THANK YOU all for your contributions, community spirit and enthusiasm. I've enjoyed building this repo and working with you all here. As the repo has been migrated, this repo is archived,


Get started now, this repo contains mutliple examples and test templates for Azure VM Image Builder (Public Preview).

What is Image Builder?? Get started with the short intro video below, or go straight to the Quick Starts below.


  1. Quick QuickStarts Examples. You can run these immediately using the Azure CloudShell from the Portal, and see multiple scenarios that the VM Image Builder supports.

  2. Azure Resource Manager (ARM) Image Builder Examples. The beauty of these examples, they are heavily parameterized, so you just need to drop in your own details, then begin image building, or integrate them to existing pipelines.

Service Updates and Latest Release Information

June 2020 Updates

Release Date : 1st June 0900 PST

  • NEW Api 2020-02-14, containing:
    • Distribute updates:
      • Support for more Shared Image Gallery (SIG) properties:
        • Specify your own SIG version
        • storageAccountType
        • excludeFromLatest
    • Source updates:
      • Support for Plan_Info
      • Specify paid Market Place Offerings as a source
    • Control Plane updates:
      • Cancel build - You can now cancel a running build!
  • Security model updates:
    • Simplified model - Now you do not grant the AIB permissions to your resources, now you use a single user identity, for more details see the May 2020 Update.
  • DevOps Task Actions Required and Updates
    • The existing AIB task, 'stable' will be updated on 4th June to support user identity and the new API. This will break existing deployments, For more details see here.
    • We now have an 'Unstable' AIB Task, this allows us to put in the latest updates and features, allow customers to test them, before we promote it to the 'stable' task, approx 1 week later.
    • Support has been added to the task to support user identity.
    • Multliple Bug fixes to address source custom images

Details below..

Deprecations & Notifications

  • As of the 4th of June, the service will reject templates that do not contain "identity", with a user assigned identity.
  • This means any templates created before 2019-05-01-preview will not be run, and not supported.
  • The 2020-02-14 API requires:
    • identity is mandatory
    • vnetConfig is now one property, subnetId, this is the resourceID of the subnet.
  • Please see the May 2020 Update for details on how to mitigate the above.

Whats coming!

  • AIB AZ CLI module / PS cmdlets - this will simplify the image creation even more!
  • GA - Early Q4 2020

More details on features in API 2020-02-14!

These details are being added to Azure docs and examples now, but for those who want a sneak peak...

Support for more Shared Image Gallery (SIG) Properties

  • Specify your own SIG version (optional) Previously AIB would automatically generate a montonic version based on datetime, this works well if you just want to keep re-running the template every month, as you don't need to modify the SIG distribution. However, feedback was that many customers would like to use existing versioning schemes, to use these, simply append a version to the SIG resourceID:
"galleryImageId": "/subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.Compute/galleries/<sharedImageGalName>/images/<imageDefName>/versions/1.1.1"
  • storageAccountType (optional) AIB supports specifying these types of storage for the image version that is to be created:
    • "Standard_LRS"
    • "Standard_ZRS"

For more information on these options, see SIG documentation

  • excludeFromLatest (optional) This allows you to mark the image version you create not be used as the latest version in the SIG definition, the default is 'false'.

A complete example, showing all the properties:

    "type": "SharedImage",
    "galleryImageId": "/subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.Compute/galleries/<sharedImageGalName>/images/<imageDefName>/versions/1.1.1",
    "runOutputName": "<runOutputName>",
    "artifactTags": {
        "source": "azureVmImageBuilder",
        "baseosimg": "windows2019"
    "replicationRegions": [
    "storageAccountType" : "Standard_ZRS",
    "excludeFromLatest" : true


Support for Plan_Info

Specify paid Market Place Offerings as a source:

    "source": {
        "type": "PlatformImage",
        "publisher": "RedHat",
        "offer": "rhel-byos",
        "sku": "rhel-lvm75",
        "version": "7.5.20190620",
        "planInfo": {
            "planName": "rhel-lvm75",
            "planProduct": "rhel-byos",
            "planPublisher": "redhat"

Cancel a running build

If you are running an image build that you believe is incorrect, waiting for user input, or you feel will never complete successfully, then you can cancel the build.

The build can only be cancelled any time, if the distribution phase has started you can cancel, but you will need to clean up any created images. The cancel command does not wait for cancel to complete, please monitor lastrunstatus.runstate for canceling progress, using these status commands.

Examples of cancel commands:

Invoke-AzResourceAction -ResourceName $imageTemplateName -ResourceGroupName $imageResourceGroup -ResourceType Microsoft.VirtualMachineImages/imageTemplates -ApiVersion >> API  "2019-05-01-preview" -Action Cancel -Force
az resource invoke-action \
     --resource-group $imageResourceGroup \
     --resource-type  Microsoft.VirtualMachineImages/imageTemplates \
     -n helloImageTemplateLinux01 \
     --action Cancel 

SERVICE UPDATE May 2020: ACTION NEEDED by 26th May - Please Review

We are making key changes to Azure Image Builder security model, this will be a breaking change, therefore we require you to take these before 26th May 0700 Pacific Time.

The change - Azure Image Builder Templates (AIB) must contain a populated identity property, and the user assigned identity must have permissions to read and write images.

Impact - From the 26th May 0700 we will not accepting any new AIB Templates or process existing AIB Templates that do not contain a populated identity. This also means any templates being submitted with api versions earlier than 2019-05-01-preview will not be be accepted either.

