Building a Windows Golden Image with HashiCorp Packer

Last updated: March 4, 2026

Why I Switched to Packer for Golden Images

Before I started using Packer, my image process was entirely manual: install Windows Server, click through the GUI, run some PowerShell scripts by hand, install VirtIO, install Cloudbase-Init, Sysprep, clone the disk image. The whole thing took 2–3 hours and was completely undocumented. When I needed to rebuild for a new Windows Server version or to include a security patch, I started from scratch.

The other problem was drift. VM templates built manually in Prism Element had no audit trail. I could not tell what was installed, who built them, or when the last patch was applied.

Packer solves both problems. The entire image is defined in version-controlled HCL files. Every build is reproducible. CIS benchmark hardening is applied automatically. The final image is uploaded to the Nutanix Image Service and tagged with a version. Old images are cleaned up by policy.

This article documents my full Packer setup for building a hardened Windows Server 2022 golden image on Nutanix AHV CE.

How Packer Works with Nutanix AHV

Packer uses the nutanix builder plugin, developed by the Nutanix Cloud Native team. The build flow is:

1. Packer reads HCL template + variables
2. Packer calls Prism Central API to create a temporary VM
3. VM boots from the Windows Server ISO
4. Autounattend.xml drives unattended Windows installation
   (served via a secondary CD-ROM / floppy attached by Packer)
5. Windows installs, reboots, Packer waits for WinRM to become available
6. Packer connects via WinRM and runs provisioners:
   - PowerShell scripts (updates, VirtIO, Cloudbase-Init, hardening)
   - Inline commands
7. Packer runs Sysprep to generalize the image
8. Packer shuts down the VM and converts the vDisk to an image
9. Image is uploaded to Prism Central Image Service
10. Temporary VM is deleted

The key difference from a manual process: steps 2–10 are fully automated and idempotent. The same HCL produces the same image every time.

Prerequisites

Requirement

Notes

Packer 1.11+

brew install packer or download from packer.io

Nutanix Packer Plugin

packer plugins install github.com/nutanix-cloud-native/nutanix

Prism Central 2023.x+

Packer communicates with the v3 API

WinRM reachable from Packer host

Packer needs network access to the VM's port 5985

Windows Server 2022 ISO

Uploaded to Prism Central Image Service

Nutanix VirtIO ISO

Downloaded from Nutanix Portal → Tools & Firmware

~80 GB free in storage container

For the temporary build VM

Verify Packer Installation

packer version
# Packer v1.11.x

packer plugins installed
# github.com/nutanix-cloud-native/nutanix v0.9.x

Project Structure

packer-nutanix-windows/
├── windows-server-2022/
│   ├── windows-server-2022.pkr.hcl       # Main Packer template
│   ├── variables.pkrvars.hcl              # Environment-specific vars (gitignored)
│   ├── variables.pkrvars.hcl.example     # Template for vars file
│   ├── http/
│   │   └── autounattend.xml              # Unattended Windows install config
│   ├── scripts/
│   │   ├── 01-install-virtio.ps1         # VirtIO driver installation
│   │   ├── 02-windows-update.ps1         # Apply all Windows Updates
│   │   ├── 03-install-cloudbase-init.ps1 # Cloudbase-Init setup
│   │   ├── 04-harden-os.ps1              # CIS-inspired baseline hardening
│   │   ├── 05-install-base-tools.ps1     # Common tools (7-Zip, Notepad++, etc.)
│   │   └── 99-sysprep.ps1                # Generalize and prepare for imaging
│   └── .gitignore
└── README.md

Installing the Nutanix Packer Plugin

# Install the plugin (downloads from GitHub Releases)
packer plugins install github.com/nutanix-cloud-native/nutanix

# Verify
packer plugins installed
# github.com/nutanix-cloud-native/nutanix v0.9.4

The plugin binary is stored at ~/.config/packer/plugins/.

Preparing the Autounattend.xml

The autounattend.xml file drives the unattended Windows Server installation. Packer attaches it as a second CD-ROM which the Windows installer automatically detects.

