs with Windows 2016. With Windows 2019 this is not necessary.

  • I worked with support, and so far when we stop the MCS service it runs fine. Now we need to create a startup script that runs once to re-enable the MCS service and then deletes itself if the server name is not the same as the golden image.

  • Hi James, thanks for your update, it helped a lot :)

    We're experiencing the same problem with our Server 2019 Datacenter edition template in vSphere 6.7. Running the unmodified gold image prep script (which works fine with VDI clients), we get the "Windows could not finish configuring the system" message, and the Shift+F10 method of completing the process fails too.

    So, using your suggestion, we've modified the prep script to also re-configure both the MCS Agent and Client services as Manual Start and leave Tamper Protection disabled, at which point the process runs fine. It's not a great fix as, like you say, the services then need re-enabling after deployment, which is a pain.

    So see below our script to re-enable them. It's just a quick butchering of the gold image prep script, just in reverse. It just needs to be scheduled to run on local administrator login and seems to do the trick. There's no real need to delete it afterwards either, as it'll run so infrequently, if ever (if you don't regularly log in as local admin, that is).

    We'll get a ticket logged with support too, to ensure they're aware there's a continuing problem.

    Cheers, Ken.

    REM Sophos post-Gold Image Re-enable Services script
    REM Schedule to run at local administrator login on machines deployed from the template

    rem @echo off
    REM Set this to the hostname of the gold image (template) itself
    set GOLD_IMAGE_HOSTNAME=CHANGE_ME

    echo Checking if the system is NOT the gold image anymore
    IF /i "%COMPUTERNAME%" == "%GOLD_IMAGE_HOSTNAME%" (
        echo System is the gold image, exiting
        EXIT /B
    )

    REM Start value 0x3 means Manual, as left behind by the modified prep script
    echo Checking if Sophos MCS Agent service is still Manual
    for /f "tokens=3 " %%i in ('call reg query "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /v Start') do (
        if "%%i"=="0x3" goto RESET
    )

    echo Checking if Sophos MCS Client service is still Manual
    for /f "tokens=3 " %%i in ('call reg query "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Client" /v Start') do (
        if "%%i"=="0x3" goto RESET
    )

    REM Neither service is Manual, so there is nothing to restore
    echo Sophos services are already restored, exiting
    EXIT /B

    :RESET
    echo System is NOT the gold image, proceeding with restoring Sophos services

    echo Configure the services before starting them, otherwise they get locked down
    SC CONFIG "Sophos MCS Agent" start= auto | rem
    SC CONFIG "Sophos MCS Client" start= delayed-auto | rem

    echo Turning MCS Agent on and waiting 5 seconds
    SC START "Sophos MCS Agent" | rem
    TIMEOUT 5

    echo Turning MCS Client on and waiting 5 seconds
    SC START "Sophos MCS Client" | rem
    TIMEOUT 5

    REM Tamper Protection is turned back on last, after the services are configured and started
    echo Re-Enable Tamper Protection
    "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPon | rem