Why? - As well as allow us to prepare for future features, we are simplifying and improving the AIB security model, so instead of you granting permissions the AIB Service Principal Name, to build and distribute custom images, and then a user identity to you will now use a single user identity to get access to other Azure resources.

Actions Required

For full details and the next potential breaking change, please review the May Service Update document.

If you have any questions, please review the above and FAQs, and if you cannot find them, please raise questions on GitHub issues.



As you may have noticed, we have now made identity a mandatory parameter in the template, this has multiple advantages, as described above, but this was also needed in preparation for our new API release, 2020-02-14, that will be available in all regions on the 27th May, by 0700 Pacific.

We are in the process of updating all the documentation, new features, and end to end examples, but the main breaking changes are:

  • identity is a mandatory requirement, please review the May Service Update document, on how to add this to your templates.
  • vnetConfig - this specification is changing, from providing, name, subnetName, resourceGroupName to just subnetId, for example:
    "vnetConfig": {
        "subnetId": "/subscriptions/<subscriptionID>/resourceGroups/<vnetRgName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/<subnetName>"

What does this mean for existing templates and new templates created?

New Templates

If you create a new AIB template, and do not specify the API version in the calling client like below, then the template will be created using the new API version. This is because the calling client API version will override whatever exists in the AIB template.

az resource create \
    --resource-group $imageResourceGroup \
    --properties @existingVNETLinux.json \
    --is-full-object \
    --resource-type Microsoft.VirtualMachineImages/imageTemplates \
    -n existingVNETLinuxTemplate01

If you specify the API version using the calling client, like below, this will be created using the specified API version:

New-AzResourceGroupDeployment -ResourceGroupName $imageResourceGroup -TemplateFile $templateFilePath -api-version "2019-05-01-preview" -imageTemplateName $imageTemplateName -svclocation $location

Existing Templates

Once the new API is released, calling clients will default to use the new API version. Therefore, if you have existing templates that were created using the previous API version 2019-05-01-preview, in order to run, view properties, or delete them, you will need to specify the API version in the calling client, for example:

Getting the template status AZ CLI:

az resource show \
    --resource-group <imageTemplateResourceGroup> \
    --resource-type Microsoft.VirtualMachineImages/imageTemplates \
    --api-version 2019-05-01-preview
    -n <imageTemplateName>

Getting the template status PowerShell:

If you use the current documented method, then ensure the API version matches the previous API version 2019-05-01-preview.

$urlBuildStatus = [System.String]::Format("{0}subscriptions/{1}/resourceGroups/$imageResourceGroup/providers/Microsoft.VirtualMachineImages/imageTemplates/{2}?api-version=2019-05-01-preview", $managementEp, $currentAzureContext.Subscription.Id,$imageTemplateName)

Deleting Templates AZ CLI:

az resource delete \
    --resource-group <imageTemplateResourceGroup> \
    --resource-type Microsoft.VirtualMachineImages/imageTemplates \
    --api-version 2019-05-01-preview
    -n <imageTemplateName>

Deleting Templates PowerShell:

Remove-AzResource -ResourceId $resTemplateId.ResourceId -Force -ApiVersion "2019-05-01-preview"


  • What about the AIB Azure DevOps? - The DevOps task is hard coded to use an API version, this will be updated, but continue to work without interuption.

  • When will we announce the new functionality? - The new features will be documented by 28th May

  • Can I use existing documentation? - Yes, examples that have breaking changes will be updated.

March 2020 Updates

It has been a busy year already, and we are so pleased to announce this new functionality:

  • Removal of Public IP address requirement, and use an existing VNET
    • You can now allow image builder to use your existing VNET, so you can connect to existing configuration servers (DSC, Chef, Puppet etc.), file shares, or any other routable servers/services.
    • Try the end 2 end Windows and Linux examples now!
  • European Region Support
    • We now the AIB service in NorthEurope and WestEurope!
  • Windows Update customizer
  • 'Latest' image version support
    • Instead of you need to specify a version for Azure Market Place (AMP) images, you can now specify. When the image is created, AIB will use the latest version. This means you can rerun the same image template after the source images in AMP are updated, such as monthly.
  • Permissions documentation
    • We listened to feedback for clarity on permissions required for AIB, and be more granular on permissions required.
    • The quickstarts and solutions are being updated with new permission enablement steps over time.
  • Networking documentation
    • We have documented details for AIB networking, options, and requirements.
  • DevOps Task Update
    • Windows Update - Support for running Windows Update at end of task
    • Change VM size - Change the VM size to make resource intensive image builds faster, and also build on specilist VM sizes, such as GPU or HPC enabled sizes.
  • RHEL ISO Source Deprecation
    • We are removing this functionality from image builder, as there are now RHEL Bring Your Own Subscription images, please review the timelines below:
      • 31st March - Image Templates with RHEL ISO sources will now longer be accepted by the resource provider.
      • 30th April - Image Templates that contain RHEL ISO sources will not be processed any more.

The offical Microsoft docs for image builder will be updated this month to relect these updates.

December 2019 Updates Part 2

The work never ends, latest customization support:

  • osDiskSizeGB

  • There will be more updates in January! On behalf of the team, thank you to everyone who has tried Image Builder, and given feedback, we really appreciate it. Happy Holidays!!!!