<!-- http/autounattend.xml -->
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">

  <!-- Pass 1: Windows PE – disk partitioning and image selection -->
  <settings pass="windowsPE">

    <component name="Microsoft-Windows-International-Core-WinPE"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <SetupUILanguage>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>

    <component name="Microsoft-Windows-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">

      <!-- Load VirtIO SCSI driver from second CD-ROM so installer sees the disk -->
      <DriverPaths>
        <PathAndCredentials wcm:action="add" wcm:keyValue="1">
          <Path>E:\viostor\2k22\amd64</Path>
        </PathAndCredentials>
        <PathAndCredentials wcm:action="add" wcm:keyValue="2">
          <Path>E:\NetKVM\2k22\amd64</Path>
        </PathAndCredentials>
      </DriverPaths>

      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <!-- EFI System Partition -->
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>EFI</Type>
              <Size>100</Size>
            </CreatePartition>
            <!-- Microsoft Reserved Partition -->
            <CreatePartition wcm:action="add">
              <Order>2</Order>
              <Type>MSR</Type>
              <Size>16</Size>
            </CreatePartition>
            <!-- Windows OS partition – remaining space -->
            <CreatePartition wcm:action="add">
              <Order>3</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <Format>FAT32</Format>
            </ModifyPartition>
            <ModifyPartition wcm:action="add">
              <Order>2</Order>
              <PartitionID>3</PartitionID>
              <Format>NTFS</Format>
              <Label>Windows</Label>
              <Letter>C</Letter>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>

      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>3</PartitionID>
          </InstallTo>
          <!-- Index 2 = Windows Server 2022 Standard (Desktop Experience) -->
          <InstallFrom>
            <MetaData wcm:action="add">
              <Key>/IMAGE/INDEX</Key>
              <Value>2</Value>
            </MetaData>
          </InstallFrom>
          <WillShowUI>Never</WillShowUI>
        </OSImage>
      </ImageInstall>

      <UserData>
        <AcceptEula>true</AcceptEula>
        <FullName>Administrator</FullName>
        <Organization>Lab</Organization>
      </UserData>

    </component>
  </settings>

  <!-- Pass 4: specialize – machine-specific settings -->
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <ComputerName>WIN-BUILD-TEMP</ComputerName>
      <TimeZone>UTC</TimeZone>
    </component>
    <component name="Microsoft-Windows-ServerManager-SvrMgrNc"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon>
    </component>
  </settings>

  <!-- Pass 7: oobeSystem – first boot settings and WinRM setup -->
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <AutoLogon>
        <Password>
          <Value>PackerBuild@2026</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>5</LogonCount>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>PackerBuild@2026</Value>
          <PlainText>true</PlainText>
        </Password>
      </UserAccounts>
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideLocalAccountScreen>true</HideLocalAccountScreen>
        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
        <ProtectYourPC>1</ProtectYourPC>
      </OOBE>
      <!-- Run WinRM setup on first boot so Packer can connect -->
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <Order>1</Order>
          <CommandLine>cmd /c winrm quickconfig -q</CommandLine>
          <Description>Enable WinRM</Description>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <Order>2</Order>
          <CommandLine>cmd /c winrm set winrm/config/service @{AllowUnencrypted="true"}</CommandLine>
          <Description>Allow unencrypted WinRM</Description>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <Order>3</Order>
          <CommandLine>cmd /c winrm set winrm/config/service/auth @{Basic="true"}</CommandLine>
          <Description>Enable Basic auth</Description>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <Order>4</Order>
          <CommandLine>cmd /c netsh advfirewall firewall add rule name="WinRM HTTP" protocol=TCP dir=in localport=5985 action=allow</CommandLine>
          <Description>Open WinRM firewall port</Description>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <Order>5</Order>
          <CommandLine>powershell -Command "Set-ExecutionPolicy Bypass -Scope LocalMachine -Force"</CommandLine>
          <Description>Allow PowerShell scripts</Description>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>

</unattend>

Image index 2 selects Windows Server 2022 Standard (Desktop Experience). Use index 1 for Core edition. Run Get-WindowsImage -ImagePath D:\sources\install.wim on a Windows machine to list all available indexes in your ISO.

