How to build a Windows 2016 VMware TemplateBase is from Michael White.

Last update: 18-06-2016, added some extra tips + problem with installing Vwmare tools from console.

Things to get ready, before starting vSphere infrastructure environment Windows 2016 ISO up on your virtual infrastructure Windows PID You should have the VMRC ready to use, as it is a much better experience then using the normal remote

console.  A little to read about it here. The VMRC is a most excellent way to do this sort of thing so I recommend you be quite familiar with it if you are not.  It is what I use for all console sessions now.

Process

Virtual Machine and Operating System

Create a new virtual machine.  Use a good name.  For example I use w2k16-TPL  (fifteen character limit here to remember).

I use a 50 GB drive C:, 1 vCPU, and 4 GB of RAM.  Both vCPU and memory can be changed later after you deploy from this template.

You should change your Network type to VMXNET3, and attach the Win2K16 ISO.  See below for an example of what this should look like.

As we create this virtual machine, we need to make some changes before we power it on.  So change to VM Options as seen above in the screenshot.

Note: if you enable UEFI boot, you will be able to use Secure Boot in vSphere 6.5.  Why?  This would protect you from root kits.  If a root kit takes over the VM during boot it will be determined and  boot will not complete.  When I can I will document this better.

We need to Enable the next boot to enter BIOS setup. See below for what this should look like.

Before we power up, I like to use the Tags and Notes to identify this VM.  I find this useful, especially in big environments.

Now we can power up and select the Launch Remote Console option – as seen below. This is the very nice to work in VMRC option.

You should see the BIOS when you get the console open. I am doing this with VMRC.

Now change to Advanced, and than I/O Device Configuration. We want to disable the Serial, Parallel ports, and the Floppy controller.

Now you can hit F10 to Save and Exit and you should boot right to the OS install.  If it doesn’t then when that happens to me it is due to my forgetting to connect the ISO.  You can change to the vSphere Web Client and connect the CD in the VM settings area and by the time you return to the Console it should be installing.  You may have to hit the Send Ctrl+Alt+Delete button to help.

The first place the OS stops and waits for you is seen below.

You can just hit Next to continue.

As we are using the VMRC we can actually use our mouse here. You will need to enter a license.  I have to type it in as I am not able to do copy and paste successfully! I

have been asked why I license my template.  A template gets lots of attention, and they enable fast and tuned provisioning.  I customize a template a lot so it is around for a long time so it needs a license.

The next screen gives you a choice between installing with a Desktop Experience or not.  I suggest that you make an informed decision.  What is this template going to be used for? Unlike in Win2K12 you cannot change your mind later.  As I am going to use this template for things like Veeam, SQL, and other things that I still need the GUI version I am going to do this with the Desktop Experience.

Next to continue. Accept the license and let’s go. In the next screen you will be prompted to select a Type of Installation.

I see as in Win2K12 the wrong choice is see selected here in Win2K16.  Not sure why so make sure to use the Custom choice.

The next screen will ask you about where to install Windows.  We can actually hit Next.

Now we wait, and watch.

It takes a while. We will need to add a password to the administrator account.

Now we are done with the creation of the virtual machine, and install of the OS.  We now need to configure Win2K16.

OS Configuration – VMware Tools

Install the Vmware tools directly from CD-rom as Admin !! BUG ????

I generally want to get VMware Tools installed and working so we can work a little easier (meaning that your mouse works better)!

We need to log in – I am still working in the same VMRC session. Once you are logged in, you will be in the Server Manager.  Change over to the vSphere Web Client and

start the install of VMware Tools.  You will see the option for that on the Summary tab for the VM.  You can also find it when you right+click and select All vCenter Actions, followed by Guest OS and finally selecting Install VMware Tools.  See both of these options below.

Once you select you will see the option below.

I have had some odd experiences installing VMware Tools in the past, but it seems easy enough in Win2K16 so long as you open up the DVD, and Run as Admin on the setup64.

OS Configuration – Tweaks and Tuning

In this phase we tweak the OS and get it ready for a wide range of potential use.  Meaning this is the template that is most general.  It will be used to make other templates that are more specific – such as SQL.  The changes below are the ones I make, and think useful but in this section you make the changes that work best for you and your organization.

We need to log in again so we can start making changes.  Yes, I am still using the VMRC. I like to get the Date / Time right first.  So first do the Time Zone.  Click on the Clock in the taskbar and

select Adjust date / time. When we first started all of this you may have noticed that the time of the VM was way off.  In fact it

was in Zulu or Universal Time because the host time was when the VM started.  But now with the right Timezone it should be the right time.  If not, your ESXi host may have the wrong time.

