Added code for 0.5.0 release that stabilises the post sysprep startup…

… and other minor fixes to improve performance and size

CHANGELOG.md

@@ -6,7 +6,15 @@ changelog entries to `roles/packer-setup/vars/main.yml` to modify this file_
 This is the changelog of each image version uploaded to the Vagrant Cloud. It
 contains a list of changes that each incorporate.
 
-### v0.4.0 - 2016-05-16
+### v0.5.0 - 2018-08-08
+
+* Disabled automatic Windows Update to eliminate post-startup thrash on older images - https://github.com/jborean93/packer-windoze/issues/10
+* Updated Win32-OpenSSH to the latest release [v7.7.2.0p1-Beta](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v7.7.2.0p1-Beta)
+* Ensure WinRM HTTPS listener and firewall is configured before allowing Vagrant to detect the host is up - https://github.com/jborean93/packer-windoze/issues/11
+* Run ngen before sysprep process to try and speed up the Vagrant init time
+* Clean up `C:\Windows\SoftwareDistribution\Download` and `C:\Recovery` as part of the cleanup process
+
+### v0.4.0 - 2018-05-16
 
 * Create a PS Module called `PackerWindoze` that stores the `Reset-WinRMConfig` cmdlet that recreates the WinRM configuration and keep that post sysprep for downstream users to call at any time
 * Added support for the Server 1803 image

roles/cleanup-winsxs/tasks/main.yml

@@ -49,3 +49,13 @@
 - name: setup and run cleanmgr if DISM reset base wasn't supported or cleanmgr is available
   include_tasks: cleanmgr.yml
   when: pri_cleanup_winsxs_dism_supported.stdout_lines[0] == "false" or pri_cleanup_winsxs_cleanmgr_available.stat.exists == True
+
+- name: check if the SoftwareDistribution folder exists
+  win_stat:
+    path: C:\Windows\SoftwareDistribution\Download
+  register: pri_cleanup_winsxs_download_stat
+
+- name: clear Windows Update cache download directory
+  win_shell: Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Recurse -Force
+  become: yes
+  when: pri_cleanup_winsxs_download_stat.stat.exists

roles/cleanup/tasks/main.yml

@@ -21,6 +21,11 @@
   - C:\Windows\Panther
   - C:\Windows\Temp
 
+# win_file does not work with hidden folders
+- name: cleanup the C:\Recovery folder
+  win_shell: Remove-Item -Path C:\Recovery -Force -Recurse
+  ignore_errors: yes
+
 # we want to clear the folder contents and not the folder itself
 - name: clear out the WinSXS ManifestCache folder
   win_shell: |

roles/openssh/tasks/setup.yml

@@ -3,7 +3,7 @@
 ---
 - name: set openssh version to install
   set_fact:
-    pri_openssh_version: v7.6.1.0p1-Beta
+    pri_openssh_version: v7.7.2.0p1-Beta
 
 - name: set install path for 64 bit Windows
   set_fact:

roles/packer-setup/templates/description.md.j2

@@ -26,7 +26,7 @@ Other configurations from the standard image;
 
 * WinRM HTTP and HTTPS listener with Basic and CredSSP enabled
 {% if not pri_packer_setup_config.answer_longhorn %}
-* [Win32-OpenSSH](https://github.com/PowerShell/Win32-OpenSSH) v7.6.1.0p1-Beta
+* [Win32-OpenSSH](https://github.com/PowerShell/Win32-OpenSSH) v7.7.2.0p1-Beta
 {% endif %}
 * Default Administrator account disabled, password is also `{{opt_packer_setup_password}}`
 * Hidden files and folders and file extensions are shown by default

roles/packer-setup/vars/main.yml

@@ -1,8 +1,13 @@
 # this creates the changelog in the description for the Vagrant box
 pri_packer_setup_changelog:
 - version: '0.5.0'
+  date: 2018-08-08
   changes:
-  - Disabled automatic Windows Update to eliminate post-startup thrash on older images
+  - Disabled automatic Windows Update to eliminate post-startup thrash on older images - https://github.com/jborean93/packer-windoze/issues/10
+  - Updated Win32-OpenSSH to the latest release [v7.7.2.0p1-Beta](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v7.7.2.0p1-Beta)
+  - Ensure WinRM HTTPS listener and firewall is configured before allowing Vagrant to detect the host is up - https://github.com/jborean93/packer-windoze/issues/11
+  - Run ngen before sysprep process to try and speed up the Vagrant init time
+  - Clean up `C:\Windows\SoftwareDistribution\Download` and `C:\Recovery` as part of the cleanup process
 - version: '0.4.0'
   date: 2018-05-16
   changes:
@@ -356,10 +361,10 @@ pri_packer_setup_host_config:
     #     * Cumulative Update for Windows Server 2016 for x64-based Systems - Security Updates
     #       https://www.catalog.update.microsoft.com/Search.aspx?q=Cumulative%20Update%20for%20Windows%20Server%202016%20for%20x64-based%20Systems%20-%20Security%20Updates
     bootstrap_files:
-    - name: KB4093137
-      url: http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/03/windows10.0-kb4093137-x64_d4372b516a4e91705f68f5d38c0e1b0abf8072c9.msu
-    - name: KB4103723
-      url: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu
+    - name: KB4132216
+      url: http://download.windowsupdate.com/c/msdownload/update/software/crup/2018/05/windows10.0-kb4132216-x64_9cbeb1024166bdeceff90cd564714e1dcd01296e.msu
+    - name: KB4338814
+      url: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4338814-x64_f4a1df3470cc06192c5157c3f574ffdc4edadabd.msu
   '1709':
     box_tag: WindowsServer1709
 
