Using a Windows Image

To create a desktop pool using Windows, you must bring your own license.

Note

OCI does not provide images or licenses for Windows 10 or Windows 11. To use a Windows image, you must comply with your Microsoft license agreement. See Microsoft Licensing on Oracle Cloud Infrastructure.

Importing Custom Windows Images

The Compute service enables you to import Windows images that were created outside of Oracle Cloud Infrastructure. For example, you can import images running on your on-premises physical or virtual machines (VMs), or VMs running in Oracle Cloud Infrastructure Classic. You can then launch your imported images on compute virtual machines.

Caution

  • Support from Oracle Cloud Infrastructure in launching an instance from a custom operating system does not ensure that the operating system vendor also supports the instance.
  • Windows 10/11 requires you to bring your own license. You must specify a special operating system type (rdaasw) to enable this for Windows 10/11.
  • By default, Windows desktops are provisioned on Dedicated Virtual Machine Hosts (DVH). If your license agreement allows virtualizing Windows 10/11 desktops in a cloud environment, you can disable DVH provisioning by adding the appropriate tag to the image used for creating the desktop pool. See Secure Desktops Tags.

Windows Source Image Requirements

Custom images must meet the following requirements:

  • The maximum image size is 400 GB.
  • The image must be set up for a supported boot type.
    • For a Windows 10 image, use UEFI or legacy BIOS boot type.
    • For a Windows 11 image, use only UEFI boot type.
  • The boot process must not require additional data volumes to be present for a successful boot.
  • The disk image cannot be encrypted.
  • The disk image must be a VMDK or QCOW2 file.
    • Create the image file by cloning the source volume, not by creating a snapshot.
    • VMDK files must be either the "single growable" (monolithicSparse) type or the "stream optimized" (streamOptimized) type, both of which consist of a single VMDK file. All other VMDK formats, such as those that use multiple files, split volumes, or contain snapshots, are not supported.
  • The network interface must use DHCP to discover the network settings. When you import a custom image, existing network interfaces are not recreated. Any existing network interfaces are replaced with a single NIC after the import process is complete. You can attach additional VNICs after you launch the imported instance.
  • The network configuration must not hard code the MAC address for the network interface.
  • For Windows 11 images, both Trusted Platform Module (TPM) and Secure Boot must be disabled for Windows during image creation if your virtualization platform does not support them (for example, VirtualBox). Before installation, use Registry Editor to add new registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig\BypassRAMCheck DWORD (32-bit) value 1.
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig\BypassSecureBootCheck DWORD (32-bit) value 1.
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig\BypassTPMCheck DWORD (32-bit) value 1.

Preparing Windows VMs for Import

Before you can import a custom Windows image, you must prepare the image to ensure that instances launched from the image can boot correctly and that network connections will function properly.

You can perform the tasks described in this section on the running source system. If you have concerns about modifying the live source system, you can export the image as-is, import it into Oracle Cloud Infrastructure, and then launch an instance based on the custom image. You can then connect to the instance using the VNC console and perform the preparation steps.

Important

The system drive where Windows is installed will be imported to Oracle Cloud Infrastructure. All partitions on that drive are included in the imported image. Any other drives will not be imported, and you must re-create them on the instance after import. You will then need to manually move the data from the non-system drives.

To prepare a Windows VM for import, use one of the following options:

Preparing a VM Using the Secure Desktops Image Builder

Use the Secure Desktops Image Builder to prepare a VM as an image for use with Secure Desktops.

This utility verifies requirements, performs an unattended installation, and configures an image (in VMDK format) that can be uploaded to Oracle Cloud Infrastructure.

Note

  • This utility creates images for Windows 11 (64-bit) Professional or Enterprise Editions. Evaluation versions are not supported. To create a Windows 10 image, follow the manual method to prepare the VM.
  • This utility requires the use of Oracle VirtualBox. If you are using a different virtualization software solution, follow the manual method to prepare the VM.
  • This utility automatically selects UEFI firmware for the Windows 11 image.

To use the Secure Desktops Image Builder:

  1. Refer to OCI Secure Desktops: How To Create a Windows Image For Use With OCI Secure Desktops Using the OCI Secure Desktops Image Builder (3004854.1).
  2. Review the instructions and download all required packages to your local system.
  3. Download the application file (attached in the knowledge article) to your local system.
  4. Run the application file as Administrator and follow all prompts.
  5. Once the process completes, the utility displays the location of the VMDK image file that has been created.
  6. Import the VMDK image file to Oracle Cloud Infrastructure.

Preparing a VM Using the Manual Method

Use the manual method to prepare a VM as an image for use with Secure Desktops.

Note

For guidance on manually preparing the VM using VirtualBox, refer to OCI Secure Desktops: Windows 10/11 for OCI preparation (2953657.1).

To manually prepare a Windows VM:

  1. Follow your organization's security guidelines to ensure that the Windows system is secured. This can include, but is not limited to, the following tasks:
    • Install the latest security updates for the operating system and installed applications.
    • Enable the firewall, and configure it so that you only enable the rules which are needed.
    • Disable unnecessary privileged accounts.
    • Use strong passwords for all accounts.
  2. Set your license activation server:
    slmgr.vbs /skms <KMS_server_name_or_IP>:1688
  3. Create a backup of the root volume.
  4. If the VM has remotely attached storage, such as NFS or block volumes, configure any services that rely on this storage to start manually. Remotely attached storage is not available the first time that an imported instance boots on Oracle Cloud Infrastructure.
  5. Ensure that all network interfaces use DHCP, and that the MAC address and IP addresses are not hard coded. See your system documentation for steps to perform network configuration for your system.
  6. Install Oracle Cloud Agent. To obtain the Oracle Cloud Agent installation file, contact Oracle support.
  7. Download the Oracle VirtIO Drivers for Microsoft Windows.
  8. Install the drivers (selecting Custom installation type) and then restart the instance.
  9. Disable LockScreen:
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization"
    # Create the policy key only if it is missing, so existing values under it are not touched
    if (-not (Test-Path -Path $path)) {
      New-Item -Path $path -Force | Out-Null
    }
    # -Force creates NoLockScreen or overwrites an existing value, so the result is always 1
    New-ItemProperty -Path $path -Name "NoLockScreen" -Value 1 -PropertyType DWord -Force | Out-Null
  10. Disable RDP:
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 1
  11. Set the time server to OCI:
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\W32Time\Parameters' -Name 'Type' -Value NTP -Type String
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\W32Time\Config' -Name 'AnnounceFlags' -Value 5 -Type DWord
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer' -Name 'Enabled' -Value 1 -Type DWord
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\W32Time\Parameters' -Name 'NtpServer' -Value '169.254.169.254,0x9' -Type String
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' -Name 'SpecialPollInterval' -Value 900 -Type DWord
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\W32Time\Config' -Name 'MaxPosPhaseCorrection' -Value 1800 -Type DWord
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\W32Time\Config' -Name 'MaxNegPhaseCorrection' -Value 1800 -Type DWord
  12. Optionally, install any additional software you would like your users to have access to.
  13. Install Cloudbase-Init. During installation:
    • Username: Administrator
    • Do not select the option to run Cloudbase-Init service as LocalSystem.

      Using this option makes certain OS features unavailable during the cloud init phase and can result in missing desktop volumes when the desktop is launched, requiring you to run the attach_volume.ps1 script to resolve the issue. See Missing desktop volumes when launching Windows desktop.

    • Do not select the options to run Sysprep within Cloudbase-Init and shut down the system.

    Once installation is complete, edit C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf and add retry_count=100.

  14. Create PowerShell script C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\enable_rdp.ps1 to enable RDP in Oracle Cloud Infrastructure when Cloudbase-Init runs:
    #ps1_sysnative 
    # 
    # location C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\enable_rdp.ps1 
    # 
    $script_path=$Env:ProgramData+"\Oracle\OCI\Desktops"
    $log="$script_path\enable_rdp.txt" 
    Start-Transcript -Path $log -Append 
    Write-Host "Enabling rdp port" | Out-Default 
    Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -name fDenyTSConnections | Out-Default 
    date | Out-Default 
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -name fDenyTSConnections -Value 0 | Out-Default 
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop" | Out-Default 
    # 
    Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -name fDenyTSConnections | Out-Default 
  15. If you plan to launch the imported image on more than one VM instance, create a generalized image of the boot disk. A generalized image is cleaned of computer-specific information, such as unique identifiers. When you create instances from a generalized image, the unique identifiers are regenerated. This prevents two instances that are created from the same image from colliding on the same identifiers.
  16. Run the OCI Secure Desktops Image Readiness Checker to verify whether your VM satisfies compliance requirements to be created as an image for use with Secure Desktops.

    This tool can update Network Time Protocol (NTP), Remote Desktop Protocol (RDP), and lock screen settings required for a Secure Desktops Windows image.

    For more information about this utility, and to download the application file, refer to OCI Secure Desktops: How To Confirm Compliance Using The OCI Secure Desktops Image Readiness Checker (3010275.1).

  17. Clone the stopped VM as a VMDK or QCOW2 file. Refer to the tools documentation provided with your virtualization environment for steps.
  18. Import the VMDK or QCOW2 image file to Oracle Cloud Infrastructure.
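
A read-only check of the settings from steps 5, 9 to 11, 13 and 14, to run on the VM before cloning it in step 17. This is an added example, not Oracle's Image Readiness Checker or any Oracle code. The function names and the Cloudbase-Init service name `cloudbase-init` are assumptions; the paths and expected values come from the steps above.

```powershell
# Added example: verifies the image-preparation settings without changing anything.
# Paths and expected values are the ones given in the manual steps.
$ts   = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$pers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$w32  = 'HKLM:\System\CurrentControlSet\Services\W32Time\Parameters'
$cbi  = 'C:\Program Files\Cloudbase Solutions\Cloudbase-Init'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing, instead of throwing
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-SecureDesktopsImagePrep {
    $conf = Join-Path $cbi 'conf\cloudbase-init.conf'
    # IPv4 interfaces other than loopback that are not configured by DHCP
    $static = @(Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.Dhcp -ne 'Enabled' })
    # Assumption: the installer registers the service under the name 'cloudbase-init'
    $svc = Get-CimInstance Win32_Service -Filter "Name='cloudbase-init'"
    $checks = [ordered]@{
        'RDP disabled in the image (fDenyTSConnections = 1)' = (Get-RegValue $ts 'fDenyTSConnections') -eq 1
        'Lock screen disabled (NoLockScreen = 1)'            = (Get-RegValue $pers 'NoLockScreen') -eq 1
        'NTP server is 169.254.169.254,0x9'                  = (Get-RegValue $w32 'NtpServer') -eq '169.254.169.254,0x9'
        'All IPv4 interfaces use DHCP'                       = $static.Count -eq 0
        'cloudbase-init.conf sets retry_count=100'           = (Test-Path $conf) -and (Select-String -Path $conf -Pattern '^\s*retry_count\s*=\s*100\s*$' -Quiet)
        'enable_rdp.ps1 present in LocalScripts'             = Test-Path (Join-Path $cbi 'LocalScripts\enable_rdp.ps1')
        'Cloudbase-Init service not run as LocalSystem'      = ($null -ne $svc) -and ($svc.StartName -ne 'LocalSystem')
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Passed = [bool]$c.Value }
    }
}

$results = Test-SecureDesktopsImagePrep
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning 'Fix the failed checks before cloning the VM.' }
```

RDP is expected to be off in the image itself; it is turned on only at first boot by enable_rdp.ps1, so a failed RDP check means the image would expose RDP before Cloudbase-Init runs.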

Importing a Windows-Based VM

After you prepare a Windows image for import, upload the image file and import the image.

  1. Upload the image file to an Object Storage bucket. Use the command line interface (CLI) to issue the following command:
    oci --profile <profile in $HOME/.oci/config> --region <region> os object put \
        -bn <name of bucket> \
        -ns <name space> \
        --name <The name of the object in the bucket> \
        --file <path to the QCOW2 or VMDK image>
  2. Create a custom image from the uploaded object in the bucket, specifying the operating system rdaasw:
    oci --profile <profile in $HOME/.oci/config> --region <region> \
       compute image import from-object \
       -ns <name space> \
       -bn <name of bucket> \
       --name <The name of the object in the bucket> \
       --compartment-id <The OCID of the compartment you want the custom image to be created in> \
       --display-name <A user-friendly name for the new custom image> \
       --operating-system rdaasw \
       --operating-system-version <Windows10 or Windows11> \
       --launch-mode PARAVIRTUALIZED \
       --source-image-type <QCOW2 or VMDK>

    The imported image appears in the Custom images list for the compartment, with a state of Importing. When the import completes successfully, the state changes to Available.

    If the state fails to change, or no entry appears in the Custom images list, then the import failed. Ensure that you have read access to the Object Storage object, and that the object contains a supported image.

  3. Ensure that the custom image is set to the correct boot mode.
    • For a Windows 10 image, use UEFI or legacy BIOS boot type.
    • For a Windows 11 image, use only UEFI boot type.

    Edit the image as follows:

    1. Open the navigation menu and click Compute. Under Compute, click Custom Images.
    2. Click your image.
    3. Click Edit Image Details and under Firmware, select the appropriate boot mode.
    4. Click Save changes.
  4. If you’re using a Windows 11 image, you must configure the image for shielded instances.

    Edit the image as follows:

    1. Open the navigation menu and click Compute. Under Compute, click Custom Images.
    2. Click your image.
    3. Click Edit Image Details and then set the following:
      • Under Firmware, ensure that only UEFI is selected.
      • Under Secure Boot, for preferred status for secure boot, select Enabled.
    4. Click Save changes.
  5. Before making your image available for use with Secure Desktops, it is recommended that you test the image by manually creating a compute instance with the image and establishing a console connection. See Troubleshooting Instances Using Instance Console Connections.
  6. Add required tags to make your image available for use with Secure Desktops. See Secure Desktops Tags.