Create a Windows 10 BYOL OS only master image (Using Virtual Box)

THIS IS A DRAFT!!

GPL: 11-14-2019: Doc created for 1903

GPL: 02-24-2020: Updated for 1909

Prerequisites:

1. Must have a PC where Virtual Box can be installed and run.

• It also must have at least 65GB free space to create the VHD file.

2. Have a source Windows 10 OS .iso available for use

NOTE: A combination of v1903 and v1909 were used in compiling this guide.

3. The PC must be connected to the Internet (for OS patching purposes)

Download and Install Oracle Virtual Box

Download the virtual box software from: https://www.virtualbox.org/wiki/Downloads

Install Virtual Box on your PC: (I used all default prompts)

Configure Windows Virtual Box VM Instance to install Windows 10 OS only instance

From the VirtualBox Manager menu, click New to create a new Virtual Machine

Enter a Name for the new VM and select Version of Windows 10 (64-bit), then click Next

Set your memory to at least 2 GB (4GB if you can spare it)

I set mine to 4GB

Then Click Next

The Create Hard disk window appears:

Select the Create a virtual hard disk now option and then click Create.

Select . from the list, then click Next

Select Fixed Size from the list,

Then click Next

Change the size from the default of 50GB to 60 GB:

Then click Create.

The virtual disk creates:

Which will leave you back at the VM Virtual Machine manager homepage:

You need to disable the Floppy Drive and attach a Windows 10 .iso. To begin, click Settings:

And then the System Icon:

In the Boot Order box, Uncheck the Floppy drive:

And click OK.

Now click the Storage Icon:

Click on the CD-Rom Icon listed as Empty under the Storage Devices to select it:

Now click the CD-ROM icon listed under the Attributes box:

The Dropdown list appears:

Select the “Choose Virtual Optical Disk File…” option

A file explorer window opens:

Navigate to the Windows 10.iso file of your choice, then click the file to select it.

Once selected, click Open

The CD-ROM drive in the Storage Devices box now shows the Windows 10_x.iso. Click OK.

Once again, you’ll be back at the Virtual Box console window:
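The same VM configuration can be scripted with VirtualBox's VBoxManage command-line tool, which makes the master-image build repeatable. This is an added example, not part of the original guide; the VM name, the ISO path, the default VirtualBox install directory and the default "VirtualBox VMs" machine folder are assumptions, and VHD is used as the disk format because the guide later uploads a .vhd file.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Assumptions: VM name, ISO path, default VirtualBox install and machine folders.
$ErrorActionPreference = 'Stop'
$vbox   = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
$vmName = 'Win10_BYOL'                      # hypothetical VM name
$iso    = 'C:\ISO\Windows10.iso'            # hypothetical path to your Windows 10 .iso
$vmDir  = Join-Path $env:USERPROFILE "VirtualBox VMs\$vmName"
$vhd    = Join-Path $vmDir "$vmName.vhd"

function Invoke-VBox {
    # Run VBoxManage and stop on the first failing command.
    & $vbox @args
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($args -join ' ') failed" }
}

# The guide asks for at least 65 GB free for the fixed-size disk.
$drive = (Get-Item $env:USERPROFILE).PSDrive
if ($drive.Free -lt 65GB) { throw "Less than 65 GB free on drive $($drive.Name)" }
if (-not (Test-Path $iso)) { throw "ISO not found: $iso" }

# New VM, Windows 10 (64-bit), 4 GB RAM.
Invoke-VBox createvm --name $vmName --ostype Windows10_64 --register
Invoke-VBox modifyvm $vmName --memory 4096

# Boot order without the floppy drive: optical first, then hard disk.
Invoke-VBox modifyvm $vmName --boot1 dvd --boot2 disk --boot3 none --boot4 none

# 60 GB fixed-size VHD (size is given in MB).
Invoke-VBox createmedium disk --filename $vhd --format VHD --variant Fixed --size (60 * 1024)

# Attach the disk and the Windows 10 .iso to a SATA controller.
Invoke-VBox storagectl $vmName --name 'SATA' --add sata --controller IntelAhci
Invoke-VBox storageattach $vmName --storagectl 'SATA' --port 0 --device 0 --type hdd --medium $vhd
Invoke-VBox storageattach $vmName --storagectl 'SATA' --port 1 --device 0 --type dvddrive --medium $iso

Write-Output "VHD created at: $vhd"
```

The path printed on the last line is the same .vhd location that the guide later reads from the Storage settings.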

Install and patch the Windows 10 OS from your .iso

Click Start to boot the VM:

Install Windows 10 (v1903)

The VM boots using the Windows 10.iso media file:

Leave the defaults and click Next:

When Prompted:

Click the Install now button.

Setup starts:

And will prompt for the OS to install:

Select the Windows 10 version of your choice. (Enterprise, Pro or Education):

I chose Enterprise, then click Next.

You’re prompted to Accept the License Terms:

Click the I accept the License terms check box:

then click Next.

Windows Setup asks which type of installation you want:

Click Custom: Install Windows Only.

Windows Setup then asks where you want to install Windows.

Leave the Drive 0 option selected and click Next.

Setup then starts installing Windows:

This takes some time. Come back to the machine after grabbing some coffee…..

The VM will restart a few times….

And will “get ready”:

Which eventually leads to the Location Prompt:

Select United States from the list and then Click Yes

For Keyboard, leave US and Click YES

When asked about a second keyboard:

Click Skip

Setup will then continue for a bit….

Until it stops at this screen:

The image you are creating will be used in a domain joined scenario. Therefore, click “Domain Join instead” at the bottom left.

After a few moments:

A “Who’s going to use this PC?” window appears:

The username entered will be a local administrator. Therefore, this is the perfect time to create the required WorkSpaces_BYOL user. So in the Name box, enter workSpaces_byol:

NOTE: Case doesn’t matter….all lower is fine.

Then click Next

You’ll be prompted to create a Password:

Enter a password for the WorkSpaces_BYOL user and then hit Next:

Re-enter the same password to confirm it, and then hit Next.

NOTE: Be sure to record this password as you’ll need to include it in the files to upload to the AWS WorkSpaces service team so they can integrate this image into the WorkSpaces service. You will be able to disable the ID and/or change the password after the integration is complete and as you create a custom WorkSpaces image later on.

You will now be asked to create and answer 3 security questions:

You can pick any of the questions listed and answer them accordingly.

NOTE: You do NOT need to supply these Questions and Answers to AWS. However, you do want to remember these for your own reference purposes should you need them for any administrative purposes in the future.

Select a First Question:

And Answer accordingly. (I did use “xxxx”)

Select a second question:

And Answer accordingly. (I did use “yyyy”)

Select a Third question

And answer accordingly. (I did use “zzzz”)

Click Next.

You’ll be asked if you want to add activity History across devices:

Click NO

You’ll be asked if you want help from Cortana, the Windows digital assistant:

Leave the “Let Cortana respond to ‘Hey Cortana’” option unchecked and click Decline.

You will then be asked to choose privacy settings:

Scroll down the page and move all of the sliders to say NO.

And then click Accept.

Windows Setup then continues for a while:

And is very helpful:

And informative along the way:

Until Windows 10 ultimately presents a desktop:

Click Yes to make it discoverable. (Again, you can change this later on via a custom WorkSpaces instance and/or GPO)

Manually Patch the Windows 10 OS only instance

You must manually patch the image with the latest Windows Updates.

NOTE: The only EXCEPTION to this rule: do NOT bring a Windows 10 1511 release up to version 1607 via patching. If Anniversary edition (1607) is the intended version, Anniversary edition media should be used. (This applies to ALL Windows 10 releases, i.e. 1803 to 1809, etc.)

To do so, run the Windows Updates wizard by clicking the Start menu, followed by the gear/settings icon to the left:

Once the Windows Settings window appears,

Scroll down and choose Update & Security:

and then Windows Update.

Check for new Windows 10 updates by choosing Check for updates.

Click Check for Updates. It most likely will come back with a recommended list of updates that are needed. If any are indeed found to be needed, they will start downloading and installing themselves:

When you see a number of the updates sitting in a Pending Install state (and none are being installed):

From the Start Menu, select Restart

OR, if you are prompted:

Click Restart Now.

The machine will shut down:

Reboot: (It may reboot a few times during this process, depending upon the updates installed)

Will continue to update:

Until complete:

The OS GUI updates itself:

Reboots: (again depending upon the updates applied)

And boots up to update again:

Another helpful message

And the GUI then updates itself further:

Until it ultimately will leave you at:

The login screen. Click on it to expose the login window:

With the WorkSpaces_Byol user populated. Enter the password you created earlier to log in.

Now run the Windows Updates wizard and check for updates again (install…reboot…repeat until there are not any more updates to run)

Open Windows Update to run it again. From the Start menu, select Settings:

Windows Settings opens:

Scroll down the page to find and click Update and Security.

Reboot VM when complete

Click Restart now if/when prompted to shut down and restart the Windows 10 virtual machine after each attempt to ensure it’s fully patched.

Repeat the previous cycle (reboot, log in, run the Windows Update wizard) until it tells you that the machine is up to date:

Run the AWSEUC_WIN10_BYOL_config.PS1 and BYOL checker script

1. Log into the machine using the Workspaces_BYOL ID with the password that was previously noted.

2. Open File Explorer and manually create a C:\Temp folder

3. Open Internet Explorer and go to:

4. Open the following URL to download the AWSEUC_WIN10_BYOL_config.ZIP AND the BYOLChecker.zip files: http://bit.ly/WS_BYOL_PREP

NOTE: This is temporary….working on a permanent “host” location for these files

5. Download/Save the AWSEUC_WIN10_BYOL_config.txt file to c:\temp saving it as a .ps1

NOTE: You will have to append quotes in the File name box to rename it while saving.

6. Download/Save the BYOLChecker.zip file to c:\temp

NOTE: The BYOLChecker link on the page is simply a link to the production URL found here: https://docs.aws.amazon.com/workspaces/latest/adminguide/byol-windows-images.html#windows_images_run_byol_checker_script

7. At the Save as dialog box, navigate to the c:\temp location

8. To run the AWSEUC_WIN10_BYOL_config.PS1 script, an ADMINISTRATIVE context must be used in PowerShell ISE. Right-click Windows PowerShell ISE,

Choose Run as administrator.

NOTE: I use PowerShell ISE….a straight PowerShell window can also be used in an Administrative context.

9. Click Yes to the UAC prompt:

10. In the PowerShell ISE window, change path to “c:\temp”

11. Set the session’s Execution policy by entering: “Set-ExecutionPolicy Unrestricted”

12. Hit “A” for all when prompted

13. Start the AWSEUC_WIN10_BYOL_config.PS1 script by entering “.\AWSEUC_WIN10_BYOL_config.PS1”

If a security notification appears:

Press the R key to run once.

14. The script executes and eventually leaves you with the following prompt:

Click OK to ShutDown the virtual machine

NOTE: This window may pop up behind the PowerShell ISE window.

15. The virtual machine shuts down and you are left at the VM Manager window. Prior to running the BYOL Checker, the Windows 10.iso file must be unmounted from the CD-ROM drive. To do so, click on the Settings icon:

16. When Settings opens:

Click the Storage icon

17. Click the optical drive (en_windows_10..) found under the Storage Devices box.

Then click the remove selected Storage Attachment icon:

18. When prompted:

Click Remove

19. Click OK to close the Storage Window

20. Back at the VM Manager

Click Start to boot the VM and run the BYOL_Checker script.

21. Log back in as the workspaces_byol user and open File Manager

22. Navigate to C:\temp in file explorer:

23. Extract the BYOLChecker.zip file by right clicking on it and selecting Extract All… from the menu:

24. Leave the c:\temp\byolChecker path as is in the input box,

Then click Extract

25. Run the BYOLChecker.PS1 script from PowerShell. Right-click Windows PowerShell,

Choose Run as administrator.

26. Click Yes to the UAC prompt:

In the PowerShell window, change the path to “c:\temp\byolchecker”

27. Set the session’s Execution policy by entering: “Set-ExecutionPolicy Unrestricted”

28. Hit “A” for Yes to All when prompted

29. Start the BYOLChecker.PS1 script by entering “.\BYOLChecker.PS1”

30. If a security notification appears:

Press the R key to run once.

31. The Amazon WorkSpaces Image Validation form appears:

Click the Begin Tests button.

32. Each test begins to run…

33. When it completes, you can view the status of each test.

NOTE: For any test with a status of Warning:

If applicable, resolve any issues that cause test failures and warnings by clicking the “Fix All Warnings” button. Once it completes, then click the Begin Tests button again. Repeat these steps until the VM passes all tests. All failures and warnings must be resolved before you can run Sysprep.

NOTE2: The AWSEUC_WIN10_BYOL_config.Ps1 script eliminates the need for this…just left it in the doc for reference “just in case”.

34. The BYOL script checker generates two log files. These two files are located in the directory that contains the BYOL Checker script files and are named as follows:

• BYOLPrevalidationlogYYYYMMDDT

• ImageInfo.text

Prior to running sysprep, you will want to offload those files so you can attach them to the case/ticket that was opened.

35. Once the checker has passed all of the tests, the script will open to the following window:

36. Click the Run Sysprep button

37. Sysprep begins to execute and will ultimately shut down the virtual machine leaving you back at the window:

With the virtual machine displayed in powered off state.
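Steps 4 to 13 and 27 to 29 run scripts fetched through a shortened http:// link, and `Set-ExecutionPolicy` without `-Scope` changes the LocalMachine policy, which stays in effect on the VM after the session ends. The following added example (not part of the original guide or of the AWS scripts) checks each download before anything runs and limits the policy change to the current PowerShell process. The expected SHA-256 values are placeholders to be obtained from the publisher over a trusted channel, and the file paths assume the c:\temp location used in the steps above.

```powershell
# Added example: verify the downloaded BYOL files, then run the config script
# with a process-scoped execution policy. Hash values are placeholders.
$ErrorActionPreference = 'Stop'

$expected = @{
    'C:\Temp\AWSEUC_WIN10_BYOL_config.ps1' = '<SHA256-FROM-PUBLISHER>'
    'C:\Temp\BYOLChecker.zip'              = '<SHA256-FROM-PUBLISHER>'
}

function Test-Download {
    param([string]$Path, [string]$Sha256)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # Mark-of-the-web: alternate data stream set on files saved from the Internet.
    $motw = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $Path
        Sha256    = $actual
        HashMatch = ($actual -eq $Sha256)   # -eq is case-insensitive for strings
        HasMotw   = [bool]$motw
        # Authenticode status is only meaningful for the script file.
        Signature = if ($Path -like '*.ps1') {
                        (Get-AuthenticodeSignature -FilePath $Path).Status
                    } else { 'n/a' }
    }
}

$results = foreach ($file in $expected.Keys) { Test-Download $file $expected[$file] }
$results | Format-Table -AutoSize

if ($results.HashMatch -contains $false) {
    throw 'Hash mismatch: do not run the downloaded files.'
}

# Affects only this PowerShell process; the LocalMachine policy is left unchanged.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# Clear the mark-of-the-web only after the hash check has passed.
Unblock-File -Path 'C:\Temp\AWSEUC_WIN10_BYOL_config.ps1'
Set-Location 'C:\Temp'
.\AWSEUC_WIN10_BYOL_config.PS1
```

Running `Get-ExecutionPolicy -List` before Sysprep shows the policy at every scope, which confirms whether LocalMachine was left at Unrestricted.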

Get the path to the .vhd file (required for uploading to S3)

You now have finished the configuration of the Windows 10 OS only image. This step simply walks you through identifying the path and file location of the .vhd file. The .vhd file IS THE FILE you will upload into AWS and becomes your base Windows 10 OS image that will ultimately be integrated with the Amazon WorkSpaces Service.

1. The virtual machine shuts down and you are left at the VM Manager window:

2. Click on the Settings icon:

3. When Settings opens:

Click the Storage icon

4. Click the hard drive icon found under the Storage Devices box: (labeled Windows10_xxx.vhd)

Notice that under the Information section along the right side of the window, the location of the file is listed:

5. Click on that location entry to select the value

COPY THE FULL PATH as this is the data point you need to record!! Paste that path into notepad or somewhere you can easily reference it later.

My path is: C:\Users\GPLAdmin\VirtualBox VMs\Win10_Ent_1903\Win10_Ent_1903.vhd

NOTE: Even though the full path isn’t displayed, by clicking on the value of that field, you’ll be able to Ctrl+A to select the full path and filename and then Ctrl+C to copy it.

6. Once the path is copied and stored

Click OK or Cancel to close the Settings window.

7. This leaves you back at the VM Manager

Process Complete

You now have a .vhd file you can use to upload into S3 and continue the BYOL image creation process. Use the Import_VHD_images.pdf doc temporarily found here: http://workspaces.awseuclabfiles.com/Import_VHD_image.pdf