These instructions describe how to customize a Windows 11 Enterprise x64 image, incorporating the required software and security hardening, and package it into an ISO file.
- DISA Windows 11 STIG Compliance
- SRA Ground Control Station STIG Compliance
- QGroundControl (QGC)
- QGC-Gov
- Mission Planner
- Windows Tactical Assault Kit (WinTAK)
- Windows 11 Enterprise x64
- Windows Assessment and Deployment Kit (ADK)
- Windows Preinstallation Environment (PE) Add-Ons
- Download the Windows 11 Enterprise x64 ISO
- Install a software TPM (swtpm) on the Linux KVM host:

  ```
  sudo apt-get install swtpm swtpm-tools
  ```

- Create the Windows 11 VM
  - Create a new VM for Windows 11 from `virt-manager`
  - Attach the Windows 11 ISO image to the VM
  - Configure the desired CPU, RAM, and storage capacity
  - At the end of the wizard, tick the `Customize configuration before install` checkbox
- Configure the Windows 11 VM hardware
  - Click the `Overview` section and change the firmware to `UEFI x86_64: /usr/share/edk2-ovmf/x64/OVMF_CODE.secboot.fd`
  - Click `Add Hardware` and add `TPM`
    - Change `Type` to `Emulated`
    - Change `Model` to `TIS`
    - Change `Version` to `2.0`
- Boot up the VM and follow the Windows 11 installation wizard and initial setup wizard.
- Install all software updates via `Windows Update`.
- Install all required software (manually, or automated via PowerShell).
- Apply provisioning packages to configure and secure the system (after initial setup).
- Apply security configurations (STIG) via PowerSTIG.
- Run `sysprep` (as administrator) to remove unique information so that the image can be reused on a different computer:

  ```
  C:\Windows\System32\Sysprep\sysprep.exe /oobe /generalize /shutdown
  ```
- Install Linux packages (on Linux)
- Install OMI (on Linux)
- Install DSC (on Linux): https://learn.microsoft.com/en-us/powershell/dsc/getting-started/lnxgettingstarted?view=dsc-1.1
- Upgrade PowerShell (on Windows)
- Enable basic authentication (on Windows):

  ```
  winrm set winrm/config/service '@{AllowUnencrypted="true"}'
  winrm set winrm/config/service/auth '@{Basic="true"}'
  ```

  Note that this is only to ease development (it allows unencrypted, password-based WinRM logons) and must be disabled later.
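The two settings relaxed above are easy to forget. The following added example (not part of the original guide) reads them back from the `WSMan:` drive and switches them to their hardened values once the Linux-side development connection is no longer needed. The function names are this example's own; the settings themselves are the ones the `winrm set` commands above touch. Run it in an elevated PowerShell session on the Windows VM.

```powershell
# Added example, not from the original guide: inspect and re-harden the two
# WinRM service settings that the development step relaxes.
# Requires an elevated PowerShell session on the Windows VM.

function Get-WinRmLabSettings {
    # Both values are exposed through the WSMan: provider as 'true'/'false' strings.
    [pscustomobject]@{
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    }
}

function Set-WinRmLabSettings {
    param(
        # $true reproduces the development setting from the guide
        # (plaintext HTTP with Basic auth); $false is the hardened state.
        [bool]$Relaxed
    )
    $value = if ($Relaxed) { 'true' } else { 'false' }
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $value
    Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $value
}

Write-Host 'Before:' ; Get-WinRmLabSettings | Format-List

# Re-harden and verify that both settings really changed.
Set-WinRmLabSettings -Relaxed $false
$after = Get-WinRmLabSettings
if ($after.AllowUnencrypted -ne 'false' -or $after.BasicAuth -ne 'false') {
    throw "WinRM still accepts unencrypted or Basic-auth connections: $($after | Out-String)"
}
Write-Host 'After: unencrypted transport and Basic authentication are disabled.'
```

Once hardened, the `omicli ... --auth Basic --port 5985` connection from the Linux host will be refused; remote management then needs Kerberos/Negotiate authentication or an HTTPS listener, which is the intended end state for the image.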
- Connect Linux to Windows (from Linux):

  ```
  /opt/omi/bin/omicli ei root/cimv2 Win32_Environment --auth Basic --hostname 192.168.122.234 -u rse -p 0captain --port 5985
  ```

- Install PowerSTIG:

  ```
  Install-Module -Name PowerStig -Scope CurrentUser
  ```

- Set the network connection type to private (optional, for remote management).
- Enable `WinRM` (optional, for remote management):

  ```
  Set-WSManQuickConfig
  ```

  Troubleshooting: https://learn.microsoft.com/en-us/powershell/dsc/troubleshooting/troubleshooting?view=dsc-1.1

It is highly recommended to install all required software prior to applying the security configurations!
- Compile each PowerSTIG configuration (optional), i.e. run the corresponding PowerShell script. For example:

  ```
  cd .\dsc\
  .\WindowsClient.ps1
  ```

  Note that this has already been done. Recompiling is only necessary if the configuration has been altered.
- Apply the PowerSTIG configurations.
  It is recommended to create a Recovery Point before iteratively applying each configuration. If a configuration breaks an application or system functionality, you can revert to the last known working point and then troubleshoot the issue by adding rule exceptions to the specified configuration.
```
Start-DscConfiguration .\WindowsClient -w -v -f
Start-DscConfiguration .\WindowsDefender -w -v -f
# After the following, applications will need inbound/outbound rules made to allow traffic.
Start-DscConfiguration .\WindowsFirewall -w -v -f
Start-DscConfiguration .\DotNetFramework -w -v -f
# After the following, user will be unable to download software from the internet.
# Therefore, software installation should be done before applying these configurations.
Start-DscConfiguration .\Chrome -w -v -f
Start-DscConfiguration .\Edge -w -v -f
Start-DscConfiguration .\EdgeProxy -w -v -f
Start-DscConfiguration .\Firefox -w -v -f
```
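The compile and apply steps above leave open what a configuration with rule exceptions looks like. The following is an added example, not the repository's own `dsc\WindowsClient.ps1`: a PowerSTIG `WindowsClient` composite configuration with one exception and one skipped rule, followed by the recovery point, apply and verify sequence the guide recommends. The configuration name, the output path and the `V-PLACEHOLDER-*` rule IDs are this example's assumptions; real rule IDs come from the STIG finding being worked around. Run it in an elevated Windows PowerShell session (`Checkpoint-Computer` is not available in PowerShell 7).

```powershell
# Added example, not the project's dsc\WindowsClient.ps1: PowerSTIG Windows 11
# client baseline with a rule exception and a skipped rule, then the
# restore-point / apply / verify cycle. Rule IDs are placeholders.

configuration WindowsClientWithExceptions {
    Import-DscResource -ModuleName PowerStig

    Node localhost {
        WindowsClient Baseline {
            OsVersion = '11'
            # Exception: keep the rule but enforce a site-specific value.
            # Keys are the rule's own property names (e.g. ValueData for a
            # registry rule). 'V-PLACEHOLDER-1' stands in for a real rule ID.
            Exception = @{
                'V-PLACEHOLDER-1' = @{ ValueData = '1' }
            }
            # SkipRule: leave the rule out of the applied configuration
            # entirely, e.g. while troubleshooting a broken application.
            SkipRule  = @('V-PLACEHOLDER-2')
        }
    }
}

# Compile to .\WindowsClientWithExceptions\localhost.mof
WindowsClientWithExceptions -OutputPath .\WindowsClientWithExceptions | Out-Null

# Create a restore point first so that a configuration which breaks an
# application can be rolled back (Restore-Computer or the Recovery UI).
Checkpoint-Computer -Description 'Before PowerSTIG WindowsClient' -RestorePointType MODIFY_SETTINGS

# Apply synchronously, stop on the first error, then verify compliance.
Start-DscConfiguration -Path .\WindowsClientWithExceptions -Wait -Verbose -Force -ErrorAction Stop

$result = Test-DscConfiguration -Detailed
if ($result.InDesiredState) {
    Write-Host 'All PowerSTIG resources are in the desired state.'
} else {
    # List what is still non-compliant; each entry is a candidate for an
    # Exception or SkipRule entry above, or for a fix in the application.
    $result.ResourcesNotInDesiredState |
        Select-Object ResourceId, InstanceName |
        Format-Table -AutoSize
    Write-Warning 'Some rules are not in the desired state; see the table above.'
}
```

Two caveats for the restore point: System Restore must be enabled on the system drive (`Enable-ComputerRestore -Drive 'C:\'`), and by default Windows creates at most one restore point per 24 hours, so a second `Checkpoint-Computer` in the same day may be silently skipped; a VM snapshot on the KVM host is the more reliable rollback for this workflow.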
# TODO
1) Adobe?
2) McAfee?
3) Office?
Note that all configurations can be applied in one call via `.\dsc\app-all-configs.ps1`. Use this with caution!
For more information, please see: https://github.com/Microsoft/PowerStig/wiki/GettingStarted
Install the networking DSC resource module and apply the firewall rule configuration:

```
Install-Module -Name xNetworking
Start-DscConfiguration .\CreateFirewallRule\ -w -v -f
```

# TODO Use Clonezilla Live to create the final image
# TODO Use Clonezilla Live or Clonezilla Lite Server to deploy the image(s)

Remote setup via Ansible (from the Linux host):

```
pip install pywinrm
ansible-playbook -i ansible/inventory.ini ansible/roles/windows/tasks/windows-setup.yml
ansible-playbook -i ansible/inventory.ini ansible/roles/windows/tasks/winrm-setup.yml
ansible-playbook -i ansible/inventory.ini ansible/roles/windows/tasks/install-software.yml
ansible-playbook -i ansible/inventory.ini ansible/roles/windows/tasks/install-dev.yml
```

Recommendation: take a snapshot NOW! Use `virsh dumpxml win11` to find the VM's disk and pflash image paths, then (with the VM shut down, since `qemu-img` must not operate on an image in use) create and list snapshots:

```
virsh dumpxml win11
sudo qemu-img snapshot -c snapshot_name /path/to/your/pflash-image
sudo qemu-img snapshot -c baseline /var/lib/libvirt/images/win11.qcow2
sudo qemu-img snapshot -l /var/lib/libvirt/images/win11.qcow2
```
- See the following guide to create provisioning packages that apply configuration settings to Windows client devices. Provisioning packages should be used to configure and customize Windows installations before or during deployment, on non-domain devices, and for specific use cases.
- Limitations of sysprep:
  - Must be run as administrator.
  - Windows updates must not be in progress.
  - User-specific applications cannot be installed. The following removes such packages for all users:

  ```
  Get-AppxPackage -AllUsers -Name "microsoft.onedrivesync" | Remove-AppxPackage
  Get-AppxPackage -AllUsers -Name "microsoft.bingsearch" | Remove-AppxPackage
  ```
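The two removals above only cover packages already installed for existing profiles; a package that is still provisioned in the image comes back for every new user, which is exactly what `sysprep /generalize` trips over. The following added example (not part of the original guide) removes a list of Store apps both for all existing users and from the provisioned image, checks one common pending-update indicator, and only then runs sysprep. The function name and the package list are this example's own; the two package names from the guide are included. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original guide: remove per-user Store apps for
# every profile and from the provisioned image, then generalize with sysprep.
# Requires an elevated PowerShell session on the Windows VM.

# Constructed list for this example; extend it from:
#   Get-AppxPackage -AllUsers | Select-Object Name
$packages = @(
    'microsoft.onedrivesync',   # from the guide
    'microsoft.bingsearch'      # from the guide
)

function Remove-ImageAppx {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Installed for any existing user profile.
        Get-AppxPackage -AllUsers -Name $name | ForEach-Object {
            Write-Host "Removing $($_.PackageFullName) for all users"
            Remove-AppxPackage -Package $_.PackageFullName -AllUsers
        }
        # Provisioned in the image: would be re-installed for every new user.
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -ieq $name } |
            ForEach-Object {
                Write-Host "De-provisioning $($_.PackageName)"
                Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            }
    }
}

Remove-ImageAppx -Names $packages

# sysprep must not run while Windows Update is mid-flight. The RebootRequired
# key is one common indicator of a pending update; refuse to continue if set.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    throw 'A reboot is pending from Windows Update; finish updates before running sysprep.'
}

# Same command as the guide, generalizing and shutting down for imaging.
& "$env:SystemRoot\System32\Sysprep\sysprep.exe" /oobe /generalize /shutdown
```

If sysprep still fails, `C:\Windows\System32\Sysprep\Panther\setupact.log` names the offending package; add it to `$packages` and re-run.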