ab636a0ec1
Setup-WinBuild2025.ps1 (Step 2):
- Defender is now disabled at deploy time by Deploy-WinBuild2025.ps1 via
DisableAntiSpyware=1 GPO + RTP off during unattended install.
- Step 2 reduced to a single Assert-Step sanity check (GPO key present = 1).
Exclusion paths removed: scanner is not running, they would be moot.
Prepare-WinBuild2025.ps1 (Setup invocation):
- Replace one-shot Invoke-Command + manual 're-run with -SkipWindowsUpdate'
message with an automated loop (max 10 iterations):
* Invoke-GuestSetup helper runs Setup inside the VM and returns exit code.
* Exit 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) triggers Restart-Computer on
the guest, waits for WinRM via Wait-GuestWinRMReady (20 min timeout),
reopens PSSession and loops.
* Exit 0 breaks the loop; any other code throws immediately.
* Hard cap prevents infinite loops if WU never converges.
1081 lines
52 KiB
PowerShell
1081 lines
52 KiB
PowerShell
#Requires -RunAsAdministrator
|
|
#Requires -Version 5.1
|
|
<#
|
|
.SYNOPSIS
|
|
Provisions a Windows VM as a CI build template (run INSIDE the VM once).
|
|
|
|
.DESCRIPTION
|
|
This script is run ONE TIME inside the template VM before taking the
|
|
"BaseClean" snapshot. After the snapshot is taken, never modify the VM.
|
|
|
|
Installs and configures (each step followed by Assert-Step validation):
|
|
Step 1 — Firewall: all profiles disabled first — removes any block on subsequent steps
|
|
Validation: Domain/Private/Public all Enabled=False
|
|
Step 2 — Defender state validation only (disabled by Deploy-WinBuild2025
|
|
during unattended install via DisableAntiSpyware GPO + RTP off).
|
|
Validation: GPO DisableAntiSpyware=1. No exclusion paths — with
|
|
Defender off the scanner isn't running, so exclusions are moot.
|
|
Step 3 — WinRM: Basic auth, AllowUnencrypted, MaxMemoryPerShellMB=2048, 2h timeout
|
|
Firewall + Defender already off — no interference during config
|
|
Validation: service Running+Automatic, AllowUnencrypted, Auth/Basic, memory
|
|
Step 4 — Local build user account ($BuildUsername, PasswordNeverExpires, Administrators)
|
|
Validation: user exists, enabled, PasswordNeverExpires, admin membership
|
|
Step 4b — UAC disabled (EnableLUA=0, LocalAccountTokenFilterPolicy=1)
|
|
Validation: both registry values verified
|
|
Step 5 — CI working directories: C:\CI\build, C:\CI\output, C:\CI\scripts
|
|
Must run before Windows Update — WU worker writes temp files to C:\CI
|
|
Validation: each path exists as Container
|
|
Step 5b — Explorer LaunchTo=1 (This PC) for current user + Default profile hive
|
|
Validation: HKCU LaunchTo=1
|
|
Step 5c — CI UX hardening (all UI tweaks before the long-running WU step):
|
|
Server Manager auto-start off (machine policy + HKCU Administrator +
|
|
Default User hive → ci_build inherits at first logon)
|
|
Ctrl+Alt+Del at login disabled (DisableCAD=1) — CI VMs never need it
|
|
OOBE privacy/telemetry prompt suppressed (DisablePrivacyExperience=1,
|
|
AllowTelemetry=0) — prevents first-logon interactive prompt in clones
|
|
Validation: machine policy key, HKCU key, DisableCAD, OOBE policy, telemetry
|
|
Step 6 — Windows Update via Scheduled Task as SYSTEM (avoids WinRM token limit)
|
|
Runs with Firewall + Defender off, C:\CI present — faster, no scan overhead
|
|
Validation: result code 0/2/3, no reboot required (else exit 3010)
|
|
Step 6b — Windows Update permanently disabled (post-update lockdown)
|
|
wuauserv + UsoSvc set to Disabled; GPO keys NoAutoUpdate=1,
|
|
DisableWindowsUpdateAccess=1; WU scheduled tasks disabled
|
|
Runs unconditionally (even with -SkipWindowsUpdate) so snapshot
|
|
captures WU off — linked clones never trigger background updates
|
|
Validation: wuauserv StartType=Disabled, GPO keys present
|
|
Step 7 — .NET SDK (channel $DotNetSdkVersion) via dotnet-install.ps1
|
|
Validation: dotnet resolvable, version channel match, machine PATH
|
|
Step 8 — Python $PythonVersion (all users, C:\Python, PrependPath)
|
|
Validation: binary present, exact version match, PATH
|
|
Step 9 — Visual Studio Build Tools 2026 via Scheduled Task as SYSTEM
|
|
Validation: MSBuild.exe exists, executes, PATH, VC dir present
|
|
Step 10 — Toolchain cross-check (dotnet, python, msbuild)
|
|
Throws on any missing tool (was: warn-only)
|
|
Cleanup — Disk cleanup: cleanmgr, SoftwareDistribution, CBS, TEMP, Prefetch, DISM
|
|
wuauserv already Disabled (Step 6b) — not restarted after cache clear
|
|
SoftwareDistribution\Download cleared best-effort (WaaSMedicSvc may repopulate)
|
|
Validation: wuauserv StartType Disabled (SoftwareDistribution check removed —
|
|
WaaSMedicSvc tamper-protection restores files immediately)
|
|
Final — Pre-snapshot gate: 7 cross-cutting checks across all steps
|
|
Throws if any check fails — prevents snapshot of broken state
|
|
|
|
Step ordering rationale:
|
|
Firewall first — removes any network block before WinRM config and WU downloads
|
|
Defender second — eliminates scan overhead before WinRM, WU, and installer downloads
|
|
WinRM third — configured clean with no Firewall/Defender interference
|
|
User + UAC — quick registry ops; UAC off before dirs/tools avoids elevation prompts
|
|
CI dirs — C:\CI must exist before WU worker writes temp files there
|
|
UI tweaks — all fast registry writes batched before the slow WU step
|
|
WU sixth — all prereqs (dirs, user, tweaks) done; Firewall+Defender off
|
|
WU disable — immediately after WU completes; snapshot captures WU permanently off
|
|
Toolchain — .NET / Python / VS last; WU done, no scan on installer payloads
|
|
|
|
NOTE: Git is NOT installed. The host clones the repository and copies
|
|
the source tree into the VM via WinRM (Option B isolation model).
|
|
|
|
╔══════════════════════════════════════════════════════════════════════╗
|
|
║ NETWORK REQUIREMENT DURING SETUP ║
|
|
║ The VM must have internet access while this script runs so it can ║
|
|
║ download Windows Updates and tool installers. The VM NIC must be ║
|
|
║ set to VMnet8 (NAT) — keep it on NAT permanently (builds use NAT ║
|
|
║ for pip/nuget downloads at runtime). ║
|
|
╚══════════════════════════════════════════════════════════════════════╝
|
|
|
|
After this script completes (exit 0, all Assert-Step checks passed):
|
|
1. Shut down the VM (Start → Shut down)
|
|
The VM stays on VMnet8 (NAT) — internet access is required for builds.
|
|
2. In VMware Workstation: VM → Snapshot → Take Snapshot
|
|
Name it exactly: BaseClean
|
|
3. Power off the VM and leave it powered off permanently
|
|
|
|
.PARAMETER BuildUsername
|
|
Local username for the CI build account. Default: ci_build.
|
|
|
|
.PARAMETER BuildPassword
|
|
Password for the build account. Mandatory — supplied by Prepare-WinBuild2025.ps1
|
|
(which prompts interactively). Store the same value in Windows Credential Manager
|
|
on the HOST as target "BuildVMGuest".
|
|
|
|
.PARAMETER DotNetSdkVersion
|
|
.NET SDK channel to install. Default: 10.0 (matches host SDK).
|
|
|
|
.PARAMETER PythonVersion
|
|
Exact Python release to install (x.y.z, must exist on python.org). Default: 3.13.3.
