Accessing a Windows VM

You can access a Windows virtual machine (VM) using a remote desktop application. For example, Microsoft Remote Desktop enables you to connect to Windows VMs from a Windows or macOS operating system.

Before accessing a Windows VM, you need to decrypt the password of its administrator account. This is done using the private key of the keypair that you associated with the VM.

Only RSA keypairs can decrypt the password of a Windows VM.
You can retrieve the password of your Windows VM only on the first start, as the password is not available to retrieve after the first reboot. If you have not retrieved the password, you cannot access your Window VM and you need to terminate it and create a new one.

This procedure only applies to VMs based on official OMIs, using the default keypair authentication system. In other cases, the connection process can differ. For more information, see About Keypairs.

Decrypting the Password of the VM

Decrypting the Password of the VM Using Cockpit v2

Before you begin: Ensure the Windows VM is ready.

After creation, the VM needs about 10 minutes to be ready. You can check if the VM is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

In the VMs dashboard, check the box of the VM you want the password from.
The VM is selected.
Click Read password.
The READ PASSWORD dialog box appears.
Click Upload.
A window appears.
Select the .rsa file containing the private key of the keypair associated with the VM.

Only RSA keypairs can decrypt the password of a Windows VM.
Click Submit.
The administrator password of the VM is decrypted and downloaded on your computer as a .txt file.

The password also appears in a temporary notification at the bottom right of the page.

Decrypting the Password of the VM Using OSC CLI

Before you begin: Ensure the Windows VM is ready.

After creation, the VM needs about 10 minutes to be ready. You can check if the VM is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

The ReadAdminPassword command gets the administrator password for a Windows running virtual machine (VM).
The administrator password is encrypted using the keypair you specified when launching the VM.

Only RSA keypairs can decrypt the password of a Windows VM.
The administrator password is generated only on the first boot of the Windows VM. It is not returned after the first boot.

Request sample

$ osc-cli api ReadAdminPassword --profile "default" \
    --VmId "i-12345678"

This command contains the following attributes that you need to specify:

DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
VmId: The ID of the VM.

The ReadAdminPassword command returns the following elements:

AdminPassword: The password of the VM. After the first boot, returns an empty string.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.
VmId: The ID of the VM.

Result sample

{
  "VmId": "i-12345678",
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "AdminPassword": "..."
}

Decrypting the Password of the VM Using oapi-cli

Before you begin: Ensure the Windows VM is ready.

After creation, the VM needs about 10 minutes to be ready. You can check if the VM is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

Only RSA keypairs can decrypt the password of a Windows VM.
The administrator password is generated only on the first boot of the Windows VM. It is not returned after the first boot.

Request sample

$ oapi-cli --profile "default" ReadAdminPassword \
    --VmId "i-12345678"

This command contains the following attributes that you need to specify:

DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
VmId: The ID of the VM.

The ReadAdminPassword command returns the following elements:

AdminPassword: The password of the VM. After the first boot, returns an empty string.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.
VmId: The ID of the VM.

Result sample

{
  "VmId": "i-12345678",
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "AdminPassword": "..."
}

Decrypting the Password of the Instance Using AWS CLI

Before you begin:

Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.

Ensure the Windows instance is ready.

After creation, the instance needs about 10 minutes to be ready. You can check if the instance is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

To decode and decrypt the administrator password of the instance, use the get-password-data command following this syntax:

Request sample

$ aws ec2 get-password-data \
    --profile YOUR_PROFILE \
    --instance-id i-12345678 \
    --priv-launch-key ~/.ssh/keypair.rsa \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
instance-id: The ID of the instance you want to access.
priv-launch-key: The path to the .rsa file containing the private key of the keypair on your computer.
endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The get-password-data command returns the following elements:

InstanceId: The ID of the instance.
PasswordData: The administrator password of the instance.
Timestamp: The time the console output was updated for the last time, in ISO 8601 format.

Result sample

{
    "InstanceId": "i-123456789",
    "PasswordData": "/XxYy12Z*z",
    "Timestamp": "2018-03-26T13:01:33.176Z"
}

Decrypting the Password of the VM Using a Bash Script

Before you begin: Ensure the Windows VM is ready.

After creation, the VM needs about 10 minutes to be ready. You can check if the VM is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

To retrieve the administrator password encoded in Base64, view the console output of the VM. For more information, see Viewing the Console Output of a VM.

4/26/2017 11:50:17 AM : ==============================================
4/26/2017 11:50:17 AM : OS : Microsoft Windows NT 10.0.14393
4/26/2017 11:50:17 AM : OsVersion : 10.0.14393
4/26/2017 11:50:17 AM : OsProductName : Microsoft Windows Server 2016 Datacenter
4/26/2017 11:50:17 AM : Language : en-US
4/26/2017 11:50:17 AM : AMI-ID : ami-12345678
4/26/2017 11:50:17 AM : Instance-ID : i-12345678
4/26/2017 11:50:17 AM : Username : Administrator
4/26/2017 11:50:18 AM : Password : <Password>A123BcdEfgh4iJk/LmNo5pq+rSTuVWXYzAb6CDEfg78g9HIJ012Kl3m4NOpqrstuVWX5yzABcdEfgHYjkLMnoPqr/StUvwXyzA6bCdE/7FgHIjKLMN/OP8qRst9UvW0X1yZABCD2Ef34GHijKlmN5OhyrdoarduIEd7z/ejqWXcVFmgzOkqBgPVyrKR/eD6J8rq0Kq55DQjK5GF1hoDGDgCaAQ5DpkW0pw34CM5ak7UmV22veRhR0To94IvAnpi0sHH/LSraqfIWnoebouUjIK9dFdvYCtds4JfqThPIjZYQYn+DgaKqGFt2m1SdKRwqwGGb3pityiaUZ0P0MUemw==</Password>
4/26/2017 11:50:18 AM : Message : Windows is ready to use

In the console output, copy the Base64-encoded password located between the <password>…</password> tags and save it in a text file on your machine.
To decode the Base64-encoded password, and then decrypt it using the private key, use the following command:
Request sample
```
$ base64 --decode --input ~/Documents/instance_password.txt | openssl rsautl -decrypt -inkey ~/.ssh/keypair.rsa
```
This command contains the following attributes that you need to specify:
- input: The path to the file containing the encoded password on your computer.
- inkey: The path to the .rsa file containing the private key of the keypair on your computer
  
  The password for the VM is returned.

Access the VM Using Microsoft Remote Desktop

Before you begin:

Install Microsoft Remote Desktop on your machine:
- On macOS: see the Mac version.
- On Windows: see the Windows version.
Decrypt the password of the VM using one of the three methods above.
To allow the connection from your machine to the VM, ensure the VM has the following security group rule:
- Port: RDP (3389)
- Protocol: TCP
- CIDR: The public IP of your machine.
  
  The expected CIDR IP is the public IP of the machine you are using, not the public IP of the VM.
  
  For more information, see Adding Rules to a Security Group.

Open Microsoft Remote Desktop.
Connect to the VM using its public IP and administrator password.
The default user for Windows VMs created from official OMIs is administrator.

If you are using a VPN or a DirectLink connection, you can use the private IP of the VM.
You now have access to the desktop of the Windows VM.

Related Pages

Corresponding API Methods

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.