Creating an Activated Windows Server 2008 R2 VMware Template using Microsoft Sysprep
I’ve been experimenting with creating a good Windows Server 2008 R2 template for VMware vSphere 4 and wondered just how many times Microsoft would allow an activation on the same MSDN license key (Multiple Activation) for the OS. I often deploy multiple servers at a time and am always fearful of activating since I don’t want the key to be shut off. Typically I only run these servers for short periods of time so not activating is no big deal, however in longer running projects I often have no choice but to either activate or destroy and redeploy. With information that I’ve come across on the Internet, I’ve managed to consolidate a method that does not break the Windows Server 2008 activation, while still sysprep’ing and generating a new SID.
This process can be used for other virtualized environments as well I’m sure, but in this case I created it for VMware vSphere.
Create and Activate a Windows Server 2008 R2 VM.
Download the WAIK (Windows Automated Installation Kit) from Microsoft. This is a pretty good sized download (almost 2 GB if I remember correctly) so go and grab a cup of coffee or something, or watch the Jack Bauer Power Hour (also known as ‘24’), or something to pass the time while downloading. You’ll also need a copy of the Windows Server 2008 R2 DVD, so if you don’t have that handy, log into your MSDN account and pull it down as well.
After downloading the WAIK, install it on your workstation. You do not need to run it from the target machine. I configured this on my Win 7 development box. We’re going to create an unattend.xml file to be used with Sysprep to configure the template.
After the WAIK install, run Windows System Image Manager (WSIM) (located in Start > Programs > Microsoft Windows AIK > Windows System Image Manager by default). Insert your Windows Server 2008 R2 DVD into your local drive, or mount the image. You’ll need files from it.
Choose File > Select Windows Image…
Navigate to your server CD/DVD in the Select a Windows Image browser. Inside the ‘Sources’ directory, choose the version of Windows Server that you want to create the unattend file for.
This should add the Catalog information to the lower left hand area of WSIM as seen below.
Create or Open an Answer File in the ‘Answer File’ area of WSIM.
Expand Components and drag and drop to the ‘Answer File’ area as pictured and described:
- Under 3 Generalize
- amd64_Microsoft-Windows-OutOfBoxExperience_neutral
- amd64_Microsoft-Windows-Security-SPP_neutral
- amd64_Microsoft-Windows-ServerManager-SvrMgrNc_Neutral
- Under 4 Specialize
- amd64_Microsoft-Windows-IE-InternetExplorer_neutral
- amd64_Microsoft-Windows-Shell-Setup_neutral
- Under 7 oobeSystem
- amd64_Microsoft-Windows-International-Core_neutral
- amd64_Microsoft-Windows-Shell-Setup_neutral
In case you’re like me and wondered if amd64 meant that it was for amd processors, the amd64_… items are for all 64 bit platforms whether Intel or AMD.
Keep in mind that 99% of these settings are personal choice for my template. The ONE that really matters is coming up very shortly.
Clicking on the items in the middle ‘Answer File’, I made the following adjustments using the area on the right ‘… properties’. The item in bold below (amd_64_Microsoft-Windows-Security-SPP_neutral: SkipRearm = 1) setting is the setting that will keep Windows from needing to reactivate after Sysprep has been run.
- 3 generalize
- amd64_Microsoft-Windows-OutOfBoxExperience_neutral
- DoNotOpenInitialConfigurationTasksAtLogon = true
- amd64_Microsoft-Windows-Security-SPP_neutral
- SkipRearm = 1
- amd64_Microsoft-Windows-ServerManager-SvrMgrNc_neutral
- DoNotOpenServerManagerAtLogon = true
- 4 specialize
- amd64_Microsoft-Windows-IE-InternetExplorer_neutral
- DisableAccelerators = true
- DisableFirstRunWizard = true (this one really drives me nuts)
- Home_Page = about:blank
- ShowCompatibilityViewButton = true
- TrustedSites = [any sites that you want to automatically be trusted by the browser – separated by semi-colons]
- amd64_Microsoft-Windows-Shell-Setup_neutral
- ProductKey = [your product key… can’t have mine.
