.png)
2 hours ago
1
Need a clean Windows box now, not in fifteen minutes? Same. Here’s the setup we use to spin up a fresh Windows 11 remote desktop in ~2 minutes, pay only when it’s on, and have it auto-wipe back to a clean slate when we’re done.
TL;DR
- Click Run workflow on a GitHub Action that boots up a Win11 VM on Azure.
- Open Windows App (Mac) or Remmina (Linux) and connect to the VM’s IP.
- The GitHub Action auto-shuts down the VM after 45 minutes and resets it to a pristine state.
- Cost: ~$10/month (disk + static IP) + $0.20/hour when you actually use it.
Why not UTM?
UTM is great, but:
- Cold boot + reset to clean can cost you 10–15 minutes per session.
- You’re burning local CPU/RAM/disk and juggling snapshots.
- Sometimes you just want a throwaway Windows box to poke at something and move on.
This setup is for that.
How to build this for yourself?
Step 1: Create the VM
Once you’ve gotten over the hurdle of creating an account at Microsoft Azure, click on Create Virtual Machine to create a Windows 11 VM:
- Image: Windows 11 Pro, version 24H2 - x64 Gen2
- Size: Standard_D2s_v3 - 2 vcpus, 8 GiB memory
- OS disk type: Standard HDD ($6/month instead of $20/month for Premium SSD)
Step 2: Credentials
The GitHub Action needs access to your Azure account to be able to start, stop and re-image your VM. Here’s what you need to do inside portal.azure.com:
Step 2.1 Create App Registration
- Go to Azure Active Directory (Microsoft Entra ID)
- Click App registrations in the left menu
- Click New registration
- Name: github-actions-test-vm
- Click Register
Step 2.2 Create Client Secret
- In your new app registration, go to `Certificates & secrets`
- Click New client secret
- Description: GitHub Action
- Click `Add`
- COPY THE SECRET VALUE NOW (you won’t see it again!)
Step 2.3 Assign Permissions to Resource Group
- Go to Resource groups → your_group
- Click Access control (IAM)
- Click Add → Add role assignment
- Under Privileged administrator roles select Contributor
- Click Next
- Click Select members
- Search for github-actions-test-vm
- Select it and click Select
- Click Review + assign
Step 2.4 Gather JSON values
From your App registration overview page, collect:
- Application (client) ID → `clientId`
- Directory (tenant) ID → tenantId
- Secret value (from step 2) → `clientSecret`
From your subscription:
- Go to Subscriptions, copy your subscription ID → subscriptionId
Step 2.5 Save JSON to GitHub
Go to GitHub Actions settings and save the following as AZURE_CREDENTIALS secret.
{ "clientId": "<Application-ID>", "tenantId": "<Tenant-ID>" "clientSecret": "<Secret-Value>", "subscriptionId": "<Subscription-ID>", }Step 3: GitHub Action
This one is easy, just copy the source from our repo.
You are gonna have to change the --resource-group and --name from pareto to whatever names you used in Azure Portal.
Done!
Click Run workflow on a GitHub Action and enjoy your throwaway Windows 11 Desktop VM!
Further time savings
A fresh Windows 11 install asks you for a ton of confirmations when you first start it up. This gets annoying real fast.
What you can do is: go through the whole ordeal, then use the Capture -> Image feature in Azure to save the disk image.
Finally, delete the VM and recreate it, this time selecting your custom saved image by clicking See all images -> Shared Images.
Now, the GitHub Action will reset the VM back to your saved state!
Caveats
- Some images require you to pass an admin password to re-image the VM. Change the re-image command in the YAML like so:
- Under some circumstances, Azure will not let you create a VM with the default Windows 11 image. What worked for us is getting a trial subscription to Microsoft 365 Business Premium that gives you the license to run Windows 11 VMs. You can cancel the trial after your VM is created because Azure includes license cost in the per-hour cost of the VM.
Neyts is the Pareto Security co-founder and Tech Lead.
