Sysprep and deploy Windows 11 22H2 in Azure with a custom image and a workaround

A common way to build virtual machines from an image in Azure (e.g., as session hosts for Azure Virtual Desktop) is the “Golden Image” approach.

The golden image approach is pretty simple. First, install your “Golden Master”:

  • Create a VM in Azure (e.g., Windows 11 multi-session)
  • Install all hotfixes and updates
  • Install the application
  • Optional: Join a domain
  • Test the application

In the next step, create an image from the master:

  • Sysprep the Golden Master
  • Capture the VM in the Azure Portal and create a custom image
  • Optional: Copy the custom image to an Azure compute gallery to deploy VMs in different locations, subscriptions, and trusted launch VMs

The bad thing is that your Golden Master is destroyed during the sysprep and capturing process. A smarter approach is to sysprep a cloned/temporary VM and delete the clone afterwards. WVDAdmin and Hydra for AVD do this automatically when you create a new custom image, so you can reuse the Golden Master.

But today, deploying Windows 11 22H2 is the main topic. Windows 11 22H2 has an issue that prevents the rollout of new VMs based on a custom image in a specific case:

If you create a custom image based on a Golden Master that is or was domain-joined, you cannot roll out a new VM. The rollout runs into a timeout; if you capture a screenshot, you see the installation screen with a spinning progress ring.

What I figured out: the setup process stops right after the following task (found in C:\Windows\Panther\setupact.log): `ActionPlatform::LaunchModule: Executing method ‘CryptoSysPrep_Specialize’ from C:\Windows\system32\capisp.dll`. After that, nothing more happens, and the ETL files show no further activity either. I guess the process hangs.

**I was able to narrow it down to this step. As a workaround, I modified “C:\windows\system32\Sysprep\ActionFiles\Specialize.xml” on the master VM and removed the actions for ‘CryptoSysPrep_Specialize’.**

Specialize.xml is processed by sysprep when a VM deployed from the image of this master boots for the first time. And: it worked. The deployed VMs are running, and the timeout didn’t happen.

As a workaround, you can modify the Specialize.xml on the Golden Master and capture the image. After that, you can roll out new VMs based on that image.
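The edit described above, as an added PowerShell example (not code from the original post or from WVDAdmin/Hydra): it backs up Specialize.xml on the Golden Master, removes every action element that carries the method name ‘CryptoSysPrep_Specialize’, and verifies the result. It assumes the method name appears as an attribute value of the action elements, as the setupact.log line suggests; element and attribute names are not hard-coded.

```powershell
# Added example: remove the CryptoSysPrep_Specialize actions from Specialize.xml
# on the Golden Master before capturing the image. Run in an elevated session.
# Assumption: the method name is stored as an attribute value on the action
# element(s); any element with an attribute equal to that value is matched.

$SpecializeXml = 'C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml'
$MethodName    = 'CryptoSysPrep_Specialize'

function Get-SysprepActionNode {
    param([xml]$Document, [string]$Method)
    # XPath 1.0: every element having any attribute equal to the method name.
    $Document.SelectNodes("//*[@*='$Method']")
}

function Remove-SysprepAction {
    param([string]$Path, [string]$Method)

    if (-not (Test-Path $Path)) { throw "Action file not found: $Path" }

    # Keep a timestamped copy so the change can be reverted on the master.
    $Backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $Backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)

    $nodes = @(Get-SysprepActionNode -Document $xml -Method $Method)
    if ($nodes.Count -eq 0) {
        Write-Host "No '$Method' action found in $Path; nothing to do."
        return
    }
    foreach ($node in $nodes) {
        Write-Host "Removing element <$($node.Name)> referencing $Method"
        [void]$node.ParentNode.RemoveChild($node)
    }

    # Files under System32 are owned by TrustedInstaller; if Save() is denied,
    # take ownership of this file first (takeown/icacls) and run again.
    $xml.Save($Path)

    # Verify by re-loading: no action with that method name may remain.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($Path)
    if ((Get-SysprepActionNode -Document $check -Method $Method).Count -ne 0) {
        throw "'$Method' is still present after the edit; restore from $Backup"
    }
    Write-Host "Removed $($nodes.Count) action(s); backup written to $Backup"
}

Remove-SysprepAction -Path $SpecializeXml -Method $MethodName
```

Run it on the master immediately before sysprep and capture; the .bak file lets you undo the change if you keep the master around.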

I added the workaround to WVDAdmin and Hydra for AVD. If Windows 11 22H2 is detected during the imaging process, Specialize.xml is patched automatically. Additionally, if you roll out new session hosts with one of the tools, capisp.dll is called with the entry point CryptoSysPrep_Specialize during the rollout, so the skipped step is still executed.

Please note that this is a workaround. You can also follow the thread at https://learn.microsoft.com/en-us/answers/questions/1027370/windows-11-sysprep-1.html