ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

WIP3

Browse Source
This commit is contained in:
Patrick Toal
2020-08-17 12:06:41 -04:00
parent 9fa09f26bd
commit 6eb48873e6
455 changed files with 45184 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
roles/oatakan.windows_template_build/tasks/clean-up-components.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: clean up components and update files
win_shell: Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
when: "'Windows Server 2008' not in ansible_distribution"
ignore_errors: yes
- include_tasks: clean-up-with-cleanmgr.yml
when: "'Windows Server 2008' in ansible_distribution"
- name: clean up components and update files
win_shell: Dism.exe /online /Cleanup-Image /SpSuperseded
when: "'Windows Server 2008' in ansible_distribution"
ignore_errors: yes

64
roles/oatakan.windows_template_build/tasks/clean-up-with-cleanmgr.yml Normal file
View File

@@ -0,0 +1,64 @@
---
- block:
- name: check for cleanmgr executable
win_stat:
path: '{{ ansible_env.windir }}\System32\cleanmgr.exe'
register: check_cleanmgr_file
- include_tasks: copy_cleanmgr.yml
vars:
os_short_name: 2008r2
when:
- not check_cleanmgr_file.stat.exists
- ('Windows Server 2008 R2' in ansible_distribution)
- include_tasks: copy_cleanmgr.yml
vars:
os_short_name: 2012
when:
- not check_cleanmgr_file.stat.exists
- ('Windows Server 2012' in ansible_distribution)
- (not 'Windows Server 2012 R2' in ansible_distribution)
- name: get free space
win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json
register: free_space_before_cleanup
- name: ensure cleanup registry paths exist
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }}
loop: "{{ cleanup_registry_keys }}"
- name: set cleanup registry keys
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }}
name: StateFlags0012
data: 2
type: dword
loop: "{{ cleanup_registry_keys }}"
- name: run cleanmgr
win_shell: cleanmgr /sagerun:12
- name: wait for cleanmgr to finish
win_shell: (get-wmiobject win32_process | where-object {$_.processname -eq 'cleanmgr.exe'} | measure).count
register: check_cleanmgr_process
until: check_cleanmgr_process.stdout is defined and check_cleanmgr_process.stdout|int == 0
delay: 5
retries: 300
- name: get free space
win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json
register: free_space_after_cleanup
- debug:
msg:
- "Free space before cleanup: {{ ((free_space_before_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
- "Free space after cleanup: {{ ((free_space_after_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
rescue:
- name: ignore any errors
debug:
msg: "ignoring any error with clean up with cleanmgr"

41
roles/oatakan.windows_template_build/tasks/clean-up.yml Normal file
View File

@@ -0,0 +1,41 @@
---
- name: remove page file
win_regedit:
path: HKLM:\System\CurrentControlSet\Control\Session Manager\Memory Management
name: PagingFiles
data: ""
state: present
register: cleanup_pagefile_removal
- name: reboot server after clearing page file
win_reboot:
when: cleanup_pagefile_removal is changed
- name: cleanup the temp folders
win_file:
path: '{{ item }}'
state: absent
ignore_errors: yes
loop:
- C:\Temp
- C:\Windows\Panther
- C:\Windows\Temp
- name: cleanup the C:\Recovery folder
win_shell: Remove-Item -Path C:\Recovery -Force -Recurse
ignore_errors: yes
- name: check to see if WinSXS ManifestCache folder exist
win_stat:
path: '{{ ansible_env.windir }}\winsxs\ManifestCache'
register: winsxs_dir
- name: clear out the WinSXS ManifestCache folder
win_shell: |
&cmd.exe /c Takeown /f %windir%\winsxs\ManifestCache\*
&cmd.exe /c Icacls %windir%\winsxs\ManifestCache\* /GRANT administrators:F
&cmd.exe /c Del /q %windir%\winsxs\ManifestCache\*
when:
- winsxs_dir.stat is defined
- winsxs_dir.stat.exists

9
roles/oatakan.windows_template_build/tasks/cloudbase-init.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: install cloudbase init package
win_package:
path: https://cloudbase.it/downloads/CloudbaseInitSetup_x64.msi
product_id: '{ED85F19F-057A-4EE6-BC8D-F576DEACE78D}'
arguments:
- /qn
state: present

36
roles/oatakan.windows_template_build/tasks/compact-alt.yml Normal file
View File

