src/sysprep.psm1

function New-UnattendFile {
  <#
  .SYNOPSIS
    Creates a Windows Unattend file
  .DESCRIPTION
 
  .EXAMPLE
    These examples show how to call the New-UnattendFile function with named parameters.
    # linux:
    PS C:\> New-UnattendFile -destinationPath 'unattend.xml' -productKey 'W269N-WFGWX-YVC9B-4J6C9-T83GX' -registeredOwner 'RelOps Mozilla' -registeredOrganization 'Mozilla Corporation' -administratorPassword $(openssl rand -base64 12)
    # windows:
    PS C:\> New-UnattendFile -destinationPath 'unattend.xml' -productKey 'W269N-WFGWX-YVC9B-4J6C9-T83GX' -registeredOwner 'RelOps Mozilla' -registeredOrganization 'Mozilla Corporation' -administratorPassword (New-Password)
  #>

  [CmdletBinding()]
  param (
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string] $destinationPath,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/component-settings-and-properties-reference
    [ValidateSet('amd64', 'arm', 'arm64', 'ia64', 'x86')]
    [string] $processorArchitecture = 'amd64',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-computername
    [string] $computerName = '*',
    [string] $auditComputerName = $computerName,

    [bool] $auditComputerNameMustReboot = ($auditComputerName -ne $computerName),
    [bool] $extendOsPartition = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-useraccounts-administratorpassword
    [string] $administratorPassword = (New-Password),
    [string] $encodedAdministratorPassword = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(('{0}AdministratorPassword' -f $administratorPassword))),

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-autologon-logoncount
    [int] $autoLogonCount = 2,
    [switch] $autoLogonEnabled = ($autoLogonCount -gt 0),
    [string] $autoLogonUsername = 'Administrator',
    [string] $autoLogonDomain = $null,
    [string] $autoLogonPassword = $administratorPassword,
    [string] $encodedAutoLogonPassword = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(('{0}Password' -f $autoLogonPassword))),

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-productkey
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-userdata-productkey
    [Parameter(Mandatory = $true)]
    [string] $productKey,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-registeredorganization
    [string] $registeredOrganization = '',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-registeredowner
    [string] $registeredOwner = '',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-uilanguage
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-winpe-uilanguage
    [string] $uiLanguage = 'en-US',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-uilanguagefallback
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-winpe-uilanguagefallback
    [string] $uiLanguageFallback = 'en-US',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-inputlocale
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-winpe-inputlocale
    [string] $inputLocale = $uiLanguage,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-systemlocale
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-winpe-systemlocale
    [string] $systemLocale = $uiLanguage,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-userlocale
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-international-core-winpe-userlocale
    [string] $userLocale = $uiLanguage,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-timezone
    # https://support.microsoft.com/en-us/help/973627/microsoft-time-zone-index-values (use string value of column with header "Name of Time Zone')
    [string] $timeZone = 'UTC',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-diagnostics-optin
    [bool] $diagnosticsOptIn = $false,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-dynamicupdate-enable
    [bool] $dynamicUpdateEnable = $false,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-dynamicupdate-willshowui
    [ValidateSet('Always', 'OnError', 'Never')]
    [string] $dynamicUpdateWillShowUI = 'Never',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-userdata-accepteula
    [bool] $acceptEula = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-userdata-fullname
    [string] $fullName = $registeredOwner,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-userdata-organization
    [string] $organization = $registeredOrganization,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua
    [bool] $enableLUA = $false,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-security-spp-skiprearm
    [ValidateRange(0, 1)]
    [int] $skipRearm = 1,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-security-spp-ux-skipautoactivation
    [bool] $skipAutoActivation = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-sqmapi-ceipenabled
    [ValidateRange(0, 1)]
    [int] $ceipEnabled = 0,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-hideeulapage
    [bool] $hideEULAPage = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-hideoemregistrationscreen
    [bool] $hideOEMRegistrationScreen = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-hideonlineaccountscreens
    [bool] $hideOnlineAccountScreens = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-hidewirelesssetupinoobe
    [bool] $hideWirelessSetupInOOBE = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-networklocation
    [ValidateSet('Home', 'Work', 'Other')]
    [string] $networkLocation = 'Other',

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-dns-client-dnsdomain
    [string] $dnsDomain = $null,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-dns-client-dnssuffixsearchorder
    [string[]] $dnsSuffixSearchOrder = $null,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-dns-client-usedomainnamedevolution
    [nullable[bool]] $dnsUseDomainNameDevolution = $null,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-dns-client-interfaces
    [hashtable[]] $networkInterfaces = @(
      @{
        'alias' = 'Local Area Connection';
        'dns' = @{
          'domain' = $dnsDomain;
          'dynamic' = $null;
          'register' = $null;
          'search' = @('1.1.1.1', '1.0.0.1', '8.8.8.8', '8.8.4.4')
        }
      }
    )

    # deprecated after 1709
    [bool] $skipMachineOOBE = $true,

    # deprecated after 1709
    [bool] $skipUserOOBE = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-oobe-protectyourpc
    [ValidateRange(1, 3)]
    [int] $protectYourPC = 3,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-disableautodaylighttimeset
    [bool] $disableAutoDaylightTimeSet = $true,