Writing the Packer HCL Template

# windows-server-2022/windows-server-2022.pkr.hcl

packer {
  required_version = ">= 1.11.0"
  required_plugins {
    nutanix = {
      version = ">= 0.9.4"
      source  = "github.com/nutanix-cloud-native/nutanix"
    }
  }
}

# ─── Variables ────────────────────────────────────────────────────────────────

variable "nutanix_username" {
  type      = string
  sensitive = false
}

variable "nutanix_password" {
  type      = string
  sensitive = true
}

variable "nutanix_endpoint" {
  type        = string
  description = "Prism Central IP or FQDN"
}

variable "nutanix_port" {
  type    = number
  default = 9440
}

variable "nutanix_insecure" {
  type    = bool
  default = true
  description = "Skip TLS verification (set false for production with valid cert)"
}

variable "nutanix_cluster_name" {
  type        = string
  description = "Name of the cluster as shown in Prism Central"
}

variable "nutanix_subnet_name" {
  type        = string
  description = "VM network name to attach the build VM to"
}

variable "nutanix_storage_container" {
  type    = string
  default = "vms-rf2"
}

variable "windows_iso_name" {
  type        = string
  description = "Image name of the Windows Server 2022 ISO in Prism Central Image Service"
  default     = "windows-server-2022-eval.iso"
}

variable "virtio_iso_name" {
  type        = string
  description = "Image name of the Nutanix VirtIO ISO in Prism Central Image Service"
  default     = "Nutanix-VirtIO-1.2.4.iso"
}

variable "winrm_username" {
  type    = string
  default = "Administrator"
}

variable "winrm_password" {
  type      = string
  default   = "PackerBuild@2026"
  sensitive = true
}

variable "image_version" {
  type        = string
  description = "Version tag for the output image (e.g. 2026.03.04)"
  default     = "2026.03.04"
}

variable "vm_cpu" {
  type    = number
  default = 4
}

variable "vm_memory_mb" {
  type    = number
  default = 8192
}

variable "vm_disk_size_mib" {
  type    = number
  default = 81920  # 80 GiB
}

# ─── Local values ─────────────────────────────────────────────────────────────

locals {
  output_image_name = "win2022-golden-${var.image_version}"
  timestamp         = formatdate("YYYYMMDD-hhmm", timestamp())
  build_vm_name     = "packer-build-win2022-${local.timestamp}"
}

# ─── Source ───────────────────────────────────────────────────────────────────

source "nutanix" "windows_server_2022" {

  # Prism Central connection
  nutanix_username = var.nutanix_username
  nutanix_password = var.nutanix_password
  nutanix_endpoint = var.nutanix_endpoint
  nutanix_port     = var.nutanix_port
  nutanix_insecure = var.nutanix_insecure

  # Cluster and storage placement
  cluster_name = var.nutanix_cluster_name

  # Build VM hardware
  vm_name      = local.build_vm_name
  num_sockets  = var.vm_cpu
  num_vcpus_per_socket = 1
  memory_mb    = var.vm_memory_mb
  os_type      = "Windows"

  # Boot disk
  vm_disks = [
    {
      image_type        = "DISK"
      disk_size_gb      = var.vm_disk_size_mib / 1024
      data_source_reference = null
    }
  ]

  # CD-ROM 1: Windows Server 2022 ISO (boot)
  # CD-ROM 2: VirtIO Drivers ISO
  # CD-ROM 3: Packer-generated floppy with autounattend.xml
  vm_nics = [
    {
      subnet_name = var.nutanix_subnet_name
    }
  ]

  # ISO images referenced from Prism Central Image Service
  cd_content = {
    "/autounattend.xml" = "./http/autounattend.xml"
  }
  cd_label = "PACKER_UNATTEND"

  # ISO boot disk references (attached as CD-ROMs)
  boot_type = "UEFI"
  boot_command = []    # autounattend.xml handles installation silently

  # WinRM communicator – Packer waits for this to be available
  communicator   = "winrm"
  winrm_username = var.winrm_username
  winrm_password = var.winrm_password
  winrm_port     = 5985
  winrm_timeout  = "90m"
  winrm_use_ssl  = false
  winrm_insecure = true

  # Output image
  image_name        = local.output_image_name
  image_description = "Windows Server 2022 Standard golden image – built ${local.timestamp} – version ${var.image_version}"

  # Nutanix image metadata
  force_deregister = true  # Overwrite existing image with same name on rebuild
}

# ─── Build ────────────────────────────────────────────────────────────────────

build {
  name    = "win2022-golden"
  sources = ["source.nutanix.windows_server_2022"]

