qvm-create-windows-qube 2.0

[Elliot Killick]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, all!

Not too long ago I released qvm-create-windows-qube but quit pushing
changes for a while because I realized there was still a of work to be
done and I wanted to get it out of the dev/beta phase before releasing a
new version.

Well, it's over 200 commits later and I would say it's well out of
beta now.

Biggest new features include:

* Use a much newer Windows 7 7601 ISO for Windows 7
* Support Windows 8.1-10 Pro/Enterprise (ISO downloads from Microsoft
included)
* Support Windows 10 Enterprise LTSC (Also download provided)
* Support Windows Server 2008 R2 - Windows Server 2019 (Also downloads
provided)
* Chocolatey integration
* Option to slim down Windows installation (Similar to the following
but much more refined due to especially the disabling of services I
found could break things in a way that would result in a bad UX,
also expanded for Windows 10:
https://www.qubes-os.org/doc/windows-template-customization/)
* Test signing Qubes GUI driver is now enabled during Windows
installation process to skip a reboot
* Hardcoding trial product key in answer files (or anywhere) is no
longer necessary, Windows will use embedded trial key without any
user interaction by default
* windows-mgmt is air gapped
* Travis CI is being used for integration testing
* Tons of code cleanup, reorganization and refactoring (I'm of the
OpenBSD mindset where having clean (correct) code is just as
important as having functional code, so a lot of stuff just got
rewritten)
* Everything is much more stable (No more lame sleeps for arbitrary
amounts of time)
* MIT license

Additionally, I made a PGP key (also using Qubes Split GPG) so hopefully
my code and anything I else I make can reach you a lot more securely.

Repo can be found here, please star if you find it useful :)

https://github.com/elliotkillick/qvm-create-windows-qube

I'm working towards having this project be similar (or superior) to
VMWare's Windows "Easy Install" feature but on Qubes:
https://www.youtube.com/watch?v=1OpDXlttmE0

Regards,

Elliot
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQBj7nebfoT+xj7VVL5uQ1E+D3V8gUCXhw9CQAKCRD5uQ1E+D3V
8iT9AQDlMN4TUEQV8SrvfBj3Df0utv3i/GIDLlt+6DpxnNmSAAD/Uz7tihtwjHXz
/Dl6qtbYhoph8DSHLKwIevhP/iKArw8=
=tnno
-----END PGP SIGNATURE-----

[brenda...@gmail.com]

Having manually set up windows VMs in in the pst, I can say that Elliot’s work here is quite the time saver.

Just invoke the script, go off and do something for a bit, come back later with some windows VM installs completed, including the add on software you wanted.

Haven’t tried the newer version yet as I have to review the 10 windows 7 VMs I created under the old version to be sure I can wipe them all first!

B

[shiftedreality]

Hi there!

Following your installation guide and running into this error message:

[xxx@dom0 Desktop]$ chmod +x install.sh && ./install.sh
[i] Creating windows-mgmt...
[i] Increasing storage capacity of windows-mgmt...
[i] Cloning qvm-create-windows-qube GitHub repository...
Cloning into 'qvm-create-windows-qube'...
[i] Please check for a good PGP signature (Verify it out-of-band if necessary)...
gpg: Signature made Sat 30 Nov 2019 08:48:44 AM CET
gpg:                using EDDSA key 018FB9DE6DFA13FB18FB5552F9B90D44F83DD5F2
gpg: Good signature from "Elliot Killick <elliot...@xxx.xx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 018F B9DE 6DFA 13FB 18FB  5552 F9B9 0D44 F83D D5F2
[i] Downloading Windows 7 (Other versions of Windows can be downloaded later by using download-windows.sh)...
[i] Downloading Windows media from Microsoft servers...
[i] Downloading Windows 7...
./download-windows.sh: line 91: curl: command not found

Any help on this would be highly appreciated. Thanks!

[brenda...@gmail.com]

Which template are you using?

[shiftedreality]

On Wednesday, January 15, 2020 at 1:37:03 AM UTC+1, brend...@gmail.com wrote:

Which template are you using?

You pointed me in the right direction. I was using Debian 10 as my default Qubes template.

After changing it to Fedora 30, install.sh works fine without any problems.

Thank you very much!

[m...@militant.dk]

mandag den 13. januar 2020 kl. 10.49.12 UTC+1 skrev Elliot Killick:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, all!

