This is a template outline I have used several times and am very happy with it. It should work great for you and if not then let me know. I did this with vSphere 6.0 U2a and Windows 2016. I also used the vSphere Web Client as you will see in the screenshots. I will keep this article current by using it as necessary and improving it when I learn something new so keep an eye on it. I have more articles on templates and you can find them all – including this one here.
I would also like to mention that you do not have to do everything I do below. While it works for me and is a good idea for me, it may not be a good idea for you. For example, if you don’t have a server in the DMZ, and all your servers are always on your domain, than maybe much of the manual config I do below is better off done in your GPO.
Things to get ready
You should have the following handy when you start.
- vSphere infrastructure
- Windows 2016 ISO up on your virtual infrastructure – and know where it is!
- Windows PID
- You will need to use a utility to copy the profile that you can find here. This is important as Microsoft has been working since Win2K8 to make it difficult to copy a profile. We do a bunch of customization as a user, and we want to copy it to the the default user so after our template is used to provision as a new VM, new users will get our customization.
- You should have the VMRC ready to use, as it is a much better experience then using the normal remote console. Find the bits here to install on your work machine, and you can read a little about it here. The VMRC is a most excellent way to do this sort of thing so I recommend you be quite familiar with it if you are not. It is what I use for all console sessions now.
Process
BTW, I am putting what I consider is more than I need to in terms of instructions and screenshots. This is to make sure I can help the people that need more help, but yet I am trying to not put too much so I don’t put off those who don’t need more help. You can always skim through if you only need a little help. I do more configuration of the virtual machine below then I need to. Some of my config can be done by GPO. However, I like to be careful, and I think a little extra work on the VM before it becomes a template is good. After all, it may not be used on the domain after all.
Virtual Machine and Operating System
- Create a new virtual machine. Use a good name. For example I use w2k16-TPL (fifteen character limit here to remember).
- I use a 50 GB drive C:, 1 vCPU, and 4 GB of RAM. Both vCPU and memory can be changed later after you deploy from this template.
- You should change your Network type to VMXNET3, and attach the Win2K16 ISO. See below for an example of what this should look like.
- As we create this virtual machine, we need to make some changes before we power it on. So change to VM Options as seen above in the screenshot.
- Note: if you enable UEFI boot, you will be able to use Secure Boot in vSphere 6.5. Why? This would protect you from root kits. If a root kit takes over the VM during boot it will be determined and boot will not complete. When I can I will document this better.
- We need to Enable the next boot to enter BIOS setup. See below for what this should look like.
- Before we power up, I like to use the Tags and Notes to identify this VM. I find this useful, especially in big environments.
- Now we can power up and select the Launch Remote Console option – as seen below. This is the very nice to work in VMRC option.
- You should see the BIOS when you get the console open. I am doing this with VMRC on a Mac, so it looks a tiny bit different then if you do it on Windows.
- Now change to Advanced, and than I/O Device Configuration.
- We want to disable the Serial, Parallel ports, and the Floppy controller.
- Now you can hit F10 to Save and Exit and you should boot right to the OS install. If it doesn’t then when that happens to me it is due to my forgetting to connect the ISO. You can change to the vSphere Web Client and connect the CD in the VM settings area and by the time you return to the Console it should be installing. You may have to hit the Send Ctrl+Alt+Delete button to help.
- The first place the OS stops and waits for you is seen below.
- You can just hit Next to continue.
- As we are using the VMRC we can actually use our mouse here.
- You will need to enter a license. I have to type it in as I am not able to do copy and paste successfully! I have been asked why I license my template. A template gets lots of attention, and they enable fast and tuned provisioning. I customize a template a lot so it is around for a long time so it needs a license.
- The next screen gives you a choice between installing with a Desktop Experience or not. I suggest that you make an informed decision. What is this template going to be used for? Unlike in Win2K12 you cannot change your mind later. As I am going to use this template for things like Veeam, SQL, and other things that I still need the GUI version I am going to do this with the Desktop Experience.
- Next to continue.
- Accept the license and let’s go.
- In the next screen you will be prompted to select a Type of Installation.
- I see as in Win2K12 the wrong choice is see selected here in Win2K16. Not sure why so make sure to use the Custom choice.
- The next screen will ask you about where to install Windows. We can actually hit Next.
- Now we wait, and watch.
