VMware Horizon View – Windows 10 Golden Image Creation

In this blog post I describe the steps required to create a Virtual Machine template using Windows 10 from scratch. (the same procedure also works for Windows 7)

Only optimizations of the core OS are described, the impact of installed applications within the guest will also need to be evaluated.

Below are the steps to follow to create an optimized golden image for VDI

STEP 1: VMware Template Configuration

Create a new Virtual Machine using the vSphere Web client

    • Name: depending on naming convention standards (Note: use a name of less then 15 characters)
    • Location: depending on the environment
    • Compute Resource: depending on the environment
    • Storage: depending on the environment
    • Compatibility (=Hardware version): choose the highest available for your environment (depends on your version of ESXi)
    • vCPUs: 2
    • Memory: 3072 MB
    • Reserve all guest memory
    • HDD: 32 GB (disk size depends on the size of expected locally installed applications)
    • SCSI Controller: LSI Logic SAS
    • Network:
    • VLAN depending on the environment
    • Connect at Power On: YES
    • Adapter Type: VMXNET3
    • CD/DVD Drive:
    • Select “Datastore ISO File”
    • browse to the appropriate OS iso file
    • Connect at Power On: YES
    • Floppy Drive: Remove
    • Video Card:
    • Select “Specify Custom Settings”
    • Number of displays: 4
    • Total Video Memory: 128 MB
    • Enable 3D support: ONLY enable when you have a GPU card installed in the ESXi hosts
    • 3D renderer: Automatic
    • 3D Memory: 256 MB
    • Customise Hardware – VM Options tab
    • Boot options:
    • Force BIOS setup: Enable “The next time the virtual machine boots, force entry into the BIOS setup screen”
    • Advanced:
    • Settings:
    • Ensure “Enable logging” is unchecked
    • Configuration Parameters:
    • Edit Configuration Parameters
    • Add Row
    • Name: devices.hotplug
    • Value: false

Power on the newly created VM and open the console from within the vSphere client to change the BIOS settings

  • Go to the Advanced tab – I/O Device Configuration and disable Serial Ports, Parallel Ports and Floppy Disk Controllers
  • Go to the Boot tab and change the boot order so the Hard Disk is 1st and the CD-ROM drive is the 2nd boot device
  • Save and exit (F10)

STEP 2: OS Installation

Boot the VM from the Windows iso file

Ensure the language, time/currency format and keyboard/input method selections are correct and click “Next”

Click  “Install Windows”

Accept License terms and click “Next”

Select “Custom – Install Windows only”

Select the drive where you want to install Windows (There will be only one”) and click “Next”

Follow the Wizard to finalise a default Windows installation (using the “Express Settings”)

  • When asked to create a user, create a user with the name “temp”

STEP 3: Base Image Customizations

Install VMware Tools (default installation) and reboot VM

  • Note: If you intend to use a vShield Endpoint based solution to protect your Virtual Machines from viruses makes sure to also install the “NSX Network Introspection Driver” (previously called the “vShield Endpoint Thin Agent driver” or “Guest Introspection Driver”) which is not installed by default during a typical VMware Tools installation process. (Custom Install – Add VMCI driver\NSX Network Introspection Driver)

Reboot the desktop

Logon to the desktop using the “temp” user

Enable the local Administrator account

  • Right Click on the Start button – Computer Management – Local Users and Groups – Users
  • Check properties of the Administrator account
  • Uncheck “Disable account”
  • Check “Password never expires”
  • Click OK
  • Set a password

Logoff the desktop

Logon to the desktop using the local administrator account

Change Computer Name

  • Right Click on the Start button – Control Panel – System and Security – System
  • Click on “Change Settings” in the section “Computer name, domain and workgroup settings”
  • Click on “Change” next to “To rename this computer or change …”
  • Type the computername (depending on naming convention standards (Note: use a name of less then 15 characters))
  • Click OK
  • Reboot the desktop

Logon to the desktop using the local administrator account

Delete “temp” user profile

  • Right Click on the Start button – Control Panel – System and Security – System – Advanced System Settings – Advanced
  • Click the “Settings” button under the User Profile section
  • Highlight the “temp” account and click Delete

Delete “temp” user

  • Right Click on the Start button – Computer Management – Local Users and Groups – Users
  • Right Click “temp” user and choose Delete

Add/Remove he following features (if they are enabled) from the OS (unless you really need them) and reboot VM:

  • Right Click on the Start button – Control Panel – Programs – Programs and Features – Turn Windows Features on or off
  • Unselect the following default installed features:
    • Print and Document Services – Internet Printing Client
    • Print and Document Services – Windows Fax and Scan
  • Select the following features that are not installed by default
    • .NET Framework 3.5
    • Telnet Client

