[Windows] Configure Windows settings,disable services and scheduled tasks (#5017)

* Configure Windows settings,disable services and scheduled tasks

* some settings are not available on Win16

* Add import New-ItemPath function

* Suppress output

* Disable Chrome and Edge tasks

images/win/scripts/ImageHelpers/ImageHelpers.psm1

@@ -53,4 +53,5 @@ Export-ModuleMember -Function @(
     'Get-VisualStudioInstance'
     'Get-VisualStudioComponents'
     'Get-WindowsUpdatesHistory'
+    'New-ItemPath'
 )

images/win/scripts/ImageHelpers/PathHelpers.ps1

@@ -134,3 +134,13 @@ function Add-DefaultPathItem {
     Set-DefaultPath -NewPath $newPath
     Disconnect-Hive
 }
+
+function New-ItemPath {
+    param (
+        [string]$Path
+    )
+
+    if (-not (Test-Path $Path)) {
+        New-Item -Path $Path -Force -ErrorAction Ignore | Out-Null
+    }
+}

images/win/scripts/Installers/Configure-Antivirus.ps1

@@ -1,9 +1,30 @@
-Write-Host "Set antivirus parameters"
+Write-Host "Disable Windows Defender..."
+Set-MpPreference -DisableArchiveScanning $true
+Set-MpPreference -DisableAutoExclusions  $true
+Set-MpPreference -DisableBehaviorMonitoring $true
+Set-MpPreference -DisableBlockAtFirstSeen $true
+Set-MpPreference -DisableCatchupFullScan $true
+Set-MpPreference -DisableCatchupQuickScan $true
+Set-MpPreference -DisableIntrusionPreventionSystem $true
+Set-MpPreference -DisableIOAVProtection $true
+Set-MpPreference -DisablePrivacyMode $true
+Set-MpPreference -DisableScanningNetworkFiles $true
+Set-MpPreference -DisableScriptScanning $true
+Set-MpPreference -MAPSReporting 0
+Set-MpPreference -PUAProtection 0
+Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
+Set-MpPreference -SubmitSamplesConsent 2
 Set-MpPreference -ScanAvgCPULoadFactor 5 -ExclusionPath "D:\", "C:\"
-
-Write-Host "Disable Antivirus"
 Set-MpPreference -DisableRealtimeMonitoring $true
 
+if (-not (Test-IsWin16)) {
+    Set-MpPreference -EnableControlledFolderAccess Disable
+    Set-MpPreference -EnableNetworkProtection Disabled
+}
+
+Write-Host "Disable Windows Defender scheduled tasks"
+Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' | Disable-ScheduledTask | Out-Null
+
 # https://github.com/actions/virtual-environments/issues/4277
 # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
 $atpRegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

images/win/scripts/Installers/Finalize-VM.ps1

@@ -36,4 +36,106 @@ cmd /c "npm cache clean --force 2>&1" | Out-Null
 # see https://github.com/actions/virtual-environments/issues/1704
 cmd /c "icacls $env:SystemRoot\Temp /grant Users:f /t /c /q 2>&1" | Out-Null
 
