Update roles

roles/oatakan.windows_template_build/tasks/clean_up.yml

@@ -0,0 +1,41 @@
+---
+
+- name: remove page file
+  win_regedit:
+    path: HKLM:\System\CurrentControlSet\Control\Session Manager\Memory Management
+    name: PagingFiles
+    data: ""
+    state: present
+  register: cleanup_pagefile_removal
+
+- name: reboot server after clearing page file
+  win_reboot:
+  when: cleanup_pagefile_removal is changed
+
+- name: cleanup the temp folders
+  win_file:
+    path: '{{ item }}'
+    state: absent
+  ignore_errors: true
+  loop:
+    - C:\Temp
+    - C:\Windows\Panther
+    - C:\Windows\Temp
+
+- name: cleanup the C:\Recovery folder
+  win_shell: Remove-Item -Path C:\Recovery -Force -Recurse
+  ignore_errors: true
+
+- name: check to see if WinSXS ManifestCache folder exist
+  win_stat:
+    path: '{{ ansible_env.windir }}\winsxs\ManifestCache'
+  register: winsxs_dir
+
+- name: clear out the WinSXS ManifestCache folder
+  win_shell: |
+    &cmd.exe /c Takeown /f %windir%\winsxs\ManifestCache\*
+    &cmd.exe /c Icacls %windir%\winsxs\ManifestCache\* /GRANT administrators:F
+    &cmd.exe /c Del /q %windir%\winsxs\ManifestCache\*
+  when:
+    - winsxs_dir.stat is defined
+    - winsxs_dir.stat.exists

roles/oatakan.windows_template_build/tasks/clean_up_components.yml

@@ -0,0 +1,14 @@
+---
+
+- name: clean up components and update files
+  win_shell: Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
+  when: "'Windows Server 2008' not in ansible_distribution"
+  ignore_errors: true
+
+- include_tasks: clean_up_with_cleanmgr.yml
+  when: "'Windows Server 2008' in ansible_distribution"
+
+- name: clean up components and update files
+  win_shell: Dism.exe /online /Cleanup-Image /SpSuperseded
+  when: "'Windows Server 2008' in ansible_distribution"
+  ignore_errors: true

roles/oatakan.windows_template_build/tasks/clean_up_with_cleanmgr.yml

@@ -0,0 +1,64 @@
+---
+
+- block:
+
+    - name: check for cleanmgr executable
+      win_stat:
+        path: '{{ ansible_env.windir }}\System32\cleanmgr.exe'
+      register: check_cleanmgr_file
+
+    - include_tasks: copy_cleanmgr.yml
+      vars:
+        os_short_name: 2008r2
+      when:
+        - not check_cleanmgr_file.stat.exists
+        - ('Windows Server 2008 R2' in ansible_distribution)
+
+    - include_tasks: copy_cleanmgr.yml
+      vars:
+        os_short_name: 2012
+      when:
+        - not check_cleanmgr_file.stat.exists
+        - ('Windows Server 2012' in ansible_distribution)
+        - (not 'Windows Server 2012 R2' in ansible_distribution)
+
+    - name: get free space
+      win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json
+      register: free_space_before_cleanup
+
+    - name: ensure cleanup registry paths exist
+      win_regedit:
+        path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }}
+      loop: "{{ cleanup_registry_keys }}"
+
+    - name: set cleanup registry keys
+      win_regedit:
+        path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\{{ item }}
+        name: StateFlags0012
+        data: 2
+        type: dword
+      loop: "{{ cleanup_registry_keys }}"
+
+    - name: run cleanmgr
+      win_shell: cleanmgr /sagerun:12
+
+    - name: wait for cleanmgr to finish
+      win_shell: (get-wmiobject win32_process | where-object {$_.processname -eq 'cleanmgr.exe'} | measure).count
+      register: check_cleanmgr_process
+      until: check_cleanmgr_process.stdout is defined and check_cleanmgr_process.stdout|int == 0
+      delay: 5
+      retries: 300
+
+    - name: get free space
+      win_shell: Get-PSDrive C | Select-Object Free | ConvertTo-Json
+      register: free_space_after_cleanup
+
+    - debug:
+        msg:
+          - "Free space before cleanup: {{ ((free_space_before_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
+          - "Free space after cleanup: {{ ((free_space_after_cleanup.stdout | from_json)['Free']|int / (1024*1024*1024)) | round(2, 'floor') }} GB"
+
+  rescue:
+    - name: ignore any errors
+      debug:
+        msg: "ignoring any error with clean up with cleanmgr"

