diff --git a/.pwsh/setup.ps1 b/.pwsh/setup.ps1
new file mode 100644
index 0000000..2a0bdec
--- /dev/null
+++ b/.pwsh/setup.ps1
@@ -0,0 +1,65 @@
+# Windows initial setup script
+# Run as Administrator: powershell -ExecutionPolicy Bypass -File setup.ps1
+
+# packages
+$packages = @(
+ "Microsoft.WindowsTerminal"
+ "Microsoft.PowerShell"
+ "Microsoft.OpenSSH.Beta"
+ "Microsoft.VisualStudioCode"
+ "Microsoft.WSL"
+ "Microsoft.PowerToys"
+ "Git.Git"
+ "Vim.Vim"
+ "Nvidia.CUDA"
+ "Mozilla.Firefox"
+ "Python.Python.3.13"
+ "jqlang.jq"
+ "Anthropic.ClaudeCode"
+)
+
+foreach ($pkg in $packages) {
+ Write-Host "Installing $pkg ..." -ForegroundColor Cyan
+ winget install --id $pkg --accept-source-agreements --accept-package-agreements -e
+}
+
+# enable and start sshd
+Write-Host "Setting up OpenSSH Server ..." -ForegroundColor Cyan
+Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 2>$null
+Set-Service -Name sshd -StartupType Automatic
+Start-Service sshd
+New-NetFirewallRule -Name "OpenSSH-Server" -DisplayName "OpenSSH Server" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 2>$null
+
+# configure sshd
+Write-Host "Configuring sshd ..." -ForegroundColor Cyan
+$sshdConfig = "C:\ProgramData\ssh\sshd_config"
+if (Test-Path $sshdConfig) {
+ $content = Get-Content $sshdConfig -Raw
+ # disable password auth, enable empty passwords, disable admin authorized_keys override
+ if ($content -notmatch "(?m)^PasswordAuthentication no") {
+ Add-Content $sshdConfig "`nPasswordAuthentication no"
+ }
+ if ($content -notmatch "(?m)^PermitEmptyPasswords yes") {
+ Add-Content $sshdConfig "PermitEmptyPasswords yes"
+ }
+ # comment out Match Group administrators if not already
+ (Get-Content $sshdConfig) | ForEach-Object {
+ if ($_ -match "^Match Group administrators") { "#$_" } else { $_ }
+ } | Set-Content $sshdConfig
+ Restart-Service sshd
+ Write-Host "sshd configured" -ForegroundColor Green
+}
+
+# set default shell to pwsh for ssh
+# NOTE: if pwsh path is wrong, ssh auth will fail with "Permission denied"
+# verify path with: (Get-Command pwsh).Source
+$pwshPath = (Get-Command pwsh -ErrorAction SilentlyContinue).Source
+if ($pwshPath) {
+ New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value $pwshPath -PropertyType String -Force
+ Write-Host "Default SSH shell: $pwshPath" -ForegroundColor Green
+}
+
+# pin packages to exclude from upgrade --all
+winget pin add --id EpicGames.EpicGamesLauncher 2>$null
+
+Write-Host "Done" -ForegroundColor Green
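Review bot: The sshd block appends `PermitEmptyPasswords yes` to `sshd_config` right after opening TCP 22 inbound, so if password authentication is ever re-enabled, accounts with blank passwords could log in over the network; key-only login does not need it, and I would drop that `if` block or write `PermitEmptyPasswords no`. The appended `PasswordAuthentication no` is also fragile: sshd keeps the first value it reads for a keyword and the `-notmatch` test only looks for the exact `no` line, so an earlier uncommented `PasswordAuthentication yes` would still win; rewriting the existing line in place is safer than `Add-Content`. Commenting out only the `Match Group administrators` line leaves whatever directives sat under it active as global settings, so it is worth validating the result with `sshd -t` before `Restart-Service sshd`. Consider adding `-Profile Private` (or `Domain`) to `New-NetFirewallRule` so port 22 is not opened on public networks.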