I got sysprep working at a minimal level the way I want. I now have a base windows 11 image I can use to rebuild a box relatively quickly.<\/p>\n\n\n\n
After a reboot I rename it and add it to the domain.<\/p>\n\n\n\n
From there ansible takes over. I am able to use a rocky 9.7 box to manage Windows Desktops via the domain through winrm<\/p>\n\n\n\n
Here is how I got winrm working (not I just used a self signed cert)<\/p>\n\n\n\n
Enable-PSRemoting -Force
$CertDnsName = \"win11.example.com\"
$Cert = New-SelfSignedCertificate `
-DnsName $CertDnsName `
\t-Provider \"Microsoft RSA SChannel Cryptographic Provider\" `
\t-KeyLength 2048 -NotAfter (Get-Date).AddYears(5) `
-CertStoreLocation Cert:\\LocalMachine\\My
$CertThumbprint = $Cert.Thumbprint
# Create Listener
New-Item -Path WSMan:\\LocalHost\\Listener -Transport HTTPS -Address * -HostName $CertDnsName -CertificateThumbPrint $CertThumbprint -Force
# Open Firewall
New-NetFirewallRule -DisplayName \"Windows Remote Management (HTTPS-In)\" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow
# Verify
winrm enumerate winrm\/config\/listener<\/pre>\n\n\n\nOn the Linux side I had to make sure I had the correct ansible packages<\/p>\n\n\n\n
sudo dnf -y install ansible-core epel-release
sudo dnf -y install krb5-workstation krb5-devel python3-devel gcc python3-passlib apg
sudo dnf install -y python3-kerberos krb5-workstation
python3 -m pip install pywinrm requests
ansible-galaxy collection install community.general
ansible-galaxy collection install community.mysql
ansible-galaxy collection install ansible.posix
ansible-galaxy collection install ansible.windows:2.3.0<\/pre>\n\n\n\nThis got me working but my ansible.cfg needed to look like this<\/p>\n\n\n\n
[defaults]
inventory = .\/inventory
host_key_checking = False
retry_files_enabled = False
stdout_callback = default
timeout = 30
ansible_connection=winrm
# Optional but useful
interpreter_python = auto_silent
[connection]
pipelining = True
[winrm]
# Kerberos settings
transport = kerberos
scheme = https
port = 5986
server_cert_validation = ignore
kerberos_delegation = true
<\/pre>\n\n\n\nAnd finally some variables needed to be set in the inventory file<\/p>\n\n\n\n
##### Sample inventory
[windows]
win11a.example.com
win11b.example.com
win11c.example.com
[windows:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
kilist
kdestroy
kinit Admin@EXAMPLE.COM<\/pre>\n\n\n\nIn other news, got a new Sony earbuds, RIP my old set.<\/p>\n\n\n\n
Still need to get bathroom done<\/p>\n\n\n\n
Got a new UPS to install this weekend.<\/p>\n\n\n\n
Weight: 321.6<\/p>\n","protected":false},"excerpt":{"rendered":"
I got sysprep working at a minimal level the way I want. I now have a base windows 11 image I can use to rebuild a box relatively quickly. After a reboot I rename it and add it to the … Continue reading