Not too long ago I released qvm-create-windows-qube but quit pushing
changes for a while because I realized there was still a of work to be
done and I wanted to get it out of the dev/beta phase before releasing a
new version.

This looks promising. Looking forward to testing it, thank you.

 

Well, it's over 200 commits later and I would say it's well out of
beta now.

I actually believe that the general adoption of Qubes in the world would be larger if the windows guest support was better, you might actaully be able to get funding for your efforts (https://opencollective.com/qubes-os/expenses/). You might ask a QubesOS representative for that possibility(Andrew, maybe?)

That might push the adoption to be broader and the sponsors to be more and helping Qubes to be even more widespread than it is now.

Sincerely

Max

 

[scal...@posteo.net]

Thanks Elliot for posting this. I'm trying this now. I saw the note
saying you could download a different version of Windows in the
qvm-create-windows-qube.sh. But I didn't see how that was done. Seems
like you can just reference an already downloaded iso, which is what I
did. I already had a Windows 10 iso. So I set it to use that iso and to
use the answer file provided for win10x64-enterprise-eval.xml, but ran
into the problem below. But maybe it is because of the iso i'm using?

On 13.01.2020 10:48, 'Elliot Killick' via qubes-users wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>

> * Hardcoding trial product key in answer files (or anywhere) is no
> longer necessary, Windows will use embedded trial key without any
> user interaction by default

This doesn't seem to be the case.
I'm getting the following:
on "Commencing first part of Windows installation process..." in the
install.sh script
I get a popup from "Windows Setup" that says Windows cannot read the
<ProductKey> setting from the unattend answer file." I click "OK" and it
reboots to a black screen from SeaBIOS that ends with "No bootable
device."

> * windows-mgmt is air gapped

What is this qube used for? Is it just for the setup? Can I delete it
after done?

Thanks.

> -----END PGP SIGNATURE-----

[Dominique St-Pierre Boucher]

Concerning the download of ISO, if you open a teminal in the windows-mgmt qube that is created by the script, there is a script in /home/user/Documents/qvm-create-windows-qube/windows-media/isos/ named download-windows.sh

Run that script, it will tell you what are the options. Do not forget to give network access to the windows-mgmt qube before starting the download and to remove the access after.

One of the possible reason you were not able to install Windows 10 is because of the version. The Windows 10 iso you got is probably not an Enterprise Eval version so the key wont work.

Dominique

[M]

Can I create a Windows 10 Pro VM qube or does it have to be a Windows 10 Enterprise LTSC VM qube ?

[scal...@posteo.net]

Thanks Dominique. Everything working now including Qubes Windows Tools -
i can copy files over at least.
This is great.

Am I correct that the windows-mgmt qube is just for setting up the
Windows qube and can be deleted? Certainly keeping it would expedite
creating new Windows qubes in the future though.

scallyob

> --
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to qubes-users...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/d871a2b3-e34b-4eec-b89a-47f07dec0bc5%40googlegroups.com
> [1].
>
>
> Links:
> ------
> [1]
> https://groups.google.com/d/msgid/qubes-users/d871a2b3-e34b-4eec-b89a-47f07dec0bc5%40googlegroups.com?utm_medium=email&utm_source=footer

[Elliot Killick]

On 2020-01-17 17:40, scal...@posteo.net wrote:
> Am I correct that the windows-mgmt qube is just for setting up the
Windows qube and can be deleted? Certainly keeping it would expedite
creating new Windows qubes in the future though.

Yes, that's correct. The windows-mgmt qube may be deleted afterwards if
you are sure that there are no more Windows qubes you would like to create.

[Elliot Killick]

On 2020-01-17 13:25, M wrote:

> Can I create a Windows 10 Pro VM qube or does it have to be a Windows 10 Enterprise LTSC VM qube ?
>

Yes, Windows 10 Pro, Enterprise AND Enterprise LTSC are all supported.

[Elliot Killick]

On 2020-01-15 01:36, shiftedreality wrote:

> You pointed me in the right direction. I was using Debian 10 as my default
> Qubes template.

Debian 10 is supposed to be supported as a template. I didn't realize
the Debian 10 template qube didn't come with cURL. Bug fixed, thanks for
catching that.

[trueriver]

In version 4 of Qubes, the Debian templates need a little extra software to run as templates for the sys-XXX Qubes. Best to is to pieced as if for the minimal Debian template, and apt-install what's needed for the three sys-XXX Qubes. Some of those packages are already installed but apt will just tell you so, and install the missing ones

[brenda...@gmail.com]

On my nth install of Qubes...and learning the hard way about passing informal scripts to others... :)

A reminder if using the standard lvm config : the cloning of VMs/templates only ends up using additional storage for the *divergence* of each from the other(s).