    [bool] $showWindowsLive = $false,

    # https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/enable-remote-desktop-by-using-an-answer-file
    [bool] $enableRDP = $false,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deployment-runsynchronous
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deployment-runasynchronous
    [hashtable[]] $commands = @(
      @{
        'Description'   = 'say hello in FirstLogonCommands';
        'CommandLine'   = 'echo "hello beautiful world"';
        'Pass'          = 'oobeSystem';
        'Synchronicity' = 'Synchronous';
        'Priority'      = 500
      },
      @{
        'Description'   = 'say goodbye in FirstLogonCommands';
        'CommandLine'   = 'echo "goodbye cruel world"';
        'Pass'          = 'oobeSystem';
        'Synchronicity' = 'Synchronous';
        'Priority'      = 501
      }
    ),

    [Parameter(Mandatory = $true)]
    [ValidateSet('Windows 7', 'Windows 10', 'Windows Server 1903', 'Windows Server 1909', 'Windows Server 2012 R2', 'Windows Server 2016', 'Windows Server 2019')]
    [string] $os,

    [switch] $obfuscatePassword = $false,

    [ValidateSet('Audit', 'OOBE')]
    [string] $generalizeMode = 'OOBE',
    [switch] $generalizeShutdown = $false,
    [bool] $generalizeOmit = $true,

    [ValidateSet('Audit', 'OOBE')]
    [string] $auditSystemResealMode = 'OOBE',
    [switch] $auditSystemResealShutdown = $false,
    [bool] $auditSystemResealOmit = $true,

    [ValidateSet('Audit', 'OOBE')]
    [string] $auditUserResealMode = 'OOBE',
    [switch] $auditUserResealShutdown = $false,
    [bool] $auditUserResealOmit = (-not $generalizeOmit),

    [ValidateSet('Audit', 'OOBE')]
    [string] $oobeSystemResealMode = 'OOBE',
    [switch] $oobeSystemResealShutdown = $false,
    [bool] $oobeSystemResealOmit = $true,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-display-colordepth
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-display-colordepth
    [ValidateSet(1, 4, 8, 15, 16, 24, 32, 48)]
    [int] $displayColorDepth = 16,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-display-horizontalresolution
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-display-horizontalresolution
    [ValidateRange(640, 1024)]
    [int] $displayHorizontalResolution = 1024,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-display-verticalresolution
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-display-verticalresolution
    [ValidateRange(480, 768)]
    [int] $displayVerticalResolution = 768,

    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-setup-display-refreshrate
    # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-display-refreshrate
    [ValidateRange(60, 120)]
    [int] $displayRefreshRate = 60,

