ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update roles

Browse Source
This commit is contained in:
Patrick Toal
2021-04-20 12:14:42 -04:00
parent 8005080b8b
commit 595021d449
131 changed files with 4144 additions and 3018 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/oatakan.windows_template_build/README.md
View File

@@ -21,6 +21,7 @@ A list of roles that this role utilizes:
- oatakan.windows_ec2_ena_driver
- oatakan.windows_ovirt_guest_agent
- oatakan.windows_update
- oatakan.windows_virtio
- oatakan.windows_vmware_tools
- oatakan.windows_virtualbox_guest_additions

29
roles/oatakan.windows_template_build/defaults/main.yml
View File

@@ -4,24 +4,44 @@ install_updates: yes
remove_apps: no
clean_up_components: yes
upgrade_powershell: no
powershell_target_version: 4.0
powershell_target_version: 3.0
temp_directory: "{{ ansible_env.TEMP }}"
update_retry_limit: 10
upgrade_wait_timeout: 600
powershell_script_url: https://raw.githubusercontent.com/jborean93/ansible-windows/master/scripts/Upgrade-PowerShell.ps1
powershell_script_url: https://raw.githubusercontent.com/oatakan/ansible-role-windows-template-build/master/files/Upgrade-PowerShell.ps1
powershell_upgrade_script_file: 'C:\Upgrade-PowerShell.ps1'
ps_memfix_script_url: https://raw.githubusercontent.com/oatakan/ansible-role-windows-template-build/master/files/Install-WMF3Hotfix.ps1
ps_memfix_script_file: 'C:\Install-WMF3Hotfix.ps1'
set_network_to_private: '([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))).GetNetworkConnections() | % {$_.GetNetwork().SetCategory(1)}'
enable_tlsv12_hotfix_download_location: "{{ ansible_env.TEMP }}"
enable_tlsv12_hotfix:
kb: KB3080079
file: Windows6.1-KB3080079-x64.msu
url: https://download.microsoft.com/download/F/4/1/F4154AD2-2119-48B4-BF99-CC15F68E110D/Windows6.1-KB3080079-x64.msu
enable_tls_support_hotfix_download_location: 'C:\Windows\Temp'
enable_tls_support_hotfix:
kb: kb3154518
file: windows6.1-kb3154518-x64.msu
url: http://download.microsoft.com/download/6/8/0/680ee424-358c-4fdf-a0de-b45dee07b711/windows6.1-kb3154518-x64.msu
dot_net_security_hotfix_download_location: 'C:\Windows\Temp'
dot_net_security_hotfix:
kb: KB2898850
file: Windows8.1-KB2898850-x64.msu
url: http://download.microsoft.com/download/C/6/9/C690CC33-18F7-405D-B18A-0A8E199E531C/Windows8.1-KB2898850-x64.msu
windows_update_agent_url: http://download.windowsupdate.com/windowsupdate/redist/standalone/7.6.7600.320/windowsupdateagent-7.6-x64.exe
#sdelete_download_url: http://web.archive.org/web/20140902022253/http://download.sysinternals.com/files/SDelete.zip
bleachbit_download_url: https://download.bleachbit.org/BleachBit-2.2-portable.zip
bleachbit_download_url: https://download.bleachbit.org/BleachBit-4.0.0-portable.zip
sdelete_download_url: https://download.sysinternals.com/files/SDelete.zip
#ultradefrag_download_url: http://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip
ultradefrag_download_url: https://astuteinternet.dl.sourceforge.net/project/ultradefrag/stable-release/7.1.3/ultradefrag-portable-7.1.3.bin.amd64.zip
ultradefrag_download_url: https://sourceforge.net/projects/ultradefrag/files/stable-release/7.1.4/ultradefrag-portable-7.1.4.bin.amd64.zip/download
enable_auto_logon: yes
@@ -38,6 +58,7 @@ ovirt_guest_agent_role: oatakan.windows_ovirt_guest_agent
virtio_role: oatakan.windows_virtio
vmware_tools_role: oatakan.windows_vmware_tools
virtualbox_guest_additions_role: oatakan.windows_virtualbox_guest_additions
windows_update_role: oatakan.windows_update
policy:
allow_unauthenticated_guest_access: no

