The Windows guidance goes back many years: Before you can duplicate or clone a Windows installation (whether physically duplicating the disk drive or using some sort of VM-based snapshot or differencing disk technique), it is absolutely essential that the system be generalized using Sysprep.exe. That’s also called out in KB 314828:
When you deploy a duplicated or imaged Windows installation, it is required that the System Preparation (Sysprep) tool is used before the capture of the image… We do not provide support for computers that are set up by using SID-duplicating tools other than the System Preparation tool.
And in the Windows docs:
You must reseal, or generalize, a Windows image before you capture and deploy the image. For example, when you use the Sysprep tool to generalize an image, Sysprep removes all system-specific information and resets the computer… If you transfer a Windows image to a different computer, you must run the Sysprep command together with the /generalize option, even if the other computer has the same hardware configuration. The Sysprep /generalize command removes unique information from your Windows installation so that you can reuse that image on a different computer.
When you run Sysprep to generalize a computer, every Windows component gets the opportunity to remove things from the system: registry keys, certificates, files, folders, etc. – anything that the component knows will cause issues if that installation were ever cloned. But that doesn’t mean every component actually does that. Case in point: If you take a Windows 10 installation and join it to Azure AD or enroll it in Intune, the OS will receive multiple certificates tied to that specific device; additional enrollment and device ID information will be written to a variety of places in the registry; policy information and settings will be applied as well. And *none of that* will be removed by the sysprep /generalize process.
So what does that mean? Simple:
- Never clone a device that is joined to Azure AD or enrolled into an MDM service such as Intune.
If you don’t follow this advice, all of the devices using that image will look the same. Intune won’t be able to tell them apart when they all provide the same device ID and certificates. And you’ll end up with a mess. Avoid later headaches – don’t try it.
If you are going to create an image, follow a consistent, repeatable process (e.g. using MDT or ConfigMgr OSD), using a VM, running an automated task sequence that can complete the whole process. Do not join it to Azure AD or Active Directory; do not get it into a co-managed state (since that would be enrolled in Intune). Keep it in a workgroup, do your customizations, and run sysprep /generalize at the end of the process.
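As an added example (not code from the original post), here is a pre-capture check that fits at the end of that process: it refuses to continue if the reference VM shows any of the device-specific artifacts described above (Azure AD / AD join state, MDM enrollment keys, device identity certificates) that sysprep /generalize will not remove. Assumptions: run elevated on the reference VM; the dsregcmd /status field names, the HKLM:\SOFTWARE\Microsoft\Enrollments layout, the "MS DM Server" provider ID and the certificate issuer names reflect typical Windows 10 behaviour and should be confirmed in your own environment.

```powershell
# Pre-sysprep preflight: fail if the reference VM carries a device identity.
# Assumption: field names, registry layout and issuer names are the ones
# Windows 10 normally uses for Azure AD join and Intune enrollment.

function Get-DsregValue([string[]]$Lines, [string]$Key) {
    # dsregcmd /status prints "Key : Value" lines; return the value for $Key.
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Key\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Get-MdmEnrollments {
    # Each real enrollment is a GUID subkey carrying a ProviderID
    # (assumption: Intune uses "MS DM Server"); helper subkeys have none.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.ProviderID) {
            [pscustomobject]@{ Id = $_.PSChildName; Provider = $p.ProviderID }
        }
    }
}

function Get-DeviceIdentityCerts {
    # Assumption: Azure AD device cert issuer "MS-Organization-Access",
    # Intune device cert issuer "Microsoft Intune MDM Device CA".
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match 'MS-Organization-Access|Microsoft Intune MDM Device CA' }
}

function Test-SysprepSafe {
    $status   = dsregcmd.exe /status
    $findings = @()
    if ((Get-DsregValue $status 'AzureAdJoined') -eq 'YES') { $findings += 'Device is Azure AD joined' }
    if ((Get-DsregValue $status 'DomainJoined')  -eq 'YES') { $findings += 'Device is domain joined' }
    foreach ($e in Get-MdmEnrollments) { $findings += "MDM enrollment $($e.Id) (provider: $($e.Provider))" }
    foreach ($c in Get-DeviceIdentityCerts) { $findings += "Device identity cert $($c.Thumbprint) issued by $($c.Issuer)" }
    return $findings
}

$findings = @(Test-SysprepSafe)
if ($findings.Count -gt 0) {
    Write-Warning 'Reference image is tied to a device identity; do NOT capture it:'
    $findings | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Host 'No join or enrollment artifacts found; safe to run: sysprep.exe /generalize /oobe /shutdown'
```

Run this as the last task-sequence step before the sysprep step; a non-zero exit stops the capture rather than producing an image that every deployed device will share.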
Or better yet, don’t do imaging at all and use Windows Autopilot…