OS Customization fails in VMware vm

We have a VMware environment. I have followed the guide on making a golden image as specified here: https://community.sophos.com/kb/en-us/120560. When I start the new VM it goes through the process of starting the OS customization (change hostname, SID, etc.), then fails with this error: "Windows could not finish configuring the system. To attempt to resume the configuration, restart the computer." I have done the same customization without Sophos installed and it went through. What else do I need to do to get it to work? The OS is Server 2016 in VMware 6.5.



  • Hi,

    I've been faced with the same problem. The cause is tamper protection.
    For the generalization with Sysprep to work, we had to deactivate the tamper protection!
    It seems that Tamper Protection blocks access to certain registry keys.

    When following the KBA, the last line of the SophosGoldImagePrep.txt script must be commented out.

    >echo Enable Tamper Protection
    >REM "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPon | rem


    This behavior occurs with Windows 2016. With Windows 2019 this is not necessary.

  • I worked with support, and so far when we stop the MCS service it runs fine. Now we need to create a startup script that runs once to re-enable the MCS service and then deletes itself if the server name is not the same as the golden image.

  • Hi James, thanks for your update, it helped a lot [:)] We're experiencing the same problem with our Server 2019 Datacentre edition template in vSphere 6.7. Running the unmodified gold image prep script (which works fine with VDI clients), we get the "Windows could not finish configuring the system" message, and the Shift+F10 method of completing the process fails too. So, using your suggestion, we've modified the prep script to also re-configure both the MCS Agent and Client services as Manual Start and leave Tamper Protection disabled, at which point the process runs fine. It's not a great fix as, like you say, the services then need re-enabling after deployment, which is a pain. So see below our script to re-enable them; it's just a quick butchering of the gold image prep script in reverse. It just needs to be scheduled to run on local administrator login and seems to do the trick. There's no real need to delete it afterwards either, as it'll run so infrequently, if ever (if you don't regularly log in as local admin, that is). We'll get a ticket logged with support too to ensure they're aware there's a continuing problem. Cheers, Ken.

    REM Sophos post-Gold Image Re-enable Services script
    REM Schedule this to run at local administrator logon on VMs deployed from the template.
    REM It must run elevated: SC CONFIG and SEDcli both need administrator rights.
    REM Command output is piped to "rem" to discard it, as in the Sophos prep script.

    rem @echo off
    set GOLD_IMAGE_HOSTNAME=CHANGE_ME

    echo Checking if the system is still the gold image
    IF /i "%COMPUTERNAME%" == "%GOLD_IMAGE_HOSTNAME%" (
        echo System is the gold image, exiting
        EXIT
    )

    REM The Start value in the registry is 0x3 for Manual, 0x2 for Automatic / Delayed.
    echo Checking if Sophos MCS Agent service is still Manual
    for /f "tokens=3" %%i in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent" /v Start') do (
        if "%%i"=="0x3" goto RESET
    )

    echo Checking if Sophos MCS Client service is still Manual
    for /f "tokens=3" %%i in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\Sophos MCS Client" /v Start') do (
        if "%%i"=="0x3" goto RESET
    )
    echo Services are already restored, nothing to do
    EXIT

    :RESET
    echo System is NOT the gold image, proceeding with restoring Sophos services

    echo Configure the services before starting them, otherwise they get locked down
    SC CONFIG "Sophos MCS Agent" start= auto | rem
    SC CONFIG "Sophos MCS Client" start= delayed-auto | rem

    echo Turning MCS Agent on and waiting 5 seconds
    SC START "Sophos MCS Agent" | rem
    TIMEOUT /T 5 /NOBREAK

    echo Turning MCS Client on and waiting 5 seconds
    SC START "Sophos MCS Client" | rem
    TIMEOUT /T 5 /NOBREAK

    echo Re-Enable Tamper Protection
    "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe" -TPon | rem
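The batch script above restores the services but never checks that they actually came back or that Tamper Protection is on again, so a deployed VM can silently stay in the weakened post-sysprep state. The following PowerShell script is an added example (not from this thread, Ken, or Sophos) that does the same restore and then verifies it, failing with a non-zero exit code so the scheduled task history shows the problem. Service names, the SEDcli path and "-TPon" are taken from the thread; the "-status" flag is an assumption and should be checked against your SEDcli build.

```powershell
# Added example: restore and verify Sophos MCS services after deployment from a gold image.
$GoldImageHostname = 'CHANGE_ME'   # placeholder: hostname of the template VM
$SedCli = 'C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe'
# Start types mirror the batch script: Agent = auto, Client = delayed-auto.
$Services = [ordered]@{ 'Sophos MCS Agent' = 'auto'; 'Sophos MCS Client' = 'delayed-auto' }

if ($env:COMPUTERNAME -ieq $GoldImageHostname) {
    Write-Output 'This is still the gold image; leaving services untouched.'
    exit 0
}

$problems = @()
foreach ($name in $Services.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $problems += "Service '$name' is not installed"; continue }

    # Configure the start type first: the services lock down once they are running.
    if ($svc.StartMode -ne 'Auto') {
        sc.exe config "$name" start= $Services[$name] | Out-Null
        Write-Output "Set '$name' to $($Services[$name]) (was $($svc.StartMode))"
    }
    if ($svc.State -ne 'Running') {
        Start-Service -Name $name
        Start-Sleep -Seconds 5          # same settle time as the batch script
    }

    # Re-read the service instead of trusting that the commands worked.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc.StartMode -ne 'Auto') { $problems += "'$name' start mode is $($svc.StartMode), expected Auto" }
    if ($svc.State -ne 'Running')  { $problems += "'$name' state is $($svc.State), expected Running" }
}

# Re-enable Tamper Protection, the step the prep script had to leave commented out.
& $SedCli -TPon
if ($LASTEXITCODE -ne 0) { $problems += "SEDcli -TPon exited with code $LASTEXITCODE" }
& $SedCli -status   # assumed flag: prints the current Tamper Protection state for the log

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Sophos MCS services and Tamper Protection restored and verified.'
```

Run it elevated from a logon-triggered scheduled task; anything it reports as a warning is a host that is still unprotected and should be looked at.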
