# Win2025-Sysprep

Files for building a reusable `Win2025-Sysprep` template for vSphere, Terraform, and Ansible Semaphore.

## Included

- `scripts/Prepare-Win2025Sysprep.ps1` prepares Windows Server 2025 for templating.
- `files/unattend.xml` is the answer file used by `sysprep`.

## Manual prep before running the script

1. Install Windows Server 2025 in a dedicated VM.
2. Install VMware Tools.
3. Sign in as the local `Administrator`.
4. Apply Windows updates and any baseline OS settings you want baked into the template.
5. Copy this folder to the VM, for example to `C:\Build\Win2025-Sysprep`.

## What the script does

- enables WinRM for Ansible;
- opens firewall rules for WinRM and RDP;
- enables RDP;
- enables the built-in `Administrator` account;
- switches network profiles to `Private` when possible;
- cleans temporary files;
- generates `unattend.xml`;
- runs `sysprep /generalize /oobe /shutdown`.

## Run

Open PowerShell as Administrator and run:

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
cd C:\Build\Win2025-Sysprep
.\scripts\Prepare-Win2025Sysprep.ps1
```

If you want OpenSSH installed too:

```powershell
.\scripts\Prepare-Win2025Sysprep.ps1 -InstallOpenSsh
```

If you want a different time zone:

```powershell
.\scripts\Prepare-Win2025Sysprep.ps1 -TimeZone "Russian Standard Time"
```

## After the VM shuts down

1. Confirm the VM is powered off in vSphere.
2. Convert the VM to a template.
3. Name the template `Win2025-Sysprep`.
4. Use that name as the value of the Terraform variable `vm_template`.

## Checklist before converting to template

- VMware Tools are installed and healthy.
- WinRM is responding.
- The VM shut down because of `sysprep`, not because of a crash or a manual power-off.
- The VM is not domain joined.
- No machine-specific secrets or unique data remain on the server.
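The checklist above (and the quick WinRM check in the next section) can be turned into a single readiness script that is run inside the source VM, as Administrator, right before handing off to `sysprep`. The script below is an added example, not part of this repository or of `Prepare-Win2025Sysprep.ps1`; the `$BuildRoot` default and the answer-file location it inspects are assumptions, and the plaintext-password check only looks for `<PlainText>true</PlainText>` in a copied `unattend.xml`.

```powershell
# Added example (not part of the repository): pre-sysprep readiness check.
# Each check maps to one item of the "Checklist before converting to template"
# plus the WinRM settings the prep script is expected to leave behind.

function Test-TemplateReadiness {
    [CmdletBinding()]
    param(
        # Hypothetical default: where this folder was copied into the VM.
        [string]$BuildRoot = 'C:\Build\Win2025-Sysprep'
    )

    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # VMware Tools service (service name VMTools) must exist and be running.
    $tools = Get-Service -Name VMTools -ErrorAction SilentlyContinue
    Add-Check 'VMware Tools running' ($null -ne $tools -and $tools.Status -eq 'Running') "$($tools.Status)"

    # WinRM: service up, at least one listener, and the local endpoint answers.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    Add-Check 'WinRM service running' ($null -ne $winrm -and $winrm.Status -eq 'Running') "$($winrm.Status)"
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    Add-Check 'WinRM listener configured' ($listeners.Count -gt 0) `
        (($listeners | ForEach-Object { $_.Keys -join ',' }) -join '; ')
    $wsman = Test-WSMan -ErrorAction SilentlyContinue
    Add-Check 'Test-WSMan responds' ($null -ne $wsman) "$($wsman.ProductVersion)"

    # Unencrypted payloads should stay off: Kerberos/NTLM wrap HTTP traffic in
    # message-level encryption, but Basic auth over HTTP would send plaintext.
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction SilentlyContinue).Value
    Add-Check 'WinRM AllowUnencrypted is false' ($unenc -eq 'false') "AllowUnencrypted=$unenc"

    # Inbound firewall rules the prep script opens.
    $fwWinRm = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    Add-Check 'WinRM inbound firewall rule enabled' ($fwWinRm.Count -gt 0) "$($fwWinRm.Count) rule(s)"
    $fwRdp = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    Add-Check 'RDP inbound firewall rule enabled' ($fwRdp.Count -gt 0) "$($fwRdp.Count) rule(s)"

    # RDP itself is enabled when fDenyTSConnections is 0.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
    Add-Check 'RDP enabled' ($null -ne $rdp -and $rdp.fDenyTSConnections -eq 0) "fDenyTSConnections=$($rdp.fDenyTSConnections)"

    # The built-in Administrator is the account with RID 500, even if renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    Add-Check 'Built-in Administrator enabled' ($null -ne $admin -and $admin.Enabled) "$($admin.Name)"

    # Golden image must not be domain joined.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Add-Check 'Not domain joined' (-not $cs.PartOfDomain) "Domain/workgroup: $($cs.Domain)"

    # Network profiles should be Private so the WinRM rules apply after cloning.
    $nonPrivate = @(Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne 'Private' })
    Add-Check 'All network profiles Private' ($nonPrivate.Count -eq 0) `
        (($nonPrivate | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; ')

    # Machine-specific secrets: flag an answer file that carries a plaintext password.
    $answer = Join-Path $BuildRoot 'files\unattend.xml'
    $plain = $false
    if (Test-Path $answer) {
        $plain = (Get-Content -Path $answer -Raw) -match '<PlainText>\s*true\s*</PlainText>'
    }
    Add-Check 'No plaintext password in answer file' (-not $plain) $answer

    return $results
}

# Usage: print the table and warn if anything failed.
$checks = Test-TemplateReadiness
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Template is not ready; fix the failing checks before running sysprep.'
}
```

The checks only read state; nothing is changed. Run it once before `sysprep` and keep the output with the build notes so a failing clone can be traced back to the image rather than to Terraform or Ansible.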
## Quick WinRM check

Before running `sysprep`, you can verify locally:

```powershell
winrm enumerate winrm/config/listener
Test-WSMan
```

## Notes

- The computer name inside the source VM is not important because Terraform `windows_options` will rename cloned VMs.
- Do not join the template to the domain in advance.
- If you plan to use WinRM over HTTPS, it is usually better to issue the certificate after cloning, not inside the golden image.
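The last note above is the reason the template ships with only the HTTP listener: a certificate baked into the golden image would be cloned into every VM with the same private key and a name that no longer matches after `windows_options` renames the machine. The script below is an added example of the post-clone step, not code from this repository; it assumes a server certificate has already been issued into `Cert:\LocalMachine\My` (for example by an internal CA) and takes its thumbprint as a parameter. The function name, the firewall rule name and the `<THUMBPRINT>` placeholder are this example's own.

```powershell
# Added example (not part of the repository): enable a WinRM HTTPS listener on a
# freshly cloned VM, after Terraform has renamed it, using a certificate that was
# issued to the clone's final hostname.

function Enable-WinRmHttpsListener {
    [CmdletBinding()]
    param(
        # Thumbprint of a CA-issued server certificate already in Cert:\LocalMachine\My.
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        # Hostname the certificate was issued for; defaults to the post-clone FQDN.
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        # Remove the plaintext HTTP listener once HTTPS is confirmed working.
        [switch]$RemoveHttpListener
    )

    # Refuse to bind a certificate that cannot actually serve TLS.
    $cert = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $CertificateThumbprint has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

    # Create (or replace) the HTTPS listener bound to all addresses.
    $existing = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if ($existing) { Remove-Item -Path $existing.PSPath -Recurse -Force }
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $HostName -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

    # With TLS in place, unencrypted payloads have no reason to be allowed.
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

    # Open 5986 inbound on Domain/Private only (rule name is this example's own).
    if (-not (Get-NetFirewallRule -Name 'WINRM-HTTPS-In-TCP-Example' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name 'WINRM-HTTPS-In-TCP-Example' -DisplayName 'WinRM over HTTPS (5986)' `
            -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain,Private | Out-Null
    }

    if ($RemoveHttpListener) {
        Get-ChildItem WSMan:\localhost\Listener |
            Where-Object { $_.Keys -contains 'Transport=HTTP' } |
            ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }
        # Disable (rather than delete) the built-in 5985 rules so the change is auditable.
        Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -ErrorAction SilentlyContinue |
            Disable-NetFirewallRule
    }

    Restart-Service -Name WinRM

    # Verify from the box itself; this fails if the chain is untrusted or the name does not match.
    Test-WSMan -ComputerName $HostName -UseSSL -ErrorAction Stop
}

# Usage (placeholder thumbprint; use the one issued to this clone):
# Enable-WinRmHttpsListener -CertificateThumbprint '<THUMBPRINT>'
# Once Ansible connects over 5986, rerun with -RemoveHttpListener to drop the HTTP path.
```

Keeping `-RemoveHttpListener` as a second, deliberate step means a failed certificate or a DNS mismatch never locks Ansible out of a fresh clone; the HTTP listener the template provides stays available until HTTPS has been verified end to end.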