@@ -387,7 +392,11 @@ pri_packer_setup_host_config:
     architecture: amd64
     answer_longhorn: no
     skip_feature_removal: yes
-    bootstrap_files: []
+    bootstrap_files:
+    - name: KB4343669
+      url: http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/07/windows10.0-kb4343669-x64_2a58320e44d3ff803bc7016b5d02f3e85482b46f.msu
+    - name: KB4338819
+      url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/07/windows10.0-kb4338819-x64_73cef45cbee3c689ddddf596aed7cb6a61092180.msu
   '10-x86':
     box_tag: jborean93/Windows10-x86
 

roles/sysprep/files/PackerWindoze.psm1

@@ -64,28 +64,37 @@ Function New-LegacySelfSignedCert($subject, $valid_days) {
     return $parsed_certificate
 }
 
-function New-WinRMFirewallRule($port, $protocol) {
+Function New-FirewallRule {
+    param(
+        [Parameter(mandatory=$true)][String]$Name,
+        [Parameter(mandatory=$true)][String]$Description,
+        [Parameter(mandatory=$true)][int]$Port,
+        [Parameter()][Switch]$Deny
+    )
     $fw = New-Object -ComObject HNetCfg.FWPolicy2
-    $https_rule = "Windows Remote Management ($protocol-In)"
 
-    $rules = $fw.Rules | Where-Object { $_.Name -eq $https_rule }
+    $rules = $fw.Rules | Where-Object { $_.Name -eq $Name }
     if (-not $rules) {
-        Write-Verbose -Message "Creating a new WinRM $protocol firewall rule"
+        Write-Verbose -Message "Creating new firewall rule - $Name"
         $rule = New-Object -ComObject HNetCfg.FwRule
-        $rule.Name = $https_rule
-        $rule.Description = "Inbound rule for Windows Remote Management via WS-Management. [TCP $port]"
+        $rule.Name = $name
+        $rule.Description = $Description
         $rule.Profiles = 0x7FFFFFFF
         $rules = @($rule)
     }
-    
+
     foreach ($rule in $rules) {
+        $action = 1  # Allow
+        if ($Deny.IsPresent) {
+            $action = 0  # Deny
+        }
         $rule_details = @{
-            LocalPorts = $port
+            LocalPorts = $Port
             RemotePorts = "*"
             LocalAddresses = "*"
             Enabled = $true
             Direction = 1
-            Action = 1
+            Action = $action
             Grouping = "Windows Remote Management"
             ApplicationName = "System"
         }
@@ -104,25 +113,38 @@ function New-WinRMFirewallRule($port, $protocol) {
         }
 
         if ($changed) {
-            Write-Verbose -Message "WinRM $protocol firewall rule needs to be (re)created as config does not match expectation"
+            Write-Verbose -Message "Firewall rule $($rule.Name) needs to be (re)created as config does not match expectation"
             try {
                 $fw.Rules.Add($rule)
             } catch [System.Runtime.InteropServices.COMException] {
                 # E_UNEXPECTED 0x80000FFFF means the rule already exists
                 if ($_.Exception.ErrorCode -eq 0x8000FFFF) {
-                    Write-Verbose -Message "WinRM $protocol firewall rule already exists, deleting before recreating"
+                    Write-Verbose -Message "Firewall rule $($rule.Name) already exists, deleting before recreating"
                     $fw.Rules.Remove($rule.Name)
                     $fw.Rules.Add($rule)
                 } else {
-                    Write-Verbose -Message "Failed to add WinRM $protocol firewall rule: $($_.Exception.Message)"
+                    Write-Verbose -Message "Failed to add firewall rule $($rule.Name): $($_.Exception.Message)"
                     throw $_
                 }
             }
         }
     }
 }
 