+# Registry settings
+$registrySettings = @(
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; Name = "AUOptions"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; Name = "NoAutoUpdate"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "DoNotConnectToWindowsUpdateInternetLocations"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "DisableWindowsUpdateAccess"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata"; Name = "PreventDeviceMetadataFromNetwork"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection"; Name = "AllowTelemetry"; Value = 0; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows"; Name = "CEIPEnable"; Value = 0; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat"; Name = "AITEnable"; Value = 0; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat"; Name = "DisableUAR"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\Software\Policies\Microsoft\Windows\DataCollection"; Name = "AllowTelemetry"; Value = 0; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\DataCollection"; Name = "AllowTelemetry"; Value = 0; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance"; Name = "MaintenanceDisabled"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\MRT"; Name = "DontOfferThroughWUAU"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\MRT"; Name = "DontReportInfectionInformation"; Value = 1; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"; Name = "AllowCortana"; Value = 0; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SYSTEM\CurrentControlSet\Control"; Name = "ServicesPipeTimeout"; Value = 120000; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener"; Name = "Start"; Value = 0; PropertyType = "DWORD"}
+    @{Path = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger"; Name = "Start"; Value = 0; PropertyType = "DWORD"}
+)
+
+$registrySettings | ForEach-Object {
+    $regPath = $PSItem.Path
+    New-ItemPath -Path $regPath
+    New-ItemProperty @PSItem -Force -ErrorAction Ignore
+} | Out-Null
+
+# Disable Template Services / User Services added by Desktop Experience
+$regUserServicesToDisables = @(
+    "HKLM:\SYSTEM\CurrentControlSet\Services\CDPUserSvc"
+    "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc"
+    "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc"
+    "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc"
+    "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc"
+    "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService"
+)
+
+$regUserServicesToDisables | ForEach-Object {
+    $regPath = $_
+    New-ItemPath -Path $regPath
+    New-ItemProperty -Path $regPath -Name "Start" -Value 4 -PropertyType DWORD -Force -ErrorAction Ignore
+    New-ItemProperty -Path $regPath -Name "UserServiceFlags" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+} | Out-Null
+
+
+# Disabled services
+$servicesToDisable = @(
+    "wuauserv"
+    "DiagTrack"
+    "dmwappushservice"
+    "PcaSvc"
+    "SysMain"
+    "gupdate"
+    "gupdatem"
+)
+
+$servicesToDisable | ForEach-Object {
+    Set-Service -Name $_ -StartupType Disabled -ErrorAction Ignore
+} | Out-Null
+
+# Disable scheduled tasks
+$allTasksInTaskPath = @(
+    "\"
+    "\Microsoft\Azure\Security\"
+    "\Microsoft\VisualStudio\"
+    "\Microsoft\VisualStudio\Updates\"
+    "\Microsoft\Windows\Application Experience\"
+    "\Microsoft\Windows\ApplicationData\"
+    "\Microsoft\Windows\Autochk\"
+    "\Microsoft\Windows\Chkdsk\"
+    "\Microsoft\Windows\Customer Experience Improvement Program\"
+    "\Microsoft\Windows\Data Integrity Scan\"
+    "\Microsoft\Windows\Defrag\"
+    "\Microsoft\Windows\Diagnosis\"
+    "\Microsoft\Windows\DiskCleanup\"
+    "\Microsoft\Windows\DiskDiagnostic\"
+    "\Microsoft\Windows\Maintenance\"
+    "\Microsoft\Windows\PI\"
+    "\Microsoft\Windows\Power Efficiency Diagnostics\"
+    "\Microsoft\Windows\Server Manager\"
+    "\Microsoft\Windows\Speech\"
+    "\Microsoft\Windows\UpdateOrchestrator\"
+    "\Microsoft\Windows\Windows Error Reporting\"
+    "\Microsoft\Windows\WindowsUpdate\"
+    "\Microsoft\XblGameSave\"
+)
+
+$allTasksInTaskPath | ForEach-Object {
+    Get-ScheduledTask -TaskPath $_ -ErrorAction Ignore | Disable-ScheduledTask -ErrorAction Ignore
+} | Out-Null
+
+$disableTaskNames = @(
+    @{TaskPath = "\Microsoft\Windows\.NET Framework\"; TaskName = ".NET Framework NGEN v4.0.30319"}
+    @{TaskPath = "\Microsoft\Windows\.NET Framework\"; TaskName = ".NET Framework NGEN v4.0.30319 64"}
+    @{TaskPath = "\Microsoft\Windows\AppID\"; TaskName = "SmartScreenSpecific"}
+)
+
+$disableTaskNames | ForEach-Object {
+    Disable-ScheduledTask @PSItem -ErrorAction Ignore
+} | Out-Null
+
 Write-Host "Finalize-VM.ps1 - completed"