    [xml] $template = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SetupUILanguage>
        <UILanguage>$uiLanguage</UILanguage>
      </SetupUILanguage>
      <InputLocale>$inputLocale</InputLocale>
      <SystemLocale>$systemLocale</SystemLocale>
      <UILanguage>$uiLanguage</UILanguage>
      <UILanguageFallback>$uiLanguageFallback</UILanguageFallback>
      <UserLocale>$userLocale</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <Diagnostics>
        <OptIn>$(if ($diagnosticsOptIn) { 'true' } else { 'false' })</OptIn>
      </Diagnostics>
      <DynamicUpdate>
        <Enable>$(if ($dynamicUpdateEnable) { 'true' } else { 'false' })</Enable>
        <WillShowUI>$dynamicUpdateWillShowUI</WillShowUI>
      </DynamicUpdate>
      <DiskConfiguration>
        <Disk wcm:action="add">
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Size>100</Size>
            </CreatePartition>
            <CreatePartition wcm:action="add">
              <Extend>true</Extend>
              <Order>2</Order>
              <Type>Primary</Type>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Active>true</Active>
              <Format>NTFS</Format>
              <Label>System Reserved</Label>
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <TypeID>0x27</TypeID>
            </ModifyPartition>
            <ModifyPartition wcm:action="add">
              <Active>true</Active>
              <Format>NTFS</Format>
              <Label>os</Label>
              <Letter>C</Letter>
              <Order>2</Order>
              <PartitionID>2</PartitionID>
            </ModifyPartition>
          </ModifyPartitions>
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>2</PartitionID>
          </InstallTo>
          <InstallToAvailablePartition>false</InstallToAvailablePartition>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>$(if ($acceptEula) { 'true' } else { 'false' })</AcceptEula>
        <FullName>$fullName</FullName>
        <Organization>$organization</Organization>
        <ProductKey>
          <Key>$productKey</Key>
        </ProductKey>
      </UserData>
      <Display>
        <ColorDepth>$displayColorDepth</ColorDepth>
        <HorizontalResolution>$displayHorizontalResolution</HorizontalResolution>
        <RefreshRate>$displayRefreshRate</RefreshRate>
        <VerticalResolution>$displayVerticalResolution</VerticalResolution>
      </Display>
    </component>
  </settings>
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <EnableLUA>$(if ($enableLUA) { 'true' } else { 'false' })</EnableLUA>
    </component>
  </settings>
  <settings pass="generalize">
    <component name="Microsoft-Windows-Security-SPP" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SkipRearm>$skipRearm</SkipRearm>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <InputLocale>$inputLocale</InputLocale>
      <SystemLocale>$systemLocale</SystemLocale>
      <UILanguage>$uiLanguage</UILanguage>
      <UILanguageFallback>$uiLanguageFallback</UILanguageFallback>
      <UserLocale>$userLocale</UserLocale>
    </component>
    <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SkipAutoActivation>$(if ($skipAutoActivation) { 'true' } else { 'false' })</SkipAutoActivation>
    </component>
    <component name="Microsoft-Windows-SQMApi" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CEIPEnabled>$ceipEnabled</CEIPEnabled>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ComputerName>$computerName</ComputerName>
      <ProductKey>$productKey</ProductKey>
      <TimeZone>$timeZone</TimeZone>
      <Display>
        <ColorDepth>$displayColorDepth</ColorDepth>
        <HorizontalResolution>$displayHorizontalResolution</HorizontalResolution>
        <RefreshRate>$displayRefreshRate</RefreshRate>
        <VerticalResolution>$displayVerticalResolution</VerticalResolution>
      </Display>
    </component>
    <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <fDenyTSConnections>false</fDenyTSConnections>
    </component>
    <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UserAuthentication>0</UserAuthentication>
    </component>
    <component name="Networking-MPSSVC-Svc" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <FirewallGroups>
        <FirewallGroup wcm:action="add" wcm:keyValue="rd1">
          <Active>true</Active>
          <Group>Remote Desktop</Group>
          <Profile>all</Profile>
        </FirewallGroup>
      </FirewallGroups>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    </component>
    <component name="Microsoft-Windows-DNS-Client" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ExtendOSPartition>
        <Extend>$(if ($extendOsPartition) { 'true' } else { 'false' })</Extend>
      </ExtendOSPartition>
      $(if (-not $oobeSystemResealOmit) { ('<Reseal><ForceShutdownNow>{0}</ForceShutdownNow><Mode>{1}</Mode></Reseal>' -f $(if ($oobeSystemResealShutdown) { 'true' } else { 'false' }), $oobeSystemResealMode) })
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
        $(if ($autoLogonDomain) { ('<Domain>{0}</Domain>' -f $autoLogonDomain) } else { '<Domain />' })
        <Username>$autoLogonUsername</Username>
        <Password>
          <Value>$(if ($obfuscatePassword) { $encodedAutoLogonPassword } else { ('<![CDATA[{0}]]>' -f $autoLogonPassword) })</Value>
