Help Center/ Workspace/ User Guide (Administrators)/ Private Images/ Creating a Windows 11 Desktop Private Image/ Configuring an ECS
Updated on 2025-09-16 GMT+08:00
View PDF
Share

Configuring an ECS

Scenario

This section describes how to install application software, configure patch update, and install system patches on an ECS.

Prerequisites

  • You have obtained the username and password for logging in to the ECS.
  • You have created an ECS. See Creating an ECS.
  • You have obtained the files listed in Required Software and decompressed Workspace_HDP_WindowsDesktop_Installer_x.x.x.iso to obtain the folder Workspace_HDP_WindowsDesktop_Installer_x.x.x.

Procedure

The operations vary depending on the OS. Follow the instructions on the GUI.

Installing a Windows OS and the VirtIO driver

  1. Log in to the console.
  2. Choose Compute > Elastic Cloud Server under All Services.
  1. Locate the row of the ECS created in Configuring an ECS, and click Remote Login. The window of logging in to a Windows ECS is displayed.
  2. In the window displayed, click the button of logging in now under VNC login.

    • Before installing Windows 11, press any key immediately after logging in using VNC. If the following page is displayed, click Send CtrlAltDel in the upper right corner and then press any key. The normal loading page appears.

      If the following page appears repeatedly, click Send CtrlAltDel and press any key until the normal loading page appears.

  3. Select the language, time, and currency format as required, and click Next.
  4. Set the keyboard and input method as required and click Next.
  5. Select the installation option, which is Windows 11 by default. Select the declaration terms and click Next.

    If a message is displayed indicating that this PC does not meet the system requirements for Windows 11, the virtualization does not support vTPM. In this case, perform the following operations:

    1. Restart the server.
    2. On the page of installation options, press Shift + F10 to open the CLI.
    3. Add registry entries by running the following commands:

      reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f

      reg add "HKLM\SYSTEM\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f

    4. Close the CLI and click Next.

  6. On the Applicable notices and license terms page, click Accept.
  7. Retain the default disk.

    If no default disk is available, perform the following operations:

    1. Click Load Driver.
    2. Click Browse.
    3. Select viostor > w11 > amd64 under CD Driver (X) and click OK.
    4. Select the driver file corresponding to the ISO version and check the box of hiding drivers incompatible with this computer.
    5. Click Install and retain the default disk.
    6. Click Next and click Install.

    Wait till the OS installation is complete.

  8. Select a region as required, for example, China. Click Yes.
  9. Select a keyboard layout as required. Click Yes.
  10. Click Skip.
  11. Configure the network as required.

    If no configuration is required, click I don't have internet in the lower left corner, and then click Continue with limited setup.

    If I don't have internet is not displayed, press Shift + F10 and enter OOBE\BYPASSNRO in the CLI, and press Enter.

  12. Set Who Will Use This Computer? Create a user named admin and click Next.

    You are advised to create a user named admin. The username and password can be used for subsequent server configuration.

  13. Enter the password and click Next.
  14. Enter the password in 15 again and click Next.
  15. On the displayed Create security questions for this account window, specify three security questions.
  16. On the Choose privacy settings for your device window, click Next three times, and then click Accept.
  17. In Let Cortana help you get things done, click Not now or Accept.
  18. Click Next to agree to the cross-border transfer of personal data. The Windows 11 desktop GUI is displayed.
  19. Install related drivers for Windows 11.
  20. Open the computer, select the CD driver (X), and double-click to open it.
  21. Double-click virtio-win-gt-x64 or virtio-win-gt-x86 based on the OS. Install the driver as prompted.
  22. After the installation is complete, start Device Manager and check whether the driver has been installed.

    1. Right-click and choose Run from the shortcut menu. In the displayed text box, enter devmgmt.msc and press Enter.
    2. On the Device Manager page, check whether the driver has been installed, as shown in Figure 1.
      Figure 1 Device manager

Follow-up operations

  1. Check whether the resolution can be changed. If it cannot, address it based on the system boot mode.
  2. Right-click and choose Run from the shortcut menu. In the displayed text box, enter msinfo32 and press Enter.
  3. In the right pane of the System Information dialog box, locate BIOS Mode, as shown in Figure 2.

    Figure 2 System information

  4. If the value of BIOS Mode is UEFI, address the resolution change failure by referring to What Do I Do If I Cannot Change the Resolution of a Windows OS Booted in UEFI Mode?

Skipping network connection activation upon the first startup

  1. When you log in to Windows 11 for the first time, press Shift+F10 on the network connection page. If the operation fails, press Fn+Shift+F10.
  2. In the displayed window, enter regedit and press Enter.
  3. In the displayed window, choose Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE.
  4. Right-click in the blank area on the right of the registry. In the displayed shortcut menu, create a DWORD (32-bit) value (D). Rename the new value BypassNRO. Double-click BypassNRO to change the DWORD (32-bit) value to 1, and click OK.
  5. In the command prompt window, enter taskkill /f /im OOBENetworkConnectionFlow.exe and press Enter to skip the network connection.