December 2019 Updates

We constantly update the Image Builder Service, and its been a while since we summarized recent updates here:

  • PowerShell Customizer Elevated Permissions

    • PowerShell Support for running commands and scripts with elevated permissions
  • Checksum File Validation

    • PowerShell / Shell / File Customizer Support for checkSum
    • Checksum the file a file locally, then Image Builder will checksum and validate.
  • Increase Build Time

    • The default timeout of the image is currently 4hours, but can be reduced or increased upto 16hours.
  • Change Build VM Size

    • By default Image Builder will use a "Standard_D1_v2" build VM, but you may want to use a different VM size, since you may restrict this through Azure Policy, you have customizations that are compute intensive, or you need customize images that can only be run on certain types of VM Size types, e.g. if you want to customize an Image for a GPU VM, you need a GPU VM size.
  • Windows Client / Virtual Desktop OS Support

    • Many customers are testing Image Builder to support customizing Windows Desktop images, see the PowerShell example on how you can get started building Win10 Images.
    • Change this quickstart to start building custom WVD images with the Shared Image Gallery.
  • DevOps Task Updates

    • Specify source Azure Market Place OS image versions
    • Improved performance and reliability enhancements for Windows builds
    • Improved Build Log support
      • Source Azure Market Place Image Pub/offer/SKU/Version emitted into DevOps variables.
  • Supportability

    • Improved error messages, with log error location
    • Multiple bug and reliability enhancements
    • Support for raising image builder Microsoft support cases
    • Join the Image Builder Community MS Teams Channel
      • Give feedback, share ideas, contact the engineering team
  • Shared Image Gallery Version Modifications

    • Support for Image Version updates post image build, such as updating regions, replicas etc is now supported.
  • PowerShell examples

May 2019 Release

  • Release Date : 10th May 1000 PST This is an exciting release, image builder has just PUBLIC PREVIEW!!!!!

    The whole team is excited to make this milestone, and thanks the Private preview community for their engagement, feedback, and helping shape the product.

    You will be glad to know there are no API changes this month! But just wanted to share with you an exciting feature additions:

    1. Preview Azure DevOps Extension - This simplfies using Image Builder in Azure DevOps release pipelines, you just fill in Source / Customizations / Distribute, then the task will create the image, it also will copy in you Build pipeline artifacts!!!

      It is so cool, please try it, and give us feedback.

    2. Image Builder Public Docs

      The quickstarts are in the process of bring migrated to Azure Docs, but the quick starts will be maintained until there is a full transition, and you will be notified.

  1. Troubleshooting

azvmimagebuilder's Issues

issues building win10ent

Hi, I have issues using Your example:

but I'm changing source for windows 10 enterprise (as documentation says it is supported)

                "source": {
                    "type": "PlatformImage",
                    "publisher": "MicrosoftWindowsDesktop",
                    "offer": "Windows-10",
                    "sku": "19h2-evd",
                    "version": "latest"

But when I’m trying to deploy template there is error:

New-AzResourceGroupDeployment -ResourceGroupName $imageResourceGroup -TemplateFile $templateFilePath -api-version "2019-05-01-preview" -imageTemplateName $imageTemplateName -svclocation $location
New-AzResourceGroupDeployment: 19:04:30 - The deployment 'helloImageTemplateWin' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The resource operation completed with terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure)
 - Internal error occurred. (Code:InternalOperationError)
CorrelationId: 70f100f0-20eb-42df-a2db-b675b6fd4b20

In there is new empty resource group IT_*
After that I have to remove that template and I can start over but after 2 days with no luck I have out of new ideas to solve this.

Delete command failed with http error code: 405

trying to delete my template.
first did a cancel command. but now its stuck.

Operation Microsoft.VirtualMachineImages/imageTemplates/delete is not allowed in provisioning state: provisioned or run state: canceling.

its in this state for about 19 hours.

Does the canceling timeout? so i can delete the template. or can i force delete it?

Correction in

Hi, there is misstake in:


remove definitions

Remove-AzRoleDefinition -Name "$idenityNamePrincipalId" -Force -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"

should be:

remove definitions

Remove-AzRoleDefinition -Name "$imageRoleDefName" -Force -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"

CODE 200 error via Azure DevOps build pipeline

Hey guys,

Running into an issue running this task in Azure DevOps. I have followed this setup guide and when I try to run the task with a Shared Image Library. It fails with the error Error: put template call failed for template t_1578507314769 with error: Internal error occurred. (CODE: 200)

I have attached my logs.


DevOps Distribution Error

Hello. I have been exploring the AIB service for the past week or so, having no issues via the ARM template method but now looking at the DevOps based deployment but running into an issue.

The image build process seems to run properly via DevOps (template uploads, IT_* resource group created, customization.log looks clean) however the build errors during deployment of the Managed Image:

Error: post template call failed for template t_******* with error: Failed in distributing 1 images out of total 1: Some error happened, please check the error details. (CODE: 200)

I cannot seem to find any further details on the error.

On the DevOps task, the type is "ManagedImage" and the Image ID is:


The Devops/Azure authorization is scoped to the AIB targeted resource group and has the Contributor role on the RG.

EDIT: Also created a new DevOps service connection at the Subscription level and experiencing the same error.

Changing the type to VHD, the release runs properly. It feels like permissions but I can't seem to isolate where. Any advice would be appreciated.


WindowsServer:2016-Datacenter Builds Failing

We are seeing build failures issue with the latest MicrosoftWindowsServer:WindowsServer:2016-Datacenter source image, version: 14393.3326.1911120150

If you look in the customization.log, you will see this error:
[9bd218e8-11c5-4820-87a8-c5f667c41c7d] PACKER OUT Build 'azure-arm' errored: Timeout waiting for WinRM.
[9bd218e8-11c5-4820-87a8-c5f667c41c7d] PACKER ERR 2019/11/26 06:54:32 machine readable: azure-arm,error []string{"Timeout waiting for WinRM."}

This has just started happening with this image version, if we rollback to the previous version, there is no issue.