|
|
|
|
.PARAMETER SkipWindowsUpdate
|
|
Skip the Windows Update step (useful if updates were already applied).
|
|
|
|
.NOTES
|
|
Invoke via Prepare-WinBuild2025.ps1 from the HOST (recommended), or
|
|
run manually from an elevated PowerShell session INSIDE the VM:
|
|
Set-ExecutionPolicy Bypass -Scope Process -Force
|
|
.\Setup-WinBuild2025.ps1 -BuildPassword 'YourPassword'
|
|
#>
|
|
[CmdletBinding()]
|
|
param(
|
|
# Local username for the CI build account inside the VM
|
|
[string] $BuildUsername = 'ci_build',
|
|
|
|
# Password for the build account.
|
|
# Must be supplied by the caller (Prepare-WinBuild2025.ps1 prompts interactively).
|
|
# Store the same password in Windows Credential Manager on the HOST as target "BuildVMGuest".
|
|
[Parameter(Mandatory)]
|
|
[string] $BuildPassword,
|
|
|
|
# .NET SDK channel to install (should match the host SDK version)
|
|
[string] $DotNetSdkVersion = '10.0',
|
|
|
|
# Python version to install (x.y.z — must match an exact release on python.org)
|
|
[string] $PythonVersion = '3.13.3',
|
|
|
|
# Skip Windows Update (useful when updates already applied or no internet)
|
|
[switch] $SkipWindowsUpdate,
|
|
|
|
# Skip disk cleanup step (cleanmgr + DISM + cache clear) — speeds up re-runs during dev/debug
|
|
[switch] $SkipCleanup
|
|
)
|
|
|
|
Set-StrictMode -Version Latest
|
|
$ErrorActionPreference = 'Stop'
|
|
|
|
function Write-Step {
|
|
param([string]$Message)
|
|
Write-Host "`n=== $Message ===" -ForegroundColor Cyan
|
|
}
|
|
|
|
function Assert-Step {
|
|
param(
|
|
[Parameter(Mandatory)] [string] $StepName,
|
|
[Parameter(Mandatory)] [string] $Description,
|
|
[Parameter(Mandatory)] [scriptblock] $Test
|
|
)
|
|
$ok = $false
|
|
try { $ok = [bool](& $Test) }
|
|
catch { throw "[$StepName] Validation threw on '$Description': $_" }
|
|
if (-not $ok) {
|
|
throw "[$StepName] Validation failed: $Description"
|
|
}
|
|
Write-Host " [OK] $Description" -ForegroundColor Green
|
|
}
|
|
|
|
# ── Pre-flight: remove temp files from any previous partial run ───────────────
|
|
# These files are normally deleted at the end of each step that creates them.
|
|
# A previous interrupted run may have left them behind — remove before starting.
|
|
$knownTempFiles = @(
|
|
'C:\CI\wu_worker.ps1', 'C:\CI\wu_result.txt', 'C:\CI\wu_reboot.txt', 'C:\CI\wu_log.txt',
|
|
'C:\CI\vs_worker.ps1', 'C:\CI\vs_result.txt', 'C:\CI\vs_BuildTools.exe',
|
|
'C:\CI\python_installer.exe'
|
|
)
|
|
foreach ($f in $knownTempFiles) {
|
|
if (Test-Path $f) {
|
|
Remove-Item $f -Force -ErrorAction SilentlyContinue
|
|
Write-Host "[PreFlight] Removed leftover temp file: $f"
|
|
}
|
|
}
|
|
|
|
# ── Step 1: Firewall ──────────────────────────────────────────────────────────
|
|
Write-Step "Disabling Windows Firewall (all profiles) — isolated lab VM"
|
|
|
|
# Disable first: removes any block on subsequent WinRM config and WU downloads.
|
|
# This VM lives on VMnet8 NAT behind the VMware NAT gateway — no inbound exposure
|
|
# from outside the host, so full disable is acceptable.
|
|
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
|
|
Write-Host "Windows Firewall disabled on all profiles."
|
|
|
|
# Validation
|
|
foreach ($p in 'Domain','Private','Public') {
|
|
Assert-Step 'Firewall' "$p profile disabled" {
|
|
(Get-NetFirewallProfile -Profile $p -ErrorAction Stop).Enabled -eq $false
|
|
}
|
|
}
|
|
|
|
# ── Step 2: Defender — already disabled by Deploy-WinBuild2025 ───────────────
|
|
# Deploy-WinBuild2025.ps1 set RTP off + DisableAntiSpyware=1 GPO during the
|
|
# unattended install. With Defender fully off, exclusion paths are moot — the
|
|
# scanner that would respect them isn't running. Keep a sanity check on the
|
|
# tamper-protect GPO key so we throw early if someone re-enabled Defender.
|
|
Write-Step "Defender state (validation only — disabled at deploy time)"
|
|
Assert-Step 'Defender' 'GPO DisableAntiSpyware=1 (set by Deploy-WinBuild2025)' {
|
|
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
|
|
(Test-Path $key) -and
|
|
((Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1)
|
|
}
|
|
|
|
# ── Step 3: WinRM ─────────────────────────────────────────────────────────────
|
|
Write-Step "Configuring WinRM"
|
|
|
|
# Firewall and Defender already off — no interference during WinRM hardening.
|
|
Enable-PSRemoting -Force -SkipNetworkProfileCheck 3>$null | Out-Null
|
|
|
|
# Allow unencrypted (HTTP/5985) — acceptable for an isolated lab network.
|
|
# Migrate to HTTPS/5986 with a self-signed cert for hardened environments.
|
|
winrm set winrm/config/service '@{AllowUnencrypted="true"}' | Out-Null
|
|
winrm set winrm/config/service/auth '@{Basic="true"}' | Out-Null
|
|
|
|
# Increase shell memory and timeout limits for long builds
|
|
winrm set winrm/config/winrs '@{MaxProcessesPerShell="25"}' | Out-Null
|
|
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 2048 -Force 3>$null
|
|
Set-Item WSMan:\localhost\Shell\IdleTimeOut 7200000 -Force 3>$null # 2 hours
|
|
|
|
# Ensure WinRM starts automatically
|
|
Set-Service -Name WinRM -StartupType Automatic 3>$null
|
|
Start-Service WinRM 3>$null
|
|
|
|
Write-Host "WinRM configured."
|
|
|
|
# Validation
|
|
Assert-Step 'WinRM' 'service Running' {
|
|
(Get-Service WinRM -ErrorAction Stop).Status -eq 'Running'
|
|
}
|
|
Assert-Step 'WinRM' 'service StartType Automatic' {
|
|
(Get-Service WinRM -ErrorAction Stop).StartType -eq 'Automatic'
|
|
}
|
|
Assert-Step 'WinRM' 'AllowUnencrypted=true' {
|
|
(Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
|
|
}
|
|
Assert-Step 'WinRM' 'Auth/Basic=true' {
|
|
(Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'
|
|
}
|
|
Assert-Step 'WinRM' 'MaxMemoryPerShellMB >= 2048' {
|
|
[int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value -ge 2048
|
|
}
|
|
|
|
# ── Step 4: Build user account ───────────────────────────────────────────────
|
|
Write-Step "Creating build user account: $BuildUsername"
|
|
|
|
$existingUser = Get-LocalUser -Name $BuildUsername -ErrorAction SilentlyContinue
|
|
if ($existingUser) {
|
|
Write-Host "User '$BuildUsername' already exists — skipping creation."
|
|
}
|
|
else {
|
|
# Convert to SecureString locally (inside the VM session) to avoid exposing
|
|
# the password as a process argument visible in audit log event 4688.
|
|
$secPwd = ConvertTo-SecureString $BuildPassword -AsPlainText -Force
|
|
try {
|
|
New-LocalUser -Name $BuildUsername -Password $secPwd `
|
|
-PasswordNeverExpires -Description 'CI build account' `
|
|
-ErrorAction Stop | Out-Null
|
|
}
|
|
catch {
|
|
throw "Failed to create user '$BuildUsername': $_"
|
|
}
|
|
Write-Host "User '$BuildUsername' created."