Disabling the firewall

  1. In the navigation pane of the Local Group Policy Editor, choose Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile.

    The Domain Profile page is displayed, as shown in Figure 3.
    Figure 3 Domain profiles

  2. In the right pane, double-click Windows Defender Firewall: Protect all network connections.

    The Windows Defender Firewall: Protect all network connections dialog box is displayed.

  3. Select Disabled.
  4. Click OK.
  5. In the navigation pane, choose Standard Profile.

    The Standard Profile page is displayed, as shown in Figure 4.

    Figure 4 Standard profiles

  6. In the right pane, double-click Windows Defender Firewall: Protect all network connections.

    The Windows Defender Firewall: Protect all network connections dialog box is displayed.

  7. Select Disabled.
  8. Click OK.

Disabling fast startup

  1. On the ECS, press Win + R. In the Run dialog box, enter control and press Enter.
  2. On the Control Panel page, choose System and Security > Power Options. In the left pane, click Choose what the power button does, as shown in Figure 5.

    Figure 5 Power Options

  3. Click Change settings that are currently unavailable, as shown in Figure 6.

    Figure 6 Change settings that are currently unavailable

  4. Deselect Turn on fast start-up, as shown in Figure 7.

    Figure 7 Fast startup

  5. Click Save changes.

Configuring NIC persistence using group policies

  1. Create a startup file named DisableChecksum.ps1 in the C:/Windows/Setup/Scripts directory of the ECS.
  2. Copy the following content to DisableChecksum.ps1: 

    $adapters = Get-NetAdapter | Where-Object {$_.MediaConnectState -eq "Connected" -or $_.InterfaceDescription -like "*"}

Write-Output $adapters

foreach ($adapter in $adapters) {
    $name = $adapter.Name
    Write-Host "Disabling checksum offload for: $name"
    $properties = @(
        "IPv4 Checksum Offload",
        "IP Checksum Offload",
        "TCP Checksum Offload (IPv4)",
        "TCP Checksum Offload (IPv6)",
        "UDP Checksum Offload (IPv4)",
        "UDP Checksum Offload (IPv6)",
        "TCP Checksum Offload IPv4",
        "TCP Checksum Offload IPv6",
        "UDP Checksum Offload IPv4",
        "UDP Checksum Offload IPv6",
        "IPv4 Checksum Offload",
        "IPv6 Checksum Offload"
    )

    foreach ($prop in $properties) {
        try {
            $current = Get-NetAdapterAdvancedProperty -Name $name -DisplayName $prop -ErrorAction SilentlyContinue
            Write-Output "Current: $current"
            Write-Output "Prop: $prop"
            if ($current) {
                Set-NetAdapterAdvancedProperty -Name $name -DisplayName $prop -DisplayValue "Disabled" -ErrorAction Stop
                Write-Host "   Disabled: $prop"
            }
        } catch {
        }
    }
}

  3. On the ECS, press Win + R. In the Run dialog box, enter gpedit.msc and press Enter.
  1. On the Local Group Policy Editor page, choose Windows Settings > Scripts (Startup/Shutdown), as shown in Figure 8.

    Figure 8 Script settings

  2. Double-click Startup, as shown in Figure 9.

    Figure 9 Startup for scripts

  3. On the displayed Startup Properties page, click the PowerShell Scripts tab.
  4. Click Add to go to the Add a Script window.
  5. Click Browse, select the file created in 47, and click OK. The script parameters are empty by default.
  6. Click OK.

Disabling Windows update

System update may cause desktop system exceptions (such as blue screen, black screen, and frame freezing). To ensure system stability, verify that the patch package works properly before pushing it.

  1. On the ECS, right-click in the lower left corner and choose Run from the shortcut menu.

    The Run dialog box is displayed.

  1. Enter compmgmt.msc in the Open text box and press Enter.

    The Computer Management window is displayed.

  2. In the navigation pane, choose Services and Applications > Services.

    The Services page is displayed, as shown in Figure 10.

    Figure 10 Services

  3. In the right pane, double-click Windows Update.

    The Windows Update Properties page is displayed.

  4. On the General tab, set Startup Type to Disabled.
  5. Go to Recovery. Set First failure to Take No Action.
  6. Click OK.
  • After Cloudbase-Init is installed, it will randomize the password of the Administrator account if application software that takes effect only after a restart is installed. To prevent login failure after randomization, create a temporary account and reset the password of Administrator.
  • The Administrator account of Windows OS is disabled by default. You need to enable it.
  • If your login using the default password of Administrator fails after the restart, log in as the admin user and reset the password of Administrator. Then log in as the Administrator user again.

