# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# This file was adapted from https://github.com/Azure/aks-engine/blob/master/vhd/packer/configure-windows-vhd.ps1 for ansible
#
# Ansible task list that prepares a Windows image: it pins Windows Update policy in the
# registry, installs a chosen set of updates, installs and configures OpenSSH, applies
# networking/HNS registry fixes, enables the Containers and Hyper-V features and reboots.
#
# Variables referenced by these tasks (all must be defined by the caller unless noted):
#   windows_updates_kbs_numbers     - list of KB ids to install; [] skips that task
#   windows_updates_category_names  - list of update categories; [] skips that task
#   ssh_source_url                  - "" selects ssh-feature.yml, anything else ssh-archive.yml
#   systemdrive                     - registered result whose .stdout holds the system drive
#   distribution_version            - "2019" gates the HNS/WCIFS fixes
#   disable_hypervisor              - optional, defaults to false

# The three registry tasks below reset the WindowsUpdate policy key to a known state before
# the NoAutoUpdate/AUOptions values are written: delete the key (and subkeys), then recreate
# it and the AU subkey.
- name: Remove Windows updates default registry settings
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
    state: absent
    delete_key: yes

- name: Add Windows update registry path
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    state: present

- name: Add Windows automatic update registry path
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    state: present

# https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry
# NoAutoUpdate=1 turns automatic updates off so the build is not interrupted by an unplanned
# install/reboot. Nothing in this file re-enables it, so the setting is baked into the image;
# patching of the running image then relies on the explicit win_updates tasks below and on
# whatever the consumer does after deployment.
- name: Disable Windows automatic updates in registry
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    state: present
    name: NoAutoUpdate
    data: 1
    type: dword

# AUOptions=2: notify before download, never install automatically.
- name: Set Windows automatic updates to notify only in registry
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    state: present
    name: AUOptions
    data: 2
    type: dword

# Hyper-V messes with networking components on startup after the feature is enabled
# causing issues with communication over winrm and setting winrm to delayed start
# gives Hyper-V enough time to finish configuration before having packer continue.
# NOTE(review): sc.exe's documented syntax puts a space after the option name
# (`start= delayed-auto`); confirm the space-less form is accepted on every target
# Windows version, since win_command passes the line through as-is.
- name: Set WinRm Service to delayed start
  win_command: sc.exe config winrm start=delayed-auto

# Best effort to update defender signatures
# This can fail if there is already a signature
# update running which means we will get them anyways
# Also at the time the VM is provisioned Defender will trigger any required updates
# Waits up to five minutes for the Defender service to be running before requesting the
# signature update. ignore_errors also hides failures of Get-Service/WaitForStatus, not only
# of Update-MpSignature, so a missing or stopped Defender service will not fail the build.
- name: Update Windows Defender signatures
  win_shell: |
    $service = Get-Service "Windefend"
    $service.WaitForStatus("Running","00:5:00")
    Update-MpSignature
  ignore_errors: yes

# Find KB Article numbers:
# - WS 2019 https://support.microsoft.com/en-us/help/4464619
# - WS 2022 https://support.microsoft.com/topic/windows-server-2022-update-history-e1caa597-00c5-4ab9-9f3e-8212fe80b2ee
# Task to install specific updates by KB. All categories are specified as the module
# won't install the update unless the category matches. Setting windows_updates_kbs_numbers to []
# will skip this task.
# reboot: yes lets the module reboot the host as many times as the updates require.
- name: Install Windows updates based on KB numbers
  win_updates:
    whitelist: "{{ windows_updates_kbs_numbers }}"
    reboot: yes
    category_names:
      - Application
      - Connectors
      - CriticalUpdates
      - DefinitionUpdates
      - DeveloperKits
      - Drivers
      - FeaturePacks
      - Guidance
      - SecurityUpdates
      - ServicePacks
      - Tools
      - UpdateRollups
      - Updates
  when: windows_updates_kbs_numbers|length > 0

# Task to install any outstanding updates that belong to specific categories. Setting
# windows_updates_category_names to [] will skip this task.
- name: Install Windows updates based on Categories
  win_updates:
    category_names: "{{ windows_updates_category_names }}"
    reboot: yes
  when: windows_updates_category_names|length > 0

# OpenSSH is installed either as the built-in Windows feature (no source URL given) or from a
# downloaded archive; exactly one of the two task files is imported.
- import_tasks: ssh-feature.yml
  when: ssh_source_url == ""

- import_tasks: ssh-archive.yml
  when: ssh_source_url != ""