|
|
}
|
|
|
|
# Always ensure password policy and Administrators membership (idempotent)
|
|
& net user $BuildUsername /passwordchg:no | Out-Null
|
|
Set-LocalUser -Name $BuildUsername -PasswordNeverExpires $true
|
|
|
|
$isMember = & net localgroup Administrators 2>&1 | Select-String -SimpleMatch $BuildUsername
|
|
if (-not $isMember) {
|
|
& net localgroup Administrators $BuildUsername /add | Out-Null
|
|
Write-Host "User '$BuildUsername' added to Administrators."
|
|
}
|
|
else {
|
|
Write-Host "User '$BuildUsername' already in Administrators."
|
|
}
|
|
|
|
# Validation
|
|
Assert-Step 'User' "user '$BuildUsername' exists" {
|
|
[bool](Get-LocalUser -Name $BuildUsername -ErrorAction SilentlyContinue)
|
|
}
|
|
Assert-Step 'User' "user '$BuildUsername' enabled" {
|
|
(Get-LocalUser -Name $BuildUsername -ErrorAction Stop).Enabled
|
|
}
|
|
Assert-Step 'User' "user '$BuildUsername' password never expires" {
|
|
# Property name varies across LocalAccounts module versions:
|
|
# - Newer (Server 2022+, some SKUs): bool 'PasswordNeverExpires'
|
|
# - Older / WS2025 PS 5.1: nullable datetime 'PasswordExpires' ($null = never)
|
|
$u = Get-LocalUser -Name $BuildUsername -ErrorAction Stop
|
|
$hasFlag = $u.PSObject.Properties.Name -contains 'PasswordNeverExpires'
|
|
if ($hasFlag) { [bool]$u.PasswordNeverExpires } else { $null -eq $u.PasswordExpires }
|
|
}
|
|
Assert-Step 'User' "user '$BuildUsername' member of Administrators" {
|
|
[bool](& net localgroup Administrators 2>&1 | Select-String -SimpleMatch $BuildUsername)
|
|
}
|
|
|
|
# ── Step 4b: Disable UAC ─────────────────────────────────────────────────────
|
|
Write-Step "Disabling UAC (isolated lab VM)"
|
|
|
|
# EnableLUA=0 disables UAC entirely — admin processes get full token without prompt.
|
|
# LocalAccountTokenFilterPolicy=1 ensures remote admin connections (WinRM) also
|
|
# get an elevated token (avoids the filtered-token issue with runProgramInGuest).
|
|
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
|
|
-Name EnableLUA -Value 0 -Type DWord -Force
|
|
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
|
|
-Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord -Force
|
|
Write-Host "UAC disabled."
|
|
|
|
# Validation
|
|
$uacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
|
|
Assert-Step 'UAC' 'EnableLUA=0' {
|
|
(Get-ItemProperty -Path $uacPolicyKey -Name EnableLUA -ErrorAction Stop).EnableLUA -eq 0
|
|
}
|
|
Assert-Step 'UAC' 'LocalAccountTokenFilterPolicy=1' {
|
|
(Get-ItemProperty -Path $uacPolicyKey -Name LocalAccountTokenFilterPolicy -ErrorAction Stop).LocalAccountTokenFilterPolicy -eq 1
|
|
}
|
|
|
|
# ── Step 5: CI working directories ───────────────────────────────────────────
|
|
Write-Step "Creating CI working directories"
|
|
|
|
# Must run before Windows Update (Step 6): the WU worker script writes temp files
|
|
# to C:\CI\ (wu_worker.ps1, wu_result.txt, wu_reboot.txt, wu_log.txt).
|
|
$ciDirs = @('C:\CI\build', 'C:\CI\output', 'C:\CI\scripts')
|
|
foreach ($dir in $ciDirs) {
|
|
if (-not (Test-Path $dir)) {
|
|
New-Item -ItemType Directory -Path $dir -Force | Out-Null
|
|
Write-Host "Created: $dir"
|
|
}
|
|
}
|
|
|
|
# Validation
|
|
foreach ($dir in $ciDirs) {
|
|
Assert-Step 'CIDirs' "$dir exists (Container)" {
|
|
Test-Path -Path $dir -PathType Container
|
|
}
|
|
}
|
|
|
|
# ── Step 5b: Explorer settings ───────────────────────────────────────────────
|
|
Write-Step "Configuring Explorer defaults"
|
|
|
|
# Open Explorer to 'This PC' (Devices and Drives) instead of Quick Access.
|
|
# LaunchTo=1 = This PC, LaunchTo=2 = Quick Access (default)
|
|
$explorerAdvKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
|
|
Set-ItemProperty -Path $explorerAdvKey -Name 'LaunchTo' -Value 1 -Type DWord -Force
|
|
|
|
# Also apply to the Default User profile so ci_build and any new user inherits it.
|
|
$defaultHive = 'C:\Users\Default\NTUSER.DAT'
|
|
$mountName = 'TempDefaultUser'
|
|
if (Test-Path $defaultHive) {
|
|
reg load "HKU\$mountName" $defaultHive | Out-Null
|
|
$defKey = "Registry::HKU\$mountName\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
|
|
if (-not (Test-Path $defKey)) { New-Item -Path $defKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $defKey -Name 'LaunchTo' -Value 1 -Type DWord -Force
|
|
[gc]::Collect()
|
|
reg unload "HKU\$mountName" | Out-Null
|
|
Write-Host "Explorer: 'This PC' set for current user and default profile."
|
|
}
|
|
else {
|
|
Write-Host "Explorer: 'This PC' set for current user (default hive not found)."
|
|
}
|
|
|
|
# Validation
|
|
Assert-Step 'Explorer' "LaunchTo=1 (HKCU current user)" {
|
|
(Get-ItemProperty -Path $explorerAdvKey -Name LaunchTo -ErrorAction Stop).LaunchTo -eq 1
|
|
}
|
|
|
|
# ── Step 5c: CI UX hardening ─────────────────────────────────────────────────
|
|
Write-Step "CI UX hardening (lock screen off, Server Manager off, no CAD, no OOBE)"
|
|
|
|
# All UI tweaks batched here — fast registry writes before the slow WU step.
|
|
|
|
# 1 — Lock screen: disable entirely (CI VMs never need a lock screen)
|
|
# NoLockScreen=1 suppresses the lock screen shown before login on console sessions.
|
|
$personPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
|
|
if (-not (Test-Path $personPolicyKey)) { New-Item -Path $personPolicyKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $personPolicyKey -Name 'NoLockScreen' -Value 1 -Type DWord -Force
|
|
Write-Host "Lock screen disabled."
|
|
|
|
# 2 — Server Manager: do not auto-open at logon
|
|
# Three layers needed on WS2025:
|
|
# a) Machine policy key (GPO path — read by ServerManager policy check)
|
|
# b) HKLM non-policy key (read directly by ServerManager.exe on WS2025)
|
|
# c) Scheduled Task '\Microsoft\Windows\Server Manager\ServerManager'
|
|
# — this is the actual launcher; registry alone is insufficient on WS2025
|
|
# d) HKCU + Default hive for per-user belt-and-suspenders
|
|
$smPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\ServerManager'
|
|
if (-not (Test-Path $smPolicyKey)) { New-Item -Path $smPolicyKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $smPolicyKey -Name 'DoNotOpenAtLogon' -Value 1 -Type DWord -Force
|
|
|
|
$smHKLMKey = 'HKLM:\SOFTWARE\Microsoft\ServerManager'
|
|
if (-not (Test-Path $smHKLMKey)) { New-Item -Path $smHKLMKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $smHKLMKey -Name 'DoNotOpenServerManagerAtLogon' -Value 1 -Type DWord -Force
|
|
|
|
Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Server Manager\' `
|
|
-TaskName 'ServerManager' -ErrorAction SilentlyContinue | Out-Null
|
|
|
|
# Current session user (Administrator)
|
|
$smUserKey = 'HKCU:\SOFTWARE\Microsoft\ServerManager'
|
|
if (-not (Test-Path $smUserKey)) { New-Item -Path $smUserKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $smUserKey -Name 'DoNotOpenServerManagerAtLogon' -Value 1 -Type DWord -Force
|
|
|
|
# Default User hive — ci_build and any future account inherits at first logon
|
|
$smDefaultHive = 'C:\Users\Default\NTUSER.DAT'
|
|
$smMountName = 'TempDefaultUserSM'
|
|
if (Test-Path $smDefaultHive) {
|
|
reg load "HKU\$smMountName" $smDefaultHive | Out-Null
|
|
$smDefKey = "Registry::HKU\$smMountName\SOFTWARE\Microsoft\ServerManager"
|
|
if (-not (Test-Path $smDefKey)) { New-Item -Path $smDefKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $smDefKey -Name 'DoNotOpenServerManagerAtLogon' -Value 1 -Type DWord -Force
|
|
[gc]::Collect()
|
|
reg unload "HKU\$smMountName" | Out-Null
|
|
Write-Host "Server Manager: policy + HKLM + task + Administrator HKCU + Default hive set."