Configuring a private DNS

You can configure a private DNS server address for OBS so that Windows ECSs on Huawei Cloud can directly access OBS through the private network.

  1. On the ECS, right-click in the lower left corner, enter cmd, and press Enter.
  2. Run the ipconfig /all command to check whether the DNS server is at the private DNS address in the region where the ECS resides.

    Huawei Cloud provides different private DNS server addresses for different regions. For details, see What Are Huawei Cloud Private DNS Server Addresses?

  3. Change the DNS server address of the VPC subnet.

    Locate the VPC where the ECS resides and change the DNS server address of the VPC subnet to the private DNS address. In this manner, ECSs in the VPC can use the private DNS for resolution and thereby you can access OBS on Huawei Cloud intranet. For details, see Modifying a Subnet.

    The private DNS server address must be selected based on the region where the ECS is. For details, see What Are Huawei Cloud Private DNS Server Addresses?

Obtaining required installation packages

  1. Upload the packages obtained in Required Software, except the OS ISO file, to the OBS bucket used in Registering a Private Image Using an ISO File.

    Set the object permission to Public Read.

  2. Record the link of each package in the OBS bucket.

    On OBS Browser+, right-click the package, choose Share from the shortcut menu, and click Copy Link to obtain the download link of the package. You need to download the package within the sharing validity period.

  3. In the root directory of drive C on the ECS, create a folder, for example, software, for storing the package to be installed.
  4. Open the browser on the ECS, copy the package link recorded in 67 to the address box, and press Enter to download the package.

    • Switch the input mode of the ECS to English.
    • Download the required packages in sequence.

  5. Copy the obtained packages to C:\software.

Installing the 7-Zip

  1. Go to C:\software to find and decompress the 7-Zip installation package.

Installing the Visual Studio 2017 runtime library

  1. Go to C:\software to find the vc_redist.x64.exe and vc_redist.x86.exe packages, and double-click to install the Visual Studio 2017 runtime library.
  2. Restart the ECS.

Enabling a disabled Administrator account

  1. Right-click in the lower left corner, enter compmgmt.msc, and press Enter.
  2. On the Computer Management page, choose Computer Management (Local) > System Tools > Local Users and Groups > Users.
  3. Right-click Administrator and choose Properties from the shortcut menu. Deselect Account is disabled and click OK, as shown in Figure 11.

    Figure 11 Setting the Administrator account

  4. Right-click Administrator and choose Set Password from the shortcut menu, as shown in Figure 12. Set the password of the Administrator account as prompted.

    Figure 12 Setting the password of the Administrator account

  5. Log out of the ECS and log in to the ECS as the Administrator user.

(Optional) Deleting the Microsoft language package

  1. Search for Windows PowerShell in the Start menu and click Run as administrator. The Windows PowerShell running page is displayed.
  2. Delete the Microsoft language package:

    Get-Appxpackage -allusers *Microsoft.LanguageExperiencePackzh-CN* | remove-appxpackage

(Optional) Installing the OS patch

  1. Go to C:\software where the package is stored and install the OS patch.

    OS patches are updated by Microsoft on an irregular basis. Pay attention to Microsoft announcements and update the OS in a timely manner.

(Optional) Installing applications

  1. Go to C:\software where the package is stored and install the application.

    Some security software (antivirus software, safeguards, and firewalls) may conflict with the Microsoft encapsulation tool. As a result, desktop creation may fail, and the blue screen of death (BSOD) or black screen may occur on the created desktop. Therefore, install security software only after desktops are provisioned.

(Optional) Installing peripheral drivers

  1. Go to C:\software where the package is stored and install the peripheral driver.

Installing the Cloudbase-Init software

  1. Go to C:\software where the package is stored, open the Cloudbase-Init installation package, and install Cloudbase-Init as prompted.
  2. On the Configuration options page, configure parameters by referring to Figure 13.

    Figure 13 Configuration options

    The version number in the figure is for reference only. Use the actual version number.

  3. After the configuration is complete, deselect the options shown in Figure 14.

    Figure 14 Finish

  4. Click Finish.

Configuring Cloudbase-Init

  1. Edit the configuration file C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf in the Cloudbase-Init installation path.

    1. Add the netbios_host_name_compatibility=false configuration item to the last line of the configuration file so that the host name of the Windows OS can contain a maximum of 63 characters.

      NetBIOS supports up to 15 characters due to the constraint of Windows OS.

    2. Add the configuration item metadata_services=cloudbaseinit.metadata.services.httpservice.HttpService to enable the agent to access the OpenStack data source.
    3. Add the following configuration item to disable Cloudbase-Init restart: 
      plugins=cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,cloudbaseinit.plugins.windows.createuser.CreateUserPlugin,cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin,cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin,cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin,cloudbaseinit.plugins.common.userdata.UserDataPlugin

  2. In C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init-unattend.conf, check whether cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin, exists.

