diff --git a/env/windows-arm64/azure/README.md b/env/windows-arm64/azure/README.md index fec7f003..5cf8fe4e 100644 --- a/env/windows-arm64/azure/README.md +++ b/env/windows-arm64/azure/README.md @@ -33,13 +33,13 @@ Deployment VMs are set up with invocations of the following az CLI command: ``` az vm create \ --name=MyNewVmName \ - --resource-group=dev_buildlets \ + --resource-group=_buildlets \ --admin-username=gopheradmin \ --admin-password= \ --image=microsoftwindowsdesktop:windows11preview-arm64:win11-22h2-ent:latest \ - --nsg-rule=NONE \ - --size=Standard_D8ps_v5 \ - --subscription= \ + --nsg=_buildlets-security-group \ + --size=Standard_D4ps_v5 \ + --subscription= \ --public-ip-address "" ``` @@ -57,7 +57,8 @@ Once a VM has been created, you can apply Go-specific configuration to it by run az vm run-command invoke \ --command-id=RunPowerShellScript \ --name="MyNewVM" \ - --resource-group=dev_buildlets \ + --subscription= \ + --resource-group=_buildlets \ --scripts @startup.ps1 ``` 
@@ -67,25 +68,27 @@ Notes: * output from the command is in JSON * exit status of the "az" command does NOT accurately reflect exit status of the powershell script. +* errors about things already existing are expected + +## First login + +Log into the new builder as "gopher" at least once so as to go through the "initial login" Windows workflow. Find the VM in the Azure portal, and enter the login in the Bastion section. Choose "no" on all the setup prompts. ## Follow-ons to disable antivirus In later versions of windows, it can be very difficult to completely disable the system's antivirus software, due to "features" such as [tamper protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide), which make it almost impossible to programmatically turn off windows defender (and which ensure that any changes made are undone when the system reboots). -Running this command should help somewhat: +Open Windows Security, Virus & threat protection, Manage settings, and turn off Tamper Protection. Then run this command: ``` az vm run-command invoke \ --command-id=RunPowerShellScript \ --name="MyNewVM" \ - --resource-group=dev_buildlets \ + --subscription= \ + --resource-group=_buildlets \ --scripts @antivirusadditions.ps1 ``` -## First login - -Log into the new builder as "gopher" at least once so as to go through the "initial login" Windows workflow. - ## Builder key Generate a builder key for the VMs according to the directions in [x/build/cmd/genbuilderkey](https://go.googlesource.com/build/+/fdfb99e1de1f68b555502056567be459d98a0e71/cmd/genbuilderkey/README.md). diff --git a/env/windows-arm64/azure/antivirusadditions.ps1 b/env/windows-arm64/azure/antivirusadditions.ps1 index dc283848..8bf16603 100644 --- a/env/windows-arm64/azure/antivirusadditions.ps1 +++ b/env/windows-arm64/azure/antivirusadditions.ps1 
@@ -8,10 +8,8 @@ Write-Host "Adding drive and process exclusions" # Antivirus setup. -$drive = "C" - -Add-MpPreference -ExclusionPath "$(drive):\" -ErrorAction SilentlyContinue -Add-MpPreference -ExclusionProcess "$(drive):\*" -ErrorAction SilentlyContinue +Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue +Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue Write-Host "Attempting to disable scanning engines via Set-MpPreference"
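Review bot: the README does not say what rules `_buildlets-security-group` must contain, in the `az vm create` hunk where `--nsg-rule=NONE` becomes `--nsg=_buildlets-security-group`. With `--nsg-rule=NONE` the command itself asked for a security group with no rule opened; after this change the VM's inbound exposure depends on a group defined somewhere else. Suggest adding a sentence that states the rules the group is expected to carry, or points to where it is created, and a short note on why the size moves from `Standard_D8ps_v5` to `Standard_D4ps_v5`.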
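Review bot: the values on the added `--subscription= \` and `--resource-group=_buildlets \` lines of the first `az vm run-command invoke` hunk in README.md are ambiguous as written. Nothing follows `--subscription=`, and a reader cannot tell whether `_buildlets` is the literal resource group name or a suffix that needs an environment prefix in front of it. Suggest using one explicit placeholder style for both and adding a sentence saying what to substitute; the same applies to the `az vm create` and `antivirusadditions.ps1` invocations changed elsewhere in this patch.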
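Review bot: the antivirus section of the README hunk at `@@ -67,25 +68,27 @@` has no verification step after the new manual instruction "turn off Tamper Protection. Then run this command". The same section says changes may be undone on reboot, and the notes above it say the `az` exit status does not reflect the script's exit status, so an operator has no way to confirm the builder ended up in the intended state. Suggest adding a check to run after a reboot, for example inspecting `Get-MpComputerStatus` and `Get-MpPreference` output, and saying which account performs the Windows Security step now that "First login" precedes it. The new bullet "errors about things already existing are expected" would also be easier to act on if it named the errors that are safe to ignore.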
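Review bot: both rewritten `Add-MpPreference` lines in antivirusadditions.ps1 keep `-ErrorAction SilentlyContinue`, so a failure to register the exclusions is swallowed and the script continues to "Attempting to disable scanning engines" with no signal. The removed form `"$(drive):\"` is a subexpression that invokes a command named `drive` rather than reading `$drive`, which suggests the exclusions were not being applied as intended and nobody noticed. Suggest dropping `SilentlyContinue` here, or printing the `ExclusionPath` and `ExclusionProcess` values from `Get-MpPreference` afterwards so the JSON output shows what was applied. Since `C:\` and `C:\*` exclude the whole system drive and every process on it, a comment stating that this breadth is intentional for builders would help the next reader.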