  # 1. Install VirtIO drivers fully (NIC + storage + balloon)
  provisioner "powershell" {
    script = "./scripts/01-install-virtio.ps1"
  }

  # 2. Run Windows Update (may trigger multiple reboots)
  provisioner "powershell" {
    script          = "./scripts/02-windows-update.ps1"
    valid_exit_codes = [0, 3010]  # 3010 = reboot required but OK
  }

  # Reboot after updates
  provisioner "windows-restart" {
    restart_timeout = "30m"
  }

  # 3. Install Cloudbase-Init
  provisioner "powershell" {
    script = "./scripts/03-install-cloudbase-init.ps1"
  }

  # 4. OS hardening (CIS baseline – Level 1)
  provisioner "powershell" {
    script = "./scripts/04-harden-os.ps1"
  }

  # 5. Install base tools
  provisioner "powershell" {
    script = "./scripts/05-install-base-tools.ps1"
  }

  # Final reboot to settle all changes
  provisioner "windows-restart" {
    restart_timeout = "20m"
  }

  # 6. Sysprep (shuts down VM, Packer then captures the image)
  provisioner "powershell" {
    script = "./scripts/99-sysprep.ps1"
  }

  post-processor "manifest" {
    output     = "manifest.json"
    strip_path = true
  }
}

Variables File

# variables.pkrvars.hcl.example  (copy to variables.pkrvars.hcl, gitignored)
nutanix_username          = "admin"
nutanix_password          = "your-prism-central-password"
nutanix_endpoint          = "10.0.10.20"
nutanix_insecure          = true
nutanix_cluster_name      = "home-lab-cluster"
nutanix_subnet_name       = "vm-prod-vlan20"
nutanix_storage_container = "vms-rf2"
windows_iso_name          = "windows-server-2022-eval.iso"
virtio_iso_name           = "Nutanix-VirtIO-1.2.4.iso"
winrm_password            = "PackerBuild@2026"
image_version             = "2026.03.04"
vm_cpu                    = 4
vm_memory_mb              = 8192
vm_disk_size_mib          = 81920

Add to .gitignore:

variables.pkrvars.hcl
manifest.json

Provisioners – Hardening and Software Installation

01-install-virtio.ps1

# Install all VirtIO drivers from the mounted CD-ROM
# The VirtIO ISO is attached by Packer as D: or E: - scan for it

$virtioPath = $null
foreach ($drive in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Free -eq 0 })) {
    if (Test-Path "$($drive.Root)virtio-win-gt-x64.msi") {
        $virtioPath = $drive.Root
        break
    }
}

if (-not $virtioPath) {
    Write-Error "VirtIO ISO drive not found. Ensure the VirtIO ISO is attached."
    exit 1
}

Write-Output "Installing VirtIO from $virtioPath"
Start-Process msiexec.exe -ArgumentList "/i `"${virtioPath}virtio-win-gt-x64.msi`" /qn /norestart" -Wait -NoNewWindow

# Install balloon driver separately if not included
$balloonInf = Get-ChildItem -Path $virtioPath -Filter "balloon.inf" -Recurse | Where-Object { $_.FullName -match "2k22\\amd64" } | Select-Object -First 1
if ($balloonInf) {
    pnputil /add-driver $balloonInf.FullName /install
}

Write-Output "VirtIO drivers installed."

02-windows-update.ps1

# Install PSWindowsUpdate module and apply all updates
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    Install-PackageProvider -Name NuGet -Force -Confirm:$false
    Install-Module -Name PSWindowsUpdate -Force -Confirm:$false
}

Import-Module PSWindowsUpdate

Write-Output "Checking for updates..."
$updates = Get-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot

if ($updates.Count -gt 0) {
    Write-Output "Installing $($updates.Count) updates..."
    Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot -Confirm:$false
    Write-Output "Updates installed. A reboot may be required."
    exit 3010  # Signal to Packer: reboot needed but not a failure
} else {
    Write-Output "No updates available."
    exit 0
}

03-install-cloudbase-init.ps1

# Download and install Cloudbase-Init for AHV config drive support
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$installerUrl = "https://cloudbase.it/downloads/CloudbaseInitSetup_Stable_x64.msi"
$installerPath = "$env:TEMP\CloudbaseInitSetup.msi"

