Building for Windows Server 2019 yields IMAGE_STATE_UNDEPLOYABLE #6251
Replies: 31 comments 73 replies
-
FYI: We are having the same problem and it seems to be a regression. It's also happening with Windows Server 2022.
-
Same issue for us too, on Server 2019 images.
-
Same for us with Windows 2019. Update:
-
We are having the same issue. Our SOC informed us that Microsoft Defender was finding suspicious script in the packer build. It was a false positive (pypy install script) but could that be putting the VM in a state that cannot be deployed?
-
Had the exact same. For me my install/packer password used by WinRM to perform the build was not over 14 characters and did not include special characters. Changed in my script to match how MS are creating a password and passing it to packer and all is now good. Image builds in 4.5 hours.
-
Is there a solution for this? Getting the same error IMAGE_STATE_UNDEPLOYABLE on both, 2019 and 2022 images.
-
@martingem Have you found a solution? I have the same issue.
-
Not sure if it's related, but our subscriptions have Microsoft Defender for Servers (plan 2) enabled. I turned this off and kicked off a new image build earlier this morning.
What's different here? Instead of the build screaming No idea if that means the image is still defective - I guess I'll find out soon? UPDATE: Created a new agent pool which appears to run jobs without any issues with this new image. Can everyone else on this thread check if they have Defender for Cloud enabled in their environment?
-
I found the following error in the sysprep logs:
Is there another way around this than disabling Defender for Cloud?
-
This issue is occurring for me too, Windows 2022. ==> vhd: Provisioning with powershell script: C:\Users\AzDevOps\AppData\Local\Temp\powershell-provisioner1816835113
-
Also seeing the same issues on Windows 2022
-
Can confirm, having the same issue on Windows 2022.
-
@al-cheb I'll make a ticket with Azure to try to understand what can cause this, but I would think that the generation would fail as well for Microsoft, no? Anyway, for all the others that replied, thanks. I'll post an update whenever I get a response and see where we go from here.
-
We start having the same issues.
-
Is this still an issue with the WIN 2019 and WIN 2022 images?
-
Could you verify that the image does not contain MMA/AMA or active MDE agent (SENSE)?
-
Hitting 'restart' on the VM when it's in this state seems to allow the packer build to complete successfully. I haven't confirmed whether the image is good yet.
-
@elSagie I have unticked as you specified and now the Win2022 build has finally completed. Obviously this cannot be a permanent solution.
-
For now to resolve our issues we have disabled the DfC integration in Azure portal for our image build subscriptions
-
@elSagie . @al-cheb any updates on this item, I know the workarounds are working, but I am getting pressure to re-enable these settings.
-
Hi people, To me it makes sense - there is no way you can deploy new VM to be onboarded to MDE upon deployment - MDE onboarding must be done by their script only.
-
I also have the same issue. Please assist...
-
We have the same issue also with Windows Server images. It will repeat "IMAGE_STATE_UNDEPLOYABLE" for 12 hours.
-
To disable the MDE integration (Setting - Integration - Allow Microsoft Defender for Endpoint to access my data) programmatically use REST API.
-
We have the same issue; any suggestions, please, other than what was posted above? We have had Defender for Cloud enabled since we started using this repo more than a year ago, and never faced this issue until the last two months. Tagging @mikhailkoliada @igorboskovic3 @Alexey-Ayupov for some help with these, as these have been very helpful in resolving some of the issues in the past. Appreciate all the help.
-
Hi guys, I also have this issue,
You could achieve it by adding this in your packer json file in the azure-arm builder. I tried until now one build and it worked. 👯♂️ 😄
-
I am also getting a successful build, but when I convert the VM into a managed image or an image in the shared image gallery, it works fine.
But the VM I create using the managed image or the shared gallery image is failing with the message "image not prepared properly use as is".
I tried using it as is; I am not even running the post-generation scripts on the VM and am still getting the same error, that the image is not prepared properly.
Any help, please?
Adam, can you please tell me how you opened an MS ticket? I mean, to which team: the Windows VM team, the GitHub team, or which one?
From: McAdamz ***@***.***>
Sent: Thursday, February 2, 2023 12:06:12 PM
To: actions/runner-images ***@***.***>
Cc: vamshisiram ***@***.***>; Mention ***@***.***>
Subject: Re: [actions/runner-images] Building for Windows Server 2019 yields IMAGE_STATE_UNDEPLOYABLE (Discussion #6251)
Hi guys,
I also have this issue, I have an open ticket with MS and currently this is what I am trying: Add the following tag to your VM which is supposed to disable the MDE activation for the VM
Tag name: ExcludeMdeAutoProvisioning Tag value: True
You could achieve it by adding this in your packer json file in the azure-arm builder. @martingem maybe this can be a solution for you as well as you don't need to change anything at subscription level. "azure_tags": { "ExcludeMdeAutoProvisioning": "True" },
I tried until now one build and it worked. 👯♂️ 😄
I've finally managed to get a win2022 build running by adding that tag to the build script.
I use Azure Dev ops to build the image and it runs on a schedule once a month to keep it up to date.
I haven't forked the repo as I didn't want to have to keep syncing, so I set up my YAML file to just clone it and added a new Powershell step to insert the ""azure_tags": { "ExcludeMdeAutoProvisioning": "True" }," tag to the build script.
Yes, it's a dirty hacky workaround, but simple to remove and clear as to what is going on:
```yaml
- task: ***@***.***
  displayName: 'Workaround for issue: #6251'
  inputs:
    targetType: 'inline'
    script: |
      $TemplateFile = "virtual-environments/images/win/${{ parameters.image_type }}.json"
      # Double quotes so that $TemplateFile is expanded in the message
      Write-Host "Attempting to modify $TemplateFile with workaround"
      # Insert the azure_tags entry directly after the azure-arm builder type
      ((Get-Content -Path $TemplateFile -Raw) -replace '"type": "azure-arm",','"type": "azure-arm","azure_tags": { "ExcludeMdeAutoProvisioning": "True" },') | Set-Content -Path $TemplateFile
      Write-Host "$TemplateFile modified"
      Get-Content -Path $TemplateFile -Raw
```
I'm now happy to finally have the latest image successfully run!
-
Hello @simpleprovider, obviously this tag
-
Amazing hidden gem! Thanks! I wonder what other "special" tags there are that allow us to tame the magic of Azure... ;-) Also, this seems like a rather big security issue. Anyone able to add this tag to a VM resource can bypass MS Defender for Cloud...
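The concern raised in the comment above, seen from the monitoring side: an added example (not code from this thread or from the runner-images project) that audits a VM inventory for the `ExcludeMdeAutoProvisioning` tag and separates expected build VMs from everything else. It assumes the inventory is the JSON array printed by `az vm list`; the sample inventory, the VM names and the `rg-image-build` allow-list are constructed.

```python
import json

TAG_NAME = "ExcludeMdeAutoProvisioning"  # tag name taken from the thread

# Constructed sample in the shape of `az vm list -o json`, trimmed to the fields used.
SAMPLE_INVENTORY = json.dumps([
    {"name": "pkr-build-01", "resourceGroup": "rg-image-build",
     "tags": {"ExcludeMdeAutoProvisioning": "True"}},
    {"name": "app-prod-07", "resourceGroup": "rg-prod",
     "tags": {"excludemdeautoprovisioning": "true", "owner": "team-a"}},
    {"name": "app-prod-08", "resourceGroup": "rg-prod", "tags": {"owner": "team-a"}},
    {"name": "db-prod-01", "resourceGroup": "RG-PROD", "tags": None},
])

# Hypothetical allow-list: resource groups where image builds may carry the tag.
ALLOWED_RESOURCE_GROUPS = {"rg-image-build"}


def find_mde_exclusions(inventory_json, allowed_groups=ALLOWED_RESOURCE_GROUPS):
    """Return one finding per VM that carries the exclusion tag.

    Each finding records whether the VM sits in an allow-listed resource group,
    so unexpected exclusions can be alerted on separately from build VMs.
    """
    allowed = {g.lower() for g in allowed_groups}
    findings = []
    for vm in json.loads(inventory_json):
        tags = vm.get("tags") or {}  # untagged VMs come back as null
        for name, value in tags.items():
            # Azure tag names are case-insensitive, so compare lowered names.
            if name.lower() == TAG_NAME.lower():
                group = vm.get("resourceGroup", "")
                findings.append({
                    "vm": vm.get("name"),
                    "resourceGroup": group,
                    "value": value,
                    "expected": group.lower() in allowed,
                })
    return findings


def unexpected_exclusions(inventory_json):
    """Names of VMs that carry the tag outside the allow-listed resource groups."""
    return [f["vm"] for f in find_mde_exclusions(inventory_json) if not f["expected"]]


if __name__ == "__main__":
    for finding in find_mde_exclusions(SAMPLE_INVENTORY):
        print(finding)
```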
-
If you're using the
-
Description
Hello,
I've been building the images for two years using the official code, the only difference is the publish part to an internal Azure compute galleries (formerly Shared image gallery).
Of course, I tried to rebuild (as suggested by others in TechNet forums) 4 times, no success.
It seems like the capture is working (Finalize VM), but the next step yields IMAGE_STATE_UNDEPLOYABLE. Using my googling skills, I found :
unattend.xml is being removed in the packer code
Set-Service RdAgent -StartupType Disabled
and subsequent step, but Set-Service isn't recognized by PowerShell at least as is. Let me know what kind of details could help.
Platforms affected
Runner images affected
Image version and build link
I'm currently at 771b501
Is it regression?
e661113
Expected behavior
Image Deployment state to be "COMPLETE"
Actual behavior
Image Deployment state is "IMAGE_STATE_UNDEPLOYABLE"
Repro steps
Building using the same https://github.com/actions/runner-images/blob/main/images.CI/linux-and-win/azure-pipelines/image-generation.yml, except for Compute image gallery as a destination.