Help Center/ Workspace/ User Guide (Administrators)/ Private Images/ Creating a Windows 11 Desktop Private Image/ Creating a User Desktop Image
Updated on 2025-08-20 GMT+08:00
View PDF
Share

Creating a User Desktop Image

Scenarios

This section describes how to create a user desktop image.

Prerequisites

  • You have obtained the username and password for logging in to the console.
  • You have obtained the password of the OS administrator Administrator.

Procedure

  1. Log in to the ECS console.
  2. In the service list, choose Elastic Cloud Server.
  3. Locate the row that contains the desired ECS, and choose More > Manage Image/Disk > Create Image.
  4. On the page for creating a private image, configure parameters as prompted.

    • Type: System Disk Image
    • Source: ECS. Select an ECS that has been stopped in Configuring an ECS.
    • Name: Configure this parameter based on the actual OS, for example, Workspace_Image_01.
    • Enterprise Project: Select the enterprise project to which the resource belongs, for example, default.

  5. Click Next.
  6. Read the letter of commitment and the disclaimer and select I have read and agree to the Letter of Commitment for Image Creation and Image Disclaimer. Click Next.
  7. Click Submit.

    It takes about 10 to 15 minutes to create an image. The created image is displayed in the list under Cloud Server Console > Image Management Service > Private Image.

Configuring the Certificate and Secure Boot

After the image is created, call the API to configure the certificate of version 2011 and VTPM secure boot.

  1. Obtain the public key certificate as follows before enabling secure boot:

    • Platform key: Click here to obtain the WindowsOEMDevicesPK.der certificate.

    • Key exchange key: Click here to obtain the MicCorKEKCA2011_2011-06-24.der certificate.

    • Signature database: Click here to obtain the MicWinProPCA2011_2011-10-19.der certificate.

  2. Convert the key in 1 to Base64 code.
  3. Log in to the ECS using the account and password.
  4. Search for Windows PowerShell in the Start menu of the ECS and click Run as administrator to open the Windows PowerShell window.

    Run the following commands to convert the certificate to Base64 code:

    [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("WindowsOEMDevicesPK.der certificate storage path")) | Out-File -FilePath "WindowsOEMDevicesPK.base64 certificate generation path" -NoNewline

    [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("MicCorKEKCA2011_2011-06-24.der certificate storage path")) | Out-File -FilePath "MicCorKEKCA2011_2011-06-24.base64 certificate generation path" -NoNewline

    [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("MicWinProPCA2011_2011-10-19.der certificate storage path")) | Out-File -FilePath "MicWinProPCA2011_2011-10-19.base64 certificate generation path" -NoNewline

    Replace the three certificate storage paths and three certificate generation paths in the preceding commands with the actual ones.

    Example of the WindowsOEMDevicesPK.der certificate:

    • Example of the certificate storage path: C:\WindowsOEMDevicesPK.der
    • Example of the certificate generation path: C:\WindowsOEMDevicesPK.base64

  5. Call the APIs to enable secure boot and VTPM.

    1. Obtain the image_id. In the navigation pane of the ECS console, choose Image Management Service.
    2. On the Image Management Service page, obtain the image ID, as shown in Figure 1.
      Figure 1 Image ID
    1. Edit the following content:
      Replace the values of the following parameters:
      • Replace $__platform_key with the content of the WindowsOEMDevicesPK.base64 certificate generated in 4.
      • Replace $__key_exchange_key with the content of the MicCorKEKCA2011_2011-06-24.base64 certificate generated in 4.
      • Replace $__signature_database with the content of the MicWinProPCA2011_2011-10-19.base64 certificate generated in 4.

      Do not copy -----BEGIN CERTIFICATE----- in the first line and -----END CERTIFICATE----- at the end when copying the key content in 4.

      [
    {
    "op": "add",
    "path": "/__support_tpm",
    "value": "true"
},{
    "op": "add",
    "path": "/__support_secure_boot",  
    "value": "true"
  },
  {
    "op": "add",
    "path": "/__platform_key",         
    "value": "$__platform_key"      
  },
  {
    "op": "add",
    "path": "/__key_exchange_key",
    "value": "$__key_exchange_key"   
  },
  {
    "op": "add",
    "path": "/__signature_database",
    "value": "$__signature_database"  
  }
]
    1. Call the API through API Explorer.
      1. Select a region from the Region drop-down list.
      2. Enter the image_id obtained in 5.b.
      3. Click Switch to Text Input and enter the content edited in 5.c.
      4. Click Debug, as shown in Figure 2.
        Figure 2 API calling