Accessing a Windows VM

You can access a Windows virtual machine (VM) using a remote desktop application. For example, Microsoft Remote Desktop enables you to connect to Windows VMs from a Windows or macOS operating system.

Before accessing a Windows VM, you need to decrypt the password of its administrator account. This is done using the private key of the keypair that you associated with the VM.

Only RSA keypairs can decrypt the password of a Windows VM.
You can retrieve the password of your Windows VM only on the first start, as the password is not available to retrieve after the first reboot. If you have not retrieved the password, you cannot access your Window VM and you need to terminate it and launch a new one.

This procedure only applies to VMs based on official OMIs, using the default keypair authentication system. In other cases, the connection process can differ. For more information, see About Keypairs.

Decrypting the Password of the VM

Decrypting the Password of the VM Using Cockpit v2

Before you begin: Ensure the Windows VM is ready.

After launch, the VM needs about 10 minutes to be ready. You can check if the VM is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

Click inside the VMs dashboard to make checkboxes appear.
Check the box of the VM you want the password from.
The VM is selected and an action menu appears.
Click Read password.
The READ PASSWORD dialog box appears.
Click Upload.
A window appears.
Select the .rsa file containing the private key of the keypair associated with the VM.

Only RSA keypairs can decrypt the password of a Windows VM.
Click Submit.
The administrator password of the VM is decrypted and downloaded on your computer as a .txt file.

The password also appears in a temporary notification at the bottom right of the page.

Decrypting the Password of the Instance Using Cockpit v1

Cockpit v1 is no longer fixed nor supported. Cockpit v1 is no longer available in the cloudgouv-eu-west-1 Region. For more information, see End-of-Life Policy.

Before you begin: Ensure the Windows instance is ready.

After launch, the instance needs about 10 minutes to be ready. You can check if the instance is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

Click Compute > Instances.
Click the instance you want the password from.
The instance is selected.
Click Get password .
The XXX: GET PASSWORD dialog box appears.
Click Choose file.
A window appears.
Select the .rsa file containing the private key of the keypair associated with the instance.

Only RSA keypairs can decrypt the password of a Windows VM.
Click OK to validate.
The administrator password of the instance decrypted and is downloaded on your computer as a .txt file.

The password also appears in a temporary notification at the top of the page.

Decrypting the Password of the VM Using OSC CLI

Before you begin: Ensure the Windows VM is ready.

After launch, the VM needs about 10 minutes to be ready. You can check if the VM is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

The ReadAdminPassword command gets the administrator password for a Windows running virtual machine (VM).
The administrator password is encrypted using the keypair you specified when launching the VM.

Only RSA keypairs can decrypt the password of a Windows VM.
The administrator password is generated only on the first boot of the Windows VM. It is not returned after the first boot.

Request sample

$ osc-cli api ReadAdminPassword --profile "default" \
    --VmId "i-12345678"

This command contains the following attributes that you need to specify:

DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
VmId: The ID of the VM.

The ReadAdminPassword command returns the following elements:

AdminPassword: The password of the VM. After the first boot, returns an empty string.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.
VmId: The ID of the VM.

Result sample

{
  "VmId": "i-12345678",
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "AdminPassword": "..."
}

Decrypting the Password of the Instance Using AWS CLI

Before you begin: Ensure the Windows instance is ready.

After launch, the instance needs about 10 minutes to be ready. You can check if the instance is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

To decode and decrypt the administrator password of the instance, use the get-password-data command following this syntax:

Request sample

$ aws ec2 get-password-data \
    --profile YOUR_PROFILE \
    --instance-id i-12345678 \
    --priv-launch-key ~/.ssh/keypair.rsa \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
instance-id: The ID of the instance you want to access.
priv-launch-key: The path to the .rsa file containing the private key of the keypair on your computer.
endpoint: The endpoint corresponding to the Region you want to send the request to.

The get-password-data command returns the following elements:

InstanceId: The ID of the instance.
PasswordData: The administrator password of the instance.
Timestamp: The time the console output was updated for the last time, in ISO 8601 format.

Result sample

{
    "InstanceId": "i-123456789",
    "PasswordData": "/XxYy12Z*z",
    "Timestamp": "2018-03-26T13:01:33.176Z"
}

Decrypting the Password of the Instance Using a Bash Script

Before you begin: Ensure the Windows instance is ready.

After launch, the instance needs about 10 minutes to be ready. You can check if the instance is ready by looking at its console output. For more information, see Viewing the Console Output of a VM.

To retrieve the administrator password encoded in Base64, view the console output of the instance. For more information, see Viewing the Console Output of a VM.

4/26/2017 11:50:17 AM : ==============================================
4/26/2017 11:50:17 AM : OS : Microsoft Windows NT 10.0.14393
4/26/2017 11:50:17 AM : OsVersion : 10.0.14393
4/26/2017 11:50:17 AM : OsProductName : Microsoft Windows Server 2016 Datacenter
4/26/2017 11:50:17 AM : Language : en-US
4/26/2017 11:50:17 AM : AMI-ID : ami-12345678
4/26/2017 11:50:17 AM : Instance-ID : i-12345678
4/26/2017 11:50:17 AM : Username : Administrator
4/26/2017 11:50:18 AM : Password : <Password>A123BcdEfgh4iJk/LmNo5pq+rSTuVWXYzAb6CDEfg78g9HIJ012Kl3m4NOpqrstuVWX5yzABcdEfgHYjkLMnoPqr/StUvwXyzA6bCdE/7FgHIjKLMN/OP8qRst9UvW0X1yZABCD2Ef34GHijKlmN5OhyrdoarduIEd7z/ejqWXcVFmgzOkqBgPVyrKR/eD6J8rq0Kq55DQjK5GF1hoDGDgCaAQ5DpkW0pw34CM5ak7UmV22veRhR0To94IvAnpi0sHH/LSraqfIWnoebouUjIK9dFdvYCtds4JfqThPIjZYQYn+DgaKqGFt2m1SdKRwqwGGb3pityiaUZ0P0MUemw==</Password>
4/26/2017 11:50:18 AM : Message : Windows is ready to use

In the console output, copy the Base64-encoded password located between the <password>…</password> tags and save it in a text file on your machine.
To decode the Base64-encoded password, and then decrypt it using the private key, use the following command:
Request sample
```
$ base64 --decode --input ~/Documents/instance_password.txt | openssl rsautl -decrypt -inkey ~/.ssh/keypair.rsa
```
This command contains the following attributes that you need to specify:
- input: The path to the file containing the encoded password on your computer.
- inkey: The path to the .rsa file containing the private key of the keypair on your computer
  
  The password for the instance is returned.

Access the Instance Using Microsoft Remote Desktop

Before you begin:

Install Microsoft Remote Desktop on your machine:
- On macOS: see the Mac version.
- On Windows: see the Windows version.
Decrypt the password of the instance using one of the three methods above.
To allow the connection from your machine to the instance, ensure the instance has the following security group rule:
- Port: RDP (3389)
- Protocol: TCP
- CIDR: The public IP of your machine.
  
  For more information, see Adding Rules to a Security Group.

Open Microsoft Remote Desktop.
Connect to the instance using its public IP and administrator password.
The default user for Windows instances created from official OMIs is administrator.

If you are using a VPN or a DirectLink connection, you can use the private IP of the instance.
You now have access to the desktop of the Windows instance.

Related Pages

Corresponding API Methods

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.