
Sysprep Executor reports Antivirus detected when it has been disabled

I am trying to Sysprep a Windows Enterprise 1903 image using ver. 4.1.1.1 of Sysprep creator. The executor reports that Antivirus is detected but I have disabled it in group policy. Real time protection is definitely off.


5 Comments
  • Hover the mouse over AntiVirus, and see if truly talking about Windows Defender or not.

    Also, if you manually disable real-time protection, does Windows warn you about having Defender OFF? - Channeler 4 years ago
    • Sysprep executor does say that "Windows Defender was detected". Windows doesn't warn me that Windows Defender is off. In Windows Security, it shows "Windows Defender Antivirus is turned off". - michael.e.ritchey 4 years ago
  • A little more information ... I installed the operating system and nothing else, then cloned the machine. I successfully sysprepped and uploaded that image.
    I then installed my software to the non-sysprepped clone, now I can't sysprep it because it says antivirus is on. So I know how to disable the antivirus, and I know that I can sysprep 1903 ... I just don't know why this isn't working. - michael.e.ritchey 4 years ago
  • You should not be in a domain when you sysprep. - SMal.tmcc 4 years ago
    • I am not on a domain. I wait until after imaging to join the domain. - michael.e.ritchey 4 years ago
      • OK, so GPO does not apply to disable it then. - SMal.tmcc 4 years ago
  • Have you tried running the sysprep file manually? If that fails, check the Panther directory logs for the specific error.
    Copy the Answer file to windows\system32\sysprep

    Open a command window

    cd\windows\system32\sysprep

    sysprep /generalize /oobe /shutdown /unattend:c:\windows\system32\sysprep\YourAnswerFile.xml - SMal.tmcc 4 years ago
    • "Sysprep was not able to validate your Windows installation"
      The following is from setupact.log ... I see errors but I don't know what they mean.

      2019-08-05 12:32:19, Info SYSPRP ========================================================
      2019-08-05 12:32:19, Info SYSPRP === Beginning of a new sysprep run ===
      2019-08-05 12:32:19, Info SYSPRP ========================================================
      2019-08-05 12:32:19, Info [0x0f004d] SYSPRP The time is now 2019-08-05 12:32:19
      2019-08-05 12:32:19, Info [0x0f004e] SYSPRP Initialized SysPrep log at C:\Windows\System32\Sysprep\Panther
      2019-08-05 12:32:19, Info [0x0f0054] SYSPRP ValidatePrivileges:User has required privileges to sysprep machine
      2019-08-05 12:32:19, Info [0x0f007e] SYSPRP FCreateTagFile:Tag file C:\Windows\System32\Sysprep\Sysprep_succeeded.tag does not already exist, no need to delete anything
      2019-08-05 12:32:19, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'GENERALIZE'
      2019-08-05 12:32:19, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'OOBE'
      2019-08-05 12:32:19, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'SHUTDOWN'
      2019-08-05 12:32:19, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'UNATTEND'
      2019-08-05 12:32:19, Info [0x0f00d7] SYSPRP WinMain:Pre-validing 'cleanup' internal providers.
      2019-08-05 12:32:19, Info SYSPRP RunDlls:Running platform actions specified in action file for phase 3
      2019-08-05 12:32:19, Info SYSPRP SysprepSession::CreateSession: Successfully created instance with action file C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml, and mode <null>
      2019-08-05 12:32:19, Info SYSPRP SysprepSession::Validate: Beginning action execution from C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml
      2019-08-05 12:32:19, Info SYSPRP SysprepSession::CreateXPathForSelection: Sysprep mode in registry is <null>
      2019-08-05 12:32:19, Info SYSPRP SysprepSession::CreateXPathForSelection: Processor architecture in registry is AMD64
      2019-08-05 12:32:19, Info SYSPRP ActionPlatform::LaunchModule: Executing method 'Sysprep_Clean_Validate_Opk' from C:\Windows\System32\spopk.dll
      2019-08-05 12:32:19, Info CSI 00000001 Shim considered [l:125]'\??\C:\Windows\Servicing\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.263_none_5f1fc00458f64d76\wcp.dll' : got STATUS_OBJECT_PATH_NOT_FOUND
      2019-08-05 12:32:19, Info CSI 00000002 Shim considered [l:122]'\??\C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.263_none_5f1fc00458f64d76\wcp.dll' : got STATUS_SUCCESS
      2019-08-05 12:32:19, Error SYSPRP Sysprep_Clean_Validate_Opk: Audit mode can't be turned on if there is an active scenario.; hr = 0x800F0975
      2019-08-05 12:32:19, Error SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'Sysprep_Clean_Validate_Opk' from C:\Windows\System32\spopk.dll; dwRet = 0x975
      2019-08-05 12:32:19, Error SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml; dwRet = 0x975
      2019-08-05 12:32:19, Error SYSPRP RunPlatformActions:Failed while validating Sysprep session actions; dwRet = 0x975
      2019-08-05 12:32:19, Error [0x0f0070] SYSPRP RunDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x975
      2019-08-05 12:32:19, Error [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep cleanup internal providers; hr = 0x80070975
      2019-08-05 12:33:11, Info [0x0f0052] SYSPRP Shutting down SysPrep log
      2019-08-05 12:33:11, Info [0x0f004d] SYSPRP The time is now 2019-08-05 12:33:11 - michael.e.ritchey 4 years ago
  • SMal.tmcc, I'm running into the same problem when trying to use the Sysprep Executor v4.1.1.1. I've tried to disable using Local Group Policy and still nothing. This is not on a domain, and it is a clean install using VL media for 1903 via the Scripted Install method.

    The manual way of running sysprep succeeded, but I would like to get the KACE Sysprep Executor to work as it's done in the past.

    Any more ideas? - ACAST 4 years ago
    • A similar thing happened to me in the past, I think on 1703, with a certain file. It took Microsoft about 2 weeks to issue a patch to fix the sysprep problem. For now I would replace the spopk.dll file with an older one till MS issues a patch; when they do, they will overwrite whatever version you have on the image. FOG sees the same problems:

      https://forums.fogproject.org/topic/13335/fyi-win10-1903-sysprep-possible-bug - SMal.tmcc 4 years ago
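SMal.tmcc's advice above is to read the Panther log for the specific error, and the log michael.e.ritchey posted shows what that means in practice: the first Error line (Sysprep_Clean_Validate_Opk, hr = 0x800F0975) is the real failure, and every Error after it is a caller reporting the same failure upward. The script below is an added example, not code from this thread or from the KACE tool. It parses setupact.log in the line format shown above, keeps only the most recent run (the log accumulates across runs), and returns the Error lines with the hr/dwRet code split out. The default path is the Panther location the log itself reports; the function name and output fields are my own.

```powershell
# Added example, not from this thread or from the KACE tool: return the Error
# lines of the most recent sysprep run in setupact.log, with the hr/dwRet code
# extracted, so the blocking validator is read from the log instead of guessed.
function Get-SysprepRunErrors {
    [CmdletBinding()]
    param(
        # Default is the Panther location reported by the log in the thread
        [string]$LogPath = (Join-Path $env:SystemRoot 'System32\Sysprep\Panther\setupact.log')
    )

    if (-not (Test-Path -LiteralPath $LogPath)) {
        throw "setupact.log not found at $LogPath"
    }

    $lines = @(Get-Content -LiteralPath $LogPath)

    # Start at the last "Beginning of a new sysprep run" banner so earlier,
    # already-fixed failures are not mixed into the current diagnosis.
    $start = 0
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Beginning of a new sysprep run') { $start = $i }
    }

    # Line shape: "<timestamp>, <Level> [<0x code>] <COMPONENT> <message>"
    # The bracketed code is optional (compare the CSI and ActionPlatform lines).
    $linePattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?<level>\w+)\s+(?:\[0x[0-9A-Fa-f]+\]\s+)?(?<component>\w+)\s+(?<msg>.*)$'

    foreach ($line in $lines[$start..($lines.Count - 1)]) {
        if ($line -notmatch $linePattern) { continue }
        # Copy the groups out before any further -match overwrites $Matches
        $ts        = $Matches['ts']
        $level     = $Matches['level']
        $component = $Matches['component']
        $msg       = $Matches['msg']
        if ($level -ne 'Error') { continue }

        # "hr = 0x800F0975" or "dwRet = 0x975": pull the code out for lookup
        $code = $null
        if ($msg -match '(?:hr|dwRet)\s*=\s*(0x[0-9A-Fa-f]+)') { $code = $Matches[1] }

        [pscustomobject]@{
            Time      = [datetime]$ts
            Component = $component
            Code      = $code
            Message   = $msg
        }
    }
}

# Usage: the first Error of the run is normally the root cause; the rest are
# the callers (LaunchModule, Validate, RunDlls, WinMain) re-reporting it.
$runErrors = @(Get-SysprepRunErrors)
if ($runErrors.Count -eq 0) {
    'No Error lines in the most recent sysprep run.'
} else {
    'Root cause: [{0}] {1}' -f $runErrors[0].Code, $runErrors[0].Message
    $runErrors | Format-Table Time, Component, Code, Message -AutoSize -Wrap
}
```

Run it in an elevated PowerShell on the machine that failed; against the log posted above it reports the Sysprep_Clean_Validate_Opk line as the root cause, which is what the accepted answer below arrives at by reading the log by hand.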

Answers (2)

Posted by: SMal.tmcc 4 years ago

OK, so the real problem is:

Error SYSPRP Sysprep_Clean_Validate_Opk: Audit mode can't be turned on if there is an active scenario.; hr = 0x800F0975

Research along this line:

https://www.google.com/search?client=firefox-b-1-d&q=Sysprep_Clean_Validate_Opk%3A+Audit+mode+can%27t+be+turned+on+if+there+is+an+active+scenario

https://social.technet.microsoft.com/Forums/en-US/0dcbdf32-05a1-4edc-8f22-287998d30de5/sysprep-problem-audit-mode-canamp39t-be-turned-on-if-there-is-an-active-scenario?forum=win10itprosetup


Comments:
  • I very much appreciate you trying to help me. If I sound a bit frustrated, I've got a new semester starting in 2 weeks and 250 or so computers to put new images on.
    I've tried the suggestion I found of using an older spopk.dll (from 1803) and it seems to be working. I am sending the image up now. I am sure that's not a correct solution but it might be the only one I've got. Next time I do this, I won't likely use the newest Windows Version I can get.
    Again, thanks.

    So, to recap. Replacing the 'spopk.dll' as suggested in the technet link above AND using the command line to do sysprep instead of the executor seemed to do the trick. To replace the spopk.dll, you have to take ownership and give yourself full control of the file. I used a dll from 1803. - michael.e.ritchey 4 years ago
    • Then it is an OS-related issue... yeah, I'm still with 1809. When a new build is out, I try to wait 6 months and use a known good patched ISO. - Channeler 4 years ago
Posted by: SMal.tmcc 4 years ago

see Cory's answer https://www.itninja.com/question/sysprep-executor-detecting-defender


Comments:
  • If you are referring to where cserrins suggested to hover over the Antivirus detected message, then, as I stated, it does say that. However, the "Turn off Windows Defender Antivirus" setting is enabled in group policy. Windows Security notification is disabled in task manager startup. In the registry, both DisableAntiSpyware and DisableRealtimeMonitoring are set to "1" in HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. Also on that page is a warning about upgrades. This is a fresh install from .iso. - michael.e.ritchey 4 years ago
    • Your "however" does not apply unless the machine is in a domain; GPOs are domain policies. - SMal.tmcc 4 years ago
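The comment exchange above turns on facts that can be read directly off the machine: whether it is domain-joined, what the Defender policy values in HKLM\SOFTWARE\Policies\Microsoft\Windows Defender actually are, and what the Defender engine itself reports. The script below is an added example, not code from this thread or from the KACE tool. It uses the policy key and the DisableAntiSpyware / DisableRealtimeMonitoring value names michael.e.ritchey quotes, additionally reads the Real-Time Protection subkey (where the "Turn off real-time protection" policy stores its value), and queries Get-MpComputerStatus and Win32_ComputerSystem, both of which ship with Windows 10. The function name and the output field names are my own.

```powershell
# Added example, not from this thread or from the KACE tool: gather the
# pre-sysprep facts the thread argues about (domain membership, Defender policy
# registry values, Defender engine state) into one object.
function Get-SysprepPreflight {
    [CmdletBinding()]
    param()

    # Both domain GPO and Local Group Policy write Defender settings here
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $rtpKey    = "$policyKey\Real-Time Protection"

    # Returns the DWORD, or $null when the key/value is absent (no policy set)
    function Read-PolicyValue([string]$Key, [string]$Name) {
        if (-not (Test-Path -LiteralPath $Key)) { return $null }
        $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    # Domain membership: a workgroup machine cannot be getting domain GPO
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result = [ordered]@{
        ComputerName                          = $cs.Name
        PartOfDomain                          = $cs.PartOfDomain
        DomainOrWorkgroup                     = $cs.Domain
        Policy_DisableAntiSpyware             = Read-PolicyValue $policyKey 'DisableAntiSpyware'
        Policy_DisableRealtimeMonitoring_Root = Read-PolicyValue $policyKey 'DisableRealtimeMonitoring'
        Policy_DisableRealtimeMonitoring_RTP  = Read-PolicyValue $rtpKey 'DisableRealtimeMonitoring'
    }

    # What the Defender engine reports about itself; the cmdlet fails when the
    # Defender feature is not present, which is worth knowing in itself
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $result['Defender_AntivirusEnabled']          = $mp.AntivirusEnabled
        $result['Defender_AntispywareEnabled']        = $mp.AntispywareEnabled
        $result['Defender_RealTimeProtectionEnabled'] = $mp.RealTimeProtectionEnabled
    } catch {
        $result['Defender_Status'] = "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # The posted log shows sysprep checking this tag file before it starts
    $tag = Join-Path $env:SystemRoot 'System32\Sysprep\Sysprep_succeeded.tag'
    $result['SysprepSucceededTagPresent'] = Test-Path -LiteralPath $tag

    [pscustomobject]$result
}

Get-SysprepPreflight | Format-List
```

Run it elevated before launching sysprep or the executor. If PartOfDomain is False and the Policy_ values are 1, the setting came from local policy, so the registry state is what any tool checking the policy key will see regardless of domain membership; if Defender_AntivirusEnabled is still True with those values set, the engine has not honoured the policy and a reboot or the Defender event log is the next place to look.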
