Windows 11 24H2 26100.1150 SysPrep /generalize breaks BitLocker functionality

Question

Windows 11 24H2 26100.1150 SysPrep /generalize breaks BitLocker functionality

Krzysztof Gajda 60

I'm using SysPrep for years, currently with Windows 10 22H2 19045.4529 and Windows 11 23H2 22631.3737 I have no problems at all.

Today I've tried to prepare deploy image using Windows 11 24H2 26100.1150.

Steps:

Start fresh install of Windows 11 24H2 26100.1150. then enter in audit mode (CTRL+SHIFT+F3)
do things (Firefox, Thunderbird, some tweaking etc)
run sysprep /oobe /generalize /shutdown
capture the image, deploy to test device

System boots ok, WU works well (updates and drivers), then I've enable BitLocker then reboot and Windows was unable to boot (system repair starts)

I've tried the same steps 1-4 using Windows 11 23H2 22631.3737 iso image and after enabling BitLocker I did restart and everything works fine (Windows boot normally)

Next I went back to fresh instance Windows 11 24H2 26100.1150 and after audit I did 1-4 steps, but in 3rd step sysprep without "/generalize" (sysprep /oobe /shutdown) and I repeated test (enabling BitLocker in deployed image) and this time Windows 11 24H2 boots normally, but SID of this instance remains unchanged (lack of /generalize step).

I think that there is a bug in sysprep generalize step in 24H2 26100.1150 regards bitlocker subsystem (the /generalize step did something that render bitlocker unusable)

Regards

Chris

Zhong, Benjamin 0 Reputation points

2024-10-08T17:57:52.6933333+00:00

Using the official release Win11 24H2, sysprep works OK on my image which does not have Bitlocker enabled. However, it has the same boot error after we do pre-provisioning and reseal when we enroll the PCs into Intune using AutoPilot.
MP 0 Reputation points

2024-10-16T09:24:55.6933333+00:00

I'm also getting this issue. Does anyone from Microsoft have an ETA for a fix for this? Using Windows 11 24H2 Version 10.0.26100.2033.
Jacob N. Miller 15 Reputation points

2024-11-21T16:38:38.1866667+00:00

I am still seeing this issue now in NOV. from the latest media creation tool build of 24H2. Is there any Microsoft blog or channel or change log we can keep and eye on for new point versions of 24H2 to see if and when this might have been addressed?
DHC3Pilot 10 Reputation points

2024-11-26T14:39:20.5466667+00:00

As of Nov.26th problem still persists - 24H2 version 26100.2454. The solution below (Accepted answer) resolves the issue, but MS still has not addressed the root cause.
Steven Hanley 5 Reputation points

2025-03-07T18:45:19.7433333+00:00

It is March 2025 and I still have this issue with 24H2. @Microsoft is there any patch for this yet?
Jacob N. Miller 15 Reputation points

2025-05-28T17:50:30.72+00:00

Does anyone know if this has been addressed in any subsequent releases of 24H2? It has been about 11 months since this was reported.

Accepted answer

3 additional answers

Your answer

Zhong, Benjamin 0 Reputation points

2024-10-08T17:57:52.6933333+00:00

Using the official release Win11 24H2, sysprep works OK on my image which does not have Bitlocker enabled. However, it has the same boot error after we do pre-provisioning and reseal when we enroll the PCs into Intune using AutoPilot.
MP 0 Reputation points

2024-10-16T09:24:55.6933333+00:00

I'm also getting this issue. Does anyone from Microsoft have an ETA for a fix for this? Using Windows 11 24H2 Version 10.0.26100.2033.
Jacob N. Miller 15 Reputation points

2024-11-21T16:38:38.1866667+00:00

I am still seeing this issue now in NOV. from the latest media creation tool build of 24H2. Is there any Microsoft blog or channel or change log we can keep and eye on for new point versions of 24H2 to see if and when this might have been addressed?
DHC3Pilot 10 Reputation points

2024-11-26T14:39:20.5466667+00:00

As of Nov.26th problem still persists - 24H2 version 26100.2454. The solution below (Accepted answer) resolves the issue, but MS still has not addressed the root cause.
Steven Hanley 5 Reputation points

2025-03-07T18:45:19.7433333+00:00

It is March 2025 and I still have this issue with 24H2. @Microsoft is there any patch for this yet?
Jacob N. Miller 15 Reputation points

2025-05-28T17:50:30.72+00:00

Does anyone know if this has been addressed in any subsequent releases of 24H2? It has been about 11 months since this was reported.

Answer 1

Anonymous

Found the same issue but I have a workaround. There is an issue with the BCD configuration.

After the Sysprep, I've added these 3 lines in the script WINDIR%\Setup\Scripts\SetupComplete.cmd :

bcdedit -set {current} osdevice partition=C:
bcdedit -set {current} device partition=C:
bcdedit -set {memdiag} device partition=\Device\HarddiskVolume1

Of course, the lines can be a bit different depending on your disk configuration.

This leaves me with a strong impression that this version of Win 11 has not been tested properly.

Krzysztof Gajda 60 Reputation points

2024-07-30T18:15:57.2833333+00:00

Ok. I will try Your solution, using the "RunSynchronousCommand" in unattended.xml, but I share Your point of view, that this version of W11 has some weird bugs, that QC team didn't catch (or they didn't aware).
Krzysztof Gajda 60 Reputation points

2024-08-02T21:28:12.0966667+00:00
It works!

Only these two are needed:

bcdedit -set {current} osdevice partition=C:

bcdedit -set {current} device partition=C:

The "after sysprep" bad settings are:

device locate=\WINDOWS\system32\winload.efi

osdevice locate=\WINDOWS

which should be both pointing to "partition=C:"

device partition=C:

osdevice partition=C:
Paul Cormier 5 Reputation points

2024-10-10T20:12:00.2866667+00:00

I just wanted to thank you for this post. I have wasted several days trying to get to the bottom of why any machine I apply this latest image to ends up in recovery mode the first reboot after enabling BitLocker. I owe you the proverbial beer. Thanks so much for posting.
Jeroen Houben 0 Reputation points

2024-10-17T08:28:40.7+00:00

This is a life saver. Thanks so much!!!!!!!
Juan Carlos Linares 0 Reputation points

2024-10-18T03:31:44.2966667+00:00

could you help me how to build the file "SetupComplete.cmd" with only the two lines:
bcdedit -set {current} osdevice partition=C:

bcdedit -set {current} device partition=C:

and make it run after "sysprep" ??

Krzysztof Gajda 60

IMHO better is to edit unattend.xml, then go to "specialize" section and insert
"RunSynchronous" like this:

`<settings pass="specialize">
		<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <RunSynchronous>
             <RunSynchronousCommand wcm:action="add">
               <Description>BCD fix 1</Description>
               <Order>1</Order>
               <Path>bcdedit -set {current} osdevice partition=C:</Path>
             </RunSynchronousCommand>
             <RunSynchronousCommand wcm:action="add">
               <Description>BCD fix 2</Description>
               <Order>2</Order>
               <Path>bcdedit -set {current} device partition=C:</Path>
             </RunSynchronousCommand>
           </RunSynchronous>
</settings>`

Gary Mansell 25 Reputation points

2025-02-13T11:38:13.5466667+00:00

I also am suffering from this issue with my Azure VM Master Image. I can't find an unattend.xml file in my Windows folders. Do I need to create this unattend.xml file (if so where, and does anything else need to be in it)?

