[Windows] Disable BitLocker before GOSC #515

Merged
merged 11 commits into from
Nov 17, 2023
1 change: 1 addition & 0 deletions windows/gosv_testcase_list.yml
Expand Up @@ -30,6 +30,7 @@
- import_playbook: wsl_distro_install_uninstall/wsl_distro_install_uninstall.yml
- import_playbook: vbs_enable_disable/vbs_enable_disable.yml
- import_playbook: eflow_deploy/eflow_deploy.yml
- import_playbook: mdag_enable_disable/mdag_enable_disable.yml
- import_playbook: wintools_uninstall_verify/wintools_uninstall_verify.yml
- import_playbook: cpu_hot_add_basic/cpu_hot_add_basic.yml
...
48 changes: 37 additions & 11 deletions windows/guest_customization/win_gosc_prepare.yml
Expand Up @@ -6,7 +6,7 @@
# Note: refer to this page to set time zone id and name:
# https://msdn.microsoft.com/en-us/library/ms912391.aspx
#
- name: Set fact of the common parameters in static and dhcp GOSC spec
- name: "Set fact of the common parameters in static and dhcp GOSC spec"
ansible.builtin.set_fact:
customize_gos_hostname: 'gosc-test-win'
customize_domain: "autotest.com"
Expand All @@ -17,47 +17,73 @@
customize_timezone_name: "Hawaiian Standard Time"
gosc_dns_servers: ['192.168.0.1', '192.168.0.2']
customize_runonce_echo_string: 'Windows gosc automation test'
- name: Set fact of the run once command

- name: "Set fact of the run once command"
ansible.builtin.set_fact:
customize_runonce: "cmd.exe /c echo {{ customize_runonce_echo_string }} > C:\\gosc_runonce.txt"

- name: Set fact of the VM guest IP before GOSC
- name: "Set fact of the VM guest IP before GOSC"
ansible.builtin.set_fact:
guest_ip_before_gosc: "{{ vm_guest_ip }}"

# Get guest OS hostname from VM guestinfo
- include_tasks: ../../common/vm_get_config.yml
- name: "Get guest OS hostname from VM guestinfo"
include_tasks: ../../common/vm_get_config.yml
vars:
property_list: ['guest.hostName']

- name: Set fact of the hostname before GOSC
- name: "Set fact of the hostname before GOSC"
ansible.builtin.set_fact:
hostname_before_gosc: "{{ vm_config.guest.hostName }}"

- ansible.builtin.debug:
msg: "Get guest OS hostname/IP before customization: {{ hostname_before_gosc }}/{{ guest_ip_before_gosc }}"

- name: Set fact of default Windows dir
- name: "Set fact of default Windows dir"
ansible.builtin.set_fact:
win_dir: '$env:windir'
- include_tasks: ../utils/win_get_path.yml

- name: "Get OS directory"
include_tasks: ../utils/win_get_path.yml
vars:
win_get_path_specified: "{{ win_dir }}"
- name: Set fact of the absolute path of Windows dir

- name: "Set fact of the absolute path of Windows dir"
ansible.builtin.set_fact:
win_dir: "{{ win_get_path_absolute }}"
- ansible.builtin.debug:
msg: "Windows GOSC log files in Windows dir: {{ win_dir }}"

# Uninstall OneDrive in Windows 11 for the known 3rd-party issue
# Paramter 'uninstall_onedrive' is used for internal testing only
- include_tasks: uninstall_onedrive.yml
- name: "Uninstall OneDrive"
include_tasks: uninstall_onedrive.yml
when:
- uninstall_onedrive is defined
- uninstall_onedrive | bool
- guest_os_ansible_distribution_ver is version('10.0.22000.0', '>=')
- guest_os_product_type | lower == 'client'

# Disable BitLocker which will cause sysprep failure.
# BitLocker is not installed by default on Windows Server.
- name: "Disable BitLocker"
when: guest_os_product_type | lower == 'client'
block:
- name: "Get BitLocker service status"
include_tasks: ../utils/win_get_service_status.yml
vars:
win_service_name: "BDESVC"

- name: "Stop and disable BitLocker service in guest OS"
include_tasks: ../utils/win_execute_cmd.yml
vars:
win_powershell_cmd: "Set-Service -Name BDESVC -Status stopped -StartupType disabled"
when: service_status == "Running"

- name: "Decrypt Bitlocker volumes"
include_tasks: ../utils/win_decrypt_bitlocker_volume.yml

# Shutdown guest OS before execute guest customization
- include_tasks: ../utils/win_shutdown_restart.yml
- name: "Shutdown OS"
include_tasks: ../utils/win_shutdown_restart.yml
vars:
set_win_power_state: "shutdown"
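Review bot: The "Stop and disable BitLocker service" task only runs when `service_status == "Running"`, so a BDESVC that is currently stopped but still has an Automatic/Manual start type keeps that start type and can come back on the reboot that follows the shutdown task; `Set-Service -Name BDESVC -Status stopped -StartupType disabled` should be harmless on an already-stopped service, so the `when` can be dropped (or changed to test the start type, if win_get_service_status.yml reports it — that helper and the `service_status` fact are outside this diff). The `when: guest_os_product_type | lower == 'client'` gate rests on the comment that Server lacks BitLocker by default, but the feature can be installed on Server and such a guest would hit the same sysprep failure; gating on cmdlet availability, e.g. `Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue`, would cover both product types. Nothing in the block re-enables protection afterwards, which deserves a comment next to "Disable BitLocker": `# NOTE: decryption is permanent; the guest's OS volume stays unprotected after GOSC unless BitLocker is re-enabled.`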
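--- /dev/null
+++ b/windows/utils/win_decrypt_bitlocker_volume.yml
@@ -0,0 +1,43 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Decrypt the BitLocker encrypted volumes
+# Parameters:
+#   decrypt_wait_time: the time in seconds to wait for the volume decryption.
+#
+- name: "Get encrypted volumes in guest OS"
+  include_tasks: win_get_bitlocker_volume.yml
+
+- name: "Decrypt the BitLocker volumes"
+  when: bitlocker_volume_list | length > 0
+  block:
+    - name: "Initialize the decryption wait time"
+      ansible.builtin.set_fact:
+        decrypt_wait_time: 900
+      when: decrypt_wait_time is undefined or not decrypt_wait_time
+
+    - name: "Decrypt the BitLocker volumes"
+      include_tasks: win_execute_cmd.yml
+      vars:
+        win_powershell_cmd: >-
+          $BLV = Get-BitLockerVolume;
+          Disable-BitLocker -MountPoint $BLV
+
+    - name: "Check if Decryption is completed"
+      ansible.windows.win_shell: "(Get-BitLockerVolume | Where-Object { $_.EncryptionPercentage -GT 0 } | measure).Count"
+      register: decrypt_volume_result
+      delegate_to: "{{ vm_guest_ip }}"
+      ignore_errors: true
+      until:
+        - decrypt_volume_result.stdout_lines is defined
+        - decrypt_volume_result.stdout_lines | length != 0
+        - decrypt_volume_result.stdout_lines[0] | int == 0
+      retries: "{{ (decrypt_wait_time | int / 60) | int }}"
+      delay: 60
+
+    - name: "Volume decryption failed"
+      ansible.builtin.fail:
+        msg: "Failed to decrypt the OS volumes in {{ decrypt_wait_time }} seconds."
+      when:
+        - decrypt_volume_result.failed is defined
+        - decrypt_volume_result.failed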
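Review bot: `Disable-BitLocker -MountPoint $BLV` in the "Decrypt the BitLocker volumes" task is run against every volume `Get-BitLockerVolume` returns, so the `bitlocker_volume_list` gathered just above (volumes with EncryptionPercentage > 0) is used only for the `when` gate and fully decrypted volumes are handed to Disable-BitLocker as well; piping the same filter keeps the two consistent: `Get-BitLockerVolume | Where-Object { $_.EncryptionPercentage -gt 0 } | Disable-BitLocker`. The completion loop treats "no volume above 0 %" as done and the failure message reports only the elapsed time, so a stalled decryption is indistinguishable from a slow one; including `VolumeStatus` and `EncryptionPercentage` in the `fail` message would make a timeout diagnosable. The header comment should state the security consequence, since nothing here restores protection: `#   Note: decryption is permanent for this guest; data-at-rest protection is gone until BitLocker is re-enabled.` As a point of style, the "Check if Decryption is completed" task calls `ansible.windows.win_shell` with `delegate_to` directly while the rest of the file goes through win_execute_cmd.yml.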
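--- /dev/null
+++ b/windows/utils/win_get_bitlocker_volume.yml
@@ -0,0 +1,22 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Get the volumes encrypted by BitLocker Device Encryption
+# Return:
+#   bitlocker_volume_list: the list of encrypted volume drives
+#
+- name: "Initialize the BtiLocker volume list"
+  ansible.builtin.set_fact:
+    bitlocker_volume_list: []
+
+- name: "Get BitLocker encrypted volumes"
+  include_tasks: win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "(Get-BitLockerVolume | Where-Object { $_.EncryptionPercentage -GT 0 }).MountPoint"
+
+- name: "Set BitLocker volume list"
+  ansible.builtin.set_fact:
+    bitlocker_volume_list: "{{ win_powershell_cmd_output.stdout_lines | select }}"
+  when:
+    - win_powershell_cmd_output.stdout_lines is defined
+    - win_powershell_cmd_output.stdout_lines | length != 0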
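Review bot: The header comment says the file returns volumes encrypted by "BitLocker Device Encryption", but the `EncryptionPercentage -GT 0` filter returns any fully or partially BitLocker-encrypted volume regardless of how it was enabled, including ones whose protection is suspended; suggest `# Get the volumes that are fully or partially encrypted by BitLocker (any enablement method)`. On a guest without the BitLocker cmdlets (Server without the feature, some client SKUs) `Get-BitLockerVolume` is not a recognized command, and whether win_execute_cmd.yml turns that into a play failure is not visible here — guarding with `if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) { ... }` would keep the empty-list default meaningful. The task name "Initialize the BtiLocker volume list" has a typo (`BitLocker`). `win_powershell_cmd_output` is assumed to be the fact set by win_execute_cmd.yml, which is outside this diff.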