|
|
}
|
|
else {
|
|
Write-Host "Server Manager: policy + HKLM + task + Administrator HKCU set (Default hive not found)."
|
|
}
|
|
|
|
# 3 — Disable Ctrl+Alt+Del at interactive login
|
|
# Set in both locations: Winlogon (classic) + Policies\System (policy, authoritative on WS2025).
|
|
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
|
|
-Name 'DisableCAD' -Value 1 -Type DWord -Force
|
|
$systemPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
|
|
Set-ItemProperty -Path $systemPolicyKey -Name 'DisableCAD' -Value 1 -Type DWord -Force
|
|
Write-Host "Ctrl+Alt+Del at login disabled (Winlogon + Policies\System)."
|
|
|
|
# 4 — Suppress OOBE privacy/telemetry prompt
|
|
$oobePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OOBE'
|
|
if (-not (Test-Path $oobePolicyKey)) { New-Item -Path $oobePolicyKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $oobePolicyKey -Name 'DisablePrivacyExperience' -Value 1 -Type DWord -Force
|
|
|
|
$oobeKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE'
|
|
if (-not (Test-Path $oobeKey)) { New-Item -Path $oobeKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $oobeKey -Name 'DisablePrivacyExperience' -Value 1 -Type DWord -Force
|
|
|
|
$dcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
|
|
if (-not (Test-Path $dcKey)) { New-Item -Path $dcKey -Force | Out-Null }
|
|
Set-ItemProperty -Path $dcKey -Name 'AllowTelemetry' -Value 0 -Type DWord -Force
|
|
Write-Host "OOBE privacy prompt and telemetry disabled."
|
|
|
|
# Validation
|
|
Assert-Step 'CIUX' 'lock screen disabled (NoLockScreen=1)' {
|
|
(Get-ItemProperty -Path $personPolicyKey -Name NoLockScreen -ErrorAction Stop).NoLockScreen -eq 1
|
|
}
|
|
Assert-Step 'CIUX' 'Server Manager policy DoNotOpenAtLogon=1' {
|
|
(Get-ItemProperty -Path $smPolicyKey -Name DoNotOpenAtLogon -ErrorAction Stop).DoNotOpenAtLogon -eq 1
|
|
}
|
|
Assert-Step 'CIUX' 'Server Manager HKLM DoNotOpenServerManagerAtLogon=1' {
|
|
(Get-ItemProperty -Path $smHKLMKey -Name DoNotOpenServerManagerAtLogon -ErrorAction Stop).DoNotOpenServerManagerAtLogon -eq 1
|
|
}
|
|
Assert-Step 'CIUX' 'Server Manager scheduled task disabled' {
|
|
$t = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Server Manager\' `
|
|
-TaskName 'ServerManager' -ErrorAction SilentlyContinue
|
|
(-not $t) -or ($t.State -eq 'Disabled')
|
|
}
|
|
Assert-Step 'CIUX' 'Server Manager HKCU DoNotOpenServerManagerAtLogon=1 (Administrator)' {
|
|
(Get-ItemProperty -Path $smUserKey -Name DoNotOpenServerManagerAtLogon -ErrorAction Stop).DoNotOpenServerManagerAtLogon -eq 1
|
|
}
|
|
Assert-Step 'CIUX' 'DisableCAD=1 in Policies\System' {
|
|
(Get-ItemProperty -Path $systemPolicyKey -Name DisableCAD -ErrorAction Stop).DisableCAD -eq 1
|
|
}
|
|
Assert-Step 'CIUX' 'OOBE policy DisablePrivacyExperience=1' {
|
|
(Get-ItemProperty -Path $oobePolicyKey -Name DisablePrivacyExperience -ErrorAction Stop).DisablePrivacyExperience -eq 1
|
|
}
|
|
Assert-Step 'CIUX' 'DataCollection AllowTelemetry=0' {
|
|
(Get-ItemProperty -Path $dcKey -Name AllowTelemetry -ErrorAction Stop).AllowTelemetry -eq 0
|
|
}
|
|
|
|
# ── Step 6: Windows Update ────────────────────────────────────────────────────
|
|
# Firewall + Defender already off: WU downloads and installs run without scanning.
|
|
# C:\CI exists (Step 5): worker temp files write successfully.
|
|
# NOTE: The Windows Update COM API (Microsoft.Update.Session) raises E_ACCESSDENIED
|
|
# when called from a WinRM/network-logon session. We work around this by running
|
|
# the actual download+install inside a Scheduled Task (SYSTEM account, full token).
|
|
if ($SkipWindowsUpdate) {
|
|
Write-Host "[Setup] Skipping Windows Update (SkipWindowsUpdate switch set)."
|
|
}
|
|
else {
|
|
Write-Step "Running Windows Update via Scheduled Task (avoids WinRM token restrictions)"
|
|
|
|
# --- worker script that runs as SYSTEM inside the scheduled task ---
|
|
$wuWorkerPath = 'C:\CI\wu_worker.ps1'
|
|
$wuResultPath = 'C:\CI\wu_result.txt'
|
|
$wuRebootPath = 'C:\CI\wu_reboot.txt'
|
|
$wuLogPath = 'C:\CI\wu_log.txt'
|
|
|
|
$wuWorker = @'
|
|
$ErrorActionPreference = 'Stop'
|
|
try {
|
|
$s = New-Object -ComObject Microsoft.Update.Session
|
|
$q = $s.CreateUpdateSearcher()
|
|
$q.Online = $true # force live query — skip stale client cache
|
|
$q.ServerSelection = 2 # 2=ssWindowsUpdate — bypass WSUS, query WU servers directly
|
|
$found = $q.Search("IsInstalled=0 and Type='Software'")
|
|
$count = $found.Updates.Count
|
|
if ($count -eq 0) {
|
|
"0" | Set-Content C:\CI\wu_result.txt
|
|
"False" | Set-Content C:\CI\wu_reboot.txt
|
|
"No updates needed (0 updates found by COM API)." | Set-Content C:\CI\wu_log.txt
|
|
} else {
|
|
$names = ($found.Updates | ForEach-Object { " - $($_.Title)" }) -join "`n"
|
|
"Found $count update(s):`n$names" | Set-Content C:\CI\wu_log.txt
|
|
"Downloading $count update(s)..." | Add-Content C:\CI\wu_log.txt
|
|
$dl = $s.CreateUpdateDownloader()
|
|
$dl.Updates = $found.Updates
|
|
$dl.Download() | Out-Null
|
|
"Installing $count update(s)..." | Add-Content C:\CI\wu_log.txt
|
|
$inst = $s.CreateUpdateInstaller()
|
|
$inst.Updates = $found.Updates
|
|
$r = $inst.Install()
|
|
[string]$r.ResultCode | Set-Content C:\CI\wu_result.txt
|
|
[string]$r.RebootRequired | Set-Content C:\CI\wu_reboot.txt
|
|
"Done. ResultCode=$($r.ResultCode) RebootRequired=$($r.RebootRequired)" | Add-Content C:\CI\wu_log.txt