-function Reset-WinRMConfig {
+Function Remove-FirewallRule {
+    param(
+        [Parameter(mandatory=$true)][String]$Name
+    )
+    $fw = New-Object -ComObject HNetCfg.FWPolicy2
+
+    $rules = $fw.Rules | Where-Object { $_.Name -eq $Name }
+    foreach ($rule in $rules) {
+        Write-Verbose -Message "Removing firewall rule $($rule.Name)"
+        $fw.Rules.Remove($rule.Name)
+    }
+}
+
+Function Reset-WinRMConfig {
     <#
     .SYNOPSIS
     Resets the WinRM configuration for the current host. This cmdlet will
@@ -156,7 +178,38 @@ function Reset-WinRMConfig {
         Write-Verbose "Removing all existing certificate in the personal store"
         Remove-Item -Path Cert:\LocalMachine\My\* -Force -Recurse
     }
+
+    # add a deny Firewall Rule for port 5985 and 5986 to force Vagrant to wait
+    # until all the steps are completed before returning. This deny rule is
+    # removed at the end of this process
+    Write-Verbose -Message "Creating deny WinRM Firewall rules during setup process"
+    $http_deny_rule = "PackerWindoze temp WinRM HTTP Deny rule"
+    $https_deny_rule = "PackerWindoze temp WinRM HTTPS Deny rule"
+    New-FirewallRule -Name $http_deny_rule -Description $http_deny_rule -Port 5985 -Deny
+    New-FirewallRule -Name $https_deny_rule -Description $https_deny_rule -Port 5986 -Deny
+
+    Write-Verbose -Message "Enabling Basic authentication"
+    Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
+
+    Write-Verbose -Message "Enabling CredSSP authentication"
+    Enable-WSManCredSSP -role server -Force > $null
+
+    Write-Verbose -Message "Setting AllowUnencrypted to False"
+    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
+
+    Write-Verbose -Message "Setting the LocalAccountTokenFilterPolicy registry key for remote admin access"
+    $reg_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+    $reg_prop_name = "LocalAccountTokenFilterPolicy"
 
+    $reg_key = Get-Item -Path $reg_path
+    $reg_prop = $reg_key.GetValue($reg_prop_name)
+    if ($reg_prop -ne 1) {
+        if ($null -eq $reg_prop) {
+            Remove-ItemProperty -Path $reg_path -Name $reg_prop_name
+        }
+        New-ItemProperty -Path $reg_path -Name $reg_prop_name -Value 1 -PropertyType DWord > $null
+    }
+
     Write-Verbose -Message "Creating HTTP listener"
     $selector_set = @{
         Transport = "HTTP"
@@ -167,6 +220,7 @@ function Reset-WinRMConfig {
     }
     New-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector_set -ValueSet $value_set > $null
 
+    Write-Verbose -Message "Creating HTTPS listener"
     if ($CertificateThumbprint) {
         $thumbprint = $CertificateThumbprint
     } else {
@@ -181,28 +235,23 @@ function Reset-WinRMConfig {
         CertificateThumbprint = $thumbprint
         Enabled = $true
     }
-
-    Write-Verbose -Message "Creating HTTPS listener"
     New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $selector_set -ValueSet $value_set > $null
-
+
+    Write-Verbose -Message "Configuring WinRM HTTPS firewall rule"
+    New-FirewallRule -Name "Windows Remote Management (HTTPS-In)" `
+        -Description "Inbound rule for Windows Remote Management via WS-Management. [TCP 5986]" `
+        -Port 5986
+
     Write-Verbose "Enabling PowerShell Remoting"
     # Change the verbose output for this cmdlet only as the output is really verbose
     $orig_verbose = $VerbosePreference
     $VerbosePreference = "SilentlyContinue"
     Enable-PSRemoting -Force > $null
     $VerbosePreference = $orig_verbose
-
-    Write-Verbose -Message "Enabling Basic authentication"
-    Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
-
-    Write-Verbose -Message "Enabling CredSSP authentication"
-    Enable-WSManCredSSP -role server -Force > $null
-
-    Write-Verbose -Message "Setting AllowUnencrypted to False"
-    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
-
-    Write-Verbose -Message "Configuring WinRM HTTPS firewall rule"
-    New-WinRMFirewallRule -port 5986 -protocol HTTPS
+
+    Write-Verbose -Message "Removing WinRM deny firewall rules as config is complete"
+    Remove-FirewallRule -Name $http_deny_rule
+    Remove-FirewallRule -Name $https_deny_rule
 
     Write-Verbose -Message "Testing out WinRM communication over localhost"
     $session_option = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

roles/sysprep/tasks/main.yml

@@ -1,4 +1,7 @@
 ---
+- name: run ngen to recompile .NET assemblies
+  win_dotnet_ngen:
+
 - name: ensure unattend panther and temp directory exists
   win_file:
     path: '{{item}}'