So, I'd recommend, if scripting for others: keep a pristine un-updated copy of the target template(s) to test scripts against. Even better would be a pristine copy and an "up-to-date but not customized" copy. E.g.

debian-10 <- installed by qubes, developer *disables* automatic update reminders and does not update (frozen)

debian-10-up-to-date <- cloned by developer, not customized, only ever apply updates

debian-10-custom <- cloned by developer, apply customizations (e.g. apt-install stuff), apply updates. For day to day use with your VMs.

That way one can (without having to remove and recreate templates via dom0 salt, dnf invocations, etc) test your scripts against baseline expectations of other users.

Brendan

[unman]

On Sun, Jan 19, 2020 at 08:53:10AM -0800, trueriver wrote:
> In version 4 of Qubes, the Debian templates need a little extra software to run as templates for the sys-XXX Qubes. Best to is to pieced as if for the minimal Debian template, and apt-install what's needed for the three sys-XXX Qubes. Some of those packages are already installed but apt will just tell you so, and install the missing ones
>

The Debian template should be usable for sys-** qubes - it is for me,
and I dont think I installed anything on the default template. (although
I do build my own.)
Please detail which software you think is missing.

[River~~]

Hi unman

I said:

> > In version 4 of Qubes, the Debian templates need a little extra software to run as templates for the sys-XXX Qubes. Best to is to pieced [typo: proceed] as if for the minimal Debian template, and apt-install what's needed for the three sys-XXX Qubes. Some of those packages are already installed but apt will just tell you so, and install the missing ones
> >

> The Debian template should be usable for sys-** qubes - it is for me,
> and I dont think I installed anything on the default template. (although
> I do build my own.)
> Please detail which software you think is missing.

I'm sorry that i can't be as helpful as you hope: or not right away anyway.

In particular, my Debian 9 template was installed sometime early in 2019 and therefore I cannot either confirm or counter whether issue #5123 would have fixed this for me: in theory it looks like it might have done. I plan to test this when I have time.

In more detail:

It failed to work on two different laptops. On one neither sys-net nor -usb work with the Debian 9 template out of the box as installed by R4.0, fully updated; on the other sys-net refused to work and -usb was absent. In both cases reverting to the fedora template made the VMs work again.

See my previous query about this

https://groups.google.com/d/msgid/qubes-users/dcec0b0d-2f61-85c4-5d15-77071f89f00e%40danwin1210.me

I resolved the issue by going to the doc page suggested by xao in that thread and on the first machine I used apt install to install all the packages needed to be added to a minimal template to make sys-net and sys-usb work (just to be clear, I confirm that I had the +full+ template: but figured that if any of these were missing that would be relevant).

On the other machine,  installed the relevant packages to make sys-net work

On both machines apt told me that several of these packages were already installed, but did install some packages on each machine. After that all three sys-XXX VMs worked with the full templates.

My to do list includes an intention to try again with a new install to find out if #5123 did indeed fix it.

The docs need to be updated either way, because an "old" Debian template, even if updated, will not have acquired the relevant extra software. When I know either way, I also plan to update the docs and, if need be, reopen #5123, but no promises when that will reach the "next task" in my queue...

R~~

[unman]

On Mon, Jan 20, 2020 at 11:56:18AM +0000, River~~ wrote:
> Hi unman
>
> I said:
>
> > > In version 4 of Qubes, the Debian templates need a little extra
> software to run as templates for the sys-XXX Qubes. Best to is to pieced
> [typo: proceed] as if for the minimal Debian template, and apt-install
> what's needed for the three sys-XXX Qubes. Some of those packages are
> already installed but apt will just tell you so, and install the missing
> ones
> > >
>
> > The Debian template should be usable for sys-** qubes - it is for me,
> > and I dont think I installed anything on the default template. (although
> > I do build my own.)
> > Please detail which software you think is missing.
>
> I'm sorry that i can't be as helpful as you hope: or not right away anyway.
>
> In particular, my Debian 9 template was installed sometime early in 2019
> and therefore I cannot either confirm or counter whether issue #5123 would
> have fixed this for me: in theory it looks like it might have done. I plan
> to test this when I have time.
>

OK.
Since 4.0.1 (I think) 4 has shipped with the Debian-10 template, which
does work out of the box.
The debian-9 template works seamlessly as sys-net sys-firewall and
sys-usb on my thinkpads as expected.

