
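<#
.SYNOPSIS
Used to produce Windows AKS images.
.DESCRIPTION
This script is used by packer to produce Windows AKS images.
It is "phase 1" of provisioning: it adjusts WinRM start-up, pins the
TLS protocols used by this session, disables automatic Windows Update,
installs any listed patches, refreshes Defender signatures, installs the
OpenSSH server and enables the container/Hyper-V features.
Any fatal condition is logged and the script exits with code 1 so that
packer aborts the build.
#>
param()

$ErrorActionPreference = "Stop"

# Prefixes every pipeline item with an ISO-8601 (round-trip format) timestamp.
filter Timestamp { "$(Get-Date -Format o): $_" }

# Writes a timestamped message to the success stream, which packer captures.
function Write-Log($Message) {
    $msg = $message | Timestamp
    Write-Output $msg
}

# Disables automatic Windows Update via the WindowsUpdate\AU policy key.
# The policy key is recreated from scratch so that no stale AU settings survive.
function Disable-WindowsUpdates {
    # See https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings
    # for additional information on WU related registry settings
    Write-Log "Disabling automatic windows upates"
    $WindowsUpdatePath = "HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $AutoUpdatePath = "HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

    if (Test-Path -Path $WindowsUpdatePath) {
        Remove-Item -Path $WindowsUpdatePath -Recurse
    }
    New-Item -Path $WindowsUpdatePath | Out-Null
    New-Item -Path $AutoUpdatePath | Out-Null
    # NoAutoUpdate=1 turns automatic updates off for the policy-managed AU client.
    Set-ItemProperty -Path $AutoUpdatePath -Name NoAutoUpdate -Value 1 | Out-Null
}

# Replaces the OpenSSH client capability with the OpenSSH server capability.
# Failures from the DISM cmdlets terminate the script via $ErrorActionPreference.
function Install-OpenSSH {
    Write-Log "Installing OpenSSH Server"
    # Somehow openssh client got added to Windows 2019 base image.
    # Remove openssh client in order to install the server.
    Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
}

# Downloads and installs each .msu listed in $patchUrls with wusa.exe.
# A download whose Authenticode signature is not Valid is never handed to
# wusa.exe; any other extension, or a wusa exit code other than 0/3010, is fatal.
function Install-WindowsPatches {
    # Windows Server 2019 update history can be found at https://support.microsoft.com/en-us/help/4464619
    # then you can get download links by searching for specific KBs at http://www.catalog.update.microsoft.com/home.aspx
    # Find a specific patch at https://www.catalog.update.microsoft.com/Search.aspx?q=kb5005625
    $patchUrls = @()

    foreach ($patchUrl in $patchUrls) {
        # Strip the query string so the file name comes from the path alone.
        $pathOnly = $patchUrl.Split("?")[0]
        $fileName = Split-Path $pathOnly -Leaf
        $fileExtension = [IO.Path]::GetExtension($fileName)
        $fullPath = [IO.Path]::Combine($env:TEMP, $fileName)

        switch ($fileExtension) {
            ".msu" {
                Write-Log "Downloading windows patch from $pathOnly to $fullPath"
                Invoke-WebRequest -UseBasicParsing $patchUrl -OutFile $fullPath

                # Integrity gate: a truncated or substituted download must not
                # reach wusa.exe. Update packages are Authenticode-signed, so
                # anything other than a Valid signature status is treated as fatal.
                $signature = Get-AuthenticodeSignature -FilePath $fullPath
                if ($signature.Status -ne 'Valid') {
                    Write-Log "Signature check failed for $fileName. Status: $($signature.Status)"
                    exit 1
                }

                Write-Log "Starting install of $fileName"
                # The path is quoted so a TEMP directory containing spaces still parses as one argument.
                $proc = Start-Process -PassThru -FilePath wusa.exe -ArgumentList @("`"$fullPath`"", "/quiet", "/norestart")
                Wait-Process -InputObject $proc
                switch ($proc.ExitCode) {
                    0 { Write-Log "Finished install of $fileName" }
                    # 3010 is the Windows Installer "success, reboot required" code.
                    3010 { Write-Log "Finished install of $fileName. Reboot required" }
                    default {
                        Write-Log "Error during install of $fileName. ExitCode: $($proc.ExitCode)"
                        exit 1
                    }
                }
            }
            default {
                Write-Log "Installing patches with extension $fileExtension is not currently supported."
                exit 1
            }
        }
    }
}

# Pins ServicePointManager.SecurityProtocol for this session to every
# SecurityProtocolType value except the deprecated ones, so that the
# downloads in this script never negotiate SSL 3.0 / TLS 1.0 / TLS 1.1.
function Set-AllowedSecurityProtocols {
    $allowedProtocols = @()
    # SystemDefault is excluded because it would defer the choice to the OS/.NET
    # defaults instead of pinning it here; Ssl3, Tls and Tls11 are excluded as
    # deprecated protocols (RFC 7568, RFC 8996).
    $insecureProtocols = @(
        [System.Net.SecurityProtocolType]::SystemDefault,
        [System.Net.SecurityProtocolType]::Ssl3,
        [System.Net.SecurityProtocolType]::Tls,
        [System.Net.SecurityProtocolType]::Tls11)

    foreach ($protocol in [System.Enum]::GetValues([System.Net.SecurityProtocolType])) {
        if ($insecureProtocols -notcontains $protocol) {
            $allowedProtocols += $protocol
        }
    }
    Write-Log "Settings allowed security protocols to: $allowedProtocols"
    # An array of enum members is converted to the combined flags value on assignment.
    [System.Net.ServicePointManager]::SecurityProtocol = $allowedProtocols
}

# Switches the WinRM service to delayed automatic start and fails if sc.exe does.
function Set-WinRmServiceDelayedStart {
    # Hyper-V messes with networking components on startup after the feature is enabled
    # causing issues with communication over winrm and setting winrm to delayed start
    # gives Hyper-V enough time to finish configuration before having packer continue.
    Write-Log "Setting WinRM service start to delayed-auto"
    sc.exe config winrm start=delayed-auto
    # Native commands are not covered by $ErrorActionPreference; surface sc.exe failures explicitly.
    if ($LASTEXITCODE -ne 0) {
        Write-Log "sc.exe failed to set WinRM start type. ExitCode: $LASTEXITCODE"
        exit 1
    }
}

# Pulls the latest Microsoft Defender signature package.
function Update-DefenderSignatures {
    Write-Log "Updating windows defender signatures."
    Update-MpSignature
}

# Enables the Windows features required for container and Hyper-V workloads,
# failing on the first feature whose installation does not report success.
function Update-WindowsFeatures {
    $featuresToEnable = @(
        "Containers",
        "Hyper-V",
        "Hyper-V-PowerShell")

    foreach ($feature in $featuresToEnable) {
        Write-Log "Enabling Windows feature: $feature"
        $result = Install-WindowsFeature $feature
        # Install-WindowsFeature reports the outcome in its result object; treat
        # a non-successful result as fatal rather than relying on the error stream alone.
        if (-not $result.Success) {
            Write-Log "Failed to enable Windows feature: $feature. ExitCode: $($result.ExitCode)"
            exit 1
        }
    }
}

# Disable progress writers for this session to greatly speed up operations such as Invoke-WebRequest
$ProgressPreference = 'SilentlyContinue'

Write-Log "Performing actions for provisioning phase 1"

Set-WinRmServiceDelayedStart
Set-AllowedSecurityProtocols
Disable-WindowsUpdates
Install-WindowsPatches
Update-DefenderSignatures
Install-OpenSSH
Update-WindowsFeatures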