- It takes a while.
- We will need to add a password to the administrator account.
Now we are done with the creation of the virtual machine, and install of the OS. We now need to configure Win2K16.
OS Configuration – VMware Tools
I generally want to get VMware Tools installed and working so we can work a little easier (meaning that your mouse works better)!
- We need to log in – I am still working in the same VMRC session.
- Once you are logged in, you will be in the Server Manager. Change over to the vSphere Web Client and start the install of VMware Tools. You will see the option for that on the Summary tab for the VM. You can also find it when you right+click and select All vCenter Actions, followed by Guest OS and finally selecting Install VMware Tools. See both of these options below.
- Once you select you will see the option below.
- I have had some odd experiences installing VMware Tools in the past, but it seems easy enough in Win2K16 so long as you open up the DVD, and Run as Admin on the setup64. I wrote up this issue in this article.
- Normal install now, and you can Restart when prompted.
OS Configuration – Tweaks and Tuning
In this phase we tweak the OS and get it ready for a wide range of potential use. Meaning this is the template that is most general. It will be used to make other templates that are more specific – such as SQL. The changes below are the ones I make, and think useful but in this section you make the changes that work best for you and your organization.
- We need to log in again so we can start making changes. Yes, I am still using the VMRC.
- I like to get the Date / Time right first. So first do the Time Zone. Click on the Clock in the taskbar and select Adjust date / time.
- When we first started all of this you may have noticed that the time of the VM was way off. In fact it was in Zulu or Universal Time because the host time was when the VM started. But now with the right Timezone it should be the right time. If not, your ESXi host may have the wrong time.
- I also like to have the 24 Hour clock in use so this is when I do that change (Adjust date / time, scroll down to Change date and time formats). See below what it will look like after the change to 24 hour clock.
- We should be back in the Server Manager now. Use the Local Server setting in the top left corner and you will see something like below.
- We will make a number of changes here.
- Lets start in the top right – we want to work with Manage \ Server Manager Properties.
- Literally only one thing to change. We want to select the check-box for Do not start Server Manager automatically at logon.
- Now we want to get fully patched. Again in the top right, we can see Windows Update. Configure it as necessary.
- Now update until there is no more patches. Reboot as necessary. It feels like to me that patching has taken longer then the darn install. BTW, the way I reboot is to right+click on the bottom left corner where you see the funny Windows icon. Than use Shut down or sign out and select Restart. This is a very powerful Right Click!
- See all of the choice on this menu? Very handy.
- You can also remove the CD now from the VM. It is done via Edit Settings on the Summary screen in the vSphere Web Client.
- Once you restart, and log back in, please start up the Server Manager again. If necessary it is the first tile on the desktop.
- Select Local Server again.
- You should start with Computer name and change it to match your VM name. You will be limited to 15 characters and that is a little tight so there may be a change. Restart later.
- You can use the Advanced option here on System Properties (found in Server Manager by clicking on Computer Name) to tweak the Performance in Visual Effects for Adjust for best performance.
- Also on the Advanced tab you can change the Startup and Recovery settings so that the Time to display is changed from 30 to 5. Some people will deselect the option to Automatically restart here but it is something rather to think about.
- While in here remove the swap (page) file – we will add it back later (found in Performance Settings / Advanced).
- Now tweak the Firewall if necessary.
- Do you need to change the Remote Management option – I suggest not if you are not sure.
- You very likely need to change the Remote Desktop option. To add users (or even better groups) it is a little hard if you are not in the domain. If you cannot, during deployment from the template when the server is added to the domain you can manage the users (using for example Restricted Groups).
- We will tweak the network now. We likely do not need QoS Packet Scheduler. By the way, when you are back in Server Manager if you do not see what you think you should, than use the Refresh button at the top of the screen and it will update things so they look more appropriate. You can click on the IPv4 in Ethernet0.
- Windows Update should show that we have done updates.
- In the Feedback & Diagnostics Settings area you can determine what Diagnostic and usage data you want to share with MS. I actually select Full as I know how good for me it is for them to have that info.
- Often people will change IE Enhanced Security Configuration to off. I am turning it off for Administrators.
- Now we should add features. Scroll to the bottom of the Server Manager page.
- Now you can select Add Roles and Features from under the Tasks menu.
- Roles is where you would add things like IIS.