So what you mean is that *your* Debian-9 template (updated) does not
work as a template for sys-XXX qubes on *your* hardware.
That's different.

[scal...@posteo.net]

I had installed Win10 Enterprise and everything was running well until I
had to restart.

Now I can't figure out how to get Windows GUI to appear. When I've
installed Windows without this script I only have one menu option
"Start" and that boots the Windows interface. With the install using
this script I have three menu options: Command Prompt, Explorer,
Internet Explorer. I can run any of those and the Win10 Qube starts, but
there is no GUI interface for the selected app or for Windows in desktop
in general. There is Qubes Settings. I thought this issue might be due
to seamless mode, but clicking the button to disable it in Qubes
Settings just gives me this error:

----
line: raise exc
func: run_service_for_stdio
line no.: 287
file: /usr/lib/python3.5/site-packages/qubesadmin/__init__.py
----
line: self.vm.run_service_for_stdio("qubes.SetGuiMode",
input=b'FULLSCREEN')
func: disable_seamless
line no.: 762
file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py

I also tried turning on "debug mode" and stopping and starting the Win10
qube. But that didn't produce anything I could see either.

Any other ideas?

[brenda...@gmail.com]

Try running qvm-start-gui <vmname> when the window doesn’t appear.

[River~~]

On 17:33, Mon, 20 Jan 2020 unman <un...@thirdeyesecurity.org wrote:
>
>
> So what you mean is that *your* Debian-9 template (updated) does not
> work as a template for sys-XXX qubes on *your* hardware.
> That's different.

I think you are missing my point here. The Fedora templates do work on both my laptops, the (older) Debian templates didn't.

My expectation, which seems reasonable to me, was that the so called "full" Debian template would be a drop in replacement for the full Fedora one, and in fact that expectation turns out to be false: further work is needed to make it work in some cases, including mine.

The fact that it happens to work on some other hardware does not alter the fact that (at the time those Debian templates were issued) they were not drop in replacements.

The fact that other ppl have hardware that fortuitously avoids that difference is good luck for you but does not negate my point.

[scal...@posteo.net]

Works. Thanks!

[unman]

I think your expectation is misplaced - they are different distros, with
different packages, and even where packages *seem* to be the same, their
contents may differ.
Hardware support is difficult. In *many* cases the templates will be
interchangeable. In some, not. You will often see people here being advised to
switch templates to resolve hardware issues for this very reason.

Your original post seemed to suggest that the Debian template didn't come
with packages required to act as sys-XXX - this isn't true. It *may* lack
packages required for some hardware - just install them. (The same is
true for the Fedora templates)

[River~~]

No unman, please get off my case on this.

You misrepresent my intention totally, and ate responding without showing signs of having read the material I pointed you to.

My *original* original post on this subject, which I pointed you to, asked whether that expectation was reasonable, and awokd said that it usually does work.

In that thread, xao pointed me to a list of packages relevant to minimal templates, and suggested I used that to guide me.

My first post in this thread tried to pass that information on to other people, as it seemed relevant.  That earlier thread also pointed to issue #5123, which if you read the first post of that issue, starts from the assertion that it seems I'm not the only Qubes user to come with that expectation.

You say:

> I think your expectation is misplaced - ...

Then please explain exactly why issue #5123, which I also pointed you to and which you also do not seem to have read, has adjusted the contents of the Debian template to meet the fact that (according to the first post in that issue) seems to be a common expectation.

> ... they are different distros, ...

They are actually both parts of the Qubes distro here, installed by either the Qubes installer or from the Qubes repo -- their history from other distros is irrelevant. And yes, when you install a real Debian you get promoted for firmware. When you install the Qubes template you get no such prompt.

Indeed, you install the Debian template using DNF not apt, because the Qubes system regards it as software for Dom0.

>
> Your original post seemed to suggest that the Debian template didn't come
> with packages required to act as sys-XXX - this isn't true.

This is true.

Please stop denying that fact. It doesn't work before I followed xao's advice, it does work after. Therefore at least one of those packages was essential. And every one of the other packages added by #5123 will be essential for some other users: that's why they are there.

Clearly a sys net Qube needs a working firmware *for* *the* *computer* *it's* *on*, not just for some other hardware. End of.

