Prepare your OS image for layering in Citrix Hypervisor, Hyper-V, or vSphere

Before you start, ensure that you meet the requirements. While preparing the image, you can expedite Microsoft Ngen.exe operations, as described in this section.

If using Windows 10, you can speed up desktop start times as long as you are not running Citrix Provisioning, machine creation, or VMware View. In this situation, you can remove Windows 10 built-in applications. We recommend removing the apps on a new version of the OS layer, rather than in the OS image itself.

Install the OS on a virtual machine

It is crucial to start with an OS freshly installed from ISO, preferably from your hypervisor.

In this procedure, be sure to follow steps and notes specific to the Windows version you are installing.

  1. Log into your hypervisor client.
  2. Create a virtual machine with the correct CPU, RAM, hard drive, and network settings for your operating system type. Guidance:

    • Citrix Hypervisor virtual machine: Ensure that only one network is selected.
    • vSphere virtual machine:
      • Network: (Required) Select the VMXNET 3 network adapter.

      Important: You can have one, and only one, network device, and the E1000 NIC must never have been used. The default E1000 adapter (or even a ghost NIC left over from an E1000 adapter) can cause customization timeout errors on the virtual machines.

      • Thin Provision: Select Thin Provision.
    • All hypervisors:
      • Hard drive: Ensure that the appliance can access the hard drive that you create.
  3. Attach the ISO and install the operating system. This machine must not be joined to the domain. Domain join must be done in the Platform layer, and any domain group membership changes must be done through Group Policy.
  4. Install the hypervisor tools for the platform where you plan to package layers. If you support multiple hypervisors, put the tools for the hypervisor you plan to use for publishing images in the Platform layer.


    Use the Microsoft Windows Integration Services Setup Disk to install Hyper-V Integration Services.

If using a Server OS, install the Remote Desktop Session Host feature

When using a Windows Server OS, you need to install the Remote Desktop Session Host feature. Although you can install the Remote Desktop Session Host role on the Platform layer with the VDA, the advantage of having the role in the OS layer is that it is updated as part of Windows.

If you install RDS in the OS layer, you need to use local GPOs to define the RDS license servers. Otherwise, over time you will lose the ability to log on to packaging machines.

To install the Session Host feature:

  1. In the Server Manager, select **Add roles and features**.
  2. For the **Installation Type**, select **Role-based** or **Feature-based** installation.
  3. For the Server Role, select Remote Desktop Services > Remote Desktop Session Host (Installed). This installs the C++ library and the RDS role.
  4. Complete the process of adding the Server Roles.

Ensure the correct versions of .NET Framework are installed (Windows 7, Windows 10, Windows Server 2016)

The .NET Framework is a software framework provided by Microsoft, and it is required for many third-party applications to run.

  • .NET Framework 4.5: Required on Windows 7.
  • .NET Framework 3.5: Required on Windows 10 and Windows Server 2016.

To install .NET Framework:

  1. On the Start menu, select Control Panel > Programs and Features.
  2. In the left panel select Turn Windows features on or off. A window opens.
  3. Select the correct version of .NET Framework, click OK, and wait for the installation to complete.


    Even if .NET is already installed, continue with the rest of these steps.

  4. Exit the Control Panel.
  5. In Notifications on the right side of your taskbar, click All Settings, and open the Windows 10 Settings app.
  6. Select Settings > Update & Security.
  7. Check for updates, and install all updates available.
  8. Exit Settings.

Install Windows updates

Be sure to install all Windows updates.

  1. Install all important updates.
  2. Check for updates again after the virtual machine is rebooted. Some updates become available only after others are installed.
  3. Install all required service packs:
    • If using Windows 2008 with Citrix Provisioning or Horizon View, install Windows Server 2008 R2 Service Pack 1 (SP1).


      You may need to uninstall KB3125574 before installing this one.

  4. Turn off Windows Automatic Updates and disable Windows System Restore using the local group policy editor, gpedit.msc. The system handles restore points for you. Layer versions allow you to specify when updates occur.
  5. Windows 10: Turn off Hibernation by entering this command:

    powercfg.exe /hibernate off
  6. Enable the built-in administrator and check Password never expires.
  7. If using KMS licensing, run a command window as Administrator, and enter these commands:

    slmgr /skms <kmsserverhost>
    slmgr /rearm
    slmgr /ipk XXXX-YOUR-KMS-KEY-XXXX
    slmgr /ato
  8. If this is a server OS, run the following command in PowerShell:

    Set-ExecutionPolicy Unrestricted

Expedite Microsoft Ngen.exe operations, if needed

Once all software updates have been installed, you must allow Ngen.exe to essentially recompile .NET byte code into native images and construct the registry entries to manage them.

Ngen.exe is the Microsoft Native Image Generator, which is part of the .NET system. Windows decides when to run Ngen.exe based on what software is being installed and what Windows detects in the configuration.


When Ngen.exe is running, you must let it complete. An interrupted Ngen.exe operation can leave you with non-functioning .NET assemblies or other problems in the .NET system.

Normally, Ngen.exe is a background operation that pauses when there is foreground activity. If you want to expedite an Ngen.exe operation, you can bring the task into the foreground. This helps the task to complete as quickly as possible.

To bring the task into the foreground:

  1. Open a command prompt as Administrator.
  2. Go to the Microsoft .NET Framework directory for the version currently in use:

    cd C:\Windows\Microsoft.NET\FrameworkNN\vX.X.XXXXX
  3. Enter the following Ngen.exe command:

    ngen eqi

    This executes all queued compilation jobs.

  4. Enter the Ngen.exe command:

    ngen update /force

    This brings the Ngen.exe task to the foreground in the command prompt, and lists the assemblies being compiled. It is OK if you see several compilation messages.

    You can use Task Manager to see if an instance of MSCORSVW.EXE is running. If it is, you must allow it to complete, or run ngen update /force.


    Do not reboot to stop the task. Allow the task to complete.

  5. Ensure that all Ngen.exe processes have run to completion.
  6. When complete, you can now shut down the virtual machine.
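
A read-only check of the settings the steps above ask for, to run before shutting the machine down. This is an added example, not part of the Citrix documentation or tooling. The function name Test-OsImageReadiness, the registry values it reads, and the PCI filter used to spot ghost adapters are assumptions of this example, and it relies on cmdlets available in Windows 10 and Windows Server 2016.

```powershell
# Added example, not Citrix code. Read-only; run elevated on Windows 10 / Server 2016.
function Test-OsImageReadiness {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Name, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # The OS image must not be joined to the domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    & $add 'Not domain joined' (-not $cs.PartOfDomain) $cs.Domain

    # One, and only one, network device.
    $nics = @(Get-NetAdapter -Physical)
    & $add 'Exactly one network adapter' ($nics.Count -eq 1) ($nics.InterfaceDescription -join '; ')

    # Ghost NICs: PCI network devices known to Windows but no longer present
    # (assumption: a leftover E1000 shows up this way).
    $present = @(Get-PnpDevice -Class Net -PresentOnly).InstanceId
    $ghosts = @(Get-PnpDevice -Class Net | Where-Object {
        $_.InstanceId -like 'PCI\*' -and $_.InstanceId -notin $present })
    & $add 'No ghost PCI NIC' ($ghosts.Count -eq 0) ($ghosts.FriendlyName -join '; ')

    # powercfg.exe /hibernate off sets HibernateEnabled to 0.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    & $add 'Hibernation off' ($power.HibernateEnabled -eq 0) "HibernateEnabled=$($power.HibernateEnabled)"

    # Automatic Updates turned off through local policy (gpedit.msc).
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    & $add 'Automatic Updates disabled' ($au.NoAutoUpdate -eq 1) "NoAutoUpdate=$($au.NoAutoUpdate)"

    # Built-in Administrator (RID 500) enabled, password set to never expire.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    & $add 'Built-in Administrator enabled' $admin.Enabled $admin.Name
    & $add 'Administrator password never expires' ($null -eq $admin.PasswordExpires) $admin.PasswordExpires

    # Ngen must have finished: no mscorsvw.exe or ngen.exe still running.
    $ngen = @(Get-Process -Name mscorsvw, ngen -ErrorAction SilentlyContinue)
    & $add 'No Ngen work in progress' ($ngen.Count -eq 0) ($ngen.ProcessName -join ', ')

    $results
}

Test-OsImageReadiness | Format-Table -AutoSize
```

Any row with Pass set to False points at a step to revisit before the image is imported into an OS layer.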

Run the App Layering OS Machine Tools on the image

To prepare the OS image to run in a layer, you execute the OS Machine Tools file on the image. This executable runs a GPO setup script (gposetup.cmd), and a Set KMS Version script (SetKMSVersion.hta).

  1. Download the following zip file onto the OS image:
  2. Extract the files to:



    The file must be extracted to the above directory. Do not change the directory.

If using Key Management Service (KMS), configure license activation

Once the scripts are extracted, the SetKMSVersion utility asks you to choose whether or not to use KMS licensing.

  1. In the dialog box that appears, select whether to use Key Management Service (KMS) licensing.

To configure scripts for KMS, do the following.

  1. Navigate to:


  2. Run SetKMSVersion.hta as Administrator. This creates a script file in the c:\windows\setup\scripts\kmsdir folder.

When the operating system starts, the appropriate KMS activation script is executed.

Install the App Layering services

  1. In the c:\windows\setup\scripts folder, run the setup_x86.exe (32-bit) or setup_x64.exe (64-bit).

  2. If you are using an unattend file, the installation prompts for the location of the file. The default location is c:\windows\panther.

Once this is done, you are ready to import the image into a new OS layer.

If using MS Office, run the optimization script

The Optimization script included in the App Layering installation package is required to layer Microsoft Office. This script allows you to save memory and CPU by disabling services you don’t need, enabling services you do need, and removing installation-specific drivers and settings.

You can run the Optimization script on the OS layer, and if needed, supersede it with a new version of the script in an App layer included in your image template. Since App layers are applied to the image after the OS layer, the script in the App layer overrides the original version in the OS layer.

  1. In the c:\windows\setup\scripts folder, run the optimizations.cmd file to create a file that will be run when the image is created.

  2. If you run the unattend.hta file, the optimizations.cmd file is run automatically.

    • If you run optimizations.cmd without first running unattend.hta, follow the instructions to run it on the OS image.

    • If you are using the optimizations script and you are also enabling the View Persona feature, the View Persona folder redirection requires Offline files to be enabled. By default, the optimization script turns off any offline files that are not a requirement for App Layering. Therefore:

      1. Go to the section of the script called Disable Unnecessary Services to Save Memory and CPU.

      2. Deselect the option to Disable Offline File Service, and click Save File.

If you need to run Windows Mini Setup, use our answer file

If you need to run Windows Mini Setup, follow these steps to use our unattend.hta answer file.

  1. In the c:\windows\setup\scripts folder, right-click the unattend.hta tool and choose Run as administrator. The unattend builder form opens.
  2. Complete the unattend form.
    • Product key activation
      • For KMS activation, select KMS Server.
      • For KMS with a Multiple Activation Key (MAK), select KMS with MAK and enter the MAK.
      • For Retail Licensing with a MAK, select Retail with MAK, and enter the MAK.
    • Local Administrator account
      • If you want to use the unattend.xml file to enable the Administrator account on each Layered Image, select Enable. Remember to also enable this account in your OS Image or Operating System Layer revision. It is possible to enable the Administrator account for your OS Image and then have it disabled in the deployed Layered Images by clearing the check box.
      • If you want to add an alternate Administrator account, select Enable and enter the account information. This account cannot be pre-configured in the OS Image.
      • You can create a Layered Image where the Administrator is disabled and the alternate administrator is created and enabled. However, for this to work, the Administrator account must be enabled in the OS Image and it cannot be renamed.
    • Time zone
      • Select the time zone. If your time zone is not listed, you can add it to the Other box. Be sure to use the time zone, not the display setting. A list of time zone settings can be found in Microsoft TechNet.
    • Disabling automatic activation
      • Select this option if you plan to use the Microsoft Volume Activation Management Tool.
  3. Click Save File.