Reboot the desktop

Logon to the desktop using the local administrator account

Cleanup manager:

  • Open a command prompt
  • Run c:\windows\system32\cleanmgr /sageset:1
  • check all the boxes of items you want to delete
  • Click “OK”

Copy file vdi_cleanup.bat to c:\windows\system32

Run Windows update, install all the latest patches and service packs and reboot VM

  • Click on the Start button – Settings – Update & Security – Check for Updates
  • Install the necessary Windows updates
  • Reboot VM
  • Note: Repeat this process until all Windows updates have been installed)

As described in the VMware Horizon 7.2 documentation some additional hot fixed need to be applied (only required for Windows 7)

VMware OS Optimization tool:

Shutdown the desktop

Disconnect the installation media in the VM properties in the VMware vSphere (web) Client (set to “Client Device”)

Power on the desktop

Logon to the desktop using the local administrator account

Pre-compile .NET framework assemblies

  • Open an elevated Windows command prompt.
  • Navigate to the C:\Windows\Microsoft.NET\Framework\v4.0.30319 directory.
  • Type ngen.exe update /force
  • Type ngen.exe executequeueditems

Set Power Options to high

  • Right Click on the Start button – Control Panel – Hardware and Sound – Power Options
  • Click “Show Additional Power Plans”
  • Choose “High Performance”
  • Click “Create a Power Plan”
  • Choose “High Performance”
  • Plan name: type “VDI”
  • Click Next
  • Turn off the display: Select “Never”
  • Put the computer to sleep: Select “Never”
  • Click “Create”

Enable VerboseStatus

  • Open a command prompt
  • REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v verbosestatus /t REG_DWORD /d 1 /f

Disable some Active Setup components of Windows

  • As per VMware KB 2100337 logon time will be a lot faster when disabling all the Active Setup components of Windows.
  • Delete stubpath under
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}”
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}”
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}”
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}”
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}”
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}”
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}”
    • “HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}”

Configure paging file size

    • Right Click on the Start button – Control Panel – System and Security – System – Advanced System Settings – Advanced
    • Click the “Settings” button in the “Performance” section
    • Select “Advanced” tab
    • Click the “Change” button under the “Virtual Memory” section
    • De-select “Automatically manage paging file size for all drives”
    • Select “Custom Size”
    • Initial size (MB): 3072 (equals the amount of memory of the VM)
  • Maximum Size (MB): 3072 (equals the amount of memory of the VM)
  • Click “Set”
  • Click “OK”
  • Reboot VM

STEP 4: Install Horizon View Agent

Logon to the desktop using the local administrator account

Install the VMware Horizon View Agent

    • Note: Make sure that the version of the VMware Horizon View Agent you are using is compatible with the View Connection server version you will be using. Version 7.01 was used in this article.
    • Network Protocol Communication: IPv4
    • Features to be installed (depending on the environment. The displayed options also depend on the Agent version):
    • Core: Yes
    • USB redirection: Yes
    • Real-Time Audio-Video: Yes
    • VMware Horizon View Composer Agent:
      • “Yes” if View Composer will be used
      • “No” if Instant Clone technology will be used
    • VMware Horizon Instant Clone Agent:
      • “No” if View Composer will be used
      • “Yes” If  Instant Clone technology will be used
    • Client Drive Redirection: Yes
    • Virtual Printing: Yes
    • vRealize Operations Desktop Agent:
      • “Yes” if vRops for Horizon will be used
      • “No” if vRops for Horizon will not be used
    • VMware Horizon View Persona Management:
      • “Yes” if Horizon View Persona Management will be used
      • “No” if another persona management solution will be used (e.g. UEM)
    • Scanner Redirection: No
    • Smartcard Redirection: No
    • Serial Port Redirection: No
    • VMware Audio: Yes
    • Flash Redirection: Yes
    • Note: An explanation of all these above features for Horizon View 7.2.x can be found here
    • Remote Desktop Protocol Configuration
  • Select “Enable the Remote Dekstop capability on this computer”

Reboot VM

Optional : Join the VM to your Active Directory Domain

Optional: Add an Active Directory group containing the users/groups which will be allowed to open Remote Desktop connections to the VM (= all users/groups which will be allowed to connect to a VMware View Desktop)

  • Note: This can also be done (and is preferred to be done) via an Active Directory Group Policy: Restricted Groups GPO – Remote Desktop Users

Reboot VM

STEP 5: Installation of some standard applications (OPTIONAL STEP)

Install the latest version of Adobe Flash Player:

