This guide walks you through the automated process for preparing a Windows 11 virtual machine as a golden image for deployment on Oracle Cloud Infrastructure (OCI). The process uses two PowerShell scripts that run before and after a reboot to validate the environment, install required software, and execute Sysprep to generalize the image.
The automation consists of three files:
- _Config.ps1 — shared configuration values
- Step1_PreReboot.ps1 — environment validation and cleanup (runs before reboot)
- Step2_PostReboot.ps1 — software installation and Sysprep (runs after reboot)

The first script validates the environment and prepares the VM for imaging. It performs the following checks and actions automatically:
| Check | Action |
|---|---|
| Administrator privileges | Verifies the script is running as Administrator |
| Windows 11 | Confirms the OS version is Windows 11 |
| Disk space | Ensures at least 2 GB of free disk space |
| Internet connectivity | Tests network access for software downloads |
| Sysprep | Verifies the Sysprep executable is available |
| BitLocker | Disables encryption and waits for full decryption |
| Network (IP/DNS) | Switches static configuration to DHCP if needed |
| Remote Desktop | Enables RDP and its firewall rule if disabled |
| Remote Desktop Users | Displays group members for review |
| Pre-existing software | Removes Cloudbase-Init and/or VirtualBox Guest Additions if present |
The VM reboots after this step completes.
After the reboot, the second script installs the required software and runs Sysprep to generalize the image:
| Phase | Action |
|---|---|
| Download software | Downloads the Thinfinity Workspace Agent and Cloudbase-Init installers |
| Generate unattend.xml | Configures OOBE skip, Administrator password, and RDP settings |
| Kill processes | Terminates and disables non-essential services, tasks, and startup entries |
| Thinfinity Agent | Silent install and configuration with your Network ID and Gateway URLs. Pauses for manual log verification. |
| Cloudbase-Init | Silent install (service user: cb, metadata password disabled) |
| AppX cleanup | Removes conflicting AppX packages that block Sysprep |
| Remove Teams | Uninstalls Microsoft Teams |
| Sysprep | Executes sysprep /generalize /oobe /shutdown |
The VM shuts down automatically after Sysprep completes.
Copy the three script files (_Config.ps1, Step1_PreReboot.ps1, Step2_PostReboot.ps1) to the Downloads folder of the logged-in user on the target VM.
Open PowerShell as Administrator. If script execution is restricted, run the following command to allow scripts for the current session only:
```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
```
This allows scripts to run only for the current session without changing the system-wide policy.
```powershell
cd ~\Downloads
.\Step1_PreReboot.ps1
```
After the reboot, run Step 2 with -NetworkID and -Gateways:
```powershell
.\Step2_PostReboot.ps1 -NetworkID "your-network-id" -Gateways "https://gateway1.example.com,https://gateway2.example.com"
```
Important: Wait 20 to 30 minutes after the VM shuts down before creating the custom image. Do not start or modify the VM state before creating the image.
Once the wait period has passed, create the custom image from the OCI Console using the stopped VM as the source.
VMs created from the golden image contain two user accounts:
| User | Source | Purpose | Post-Deploy Status |
|---|---|---|---|
| Administrator | Enabled by unattend.xml | Initial configuration | Disabled after first boot |
| Terraform user | Created by Cloudbase-Init | VM access (RDP) | Active |
The built-in Administrator account is temporarily enabled during deployment for initial configuration. It is automatically disabled after the first boot, leaving only the Terraform-provisioned user as the active account.
Review the script output to identify which check failed. Common issues include insufficient disk space, no internet connectivity, or an unsupported OS version. Resolve the underlying issue and re-run Step 1.
Verify that the -NetworkID and -Gateways values are correct and that the VM has outbound network access to the gateway URLs. Do not press ENTER until the logs confirm a successful connection.
The script automatically removes known conflicting AppX packages (including Microsoft Teams). If Sysprep still fails, check the log at C:\Windows\System32\Sysprep\Panther\setupact.log to identify any remaining problematic packages, remove them manually, and re-run Step 2.
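One way to list the packages still blocking Sysprep from setupact.log, as an added example that is not part of the project's scripts. The function name Get-SysprepBlockingAppx and the sample log lines are constructed here, and the matched message is the wording Sysprep normally logs for per-user AppX packages (an assumption, since the page does not quote the log).

```powershell
# Added example; not part of _Config.ps1, Step1_PreReboot.ps1 or Step2_PostReboot.ps1.
# Get-SysprepBlockingAppx is a hypothetical helper name.
function Get-SysprepBlockingAppx {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string]$Line
    )
    begin {
        # Assumed wording of the Sysprep AppX validation failure.
        $pattern = 'SYSPRP Package (?<pkg>\S+) was installed for a user, but not provisioned for all users'
        $seen = [System.Collections.Generic.HashSet[string]]::new()
    }
    process {
        # Report each package once, even if Sysprep was attempted several times.
        if ($Line -match $pattern -and $seen.Add($Matches['pkg'])) {
            [pscustomobject]@{
                Name            = ($Matches['pkg'] -split '_')[0]   # first field of the full name
                PackageFullName = $Matches['pkg']
                LoggedAt        = ($Line -split ',')[0]             # timestamp column
            }
        }
    }
}

# Constructed sample lines (Contoso packages are placeholders, not real findings).
$sample = @(
    '2025-01-10 09:14:02, Info                  SYSPRP Constructed informational line, ignored by the parser'
    '2025-01-10 09:14:03, Error                 SYSPRP Package Contoso.SampleApp_1.2.3.0_x64__abcdefgh12345 was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.'
    '2025-01-10 09:31:47, Error                 SYSPRP Package Contoso.SampleApp_1.2.3.0_x64__abcdefgh12345 was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.'
    '2025-01-10 09:31:48, Error                 SYSPRP Package Contoso.OtherApp_4.0.0.0_neutral__abcdefgh12345 was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.'
)
$sample | Get-SysprepBlockingAppx | Format-Table -AutoSize

# On the VM, read the log named in the troubleshooting step instead:
# Get-Content C:\Windows\System32\Sysprep\Panther\setupact.log | Get-SysprepBlockingAppx
```

The Name column is the value to look up with Get-AppxPackage when removing a package manually before re-running Step 2.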