In this video, I’ll show you how to properly create a Windows 11 gold image, for use with Omnissa Horizon VDI (both persistent VM template full-clones, and non-persistent Instant Clones).
We’ll be using the manual process to create the VDI Golden Image.
In this video, I’ll show you how to:
- Use Windows ADK and WinPE add-on to create a WinPE ISO to pre-boot the Windows 11 Installer
- Use the WinPE ISO to pre-boot and install Windows 11, without a vTPM
- Prepare the Windows 11 image for deployment
- Install Omnissa Horizon agent
- Install Microsoft 365 using the ODT (Office Deployment Toolkit)
- Use the Omnissa Operating System Optimization Tool (OSOT)
- Optimize the image using OSOT
- Generalize the image using OSOT
- Finalize the image using OSOT
Note on VDI (Virtual Desktop Infrastructure), TPM and vTPM devices
When deploying Windows 11 in VDI environments there are special considerations due to Windows 11 TPM requirements. Windows 11 Golden images should not have a vTPM, nor should they ever have a vTPM attached and then removed. Attaching and removing a vTPM or TPM from Windows 11 is considered data loss, and can cause issues with the image.
If you are deploying persistent full-clones, after the cloning process you can add a vTPM to the persistent VM.
If you are deploying non-persistent Instant Clones, the desktop pool in Horizon should be configured to add a vTPM to Instant Clones on provisioning.
References
A big thank you goes out to Graeme Gordon and Hilko Lantinga for their documentation and techzone articles providing this information for Partners, Customers, and Community!
Referenced Links and Documents:
- Broadcom: Deploy Windows 11 in virtual machine using bootable Windows PE (WinPE) Image
- Omnissa: Manually creating optimized Windows images for Horizon VMs
- Omnissa: Windows OS Optimization Tool for Omnissa Horizon User Guide
- Stephen Wagner: Create and Deploy Virtual Machines with vTPM and NKP on VMware vSphere
Fantastic guide to help many customers. I love the video guide.
Thanks Calvin! Appreciate the comment! 🙂
Absolutely brilliant. Thank you for this.
Hi, wondering why you have to deploy as OVF? Can’t you just take a snapshot of that VM and use that? Maybe I missed something in the video about it…
thanks!
It’s an important step that is required to reclaim the space released by “sdelete”.
This is one of the best how to videos I have ever watched. I have not had much luck over the years finding good clear instructions on vmware products and this was truly a godsend.
Good evening. I wanted to understand if I can, after having created the gold image without TPM, decide never to put the TPM, as well as leave the old-fashioned BIOS. A thousand thanks
Hi Mauro,
Your instant clones should have a vTPM which gets added by Horizon during provisioning. This is best practice and to remain in a supported state.
As for your question about the old fashioned BIOS, I’d recommend following the best practices and what’s supported for production environments.
Cheers,
Stephen
For persistent VDI, what's the process to add the vTPM? Do you add it using the pool setting, or once the VDI has been provisioned, shut down and add a vTPM?
Thank you. I agree about the BIOS for UEFI. This doesn’t cause me any problems, all things considered. vTPM and VM encryption, a little, yes (performance with not exactly new hw). So I ask again for your suggestion and clarification: when you talk about staying in the supported situation, do you mean for whom? Microsoft or Omnissa? If I don’t have applications on my VDIs that use TPM, can’t I avoid adding them to my instant clones? If above you mean supported situation for Microsoft, do you mean that if I don’t put the vTPM, the monthly patches or new release in the future won’t be installed? (In any case I would have this need at most on the master, which ironically should not have it as a device.) I wanted to feel at ease in not having it (on instant clone) in case I had a performance problem. For the complete clone I could have it I have much less. Sorry for my doubts, but I can only deal with expert figures like yours. Thank you
When adding the vTPM, this does not encrypt the VM. On a standard and best practice deployment when using the vTPM, only the VM configuration file gets encrypted. This does not enable any other encryption unless you have enabled it yourself or used a 3rd party tool that may modify the configuration of the VM or hypervisor.
When I talk about supported confirmations, I’m referring to both Omnissa, Microsoft, and every other vendor or solution that may be integrated into the stack. It’s important to follow best practices and any integration guides that the vendors may have.
In response to your question on updates, the gold image should not have a TPM, so I wouldn’t recommend adding it as it causes issues for a large number of organizations that do this without understanding the consequences.
Having a vTPM on your instant clones should not cause any performance problems.
Cheers
Stephen
I haven’t checked on newer versions of Horizon to see if they support persistent desktop pools auto assignment of vTPM, but traditionally I usually clone, configure, provision, and then add the vTPM at a later time.
I noticed that if the VM is cloned and a vTPM immediately attached before first boot, it can cause sysprep to fail when VM customization is running.
Hope this helps.
Cheers
Stephen
Thanks a lot
Good morning. I checked this morning on Omnissa Horizon 2412: the automated full clone pool has the checkbox in the provisioning settings to add vTPM after cloning, just like the instant clone pool. I just need to test it. That should be fine.
When rebooting after the Generalize step, I get a pop up that says “Windows could not finish configuring the system. To attempt to resume configuration, restart the computer.”
I researched and saw some advice to enter cmd and use ‘cd oobe’ > msoobe to bully my way past it, but then I end up with an endlessly spinning ‘Just a moment’ screen.
Any ideas?
Hi Mike, if you review the sysprep logs you most likely have APPX packages that require cleanup to allow sysprep.
Once those are dealt with you should be good to go
sysprep completes successfully based on the logs, then fails afterwards when calling C:\Windows\System32\waasmedicsvc.dll
“GeneralizeForImaging for WaaSMedic failed to create WaaSRemdiationAgent. hr = 0x80070422[gle=0x00000057]”
Hi Mike,
I’m not sure why that would be happening. I’ve never seen that before. Have you made any modifications to the Windows system?
I think it is because it has been worked on piecemeal over weeks. The logs show multiple aborted sysprep runs for some reason. Possibly due to reboots following app installs.
The VM should only be sysprepped once during generalization.
Have you been able to create a virtual smart card using the vTPM after deploying a Windows 11 VM? Physical cards pass through just fine, but when attempting to create a VSC it just sort of gets stuck on “Waiting for Smart Card”
Hey there, unfortunately I haven’t had the requirement to perform that.