Install the latest version of Adobe Reader

  • Browse to http://get.adobe.com/reader with Internet Explorer
  • Do not select the option to install “McAfee Security Scan Plus”, “Google Toolbar”, …
  • Manually check for and install updates
  • Enable the “Adobe PDF LInk Helper” add-on
  • Delete shortcut which was added to the desktop
  • REG ADD “HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown” /v bUpdater /t REG_DWORD /d 0 /f
  • REG ADD “HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown” /v Mode /t REG_DWORD /d 0 /f
  • sc stop AdobeARMservice
  • sc config AdobeARMservice start= disabled
  • Adobe Reader test: https://courses.worldcampus.psu.edu/public/diagnostics/Acrobat.html

Install the latest version of Adobe Shockwave player

Install the latest version of Java (install both 32 and 64 bit on a Win7 64-bit OS)

Install Microsoft Silverlight

Reboot VM

Shutdown VM

STEP 6: Clean up

Open an elevated Windows command prompt

Run vdi_cleanup.bat

Take a Snapshot of your golden image

18 Comments

  1. Pingback: VMware User Environment Manager 9.2 – Installing and Configuring – ITuDA

  2. Howdy, please correct the following

    Enable VerboseStatus
    Open a command prompt
    REG ADD HKLM\Software\\Microsoft\Windows\CurrentVersion\Policies\System /v verbosestatus /t REG_DWORD /d 1 /f

    You have TWO “\\” in between Software and Microsoft. Had to increase the screen size because of bad vision. Copy and Paste in RDP session throws errors. Might help others.

  3. I am building out Windows 10 1703 golden image for my Floating linked clone pool. Just wondering how is everyone handing profile issue. I have been on this for past two weeks and not getting anywhere. Hope someone can point me in right direction. When I import my answer file into Vcenter and use that during my pool creation view starts to create the pool and the clones but getting stuck on customization for long time and will come back with error customization timed out. If I use syspre file from Vcenter and go through that process it will create my floating linked clones and without any issues but my profile is not the same and all the changes I had made on the golden image are not flowing through properly. Any help would be greatly appreciate it.

  4. Hitesh,

    I recently found myself in the same situation as you, I followed this guide to the letter but could not get any of the systems to complete the customization. We were able to test with Manual Pool and had no problems, but the Linked clones would not work.

    Apparently we had missed an important pre-requisite. A KMS server must be available to complete the activation or you must disable the requirement. MAK keys cannot be used.

    I ran across this article, but thought nothing of it since we did not have the error that was displayed.

    https://virtualhobbit.com/2016/09/20/trialling-windows-10-linked-clones-with-vmware-horizon-view-7/

    But, it reminded me that I was going to have to complete the setup of my KMS server and add the Win10 keys anyway. So I added the keys and activated them for AD activation… Suddenly, my existing broken composer jobs completed… Win10 Linked clones were able to be logged in to and used with no problem…

    Not sure if this is the situation that you have , but I thought it was worth noting the requirement for others that might have this problem.

      1. Just thought I’d come back and say thanks for responding to my question, and confirm that this article is still proving resourceful for some, even now! I have this bookmarked whenever I need to work on W10-Horizon7 images.

  5. Thanks you so much for your write up, it’s really helpful.
    I’ve just got a question. Your write up doesn’t mention going into audit mode and sysprep like a vmware guide does (https://techzone.vmware.com/creating-optimized-windows-image-vmware-horizon-virtual-desktop#1150987). I don’t fully understand the sysprep & generalisation process for VMs. I’ll be creating an instant clone pool to begin with so should i be doing this?
    Thanks again
    Mike

    1. Mike,
      Nice to hear that an article I wrote more then 4 years ago is still valuable.
      The generalization and sysprep steps are not really needed.
      I am using VMware’s quickprep to create instant clone pools and never had a single issue with it.
      Regards,
      Lieven

    2. I’m glad you asked this and I’m happy to see Lieven replied. I was also confused by that article. I had been creating master images for years and never had used that method.

      I also saw people mention in the VMware OS Optimization Tool comments page (https://flings.vmware.com/vmware-os-optimization-tool?src=WWW_HrzOld_Resources_MAndO_OSOptimization#comments) similar sentiments. Some found it created more issues.

      I’ll stick to creating them like I always have – quite similar to this.

  6. Useful article.

    I am trying to use VM customization to join desktop to AD and add to particular OU, but there is no such option, I don’t want to save script on golden image with password for joining domain, other option is to use RSAT (netdom), but with RSAT tool end user can access AD.

    Any idea?

    Thanks
    Raheel

    1. There is no need to join the Golden Imqge to the domain.
      During the pool provisioning the provisioning process (guest customisation) will take care of this. While defining the pool settings you can specify the AD Container where the provisioned VDIs should be added to.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.