
Fixing why Sysprep fails in Windows 10 due to Windows Store updates

Apr 13 2017

When creating reference images for Windows 10, Sysprep is going to fail if the machine has Internet access and has enough time to start updating its built-in applications, or to install new ones as part of the consumer experience feature. This post is about preventing that from happening, and is a companion to the uber-guide on building Windows 10 reference images in the real world.

The issue is explained in a KB from Microsoft, but its workarounds are not very good for automation purposes.

Sysprep fails after you remove or update Windows Store apps that include built-in Windows images

Note #1: This is quite a long post, and if you just want the fix, scroll to the end, to the Fixing the problem section. But if you want to pick up some background info, and possibly learn something new in the process, continue as you were :)

Note #2: I have seen a few other workarounds, including temporarily disabling/enabling Internet access etc., but this post takes care of the problem once and for all :)



If modern apps in Windows 10 are being updated during the build and capture of a reference image, Sysprep may fail because it cannot remove the update. Note that this doesn’t happen all the time; it’s a timing issue, but it sure happens often enough to be an issue.

If that happens you will get the following error in the BDD.LOG and LTISysprep.log log files:

Expected image state is IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE, actual image state is IMAGE_STATE_COMPLETE, sysprep did not succeed.
FAILURE ( 6192 ): ERROR - Sysprep did not complete successfully, check C:\windows\system32\sysprep\panther\setupact.log for details


Then, in the C:\Windows\System32\Sysprep\Panther\setuperr.log you see the following (or similar):

Error                 SYSPRP Package Microsoft.DesktopAppInstaller_1.0.1471.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.
Error                 SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
Error      [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralizeValidate' from C:\Windows\System32\AppxSysprep.dll; dwRet = 0x3cf2
Error                 SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x3cf2
Error                 SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x3cf2
Error      [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
Error      [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep generalize internal providers; hr = 0x80073cf2


 Error from MDT when sysprep fails
This is what it looks like during the MDT build and capture process.


More Details of the modern apps

Now, the above log is quite obvious: an app named Microsoft.DesktopAppInstaller_1.0.1471.0 was being installed or updated, and Sysprep could not remove it.

To see which modern applications you have in your system (for the Administrator user account in this case), you can just run Get-AppxPackage in a PowerShell prompt, or (Get-AppxPackage).count to see the number of apps. For a Windows 10 v1607 CB machine that did not update any built-in apps, I had 54 apps installed, whereas a system which had been allowed to update them had 58 apps.

A Windows 10 v1607 CB machine with no updates allowed, showing 54 apps.

A Windows 10 v1607 CB machine with updates allowed, showing 58 apps.

But what about apps being actually updated? Well, you can get additional info via the Event Viewer. You go to Microsoft / Windows / AppXDeployment-Server / Microsoft-Windows-AppXDeploymentServer / Operational and filter on Event ID 478 to see successful updates.

The Event Viewer with a filter on ID 478 showing installations of modern apps.


More PowerShell

You can also view this using PowerShell, but you have to use the Get-WinEvent cmdlet, because Get-EventLog can handle only classic event logs (System/Setup/Application etc.). So here is the command to list installations/updates for Windows 10 applications.

Get-WinEvent -LogName "Microsoft-Windows-AppXDeploymentServer/Operational" | Where-Object {$_.ID -eq 478} | Select TimeCreated,Message | Format-Table -AutoSize -Wrap

Using PowerShell to list event log entries of installed/updated applications in Windows 10.
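To connect the setuperr.log error shown earlier with these event log entries, here is an added example (not from the original post) that parses the Sysprep log for the packages it names and then looks up their Event ID 478 entries. The function name Get-SysprepAppxFailure is hypothetical, the sample lines are copied from the log excerpt above, and the filter on the event message text assumes the message contains the package name.

```powershell
# Added example: extract the packages Sysprep reports in setuperr.log as
# "installed for a user, but not provisioned for all users".
function Get-SysprepAppxFailure {
    [CmdletBinding()]
    param(
        # Log lines to scan; by default the file named in the post.
        [string[]]$Line = (Get-Content 'C:\Windows\System32\Sysprep\Panther\setuperr.log' -ErrorAction SilentlyContinue)
    )
    $pattern = 'SYSPRP Package (?<full>\S+) was installed for a user, but not provisioned for all users'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            # PackageFullName = Name_Version_Architecture_ResourceId_PublisherId
            $parts = $Matches.full -split '_'
            [pscustomobject]@{
                PackageFullName = $Matches.full
                Name            = $parts[0]
                Version         = $parts[1]
                Architecture    = $parts[2]
                PublisherId     = $parts[-1]
            }
        }
    }
}

# Sample input: two lines copied from the setuperr.log excerpt in this post.
$sample = @(
    'Error                 SYSPRP Package Microsoft.DesktopAppInstaller_1.0.1471.0_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.'
    'Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.'
)
$blocked = Get-SysprepAppxFailure -Line $sample
$blocked | Format-Table Name, Version, Architecture -AutoSize

# Look up when each reported package was installed or updated (Event ID 478).
# Assumption: the event message text contains the package name.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppXDeploymentServer/Operational'
    Id      = 478
} -ErrorAction SilentlyContinue
foreach ($b in $blocked) {
    $events | Where-Object { $_.Message -like "*$($b.Name)*" } |
        Select-Object TimeCreated, Message
}
```

On a machine where Sysprep has just failed, call Get-SysprepAppxFailure without -Line to read the real log.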

If you compare the count of apps from the event log between a system that has had its apps updated and one that has not (by simply putting the command in parentheses and adding .count), you find that a system allowed to update its apps will have over a hundred entries, whereas a system with no Internet access, or with updates disabled, will have fewer than a hundred.

Below is the output from a system without updates to the modern apps in Windows 10 v1607 CB, a total of 82 entries for the apps. Another machine that I deployed and allowed to update ended up with 136 entries for the apps.

A Windows 10 machine with no updates, showing 82 entries for apps in the event log.

A Windows 10 machine with updates, showing 136 entries for apps in the event log.


Fixing the problem

The obvious fix for the problem is to deny the virtual machine Internet access, but still allow updates via a local WSUS server. So do the following:

1. Install a local WSUS server, approve the needed updates, and configure MDT to use it (WSUSServer variable)

2. Then, when creating the Windows 10 reference image, make sure the virtual machine doesn’t have Internet access.

No Internet access means no updates breaking Sysprep :)


Update: It seems that setting HideShell=YES in cs.ini also prevents apps from coming down. Of course, that also stops you from doing anything interactive during the build and capture process, but hopefully you don’t need that once you have nailed your task sequence. Big thanks to Roman Zuravljov for that tip.


But what if the preceding fix is not an option?

What if you need Internet access for other reasons?

Or can’t install a local WSUS server for some reason?

Well, keep on reading.


Fix the sysprep issues by adding a script to disable Store Updates as well as Consumer Experience Apps

Simply add a script that sets the needed registry values during the offline WinPE phase, so that Windows Store updates and the Consumer Experience features are disabled even before Windows 10 starts the first time. Very Shiny.

Note #1: The script has a dependency on ZTIUtility.vbs, so if you put it into another folder, make sure to copy ZTIUtility.vbs with it, or update the reference in line 2 of the script.

Note #2: Disabling the Consumer Experience feature is only available for Enterprise and Education editions of Windows 10. So if you're using Windows 10 Pro, you have to either disable Internet access or try the HideShell=YES setting in cs.ini.


Here is the script:

1. Copy the script to your deployment share / scripts folder, and configure your build and capture task sequence to run it in the Postinstall phase (WinPE phase).

Command line: cscript.exe "%SCRIPTROOT%\Config-DisableWindowsStoreUpdates.wsf"


Task Sequence configured to disable updates of Windows Store applications during the first WinPE phase.


Enabling updates once again before capture

Unless you are enabling these features via GPO during deployment, it makes sense to enable them once again just before capture, again in the offline WinPE phase.

Note: This script also has a dependency on ZTIUtility.vbs, so if you put it into another folder, make sure to copy ZTIUtility.vbs with it, or update the reference in line 2 of the script.


Here is the script:

1. Copy the script to your deployment share / scripts folder, and configure your build and capture task sequence to run it at the end of the State Restore phase (second WinPE phase).

Command line: cscript.exe "%SCRIPTROOT%\Config-EnableWindowsStoreUpdates.wsf"


Task Sequence configured to enable updates of Windows Store applications just before capture.
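The offline registry change described in the two sections above, as an added PowerShell example; it is not the Config-DisableWindowsStoreUpdates.wsf or Config-EnableWindowsStoreUpdates.wsf scripts from this post and does not use ZTIUtility.vbs. It assumes PowerShell is present in the WinPE boot image and that the deployed OS is on C:, and the two values are the Group Policy settings for the features named in the post, so treat them as an assumption about what the original scripts set; the function and mount names are hypothetical.

```powershell
# Added example: set or clear Store auto-update and Consumer Experience
# policies in the offline SOFTWARE hive from WinPE.
function Set-OfflineStoreUpdatePolicy {
    [CmdletBinding()]
    param(
        [ValidateSet('Disable', 'Enable')]
        [string]$Mode = 'Disable',
        [string]$OSDrive = 'C:',                 # assumption: offline OS volume
        [string]$MountName = 'OfflineSoftware'   # hypothetical temporary hive name
    )
    $hive = Join-Path $OSDrive 'Windows\System32\config\SOFTWARE'
    if (-not (Test-Path $hive)) { throw "Offline SOFTWARE hive not found: $hive" }

    # Policies: "Turn off Automatic Download and Install of updates" (Store)
    # and "Turn off Microsoft consumer experiences" (Cloud Content).
    $policies = @(
        @{ Key = 'Policies\Microsoft\WindowsStore';         Name = 'AutoDownload';                   Value = 2 }
        @{ Key = 'Policies\Microsoft\Windows\CloudContent'; Name = 'DisableWindowsConsumerFeatures'; Value = 1 }
    )

    & reg.exe load "HKLM\$MountName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }
    try {
        foreach ($p in $policies) {
            $path = "HKLM:\$MountName\$($p.Key)"
            if ($Mode -eq 'Disable') {
                if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                New-ItemProperty -Path $path -Name $p.Name -Value $p.Value `
                    -PropertyType DWord -Force | Out-Null
            }
            elseif (Test-Path $path) {
                # Enable = remove the policy value so the default applies again.
                Remove-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
            }
        }
    }
    finally {
        # Release registry provider handles so the hive unloads cleanly.
        [gc]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}
```

Call it with -Mode Disable in the Postinstall phase and -Mode Enable just before capture, matching the two task sequence steps above.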


Written by Johan Arwidmark.


Happy deployment, and thanks for reading!

What our lawyers make us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.