          <PlainText>$(if ($obfuscatePassword) { 'false' } else { 'true' })</PlainText>
        </Password>
        <Enabled>$(if ($autoLogonEnabled) { 'true' } else { 'false' })</Enabled>
        <LogonCount>$autoLogonCount</LogonCount>
      </AutoLogon>
      <OOBE>
        <HideEULAPage>$(if ($hideEULAPage) { 'true' } else { 'false' })</HideEULAPage>
        $(if ($os -ne 'Windows 7') { ('<HideOEMRegistrationScreen>{0}</HideOEMRegistrationScreen>' -f $(if ($hideOEMRegistrationScreen) { 'true' } else { 'false' })) })
        $(if ($os -ne 'Windows 7') { ('<HideOnlineAccountScreens>{0}</HideOnlineAccountScreens>' -f $(if ($hideOnlineAccountScreens) { 'true' } else { 'false' })) })
        <HideWirelessSetupInOOBE>$(if ($hideWirelessSetupInOOBE) { 'true' } else { 'false' })</HideWirelessSetupInOOBE>
        <NetworkLocation>$networkLocation</NetworkLocation>
        <SkipUserOOBE>$(if ($skipUserOOBE) { 'true' } else { 'false' })</SkipUserOOBE>
        <SkipMachineOOBE>$(if ($skipMachineOOBE) { 'true' } else { 'false' })</SkipMachineOOBE>
        <ProtectYourPC>$protectYourPC</ProtectYourPC>
      </OOBE>
      $(if ($os -eq 'Windows 7') { ('<ShowWindowsLive>{0}</ShowWindowsLive>' -f $(if ($showWindowsLive) { 'true' } else { 'false' })) })
      <UserAccounts>
        <AdministratorPassword>
          <Value>$(if ($obfuscatePassword) { $encodedAdministratorPassword } else { ('<![CDATA[{0}]]>' -f $administratorPassword) })</Value>
          <PlainText>$(if ($obfuscatePassword) { 'false' } else { 'true' })</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <RegisteredOrganization>$registeredOrganization</RegisteredOrganization>
      <RegisteredOwner>$registeredOwner</RegisteredOwner>
      $(if ($os -ne 'Windows 7') { ('<DisableAutoDaylightTimeSet>{0}</DisableAutoDaylightTimeSet>' -f $(if ($disableAutoDaylightTimeSet) { 'true' } else { 'false' })) })
      <Display>
        <ColorDepth>$displayColorDepth</ColorDepth>
        <HorizontalResolution>$displayHorizontalResolution</HorizontalResolution>
        <RefreshRate>$displayRefreshRate</RefreshRate>
        <VerticalResolution>$displayVerticalResolution</VerticalResolution>
      </Display>
    </component>
  </settings>
  <settings pass="auditSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
        $(if ($autoLogonDomain) { ('<Domain>{0}</Domain>' -f $autoLogonDomain) } else { '<Domain />' })
        <Username>$autoLogonUsername</Username>
        <Password>
          <Value>$(if ($obfuscatePassword) { $encodedAutoLogonPassword } else { ('<![CDATA[{0}]]>' -f $autoLogonPassword) })</Value>
          <PlainText>$(if ($obfuscatePassword) { 'false' } else { 'true' })</PlainText>
        </Password>
        <Enabled>$(if ($autoLogonEnabled) { 'true' } else { 'false' })</Enabled>
        <LogonCount>$autoLogonCount</LogonCount>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>$(if ($obfuscatePassword) { $encodedAdministratorPassword } else { ('<![CDATA[{0}]]>' -f $administratorPassword) })</Value>
          <PlainText>$(if ($obfuscatePassword) { 'false' } else { 'true' })</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      $(if ($os -ne 'Windows 7') { ('<DisableAutoDaylightTimeSet>{0}</DisableAutoDaylightTimeSet>' -f $(if ($disableAutoDaylightTimeSet) { 'true' } else { 'false' })) })
      <Display>
        <ColorDepth>$displayColorDepth</ColorDepth>
        <HorizontalResolution>$displayHorizontalResolution</HorizontalResolution>
        <RefreshRate>$displayRefreshRate</RefreshRate>
        <VerticalResolution>$displayVerticalResolution</VerticalResolution>
      </Display>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AuditComputerName>
        <MustReboot>$(if ($auditComputerNameMustReboot) { 'true' } else { 'false' })</MustReboot>
        <Name>$auditComputerName</Name>
      </AuditComputerName>
      <ExtendOSPartition>
        <Extend>$(if ($extendOsPartition) { 'true' } else { 'false' })</Extend>
      </ExtendOSPartition>
      $(if (-not $auditSystemResealOmit) { ('<Reseal><ForceShutdownNow>{0}</ForceShutdownNow><Mode>{1}</Mode></Reseal>' -f $(if ($auditSystemResealShutdown) { 'true' } else { 'false' }), $auditSystemResealMode) })
    </component>
  </settings>
  <settings pass="auditUser">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <RegisteredOrganization>$registeredOrganization</RegisteredOrganization>
      <RegisteredOwner>$registeredOwner</RegisteredOwner>
      <Display>
        <ColorDepth>$displayColorDepth</ColorDepth>
        <HorizontalResolution>$displayHorizontalResolution</HorizontalResolution>
        <RefreshRate>$displayRefreshRate</RefreshRate>
        <VerticalResolution>$displayVerticalResolution</VerticalResolution>
      </Display>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="$processorArchitecture" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      $(if (-not $auditUserResealOmit) {
        ('<Reseal><ForceShutdownNow>{0}</ForceShutdownNow><Mode>{1}</Mode></Reseal>' -f $(if ($auditUserResealShutdown) { 'true' } else { 'false' }), $auditUserResealMode)
      } elseif (-not $generalizeOmit) {
        ('<Generalize><ForceShutdownNow>{0}</ForceShutdownNow><Mode>{1}</Mode></Generalize>' -f $(if ($generalizeShutdown) { 'true' } else { 'false' }), $generalizeMode)
      })
    </component>
  </settings>
</unattend>
"@

