SysPrep journeys when moving to Azure

You would think that if you have a virtual machine, let's say a Windows 2012 image, putting that server on the cloud should be easy. Just a sysprep and that is all.
But NO.
There is a lot that can go wrong when doing a sysprep.

What if your server's web.config files use protected configuration?

Protected What?

https://blogs.msdn.microsoft.com/mosharaf/2005/11/17/encrypting-configuration-files-using-protected-configuration/

This is a feature that lets you take sections like:

<connectionStrings>
  <add name="advWorks" connectionString="Data Source=.\yukon;Initial Catalog=AdventureWorks;User ID=webUser;pwd=my_P@ssw0rd" />
</connectionStrings>

And encrypt them with instructions like:

aspnet_regiis -pe connectionStrings -app /testwebcs2  

The issue is that the password for that encryption might get lost during sysprep, and you need to guess the key container where that password was saved.

When you run your app you will get strange errors like:

HTTP Error 500.19 "Failed to decrypt attribute "password""

This guy, http://jeffmurr.com/blog/?p=77, provides a great explanation, and for me method 2 worked like a charm:

**Export keys from source server:**


aspnet_regiis -px "iisConfigurationKey" "C:\IISKEY\iisConfigurationKey.xml" -pri  
aspnet_regiis -px "iisWasKey" "C:\IISKEY\iisWasKey.xml" -pri

**And import on your target/problem server:**

aspnet_regiis -pi "iisConfigurationKey" "C:\IISKEY\iisConfigurationKey.xml"  
aspnet_regiis -pi "iisWasKey" "C:\IISKEY\iisWasKey.xml"  

But you might also get weird problems in other areas, for example with certificates. In this case my choice was to export the certificates from the original machine. But... what happens if those certificates have their private key marked as not exportable?

Well, first things first. How do I know which certificates I have on the original machine?
You can use the MMC snap-in or use PowerShell:

Set-Location Cert:\LocalMachine\My

Get-ChildItem | Format-Table Thumbprint, Subject, FriendlyName -AutoSize

And to export the certificates, well, I used mimikatz; see http://blog.ruecker.fi/2014/03/12/exporting-the-not-exportable/

On the problematic machine, delete the old certificate before the import.
After the import, open the Certificates MMC snap-in, right-click the certificate, go to Properties and then the Security tab, and compare the permissions with the original machine.
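
The certificate listing and the permission comparison described above can be done in one pass with a script. This is an added example, not part of the original post: it records, for every certificate in LocalMachine\My, whether a private key is present, its export policy, and the ACL on the key file, so the output from the original and the sysprepped machine can be compared. The output folder, the column names and the .NET Framework 4.6+ requirement are assumptions.

```powershell
# Added example, not from the original post. Run elevated on BOTH machines, then
# diff the two CSV files. Assumes C:\IISKEY exists and .NET Framework 4.6 or later.
$outFile = "C:\IISKEY\certs-$env:COMPUTERNAME.csv"
$keyDirs = 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys' |
    ForEach-Object { Join-Path $env:ProgramData $_ }
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $export = ''; $acl = ''; $keyFile = $null; $name = $null
    if ($cert.HasPrivateKey) {
        try {
            $key = $rsaExt::GetRSAPrivateKey($cert)   # $null when the key is not RSA
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $export = "$($key.Key.ExportPolicy)"
                $name   = $key.Key.UniqueName
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $export = if ($key.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
                $name   = $key.CspKeyContainerInfo.UniqueKeyContainerName
            } else {
                $export = 'not an RSA key'
            }
            # Machine private keys are files; permissions on the key are that file's ACL.
            if ($name) {
                $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $name } |
                    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
                    Select-Object -First 1
            }
            if ($keyFile) {
                $acl = ((Get-Acl -LiteralPath $keyFile).Access |
                    ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" } |
                    Sort-Object) -join '; '
            }
        } catch {
            $export = "key not readable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ExportPolicy  = $export
        KeyFileFound  = [bool]$keyFile
        KeyAcl        = $acl
    }
}
$report | Sort-Object Thumbprint | Export-Csv -Path $outFile -NoTypeInformation
$report | Format-Table Thumbprint, Subject, HasPrivateKey, ExportPolicy, KeyFileFound -AutoSize
```

The CSV holds only metadata and ACL entries, no key material. A row with HasPrivateKey true but "key not readable" or KeyFileFound false points to a key that is missing or inaccessible on that machine.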

That worked for some issues. I hope everything else works, but the sysprep journeys can be tough.