Windows 10 Startup Fails After SysPrep

1

I've been battling with this issue for a week now. I'm hoping someone can help. Here is the backstory: Starting with a base Windows 10 image at build 1703, I updated to Windows 10 20H2. Everything went fine. In fact we have updated 200 of these systems the same way and using the same ISO with no issues. The PC is HP EliteDesk 800 G2 SFF

Prior to the 20H2 update, I am able to successfully sysprep and deploy the image without issues. After the 20H2 update, sysprep runs fine and shuts down the system, ready to capture the new image. The problem occurs during the first boot after sysprep. Windows setup stops with the error "Windows setup could not configure Windows to run on this computer's hardware" I have tried all kinds of things based on searching this issue, including:

  • running sysyprep without specifying and answer file, sysprep /generalize /oobe
  • starting sysprep both from audit mode and then not from audit mode
  • checking device manager for any errors before running sysprep
  • updating the storage drivers, chipset drivers, and video drivers
  • removing all user accounts except for the built-in accounts
  • assigning a password to the built-in administrator account
  • enabling (and disabling) the built-in administrator account
  • disabling Windows defender (no other AV is on the system)
  • running system file checker (sfc /scannow) and checkdisk (chkdsk /f)
  • removing the group policy folders from windows/system32
  • probably several other things that I have forgot to mention

Here are is the relevant part of setupact.log:

2021-02-12 07:16:04, Info                  SYSPRP ActionPlatform::LaunchModule: Executing method 'CryptoSysPrep_Specialize' from C:\Windows\system32\capisp.dll
2021-02-12 07:16:04, Info                         capisp.dll::CheckIFCryptoSysPrepSpecialized: returning 0
2021-02-12 07:16:04, Info                  CBS    TI: --- Initializing Trusted Installer ---
2021-02-12 07:16:04, Info                  CBS    TI: Last boot time: 2021-02-12 07:15:45.500
2021-02-12 07:16:04, Info                  CBS    Starting TrustedInstaller initialization.
2021-02-12 07:16:04, Info                  CBS    Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:4
2021-02-12 07:16:04, Info                  CBS    Lock: New lock added: CCbsPublicSessionClassFactory, level: 30, total lock:5
2021-02-12 07:16:04, Info                  CBS    Lock: New lock added: WinlogonNotifyLock, level: 8, total lock:6
2021-02-12 07:16:04, Info                  CBS    Ending TrustedInstaller initialization.
2021-02-12 07:16:04, Info                  CBS    Starting the TrustedInstaller main loop.
2021-02-12 07:16:04, Info                  CBS    Running under Setup's First boot, setting idle time to 30 minutes
2021-02-12 07:16:04, Info                  CBS    TrustedInstaller service starts successfully.
2021-02-12 07:16:04, Info                  CBS    Setup in progress, aborting startup processing checks.
2021-02-12 07:16:04, Info                  CBS    Startup processing thread terminated normally
2021-02-12 07:16:04, Info                  CBS    TI: Startup Processing completes, release startup processing lock.
2021-02-12 07:16:49, Info                         capisp.dll::CryptoSysPrep_Specialize: assigned CAPI machine guid "124eee6a-4493-4872-a69b-378a55ab51d8"
2021-02-12 07:16:49, Info                         capisp.dll::LsaOpenPolicy failed: c0020003
2021-02-12 07:16:49, Info                         capisp.dll::CryptoSysPrep_Specialize: DisableAdministratorIfApplicable failed
2021-02-12 07:16:49, Info                         capisp.dll::CryptoSysPrep_Specialize: returning 65b
2021-02-12 07:16:49, Error                 SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'CryptoSysPrep_Specialize' from C:\Windows\system32\capisp.dll; dwRet = 0x65b
2021-02-12 07:16:49, Error                 SYSPRP SysprepSession::ExecuteAction: Failed during sysprepModule operation; dwRet = 0x65b
2021-02-12 07:16:49, Error                 SYSPRP SysprepSession::ExecuteInternal: Error in executing action for Microsoft-Windows-Cryptography; dwRet = 0x65b
2021-02-12 07:16:49, Error                 SYSPRP SysprepSession::Execute: Error in executing actions from C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml; dwRet = 0x65b
2021-02-12 07:16:49, Info                  SYSPRP SysprepSession::Execute: Sysprep mode was not specified, deleting it from registry
2021-02-12 07:16:49, Error                 SYSPRP RunPlatformActions:Failed while executing Sysprep session actions; dwRet = 0x65b
2021-02-12 07:16:49, Info                  SYSPRP Callback_Specialize: Internal Providers Specialized Failed. System can't proceed to handle Internal Providers
2021-02-12 07:16:49, Info                  SYSPRP Callback_Specialize: Specialize return: [1627]
2021-02-12 07:16:49, Error      [0x0f0435] SYSPRP Callback_Specialize: An error occurred while either deciding if we need to specialize or while specializing; dwRet = 0x65b[gle=0x00000002]
2021-02-12 07:16:49, Info       [0x0640ae] IBSLIB PublishMessage: Publishing message [Windows Setup could not configure Windows to run on this computer's hardware.]

Despite everything I have tried, it stops at the same point every time with the same message and the same logged errors. I did some research on the code c0020003 generated from the LsaOpenPolicy function and it appears to be an HRESULT code that maps to RPC_NT_INVALID_BINDING and the purpose of LsaOpenPolicy is to get a handle on the Windows policy object. Based on that, I'm guessing that for some reason, the LsaOpenPolicy function is not able to get get a handle on the policy object which might explain why the attempt to disable the administrator account on the next line also fails.