    • If yes, delete it and perform subsequent operations.
    • If no, perform subsequent operations.
    • Add cloudbaseinit.plugins.common.userdata.UserDataPlugin at the end of plugins=. Add a comma (,) in front of the added configuration item.

  3. If you use a Windows ECS to create an image, change the SAN policy of the ECS to OnlineAll. Otherwise, when you use the image to create ECSs, the disks may be offline.

    Windows has three types of SAN policies: OnlineAll, OfflineShared, and OfflineInternal.

    Table 1 SAN policies of Windows

    Type

    Description

    OnlineAll

    All newly detected disks are online.

    OfflineShared

    All disks on sharable buses, such as iSCSI and FC, are left offline by default, while disks on non-sharable buses are online.

    OfflineInternal

    All newly detected disks are offline.
    1. Execute cmd.exe and run the following command to query the current SAN policy of the ECS using DiskPart:

      diskpart

    2. Run the following command to view the SAN policy of the ECS:

      san

      • If the SAN policy is OnlineAll, run the exit command to exit DiskPart and close cmd.exe.
      • If no, go to 90.c.
    3. Run the following command to change the SAN policy to OnlineAll:

      san policy=onlineall

    4. Run the exit command to exit DiskPart and close cmd.exe.

Installing SysAgent and Sysprep

  1. Open Control Panel on the computer and uninstall HW.SysAgent and HW.SysPrep.
  2. Double-click HW.SysAgent.Installer_64.msi and HW.SysPrep.Installer_64.msi in C:\software.

Installing AppCenterAgent and AppCenter

  1. Open Control Panel on the computer and uninstall WKSAppCenterAgent.
  2. Double-click WKSAppCenterAgent.msi and WKSAppCenter.msi in C:\software.

Deleting a system recovery partition

This operation is required for Windows 10 or Windows 11 images.

  1. Right-click Start and choose Disk Management from the shortcut menu. Check whether the system disk (generally drive C) has a recovery partition. Go to the next step only when there is a recovery partition.
  2. Press Win + R, enter cmd, and enter the following content:

    diskpart

    The diskpart window is displayed.

  3. Run the following commands in sequence to delete the system recovery partition:

    1. Print the disk list and select the system disk. 
      list disk 
# The number 0 indicates that the selected disk 0 is the system disk. Select a disk as required.
select disk 0
    2. Print the disk partition list and select the recovery partition to be deleted. 
      list partition 
# In this example, 4 indicates the number of the recovery partition. Select a value as required.
select partition 4
    3. Delete the recovery partition. 
      delete partition override

Encapsulating the image

  • To create an image that is not encapsulated, perform 5 to 8.
  • To create an encapsulated image, perform 5 to 7, and 9.
    • If images are not encapsulated, problems may occur on some applications, such as Windows Server Update Services (WSUS).
    • Images that are not encapsulated can be provisioned more quickly.
    • You must encapsulate the image as the Administrator user.
  1. Before running the command for encapsulation, you need to modify the permission on the en-US folder in c:\Windows\System32 to allow the administrator to write data to the en-US folder.

    1. Go to the c:\Windows\System32 directory.
    2. Right-click the en-US file and choose Properties > Security > Advanced from the shortcut menu. The Advanced Security Settings page is displayed.
    3. On the displayed page, click Change and enter Administrator in the text box. Click Check Names and click OK.
    4. Select Replace owner on subcontainers and objects and click OK.
    5. Right-click the en-US file and choose Properties > Security.
    6. On the en-US property page, click Edit. On the en-US permission page that is displayed, click Administrator and select OK on the right of Full control.
    7. Click OK.

  1. On the ECS, find the Windows image creation tool in C:\software and decompress it to obtain the Workspace_HDP_WindowsDesktop_XXX folder.
  2. Right-click in the lower left corner, enter cmd, and press Enter.
  3. Switch to the directory containing the template tool:

    cd C:\software\Workspace_HDP_WindowsDesktop_Installer_x.x.x

  4. In the displayed CLI, run the following command to create an image not encapsulated:

    run_silent.bat --passive --environment_type 2 --nocheck --noshutdown --nosysprep

  5. (Optional) In the displayed CLI, run the following command to create an encapsulated image:

    run_silent.bat --passive --environment_type 2 --nocheck --noshutdown

    During image creation, the ECS automatically restarts. Do not exit or stop the ECS. After the ECS is restarted, enter the ECS password to proceed with image encapsulation.

Enabling hibernation

  1. Right-click in the lower left corner and choose Run from the shortcut menu.

    The Run dialog box is displayed.

    Run the powercfg -h on command to enable hibernation.

Stopping the ECS

  1. On the ECS list page of the console, locate the row of the ECS created in Creating an ECS, and choose More > Stop to stop the ECS.