There are two options for customizing instant clone virtual machines during the creation process: VMware ClonePrep or Microsoft Sysprep.
ClonePrep is a VMware customization process run during instant clone deployment to personalize each desktop clone created from the parent image.
Sysprep is a Microsoft tool to deploy the configured operating system installation from a base image. The desktop can then be customized based on an answer script.
For more information about the differences between ClonePrep and Sysprep, see Choosing ClonePrep or Sysprep for Customizing Your Virtual Desktops.
ClonePrep Guest Customization
ClonePrep ensures that all instant clones join an Active Directory domain. The clones have the same computer security identifiers (SIDs) as the golden image. ClonePrep also preserves the globally unique identifiers (GUIDs) of applications, although some applications generate a new GUID during customization.
When you add an instant-clone desktop pool, you can specify a script so that it runs immediately after a clone is created and another script to run before the clone is powered off.
- How ClonePrep Runs Scripts
ClonePrep uses the Windows CreateProcess API to run scripts. Your script can invoke any process that can be created with the CreateProcess API. For example, cmd, vbscript, exe, and batch-file processes work with the API.
Specifically, ClonePrep passes the path of the script as the second parameter to the CreateProcess API and sets the first parameter to NULL. For example, if the script path is c:\myscript.cmd, the call to CreateProcess is CreateProcess(NULL,c:\myscript.cmd,...).
- Providing Paths to ClonePrep Scripts
You can specify the scripts when you create or edit the desktop pool. The scripts must reside on the golden image. You cannot use a UNC path to a network share.
If you use a scripting language that needs an interpreter to run the script, the script path must start with the interpreter executable. For example, instead of specifying C:\script\myvb.vbs, you must specify C:\windows\system32\cscript.exe c:\script\myvb.vbs.
Important: Put the ClonePrep customization scripts in a secure folder to prevent unauthorized access.
- ClonePrep Script Timeout Limit
By default, ClonePrep terminates a script if the execution takes longer than 20 seconds. You can increase this timeout limit. For details, see Increase the Timeout Limit for ClonePrep Customization Scripts.
Alternatively, you can specify a script that runs another script or process that takes a long time to run.
- ClonePrep Script Account
ClonePrep runs the scripts using the same account that the VMware Horizon Instant Clone Agent service uses. By default, this account is Local System. Do not change this login account. If you do, the clones can fail to start.
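The path rules and the secure-folder note above can be checked on the golden image before the pool is created. The following PowerShell is an added example, not part of VMware Horizon: Test-ClonePrepScript is a hypothetical helper, the list of trusted principals is an assumption, and it assumes the entry is passed unchanged as the CreateProcess command line, as described above.

```powershell
# Added example, not VMware tooling: Test-ClonePrepScript is a hypothetical helper.
# Run it on the golden image with the exact string entered in the desktop pool settings.
function Test-ClonePrepScript {
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = $CommandLine.Trim()
    $findings = @()
    # With a NULL first parameter, CreateProcess takes the program name from the first
    # token of the command line; a path that contains spaces has to be quoted.
    if ($cmd -match '^"([^"]+)"\s*(.*)$' -or $cmd -match '^(\S+)\s*(.*)$') {
        $program = $Matches[1]; $rest = $Matches[2]
    } else { return 'Empty command line' }
    $tokens = @($program) + @($rest -split '\s+' | ForEach-Object { $_.Trim('"') } | Where-Object { $_ })

    if (-not $cmd.StartsWith('"') -and $rest -and (Test-Path -LiteralPath $cmd -PathType Leaf)) {
        $findings += 'Path contains spaces but is not quoted, so the program name is ambiguous'
        $program = $cmd; $tokens = @($cmd)
    }
    if ($tokens | Where-Object { $_.StartsWith('\\') }) {
        $findings += 'UNC path: the scripts must reside on the golden image'
    }
    if ([IO.Path]::GetExtension($program) -in '.vbs', '.js', '.wsf', '.ps1') {
        $findings += "$program must be preceded by its interpreter executable"
    }

    # The scripts run as Local System, so only these principals (an assumed list)
    # should be able to modify the files in the entry or the folders that hold them.
    $trusted = @(
        'S-1-5-18'        # Local System
        'S-1-5-32-544'    # BUILTIN\Administrators
        'S-1-3-0'         # CREATOR OWNER (applies only to objects a writer creates)
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$rights -bor 0x50000000    # also GENERIC_WRITE and GENERIC_ALL
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $files = @($tokens | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
    $targets = $files + @($files | Split-Path -Parent) | Select-Object -Unique
    foreach ($path in $targets) {
        foreach ($ace in (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -notin $trusted -and
                ([int]$ace.FileSystemRights -band $mask) -ne 0) {
                $findings += "$path can be modified by $($ace.IdentityReference.Value)"
            }
        }
    }
    $findings
}

Test-ClonePrepScript 'C:\windows\system32\cscript.exe c:\script\myvb.vbs'
```

An empty result means the entry passed every check; each returned string names one rule the entry or its folder permissions do not meet.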
- ClonePrep Process Privileges
For security reasons, certain Windows operating system privileges are removed from the VMware Horizon Instant Clone Agent process that runs ClonePrep customization scripts. The scripts cannot perform actions that require those privileges.
The process that runs ClonePrep scripts does not have the following privileges:
- SeCreateTokenPrivilege
- SeTakeOwnershipPrivilege
- SeSecurityPrivilege
- SeSystemEnvironmentPrivilege
- SeLoadDriverPrivilege
- SeSystemtimePrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeLockMemoryPrivilege
- SeIncreaseBasePriorityPrivilege
- SeCreatePermanentPrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- ClonePrep Script Logs
ClonePrep writes messages to a log file located in C:\ProgramData\Vmware\VDM\Logs.
Sysprep Guest Customization
- To run Sysprep on some older versions of Windows 10, you must remove Appx Packages installed for all users. In some newer updates of Windows 10, Sysprep automatically removes these packages so you do not have to do so. For instructions on removing Appx packages, see the Microsoft support site.
- Sysprep can fail because there are Windows updates pending. To prevent this, run a Microsoft Windows update on the golden image VM and consider disabling the Microsoft Windows update service for instant clones. You can also check the Windows update page to confirm that there are no pending updates or errors displayed.
- By default, Sysprep generalize disables the built-in administrator account. If there is no other user account on the golden image VM, and if clone customization fails, users are not able to log in to the clone VM to collect debug information. When attempting to log in as the local administrator, users will see a message on the login screen saying 'Your account has been disabled. Please see your system administrator.' To resolve this issue, create new user accounts on the golden image VM following the instructions on the Microsoft support site.
- A vTPM device can be added to instant clones with ClonePrep or Microsoft Sysprep guest customization. If you are using Sysprep customization, and have smart provisioning enabled or have parent VMs disabled (Mode B), make sure that all hosts in the cluster are running ESXi 7.0 Update 3f or later.