Windows 7 - sysprep

Posted on 2016-08-17
Medium Priority
Last Modified: 2016-10-27
Hello experts,
I've just been introduced to one of my clients who has an onsite local engineer supporting the 50 users/machines at this particular site.
The site has been having all sorts of issues relating to roaming profiles for their Windows 7 users, as well as machines not registering in the WSUS console.
I found out that the way this tech is deploying machines, he's essentially cloning a machine without any sysprep, and he's adamant this won't cause any issues. Can you advise if this would be correct? What are the disadvantages of not sysprepping a machine before capture, and what sort of issues can it introduce further down the line?
Question by:craigleenz
LVL 12

Assisted Solution

Sandeep earned 400 total points
ID: 41759168
If sysprep is not used, all the systems will have a similar SID, which will cause you trouble when adding them to WSUS. When such cloned machines are added to WSUS, they face issues. To fix WSUS issues on such cloned machines, you can try this script on those machines.

You can run this script on all those machines, or simply configure it through GPO as a startup script until the issue is fixed.

Create a batch file named ResetSUSClientID.bat using the text below:

Rem – Batch script to delete duplicate SusClientIDs
Rem – Implement this script as a “Startup” or “Logon”  script
Rem – Script creates an output file called %Systemdrive%\SUSClientID.log
Rem – If the %Systemdrive%\SUSClientID.log is already present, then the script simply exits

@Echo off
if exist %systemdrive%\SUSClientID.log goto end
net stop wuauserv
net stop bits
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f  > %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f  >> %systemdrive%\SUSClientID.log 2>&1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f  >> %systemdrive%\SUSClientID.log 2>&1
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
Rem - Jump target for the "log already exists" check at the top of the script
:end
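
To confirm which cloned machines actually share a WSUS client ID before and after running the reset script above, here is an added example (not part of the original answer) that reads the same SusClientId registry value and groups an inventory by it. The function names, the CSV layout and the sample machine names and IDs are constructed for illustration.

```powershell
# Added example: key and value name are the ones the batch script above deletes.
$WuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-LocalSusClientId {
    # One inventory row for this machine; SusClientId is $null if the value is absent.
    $id = $null
    $props = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    if ($props) { $id = $props.SusClientId }
    New-Object PSObject -Property @{ ComputerName = $env:COMPUTERNAME; SusClientId = $id }
}

function Find-DuplicateSusClientId {
    # Groups inventory rows by SusClientId and returns only IDs shared by 2+ machines.
    param([object[]]$Inventory)
    $Inventory |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $names = $_.Group | ForEach-Object { $_.ComputerName } | Sort-Object
            New-Object PSObject -Property @{
                SusClientId = $_.Name
                Count       = $_.Count
                Computers   = $names -join ', '
            }
        }
}

# Constructed sample inventory (hypothetical machine names and IDs), standing in
# for rows gathered by running Get-LocalSusClientId on each machine.
$sample = @'
ComputerName,SusClientId
PC-001,11111111-aaaa-4bbb-8ccc-000000000001
PC-002,11111111-aaaa-4bbb-8ccc-000000000001
PC-003,11111111-aaaa-4bbb-8ccc-000000000001
PC-004,22222222-dddd-4eee-8fff-000000000002
PC-005,
'@ | ConvertFrom-Csv

Find-DuplicateSusClientId -Inventory $sample | Format-Table Count, SusClientId, Computers -AutoSize
```

Every machine listed in a group is a candidate for the reset script; rerunning the check afterwards shows whether each one now reports a distinct ID.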
LVL 12

Expert Comment

ID: 41759169
If you wish to run SysPrep on all those machines, you can use such an answer file and run it with SysPrep when those systems are getting built.


Hope this Helps
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 400 total points
ID: 41759171
An experienced administrator will say "absolutely!" and describe all sorts of scenarios in which the existence of two systems with the same SID could create a black hole that swallows up the planet. They've taken on faith what we all have accepted for years: Duplicate SIDs are the highest form of evil.

Even Mark Russinovich, a software engineer and author who works for Microsoft as a technical fellow, believed that multiple machines with the same SID on the same network would pose a security risk.

LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 800 total points
ID: 41759483
It's very simple:

Sysprep is the only supported method of cloning.  The only thing I've heard of actually being an issue is WSUS.  HOWEVER, because non-sysprep'd systems are NOT SUPPORTED by Microsoft, you never know when a patch changes something and something else is affected.  Microsoft would only TEST against sysprep'd systems, so there could be issues at any time.  Bottom line, ALWAYS SYSPREP.  Redeploy those machines properly.  You should never put your network in an unsupported state unless you absolutely have to and then you should be looking for ways back to supported ASAP.
LVL 19

Accepted Solution

Mike T earned 400 total points
ID: 41761743

The question I always have is simple: why would you NOT ever run sysprep? It's not like it's some horribly complicated act that forces you to wait until there's a blue moon on a Tuesday, and you have to sacrifice a goat.

You just double-click or run a command line and wait 5 whole minutes.

As mentioned above:
a) the outcome of NOT running sysprep is not predictable; no-one can say it definitely breaks XYZ, but it might
b) the one and only method of imaging a system that Microsoft supports is running sysprep. They don't care what imaging tool you use (ghost, imagex, Acronis etc.) - they just mandate you run sysprep to "avoid issues".

The bottom line is you run sysprep in case it might cause unpredictable behaviour.
If you don't, the risk of seeing behaviour you cannot explain is that much greater and yes, you have NO support from MS.

Given that, just run it and get on with life.
Note, when cloning you won't get "similar" SIDs, you will get identical ones, which is what you want to avoid.

Finally, one thing I would add is if you forget about the SID altogether, sysprep does a lot more on top of changing the SID than you would have to do manually, which I'm guessing your admin might not do either.

Resets Windows Product Activation
Clears out MRU entries e.g. so the system doesn't have your username in
Strips the computer name
Puts the machine in a workgroup if it's not already
Uninstalls plug and play device drivers, which reduces the risk of hardware compatibility problems
Clears the eventlog (with the reseal option)
Deletes restore points
Removes the local administrator’s profile/disables the account; so you don’t accidentally copy your admin files to every PC in the company!
Boots to Audit mode so you can install third-party applications and device drivers
Runs mini-setup at first boot afterwards, so NOW you name the machine

For me, those are the real reasons to run sysprep. The duplicate SID is more of a "safer to do it than not and risk your boss standing at your desk to explain why you didn't do it" thing.

Question has a verified solution.