  )
  begin {
    Write-Log -message ('{0} :: begin - {1:o}' -f $($MyInvocation.MyCommand.Name), (Get-Date).ToUniversalTime()) -severity 'trace';
  }
  process {
    try {
      $unattend = $template.Clone();
      $nsmgr = New-Object System.Xml.XmlNamespaceManager($unattend.NameTable);
      $nsmgr.AddNamespace('ns', 'urn:schemas-microsoft-com:unattend');

      # dns client settings in the specialize settings pass of the Microsoft-Windows-DNS-Client component
      # DNSDomain
      if ($null -ne $dnsDomain) {
        $xmlDNSDomain = $unattend.CreateElement('DNSDomain', $unattend.DocumentElement.NamespaceURI);
        $xmlDNSDomain.AppendChild($unattend.CreateTextNode($dnsDomain)) | Out-Null;
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-DNS-Client']", $nsmgr).AppendChild($xmlDNSDomain) | Out-Null;
        Write-Log -message ('{0} :: DNSDomain set to {1} in the Microsoft-Windows-DNS-Client component of the specialize settings pass' -f $($MyInvocation.MyCommand.Name), $dnsDomain) -severity 'debug';
      } else {
        Write-Log -message ('{0} :: DNSDomain ommitted from the Microsoft-Windows-DNS-Client component of the specialize settings pass' -f $($MyInvocation.MyCommand.Name)) -severity 'debug';
      }
      # DNSSuffixSearchOrder
      if (($null -ne $dnsSuffixSearchOrder) -and ($dnsSuffixSearchOrder.Length)) {
        $xmlDNSSuffixSearchOrder = $unattend.CreateElement('DNSSuffixSearchOrder', $unattend.DocumentElement.NamespaceURI);
        $xmlDNSSuffixSearchOrderDomainNameKeyValue = 0;
        foreach ($domainName in $dnsSuffixSearchOrder) {
          $xmlDNSSuffixSearchOrderDomainName = $unattend.CreateElement('DomainName', $unattend.DocumentElement.NamespaceURI);
          $xmlDNSSuffixSearchOrderDomainName.SetAttribute('action', 'http://schemas.microsoft.com/WMIConfig/2002/State', 'add') | Out-Null;
          $xmlDNSSuffixSearchOrderDomainName.SetAttribute('keyValue', 'http://schemas.microsoft.com/WMIConfig/2002/State', (++$xmlDNSSuffixSearchOrderDomainNameKeyValue)) | Out-Null;
          $xmlDNSSuffixSearchOrderDomainName.AppendChild($unattend.CreateTextNode($domainName)) | Out-Null;
          $xmlDNSSuffixSearchOrder.AppendChild($xmlDNSSuffixSearchOrderDomainName) | Out-Null;
          Write-Log -message ('{0} :: DomainName: {1} added to DNSSuffixSearchOrder' -f $($MyInvocation.MyCommand.Name), $domainName) -severity 'debug';
        }
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-DNS-Client']", $nsmgr).AppendChild($xmlDNSSuffixSearchOrder) | Out-Null;
        Write-Log -message ('{0} :: {1} domain name{2} added to the DNSSuffixSearchOrder element of the Microsoft-Windows-DNS-Client component in the specialize settings pass' -f $($MyInvocation.MyCommand.Name), $dnsSuffixSearchOrder.Length, $(if ($dnsSuffixSearchOrder.Length -gt 1) { 's' } else { '' })) -severity 'debug';
      } else {
        Write-Log -message ('{0} :: DNSSuffixSearchOrder ommitted from the Microsoft-Windows-DNS-Client component of the specialize settings pass' -f $($MyInvocation.MyCommand.Name)) -severity 'debug';
      }
      # UseDomainNameDevolution
      if ($null -ne $dnsUseDomainNameDevolution) {
        $xmlUseDomainNameDevolution = $unattend.CreateElement('UseDomainNameDevolution', $unattend.DocumentElement.NamespaceURI);
        $xmlUseDomainNameDevolution.AppendChild($unattend.CreateTextNode($(if ($dnsUseDomainNameDevolution) { 'true' } else { 'false' }))) | Out-Null;
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-DNS-Client']", $nsmgr).AppendChild($xmlUseDomainNameDevolution) | Out-Null;
        Write-Log -message ('{0} :: UseDomainNameDevolution set to {1} in the Microsoft-Windows-DNS-Client component of the specialize settings pass' -f $($MyInvocation.MyCommand.Name), $(if ($dnsUseDomainNameDevolution) { 'true' } else { 'false' })) -severity 'debug';
      } else {
        Write-Log -message ('{0} :: UseDomainNameDevolution ommitted from the Microsoft-Windows-DNS-Client component of the specialize settings pass' -f $($MyInvocation.MyCommand.Name)) -severity 'debug';
      }
      # Interfaces
      if (($null -ne $networkInterfaces) -and ($networkInterfaces.Length)) {
        $xmlInterfaces = $unattend.CreateElement('Interfaces', $unattend.DocumentElement.NamespaceURI);
        foreach ($networkInterface in $networkInterfaces) {
          # Interface
          $xmlInterface = $unattend.CreateElement('Interface', $unattend.DocumentElement.NamespaceURI);
          $xmlInterface.SetAttribute('action', 'http://schemas.microsoft.com/WMIConfig/2002/State', 'add') | Out-Null;
          # Identifier
          $xmlInterfaceIdentifier = $unattend.CreateElement('Identifier', $unattend.DocumentElement.NamespaceURI);
          $xmlInterfaceIdentifier.AppendChild($unattend.CreateTextNode($networkInterface.alias)) | Out-Null;
          $xmlInterface.AppendChild($xmlInterfaceIdentifier) | Out-Null;
          Write-Log -message ('{0} :: Identifier set to: {1} for network interface: {2}' -f $($MyInvocation.MyCommand.Name), $networkInterface.alias, $networkInterface.alias) -severity 'debug';
          if ($null -ne $networkInterface.dns) {
            # DNSDomain
            if ($null -ne $networkInterface.dns.domain) {
              $xmlInterfaceDNSDomain = $unattend.CreateElement('DNSDomain', $unattend.DocumentElement.NamespaceURI);
              $xmlInterfaceDNSDomain.AppendChild($unattend.CreateTextNode($networkInterface.dns.domain)) | Out-Null;