That's why #5123 was accepted, because it fixed exactly this problem (or certainly attempted to).

> It *may* lack
> packages required for some hardware -

???? May ????

It does lack them. Please stop undermining the facts. I told you that installing them made it work. Do you not believe me????????

> just install them.

Exactly so.

That's exactly why it is helpful that xao pointed me to a list in the docs. That's exactly why it's helpful for me to pass that advice on to others, until such time as the "fully firmwared" Debian template becomes the norm (as Chris pointed out in the earlier thread). That's exactly why it is profoundly unhelpful for you to undermine that sounds advice.

> (The same is
> true for the Fedora templates)

Er no.

If a Fedora template didn't work it would be reported as a bug as soon as the first user found they couldn't update through sys-net. And would be acknowledged as a bug without all this prevarication, and it would not get out of the rc1 stage, if it even got that far.

The reason the Debian one slips through the net is that it is not critical in that sense. People can (and according to #5123 actually have) given up on the Debian templates for sys-net due to this issue.

Whatever you think, the ppl who maintain the Qubes system accepted that as an issue and believe it to be fixed by adding those firmware files. I'm simply reporting that back.

But believe what you like.

This exchange is now closed as far as I am concerned.

[Elliot Killick]

On 2020-01-20 17:35, scal...@posteo.net wrote:
> I had installed Win10 Enterprise and everything was running well until
> I had to restart.
>
> Now I can't figure out how to get Windows GUI to appear. When I've
> installed Windows without this script I only have one menu option
> "Start" and that boots the Windows interface. With the install using
> this script I have three menu options: Command Prompt, Explorer,
> Internet Explorer. I can run any of those and the Win10 Qube starts,
> but there is no GUI interface for the selected app or for Windows in
> desktop in general. There is Qubes Settings. I thought this issue
> might be due to seamless mode, but clicking the button to disable it
> in Qubes Settings just gives me this error:

You'll be happy to know that the fixes to everything you just mentioned
are outlined in the README (appmenus and GUI).

Please read it. :)


Elliot

[Elliot Killick]

On 2020-01-19 16:53, trueriver wrote:

> In version 4 of Qubes, the Debian templates need a little extra software to run as templates for the sys-XXX Qubes. Best to is to pieced as if for the minimal Debian template, and apt-install what's needed for the three sys-XXX Qubes. Some of those packages are already installed but apt will just tell you so, and install the missing ones

I'm a little lost. The windows-mgmt qube is not a "sys-XXX" qube and so
I'm not sure how "sys-XXX" qubes are relevant to what I said.

I have not tested qvm-create-windows-qube with a minimal template,
however, if you would like to do so then by all means go ahead. Just be
prepared to install some additional software manually. Just to clarify
for everyone, the only officially supported templates are fedora-30 and
debian-10.

Lastly, just to make sure I have all my ducks in a row, I have just
tested qvm-create-windows-qube with a fresh debian-10 template qube and
all seemed to work fine.


Thank you for your concern,

Elliot

[Rafael Reis]

Wow. This is just outstanding. 

Just installed windows 10 pro (manually downloaded) and it went without a hitch. Only mistake I made was pressing no for the reboot prompt on the first VM boot, but I managed to work around it and the script picked up where it left off. 

Indeed the bugs mentioned on Readme.md are there. I had to take the steps to do the fixes, especially the cmd to load the gui, otherwise it would not appear.

Thank you very much for the incredible contribution. Let me know if I can debug / test anything, or help some other way.

Em segunda-feira, 13 de janeiro de 2020 06:49:12 UTC-3, Elliot Killick escreveu:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, all!

Not too long ago I released qvm-create-windows-qube but quit pushing
changes for a while because I realized there was still a of work to be
done and I wanted to get it out of the dev/beta phase before releasing a
new version.

Well, it's over 200 commits later and I would say it's well out of
beta now.

