Securing Windows Server 2012 using RETINA recommendations breaks SYSPREP

When locking down Windows Server 2012, some vulnerability scanners recommend to disable the Task Scheduler service.  This should be done with GPO after the image is created.  Applying the setting prior to running SYSPREP on the OS will cause SYSPREP to fail with a fatal error.

Sysprep produces the following message:

System Preparation Tool 3.14
A fatal error occurred while trying to sysprep the machine.

The sysprep setuperr.log contains entries similar to:

2014-05-06 14:20:27, Error                 SYSPRP SPPNP: Failed to find task '\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers'. hr = 0x80070003[gle=0x00000003]
2014-05-06 14:20:27, Error                 SYSPRP WSLicenseCleanUpState failed with hr=80070003
2014-05-06 14:20:27, Error      [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'WSLicenseCleanUpState' from C:\Windows\System32\wsclient.dll; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP ActionPlatform::ExecuteAction: Error in executing action; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP ActionPlatform::ExecuteActionList: Error in execute actions; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP SysprepSession::Execute: Error in executing actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP RunPlatformActions:Failed while executing SysprepSession actions; dwRet = 0x80070003
2014-05-06 14:20:27, Error      [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x80070003
2014-05-06 14:20:27, Error      [0x0f00a8] SYSPRP WinMain:Hit failure while processing sysprep generalize internal providers; hr = 0x80070003

As a solution, task scheduler settings are not deployed to the local GPO on the machine, but are controlled at the GPO level within the Domain.  Should you require the machine not to be joined to a domain, then apply the settings for Task Scheduler after sysprep and prior to production deployment.

Hopefully this helps someone, as I didn't see it anywhere else online with the same errors.

Mac MacAnanny - Engineer - DoD - Office of the Secretary of Defense - DoD