Getting Started
Updated July 3, 2026
Windows VDI workstation bootstrap
<div class="getting-started-hero" markdown="1">
<h1><span class="platform-icon platform-vdi"></span>Windows VDI Workstation Bootstrap</h1>
<h2>Standardize a managed Windows VDI image for Epic on Azure engineering and operations tasks.</h2>
<p>Best for: managed Windows environments with ephemeral or controlled persistence.</p>
</div>
<ul class="platform-links">
<li><a class="platform-link" href="../bootstrap/">All workstation options</a></li>
<li><a class="platform-link" href="macos/">macOS</a></li>
<li><a class="platform-link" href="windows/">Windows (WSL2)</a></li>
<li><a class="platform-link" href="windows-vdi/">Windows VDI</a></li>
<li><a class="platform-link" href="saw/">SAW</a></li>
</ul>
At a glance
| Aspect | Summary |
|---|---|
| Purpose | Controlled Windows host with WSL2 for infra + diagnostics |
| Provisioning | Gold image + WSL feature enable + Ubuntu LTS distro |
| Estimated time | 20–30 minutes initial (excludes access approval wait) |
| Core tooling | Git, Terraform, Ansible, Azure CLI, gh (no Packer by default) |
| When to choose | Need managed Windows environment with ephemeral or controlled persistence |
Prerequisites
Steps
1. Request elevation (one-time)
    - Submit access ticket referencing role: "Epic Engineering VDI Elevated Shell"
    - Include justification: "Terraform plan/apply, Ansible execution environment preparation, Azure CLI troubleshooting"
    - Await approval notification (ServiceNow / email). Do not proceed before status = Approved.
2. Launch VDI session & open elevated PowerShell
    - Start Menu → PowerShell → Right-click → Run as administrator
    - Verify elevated context:

    ```powershell
    whoami /groups | findstr /i administrators
    ```

    In an elevated session the `BUILTIN\Administrators` line shows `Enabled group`. In a non-elevated session under UAC the same line still appears but is marked `Group used for deny only`, so read the attributes and do not rely on the match alone.
3. Enable required Windows features (if not in gold image)

    ```powershell
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
    Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart
    ```
4. Install WSL distribution (if policy allows developer toolchain)

    ```powershell
    wsl --install -d Ubuntu-22.04
    ```
5. Reboot (or sign-out) if prompted, then complete initial Linux user setup.
6. Inside WSL: baseline packages & certificates

    ```bash
    sudo apt update && sudo apt install -y git curl unzip jq ca-certificates
    # (Optional) import corporate certificates if not injected by base image
    sudo tee /usr/local/share/ca-certificates/OptumRootCA.crt < ~/OptumRootCA.crt >/dev/null || true
    sudo update-ca-certificates
    # Verify fingerprint
    openssl x509 -in /usr/local/share/ca-certificates/OptumRootCA.crt -noout -sha256 -fingerprint
    ```

    Reference: Root CA / Internal Policy CA
7. Tooling installation inside WSL (pinned versions where required)
    - Terraform (manual unzip to control version drift)
    - Azure CLI (scripted installer)
    - Ansible via pipx
    - GitHub CLI via repository

    (See Windows (WSL2) bootstrap for exact commands—reuse identically.)
8. Create / import SSH key (deploy only non-sensitive private key; keep hardware-backed tokens out of non-persistent pools).
9. Configure Azure CLI persistent login (if profile roaming supported); otherwise expect re-auth per session.
10. Run verification (below) and capture evidence in onboarding ticket.
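
For the certificate import in the "Inside WSL: baseline packages & certificates" step, an added example (not part of the original guide) that compares the certificate's SHA-256 fingerprint with a pinned value before the file reaches the trust store, instead of printing it afterwards. `EXPECTED_FP` is a placeholder for the fingerprint published in the Root CA reference; the function names and the `--install` switch are hypothetical.

```bash
# Added example (not from the original guide): pin the corporate root CA by
# SHA-256 fingerprint before it is trusted. EXPECTED_FP is a placeholder.
EXPECTED_FP="${EXPECTED_FP:-REPLACE_WITH_PUBLISHED_SHA256_FINGERPRINT}"
SRC="${SRC:-$HOME/OptumRootCA.crt}"
DST=/usr/local/share/ca-certificates/OptumRootCA.crt

# Reduce "sha256 Fingerprint=AA:BB:..." or "aabb..." to bare uppercase hex.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# fp_matches ACTUAL EXPECTED: succeed only on a complete 64-hex-digit match,
# so an empty, truncated or placeholder value can never pass.
fp_matches() {
  actual_hex=$(normalize_fp "$1")
  expected_hex=$(normalize_fp "$2")
  case $actual_hex in *[!0-9A-F]*) return 1 ;; esac
  [ "${#actual_hex}" -eq 64 ] && [ "$actual_hex" = "$expected_hex" ]
}

# Check first, then copy into the trust store and rebuild the bundle.
install_ca() {
  [ -r "$SRC" ] || { echo "missing $SRC" >&2; return 1; }
  fp=$(openssl x509 -in "$SRC" -noout -sha256 -fingerprint) || return 1
  if ! fp_matches "$fp" "$EXPECTED_FP"; then
    echo "fingerprint mismatch, not installing: $fp" >&2
    return 1
  fi
  sudo install -m 0644 "$SRC" "$DST" && sudo update-ca-certificates
}

# Only touch the trust store when asked to, e.g. with the --install argument.
if [ "${1:-}" = "--install" ]; then install_ca; fi
```

Unlike the `|| true` form, a missing source file or a mismatch stops the import with a non-zero status.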
Verification
Run the following commands and confirm each prints a version:
```bash
ansible --version | head -1
az version --output json | jq -r '."azure-cli"'
terraform version | head -1
gh --version | head -1
```
Expected: versions meet or exceed the minimums in the table below.
Minimum tool versions
| Tool | Minimum | Note |
|---|---|---|
| Git | 2.39 | |
| Terraform | 1.5 | Pinned manually (avoid drift) |
| Ansible | 2.14 | Install via pipx |
| Python | 3.10 | Base runtime for Ansible |
| GitHub CLI | 2.0 | Optional if PR operations needed |
| Azure CLI | 2.54 | Disable dynamic extension install |
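
An added example (not part of the original guide) that turns the verification step into a pass/fail check against the minimums in the table above, including Git and Python, which the verification commands do not cover. The command names `python3`, `gh` and `az`, and all function names, are assumptions.

```bash
# Added example (not from the original guide). Minimums are copied from the
# table above as tool:minimum; python3, gh and az are assumed command names.
MINIMUMS='git:2.39 terraform:1.5 ansible:2.14 python3:3.10 gh:2.0 az:2.54'

# First dotted number in a string: "Terraform v1.5.7" -> 1.5.7
extract_version() {
  printf '%s\n' "$1" | sed -n 's/[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# ver_ge A B: succeed when A >= B, comparing field by field as integers,
# so 1.10 is newer than 1.5 (a plain string comparison gets this wrong).
ver_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# Raw version line for one tool: az as in the guide, --version for the rest.
raw_version() {
  case $1 in
    az) az version --output json 2>/dev/null | jq -r '."azure-cli"' 2>/dev/null ;;
    *) "$1" --version 2>/dev/null | head -n 1 ;;
  esac
}

# check_tool NAME MIN RAW: print one evidence line; fail if missing or too old.
check_tool() {
  v=$(extract_version "$3")
  [ -n "$v" ] || { echo "FAIL $1: not found (minimum $2)"; return 1; }
  ver_ge "$v" "$2" || { echo "FAIL $1 $v is below minimum $2"; return 1; }
  echo "OK   $1 $v (minimum $2)"
}

# Run every check; the combined status is non-zero if any tool fails.
check_all() {
  rc=0
  for pair in $MINIMUMS; do
    check_tool "${pair%%:*}" "${pair#*:}" "$(raw_version "${pair%%:*}")" || rc=1
  done
  return "$rc"
}

check_all || echo "One or more tools are missing or below the minimum." >&2
```

The `OK`/`FAIL` lines can be pasted into the onboarding ticket as the verification evidence.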
Troubleshooting
| Symptom | Context | Resolution |
|---------|---------|-----------|
| Missing elevation rights | Step 2 fails privileged commands | Revalidate access ticket state; re-logon after approval. |
| WSL install blocked | Store disabled / policy | Request offline distribution package through endpoint engineering. |
| Terraform TLS errors | Missing CA in WSL trust | Re-run certificate import; confirm file exists then `sudo update-ca-certificates`. |
| Azure CLI login fails | Conditional access / proxy | Add proxy env vars; verify that `curl https://management.azure.com` exits with status 0. |
| Lost tools each login | Non-persistent image | Bake baseline into gold image; persist home via profile container. |
Rollback and cleanup
| Action | Command | Note |
|---|---|---|
| Remove WSL distro | `wsl --unregister Ubuntu-22.04` | ⚠️ Destructive – deletes Linux environment |
| Remove Terraform binary | `sudo rm /usr/local/bin/terraform` | Leaves config/state files |
| Clear Azure tokens | `az account clear` | Forces fresh auth next session |
Security notes
Notes
- Offline distribution fallback details are intentionally environment-specific; capture the mirror path in your team's runbook rather than this guide.
- Elevation justification must align with least-privilege governance.