Biggest new features include:

  * Use a much newer Windows 7 7601 ISO for Windows 7
  * Support Windows 8.1-10 Pro/Enterprise (ISO downloads from Microsoft
    included)
  * Support Windows 10 Enterprise LTSC (Also download provided)
  * Support Windows Server 2008 R2 - Windows Server 2019 (Also downloads
    provided)
  * Chocolatey integration
  * Option to slim down Windows installation (Similar to the following
    but much more refined due to especially the disabling of services I
    found could break things in a way that would result in a bad UX,
    also expanded for Windows 10:
    https://www.qubes-os.org/doc/windows-template-customization/)
  * Test signing Qubes GUI driver is now enabled during Windows
    installation process to skip a reboot

  * Hardcoding trial product key in answer files (or anywhere) is no
    longer necessary, Windows will use embedded trial key without any
    user interaction by default

  * windows-mgmt is air gapped

[Claudio Chinicz]

Hi Elliot,

I've followed the instruction, had to manually download win10x64.iso and when I ran the "./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365business -i win10x64.iso -a win10x64-pro.xml win10-work" command I got the following error:

Error mounting /dev/loop2: GDBus.error:org.freedesktop.vdisk2.error failed: error mounting /dev/loop2 at run/media/user/cccoma_x64fre_en-us_dv9: wrong fs type, bad option, bad superblock on dev/loop2, missing codepage or helper program, or other error

Any idea?

Thanks

[Elliot Killick]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2020-01-23 23:10, Rafael Reis wrote:
> Wow. This is just outstanding.
>
> Just installed windows 10 pro (manually downloaded) and it went without a
> hitch. Only mistake I made was pressing no for the reboot prompt on the
> first VM boot, but I managed to work around it and the script picked up
> where it left off.
>
> Indeed the bugs mentioned on Readme.md are there. I had to take the steps
> to do the fixes, especially the cmd to load the gui, otherwise it
would not
> appear.
>
> Thank you very much for the incredible contribution. Let me know if I can
> debug / test anything, or help some other way.
>
>
> Em segunda-feira, 13 de janeiro de 2020 06:49:12 UTC-3, Elliot Killick
> escreveu:

>>

Thank you, Rafael. Glad it could help you! :)

If you're itching to test out something new then I just pushed a new
feature:

    - Followed (mainly) this Whonix documentation to create an
(unofficial) Windows-Whonix-Workstation that complies up to the "Even
more security" standard: https://www.whonix.org/wiki/Other_Operating_Systems

"Most security" is to use a default Whonix VM and build it from source.

And with that, another security/privacy improvement that further helps
in the isolating of Windows which is that the installation process is
now fully air gapped with the exception of installing any packages at
the very end (if any are desired). It was mostly air gapped before but
there was a small window of time during the "Completing setup of Qubes
Windows Tools..." where Windows had access to the Internet before
applying the disable telemetry script and now also the script for making
Windows into a Windows-Whonix-Workstation. Fixing this was not as simple
as just adding/removing the NetVM whenever due to Qubes Windows Tools
being a bit finicky. The solution I implemented was to use the Qubes
inbuilt Firewall to temporarily drop traffic which kept Windows securely
air gapped while still allowing QWT and packages to install fine.

Besides that just cleaning up a few things and a small bug here and there.

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQBj7nebfoT+xj7VVL5uQ1E+D3V8gUCXi1FdQAKCRD5uQ1E+D3V
8p8UAP9IeLZUSpB+jOLt7QXHVzobnQPLhMwW4KhoHl1nKEWmFAEA8agqWjsuxBlP
LR8aEjtynsagALcGAAnktHFWmq3XFwA=
=35dc
-----END PGP SIGNATURE-----

[Elliot Killick]

On 2020-01-24 13:16, Claudio Chinicz wrote:
> Hi Elliot,
>
> I've followed the instruction, had to manually download win10x64.iso and
> when I ran the "./qvm-create-windows-qube.sh -n sys-firewall -oyp
> firefox,notepadplusplus,office365business -i win10x64.iso -a
> win10x64-pro.xml win10-work" command I got the following error:
>
> Error mounting /dev/loop2: GDBus.error:org.freedesktop.vdisk2.error
failed:
> error mounting /dev/loop2 at run/media/user/cccoma_x64fre_en-us_dv9:
wrong
> fs type, bad option, bad superblock on dev/loop2, missing codepage or
> helper program, or other error
>
> Any idea?
>
> Thanks

Yes, I believe I've gotten that error message before and it basically
means that the udisksctl command could not mount the ISO because the
filesystem is corrupted in some way. Where did you get the ISO from? If
you got if from the download-windows.sh script then make sure the
SHA-256 sum checks out with the one in the SHA256SUMS file. If the sums
don't match then just retry the download. The download-windows.sh script
will automatically verify the checksum.

[Claudio Chinicz]

ׁHi Elliot,

I've downloaded again and succeeded creating the HVM.

