From 35fdc371fb1fc69706bfe012d2fdac468b97c057 Mon Sep 17 00:00:00 2001
From: Alexey-Ayupov <116575425+Alexey-Ayupov@users.noreply.github.com>
Date: Fri, 4 Jul 2025 14:45:17 +0200
Subject: [PATCH] Validate MS Defender is not installed (#12529)

---
 .../scripts/build/post-build-validation.sh | 19 +++++++++++++++++++
 .../templates/build.ubuntu-22_04.pkr.hcl | 6 ++++++
 .../templates/build.ubuntu-24_04.pkr.hcl | 6 ++++++
 3 files changed, 31 insertions(+)
 create mode 100644 images/ubuntu/scripts/build/post-build-validation.sh

diff --git a/images/ubuntu/scripts/build/post-build-validation.sh b/images/ubuntu/scripts/build/post-build-validation.sh
new file mode 100644
index 000000000..0526de837
--- /dev/null
+++ b/images/ubuntu/scripts/build/post-build-validation.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+################################################################################
+## File: post-build-validation.sh
+## Desc: Validate different aspects of the image after build
+################################################################################
+
+echo "Test microsoft defender not installed using '-d /opt/microsoft/mdatp'"
+# Validate Defender not installed test 1
+if [ -d /opt/microsoft/mdatp ]; then
+    echo "Microsoft Defender for Endpoint is installed."
+    exit 1
+fi
+
+echo "Test microsoft defender not installed using 'systemctl list-units --type=service --all | grep mdatp'"
+# Validate Defender not installed test 2
+if systemctl list-units --type=service --all | grep -w mdatp &>/dev/null; then
+    echo "Microsoft Defender for Endpoint is installed."
+    exit 1
+fi
diff --git a/images/ubuntu/templates/build.ubuntu-22_04.pkr.hcl b/images/ubuntu/templates/build.ubuntu-22_04.pkr.hcl
index 180fbf6d6..05259514b 100644
--- a/images/ubuntu/templates/build.ubuntu-22_04.pkr.hcl
+++ b/images/ubuntu/templates/build.ubuntu-22_04.pkr.hcl
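Review bot: The second check, `if systemctl list-units --type=service --all | grep -w mdatp`, only sees units that systemd has loaded into memory, so an agent whose unit file is installed but has never been started or enabled would presumably pass this validation; if the intent is "not installed" rather than "not running", `systemctl list-unit-files --type=service --no-pager 2>/dev/null | grep -qw mdatp` covers installed unit files, and `grep -q` replaces the `&>/dev/null` redirection. Both failure branches print the identical message `"Microsoft Defender for Endpoint is installed."` to stdout, so a build log cannot tell which probe fired; consider distinct messages sent to stderr, e.g. `echo "Microsoft Defender for Endpoint is installed (unit found)." >&2`. Relying on `-e` in the shebang is fragile because it is dropped when the file is run as `bash post-build-validation.sh`; a `set -e` line after the header keeps the exit-on-error behaviour regardless of how the script is invoked.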
@@ -238,6 +238,12 @@ build {
     inline = ["mkdir -p /etc/vsts", "cp /tmp/ubuntu2204.conf /etc/vsts/machine_instance.conf"]
   }
 
+  provisioner "shell" {
+    environment_vars = ["HELPER_SCRIPTS=${var.helper_script_folder}"]
+    execute_command = "sudo sh -c '{{ .Vars }} {{ .Path }}'"
+    scripts = ["${path.root}/../scripts/build/post-build-validation.sh"]
+  }
+
   provisioner "shell" {
     execute_command = "sudo sh -c '{{ .Vars }} {{ .Path }}'"
     inline = ["sleep 30", "/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"]
diff --git a/images/ubuntu/templates/build.ubuntu-24_04.pkr.hcl b/images/ubuntu/templates/build.ubuntu-24_04.pkr.hcl
index 6aba4e71f..94f595c33 100644
--- a/images/ubuntu/templates/build.ubuntu-24_04.pkr.hcl
+++ b/images/ubuntu/templates/build.ubuntu-24_04.pkr.hcl
@@ -217,6 +217,12 @@ provisioner "shell" {
     scripts = ["${path.root}/../scripts/build/configure-system.sh"]
   }
 
+  provisioner "shell" {
+    environment_vars = ["HELPER_SCRIPTS=${var.helper_script_folder}"]
+    execute_command = "sudo sh -c '{{ .Vars }} {{ .Path }}'"
+    scripts = ["${path.root}/../scripts/build/post-build-validation.sh"]
+  }
+
   provisioner "shell" {
     execute_command = "sudo sh -c '{{ .Vars }} {{ .Path }}'"
     inline = ["sleep 30", "/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"]
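Review bot: The added provisioner sets `environment_vars = ["HELPER_SCRIPTS=${var.helper_script_folder}"]`, but post-build-validation.sh as added in this commit never reads `HELPER_SCRIPTS` or sources anything from it, so the line is dead configuration in both the 22_04 hunk here and the identical 24_04 hunk below. Either drop the `environment_vars` line from both templates, or add a one-line comment above it in the script, `# HELPER_SCRIPTS is exported by the packer template for future checks that need the shared helpers`, so the next reader knows it is intentional. The build block continues outside both hunks.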