Windows Images
Supported Editions
| Edition | Status |
|---|---|
| Windows Server 2019 / 2022 / 2025 | Recommended |
| Windows 10/11 Pro | Supported |
| Windows 10/11 Home | Not supported |
You must supply your own Windows license.
Choose a Creation Method
| Method | Best for |
|---|---|
| In-Platform | Building images directly inside tiCrypt with no external tools |
| Ansible | Reproducible, automated builds for multiple image variants |
Both methods produce a qcow2 image with the VM Installer and controller.toml baked in.
You can also create Windows images outside of tiCrypt using any hypervisor that produces qcow2 images (VirtualBox, virt-manager, QEMU). Install Windows and the VirtIO drivers, then follow the same tiCrypt component steps before importing the image via Add Image to tiCrypt.
In-Platform Build
Build a Windows image entirely within tiCrypt using the Management interface and Service VMs. No external hypervisor is needed.
This method creates a blank bootable image. After installing Windows, continue with the standard configuration steps to complete the image.
1. Download Required ISOs
Download to your local machine:
- Windows Server ISO from the Microsoft Evaluation Center
- VirtIO drivers ISO from the Linux KVM project
2. Upload ISOs to the Storage Pool
Copy both ISO files into the ISO storage pool directory on the tiCrypt backend:
cp WindowsServer2025.iso /path/to/ticrypt-vm-isos/
cp virtio-win.iso /path/to/ticrypt-vm-isos/
Navigate to Management > Virtual Machines > ISO Volumes and confirm both files appear in the table.
If the ISOs do not appear, refresh the Libvirt storage pool. Both must be visible before proceeding.
3. Register ISO Images
Navigate to ISO Images and click Create from volume for each ISO:
- Select the Realm (e.g., Libvirt).
- Choose the ISO volume from the dropdown.
- Enter a Name (e.g., WindowsServer2025, virtio-win).
- Select the Boot mode (UEFI or Legacy).
- Click Create ISO.
Repeat for both ISOs.
4. Create a Raw Disk Image
Navigate to Libvirt Volumes and click Create raw image:
- Enter a Name (e.g., windows-2025-base).
- Set the Size (40 GB minimum for Windows Server).
- Click Create.
5. Create a VM Image Record
Navigate to VM Images and click Create new VM image:
- Enter a Name (e.g., Windows Server 2025).
- Set the Operating System to Windows.
- Select the raw volume from the previous step.
- Set Boot options to match the ISO boot mode (UEFI or Legacy).
- Click Create.
6. Create and Boot a Service VM
Navigate to Service VMs and click Create new service VM:
- Select the VM image from the previous step.
- Set hardware resources (4+ cores, 8+ GB memory recommended).
- Click Create.
Once created, select the service VM, open the context menu, and click Boot from ISO:
- In ISO image, select the Windows Server ISO.
- In Additional ISO images, add the VirtIO drivers ISO.
The VirtIO drivers ISO must be attached as a secondary ISO. Without it, the Windows installer cannot detect the virtual disk and installation will fail.
- Click Boot.
7. Install Windows via VNC
Right-click the service VM and select Open VNC terminal to open a console session to the VM.
The VM will boot from the Windows ISO. Follow the installation steps below:
Language and region
- Select your language, time/currency format, and keyboard layout.
- Click Next, then click Install now.
Product key and edition
- Enter your product key or click I don't have a product key to activate later.
- Select the edition (e.g., Windows Server 2025 Standard (Desktop Experience)).
- Accept the license terms and click Next.
Installation type
- Select Custom: Install Windows only (advanced).
Load VirtIO storage driver
- The disk list will be empty because Windows does not include VirtIO drivers natively. Click Load driver.
- Click Browse and navigate to the VirtIO ISO drive (typically drive D: or E:).
- Open the vioscsi folder, then select the subfolder matching your Windows version (e.g., 2k25\amd64 for Server 2025).
- Select the Red Hat VirtIO SCSI driver and click Next.
- The virtual disk now appears in the disk list. Select it and click Next.
If multiple driver entries appear, select the one that matches your exact Windows version and architecture (amd64).
Installation
- Windows copies files and installs. The VM will reboot automatically during this process. Do not close the VNC terminal.
- After the final reboot, set the Administrator password when prompted.
Create only an Administrator account. Do not create additional user accounts during installation. tiCrypt manages user provisioning at boot through the VM Controller.
Install remaining VirtIO drivers
- Log in as Administrator.
- Open File Explorer and navigate to the VirtIO drivers ISO (still attached as a secondary drive).
- Run virtio-win-guest-tools.exe from the root of the ISO. This bundled installer installs all remaining drivers (network, balloon, serial, display) in one step. Alternatively, install each driver individually through Device Manager by browsing to the corresponding folder on the ISO (netkvm, balloon, vioserial).
- Verify in Device Manager that no devices show warnings or missing drivers.
8. Base System Configuration
Apply the following settings before installing tiCrypt components. Open an elevated PowerShell session.
Copy and paste the entire block:
# ── Timezone and regional settings ──
Set-TimeZone -Id "Eastern Standard Time"
Set-WinSystemLocale -SystemLocale en-US
# ── Disable hibernation and sleep ──
powercfg /h off
powercfg /change standby-timeout-ac 0
powercfg /change monitor-timeout-ac 0
# ── Disable Windows Firewall ──
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# ── TLS hardening ──
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name "Enabled" -Value 0 -Type DWord
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name "Enabled" -Value 0 -Type DWord
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name "Enabled" -Value 1 -Type DWord
# ── NTP ──
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -Name "NtpServer" -Value "time.nist.gov,0x9"
Start-Service W32Time
# ── RDP encryption (High) and NLA ──
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "MinEncryptionLevel" -Value 3 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1 -Type DWord
# ── Windows Update: disable auto-restart ──
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name "NoAutoRebootWithLoggedOnUsers" -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name "AUOptions" -Value 3 -Type DWord
# ── Lock screen and screen saver ──
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' -Name "NoLockScreen" -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' -Name "ScreenSaveActive" -Value 0 -Type DWord -Force
# ── IE Enhanced Security ──
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' -Name "IsInstalled" -Value 0
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' -Name "IsInstalled" -Value 0
# ── Server Manager auto-start ──
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager' -Name "DoNotOpenServerManagerAtLogon" -Value 1
# ── Edge browser policies ──
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name "HideFirstRunExperience" -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name "PasswordManagerEnabled" -Value 0 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name "SearchSuggestEnabled" -Value 0 -Type DWord
tiCrypt VMs operate on an isolated VLAN with no external network access. The tiCrypt network infrastructure handles all traffic filtering. Disabling the Windows Firewall ensures the VM Controller can bind to port 22.
9. Install Windows Features and Roles
The following features and roles are required for tiCrypt. Install them all in a single elevated PowerShell command:
Install-WindowsFeature NFS-Client, Telnet-Client, RDS-RD-Server, DirectAccess-VPN -Restart
| Feature / Role | PowerShell Name | Purpose |
|---|---|---|
| Client for NFS | NFS-Client | Mount NFS shares from tiCrypt storage |
| Telnet Client | Telnet-Client | Network connectivity debugging |
| Remote Desktop Session Host | RDS-RD-Server | RDP session support for tiCrypt users |
| DirectAccess and VPN (RAS) | DirectAccess-VPN | Remote access and tunneling |
The server will restart after installation. Reopen the VNC terminal and log in as Administrator.
If your organization requires additional features (e.g., Hyper-V, SNMP, Windows Server Backup), add them to the command above.
Configure RDP policies:
tiCrypt requires unlimited concurrent RDP sessions, and clipboard/drive redirection must be disabled to prevent data exfiltration.
# Enable RDP connections
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Remove session limits
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name "MaxInstanceCount" -Value 999999
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "MaxInstanceCount" -Value 999999
# Disable clipboard and drive redirection
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name "fDisableClip" -Value 1
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name "fDisableCdm" -Value 1
Clipboard and drive redirection must remain disabled. Enabling either allows data exfiltration from the secure enclave.
10. Enable FIPS Mode
Enable Federal Information Processing Standards (FIPS) 140-2 compliant algorithms. Required for deployments that must meet NIST 800-171, CMMC, or other federal compliance frameworks.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name "Enabled" -Value 1 -Type DWord
FIPS mode restricts Windows to use only FIPS-validated cryptographic algorithms. Some third-party applications may not function correctly with FIPS enabled. Test your installed applications after enabling.
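As an added example that is not part of the tiCrypt documentation, the following PowerShell reads back the values applied in steps 8 through 10 and flags any that differ from the intended baseline. It uses only the registry paths and values given above plus Get-NetFirewallProfile; run it in an elevated session before moving on to activation, and extend the table if your organization applies extra policies.

```powershell
# Added verification script (not from the tiCrypt docs). Each row mirrors a setting
# applied in steps 8-10 of this page; add rows for any extra policies you require.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$RdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$Baseline = @(
    @{ Path = "$Schannel\TLS 1.0\Server"; Name = 'Enabled';            Expected = 0 }
    @{ Path = "$Schannel\TLS 1.1\Server"; Name = 'Enabled';            Expected = 0 }
    @{ Path = "$Schannel\TLS 1.2\Server"; Name = 'Enabled';            Expected = 1 }
    @{ Path = $RdpTcp;                    Name = 'MinEncryptionLevel'; Expected = 3 }
    @{ Path = $RdpTcp;                    Name = 'UserAuthentication'; Expected = 1 }
    @{ Path = $RdpTcp;                    Name = 'MaxInstanceCount';   Expected = 999999 }
    @{ Path = $TsPolicy;                  Name = 'MaxInstanceCount';   Expected = 999999 }
    @{ Path = $TsPolicy;                  Name = 'fDisableClip';       Expected = 1 }
    @{ Path = $TsPolicy;                  Name = 'fDisableCdm';        Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';      Name = 'fDenyTSConnections';           Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'; Name = 'Enabled';                   Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';  Name = 'NoAutoRebootWithLoggedOnUsers'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';                      Name = 'PasswordManagerEnabled';       Expected = 0 }
)

function Test-ImageBaseline {
    param([array]$Checks = $Baseline)
    foreach ($c in $Checks) {
        # Get-ItemProperty errors when the key or value is absent; report that as MISSING
        # rather than silently treating it as compliant.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $status = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Status = $status; Setting = $c.Name; Expected = $c.Expected; Actual = $actual; Key = $c.Path }
    }
    # Firewall state is read through the cmdlet rather than the registry.
    # The page expects all three profiles disabled (tiCrypt's VLAN does the filtering).
    foreach ($p in Get-NetFirewallProfile) {
        $fwStatus = if ("$($p.Enabled)" -eq 'False') { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Status = $fwStatus; Setting = "Firewall profile $($p.Name)"; Expected = 'False'; Actual = "$($p.Enabled)"; Key = 'Get-NetFirewallProfile' }
    }
}

$results = Test-ImageBaseline
$results | Format-Table Status, Setting, Expected, Actual -AutoSize
$failures = @($results | Where-Object { $_.Status -ne 'OK' })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) setting(s) differ from the baseline; re-run the corresponding step 8-10 commands."
}
```

A MISSING result usually means the New-Item call that creates the policy key was skipped, so the Set-ItemProperty that followed it failed; a MISMATCH means a later tool or update changed the value, which is worth knowing before the image is finalized.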
11. Windows Activation
Activate Windows before finalizing the image. tiCrypt VMs have no outbound internet access, so activation must use a KMS server on your organization's network or be completed during image preparation.
KMS activation (recommended for volume licensing):
Set the Generic Volume License Key (GVLK) for your edition, point to your KMS server, and activate:
slmgr /ipk <product-key>
slmgr /skms kms-server.example.com
slmgr /ato
| Edition | GVLK |
|---|---|
| Windows Server 2025 Standard | TVRH6-WHNXV-R9WG3-9XRFY-MY832 |
| Windows Server 2025 Datacenter | D764K-2NDRG-47T6Q-P8T8W-YP6DF |
| Windows Server 2022 Standard | VDYBN-27WPP-V4HQT-9VMD4-VMK7H |
| Windows Server 2022 Datacenter | WX4NM-KYWYW-QJJR4-XV3QB-6VM33 |
| Windows Server 2019 Standard | N69G4-B89J2-4G8F4-WWYCC-J464C |
| Windows Server 2019 Datacenter | WMDGN-G9PQG-XVVXX-R3X43-63DFG |
MAK activation (standalone key):
If your organization uses Multiple Activation Keys instead of KMS:
slmgr /ipk <your-MAK-key>
slmgr /ato
Verify activation status:
slmgr /dli
tiCrypt VMs have no outbound network access. The KMS server's domain and port (default: 1688) must be added to the Licensing Servers allowlist under Management > Virtual Machines > Licensing Servers before VMs are deployed. Without this entry, Windows cannot complete periodic reactivation and will eventually become unlicensed.
Licensing server entries are universal -- all VMs in the realm can reach any entry in the list.
For full details on KMS setup and product keys, see the Microsoft KMS documentation.
12. Enable BitLocker
tiCrypt uses BitLocker to encrypt VM drives. It is not enabled by default on Windows Server.
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
The server will restart. After the restart:
- Reopen the VNC terminal and log in as Administrator.
- Wait for post-restart configuration tasks to complete.
- A Remote Desktop Licensing dialog may appear. Dismiss or configure it per your organization's licensing.
- Open Server Manager > All Servers and wait until the Manageability column shows Online before proceeding.
BitLocker is required. Without it, tiCrypt cannot mount encrypted drives and the VM will not function.
13. Install the VM Installer
Download and run the VM Installer MSI for Windows.
Installs to C:\Program Files\Tera Insights\tiCrypt VM Controller\.
14. Configure the Controller
Edit C:\Program Files\Tera Insights\tiCrypt VM Controller\controller.toml. See Controller Configuration for the full reference.
For Windows images with RDP access:
[tunnel]
enabled = true
addGroups = ["Remote Desktop Users"]
15. Enable SFTP (Optional)
Enable this if your users need to upload files from their local machine into a running VM. For example, researchers who need to bring datasets or scripts into the secure enclave without using the Vault.
SFTP provides a one-way file transfer into the VM. Uploads are permitted; downloads and file reads are blocked.
OpenSSH is preinstalled on Windows Server 2019, 2022, and 2025.
- Disable automatic start so the OpenSSH service does not hold port 22 at boot:
Set-Service -Name sshd -StartupType Disabled
Stop-Service -Name sshd
- Edit controller.toml:
[tunnel]
sftpEnabled = true
sftpPort = 2022
If the OpenSSH service starts automatically and binds port 22, the VM Controller cannot register.
16. Install Applications (Optional)
Pre-install applications that your researchers need so they are available immediately when the VM boots. Common examples: R, RStudio, Python, Jupyter, MATLAB, SAS, ArcGIS, Chrome, VS Code, or domain-specific analysis tools.
Chocolatey simplifies bulk installation. For example:
choco install googlechrome notepadplusplus 7zip python rstudio -y
tiCrypt VMs have no outbound network access by default. If any installed software requires communication with a licensing server for activation or periodic license checks (e.g., Windows, SAS, ArcGIS, Adobe, MATLAB), the server's domain and port must be added under Management > Virtual Machines > Licensing Servers before the VM can reach it. Without this entry, the software will fail to activate.
Licensing server entries are universal -- all VMs in the realm can reach any entry in the list.
17. Finalize
- Open Server Manager > All Servers and verify the Manageability column shows Online.
- Select Shut Down from the Start menu or run Stop-Computer in PowerShell to stop the service VM.
The image is ready for use.
Automated Build: Ansible
Ansible automates Windows image creation end-to-end: system configuration, security hardening, driver installation, tiCrypt component deployment, and application provisioning. This is the recommended approach for organizations maintaining multiple image variants or requiring reproducible builds.
Prerequisites
| Requirement | Details |
|---|---|
| Ansible | 2.10+ with the ansible.windows collection |
| pywinrm | Python WinRM library (pip install pywinrm) |
| Target VM | A Windows VM with WinRM enabled and reachable from the Ansible control node |
Enable WinRM on the Target VM
Run the following in an elevated PowerShell session on the target:
winrm quickconfig -force
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true
The above enables basic authentication over unencrypted transport for image preparation. For production automation, use HTTPS transport with certificate-based or Kerberos authentication.
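The quick-config block above is the weak setting; the following is the hardened form the note recommends, added here as an example that is not part of the tiCrypt documentation. It replaces the plaintext Basic-auth listener with an HTTPS listener on TCP 5986 and turns the two weak settings back off. The certificate is self-signed (an assumption made for image preparation; substitute one issued by your PKI where available), and the VM's computer name is assumed to be the name Ansible connects to.

```powershell
# Added example (not from the tiCrypt docs): HTTPS WinRM listener for Ansible.
# Assumes a self-signed certificate is acceptable while the image is being prepared.
$DnsName = $env:COMPUTERNAME   # assumption: the name/address used for ansible_host

# 1. Certificate for the HTTPS listener (self-signed; use a PKI-issued cert if you have one)
$Cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Replace any existing HTTPS listener with one bound to that certificate
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $Cert.Thumbprint -Force | Out-Null

# 3. Reverse the weak settings from the quick-config block: no plaintext, no Basic auth.
#    NTLM (or Kerberos on a domain-joined VM) stays enabled for Ansible to authenticate.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false

# 4. Drop the HTTP listener so TCP 5985 no longer accepts connections at all
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse

# 5. Step 8 of this page disables the firewall; if it is still on at this point, open 5986
if (Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'True' }) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow | Out-Null
}

# Show the remaining listener(s) for confirmation: only Transport=HTTPS should be listed
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table Keys -AutoSize
```

With this in place the inventory below changes to ansible_port: 5986 and ansible_winrm_transport: ntlm (or kerberos on a domain); ansible_winrm_server_cert_validation: ignore is only needed for as long as the certificate is self-signed, and should be removed once a trusted certificate is installed.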
Inventory File
all:
  hosts:
    windows_vm:
      ansible_host: 192.168.1.100
      ansible_user: Administrator
      ansible_password: "{{ vault_win_password }}"
      ansible_connection: winrm
      ansible_winrm_transport: basic
      ansible_winrm_server_cert_validation: ignore
      ansible_port: 5985
Variables File
timezone: "Eastern Standard Time"
ntp_server: "time.nist.gov,0x9"
virtio_driver_path: "D:\\virtio-win-guest-tools.exe"
controller_toml_src: "files/controller.toml"
ticrypt_certificates:
  - "files/ticrypt-ca.cer"
  - "files/ticrypt-intermediate.cer"
vm_installer_msi: "files/ticrypt-vm-controller.msi"
# Windows Activation (KMS)
kms_server: "kms-server.example.com"
kms_gvlk: "TVRH6-WHNXV-R9WG3-9XRFY-MY832"  # Change per edition
chocolatey_packages:
  - googlechrome
  - notepadplusplus
  - 7zip
What the Playbook Covers
| Task | Description |
|---|---|
| System configuration | Timezone, regional settings, hibernation, sleep, screen lock |
| Firewall | Disable Windows Firewall (tiCrypt network handles filtering) |
| Security hardening | TLS 1.2 enforcement, NTP, RDP encryption + NLA, Edge policies, IE ESC, FIPS 140-2 |
| Windows Activation | Set GVLK, configure KMS server, activate |
| Server Manager | Disable auto-start at logon |
| Windows Update policy | Disable automatic restarts |
| Windows features & roles | NFS Client, Telnet Client, RD Session Host, DirectAccess |
| BitLocker | Install the BitLocker feature (required for tiCrypt drive encryption) |
| VirtIO drivers | Install KVM guest drivers |
| OpenSSH | Disable auto-start (preinstalled on Windows Server) |
| Application deployment | Install packages via Chocolatey |
| VM Installer | Deploy controller.toml, import certificates, install the MSI |
| Windows Update | Apply security and critical updates |
Example Playbook
---
- name: Configure Windows VM Image
  hosts: windows_vm
  vars_files:
    - vars.yml
  tasks:
    # ── System Configuration ──────────────────────────────────
    - name: Set timezone
      win_timezone:
        timezone: "{{ timezone }}"
    - name: Set regional format
      win_region:
        format: "en-US"
        copy_settings: true
    - name: Disable hibernation
      win_shell: powercfg /h off
    - name: Disable sleep on AC power
      win_shell: |
        powercfg /change standby-timeout-ac 0
        powercfg /change monitor-timeout-ac 0
    - name: Disable lock screen
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
        name: NoLockScreen
        data: 1
        type: dword
    - name: Disable screen saver
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop
        name: ScreenSaveActive
        data: 0
        type: dword
    - name: Disable Server Manager auto-start
      win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\ServerManager
        name: DoNotOpenServerManagerAtLogon
        data: 1
        type: dword
    - name: Disable IE Enhanced Security (Admins)
      win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
        name: IsInstalled
        data: 0
        type: dword
    - name: Disable IE Enhanced Security (Users)
      win_regedit:
        path: HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
        name: IsInstalled
        data: 0
        type: dword
    # ── Firewall ─────────────────────────────────────────────
    - name: Disable Windows Firewall (all profiles)
      win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
    # ── Windows Update Policy ────────────────────────────────
    - name: Disable automatic restart with logged-on users
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
        name: NoAutoRebootWithLoggedOnUsers
        data: 1
        type: dword
    - name: Set Windows Update to download only (no auto-install)
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
        name: AUOptions
        data: 3
        type: dword
    # ── Security Hardening: TLS ───────────────────────────────
    - name: Disable TLS 1.0
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
        name: Enabled
        data: 0
        type: dword
    - name: Disable TLS 1.1
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
        name: Enabled
        data: 0
        type: dword
    - name: Enable TLS 1.2
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
        name: Enabled
        data: 1
        type: dword
    # ── Security Hardening: NTP ───────────────────────────────
    - name: Configure NTP server
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
        name: NtpServer
        data: "{{ ntp_server }}"
        type: string
    - name: Start W32Time service
      win_service:
        name: W32Time
        start_mode: auto
        state: started
    # ── Security Hardening: RDP ───────────────────────────────
    - name: Set RDP encryption level to High
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
        name: MinEncryptionLevel
        data: 3
        type: dword
    - name: Require Network Level Authentication for RDP
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
        name: UserAuthentication
        data: 1
        type: dword
    # ── Security Hardening: Edge Policies ─────────────────────
    - name: Disable Edge first-run experience
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
        name: HideFirstRunExperience
        data: 1
        type: dword
    - name: Disable Edge password manager
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
        name: PasswordManagerEnabled
        data: 0
        type: dword
    - name: Disable Edge search suggestions
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
        name: SearchSuggestEnabled
        data: 0
        type: dword
    # ── Windows Features & Roles ────────────────────────────────
    - name: Install NFS Client
      win_feature:
        name: NFS-Client
        state: present
    - name: Install Telnet Client
      win_feature:
        name: Telnet-Client
        state: present
    - name: Install Remote Desktop Session Host
      win_feature:
        name: RDS-RD-Server
        state: present
    - name: Install DirectAccess and VPN
      win_feature:
        name: DirectAccess-VPN
        state: present
    - name: Enable RDP connections
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server
        name: fDenyTSConnections
        data: 0
        type: dword
    - name: Set unlimited RDP sessions (policy)
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
        name: MaxInstanceCount
        data: 999999
        type: dword
    - name: Set unlimited RDP sessions (RDP-Tcp)
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
        name: MaxInstanceCount
        data: 999999
        type: dword
    - name: Disable clipboard redirection over RDP
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
        name: fDisableClip
        data: 1
        type: dword
    - name: Disable drive redirection over RDP
      win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
        name: fDisableCdm
        data: 1
        type: dword
    # ── FIPS Mode ─────────────────────────────────────────────
    - name: Enable FIPS 140-2 compliant algorithms
      win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
        name: Enabled
        data: 1
        type: dword
    # ── Windows Activation ────────────────────────────────────
    - name: Set GVLK
      win_shell: slmgr /ipk "{{ kms_gvlk }}"
    - name: Configure KMS server
      win_shell: slmgr /skms "{{ kms_server }}"
    - name: Activate Windows
      win_shell: slmgr /ato
    # ── BitLocker ─────────────────────────────────────────────
    - name: Install BitLocker feature
      win_feature:
        name: BitLocker
        state: present
      register: bitlocker_result
    - name: Reboot after BitLocker installation
      win_reboot:
      when: bitlocker_result.changed
    # ── VirtIO Drivers ────────────────────────────────────────
    - name: Install VirtIO guest drivers
      win_package:
        path: "{{ virtio_driver_path }}"
        state: present
    # ── OpenSSH ───────────────────────────────────────────────
    - name: Disable OpenSSH auto-start
      win_service:
        name: sshd
        start_mode: disabled
        state: stopped
    # ── Application Deployment ────────────────────────────────
    - name: Install Chocolatey packages
      win_chocolatey:
        name: "{{ item }}"
        state: present
      loop: "{{ chocolatey_packages }}"
    # ── VM Installer Deployment ───────────────────────────────
    - name: Copy VM Installer MSI
      win_copy:
        src: "{{ vm_installer_msi }}"
        dest: 'C:\Temp\ticrypt-vm-controller.msi'
    - name: Install VM Installer
      win_package:
        path: 'C:\Temp\ticrypt-vm-controller.msi'
        state: present
    - name: Deploy controller.toml
      win_copy:
        src: "{{ controller_toml_src }}"
        dest: 'C:\Program Files\Tera Insights\tiCrypt VM Controller\controller.toml'
    - name: Import tiCrypt certificates
      win_certificate_store:
        path: "{{ item }}"
        store_location: LocalMachine
        store_name: Root
        state: present
      loop: "{{ ticrypt_certificates }}"
    # ── Windows Update ────────────────────────────────────────
    - name: Apply security and critical updates
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: yes
Running the Playbook
ansible-playbook -i inventory.yml playbook.yml --ask-vault-pass
Contact your tiCrypt administrator for a reference playbook tailored to your environment.
Debugging
If the image fails to register after deployment, access the VM directly via VNC to diagnose.
Prerequisites
Before booting the VM for debugging:
- In the tiCrypt frontend, set the video attribute to VNC on the hardware setup. This places the VM in debug mode.
- Set registration-timeout-debug to at least 1 hour.
All commands below require root access on the VM host.
VNC Access
List running VMs and find yours (typically the last entry):
virsh list
Get the VNC display port:
virsh vncdisplay vm-<uuid>
VNC binds to localhost. Forward the port to your desktop via SSH:
ssh -L 5901:localhost:5900 vm-host
Connect your VNC client to localhost:1. If the display port is :10, change the remote port to 5910.
Checklist
Log in as Administrator via VNC and verify:
| Check | How | Expected |
|---|---|---|
| Network | ipconfig | IPv4 address assigned via DHCP |
| VM Installer service | Get-Service ticrypt-vm-controller | Running |
| Service logs | Event Viewer > Application log | No controller registration or download errors |
| SSH disabled | Get-Service sshd | Stopped / Disabled. If running, it is blocking port 22 |
| VirtIO drivers | Device Manager | No missing devices or driver warnings |
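The checklist above can be run as one script from an elevated PowerShell session inside the VM. The following is an added example and not part of the tiCrypt documentation; the service names (ticrypt-vm-controller, sshd) and port 22 are the ones this page names, and the only addition is that it also reports which process currently owns port 22, since a stopped sshd is not the only thing that can block the controller.

```powershell
# Added example (not from the tiCrypt docs): the debugging checklist as a script.
function Get-RegistrationChecklist {
    $results = @()

    # Network: expect at least one DHCP-assigned IPv4 address
    $dhcp = @(Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
              Where-Object { $_.PrefixOrigin -eq 'Dhcp' })
    $results += [pscustomobject]@{ Check = 'Network (DHCP IPv4)'; Pass = ($dhcp.Count -gt 0)
                                   Detail = ($dhcp.IPAddress -join ', ') }

    # VM Installer service must be running
    $ctl = Get-Service -Name 'ticrypt-vm-controller' -ErrorAction SilentlyContinue
    $ctlDetail = if ($ctl) { "$($ctl.Status)" } else { 'service not found' }
    $results += [pscustomobject]@{ Check = 'VM Installer service'; Pass = ($ctl.Status -eq 'Running')
                                   Detail = $ctlDetail }

    # OpenSSH must be stopped and disabled so it does not hold port 22 at boot
    $sshd   = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $sshdOk = ($null -eq $sshd) -or ($sshd.Status -eq 'Stopped' -and $sshd.StartType -eq 'Disabled')
    $sshdDetail = if ($sshd) { "$($sshd.Status) / $($sshd.StartType)" } else { 'not installed' }
    $results += [pscustomobject]@{ Check = 'SSH disabled'; Pass = $sshdOk; Detail = $sshdDetail }

    # Whatever listens on TCP 22 should be the controller, never sshd
    $listener = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue |
                Select-Object -First 1
    $owner = if ($listener) {
        (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } else { 'nothing' }
    $results += [pscustomobject]@{ Check = 'Port 22 owner'; Pass = ($owner -ne 'sshd'); Detail = "$owner" }

    # Application log: errors since the last boot (registration/download errors land here)
    $since  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $errors = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = $since } `
                -ErrorAction SilentlyContinue)
    $errDetail = ($errors | Select-Object -First 3 |
                  ForEach-Object { "$($_.ProviderName): $(($_.Message -split "`n")[0])" }) -join '; '
    $results += [pscustomobject]@{ Check = 'Application log errors since boot'; Pass = ($errors.Count -eq 0)
                                   Detail = $errDetail }

    # VirtIO drivers: any present device not reporting OK (missing driver, problem code)
    $badDev = @(Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue | Where-Object { $_.Status -ne 'OK' })
    $results += [pscustomobject]@{ Check = 'Device drivers'; Pass = ($badDev.Count -eq 0)
                                   Detail = ($badDev.FriendlyName -join ', ') }

    $results
}

$report = Get-RegistrationChecklist
$report | Format-Table Check, Pass, Detail -AutoSize -Wrap
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more checks failed; see the Detail column and the Event Viewer Application log.'
}
```

A failing 'Port 22 owner' row with sshd as the owner means the Set-Service / Stop-Service commands from the SFTP step were not applied to the image; a failing 'Device drivers' row usually means virtio-win-guest-tools.exe was not run after installation.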