roles/oatakan.windows_template_build/tasks/disable_auto_logon.yml

@@ -0,0 +1,8 @@
+---
+
+- name: disable auto login
+  win_regedit:
+    path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
+    name: "{{ item.name }}"
+    state: absent
+  loop: "{{ autologin_registry }}"

roles/oatakan.windows_template_build/tasks/enable_rdp.yml

@@ -0,0 +1,18 @@
+---
+
+- name: enable RDP port
+  win_firewall_rule:
+    name: Remote Desktop
+    localport: 3389
+    action: allow
+    direction: in
+    protocol: tcp
+    state: present
+    enabled: true
+
+- name: enable RDP
+  win_regedit:
+    path: HKLM:\System\CurrentControlSet\Control\Terminal Server
+    name: fDenyTSConnections
+    data: 0
+    type: dword

roles/oatakan.windows_template_build/tasks/enable_tlsv12.yml

@@ -0,0 +1,43 @@
+---
+
+- block:
+    - name: test SSL connection
+      win_shell: "[System.Net.WebRequest]::Create('https://github.com').GetResponse()"
+
+  rescue:
+    - name: enable TLSv1.2 support
+      win_regedit:
+        path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
+        name: '{{ item.property }}'
+        data: '{{ item.value }}'
+        type: dword
+        state: present
+      register: enable_tls12
+      loop:
+        - type: Server
+          property: Enabled
+          value: 1
+        - type: Server
+          property: DisabledByDefault
+          value: 0
+        - type: Client
+          property: Enabled
+          value: 1
+        - type: Client
+          property: DisabledByDefault
+          value: 0
+
+    - name: enable strong crypto
+      win_regedit:
+        path: HKLM:\{{ item }}
+        name: SchUseStrongCrypto
+        data: 1
+        type: dword
+        state: present
+      loop:
+        - 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
+        - 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
+
+    - name: reboot if TLS config was applied
+      win_reboot:
+      when: enable_tls12 is changed

roles/oatakan.windows_template_build/tasks/install_dism.yml

@@ -0,0 +1,66 @@
+---
+- block:
+    - name: ensure Windows ADK with DISM is installed
+      win_package:
+        path: https://go.microsoft.com/fwlink/?linkid=873065 # version 10.0.17134.0
+        product_id: '{{ _product_id }}'
+        expected_return_code:
+          - 0
+          - 3010
+        arguments: "{{ _arguments | join(' ') }}"
+      notify:
+        - get Windows ADK uninstall command
+        - uninstall Windows ADK
+  rescue:
+    - block:
+        - name: download DISM
+          win_get_url:
+            url: https://go.microsoft.com/fwlink/?linkid=873065
+            dest: '{{ temp_directory }}\adksetup.exe'
+          register: download_dism
+          retries: 5
+          delay: 5
+          until: download_dism is success
+
+        - name: ensure Windows ADK with DISM is installed (retry)
+          win_package:
+            path: '{{ temp_directory }}\adksetup.exe' # version 10.0.17134.0
+            product_id: '{{ _product_id }}'
+            expected_return_code:
+              - 0
+              - 3010
+            arguments: "{{ _arguments | join(' ') }}"
+          register: install_dism
+          ignore_errors: true
+          notify:
+            - get Windows ADK uninstall command
+            - uninstall Windows ADK
+      rescue:
+        - name: ensure Windows ADK with DISM is installed (chocolatey)
+          win_chocolatey:
+            name: windows-adk-deploy
+            state: present
+            version: 10.0.17134.0
+          register: install_windows_adk_deploy
+          ignore_errors: true
+          notify: ensure Windows ADK with DISM is removed
+  vars:
+    _product_id: '{d794748d-72e9-45d7-9ab7-83d6c4c80f7f}'
+    _arguments:
+      - /quiet
+      - /norestart
+      - /features {{ _features | join(' ') }}
+    _features:
+      - OptionId.DeploymentTools
+      - OptionId.WindowsPreinstallationEnvironment
+      - OptionId.ImagingAndConfigurationDesigner
+      - OptionId.UserStateMigrationTool
+
+- name: ensure PATH contains Windows ADK
+  win_path:
+    scope: machine
+    state: present
+    elements: 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM'
+
+- pause:
+    seconds: 10

