When you build a reference machine, you must select the core software to include in the base layer carefully, as this software is distributed with the base layer to all end users.

Software considerations apply for image management and special instructions for specific software categories. See Reference Machine Software and Settings.

System-Level Software

For best results, include the following applications in the base layer:

  • Antivirus and security products

  • VPN or other connectivity software, such as iPass

  • Firewalls

  • Windows components and frameworks, such as .NET and Java

  • Global Windows configuration and settings changes

System-level software is sensitive to conflicting software. Endpoints must not receive conflicting software through other distribution methods. If a certain type of system-level software, for example an antivirus, is distributed with a base layer, do not distribute different versions of the same software or conflicting software through other software distribution mechanisms, and the reverse.

Include the organization VPN, antivirus, firewall applications, and the driver store in the minimal restore set.

Software Licensing

The base layer generally includes core applications that an organization uses, while more specialized applications are typically distributed with app layers. Verify that the software is suitable for mass distribution and uses a volume license that does not require machine-specific identification or individual manual activation.

Certain applications are protected by hardware-based identification methods or a unique license key that resides on the endpoint, for example, in a license file, and must not be distributed with the base or app layer or installed on the reference machine. The user can still install these applications on the endpoint or through software distribution solutions that target individual endpoints.

Most enterprise software is protected by a floating or volume license that eliminates this problem.

User-Specific Software

On the reference machine, install software as an administrator, and if the option exists, install software for all users. Exclude user profiles on the reference machine from the base layer so that you do not distribute them. Do not distribute software installed exclusively for a specific user, because it might not function properly.

For example, the Google Chrome default installation is to the current user profile. Make sure you install it for All Users if it is to be included in the base layer.

To ensure the presence of an application shortcut on the end user’s desktop or Programs menu, verify that the shortcut is correctly created when the application is installed on the reference machine. If it is not, create the shortcut manually in the All Users profile.

Applications that set up and use local user accounts or local groups, or both, might not function well on endpoints when the base layer is applied to them. Consequently, you must exclude definitions of local user accounts and local groups from the base layer.

OEM Software

Many hardware vendors include special software to enhance the user experience of their platforms. These applications can support specific hardware buttons, connection management capabilities, power management capabilities, and so on.

To include special software as part of the base layer, use the base layer only for compatible hardware. Do not preinstall hardware-specific software on a single base layer that you want to use for multiple hardware platforms.

Use App layering for OEM software.

Endpoint Security Software

Mirage does not distribute software that changes the Master Boot Record (MBR). Full disk encryption software usually modifies the MBR, so this type of software cannot be delivered with a base layer. Such software can still be installed on individual endpoints through an external delivery mechanism or during first-time provisioning.

Examples of disk encryption software that use pre-boot authentication are Checkpoint Full Disk Encryption, PGPDisk, Sophos SafeGuard, and McAfee Endpoint Encryption.


Mirage requires certain full disk encryption applications to be pre-configured before performing a Windows 7, Windows 8.1, or Windows 10 migration.

Certain security software products take measures to protect their software and do not allow other processes to modify their files. Software of this type cannot be updated through Mirage. Instead, you must use the update process recommended by the security vendor to implement central control and management of that software. Mirage does not interfere with or manipulate the operation of these security products, and does not override the security measures they provide.

BitLocker Support

Microsoft BitLocker, in Windows 7, Windows 8.1, and Windows 10, performs full disk encryption and is fully compatible with Mirage. The state of BitLocker is maintained and managed on each endpoint and does not propagate to the Mirage CVD in the data center.

After you use Boot USB to perform a bare metal restore, the BitLocker state is not preserved and the machine is not encrypted.

You can use BitLocker scenarios:

  • If BitLocker is enabled on the target endpoint. BitLocker remains enabled after Mirage restore, base layer update, or rebase operations, regardless of the BitLocker configuration in the original endpoint on which the CVD was running, or on the reference machine from which the base layer was captured.

  • If BitLocker is disabled on the target endpoint, it remains disabled after Mirage restore, base layer update, or rebase operations.


When you build a Windows 7, Windows 8.1, or Windows 10 base layer for migration purposes, verify that BitLocker is disabled on the reference machine. Otherwise the migration operations cannot be completed.