MicrosoftWindowsServer:WindowsServer:2016-Datacenter: 14393.3274.1910061629

We are investigating this with the Windows team, updates will be posted here.

I keep running into a persistent build failure when using the quick start examples

I have managed identity with owner permission set, I have had the template configured perfectly including adding the correct identity block, subscription ID, api version...etc, I have zero custom configurations set. I'm in the correct region ("us west 2", the only thing it has to do is build an ubuntu 18.04 image. While the template successfully uploads, it NEVER executes. It simply repeats the same useless msg:
"statusMessage": "{"status":"Failed","error":{"code":"ResourceOperationFailure","message":"The resource operation completed with terminal provisioning state 'Failed'.","details":[{"code":"InternalOperationError","message":"Failed in distributing 1 images out of total 1: Some error happened, please check the error details.","details":[{"code":"InternalOperationError","message":"Internal error occurred. This is a generic error. To identify possible causes, go to"}]}]}}",

my json

    "type": "Microsoft.VirtualMachineImages/imageTemplates",
    "apiVersion": ""2020-02-14"",
    "location": "westus2",
    "dependsOn": [],
    "tags": {
        "imagebuilderTemplate": "ubuntu1804",
        "userIdentity": "enabled"
        "identity": {
            "type": "UserAssigned",
                    "userAssignedIdentities": {
                        "/subscriptions/<subId>/resourcegroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/azureimagebuilder": {}
    "properties": {

        "buildTimeoutInMinutes" : 80,
            "vmSize": "Standard_D1_v2",
            "osDiskSizeGB": 40

        "source": {
            "type": "PlatformImage",
                "publisher": "Canonical",
                "offer": "UbuntuServer",
                "sku": "18.04-LTS", 
                "version": "18.04.201903060"
        "customize": [
                "type": "Shell",
                "name": "RunScriptFromSource",
                "scriptUri": ""

                "type": "Shell",
                "name": "CheckSumCompareShellScript",
                "scriptUri": "",
                "sha256Checksum": "ade4c5214c3c675e92c66e2d067a870c5b81b9844b3de3cc72c49ff36425fc93"
                "type": "File",
                "name": "downloadBuildArtifacts",
                "sourceUri": "",

                "type": "Shell",
                "name": "setupBuildPath",
                "inline": [
                    "sudo mkdir /buildArtifacts",
                    "sudo cp /tmp/index.html /buildArtifacts/index.html"

                "type": "Shell",
                "name": "InstallUpgrades",
                "inline": [
                    "sudo apt install unattended-upgrades"

                {   "type":"ManagedImage",
                    "imageId": "/subscriptions/<subsctID>/resourceGroups/<RG>/providers/Microsoft.Compute/images/shouldwork",
                    "location": "westus",
                    "runOutputName": "shouldwork",
                    "artifactTags": {
                        "source": "azVmImageBuilder",
                        "baseosimg": "ubuntu1804"

Permission issue not covered by troubleshooting section.

When I run the example(I missed the role assignment part), I got the below error. After contacting with Azure help desk, I found that the client object ID mentioned ending with d911 is actually the Azure VirtualMachine Image Builder app's principle ID.

After seeing this error, I have successfully created my custom image by adding creating role assignment for this id to my resource group then try again.

So I think the principle ID of image builder app might have changed?

Deployment failed. Correlation ID: 2354bbd8-1d32-4d43-8106-bfad77f2d8b7. Failed in distributing 1 images out of total 1: 
{[Error 0] [Distribute 0] Error publishing VHD to managed image:/subscriptions/********/resourceGroups/********/providers/Microsoft.Compute/images/********, 
Error: Creating image from VHD 'https://****************.vhd' [with 10 retries] reported non-success status 
(Timedout [compute.ImagesClient#Delete: Failure sending request: 
StatusCode=403 -- 
Original Error: Code="AuthorizationFailed" 
Message="The client '53c21081-626a-4ba0-9b76-ff5739b2d911' with object id '53c21081-626a-4ba0-9b76-ff5739b2d911' does not have authorization to perform action 'Microsoft.Compute/images/delete' over scope '/subscriptions/********/resourceGroups/********/providers/Microsoft.Compute/images/********' or the scope is invalid. 
If access was recently granted, please refresh your credentials."])}

Also, try to create role assignment with the xx6dfc mentioned in this repo's doc will get a result returned by azure that contains a principle ID of xxd911, this is strange. I can only guess that xx6dfc was replaced by xxd911.

az role assignment create --assignee cf32a0cc-373c-47c9-9156-0db11f6a6dfc  --role Contributor --scope /subscriptions/********/resourceGroups/********
  "canDelegate": null,
  "id": "/subscriptions/********/resourceGroups/********/providers/Microsoft.Authorization/roleAssignments/ae5d9fe7-68f6-4b5f-9985-6097a61ab3bb",
  "name": "ae5d9fe7-68f6-4b5f-9985-6097a61ab3bb",
  "principalId": "53c21081-626a-4ba0-9b76-ff5739b2d911",
  "principalType": "ServicePrincipal",
  "resourceGroup": "svpc_image_rg",
  "roleDefinitionId": "/subscriptions/********/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "scope": "/subscriptions/********/resourceGroups/********",
  "type": "Microsoft.Authorization/roleAssignments"

Updates to ./quickquickstarts/0_Creating_a_Custom_Windows_Managed_Image/

Running through samples (great work by the way), and found some typo's in executing some of the steps in "Create a Custom Windows Image from an Azure Platform Vanilla OS Image"

Revised lines below, or have updated copy in a fork or I can submit a pull request, whichever method preferred.