229
roles/oatakan.windows_template_build/files/win-updates.ps1
View File

@@ -1,229 +0,0 @@
param($global:RestartRequired=0,
$global:MoreUpdates=0,
$global:MaxCycles=5,
$MaxUpdatesPerCycle=500)
$Logfile = "C:\Windows\Temp\win-updates.log"
function LogWrite {
Param ([string]$logstring)
$now = Get-Date -format s
Add-Content $Logfile -value "$now $logstring"
Write-Host $logstring
}
function Check-ContinueRestartOrEnd() {
$RegistryKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
$RegistryEntry = "CustomRebootRequired"
switch ($global:RestartRequired) {
0 {
$prop = (Get-ItemProperty $RegistryKey).$RegistryEntry
if ($prop) {
LogWrite "Restart Registry Entry Exists - Removing It"
Remove-ItemProperty -Path $RegistryKey -Name $RegistryEntry -ErrorAction SilentlyContinue
}
LogWrite "No Restart Required"
Check-WindowsUpdates
if (($global:MoreUpdates -eq 1) -and ($script:Cycles -le $global:MaxCycles)) {
Install-WindowsUpdates
} elseif ($script:Cycles -gt $global:MaxCycles) {
LogWrite "Exceeded Cycle Count - Stopping"
} else {
LogWrite "Done Installing Windows Updates"
}
}
1 {
$prop = (Get-ItemProperty $RegistryKey).$RegistryEntry
if (-not $prop) {
LogWrite "Restart Registry Entry Does Not Exist - Creating It"
Set-ItemProperty -Path $RegistryKey -Name $RegistryEntry -Value "1"
} else {
LogWrite "Restart Registry Entry Exists Already"
}
#LogWrite "Restart Required - Restarting..."
#Restart-Computer
}
default {
LogWrite "Unsure If A Restart Is Required"
break
}
}
}
function Install-WindowsUpdates() {
$script:Cycles++
LogWrite "Evaluating Available Updates with limit of $($MaxUpdatesPerCycle):"
$UpdatesToDownload = New-Object -ComObject 'Microsoft.Update.UpdateColl'
$script:i = 0;
$CurrentUpdates = $SearchResult.Updates
while($script:i -lt $CurrentUpdates.Count -and $script:CycleUpdateCount -lt $MaxUpdatesPerCycle) {
$Update = $CurrentUpdates.Item($script:i)
if (($Update -ne $null) -and (!$Update.IsDownloaded)) {
[bool]$addThisUpdate = $false
if ($Update.InstallationBehavior.CanRequestUserInput) {
LogWrite "> Skipping: $($Update.Title) because it requires user input"
} else {
if (!($Update.EulaAccepted)) {
LogWrite "> Note: $($Update.Title) has a license agreement that must be accepted. Accepting the license."
$Update.AcceptEula()
[bool]$addThisUpdate = $true
$script:CycleUpdateCount++
} else {
[bool]$addThisUpdate = $true
$script:CycleUpdateCount++
}
}
if ([bool]$addThisUpdate) {
LogWrite "Adding: $($Update.Title)"
$UpdatesToDownload.Add($Update) |Out-Null
}
}
$script:i++
}
if ($UpdatesToDownload.Count -eq 0) {
LogWrite "No Updates To Download..."
} else {
LogWrite 'Downloading Updates...'
$ok = 0;
while (! $ok) {
try {
$Downloader = $UpdateSession.CreateUpdateDownloader()
$Downloader.Updates = $UpdatesToDownload
$Downloader.Download()
$ok = 1;
} catch {
LogWrite $_.Exception | Format-List -force
LogWrite "Error downloading updates. Retrying in 30s."
$script:attempts = $script:attempts + 1
Start-Sleep -s 30
}
}
}
$UpdatesToInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
[bool]$rebootMayBeRequired = $false
LogWrite 'The following updates are downloaded and ready to be installed:'
foreach ($Update in $SearchResult.Updates) {
if (($Update.IsDownloaded)) {
LogWrite "> $($Update.Title)"
$UpdatesToInstall.Add($Update) |Out-Null
if ($Update.InstallationBehavior.RebootBehavior -gt 0){
[bool]$rebootMayBeRequired = $true
}
}
}
if ($UpdatesToInstall.Count -eq 0) {