I had a Windows 10 HVM I built manually just booting from the ISO and where I did not succeed installing the QWT (boot after the QWT install would freeze).

Would you recommend building a Template from this HVM?

The big advantage I saw in this implementation was that I can confortably run my applications with 2GB (minimum) vs 6GB in my previous HVM. Another advantage of the QWT is that I can send files from Windows to any other PV/HPV VM using qrexec.

What's intriguing me is that copy/paste between VMs is not working. When I ctl+shift+C on my Windows VM I see the popup saying I can ctl+shift+V on another VM but when I do so nothing is pasted. Any ideas?

Thank you very much for this scripts/Windows VM builder.

Regards

[Elliot Killick]

On 2020-01-26 12:37, Claudio Chinicz wrote:
> ׁHi Elliot,
>

> I've downloaded again and succeeded creating the HVM.
>
> I had a Windows 10 HVM I built manually just booting from the ISO and where
> I did not succeed installing the QWT (boot after the QWT install would
> freeze).
>
> Would you recommend building a Template from this HVM?
>
> The big advantage I saw in this implementation was that I can confortably
> run my applications with 2GB (minimum) vs 6GB in my previous HVM. Another
> advantage of the QWT is that I can send files from Windows to any other
> PV/HPV VM using qrexec.
>
> What's intriguing me is that copy/paste between VMs is not working. When I
> ctl+shift+C on my Windows VM I see the popup saying I can ctl+shift+V on
> another VM but when I do so nothing is pasted. Any ideas?
>
> Thank you very much for this scripts/Windows VM builder.
>
> Regards

By freeze do you mean it stops on the part where QWT tries to create the
private disk? This is documented in the QWT Known Issues section of the
README. Just exit that window with the error message and the
installation will proceed as normal. Besides that for Windows 10/Windows
Server 2019, you should not have to interact with any window or part of
the installation. Sometimes, QWT may also just crash upon boot causing
Windows to crash. This doesn't happen often, however, it is also
documented in the README. This is more likely to happen if you installed
Windows manually as you said because unstable QWT features like Qubes
Memory Manager (qmemman) are enabled by default which we disable in the
qvm-create-windows-qube.sh script (Thanks to @brendanhoar for that one).

Due to that bug in making the private disk required, it's not possible
to create templates for Windows 10/Windows Server 2019 anyway.
Otherwise, I would recommend for must users to build a template with the
software they want pre-installed and make AppVMs from that.

Regarding copy/paste not working, it appears to work fine for others so
I would just suggest you restart the Windows qube or possibly make a new
one. If it's copying the data out correctly then there should be a
notification saying "Copied X bytes to the clipboard".

You're welcome, Claudio!


Regards,

Elliot

[M E]

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2de7254e-c22c-3275-cdfd-30cdacd86a67%40zohomail.eu.

I want to install Windows 10 from a DVD in a new HVM and have begun following this guide: https://www.qubes-os.org/doc/windows-vm/

It says:

“Create a new Qube:
Name: Win10, Color: red
Standalone Qube not based on a template
Networking: sys-firewall (default)
Launch settings after creation: check
Click “OK”.”

As I’m going to install Win 10 from a DVD, shall I then just follow the guide and choose “Launch settings after creation” or shall I choose “Install from device” ?

[A E]

I have made a Windows domain and downloaded and installed Windows 7 and Qubes Windows Tools by executing this script in dom0 according to this guide (link: https://github.com/elliotkillick/qvm-create-windows-qube ):

chmod +x install.sh && ./install.sh

And now I would like to know how to get further.

I have made a thread here about making a Win10 HVM, so you are welcome to answer there instead (I have just made this post in attempt to get a quicker response):

https://groups.google.com/forum/m/#!topic/qubes-users/78DgmWxZf80

[A E]

How to use the script of the download-windows.sh file ?

When I execute the script in the terminal, the different windows versions are listed. But when I copy the label of one of them and paste it on the line below it and press enter, the terminal says that it doesn’t recognize the command.

[A E]

More precisely worded: How to use the download-windows.sh file to download Win10 Pro 64 bit ?

[A E]

A way to download Windows 10 Pro manually and install it.

I haven’t managed to download Windows 10 Pro by using the file “download-windows.sh”. So instead I downloaded Windows 10 Pro manually and ran the script afterwards.

You can follow these steps to do it the same way as I did it:

1)  Open the “Qube Settings” for the domain “windows-mgmt”. Under “Network”, choose “default” one and click on “Apply”.