roles/oatakan.windows_template_build/tasks/remove_apps-alt-2.yml

@@ -0,0 +1,96 @@
+---
+
+- name: remove default apps
+  win_shell: |
+    $ErrorActionPreference = "Stop"
+    $apps = @(
+        "Microsoft.3DBuilder",
+        "Microsoft.Appconnector",
+        "Microsoft.BingFinance",
+        "Microsoft.BingNews",
+        "Microsoft.BingSports",
+        "Microsoft.BingWeather",
+        "Microsoft.FreshPaint",
+        "Microsoft.Getstarted",
+        "Microsoft.MicrosoftOfficeHub",
+        "Microsoft.MicrosoftSolitaireCollection",
+        "Microsoft.MicrosoftStickyNotes",
+        "Microsoft.Office.OneNote",
+        "Microsoft.OneConnect",
+        "Microsoft.People",
+        "Microsoft.SkypeApp",
+        "Microsoft.Windows.Photos",
+        "Microsoft.WindowsAlarms",
+        "Microsoft.WindowsCalculator",
+        "Microsoft.WindowsCamera",
+        "Microsoft.WindowsMaps",
+        "Microsoft.WindowsPhone",
+        "Microsoft.WindowsSoundRecorder",
+        "Microsoft.XboxApp",
+        "Microsoft.ZuneMusic",
+        "Microsoft.ZuneVideo",
+        "Microsoft.WindowsCommunicationsApps",
+        "Microsoft.MinecraftUWP",
+        "Microsoft.MicrosoftPowerBIForWindows",
+        "Microsoft.NetworkSpeedTest",
+        "Microsoft.CommsPhone",
+        "Microsoft.ConnectivityStore",
+        "Microsoft.Messaging",
+        "Microsoft.Office.Sway",
+        "Microsoft.OneConnect",
+        "Microsoft.WindowsFeedbackHub",
+        "Microsoft.BingFoodAndDrink",
+        "Microsoft.BingTravel",
+        "Microsoft.BingHealthAndFitness",
+        "Microsoft.WindowsReadingList",
+        "Microsoft.MSPaint",
+        "Microsoft.Microsoft3DViewer",
+        "Microsoft.Print3D",
+        "9E2F88E3.Twitter",
+        "PandoraMediaInc.29680B314EFC2",
+        "Flipboard.Flipboard",
+        "ShazamEntertainmentLtd.Shazam",
+        "king.com.CandyCrushSaga",
+        "king.com.CandyCrushSodaSaga",
+        "king.com.*",
+        "ClearChannelRadioDigital.iHeartRadio",
+        "4DF9E0F8.Netflix",
+        "6Wunderkinder.Wunderlist",
+        "Drawboard.DrawboardPDF",
+        "2FE3CB00.PicsArt-PhotoStudio",
+        "D52A8D61.FarmVille2CountryEscape",
+        "TuneIn.TuneInRadio",
+        "GAMELOFTSA.Asphalt8Airborne",
+        "TheNewYorkTimes.NYTCrossword",
+        "DB6EA5DB.CyberLinkMediaSuiteEssentials",
+        "Facebook.Facebook",
+        "flaregamesGmbH.RoyalRevolt2",
+        "Playtika.CaesarsSlotsFreeCasino",
+        "A278AB0D.MarchofEmpires",
+        "KeeperSecurityInc.Keeper",
+        "ThumbmunkeysLtd.PhototasticCollage",
+        "XINGAG.XING",
+        "89006A2E.AutodeskSketchBook",
+        "D5EA27B7.Duolingo-LearnLanguagesforFree",
+        "46928bounde.EclipseManager",
+        "ActiproSoftwareLLC.562882FEEB491"
+    )
+    foreach ($app in $apps) {
+        Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -AllUsers
+        Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like $app } | Remove-AppxProvisionedPackage -Online
+    }
+  register: cleanup_win10_remove
+  until: cleanup_win10_remove is successful
+  retries: 5
+  delay: 1
+  ignore_errors: true
+
+- name: prevent suggested applications from returning
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content
+    name: DisableWindowsConsumerFeatures
+    data: 1
+    datatype: dword
+
+- name: reboot to effect pending changes
+  win_reboot:

