Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-12-14 23:45:07 -05:00
Code Issues Projects Releases Packages Wiki Activity

Additional information for W10/11 templates

Browse source
This commit is contained in:
Dr. Gerhard Weck 2025-12-02 19:01:54 +01:00 committed by GitHub
parent 7f2f3dedd4
commit bffad9337e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
user/templates/windows/qubes-windows.rst
View file

@ -77,7 +77,7 @@ Have the Windows ISO image (the 64-bit version) downloaded in some qube.
Windows ISOs can be downloaded directly from Microsoft (e.g., `here <https://www.microsoft.com/en-us/software-download/windows10ISO>`__ for Win10), or selected and downloaded via the `Windows Media Creation Tool <https://go.microsoft.com/fwlink/?LinkId=691209>`__. You should, however, regard the downloaded image to be untrustworthy, since there is no reliable way to check that the download was not somehow compromised (see the discussion in issue `Simplify Qubes Windows Tools Installation for R4.1 #7240 <https://github.com/QubesOS/qubes-issues/issues/7240>`__).
Unofficial “debloated” ISOs from projects like reviOS 18 or ameliorated 10 can be found on the net, although obviously you should consider them even “unsafer” than MS provided ISOs. Alternatively, one could download an official ISO and run scripts/apply patches before installation. Some of the “tweaks” might end up being too much depending on the qubes planned usage, though (eg. no appx functionality in ameliorated Windows - so the installation of Windows Store apps is impossible, even with PowerShell).
Unofficial “debloated” ISOs from projects like reviOS 18 or ameliorated 10 can be found on the net, although obviously you should consider them even “unsafer” than MS-provided ISOs. Alternatively, one could download an official ISO and run scripts/apply patches before installation. Some of the “tweaks” might end up being too much depending on the qubes planned usage, though (e.g., no appx functionality in ameliorated Windows - so the installation of Windows Store apps is impossible, even with PowerShell).
Create Windows VM
=================
@ -328,7 +328,7 @@ After Windows installation
/var/log/xen/console/guest-WindowsNew-dm.log
At that point you should have a functional and stable Windows VM, although without updates, Xens PV drivers nor Qubes integration (see sections :ref:`Windows Update <user/templates/windows/qubes-windows:windows update>` and :ref:`Xen PV drivers and Qubes Windows Tools <user/templates/windows/qubes-windows-tools:xen pv drivers and qubes windows tools>`). It is a good time to clone the VM again.
At that point, you should have a functional and stable Windows VM, although without updates, Xens PV drivers nor Qubes integration (see sections :ref:`Windows Update <user/templates/windows/qubes-windows:windows update>` and :ref:`Xen PV drivers and Qubes Windows Tools <user/templates/windows/qubes-windows-tools:xen pv drivers and qubes windows tools>`). It is a good time to clone the VM again.
Installing Qubes Windows Tools
@ -364,12 +364,14 @@ Windows as a template
---------------------
As described above, Windows 7, 10, and 11 can be installed as TemplateVM. To have the user data stored in AppVMs depending on this template, the user data has to be stored on a private disk named ``Q:``. If there is already a disk for user data, possibly called ``D:``, it has to be renamed to ``Q:``. Otherwise, this disk has to be created via the Windows ``diskpart`` utility, or the Disk Management administrative function by formatting the qubes private volume and associating the letter ``Q:`` with it. The volume name is of no importance.
Windows 7, 10, and 11 can be installed as TemplateVM. To have user data stored in AppVMs based on this template, it must be stored on a private disk named ``Q:``. If there is already a disk for user data, possibly called ``D:``, it has to be renamed to ``Q:``. Otherwise, this disk must be created using the Windows ``diskpart`` utility or the Disk Management administrative tool by formatting the qubes private volume and assigning the letter ``Q:`` to it. The volume name is of no importance.
Moving the user data is not directly possible under Windows, because the directory ``C:\Users`` is permanently open and thus locked. Qubes Windows Tools provides a function to move this data on Windows reboot when the directory is not yet locked. To use this function, a working version of QWT has to be used (see the documentation at the QWT installation). In this case, the option ``Move User Profiles`` has to be selected at the QWT installation. Then, the user files are moved to the new disk during the reboot at the end of the installation. After the user data has been moved to ``Q:``, be sure not to use the option `Move User Profiles` on subsequent installations of Qubes Windows Tools.
Moving the user data is not directly possible under Windows, because the directory ``C:\Users`` is permanently open and thus locked. Qubes Windows Tools provides a function to move this data on Windows reboot when the directory is not yet locked. To use this function, a working version of QWT has to be used (see the documentation at the QWT installation). In this case, the option ``Move User Profiles`` for Windows 7 or ``Move users directory to the private image`` for Windows 10 or 11 has to be selected at the QWT installation. Then, the user files are moved to the new disk during the reboot at the end of the installation. After the user data has been moved to ``Q:``, be sure not to use the option `Move User Profiles` on subsequent installations of Qubes Windows Tools.
**Windows 7 only:** This can also be accomplished without QWT installation, avoiding the installation of the Xen PV drivers, if the risk of a compromised version of these drivers, according to QSB-091, is considered too severe. In this case, the file ``relocate_dir.exe`` has to be extracted from the QWT installer kit ``qubes-tools-x64.msi``, which will be shown as the content of the CD-ROM made available by starting the Windows qube with the additional option ``--install-windows-tools`` (see the QWT installation documentation). The installer kit is a specially formatted archive, from which the file ``relocate_dir.exe`` can be extracted using a utility like 7-Zip. The file has to be copied to ``%windir%\system32``, i.e., usually ``C:\Windows\system32``. Furthermore, locate the registry key ``HKLM\SYSTEM\CurrentControlSet\Control\Session Manager``, and add the text ``relocate_dir.exe C:\Users Q:\Users`` as a new line to the ``REG_MULTI_SZ`` value ``\BootExecute`` in this key. On rebooting the Windows qube, the user files will be moved to the disk ``Q:``, and the additional registry entry will be removed, such that this action occurs only once.
**Windows 10 and 11:** Here, you can get the file ``relocate_dir.exe`` from the Windows 7 QWT installer kit (version `4.1.69-1 <https://yum.qubes-os.org/r4.2/current/dom0/fc37/rpm/qubes-windows-tools-4.1.69-1.fc37.noarch.rpm>`__ ). Unpack the file ``qubes-windows-tools-4.1.69-1.fc37.noarch.rpm`` using a utility like 7-Zip repeatedly until you find the file ``qubes-tools-x64.msi``, copy this file somewhere, and unpack it until you finally have the file ``relocate_dir.exe``, and copy this file into the directory ``%windir%\system32``. Then proceed as described for Windows 7. If you have another Windows 10 or 11 TemplateVM with QWT installed and moved user directories, you may instead use the relocation utility ``relocate-dir.exe`` stored in its system directory. Note, however, that its name is slightly different and modify the registry entry accordingly.
AppVMs based on these templates can be created in the normal way by using the Qube Manager or by specifying
.. code:: console