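<#
.SYNOPSIS
Prepares a Windows Server 2025 machine for use as a template.

.DESCRIPTION
Enables the built-in Administrator account, configures WinRM for Ansible,
enables Remote Desktop, optionally installs OpenSSH Server, cleans temporary
files, writes an unattend file from a template and finally runs
sysprep /oobe /generalize /shutdown. Every step modifies machine-wide state,
so the script must run in an elevated session; the machine powers off at the end.

.PARAMETER TimeZone
Windows time-zone id written in place of the __TIME_ZONE__ placeholder of the
unattend template. Defaults to "UTC".

.PARAMETER InstallOpenSsh
When present, installs and starts the OpenSSH Server capability and enables its
inbound firewall rule.
#>
[CmdletBinding()]
param(
    # An empty id would be copied verbatim into the unattend file; reject it
    # up front instead of discovering the problem at sysprep time.
    [ValidateNotNullOrEmpty()]
    [string]$TimeZone = "UTC",

    [switch]$InstallOpenSsh
)
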
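# Turn every cmdlet error into a terminating one. This does NOT cover native
# executables (net.exe, winrm.cmd, sysprep.exe): their exit codes have to be
# checked explicitly where they are called.
$ErrorActionPreference = "Stop"

# Presumably the repository root: the script is expected to live one directory
# below it, beside a files\ directory holding the unattend template — verify
# against the repository layout.
$root = Split-Path -Parent $PSScriptRoot
# NOTE(review): PowerShell does not treat "\" as an escape character inside
# double-quoted strings, so the "\\" below are literal doubled separators.
# Win32 path handling usually collapses them, but if the doubling is only an
# artifact of how this listing was rendered, the repository copy may already
# use single backslashes — confirm before touching these literals.
$unattendTemplate = Join-Path $root "files\\unattend.xml"
$generatedUnattend = "C:\\Windows\\Panther\\Unattend.xml"

# Fail fast: nothing should be changed on the machine if the template that
# Write-UnattendFile needs at the very end is missing.
if (-not (Test-Path -LiteralPath $unattendTemplate -PathType Leaf)) {
    throw "Unattend template not found: $unattendTemplate"
}
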
function Write-Step {
    # Prints a cyan "==> <Message>" progress line to the host (information
    # stream), so the output is visible even when stdout is redirected.
    param(
        [string] $Message
    )

    Write-Host -Object "==> $Message" -ForegroundColor Cyan
}

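function Ensure-AdministratorEnabled {
    # Activates the built-in Administrator account. The account is located by
    # its well-known RID (500) rather than by name, so a renamed account is
    # still matched.
    Write-Step "Enabling built-in Administrator account"
    $adminAccount = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if ($null -eq $adminAccount) {
        # The original code silently did nothing here; surface the condition so
        # a template without a usable admin account is noticed before sysprep.
        Write-Warning "Built-in Administrator account (RID 500) not found; nothing was enabled."
        return
    }

    # net.exe is a native command: $ErrorActionPreference = Stop does not react
    # to its exit code and Out-Null discards its error text, so check
    # $LASTEXITCODE explicitly instead of assuming the account is now active.
    & net user $adminAccount.Name /active:yes | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net user '$($adminAccount.Name)' /active:yes failed with exit code $LASTEXITCODE"
    }
}
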
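function Enable-RemoteDesktop {
    # Allows inbound RDP: clears fDenyTSConnections and enables the firewall
    # rules bound to the TermService service.
    #
    # NOTE(review): this only flips the deny-connections switch; the Network
    # Level Authentication setting (WinStations\RDP-Tcp\UserAuthentication)
    # is left as the image has it — confirm NLA stays required on the template.
    Write-Step "Enabling Remote Desktop"
    Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server" -Name "fDenyTSConnections" -Value 0

    # Rule objects returned by Get-NetFirewallRule do not carry the associated
    # service; that association is exposed by Get-NetFirewallServiceFilter.
    # Filtering on $_.Service against the rule object matches nothing, which
    # silently leaves the RDP rules disabled, so resolve the rules through
    # the service filter instead.
    $rules = @(Get-NetFirewallServiceFilter -Service "TermService" -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Get-NetFirewallRule -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No firewall rules bound to TermService were found; RDP may stay blocked by the firewall."
        return
    }
    $rules | Enable-NetFirewallRule | Out-Null
}
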
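function Enable-WinRmForAnsible {
    # Configures the WinRM service so Ansible can manage machines cloned from
    # this template: HTTP listener, unencrypted transport allowed, Basic and
    # Kerberos authentication enabled.
    #
    # NOTE(review): AllowUnencrypted together with Basic means the account
    # password crosses the wire base64-encoded over plain HTTP (TCP 5985).
    # That is only defensible on an isolated build network; for anything
    # else configure an HTTPS listener and keep AllowUnencrypted at $false.
    Write-Step "Configuring WinRM"

    # winrm.cmd is a native command: a non-zero exit is not turned into a
    # terminating error by $ErrorActionPreference, and Out-Null hides its
    # diagnostic output, so the exit code has to be checked by hand.
    winrm quickconfig -quiet | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "winrm quickconfig failed with exit code $LASTEXITCODE"
    }

    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
    Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $true
    # Service settings are read at start-up; restart so they take effect.
    Restart-Service WinRM
}
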
function Set-NetworkProfilesPrivate {
    # Recategorises every detected connection profile that is not already
    # Private. Presumably this is what lets the WinRM/RDP firewall rules
    # enabled later apply; Private is also the more permissive profile, so it
    # widens what the template accepts from its local network segment.
    #
    # NOTE(review): despite "where possible" in the message, a failing
    # Set-NetConnectionProfile terminates the whole script under
    # $ErrorActionPreference = Stop — confirm that is the intended behaviour.
    Write-Step "Switching detected network profiles to Private where possible"

    $notPrivate = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne "Private" }
    foreach ($netProfile in $notPrivate) {
        Set-NetConnectionProfile -InterfaceIndex $netProfile.InterfaceIndex -NetworkCategory Private
    }
}

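function Ensure-FirewallRules {
    # Enables the inbound firewall rules bound to the WinRM service in the
    # active policy store. winrm quickconfig (run earlier) normally creates its
    # own HTTP exception; this is a second line of defence for rules that exist
    # but were disabled.
    Write-Step "Opening firewall for WinRM"

    # Rule objects from Get-NetFirewallRule do not expose the owning service;
    # that association lives on the service filter. Matching $_.Service on the
    # rule selects nothing and leaves the port closed without any error.
    # NOTE(review): if the built-in WinRM rules on this OS are bound to the
    # System program rather than the WinRM service, this still selects nothing
    # and the exception relies on winrm quickconfig alone; selecting by rule
    # name (WINRM-HTTP-In-TCP*) would be the locale-independent alternative.
    $rules = @(Get-NetFirewallServiceFilter -Service "WinRM" -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Get-NetFirewallRule -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No firewall rules bound to the WinRM service were found."
        return
    }
    $rules | Enable-NetFirewallRule | Out-Null
}
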
function Install-OpenSshServer {
    # Installs the OpenSSH Server capability, makes sshd start automatically,
    # starts it now and enables its inbound firewall rule when that rule exists.
    #
    # NOTE(review): sshd_config is not touched here, so the capability's
    # defaults apply (password authentication included, as far as I know) —
    # decide whether the template should restrict that before generalising.
    Write-Step "Installing OpenSSH Server"

    $null = Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
    Set-Service -Name sshd -StartupType Automatic
    Start-Service sshd

    # The rule is presumably created by the capability install or the first
    # sshd start; look it up first so a missing rule does not terminate the
    # script under $ErrorActionPreference = Stop.
    $sshRule = Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue
    if ($sshRule) {
        $null = $sshRule | Enable-NetFirewallRule
    }
}

function Clear-TemporaryFiles {
    # Best-effort removal of everything under the user and system temp
    # directories. Locked or in-use entries are skipped silently on purpose:
    # both the enumeration and the removal run with -ErrorAction SilentlyContinue.
    Write-Step "Cleaning temporary files"

    $tempDirs = @("$env:TEMP", "C:\\Windows\\Temp")
    foreach ($dir in $tempDirs) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    }
}

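function Write-UnattendFile {
    # Renders the unattend template ($unattendTemplate) by replacing the
    # __TIME_ZONE__ placeholder with $TimeZone and writes the result to
    # $generatedUnattend, where Run-Sysprep picks it up.
    #
    # NOTE(review): everything else in the template is written to disk
    # verbatim — confirm it holds no credentials, or that a later step
    # sanitises the generated file.
    Write-Step "Generating unattend file"

    $content = Get-Content -Path $unattendTemplate -Raw
    # The value lands inside an XML element: escape it so a time-zone id
    # containing &, <, > or quotes cannot produce malformed XML. Real Windows
    # time-zone ids contain none of these, so the usual case is unchanged.
    $safeTimeZone = [System.Security.SecurityElement]::Escape($TimeZone)
    $content = $content.Replace("__TIME_ZONE__", $safeTimeZone)

    # -Encoding UTF8 writes a BOM under Windows PowerShell 5.1 but not under
    # PowerShell 7; keep that in mind if the output ever looks different.
    Set-Content -Path $generatedUnattend -Value $content -Encoding UTF8
}
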
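function Run-Sysprep {
    # Generalises the image using the unattend file produced by
    # Write-UnattendFile and shuts the machine down. Because of /shutdown this
    # function normally never returns; if it does, sysprep aborted.
    Write-Step "Running sysprep"

    $sysprepExe = "C:\\Windows\\System32\\Sysprep\\Sysprep.exe"
    $arguments = "/oobe /generalize /shutdown /unattend:$generatedUnattend"

    # Start-Process does not propagate the child's exit status, so capture the
    # process object and check it; otherwise a failed sysprep (details in the
    # Sysprep\Panther log directory) would look like success to the caller.
    $process = Start-Process -FilePath $sysprepExe -ArgumentList $arguments -Wait -PassThru
    if ($process.ExitCode -ne 0) {
        throw "Sysprep exited with code $($process.ExitCode)"
    }
}
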
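Write-Step "Starting Windows Server 2025 template preparation"

# Fail before touching anything if the session is not elevated: every step
# below writes HKLM, WSMan:, firewall or service state and would otherwise
# fail part-way through, leaving the template half-configured.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "This script must be run from an elevated (Administrator) PowerShell session."
}

# Order matters: network profiles are switched to Private before the WinRM
# and RDP firewall rules are enabled, and sysprep runs last because it shuts
# the machine down.
Ensure-AdministratorEnabled
Set-NetworkProfilesPrivate
Enable-WinRmForAnsible
Ensure-FirewallRules
Enable-RemoteDesktop

if ($InstallOpenSsh) {
    Install-OpenSshServer
}

Clear-TemporaryFiles
Write-UnattendFile
Run-Sysprep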