Time out when creating Windows VM from an Image

Question

Time out when creating Windows VM from an Image

Handinata Tanudjaja 190

Hi everyone,

I have been having this same issue whenever I am trying to create a Windows VM from an image.
Here's the set up from the beginning (all of these creation reside in the same region)

Created a Windows VM with ADE where the OS disk got encrypted with my created Key Vault (no Key Encryption Key aka KEK). There's no data disk.
Other specs:
-VM size Standard B2ats v2 (2 vcpus, 1 GiB memory)
-No public Inbound Port.
-Private IP only.
-Premium SSD
Captured the OS disk snapshot with the following config:

Incremental snapshot
Platform-managed key as Key management
Disable public and private access as Network access

Created a Windows VM Image using the OS disk snapshot with the following config:

Encryption at-rest with a platform-managed key as SSE encryption type

Attempted to create a Windows VM from that VM Image using exactly the same specs like the original VM but always ended in an error.
Error message:
{"code":"OSProvisioningTimedOut","message":"OS Provisioning for VM 'VM-FromImg-0-4-12' did not finish in the allotted time. The VM may still finish provisioning successfully. Please check provisioning state later. Also, make sure the image has been properly prepared (generalized).\r\n * Instructions for Windows: https://learn.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image\r\n * Instructions for Linux: https://learn.microsoft.com/azure/virtual-machines/linux/create-upload-generic\r\n * If you are deploying more than 20 Virtual Machines concurrently, consider moving your custom image to shared image gallery. Please refer to https://aka.ms/movetosig for the same."}

Any idea why this is happening?
Also how to solve this?

Thank you very much!

Mounika Reddy Anumandla 3,995 Reputation points Microsoft External Staff

2025-04-14T02:26:08.54+00:00

Hi Handinata Tanudjaja,

A provisioning failure happens when the OS image fails to load either due to incorrect preparatory steps or because of selecting the wrong settings during the image capture from the portal.

Azure requires the image to be generalized when using it to create a new VM. Without generalization, the provisioning agent can’t complete its work (like setting up networking, hostnames, user credentials, etc.).https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/troubleshoot-deployment-new-vm-linux#why-do-provisioning-failures-occur

Windows
After you have run Sysprep on a VM, that VM is considered generalized and cannot be restarted. The process of generalizing a VM is not reversible. If you need to keep the original VM functioning, you should create a snapshot of the OS disk, create a VM from the snapshot, and then generalize that copy of the VM.

Sysprep requires the drives to be fully decrypted. If you have enabled encryption on your VM, disable encryption before you run Sysprep.

If you plan to run Sysprep before uploading your virtual hard disk (VHD) to Azure for the first time, make sure you have prepared your VM.

Also please note, Azure Disk Encryption does not work for the following scenarios, features, and technology:

Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs.

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#restrictions

If you're not tied to snapshots, you can create the image directly from the VM after generalizing: https://learn.microsoft.com/en-us/azure/virtual-machines/capture-image-portal

Let me know if you have any further queries!

If the comment is helpful, please click "upvote" to let us know!
Handinata Tanudjaja 190 Reputation points

2025-04-14T05:20:44.8233333+00:00

Hi @Mounika Reddy Anumandla ,
Thank you for the response.
I forgot to mention that this is for Windows VM.For the route I took in creating a VM image from a OS disk snapshot, there's no option whether it needs to generalized or specialized.
However the option to generalized or specialized is available when we are trying to create a VM image from a VM.

I think what you explained here is for capturing VM image from a VM but I am actually confused why it has to be generalized?
Why couldn't we do the specialized?

And thank you for pointing this out "Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs."
So with my situation, this means the snapshot I created from an encrypted OS disk will not be able to be used for new VMs.
Is this correct?

Thank you
Mounika Reddy Anumandla 3,995 Reputation points Microsoft External Staff

2025-04-14T07:40:32.81+00:00
Hi Handinata Tanudjaja,

Thank you for replying back to us!
Yes, you're correct, when you create an image directly from an OS disk snapshot, you do not have the option to specify whether it should be generalized or specialized. This is because the disk snapshot is just a backup of the disk, not a full image with VM-specific configurations.

Azure Disk Encryption for Windows virtual machines (VMs) use the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disk. Additionally, it provides encryption of the temporary disk when the VolumeType parameter is All.

Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. For an overview of the service, see Azure Disk Encryption for Windows VMs.

Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs. So, yes, you are correct: the snapshot you created from an encrypted OS disk will not be usable for deploying new VMs due to the encryption keys not being included in the snapshot. As per my understanding, that might be the reason provisioning fails.

To prepare a VM for creating a reusable image, you need to generalize it. This process removes machine-specific information, allowing the image to be used for deploying multiple VMs.https://docs.azure.cn/en-us/virtual-machines/vm-generalized-image-version?tabs=cli%2Ccli2

When you create a new VM from a specialized image, the new VM retains the computer name of the original VM. Other computer-specific information, like the CMID, is also kept. This duplicate information can cause issues.

"Why couldn't we just do specialized?"

You can, but only if:

You're not trying to scale or deploy to many instances

You're okay with identical system state and credentials

You're not using Azure Disk Encryption (ADE) — because encrypted disks can't be snapshotted or imaged for reuse even in specialized mode.

https://docs.azure.cn/en-us/virtual-machines/vm-specialized-image-version

Hope this helps!

Let me know if you have any further queries!
Handinata Tanudjaja 190 Reputation points

2025-04-14T15:38:28.09+00:00
Hi @Mounika Reddy Anumandla ,

Thank you very much! That's very helpful!
We do want to deploy many VMs using an image that we would like to create.

I would like to know your step by step instruction on how to make a generalized image route, here's our situation:

The VM we have is being used in production.

The OS disk is ADE encrypted.

How do we make a generalized image without making our production VM not functioning?
And we would like to avoid the OS disk from being decrypted when making a generalized image.

Thank you again!
Mounika Reddy Anumandla 3,995 Reputation points Microsoft External Staff

2025-04-15T07:07:57.61+00:00
Hi Handinata Tanudjaja,

As mentioned in Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows Azure Disk Encryption does not support the following scenarios:

Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs. You cannot create a deployable image directly from an ADE-encrypted OS disk. Here's a comparison of Disk Storage SSE, ADE, encryption at host, and Confidential disk encryption.
For full details,https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview

Hope it helps!
Handinata Tanudjaja 190 Reputation points

2025-04-15T14:36:23.1+00:00

Hi @Mounika Reddy Anumandla ,
Thank you for your response.
As you mentioned that we cannot create a deployable image directly from ADE-encrypted OS disk so how should we do it then?
Surely there's a way to create an image properly from a VM that has ADE-encrypted OS disk especially since this type of VM should be a common thing.

Thank you
Mounika Reddy Anumandla 3,995 Reputation points Microsoft External Staff

2025-04-17T02:36:34.9766667+00:00

Hi Handinata Tanudjaja,

Just checking in to see if you had a chance to review the response provided to your question.

Let me know if you have any further queries!

If the information is helpful, please click "upvote" to let us know.
Handinata Tanudjaja 190 Reputation points

2025-04-17T15:35:57.59+00:00

Thank you for your answer @Mounika Reddy Anumandla !
I upvoted your response.

1 answer

Your answer

Mounika Reddy Anumandla 3,995 Reputation points Microsoft External Staff

2025-04-14T02:26:08.54+00:00

Hi Handinata Tanudjaja,

A provisioning failure happens when the OS image fails to load either due to incorrect preparatory steps or because of selecting the wrong settings during the image capture from the portal.

Azure requires the image to be generalized when using it to create a new VM. Without generalization, the provisioning agent can’t complete its work (like setting up networking, hostnames, user credentials, etc.).https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/troubleshoot-deployment-new-vm-linux#why-do-provisioning-failures-occur

Windows
After you have run Sysprep on a VM, that VM is considered generalized and cannot be restarted. The process of generalizing a VM is not reversible. If you need to keep the original VM functioning, you should create a snapshot of the OS disk, create a VM from the snapshot, and then generalize that copy of the VM.

Sysprep requires the drives to be fully decrypted. If you have enabled encryption on your VM, disable encryption before you run Sysprep.

If you plan to run Sysprep before uploading your virtual hard disk (VHD) to Azure for the first time, make sure you have prepared your VM.

Also please note, Azure Disk Encryption does not work for the following scenarios, features, and technology:

Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs.

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#restrictions

If you're not tied to snapshots, you can create the image directly from the VM after generalizing: https://learn.microsoft.com/en-us/azure/virtual-machines/capture-image-portal

Let me know if you have any further queries!