] - RegisteredOrganization = [your company name]
- RegisteredOwner = [your name]
- TimeZone = [your time zone – Mountain Standard Time]
- 7 oobeSystem
- amd64_Microsoft-Windows-International-Core_neutral
- InputLocale = [your localization info ie. en-US]
- SystemLocale = [your localization info ie. en-US]
- UILanguage = [your localization info ie. en-US]
- UserLocale = [your localization info ie. en-US]
- amd64_Microsoft-Windows-Shell-Setup_neutral
- (click the plus sign to get to these) Display > Color Depth = 32
- Display > HorizontalResolution = [your preferred width – ie. 1024]
- Display > VerticalResolution = [your preferred height – ie. 768]
- OOBE > HideEULAPage = true
- UserAccounts > AdministratorPassword = [your local admin password]
You can check out the documentation and continue customizing until your heart is content. Once again, the important flag to set is SkipRearm = 1. This will prevent you from having to reactivate Windows.
When your customization is complete, go to File > Save Answer File. I named mine ‘unattend.xml’.
In your Windows Server 2008 R2 virtual machine, copy the unattend.xml file into the following path:
c:\windows\system32\sysprep\
Create the following path if it doesn’t exist:
c:\windows\setup\scripts\
Inside the ‘scripts’ directory, create a text file with the following line inside:
del /Q /F c:\windows\system32\sysprep\unattend.xml
This will delete the unattend.xml file that you have stored after sysprep completes, otherwise the file will still be there. Name the file ‘SetupComplete.cmd’. It is VERY important to make sure that you give this file the .cmd extension and not allow it to keep the .txt extension. Make sure that ‘hide file extensions for known file types’ is unchecked inside the folder view options. You should see an icon similar to the one below, instead of the typical text file icon.
You’re almost ready to Sysprep the environment now.
I cloned the VM at this point so that I would have a clean environment in which to go back and make changes to, like running Windows Updates, etc., for when I need to generate a new template or an updated template.
Read the following paragraphs in their entirety before doing anything further. You can lose your template if you reboot a sysprep’ed VM.
If you’ve made all the changes / installations / etc. to the OS and have your unattend file configuration completed, on the server, from the command prompt (you should run the command prompt as Administrator), run the following commands.
cd c:\windows\system32\sysprep\
sysprep /generalize /oobe /shutdown /unattend:unattend.xml
This ‘sysprep’ command tells sysprep to use configuration information from the ‘generalize’ node and ‘oobe’ node of the xml file. The ‘specialize’ section will run automatically and does not need to be included as a parameter. The ‘shutdown’ switch tells the system to shutdown after sysprep completes, in case you were wondering.
After sysprep finishes running and the system shuts down, it is VERY IMPORTANT that you DO NOT START THE SERVER (as in reboot). Upon reboot, sysprep will run it’s commands and you will have a new system. If you do this, you just lost your template, though I guess nothing would stop you from simply sysprep’ing your system again.
In vCenter, immediately right-click this virtual machine and select ‘Template’ > ‘Clone to Template’ or ‘Convert to Template’ based on what you want to do with the original.
When deploying a virtual machine from this template, make sure to choose ‘Do Not Customize’ in the Deploy Template wizard > Guest Customization screen. Your customizations are already baked into the OS thanks to Microsoft. When you boot the new VM, you will see sysprep configuring the OS.
Thanks to all the bloggers out there whose information helped me to consolidate this post. Also, thanks Microsoft for including this feature and providing such thorough documentation.
About the author
- More at
Worked like a charm, brother! Great post! The only thing I had to do different was to modify the syntax to sysprep the machine. It needed the parameter before the file name. (/unattend:)
sysprep /generalize /oobe /shutdown /unattend:unattend.xml
Thanks for the note Frank! Updated the blog to reflect that.
This didn’t seem to work for me. I’m running x86. The name of one of the options didn’t exist but i have Microsoft-Windows-Security-Licensing-SLC, and I set SkipRearm = 1 on that one.
