
Detailed Golden Image Creation – Windows 11

Golden Image Creation Guide

A comprehensive step-by-step guide to building, configuring, capturing,

Overview

A golden image (also called a reference image or master image) is a standardized, pre-configured Windows 11 installation that you build once and deploy to many machines. Each deployed machine gets a unique identity — its own SID, computer name, and hardware configuration — while inheriting the same baseline OS, applications, drivers, and settings.

This guide covers all six phases of the golden image lifecycle:

  • Phase 1 — Install: Clean Windows 11 installation, enter Audit Mode. Key tools: Windows ISO, Media Creation Tool
  • Phase 2 — Configure: Updates, drivers, apps, GPO settings, AppX cleanup. Key tools: gpedit.msc, PowerShell, winget
  • Phase 3 — Sysprep: Generalize the image to remove machine-specific data. Key tool: sysprep.exe
  • Phase 4 — Capture: Save the image as a .WIM file. Key tools: DISM, WinPE
  • Phase 5 — Deploy: Roll out to target machines. Key tools: WDS, MDT, SCCM, Autopilot
  • Phase 6 — Maintain: Monthly patching, versioning, governance. Key tool: DISM offline servicing

✔  TIP: Using a virtual machine (Hyper-V or VMware) for your reference machine is strongly recommended. VM snapshots let you revert to any stage — especially pre-Sysprep — without rebuilding from scratch.

Prerequisites

Gather the following before you begin:

  • Reference machine or VM with at least 64 GB disk, 4 GB RAM, TPM 2.0 chip, and Secure Boot enabled
  • Windows 11 ISO from Microsoft’s Media Creation Tool or Volume Licensing Service Center (VLSC)
  • Windows Assessment and Deployment Kit (ADK) + WinPE Add-on installed on a separate technician PC
  • USB drive (16 GB+) or network share for storing the captured .WIM file
  • Software licenses for every application you plan to bundle into the image
  • Network connection initially disabled (prevents unwanted Store app updates during build)

✖  CRITICAL: Audit Mode is now required by Microsoft for all Sysprep operations. Running Windows 11 Sysprep from OOBE (the old method) is unsupported and causes ‘Reset this PC’ failures on deployed machines.

PHASE 1 – INSTALL: Clean Windows 11 Installation

Step 1 — Boot from Windows 11 Media

Boot your reference machine from the Windows 11 ISO or USB. In the setup wizard:

  • Select your language, region, and keyboard layout
  • Choose the correct edition (Enterprise for domain environments, Pro for smaller deployments)
  • Select your target partition and perform a clean install — do not upgrade an existing OS
  • Ensure the network cable is unplugged or the NIC is disabled

⚠  WARNING: Keeping the machine offline during installation prevents Windows from requiring a Microsoft Account login and stops background Store app downloads that will break Sysprep later.

Step 2 — Enter Audit Mode (Critical)

When Windows Setup reaches the first OOBE screen (country/region selection), press:

Ctrl  +  Shift  +  F3

The machine reboots and automatically logs in as the built-in Administrator account in Audit Mode. The Sysprep dialog appears — minimize it. Do not close it.

Alternatively, to enter Audit Mode from an existing installation, run:

C:\Windows\System32\Sysprep\sysprep.exe /audit /reboot

ℹ  NOTE: You must perform ALL configuration — driver installs, Windows Updates, app installs — while in Audit Mode. Windows will remain in Audit Mode on every reboot until you explicitly run Sysprep /oobe.

PHASE 2 – CONFIGURE: Customize the Reference Image

Step 3 — Disable Microsoft Store Auto-Updates

This is the most important pre-configuration step. Open the Local Group Policy Editor:

Win + R  →  gpedit.msc  →  Enter

Navigate to:

Computer Configuration → Administrative Templates → Windows Components → Store

Enable both of these policies:

  • Turn off Automatic Download and Install of updates
  • Turn off the Store application  (optional — blocks Store access entirely)

✖  CRITICAL: If Microsoft Store apps update while you are building, Sysprep will fail with error 0x80073cf2. This happens because the user-installed app version differs from the provisioned version. This is the single most common cause of Sysprep failure in Windows 11.

Step 4 — Install Windows Updates

Temporarily re-enable the network adapter, then go to Settings → Windows Update → Check for updates. Install all available updates, reboot as required, and repeat until no more updates appear.

⚠  WARNING: For Windows 11 24H2 images, ensure the June 2025 Cumulative Update (KB5060842, OS Build 26100.4349) is installed. This update fixes a BitLocker/Sysprep BSOD bug specific to 24H2.

Disconnect the network again once all updates are complete.

Step 5 — Install Hardware Drivers

Install all drivers appropriate for your target hardware:

  • Hyper-V VMs: Integration Services are built-in — no manual install needed
  • VMware VMs: Install VMware Tools from the VM menu: VM → Install VMware Tools
  • VirtualBox VMs: Install VirtualBox Guest Additions from the Devices menu
  • Physical — Dell: Use Dell Command Update or download the Dell Driver Pack
  • Physical — HP: Use HP SoftPaq Download Manager or HP Image Assistant
  • Physical — Lenovo: Use Lenovo System Update or Lenovo Thin Installer

ℹ  NOTE: If deploying to diverse hardware models, keep the image driver-light. Inject model-specific drivers at deployment time using MDT driver groups or DISM offline servicing rather than baking them into the WIM.

Step 6 — Install Applications

Install all software that should be present on every deployed machine. Use silent/unattended installers:

  • Microsoft 365 / Office: Use the Office Deployment Tool (ODT) with a config.xml for silent install
  • Endpoint protection / antivirus (disable real-time scanning before Sysprep)
  • VPN and remote access clients
  • Runtimes: .NET Framework, Visual C++ redistributables, Java if required
  • Line-of-business applications via silent installers (/quiet /norestart)

Use winget for repeatable installs:

winget install --id Adobe.Acrobat.Reader.64-bit --silent --accept-package-agreements --accept-source-agreements
winget install --id Google.Chrome --silent --accept-package-agreements --accept-source-agreements
winget install --id Microsoft.VCRedist.2015+.x64 --silent --accept-package-agreements --accept-source-agreements

Step 7 — Configure System Settings and Policies

Apply your organization’s standard configuration. Run these registry tweaks as Administrator:

:: Disable telemetry (0 = Security level; honored on Enterprise/Education, Pro treats it as 1)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

:: Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f

:: Disable advertising ID
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f

:: Set power plan to High Performance
powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

:: Set time zone (adjust as needed)
tzutil /s "Eastern Standard Time"

✖  CRITICAL: Do NOT use CopyProfile in your unattend.xml. Microsoft does not reliably test this feature and it increasingly causes issues in Windows 11. Configure user profile defaults via PowerShell scripts that run at first logon during deployment instead.

Step 8 — Remove Unwanted Built-in AppX Packages

Remove bloatware using PowerShell as Administrator. You must remove both the per-user package AND the provisioned package, in that order:

$appsToRemove = @(
    "MicrosoftTeams",
    "Microsoft.BingWeather",
    "Microsoft.GetHelp",
    "Microsoft.Getstarted",
    "Microsoft.GamingApp",
    "Microsoft.MicrosoftOfficeHub",
    "Microsoft.People",
    "Microsoft.YourPhone",
    "Microsoft.ZuneVideo",
    "Microsoft.ZuneMusic",
    "Microsoft.549981C3F5F10",   # Cortana
    "Microsoft.Xbox.TCUI",
    "Microsoft.XboxApp",
    "Microsoft.XboxGameOverlay",
    "Microsoft.XboxGamingOverlay",
    "Microsoft.XboxIdentityProvider"
)

foreach ($app in $appsToRemove) {
    # 1. Remove the installed (per-user) package for every profile on the machine
    Get-AppxPackage -AllUsers -Name "*$app*" | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue

    # 2. Then remove the provisioned copy so it is not re-installed for new users
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -Like "*$app*" |
        Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue
}

✖  CRITICAL: Do NOT remove system-critical packages: Microsoft.SecHealthUI (Windows Security), Microsoft.Windows.Photos, Start menu packages, or the Widgets platform. Removing these will break Sysprep or produce an unbootable image.

Step 9 — Disable BitLocker on the OS Volume

Sysprep fails if BitLocker is active. Check the current status:

manage-bde -status C:

If Protection Status shows ‘Protection On’, disable it and wait for full decryption:

manage-bde -off C:

# Monitor progress — must reach 0% before proceeding

manage-bde -status C:

✖  CRITICAL: On Windows 11 24H2, even a previously-disabled BitLocker can cause a BSOD after Sysprep. The fix is to apply the June 2025 Cumulative Update (KB5060842) before running Sysprep.

Step 10 — Confirm Machine is NOT Domain-Joined

Run this check in PowerShell:

(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

# Must return: False

If the machine is domain-joined, unjoin before proceeding:

Remove-Computer -UnjoinDomainCredential (Get-Credential) -PassThru -Verbose -Restart

✖  CRITICAL: Sysprep on a domain-joined machine hangs indefinitely during the Specialize pass (at CryptoSysPrep_Specialize). The machine will never complete generalization.

Step 11 — Final Update Pass and Cleanup

Re-enable the network, run Windows Update one final time, then disconnect the network again.

Now run a full cleanup to reduce image size:

# Empty all temp folders
Remove-Item -Path "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue

# Clear Windows Update download cache
Stop-Service wuauserv -Force
Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service wuauserv

# Run DISM component cleanup (ResetBase makes the installed updates permanent)
DISM /Online /Cleanup-Image /StartComponentCleanup /ResetBase

# Disk Cleanup: /sageset opens the category dialog once so you can tick the
# options; /sagerun then applies that saved selection with no prompts
cleanmgr /sageset:65535
cleanmgr /sagerun:65535

✔  TIP: If using a VM, take a snapshot NOW labeled ‘Pre-Sysprep’. This lets you revert and re-Sysprep later (e.g. to add more apps or patches) without rebuilding from scratch.

PHASE 3 – SYSPREP: Generalize the Reference Image

Step 12 — Pre-Flight: Scan for AppX Blockers

Run this PowerShell scan before executing Sysprep to detect packages that will cause failure:

# Find Store packages installed for a user whose name and version are not
# provisioned for all users (the 0x80073cf2 condition). Comparison is by
# Name + Version: provisioned PackageName strings carry "neutral_~_" where the
# installed PackageFullName carries the architecture, so they never match
# textually. System-signed and framework packages are skipped because they are
# not provisioned and do not block Sysprep.
$provisioned = Get-AppxProvisionedPackage -Online
Get-AppxPackage -AllUsers |
    Where-Object { $_.SignatureKind -eq 'Store' -and -not $_.IsFramework } |
    Where-Object {
        $name = $_.Name; $ver = $_.Version
        -not ($provisioned | Where-Object { $_.DisplayName -eq $name -and $_.Version -eq $ver })
    } | Select-Object Name, Version, PackageFullName

Remove any packages returned by the above command:

Remove-AppxPackage -Package “FULL_PACKAGE_NAME_HERE” -AllUsers

If Sysprep fails after running, check the log at:

C:\Windows\System32\Sysprep\Panther\setuperr.log
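An added pre-flight script (not from the original guide) that folds the checks of Steps 9, 10 and 12 and the 24H2 build requirement from Step 4 into one read-only report; run it as Administrator in Audit Mode before Step 13. The build numbers are the ones quoted above; the GeneralizationState value is the one Sysprep keeps in the registry, which a failed earlier run leaves off its ready value.

```powershell
# Added pre-Sysprep readiness check (not part of the original guide).
# Reports blockers only; it changes nothing on the machine.
function Test-SysprepReadiness {
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 9: BitLocker must be off AND decryption finished on the OS volume
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($bde -and ($bde.ProtectionStatus -ne 'Off' -or $bde.VolumeStatus -ne 'FullyDecrypted')) {
        $findings.Add("BitLocker: $($bde.ProtectionStatus) / $($bde.VolumeStatus) on $env:SystemDrive (manage-bde -off and wait)")
    }

    # Step 10: the reference machine must not be domain-joined
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings.Add("Domain: joined to $($cs.Domain) (Remove-Computer before Sysprep)")
    }

    # Step 4 warning: a 24H2 image (build 26100) needs UBR 4349 or later (KB5060842)
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ([int]$ver.CurrentBuild -eq 26100 -and [int]$ver.UBR -lt 4349) {
        $findings.Add("Build: 26100.$($ver.UBR) is below 26100.4349; install KB5060842 first")
    }

    # Step 12: Store packages installed for a user but not provisioned at that version
    $provisioned = Get-AppxProvisionedPackage -Online
    $blockers = Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -eq 'Store' -and -not $_.IsFramework } |
        Where-Object {
            $n = $_.Name; $v = $_.Version
            -not ($provisioned | Where-Object { $_.DisplayName -eq $n -and $_.Version -eq $v })
        }
    foreach ($b in $blockers) {
        $findings.Add("AppX: $($b.PackageFullName) not provisioned at this version (0x80073cf2 risk)")
    }

    # A failed earlier Sysprep leaves GeneralizationState off its ready value (7)
    $state = Get-ItemProperty 'HKLM:\SYSTEM\Setup\Status\SysprepStatus' -ErrorAction SilentlyContinue
    if ($state -and $state.GeneralizationState -ne 7) {
        $findings.Add("SysprepStatus: GeneralizationState=$($state.GeneralizationState), expected 7 (earlier Sysprep attempt left state behind)")
    }

    if ($findings.Count -eq 0) { Write-Host 'Sysprep pre-flight: no blockers found' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
    return $findings
}

Test-SysprepReadiness
```

Fix every reported finding with the step it names, then re-run the function until it returns an empty list.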

Step 13 — Run Sysprep (GUI Method)

The Sysprep dialog should already be minimized from Audit Mode. Open it and configure:

  • System Cleanup Action: Enter System Out-of-Box Experience (OOBE)
  • Generalize: Checked (enabled)
  • Shutdown Options: Shutdown

Click OK. Sysprep runs through Cleanup → Generalize → Specialize → Shutdown. The machine powers off automatically when complete.

Step 14 — Run Sysprep (Command Line — Recommended)

Open an elevated Command Prompt and run:

C:\Windows\System32\Sysprep\sysprep.exe /oobe /generalize /shutdown

For VM-only deployments (skips some hardware checks):

sysprep.exe /oobe /generalize /shutdown /Mode:VM

With an unattend answer file:

sysprep.exe /oobe /generalize /shutdown /unattend:E:\AnswerFiles\autounattend.xml

✖  CRITICAL: Once the machine shuts down, DO NOT power it back on. Booting would trigger OOBE and partially configure the image, corrupting it for deployment. Treat the powered-off machine as a sealed artifact.

What Sysprep /generalize removes:

  • Machine SID (Security Identifier) — each deployment gets a unique SID
  • Computer name — replaced by a random name or one from the answer file
  • Hardware-specific configuration and device driver store index
  • Windows activation state
  • Domain membership markers
  • Event logs and user-specific data from the built-in Administrator account

Step 15 — Troubleshoot Sysprep Failures

If Sysprep fails, always read the log first:

notepad C:\Windows\System32\Sysprep\Panther\setuperr.log

Error / symptom, root cause, and fix:

  • 0x80073cf2 (AppX). Cause: app installed for a user but not provisioned for all users. Fix: run the pre-flight scan (Step 12) and remove the offending package.
  • BitLocker error. Cause: BitLocker encryption is active on the OS volume. Fix: run manage-bde -off C: and wait for 0% decryption.
  • Machine hangs forever. Cause: machine is domain-joined. Fix: unjoin from the domain, reboot, then retry Sysprep.
  • BSOD after 24H2 Sysprep. Cause: BitLocker/Sysprep bug in Windows 11 24H2. Fix: apply the June 2025 CU (KB5060842) before running Sysprep.
  • SecHealthUI fails. Cause: Windows Security package in a bad state. Fix: do not attempt to remove SecHealthUI; rebuild from a clean base.
  • ‘Reset this PC’ broken. Cause: Sysprep was run from OOBE, not Audit Mode. Fix: rebuild the image and enter Audit Mode via Ctrl+Shift+F3 at the OOBE screen.

PHASE 4 – CAPTURE: Create the .WIM Image File

Step 16 — Create WinPE Boot Media

On your technician PC (Windows ADK installed), open the Deployment and Imaging Tools Environment as Administrator:

# Copy WinPE base files
copype amd64 C:\WinPE_amd64

# Mount the WinPE image to add optional components
Dism /Mount-Image /ImageFile:"C:\WinPE_amd64\media\sources\boot.wim" /index:1 /MountDir:"C:\WinPE_amd64\mount"

# Add optional components (scripting, WMI, networking)
Dism /Add-Package /Image:"C:\WinPE_amd64\mount" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab"

# Unmount and commit changes
Dism /Unmount-Image /MountDir:"C:\WinPE_amd64\mount" /Commit

# Write to USB (replace F: with your USB drive letter)
MakeWinPEMedia /UFD C:\WinPE_amd64 F:

Step 17 — Boot Reference Machine into WinPE

Insert the WinPE USB into the powered-off (sysprepped) reference machine. Power it on and boot from the USB (press F12, F8, or ESC for the boot menu).

At the WinPE command prompt, identify your drive letters:

diskpart

list volume

exit

Note which volume letter is your Windows partition (often C: or D: in WinPE) and where your destination storage is (e.g. E: for USB or a network path).

Step 18 — Capture the Image with DISM

Run the DISM capture command (adjust drive letters to match your environment):

DISM /Capture-Image ^
  /ImageFile:E:\Images\Win11_Golden_v1.wim ^
  /CaptureDir:C:\ ^
  /Name:"Win11 Enterprise 24H2 Golden" ^
  /Description:"Build: 2026-06 | Apps: M365, Chrome, Acrobat" ^
  /Compress:max ^
  /CheckIntegrity

/ImageFile
    Full output path for the .WIM file on destination storage
/CaptureDir
    Drive letter of the Windows partition in WinPE
/Name
    Label stored inside the WIM — used by WDS/MDT to identify the image
/Compress:max
    Maximum compression — slower but produces the smallest file
/CheckIntegrity
    Detects and flags bad sectors or data errors during capture

Typical capture time is 20–60 minutes. A standard enterprise image is 8–18 GB compressed.

Step 19 — Verify the Captured Image

# View image metadata

DISM /Get-ImageInfo /ImageFile:E:\Images\Win11_Golden_v1.wim

# Verify integrity

DISM /Check-ImageHealth /ImageFile:E:\Images\Win11_Golden_v1.wim /Index:1

# Generate SHA256 checksum for archiving

certutil -hashfile E:\Images\Win11_Golden_v1.wim SHA256 > Win11_Golden_v1.wim.sha256

✔  TIP: Store the SHA256 checksum alongside the WIM file. Use it to verify the image hasn’t been corrupted when copying to deployment servers or after long-term storage.
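Added example, not part of the original guide: verify a WIM against its .sha256 file before copying it to a deployment server or importing it into WDS/MDT. It assumes the checksum file sits beside the WIM (the Step 19 redirect writes it to the current directory, so move it or pass -ChecksumPath), and it accepts both certutil's three-line output and a bare hash line.

```powershell
# Added example (not from the original guide): compare a WIM's SHA256 with the
# value recorded at capture time. Paths are assumptions for this example.
function Test-WimChecksum {
    param(
        [Parameter(Mandatory)][string]$WimPath,
        [string]$ChecksumPath = "$WimPath.sha256"
    )
    # certutil -hashfile writes a header line, the hash, and a completion line.
    # Older builds print the hash as space-separated byte pairs, so strip
    # whitespace before looking for the 64 hex digits.
    $expected = (Get-Content -LiteralPath $ChecksumPath |
        Where-Object { ($_ -replace '\s', '') -match '^[0-9a-fA-F]{64}$' } |
        Select-Object -First 1) -replace '\s', ''
    if (-not $expected) { throw "No SHA256 value found in $ChecksumPath" }

    $actual = (Get-FileHash -LiteralPath $WimPath -Algorithm SHA256).Hash
    [pscustomobject]@{
        Wim      = $WimPath
        Expected = $expected.ToLower()
        Actual   = $actual.ToLower()
        Match    = ($actual -ieq $expected)   # hex case differs between tools
    }
}

$result = Test-WimChecksum -WimPath 'E:\Images\Win11_Golden_v1.wim'
if (-not $result.Match) {
    Write-Error "Checksum mismatch for $($result.Wim); do not deploy this WIM"
}
$result
```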

PHASE 5 – DEPLOY: Roll Out the Image to Target Machines

Option A — DISM Direct (Single Machine)

Boot the target machine into WinPE, then partition, format, and apply the image:

:: Partition the disk (UEFI / GPT)
diskpart
select disk 0
clean
convert gpt
create partition efi size=100
format quick fs=fat32 label="System"
assign letter=S
create partition msr size=16
create partition primary
format quick fs=ntfs label="Windows"
assign letter=C
exit

:: Apply the captured image
DISM /Apply-Image /ImageFile:E:\Images\Win11_Golden_v1.wim /Index:1 /ApplyDir:C:\

:: Set up bootloader
bcdboot C:\Windows /s S: /f UEFI

Remove WinPE media and reboot. The machine completes OOBE.

Option B — WDS + PXE Boot (Enterprise Fleet)

Install Windows Deployment Services on a Windows Server:

Install-WindowsFeature WDS -IncludeManagementTools

Configure WDS and add your images:

wdsutil /initialize-server /reminst:"D:\RemoteInstall" /standalone
wdsutil /add-image /imagefile:"E:\boot.wim" /imagetype:boot
wdsutil /add-image /imagefile:"E:\Images\Win11_Golden_v1.wim" /imagetype:install /imagegroup:"Windows 11"

⚠  WARNING: As of April 2026, Microsoft has disabled WDS hands-free (answer file) deployments by default due to security vulnerability CVE-2026-0386. WDS still works as a PXE boot server, but automated unattend.xml delivery is off by default. Use MDT, Configuration Manager, or custom WinPE scripts to automate post-boot setup.

Option C — MDT (Automated Task Sequences)

Microsoft Deployment Toolkit automates the full pipeline: partitioning → image apply → driver injection → domain join → app install.

1. Install MDT 8456 + the MDT 8456 Hotfix (KB4564442) on your MDT server
2. Install the Windows ADK version matching your Windows 11 build
3. Create a Deployment Share
4. Import your .WIM as an Operating System
5. Import drivers (organize into driver groups by hardware model)
6. Create a Task Sequence: Standard Client Task Sequence
7. Generate a LiteTouch WinPE boot image and add it to WDS
8. PXE-boot target machines to pull the task sequence automatically

ℹ  NOTE: MDT is not officially supported by Microsoft for Windows 11 (support ended October 2025). For enterprise support, use Configuration Manager OSD or Windows Autopilot. MDT continues to function for organizations that accept community support.

Step 23 — Automate First Boot with autounattend.xml

Place an autounattend.xml file at the root of your WinPE boot media to skip all OOBE prompts and auto-configure each deployed machine:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideLocalAccountScreen>false</HideLocalAccountScreen>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <!-- Placeholder password. PlainText=true stores it in clear text in this
                 file, so restrict access to the answer file and rotate this account
                 during deployment. -->
            <Password><Value>P@ssw0rd!</Value><PlainText>true</PlainText></Password>
            <Group>Administrators</Group>
            <Name>LocalAdmin</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>

Create and validate answer files using Windows System Image Manager (WSIM), included in the Windows ADK.

PHASE 6 – MAINTAIN: Keeping the Image Current

Step 24 — Monthly Offline Patching with DISM

You do not need to rebuild the image every month. Mount the WIM and inject patches offline:

# Create a mount point

mkdir C:\Mount

# Mount the image (read-write)

DISM /Mount-Image /ImageFile:E:\Images\Win11_Golden_v1.wim /Index:1 /MountDir:C:\Mount

# Inject a cumulative update (.msu or .cab)

DISM /Image:C:\Mount /Add-Package /PackagePath:C:\Updates\windows11.0-kb5060842-x64.msu

# Remove superseded components to reclaim space

DISM /Image:C:\Mount /Cleanup-Image /StartComponentCleanup /ResetBase

# Commit changes and unmount

DISM /Unmount-Image /MountDir:C:\Mount /Commit

Version your WIM files by date: Win11_Golden_v1_2025-06.wim, Win11_Golden_v1_2025-07.wim, etc. Always retain the previous month’s version for rollback.
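Added example (not the guide's own commands): the Step 24 servicing run as a function that patches a dated copy of the WIM with every .msu/.cab in a folder, discards the mount and deletes the half-built copy if any package fails, and writes a .sha256 beside the result. It uses the DISM PowerShell cmdlets rather than dism.exe; the paths and the _YYYY-MM filename pattern are assumptions.

```powershell
# Added example (not from the original guide): monthly offline servicing of the
# golden WIM as a versioned copy, with rollback on failure. Paths are assumptions.
function Update-GoldenWim {
    param(
        [Parameter(Mandatory)][string]$SourceWim,     # last good image, e.g. ..._2025-06.wim
        [Parameter(Mandatory)][string]$UpdateFolder,  # this month's .msu / .cab files
        [string]$MountDir = 'C:\Mount'
    )
    # Never patch the only copy: service a dated copy and keep the source for rollback
    $stamp  = Get-Date -Format 'yyyy-MM'
    $base   = [IO.Path]::GetFileNameWithoutExtension($SourceWim) -replace '_\d{4}-\d{2}$', ''
    $target = Join-Path (Split-Path $SourceWim -Parent) "${base}_${stamp}.wim"
    Copy-Item -LiteralPath $SourceWim -Destination $target
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    $updates = Get-ChildItem -Path $UpdateFolder -Include *.msu, *.cab -Recurse | Sort-Object Name
    if (-not $updates) { throw "No .msu/.cab files in $UpdateFolder" }

    Mount-WindowsImage -ImagePath $target -Index 1 -Path $MountDir | Out-Null
    try {
        foreach ($u in $updates) {
            Write-Host "Adding $($u.Name)"
            Add-WindowsPackage -Path $MountDir -PackagePath $u.FullName | Out-Null
        }
        # Equivalent of DISM /Cleanup-Image /StartComponentCleanup /ResetBase, offline
        Repair-WindowsImage -Path $MountDir -StartComponentCleanup -ResetBase | Out-Null
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        # A failed package leaves the mount dirty: discard it and drop the partial copy
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        Remove-Item -LiteralPath $target -Force
        throw
    }
    # Record the checksum beside the new version, as Step 19 does for the first build
    (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash.ToLower() |
        Set-Content -LiteralPath "$target.sha256"
    return $target
}

Update-GoldenWim -SourceWim 'E:\Images\Win11_Golden_v1_2025-06.wim' -UpdateFolder 'C:\Updates'
```

The previous month's WIM and its checksum are left untouched, which is the rollback copy the governance checklist asks you to retain.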

Golden Image Governance Checklist

Follow these practices for every image build and deployment cycle:

  • Store WIM on a network share with access controls — not a public or open folder
  • Keep SHA256 checksums for every WIM version in a change log document
  • Document every app, version, and configuration change between builds
  • Test-deploy every new image to a VM before releasing to production fleet
  • Rebuild the image from scratch every 6-12 months to avoid stale baselines
  • Revert to the pre-Sysprep VM snapshot when re-Sysprepping rather than rebuilding
  • Validate BitLocker enablement on deployed machines before fleet-wide rollout
  • Verify Windows Activation on each deployed machine after deployment
  • Patch the image offline (DISM) monthly rather than letting deployments install updates post-deploy
  • Review and re-run the AppX pre-flight scan (Step 12) before every Sysprep run

Quick Reference: Common Commands

Sysprep Commands

sysprep.exe /oobe /generalize /shutdown
    Standard generalize and shut down
sysprep.exe /oobe /generalize /shutdown /Mode:VM
    For VM-only images
sysprep.exe /audit /reboot
    Enter Audit Mode from an existing installation
sysprep.exe /oobe /generalize /shutdown /unattend:path.xml
    Generalize with answer file

DISM Commands

DISM /Capture-Image /ImageFile:out.wim /CaptureDir:C:\ /Name:"Label" /Compress:max
    Capture image
DISM /Apply-Image /ImageFile:image.wim /Index:1 /ApplyDir:C:\
    Apply image to disk
DISM /Get-ImageInfo /ImageFile:image.wim
    View image metadata
DISM /Mount-Image /ImageFile:image.wim /Index:1 /MountDir:C:\Mount
    Mount for offline servicing
DISM /Image:C:\Mount /Add-Package /PackagePath:update.msu
    Inject update into mounted image
DISM /Unmount-Image /MountDir:C:\Mount /Commit
    Commit changes and unmount
DISM /Online /Cleanup-Image /StartComponentCleanup /ResetBase
    Reduce online image size
DISM /Check-ImageHealth /ImageFile:image.wim /Index:1
    Verify image integrity

PowerShell: AppX Management

Get-AppxPackage -AllUsers
    List all installed packages for all users
Get-AppxProvisionedPackage -Online
    List all provisioned packages in the image
Remove-AppxPackage -Package "name" -AllUsers
    Remove per-user package
Remove-AppxProvisionedPackage -Online -PackageName "name"
    Remove provisioned package
manage-bde -status C:
    Check BitLocker status
manage-bde -off C:
    Disable BitLocker

Key File Paths

C:\Windows\System32\Sysprep\sysprep.exe
    Sysprep executable
C:\Windows\System32\Sysprep\Panther\setuperr.log
    Sysprep error log (check when Sysprep fails)
C:\Windows\Panther\setupact.log
    Windows Setup activity log
C:\Windows\SoftwareDistribution\Download\
    Windows Update download cache (safe to clear)
%SystemRoot%\system32\panther\
    Copy autounattend.xml here during Audit Mode