@@ -0,0 +1,36 @@
---
- name: see if Optimize-Volume cmdlet is available
win_command: powershell.exe "Get-Command -Name Optimize-Volume"
register: cleanup_defrag_cmdlet
failed_when: False
- name: defrag C with PS cmdlet
win_command: powershell.exe "Optimize-Volume -DriveLetter C"
when: cleanup_defrag_cmdlet.rc == 0
- name: defrag C with legacy exe
win_command: 'Defrag.exe C:'
when: cleanup_defrag_cmdlet.rc != 0
- name: 0 out empty space for later compression
win_shell: |
$path = "C:\zero"
$volume = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='C:'"
$block_size = 64kb
$leftover_size = $volume.Size * 0.05
$file_size = $volume.FreeSpace - $leftover_size
$data_array = New-Object -TypeName byte[]($block_size)
$stream = [System.IO.File]::OpenWrite($path)
try {
$current_file_size = 0
while ($current_file_size -lt $file_size) {
$stream.Write($data_array, 0, $data_array.Length)
$current_file_size += $data_array.Length
}
} finally {
if ($stream) {
$stream.Close()
}
}
Remove-Item -Path $path -Force | Out-Null

164
roles/oatakan.windows_template_build/tasks/compact.yml Normal file
View File

@@ -0,0 +1,164 @@
---
- name: ensure temp directory exists
win_file:
path: '{{ temp_directory }}'
state: directory
- name: download bleachbit
win_get_url:
url: '{{ bleachbit_download_url }}'
dest: '{{ temp_directory }}\BleachBit-portable.zip'
register: download_bleachbit
until: download_bleachbit is success
delay: 3
retries: 5
when: bleachbit_download_url is defined
- name: unzip bleachbit
win_unzip:
src: '{{ temp_directory }}\BleachBit-portable.zip'
dest: '{{ ansible_user_dir }}'
when: download_bleachbit is success
# This is needed on 2008 for bleachbit to work
- name: install the visual C libraries
win_package:
path: https://download.microsoft.com/download/5/D/8/5D8C65CB-C849-4025-8E95-C3966CAFD8AE/vcredist_x86.exe
product_id: '{9BE518E6-ECC6-35A9-88E4-87755C07200F}'
arguments: '/qb!'
when: "'Windows Server 2008' in ansible_distribution"
- name: stop windows update service
win_service:
name: wuauserv
state: stopped
ignore_errors: yes
- name: delete update directory
win_file:
path: C:\Windows\SoftwareDistribution\Download
state: absent
ignore_errors: yes
- name: remove windows update settings
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
name: "{{ item }}"
state: absent
loop:
- SusClientId
- PingID
- AccountDomainSid
- name: start windows update service
win_service:
name: wuauserv
state: started
ignore_errors: yes
- name: create update directory
win_file:
path: C:\Windows\SoftwareDistribution\Download
state: directory
ignore_errors: yes
- name: reset windows update
win_shell: wuauclt /resetauthorization /detectnow
ignore_errors: yes
- name: clean with bleachbit
win_shell: >
'{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe --clean deepscan.backup
deepscan.ds_store deepscan.thumbs_db deepscan.tmp internet_explorer.cookies internet_explorer.forms
internet_explorer.history internet_explorer.temporary_files system.clipboard system.custom system.logs
system.memory_dump system.muicache system.prefetch system.recycle_bin system.tmp system.updates
windows_defender.history windows_explorer.mru windows_explorer.recent_documents windows_explorer.run
windows_explorer.search_history windows_explorer.thumbnails > NUL'
args:
executable: cmd
when:
- bleachbit_clean|bool
- download_bleachbit is success
ignore_errors: yes
- name: create temp directory
win_file:
path: '{{ temp_directory }}\win_build'
state: directory
- name: download ultradefrag
win_get_url:
url: '{{ ultradefrag_download_url }}'
dest: '{{ temp_directory }}\win_build\ultradefrag.zip'
register: download_ultradefrag
until: download_ultradefrag is success
delay: 3
retries: 5
- name: unzip ultradefrag
win_unzip:
src: '{{ temp_directory }}\win_build\ultradefrag.zip'
dest: '{{ temp_directory }}\win_build'
- name: set udefrag extract directory
set_fact:
udefrag_dir: '{{ temp_directory }}\win_build\ultradefrag-portable-7.1.3.amd64'
- name: defrag with ultradefrag
win_shell: '{{ udefrag_dir }}\udefrag.exe --optimize --repeat C:'
args:
executable: cmd
- name: download sdelete
win_get_url:
url: '{{ sdelete_download_url }}'
dest: '{{ temp_directory }}\win_build\SDelete.zip'
register: download_sdelete
until: download_sdelete is success
delay: 3
retries: 5
when: sdelete_download_url is defined
- name: copy sdelete
win_copy:
src: SDelete.zip
dest: '{{ temp_directory }}\win_build\SDelete.zip'
when: sdelete_download_url is undefined
- name: unzip sdelete
win_unzip:
src: '{{ temp_directory }}\win_build\SDelete.zip'
dest: '{{ temp_directory }}\win_build'
- name: accept sdelete eula
win_regedit:
path: HKCU:\Software\Sysinternals\SDelete
name: EulaAccepted
data: 1
type: dword
- name: compact with sdelete
win_shell: '{{ temp_directory }}\win_build\sdelete.exe -q -z C:'
args:
executable: cmd
- name: remove temp files
win_file:
path: '{{ temp_directory }}\win_build'
state: absent
- name: free disk space with bleachbit
win_shell: '{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe --clean system.free_disk_space'
args:
executable: cmd
when:
- bleachbit_free_disk_space|bool
- download_bleachbit is success
ignore_errors: yes
- name: remove bleachbit files
win_file:
path: '{{ ansible_user_dir }}\BleachBit-Portable'
state: absent
when: download_bleachbit is success