Write-Output "Downloading Cloudbase-Init..."
Invoke-WebRequest -Uri $installerUrl -OutFile $installerPath -UseBasicParsing

Write-Output "Installing Cloudbase-Init..."
Start-Process msiexec.exe -ArgumentList "/i `"$installerPath`" /qn /norestart" -Wait -NoNewWindow

# Write production-ready config
$configDir = "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf"
$configFile = "$configDir\cloudbase-init.conf"

Set-Content -Path $configFile -Value @"
[DEFAULT]
username=Administrator
groups=Administrators
inject_user_password=true
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=false
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings=COM1,115200,N,8
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
metadata_services=cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cloudbaseinit.metadata.services.httpservice.HttpService
plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin,cloudbaseinit.plugins.windows.createuser.CreateUserPlugin,cloudbaseinit.plugins.common.setuserpassword.SetUserPasswordPlugin,cloudbaseinit.plugins.windows.extendvolumes.ExtendVolumesPlugin,cloudbaseinit.plugins.common.userdata.UserDataPlugin,cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin
"@

Write-Output "Cloudbase-Init installed and configured."
Remove-Item $installerPath -Force

04-harden-os.ps1

# CIS Windows Server 2022 Level 1 – selected controls
# Full CIS benchmark: https://www.cisecurity.org/cis-benchmarks

Write-Output "Applying OS hardening baseline..."

# --- Account policies ---
# Set minimum password length = 14
net accounts /MINPWLEN:14
# Set maximum password age = 60 days
net accounts /MAXPWAGE:60
# Set account lockout threshold = 5 invalid attempts
net accounts /LOCKOUTTHRESHOLD:5
# Set lockout duration = 15 minutes
net accounts /LOCKOUTDURATION:15

# --- Disable unnecessary services ---
$servicesToDisable = @(
    "Fax",
    "XblAuthManager",
    "XblGameSave",
    "XboxNetApiSvc",
    "WMPNetworkSvc",
    "RemoteRegistry"
)
foreach ($svc in $servicesToDisable) {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($service) {
        Set-Service -Name $svc -StartupType Disabled
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Write-Output "Disabled service: $svc"
    }
}

# --- Windows Firewall – ensure enabled on all profiles ---
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# --- Disable LLMNR ---
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0

# --- Disable NetBIOS over TCP/IP on all adapters ---
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($adapter in $adapters) {
    $adapter.SetTcpipNetbios(2) | Out-Null  # 2 = Disable NetBIOS
}

# --- Enable Windows Defender and set update frequency ---
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -SignatureUpdateInterval 4

# --- Disable SMBv1 ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -NoRestart

# --- Configure audit policies ---
auditpol /set /subcategory:"Logon"                       /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout"             /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"                      /success:enable /failure:disable
auditpol /set /subcategory:"Special Logon"               /success:enable /failure:disable
auditpol /set /subcategory:"Security Group Management"   /success:enable /failure:disable
auditpol /set /subcategory:"User Account Management"     /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation"            /success:enable /failure:disable

# --- Set WinRM to only allow HTTPS (post-deployment) ---
# Note: HTTP WinRM is left open during the Packer build (needed for provisioners).
# The Cloudbase-Init user-data in your Blueprint should disable HTTP WinRM post-deploy.

# --- Disable AutoRun ---
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoDriveTypeAutoRun" -Value 255

# --- Enable DEP ---
bcdedit /set nx OptIn 2>$null

Write-Output "Hardening baseline applied."

05-install-base-tools.ps1

# Install common tools via winget (available on Server 2022 with Windows Package Manager)
Write-Output "Installing base tools..."

# Enable TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Install Chocolatey as a fallback package manager
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

# Install packages
choco install -y --no-progress `
    7zip `
    notepadplusplus `
    googlechrome `
    git `
    openssh

# Configure OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd

# Add firewall rule for SSH
New-NetFirewallRule -Name "OpenSSH-Server" -DisplayName "OpenSSH Server (sshd)" -Enabled True `
    -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null

Write-Output "Base tools installed."

99-sysprep.ps1

# Final Sysprep – generalize the image and shut down
# Packer captures the disk image after shutdown

Write-Output "Running Sysprep to generalize image..."