Step 2 : Modify HelloImage Example

curl -o helloImageTemplateWin.json

Step 3 : Create the Image

az resource create \
    --resource-group $imageResourceGroup \
    --properties @helloImageTemplateWin.json \
    --is-full-object \
    --resource-type Microsoft.VirtualMachineImages/imageTemplates \
    -n helloImageTemplateWin02
az resource invoke-action \
     --resource-group $imageResourceGroup \
     --resource-type  Microsoft.VirtualMachineImages/imageTemplates \
     -n helloImageTemplateWin02 \
     --action Run 

Clean Up

az resource delete \
    --resource-group $imageResourceGroup \
    --resource-type Microsoft.VirtualMachineImages/imageTemplates \
    -n helloImageTemplateWin02

Next Steps

If you loved or hated Image Builder, please go to next steps to leave feedback, contact dev team, more documentation, or try more examples [here](../]

I would like to use an existing SQL server image as the base image

I'm able to specify a different source (see below excerpt) as the base image. However, I would like to customize the base image to enable certain features. For example, I want to allow SQL authentication and create an SA account. How can I accomplish this?

       "source": {
            "type": "PlatformImage",
            "publisher": "MicrosoftSQLServer",
            "offer": "sql2019-ws2019",
            "sku": "sqldev",
            "version": "15.0.200114"

Azure VM Builder fails for Windows image build when using User Identity

Thanks for the sample for using azure VM image builder. I tried few of them and it worked for me.. I am facing problem when using User identity while building windows 2019 image. I tried with various 2019 version from Marketplace but no luck. Also, Windows Update goes into infinite loop with RPC communication failure.

Here is what i am trying to do with your existing template:
Stage file from storage container to VM drive and have noticed the entire packer process crashes when trying to build image at the very end after waiting for hour. Also, when I use windows-update, RPC communication fails. I noticed this when using user identity.

Do you have some samples for Windows 2016 or 2019 image build using user identity?

Here are the sample i am trying to use in customize?

                        "type": "PowerShell",
                        "name": "buildArtifactsdir",
                        "runElevated": false,
                        "inline": [
                            "mkdir c:\\buildArtifacts"
                        "type": "File",
                        "name": "postConfig",
                        "sourceUri": "",
                        "destination": "c:\\buildArtifacts\\win2019.ps1"

Access denied with inline powershell

The source Image is 20h1 Multi-user from the azure gallery.

                    "type": "PowerShell",
                    "name": "RSAT",
                    "inline": [
                        "Get-WindowsCapability -Online |where Name -like rsat.* | Add-WindowsCapability -Online",
                        "Enable-WindowsOptionalFeature -Online -FeatureName  Microsoft-Hyper-V-Management-PowerShell -all"

give me the error

[b3a6c657-91b6-4bad-a395-24b80f735fb3] PACKER OUT ==> azure-arm: Add-WindowsCapability : Access is denied.
[b3a6c657-91b6-4bad-a395-24b80f735fb3] PACKER OUT ==> azure-arm: At C:\Windows\Temp\script-5eff3928-bf58-637e-f14f-4c41596bf9d8.ps1:1 char:58
[b3a6c657-91b6-4bad-a395-24b80f735fb3] PACKER OUT ==> azure-arm: + ... lity -Online |where Name -like rsat.* | Add-WindowsCapability -Online
[b3a6c657-91b6-4bad-a395-24b80f735fb3] PACKER OUT ==> azure-arm: +                                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

resource type 'imageTemplates

When revisiting this after some time, to see if progress had been made, we are receiving the issue below :-

[error]Error: put template call failed for template t_1583248310130 with error: The subscription is not registered for the resource type 'imageTemplates'. Please check that the resource type exists and re-register for this provider in order to have access to this resource type. (CODE: 409)

Azure Image Builder Public Docs Examples

Some of the Azure Docs examples are broken, this because the backend templates in this repo have been updated, and using "identity", the Azure docs are being updated now, apologies.

Note, these GitHub docs were updated to support "identity".

Run Elevated Commands Hang on some Win10 SKUs

We are finding that image builder builds are hanging when configuring rs5-enterprisen sku and rs5-pro sku, this is when the PowerShell customizer is running commands as an elevated user, in my repro, just creating directories. This does not happen with rs5-evd.

We are investigating what is happening here.

customize inline scripts do not get executed!


I am trying the example on


the release pipeline Succeeded, then vm image is created, files are baked in but looks like the PowerShell-customize inline scripts do not get executed at all!

am i missing some step?

any help will be very much appreciated.

Thank you and regards

AIB is failing with error "Failed in customizing image"

Full Error Message:
Deployment failed. Correlation ID: ba81a3e2-119e-4992-bd4a-95281cb5d177. Failed in building/customizing image: Failed in customizing image: Failed while waiting for packerizer: Microservice has failed: Failed while processing request: Error when executing packerizer: Packer build command has failed: exit status 1. During the image build, a failure has occurred, please review the build log to identify which build/customization step failed. For more troubleshooting steps go to Image Build log location:*************************/customization.log. OperationId: 019d793b-66fc-480f-9b5f-6de798958520. Use this operationId to search packer logs.