29
roles/oatakan.windows_template_build/tasks/copy_cleanmgr.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: check winsxs cleanmgr file
win_stat:
path: "{{ winsxs_cleanmgr_file[os_short_name] }}"
register: check_winsxs_cleanmgr_file
- name: check winsxs cleanmgr mui file
win_stat:
path: "{{ winsxs_cleanmgr_mui_file[os_short_name] }}"
register: check_winsxs_cleanmgr_mui_file
- name: copy cleanmgr file from winsxs folder
win_copy:
src: "{{ winsxs_cleanmgr_file[os_short_name] }}"
dest: '{{ ansible_env.windir }}\System32\cleanmgr.exe'
remote_src: yes
when:
- check_winsxs_cleanmgr_file.stat.exists
- check_winsxs_cleanmgr_mui_file.stat.exists
- name: copy cleanmgr mui file from winsxs folder
win_copy:
src: "{{ winsxs_cleanmgr_mui_file[os_short_name] }}"
dest: '{{ ansible_env.windir }}\System32\en-US\cleanmgr.exe.mui'
remote_src: yes
when:
- check_winsxs_cleanmgr_file.stat.exists
- check_winsxs_cleanmgr_mui_file.stat.exists

8
roles/oatakan.windows_template_build/tasks/disable-auto-logon.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: disable auto login
win_regedit:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
name: "{{ item.name }}"
state: absent
loop: "{{ autologin_registry }}"

18
roles/oatakan.windows_template_build/tasks/enable-rdp.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- name: enable RDP port
win_firewall_rule:
name: Remote Desktop
localport: 3389
action: allow
direction: in
protocol: tcp
state: present
enabled: yes
- name: enable RDP
win_regedit:
path: HKLM:\System\CurrentControlSet\Control\Terminal Server
name: fDenyTSConnections
data: 0
type: dword

69
roles/oatakan.windows_template_build/tasks/enable-tlsv12.yml Normal file
View File

@@ -0,0 +1,69 @@
---
- name: ensure Windows ADK with DISM is installed
win_chocolatey:
name: windows-adk-deploy
state: present
version: 10.0.17134.0
register: install_windows_adk_deploy
- name: ensure PATH contains Windows ADK
win_path:
scope: machine
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- name: download hotfix
win_get_url:
url: '{{ enable_tlsv12_hotfix.url }}'
dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
- name: install hotfix
win_hotfix:
source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: present
register: hotfix_install
- name: debug hotfix installation result
debug:
var: hotfix_install
- name: ensure hotfix file is removed
win_file:
path: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
state: absent
- name: reboot if needed
win_reboot:
when: hotfix_install.reboot_required
- name: enable TLSv1.2 support
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
name: '{{ item.property }}'
data: '{{ item.value }}'
type: dword
state: present
register: enable_tls12
loop:
- type: Server
property: Enabled
value: 1
- type: Server
property: DisabledByDefault
value: 0
- type: Client
property: Enabled
value: 1
- type: Client
property: DisabledByDefault
value: 0
- name: ensure Windows ADK with DISM is removed
win_chocolatey:
name: windows-adk-deploy
state: absent
- name: reboot if TLS config was applied
win_reboot:
when: enable_tls12 is changed

69
roles/oatakan.windows_template_build/tasks/main.yml Normal file
View File

@@ -0,0 +1,69 @@
---
- include_tasks: powershell-upgrade.yml
when: upgrade_powershell | bool
- name: run setup module
setup:
- include_tasks: enable-tlsv12.yml
when: upgrade_powershell | bool
- include_tasks: disable-auto-logon.yml
- include_tasks: updates.yml
when: install_updates | bool
- include_role:
name: "{{ ovirt_guest_agent_role }}"
when: target_ovirt | bool and not target_qemu | bool
- include_role:
name: "{{ virtio_role }}"
when: target_qemu | bool or ('KubeVirt' in ansible_system_vendor | default(''))
- include_role:
name: "{{ virtualbox_guest_additions_role }}"
when: "'VirtualBox' in ansible_product_name"
- include_role:
name: "{{ vmware_tools_role }}"
when: "'VMware' in ansible_product_name"
- include_tasks: startup.yml
- include_tasks: policy.yml
- include_tasks: power.yml
when: "'Windows 10' in ansible_distribution"
- include_tasks: enable-rdp.yml
- include_tasks: cloudbase-init.yml
when:
- "'VMware' not in ansible_product_name"
- "'VirtualBox' not in ansible_product_name"
- ('KubeVirt' not in ansible_system_vendor | default(False))
- not target_ovirt | bool
- not target_vagrant | bool
- include_tasks: remove-apps-alt-2.yml
when:
- remove_apps | bool
- "'Windows 10' in ansible_distribution"
- include_role:
name: "{{ ec2_ena_driver_role }}"
when: target_ec2 | bool
- include_tasks: clean-up-components.yml
when: clean_up_components | bool
- include_tasks: clean-up.yml
- include_tasks: sysprep.yml
- include_tasks: compact.yml
- include_tasks: shutdown.yml
when: shutdown_instance | bool