LogWrite 'No updates available to install...'
$global:MoreUpdates=0
$global:RestartRequired=0
break
}
if ($rebootMayBeRequired) {
LogWrite 'These updates may require a reboot'
$global:RestartRequired=1
}
LogWrite 'Installing updates...'
$Installer = $script:UpdateSession.CreateUpdateInstaller()
$Installer.Updates = $UpdatesToInstall
$InstallationResult = $Installer.Install()
LogWrite "Installation Result: $($InstallationResult.ResultCode)"
LogWrite "Reboot Required: $($InstallationResult.RebootRequired)"
LogWrite 'Listing of updates installed and individual installation results:'
if ($InstallationResult.RebootRequired) {
$global:RestartRequired=1
} else {
$global:RestartRequired=0
}
for($i=0; $i -lt $UpdatesToInstall.Count; $i++) {
New-Object -TypeName PSObject -Property @{
Title = $UpdatesToInstall.Item($i).Title
Result = $InstallationResult.GetUpdateResult($i).ResultCode
}
LogWrite "Item: " $UpdatesToInstall.Item($i).Title
LogWrite "Result: " $InstallationResult.GetUpdateResult($i).ResultCode;
}
Check-ContinueRestartOrEnd
}
function Check-WindowsUpdates() {
LogWrite "Checking For Windows Updates"
$Username = $env:USERDOMAIN + "\" + $env:USERNAME
New-EventLog -Source $ScriptName -LogName 'Windows Powershell' -ErrorAction SilentlyContinue
$Message = "Script: " + $ScriptPath + "`nScript User: " + $Username + "`nStarted: " + (Get-Date).toString()
Write-EventLog -LogName 'Windows Powershell' -Source $ScriptName -EventID "104" -EntryType "Information" -Message $Message
LogWrite $Message
$script:UpdateSearcher = $script:UpdateSession.CreateUpdateSearcher()
$script:successful = $FALSE
$script:attempts = 0
$script:maxAttempts = 12
while(-not $script:successful -and $script:attempts -lt $script:maxAttempts) {
try {
$script:SearchResult = $script:UpdateSearcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$script:successful = $TRUE
} catch {
LogWrite $_.Exception | Format-List -force
LogWrite "Search call to UpdateSearcher was unsuccessful. Retrying in 10s."
$script:attempts = $script:attempts + 1
Start-Sleep -s 10
}
}
if ($SearchResult.Updates.Count -ne 0) {
$Message = "There are " + $SearchResult.Updates.Count + " more updates."
LogWrite $Message
try {
for($i=0; $i -lt $script:SearchResult.Updates.Count; $i++) {
LogWrite $script:SearchResult.Updates.Item($i).Title
LogWrite $script:SearchResult.Updates.Item($i).Description
LogWrite $script:SearchResult.Updates.Item($i).RebootRequired
LogWrite $script:SearchResult.Updates.Item($i).EulaAccepted
}
$global:MoreUpdates=1
} catch {
LogWrite $_.Exception | Format-List -force
LogWrite "Showing SearchResult was unsuccessful. Rebooting."
$global:RestartRequired=1
$global:MoreUpdates=0
Check-ContinueRestartOrEnd
LogWrite "Show never happen to see this text!"
Restart-Computer
}
} else {
LogWrite 'There are no applicable updates'
$global:RestartRequired=0
$global:MoreUpdates=0
}
}
$script:ScriptName = $MyInvocation.MyCommand.ToString()
$script:ScriptPath = $MyInvocation.MyCommand.Path
$script:UpdateSession = New-Object -ComObject 'Microsoft.Update.Session'
$script:UpdateSession.ClientApplicationID = 'Packer Windows Update Installer'
$script:UpdateSearcher = $script:UpdateSession.CreateUpdateSearcher()
$script:SearchResult = New-Object -ComObject 'Microsoft.Update.UpdateColl'
$script:Cycles = 0
$script:CycleUpdateCount = 0
Check-WindowsUpdates
if ($global:MoreUpdates -eq 1) {
Install-WindowsUpdates
} else {
Check-ContinueRestartOrEnd
}

