commit bdb1bb6a5a22ff7d57d1b865f89a047f19933cc0 Author: Jochen Welzel Date: Mon Jan 25 08:28:41 2021 +0100 first commit working windows templates
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1e800f8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+iso
+VM
+files
+packer_cache
diff --git a/Win10-base.json b/Win10-base.json
new file mode 100755
index 0000000..acc75ac
--- /dev/null
+++ b/Win10-base.json
@@ -0,0 +1,47 @@
+{
+ "builders": [
+ {
+ "type": "qemu",
+ "communicator": "winrm",
+ "skip_compaction": "false",
+ "output_directory": "VM/win10-base",
+ "format": "qcow2",
+ "accelerator": "kvm",
+ "qemuargs": [
+ [
+ "-m",
+ "8192"
+ ],
+ [
+ "-usbdevice",
+ "tablet"
+ ],
+ [
+ "-smp",
+ "4"
+ ]
+ ],
+ "net_device": "virtio-net",
+ "disk_interface": "virtio-scsi",
+ "vm_name": "win10-base.qcow2",
+ "iso_url": "iso/windows_10_ent_eval.iso",
+ "iso_checksum": "sha256:32c7b0a51a48cc4f67c250be4fe2b384febb9cc864c5b77a052d4e2845394eac",
+ "winrm_username": "Administrator",
+ "winrm_password": "Aqdcgt12",
+ "winrm_timeout": "2h",
+ "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
+ "shutdown_timeout": "30m",
+ "cpus": 4,
+ "disk_size": "51200",
+ "boot_wait": "9m",
+ "floppy_files": [
+ "answer_files/Autounattend.xml",
+ "files/virtio-win/Win10/",
+ "scripts/bootstrap-win.ps1"
+ ],
+ "headless": true
+ }
+ ],
+ "provisioners": [
+ ]
+}
diff --git a/Win10-cleanup.json b/Win10-cleanup.json
new file mode 100755
index 0000000..293ea6b
--- /dev/null
+++ b/Win10-cleanup.json
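Review bot: The `winrm_password` value in the Win10-base.json builder is a literal Administrator password committed to the repository, and the same literal recurs as `winrm_password` and `elevated_password` in Win10-cleanup.json, Win10-install.json and Win10-updates.json, in both answer files and in privatedata.json. Every image built from these templates therefore carries a local administrator credential that anyone with read access to the repository knows. Declare it as a Packer user variable listed under `sensitive-variables`, reference that variable from each template, and supply the value at build time from a var-file that is listed in .gitignore. Because the value is now in history, treat it as exposed and choose a new one for any image already built.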
@@ -0,0 +1,54 @@
+{
+ "builders": [
+ {
+ "type": "qemu",
+ "communicator": "winrm",
+ "skip_compaction": "false",
+ "output_directory": "VM/win10-cleanup",
+ "format": "qcow2",
+ "accelerator": "kvm",
+ "qemuargs": [
+ [
+ "-m",
+ "8192"
+ ],
+ [
+ "-usbdevice",
+ "tablet"
+ ],
+ [
+ "-smp",
+ "4"
+ ]
+ ],
+ "net_device": "virtio-net",
+ "disk_interface": "virtio-scsi",
+ "vm_name": "win10-cleanup.qcow2",
+ "iso_url": "VM/win10-install/win10-install.qcow2",
+ "iso_checksum": "none",
+ "disk_image": true,
+ "winrm_username": "Administrator",
+ "winrm_password": "Aqdcgt12",
+ "winrm_timeout": "2h",
+ "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
+ "shutdown_timeout": "30m",
+ "cpus": 4,
+ "disk_size": "51200",
+ "skip_resize_disk": true,
+ "headless": true
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "powershell",
+ "elevated_user": "Administrator",
+ "elevated_password": "Aqdcgt12",
+ "script": "scripts/cleanup.ps1",
+ "remote_path": "C:/tools/cleanup.ps1"
+ },
+ {
+ "type": "windows-restart",
+ "restart_timeout": "1h"
+ }
+ ]
+}
diff --git a/Win10-install.json b/Win10-install.json
new file mode 100755
index 0000000..49dac9b
--- /dev/null
+++ b/Win10-install.json
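Review bot: `"iso_checksum": "none"` turns off integrity checking for the input image `VM/win10-install/win10-install.qcow2`, so a stale, truncated or replaced qcow2 under VM/ becomes the base of this stage without any warning; Win10-install.json and Win10-updates.json do the same for their inputs. Record the SHA-256 of each stage's output and pass it to the next stage through a user variable, for example `"iso_checksum": "sha256:<digest of previous stage output>"`. That way a build fails when the chain of images is not the one that was just produced.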
@@ -0,0 +1,84 @@ +{ + "builders": [ + { + "type": "qemu", + "communicator": "winrm", + "skip_compaction": "false", + "output_directory": "VM/win10-install", + "format": "qcow2", + "accelerator": "kvm", + "qemuargs": [ + [ + "-m", + "8192" + ], + [ + "-usbdevice", + "tablet" + ], + [ + "-smp", + "4" + ] + ], + "net_device": "virtio-net", + "disk_interface": "virtio-scsi", + "vm_name": "win10-install.qcow2", + "iso_url": "VM/win10-update/win10-update.qcow2", + "iso_checksum": "none", + "disk_image": true, + "winrm_username": "Administrator", + "winrm_password": "Aqdcgt12", + "winrm_timeout": "2h", + "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"", + "shutdown_timeout": "30m", + "cpus": 4, + "disk_size": "51200", + "skip_resize_disk": true, + "headless": true + } + ], + "provisioners": [ + { + "type": "powershell", + "elevated_user": "Administrator", + "elevated_password": "Aqdcgt12", + "script": "scripts/install_virtio_guest.ps1", + "remote_path": "C:/tools/install_virtio_guest.ps1" + }, + { + "type": "powershell", + "elevated_user": "Administrator", + "elevated_password": "Aqdcgt12", + "script": "scripts/install_chocolatey.ps1", + "remote_path": "C:/tools/install_chocolatey.ps1" + }, + { + "type": "powershell", + "elevated_user": "Administrator", + "elevated_password": "Aqdcgt12", + "inline": [ + "Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\' -Name \"fDenyTSConnections\" -Value 0", + "Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\' -Name \"UserAuthentication\" -Value 1", + "Enable-NetFirewallRule -DisplayGroup \"Remote Desktop\"", + "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0", + "Start-Service sshd", + "Set-Service -Name sshd -StartupType 'Automatic'", + "choco install notepadplusplus --yes --no-progress --failonstderr", + "choco install powershell-core --yes --no-progress --failonstderr", + "choco install vlc --yes --no-progress 
--failonstderr", + "choco install mpv --yes --no-progress --failonstderr", + "choco install brave --yes --no-progress --failonstderr", + "choco install Firefox --yes --no-progress --failonstderr", + "choco install warp --yes --no-progress --failonstderr", + "choco install microsoft-windows-terminal --yes --no-progress --failonstderr", + "choco install FoxitReader --yes --no-progress --failonstderr", + "New-ItemProperty -Path \"HKLM:\\SOFTWARE\\OpenSSH\" -Name DefaultShell -Value 'C:\\Program Files\\PowerShell\\7\\pwsh.exe' -PropertyType String -Force" + ] + }, + { + "type": "windows-restart", + "restart_timeout": "1h" + } + ] +} diff --git a/Win10-updates.json b/Win10-updates.json new file mode 100755 index 0000000..e491c93 --- /dev/null +++ b/Win10-updates.json @@ -0,0 +1,55 @@ +{ + "builders": [ + { + "type": "qemu", + "communicator": "winrm", + "skip_compaction": "false", + "output_directory": "VM/win10-update", + "format": "qcow2", + "accelerator": "kvm", + "qemuargs": [ + [ + "-m", + "8192" + ], + [ + "-usbdevice", + "tablet" + ], + [ + "-smp", + "4" + ] + ], + "net_device": "virtio-net", + "disk_interface": "virtio-scsi", + "vm_name": "win10-update.qcow2", + "iso_url": "VM/win10-base/win10-base.qcow2", + "iso_checksum": "none", + "disk_image": true, + "winrm_username": "Administrator", + "winrm_password": "Aqdcgt12", + "winrm_timeout": "2h", + "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"", + "shutdown_timeout": "30m", + "cpus": 4, + "disk_size": "51200", + "skip_resize_disk": true, + "headless": true + } + ], + "provisioners": [ + { + "type": "windows-update", + "search_criteria": "IsInstalled=0", + "filters": [ + "exclude:$_.Title -like '*Preview*'", + "include:$true" + ] + }, + { + "type": "windows-restart", + "restart_timeout": "1h" + } + ] +} diff --git a/answer_files/Autounattend.xml b/answer_files/Autounattend.xml new file mode 100755 index 0000000..2096346 --- /dev/null +++ b/answer_files/Autounattend.xml 
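Review bot: The inline provisioner in Win10-install.json turns on Remote Desktop, opens its firewall group and installs `sshd` with `-StartupType 'Automatic'`, all in an image whose Administrator password is the literal committed in this same template, so every VM cloned from the result listens on RDP and SSH with a credential readable in the repository. If remote access has to be baked in, restrict SSH to key authentication (`PasswordAuthentication no` in sshd_config) and have first boot set a unique password. The `choco install` lines also take whatever version is current at build time; adding `--version <pinned version>` to each makes the image reproducible and makes a changed package noticeable. This hunk is split across two physical lines of the page.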
@@ -0,0 +1,174 @@ + + + + + + + + a:\ + + + + + + + + + Primary + 1 + 350 + + + 2 + Primary + true + + + + + true + NTFS + + 1 + 1 + + + NTFS + + C + 2 + 2 + + + 0 + true + + + + true + jochen + zelnet + + + + + + 0 + 2 + + OnError + false + + + /IMAGE/NAME + Windows 10 Enterprise Evaluation + + + + + + + + en-US + + de-DE + de-DE + en-US + en-US + de-DE + + + + + true + + + + + de-de + de-de + en-US + en-US + de-de + + + + + Aqdcgt12 + true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>Aqdcgt12</Value> + <PlainText>true</PlainText> + </Password> + <Description>localuser User</Description> + <DisplayName>jochen</DisplayName> + <Group>administrators</Group> + <Name>jochen</Name> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <AutoLogon> + <Password> + <Value>Aqdcgt12</Value> + <PlainText>true</PlainText> + </Password> + <Username>jochen</Username> + <Enabled>true</Enabled> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>powershell -File a:\bootstrap-win.ps1</CommandLine> + <Description>Bootstrap Windows</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c pnputil -i -a a:\netkvm.inf</CommandLine> + <Order>96</Order> + <Description>Install netkvm</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c pnputil -i 
-a a:\vioscsi.inf</CommandLine> + <Order>97</Order> + <Description>Install netkvm</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c pnputil -i -a a:\viostor.inf</CommandLine> + <Order>98</Order> + <Description>Install netkvm</Description> + </SynchronousCommand> + </FirstLogonCommands> + <ShowWindowsLive>false</ShowWindowsLive> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <!-- Rename computer here. --> + <ComputerName>winimage-qemu</ComputerName> + <TimeZone>W. Europe Standard Time</TimeZone> + <RegisteredOwner/> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + </settings> + <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="catalog:d:/sources/install_windows 7 ENTERPRISE.clg"/> +</unattend> diff --git a/answer_files/Autounattendx64.xml b/answer_files/Autounattendx64.xml new file mode 100644 index 0000000..24fd035 --- /dev/null +++ b/answer_files/Autounattendx64.xml 
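Review bot: The `<AutoLogon>` block in Autounattend.xml enables automatic logon for `jochen`, a member of `administrators`, with a `<PlainText>true</PlainText>` password and no `<LogonCount>` to bound how many logons use it. scripts/configure-win.ps1 removes the Winlogon autologon values, but no template in this commit runs that script, so the setting appears to stay in the finished image. Add `<LogonCount>1</LogonCount>` and clear the Winlogon values in the cleanup stage. The three pnputil commands for netkvm, vioscsi and viostor all carry the description `Install netkvm`; the last two should name their own driver. The first part of this hunk lost its XML tags on the page, so only the tail could be checked.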
@@ -0,0 +1,63 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="windowsPE"> + <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>de-de</InputLocale> + <SystemLocale>de-de</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>de-de</UserLocale> + </component> + <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <UserData> + <AcceptEula>true</AcceptEula> + <FullName>ZelVM</FullName> + <Organization>zelnet</Organization> + </UserData> + </component> + </settings> + <settings pass="oobeSystem"> + <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <InputLocale>de-de</InputLocale> + <SystemLocale>de-de</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>de-de</UserLocale> + </component> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <OOBE> + <HideEULAPage>true</HideEULAPage> + 
<HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <ProtectYourPC>3</ProtectYourPC> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + </OOBE> + <UserAccounts> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>Aqdcgt12</Value> + <PlainText>true</PlainText> + </Password> + <Description>jochen</Description> + <DisplayName>jochen</DisplayName> + <Name>jochen</Name> + <Group>Administrators</Group> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -ExecutionPolicy Bypass -File c:\tools\customize.ps1</CommandLine> + <Description>Customization</Description> + <Order>1</Order> + </SynchronousCommand> + </FirstLogonCommands> + <TimeZone>W. Europe Standard Time</TimeZone> + </component> + </settings> + <cpi:offlineImage cpi:source="wim:d:/images/wim/install.wim#Windows 10 Pro" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> +</unattend> diff --git a/privatedata.json b/privatedata.json new file mode 100644 index 0000000..e00bac3 --- /dev/null +++ b/privatedata.json @@ -0,0 +1,3 @@ +{ + "localuser_win_pass": "Aqdcgt12" +} diff --git a/scripts/SetupComplete-qemu.ps1 b/scripts/SetupComplete-qemu.ps1 new file mode 100644 index 0000000..fd4a5a9 --- /dev/null +++ b/scripts/SetupComplete-qemu.ps1 @@ -0,0 +1,6 @@ + +# start cloudbase-init service and set to auto-start +start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "config cloudbase-init start= auto" -wait +start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "start cloudbase-init" -wait + +exit 0 diff --git a/scripts/SetupComplete-vmw.ps1 b/scripts/SetupComplete-vmw.ps1 new file mode 100644 index 0000000..ca09460 --- /dev/null +++ b/scripts/SetupComplete-vmw.ps1 
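Review bot: The `FirstLogonCommands` entry in Autounattendx64.xml runs `c:\tools\customize.ps1` with `-ExecutionPolicy Bypass` at the first logon of an Administrators member, but no file of that name is added by this commit and no template visible here copies one to `c:\tools`, so what executes depends on whatever is at that path when the image is used. Either add the script to the repository and upload it from a template, or remove the command until it exists. No template in this commit lists Autounattendx64.xml in `floppy_files`, so the file may be unused. This hunk is split across two physical lines of the page.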
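Review bot: privatedata.json is a secrets file that this commit places under version control, while the .gitignore added in the same commit lists only `iso`, `VM`, `files` and `packer_cache`. Add `privatedata.json` to .gitignore, commit a sample file whose value is a placeholder such as `"localuser_win_pass": "<set at build time>"`, and pass the real file with `-var-file`. None of the templates in this commit reads `localuser_win_pass`, so the variable currently has no effect and the templates keep their own literals.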
@@ -0,0 +1,15 @@
+# if you create custom ovfEnv properties in your template you can easily turn them into Environment variables for fun automation possibiliites.
+
+# read properties from vmware tools and store as xml
+& "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" --cmd "info-get guestinfo.ovfEnv" 2>&1 | tee-object -variable vmtoolsxml | out-null
+[xml]$vmtoolsxml = $vmtoolsxml
+
+# turn all properties into ps Environment variables
+foreach( $property in $vmtoolsxml.Environment.PropertySection.SelectNodes("*")){
+$ps_varname = ($property.key | %{$_ -replace "vm.",""} | %{$_ -replace "\.","_"} )
+new-variable -name $ps_varname -value $property.value
+}
+
+
+
+exit 0
\ No newline at end of file
diff --git a/scripts/bootstrap-win.ps1 b/scripts/bootstrap-win.ps1
new file mode 100644
index 0000000..9898c0a
--- /dev/null
+++ b/scripts/bootstrap-win.ps1
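Review bot: In the `foreach` body of SetupComplete-vmw.ps1, `-replace "vm.",""` is an unanchored regular expression in which `.` matches any character, so it removes `vm` plus the following character wherever that occurs in a property key, not only a leading `vm.` prefix; `-replace '^vm\.',''` does what the comment describes. `new-variable` also creates PowerShell variables in this script's scope rather than environment variables, and they are gone at `exit 0`; use `[Environment]::SetEnvironmentVariable($ps_varname, $property.value, 'Machine')` if persistence is intended. Since the keys come from the hypervisor-supplied ovfEnv document, check them against an allow-list before turning them into names, so a property cannot overwrite an existing variable such as `Path`.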
@@ -0,0 +1,44 @@
+# windows powershell bootstrap script
+$host.ui.RawUI.WindowTitle = "Bootstrapping Windows"
+
+
+New-Item -Path "c:\" -Name "logs" -ItemType "directory"
+New-Item -Path "c:\" -Name "tools" -ItemType "directory"
+
+# supress network location Prompt
+New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff" -Force
+
+# set network to private
+
+# Make administrator user active for desktop OS
+net user administrator /active:yes
+
+# disable windows defender If you install your own AV later
+#if ($KERNELVERSION -ge (new-object 'Version' 10,0)) {
+# Set-MpPreference -DisableRealtimeMonitoring $true -DisableArchiveScanning $true -DisableIOAVProtection $true
+#}
+
+$netprofile = Get-NetConnectionProfile
+Set-NetConnectionProfile -Name $netprofile.Name -NetworkCategory Private
+
+# enable winrm on http
+
+winrm quickconfig -quiet
+# config winrm settings to work with packer
+winrm set winrm/config/service '@{AllowUnencrypted="true"}'
+winrm set winrm/config/service/auth '@{Basic="true"}'
+
+# configure powersaving and screen saver
+powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
+powercfg -change -monitor-timeout-ac 0
+powercfg -hibernate OFF
+
+New-Itemproperty -Path "registry::HKCU\Control Panel\Desktop" -Name ScreenSaveActive -Value 0 -PropertyType "DWord" -Force
+New-Itemproperty -Path "registry::HKCU\Control Panel\Desktop" -Name ScreenSaveTimeOut -Value 0 -PropertyType "DWord" -Force
+New-Itemproperty -Path "registry::HKU\.DEFAULT\Control Panel\Desktop" -Name ScreenSaveActive -Value 0 -PropertyType "DWord" -Force
+New-Itemproperty -Path "registry::HKU\.DEFAULT\Control Panel\Desktop" -Name ScreenSaveTimeOut -Value 0 -PropertyType "DWord" -Force
+
+#Stop windows updtes from starting immediatly
+$WUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings
+$WUSettings.NotificationLevel=1
+$WUSettings.save()
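Review bot: The two `winrm set` lines enable `AllowUnencrypted` and `Basic` authentication so Packer can connect, and no script visible on this page turns them off again, so the finished image accepts the Administrator password base64-encoded over plain HTTP. Add a last provisioning step that runs `winrm set winrm/config/service '@{AllowUnencrypted="false"}'` and `winrm set winrm/config/service/auth '@{Basic="false"}'`, or build over an HTTPS listener with `winrm_use_ssl` in the templates. `Get-NetConnectionProfile` can return more than one profile, in which case `$netprofile.Name` is an array; `Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private` handles both cases.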
diff --git a/scripts/cleanup-compact.ps1 b/scripts/cleanup-compact.ps1
new file mode 100644
index 0000000..dfb35f9
--- /dev/null
+++ b/scripts/cleanup-compact.ps1
@@ -0,0 +1,70 @@ +#Powershell version of install cleanup_compact + +# get the windows kernel version +$KERNELVERSION = [Environment]::OSVersion.Version + +get-packageprovider -name chocolatey -ForceBootstrap +install-package sdelete -force +#install-package ultradefrag -force + +# unzip function +function punzip( $zipfile, $outdir ) { + If(-not(Test-Path -path $zipfile)){return "zipfile " + $zipfile + " not found!"} + If(-not(Test-Path -path $outdir)){return "output dir " + $outdir + " not found!"} + $shell = new-object -com shell.application + $zip = $shell.NameSpace($zipfile) + foreach($item in $zip.items()) + { + $shell.Namespace($outdir).copyhere($item) + } +} + +## Download the FILES +$client = new-object System.Net.WebClient +$client.DownloadFile("http://downloads.sourceforge.net/project/ultradefrag/stable-release/7.0.1/ultradefrag-portable-7.0.1.bin.amd64.zip", "C:\windows\temp\ultradefrag-portable-7.0.1.bin.amd64.zip" ) + +# Stops the windows update service. +Stop-Service -Name wuauserv -Force -EA 0 +Get-Service -Name wuauserv + +# Delete the contents of windows software distribution. +write-output "Delete the contents of windows software distribution" +Get-ChildItem "C:\Windows\SoftwareDistribution\*" -Recurse -Force -Verbose -ErrorAction SilentlyContinue | remove-item -force -recurse -ErrorAction SilentlyContinue + +# Delete the contents of localuser apps. +write-output "Delete the contents of localuser apps" +Get-ChildItem "C:\users\localuser\AppData\Local\Packages\*" -Recurse -Force -Verbose -ErrorAction SilentlyContinue | remove-item -force -recurse -ErrorAction SilentlyContinue + +# Delete the contents of user template desktop. 
+write-output "Delete the contents of user template desktop" +Get-ChildItem "C:\Users\Public\Desktop\*" -Recurse -Force -Verbose -ErrorAction SilentlyContinue | remove-item -force -recurse -ErrorAction SilentlyContinue + +# Starts the Windows Update Service +Start-Service -Name wuauserv -EA 0 + +# use dism to cleanup windows sxs. This only works on 2012r2 and 8.1 and above. +# bumped up to windows 10 only as was failing on 2012r2 +if ([Environment]::OSVersion.Version -ge [Version]"10.0") { + write-output "Cleaning up winSXS with dism" + dism /online /cleanup-image /startcomponentcleanup /resetbase /quiet +} + +# extract ultradefrag archive +write-output "extracting ultradefrag archive" +punzip ("C:\windows\temp\ultradefrag-portable-7.0.1.bin.amd64.zip") ("C:\Windows\temp") + +# Defragment the virtual disk blocks +write-output "Starting to Defragment Disk" +start-process -FilePath 'C:\Windows\Temp\ultradefrag-portable-7.0.1.amd64\udefrag.exe' -ArgumentList '--optimize --repeat C:' -wait -verb RunAs + +# Zero dirty blocks +write-output "Starting to Zero blocks" +#New-Item -Path "HKCU:\Software\Sysinternals\SDelete" -force -ErrorAction SilentlyContinue +#Set-ItemProperty -Path "HKCU:\Software\Sysinternals\SDelete" -Name EulaAccepted -Value "1" -Type DWORD -force +start-process -FilePath 'C:\Chocolatey\bin\sdelete64.bat' -ArgumentList '-q -z C:' -wait -EA 0 +uninstall-package sdelete -force + +exit 0 + + + diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 new file mode 100644 index 0000000..9168b1b --- /dev/null +++ b/scripts/cleanup.ps1 
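Review bot: The UltraDefrag archive in cleanup-compact.ps1 is fetched over plain `http://` and `udefrag.exe` from it is then started with `-verb RunAs`, with no check that the file is the one expected. Use an `https://` URL and compare `(Get-FileHash <zip path> -Algorithm SHA256).Hash` with a pinned digest before calling `punzip`, stopping the build on a mismatch. The other download-and-run scripts in this commit (cloudbase-init.ps1, install_chocolatey.ps1, install_firefox.ps1, install_virtio_guest.ps1, tools-winrm.ps1) use HTTPS but likewise run what they fetch without a hash or `Get-AuthenticodeSignature` check. The cleanup paths also name `C:\users\localuser`, while the answer files create the account `jochen`. This hunk is split across two physical lines of the page.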
@@ -0,0 +1,35 @@
+Write-Host "Cleaning updates.." -ForegroundColor 'Cyan'
+Stop-Service -Name wuauserv -Force
+Remove-Item c:\Windows\SoftwareDistribution\Download\* -Recurse -Force
+Start-Service -Name wuauserv
+
+Write-Host "Cleaning SxS..." -ForegroundColor 'Cyan'
+Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
+
+@(
+ "$env:localappdata\Nuget",
+ "$env:localappdata\temp\*",
+ "$env:windir\logs",
+ "$env:windir\panther",
+ "$env:windir\temp\*",
+ "$env:windir\winsxs\manifestcache"
+) | ForEach-Object {
+ if (Test-Path $_) {
+ Write-Host "Removing $_"
+ try {
+ Takeown /d Y /R /f $_
+ Icacls $_ /GRANT:r administrators:F /T /c /q 2>&1 | Out-Null
+ Remove-Item $_ -Recurse -Force | Out-Null
+ }
+ catch { $global:error.RemoveAt(0) }
+ }
+}
+
+Write-Host "defragging..." -ForegroundColor 'Cyan'
+if (Get-Command Optimize-Volume -ErrorAction SilentlyContinue) {
+ Optimize-Volume -DriveLetter C
+}
+else {
+ Defrag.exe c: /H
+}
+fsutil behavior set DisableDeleteNotify 0
diff --git a/scripts/cloudbase-init.ps1 b/scripts/cloudbase-init.ps1
new file mode 100644
index 0000000..b1257e8
--- /dev/null
+++ b/scripts/cloudbase-init.ps1
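Review bot: The `catch { $global:error.RemoveAt(0) }` block in the `ForEach-Object` body will rarely run, because `Takeown` and `Icacls` are native commands and `Remove-Item` reports failures as non-terminating errors, so a path that could not be deleted is skipped without any trace. That matters for `$env:windir\panther`, where Windows Setup keeps its logs and a copy of the answer file. Use `Remove-Item $_ -Recurse -Force -ErrorAction Stop` and report the failure with `Write-Warning` in the `catch` instead of discarding it. If deletion fails after `Icacls ... /GRANT:r administrators:F`, the changed ACL also stays in the image.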
@@ -0,0 +1,17 @@
+#download installer
+$client = new-object System.Net.WebClient
+$client.DownloadFile("https://cloudbase.it/downloads/CloudbaseInitSetup_Stable_x64.msi", "C:\windows\temp\CloudbaseInitSetup_Stable_x64.msi" )
+
+# install the payload
+start-process -FilePath 'c:\Windows\temp\CloudbaseInitSetup_Stable_x64.msi' -ArgumentList '/qn /l*v C:\windows\temp\cloud-init.log LOGGINGSERIALPORTNAME=COM1 USERNAME=admin' -passthru | wait-process
+
+# verify that cloudbase-init tools exists
+if (-not(test-path -path "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts")){
+Write-output "cloudbase-init not installed exiting..."
+exit 1
+}
+
+move-item C:\Windows\Temp\cloudbase-init-unattend.conf "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init-unattend.conf" -force
+move-item C:\Windows\Temp\cloudbase-init.conf "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf" -force
+move-item C:\Windows\Temp\cloudbase-init-firstboot.ps1 "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\cloudbase-init-firstboot.ps1" -force
+start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "config cloudbase-init start= demand" -wait
diff --git a/scripts/configure-win.ps1 b/scripts/configure-win.ps1
new file mode 100644
index 0000000..877db1e
--- /dev/null
+++ b/scripts/configure-win.ps1
@@ -0,0 +1,74 @@ +# windows server cleanup + +# test to see if this is a desktop version of windows +$windesktop = (gwmi win32_operatingsystem).OperatingSystemSKU -notmatch "(\b[7-9]|10|1[2-5]|1[7-9]|2[0-5])" +if ($windesktop) +{ + write-output "This is a desktop version of windows" +} + +write-output "Disable Hybernation" +powercfg -hibernate OFF + +write-output "configure screen saver" +Set-ItemProperty -Path "registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop" -Name ScreenSaveActive -Value 0 + +write-output "change administrator user pass next login" +# this gets reset by sysprep/guest customization. need to set it again in the guest customization script. +net user localuser /logonpasswordchg:no + +write-output "Enable administrator account" +net user administrator /active:yes + +write-output "Disable firewall" +netsh advfirewall set allprofiles state off + +write-output "supress network location Prompt" +New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff" -Force + +# remove troublesome 3rd party app store apps that cause sysprep to fail +if ($windesktop) +{ + if ([Environment]::OSVersion.Version -ge (new-object 'Version' 10,0)) + { + Get-AppxPackage -user localuser PackageFullName | Remove-AppxPackage -ErrorAction SilentlyContinue + } +} + +## Optimize IPv6 settings +write-output "disable privacy IPv6 addresses" +netsh interface ipv6 set privacy state=disabled store=active +netsh interface ipv6 set privacy state=disabled store=persistent + +write-output "enable EUI-64 addressing" +netsh interface ipv6 set global randomizeidentifiers=disabled store=active +netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent + +write-output "Enable Remote Desktop" +(Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices).SetAllowTsConnections(1,1) | Out-Null +(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter 
"TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0) | Out-Null + +write-output "Clear windows autologon" +Remove-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -EA 0 +Remove-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -EA 0 +Remove-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -EA 0 +Remove-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserPassword -EA 0 + +# not the most secure option here.. +write-output "Enable remote command policy" +Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord + +# sysprep with wmf 5 fix +Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\StreamProvider -Name LastFullPayloadTime -Value 0 -Type DWord + +# set ntp to sync time before domain join +Write-Output "Setting System Time Zone to UTC `r" +tzutil.exe /s "UTC" + +write-output "setup guest customization shim" +if(!(Test-Path -Path "C:\Windows\Setup\Scripts" )){ + New-Item -ItemType directory -Path "C:\Windows\Setup\Scripts" +} +Set-Content -path C:\windows\setup\scripts\SetupComplete.cmd -value 'powershell -executionpolicy bypass -file C:\windows\setup\scripts\SetupComplete.ps1' +move-item c:\windows\temp\SetupComplete.ps1 c:\windows\setup\scripts\ + diff --git a/scripts/configure-windows-local-policy.ps1 b/scripts/configure-windows-local-policy.ps1 new file mode 100644 index 0000000..351c988 --- /dev/null +++ b/scripts/configure-windows-local-policy.ps1 
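Review bot: configure-win.ps1 turns the firewall off on all profiles with `netsh advfirewall set allprofiles state off`, enables Remote Desktop with `SetUserAuthenticationRequired(0)` (Network Level Authentication off) and sets `LocalAccountTokenFilterPolicy` to 1, which together leave the image reachable on every port with remote local-administrator logons receiving unfiltered tokens. Keep the firewall on and open only what is needed, as Win10-install.json does with `Enable-NetFirewallRule -DisplayGroup "Remote Desktop"`, and pass `SetUserAuthenticationRequired(1)`; Win10-install.json sets `UserAuthentication` to 1, so the two currently disagree. If `LocalAccountTokenFilterPolicy` is needed only during the build, set it back to 0 in the cleanup stage. The `net user localuser` and `Get-AppxPackage -user localuser` lines refer to an account that the answer files do not create. This hunk is split across two physical lines of the page.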
@@ -0,0 +1,106 @@ +$ProgressPreference="SilentlyContinue" + +# test to see if this is a desktop version of windows +$windesktop = (gwmi win32_operatingsystem).OperatingSystemSKU -notmatch "(\b[7-9]|10|1[2-5]|1[7-9]|2[0-5])" +if ($windesktop) +{ + write-output "This is a desktop version of windows" +} + +# get the windows kernel version +$KERNELVERSION = [Environment]::OSVersion.Version + +# example test for reference. +# 6.1 = Windows 7 & 2008 R2 +# 6.2 = Windows 8 & Server 2012 +# 6.3 = Windows 8.1 & Server 2012 R2 +# 10.0 = Windows 10 & Server 2016 +#if ($KERNELVERSION -ge (new-object 'Version' 10,0)) { +# write-output "Windows 10 kernel version" +#} + +# install PolicyFileEditor +Install-Module -Name PolicyFileEditor -Confirm:$false + +# disable windows defender +Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows Defender" -ValueName DisableAntiSpyware -Data 1 -Type DWord + +# reg unload +Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows\System" -ValueName DisableForceUnload -Data 1 -Type DWord + +# ProcessCreationIncludeCmdLine_Enabled +Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -ValueName ProcessCreationIncludeCmdLine_Enabled -Data 1 -Type DWord + +# set RDP Min encryption level +Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows NT\Terminal Services" -ValueName MinEncryptionLevel -Data 3 -Type DWord + +# set RPC encryption +Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows NT\Terminal Services" -ValueName fEncryptRPCTraffic -Data 1 -Type DWord + +Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key 
"Software\Policies\Microsoft\Windows NT\Terminal Services" -ValueName fPromptForPassword -Data 1 -Type DWord + +# limit log size +limit-eventlog -logname Security -MaximumSize 1048576kb + +# Windows 81 & 2012r2 or newer +if ($KERNELVERSION -ge (new-object 'Version' 6,3)) { + Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -ValueName EnableModuleLogging -Data 1 -Type DWord + Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -ValueName **delvals. -Data 1 -Type String + Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -ValueName Microsoft.Powershell.* -Data Microsoft.Powershell.* -Type String +} + +# Windows 10 specific policy +if ($KERNELVERSION -ge (new-object 'Version' 10,0)) { + write-output "Setting Windows Kernel Version 10 Policy" + # disable web results search bar + Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "Software\Policies\Microsoft\Windows\Windows Search" -ValueName ConnectedSearchUseWeb -Data 0 -Type DWord + # disable Cortana + Set-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key "SOFTWARE\Policies\Microsoft\Windows\Windows Search" -ValueName AllowCortana -Data 0 -Type DWord +} + +# show results +write-output "Listing configured local windows policies" +Get-PolicyFileEntry -Path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -All + + +write-output "Configure local security policy" +secedit /export /cfg c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('PasswordComplexity = 0', 'PasswordComplexity = 1') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('MaximumPasswordAge = 
42', 'MaximumPasswordAge = 90') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('MaximumPasswordAge = 0', 'MaximumPasswordAge = 90') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('PasswordHistorySize = 0', 'PasswordHistorySize = 10') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('DontDisplayLastUserName=4,0', 'DontDisplayLastUserName=4,1') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('CachedLogonsCount=1,"10"', 'CachedLogonsCount=1,"4"') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('RestrictAnonymous=4,0', 'RestrictAnonymous=4,1') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('FilterAdministratorToken=4,0', 'FilterAdministratorToken=4,1') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('LockoutBadCount = 0', "LockoutBadCount = 5`nResetLockoutCount = 15`nLockoutDuration = 15`n") | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('MinimumPasswordLength = 8', 'MinimumPasswordLength = 12') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('MinimumPasswordLength = 0', 'MinimumPasswordLength = 12') | Out-File c:\windows\temp\secpol.cfg +(get-content c:\windows\temp\secpol.cfg).replace('FilterAdministratorToken=4,0', 'FilterAdministratorToken=4,1') | Out-File c:\windows\temp\secpol.cfg +get-content c:\windows\temp\secpol.cfg +secedit /configure /db c:\windows\security\local.sdb /cfg c:\windows\temp\secpol.cfg /areas SECURITYPOLICY + +#audit policy +write-output "Configure local audit policy" +auditpol /set /subcategory:"Credential Validation" /failure:enable /success:enable +auditpol /set /subcategory:"Application Group Management" /failure:enable /success:enable +auditpol /set /subcategory:"Computer Account 
Management" /failure:enable /success:enable +auditpol /set /subcategory:"Distribution Group Management" /failure:enable /success:enable +auditpol /set /subcategory:"Other Account Management Events" /failure:enable /success:enable +auditpol /set /subcategory:"Security Group Management" /failure:enable /success:enable +auditpol /set /subcategory:"User Account Management" /failure:enable /success:enable +auditpol /set /subcategory:"Process Creation" /success:enable +auditpol /set /subcategory:"Account Lockout" /failure:enable /success:enable +auditpol /set /subcategory:"File Share" /failure:enable +auditpol /set /subcategory:"Registry" /failure:enable +auditpol /set /subcategory:"Removable Storage" /failure:enable /success:enable +auditpol /set /subcategory:"SAM" /failure:enable /success:enable +auditpol /set /subcategory:"Audit Policy Change" /failure:enable /success:enable +auditpol /set /subcategory:"Authentication Policy Change" /failure:enable /success:enable +auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable +auditpol /set /subcategory:"Security State Change" /failure:enable /success:enable +auditpol /set /subcategory:"Security System Extension" /failure:enable /success:enable +auditpol /set /subcategory:"Process Termination" /failure:enable /success:enable + + # report audit policy + auditpol.exe /get /category:* diff --git a/scripts/install_chocolatey.ps1 b/scripts/install_chocolatey.ps1 new file mode 100644 index 0000000..e99693d --- /dev/null +++ b/scripts/install_chocolatey.ps1 
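Review bot: The `DisableAntiSpyware` policy entry in configure-windows-local-policy.ps1 switches Microsoft Defender off for the whole image, and nothing in this commit installs a replacement, which sits oddly beside the audit and password hardening further down. Drop that entry unless another endpoint product is installed in the same build. `Install-Module -Name PolicyFileEditor -Confirm:$false` does not answer the NuGet-provider and untrusted-repository prompts in a non-interactive session; `Install-Module -Name PolicyFileEditor -RequiredVersion <pinned version> -Force` does, and pins what gets installed. The `secpol.cfg` edits match exact strings such as `MinimumPasswordLength = 8`, so an exported value that is not in the list is left unchanged without any message; checking the final file for the intended values would catch that. This hunk spans four physical lines of the page.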
@@ -0,0 +1,13 @@
+(new-object net.webclient).DownloadFile('https://chocolatey.org/install.ps1', 'C:\Windows\Temp\install.ps1')
+
+$env:chocolateyUseWindowsCompression = 'false'
+for($try = 0; $try -lt 5; $try++)
+{
+ & C:/Windows/Temp/install.ps1
+ if ($?) { exit 0 }
+ if (Test-Path C:\ProgramData\chocolatey) { exit 0 }
+ Write-Host "Failed to install chocolatey (Try #${try})"
+ Start-Sleep 2
+}
+Write-Error "Chocolatey failed to install, please re-build your machine again"
+exit 2
diff --git a/scripts/install_firefox.ps1 b/scripts/install_firefox.ps1
new file mode 100644
index 0000000..de2ce13
--- /dev/null
+++ b/scripts/install_firefox.ps1
@@ -0,0 +1,15 @@
+$date = Get-Date -Format "yyyy-MM-dd HH:mm"
+
+"$date Start Run" | Out-File 'C:\logs\customize.log' -Append
+$date = Get-Date -Format "yyyy-MM-dd HH:mm"
+"$date create install dir" | Out-File 'C:\logs\customize.log' -Append
+New-Item -Path "c:\" -Name "install" -ItemType "directory"
+$date = Get-Date -Format "yyyy-MM-dd HH:mm"
+"$date download firefox" | Out-File 'C:\logs\customize.log' -Append
+Invoke-WebRequest -Uri "https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=de" -OutFile "c:\install\firefox.exe"
+$date = Get-Date -Format "yyyy-MM-dd HH:mm"
+"$date install firefox" | Out-File 'C:\logs\customize.log' -Append
+c:\install\firefox -ms
+
+$date = Get-Date -Format "yyyy-MM-dd HH:mm"
+"$date Finish Run" | Out-File 'C:\logs\customize.log' -Append
diff --git a/scripts/install_virtio_guest.ps1 b/scripts/install_virtio_guest.ps1
new file mode 100644
index 0000000..7c78c4a
--- /dev/null
+++ b/scripts/install_virtio_guest.ps1
@@ -0,0 +1,6 @@
+Invoke-Webrequest -Uri "https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso" -OutFile "C:\tools\virtio-win.iso"
+
+$iso=Mount-DiskImage C:\tools\virtio-win.iso
+$driveletter=(Get-Volume -DiskImage $iso).DriveLetter
+
+msiexec /qb /x $driveletter":\virtio-win-gt-x64.msi"
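Review bot: In scripts/install_chocolatey.ps1 the downloaded `C:\Windows\Temp\install.ps1` is executed with nothing checking what was actually received, so the image's contents depend on whatever chocolatey.org serves at build time, presumably under the Administrator account the templates use for WinRM. A check placed before the loop, such as `if ((Get-AuthenticodeSignature 'C:\Windows\Temp\install.ps1').Status -ne 'Valid') { exit 1 }`, would reject a tampered or truncated file; this assumes the published script is Authenticode-signed, which should be confirmed. The `DownloadFile` call also sits outside the retry loop, so a failed download is never retried, and the `Test-Path C:\ProgramData\chocolatey` fallback reports success for a directory left behind by a partial install.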
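Review bot: `c:\install\firefox.exe` in scripts/install_firefox.ps1 is run straight after download with no signature or hash check, and the `firefox-latest-ssl` URL means each build may install a different, unrecorded version. Checking the signer before launch, e.g. `$sig = Get-AuthenticodeSignature 'c:\install\firefox.exe'` followed by `if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Mozilla') { exit 1 }`, closes the first gap. The installer is also started without waiting, so "Finish Run" is probably logged while setup is still running; `Start-Process 'c:\install\firefox.exe' -ArgumentList '-ms' -Wait` would make the log and the script's exit reflect the real result.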
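Review bot: The last line of scripts/install_virtio_guest.ps1 calls `msiexec /qb /x`, and `/x` is the uninstall switch, so despite the file name this removes the virtio guest tools rather than installing them; if installation is intended the switch should be `/i`. The ISO is also pulled from the moving `stable-virtio` path and mounted without any hash comparison; pinning a release and comparing `(Get-FileHash C:\tools\virtio-win.iso -Algorithm SHA256).Hash` with a recorded value (placeholder `<expected-sha256>`) before `Mount-DiskImage` would make the build reproducible and tamper-evident. msiexec is not waited on and the image is never dismounted, so `Start-Process msiexec -ArgumentList "/qb /i ${driveletter}:\virtio-win-gt-x64.msi" -Wait` followed by `Dismount-DiskImage -ImagePath C:\tools\virtio-win.iso` would be the safer ending.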
diff --git a/scripts/sysprep-shutdown.ps1 b/scripts/sysprep-shutdown.ps1
new file mode 100644
index 0000000..2b2880a
--- /dev/null
+++ b/scripts/sysprep-shutdown.ps1
@@ -0,0 +1,3 @@
+# Kick off sysprep
+start-process -FilePath 'C:/windows/System32/Sysprep/sysprep.exe' -ArgumentList '/oobe /generalize /shutdown "/unattend:C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\Unattend.xml"'
+exit 0
\ No newline at end of file
diff --git a/scripts/tools-winrm.ps1 b/scripts/tools-winrm.ps1
new file mode 100644
index 0000000..8b4c6b4
--- /dev/null
+++ b/scripts/tools-winrm.ps1
@@ -0,0 +1,9 @@
+# install vmware tools
+write-output "Starting VMare Tools install"
+
+## Download vmware tools
+$client = new-object System.Net.WebClient
+$client.DownloadFile("https://packages.vmware.com/tools/releases/latest/windows/x64/VMware-tools-10.0.9-3917699-x86_64.exe", "C:\windows\temp\setup64.exe" )
+
+#Write-host "Installing VMware Tools..."
+start-process -FilePath 'C:/Windows/Temp/setup64.exe' -ArgumentList '/S /v "/qn /l*v ""C:\windows\temp\vmwtoolsinstall.log"" ADDLOCAL=ALL REMOVE=Hgfs REBOOT=R"'
\ No newline at end of file
diff --git a/scripts/windows-update-winrm.ps1 b/scripts/windows-update-winrm.ps1
new file mode 100644
index 0000000..6043d77
--- /dev/null
+++ b/scripts/windows-update-winrm.ps1
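Review bot: scripts/tools-winrm.ps1 downloads `VMware-tools-10.0.9-3917699-x86_64.exe` and runs it silently without verifying a signature or hash, and the fixed build number is requested from a `releases/latest/` path, so the download will either break when that directory moves on or keep installing an outdated guest-tools build. Verify the file before the `start-process` line, e.g. `if ((Get-AuthenticodeSignature 'C:\windows\temp\setup64.exe').Status -ne 'Valid') { exit 1 }`, and point the URL at a versioned release directory. The templates earlier in this commit use the qemu builder with KVM, so it is worth confirming that VMware Tools is needed in these images at all. `start-process` is also missing `-Wait`, so the script returns before the installer has finished.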
@@ -0,0 +1,160 @@
+# Powershell version of install windows update via task scheduler
+# This script creates a logon task to run windows updates.
+# Depends on packer windows-restart to start the taks and stop winrm.
+# After all updaets are instaled winrm is started and the login task is removed.
+
+# setup window name and script name variable
+$scriptname="windows-update-winrm.ps1"
+$host.ui.RawUI.WindowTitle = "$scriptname"
+
+# start logging
+start-transcript -path c:\windows\temp\windows-update-winrm.log -append
+
+# Report the IE version Installed
+Write-output ("Installed IE Version currently is " + (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version)
+
+# Report the powershell version installed
+$powershellversion=$PSVersionTable.PSVersion
+write-output "Powershell version $powershellversion installed"
+if ($PSVersionTable.PSVersion.Major -lt 5) {
+ write-output "Powershell upgrade in previous step failed!!"
+ get-content "C:\Windows\wsusofflineupdate.log"
+ exit 1
+}
+
+# Report the version of windows update agent
+$wu_agent=(get-command C:\windows\system32\wups2.dll).version
+if ($wu_agent -ge [Version]"7.6.7601.19161") {
+ write-output "Windows Update agent is current! $wu_agent"
+} else {
+ write-output "Windows Update agent out of date! $wu_agent"
+}
+
+# Check to see if scheduled task called $scriptname exists
+if (schtasks /query /tn $scriptname 2>$null ) {
+ write-output "Checking for updates...."
+ Get-WUInstallerStatus
+ # hack to get buggy windows 7 to show updates
+ #if ([Environment]::OSVersion.Version -le [Version]"6.1.7601.65536") {
+ #if ((gwmi win32_operatingsystem).OperatingSystemSKU -notmatch "(\b[7-9]|10|1[2-5]|1[7-9]|2[0-5])") {
+ if ([Version](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version -le [Version]"9.11.9600.18231") {
+ write-output "Forcing Windows to search for updates until it finds some...."
+ while (-not(Get-WindowsUpdate -notCategory "Windows 7 Language Packs")) {
+ write-output "Still looking for updates...."
+ }
+ Write-output "Win Found some updates"
+ }
+ #}
+ #}
+ # Actually install the updates starts here..
+ if (Get-WindowsUpdate -notCategory "Windows 7 Language Packs" -NotTitle "Printer")
+ {
+ write-output "Starting Windows update installation..."
+ # run windows updates
+ Install-WindowsUpdate -IgnoreUserInput -AcceptALL -IgnoreReboot -verbose -notCategory "Windows 7 Language Packs"
+ # restart after every insstall of updates
+ stop-transcript
+ restart-computer
+ } else {
+ write-output "No updates found..."
+ # maybe check for systems that still show zero installed updates and reboot
+ #if (Get-WUList -IsInstalled) {write-output "updates have been installed"}
+ #remove scheduled task
+ schtasks /delete /tn $scriptname /f
+ # stop logging & dump to console so it gets recorded in packer log
+ #get-content c:\windows\temp\windows-update-winrm.log
+ # start winrm service and set to autostart
+ start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "config WinRM start= delayed-auto" -wait
+ #start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "start WinRM" -wait
+ stop-transcript
+ restart-computer
+ }
+} else {
+ # first run of script
+ # setup windows updater components
+ $ErrorActionPreference = 'Stop'
+ # install nuget
+ write-output "Installing NuGet"
+
+ [int]$attempts = 0
+ do {
+ try {
+ $attempts +=1
+ Get-PackageProvider -Name NuGet -ForceBootstrap
+ if (-not([string](Get-PackageProvider).name -match "NuGet")) { throw "Error installing NuGet" }
+ break
+ } catch {
+ write-host "Problem installing NuGet `tAttempt $attempts `
+ `n`tException: " $_.Exception.Message
+ start-sleep -s 20
+ }
+ }
+ while ($attempts -lt 10)
+ if ($attempts -ge 10) {
+ write-host "NuGet failed to install!!"
+ exit 1
+ }
+
+ # allow repo install
+ write-output "adding PSGallery repo"
+ Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
+
+ # install PSWindowsUpdate
+ write-output "Installing PSWindowsUpdate"
+ Install-Module -Name PSWindowsUpdate -Confirm:$false | out-null
+ write-output "Installed PSWindowsUpdate"
+
+ # attempt install early for debugging
+ #Get-WUInstallerStatus
+
+ #Get-WindowsUpdate -notCategory "Windows 7 Language Packs"
+ write-output "Modern windows update tools installed..."
+
+ ##### Debugging BS for windows 7 below..
+ #start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "config bits start= auto" -wait
+ #start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "config wuauserv start= auto" -wait
+ #start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "config appidsvc start= auto" -wait
+ #start-process -nonewwindow -FilePath "C:/Windows/system32/sc.exe" -ArgumentList "config cryptsvc start= auto" -wait
+
+ #if ([Environment]::OSVersion.Version -le [Version]"6.2") {
+ # Write-output "Installing KB KB2966583"
+ # Install-WindowsUpdate -KBArticleID KB2966583 -acceptall
+ #}
+
+ # Stops the windows update service.
+ # Get-Service -Name wuauserv | Stop-Service -Force -Verbose -ErrorAction SilentlyContinue
+
+ # Delete the contents of windows software distribution.
+ #write-output "Delete the contents of windows software distribution"
+ #Get-ChildItem "C:\Windows\SoftwareDistribution\*" -Recurse -Force -Verbose -ErrorAction SilentlyContinue | remove-item -force -recurse -ErrorAction SilentlyContinue
+
+ # setup windows update server from envrionment variables
+ #write-output "Windows Update Group $env:wsus_group"
+ #write-output "Windows Update Server $env:wsus_server"
+ # check if you can reach the wsus server
+ #If (test-connection -quiet $env:wsus_server) {
+ #$wsusserver="http://" + $env:wsus_server + ":8530"
+ #} elseif (test-connection -quiet 10.122.168.21) {
+ #$wsusserver="http://10.122.168.21:8530"
+ #} else {
+ #write-output "Unable to contact the wsus server. Using microsoft.com"
+ #}
+ # set windows updates to pull from local wsus server
+ #if ($wsusserver) {
+ #write-output "WSUS server contacted " $wsusserver
+ #New-Item -Path "HKLM:Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -force -ErrorAction SilentlyContinue
+ #Set-ItemProperty -Path "HKLM:\software\policies\Microsoft\Windows\WindowsUpdate" -Name WUServer -Value $wsusserver -Type String -force
+ #Set-ItemProperty -Path "HKLM:\software\policies\Microsoft\Windows\WindowsUpdate" -Name WUStatusServer -Value $wsusserver -Type String -force
+ #Set-ItemProperty -Path "HKLM:\software\policies\Microsoft\Windows\WindowsUpdate\AU" -Name UseWUServer -Value "1" -Type DWORD -force
+ #Set-ItemProperty -Path "HKLM:\software\policies\Microsoft\Windows\WindowsUpdate" -Name TargetGroupEnabled -Value "1" -Type DWORD -force
+ #Set-ItemProperty -Path "HKLM:\software\policies\Microsoft\Windows\WindowsUpdate" -Name TargetGroup -Value $env:wsus_group -Type String -force
+ #}
+ # set winrm to manual start to prevent packer from connecting on reboot
+ Set-Service -Name winrm -StartupType Manual
+ # if schedled task does not exist create it
+ Write-output "Creating scheduled task to start $scriptname with proper elevation"
+ # setup task scheduler login item to process this 
script next boot
+ schtasks /create /ru "BUILTIN\administrators" /sc ONLOGON /tn $scriptname /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\windows\temp\$scriptname" /rl highest /f /np
+ }
+stop-transcript
+exit 0
\ No newline at end of file
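Review bot: In the first-run branch of scripts/windows-update-winrm.ps1, `Set-PSRepository -Name PSGallery -InstallationPolicy Trusted` followed by an unpinned `Install-Module -Name PSWindowsUpdate` installs whatever version the gallery serves at build time, and that module is later run from a logon task created with `/rl highest`. Pin it with `Install-Module -Name PSWindowsUpdate -RequiredVersion <pinned-version> -Confirm:$false` and restore the policy afterwards with `Set-PSRepository -Name PSGallery -InstallationPolicy Untrusted`, so the trust setting is not left behind in the image. Separately, the NuGet retry loop prints "NuGet failed to install!!" and exits 1 when the tenth attempt succeeds, because `$attempts` is already 10 at the `break`; record success in a flag instead of re-testing the counter. The `while (-not(Get-WindowsUpdate ...))` loop has no delay or upper bound and can stall the build indefinitely.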