Updated on 2024-03-15 GMT+08:00

Configuring an ECS

Scenario

This section describes how to install application software, configure patch updates, and install system patches on an ECS.

Prerequisites

  • You have obtained the username and password for logging in to the ECS.
  • You have created an ECS. For details, see Creating an ECS.
  • You have obtained the files listed in Required Software and decompressed the Workspace_HDP_WindowsDesktop_Installer_x.x.x.iso file to obtain the Workspace_HDP_WindowsDesktop_Installer_x.x.x folder.

Procedure

The operations vary depending on the OS. Follow the instructions on the GUI.

Installing a Windows OS and the VMTools Driver

  1. Log in to the console.
  2. Choose Service List > Compute > Elastic Cloud Server.
  3. Locate the row that contains the ECS created in Creating an ECS, and click Remote Login to log in to the Windows VM.
  4. For details, see Installing a Windows OS and the VMTools Driver.

    When selecting the OS installation location, ensure that the driver version of Windows Server 2019 is the same as that of Windows Server 2016. That is, set $OS_Version in vmtools-windows/upgrade/$OS_Version/drivers/viostor to Windows 2016.

Modifying the group policy

  • If you modify the group policy, no confirmation dialog box is displayed when you disable the Windows ECS created using the image.
  • If you do not modify the group policy, you can perform this task on a Windows ECS created using the image.
  • Remote desktop connection is available only after you configure the group policy of the remote desktop service.
  1. On the ECS, right-click in the lower left corner, enter gpedit.msc in the Run dialog box, and press Enter.

    The Local Group Policy Editor window is displayed.

  2. In the navigation tree of the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > System.
  3. Disable Activate Shutdown Event Tracker System State Data feature and Display Shutdown Event Tracker, as shown in Figure 1.

    Figure 1 Modifying the group policy

  4. In the navigation pane, choose Computer Configuration > Policy > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  5. Set Require use of specific security layer for remote (RDP) connections to Enabled, and set Security Layer to RDP, as shown in Figure 2.

    Figure 2 Setting security layer

  6. Set Require user authentication for remote connections by using Network Level Authentication to Disabled, as shown in Figure 3.

    Figure 3 Setting user authentication

Disabling Manage Your Server page upon login

  1. In the navigation tree, choose Computer Configuration > Administrative Templates > System > Server Manager, as shown in Figure 4.

    Figure 4 Disabling Manage Your Server page upon login

  2. In the right pane, double-click Do not display Server Manager automatically at logon.

    The Do not display Server Manager automatically at logon dialog box is displayed.

  3. Select Enabled.
  4. Click OK.

Enabling the microphone access permission for applications

  1. In the navigation tree of the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > Windows Components > App Privacy.

    Access the app privacy configuration list page and allow Windows applications to access the microphone, as shown in Figure 5.

    Figure 5 Allowing Windows applications to access the microphone

  2. In the right pane, double-click Let Windows apps access the microphone.

    The Let Windows apps access the microphone dialog box is displayed.

  3. Select Enabled. In the Options list, set Default for all apps to Force Allow, as shown in Figure 6.

    Figure 6 Configuring the microphone access permission for applications

  4. Click OK.

Enabling the camera access permission for applications

This parameter is required only for the VDI single session.

  1. In the navigation tree of the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > Windows Components > App Privacy.

    Go to the application privacy configuration list page and allow Windows applications to access the camera, as shown in Figure 7.

    Figure 7 Allowing Windows applications to access the camera

  2. In the right pane, double-click Let Windows apps access the camera.

    The Let Windows apps access the camera dialog box is displayed.

  3. Select Enabled. In the Options list, set Default for all apps to Force Allow, as shown in Figure 8.

    Figure 8 Configuring the camera access permission for applications

  4. Click OK.

Enabling the graphics adapter for the GPU remote desktop

This configuration is required only for GPU feature usage.

  1. In the navigation tree of the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment.

    The remote session environment configuration list page is displayed, as shown in Figure 9.

    Figure 9 Remote session environment configuration

  2. In the right pane, double-click Use the hardware graphics adapter for all Remote Desktop Services sessions.

    The Use the hardware graphics adapter for all Remote Desktop Services sessions dialog box is displayed.

  3. Select Enabled.
  4. Click OK.

Configuring H.264/AVC hardware encoding for remote desktop connection

  1. In the navigation tree of the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment.

    The remote hardware encoding configuration page is displayed, as shown in Figure 10.

    Figure 10 Remote hardware encoding

  2. Select Enabled.
  3. Click OK.

Setting the maximum frame rate

  1. Click and enter Regedit to open the registry editor.
  2. In the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations directory, right-click the blank area in the right pane, choose New > DWORD (32-bit) Value, name the new value DWMFRAMEINTERVAL, and press Enter, as shown in Figure 11.

    Figure 11 Creating a DWMFRAMEINTERVAL

  3. Right-click DWMFRAMEINTERVAL and choose Modify from the shortcut menu.
  4. Select Decimal, enter 15 in the Value data box, and click OK.

Disabling the defender firewall

  1. In the navigation tree of the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile.

    The Windows firewall name varies by the OS version. The actual configured name prevails.

    For example, Windows Firewall is displayed on Windows Server 2016, and Windows Defender Firewall is displayed on Windows Server 2019.

    The Domain Profile page is displayed, as shown in Figure 12.

    Figure 12 Domain profiles

  2. In the right pane, double-click Windows Defender Firewall: Protect all network connections.

    The Windows Defender Firewall: Protect all network connections dialog box is displayed.

  3. Select Disabled.
  4. Click OK.
  5. In the navigation tree of the Local Group Policy Editor window, click Standard Profile.

    The Standard Profile page is displayed, as shown in Figure 13.

    Figure 13 Standard profiles

  6. In the right pane, double-click Windows Defender Firewall: Protect all network connections.

    The Windows Defender Firewall: Protect all network connections dialog box is displayed.

  7. Select Disabled.
  8. Click OK.
  9. Close the Local Group Policy Editor window.
  10. Click Start > Run.

    The Run dialog box is displayed.

  11. Enter services.msc in the Open text box and press Enter.

    The Services window is displayed.

  12. In the right pane, double-click Application Layer Gateway Service.

    The Application Layer Gateway Service Properties (Local Computer) page is displayed.

  13. On the General tab, set Startup type to Disabled, as shown in Figure 14.

    Figure 14 Configuring the startup type

  14. Click OK.
  15. Set the Startup Type of Internet Connection Sharing (ICS) and Windows Firewall to Disabled by referring to steps 12 to 14.

    • The Windows firewall name varies by the OS version. The actual configured name prevails. For example, Windows Defender Firewall is displayed on Windows Server 2019.
    • You do not need to configure Windows Defender Firewall for Windows Server 2019.

Closing the Internet Explorer ESC on the server

  1. Click to open the Server Manager page.
  2. Select Local Server. On the Local Server page, click current settings in the Internet Explorer Enhanced Security Configuration to open the property page. Select Off for the required user and click OK, as shown in Figure 15.

    Figure 15 Modifying the Internet Explorer enhanced security configuration

Disabling Windows updates

  1. In the right pane of the Services window, double-click Windows Update.

    The Windows Update Properties page is displayed.

  2. Set Startup type to Disabled.
  3. Click OK.

Configuring the remote desktop service

  • This operation ensures that each Windows ECS created using the image can be logged in to from the remote desktop.
  • To use remote desktop connection, you need to modify the group policy of the remote desktop service.
  1. In the right pane of the Services window, right-click Remote Desktop Services and choose Properties from the shortcut menu.

    The Remote Desktop Services Properties (Local Computer) window is displayed.

  2. On the General tab, set Startup type to Automatic and click OK.
  3. Close the Services window.

Enabling remote service connection

After remote service connection is enabled, each Windows ECS created using the image can be accessed remotely.

  1. In the ECS, right-click in the lower left corner and choose Run from the shortcut menu.
  2. In the Run dialog box, enter sysdm.cpl and press Enter.

    The System Properties window is displayed.

  3. On the Remote tab, select Allow remote connections to this computer.

    For some OS types, if you select Allow remote connections to this computer, the remote desktop connection dialog box will be displayed. In this case, click OK to go to the next step.

  4. Click OK.

    Remote desktop connection has been enabled.
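
The settings made in the group policy, frame rate, firewall, services and remote connection sections above can be read back in one pass before the image is encapsulated, so the record kept with the image shows exactly which RDP, firewall and update settings it carries. The script below is an added example, not part of the original procedure; the registry value names and service short names are assumptions (they are not given on this page) and should be confirmed on your OS build.

```powershell
# Added example: read-only audit of the image settings configured above.
# Registry value names and service short names are assumptions, not from the page.
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fw  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$app = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$registryChecks = @(
    @{ Setting = 'Security Layer = RDP';                       Path = $ts;  Name = 'SecurityLayer';              Expected = 0 }
    @{ Setting = 'Network Level Authentication = Disabled';    Path = $ts;  Name = 'UserAuthentication';         Expected = 0 }
    @{ Setting = 'Hardware graphics adapter (GPU only)';       Path = $ts;  Name = 'bEnumerateHWBeforeSW';       Expected = 1 }
    @{ Setting = 'H.264/AVC hardware encoding = Enabled';      Path = $ts;  Name = 'AVCHardwareEncodePreferred'; Expected = 1 }
    @{ Setting = 'Microphone = Force Allow';                   Path = $app; Name = 'LetAppsAccessMicrophone';    Expected = 1 }
    @{ Setting = 'Camera = Force Allow (VDI single session)';  Path = $app; Name = 'LetAppsAccessCamera';        Expected = 1 }
    @{ Setting = 'Firewall, Domain Profile = Disabled';        Path = "$fw\DomainProfile";   Name = 'EnableFirewall'; Expected = 0 }
    @{ Setting = 'Firewall, Standard Profile = Disabled';      Path = "$fw\StandardProfile"; Name = 'EnableFirewall'; Expected = 0 }
    @{ Setting = 'DWMFRAMEINTERVAL = 15';                      Path = "$rdp\WinStations";    Name = 'DWMFRAMEINTERVAL'; Expected = 15 }
    @{ Setting = 'Allow remote connections to this computer';  Path = $rdp; Name = 'fDenyTSConnections';         Expected = 0 }
)

# Expected values are Win32_Service StartMode strings ('Auto', 'Manual', 'Disabled').
$serviceChecks = @(
    @{ Setting = 'Application Layer Gateway Service';                 Name = 'ALG';          Expected = 'Disabled' }
    @{ Setting = 'Internet Connection Sharing (ICS)';                 Name = 'SharedAccess'; Expected = 'Disabled' }
    @{ Setting = 'Windows Firewall (not required on Server 2019)';    Name = 'MpsSvc';       Expected = 'Disabled' }
    @{ Setting = 'Windows Update';                                    Name = 'wuauserv';     Expected = 'Disabled' }
    @{ Setting = 'Remote Desktop Services';                           Name = 'TermService';  Expected = 'Auto' }
)

$report = foreach ($c in $registryChecks) {
    # A missing key or value yields $null, which is reported as a mismatch.
    $actual = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{ Setting = $c.Setting; Expected = $c.Expected; Actual = $actual; Match = ($actual -eq $c.Expected) }
}

$report += foreach ($s in $serviceChecks) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($s.Name)'"
    [pscustomobject]@{ Setting = $s.Setting; Expected = $s.Expected; Actual = $svc.StartMode; Match = ($svc.StartMode -eq $s.Expected) }
}

# Full report, then only the rows that differ from what this page configures.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

Rows for the GPU-only and VDI single-session settings are expected to differ on images that do not use those features.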

Creating a temporary local admin user

  • After Cloudbase-Init is installed, it will randomize the password of the Administrator account if application software that takes effect only after a restart is installed. To prevent login failure after randomization, create a temporary account and reset the password of Administrator.
  • If your login using the default password of Administrator fails after the restart, log in as the admin user and reset the password of Administrator. Then use the Administrator account to log in again.
  1. In the navigation pane on the left, choose System Tools > Local Users and Groups > Users.
  2. Right-click and choose New User from the shortcut menu.
  3. In the New User dialog box, enter the user name and password, confirm the password, and click Create.
  4. In the navigation tree, choose Local Users and Groups > Groups.
  5. Right-click Administrators and choose Add to Group from the shortcut menu.
  6. In the Administrators Properties dialog box, click Add to add the user to the group and click OK.
  7. Click OK and close the Administrators Properties dialog box.
  8. Close Computer Management.

Configuring a private DNS

You can configure a private DNS server address for OBS so that Windows ECSs on Huawei Cloud can directly access OBS through the private network.

  1. On the ECS, click in the lower left corner, enter cmd, and press Enter.
  2. Run the ipconfig /all command to check whether the DNS server is set to the private DNS address for the region where the ECS resides.

    Huawei Cloud provides different private DNS server addresses for different regions. For details, see What Are Huawei Cloud Private DNS Server Addresses?

  3. Change the DNS server address of the VPC subnet.

    Locate the VPC where the ECS resides and change the DNS server address of the VPC subnet to the private DNS address. ECSs in the VPC can then use the private DNS for resolution, so you can access OBS over the Huawei Cloud intranet. For details, see Modifying a Subnet.

    Select the private DNS server address based on the region where the ECS is located. For details, see What Are Huawei Cloud Private DNS Server Addresses?

Obtaining required installation packages

  1. Upload the packages obtained in Required Software, except the OS ISO file, to the OBS bucket used in Registering a Private Image Using an ISO File.

    Set the object permission to Public Read.

  2. Record the link of each package in the OBS bucket.

    On OBS Browser+, right-click the package, choose Share from the shortcut menu, and click Copy Link to obtain the download link of the package. You need to download the package within the sharing validity period.

  3. In the root directory of drive C on the ECS, create a folder, for example, software, for storing the package to be installed.
  4. Open the browser on the ECS, copy the package link recorded in step 2 to the address box, and press Enter to download the package.

    • Switch the input mode of the ECS to English.
    • Download the required packages in sequence.

  5. Copy the obtained software packages to the C:\software directory.

Installing 7-Zip

  1. Go to C:\software to find and decompress the 7-Zip installation package.

(Optional) Installing the OS patch

  1. Go to C:\software where the package is stored and install the OS patch.

    OS patches are updated by Microsoft on an irregular basis. Pay attention to Microsoft announcements and update the OS in a timely manner.

Installing the GPU driver

This configuration is required only for GPU feature usage.

  1. Go to C:\software where the driver is stored, start and install the driver as prompted.

(Optional) Installing applications

  1. Go to C:\software where the package is stored and install the application.

    Some security software (antivirus software, safeguards, and firewalls) may conflict with the Microsoft encapsulation tool. As a result, desktop creation may fail, and the blue screen of death (BSOD) or black screen may occur on the created desktop. Therefore, install security software only after desktops are provisioned.

(Optional) Installing peripheral drivers

  1. Go to C:\software where the package is stored and install the peripheral driver as required.

Installing the Cloudbase-Init software

  1. Go to C:\software where the package is stored, open the Cloudbase-Init installation package, and install Cloudbase-Init as prompted.
  2. On the Configuration options page, configure parameters by referring to Figure 16.

    Figure 16 Configuration options

    Set parameters by referring to the following figure.

  3. After the configuration is complete, deselect the options shown in Figure 17.

    Figure 17 Finish

  4. Click Finish.

Configuring Cloudbase-Init

  1. Edit the configuration file C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf in the Cloudbase-Init installation path.

    1. Add the configuration item netbios_host_name_compatibility=false to the last line of the configuration file so that the host name of the Windows OS can contain a maximum of 63 characters.

      NetBIOS supports up to 15 characters due to the constraint of Windows OS.

    2. Add the configuration item metadata_services=cloudbaseinit.metadata.services.httpservice.HttpService to enable the agent to access the OpenStack data source.
    3. Add the following configuration item to disable Cloudbase-Init restart:
      plugins=cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,cloudbaseinit.plugins.windows.createuser.CreateUserPlugin,cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin,cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin,cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin,cloudbaseinit.plugins.common.userdata.UserDataPlugin

  2. In C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init-unattend.conf, check whether cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin, exists.

    • If yes, delete it and perform subsequent operations.
    • If no, perform subsequent operations.
    • Add cloudbaseinit.plugins.common.userdata.UserDataPlugin at the end of plugins=. Add a comma (,) in front of the added configuration item.
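
The two configuration files edited above can be checked against this section before encapsulation. The script below is an added example, not part of the original procedure or of Cloudbase-Init; the helper functions are hypothetical names, and the parser only reads plain key=value lines. It also reports a plugins= line that was added without removing an existing one.

```powershell
# Added example: read-only check of the Cloudbase-Init files edited in this section.
$confDir = 'C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf'
$expectedPlugins = @(
    'cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin'
    'cloudbaseinit.plugins.windows.createuser.CreateUserPlugin'
    'cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin'
    'cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin'
    'cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin'
    'cloudbaseinit.plugins.common.userdata.UserDataPlugin'
)
$hostNamePlugin = 'cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin'
$userDataPlugin = 'cloudbaseinit.plugins.common.userdata.UserDataPlugin'

function Read-ConfOptions([string]$Path) {
    # Collect every key=value line; a key set twice keeps all of its values in order.
    $options = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([^#;\[\s=]+)\s*=\s*(.*?)\s*$') {
            $key, $value = $Matches[1], $Matches[2]
            if ($options.ContainsKey($key)) { $options[$key] += ,$value }
            else { $options[$key] = @($value) }
        }
    }
    return $options
}

function Get-LastValue($Options, [string]$Key) {
    if ($Options.ContainsKey($Key)) { return $Options[$Key][-1] }
    return $null
}

function Split-Plugins($Value) {
    # Empty entries (for example from a trailing comma) are dropped.
    @("$Value" -split '\s*,\s*' | Where-Object { $_ })
}

$main     = Read-ConfOptions (Join-Path $confDir 'cloudbase-init.conf')
$unattend = Read-ConfOptions (Join-Path $confDir 'cloudbase-init-unattend.conf')
$mainPlugins     = @(Split-Plugins (Get-LastValue $main 'plugins'))
$unattendPlugins = @(Split-Plugins (Get-LastValue $unattend 'plugins'))

$results = [ordered]@{
    'conf: netbios_host_name_compatibility is false' = (Get-LastValue $main 'netbios_host_name_compatibility') -eq 'false'
    'conf: metadata_services is HttpService'         = (Get-LastValue $main 'metadata_services') -eq 'cloudbaseinit.metadata.services.httpservice.HttpService'
    'conf: plugins is set exactly once'              = $main.ContainsKey('plugins') -and $main['plugins'].Count -eq 1
    'conf: plugins matches the list in this section' = ($mainPlugins -join ',') -eq ($expectedPlugins -join ',')
    'unattend: SetHostNamePlugin is absent'          = $hostNamePlugin -notin $unattendPlugins
    'unattend: UserDataPlugin is the last plugin'    = $unattendPlugins.Count -gt 0 -and $unattendPlugins[-1] -eq $userDataPlugin
}

$results.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize
```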

Installing the password reset plug-in

  1. Install the ECS password reset plug-ins by referring to Installing the One-Click Password Reset Plug-In.

Installing SysAgent and SysPrep

  1. Copy the HW.SysAgent.Installer_64.msi and HW.SysPrep.Installer_64.msi installation packages to the ECS.
  2. Double-click the HW.SysAgent.Installer_64.msi and HW.SysPrep.Installer_64.msi files to install them.

Installing the WKSAppDhcpd component

  1. Copy the WKSAppDhcpd_windows-amd64.msi installation package to the ECS.
  2. Double-click the WKSAppDhcpd_windows-amd64.msi file to install it.

    This parameter is required only for multi-session mode.

Installing the WKSRStorageAgent component

  1. Copy the WKSRStorageAgent_windows-amd64.msi installation package to the ECS.
  2. Double-click the WKSRStorageAgent_windows-amd64.msi file to install it.

(Optional) Backing up an image

After an image is encapsulated, if the ECS is stopped and restarted, the image is decapsulated and cannot be used directly. You need to configure and encapsulate the ECS again. If necessary, you can back up the ECS before encapsulation.

  1. On the ECS list page, locate the configured ECS and choose More > Stop to stop it.
  2. After the ECS is stopped, choose More > Manage Image/Backup > Create Image to create an ECS backup.
  3. After the ECS backup is created, restart the ECS and perform encapsulation on the ECS.

Encapsulating an image

  1. On the ECS, find the Windows image creation tool in C:\software and decompress it to obtain the Workspace_HDP_WindowsDesktop_XXX folder.
  2. Right-click in the lower left corner, enter cmd, and press Enter.
  3. Run the following command to switch to the directory containing the template tool:

    cd C:\software\Workspace_HDP_WindowsDesktop_Installer_x.x.x

  4. In the displayed CLI, run the following command to encapsulate the image:

    To create a multi-session common/GPU image: run_silent.bat --passive --environment_type 2 --hda_type 3 --nocheck -noshutdown

    To create a single-session common image: run_silent.bat --passive --environment_type 2 --hda_type 1 --appmode --nocheck -noshutdown

    To create a single-session GPU image: run_silent.bat --passive --hda_type 2 --environment_type 2 --appmode --nocheck --noshutdown

    During image encapsulation, the ECS automatically restarts. Do not exit or stop the ECS. After the ECS is restarted, enter the ECS password to proceed with image encapsulation.

    After the encapsulation tool displays a message indicating that the encapsulation is successful, you can close the tool.

Deleting the temporary admin user

  1. Click Start > Run.

    The Run dialog box is displayed.

  2. Enter sysdm.cpl in the Open text box and press Enter.

    The System Properties dialog box is displayed.

  3. On the Advanced tab page, click Settings under User Profiles.

  4. On the User Profiles page, select the profiles of the user to be deleted and click Delete.
  5. Click OK.
  6. Close the System Properties window.
  7. Click Start > Run.

    The Run dialog box is displayed.

  8. Enter compmgmt.msc in the Open text box and press Enter.

    The Computer Management window is displayed.

  9. In the navigation pane on the left, choose System Tools > Local Users and Groups > Users.
  10. In the right pane, right-click the username to be deleted and choose Delete.
  11. In the displayed dialog box, click Yes.
  12. Click OK.
  13. Close the Computer Management window.

Stopping an ECS

  1. On the ECS list page of the console, locate the row that contains the ECS created in Creating an ECS, and choose More > Stop to stop the ECS.