              $xmlInterface.AppendChild($xmlInterfaceDNSDomain) | Out-Null;
              Write-Log -message ('{0} :: DNSDomain set to: {1} for network interface: {2}' -f $($MyInvocation.MyCommand.Name), $networkInterface.dns.domain, $networkInterface.alias) -severity 'debug';
            } else {
              Write-Log -message ('{0} :: DNSDomain element omitted for network interface: {1}' -f $($MyInvocation.MyCommand.Name), $networkInterface.alias) -severity 'debug';
            }
            # DNSServerSearchOrder
            if (($null -ne $networkInterface.dns.search) -and ($networkInterface.dns.search.Length)) {
              $xmlInterfaceDNSServerSearchOrder = $unattend.CreateElement('DNSServerSearchOrder', $unattend.DocumentElement.NamespaceURI);
              # IpAddress
              $xmlInterfaceDNSServerSearchOrderIpAddressKeyValue = 0;
              foreach ($dnsIpAddress in $networkInterface.dns.search) {
                $xmlInterfaceDNSServerSearchOrderIpAddress = $unattend.CreateElement('IpAddress', $unattend.DocumentElement.NamespaceURI);
                $xmlInterfaceDNSServerSearchOrderIpAddress.SetAttribute('action', 'http://schemas.microsoft.com/WMIConfig/2002/State', 'add') | Out-Null;
                $xmlInterfaceDNSServerSearchOrderIpAddress.SetAttribute('keyValue', 'http://schemas.microsoft.com/WMIConfig/2002/State', (++$xmlInterfaceDNSServerSearchOrderIpAddressKeyValue)) | Out-Null;
                $xmlInterfaceDNSServerSearchOrderIpAddress.AppendChild($unattend.CreateTextNode($dnsIpAddress)) | Out-Null;
                $xmlInterfaceDNSServerSearchOrder.AppendChild($xmlInterfaceDNSServerSearchOrderIpAddress) | Out-Null;
                Write-Log -message ('{0} :: IpAddress: {1} added with keyValue: {2} to DNSServerSearchOrder for network interface: {3}' -f $($MyInvocation.MyCommand.Name), $dnsIpAddress, $xmlInterfaceDNSServerSearchOrderIpAddressKeyValue, $networkInterface.alias) -severity 'debug';
              }
              $xmlInterface.AppendChild($xmlInterfaceDNSServerSearchOrder) | Out-Null;
              Write-Log -message ('{0} :: {1} ip address{2} added to DNSServerSearchOrder for network interface: {3}' -f $($MyInvocation.MyCommand.Name), $networkInterface.dns.search.Length, $(if ($networkInterface.dns.search.Length -gt 1) { 'es' } else { '' }), $networkInterface.alias) -severity 'debug';
            } else {
              Write-Log -message ('{0} :: DNSServerSearchOrder element omitted for network interface: {1}' -f $($MyInvocation.MyCommand.Name), $networkInterface.alias) -severity 'debug';
            }
            # EnableAdapterDomainNameRegistration
            if ($null -ne $networkInterface.dns.register) {
              $xmlInterfaceEnableAdapterDomainNameRegistration = $unattend.CreateElement('EnableAdapterDomainNameRegistration', $unattend.DocumentElement.NamespaceURI);
              $xmlInterfaceEnableAdapterDomainNameRegistration.AppendChild($unattend.CreateTextNode($(if ($networkInterface.dns.register) { 'true' } else { 'false' }))) | Out-Null;
              $xmlInterface.AppendChild($xmlInterfaceEnableAdapterDomainNameRegistration) | Out-Null;
              Write-Log -message ('{0} :: EnableAdapterDomainNameRegistration set to: {1} for network interface: {2}' -f $($MyInvocation.MyCommand.Name), $(if ($networkInterface.dns.register) { 'true' } else { 'false' }), $networkInterface.alias) -severity 'debug';
            } else {
              Write-Log -message ('{0} :: EnableAdapterDomainNameRegistration element omitted for network interface: {1}' -f $($MyInvocation.MyCommand.Name), $networkInterface.alias) -severity 'debug';
            }
            # DisableDynamicUpdate
            if ($null -ne $networkInterface.dns.dynamic) {
              $xmlInterfaceDisableDynamicUpdate = $unattend.CreateElement('DisableDynamicUpdate', $unattend.DocumentElement.NamespaceURI);
              $xmlInterfaceDisableDynamicUpdate.AppendChild($unattend.CreateTextNode($(if ($networkInterface.dns.dynamic) { 'false' } else { 'true' }))) | Out-Null;
              $xmlInterface.AppendChild($xmlInterfaceDisableDynamicUpdate) | Out-Null;
              Write-Log -message ('{0} :: DisableDynamicUpdate set to: {1} for network interface: {2}' -f $($MyInvocation.MyCommand.Name), $(if ($networkInterface.dns.dynamic) { 'false' } else { 'true' }), $networkInterface.alias) -severity 'debug';
            } else {
              Write-Log -message ('{0} :: DisableDynamicUpdate element omitted for network interface: {1}' -f $($MyInvocation.MyCommand.Name), $networkInterface.alias) -severity 'debug';
            }
          }
          $xmlInterfaces.AppendChild($xmlInterface) | Out-Null;
          Write-Log -message ('{0} :: Interface: {1} added to Interfaces' -f $($MyInvocation.MyCommand.Name), $networkInterface.alias) -severity 'debug';
        }
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-DNS-Client']", $nsmgr).AppendChild($xmlInterfaces) | Out-Null;
        Write-Log -message ('{0} :: {1} network interface configuration{2} added to Microsoft-Windows-DNS-Client component in the specialize settings pass' -f $($MyInvocation.MyCommand.Name), $networkInterfaces.Length, $(if ($networkInterfaces.Length -gt 1) { 's' } else { '' })) -severity 'debug';
      } else {
        Write-Log -message ('{0} :: network interface configuration ommitted from the Microsoft-Windows-DNS-Client component of the specialize settings pass' -f $($MyInvocation.MyCommand.Name)) -severity 'debug';
      }