roles/oatakan.windows_template_build/tasks/remove_apps-alt.yml

@@ -0,0 +1,30 @@
+---
+
+- name: remove user apps
+  script: RemoveUserApps.ps1
+  register: cleanup_win10_remove
+  until: cleanup_win10_remove is successful
+  retries: 3
+  delay: 1
+  ignore_errors: true
+
+#- name: disable windows store
+#  win_regedit:
+#    path: HKLM:\Software\Policies\Microsoft\WindowsStore
+#    name: AutoDownload
+#    data: 00000002
+#    type: dword
+#
+#- name: disable content delivery manager
+#  win_regedit:
+#    path: HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
+#    name: SilentInstalledAppsEnabled
+#    data: 00000000
+#    type: dword
+#
+#- name: disable windows store
+#  win_regedit:
+#    path: HKLM:\Software\Policies\Microsoft\Windows\CloudContent
+#    name: DisableWindowsConsumerFeatures
+#    data: 00000001
+#    type: dword

roles/oatakan.windows_template_build/tasks/remove_apps.yml

@@ -0,0 +1,97 @@
+---
+
+- name: Setup the xWebAdministration module
+  win_psmodule:
+    name: DSCR_AppxPackage
+    state: present
+
+- name: remove packages
+  win_dsc:
+    resource_name: cAppxProvisionedPackageSet
+    Ensure: Absent
+    PackageName:
+      - Microsoft.3DBuilder
+      - Microsoft.Appconnector
+      - Microsoft.BingFinance
+      - Microsoft.BingNews
+      - Microsoft.BingSports
+      - Microsoft.BingWeather
+      - Microsoft.FreshPaint
+      - Microsoft.Getstarted
+      - Microsoft.MicrosoftOfficeHub
+      - Microsoft.MicrosoftSolitaireCollection
+      - Microsoft.MicrosoftStickyNotes
+      - Microsoft.Office.OneNote
+      - Microsoft.OneConnect
+      - Microsoft.People
+      - Microsoft.SkypeApp
+      - Microsoft.Windows.Photos
+      - Microsoft.WindowsAlarms
+      - Microsoft.WindowsCalculator
+      - Microsoft.WindowsCamera
+      - Microsoft.WindowsMaps
+      - Microsoft.WindowsPhone
+      - Microsoft.WindowsSoundRecorder
+      - Microsoft.XboxApp
+      - Microsoft.ZuneMusic
+      - Microsoft.ZuneVideo
+      - Microsoft.WindowsCommunicationsApps
+      - Microsoft.MinecraftUWP
+      - Microsoft.MicrosoftPowerBIForWindows
+      - Microsoft.NetworkSpeedTest
+      - Microsoft.CommsPhone
+      - Microsoft.ConnectivityStore
+      - Microsoft.Messaging
+      - Microsoft.Office.Sway
+      - Microsoft.OneConnect
+      - Microsoft.WindowsFeedbackHub
+      - Microsoft.BingFoodAndDrink
+      - Microsoft.BingTravel
+      - Microsoft.BingHealthAndFitness
+      - Microsoft.WindowsReadingList
+      - Microsoft.MSPaint
+      - Microsoft.Microsoft3DViewer
+      - Microsoft.Print3D
+      - 9E2F88E3.Twitter
+      - PandoraMediaInc.29680B314EFC2
+      - Flipboard.Flipboard
+      - ShazamEntertainmentLtd.Shazam
+      - king.com.CandyCrushSaga