Here is what I did that even more disturbing is that it’s loosing activating just by doing a simple clone (even before sysprep). I activated the copy, shut it down, cloned it to a new one (not customizing anything — basically making a copy) and then starting up the copy. Everything is technically still the same (with the exception of the underlying VMWare UUID and the MAC address). At that point in time it still complains that it has 3 days to activate. Running the original in another window and it’s still activated.
It’s not really a super issue as I have several keys but we’ve alreay run into issues with keys in the past moving VM’s to different hardware, and having to reactivate it again.
Great Article! One thing you can also do though, you can just import the xml file into the vCenter customization specifications, and then you don’t have to sysprep every time you make a change, you can continue to work with your template as normal, shut it down, and vSphere will deploy the customization during the template deployment process.
@Gary: What OS were you doing this on? I’ve only tested it on R2, which is 64-bit.
@Justin: Thanks for the update Justin! That’s a great point I didn’t even consider.
The AIK you link to is the 2003 / XP one (which hasn’t worked so far for me) – surely it should be the 2008 R2 / Win7 one?
http://www.microsoft.com/downloads/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en
@Simon: Thanks for the heads-up on the AIK link. I’ve updated the blog post to reflect the 2008R2 and Win7 AIK.
Thanks for a great article, this helped me track down a couple of small details that were messing up my sysprep process. I am curious about somthing though… I’m Running VMWare ESX 3.5U3, machines hosted on NFS storage volumes. I’ve created a 2008R2 Standard template, activated it, and prepped it as indicated in your article. When deploying an image from the template, a new VMWare UUID/biosID is created for the resulting machine. This seems to break the activation of my machine every time. I’m confident that the SkipRearm parameter is being applied, because the resulting machine still has 3 available rearms after cloning (verified using slmgr.vbs /dlv) Has anyone else seen this behavior, or know of a way to circumvent it? I’ve tested with a MSDN MAK we have available as well as an “unlimited” SPLA key and both give the same results.
@Drew: Unfortunately I haven’t played around with ESX 3.5 and a 2008R2 template so I don’t have any info on that. If I get a chance to stand it up in a lab I’ll do so and post back comments here, but it will likely not be anytime soon. Good luck and I hope you’re able to find a solution. Please let us know if you do.
@clement: Thanks for the response. I know the answer here is probably “get current” on the VMWare side, and that project is in the pipeline, so I’ll certainly let you all know if it resolves my issues. I have done a little more testing and can now say without a doubt that a base clone (even without using syprep to re-sid/rename) will cause a new UUID to be created and break the windows activation of the R2 machine. I have a few other things to try but I think it may be a lost cause on 3.5. Thanks again.
@Drew: Best of luck with it. I hope something works out for you before the upgrade since the pipeline may be a ways off. If I come across anything that matches your needs in my Internet travels, lab experimentation, or client work, I’ll be sure to post it back here, and send you an email to let you know.
By the way, you might want to also consider a Microsoft license server on your local network. I don’t know the exact specifications for it, but you can set up a remote activation system that will allow you/your organization to manage the licenses without the need for Internet activation. This is how users can install activation based software on secure / private networks without the need to pick up the phone and call MS with every activation. I know it’s only a patch, but may help you in the interim between now and your upgrade.
I’m looking to add this under the following tag
vim.vm.customization.SysprepText
into a VMware generated customisation script XML
Everytime I try to import the value I get an invalid XML import, if someones managed to do this successfully please include it in the comments.
Found this guide, and followed it to the letter (Win2k8R2). Deployed to an ESXi4.1 host, but the final VM still requested re-authentication. I definately included SkipRearm and included our MAK key in the unattend.xml file.
I have a couple of questions about this;
Do you enter the product key in the same format as a manual activation? e.g. xxxxx(dash)xxxxx(dash)xxx etc
If there are any errors in the unattend.xml file, will the whole file be rejected, or just the line with errors?
I added the time zone as (in my case); GMT. Is this acceptable, or does it need to be set to the full text?
@Tony, I’ll answer what I can…
On the product key: Yes, I entered the product key with the dashes included.
Errors in the unattend file: I’m not sure about this. I would assume that an error would only error out that line, but with the way things are thrown together sometimes, it is entirely possible that a single error will corrupt the sysprep or at least corrupt that section of the sysprep.