- I like to add Telnet Client as a feature to help with testing. This is where you might add things like .NET or IPAM.
- Now leave Server Manager.
- Right+Click on the Window icon in the lower left corner and select Control Panel, followed by Hardware.
- We want to use High performance in the power plan. You can also set the Turn off Display here to never.
- Now start IE and save the home page as About:blank.
- We need to make a change at the command line before we restart. So right + click on the Windows icon at the lower left and select Command Prompt (Admin).
- Use the following command at the command line (I have had trouble confirming it is necessary on Win2K16 but I can say it doesn’t cause an error!).
powercfg -h off
- We should disable the index on drive C:. Use Explorer to explore This PC and right+click on drive C: and select Properties. You will see at the bottom of the screen the option to disable indexing – you will need to deselect the check-box “Allow files on this drive to have contents ….”. It will take a few minutes to complete this.
- Now we should defragment the drive. This option is on the Tools tab.: and select the Optimize option. Yes, it does take a while.
- While you are here you should disable the weekly optimize option as it is not necessary.
- Often people will want to lower or disable the User Account Settings. You can do that by right+click on the Windows icon in lower left corner and select Control Panel, followed by System and Security, than select Change User Account Control Settings. Chose the setting that is best for you.
- I go into Settings and search for Turn System icons on or off and turn off the Volume.
- Now we should restart.
Configuration – Installing software
We only install software here that we really need and is useful for most users. Some of what I install is listed below. Remember this template is general and will be used to make the SQL template (with the addition of SQL) or any other software. So software that will be used by most users like – anti – malware, Acrobat Reader, maybe some helpdesk or troubleshooting tools should be installed..
- Bginfo – see this for help.
- Acrobat Reader – make sure to open it to accept the EULA and update if necessary.
- Google Chrome
- Autoruns – a great tool to make sure you know what starts with your server.
- Process Explorer – a great tool for troubleshooting.
- 7-Zip – from here and is more flexible than what is built in – for example can extract ISO.
- Thanks to StuartM I now suggest thinking about installing the Sysmon utility which you can find here. You may not want it running all of the time but you might. It is a very powerful tool and can help educate and investigate.
- Generally by now I am prompted to activate the Microsoft license. I do let it activate. If you don’t you may have some issues with sysprep. You can see more about this in this article.
Note: For things like Chrome and Acrobat they will install fine since they have installers and they can be found on the Desktop as you might expect. For things like BgInfo and Autoruns which have no installer it is more complex. Use the info in the BgInfo article to help. Basically you will create a Utilities program group for them and install them manually. This is an example of software that is harder to install via GPO since they have no MSI. If you know how to create an MSI from scratch that is a handy thing to do for BgInfo and Autoruns.
Note2: For the things that are not programs like Reader or Chrome, but rather things like Bginfo, or Autoruns, they were not seen in the Utilities folder when selected under the Start menu. It took time, like 20 minutes and two restarts before they were seen there. No idea WTF but at least they are there. In Win2K12 it was right away. In a VM deployed from this template they were seen right away.
Ready to make it a template?
We are ready to make this virtual machine a template now. If you have connected it to the domain previously, for reasons such as getting the GPO’s to help configure it you should remove it from the network now.
- Enable the swap file.
- Start Server Manager, select Local Server
- Click on Workgroup, than select Advanced
- Select Settings in Performance.
- Now select Advanced and select Change in the Virtual Memory section.
- You can select Automatically manage paging file size for all drives if that works for your organization. I should mention that I like to have a separate drive and put the paging file on it – when it makes sense.
- If necessary remove this VM from the domain and restart.
- I always like to check Windows Update before I finish and yes, today I did find a bunch of updates that I did not find earlier. So I update and restart as necessary.
- Disconnect the ISO and reset to Client Device – if not already done.
- Update: this has caused issues from one of my readers. It depends on what patches are installed. The issue is serious enough to not do this.
Remove the backup copies of the patches – use this command (at the command prompt (as admin)) – dism /online /cleanup-image /StartComponentCleanup /ResetBase – note – this may take a few minutes – about 10 for me but that can go up as more patches are applied! It will look something like:
- Empty the trash.
- A new idea is to empty the event logs. Which is a good idea. Use PowerShell and the following snippet.
Clear-EventLog -LogName (GEt-EventLog -List).log
- Make sure you are really ready to proceed!