20
roles/oatakan.windows_template_build/tasks/policy.yml Normal file
View File

@@ -0,0 +1,20 @@
---
# do not enable this by default
- name: allow unauthenticated guest access
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
name: AllowInsecureGuestAuth
data: 1
type: dword
when: policy.allow_unauthenticated_guest_access|bool
- name: set connection profile to private
win_shell: Set-NetConnectionProfile -NetworkCategory Private
when:
- "'Windows 10' in ansible_distribution"
- name: Ensure local account password doesn't expire
win_user:
name: "{{ ansible_user }}"
password_never_expires: yes

6
roles/oatakan.windows_template_build/tasks/power.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: change power plan to high performance
win_power_plan:
name: high performance
ignore_errors: yes

70
roles/oatakan.windows_template_build/tasks/powershell-upgrade.yml Normal file
View File

@@ -0,0 +1,70 @@
---
- name: download script
raw: '(New-Object -TypeName System.Net.WebClient).DownloadFile("{{ powershell_script_url }}", "{{ powershell_upgrade_script_file }}")'
changed_when: False
check_mode: no
register: download_script
- name: set execution policy
raw: 'Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force'
changed_when: False
check_mode: no
ignore_errors: yes
- name: delete scheduled task if it exists
raw: 'SCHTASKS /Delete /TN upgrade'
args:
executable: cmd.exe
changed_when: False
check_mode: no
ignore_errors: yes
- name: create a scheduled task to run powershell script
raw: >
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN upgrade /TR "powershell.exe -Command
'& {{ powershell_upgrade_script_file }} -Version {{ powershell_target_version }}
-Username {{ ansible_user }} -Password {{ ansible_password }}'"
args:
executable: cmd.exe
changed_when: False
check_mode: no
- name: run scheduled task
raw: 'SCHTASKS /Run /TN upgrade'
args:
executable: cmd.exe
changed_when: False
check_mode: no
- name: wait for system to reboot after upgrade
wait_for_connection:
delay: 300
sleep: 30
timeout: 300
- name: delete scheduled task
win_scheduled_task:
name: upgrade
state: absent
- name: delete script
win_file:
path: "{{ powershell_upgrade_script_file }}"
state: absent
- name: ensure auto login is disabled
win_regedit:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
name: AutoAdminLogon
data: 0
type: string
- name: ensure auto login creds are removed
win_regedit:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
name: "{{ item }}"
state: absent
loop:
- DefaultUserName
- DefaultPassword

96
roles/oatakan.windows_template_build/tasks/remove-apps-alt-2.yml Normal file
View File