+      - king.com.CandyCrushSodaSaga
+      - king.com.*
+      - ClearChannelRadioDigital.iHeartRadio
+      - 4DF9E0F8.Netflix
+      - 6Wunderkinder.Wunderlist
+      - Drawboard.DrawboardPDF
+      - 2FE3CB00.PicsArt-PhotoStudio
+      - D52A8D61.FarmVille2CountryEscape
+      - TuneIn.TuneInRadio
+      - GAMELOFTSA.Asphalt8Airborne
+      - TheNewYorkTimes.NYTCrossword
+      - DB6EA5DB.CyberLinkMediaSuiteEssentials
+      - Facebook.Facebook
+      - flaregamesGmbH.RoyalRevolt2
+      - Playtika.CaesarsSlotsFreeCasino
+      - A278AB0D.MarchofEmpires
+      - KeeperSecurityInc.Keeper
+      - ThumbmunkeysLtd.PhototasticCollage
+      - XINGAG.XING
+      - 89006A2E.AutodeskSketchBook
+      - D5EA27B7.Duolingo-LearnLanguagesforFree
+      - 46928bounde.EclipseManager
+      - ActiproSoftwareLLC.562882FEEB491-
+  register: cleanup_win10_remove
+  until: cleanup_win10_remove is successful
+  retries: 3
+  delay: 1
+  ignore_errors: true
+
+- name: prevent suggested applications from returning
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloud Content
+    name: DisableWindowsConsumerFeatures
+    data: 1
+    datatype: dword
+
+- name: reboot to effect pending changes
+  win_reboot:

roles/oatakan.windows_template_build/tasks/remove_onedrive.yml

@@ -0,0 +1,33 @@
+---
+
+- name: kill onedrive process
+  win_shell: Stop-Process -Name OneDrive
+  ignore_errors: true
+
+- name: uninstall onedrive
+  win_shell: '{{ ansible_env.SystemRoot }}\SysWOW64\OneDriveSetup.exe /uninstall'
+  ignore_errors: true
+
+- name: remove onedrivesync package
+  win_shell: get-appxpackage *Microsoft.OneDriveSync* | remove-appxpackage -AllUsers
+  ignore_errors: true
+
+- name: remove onedrive directories
+  win_file:
+    path: '{{ item }}'
+    state: absent
+  ignore_errors: true
+  loop:
+    - '{{ ansible_env.USERPROFILE }}\OneDrive'
+    - '{{ ansible_env.LOCALAPPDATA }}\Microsoft\OneDrive'
+    - '{{ ansible_env.ProgramData }}\Microsoft OneDrive'
+    - C:\OneDriveTemp
+
+- name: delete registry keys
+  win_regedit:
+    path: '{{ item }}'
+    state: absent
+    delete_key: true
+  loop:
+    - HKCR:\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
+    - HKCR:\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}

roles/oatakan.windows_template_build/tasks/update_agent_win2008.yml

@@ -0,0 +1,13 @@
+---
+# this updates windows update which is needed to install further updates
+# see https://docs.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent
+
+- name: ensure Windows Update Agent on 2008 is installed
+  win_package:
+    path: "{{ windows_update_agent_url }}"
+    arguments:
+      - /quiet
+      - /norestart
+      - /wuforce
+    creates_path: C:\Windows\System32\wuaueng.dll
+    creates_version: 7.6.7600.320