Time Zones: The time zones require an exact string format. “GMT” will not work. For GMT, use the text “GMT Standard Time”. To look up the time formats, you can use: “tzutil /l”. TZUTIL (time zone utility) is available under windows 7 installations, and likely server 2008 R2 though I haven’t confirmed this. The switch is an ‘L’ as in List.
Hope this helps. Let me know how this works out for you.
Good luck.
Thanks Clement, I really appreciate your time. I’ll make some changes to my unattend.xml file to reflect this. I have some more information on this now.
My testing involves the following;
Taking the .OVA template (built and exported from an ESXi 4.1 host), and importing this on a vSphere 4.0 cluster. Once imported, I ‘clone to template’, then start the resulting VM. I have confirmed that this works ok, and the resulting 2008R2 VM shows as activated. The cluster and ESXi4.1 host have full Internet connectivity.
I also have another totally standalone network, with an ESXi 4.1 host. This is the network I really need to be able to deploy the pre-activated 2008R2 VM’s on, but on this network, when I start the VM, 2008R2 shows as needing re-activation. I’m using exactly the same template, but as stated, this network has no Internet connectivity.
If I try the template on another (Internet connected) ESXi 4.1 host, this template works fine.
Any ideas?
Also tried this (http://www.mydigitallife.info/2009/09/24/how-to-backup-and-restore-windows-7-and-server-2008-r2-activation-status-activate-offline-on-reinstall/) as a possible workaround, taking the files from an auto-activated VM that worked ok using your method, but still no joy.
Just to get this VM activated, I went through MS’s automated phone activation system, which did work for the standalone VM.
@Tony: Not sure why you’re encountering what you’re encountering. Is it the VM that needs Internet connectivity, or the host itself? Can you try deploying the template to a host that has Internet connectivity but the VM is not connected to a vSwitch that has Internet connectivity?
Hi Clement, Thank you for documenting this process.
Would you have any idea what the best process for troubleshooting a failure that occurs after the “Power On” of a newly created vm post the successful build of a vm via “deploy from template”?
The new vm starts, but then hangs with the error:
———————————————————————
Install Windows (X)
———————————————————————
Windows could not finish configuring the system. To attempt to resume configuration, restart the system.
———————————————————————-
I click ok, it reboots and then hangs in same place with same error in a loop sequence – forever.
If I “power off” and the “power on” and perhaps a “reset” or two I can get the vm to boot into the gui. The activation and key are still correct and the name has been generalized. The SID changes so some of the sysprep must be working…
Any thoughts on the best log files to review or suggestions on fixing this type of issue?
Do you use the vmxnet3 driver or the e1000 on your nic? (just curious if it is a nic issue on w2008r2)
/suntzu
@suntzu: Can’t say I’ve run into the issue that you’re having. My guess would be that something was messed up in the actual VM that was being sysprepped and not your deployed VM, but again I’m not sure. This all worked right out of the box with no issues for me.
I’m using the E1000 driver. Which are you using?
The only log files that might show some data are the Windows log files, but I’m guessing you looked at those and didn’t find the problem?
Have you tried re-sysprepping to basically start with a fresh template?
Hi Clement, Thanks for the response. I am using the vmxnet3 and I am wondering if this may be the issue? I am not sure… As I indicated “everything” seems to be working providing I dork around with some reboots, which kind of sucks, but better then building from scratch
Again thanks for the blog post on this topic.
/suntzu
@suntzu: May be the OS having issues with the driver or the virtual hardware. If I get a chance, though it probably won’t be soon, I’ll try to create a template with the vmxnet3 driver and see if I can reproduce the problems that you’re having. That would prove it outright. I’ll respond again and maybe pop you an email after I get a chance to play with it.
@suntzu: Did you include the license key in the unattend file? Check out this post on RTFM Education: http://www.rtfm-ed.co.uk/2010/07/30/a-funny-experience-with-windows-7-sysprep-and-view-4-5/
This may apply to server 2k8 as well?
Please let me know if this works out for you.