Setting up a windows 11 or windows server 2025 golden template

#virtualization #windows

What is a golden template?

A golden template is a virtual machine (usually) that is used to clone to get clean machines with a predetermined set of software available for each unique machine.

How do I set it up?

Keep the windows 11 install offline.

First of all, you need a hypervisor. I'm using libvirt, so instructions for eg vmware workstation might differ, but you need the following:

  1. 4 CPU's (2 is enough for server)
  2. At least 4GiB of RAM
  3. At least 50GiB of disk space
  4. Secure boot
  5. Specifically on linux
    1. Use VirtIO for everything that allows it EXCEPT for the CDROM devices and video devices. Make sure to load the driver during install.
  6. Virtual TPM (only for windows 11)
    Follow the standard windows installation. For windows server, if you prefer a desktop environment, chose desktop experience. For most capabilities, chose datacenter.
    Pasted image 20250816163045.png
    Specifically for linux, if you reach this point and changed the SATA drive to the VirtIO driver, just load in the VirtIO ISO and load the win11 drivers available for download at https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.271-1/virtio-win-0.1.271.iso.
    Pasted image 20250816094405.png
    Pasted image 20250816094656.png
    Once you reach this page:
    Pasted image 20250816095429.png
    open a command prompt by pressing "Shift + F10" and type "oobe\bypassnro" to continue with an offline account. This is necessary for a golden template. Simply press the "I don't have an internet connection" and proceed making a local account.
    From here on, it's all different for everyone, so install your guest tools, install your favorite apps, delete the apps you dislike and proceed with the sysprep.
    I chose to use a debloat script to clean up windows for a nice and clean template. I used this one: https://github.com/Raphire/Win11Debloat.
    navigate to "C:\Windows\System32\Sysprep" and double click the sysprep.exe.
    Utilize these settings and press ok.
    Pasted image 20250816104520.png

Troubleshooting

If you get errors, check the panther folder and open setuperr.log.
One of the most common ones is bitlocker (disable-bitlocker -mountpoint "C:" most likely. Check which is the correct drive. manage-bde -status to check the status.) such is the case for me.
Pasted image 20250816104659.png
Do what you have to do and try again.
If it keeps failing (such is the case for me) I will look into making a website for automate a windows installation.

Conclussion

After you have sysprepped your device, it is crucial to leave it turned off. Only turn it on when you have to update it and afterwards, sysprep it again.
You now have a golden windows 11 template.