|
|
}
|
|
} catch {
|
|
"ERROR: $_" | Set-Content C:\CI\wu_log.txt
|
|
"99" | Set-Content C:\CI\wu_result.txt
|
|
"False" | Set-Content C:\CI\wu_reboot.txt
|
|
}
|
|
'@
|
|
$wuWorker | Set-Content -Path $wuWorkerPath -Encoding UTF8
|
|
|
|
# Re-enable WU fully before launching the COM API worker.
|
|
# A previous run of this script (Step 6b) leaves: wuauserv=Disabled, UsoSvc=Disabled,
|
|
# DisableWindowsUpdateAccess=1, stale DataStore metadata.
|
|
# Microsoft.Update.Session.Search() silently returns 0 results if any of these are set.
|
|
$wuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
|
|
$wuPolicyAUKey = "$wuPolicyKey\AU"
|
|
|
|
# Step A: clear GPO policy blocks
|
|
Remove-ItemProperty -Path $wuPolicyKey -Name 'DisableWindowsUpdateAccess' -ErrorAction SilentlyContinue
|
|
Remove-ItemProperty -Path $wuPolicyAUKey -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue
|
|
Remove-ItemProperty -Path $wuPolicyAUKey -Name 'AUOptions' -ErrorAction SilentlyContinue
|
|
|
|
# Step B: stop WU-adjacent services cleanly before resetting state
|
|
foreach ($svc in 'wuauserv', 'UsoSvc', 'bits') {
|
|
Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
|
|
}
|
|
|
|
# Step C: delete WU client database — forces fresh online detection on next start.
|
|
# Without this, the COM API reuses stale cached metadata from the previous run
|
|
# and reports 0 available updates even when updates exist.
|
|
Remove-Item 'C:\Windows\SoftwareDistribution\DataStore\*' -Recurse -Force -ErrorAction SilentlyContinue
|
|
|
|
# Step D: re-enable and start all services the COM API depends on
|
|
foreach ($svc in 'cryptsvc', 'bits', 'wuauserv', 'UsoSvc') {
|
|
Set-Service -Name $svc -StartupType Manual -ErrorAction SilentlyContinue
|
|
Start-Service -Name $svc -ErrorAction SilentlyContinue
|
|
}
|
|
|
|
# Step E: wait for WU service to fully initialize and build fresh DataStore
|
|
Start-Sleep -Seconds 20
|
|
Write-Host "Windows Update services started. DataStore reset. GPO blocks cleared."
|
|
|
|
# Remove any leftover result files from a previous run
|
|
Remove-Item $wuResultPath, $wuRebootPath -ErrorAction SilentlyContinue
|
|
|
|
# Register scheduled task running as SYSTEM
|
|
$taskName = 'CI-WindowsUpdate'
|
|
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
|
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
|
|
-Argument "-NonInteractive -ExecutionPolicy Bypass -File `"$wuWorkerPath`""
|
|
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
|
|
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
|
|
|
|
Write-Host "Scheduled task registered. Starting Windows Update..."
|
|
Start-ScheduledTask -TaskName $taskName
|
|
|
|
# Poll until the task finishes (result file written = task complete)
|
|
$timeout = [datetime]::UtcNow.AddMinutes(60)
|
|
$dotCount = 0
|
|
while (-not (Test-Path $wuResultPath)) {
|
|
if ([datetime]::UtcNow -gt $timeout) {
|
|
throw "Windows Update timed out after 60 minutes."
|
|
}
|
|
Start-Sleep -Seconds 15
|
|
$dotCount++
|
|
if ($dotCount % 4 -eq 0) { Write-Host " ... still running ($(([datetime]::UtcNow - ($timeout.AddMinutes(-60))).Minutes) min elapsed)" }
|
|
}
|
|
|
|
# Read results
|
|
$resultCode = [int](Get-Content $wuResultPath -Raw).Trim()
|
|
$rebootNeeded = (Get-Content $wuRebootPath -Raw).Trim() -eq 'True'
|
|
$log = Get-Content $wuLogPath -Raw -ErrorAction SilentlyContinue
|
|
|
|
Write-Host "Windows Update log:"
|
|
Write-Host $log
|
|
|
|
# Clean up
|
|
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
|
Remove-Item $wuWorkerPath, $wuResultPath, $wuRebootPath, $wuLogPath -ErrorAction SilentlyContinue
|
|
|
|
if ($resultCode -eq 99) {
|
|
throw "Windows Update worker script failed. See log above."
|
|
}
|
|
if ($resultCode -notin @(0, 2, 3)) {
|
|
Write-Warning "Windows Update returned unexpected result code: $resultCode"
|
|
}
|
|
else {
|
|
Write-Host "Windows Update completed (ResultCode=$resultCode)."
|
|
}
|
|
|
|
if ($rebootNeeded) {
|
|
Write-Warning "*** REBOOT REQUIRED to finish installing updates. ***"
|
|
Write-Warning " Restart the VM, then re-run this script with: -SkipWindowsUpdate"
|
|
exit 3010
|
|
}
|
|
}
|
|
|
|
# ── Step 6b: Disable Windows Update permanently (post-update lockdown) ───────
|
|
Write-Step "Disabling Windows Update permanently (post-update snapshot lockdown)"
|
|
|
|
# WU has completed (or was skipped via -SkipWindowsUpdate). Disable now so that
|
|
# every linked clone spawned from the BaseClean snapshot never triggers background
|
|
# updates, spurious reboots, or download lock contention on the shared NVMe.
|
|
|
|
# Stop + disable main WU service
|
|
Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
|
|
Set-Service -Name wuauserv -StartupType Disabled
|
|
|
|
# Stop + disable Update Orchestrator Service (UsoSvc) — WU client in Server 2025
|
|
Stop-Service -Name UsoSvc -Force -ErrorAction SilentlyContinue
|
|
Set-Service -Name UsoSvc -StartupType Disabled -ErrorAction SilentlyContinue
|
|
|
|
Write-Host "wuauserv and UsoSvc set to Disabled."
|
|
|
|
# GPO registry keys — survive service self-healing and future WU self-repair attempts
|
|
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
|
|
$wuAUKey = "$wuKey\AU"
|
|
if (-not (Test-Path $wuKey)) { New-Item -Path $wuKey -Force | Out-Null }
|
|
if (-not (Test-Path $wuAUKey)) { New-Item -Path $wuAUKey -Force | Out-Null }
|
|
|
|
# Block WU API + UI access entirely
|
|
Set-ItemProperty -Path $wuKey -Name 'DisableWindowsUpdateAccess' -Value 1 -Type DWord -Force
|
|
# AutoUpdate policy: AUOptions=1 = disabled; NoAutoUpdate=1 = no background check
|
|
Set-ItemProperty -Path $wuAUKey -Name 'NoAutoUpdate' -Value 1 -Type DWord -Force
|
|
Set-ItemProperty -Path $wuAUKey -Name 'AUOptions' -Value 1 -Type DWord -Force
|
|
|
|
Write-Host "Windows Update GPO policy keys written."
|
|
|
|
# Disable WU scheduled tasks (best-effort — some may not exist on every SKU)
|
|
$wuTaskPath = '\Microsoft\Windows\WindowsUpdate\'
|
|
foreach ($taskName in @('Scheduled Start', 'WakeTimer', 'Automatic App Update',
|
|
'sih', 'sihboot', 'USO_UxBroker')) {
|
|
Disable-ScheduledTask -TaskPath $wuTaskPath -TaskName $taskName `
|
|
-ErrorAction SilentlyContinue | Out-Null
|
|
}
|
|
Write-Host "Windows Update scheduled tasks disabled (best-effort)."