@@ -0,0 +1,96 @@
---
- name: remove default apps
win_shell: |
$ErrorActionPreference = "Stop"
$apps = @(
"Microsoft.3DBuilder",
"Microsoft.Appconnector",
"Microsoft.BingFinance",
"Microsoft.BingNews",
"Microsoft.BingSports",
"Microsoft.BingWeather",
"Microsoft.FreshPaint",
"Microsoft.Getstarted",
"Microsoft.MicrosoftOfficeHub",
"Microsoft.MicrosoftSolitaireCollection",
"Microsoft.MicrosoftStickyNotes",
"Microsoft.Office.OneNote",
"Microsoft.OneConnect",
"Microsoft.People",
"Microsoft.SkypeApp",
"Microsoft.Windows.Photos",
"Microsoft.WindowsAlarms",
"Microsoft.WindowsCalculator",
"Microsoft.WindowsCamera",
"Microsoft.WindowsMaps",
"Microsoft.WindowsPhone",
"Microsoft.WindowsSoundRecorder",
"Microsoft.XboxApp",
"Microsoft.ZuneMusic",
"Microsoft.ZuneVideo",
"Microsoft.WindowsCommunicationsApps",
"Microsoft.MinecraftUWP",
"Microsoft.MicrosoftPowerBIForWindows",
"Microsoft.NetworkSpeedTest",
"Microsoft.CommsPhone",
"Microsoft.ConnectivityStore",
"Microsoft.Messaging",
"Microsoft.Office.Sway",
"Microsoft.OneConnect",
"Microsoft.WindowsFeedbackHub",
"Microsoft.BingFoodAndDrink",
"Microsoft.BingTravel",
"Microsoft.BingHealthAndFitness",
"Microsoft.WindowsReadingList",
"Microsoft.MSPaint",
"Microsoft.Microsoft3DViewer",
"Microsoft.Print3D",
"9E2F88E3.Twitter",
"PandoraMediaInc.29680B314EFC2",
"Flipboard.Flipboard",
"ShazamEntertainmentLtd.Shazam",
"king.com.CandyCrushSaga",
"king.com.CandyCrushSodaSaga",
"king.com.*",
"ClearChannelRadioDigital.iHeartRadio",
"4DF9E0F8.Netflix",
"6Wunderkinder.Wunderlist",
"Drawboard.DrawboardPDF",
"2FE3CB00.PicsArt-PhotoStudio",
"D52A8D61.FarmVille2CountryEscape",
"TuneIn.TuneInRadio",
"GAMELOFTSA.Asphalt8Airborne",
"TheNewYorkTimes.NYTCrossword",
"DB6EA5DB.CyberLinkMediaSuiteEssentials",
"Facebook.Facebook",
"flaregamesGmbH.RoyalRevolt2",
"Playtika.CaesarsSlotsFreeCasino",
"A278AB0D.MarchofEmpires",
"KeeperSecurityInc.Keeper",
"ThumbmunkeysLtd.PhototasticCollage",
"XINGAG.XING",
"89006A2E.AutodeskSketchBook",
"D5EA27B7.Duolingo-LearnLanguagesforFree",
"46928bounde.EclipseManager",
"ActiproSoftwareLLC.562882FEEB491"
)
foreach ($app in $apps) {
Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like $app } | Remove-AppxProvisionedPackage -Online
}
register: cleanup_win10_remove
until: cleanup_win10_remove is successful
retries: 5
delay: 1
ignore_errors: yes
- name: prevent suggested applications from returning
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content
name: DisableWindowsConsumerFeatures
data: 1
datatype: dword
- name: reboot to effect pending changes
win_reboot:

30
roles/oatakan.windows_template_build/tasks/remove-apps-alt.yml Normal file
View File

@@ -0,0 +1,30 @@
---
- name: remove user apps
script: RemoveUserApps.ps1
register: cleanup_win10_remove
until: cleanup_win10_remove is successful
retries: 3
delay: 1
ignore_errors: yes
#- name: disable windows store
# win_regedit:
# path: HKLM:\Software\Policies\Microsoft\WindowsStore
# name: AutoDownload
# data: 00000002
# type: dword
#
#- name: disable content delivery manager
# win_regedit:
# path: HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
# name: SilentInstalledAppsEnabled
# data: 00000000
# type: dword
#
#- name: disable windows store
# win_regedit:
# path: HKLM:\Software\Policies\Microsoft\Windows\CloudContent
# name: DisableWindowsConsumerFeatures
# data: 00000001
# type: dword

97
roles/oatakan.windows_template_build/tasks/remove-apps.yml Normal file
View File

@@ -0,0 +1,97 @@
---
- name: Setup the xWebAdministration module
win_psmodule:
name: DSCR_AppxPackage
state: present
- name: remove packages
win_dsc:
resource_name: cAppxProvisionedPackageSet
Ensure: Absent
PackageName:
- Microsoft.3DBuilder
- Microsoft.Appconnector
- Microsoft.BingFinance
- Microsoft.BingNews
- Microsoft.BingSports
- Microsoft.BingWeather
- Microsoft.FreshPaint
- Microsoft.Getstarted
- Microsoft.MicrosoftOfficeHub
- Microsoft.MicrosoftSolitaireCollection
- Microsoft.MicrosoftStickyNotes
- Microsoft.Office.OneNote
- Microsoft.OneConnect
- Microsoft.People
- Microsoft.SkypeApp
- Microsoft.Windows.Photos
- Microsoft.WindowsAlarms
- Microsoft.WindowsCalculator
- Microsoft.WindowsCamera
- Microsoft.WindowsMaps
- Microsoft.WindowsPhone
- Microsoft.WindowsSoundRecorder
- Microsoft.XboxApp
- Microsoft.ZuneMusic
- Microsoft.ZuneVideo
- Microsoft.WindowsCommunicationsApps
- Microsoft.MinecraftUWP
- Microsoft.MicrosoftPowerBIForWindows
- Microsoft.NetworkSpeedTest
- Microsoft.CommsPhone
- Microsoft.ConnectivityStore
- Microsoft.Messaging
- Microsoft.Office.Sway
- Microsoft.OneConnect
- Microsoft.WindowsFeedbackHub
- Microsoft.BingFoodAndDrink
- Microsoft.BingTravel
- Microsoft.BingHealthAndFitness
- Microsoft.WindowsReadingList
- Microsoft.MSPaint
- Microsoft.Microsoft3DViewer
- Microsoft.Print3D
- 9E2F88E3.Twitter
- PandoraMediaInc.29680B314EFC2
- Flipboard.Flipboard
- ShazamEntertainmentLtd.Shazam
- king.com.CandyCrushSaga
- king.com.CandyCrushSodaSaga
- king.com.*
- ClearChannelRadioDigital.iHeartRadio
- 4DF9E0F8.Netflix
- 6Wunderkinder.Wunderlist
- Drawboard.DrawboardPDF
- 2FE3CB00.PicsArt-PhotoStudio
- D52A8D61.FarmVille2CountryEscape
- TuneIn.TuneInRadio
- GAMELOFTSA.Asphalt8Airborne
- TheNewYorkTimes.NYTCrossword
- DB6EA5DB.CyberLinkMediaSuiteEssentials
- Facebook.Facebook
- flaregamesGmbH.RoyalRevolt2
- Playtika.CaesarsSlotsFreeCasino
- A278AB0D.MarchofEmpires
- KeeperSecurityInc.Keeper
- ThumbmunkeysLtd.PhototasticCollage
- XINGAG.XING
- 89006A2E.AutodeskSketchBook
- D5EA27B7.Duolingo-LearnLanguagesforFree
- 46928bounde.EclipseManager
- ActiproSoftwareLLC.562882FEEB491-
register: cleanup_win10_remove
until: cleanup_win10_remove is successful
retries: 3
delay: 1
ignore_errors: yes
- name: prevent suggested applications from returning
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content
name: DisableWindowsConsumerFeatures
data: 1
datatype: dword
- name: reboot to effect pending changes
win_reboot:

29
roles/oatakan.windows_template_build/tasks/remove-onedrive.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: kill onedrive process
win_shell: Stop-Process -Name OneDrive
ignore_errors: yes
- name: uninstall onedrive
win_shell: '{{ ansible_env.SystemRoot }}\SysWOW64\OneDriveSetup.exe /uninstall'
ignore_errors: yes
- name: remove onedrive directories
win_file:
path: '{{ item }}'
state: absent
ignore_errors: yes
loop:
- '{{ ansible_env.USERPROFILE }}\OneDrive'
- '{{ ansible_env.LOCALAPPDATA }}\Microsoft\OneDrive'
- '{{ ansible_env.ProgramData }}\Microsoft OneDrive'
- C:\OneDriveTemp
- name: delete registry keys
win_regedit:
path: '{{ item }}'
state: absent
delete_key: yes
loop:
- HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
- HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}

5
roles/oatakan.windows_template_build/tasks/shutdown.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: run sysprep-shutdown scheduled task
win_shell: schtasks.exe /Run /TN "sysprep-shutdown"
ignore_errors: yes

7
roles/oatakan.windows_template_build/tasks/startup.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: remove essentials setup wizard from start up
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
name: EssentialsRoleConfigWizard
state: absent

76
roles/oatakan.windows_template_build/tasks/sysprep.yml Normal file
View File

@@ -0,0 +1,76 @@
---
- name: recompile .NET assemblies
win_dotnet_ngen:
#- name: enable custom answer file
# win_regedit:
# path: HKLM:\System\Setup
# name: UnattendFile
# data: C:\Windows\system32\sysprep\unattend.xml
# type: string
- name: ensure Panther directory exists
win_file:
path: c:\Windows\Panther
state: directory
- name: enable winrm
win_shell: '& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"))) -ForceNewSSLCert -EnableCredSSP'
ignore_errors: yes
when: "'Windows Server 2008' in ansible_distribution"
- name: copy unattend.xml
win_template:
src: unattend.xml.j2
dest: C:\Windows\system32\sysprep\unattend.xml
when:
- ('VMware' not in ansible_product_name) or ('VMware' in ansible_product_name and target_vagrant | bool)
- not target_ovirt | bool
- not ('KubeVirt' in ansible_system_vendor | default(''))
#- name: run sysprep
# win_shell: C:\Windows\system32\sysprep\sysprep.exe /generalize /shutdown /oobe /quiet
# args:
# executable: cmd
# async: 1200
# poll: 0
- name: create scheduled task to delete WinRM listeners and shutdown
win_scheduled_task:
name: sysprep-shutdown
username: SYSTEM
disallow_start_if_on_batteries: no
stop_if_going_on_batteries: no
actions:
- path: powershell.exe
arguments: Remove-Item -Path WSMan:\localhost\Listener\* -Recurse -Force
- path: C:\windows\system32\sysprep\sysprep.exe
arguments: /generalize /oobe /quiet /shutdown
when:
- ('VMware' not in ansible_product_name) or ('VMware' in ansible_product_name and target_vagrant | bool) or (target_ovirt | bool) or ('KubeVirt' in ansible_system_vendor | default(''))
- name: create scheduled task to delete WinRM listeners and shutdown
win_scheduled_task:
name: sysprep-shutdown
username: SYSTEM
disallow_start_if_on_batteries: no
stop_if_going_on_batteries: no
actions:
- path: powershell.exe
arguments: Remove-Item -Path WSMan:\localhost\Listener\* -Recurse -Force
- path: shutdown.exe
arguments: /s /t 10 /f /d p:4:1 /c "Ansible Shutdown"
when:
- "'VMware' in ansible_product_name"
- not target_vagrant | bool
- not target_ovirt | bool
- not ('KubeVirt' in ansible_system_vendor | default(''))
- name: set flag to recreate pagefile after next sysprep
win_shell: |
$system = Get-WmiObject -Class Win32_ComputerSystem -EnableAllPrivileges
if ($system -ne $null) {
$system.AutomaticManagedPagefile = $true
$system.Put()
}