2
roles/oatakan.windows_template_build/meta/.galaxy_install_info
View File

@@ -1,2 +1,2 @@
install_date: Wed Jun 24 18:44:34 2020
install_date: Tue Apr 20 16:13:51 2021
version: master

7
roles/oatakan.windows_template_build/tasks/compact.yml
View File

@@ -27,6 +27,10 @@
path: https://download.microsoft.com/download/5/D/8/5D8C65CB-C849-4025-8E95-C3966CAFD8AE/vcredist_x86.exe
product_id: '{9BE518E6-ECC6-35A9-88E4-87755C07200F}'
arguments: '/qb!'
register: install_visual_c
until: install_visual_c is success
delay: 3
retries: 5
when: "'Windows Server 2008' in ansible_distribution"
- name: stop windows update service
@@ -91,6 +95,7 @@
win_get_url:
url: '{{ ultradefrag_download_url }}'
dest: '{{ temp_directory }}\win_build\ultradefrag.zip'
follow_redirects: all
register: download_ultradefrag
until: download_ultradefrag is success
delay: 3
@@ -103,7 +108,7 @@
- name: set udefrag extract directory
set_fact:
udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-7.1.3.amd64'
udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-7.1.4.amd64'
- name: defrag with ultradefrag
win_shell: '{{ udefrag_dir }}\udefrag.exe --optimize --repeat C:'

32
roles/oatakan.windows_template_build/tasks/enable-tlsv12.yml
View File

@@ -13,16 +13,29 @@
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- pause:
seconds: 10
- name: download hotfix
win_get_url:
url: '{{ enable_tlsv12_hotfix.url }}'
dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
register: download_hotfix
until: download_hotfix is success
delay: 3
retries: 5
- name: install hotfix
- name: install hotfix (PS >= 4)
win_hotfix:
source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: present
register: hotfix_install
when: ansible_powershell_version is version('4', '>=')
- name: install hotfix (PS == 3)
win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
register: hotfix_install
when: ansible_powershell_version is version('3', '==')
- name: debug hotfix installation result
debug:
@@ -35,7 +48,7 @@
- name: reboot if needed
win_reboot:
when: hotfix_install.reboot_required
when: hotfix_install.reboot_required | default(False)
- name: enable TLSv1.2 support
win_regedit:
@@ -59,10 +72,25 @@
property: DisabledByDefault
value: 0
- name: enable strong crypto
win_regedit:
path: HKLM:\{{ item }}
name: SchUseStrongCrypto
data: 1
type: dword
state: present
loop:
- 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
- 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
- name: ensure Windows ADK with DISM is removed
win_chocolatey:
name: windows-adk-deploy
state: absent
register: remove_win_adk_dism
until: remove_win_adk_dism is success
delay: 3
retries: 5
- name: reboot if TLS config was applied
win_reboot:

14
roles/oatakan.windows_template_build/tasks/main.yml
View File

@@ -9,9 +9,16 @@
- include_tasks: enable-tlsv12.yml
when: upgrade_powershell | bool
- include_tasks: update-agent-win2008.yml
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- include_tasks: security-update-win2012.yml
when: "'Windows Server 2012' in ansible_distribution or 'Windows 8' in ansible_distribution"
- include_tasks: disable-auto-logon.yml
- include_tasks: updates.yml
- include_role:
name: "{{ windows_update_role }}"
when: install_updates | bool
- include_role:
@@ -35,7 +42,7 @@
- include_tasks: policy.yml
- include_tasks: power.yml
when: "'Windows 10' in ansible_distribution"
when: "'Server' not in ansible_distribution"
- include_tasks: enable-rdp.yml
@@ -44,13 +51,14 @@
- "'VMware' not in ansible_product_name"
- "'VirtualBox' not in ansible_product_name"
- ('KubeVirt' not in ansible_system_vendor | default(False))
- ('Red Hat' not in ansible_system_vendor | default(False))
- not target_ovirt | bool
- not target_vagrant | bool
- include_tasks: remove-apps-alt-2.yml
when:
- remove_apps | bool
- "'Windows 10' in ansible_distribution"
- "'Server' not in ansible_distribution"
- include_role:
name: "{{ ec2_ena_driver_role }}"

