Getting Started · Updated July 3, 2026

Windows VDI workstation bootstrap

Tags: getting-started, windows, vdi, onboarding, workstations
<div class="getting-started-hero" markdown="1">
<h1><span class="platform-icon platform-vdi"></span>Windows VDI Workstation Bootstrap</h1>
<h2>Standardize a managed Windows VDI image for Epic on Azure engineering and operations tasks.</h2>
<p>Best for: managed Windows environments with ephemeral or controlled persistence.</p>
</div>
<ul class="platform-links">
<li><a class="platform-link" href="../bootstrap/">All workstation options</a></li>
<li><a class="platform-link" href="macos/">macOS</a></li>
<li><a class="platform-link" href="windows/">Windows (WSL2)</a></li>
<li><a class="platform-link" href="windows-vdi/">Windows VDI</a></li>
<li><a class="platform-link" href="saw/">SAW</a></li>
</ul>

At a glance

| Aspect | Summary |
|--------|---------|
| Purpose | Controlled Windows host with WSL2 for infra + diagnostics |
| Provisioning | Gold image + WSL feature enable + Ubuntu LTS distro |
| Estimated time | 20–30 minutes initial (excludes access approval wait) |
| Core tooling | Git, Terraform, Ansible, Azure CLI, gh (no Packer by default) |
| When to choose | Need managed Windows environment with ephemeral or controlled persistence |

Prerequisites

Steps

  1. Request elevation (one-time)

    • Submit access ticket referencing role: "Epic Engineering VDI Elevated Shell"
    • Include justification: "Terraform plan/apply, Ansible execution environment preparation, Azure CLI troubleshooting"
    • Await approval notification (ServiceNow / email). Do not proceed before status = Approved.
  2. Launch VDI session & open elevated PowerShell

    • Start Menu → PowerShell → Right-click → Run as administrator
    • Verify elevated context: `whoami /groups | findstr /i administrators`
  3. Enable required Windows features (if not in gold image)

    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
    Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart
    
  4. Install WSL distribution (if policy allows developer toolchain)

    wsl --install -d Ubuntu-22.04
    
  5. Reboot (or sign-out) if prompted, then complete initial Linux user setup.

  6. Inside WSL: baseline packages & certificates

    sudo apt update && sudo apt install -y git curl unzip jq ca-certificates
    # (Optional) import corporate certificates if not injected by base image
    sudo tee /usr/local/share/ca-certificates/OptumRootCA.crt < ~/OptumRootCA.crt >/dev/null || true
    sudo update-ca-certificates
    # Verify fingerprint
    openssl x509 -in /usr/local/share/ca-certificates/OptumRootCA.crt -noout -sha256 -fingerprint
    

    Reference: Root CA / Internal Policy CA

  7. Tooling installation inside WSL (pinned versions where required)

    • Terraform (manual unzip to control version drift)
    • Azure CLI (scripted installer)
    • Ansible via pipx
    • GitHub CLI via repository

    See Windows (WSL2) bootstrap for exact commands; reuse identically.
  8. Create / import SSH key (deploy only non-sensitive private key; keep hardware-backed tokens out of non-persistent pools).

  9. Configure Azure CLI persistent login (if profile roaming supported); otherwise expect re-auth per session.

  10. Run verification (below) and capture evidence in onboarding ticket.
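
For step 6, an added example (not part of the original guide) that checks the certificate's SHA-256 fingerprint against a pinned value before the file enters the WSL trust store. The function names are hypothetical, and it assumes the expected fingerprint is obtained out of band from the Root CA reference.

```shell
#!/bin/sh
# Added example: trust a CA only after its SHA-256 fingerprint matches a pin.

# Strip any "label=" prefix, colons and whitespace; upper-case the hex digits.
normalize_fp() {
  printf '%s' "${1##*=}" | tr -d ': \r\n' | tr abcdef ABCDEF
}

# fp_matches <actual> <expected>: 0 on match, 1 on mismatch,
# 2 when the pin itself is empty or malformed (fail closed).
fp_matches() {
  local a e
  a=$(normalize_fp "$1")
  e=$(normalize_fp "$2")
  [ "${#e}" -eq 64 ] || return 2
  case "$e" in *[!0-9A-F]*) return 2 ;; esac
  [ "$a" = "$e" ]
}

# install_pinned_ca <cert.pem> <expected-fingerprint> [dest-name]
install_pinned_ca() {
  local src pin name actual
  src=$1; pin=$2; name=${3:-OptumRootCA.crt}
  [ -r "$src" ] || { echo "missing certificate: $src" >&2; return 1; }
  # openssl prints "<label>=AB:CD:..."; the label's case varies by version.
  actual=$(openssl x509 -in "$src" -noout -sha256 -fingerprint) || return 1
  if ! fp_matches "$actual" "$pin"; then
    echo "fingerprint mismatch or bad pin, not trusting $src" >&2
    return 1
  fi
  # Only a verified file reaches the trust store; any failure here is reported.
  sudo install -m 0644 "$src" "/usr/local/share/ca-certificates/$name" &&
    sudo update-ca-certificates
}

# Usage (placeholder pin, take the real value from the Root CA reference):
#   install_pinned_ca ~/OptumRootCA.crt "<expected SHA-256 fingerprint>"
```
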

Verification

Run the following commands and confirm each prints a version:

```bash
ansible --version | head -1
az version --output json | jq -r '."azure-cli"'
terraform version | head -1
gh --version | head -1
```

Expected: each version meets or exceeds the minimum in the table below.

Minimum tool versions

| Tool | Minimum | Note |
|------|---------|------|
| Git | 2.39 | |
| Terraform | 1.5 | Pinned manually (avoid drift) |
| Ansible | 2.14 | Install via pipx |
| Python | 3.10 | Base runtime for Ansible |
| GitHub CLI | 2.0 | Optional if PR operations needed |
| Azure CLI | 2.54 | Disable dynamic extension install |
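
An added example, not part of the original guide, that turns the verification commands and the minimum table above into a pass/fail check. It compares versions numerically per component, so 3.9 is not mistaken for newer than 3.10; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check installed tools against the guide's minimum versions.

# version_ge A B: 0 when dotted version A >= B, compared number by number.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# First dotted number in a line such as "ansible [core 2.14.3]".
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_min <name> <minimum> <tool output>: 0 ok, 1 too old, 2 not found.
check_min() {
  local name min found
  name=$1; min=$2
  found=$(extract_version "$3")
  if [ -z "$found" ]; then echo "FAIL $name: no version found"; return 2; fi
  if version_ge "$found" "$min"; then
    echo "OK   $name $found (>= $min)"
  else
    echo "FAIL $name $found (< $min)"; return 1
  fi
}

# Run inside WSL; the output is suitable evidence for the onboarding ticket.
verify_workstation() {
  local rc
  rc=0
  check_min Git 2.39 "$(git --version 2>/dev/null)" || rc=1
  check_min Terraform 1.5 "$(terraform version 2>/dev/null | head -n 1)" || rc=1
  check_min Ansible 2.14 "$(ansible --version 2>/dev/null | head -n 1)" || rc=1
  check_min Python 3.10 "$(python3 --version 2>/dev/null)" || rc=1
  check_min "GitHub CLI" 2.0 "$(gh --version 2>/dev/null | head -n 1)" || rc=1
  check_min "Azure CLI" 2.54 \
    "$(az version --output json 2>/dev/null | jq -r '."azure-cli"')" || rc=1
  return "$rc"
}
```
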

Troubleshooting

| Symptom | Context | Resolution |
|---------|---------|-----------|
| Missing elevation rights | Step 2 fails privileged commands | Revalidate access ticket state; re-logon after approval. |
| WSL install blocked | Store disabled / policy | Request offline distribution package through endpoint engineering. |
| Terraform TLS errors | Missing CA in WSL trust | Re-run certificate import; confirm file exists then `sudo update-ca-certificates`. |
| Azure CLI login fails | Conditional access / proxy | Add proxy env vars; verify `curl https://management.azure.com` exits 0. |
| Lost tools each login | Non-persistent image | Bake baseline into gold image; persist home via profile container. |

Rollback and cleanup

| Action | Command | Note |
|--------|---------|------|
| Remove WSL distro | `wsl --unregister Ubuntu-22.04` | ⚠️ Destructive – deletes Linux environment |
| Remove Terraform binary | `sudo rm /usr/local/bin/terraform` | Leaves config/state files |
| Clear Azure tokens | `az account clear` | Forces fresh auth next session |

Security notes

Notes

  • Offline distribution fallback details are intentionally environment-specific; capture the mirror path in your team's runbook rather than this guide.
  • Elevation justification must align with least-privilege governance.