I have completely ran out of ideas, so I am hoping someone can provide some other suggestions to try

windows-10
windows-10-v1703
sysprep
windows-10-v20h2
asked on Super User Feb 13, 2021 by jwitt

2 Answers

1

Sysprep or Feature Update Failure

Perform the below steps before and/or after any Windows 10 feature update or sysprep operation. After any feature update install completes, log into the computer, and then restart it one time. Run these steps as a post update cleanup task after a login and restart post feature update completion.

There are also some additional consideration items to perform should none of these steps help resolve the problem.

  1. Log onto the machine as local administrator and confirm the login is successful

  2. Go to Control Panel | System | Advanced system settings | Advanced tab | User Profiles section | Settings

  3. Highlight and delete all Account Unknown accounts and any other accounts one-by-one other than Default Profile and the local administrator account you are signed on as now. enter image description here

  4. Run the below elevated as administrator after you remove all unknown profiles from the system as specified in step #3. Ignore all command errors and just let it complete.

    Get-AppXpackage -AllUsers | Remove-AppxPackage;

Get-AppxPackage | % { 
    Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" 
    };

Get-AppxPackage -AllUsers | % { 
    Add-AppxPackage -Register "$($_.InstallLocation)\appxmanifest.xml" -DisableDevelopmentMode 
    };

  5. Run the below PowerShell elevated and let it finish

    PowerShell Elevated

    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\*' | % {
    New-ItemProperty -Path $_.PSPath -Name StateFlags0001 -Value 2 -PropertyType DWord -Force
};
Start-Process -FilePath CleanMgr.exe -ArgumentList '/sagerun:1'

  6. Run the below DISM.exe processes admin elevated below one by one until they all complete.

    DISM.exe /online /Cleanup-Image /StartComponentCleanup
DISM.exe /online /Cleanup-Image /SPSuperseded
DISM.exe /online /cleanup-image /restorehealth

Additional Considerations

  • Purge HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows keys before running sysprep to blow away any registry set policies which may be set

  • Look over gpedit.msc and look for and set any policies set to Not Configured and reboot and log back on if any were found before you run sysprep

  • Obviously you do not want the machine to be joined to any domain while being sysprep'd so ensure that's not an issue

  • Check for any services.msc services that are set to run as a domain credential and if any are found, set those to disabled, or delete software to remove, or run sc commands to delete those.

    Be sure to reboot after removing or disabling when or if found and confirm they are gone once logged back on, and then run sysprep.

  • As per advice from the Sysprep generalize fails post, look over the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList registry keys and see if the profile for any user account there points to a drive other than C:\Users\<UserAccountName> and fix that and confirm fixed with a reboot, and then run sysprep afterwards. Look at the ProfileImagePath values for each profile GUID from those keys.

answered on Super User Feb 15, 2021 by Pillsbury IT Doughboy • edited Feb 28, 2021 by Pillsbury IT Doughboy
1

@Drink More Pimp Juice IT gave me a lot of good suggestions to try, some of which eventually led me to what worked. Here is what finally worked for me:

After applying the 1703 image, but before any updates were installed:

  1. I removed the appx packages that I knew were causing problems with my previous sysprep attempts.
  • Get-AppPackage Microsoft.Messaging* | Remove-AppxPackage -allUser

  • Get-AppPackage Microsoft.OneConnect* | Remove-AppxPackage -allUser 

  • Get-AppPackage AD2F1837.HPPrinterControl* | Remove-AppxPackage -allUser

  • Get-AppPackage Microsoft.Windows.Cortana* | Remove-AppxPackage -allUser
  1. While still on 1703, I ran sysprep /generalize /oobe (no answer file specified)
  2. Upon the first boot afer sysyprep, I went through the guided process of setting up a new account, lets call it TempAccount1
  3. While logged on as TempAccount1, I installed Win10 version 1903 as an intermediate update. After the update was complete, I logged back in under TempAccount1
  4. I once again removed the 4 appx packages using the same commands as in step 1.
  5. I ran sysyprep /generalize /oobe (again with no answer file specified)
  6. Upon the first boot after sysprep I created another new account, call it TempAccount2
  7. While logged on as TempAccount2, I installed Win 10 version 20H2, allowed it to complete and then logged back on as TempAccount2
  8. I once again removed the 4 appx packages using the same commands as in step 1.
  9. I believe the problem was most likely fixed at this point, but because I was still testing, I ran sysypep again without specifying an answer file, sysprep /generalize /oobe just to see if it was going to work
  10. For the first time, window 10 20H2 fully booted after running sysprep, so I was fairly confident the issue was fixed at this point. I went through the guided process one last time to set up a new account, call it TempAccount3.
  11. I logged on as TempAcount 3 and started audit mode, sysprep /audit
  12. From audit mode, I deleted the three temp accounts I created previously, TempAccount1, TempAccount2, and TempAccount3.
  13. I deleted all the unknown profiles from System>>Advanced System Settings>>Advanced Tab>>User Profiles>>Settings
  14. Once again removed the 4 appx packages outlined in step 1
  15. Ran sysprep /generalize /oobe /unattend:c:\myUnattendFile.xml and success at last!

I can't say for certain that all these steps were necessary, but after 2 weeks of troubleshooting this issues, I'm not inclined to go back and keep troubleshooting to try and narrow it down further.

Hopefully this will help someone else down the road. Many thanks to @Drink More Pimp Juice IT for the numerous suggestions offered, some of which eventually led me to the solution.

answered on Super User Feb 21, 2021 by jwitt

User contributions licensed under CC BY-SA 3.0