diff --git a/cmd/controller/main.go b/cmd/controller/main.go
index 849234c5403..300d585cc2e 100644
--- a/cmd/controller/main.go
+++ b/cmd/controller/main.go
@@ -57,6 +57,7 @@ func main() {
 	flag.StringVar(&opts.Images.GsutilImage, "gsutil-image", "", "The container image containing gsutil")
 	flag.StringVar(&opts.Images.PRImage, "pr-image", "", "The container image containing our PR binary.")
 	flag.StringVar(&opts.Images.ImageDigestExporterImage, "imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
+	flag.StringVar(&opts.Images.WorkingDirInitImage, "workingdirinit-image", "", "The container image containing our working dir init binary.")
 
 	// This parses flags.
 	cfg := injection.ParseAndGetRESTConfigOrDie()
diff --git a/cmd/workingdirinit/main.go b/cmd/workingdirinit/main.go
new file mode 100644
index 00000000000..baa252fbd39
--- /dev/null
+++ b/cmd/workingdirinit/main.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2022 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+func main() {
+	for _, d := range os.Args {
+		p := filepath.Clean(d)
+		if !filepath.IsAbs(p) || strings.HasPrefix(p, "/workspace/") {
+			if err := os.MkdirAll(p, 0755); err != nil {
+				log.Fatalf("Failed to mkdir %q: %v", p, err)
+			}
+		}
+	}
+}
diff --git a/config/controller.yaml b/config/controller.yaml
index a02a8a8d626..5e255b01e05 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -71,6 +71,7 @@ spec:
           "-nop-image", "ko://github.com/tektoncd/pipeline/cmd/nop",
           "-imagedigest-exporter-image", "ko://github.com/tektoncd/pipeline/cmd/imagedigestexporter",
           "-pr-image", "ko://github.com/tektoncd/pipeline/cmd/pullrequest-init",
+          "-workingdirinit-image", "ko://github.com/tektoncd/pipeline/cmd/workingdirinit",
 
           # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim
           "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f",
diff --git a/pkg/apis/pipeline/images.go b/pkg/apis/pipeline/images.go
index 1f4950d4087..e40ebfe5639 100644
--- a/pkg/apis/pipeline/images.go
+++ b/pkg/apis/pipeline/images.go
@@ -42,6 +42,8 @@ type Images struct {
 	PRImage string
 	// ImageDigestExporterImage is the container image containing our image digest exporter binary.
 	ImageDigestExporterImage string
+	// WorkingDirInitImage is the container image containing our working dir init binary.
+	WorkingDirInitImage string
 
 	// NOTE: Make sure to add any new images to Validate below!
 }
@@ -61,6 +63,7 @@ func (i Images) Validate() error {
 		{i.GsutilImage, "gsutil-image"},
 		{i.PRImage, "pr-image"},
 		{i.ImageDigestExporterImage, "imagedigest-exporter-image"},
+		{i.WorkingDirInitImage, "workingdirinit-image"},
 	} {
 		if f.v == "" {
 			unset = append(unset, f.name)
diff --git a/pkg/apis/pipeline/images_test.go b/pkg/apis/pipeline/images_test.go
index 0273db8c864..8f66cf31985 100644
--- a/pkg/apis/pipeline/images_test.go
+++ b/pkg/apis/pipeline/images_test.go
@@ -17,6 +17,7 @@ func TestValidate(t *testing.T) {
 		GsutilImage:              "set",
 		PRImage:                  "set",
 		ImageDigestExporterImage: "set",
+		WorkingDirInitImage:      "set",
 	}
 	if err := valid.Validate(); err != nil {
 		t.Errorf("valid Images returned error: %v", err)
@@ -33,7 +34,7 @@ func TestValidate(t *testing.T) {
 		PRImage:                  "", // unset!
 		ImageDigestExporterImage: "set",
 	}
-	wantErr := "found unset image flags: [git-image pr-image shell-image]"
+	wantErr := "found unset image flags: [git-image pr-image shell-image workingdirinit-image]"
 	if err := invalid.Validate(); err == nil {
 		t.Error("invalid Images expected error, got nil")
 	} else if err.Error() != wantErr {
diff --git a/pkg/pod/pod.go b/pkg/pod/pod.go
index 402c9d0ae1f..83aff8e2503 100644
--- a/pkg/pod/pod.go
+++ b/pkg/pod/pod.go
@@ -152,7 +152,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 	}
 
 	// Initialize any workingDirs under /workspace.
-	if workingDirInit := workingDirInit(b.Images.ShellImage, stepContainers); workingDirInit != nil {
+	if workingDirInit := workingDirInit(b.Images.WorkingDirInitImage, stepContainers); workingDirInit != nil {
 		initContainers = append(initContainers, *workingDirInit)
 	}
 
diff --git a/pkg/pod/workingdir_init.go b/pkg/pod/workingdir_init.go
index 0f2d7c4fa6f..ea0b1bc1b89 100644
--- a/pkg/pod/workingdir_init.go
+++ b/pkg/pod/workingdir_init.go
@@ -20,7 +20,6 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
@@ -31,7 +30,7 @@ import (
 //
 // If no such directories need to be created (i.e., no relative workingDirs
 // are specified), this method returns nil, as no init container is necessary.
-func workingDirInit(shellImage string, stepContainers []corev1.Container) *corev1.Container {
+func workingDirInit(workingdirinitImage string, stepContainers []corev1.Container) *corev1.Container {
 	// Gather all unique workingDirs.
 	workingDirs := sets.NewString()
 	for _, step := range stepContainers {
@@ -59,10 +58,9 @@ func workingDirInit(shellImage string, stepContainers []corev1.Container) *corev
 
 	return &corev1.Container{
 		Name:         "working-dir-initializer",
-		Image:        shellImage,
-		Command:      []string{"sh"},
-		Args:         []string{"-c", "mkdir -p " + strings.Join(relativeDirs, " ")},
-		WorkingDir:   pipeline.WorkspaceDir,
+		Image:        workingdirinitImage,
+		Command:      []string{"/ko-app/workingdirinit"},
+		Args:         relativeDirs,
 		VolumeMounts: implicitVolumeMounts,
 	}
 }
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index 3af5e647f5a..3a13c8dca08 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -11,7 +11,7 @@ spec:
       default: github.com/tektoncd/pipeline
     - name: images
       description: List of cmd/* paths to be published as images
-      default: "controller webhook entrypoint nop kubeconfigwriter git-init imagedigestexporter pullrequest-init"
+      default: "controller webhook entrypoint nop kubeconfigwriter git-init imagedigestexporter pullrequest-init workingdirinit"
     - name: versionTag
       description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
     - name: imageRegistry
@@ -103,8 +103,9 @@ spec:
       # This matches the value configured in .ko.yaml
       defaultBaseImage: gcr.io/distroless/static:nonroot
       baseImageOverrides:
-        # Use the combined base image for entrypoint.
+        # Use the combined base image for images that should include Windows support.
         $(params.package)/cmd/entrypoint: ${COMBINED_BASE_IMAGE}
+        $(params.package)/cmd/workingdirinit: ${COMBINED_BASE_IMAGE}
 
         $(params.package)/cmd/git-init: ${CONTAINER_REGISTRY}/$(params.package)/git-init-build-base:latest
         # These match values configured in .ko.yaml