2)  Open the domains Firefox browser and search the web for “how to download windows 10”.
      One of the first results is a link to a Microsoft webpage from which it is possible to download the file in the local language.
      The file gets downloaded to the download folder in the domain.

3)  Open the “Qube Settings” for the domain “windows-mgmt”. Under “Network”, choose “(none)” and click on “Apply”.

4)  Move or copy the file to this destination: /Documents/qvm-create-windows-qube/windows-media/isos

5)  Open the terminal in dom0 and execute the following script (remember to write the name of the iso file you downloaded in step 2 instead of “filename”):

./qvm-create-windows-qube.sh -n sys-whonix -oyw -i filename.iso -a win10x64-pro.xml anon-win10

Info: anon-win10 will be the name of the domain. I don’t know if it is possible to change the domain name without spoiling anything.

Do not close the terminal before it says the installation was complete (successfully) !

Let the terminal do the job, it restarts the qube and so on when it is necessary.

When I got into Windows there appeared three message boxes. One saying that the pc has to be restarted. A second one saying that drive D has to be formatted. And the third one saying something about a private drive as far as I recall.

I started to click OK, I think on the third messaged, and then Windows  immediately closed and restarted and seemed to run fine afterwards.

And in the terminal it said the installation was completed successfully.

[A E]

Afterwards, I have mistakenly closed the window with Windows 10 in it. And now I can’t figure out how to make the window visible again...

I have tried to click on different icons in the menu of the domain anon-win10 in the qube menu - also the one called “Start”. A message pops up saying that the domain is started, but I can’t see a window where Windows 10 is starting up.

Can someone tell me how to make the window visible again ?

[A E]

Arh, to make it appear again, just execute this script in dom0: qvm-features <windows_qube> gui 1 .

Write the name of the domain (for example “anon-win10”), instead of <windows_qube> .

[A E]

How to install Microsoft Office365 in the Win10 HVM that is created by using the script: ./qvm-create-windows-qube.sh -n sys-whonix -oyw -i filename.iso -a win10x64-pro.xml anon-win10 ?

[A E]

Easy: You just have to close the HVM and start it up again. After that internet access from the HVM is granted. 

[Elliot Killick]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2020-02-11 04:55, paulos elias wrote:
> Hey Elliot,
>
> I used your script to install windows and it worked like champ. Great
work really! I was a little upset that QWT doesn't support speaker and
usb devices passthrough. I know that is not what your script is supposed
to do but I was just wondering if there exist, at all, some tweak I can
do to make that work. I just thought it doesn't hurt to ask. Sorry to
bother but do have any trick?

Late response⁠⁠⁠—I'm aware, but, if you're still interested then info on
that is available here:

https://github.com/QubesOS/qubes-issues/issues/2624

Also, for future reference please keep the mailing list CC'd in.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQBj7nebfoT+xj7VVL5uQ1E+D3V8gUCXruqwwAKCRD5uQ1E+D3V
8m91AP9DZxMf+E0PVzzjZJ7ZyqxGcNGgeDYDaRuxSpJVe/yc/AEA0mtZ0mfFXZED
TwD8CTeF9MW923/Xc/A4AFkKB3Z/FAo=
=ewcx
-----END PGP SIGNATURE-----

[lik...@gmx.de]

On 1/13/20 9:48 AM, 'Elliot Killick' via qubes-users wrote:

>
> I'm working towards having this project be similar (or superior) to
> VMWare's Windows "Easy Install" feature but on Qubes:
> https://www.youtube.com/watch?v=1OpDXlttmE0
>
> Regards,
>
> Elliot
>
>

Thank you very much for this project. I tried it with the current win10x64 and I'm currently stuck several times at the same step:
[i] Preparing Windows media for automatic installation...
[i] Starting creation of win10-orig_01
[i] Commencing first part of Windows installation process...
[i] Commencing second part of Windows installation process...
[i] Preparing Qubes Windows Tools for automatic installation...
[i] Installing Qubes Windows Tools...

During the windows tools installation the volume d: fails during formating with ntfs. By trying to format it manually (format d: /fs:ntfs /Q) the following message is displayed:
"QuickFormatting 2.0 GB
Starting offset of the thinly provisioned or DAX partition is not aligned to a cluster boundary. Partition is 512 bytes aligned. To format with specified cluster size, align the partition to 4 KB.
Format failed."

The installation of Windows Tools cannot be continued.

Any ideas how to resolve this?