Windows OS's that I have tested (2012r2 to 10.1809) require the string "AdministratorPassword" to be appended to the end of the raw password string prior to hashing, which must then be in UTF16LE format. While the hashing method is now included in the latest 1.21.2 release as 'Base-64-Windows' option under Operating System, the additional string is not. Windows (Unattended) Answer files (.xml) encapsulated in provisioning templates (.erb) cannot be processed by the OS unless this string exists at the end of the password when <%= root_pass > is used.

    case hash_alg
    when 'Base64'
      result = Base64.strict_encode64(passwd)
    when 'Base64-Windows'
*      passwd << Base64.strict_encode64("AdministratorPassword")*
      result = Base64.strict_encode64(passwd.encode('utf-16le'))

The attached password_crypt.rb file has an additional line that appends the passwd with the required string.

Templates tested were originally sourced from https://github.com/kireevco/foreman-wimaging/tree/1bd8f0facff80c19a5eccc12c01e8febd00f701e/wimaging and have been customised to my environment.