If the comment is helpful, please click "upvote" to let us know!
Handinata Tanudjaja 190 Reputation points

2025-04-14T05:20:44.8233333+00:00

Hi @Mounika Reddy Anumandla ,
Thank you for the response.
I forgot to mention that this is for Windows VM.For the route I took in creating a VM image from a OS disk snapshot, there's no option whether it needs to generalized or specialized.
However the option to generalized or specialized is available when we are trying to create a VM image from a VM.

I think what you explained here is for capturing VM image from a VM but I am actually confused why it has to be generalized?
Why couldn't we do the specialized?

And thank you for pointing this out "Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs."
So with my situation, this means the snapshot I created from an encrypted OS disk will not be able to be used for new VMs.
Is this correct?

Thank you
Handinata Tanudjaja 190 Reputation points

2025-04-14T15:38:28.09+00:00

Hi @Mounika Reddy Anumandla ,

Thank you very much! That's very helpful!
We do want to deploy many VMs using an image that we would like to create.

I would like to know your step by step instruction on how to make a generalized image route, here's our situation:

The VM we have is being used in production.

The OS disk is ADE encrypted.

How do we make a generalized image without making our production VM not functioning?
And we would like to avoid the OS disk from being decrypted when making a generalized image.

Thank you again!
Mounika Reddy Anumandla 3,995 Reputation points Microsoft External Staff

2025-04-15T07:07:57.61+00:00

Hi Handinata Tanudjaja,

As mentioned in Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows Azure Disk Encryption does not support the following scenarios:

Creating an image or snapshot of an encrypted VM and using it to deploy additional VMs. You cannot create a deployable image directly from an ADE-encrypted OS disk. Here's a comparison of Disk Storage SSE, ADE, encryption at host, and Confidential disk encryption.
For full details,https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview

Hope it helps!
Handinata Tanudjaja 190 Reputation points

2025-04-15T14:36:23.1+00:00

Hi @Mounika Reddy Anumandla ,
Thank you for your response.
As you mentioned that we cannot create a deployable image directly from ADE-encrypted OS disk so how should we do it then?
Surely there's a way to create an image properly from a VM that has ADE-encrypted OS disk especially since this type of VM should be a common thing.

Thank you
Mounika Reddy Anumandla 3,995 Reputation points Microsoft External Staff

2025-04-17T02:36:34.9766667+00:00

Hi Handinata Tanudjaja,

Just checking in to see if you had a chance to review the response provided to your question.

Let me know if you have any further queries!

If the information is helpful, please click "upvote" to let us know.
Handinata Tanudjaja 190 Reputation points

2025-04-17T15:35:57.59+00:00

Thank you for your answer @Mounika Reddy Anumandla !
I upvoted your response.

Answer 1

Hi Handinata Tanudjaja,

Thank you for replying back to us! Happy to assist you further!

I have investigated more on your ask and the suggestion is that it is not supported to create an image from a VM that is encrypted. You need ALWAYS decrypt the VM that you want to use as image.

Snapshots in Azure retain the encryption settings of the original OS disk. This means that if the OS disk was encrypted using Azure Disk Encryption or other encryption methods, the snapshot will also be encrypted with the same settings.

To deploy a new VM from an encrypted VM using snapshots, you typically follow these steps:

Create a Snapshot of the Encrypted OS Disk and Create a Managed Disk from the Snapshot. The managed disk will retain the ADE encryption, including references to the same Key Vault and encryption keys.

Create a VM from the Managed Disk

When creating the new VM, use the managed disk as the OS disk.

You don’t need to re-enable ADE manually unless:

You move to a different subscription or region.

You change the encryption type (e.g., from ADE to disk encryption set).

User's image

If the original VM was encrypted, you may need to configure the encryption settings for the new VM, such as providing encryption keys or passwords. You can also disable ADE here like below.

User's image

Similar issue: https://stackoverflow.com/questions/56454966/azure-os-disk-encryption-on-vm-creation

Hope this clarifies!

Nikhil Duserla 6,470 Reputation points Microsoft External Staff

2025-04-18T05:22:31.59+00:00

Hi Handinata Tanudjaja,

Mounika have provided more details, hope it helps. If it does, I would request you to kindly please consider accepting it as an answer and do a thumbs up at “Was it helpful”. This in turn will benefit other community members with similar scenario navigate better to right solution.

Share via

Time out when creating Windows VM from an Image

1 answer

Your answer