      # unattended commands
      $commandPlacements = @(
        # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands-synchronouscommand
        @{
          'pass' = 'oobeSystem';
          'synchronicity' = 'synchronous';
          'commands' = @($commands | ? { $_.Pass -ieq 'oobeSystem' -and $_.Synchronicity -ieq 'synchronous' });
          'list' = 'FirstLogonCommands';
          'item' = 'SynchronousCommand';
          'command' = 'CommandLine';
          'option' = @{
            'name' = 'RequiresUserInput';
            'default' = 'false'
          };
          'parent' = $unattend.SelectSingleNode("//ns:settings[@pass='oobeSystem']/ns:component[@name='Microsoft-Windows-Shell-Setup']", $nsmgr)
        },
        # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-logoncommands-asynchronouscommand
        @{
          'pass' = 'oobeSystem';
          'synchronicity' = 'asynchronous';
          'commands' = @($commands | ? { $_.Pass -ieq 'oobeSystem' -and $_.Synchronicity -ieq 'asynchronous' });
          'list' = 'LogonCommands';
          'item' = 'AsynchronousCommand';
          'command' = 'CommandLine';
          'parent' = $unattend.SelectSingleNode("//ns:settings[@pass='oobeSystem']/ns:component[@name='Microsoft-Windows-Shell-Setup']", $nsmgr)
        },
        # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deployment-runsynchronous-runsynchronouscommand
        @{
          'pass' = 'auditUser';
          'synchronicity' = 'synchronous';
          'commands' = @($commands | ? { $_.Pass -ieq 'auditUser' -and $_.Synchronicity -ieq 'synchronous' });
          'list' = 'RunSynchronous';
          'item' = 'RunSynchronousCommand';
          'command' = 'Path';
          'option' = @{
            'name' = 'WillReboot';
            'default' = 'Never'
          };
          'parent' = $unattend.SelectSingleNode("//ns:settings[@pass='auditUser']/ns:component[@name='Microsoft-Windows-Deployment']", $nsmgr)
        },
        # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deployment-runasynchronous-runasynchronouscommand
        @{
          'pass' = 'auditUser';
          'synchronicity' = 'asynchronous';
          'commands' = @($commands | ? { $_.Pass -ieq 'auditUser' -and $_.Synchronicity -ieq 'asynchronous' });
          'list' = 'RunAsynchronous';
          'item' = 'RunAsynchronousCommand';
          'command' = 'Path';
          'parent' = $unattend.SelectSingleNode("//ns:settings[@pass='auditUser']/ns:component[@name='Microsoft-Windows-Deployment']", $nsmgr)
        },
        # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deployment-runsynchronous-runsynchronouscommand
        @{
          'pass' = 'specialize';
          'synchronicity' = 'synchronous';
          'commands' = @($commands | ? { $_.Pass -ieq 'specialize' -and $_.Synchronicity -ieq 'synchronous' });
          'list' = 'RunSynchronous';
          'item' = 'RunSynchronousCommand';
          'command' = 'Path';
          'option' = @{
            'name' = 'WillReboot';
            'default' = 'Never'
          };
          'parent' = $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Deployment']", $nsmgr)
        },
        # https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deployment-runasynchronous-runasynchronouscommand
        @{
          'pass' = 'specialize';
          'synchronicity' = 'asynchronous';
          'commands' = @($commands | ? { $_.Pass -ieq 'specialize' -and $_.Synchronicity -ieq 'asynchronous' });
          'list' = 'RunAsynchronous';
          'item' = 'RunAsynchronousCommand';
          'command' = 'Path';
          'parent' = $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Deployment']", $nsmgr)
        }
      );
      foreach ($commandPlacement in $commandPlacements) {
        if ($commandPlacement.commands -and $commandPlacement.commands.Length) {
          $xmlCommandList = $unattend.CreateElement($commandPlacement.list, $unattend.DocumentElement.NamespaceURI);
          # arrays of hashtables require slightly more complex sorting definitions (see: https://stackoverflow.com/a/37034736/68115)
          $passCommands = @($commandPlacement.commands | Sort-Object -Property @{ 'Expression' = { $_.Priority }; 'Descending' = $false });
          $order = 0;
          foreach ($command in $passCommands) {
            $xmlCommandElement = $unattend.CreateElement($commandPlacement.item, $unattend.DocumentElement.NamespaceURI);
            $xmlCommandElement.SetAttribute('action', 'http://schemas.microsoft.com/WMIConfig/2002/State', 'add') | Out-Null;
            $xmlCommandElementChildren = @(
              @{
                'name' = 'Order';
                'value' = ++$order
              },
              @{
                'name' = 'Description';
                'value' = $command['Description']
              },
              @{
                'name' = $commandPlacement.command;
                'value' = $command['CommandLine']
              }
            );
            if ($commandPlacement.option -and $commandPlacement.option.name -and $commandPlacement.option.default) {