7
roles/oatakan.windows_template_build/tasks/policy.yml
View File

@@ -9,11 +9,16 @@
type: dword
when: policy.allow_unauthenticated_guest_access|bool
- name: set connection profile to private
- name: set connection profile to private (Windows 10)
win_shell: Set-NetConnectionProfile -NetworkCategory Private
when:
- "'Windows 10' in ansible_distribution"
- name: set connection profile to private (Windows 7)
win_shell: '{{ set_network_to_private }}'
when:
- "'Windows 7' in ansible_distribution"
- name: Ensure local account password doesn't expire
win_user:
name: "{{ ansible_user }}"

42
roles/oatakan.windows_template_build/tasks/powershell-upgrade.yml
View File

@@ -1,7 +1,9 @@
---
- include_tasks: enable_tls_system_default.yml
- name: download script
raw: '(New-Object -TypeName System.Net.WebClient).DownloadFile("{{ powershell_script_url }}", "{{ powershell_upgrade_script_file }}")'
raw: '[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072); (New-Object -TypeName System.Net.WebClient).DownloadFile("{{ powershell_script_url }}", "{{ powershell_upgrade_script_file }}")'
changed_when: False
check_mode: no
register: download_script
@@ -13,12 +15,12 @@
ignore_errors: yes
- name: delete scheduled task if it exists
raw: 'SCHTASKS /Delete /TN upgrade'
raw: 'SCHTASKS /Delete /TN upgrade /f'
args:
executable: cmd.exe
changed_when: False
check_mode: no
ignore_errors: yes
failed_when: False
- name: create a scheduled task to run powershell script
raw: >
@@ -30,6 +32,15 @@
changed_when: False
check_mode: no
- name: start windows update service
raw: net start wuauserv
args:
executable: cmd.exe
failed_when: false
- pause:
seconds: 60
- name: run scheduled task
raw: 'SCHTASKS /Run /TN upgrade'
args:
@@ -37,11 +48,30 @@
changed_when: False
check_mode: no
- pause:
seconds: "{{ upgrade_wait_timeout }}"
- name: wait for powershell upgrade task to finish
raw: '((schtasks /query /TN upgrade)[4] -split " +")[-2]'
changed_when: False
check_mode: no
register: upgrade_status_check
failed_when: false
until: (upgrade_status_check.stdout | trim | lower) == 'ready'
delay: 10
retries: 10
- debug:
msg: "{{ powershell_target_version }}"
# apply winrm memory hotfix for powershell 3.0
- include_tasks: winrm-memfix.yml
when: powershell_target_version is version('3.0', '==')
- name: wait for system to reboot after upgrade
wait_for_connection:
delay: 300
sleep: 30
timeout: 300
sleep: 60
timeout: 400
- name: delete scheduled task
win_scheduled_task:

2
roles/oatakan.windows_template_build/tasks/sysprep.yml
View File

@@ -18,7 +18,7 @@
- name: enable winrm
win_shell: '& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"))) -ForceNewSSLCert -EnableCredSSP'
ignore_errors: yes
when: "'Windows Server 2008' in ansible_distribution"
when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
- name: copy unattend.xml
win_template:

43
roles/oatakan.windows_template_build/tasks/updates-all.yml
View File

@@ -1,43 +0,0 @@
---
- name: check for available updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- include_tasks: updates-with-retry.yml
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
- name: check for missing updates.
win_updates:
state: searched
register: available_updates
- name: list missing updates
debug:
var: available_updates
- name: check to see if update is finished
win_shell: gwmi -Class win32_computersystem -ComputerName 127.0.0.1 | select -ExpandProperty username -ErrorAction Stop
register: logon_status
until: logon_status is success
delay: 10
retries: 100
ignore_errors: yes
when: "'Windows 10' in ansible_distribution"
- name: reboot windows
win_reboot:
when: "'Windows 10' in ansible_distribution"