43
roles/oatakan.windows_template_build/tasks/updates-all.yml Normal file
View File

@@ -0,0 +1,43 @@
---
- name: check for available updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- include_tasks: updates-with-retry.yml
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
- name: check for missing updates.
win_updates:
state: searched
register: available_updates
- name: list missing updates
debug:
var: available_updates
- name: check to see if update is finished
win_shell: gwmi -Class win32_computersystem -ComputerName 127.0.0.1 | select -ExpandProperty username -ErrorAction Stop
register: logon_status
until: logon_status is success
delay: 10
retries: 100
ignore_errors: yes
when: "'Windows 10' in ansible_distribution"
- name: reboot windows
win_reboot:
when: "'Windows 10' in ansible_distribution"

98
roles/oatakan.windows_template_build/tasks/updates-powershell.yml Normal file
View File

@@ -0,0 +1,98 @@
---
- name: update over multiple reboots
block:
- name: check for available updates
win_updates:
category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- block:
- name: install windows updates using powershell script
script: win-updates.ps1
become: yes
become_method: runas
become_user: SYSTEM
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
rescue:
- name: reboot the system to recover from a failed update
win_reboot:
reboot_timeout: 7200
- name: wait for system to be responsive after update
wait_for_connection:
delay: 60
sleep: 10
timeout: 600
- name: check to see if reboot is required
win_reg_stat:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
name: CustomRebootRequired
register: update_reboot_required_key
- name: reboot the system to continue with the update
win_reboot:
reboot_timeout: 7200
when: update_reboot_required_key.exists
- name: check for missing updates
win_updates:
category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
state: searched
register: missing_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{% for key, value in missing_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: missing_updates.updates is defined
- block:
- name: set update count
set_fact:
update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
- name: still more updates - need to retry
fail:
msg: >
'{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
when: ((update_retry_limit | int) - (update_retry_count | int) > 0)
when: missing_updates.found_update_count > 0
- name: ensure the CustomRebootRequired key doesn't exist
win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
name: CustomRebootRequired
state: absent
rescue:
- debug:
msg: "Still more updates remaining - retrying..."
- include_tasks: updates-powershell.yml

74
roles/oatakan.windows_template_build/tasks/updates-win2008r2.yml Normal file
View File

@@ -0,0 +1,74 @@
---
- name: ensure Windows ADK with DISM is installed
win_chocolatey:
name: windows-adk-deploy
state: present
version: 10.0.17134.0
register: install_windows_adk_deploy
- name: ensure PATH contains Windows ADK
win_path:
scope: machine
state: present
elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
- name: download hotfix group 1
win_get_url:
url: '{{ item.url }}'
dest: '{{ hotfix_download_location }}\{{ item.file }}'
loop: "{{ hotfixes_group_1 }}"
- name: install hotfix group 1
win_hotfix:
source: '{{ hotfix_download_location }}\{{ item.file }}'
state: present
register: hotfix_install_group_1
loop: "{{ hotfixes_group_1 }}"
- name: debug hotfix installation result
debug:
var: hotfix_install_group_1
- name: ensure hotfix file is removed (group 1)
win_file:
path: '{{ hotfix_download_location }}\{{ item.file }}'
state: absent
loop: "{{ hotfixes_group_1 }}"
- name: reboot from starting update
win_reboot:
- name: check for available updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: available_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available.
{% for key, value in available_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: available_updates.updates is defined
- include_tasks: updates-with-retry.yml
when:
- available_updates.updates is defined
- available_updates.found_update_count > 0
- name: check for missing updates.
win_updates:
state: searched
register: available_updates
- name: list missing updates
debug:
var: available_updates
- name: make sure Windows ADK with DISM for Server 2008 R2 is not installed
win_chocolatey:
name: windows-adk-deploy
state: absent

84
roles/oatakan.windows_template_build/tasks/updates-with-retry.yml Normal file
View File