# Makes PowerShell the login shell for SSH sessions. The path is built from the registered
# system drive (e.g. "C:") so it does not assume a fixed drive letter.
- name: Set default SSH shell to Powershell
  win_regedit:
    path: HKLM:\SOFTWARE\OpenSSH
    state: present
    name: DefaultShell
    data: '{{ systemdrive.stdout | trim }}\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    type: string

# Ensures %ProgramData%\ssh exists so the sshd_config edit below has somewhere to write,
# regardless of whether sshd has already run once (which is what normally creates it).
- name: Create SSH program data folder
  win_shell: If (-Not (Test-Path -Path "$env:ProgramData\ssh")) { mkdir "$env:ProgramData\ssh" }

# Despite the task name this *disables* password logins and enables public-key logins.
# Add-Content appends unconditionally, so re-running this task duplicates the two lines.
# NOTE(review): sshd honours the first occurrence of a directive, and directives placed after
# a `Match` line apply only to that Match block. If sshd_config already exists at this point
# (e.g. written by ssh-feature.yml / ssh-archive.yml or copied from sshd_config_default, which
# ends with a `Match Group administrators` block), the appended lines may not apply globally
# and password authentication could remain enabled — confirm the resulting file.
- name: Enable ssh login without a password
  win_shell: Add-Content -Path "$env:ProgramData\ssh\sshd_config" -Value "PasswordAuthentication no`nPubkeyAuthentication yes"

# state: started does not restart an already-running sshd, so a config change made above is
# only guaranteed to be picked up after the reboot at the end of this file.
- name: Set SSH service startup mode to auto and ensure it is started
  win_service:
    name: sshd
    start_mode: auto
    state: started

# Apply HNS flags for fixes that need to be enabled via Registry
# these eventually get turned on automatically and can be removed in future releases
# 0x50 is the bitwise OR of the two flags named in the task (0x40 | 0x10).
- name: Apply HNS control Flags 0x40 and 0x10 in 2022-11B patches
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Services\hns\State
    state: present
    name: HNSControlFlag
    data: 0x50
    type: dword
  when: distribution_version == "2019"

- name: Apply WCIFS fix
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Services\wcifs
    state: present
    name: WcifsSOPCountDisabled
    data: 0
    type: dword
  when: distribution_version == "2019"

# netsh takes a start port and a port count: 34000 + 31536 - 1 = 65535.
- name: Expand dynamic port range to 34000-65535 to avoid port exhaustion
  win_shell: netsh int ipv4 set dynamicportrange tcp 34000 31536

# The Hyper-V role itself is not installed here; only the PowerShell module for it. The role
# is enabled through DISM below so that the hypervisor part can be switched off separately.
- name: Add required Windows Features
  win_feature:
    name:
      - Containers
      - Hyper-V-PowerShell
    state: present
  register: win_feature

# Due to a limitation in some CNI plugins the Hyper-V role needs to be installed in order
# to use the VMSwitch Powershell Cmdlets.
# An issue has been logged to have the networking components to be split out but until
# that is complete, environments that do not support running a hypervisor require the
# below which skips the CPU check for Hypervisor support and still installs the VMSwitch Cmdlets
# when disable_hypervisor is set to true
# https://github.com/microsoft/Windows-Containers/issues/80
# /NoRestart defers the reboot to the explicit Reboot task at the end of this file.
# NOTE(review): only exit codes 0 and 1 are treated as success; the intent of accepting 1 is
# not documented here (presumably "already enabled"), and any other DISM exit code — including a
# reboot-required code — fails the task. Confirm this matches the DISM exit codes seen in practice.
- name: Add Hyper-V
  win_shell: |
    dism /online /enable-feature /featurename:Microsoft-Hyper-V /all /NoRestart
  register: hyperv_installed
  failed_when: hyperv_installed.rc != 1 and hyperv_installed.rc != 0

# Opt-in: removes the hypervisor component while keeping the Hyper-V management/VMSwitch
# tooling enabled above. Same exit-code handling as the task above.
- name: Disable Hypervisor
  win_shell: |
    dism /online /disable-feature /featurename:Microsoft-Hyper-V-Online /NoRestart
  when: (disable_hypervisor | default(false) | bool)
  register: hypervisor_disabled
  failed_when: hypervisor_disabled.rc != 1 and hypervisor_disabled.rc != 0

# Single reboot to apply the feature changes made with /NoRestart (and the registry and
# sshd changes above).
- name: Reboot
  win_reboot: