Update windows base VHD to 2025-1B (#5576)

.pipelines/templates/e2e-template.yaml

@@ -45,7 +45,9 @@ jobs:
           VHD_BUILD_ID: $(VHD_BUILD_ID)
           LOGGING_DIR: $(LOGGING_DIR)
       # Without this step next step may fail on successful run
-      - bash: mkdir -p $(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR)
+      - bash: |
+          set -ex
+          mkdir -p "$(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR)"
         condition: always()
         displayName: Create folder for scenario logs
       - task: PublishTestResults@2

vhdbuilder/packer/configure-windows-vhd.ps1

@@ -388,12 +388,22 @@ function Install-ContainerD {
 
 function Install-OpenSSH {
     Write-Log "Installing OpenSSH Server"
+
+    # Somehow openssh client got added to Windows 2019 base image.
+    if ($env:WindowsSKU -Like '2019*')
+    {
+        Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
+        Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
+    }
+
     Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
 
     # It’s by design that files within the C:\Windows\System32\ folder are not modifiable. 
     # When the OpenSSH Server starts, it copies C:\windows\system32\openssh\sshd_config_default to C:\programdata\ssh\sshd_config, if the file does not already exist.
     $OriginalConfigPath = "C:\windows\system32\OpenSSH\sshd_config_default"
-    $ConfigPath = "C:\programdata\ssh\sshd_config"
+    $ConfigDirectory = "C:\programdata\ssh"
+    New-Item -ItemType Directory -Force -Path $ConfigDirectory
+    $ConfigPath = $ConfigDirectory + "\sshd_config"
     Write-Log "Updating $ConfigPath for CVE-2023-48795"
     $ModifiedConfigContents = Get-Content $OriginalConfigPath `
         | %{$_ -replace "#RekeyLimit default none", "$&`r`n# Disable cipher to mitigate CVE-2023-48795`r`nCiphers [email protected]`r`nMacs -*[email protected]`r`n"}
@@ -874,7 +884,7 @@ function Log-ReofferUpdate {
             Write-Log "ReofferUpdate is $($result.ReofferUpdate)"
         }
     } catch {
-        Write-Log "ReofferUpdate does not exist"
+        Write-Log "ReofferUpdate registry setting does not exist"
     }
 }
 

vhdbuilder/packer/generate-windows-vhd-configuration.ps1

@@ -60,17 +60,8 @@ $global:defenderUpdateInfoUrl = "https://go.microsoft.com/fwlink/?linkid=870379&
 
 switch -Regex ($windowsSku) {
     "2019-containerd" {
-        # TODO: clean up when you bump 2025-1B. These patches do an upgrade from 2024-9B to 2024-12B in a way that doesn't break openssh.
-        # The right patch for .NET is actually KB5046540. However, the download page us for KB5046269. So we have to verify that patch. I have no idea why.
-
-        $global:patchUrls = @(
-          "https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2024/12/windows10.0-kb5048661-x64_6bfc43258aab46ec793d2977122226a4a2b8ed6f.msu",
-          "https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2024/10/windows10.0-kb5046268-x64_cd2f14649df2343f1b4692c50644f22b863ed408.msu"
-        )
-        $global:patchIDs = @(
-          "KB5048661",
-          "KB5046268"
-        )
+        $global:patchUrls = @()
+        $global:patchIDs = @()
 
         $global:imagesToPull = @(
             "mcr.microsoft.com/windows/servercore:ltsc2019",

vhdbuilder/packer/windows-image.env

@@ -6,32 +6,32 @@
 WINDOWS_2019_BASE_IMAGE_SKU=2019-Datacenter-Core-smalldisk
 # TODO: update global:patch in generate-windows-vhd-configuration.ps1 and remove this comment when you bump 12B
 # - but revert and bring back if open ssh fails when you build the VHD. This image is 9B.
-WINDOWS_2019_BASE_IMAGE_VERSION=17763.6293.240905
+WINDOWS_2019_BASE_IMAGE_VERSION=17763.6775.250109
 
 # CLI example to get the latest image version:
 #   az vm image show --urn MicrosoftWindowsServer:WindowsServer:2022-Datacenter-Core-smalldisk:latest
 WINDOWS_2022_BASE_IMAGE_SKU=2022-Datacenter-Core-smalldisk
-WINDOWS_2022_BASE_IMAGE_VERSION=20348.2966.241205
+WINDOWS_2022_BASE_IMAGE_VERSION=20348.3091.250112
 
 # CLI example to get all available image version under a SKU (suffix g2 for Gen 2):
 #   az vm image list --all --publisher MicrosoftWindowsServer --offer WindowsServer --output table -s 2022-datacenter-core-smalldisk-g2
 # CLI example to get the latest image version:
 #   az vm image show --urn MicrosoftWindowsServer:WindowsServer:2022-datacenter-core-smalldisk-g2:latest
 WINDOWS_2022_GEN2_BASE_IMAGE_SKU=2022-datacenter-core-smalldisk-g2
-WINDOWS_2022_GEN2_BASE_IMAGE_VERSION=20348.2966.241205
+WINDOWS_2022_GEN2_BASE_IMAGE_VERSION=20348.3091.250112
 
 # CLI example to get the latest image version:
 #   az vm image show --urn MicrosoftWindowsServer:WindowsServer:23h2-datacenter-core:latest
 WINDOWS_23H2_BASE_IMAGE_SKU=23h2-datacenter-core
-WINDOWS_23H2_BASE_IMAGE_VERSION=25398.1308.241205
+WINDOWS_23H2_BASE_IMAGE_VERSION=25398.1369.250111
 
 # CLI example to get all available image version under a SKU (suffix g2 for Gen 2):
 #   az vm image list --all --publisher MicrosoftWindowsServer --offer WindowsServer --output table -s 23h2-datacenter-core-g2
 # CLI example to get the latest image version:
 #   az vm image show --urn MicrosoftWindowsServer:WindowsServer:23h2-datacenter-core-g2:latest
 # NOTE: Please update $global:patchUrls and $global:patchIDs in vhdbuilder/packer/generate-windows-vhd-configuration.ps1 on demand
 WINDOWS_23H2_GEN2_BASE_IMAGE_SKU=23h2-datacenter-core-g2
-WINDOWS_23H2_GEN2_BASE_IMAGE_VERSION=25398.1308.241205
+WINDOWS_23H2_GEN2_BASE_IMAGE_VERSION=25398.1369.250111
 
 # Please uncomment the following lines and set a larger os disk size that is at least 30GB when your PR check-in fails
 # WINDOWS_2019_CONTAINERD_OS_DISK_SIZE_GB=30