There are two options for customizing instant-clone Windows virtual machines (VMs) during the creation process: VMware ClonePrep and Microsoft Sysprep.

Note: This page describes the guest customization options for Windows instant clones. For information on customizing Linux instant clones, see Using ClonePrep to Customize Linux Desktops.

ClonePrep is a VMware customization process run during instant clone deployment to personalize each desktop clone created from the parent image.

Sysprep is a Microsoft tool to deploy the configured operation system installation from a base image. The desktop can then be customized based on an answer script.

Guest Customization Options

ClonePrep and Sysprep ensure that all instant clones join an Active Directory domain. When you use ClonePrep, the clones have the same computer security identifiers (SIDs) as the golden image. If you need instant clones to have different SIDs from one another and from the golden image, use Sysprep. ClonePrep also preserves the globally unique identifiers (GUIDs) of applications, although some applications generate a new GUID during customization. For more guidance on the different clone types, see KB 2003797.

When you add an instant clone desktop pool, whether you are using ClonePrep or Sysprep, you can specify a script so that it runs immediately after a clone is created and another script to run before the clone is powered off.

  • Running Scripts

    ClonePrep and Sysprep use the Windows CreateProcess API to run scripts. Your script can invoke any process that can be created with the CreateProcess API. For example, cmd, vbscript, exe, and batch-file processes work with the API.

    ClonePrep and Sysprep pass the path of the script as the second parameter to the CreateProcess API and sets the first parameter to NULL. For example, if the script path is c:\myscript.cmd, the call to CreateProcess is CreateProcess(NULL,c:\myscript.cmd,...).

  • Providing Paths to Scripts

    You can specify the scripts when you create or edit the desktop pool. The scripts must reside on the golden image. You cannot use a UNC path to a network share.

    If you use a scripting language that needs an interpreter to run the script, the script path must start with the interpreter executable. For example, instead of specifying C:\script\myvb.vbs, you must specify C:\windows\system32\cscript.exe c:\script\myvb.vbs.

    Important: Put the customization scripts in a secure folder to prevent unauthorized access.
  • Script Timeout Limit

    By default, ClonePrep and Sysprep terminate a script if the execution takes longer than 20 seconds. You can increase this timeout limit. For details, see Increase the Timeout Limit for ClonePrep Customization Scripts on a Windows Machine.

    Alternatively, you can specify a script that runs another script or process that takes a long time to run.

  • Script Account

    ClonePrep and Sysprep run the scripts using the same account that the VMware Horizon Instant Clone Agent service uses. By default, this account is Local System. Do not change this login account. If you do, the clones can fail to start.

  • Process Privileges

    For security reasons, certain Windows operating system privileges are removed from the VMware Horizon Instant Clone Agent process that runs customization scripts. The scripts cannot perform actions that require those privileges.

    The process that runs scripts do not have the following privileges:

    • SeCreateTokenPrivilege
    • SeTakeOwnershipPrivilege
    • SeSecurityPrivilege
    • SeSystemEnvironmentPrivilege
    • SeLoadDriverPrivilege
    • SeSystemtimePrivilege
    • SeUndockPrivilege
    • SeManageVolumePrivilege
    • SeLockMemoryPrivilege
    • SeIncreaseBasePriorityPrivilege
    • SeCreatePermanentPrivilege
    • SeDebugPrivilege
    • SeAuditPrivilege
  • Script Logs

    ClonePrep and Sysprep write messages to a log file located in C:\ProgramData\Vmware\VDM\Logs.

Sysprep Guest Customization (with pre-created computer account)

You can provision an instant clone desktop pool with Microsoft Sysprep customization. In this workflow, Horizon will pre-create the computer accounts. You can also set pre-shutdown and post-synchronization scripts when using Sysprep customization.

Note the following information regarding Sysprep in Microsoft Windows guests.
  • Microsoft Sysprep process might fail for certain Appx packages installed on the golden image VM. You must manually remove these Appx packages from the golden image VM for clone provisioning to complete. See the Microsoft support site.
  • Sysprep can fail because there are Windows updates pending. To prevent this, run a Microsoft Windows update on the golden image VM and consider disabling the Microsoft Windows update service for instant clone. You can also check the Windows update page to confirm that there are no pending updates or errors displayed.
  • By default, Sysprep generalize disables the built-in administrator account. If there is no other user account on the golden image VM, and if clone customization fails, users are not able to log in to the clone VM to collect debug information. When attempting to log in as local administrator, users will see a message on login screen saying 'Your account has been disabled. Please see your system administrator.' To resolve this issue, create new user accounts on the golden image VM following the instructions on the Microsoft support site.
  • A vTPM device can be added to instant clones with ClonePrep or Microsoft Sysprep guest customization. Instant clone Smart Provisioning uses Mode B (clones created without parent VM) by default. However, if you are using a vTPM device on ESXi hosts with versions older than 7.0 update 3f then Smart Provisioning will select Mode A (clones created with parent VM). See KB 81026 for changing provisioning modes.

Sysprep Guest Customization (without pre-created computer account)

In this guest customization, Microsoft Sysprep will pre-create the computer accounts, not Horizon. If your AD environment is complex and consists of multiple sites and datacenters, you may run into provisioning issues described in this KB https://kb.vmware.com/s/article/2147129. Only a small portion of customers with multiple AD sites and datacenters have faced this issue. Use Sysprep guest customization without pre-created computer account to automatically select AD site for instant clone pool creation globally or at the pool level. Enabling the feature at the pool level allows you to test the new provisioning workflow on a test pool before enabling it globally for all pools using this workflow. See Enabling Sysprep Guest Customization (without pre-created computer account).