- We now need to manage the profile
- We first install the Copy Profile tool – called DefProf.
- Now create a temporary domain or local admin account, and log on as that user.
- We use it to copy your profile to the Default Profile – so execute defprof your_account_name and you are done. This is done so new users will get the configuration you have done as yourself.
- When that is done we remove the tool (in the latest version it seems to do that itself),
- Delete the temp account you created – if appropriate.
- And shut the VM down.
- Once the VM is shut down we are ready to turn it into a template.
- I generally now do an update in the Notes section to account for what I have done.
- Now we use right+click on the VM, select All vCenter Actions and Convert to Template as seen below.
- Done. We now have a Windows 2016 template.
Deploy from Template
I suspect everyone knows how to deploy from this new template? I can confirm that passwords put into the custom specification with the Web Client works fine now at 6.0 U2. I also suggest using the following commands in the Run Once part of the customization specification.
- powercfg -h off
- bcdedit /timeout 5
I have seen a lot of different things done via Run Once. Scripts for example that install applications, or do inventory related tasks, so remember that and you can use it as you need.
I have had questions of the Windows SID and how we are not using sysprep so how is it managed? In the last step of the Customization Specification you have an option to change the SID. This is a legit option that works good. See the screen below:
As you can see this is the default option. If you do not use a customization specification as part of your template deployment you will not get a new SID but that is the least of your issues. You must use a custom spec when you deploy from template.
Here is an article that will step you through the creation and use of a custom spec.
Test
You should test by deploying from your template. The things I check first and quick is if the VM is attached to the domain. The fast way to do this is in the vSphere Web Client. Look to see if the the VM has a FQDN rather than something else.
Some other things to check include:
- Do you see the wallpaper as you think you should? Meaning BGinfo information should be seen.
- Do you see the Utilities folder that you created and including the things inside it like BGInfo and Autoruns?
- 7Zip, and Chrome usually come through just fine.
Things to think about
- I believe that if the User Profile Manager tool works for you that it should be purchased.
- If you are doing a template that has a bunch of drive letters – like a SQL server, you will lose the order of those drive letters after you deploy. It can be fixed – problem avoided – if you use the info in this article. Thanks Michael for this! I don’t see this when there is two drive letters but I understand you will with more then 2 or 3.
Updating your Template
You should update your template approximately once every month or so. This will allow you to catch any outstanding patches for the OS as well as application patches. Just convert the template to virtual machine, turn it on, patch, than restart it, and convert it to template. You may consider joining it to your domain to catch new GPO type stuff that may be sticky but remember to remove it from the domain before you turn it back into the template.
Links
I found useful information in a variety of places. In particular at the links below.
- My own Win2K12 template for VMware article
- CloudPhysics tells you when you last updated your template – here
- Not able to deploy from my win7 template – here
- My own Linux template for VMware article
- Turns out that SIDs are not the issue we all think they are – here, but we still need to get a new SID for other reasons, like for example WSUS.
History
I plan on keeping this page updated with what I am using and what works well! I will use this section to update you with what I updated when I do updates.
- 5/12/19 – found some PowerShell that actually works to clear event logs. So added it in here. For DTC servers, and sometimes SQL servers you need to do this – article.
- 3/26/18 – Updated the template – running under vSphere 6.5 Update 1g with no issues. Added another code snippet that clears some logs. Frustrating, even asked around for help but no luck with a magic script to clear all the logs.
- 3/11/18 – added the link to the custom spec article.
- 3/3/18 – Thanks to a reader letting me know, and doing some excellent testing the command above to remove the backup copies of the patches is not struck out and recommended you do not do it. It is not an issue that hits everyone, but it is not good so we are playing it safe.
- 2/8/18 – added a little more info on SID above, and another screenshot. I think that people miss the custom spec option so I added a few words around that – do use a custom spec.
- 3/8/17 – two people – one a co-worker – has said if they use my template articles that all the VMs deployed from them will have the same SID. That has not been true for so many years I was shocked, but since two people have said that I need to do something. Here below is a screenshot in the custom spec that reassures those people – I hope.
- 3/2/17 – added the code snippet to clear event logs.
- 12/12/16 – added the comment about using UEFI boot.
As always, comments welcome and in fact appreciated! Also, if you have suggestions on how to make this better please let me know.
Michael
=== END ===