In the customization.log file i see below error:

[019d793b-66fc-480f-9b5f-6de798958520] PACKER OUT ==> azure-arm: ERROR: -> InvalidTemplateDeployment : The template deployment failed because of policy violation. Please see details for more information.
[019d793b-66fc-480f-9b5f-6de798958520] PACKER ERR 2019/11/06 08:38:20 packer: 2019/11/06 08:38:20 Packer config: &{DisableCheckpoint:false DisableCheckpointSignature:false PluginMinPort:10000 PluginMaxPort:25000 Builders:map[] PostProcessors:map[] Provisioners:map[]}

i have provide Image builder as contributor role to the resource group. please suggest

Temporary Image Builder Outage

Image build is not available in any region currently, from 10am 1/31 Pacific, team working to resolve, see here and teams channel for updates.

Principal cf32a0cc373c47c991560db11f6a6dfc

when I run the following, it come back with the return error , I have verified all resource providers are registered and the AZ module is the latest, please assist

Returned error
New-AzRoleAssignment : Principal cf32a0cc373c47c991560db11f6a6dfc does not exist in the directory f32b97f0-efb8-4bc3-91ee-18a6e5f635c9.

Command executed
PS C:\GitHub\AIS\AFC> New-AzRoleAssignment `

-ObjectId cf32a0cc-373c-47c9-9156-0db11f6a6dfc -Scope /subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup
-RoleDefinitionName Contributor

Feature Request: Add support to Compact VHD image

I am considering using Azure Image Builder to build images that can be used both in Azure and on-premise. However the generated VHD physical size is large, as it is a fully expanded disk image. This means effectively downloading a large file (e.g. 127gb) from the internet which is mostly unused space.

It would be great if we could have an added property to the "VHD" distribute type that runs the "Compact" operation if set to true, so that the generated VHD is significantly smaller for download.

So for example the VHD distribute section of the AIB ARM template might look like:

        "type": "VHD",
        "runOutputName": "aibTemplate",
        "compact": true

The Powershell commands required to compact a VHD are:

Mount-VHD .\aibImage.vhd -ReadOnly
Optimize-VHD .\aibImage.vhd -Mode Pretrimmed
Dismount-VHD .\aibImage.vhd

# Pretrimmed: Utilizes information from the trim/unmap commands to detect unused blocks.
# Does not look for empty blocks and does not query the contained file system for unused blocks.

This site contains a nice powershell function to do this.

Many thanks

The image does not support AAD login

Hi @danielsollondon,
I was checking AAD login option by creating VM from the win 2019 image built using image builder and I see the warning message "This image does not support Login with AAD." As per the MS docs, AAD login is supported for windows 2019 data center edition:

I noticed the same warning message for Rhel 7..
Is this a bug? Can you please check this by creating VM from 2019 datacenter image from your side?

Create a custom RHEL image using a RHEL ISO


I would like to create image with RHEL7.5, template that previously worked, but I got error in CLI:
Deployment failed. Correlation ID: 22bfe2f3-5aa7-4aa8-9d25-f9f78c50fedf. Failed in building/customizing image: Failed in customizing image: Failed while waiting for packerizer: Microservice has failed: Failed while processing request: Error when executing packerizer: Packer build command has failed: exit status 1. During the image build, a failure has occurred, please review the build log to identify which build/customization step failed. For more troubleshooting steps go to Image Build log location: OperationId: a7623644-74cb-4c88-b8c5-88c2b3386080. Use this operationId to search packer logs.

In customization.log, I found some errors:
[a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER OUT ==> azure-arm: -> image : '' [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER OUT ==> azure-arm: Error deleting resource. Please delete manually. [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER ERR 2019/09/22 22:10:00 ui error: ==> azure-arm: Error deleting resource. Please delete manually. [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER OUT ==> azure-arm: [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER ERR ==> azure-arm: [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER OUT ==> azure-arm: Name: [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER ERR ==> azure-arm: Name: [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER OUT ==> azure-arm: Error: storage: service returned error: StatusCode=404, ErrorCode=BlobNotFound, ErrorMessage=The specified blob does not exist. [a7623644-74cb-4c88-b8c5-88c2b3386080] PACKER ERR ==> azure-arm: Error: storage: service returned error: StatusCode=404, ErrorCode=BlobNotFound, ErrorMessage=The specified blob does not exist.

Example my properties:

parameters and powershell provisioner

was wondering if the Azure image builder PowerShell provisioner provides the means to inject 'parameters' to further use in the scripts.

In packer one can use environment vars to inject values before script execution.

I did not find any example in the repo or in the docs online.

The following ARM template provides a workaround, but this isn't suitable when using a script ref?

could you provide any guidance?


Virtual network parameters/properties for AIB template

Hi Daniel,

I am trying to use an existing virtual network rather than setup a new when creating my image template, but am unsure of the network parameter/property names to use in my template file.

For example, when creating a template with packer, I use the following parameter names under builders:


Do you happen to know the equivalent parameter names to use under properties in an AIB template file?

Any help would be gratefully appreciated.

Thanks in advance for your support,




This is the error i'm getting on starting the image build for Create a Windows Custom Image from an Azure Platform Vanilla OS Image

Unable to distribute to European regions

I have attempted to distribute a Windows Image which has been heavily customised (customisation takes about 2 hours). I have attempted to distribute via both a Managed Image and a Shared Image Gallery, I am using West US for the build process (as it is not available in the EU yet) but I need the images available in North Europe for deployment.