# Clean up temporary files before capturing
Remove-Item -Path "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Recurse -Force -ErrorAction SilentlyContinue

# Remove Windows Update cache
Stop-Service wuauserv -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\SoftwareDistribution\*" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service wuauserv

# Clear event logs
Get-EventLog -LogName * | ForEach-Object { Clear-EventLog $_.Log -ErrorAction SilentlyContinue }

# Remove Chocolatey cache
Remove-Item -Path "C:\ProgramData\chocolatey\lib-bkp" -Recurse -Force -ErrorAction SilentlyContinue

# Run Sysprep – /shutdown tells Sysprep to power off after generalize
# Packer detects the shutdown and proceeds to image capture
$sysprepArgs = "/generalize /oobe /shutdown /quiet"

# Use unattend.xml to skip OOBE prompts on next boot
$unattendPath = "C:\Windows\System32\Sysprep\unattend.xml"
Set-Content -Path $unattendPath -Value @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideLocalAccountScreen>true</HideLocalAccountScreen>
        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
        <ProtectYourPC>1</ProtectYourPC>
      </OOBE>
    </component>
  </settings>
</unattend>
'@

Write-Output "Starting Sysprep with /shutdown..."
Start-Process -FilePath "C:\Windows\System32\Sysprep\sysprep.exe" `
    -ArgumentList "$sysprepArgs /unattend:$unattendPath" `
    -Wait -NoNewWindow

# Control never returns here – Sysprep shuts down the VM

Running the Packer Build

# Initialize (download plugin if not already installed)
packer init windows-server-2022/windows-server-2022.pkr.hcl

# Validate template syntax
packer validate \
  -var-file="windows-server-2022/variables.pkrvars.hcl" \
  windows-server-2022/windows-server-2022.pkr.hcl

# Run the build
packer build \
  -var-file="windows-server-2022/variables.pkrvars.hcl" \
  windows-server-2022/windows-server-2022.pkr.hcl

Expected Output

nutanix.windows_server_2022: output will be in this color.

==> nutanix.windows_server_2022: Creating VM packer-build-win2022-20260304-0200...
==> nutanix.windows_server_2022: Attaching ISO: windows-server-2022-eval.iso
==> nutanix.windows_server_2022: Attaching ISO: Nutanix-VirtIO-1.2.4.iso
==> nutanix.windows_server_2022: Attaching CD with autounattend.xml
==> nutanix.windows_server_2022: Powering on VM...
==> nutanix.windows_server_2022: Waiting for WinRM to become available...
    nutanix.windows_server_2022: WinRM connected.
==> nutanix.windows_server_2022: Connected to machine via WinRM
==> nutanix.windows_server_2022: Provisioning with Powershell...
==> nutanix.windows_server_2022: Provisioning script: ./scripts/01-install-virtio.ps1
    nutanix.windows_server_2022: VirtIO drivers installed.
==> nutanix.windows_server_2022: Provisioning script: ./scripts/02-windows-update.ps1
    nutanix.windows_server_2022: Installing 38 updates...
==> nutanix.windows_server_2022: Restarting Machine...
==> nutanix.windows_server_2022: Waiting for machine to restart...
==> nutanix.windows_server_2022: Provisioning script: ./scripts/03-install-cloudbase-init.ps1
    nutanix.windows_server_2022: Cloudbase-Init installed and configured.
==> nutanix.windows_server_2022: Provisioning script: ./scripts/04-harden-os.ps1
    nutanix.windows_server_2022: Hardening baseline applied.
==> nutanix.windows_server_2022: Provisioning script: ./scripts/05-install-base-tools.ps1
    nutanix.windows_server_2022: Base tools installed.
==> nutanix.windows_server_2022: Restarting Machine...
==> nutanix.windows_server_2022: Provisioning script: ./scripts/99-sysprep.ps1
    nutanix.windows_server_2022: Starting Sysprep with /shutdown...
==> nutanix.windows_server_2022: VM shut down. Capturing image...
==> nutanix.windows_server_2022: Image created: win2022-golden-2026.03.04
==> nutanix.windows_server_2022: Deleting build VM: packer-build-win2022-20260304-0200
Build 'nutanix.windows_server_2022' finished after 1 hour 43 minutes.

