Troubleshoot Sysprep & Windows Defender ATP

When you attempt to Sysprep an image, Nerdio Manager can return an error that states Error: Wait for temp VM to stop timed out.

The Sysprep logs provide the following:

SYSPRP ActionPlatform::DeleteValue: Error from RegDeleteValueW for value senseGuid under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Advanced Threat Protection; dwRet = 0x5

SYSPRP SysprepSession::ExecuteAction: Failed during deleteValue operation; dwRet = 0x5

SYSPRP SysprepSession::ExecuteInternal: Error in executing action for Windows-SenseClient-Service

This error occurs because Windows Defender for ATP (Microsoft Defender for Endpoint) and its associated policies have been deployed on the source image. You can confirm this by checking the service and the registry key.

Locate a service called Windows Defender Advanced Threat Protection Service.

You can see a registry key under HKLM\Software\Microsoft\Windows Advanced Threat Protection. The senseGuid and senseId values are the ones Sysprep attempts to remove, but the deletion fails (dwRet = 0x5, access denied) because the Defender for ATP client protects its registry keys and services while the device is onboarded.

Resolve the error

“Offboard” the client from Defender for ATP. Offboarding removes the protection from the client's registry keys and services, which allows Sysprep to delete the values.

To resolve the problem:

  1. Contact the person who manages the Defender for ATP Environment and have them navigate to Settings > Endpoints.

  2. Select the Local Script Method and download the script.

  3. Copy the script to your source image.

  4. On your source image, run the Offboarding script.

    After running the Offboarding script, the registry keys can now be removed by the Sysprep process.

  5. Verify that the Windows Defender Advanced Threat Protection Service service is not running and is set to Manual.
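The following pre-Sysprep check is an added example, not part of the Nerdio article. It verifies that steps 4 and 5 took effect by inspecting the service and the senseGuid/senseId values named in the log above; it also reads the OnboardingState status value, which is documented by Microsoft but not mentioned in this article. Run it in an elevated PowerShell session on the source image.

```powershell
# Pre-Sysprep check: confirm the Defender for ATP (Defender for Endpoint) client has
# been offboarded from the source image so Sysprep can delete senseGuid / senseId.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$problems = @()

# 1. Service: after offboarding it should be stopped and set to Manual.
$svc = Get-Service -DisplayName 'Windows Defender Advanced Threat Protection Service' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'Sense service not present: Defender for Endpoint was never installed on this image.'
} else {
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    Write-Host ("Service '{0}': Status={1}, StartMode={2}" -f $svc.Name, $svc.Status, $startMode)
    if ($svc.Status -ne 'Stopped') { $problems += 'Sense service is still running' }
    if ($startMode -ne 'Manual')   { $problems += "Sense service start mode is '$startMode', expected 'Manual'" }
}

# 2. Registry: senseGuid / senseId are the values Sysprep fails to delete (dwRet = 0x5).
if (Test-Path $keyPath) {
    $props = Get-ItemProperty -Path $keyPath
    foreach ($name in 'senseGuid', 'senseId') {
        if ($null -ne $props.$name) { Write-Host "$name is present: $($props.$name)" }
    }
    # OnboardingState under ...\Status is 1 while the device is onboarded
    # (Microsoft-documented value; not taken from this article).
    $status = Get-ItemProperty -Path "$keyPath\Status" -ErrorAction SilentlyContinue
    if ($null -ne $status -and $status.OnboardingState -eq 1) {
        $problems += 'OnboardingState is still 1: the device is still onboarded'
    }
} else {
    Write-Host "Registry key not found: $keyPath"
}

# 3. Summary: non-zero exit code lets an image-build pipeline stop before Sysprep runs.
if ($problems.Count -eq 0) {
    Write-Host 'OK: image appears offboarded; Sysprep should be able to remove the Sense values.'
    exit 0
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Run the Defender for Endpoint offboarding script before running Sysprep.'
    exit 1
}
```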

Tip: It is recommended that you do not install Defender for Endpoint on your source image, but install it on your session hosts after they have been deployed. This can be done via Group Policy, MEM, or other methods. See Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR for details.