|
|
|
|
# Validation
|
|
Assert-Step 'WUDisable' 'wuauserv StartType Disabled' {
|
|
(Get-Service wuauserv -ErrorAction Stop).StartType -eq 'Disabled'
|
|
}
|
|
Assert-Step 'WUDisable' 'NoAutoUpdate=1 GPO key' {
|
|
(Get-ItemProperty -Path $wuAUKey -Name NoAutoUpdate -ErrorAction Stop).NoAutoUpdate -eq 1
|
|
}
|
|
Assert-Step 'WUDisable' 'DisableWindowsUpdateAccess=1 GPO key' {
|
|
(Get-ItemProperty -Path $wuKey -Name DisableWindowsUpdateAccess -ErrorAction Stop).DisableWindowsUpdateAccess -eq 1
|
|
}
|
|
|
|
# ── Step 7: Install .NET SDK ──────────────────────────────────────────────────
|
|
Write-Step "Installing .NET SDK $DotNetSdkVersion"
|
|
|
|
$dotnetInstalled = Get-Command dotnet -ErrorAction SilentlyContinue
|
|
if ($dotnetInstalled) {
|
|
$installedVersion = dotnet --version
|
|
Write-Host ".NET SDK already installed: $installedVersion"
|
|
}
|
|
else {
|
|
Write-Host "Downloading dotnet-install.ps1..."
|
|
$dotnetInstallScript = "$env:TEMP\dotnet-install.ps1"
|
|
Invoke-WebRequest -Uri 'https://dot.net/v1/dotnet-install.ps1' `
|
|
-OutFile $dotnetInstallScript -UseBasicParsing
|
|
|
|
Write-Host "Installing .NET SDK $DotNetSdkVersion (channel)..."
|
|
& $dotnetInstallScript `
|
|
-Channel $DotNetSdkVersion `
|
|
-InstallDir 'C:\dotnet' `
|
|
-NoPath
|
|
|
|
# Add to system PATH
|
|
$currentPath = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine')
|
|
if ($currentPath -notlike '*C:\dotnet*') {
|
|
[System.Environment]::SetEnvironmentVariable(
|
|
'PATH',
|
|
"$currentPath;C:\dotnet",
|
|
'Machine'
|
|
)
|
|
}
|
|
$env:PATH = $env:PATH + ';C:\dotnet'
|
|
|
|
Write-Host ".NET SDK installed: $(dotnet --version)"
|
|
}
|
|
|
|
# Validation
|
|
Assert-Step 'DotNet' 'dotnet command resolvable' {
|
|
[bool](Get-Command dotnet -ErrorAction SilentlyContinue)
|
|
}
|
|
Assert-Step 'DotNet' "SDK version starts with channel '$DotNetSdkVersion'" {
|
|
$v = (& dotnet --version 2>&1 | Select-Object -First 1).ToString().Trim()
|
|
$major = $DotNetSdkVersion.Split('.')[0]
|
|
$v.StartsWith("$major.")
|
|
}
|
|
Assert-Step 'DotNet' 'machine PATH contains C:\dotnet' {
|
|
[System.Environment]::GetEnvironmentVariable('PATH', 'Machine') -like '*C:\dotnet*'
|
|
}
|
|
|
|
# ── Step 8: Install Python ───────────────────────────────────────────────────
|
|
Write-Step "Installing Python $PythonVersion"
|
|
|
|
$pythonExe = 'C:\Python\python.exe'
|
|
if (Test-Path $pythonExe) {
|
|
Write-Host "Python already installed: $(& $pythonExe --version 2>&1)"
|
|
}
|
|
else {
|
|
$pyInstallerUrl = "https://www.python.org/ftp/python/$PythonVersion/python-$PythonVersion-amd64.exe"
|
|
$pyInstallerPath = 'C:\CI\python_installer.exe'
|
|
Write-Host "Downloading Python $PythonVersion installer..."
|
|
Invoke-WebRequest -Uri $pyInstallerUrl -OutFile $pyInstallerPath -UseBasicParsing
|
|
|
|
Write-Host "Installing Python $PythonVersion (all users, prepend PATH)..."
|
|
$pyProc = Start-Process -FilePath $pyInstallerPath -ArgumentList @(
|
|
'/quiet',
|
|
'InstallAllUsers=1',
|
|
'PrependPath=1',
|
|
'Include_test=0',
|
|
'Include_doc=0',
|
|
'TargetDir=C:\Python'
|
|
) -Wait -PassThru
|
|
|
|
Remove-Item $pyInstallerPath -ErrorAction SilentlyContinue
|
|
|
|
if ($pyProc -and $pyProc.ExitCode -ne 0) {
|
|
throw "Python installation failed (exit $($pyProc.ExitCode))."
|
|
}
|
|
|
|
# Refresh PATH for subsequent steps
|
|
$env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' +
|
|
[System.Environment]::GetEnvironmentVariable('PATH', 'User')
|
|
|
|
Write-Host "Python installed: $(python --version 2>&1)"
|
|
}
|
|
|
|
# Validation
|
|
Assert-Step 'Python' 'C:\Python\python.exe present' {
|
|
Test-Path 'C:\Python\python.exe' -PathType Leaf
|
|
}
|
|
Assert-Step 'Python' "version equals $PythonVersion" {
|
|
$v = (& 'C:\Python\python.exe' --version 2>&1 | Select-Object -First 1).ToString().Trim()
|
|
$v -match [regex]::Escape($PythonVersion)
|
|
}
|
|
Assert-Step 'Python' 'PATH contains C:\Python (machine or user)' {
|
|
$combined = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' +
|
|
[System.Environment]::GetEnvironmentVariable('PATH', 'User')
|
|
$combined -like '*C:\Python*'
|
|
}
|
|
|
|
# ── Step 9: Install Visual Studio Build Tools 2026 ───────────────────────────
|
|
Write-Step "Installing Visual Studio Build Tools 2026"
|
|
|
|
$msbuildPath = 'C:\Program Files (x86)\Microsoft Visual Studio\2026\BuildTools\MSBuild\Current\Bin\MSBuild.exe'
|
|
if (Test-Path $msbuildPath) {
|
|
Write-Host "VS Build Tools 2026 already installed."
|
|
}
|
|
else {
|
|
$vsInstallerUrl = 'https://aka.ms/vs/stable/vs_buildtools.exe'
|
|
$vsInstallerPath = 'C:\CI\vs_BuildTools.exe'
|
|
$vsResultPath = 'C:\CI\vs_result.txt'
|
|
$vsLogPath = 'C:\CI\vs_log.txt'
|
|
|
|
Write-Host "Downloading VS Build Tools installer..."
|
|
Remove-Item $vsInstallerPath -ErrorAction SilentlyContinue # remove any stale/corrupt copy
|
|
Invoke-WebRequest -Uri $vsInstallerUrl -OutFile $vsInstallerPath -UseBasicParsing
|
|
|
|
# Remove Zone.Identifier ADS — files downloaded from internet are marked Zone 3 (Internet).
|
|
# SYSTEM account cannot execute them without this unblock step.
|
|
Unblock-File -Path $vsInstallerPath -ErrorAction SilentlyContinue
|
|
|
|
# Verify the download produced a valid Windows PE file (MZ header)
|
|
$mzBytes = [System.IO.File]::ReadAllBytes($vsInstallerPath) | Select-Object -First 2
|
|
if (-not ($mzBytes[0] -eq 0x4D -and $mzBytes[1] -eq 0x5A)) {
|
|
$fileSize = (Get-Item $vsInstallerPath).Length
|
|
throw "VS installer download appears invalid (size=$fileSize, not an EXE). Check the URL: $vsInstallerUrl"
|
|
}
|
|
Write-Host "Installer verified OK ($((Get-Item $vsInstallerPath).Length) bytes)."