Answer 2

Tomasi Jürgen - ZID 25

I had the same problem with build 2605 (Windows 11 Enterprise LTSC 2024 / 24H2). BSOD after sysprep /generalize /oobe. Because the solution above did not work for me, i fully disabled Bitlocker before sysprep - i added the following lines in my RunSysprep.cmd for automation:

 net stop bdesvc

 sc config BDESVC start=disabled

After this change a reboot without BSOD was possible. After deployment i re-enabled the bitlocker service in the startup phase.

toby33 21 Reputation points

2025-01-17T23:08:51.03+00:00

This is the more elegant and straightforward approach anyway, IMO.

In my case, it took a while to even narrow down the cause as sysprep.

As an interesting aside, it is possible to recover from it the first boot by entering the SRE CLI and using manage-bde to unlock the drive with the key and disable bitlocker.

You will then be able to boot.

However, if you re-enable bitlocker after that, the BSOD will occur again and somehow break the SRE to the point that even booting from install media won't get you back to the CLI.

Pretty wild bug.

Answer 3

I was also bothered by this problem, but I solved it.

I verified it with Windows 11 Enterprise LTSC 2024, but I hope it is also solved for normal Win11 24H2.

Install LTSC 2024 (or 24H2) from ISO on a Hyper-V VM.
Enter audit mode.
Then apply the June 2025 cumulative update KB5060842 (OS Build 26100.4349) through Windows Update.
Run Sysprep (with "Generalize" checked).
When you boot the generalized image, the BCD configuration remains normal ("device partition=C:").
After enabling BitLocker, I was able to confirm that Windows boots normally when rebooted.

The "Improvements" section of the release notes for the May 2025 preview update KB5058499 (OS Build 26100.4202) states that another issue with BitLocker has been resolved. Perhaps this issue with Sysprep and BitLocker has also been indirectly resolved.

May 28, 2025—KB5058499 (OS Build 26100.4202) Preview

However, if you have already generalized an image that does not have the June 2025 update applied and deployed it to a device, you should be careful. Even if you later apply the June 2025 update on that device, it does not seem to fix the BCD configuration.

In that case, you'll need to manually fix the BCD configuration, or apply the June 2025 or later updates to your golden image, then run Sysprep and redeploy the image to the device. Then you can enable BitLocker as usual.

Run Sysprep before the update:

C:\Users\Administrator>ver
Microsoft Windows [Version 10.0.26100.1742]
C:\Users\Administrator>bcdedit /enum
Windows Boot Manager
--------------------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  ja-JP
inherit                 {globalsettings}
default                 {current}
resumeobject            {551382cf-46bf-11f0-b916-b12fc3d99bac}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
Windows Boot Loader
--------------------------------
identifier              {current}
device                  locate=\WINDOWS\system32\winload.efi
path                    \WINDOWS\system32\winload.efi
description             Windows 11
locale                  ja-JP
inherit                 {bootloadersettings}
recoverysequence        {551382d3-46bf-11f0-b916-b12fc3d99bac}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                locate=\WINDOWS
systemroot              \WINDOWS
resumeobject            {551382cf-46bf-11f0-b916-b12fc3d99bac}
nx                      OptIn
bootmenupolicy          Standard

Run Sysprep after the update:

C:\Windows\System32>ver
Microsoft Windows [Version 10.0.26100.4349]
C:\Windows\System32>bcdedit /enum
Windows Boot Manager
--------------------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  ja-JP
inherit                 {globalsettings}
isolatedcontext         Yes
default                 {current}
resumeobject            {8663d6ed-469e-11f0-b76d-00155d0bfe17}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
Windows Boot Loader
--------------------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 11
locale                  ja-JP
inherit                 {bootloadersettings}
recoverysequence        {8663d6f1-469e-11f0-b76d-00155d0bfe17}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {8663d6ed-469e-11f0-b76d-00155d0bfe17}
nx                      OptIn
bootmenupolicy          Standard

Answer 4

Михаил Глушко 0

Run CMD. Put command and reboot after

manage-bde -off C:

Share via

Windows 11 24H2 26100.1150 SysPrep /generalize breaks BitLocker functionality

3 additional answers

Your answer