==> Builds finished. The artifacts of successful builds are:
--> nutanix.windows_server_2022: win2022-golden-2026.03.04

Using the Golden Image in AHV

After a successful build, the image win2022-golden-2026.03.04 appears in:

Prism Central → Compute & Storage → Images

Create a VM Directly from the Image

Prism Element → VM → + Create VM
  Disk 1: Clone from Image → win2022-golden-2026.03.04
  NIC 1: vm-prod-vlan20
  Guest Customization: Sysprep (Cloudbase-Init reads config drive on first boot)

Use in a Blueprint

In your NCM Self-Service Blueprint substrate, reference the image by name:

# calm-dsl substrate snippet
disks = [
    AhvVmDisk(
        image="win2022-golden-2026.03.04",
        bootable=True,
        disk_size=80
    )
]

Or in the Prism Central Blueprint GUI:

Substrate → VM → Disks → Image: win2022-golden-2026.03.04

Because Cloudbase-Init is embedded in the image, the Blueprint's Sysprep guest customization script will be read automatically on first boot — hostname, password, and user-data all applied without any manual steps.

CI/CD Pipeline for Image Rebuilds

I rebuild the golden image monthly (or immediately after a critical CVE) using a GitLab CI/CD pipeline.

# .gitlab-ci.yml
stages:
  - validate
  - build
  - notify

variables:
  PACKER_VERSION: "1.11.2"
  IMAGE_VERSION: "$CI_PIPELINE_CREATED_AT"   # e.g. 2026-03-04T02:00:00Z — trim in script

validate:
  stage: validate
  image: hashicorp/packer:${PACKER_VERSION}
  script:
    - packer plugins install github.com/nutanix-cloud-native/nutanix
    - packer validate
        -var "nutanix_username=${NUTANIX_USER}"
        -var "nutanix_password=${NUTANIX_PASSWORD}"
        -var "nutanix_endpoint=${NUTANIX_PC}"
        -var "nutanix_cluster_name=${NUTANIX_CLUSTER}"
        -var "nutanix_subnet_name=${NUTANIX_SUBNET}"
        -var "image_version=$(date +%Y.%m.%d)"
        windows-server-2022/windows-server-2022.pkr.hcl
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

build-golden-image:
  stage: build
  image: hashicorp/packer:${PACKER_VERSION}
  timeout: 3 hours
  script:
    - packer plugins install github.com/nutanix-cloud-native/nutanix
    - packer build
        -var "nutanix_username=${NUTANIX_USER}"
        -var "nutanix_password=${NUTANIX_PASSWORD}"
        -var "nutanix_endpoint=${NUTANIX_PC}"
        -var "nutanix_cluster_name=${NUTANIX_CLUSTER}"
        -var "nutanix_subnet_name=${NUTANIX_SUBNET}"
        -var "winrm_password=${WINRM_BUILD_PASSWORD}"
        -var "image_version=$(date +%Y.%m.%d)"
        windows-server-2022/windows-server-2022.pkr.hcl
    - echo "IMAGE_NAME=win2022-golden-$(date +%Y.%m.%d)" >> build.env
  artifacts:
    reports:
      dotenv: build.env
    paths:
      - manifest.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"   # Monthly schedule
    - if: $CI_PIPELINE_SOURCE == "web"        # Manual trigger

notify:
  stage: notify
  image: curlimages/curl:latest
  script:
    - |
      curl -X POST "${SLACK_WEBHOOK_URL}" \
        -H 'Content-type: application/json' \
        --data "{\"text\":\"✅ Golden image built: ${IMAGE_NAME}\"}"
  needs:
    - job: build-golden-image
      artifacts: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_PIPELINE_SOURCE == "web"

Store secrets in GitLab CI/CD Variables (masked):

NUTANIX_USER, NUTANIX_PASSWORD, NUTANIX_PC
NUTANIX_CLUSTER, NUTANIX_SUBNET
WINRM_BUILD_PASSWORD
SLACK_WEBHOOK_URL

Versioning and Lifecycle Management

Naming Convention

win2022-golden-YYYY.MM.DD
  e.g. win2022-golden-2026.03.04

Tag images with metadata via Prism Central API after build:

# Add category tags via acli
nutanix@cvm:~$ acli image.update win2022-golden-2026.03.04 \
  annotation="CIS Level 1 | KB patched $(date +%Y-%m-%d) | VirtIO 1.2.4 | Cloudbase-Init 1.1.6"

