Troubleshoot Sysprep & Windows Defender ATP
When a user attempts to Sysprep an image, Nerdio Manager may return the error: Wait for temp VM to stop timed out.
The Sysprep logs contain the following entries:
SYSPRP ActionPlatform::DeleteValue: Error from RegDeleteValueW for value senseGuid under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Advanced Threat Protection; dwRet = 0x5
SYSPRP SysprepSession::ExecuteAction: Failed during deleteValue operation; dwRet = 0x5
SYSPRP SysprepSession::ExecuteInternal: Error in executing action for Windows-SenseClient-Service
This error occurs because Defender for Endpoint (Windows Defender ATP) and its associated policies have been deployed on the master image. You can confirm this by checking the services and the registry: a service named Windows Defender Advanced Threat Protection Service is present,
and the registry key HKLM\Software\Microsoft\Windows Advanced Threat Protection (the key named in the Sysprep log above) exists. Its senseGuid and senseId values are what Sysprep attempts to remove; the deletion fails with dwRet = 0x5 (access denied) because the onboarded Defender client protects them.
To resolve this problem:
Offboard the client from Defender for ATP. Offboarding removes the protection of the registry keys and services, so Sysprep can delete them.
Ask the person who manages the Defender for ATP environment to navigate to Settings > Endpoints.
Select the Local Script method and download the offboarding script.
Copy the script to your master image.
Run the script on your master image.
After running the Offboarding script, the registry keys can now be removed by the Sysprep process.
Verify that the Windows Defender Advanced Threat Protection Service is not running and that its startup type is set to Manual.
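The following readiness check is an added example (not part of the Nerdio article) that performs the verification above on the master image after the offboarding script has run. It assumes the service short name is Sense and that the Status\OnboardingState value under the same key reads 0 once offboarded; both are assumptions not stated on this page.

```powershell
# Added example: pre-Sysprep readiness check for a master image that had the
# Defender for Endpoint (ATP) sensor onboarded. Run elevated AFTER the
# offboarding script. Assumptions not stated on the page: the service short
# name is 'Sense' and Status\OnboardingState is 0 once offboarded.
function Test-SenseOffboarded {
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
    $issues = @()

    # 1. Service: after offboarding it must be stopped and set to Manual.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output 'Sense service not installed; nothing for Sysprep to clean up.'
    } else {
        if ($svc.Status -ne 'Stopped')   { $issues += "Sense service is $($svc.Status), expected Stopped" }
        if ($svc.StartType -ne 'Manual') { $issues += "Sense StartType is $($svc.StartType), expected Manual" }
    }

    if (Test-Path $key) {
        # 2. Onboarding status flag (assumed: 1 = onboarded, 0 = offboarded).
        $state = (Get-ItemProperty -Path "$key\Status" -ErrorAction SilentlyContinue).OnboardingState
        if ($state -eq 1) { $issues += 'OnboardingState is still 1; the offboarding script has not taken effect' }

        # 3. Values the Windows-SenseClient-Service Sysprep action deletes.
        $present = (Get-Item -Path $key).GetValueNames() | Where-Object { $_ -in @('senseGuid', 'senseId') }
        if ($present) { Write-Output "Values still present (Sysprep will remove them): $($present -join ', ')" }

        # 4. A Deny ACE on the key would reproduce dwRet = 0x5 (ERROR_ACCESS_DENIED).
        $deny = (Get-Acl -Path $key).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
        foreach ($ace in $deny) { $issues += "Deny ACE for $($ace.IdentityReference) on $key" }
    } else {
        Write-Output "Key not found: $key (sensor never onboarded)"
    }

    if ($issues.Count -eq 0) {
        Write-Output 'READY: image can be Sysprepped.'
        return $true
    }
    $issues | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-SenseOffboarded
```

The function returns $true only when no issue was found, so it can be used as a gate in an image-build pipeline before Nerdio Manager starts the Sysprep step.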
Tip: It is recommended that you do not install Defender for Endpoint on your master image, but install it on your session hosts after they have been deployed. This can be done via Group Policy, MEM, or other methods. See this Microsoft article for details.