Sysprep generalize not clearing logs

Hi everyone, I'm hoping that this wonderful community got some help for me.

I've previously done image deployment with Windows 7 and know how to prepare an image for deployment.

I'm now trying to make an image with Windows 8.1 enterprise.

I'm making an image with with PersistAllDeviceInstalls to keep the hardware configuration.
I use the gui to run sysprep oobe with generalize option checked.

After its completed, I make an image of it and deploy to test laptop 2 with the exact same specs.

After its done, and I boot it up and finish all the preparation (like computer name etc), the system boots up to the desktop.

However, here is where I realized I'm most likely doing something wrong.

The event logs are filled with data from pre-sysprep, Symantec Endpoint Protection logs are still there.

Can someone help me out here? Isn't generalize suppose to remove logs and stuff?

It's been almost 2 years since I touched sysprep and all. Hopefully someone here can shed some light about the issue I'm facing.

All help is sincerely appreciated.

Hi Neevar, welcome to the Eight Forums.

First this warning about Sysprep GUI (from https://technet.microsoft.com/en-us/library/hh825084.aspx):

To generalize your image without an answer file use command:
The closing option (highlighted) can be shutdown, restart or quit.

To generalize your image with an answer file use command:
Change the answer file path and name (highlighted) accordingly

Event logs should be cleared when the /generalize switch is used. This from Microsoft TechNet support article https://technet.microsoft.com/en-us/library/cc721973(v=ws.10).aspx:

Generalize:
Prepares the Windows installation to be imaged. If this option is specified, all unique system information is removed from the Windows installation. The security ID (SID) resets, any system restore points are cleared, and event logs are deleted.

The next time the computer starts, the specialize configuration pass runs. A new security ID (SID) is created, and the clock for Windows activation resets, if the clock has not already been reset three times.

Click to expand...

I do not know why your logs are not cleared. Could you please tell which logs remain?

Kari

Hello Kari,

Thank you for the insightful information.

The logs that are still there are whatever you see in event viewer and the symantec endpoint protection logs.

I'm currently not at home, so I can't attach the screen shots but basically I used the gui method to sysprep.

When I get home, I'm going to try the CLI method and see if it makes a difference.

The generalize option is supposed to remove the logs and all, but I'm not sure why it's not doing that for my image. Can it be anything to do with enterprise image? Group policy perhaps? Any way to check that?

Is there any way I can get the windows 8.1 latest enterprise x64 iso legally?

Did you sysprep from normal Windows desktop mode? Generalizing should be done from Audit Mode.

I do it like this on a reference computer:

• Clean install Windows 8
• When installation finally boots to OOBE and asks to create the initial user ("Sign in to your Micrsoft Account..."), do not enter any username but instead press CTRL + SHIFT + F3 to reboot to Audit Mode
• If no answer file is needed, you can then sysprep as soon as you arrive to Audit Mode desktop

Hi Kari,

I re-did the whole process. Just like how you mentioned in the post above this.
The only thing was I changed the PersistAllDeviceInstalls to 1 (in regedit)

I used the CLI method to run sysprep /generalize /oobe / shutdown

Here are the images after i put it into the second test laptop after a full clone using clonezilla.



as you can see, the event logs pre-sysprep are still there (identified by the computer name column)


Hopefully I'm doing something wrong and it can be solved.

I have moved on, running Windows 10 on my systems now. I need to install Windows 8.1 and test this. Will do it later tonight.

OK, I have tested a few times now and at least for me, generalizing works exactly as it should.

Here two screenshots, in first one I gave first the Time command in Command Prompt to get the time when I start sysprepping:
Half a second short of 20:08 (8:08 PM).

After sysprep has finished and Windows booted to OOBE and further to desktop, I'll check the event logs which clearly show that all logged events prior to generalizing have been removed:The remaining events from "old computer" are those created after the generalizing phase of Sysprep, which is of course totally OK, as it should be. The first logged event is Eventlog meaning that's the event when logs were deleted and new archive started.

I simply can't get it to fail, to get generalizing to leave old events.

In your case check the time stamp of those "old" events; if they are created after you run sysprep, everything is as it should be.

Sorry for the late reply. But seriously, thank you so much Kari for going into the extent of testing it out yourself.
I realized that like what you said, those event logs are entries made DURING sysprep and then later on when in the OOBE.

But no matter how, the scan logs and stuff for the Symantec Endpoint Protection isn't going anywhere

The logs are still there after sysprep and imaging to the next laptop.