Managed Image


{ "type": "ManagedImage", "imageId": "[concat(subscription().id,'/resourceGroups/',parameters('imageGalleryResourceGroup'),'/providers/Microsoft.Compute/images/',parameters('imageTemplateName'))]", "location": "[resourceGroup().location]", "runOutputName": "[concat('MI-',parameters('imageTemplateName'))]", "artifactTags": { "source": "azVmImageBuilder", "baseosimg": "[concat('Windows10EVD',parameters('OSVersion'))]" } }


"statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceOperationFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"InternalOperationError\",\"message\":\"Failed in distributing 1 images out of total 1: {[Error 0] [Distribute 0] Error copying VHD blob to 'northeurope': Failed while waiting for blob copy: Error getting blob copy status: Failed executing Get Blob Properties request: Head context deadline exceeded}\"}]}}"

Shared Image Gallery


{ "type": "SharedImage", "galleryImageId": "[concat(subscription().id,'/resourceGroups/',parameters('imageGalleryResourceGroup'),'/providers/Microsoft.Compute/galleries/',parameters('imageGalleryName'),'/images/',parameters('imageTemplateName'))]", "location": "[resourceGroup().location]", "runOutputName": "[concat('SIG-',parameters('imageTemplateName'))]", "artifactTags": { "source": "azVmImageBuilder", "baseosimg": "[concat('Windows10EVD',parameters('OSVersion'))]" }, "replicationRegions": [ "[resourceGroup().location]" ] }


Unable permission denied when attempting to access the Gallery Image despite adding owner rights to the Managed Identity

Any thoughts or suggestions would be appreciated

Unable to delete imageTemplate

Don't know if the is the correct place to put this. I've been trying to use the imageBuilder. I've written a script based on your quick quickStarts. I am trying to delete the created imageTemplate but it refuses. There are no other resources other than his template and resource group.

Remove-AzResource : {
  "code": "OperationNotAllowed",
  "message": "Operation 'Microsoft.VirtualMachineImages/imageTemplates/delete' is not allowed in provisioningState: 'provisioned', runState: 'running'"
CorrelationId: {redacted}
At line:1 char:1
+ Remove-AzResource -ResourceId "/subscriptions/{redacted} ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Remove-AzResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.RemoveAzureResourceCmdlet

Builds failing when MSI to authenticate with Azure Storage

If you are using managed identity to access azure storage (similar to this Quickstart) we have an issue with the service that is causing builds to fail, this is agnostic of source OS.

I will test, and update the docs, please give me 24hrs.

Apologies for the inconvenience here.


File customizer not placing file at destination path.

I am using multiple File customizer to place certain artifacts on the image.
But once i create a VM from created image, I could not find the artifact at destination location.
"type": "File",
"name": "downloadBuildArtifacts",
"sourceUri": "",
"type": "File",
"name": "sparkArtifact",
"sourceUri": "",

Update Time Zone

We have tried a few ways to update the timezone, but it keeps defaulting back to UTC.
We even tried the following customizer.

“type”: “PowerShell”,
“name”: “settingUpMgmtAgtPath”,
“runElevated”: true,
“inline”: [
“mkdir c:\buildActions1”,
“Set-TimeZone -Id ‘US Mountain Standard Time’“,
“echo Azure-Image-Builder-Was-Here > c:\buildActions1\buildActionsOutput.txt”

Service principle not in subscription

I get this error trying to setup our tenant.

New-AzRoleAssignment: Principal ef5111396170438ea6e1763dc31bdf74 does not exist in the directory

I get the feeling I'm missing some pre-req not in the docs

Build resource group

Due to limited permission, can't create new Resource group while building image.
how can use - build_resource_group_name as we can use in packer ?

QuickStarts Failing with: A role definition cannot be updated with a name that already exists.

After creating more samples, running the code in AZ CLI or AZ PS quick starts, when you create the role definition fails:
A role definition cannot be updated with a name that already exists.

Even if you try to delete it, or assign it, it fails, it is suspected (not confined yet) this is because it may already exist in the AD tenant, because another user in your organization has created it, but not deleted it.

I will be updating the samples to ensure role definition names are unique. If you encounter this now, just edit the role definition. We have planned to release public Azure VM Image Builder Roles.

27th May 2020 Update - NEW API VERSION ‘2020-02-14’

In preparation for GA, the AIB team is now releasing more features, starting with a new API version.

Actions Required
Please review the documentation for the latest API version, and take action for these breaking changes:

  1. identity is a mandatory requirement, please review the May Service Update document, on how to add this to your templates.
  2. vnetConfig - this specification is changing, from providing, name, subnetName, resourceGroupName to just subnetId, you will need to update you JSON template and create a new AIB template.
  3. Review steps for operating and maintaining image templates created with the previous API version, and what will happen with new templates created.

For details see here

• What about the AIB Azure DevOps? - The DevOps task is hard coded to use an API version, this will be updated, but continue to work without interuption.
• When will we announce the new functionality? - The new features will be documented by 28th May
• Can I use existing documentation? - Yes, examples that have breaking changes will be updated.

Add AIB to Trusted Microsoft Services

I would like to let AIB use files which are currently access limited via the Azure Storage Firewall. This has an option for Microsoft Trusted services to bypass the firewall to continue to work as expected however AIB isn't on this list. Would it be possible to add AIB to this list of trusted services?

Quickstart is broken: following the "existingVNETWindows" tutorial, the image never builds

Following your quickstart documentation, I made the necessary modifications to the scripts to use my existing vnet name etc, but every time I get to the "Build the image" step (where you're supposed to run Invoke-AzResourceAction) it always fails to build.

If I try to proceed to the VM deployment step anyways, it fails there too, indicating that the image is definitely not getting built successfully.

I'm running this in a Trial Azure subscription. I can provide all my source code (modified copies of the scripts from the quickstart), just let me know what's needed.

Can I use this to build a vmware image?

I currently have a packer file configured to build a vmware image (vmx) using the vmware-iso builder Will the Azure Image Builder work with this?

In addition, I am using the windows-update provisioner found at Is there a way to add custom provisioners to the Azure Image Builder?

Here is my packer.json:

  "builders": [{
    "type": "vmware-iso",
    "vm_name": "{{ user `vm_name` }}",
    "vmdk_name": "{{ user `vm_name` }}",
    "output_directory": "{{ user `output_directory`}}",
    "iso_url": "{{ user `iso_url` }}",
    "iso_checksum": "{{user `iso_checksum`}}",
    "iso_checksum_type": "{{ user `iso_checksum_type` }}",
    "communicator": "winrm",
    "winrm_username": "administrator",
    "winrm_password": "password",
    "winrm_timeout": "12h",
    "winrm_port": "5985",
    "vnc_port_min": 5900,
    "vnc_port_max": 5980,
    "shutdown_command": "a:/Start-Shutdown.bat",
    "shutdown_timeout": "15m",
    "headless": "{{ user `vmWareBuilder_headless` }}",
    "guest_os_type": "{{ user `guest_os_type` }}",
    "disk_size": "50000",
    "keep_registered": false,
    "skip_validate_credentials": true,
    "version": "14",
    "floppy_files": [
    "floppy_dirs": [
    "network": "{{ user `vmWareBuilder_network` }}",
    "cpus": 2,
    "memory": 4096,
    "boot_wait": "10s",
    "vmx_data": {
      "scsi0.virtualDev": "pvscsi",
      "annotation": "{{ user `vmWareBuilder_annotation` }}"
  "provisioners": [{
    "type": "powershell",
    "elevated_user": "Administrator",
    "elevated_password": "password",
    "script": "./extra/scripts/disable-windows-updates.ps1"
      "type": "windows-restart"
      "type": "windows-update",
      "filters": [
          "include:$_.Title -like '*Servicing Stack Update for Windows*'"
      "type": "windows-update"
      "type": "powershell",
      "inline": [
        "Write-Output Phase-5-Deprovisioning",
        "if( Test-Path $Env:SystemRoot\\windows\\system32\\Sysprep\\unattend.xml ){ rm $Env:SystemRoot\\windows\\system32\\Sysprep\\unattend.xml -Force}"
      "type": "windows-restart",
      "restart_timeout": "2h",
      "pause_before": "30s",
      "restart_check_command": "powershell -command \"& {Write-Output 'restarted.'}\""

SysPrep failing on 2019

This is a new issue, but the deprovisioning script appears to be a constant loop.

[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm: At C:\DeprovisioningScript.ps1:3 char:9
[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm: + while ((Get-Service WindowsAzureTelemetryService).Status -ne 'Running ...
[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm: + CategoryInfo : ObjectNotFound: (WindowsAzureTelemetryService:String) [Get-Service], ServiceCommandExcep
[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm: tion
[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm: + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand
[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm:
[d50d81fb-d7cd-4094-9715-e11e39eda8ef] PACKER OUT ==> azure-arm: Get-Service : Cannot find any service with service name 'WindowsAzureTelemetryService'.

400 The SSL Certificate Error

Receiving this error when trying to deploy a AIB Template......this was working without issue last week. Any ideas? Nothing else to go on.

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see for usage details.","details":[{"code":"BadRequest","message":"{\r\n "error": {\r\n "code": "BadRequest",\r\n "message": "\r\n<title>400 The SSL certificate error</title>\r\n<body bgcolor=\"white\">\r\n

400 Bad Request

\r\nThe SSL certificate error\r\n
nginx\r\n\r\n\r\n"\r\n }\r\n}"}]}


Quota limit of standardDv2 family hit using Azure Image Builder


It looks like some part of the packaging process tries to spin up a Dv2 family VM.

Right now I'm at my max quota for this - I know how to request an increase in quota.

What I'd like to know is where in the process is the Dv2 being called and is there a configuration option to specify a different VM class.


fddf68f1-6605-432d-9e8f-abf25c3f8059] PACKER ERR 2019/10/08 20:42:05 packer: 2019/10/08 20:42:05 Azure response status="400 Bad Request" method="POST"  
body="{\"error\":{\"code\":\"InvalidTemplateDeployment\",\"message\":\"The template deployment 'pkrdpyew5c23775' is not valid according to the validation procedure. The tracking id is 'a5935223-a591-4e73-b9db-5a1aefc6e9d2'. See inner errors for details.\",
\"details\":[{\"code\":\"QuotaExceeded\",\"message\":\"The operation couldn't be completed as it results in exceeding quota limit of standardDv2Family Cores. Maximum allowed: 10, Current in use: 22, Additional requested: 1. Read more about quota limits at
  • Jack

Add possibility to set the image version name when distributing to Azure Shared Gallery

Hello, I'm distributing from Image Builder to a Shared Image Gallery. The Image name seems is not possible to be set. Currently, the image is named with something like "0.24254.42935" or "0.24254.53522".
To have proper versioning, it is needed to be able to set the name, so to name each version like "0.0.1".
I have checked the latest version of the schema here ( but also there I do not see a way, inside the "SharedImage" item of the "distribute" section, a property to set to configure this value.

Here an example of the bad naming on how images end up inside the Image definition.


Windows Update does not work in devops

customization 5.log
I created a project in devops and use the image builder agent task to integrate with azure image builder. The project works fine with the Windows10-Ehv master image. But when I tick the windows update checkbox the build fails with a timeout. Tried multiple times but that checkbox makes it fail.

