Create a Golden Image of a Session Host

Create a Golden Image to deploy for Session Hosts via the MyCloudIT platform.

Overview

This guide helps you create a golden image and then deploy session hosts from that image. A MyCloudIT golden image is a 'copy' of an AVD or RDS session host. It includes everything on the disk and can include:

  • Windows operating system and patches
  • Installed Software and updates
  • Software settings
  • User settings

This "image" may also be referred to as a golden image, clone image, master image, sysprep image, or base image. The primary advantages of using a golden image are:

  • Reduce errors
  • Reduce management complexities
  • Increase consistency
  • Improved user experience
  • Save on deployment costs
  • Save on technical support costs
  • Assist with down time
  • Reduce backup requirements

Acronyms used in this document:

  • AAD - Azure Active Directory (Microsoft cloud hosted as a service)
  • AD - Active Directory (An instance of a Microsoft Active Directory Domain Services install on a physical server, VM in Azure, etc.)
  • AADC - Azure Active Directory Connect (One of Microsoft's systems you can use for facilitating AD hybrid identity)
  • AADC-CS - Azure Active Directory Connect Cloud Sync (One of Microsoft's systems you can use for facilitating AD hybrid identity)
  • AVD - Azure Virtual Desktop (Microsoft's platform for delivering Windows shared/personal virtual desktops/applications via Azure)
  • RDS - Remote Desktop Services (Microsoft's suite of services for delivering thin clients with a full desktop or 'remote apps' via the Windows server operating system)

Process Overview

Creating a Golden Image is done in 5 primary steps:

  1. Choose a base image.
  2. Clone a session host.
  3. Sysprep the cloned session host.
  4. Create the Golden Image.
  5. Delete the cloned images and resources.

Step 1 - Choose a Base Image

First select the base image to create the golden image. There are two options:

  • Option 1: Clone an existing session host that is already configured the way you want it.
    1. Log on to the session host console as an administrator (see Appendix A).
    2. Create a local user with administrator access (see Appendix B).
    3. If your RDS or AVD deployment uses FSLogix (most AVD deployments do), perform the steps in Appendix F.
    4. Deallocate the session host.
  • Option 2 (Recommended): Deploy a fresh collection/host-pool and configure it from scratch to use it for future image updates.
    1. Log in to the MyCloudIT portal and, if applicable, navigate to the correct customer.
    2. Navigate to Manage > Deployments, then choose your deployment by clicking the blue dot to select it.
    3. After selecting the deployment, in the Collection/Host-Pool section, click on the + Add button.
    4. Follow the wizard to create a fresh new collection/host-pool with one session host.
      • It is recommended to name the collection differently. An example name for the collection/host-pool could be: "GoldenImage-Pool"
      • We suggest setting the session index to something like 901 to make it clear this is the master VM.
    5. Log on to the session host console as an administrator (see Appendix A).
    6. Create a local user with administrator access (see Appendix B).
    7. If your RDS or AVD deployment uses FSLogix (most AVD deployments do), perform the steps in Appendix F.
    8. Customize the session host with Windows updates, software installation, settings, etc. (see Appendix C).
    9. Deallocate the session host.

The advantage of option 2 is that you will not be bringing any existing technical, user or legacy issues from a currently in use session host. The other advantage is that over time, Windows and other software can degrade in performance and starting 'fresh' can resolve this. This session host (if never used by users) can then be used going forward as the base for all image updates.

  • Note: When using option 2, you will need to deploy the golden image to your primary collection / host-pool during downtime to test it. In larger environments, you may deploy it to a test collection / host-pool for testing.

Contact MCIT support for advice for your specific requirements and the options to best suit your business.

Step 2 - Clone a Session Host

  1. Log in to the MyCloudIT portal and, if applicable, navigate to the correct customer.
  2. Navigate to Manage > Deployments, then choose your deployment by clicking the blue dot to select it.
  3. Once the Collections/Host Pool table is populated, click the ellipsis next to your collection/host-pool and click Hosts.
    1. Note: If option 2 in step 1 was chosen, you will select your new collection/host pool (for example: GoldenImage-Pool).
  4. Select the session host you wish to clone (chosen in Step 1) and click on the Clone button.
    1. Warning: Make sure there are no users on your chosen session host as the clone process will shut down the virtual machine.
  5. Follow the steps of the clone wizard. We recommend the following:
    1. Keep the resource group setting as the default suggested (yourRG-Name-clone).
    2. Make sure the target location is the same as the source location.
    3. Keep the VM Name setting as the default suggested (yourSH-Name-clone).
    4. Use the same VM size that will be used for the final production session host. We do not recommend anything less than a D2_v3.
    5. Leave the network settings at their defaults. This is only a temporary network and it will be deleted later.
  6. Once you have started the clone process it will take from 10 to 30 minutes to complete.
    1. Warning: At this point port TCP 3389 will be open to the public for this cloned VM. This is fine for a few hours as the connection requires authentication. If you plan to work on this clone for more than a few hours we recommend updating the network security group rule to allow only your IP address to stop brute force attempts on the clone. 
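
One way to apply the restriction recommended in the warning above, as an added example using the Az PowerShell module (not MyCloudIT's own code). The resource group, NSG name and admin IP are placeholders, and editing the rule object in place is this example's choice.

```powershell
# Added example: limit the clone's public RDP rule to one admin IP.
# Requires the Az.Network module and a signed-in session (Connect-AzAccount).
# All three values are placeholders (assumptions); replace them with your own.
$ResourceGroup = 'yourRG-Name-clone'   # clone resource group (wizard default pattern)
$NsgName       = '<clone-nsg-name>'    # NSG found in the clone resource group
$AdminIp       = '203.0.113.10'        # your public IPv4 (documentation-range sample)

# Returns $true when any NSG port entry ('*', '3389', '3000-4000') covers $Port.
function Test-CoversPort([string[]]$Ranges, [int]$Port) {
    foreach ($r in $Ranges) {
        if ($r -eq '*') { return $true }
        $lo, $hi = $r -split '-', 2
        if (-not $hi) { $hi = $lo }
        if ($Port -ge [int]$lo -and $Port -le [int]$hi) { return $true }
    }
    return $false
}

$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($AdminIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne 'InterNetwork') {
    throw "AdminIp '$AdminIp' is not a valid IPv4 address."
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# Inbound allow rules that reach TCP 3389 from any source.
$openRdp = @($nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.Protocol -in 'Tcp', '*') -and
    (Test-CoversPort $_.DestinationPortRange 3389) -and
    @($_.SourceAddressPrefix | Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' }).Count -gt 0
})

foreach ($rule in $openRdp) {
    # Edit the rule in place so its name, priority and ports stay unchanged.
    $rule.SourceAddressPrefix = [string[]]@("$AdminIp/32")
    Write-Host "Restricting rule '$($rule.Name)' to $AdminIp/32"
}

if ($openRdp.Count -gt 0) {
    $nsg | Set-AzNetworkSecurityGroup | Out-Null   # push the edited rules to Azure
} else {
    Write-Host 'No inbound allow rule exposes TCP 3389 to any source.'
}
```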

Step 3 - Sysprep the Cloned Session Host

The System Preparation tool (sysprep) is a Microsoft tool for generalizing a Windows installation so it can then be used as the base image for multiple computers (in our case session hosts). For general information on sysprep see Microsoft documentation here. 

  1. Log in to the MyCloudIT portal and, if applicable, navigate to the correct customer.
  2. Navigate to Manage > Deployments, then choose your deployment by clicking the blue dot to select it.
  3. Once the Collections/Host Pool table is populated, click the ellipsis next to your collection/host-pool and click View Clones.
    1. Note: If option 2 in step 1 was chosen, you will select your new collection/host pool (for example: GoldenImage-Pool).
    2. Warning: If the new VM does not show up in View Clones, please wait until it does. Do not RDP to the VM until it shows up here, as this could corrupt the VM. If the clone does not show up within 45 minutes, please contact MCIT support and we can check what in your image may have held up the process.
  4. Select your virtual machine.
  5. Connect via RDP to the virtual machine as the local administrator user you created.
    1. If you chose option 1 in step 1, you will now need to customize the session host with Windows updates, software installation, settings, etc. (see Appendix C).
    2. It is recommended to remove various profiles (see Appendix E).
    3. If you use FSLogix for RDS or AVD/WVD, see Appendix F.
  6. You will now have to sysprep the clone:
    1. Open PowerShell as administrator.
    2. Type: hostname
      1. Warning: Confirm the hostname is correct (you should be in the PowerShell window of the clone virtual machine). If not, do not sysprep the machine.
    3. Paste the following command (if this does not work, see Appendix D): C:\Windows\system32\sysprep\sysprep.exe /quiet /generalize /oobe /shutdown
      1. If Sysprep runs but fails, the log can be found at: %WINDIR%\System32\Sysprep\Panther\setupact.log
    4. Wait for the virtual machine state to be "stopped". This can take from 10 to 180 minutes, depending on the complexity and performance of the VM.
  7. Log back into the MyCloudIT portal and, if applicable, navigate to the correct customer.
  8. Navigate to Manage > Deployments, then choose your deployment by clicking the blue dot to select it. Once the Collections/Host Pool table is populated, click the ellipsis next to your collection/host-pool and click View Clones.
    1. Note: If option 2 in step 1 was chosen, you will select your new collection/host pool (for example: GoldenImage-Pool).
  9. Select your virtual machine.
  10. Click the Sysprep link and click on the Confirm button.
  11. Deallocate the clone virtual machine.
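
The hostname check and sysprep command from step 6, wrapped so that sysprep cannot start on the wrong machine; this is an added example, not part of the MyCloudIT procedure. The typed-hostname confirmation and the ", Error" log pattern are assumptions of this example.

```powershell
# Added example: guard rails around the sysprep command from step 6.
# Run in an elevated PowerShell window on the clone.
$expected = (Read-Host 'Type the hostname of the clone you intend to generalize').Trim()
$actual   = [System.Net.Dns]::GetHostName()   # same name the hostname command prints

if ($expected -ne $actual) {   # -ne compares case-insensitively
    throw "This machine is '$actual', not '$expected'. Sysprep was not started."
}

$sysprep = Join-Path $env:WINDIR 'System32\Sysprep\sysprep.exe'
$log     = Join-Path $env:WINDIR 'System32\Sysprep\Panther\setupact.log'

# Remember how long the log already is so only this run's lines are checked.
$before = 0
if (Test-Path $log) { $before = @(Get-Content $log).Count }

# Same switches as the command in step 6.
$proc = Start-Process -FilePath $sysprep -Wait -PassThru `
    -ArgumentList '/quiet', '/generalize', '/oobe', '/shutdown'

# A successful run shuts the VM down. If this session is still alive,
# list the error lines sysprep wrote during this run.
# Assumption: error entries carry the level as ", Error" after the timestamp.
if (Test-Path $log) {
    $lines = @(Get-Content $log)
    if ($lines.Count -lt $before) { $before = 0 }   # log was recreated
    $newErrors = $lines | Select-Object -Skip $before |
        Where-Object { $_ -match ',\s+Error\s' }
    if ($newErrors) {
        Write-Warning "Sysprep exited with code $($proc.ExitCode). Errors in ${log}:"
        $newErrors | Select-Object -Last 20
    }
}
```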

Step 4 - Create the Golden Image

We will now create our final golden image from the cloned / sysprepped machine.

  1. Log back into the MyCloudIT portal and, if applicable, navigate to the correct customer.
  2. Navigate to Manage > Deployments, then choose your deployment by clicking the blue dot to select it.
    1. Note: If option 2 in step 1 was chosen, you will select your new collection/host pool (for example: GoldenImage-Pool).
  3. Once the Collections/Host Pool table is populated, click the ellipsis next to your collection/host-pool and click View Clones.
  4. Select your virtual machine.
  5. Click on the + Create Image button.
  6. Follow the wizard to create a golden image. We recommend the following:
    1. Use an existing resource group: choose your main deployment's resource group.
      1. Warning: Do not put the golden image in the clone resource group as that will be part of the clean-up/delete process.
    2. Give the image a name and version, for example: "Collection1-v010-IMG".
    3. Give some detailed notes of the things you have done to this session host and the original VM you cloned from. Also add if you are using option 1 or 2 in step 1.
  7. Please wait 10 minutes while the image is generated before proceeding to Step 5.
  8. You will find your golden image by navigating to Manage > Images then selecting your image.

Step 5 - Delete the Clone

Once a clone has been sysprepped, it is essentially destroyed, as Azure will not allow you to (easily) turn on that virtual machine again. Since there is no use for it once the golden image has been created, it is recommended to delete the clone and its associated resources.

  1. Log back into the MyCloudIT portal and, if applicable, navigate to the correct customer.
  2. Navigate to Manage > Deployments, then choose your deployment by clicking the blue dot to select it.
    1. Note: If option 2 in step 1 was chosen, you will select your new collection/host pool (for example: GoldenImage-Pool).
  3. Once the Collections/Host Pool table is populated, click the ellipsis next to your collection/host-pool and click View Clones.
  4. Choose your virtual machine clone.
  5. Click on the + Delete Clone button.
  6. In the modal, select 'I Confirm' and click on the Delete button.

Next Steps:

After the golden image has been created, you can create a new session host with the image. In addition, you can manage and update your golden image. Please see the following:

      Appendix

      Appendix A: Log on to the Session Host

      Connect by clicking "Connect" in the Azure portal on the MSDC VM, then remote desktop to the session host by using its name. Example command: "mstsc /admin /v:spark-RDSH-0"

      • The MCIT portal button is in development and will be available soon. When it is, this document will be updated.

      Appendix B: Create a local administrator user

      Create a local administrator user account. This user is local to this Windows machine and is not a Domain / Active Directory account. This can be done in various ways, including in the computer management tool.

      Another way is via PowerShell (run as administrator) with the below three commands:

      • net user localadmin aS3curePwd$$ /add
      • net localgroup administrators localadmin /add
      • WMIC USERACCOUNT WHERE "Name='localadmin'" SET PasswordExpires=FALSE

      Note: Change "aS3curePwd$$" to your own complex password that is not the same as any other password.

      Warning: Do not run the above commands on a domain controller.

      Appendix C: Customize a Session Host

      Once you log into the session host, the common steps administrators perform are:

      • Install all Windows updates
      • Install all user software (examples: Adobe Reader, Microsoft Office). Pro Tip for RDS: You may need to use RDS install mode when installing applications.
      • Configure per machine settings that are not centralized
      • Configure per user settings that are not centralized
      • Tune the OS and software
      • Add RMM / Monitoring tools
      • Install anti-malware / anti-virus
      • Restart the session host multiple times during the above configurations

      Appendix D: Sysprep Alternate Method

      If Sysprep does not work, an alternate method is to open PowerShell as administrator and perform the following:

      1. Type: hostname
      2. Warning: Confirm the hostname is correct (that you are in a PowerShell window of the clone virtual machine). If not, do not sysprep the machine!
      3. Type: c:
      4. Type: cd $Env:windir\System32\Sysprep\
      5. Type: .\sysprep.exe
      6. Select: OOBE (shown in the System Preparation Tool dialog as "Enter System Out-of-Box Experience (OOBE)" under System Cleanup Action)
      7. Select: Generalize
      8. Select: Shutdown
      9. Select: OK
      10. Wait for the virtual machine state to be "stopped". This can take from 10 to 180 minutes, depending on the complexity and performance of the VM.

        Appendix E: Delete profiles on the clone before Sysprep

        We recommend you remove any profiles (except the local administrator profile and the default profile). To achieve this perform the following:

        1. Reboot (restart) the session host clone and log on with your new localadmin user.
        2. Press Win+R on the keyboard or bring up a PowerShell window.
        3. Type the following: SystemPropertiesAdvanced and press enter.
        4. Under "User Profiles" click "Settings".
        5. Select the profile you wish to remove and click "Delete".
        6. Do this for all profiles except localadmin and default profile.

        Appendix F: FSLogix Considerations for Image Creation

        Microsoft FSLogix is a set of solutions that enhance, enable, and simplify non-persistent Windows computing environments. The primary component of FSLogix that MyCloudIT integrates with is the set of features to allow centrally stored roaming AD-User profiles.

        If your RDS or AVD/WVD deployment uses FSLogix, you may need to consider the below options. Note that most MCIT deployed AVD deployments use FSLogix.

        You will want to add the local administrator user you created in Step 1 to the FSLogix exclude group. This is so that when you log on to the clone, FSLogix does not try to load a roaming profile for you, as it will not be able to by design and may fail to log in, log off, or save settings correctly.

        • This can be done in various ways, including in the computer management tool.
        • Another way is via PowerShell (run as administrator) with the following command:
          • net localgroup "FSLogix Profile Exclude List" localadmin /add
        • You do not need to perform the following unless you are having trouble with FSLogix profile not logging on or off the clone correctly or other related issues.
          • In some cases, if you are having issues with golden images, you may need to disable FSLogix profiles on the virtual machine you plan to clone. This can be done in various ways, but one way is via PowerShell (run as administrator) with the following command:
            • Set-ItemProperty -Path "HKLM:\Software\FSLogix\Profiles" -Name "Enabled" -Value 0
          • When you create a new session host from a golden image you will need to re-enable FSLogix Profiles on the Session Hosts:
            • Set-ItemProperty -Path "HKLM:\Software\FSLogix\Profiles" -Name "Enabled" -Value 1
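
The account setup from Appendix B and the exclude-group step from Appendix F, combined into one script that prompts for the password instead of placing it on the command line and stops on a domain controller. This is an added example, not MyCloudIT's own code; it assumes the built-in LocalAccounts cmdlets of Windows PowerShell 5.1, and the account description is a made-up value.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.1 session on the session host.
$UserName = 'localadmin'   # account name used in Appendix B

# Appendix B warning: never do this on a domain controller.
# DomainRole 4 and 5 are backup and primary domain controllers.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw 'This machine is a domain controller. Nothing was changed.' }

if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    # Prompt so the password never appears on a command line or in history.
    $password = Read-Host "Password for $UserName" -AsSecureString
    New-LocalUser -Name $UserName -Password $password -PasswordNeverExpires `
        -Description 'Golden image build account' | Out-Null   # description is hypothetical
}

# Add to each group only if it exists and the user is not already a member.
# The FSLogix group is present only where FSLogix is installed.
foreach ($group in 'Administrators', 'FSLogix Profile Exclude List') {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        Write-Host "Group '$group' not found; skipping."
        continue
    }
    $isMember = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" }
    if (-not $isMember) {
        Add-LocalGroupMember -Group $group -Member $UserName
        Write-Host "Added $UserName to '$group'."
    }
}
```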