Skip to content

/ malboxes

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Windows 10 versions #128

Merged
merged 20 commits into from Sep 5, 2019
Merged

New Windows 10 versions #128

merged 20 commits into from Sep 5, 2019

Conversation

@obilodeau
Copy link
Member

@obilodeau obilodeau commented Aug 27, 2019

Current status: Our Windows 10 1607 Autounattend.xml doesn't pass on the 1903 iso. Something changed. Need to generate a new one.
obilodeau added 3 commits Aug 27, 2019
@obilodeau
Split Windows 10 templates into sub-versions
c9e0663
@obilodeau
Failed attempt at Windows 10 1903 (19H1) x64
4f48639
@obilodeau
doc: more Windows 10 download links and hashes
Loading status checks…
0c3e4ab
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Aug 28, 2019

Spent several build cycles today trying to fix an issue with a WinRM timeout that turned out to be an Autounattend.xml regression. I think I've finally found a fix.
obilodeau added 3 commits Aug 28, 2019
@obilodeau
Windows 10 1903 required changes to Autounattend.xml
Loading status checks…
0b19625 
Sorry for the line noise but some of my previous changes mixed line
termination characters and this fixes that too.
@obilodeau
Windows 10 1903 (19H1) x86
aa975f5
@obilodeau
Default Windows 10 builds now default to 19H1 (1903)
Loading status checks…
49c7479
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Aug 30, 2019

I realized during my workshop that with 1903, Defender was enabled. Need to investigate that and find a fix.
@obilodeau
Found a way to disable the new Defender Tamper Protection
Loading status checks…
6abefd4 
Adding only for Windows 10
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Aug 30, 2019

Tamper Protection was what caused me trouble. You can read about it here: https://www.windowscentral.com/how-manage-windows-security-tamper-protection-windows-10-may-2019-update

I think I've found a way to bypass it reliably without requiring user intervention. Doing a full rebuild of all OSes with this patch now.
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Sep 3, 2019

Smoke tests passed but getting this in them:

    virtualbox-iso: + Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Fea ...
    virtualbox-iso: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    virtualbox-iso:     + CategoryInfo          : PermissionDenied: (TamperProtection:String) [Set-ItemProperty], UnauthorizedAccessExcept
    virtualbox-iso:    ion
    virtualbox-iso:     + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetItemPropertyCommand
    virtualbox-iso:

Trying to run the scripts as system instead. Another round of tests required.
obilodeau added 2 commits Sep 3, 2019
@obilodeau
Defender: Disable Tamper Protection as SYSTEM
Loading status checks…
9f331af
@obilodeau
Bump requirements for Packer due to powershell as SYSTEM
Loading status checks…
6c0345c 
Turns out that the upstream feature was introduced in 1.3.3 released on December 5, 2018 and merged in hashicorp/packer#6972.
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Sep 4, 2019

Tests failed with the following:

* Must supply an 'elevated_password' if 'elevated_user' provided

Turns out the Packer version in the buildbot was older and didn't support using system accounts. See commit for details and here's the upstream issue: hashicorp/packer#6104
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Sep 4, 2019

With the latest changes 1607 runs fine but 1903 still complains but the build goes through. I'll see what the resulting image looks like but I might only add a note to manually disable defender for 1903 and later.
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Sep 4, 2019

Resulting image has Defender turned On. I'll need to introduce an exception starting with 1903 where we advice the user on how turning off Windows Defender TamperProtection and provide a batch script to run to disable it.
obilodeau added 5 commits Sep 4, 2019
@obilodeau
Added a mechanism to communicate from the template to Malboxes core
c99c9f5 
Used it to communicate to the user if a specific version of Windows is
spun so that it has instructions on how to disable Defender.
@obilodeau
Revert "Defender: Disable Tamper Protection as SYSTEM"
e5434b1 
This reverts commit 9f331af.
@obilodeau
Revert "Found a way to disable the new Defender Tamper Protection"
85f5739 
This reverts commit 6abefd4.
@obilodeau
Notice about Defender Tamper Protection and new Defender disable script
Loading status checks…
d0abd92
@obilodeau
Fix: copying disable_defender anyway since os_version not available
Loading status checks…
9410b27
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Sep 4, 2019

Ready for another round of testing.
obilodeau added 2 commits Sep 4, 2019
@obilodeau
Force success on the defender disable script
Loading status checks…
3c69a59 
and minor output improvements
@obilodeau
Fix: Forgot to migrate Windows 7 to new Defender disable script
Loading status checks…
003c461
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Sep 5, 2019
edited

CI tests for the latest fixes failed but it seems unrelated:

==> virtualbox-iso: Error exporting virtual machine: VBoxManage error: 0%...
==> virtualbox-iso: Progress state: NS_ERROR_FAILURE
==> virtualbox-iso: VBoxManage: error: Appliance write failed
==> virtualbox-iso: VBoxManage: error: Could not open the medium '/var/jenkins_home/.cache/malboxes/builds/packer-virtualbox-iso-1567659328.vdi'.
==> virtualbox-iso: VBoxManage: error: VD: error VERR_FILE_NOT_FOUND opening image file '/var/jenkins_home/.cache/malboxes/builds/packer-virtualbox-iso-1567659328.vdi' (VERR_FILE_NOT_FOUND)
==> virtualbox-iso: VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component MediumWrap, interface IMedium
==> virtualbox-iso: VBoxManage: error: Context: "RTEXITCODE handleExportAppliance(HandlerArg*)" at line 1263 of file VBoxManageAppliance.cpp

On my machine the Windows 7 build failed with wireshark's dependencies troubles but I think they were transient and in any case a user can always remove it from the build and install it afterwards.

One last smoke test run and if all green, I'll merge.
@obilodeau obilodeau changed the title [WIP] New Windows 10 versions New Windows 10 versions Sep 5, 2019
@obilodeau
Copy link
Member Author

@obilodeau obilodeau commented Sep 5, 2019

Build passed!
obilodeau added 3 commits Sep 5, 2019
@obilodeau
Windows 7 template now named x86 and x64 instead of 32 and 64
Loading status checks…
6e7622f 
README updated to reflect that for both Win 10 and Win 7
@obilodeau
Merge branch 'master' into new-windows-versions
Loading status checks…
c3ab0eb
@obilodeau
doc adjustment
Loading status checks…
84a274b
@obilodeau
Packer minimum version out
Loading status checks…
1a48e6f 
No longer required since we dropped the requirement on using SYSTEM elevated_user for powershell because that fix didn't work.
@obilodeau obilodeau merged commit 382a767 into master Sep 5, 2019
2 checks passed
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

1 participant
@obilodeau
You can’t perform that action at this time.