|
|
|
|
# VS installer fails under WinRM (network logon token). Run via Scheduled Task as SYSTEM.
|
|
$vsWorkerPath = 'C:\CI\vs_worker.ps1'
|
|
$vsWorker = @"
|
|
# SYSTEM account may have no TEMP set — use C:\Windows\Temp
|
|
`$env:TEMP = 'C:\Windows\Temp'
|
|
`$env:TMP = 'C:\Windows\Temp'
|
|
|
|
# Clean any corrupt VS installer cache left by previous failed attempts
|
|
Remove-Item 'C:\ProgramData\Microsoft\VisualStudio\Packages' -Recurse -Force -ErrorAction SilentlyContinue
|
|
Remove-Item 'C:\Windows\Temp\vs*' -Recurse -Force -ErrorAction SilentlyContinue
|
|
Remove-Item 'C:\Windows\Temp\dd_*' -Force -ErrorAction SilentlyContinue
|
|
|
|
`$result = try {
|
|
`$proc = Start-Process -FilePath '$vsInstallerPath' -ArgumentList @(
|
|
'--quiet','--wait','--norestart','--nocache',
|
|
'--installPath "C:\Program Files (x86)\Microsoft Visual Studio\2026\BuildTools"',
|
|
'--add','Microsoft.VisualStudio.Workload.VCTools',
|
|
'--includeRecommended',
|
|
'--add','Microsoft.VisualStudio.Workload.MSBuildTools',
|
|
'--add','Microsoft.VisualStudio.Workload.ManagedDesktopBuildTools',
|
|
'--add','Microsoft.VisualStudio.Component.NuGet.BuildTools',
|
|
'--add','Microsoft.Net.Component.4.8.SDK',
|
|
'--add','Microsoft.Net.Component.4.7.2.TargetingPack'
|
|
) -Wait -PassThru
|
|
if (`$proc) { [string]`$proc.ExitCode } else { '99' }
|
|
} catch {
|
|
"99: `$_"
|
|
}
|
|
if (-not `$result) { `$result = '99' }
|
|
`$result | Set-Content '$vsResultPath' -Encoding UTF8
|
|
"@
|
|
$vsWorker | Set-Content -Path $vsWorkerPath -Encoding UTF8
|
|
|
|
Remove-Item $vsResultPath -ErrorAction SilentlyContinue
|
|
|
|
$taskName = 'CI-VSBuildTools'
|
|
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
|
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
|
|
-Argument "-NonInteractive -ExecutionPolicy Bypass -File `"$vsWorkerPath`""
|
|
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
|
|
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
|
|
|
|
Write-Host "Installing VS Build Tools via Scheduled Task (this may take 15-30 minutes)..."
|
|
Start-ScheduledTask -TaskName $taskName
|
|
|
|
$timeout = [datetime]::UtcNow.AddMinutes(60)
|
|
$dots = 0
|
|
while (-not (Test-Path $vsResultPath)) {
|
|
if ([datetime]::UtcNow -gt $timeout) { throw "VS Build Tools installation timed out." }
|
|
# If task already finished without writing the result file, the worker itself crashed
|
|
$taskInfo = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
|
|
if ($taskInfo -and $taskInfo.State -eq 'Ready') {
|
|
$lastResult = (Get-ScheduledTaskInfo -TaskName $taskName -ErrorAction SilentlyContinue).LastTaskResult
|
|
throw "VS worker task exited prematurely (LastTaskResult=0x$('{0:X}' -f $lastResult)). Check C:\CI\vs_worker.ps1 for syntax errors."
|
|
}
|
|
Start-Sleep -Seconds 20
|
|
$dots++
|
|
if ($dots % 3 -eq 0) { Write-Host " ... still installing ($(([datetime]::UtcNow - ($timeout.AddMinutes(-60))).Minutes) min elapsed)" }
|
|
}
|
|
|
|
$rawResult = Get-Content $vsResultPath -Raw -ErrorAction SilentlyContinue
|
|
$rawResult = if ($rawResult) { $rawResult.Trim() } else { '99' }
|
|
# Result file may contain "0", "3010", or "99: <error message>"
|
|
$vsExit = if ($rawResult -match '^\d+$') { [int]$rawResult } else { 99 }
|
|
$vsMsg = if ($vsExit -eq 99) { $rawResult } else { '' }
|
|
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
|
Remove-Item $vsWorkerPath, $vsResultPath, $vsInstallerPath -ErrorAction SilentlyContinue
|
|
|
|
if ($vsExit -notin @(0, 3010)) {
|
|
throw "VS Build Tools installation failed (exit $vsExit). $vsMsg"
|
|
}
|
|
Write-Host "VS Build Tools 2026 installed (exit code $vsExit)."
|
|
}
|
|
|
|
# Add MSBuild to system PATH
|
|
$msbuildDir = Split-Path $msbuildPath -Parent
|
|
$currentPath = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine')
|
|
if ($currentPath -notlike "*$msbuildDir*") {
|
|
[System.Environment]::SetEnvironmentVariable(
|
|
'PATH',
|
|
"$currentPath;$msbuildDir",
|
|
'Machine'
|
|
)
|
|
Write-Host "MSBuild added to system PATH."
|
|
}
|
|
|
|
# Validation
|
|
Assert-Step 'VSBuildTools' "MSBuild.exe exists at expected path" {
|
|
Test-Path -Path $msbuildPath -PathType Leaf
|
|
}
|
|
Assert-Step 'VSBuildTools' 'MSBuild executes and reports version' {
|
|
$out = & $msbuildPath -version 2>&1 | Select-Object -Last 1
|
|
$out -match '^\d+\.\d+'
|
|
}
|
|
Assert-Step 'VSBuildTools' 'machine PATH contains MSBuild dir' {
|
|
[System.Environment]::GetEnvironmentVariable('PATH', 'Machine') -like "*$msbuildDir*"
|
|
}
|
|
Assert-Step 'VSBuildTools' 'VC tools install dir present' {
|
|
Test-Path 'C:\Program Files (x86)\Microsoft Visual Studio\2026\BuildTools\VC' -PathType Container
|
|
}
|
|
|
|
# ── Step 10: Verify toolchain ─────────────────────────────────────────────────
|
|
Write-Step "Verifying toolchain"
|
|
|
|
$env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' +
|
|
[System.Environment]::GetEnvironmentVariable('PATH', 'User')
|
|
|
|
$allOk = $true
|
|
|
|
# Helper: resolve a binary — tries hardcoded path first, then Get-Command (PATH)
|
|
function Resolve-Tool {
|
|
param([string]$HardcodedPath, [string]$CommandName)
|
|
if ($HardcodedPath -and (Test-Path $HardcodedPath -PathType Leaf)) {
|
|
return $HardcodedPath
|
|
}
|
|
$found = Get-Command $CommandName -ErrorAction SilentlyContinue
|
|
if ($found) { return $found.Source }
|
|
return $null
|
|
}
|
|
|
|
# dotnet
|
|
$dotnetBin = Resolve-Tool '' 'dotnet'
|
|
if ($dotnetBin) {
|
|
$v = & $dotnetBin --version 2>&1 | Select-Object -First 1
|
|
Write-Host " [OK] dotnet: $v ($dotnetBin)" -ForegroundColor Green
|
|
} else {
|
|
Write-Host " [FAIL] dotnet not found" -ForegroundColor Red
|
|
$allOk = $false
|
|
}
|
|
|
|
# python
|
|
$pythonBin = Resolve-Tool 'C:\Python\python.exe' 'python'
|
|
if ($pythonBin) {
|
|
$v = & $pythonBin --version 2>&1 | Select-Object -First 1
|
|
Write-Host " [OK] python: $v ($pythonBin)" -ForegroundColor Green
|
|
} else {
|
|
Write-Host " [FAIL] python not found" -ForegroundColor Red
|
|
$allOk = $false
|
|
}
|
|
|
|
# msbuild
|
|
$msbuildBin = Resolve-Tool $msbuildPath 'msbuild'
|
|
if ($msbuildBin) {
|
|
$v = & $msbuildBin -version 2>&1 | Select-Object -First 1
|
|
Write-Host " [OK] msbuild: $v ($msbuildBin)" -ForegroundColor Green
|
|
} else {
|
|
Write-Host " [FAIL] msbuild not found at '$msbuildPath' and not in PATH" -ForegroundColor Red
|
|
$allOk = $false
|
|
}
|
|
|
|
if (-not $allOk) {
|
|
throw "Toolchain verification failed. See [FAIL] entries above. Setup aborted."
