The Problem
We were building a new Windows 11 25H2 image for Azure Virtual Desktop multi-session deployments and kept hitting sysprep failures with error 0x80310039. Our first instinct, like most people's, was LAPS. Made sense—new feature, security-focused, the usual suspect in modern Windows builds.
Spent longer than I'd like to admit going down that road.
The Real Culprit
BitLocker was the actual problem. Specifically, BitLocker configured in TPM-only mode on a Trusted Launch VM. Trusted Launch gives the VM a virtual TPM, which is what allows a TPM-only protector to be set up on the OS drive in the first place. Sysprep doesn't play well with that configuration: an encrypted OS volume gets in the way of the generalize pass that sysprep needs to run.
The fix was straightforward: Disable-BitLocker before running sysprep. Once we killed the BitLocker config, the image build completed without issues.
What We Actually Built
We captured the validated image into a new compute gallery: AvdGallery in the AVD resource group. Then we deployed a test instance (AVD-IT-TEST-01, D2s_v3 SKU) into the production virtual network to validate the image against the real environment before rolling it out.
This was also the first time that production image gallery had been touched in 3–5 years. So today we also re-established the capability to actually refresh images going forward, which matters more than people usually realize.
The Practical Takeaway
We documented the entire pre-sysprep validation process in a reusable checklist. BitLocker status is now part of that checklist, right up front. If you're building AVD images on Trusted Launch VMs, check BitLocker before you even think about running sysprep.
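As an added illustration of that checklist step (this is my own example, not the post's checklist or the team's build scripts), here is a PowerShell pre-sysprep gate that reports the OS volume's BitLocker state, flags the TPM-only case described above, and optionally runs Disable-BitLocker and waits for decryption to finish. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, Disable-BitLocker) is available and that it runs in an elevated session on the image VM; the function name, parameters, and timeout value are this example's own choices.

```powershell
# Added example: pre-sysprep BitLocker gate for an AVD image VM.
# Assumes the BitLocker module (Get-BitLockerVolume, Disable-BitLocker) and an
# elevated session on the image VM. Names and defaults below are illustrative.

function Test-PreSysprepBitLocker {
    [CmdletBinding()]
    param(
        # Decrypt the OS volume instead of only reporting. Off by default so the
        # function is safe to run as a read-only checklist step.
        [switch]$Decrypt,
        # Upper bound on how long to wait for background decryption to complete.
        [int]$TimeoutMinutes = 60
    )

    $osDrive = $env:SystemDrive   # normally "C:"
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop

    # KeyProtector is a list. TPM-only shows up as exactly one protector of type
    # "Tpm" with no RecoveryPassword or TpmPin protector next to it.
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $tpmOnly = ($protectorTypes.Count -eq 1 -and $protectorTypes[0] -eq 'Tpm')

    $summary = '{0}: ProtectionStatus={1} VolumeStatus={2} Protectors={3}' -f $osDrive, $vol.ProtectionStatus, $vol.VolumeStatus, ($protectorTypes -join ',')
    Write-Host $summary
    if ($tpmOnly) {
        Write-Warning "TPM-only BitLocker detected on $osDrive; clear it before running sysprep."
    }

    # Treat only a fully decrypted volume as ready. A suspended volume
    # (ProtectionStatus Off, VolumeStatus FullyEncrypted) is still encrypted.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        return $true
    }

    if (-not $Decrypt) {
        Write-Warning "$osDrive is not fully decrypted. Re-run with -Decrypt, or run Disable-BitLocker -MountPoint $osDrive and wait for decryption to finish."
        return $false
    }

    # Disable-BitLocker removes the key protectors and starts decryption in the
    # background, then returns immediately, so VolumeStatus must be polled.
    if ($vol.VolumeStatus -ne 'DecryptionInProgress') {
        Disable-BitLocker -MountPoint $osDrive -ErrorAction Stop | Out-Null
    }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $osDrive
        $progress = 'Decrypting {0}: {1}% still encrypted, status {2}' -f $osDrive, $vol.EncryptionPercentage, $vol.VolumeStatus
        Write-Host $progress
    } while ($vol.VolumeStatus -ne 'FullyDecrypted' -and (Get-Date) -lt $deadline)

    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "Timed out waiting for $osDrive to decrypt; do not run sysprep yet."
        return $false
    }
    return $true
}

# Usage in the build sequence: gate sysprep on the result so the image build
# stops here instead of failing inside sysprep with an opaque error.
if (Test-PreSysprepBitLocker -Decrypt) {
    Write-Host "BitLocker clear on $env:SystemDrive; safe to run sysprep /generalize /oobe /shutdown"
}
else {
    exit 1
}
```

The poll loop is the part people skip: Disable-BitLocker returns as soon as decryption has started, and a sysprep launched while the volume is still decrypting hits the same wall. Returning a boolean rather than just printing lets the build pipeline fail fast at this step, which is what moves the check to the front of the checklist in practice.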
Where This Breaks in Production
This doesn't show up in clean lab builds.
It shows up in environments where:
- Trusted Launch is enabled by default across the AVD host pool
- BitLocker policies are applied early in the image lifecycle — before the build process is fully stabilized
- Image builds are being standardized across multiple teams with different baseline configurations
The result is an image that works during early testing but fails unpredictably during sysprep as security controls interact with the build process. The error code points to BitLocker, but the root cause is sequencing — security hardening applied before the image is ready for it.
If This Is Happening in Your Environment
Sysprep failures in AVD environments are rarely just a BitLocker issue.
They're usually a sign that image hardening, security baselines, and build sequencing aren't aligned — everything works individually but breaks when combined at scale.
If your AVD image builds are producing failures that don't have a clean root cause, or if you haven't refreshed your image gallery in years, that's typically where we get brought in.
We don't rebuild from scratch — we fix and stabilize what's already there.
Want more patterns like this?
Get the full 6-part guide — what Intune doesn't tell you, but you'll hit in production.