From cb8931646fd2a679f676122db5c6896933969b98 Mon Sep 17 00:00:00 2001
From: Aleksandr Chebotov <47745270+al-cheb@users.noreply.github.com>
Date: Tue, 8 Feb 2022 17:09:32 +0300
Subject: [PATCH] [Windows] Configure Windows settings,disable services and scheduled tasks (#5017)
* Configure Windows settings,disable services and scheduled tasks
* some settings are not available on Win16
* Add import New-ItemPath function
* Suppress output
* Disable Chrome and Edge tasks
---
 .../scripts/ImageHelpers/ImageHelpers.psm1 | 1 +
 .../win/scripts/ImageHelpers/PathHelpers.ps1 | 10 ++
 .../Installers/Configure-Antivirus.ps1 | 27 ++++-
 images/win/scripts/Installers/Finalize-VM.ps1 | 102 ++++++++++++++++++
 4 files changed, 137 insertions(+), 3 deletions(-)
diff --git a/images/win/scripts/ImageHelpers/ImageHelpers.psm1 b/images/win/scripts/ImageHelpers/ImageHelpers.psm1
index 531530f4b..94cd2ea4b 100644
--- a/images/win/scripts/ImageHelpers/ImageHelpers.psm1
+++ b/images/win/scripts/ImageHelpers/ImageHelpers.psm1
@@ -53,4 +53,5 @@ Export-ModuleMember -Function @(
 'Get-VisualStudioInstance'
 'Get-VisualStudioComponents'
 'Get-WindowsUpdatesHistory'
+ 'New-ItemPath'
 )
diff --git a/images/win/scripts/ImageHelpers/PathHelpers.ps1 b/images/win/scripts/ImageHelpers/PathHelpers.ps1
index af4bd5ef5..f8dc0ecb9 100644
--- a/images/win/scripts/ImageHelpers/PathHelpers.ps1
+++ b/images/win/scripts/ImageHelpers/PathHelpers.ps1
@@ -134,3 +134,13 @@ function Add-DefaultPathItem {
 Set-DefaultPath -NewPath $newPath
 Disconnect-Hive
 }
+
+function New-ItemPath {
+ param (
+ [string]$Path
+ )
+
+ if (-not (Test-Path $Path)) {
+ New-Item -Path $Path -Force -ErrorAction Ignore | Out-Null
+ }
+}
diff --git a/images/win/scripts/Installers/Configure-Antivirus.ps1 b/images/win/scripts/Installers/Configure-Antivirus.ps1
index 7cbf43b39..cca4a09b8 100644
--- a/images/win/scripts/Installers/Configure-Antivirus.ps1
+++ b/images/win/scripts/Installers/Configure-Antivirus.ps1
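Review bot: `New-ItemPath` accepts an unset or empty `$Path`, and the `-ErrorAction Ignore` on `New-Item` hides any failure to create the key, so a caller that then writes a policy value under that path (Finalize-VM.ps1 in this same commit) silently skips the setting; `Test-Path` with an empty string raises a parameter-binding error rather than returning `$false`. Declare the parameter as `[Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string]$Path` and either let `New-Item` fail loudly or `Write-Warning` when `Test-Path $Path` is still false afterwards, so an unapplied registry policy is visible in the build log. The function also has no comment-based help; a one-line `<# .SYNOPSIS Create the item (directory or registry key) at -Path if it does not already exist. #>` would document the contract the new export relies on.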
@@ -1,9 +1,30 @@
-Write-Host "Set antivirus parameters"
+Write-Host "Disable Windows Defender..."
+Set-MpPreference -DisableArchiveScanning $true
+Set-MpPreference -DisableAutoExclusions $true
+Set-MpPreference -DisableBehaviorMonitoring $true
+Set-MpPreference -DisableBlockAtFirstSeen $true
+Set-MpPreference -DisableCatchupFullScan $true
+Set-MpPreference -DisableCatchupQuickScan $true
+Set-MpPreference -DisableIntrusionPreventionSystem $true
+Set-MpPreference -DisableIOAVProtection $true
+Set-MpPreference -DisablePrivacyMode $true
+Set-MpPreference -DisableScanningNetworkFiles $true
+Set-MpPreference -DisableScriptScanning $true
+Set-MpPreference -MAPSReporting 0
+Set-MpPreference -PUAProtection 0
+Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
+Set-MpPreference -SubmitSamplesConsent 2
 Set-MpPreference -ScanAvgCPULoadFactor 5 -ExclusionPath "D:\", "C:\"
-
-Write-Host "Disable Antivirus"
 Set-MpPreference -DisableRealtimeMonitoring $true
+if (-not (Test-IsWin16)) {
+ Set-MpPreference -EnableControlledFolderAccess Disable
+ Set-MpPreference -EnableNetworkProtection Disabled
+}
+
+Write-Host "Disable Windows Defender scheduled tasks"
+Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' | Disable-ScheduledTask | Out-Null
+
 # https://github.com/actions/virtual-environments/issues/4277
 # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide
 $atpRegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
diff --git a/images/win/scripts/Installers/Finalize-VM.ps1 b/images/win/scripts/Installers/Finalize-VM.ps1
index 7ff69f898..dd78ba826 100644
--- a/images/win/scripts/Installers/Finalize-VM.ps1
+++ b/images/win/scripts/Installers/Finalize-VM.ps1
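Review bot: `Set-MpPreference -EnableControlledFolderAccess Disable` passes `Disable` where the line right below passes `Disabled`; the parameter is an enum whose value is `Disabled`, and PowerShell enum binding matches whole names rather than prefixes, so this line presumably fails to bind and leaves Controlled Folder Access at its previous value while the script continues. Change it to `Set-MpPreference -EnableControlledFolderAccess Disabled`. The new `Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' | Disable-ScheduledTask | Out-Null` has no `-ErrorAction`, unlike the equivalent loops added to Finalize-VM.ps1 in this commit; decide explicitly whether a failure here should abort the image build or be ignored, and make the two scripts agree. The fifteen consecutive `Set-MpPreference` calls could be one call with a splatted hashtable, which would also make the intended Defender state readable in one place.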
@@ -36,4 +36,106 @@ cmd /c "npm cache clean --force 2>&1" | Out-Null
 # see https://github.com/actions/virtual-environments/issues/1704
 cmd /c "icacls $env:SystemRoot\Temp /grant Users:f /t /c /q 2>&1" | Out-Null
+# Registry settings
+$registrySettings = @(
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; Name = "AUOptions"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; Name = "NoAutoUpdate"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "DoNotConnectToWindowsUpdateInternetLocations"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "DisableWindowsUpdateAccess"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata"; Name = "PreventDeviceMetadataFromNetwork"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection"; Name = "AllowTelemetry"; Value = 0; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows"; Name = "CEIPEnable"; Value = 0; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat"; Name = "AITEnable"; Value = 0; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat"; Name = "DisableUAR"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\Software\Policies\Microsoft\Windows\DataCollection"; Name = "AllowTelemetry"; Value = 0; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\DataCollection"; Name = "AllowTelemetry"; Value = 0; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance"; Name = "MaintenanceDisabled"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\MRT"; Name = "DontOfferThroughWUAU"; Value 
= 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\MRT"; Name = "DontReportInfectionInformation"; Value = 1; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"; Name = "AllowCortana"; Value = 0; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SYSTEM\CurrentControlSet\Control"; Name = "ServicesPipeTimeout"; Value = 120000; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener"; Name = "Start"; Value = 0; PropertyType = "DWORD"}
+ @{Path = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger"; Name = "Start"; Value = 0; PropertyType = "DWORD"}
+)
+
+$registrySettings | ForEach-Object {
+ $regPath = $PSItem.Path
+ New-ItemPath -Path $regPath
+ New-ItemProperty @PSItem -Force -ErrorAction Ignore
+} | Out-Null
+
+# Disable Template Services / User Services added by Desktop Experience
+$regUserServicesToDisables = @(
+ "HKLM:\SYSTEM\CurrentControlSet\Services\CDPUserSvc"
+ "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc"
+ "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc"
+ "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc"
+ "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc"
+ "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService"
+)
+
+$regUserServicesToDisables | ForEach-Object {
+ $regPath = $_
+ New-ItemPath -Path $regPath
+ New-ItemProperty -Path $regPath -Name "Start" -Value 4 -PropertyType DWORD -Force -ErrorAction Ignore
+ New-ItemProperty -Path $regPath -Name "UserServiceFlags" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+} | Out-Null
+
+
+# Disabled services
+$servicesToDisable = @(
+ "wuauserv"
+ "DiagTrack"
+ "dmwappushservice"
+ "PcaSvc"
+ "SysMain"
+ "gupdate"
+ "gupdatem"
+)
+
+$servicesToDisable | ForEach-Object {
+ Set-Service -Name $_ -StartupType Disabled -ErrorAction Ignore
+} | Out-Null
+
+# Disable scheduled tasks
+$allTasksInTaskPath = @(
+ "\"
+ 
"\Microsoft\Azure\Security\" + "\Microsoft\VisualStudio\" + "\Microsoft\VisualStudio\Updates\" + "\Microsoft\Windows\Application Experience\" + "\Microsoft\Windows\ApplicationData\" + "\Microsoft\Windows\Autochk\" + "\Microsoft\Windows\Chkdsk\" + "\Microsoft\Windows\Customer Experience Improvement Program\" + "\Microsoft\Windows\Data Integrity Scan\" + "\Microsoft\Windows\Defrag\" + "\Microsoft\Windows\Diagnosis\" + "\Microsoft\Windows\DiskCleanup\" + "\Microsoft\Windows\DiskDiagnostic\" + "\Microsoft\Windows\Maintenance\" + "\Microsoft\Windows\PI\" + "\Microsoft\Windows\Power Efficiency Diagnostics\" + "\Microsoft\Windows\Server Manager\" + "\Microsoft\Windows\Speech\" + "\Microsoft\Windows\UpdateOrchestrator\" + "\Microsoft\Windows\Windows Error Reporting\" + "\Microsoft\Windows\WindowsUpdate\" + "\Microsoft\XblGameSave\" +) + +$allTasksInTaskPath | ForEach-Object { + Get-ScheduledTask -TaskPath $_ -ErrorAction Ignore | Disable-ScheduledTask -ErrorAction Ignore +} | Out-Null + +$disableTaskNames = @( + @{TaskPath = "\Microsoft\Windows\.NET Framework\"; TaskName = ".NET Framework NGEN v4.0.30319"} + @{TaskPath = "\Microsoft\Windows\.NET Framework\"; TaskName = ".NET Framework NGEN v4.0.30319 64"} + @{TaskPath = "\Microsoft\Windows\AppID\"; TaskName = "SmartScreenSpecific"} +) + +$disableTaskNames | ForEach-Object { + Disable-ScheduledTask @PSItem -ErrorAction Ignore +} | Out-Null + Write-Host "Finalize-VM.ps1 - completed"