98
roles/oatakan.windows_template_build/tasks/updates-powershell.yml
View File

@@ -1,98 +0,0 @@
---
- name: update over multiple reboots
block:
- name: check for available updates
win_updates:
category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- block:
- name: install windows updates using powershell script
script: win-updates.ps1
become: yes
become_method: runas
become_user: SYSTEM
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
rescue:
- name: reboot the system to recover from a failed update
win_reboot:
reboot_timeout: 7200
- name: wait for system to be responsive after update
wait_for_connection:
delay: 60
sleep: 10
timeout: 600
- name: check to see if reboot is required
win_reg_stat:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
name: CustomRebootRequired
register: update_reboot_required_key
- name: reboot the system to continue with the update
win_reboot:
reboot_timeout: 7200
when: update_reboot_required_key.exists
- name: check for missing updates
win_updates:
category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
state: searched
register: missing_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{% for key, value in missing_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: missing_updates.updates is defined
- block:
- name: set update count
set_fact:
update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
- name: still more updates - need to retry
fail:
msg: >
'{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
when: ((update_retry_limit | int) - (update_retry_count | int) > 0)
when: missing_updates.found_update_count > 0
- name: ensure the CustomRebootRequired key doesn't exist
win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
name: CustomRebootRequired
state: absent
rescue:
- debug:
msg: "Still more updates remaining - retrying..."
- include_tasks: updates-powershell.yml

74
roles/oatakan.windows_template_build/tasks/updates-win2008r2.yml
View File

@@ -1,74 +0,0 @@
---
- name: ensure Windows ADK with DISM is installed
win_chocolatey:
name: windows-adk-deploy
state: present
version: 10.0.17134.0
register: install_windows_adk_deploy
- name: ensure PATH contains Windows ADK
win_path:
scope: machine
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- name: download hotfix group 1
win_get_url:
url: '{{ item.url }}'
dest: '{{ hotfix_download_location }}\{{ item.file }}'
loop: "{{ hotfixes_group_1 }}"
- name: install hotfix group 1
win_hotfix:
source: '{{ hotfix_download_location }}\{{ item.file }}'
state: present
register: hotfix_install_group_1
loop: "{{ hotfixes_group_1 }}"
- name: debug hotfix installation result
debug:
var: hotfix_install_group_1
- name: ensure hotfix file is removed (group 1)
win_file:
path: '{{ hotfix_download_location }}\{{ item.file }}'
state: absent
loop: "{{ hotfixes_group_1 }}"
- name: reboot from starting update
win_reboot:
- name: check for available updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- include_tasks: updates-with-retry.yml
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
- name: check for missing updates.
win_updates:
state: searched
register: available_updates
- name: list missing updates
debug:
var: available_updates
- name: make sure Windows ADK with DISM for Server 2008 R2 is not installed
win_chocolatey:
name: windows-adk-deploy
state: absent