@@ -0,0 +1,84 @@
---
- name: update over multiple reboots
block:
- block:
- name: install all windows updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ (win_update_blacklist | default([])) + (failed_kb | default([])) }}"
whitelist: "{{ win_update_whitelist | default(omit) }}"
reboot: yes
register: installed_updates
rescue:
- name: reboot the system to recover from a failed update
win_reboot:
reboot_timeout: 7200
- name: set failed KB to skip
set_fact:
failed_kb: "{{ failed_kb|default([]) + [installed_updates.msg | regex_replace('^.*\\((KB.*)\\).*','\\1')] }}"
when:
- installed_updates.msg is defined
- ('Failed' in installed_updates.msg)
- ('KB' in installed_updates.msg)
- name: fail to retry
fail:
msg: "There are failed updates: {{ failed_kb | join(' ') }}"
when:
- failed_kb is defined
- failed_kb | length > 0
- name: wait for system to be responsive after update
wait_for_connection:
delay: 60
sleep: 10
timeout: 600
- name: work on any skipped KB
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
whitelist: "{{ failed_kb | default([]) }}"
reboot: yes
register: installed_updates_retry_skipped
when:
- failed_kb is defined
- failed_kb | length > 0
- name: check for missing updates
win_updates:
category_names: "{{ win_update_category_names }}"
blacklist: "{{ win_update_blacklist | default(omit) }}"
state: searched
register: missing_updates
- debug:
msg: |
{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{% for key, value in missing_updates.updates.items() %}
- {{ value.title }}
{% endfor %}
when: missing_updates.updates is defined
- name: still more updates - need to retry
fail:
msg: >
'{{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing.
{{ (update_retry_limit | int) - (update_retry_count | int) }} more retries left'
when:
- missing_updates.found_update_count > 0
- ((update_retry_limit | int) - (update_retry_count | int) >= 0)
rescue:
- name: set update count
set_fact:
update_retry_count: '{{ update_retry_count | default(0) | int + 1 }}'
- debug:
msg: "Still more updates remaining - retrying... ({{ update_retry_count }}/{{ update_retry_limit }})"
- include_tasks: updates-with-retry.yml
when: ((update_retry_limit | int) - (update_retry_count | int) >= 0)

89
roles/oatakan.windows_template_build/tasks/updates.yml Normal file
View File

@@ -0,0 +1,89 @@
---
- name: disable firewall for Domain, Public and Private profiles
win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
when: "'Windows Server 2012' in ansible_distribution"
- name: disable firewall for Domain, Public and Private profiles
win_shell: netsh advfirewall set allprofiles state off
when: "'Windows Server 2008' in ansible_distribution"
- name: get used space before update
win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
register: used_space_before_update
ignore_errors: yes
- name: update Windows Update Agent on 2008
win_package:
path: http://download.windowsupdate.com/windowsupdate/redist/standalone/7.6.7600.320/windowsupdateagent-7.6-x64.exe
arguments:
- /quiet
- /norestart
- /wuforce
creates_path: C:\Windows\System32\wuaueng.dll
creates_version: 7.6.7600.320
when: "'Windows Server 2008' in ansible_distribution"
- include_tasks: updates-all.yml
vars:
win_update_category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
when:
- install_updates | bool
- "'Windows Server 2008' not in ansible_distribution"
#- include_tasks: updates-powershell.yml
# when:
# - install_updates | bool
# - "'Windows Server 2008' in ansible_distribution"
- include_tasks: updates-win2008r2.yml
vars:
win_update_category_names:
- CriticalUpdates
- DefinitionUpdates
- SecurityUpdates
- UpdateRollups
- Updates
hotfix_download_location: "{{ ansible_env.TEMP }}"
hotfixes_group_1:
- kb: KB3020369
file: Windows6.1-KB3020369-x64.msu
url: https://download.microsoft.com/download/F/D/3/FD3728D5-0D2F-44A6-B7DA-1215CC0C9B75/Windows6.1-KB3020369-x64.msu
- kb: KB3125574
file: windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu
url: http://download.windowsupdate.com/d/msdownload/update/software/updt/2016/05/windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu
- kb: KB4474419
file: windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
- kb: KB4490628
file: windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/03/windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
when:
- install_updates | bool
- "'Windows Server 2008' in ansible_distribution"
- name: get used space after update
win_shell: Get-PSDrive C | Select-Object Used | ConvertTo-Json
register: used_space_after_update
ignore_errors: yes
- debug:
msg:
- "Used space before update: {{ ((used_space_before_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
- "Used space after update: {{ ((used_space_after_update.stdout | from_json)['Used']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
when:
- used_space_before_update.stdout is defined
- used_space_after_update.stdout is defined
- name: enabled firewall for Domain, Public and Private profiles
win_shell: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
when: "'Windows Server 2012' in ansible_distribution"
- name: enable firewall for Domain, Public and Private profiles
win_shell: netsh advfirewall set allprofiles state on
when: "'Windows Server 2008' in ansible_distribution"