              $xmlCommandElementChildren += @{
                'name' = $commandPlacement.option.name;
                'value' = $(if ($command[$commandPlacement.option.name]) { $command[$commandPlacement.option.name] } else { $commandPlacement.option.default })
              };
            }
            foreach ($xmlCommandElementChild in $xmlCommandElementChildren) {
              $xmlCommandElementChildElement = $unattend.CreateElement($xmlCommandElementChild['name'], $unattend.DocumentElement.NamespaceURI);
              $xmlCommandElementChildElement.AppendChild($unattend.CreateTextNode($xmlCommandElementChild['value'])) | Out-Null;
              $xmlCommandElement.AppendChild($xmlCommandElementChildElement) | Out-Null;
            }
            $xmlCommandList.AppendChild($xmlCommandElement) | Out-Null;
            if ($commandPlacement.option -and $commandPlacement.option.name -and $commandPlacement.option.default) {
              Write-Log -message ('{0} :: {1} command with priority {2} added to {3} settings pass ({4}/{5}[{6}] (with attribute {7}: {8})): {9}' -f $($MyInvocation.MyCommand.Name), $commandPlacement.synchronicity, $command['Priority'], $commandPlacement.pass, $commandPlacement.list, $commandPlacement.item, $order, $commandPlacement.option.name, $(if ($command[$commandPlacement.option.name]) { $command[$commandPlacement.option.name] } else { $commandPlacement.option.default }), $command['Description']) -severity 'debug';
            } else {
              Write-Log -message ('{0} :: {1} command with priority {2} added to {3} settings pass ({4}/{5}[{6}]): {7}' -f $($MyInvocation.MyCommand.Name), $commandPlacement.synchronicity, $command['Priority'], $commandPlacement.pass, $commandPlacement.list, $commandPlacement.item, $order, $command['Description']) -severity 'debug';
            }
          }
          $commandPlacement.parent.AppendChild($xmlCommandList) | Out-Null;
          Write-Log -message ('{0} :: {1} added to {2} settings pass' -f $($MyInvocation.MyCommand.Name), $commandPlacement.list, $commandPlacement.pass) -severity 'debug';
        } else {
          Write-Log -message ('{0} :: no {1} commands detected for {2} settings pass' -f $($MyInvocation.MyCommand.Name), $commandPlacement.synchronicity, $commandPlacement.pass) -severity 'debug';
        }
      }
      # todo: move logic below into template
      if (($os -ne 'Windows 7') -or (($os -eq 'Windows 7') -and (-not $enableRDP))) {
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']", $nsmgr).RemoveChild($unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-TerminalServices-LocalSessionManager']", $nsmgr)) | Out-Null;
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']", $nsmgr).RemoveChild($unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-TerminalServices-RDP-WinStationExtensions']", $nsmgr)) | Out-Null;
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']", $nsmgr).RemoveChild($unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Networking-MPSSVC-Svc']", $nsmgr)) | Out-Null;
      }
      if (-not $computerName) {
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Shell-Setup']", $nsmgr).RemoveChild($unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Shell-Setup']/ns:ComputerName", $nsmgr)) | Out-Null;
      }
      if (-not $productKey) {
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Shell-Setup']", $nsmgr).RemoveChild($unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Shell-Setup']/ns:ProductKey", $nsmgr)) | Out-Null;
      }
      if (-not $timeZone) {
        $unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Shell-Setup']", $nsmgr).RemoveChild($unattend.SelectSingleNode("//ns:settings[@pass='specialize']/ns:component[@name='Microsoft-Windows-Shell-Setup']/ns:TimeZone", $nsmgr)) | Out-Null;
      }
      $unattend.Save($destinationPath) | Out-Null;
    } catch {
      Write-Log -message ('{0} :: exception: {1}' -f $($MyInvocation.MyCommand.Name), $_.Exception.Message) -severity 'warn';
      if ($_.Exception.InnerException) {
        Write-Log -message ('{0} :: inner exception: {1}' -f $($MyInvocation.MyCommand.Name), $_.Exception.InnerException.Message) -severity 'warn';
      }
    }
  }
  end {
    Write-Log -message ('{0} :: end - {1:o}' -f $($MyInvocation.MyCommand.Name), (Get-Date).ToUniversalTime()) -severity 'trace';
  }
}

function New-Password {
  <#
  .SYNOPSIS
    Creates a new random password
  .DESCRIPTION
  #>

  [CmdletBinding()]
  param (
    [int] $length = 12,
    [int] $nonAlphaChars = 3
  )
  begin {
    Write-Log -message ('{0} :: begin - {1:o}' -f $($MyInvocation.MyCommand.Name), (Get-Date).ToUniversalTime()) -severity 'trace' -supressOutput:$true;
  }
  process {
    try {
      Add-Type -AssemblyName 'System.Web';
      return ([System.Web.Security.Membership]::GeneratePassword($length, $nonAlphaChars));
    } catch {
      return (& openssl @('rand', '-base64', $length));
    }
  }
  end {
    Write-Log -message ('{0} :: end - {1:o}' -f $($MyInvocation.MyCommand.Name), (Get-Date).ToUniversalTime()) -severity 'trace' -supressOutput:$true;
  }
}