Skip to main content

Preparing Windows templates

Windows guests have neither Cloudbase-Init nor OpenSSH Server preinstalled by default. You need to install and configure them manually.

To install Cloudbase-Init and OpenSSH Server inside a Windows virtual machine

  • Log in to a Windows VM.

  • Create a new administrator account that will be used for SSH connections and log in with it.

  • To install and configure OpenSSH Server:

  • Run Windows PowerShell with administrator privileges and set the execution policy to unrestricted to be able to run scripts:

> Set-ExecutionPolicy Unrestricted
  • Download OpenSSH Server (for example, from the GitHub repository), extract the archive into the C:\Program Files directory, and then install it by running:
> & 'C:\Program Files\OpenSSH-Win64\install-sshd.ps1'
  • Start the sshd service and set its startup type to “Automatic”:
> net start sshd
> Set-Service sshd -StartupType Automatic

  • Open TCP port 22 for the OpenSSH service in the Windows Firewall:

  • On Windows 8.1, Windows Server 2012, and newer versions, run:

> New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName OpenSSH
  • On Windows Server 2008/2008 R2, run:
> netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22
  • Open the C:\ProgramData\ssh\sshd_config file:
> notepad 'C:\ProgramData\ssh\sshd_config'

Comment out the following lines at the end of the file:

#Match Group administrators
#AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Save the changes.

  • Create the .ssh directory in C:\Users`<current_user>` and an empty authorized_keys file inside it:
> cd C:\Users\`<current_user>`
> mkdir .ssh
> notepad .\.ssh\authorized_keys

Remove the .txt extension from the created file:

> move .\.ssh\authorized_keys.txt .\.ssh\authorized_keys
  • Modify the permissions for the created file to disable inheritance:
> icacls .\.ssh\authorized_keys /inheritance:r

  • Download Cloudbase-Init from https://cloudbase.it/cloudbase-init/#download, and then install it by following the procedure from the Installation section at https://cloudbase.it/cloudbase-init/.

  • The password for the user specified during the Cloudbase-Init installation will be reset on the next VM startup. If this user does not exist, a new user account will be created. You will be able to log in with this account by using the key authentication method or you can set a new password with a customization script. If there are multiple Windows users at the image preparation time, the passwords for other users will not be changed.

  • When the Cloudbase-Init installation is complete, do not select the option to run Sysprep before clicking Finish. Otherwise, you will not be able to modify cloudbase-init.conf.

  • Run Windows PowerShell with administrator privileges and open the file C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf:

> notepad 'C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf'

Add metadata_services and plugins on two lines:

metadata_services=\
cloudbaseinit.metadata.services.configdrive.ConfigDriveService,\
cloudbaseinit.metadata.services.httpservice.HttpService
plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,\
cloudbaseinit.plugins.windows.ntpclient.NTPClientPlugin,\
cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin,\
cloudbaseinit.plugins.windows.createuser.CreateUserPlugin,\
cloudbaseinit.plugins.common.networkconfig.NetworkConfigPlugin,\
cloudbaseinit.plugins.windows.licensing.WindowsLicensingPlugin,\
cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin,\
cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,\
cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin,\
cloudbaseinit.plugins.common.userdata.UserDataPlugin,\
cloudbaseinit.plugins.windows.winrmlistener.ConfigWinRMListenerPlugin,\
cloudbaseinit.plugins.windows.winrmcertificateauth.\
ConfigWinRMCertificateAuthPlugin,\
cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin

Make sure to remove all backslashes in the lines above.

Save the changes.

  • Run the built-in Sysprep tool:
> sysprep /generalize /oobe /shutdown