Retention Policy

Keep the last 3 golden images; delete older ones automatically via a cleanup script:

#!/usr/bin/env python3
# cleanup_old_images.py
import requests, re, sys
from datetime import datetime

PC_HOST = sys.argv[1]
PC_USER = sys.argv[2]
PC_PASS = sys.argv[3]
KEEP_COUNT = 3
IMAGE_PREFIX = "win2022-golden-"

session = requests.Session()
session.auth = (PC_USER, PC_PASS)
session.verify = False

resp = session.post(
    f"https://{PC_HOST}:9440/api/nutanix/v3/images/list",
    json={"kind": "image", "length": 200},
)
images = resp.json()["entities"]

golden = [
    img for img in images
    if img["status"]["name"].startswith(IMAGE_PREFIX)
]
golden.sort(key=lambda x: x["status"]["name"], reverse=True)

to_delete = golden[KEEP_COUNT:]
for img in to_delete:
    name = img["status"]["name"]
    uuid = img["metadata"]["uuid"]
    print(f"Deleting old image: {name} ({uuid})")
    session.delete(f"https://{PC_HOST}:9440/api/nutanix/v3/images/{uuid}")

print(f"Retained {min(len(golden), KEEP_COUNT)} images, deleted {len(to_delete)}.")

Troubleshooting

Symptom

Cause

Fix

Packer times out waiting for WinRM

Autounattend.xml not found or VirtIO driver path wrong, Windows install stalled

Attach via Prism console to see the installer state; verify autounattend.xml CD label and VirtIO driver paths match ISO structure

Error: "No disk found" during Windows install

VirtIO SCSI driver not loaded in windowsPE pass

Check drive letter of VirtIO ISO in DriverPaths (E: vs F:); verify viostor\2k22\amd64 path exists in ISO

WinRM auth failure

Password mismatch between autounattend.xml and Packer winrm_password

Keep both values in sync; autounattend sets the build-time Administrator password, Packer connects with the same value

Sysprep fails: "A fatal error occurred while trying to Sysprep the machine"

Windows Updates pending reboot, or .NET install incomplete

Add extra windows-restart provisioner before Sysprep; disable Windows Update service cleanup before running Sysprep

Image not appearing in Prism Central after build

force_deregister = true removed old image but upload failed

Check Packer output for API errors; verify Prism Central has enough storage in the target container

Cloudbase-Init not running on first VM boot

Sysprep ran without Cloudbase-Init installed, or service is disabled

Verify 03-install-cloudbase-init.ps1 succeeded in Packer build log; check Cloudbase-Init service startup type in the image

Build VM left behind after failed run

Packer crashed before cleanup

Manually delete packer-build-win2022-* VMs from Prism Element; use force_deregister and handle cleanup in CI on failure

Next Steps

Tags: Nutanix, AHV, Packer, HashiCorp, Golden Image, Windows Server 2022, Cloudbase-Init, VirtIO, Sysprep, Autounattend, CI/CD, Image Pipeline

PreviousWriting a Blueprint for Windows VM Automation NextGitLab CI/CD Integration with Nutanix Blueprint

Last updated 11 hours ago

hashtagTable of Contents

hashtagWhy I Switched to Packer for Golden Images

hashtagHow Packer Works with Nutanix AHV

hashtagPrerequisites

hashtagVerify Packer Installation

hashtagProject Structure

hashtagInstalling the Nutanix Packer Plugin

hashtagPreparing the Autounattend.xml

hashtagWriting the Packer HCL Template

hashtagVariables File

hashtagProvisioners – Hardening and Software Installation

hashtag01-install-virtio.ps1

hashtag02-windows-update.ps1

hashtag03-install-cloudbase-init.ps1

hashtag04-harden-os.ps1

hashtag05-install-base-tools.ps1

hashtag99-sysprep.ps1

hashtagRunning the Packer Build

hashtagExpected Output

hashtagUsing the Golden Image in AHV

hashtagCreate a VM Directly from the Image

hashtagUse in a Blueprint

hashtagCI/CD Pipeline for Image Rebuilds

hashtagVersioning and Lifecycle Management

hashtagNaming Convention

hashtagRetention Policy

hashtagTroubleshooting

hashtagNext Steps

Table of Contents