|
|
}
|
|
Write-Host "All toolchain checks passed." -ForegroundColor Green
|
|
|
|
# ── Cleanup ───────────────────────────────────────────────────────────────────
|
|
if ($SkipCleanup) {
|
|
Write-Host "`n[Setup] Skipping disk cleanup (-SkipCleanup switch set)." -ForegroundColor Yellow
|
|
}
|
|
else {
|
|
Write-Step "Cleaning up disk"
|
|
|
|
# 1. Windows Disk Cleanup (cleanmgr) — run with /sagerun:1 using preset flags
|
|
# First register the flags via /sageset:1 in the registry (silent, no UI)
|
|
$cleanKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'
|
|
$sageset = 1
|
|
$cleanCategories = @(
|
|
'Active Setup Temp Folders',
|
|
'BranchCache',
|
|
'Downloaded Program Files',
|
|
'Internet Cache Files',
|
|
'Memory Dump Files',
|
|
'Old ChkDsk Files',
|
|
'Previous Installations',
|
|
'Recycle Bin',
|
|
'Service Pack Cleanup',
|
|
'Setup Log Files',
|
|
'System error memory dump files',
|
|
'System error minidump files',
|
|
'Temporary Files',
|
|
'Temporary Setup Files',
|
|
'Thumbnail Cache',
|
|
'Update Cleanup',
|
|
'Upgrade Discarded Files',
|
|
'Windows Defender',
|
|
'Windows Error Reporting Archive Files',
|
|
'Windows Error Reporting Files',
|
|
'Windows Error Reporting Queue Files',
|
|
'Windows Error Reporting Temp Files',
|
|
'Windows ESD installation files',
|
|
'Windows Upgrade Log Files'
|
|
)
|
|
foreach ($cat in $cleanCategories) {
|
|
$keyPath = "$cleanKey\$cat"
|
|
if (Test-Path $keyPath) {
|
|
Set-ItemProperty -Path $keyPath -Name "StateFlags$('{0:D4}' -f $sageset)" -Value 2 -Type DWord -Force -ErrorAction SilentlyContinue
|
|
}
|
|
}
|
|
Write-Host "Running cleanmgr /sagerun:$sageset (may take a few minutes)..."
|
|
$proc = Start-Process -FilePath 'cleanmgr.exe' -ArgumentList "/sagerun:$sageset" -Wait -PassThru
|
|
Write-Host "cleanmgr exited (code $($proc.ExitCode))."
|
|
|
|
# 2. Clear Windows Update cache
|
|
# Stop all services that might hold file locks inside SoftwareDistribution:
|
|
# wuauserv — Windows Update (already Disabled from Step 6b, stop is idempotent)
|
|
# UsoSvc — Update Orchestrator (already Disabled from Step 6b)
|
|
# bits — Background Intelligent Transfer Service (downloads WU payloads)
|
|
# dosvc — Delivery Optimization (peer-to-peer WU cache)
|
|
# TrustedInstaller — Windows Modules Installer (unpacks .cab/.msu update packages)
|
|
Write-Host "Stopping WU-adjacent services before cache clear..."
|
|
foreach ($svc in 'wuauserv', 'UsoSvc', 'bits', 'dosvc', 'TrustedInstaller') {
|
|
Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
|
|
}
|
|
|
|
# Delete and recreate the Download folder — more reliable than 'Remove-Item *'
|
|
# because locked files inside subdirectories silently fail with wildcard delete.
|
|
$sdDownload = 'C:\Windows\SoftwareDistribution\Download'
|
|
Remove-Item $sdDownload -Recurse -Force -ErrorAction SilentlyContinue
|
|
New-Item -ItemType Directory -Path $sdDownload -Force | Out-Null
|
|
Write-Host "Windows Update download cache cleared."
|
|
|
|
# 3. Clear CBS / component store logs
|
|
Remove-Item 'C:\Windows\Logs\CBS\*' -Force -ErrorAction SilentlyContinue
|
|
|
|
# 4. Clear TEMP folders
|
|
Remove-Item 'C:\Windows\Temp\*' -Recurse -Force -ErrorAction SilentlyContinue
|
|
Remove-Item "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
|
|
|
|
# 5. Clear Prefetch
|
|
Remove-Item 'C:\Windows\Prefetch\*' -Force -ErrorAction SilentlyContinue
|
|
|
|
# 6. Run DISM component store cleanup (removes superseded update components)
|
|
Write-Host "Running DISM component store cleanup (StartComponentCleanup)..."
|
|
$dism = Start-Process -FilePath 'dism.exe' `
|
|
-ArgumentList '/Online','/Cleanup-Image','/StartComponentCleanup','/ResetBase' `
|
|
-Wait -PassThru
|
|
Write-Host "DISM exited (code $($dism.ExitCode))."
|
|
|
|
Write-Host "Disk cleanup complete."
|
|
|
|
# Validation — leftover artifacts from this run should be gone
|
|
# Note: do NOT assert SoftwareDistribution\Download empty.
|
|
# WaaSMedicSvc (Windows Update Medic Service) is tamper-protected — cannot be stopped —
|
|
# and actively restores WU files immediately after deletion. Files reappearing here is
|
|
# normal and harmless: WU is permanently disabled by Step 6b (service Disabled + GPO keys).
|
|
# Report remaining size as informational only.
|
|
$sdFiles = Get-ChildItem 'C:\Windows\SoftwareDistribution\Download' -Recurse -File -Force -ErrorAction SilentlyContinue
|
|
$sdMB = [math]::Round(($sdFiles | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
|
|
Write-Host " SoftwareDistribution\Download: $($sdFiles.Count) file(s), ${sdMB} MB remaining (WaaSMedicSvc best-effort, WU is disabled)."
|
|
|
|
Assert-Step 'Cleanup' 'wuauserv StartType still Disabled after cache clear' {
|
|
(Get-Service wuauserv -ErrorAction Stop).StartType -eq 'Disabled'
|
|
}
|
|
} # end if (-not $SkipCleanup)
|
|
|
|
# ── Final pre-snapshot validation ────────────────────────────────────────────
|
|
Write-Step "Final pre-snapshot validation"
|
|
|
|
Assert-Step 'Final' 'WinRM service Running' { (Get-Service WinRM -ErrorAction Stop).Status -eq 'Running' }
|
|
Assert-Step 'Final' 'all firewall profiles disabled' {
|
|
-not (Get-NetFirewallProfile | Where-Object Enabled -eq $true)
|
|
}
|
|
Assert-Step 'Final' "user $BuildUsername present + admin" {
|
|
(Get-LocalUser -Name $BuildUsername -ErrorAction Stop) -and
|
|
(& net localgroup Administrators 2>&1 | Select-String -SimpleMatch $BuildUsername)
|
|
}
|
|
Assert-Step 'Final' 'UAC EnableLUA=0' {
|
|
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA).EnableLUA -eq 0
|
|
}
|
|
Assert-Step 'Final' 'dotnet, python, msbuild all resolvable' {
|
|
$env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' +
|
|
[System.Environment]::GetEnvironmentVariable('PATH', 'User')
|
|
(Get-Command dotnet -ErrorAction SilentlyContinue) -and
|
|
(Test-Path 'C:\Python\python.exe' -PathType Leaf) -and
|
|
(Test-Path $msbuildPath -PathType Leaf)
|
|
}
|
|
Assert-Step 'Final' 'Windows Update permanently disabled' {
|
|
(Get-Service wuauserv -ErrorAction Stop).StartType -eq 'Disabled'
|
|
}
|
|
Assert-Step 'Final' 'no leftover installer scripts in C:\CI' {
|
|
-not (Test-Path 'C:\CI\python_installer.exe') -and
|
|
-not (Test-Path 'C:\CI\vs_BuildTools.exe') -and
|
|
-not (Test-Path 'C:\CI\wu_worker.ps1') -and
|
|
-not (Test-Path 'C:\CI\vs_worker.ps1')
|
|
}
|
|
|
|
Write-Host "All pre-snapshot checks passed." -ForegroundColor Green
|
|
|
|
# ── Done ──────────────────────────────────────────────────────────────────────
|
|
Write-Host ""
|
|
Write-Host "Setup-WinBuild2025.ps1 complete. All Assert-Step checks passed." -ForegroundColor Green
|
|
# Full next-steps banner is printed by Prepare-WinBuild2025.ps1 on the host.
|
|
# If running this script standalone (manually inside the VM), follow the steps
|
|
# in docs/WINDOWS-TEMPLATE-SETUP.md (shut down → snapshot BaseClean → power off).
|
|
Write-Host ""
|