84
roles/oatakan.windows_template_build/tasks/updates-with-retry.yml
View File

@@ -1,84 +0,0 @@
---
- name: update over multiple reboots
block:
- block:
- name: install all windows updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ (win_update_blacklist | default([])) + (failed_kb | default([])) }}"
whitelist: "{{ win_update_whitelist | default(omit) }}"
reboot: yes
register: installed_updates
rescue:
- name: reboot the system to recover from a failed update
win_reboot:
reboot_timeout: 7200
- name: set failed KB to skip
set_fact:
failed_kb: "{{ failed_kb|default([]) + [installed_updates.msg | regex_replace('^.*\\((KB.*)\\).*','\\1')] }}"
when:
- installed_updates.msg is defined
- ('Failed' in installed_updates.msg)
- ('KB' in installed_updates.msg)
- name: fail to retry
fail:
msg: "There are failed updates: {{ failed_kb | join(' ') }}"
when:
- failed_kb is defined
- failed_kb | length > 0
- name: wait for system to be responsive after update
wait_for_connection:
delay: 60
sleep: 10
timeout: 600
- name: work on any skipped KB
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
whitelist: "{{ failed_kb | default([]) }}"
reboot: yes
register: installed_updates_retry_skipped
when:
- failed_kb is defined
- failed_kb | length > 0
- name: check for missing updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: missing_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{% for key, value in missing_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: missing_updates.updates is defined
- name: still more updates - need to retry
fail:
msg: >
'{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
when:
- missing_updates.found_update_count > 0
- ((update_retry_limit | int) - (update_retry_count | int) >= 0)
rescue:
- name: set update count
set_fact:
update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
- debug:
msg: "Still more updates remaining - retrying... ({{ update_retry_count }}/{{ update_retry_limit }})"
- include_tasks: updates-with-retry.yml
when: ((update_retry_limit | int) - (update_retry_count | int) >= 0)

89
roles/oatakan.windows_template_build/tasks/updates.yml
View File

@@ -1,89 +0,0 @@
---
- name: disable firewall for Domain, Public and Private profiles
win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
when: "'Windows Server 2012' in ansible_distribution"
- name: disable firewall for Domain, Public and Private profiles
win_shell: netsh advfirewall set allprofiles state off
when: "'Windows Server 2008' in ansible_distribution"
- name: get used space before update
win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
register: used_space_before_update
ignore_errors: yes
- name: update Windows Update Agent on 2008
win_package:
path: http://download.windowsupdate.com/windowsupdate/redist/standalone/7.6.7600.320/windowsupdateagent-7.6-x64.exe
arguments:
- /quiet
- /norestart
- /wuforce
creates_path: C:\Windows\System32\wuaueng.dll
creates_version: 7.6.7600.320
when: "'Windows Server 2008' in ansible_distribution"
- include_tasks: updates-all.yml
vars:
win_update_category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
when:
- install_updates | bool
- "'Windows Server 2008' not in ansible_distribution"
#- include_tasks: updates-powershell.yml
# when:
# - install_updates | bool
# - "'Windows Server 2008' in ansible_distribution"
- include_tasks: updates-win2008r2.yml
vars:
win_update_category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
hotfix_download_location: "{{ ansible_env.TEMP }}"
hotfixes_group_1:
- kb: KB3020369
file: Windows6.1-KB3020369-x64.msu
url: https://download.microsoft.com/download/F/D/3/FD3728D5-0D2F-44A6-B7DA-1215CC0C9B75/Windows6.1-KB3020369-x64.msu
- kb: KB3125574
file: windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu
url: http://download.windowsupdate.com/d/msdownload/update/software/updt/2016/05/windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu
- kb: KB4474419
file: windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
- kb: KB4490628
file: windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/03/windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
when:
- install_updates | bool
- "'Windows Server 2008' in ansible_distribution"
- name: get used space after update
win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
register: used_space_after_update
ignore_errors: yes
- debug:
msg:
- "Used space before update: {{ ((used_space_before_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
- "Used space after update: {{ ((used_space_after_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
when:
- used_space_before_update.stdout is defined
- used_space_after_update.stdout is defined
- name: enabled firewall for Domain, Public and Private profiles
win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
when: "'Windows Server 2012' in ansible_distribution"
- name: enable firewall for Domain, Public and Private profiles
win_shell: netsh advfirewall set allprofiles state on
when: "'Windows Server 2008' in ansible_distribution"

2
roles/oatakan.windows_template_build/templates/unattend.xml.j2
View File

@@ -41,9 +41,11 @@
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<NetworkLocation>Home</NetworkLocation>
<ProtectYourPC>1</ProtectYourPC>
{% if not '2008' in ansible_distribution or not 'Windows 7' in ansible_distribution %}
<HideLocalAccountScreen>true</HideLocalAccountScreen>
<HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
{% endif %}
<SkipMachineOOBE>true</SkipMachineOOBE>
<SkipUserOOBE>true</SkipUserOOBE>
</OOBE>