I also like to have the 24 Hour clock in use so this is when I do that change (Adjust date / time, scroll down to Change date and time formats).  See below what it will look like after the change to 24 hour clock.

We should be back in the Server Manager now.  Use the Local Server setting in the top left corner and you will see something like below.

We will make a number of changes here. Lets start in the top right – we want to work with Manage \ Server Manager Properties.

Literally only one thing to change.  We want to select the check-box for Do not start Server Manager automatically at logon.

Now we want to get fully patched.  Again in the top right, we can see Windows Update.  Configure it as necessary.

Now update until there is no more patches.  Reboot as necessary.  It feels like to me that patching has taken longer then the darn install.  BTW, the way I reboot is to right+click on the bottom left corner where you see the funny Windows icon.  Than use Shut down or sign out and select Restart.  This is a very powerful Right Click!

See all of the choice on this menu?  Very handy. You can also remove the CD now from the VM.  It is done via Edit Settings on the Summary screen in

the vSphere Web Client. Once you restart, and log back in, please start up the Server Manager again.  If necessary it is the first

tile on the desktop. Select Local Server again. You should start with Computer name and change it to match your VM name.  You will be limited to 15

characters and that is a little tight so there may be a change.  Restart later. You can use the Advanced option here on System Properties (found in Server Manager by clicking on

Computer Name) to tweak the Performance in Visual Effects for Adjust for best performance.

Also on the Advanced tab you can change the Startup and Recovery settings so that the Time to display is changed from 30 to 5.  Some people will deselect the option to Automatically restart here but it is something rather to think about.

While in here remove the swap (page) file – we will add it back later (found in Performance Settings / Advanced).

Now tweak the Firewall if necessary. Do you need to change the Remote Management option – I suggest not if you are not sure. You very likely need to change the Remote Desktop option.  To add users (or even better groups) it is a

little hard if you are not in the domain.  If you cannot, during deployment from the template when the server is added to the domain you can manage the users (using for example Restricted Groups).

We will tweak the network now.  We likely do not need QoS Packet Scheduler.  By the way, when you are back in Server Manager if you do not see what you think you should, than use the Refresh button at the top of the screen and it will update things so they look more appropriate. You can click on the IPv4 in Ethernet0.

Windows Update should show that we have done updates. In the Feedback & Diagnostics Settings area you can determine what Diagnostic and usage data you

want to share with MS.  I actually select Full as I know how good for me it is for them to have that info. Often people will change IE Enhanced Security Configuration to off.  I am turning it off for

Administrators. Now we should add features.  Scroll to the bottom of the Server Manager page.

Now you can select Add Roles and Features from under the Tasks menu. Roles is where you would add things like IIS. I like to add Telnet Client as a feature to help with testing.  This is where you might add things

like .NET or IPAM. Now leave Server Manager. Right+Click on the Window icon in the lower left corner and select Control Panel, followed by

Hardware. We want to use High performance in the power plan.  You can also set the Turn off Display here to

never. Now start IE and save the home page as About:blank. We need to make a change at the command line before we restart.  So right + click on the Windows icon

at the lower left and select Command Prompt (Admin). Use the following command at the command line (I have had trouble confirming it is necessary on

Win2K16 but I can say it doesn’t cause an error!).

powercfg -h off

We should disable the index on drive C:.  Use Explorer to explore This PC and right+click on drive C: and select Properties.  You will see at the bottom of the screen the option to disable indexing – you will need to deselect the check-box “Allow files on this drive to have contents ….”. It will take a few minutes to complete this.

Now we should defragment the drive. This option is on the Tools tab.: and select the Optimize option. Yes, it does take a while.

While you are here you should disable the weekly optimize option as it is not necessary. Often people will want to lower or disable the User Account Settings.  You can do that by right+click

on the Windows icon in lower left corner and select Control Panel, followed by System and Security, than select Change User Account Control Settings.  Chose the setting that is best for you.

I go into Settings and search for Turn System icons on or off and turn off the Volume. Now we should restart.

Configuration – Installing softwareWe only install software here that we really need and is useful for most users.  Some of what I install is listed below.  Remember this template is general and will be used to make the SQL template (with the addition of SQL) or any other software.  So software that will be used by most users like – anti – malware, Acrobat Reader, maybe some helpdesk or troubleshooting tools should be installed..

