split the function of disable BitLocerk service and decrypt volume

Signed-off-by: Yanan Shen <yanans@vmware.com>
vmware · Nov 16, 2023 · ca14041 · ca14041
1 parent e318e88
commit ca14041
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 75 deletions.
diff --git a/windows/guest_customization/win_gosc_prepare.yml b/windows/guest_customization/win_gosc_prepare.yml
@@ -64,8 +64,19 @@
     - guest_os_product_type | lower == 'client'
 
 # Disable BitLocker which will cause sysprep failure.
-- name: "Disable Bitlocker"
-  include_tasks: ../utils/win_disable_bitlocker.yml
+- name: "Get BitLocker service status"
+  include_tasks: win_get_service_status.yml
+  vars:
+    win_service_name: "BDESVC"
+
+- name: "Stop and disable BitLocker service in guest OS"
+  include_tasks: win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "Set-Service -Name BDESVC -Status stopped -StartupType disabled"
+  when: service_status == "Running"
+
+- name: "Decrypt Bitlocker volumes"
+  include_tasks: ../utils/win_decrypt_bitlocker_volume.yml
 
 # Shutdown guest OS before execute guest customization
 - name: "Shutdown OS"

diff --git a/windows/utils/win_decrypt_bitlocker_volume.yml b/windows/utils/win_decrypt_bitlocker_volume.yml
@@ -0,0 +1,44 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Decrypt the BitLocker encrypted volumes
+# Parameters:
+#   decrypt_wait_time: the time in seconds to wait for the volume decryption.
+#
+- name: "Get encrypted volumes in guest OS"
+  include_tasks: win_get_bitlocker_volume.yml
+
+- name: "Decrypt the BitLocker volumes"
+  when:  bitlocker_volume_list | length > 0
+  block:
+    - name: "Initialize the decryption wait time"
+      ansible.builtin.set_fact:
+        decrypt_wait_time: 900
+      when: decrypt_wait_time is undefined or not decrypt_wait_time
+
+    - name: "Decrypt the BitLocker volumes"
+      include_tasks: win_execute_cmd.yml
+      vars:
+        win_powershell_cmd: >-
+          $BLV = Get-BitLockerVolume;
+          Disable-BitLocker -MountPoint $BLV
+
+    - name: "Check if Decryption is completed"
+      ansible.windows.win_shell: "(Get-BitLockerVolume | Where-Object { $_.EncryptionPercentage -GT 0 } | measure).Count"
+      register: decrypt_volume_result
+      delegate_to: "{{ vm_guest_ip }}"
+      ignore_errors: true
+      until:
+        - decrypt_volume_result.stdout_lines is defined
+        - decrypt_volume_result.stdout_lines | length != 0
+        - decrypt_volume_result.stdout_lines[0] | int == 0
+      retries: "{{ (decrypt_wait_time | int / 60) | int }}"
+      delay: 60
+
+    - name: "Volume decryption failed"
+      ansible.builtin.fail:
+        msg: "Failed to decrypt the OS volumes in {{ decrypt_wait_time }} seconds."
+      when:
+        - decrypt_volume_result.stdout_lines is defined
+        - decrypt_volume_result.stdout_lines | length != 0
+        - decrypt_volume_result.stdout_lines[0] | int > 0
diff --git a/windows/utils/win_disable_bitlocker.yml b/windows/utils/win_disable_bitlocker.yml
diff --git a/windows/utils/win_get_bitlocker_volume.yml b/windows/utils/win_get_bitlocker_volume.yml
@@ -1,4 +1,4 @@
-# Copyright 2022-2023 VMware, Inc.
+# Copyright 2023 VMware, Inc.
 # SPDX-License-Identifier: BSD-2-Clause
 ---
 # Get the volumes encrypted by BitLocker Device Encryption