Azure Image Builder with Azure Windows Baseline


This template creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied using the guest configuration feature of Azure Policy.

After the deployment completes, the build will still be running in Azure Image Gallery. To view the status, either open the image definition in the Azure portal or use a client such as PowerShell.

Get-AzGalleryImageVersion -ResourceGroupName '<myResourceGroup>' -GalleryName '<myGalleryName>' -GalleryImageDefinitionName 'Win2019_BaselineDefinition'

The object returned will have details about the current build. After the build finishes, the same command will provide details about which regions contain a replica of the build.

To deploy a custom virtual machine using the new image, after the build finishes, use the "Create VM" button on the image definition page of the Azure portal, or a client such as PowerShell.

$i = Get-AzGalleryImageDefinition -ResourceGroupName '<myResourceGroup>' -GalleryName '<myGalleryName>' -Name 'Win2019_BaselineDefinition'

# This command will prompt for username/password to use in the machine for a local admin account
New-AzVM -name '<myVMName>' -Image $i.Id


The following resources are created by this template:

  • 1 user-assigned managed identity for running a deployment script
  • 1 role definition and 1 role assignment to limit access of the new identity
  • 1 Azure Image Gallery with 1 image and 1 template
  • 1 deployment script to trigger the build of the custom image in Azure Image Builder
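
The role definition and role assignment in the list above exist to limit what the deployment-script identity can do, and that is worth confirming after deployment. The PowerShell check below is an added example, not part of the template; `<myIdentityName>` is a placeholder because this page does not name the identity, and the script assumes the Az.Resources and Az.ManagedIdentity modules and a signed-in session.

```powershell
# Added example, not part of the template. Values in <> are placeholders.
$rgName       = '<myResourceGroup>'
$identityName = '<myIdentityName>'   # assumption: the page does not name the identity

$rg       = Get-AzResourceGroup -Name $rgName -ErrorAction Stop
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $rgName -Name $identityName -ErrorAction Stop

# All role assignments held by the identity's service principal
$assignments = @(Get-AzRoleAssignment -ObjectId $identity.PrincipalId)
if ($assignments.Count -eq 0) { Write-Warning 'No role assignments found for this identity.' }

$report = @(foreach ($a in $assignments) {
    # RoleDefinitionId can be a bare GUID or a full resource ID; keep the GUID
    $roleGuid = ($a.RoleDefinitionId -split '/')[-1]
    $role     = Get-AzRoleDefinition -Id $roleGuid

    # In scope means the resource group itself or a resource inside it.
    # The trailing '/' stops a group named "rg" from matching "rg-prod".
    $inGroup = $a.Scope -ieq $rg.ResourceId -or
               $a.Scope.StartsWith("$($rg.ResourceId)/", [StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        Role            = $a.RoleDefinitionName
        IsCustom        = $role.IsCustom
        Scope           = $a.Scope
        WithinGroup     = $inGroup
        WildcardActions = @($role.Actions | Where-Object { $_ -match '\*' }) -join ', '
    }
})

$report | Format-Table -AutoSize -Wrap

# Flag anything broader than a custom role confined to the resource group
$broad = @($report | Where-Object { -not $_.WithinGroup -or -not $_.IsCustom })
if ($broad.Count -gt 0) {
    Write-Warning "$($broad.Count) assignment(s) are built-in roles or reach outside $rgName."
}
```

An empty `WildcardActions` column together with `WithinGroup = True` is the result consistent with an identity whose access has been limited; any wildcard entries deserve a look at the role definition itself.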

Tags: Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Authorization/roleDefinitions, customRole, Microsoft.Authorization/roleAssignments, Microsoft.Compute/galleries, Microsoft.Compute/galleries/images, Microsoft.VirtualMachineImages/imageTemplates, UserAssigned, PlatformImage, WindowsUpdate, PowerShell, SharedImage, Microsoft.Resources/deploymentScripts