diff --git a/packaging/googet/google-compute-engine-sysprep.goospec b/packaging/googet/google-compute-engine-sysprep.goospec
index ca6192fb..fa6347fe 100644
--- a/packaging/googet/google-compute-engine-sysprep.goospec
+++ b/packaging/googet/google-compute-engine-sysprep.goospec
@@ -22,6 +22,7 @@
 "path": "sysprep/sysprep_uninstall.ps1"
 },
 "releaseNotes": [
+ "3.20.0 - Remove MTLS MDS certificates from certificate store and disk during sysprep.
 "3.19.0 - Migrating MTU & Firewall rule modifications to use PowerShell cmdlets instead of netsh for Win10/2016 and above.",
 "3.18.0 - Updated activate_instance.ps1 to skip setting KMS and activation, if any known GCE Windows BYOL license is attached.",
 "3.17.0 - Add Windows Server 2022 KMS client keys",
diff --git a/sysprep/sysprep.ps1 b/sysprep/sysprep.ps1
index 9e89fcb6..a4fc082c 100644
--- a/sysprep/sysprep.ps1
+++ b/sysprep/sysprep.ps1
@@ -132,6 +132,7 @@ function Clear-TempFolders {
 "C:\Users\*\Appdata\Local\Temp\*\*",
 "C:\Users\*\Appdata\Local\Microsoft\Internet Explorer\*",
 "C:\Users\*\Appdata\LocalLow\Temp\*\*",
+ "C:\ProgramData\Google\Compute Engine\mds-mtls-*"
 "C:\Users\*\Appdata\LocalLow\Microsoft\Internet Explorer\*") | ForEach-Object {
 if (Test-Path $_) {
 Remove-Item $_ -Recurse -Force -ErrorAction Ignore
@@ -215,6 +216,9 @@ try {
 Start-Sleep -Seconds 15
 }
+ Write-Log 'Stopping GCEAgent.'
+ Stop-Service -name GCEAgent
+
 Write-Log 'Setting startup commands.'
 Set-ItemProperty -Path HKLM:\SYSTEM\Setup -Name CmdLine -Value "`"$PSScriptRoot\windeploy.cmd`""
 if (-not (Test-Path $script:setupscripts_dir_loc)) {
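Review bot: The added 3.20.0 entry in the goospec `releaseNotes` array is missing its closing quote and trailing comma, which leaves the array and therefore the whole package spec unparsable as JSON. The line should read `"3.20.0 - Remove MTLS MDS certificates from certificate store and disk during sysprep.",`, matching the 3.19.0 and 3.18.0 entries directly below it.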
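Review bot: The new `"C:\ProgramData\Google\Compute Engine\mds-mtls-*"` element in Clear-TempFolders has no trailing comma, unlike every other element of the list; as far as I can tell a newline inside `@( )` terminates the statement so the following path still ends up in the output, but it reads like a typo and should be `"C:\ProgramData\Google\Compute Engine\mds-mtls-*",`. Because this glob is scrubbing MDS mTLS key material from the image, the existing `Remove-Item $_ -Recurse -Force -ErrorAction Ignore` on the next lines silently hides a failed delete; capturing the error with `-ErrorVariable` and passing it to `Write-Log` would make an unscrubbed credential visible in the sysprep log. The opening of the array and the rest of Clear-TempFolders are outside the hunk.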
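Review bot: `Stop-Service -name GCEAgent` carries no comment and no error handling; unless `$ErrorActionPreference` is set elsewhere in the script, a missing or unstoppable service produces a non-terminating error and the script continues, so the later credential cleanup can run while the agent is still live, which is presumably what this step exists to prevent. A comment such as `# Stop the agent so it does not recreate MDS mTLS credentials while they are scrubbed below` would record the intent, and either `Stop-Service -Name GCEAgent -ErrorAction Stop` or a `Write-Log` of the failure would keep it from passing silently. The enclosing `try {` block begins before this hunk.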
@@ -243,6 +247,13 @@ $PSHome\powershell.exe -NoProfile -NoLogo -ExecutionPolicy Unrestricted -File "$
 }
 }
+ Write-Log 'Clearing MTLS MDS certs.'
+ @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root') | ForEach-Object {
+ if (Test-Path $_) {
+ Get-ChildItem $_ | Where-Object {$_.Issuer -Match 'google.internal'} | Remove-Item
+ }
+ }
+
 if ([System.Environment]::OSVersion.Version.Build -ge 10240) {
 Write-Log "Enabling RDP and WinRM firewall rules using PowerShell. Build $([System.Environment]::OSVersion.Version.Build)"
 New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -Profile Any
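Review bot: The filter `Where-Object {$_.Issuer -Match 'google.internal'}` is a regex, so the unescaped `.` matches any character and the pattern is unanchored; any certificate whose issuer string merely contains a substring such as `google-internal` or `notgoogle.internal` anywhere is deleted, and since the loop also walks `Cert:\LocalMachine\Root` an over-match removes a trust anchor from the image. Tightening it to the known issuer, at minimum `$_.Issuer -Match 'google\.internal'` or better an exact `-eq` against the issuer DN the MDS certificates actually carry (not shown on this page), keeps the cleanup scoped to the MDS mTLS certs. Logging each removed thumbprint via `Write-Log` before `Remove-Item` would also give the sysprep log an audit trail of what was scrubbed; as written, `Remove-Item` runs with the default ErrorAction, so a failed delete is printed but never reaches the log. The surrounding `try` block begins before this hunk.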