Bginfo – see this for help. Autoruns – a great tool to make sure you know what starts with your server. Process Explorer – a great tool for troubleshooting. 7-Zip – from here and is more flexible than what is built in – for example can extract ISO. Thanks to StuartM I now suggest thinking about installing the Sysmon utility which you can find here. 

You may not want it running all of the time but you might. It is a very powerful tool and can help educate and investigate.

Generally by now I am prompted to activate the Microsoft license.  I do let it activate.  If you don’t you may have some issues with sysprep.  You can see more about this in this article.

Note: For things like BgInfo and Autoruns which have no installer it is more complex.  Use the info in the BgInfo article to help.  Basically you will create a Utilities program group for them and install them manually.  This is an example of software that is harder to install via GPO since they have no MSI. If you know how to create an MSI from scratch that is a handy thing to do for BgInfo and Autoruns.

Note2: For the things that are not programs like Reader or Chrome, but rather things like Bginfo, or Autoruns, they were not seen in the Utilities folder when selected under the Start menu.  It took time, like 20 minutes and two restart before they were seen there.  No idea WTF but at least they are there.  In Win2K12 it was right away. In a VM deployed from this template they were seen right away.

Ready to make it a template?We are ready to make this virtual machine a template now.  If you have connected it to the domain previously, for reasons such as getting the GPO’s to help configure it you should remove it from the network now.

Enable the swap file. o Start Server Manager, select Local Servero Click on Workgroup, than select Advancedo Select Settings in Performance.o Now select Advanced and select Change in the Virtual Memory section.o You can select Automatically manage paging file size for all drives if that works for your

organization.  I should mention that I like to have a separate drive and put the paging file on it – when it makes sense.

If necessary remove this VM from the domain and restart. I always like to check Windows Update before I finish and yes, today I did find a bunch of updates that

I did not find earlier.  So I update and restart as necessary. Disconnect the ISO and reset to Client Device – if not already done. Remove the backup copies of the patches – use this command (at the command prompt (as admin)) –

dism /online /cleanup-image /StartComponentCleanup /ResetBase – note – this may take a few minutes – about 10 for me but that can go up as more patches are applied! It will look something like:

Empty the trash. A new idea is to empty the event logs.  Which is a good idea.  Use PowerShell and this code snippet.

(Get-WinEvent -ListLog *).logname | ForEach-Object {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog(“$psitem”)}

Make sure you are really ready to proceed! We now need to manage the profile

o We first install the Copy Profile tool – called DefProf.o Now create a temporary domain or local admin account, and log on as that user.o We use it to copy my / your profile to the Default Profile – so execute defprof

your_account_name and you are done.o When that is done we remove the tool (in the latest version it seems to do that itself),o Delete the temp account you created – if appropriate.o And shut the VM down.

Once the VM is shut down we are ready to turn it into a template. I generally now do an update in the Notes section to account for what I have done.

Now we use right+click on the VM, select All vCenter Actions and Convert to Template as seen below.

Done.  We now have a Windows 2016 template.

 

Deploy from TemplateI suspect everyone knows how to deploy from this new template? I can confirm that passwords put into the custom specification with the Web Client works fine now at 6.0 U2.  I also suggest using the following commands in the Run Once part of the customization specification.

powercfg -h off bcdedit /timeout 5

I have seen a lot of different things done via Run Once.  Scripts for example that install applications, or do inventory related tasks, so remember that and you can use it as you need.

TestYou should test by deploying from your template.  The things I check first and quick is if the VM is attached to the domain.  The fast way to do this is in the vSphere Web Client.  Look to see if the the VM has a FQDN rather than something else.

Some other things to check include:

Do you see the wallpaper as you think you should?  Meaning BGinfo information should be seen. Do you see the Utilities folder that you created and including the things inside it like BGInfo and

Autoruns? 7Zip, and Chrome usually come through just fine.

Things to think about I believe that if the User Profile Manager tool works for you that it should be purchased. If you are doing a template that has a bunch of drive letters – like a SQL server, you will lose the order

of those drive letters after you deploy.  It can be fixed – problem avoided – if you use the info in this article.  Thanks Michael for this! I don’t see this when there is two drive letters but I understand you will with more then 2 or 3.

Updating your TemplateYou should update your template approximately once every month or so.  This will allow you to catch any outstanding patches for the OS as well as application patches.  Just convert the template to virtual machine, turn it on, patch, than restart it, and convert it to template.  You may consider joining it to your domain to catch new GPO type stuff that may be sticky but remember to remove it from the domain before you turn it back into the template.

LinksNA.