From 2242a9c291275f91f0806cbc1c633b75943d75b1 Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Mon, 9 Dec 2024 14:38:33 -0500 Subject: [PATCH 01/10] Disable onedrive on windows 11, uninstall appx packages, disable microphone prompt --- .../manifests/profiles/disable_services.pp | 11 + .../files/appxpackages/uninstall.ps1 | 284 ++++++++++++++++++ .../manifests/disable_onedrive.pp | 52 ++-- .../manifests/disable_permissions_prompt.pp | 15 + .../manifests/uninstall_appx_packages.pp | 8 + 5 files changed, 343 insertions(+), 27 deletions(-) create mode 100644 modules/win_disable_services/files/appxpackages/uninstall.ps1 create mode 100644 modules/win_disable_services/manifests/disable_permissions_prompt.pp create mode 100644 modules/win_disable_services/manifests/uninstall_appx_packages.pp diff --git a/modules/roles_profiles/manifests/profiles/disable_services.pp b/modules/roles_profiles/manifests/profiles/disable_services.pp index 488b2b6cb..2b7cc48f2 100644 --- a/modules/roles_profiles/manifests/profiles/disable_services.pp +++ b/modules/roles_profiles/manifests/profiles/disable_services.pp @@ -47,6 +47,17 @@ include win_disable_services::disable_windows_defender_schtask } } + if $facts['custom_win_display_version'] == '24H2' { + ## Firefox will ask prompt for microphone access during mochitest, + ## so explicitly disable it here + include win_disable_services::disable_permissions_prompt + ## Let's Uninstall Appx Packages + ## Taken from https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool + ## Bug 1913499 https://bugzilla.mozilla.org/show_bug.cgi?id=1913499 + include win_disable_services::uninstall_appx_packages + ## Let's uninstall OneDrive + include win_disable_services::disable_onedrive + } if $facts['os']['release']['full'] == '10' { include win_disable_services::disable_onedrive } 
diff --git a/modules/win_disable_services/files/appxpackages/uninstall.ps1 b/modules/win_disable_services/files/appxpackages/uninstall.ps1
new file mode 100644
index 000000000..3634024b4
--- /dev/null
+++ b/modules/win_disable_services/files/appxpackages/uninstall.ps1
@@ -0,0 +1,284 @@
+$apps = @{
+ "Bing Search" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/9nzbf4gt040c"
+ "Description" = "Web Search from Microsoft Bing provides web results and answers in Windows Search"
+ }
+ "Clipchamp.Clipchamp" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/9p1j8s7ccwwt?hl=en-us&gl=US"
+ "Description" = "Create videos with a few clicks"
+ }
+ "Microsoft.549981C3F5F10" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/cortana/9NFFX4SZZ23L?hl=en-us&gl=US"
+ "Description" = "Cortana (could not update)"
+ }
+ "Microsoft.BingNews" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/microsoft-news/9wzdncrfhvfw"
+ "Description" = "Microsoft News app"
+ }
+ "Microsoft.BingWeather" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/msn-weather/9wzdncrfj3q2"
+ "Description" = "MSN Weather app"
+ }
+ "Microsoft.DesktopAppInstaller" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/9NBLGGH4NNS1"
+ "Description" = "Microsoft App Installer for Windows 10 makes sideloading Windows apps easy"
+ }
+ "Microsoft.GamingApp" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/xbox/9mv0b5hzvk9z"
+ "Description" = "Xbox app"
+ }
+ "Microsoft.GetHelp" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/customize-get-help-app"
+ "Description" = "App that facilitates free support for Microsoft products"
+ }
+ "Microsoft.Getstarted" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/microsoft-tips/9wzdncrdtbjj"
+ "Description" = "Windows 10 tips app"
+ }
+ "Microsoft.MicrosoftOfficeHub" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/office/9wzdncrd29v9"
+ "Description" = "Office UWP app suite"
+ }
+ "Microsoft.Office.OneNote" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/onenote-for-windows-10/9wzdncrfhvjl"
+ "Description" = "Office UWP OneNote app"
+ }
+ "Microsoft.MicrosoftSolitaireCollection" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/microsoft-solitaire-collection/9wzdncrfhwd2"
+ "Description" = "Solitaire suite of games"
+ }
+ "Microsoft.MicrosoftStickyNotes" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/microsoft-sticky-notes/9nblggh4qghw"
+ "Description" = "Note-taking app"
+ }
+ "Microsoft.OutlookForWindows" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/9NRX63209R7B?hl=en-us&gl=US"
+ "Description" = "a best-in-class email experience that is free for anyone with Windows"
+ }
+ "Microsoft.MSPaint" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/store/detail/paint-3d/9NBLGGH5FV99"
+ "Description" = "Paint 3D app (not Classic Paint app)"
+ }
+ "Microsoft.Paint" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/9PCFS5B6T72H"
+ "Description" = "Classic Paint app"
+ }
+ "Microsoft.People" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/microsoft-people/9nblggh10pg8"
+ "Description" = "Contact management app"
+ }
+ "Microsoft.PowerAutomateDesktop" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://flow.microsoft.com/en-us/desktop/"
+ "Description" = "Power Automate Desktop app. Record desktop and web actions in a single flow"
+ }
+ "Microsoft.ScreenSketch" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/snip-sketch/9mz95kl8mr0l"
+ "Description" = "Snip and Sketch app"
+ }
+ "Microsoft.SkypeApp" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/skype/9wzdncrfj364"
+ "Description" = "Instant message, voice or video call app"
+ }
+ "Microsoft.StorePurchaseApp" = @{
+ "VDIState" = "Unchanged"
+ "URL" = ""
+ "Description" = "Store purchase app helper"
+ }
+ "Microsoft.Todos" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/microsoft-to-do-lists-tasks-reminders/9nblggh5r558"
+ "Description" = "Microsoft To Do makes it easy to plan your day and manage your life"
+ }
+ "Microsoft.WinDbg.Fast" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/9PGJGD53TN86?hl=en-us&gl=US"
+ "Description" = "Microsoft WinDbg"
+ }
+ "Microsoft.Windows.DevHome" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://learn.microsoft.com/en-us/windows/dev-home/"
+ "Description" = "A control center providing the ability to monitor projects in your dashboard using customizable widgets and more"
+ }
+ "Microsoft.Windows.Photos" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/microsoft-photos/9wzdncrfjbh4"
+ "Description" = "Photo and video editor"
+ }
+ "Microsoft.WindowsAlarms" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/windows-alarms-clock/9wzdncrfj3pr"
+ "Description" = "A combination app, of alarm clock, world clock, timer, and stopwatch."
+ }
+ "Microsoft.WindowsCalculator" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/windows-calculator/9wzdncrfhvn5"
+ "Description" = "Microsoft Calculator app"
+ }
+ "Microsoft.WindowsCamera" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/windows-camera/9wzdncrfjbbg"
+ "Description" = "Camera app to manage photos and video"
+ }
+ "microsoft.windowscommunicationsapps" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/mail-and-calendar/9wzdncrfhvqm"
+ "Description" = "Mail & Calendar apps"
+ }
+ "Microsoft.WindowsFeedbackHub" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/feedback-hub/9nblggh4r32n"
+ "Description" = "App to provide Feedback on Windows and apps to Microsoft"
+ }
+ "Microsoft.WindowsMaps" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/windows-maps/9wzdncrdtbvb"
+ "Description" = "Microsoft Maps app"
+ }
+ "Microsoft.WindowsNotepad" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/windows-notepad/9msmlrh6lzf3"
+ "Description" = "Fast, simple text editor for plain text documents and source code files."
+ }
+ "Microsoft.WindowsStore" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://blogs.windows.com/windowsexperience/2021/06/24/building-a-new-open-microsoft-store-on-windows-11/"
+ "Description" = "Windows Store app"
+ }
+ "Microsoft.WindowsSoundRecorder" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/windows-voice-recorder/9wzdncrfhwkn"
+ "Description" = "(Voice recorder)"
+ }
+ "Microsoft.WindowsTerminal" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/windows-terminal/9n0dx20hk701"
+ "Description" = "A terminal app featuring tabs, panes, Unicode, UTF-8 character support, and GPU text rendering engine."
+ }
+ "Microsoft.Winget.Platform.Source" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://learn.microsoft.com/en-us/windows/package-manager/winget/"
+ "Description" = "The Winget tool enables users to manage applications on Win10 and Win11 devices. This tool is the client interface to the Windows Package Manager service"
+ }
+ "Microsoft.Xbox.TCUI" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview"
+ "Description" = "XBox Title Callable UI (TCUI) enables your game code to call pre-defined user interface displays"
+ }
+ "Microsoft.XboxGameOverlay" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p"
+ "Description" = "Xbox Game Bar extensible overlay"
+ }
+ "Microsoft.XboxGamingOverlay" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p"
+ "Description" = "Xbox Game Bar extensible overlay"
+ }
+ "Microsoft.XboxIdentityProvider" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/xbox-identity-provider/9wzdncrd1hkw"
+ "Description" = "A system app that enables PC games to connect to Xbox Live."
+ }
+ "Microsoft.XboxSpeechToTextOverlay" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://support.xbox.com/help/account-profile/accessibility/use-game-chat-transcription"
+ "Description" = "Xbox game transcription overlay"
+ }
+ "Microsoft.YourPhone" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/Your-phone/9nmpj99vjbwv"
+ "Description" = "Android phone to PC device interface app"
+ }
+ "Microsoft.ZuneMusic" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/groove-music/9wzdncrfj3pt"
+ "Description" = "Groove Music app"
+ }
+ "Microsoft.ZuneVideo" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/movies-tv/9wzdncrfj3p2"
+ "Description" = "Movies and TV app"
+ }
+ "MicrosoftCorporationII.QuickAssist" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/9P7BP5VNWKX5?hl=en-us&gl=US"
+ "Description" = "Microsoft remote help app"
+ }
+ "MicrosoftWindows.Client.WebExperience" = @{
+ "VDIState" = "Unchanged"
+ "URL" = ""
+ "Description" = "Windows 11 Internet information widget"
+ }
+ "Microsoft.XboxApp" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/store/apps/9wzdncrfjbd8"
+ "Description" = "Xbox 'Console Companion' app (games, friends, etc.)"
+ }
+ "Microsoft.MixedReality.Portal" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/mixed-reality-portal/9ng1h8b3zc7m"
+ "Description" = "The app that facilitates Windows Mixed Reality setup, and serves as the command center for mixed reality experiences"
+ }
+ "Microsoft.Microsoft3DViewer" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/p/3d-viewer/9nblggh42ths"
+ "Description" = "App to view common 3D file types"
+ }
+ "MicrosoftTeams" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/xp8bt8dw290mpq"
+ "Description" = "Microsoft communication platform"
+ }
+ "MSTeams" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://apps.microsoft.com/detail/xp8bt8dw290mpq"
+ "Description" = "Microsoft communication platform"
+ }
+ "Microsoft.OneDriveSync" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://docs.microsoft.com/en-us/onedrive/one-drive-sync"
+ "Description" = "Microsoft OneDrive sync app (included in Office 2016 or later)"
+ }
+ "Microsoft.Wallet" = @{
+ "VDIState" = "Unchanged"
+ "URL" = "https://www.microsoft.com/en-us/payments"
+ "Description" = "(Microsoft Pay) for Edge browser on certain devices"
+ }
+}
+
+Foreach ($Key in $apps.Keys) {
+ $Item = $apps[$Key]
+ Write-Host "Removing Provisioned Package $Key"
+ Get-AppxProvisionedPackage -Online |
+ Where-Object { $_.PackageName -like ("*{0}*" -f $Key) } |
+ Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue | Out-Null
+
+ Write-Host "Attempting to remove [All Users] $Key - $($Item.Description)"
+ Get-AppxPackage -AllUsers -Name ("*{0}*" -f $Key) |
+ Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
+
+ Write-Host "Attempting to remove $Key - $($Item.Description)"
+ Get-AppxPackage -Name ("*{0}*" -f $Key) |
+ Remove-AppxPackage -ErrorAction SilentlyContinue | Out-Null
+
+}
\ No newline at end of file
diff --git a/modules/win_disable_services/manifests/disable_onedrive.pp b/modules/win_disable_services/manifests/disable_onedrive.pp
index c8c93b482..ee09317c5 100644
--- a/modules/win_disable_services/manifests/disable_onedrive.pp
+++ b/modules/win_disable_services/manifests/disable_onedrive.pp
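Review bot: The removal loop at the end of uninstall.ps1 never reads `VDIState`, so every listed package is removed even though each entry is marked `"Unchanged"`; if the table keeps the upstream tool's meaning for that field (an assumption), the script does the opposite of what its data says. Either drop the field, or mark the entries to be removed with a distinct state and skip the rest with `if ($Item.VDIState -eq 'Unchanged') { continue }`. The `"*{0}*" -f $Key` pattern is a substring match on both sides, so a short key such as `MSTeams` can match packages that are not in the table, and `Bing Search` looks like a display name that is unlikely to match any package name. Every removal also runs with `-ErrorAction SilentlyContinue`, so a failed uninstall is invisible to Puppet; logging the error instead of discarding it would make a half-cleaned image detectable.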
@@ -3,37 +3,35 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. class win_disable_services::disable_onedrive { + # This script will disable and remove all portions of onedrive + # and prevent onedrive from being setup on future user creation + # Using puppetlabs-powershell + # Script & modules are originally from https://github.com/W4RH4WK/Debloat-Windows-10 - # This script will disable and remove all portions of onedrive - # and prevent onedrive from being setup on future user creation - # Using puppetlabs-powershell - # Script & modules are originally from https://github.com/W4RH4WK/Debloat-Windows-10 + $module_dir = "${facts['custom_win_system32']}\\WindowsPowerShell\\v1.0\\modules" - $module_dir = "${facts['custom_win_system32']}\\WindowsPowerShell\\v1.0\\modules" + file { "${module_dir}\\take-own": + ensure => directory, + } + file { "${module_dir}\\force-mkdir": + ensure => directory, + } - file { "${module_dir}\\take-own": - ensure => directory, - } - file { "${module_dir}\\force-mkdir": - ensure => directory, - } + file { "${module_dir}\\force-mkdir\\force-mkdir.psm1": + content => file('win_disable_services/force-mkdir.psm1'), + require => File["${module_dir}\\force-mkdir"], + } + file { "${module_dir}\\take-own\\take-own.psm1": + content => file('win_disable_services/take-own.psm1'), + require => [File["${module_dir}\\force-mkdir\\force-mkdir.psm1"], File["${module_dir}\\take-own"]], + } - file { "${module_dir}\\force-mkdir\\force-mkdir.psm1": - content => file('win_disable_services/force-mkdir.psm1'), - require => File["${module_dir}\\force-mkdir"], - } - file { "${module_dir}\\take-own\\take-own.psm1": - content => file('win_disable_services/take-own.psm1'), - require => [File["${module_dir}\\force-mkdir\\force-mkdir.psm1"], File[ "${module_dir}\\take-own"]], - } - - - exec { 'disable_onedrive': - command => file('win_disable_services/disable_onedrive.ps1'), - provider => powershell, - require => 
File["${module_dir}\\take-own\\take-own.psm1"], - unless => 'Test-Path "$env:systemroot\SysWOW64\OneDriveSetup.exe"', - } + exec { 'disable_onedrive': + command => file('win_disable_services/disable_onedrive.ps1'), + provider => powershell, + require => File["${module_dir}\\take-own\\take-own.psm1"], + unless => 'Test-Path "$env:systemroot\SysWOW64\OneDriveSetup.exe"', + } } # Bug list # TODO port script into this manifest diff --git a/modules/win_disable_services/manifests/disable_permissions_prompt.pp b/modules/win_disable_services/manifests/disable_permissions_prompt.pp new file mode 100644 index 000000000..a259b44d6 --- /dev/null +++ b/modules/win_disable_services/manifests/disable_permissions_prompt.pp @@ -0,0 +1,15 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# Class: win_disable_services::disable_permissions_prompt +# +# This class disables the permissions prompt for the microphone in Windows. +# +class win_disable_services::disable_permissions_prompt { + registry_value { 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone': + ensure => present, + type => string, + data => 'Allow', + } +} diff --git a/modules/win_disable_services/manifests/uninstall_appx_packages.pp b/modules/win_disable_services/manifests/uninstall_appx_packages.pp new file mode 100644 index 000000000..03c37c88a --- /dev/null +++ b/modules/win_disable_services/manifests/uninstall_appx_packages.pp @@ -0,0 +1,8 @@ +# This class is responsible for disabling AppX packages on Windows. +class win_disable_services::uninstall_appx_packages { + exec { 'disable_appx_packages': + command => file('appxpackages/uninstall.ps1'), + provider => powershell, + timeout => 300, + } +} From 70bbe4659affeeccb39726f46dfceb99ff1f54c3 Mon Sep 17 00:00:00 2001 
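Review bot: In the new disable_permissions_prompt.pp the `registry_value` title ends in `...\ConsentStore\microphone`, and registry_value treats the last path segment as the value name, so this writes a string value called `microphone` under the `ConsentStore` key. As far as I know Windows keeps the consent state in a value named `Value` under the `microphone` key, which would make the title `'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Value'`; please confirm on a 24H2 worker. The `...\microphone\Mozilla.Firefox.MSIX` resource added in PATCH 07/10 has the same shape. Because an HKLM-level `Allow` applies to every app on the machine, a comment stating that this is intended only for test workers would help the next reader.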
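Review bot: The `disable_appx_packages` exec in uninstall_appx_packages.pp has no `unless`, `onlyif` or `refreshonly`, so the whole removal script runs on every agent run and reports a change each time, unlike the `disable_onedrive` exec in this same patch, which is guarded by `unless`. A guard that checks whether any listed package is still installed would keep runs idempotent and stop the 300-second timeout from being at risk on every run. The header comment says the class is responsible for "disabling" packages while the script uninstalls them; `# Uninstalls the AppX packages listed in files/appxpackages/uninstall.ps1.` would match the behaviour.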
From: Jonathan Moss Date: Mon, 9 Dec 2024 14:41:53 -0500 Subject: [PATCH 02/10] Disable appx packages on all windows testers --- .../roles_profiles/manifests/profiles/disable_services.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/roles_profiles/manifests/profiles/disable_services.pp b/modules/roles_profiles/manifests/profiles/disable_services.pp index 2b7cc48f2..7d774515f 100644 --- a/modules/roles_profiles/manifests/profiles/disable_services.pp +++ b/modules/roles_profiles/manifests/profiles/disable_services.pp @@ -39,6 +39,10 @@ include win_disable_services::disable_windows_update if $facts['custom_win_purpose'] != builder { include win_disable_services::disable_wsearch + ## Let's Uninstall Appx Packages + ## Taken from https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool + ## Bug 1913499 https://bugzilla.mozilla.org/show_bug.cgi?id=1913499 + include win_disable_services::uninstall_appx_packages if ($facts['custom_win_location'] == 'azure') { include win_scheduled_tasks::kill_local_clipboard } @@ -51,10 +55,6 @@ ## Firefox will ask prompt for microphone access during mochitest, ## so explicitly disable it here include win_disable_services::disable_permissions_prompt - ## Let's Uninstall Appx Packages - ## Taken from https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool - ## Bug 1913499 https://bugzilla.mozilla.org/show_bug.cgi?id=1913499 - include win_disable_services::uninstall_appx_packages ## Let's uninstall OneDrive include win_disable_services::disable_onedrive } From c6a8043ec7cb46b7097a627240876c3c42490596 Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Mon, 9 Dec 2024 15:19:50 -0500 Subject: [PATCH 03/10] Add missing parent directory in command path --- .../win_disable_services/manifests/uninstall_appx_packages.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/win_disable_services/manifests/uninstall_appx_packages.pp b/modules/win_disable_services/manifests/uninstall_appx_packages.pp index 03c37c88a..8efc57186 100644 --- a/modules/win_disable_services/manifests/uninstall_appx_packages.pp +++ b/modules/win_disable_services/manifests/uninstall_appx_packages.pp @@ -1,7 +1,7 @@ # This class is responsible for disabling AppX packages on Windows. class win_disable_services::uninstall_appx_packages { exec { 'disable_appx_packages': - command => file('appxpackages/uninstall.ps1'), + command => file('win_disable_services/appxpackages/uninstall.ps1'), provider => powershell, timeout => 300, } From 6e084a2bbf9ca55ad8d35cf1c3fc9222ddadddff Mon Sep 17 00:00:00 2001 From: Jonathan Moss <2729151+jwmoss@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:44:57 -0500 Subject: [PATCH 04/10] Change pip cache dir to pip 23 changes --- modules/win_mozilla_build_tester/manifests/pip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/win_mozilla_build_tester/manifests/pip.pp b/modules/win_mozilla_build_tester/manifests/pip.pp index 8d8429f97..e207d510a 100644 --- a/modules/win_mozilla_build_tester/manifests/pip.pp +++ b/modules/win_mozilla_build_tester/manifests/pip.pp @@ -41,7 +41,7 @@ }, } # Resource from counsyl-windows - windows::environment { 'PIP_DOWNLOAD_CACHE': + windows::environment { 'PIP_CACHE_DIR': value => "${cache_drive}\\pip-cache", } } From b6c817d706c2fc842af3acc5812f00f2acbfed43 Mon Sep 17 00:00:00 2001 From: Jonathan Moss <2729151+jwmoss@users.noreply.github.com> Date: Fri, 13 Dec 2024 13:04:53 -0500 Subject: [PATCH 05/10] Try using d:\pip-cache for datacenter hardware --- modules/win_mozilla_build_tester/manifests/pip.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/win_mozilla_build_tester/manifests/pip.pp b/modules/win_mozilla_build_tester/manifests/pip.pp index e207d510a..facaf521d 100644 --- a/modules/win_mozilla_build_tester/manifests/pip.pp 
+++ b/modules/win_mozilla_build_tester/manifests/pip.pp @@ -16,7 +16,7 @@ } ## If Datacenter, then cache drive is C if ($facts['custom_win_location'] == 'datacenter') { - $cache_drive = 'c:' + $cache_drive = 'd:' } file { "${$facts['custom_win_programdata']}\\pip": From 323f3f674b01d1f7bbb5ff0dbc9f84ddcf37665d Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Mon, 16 Dec 2024 10:17:08 -0500 Subject: [PATCH 06/10] Add script to maintainsystem to reset pip-cache permissions each time --- .../files/azure-maintainsystem.ps1 | 41 +++++++++++++++---- .../files/maintainsystem-reftester.ps1 | 26 ++++++++++++ 2 files changed, 59 insertions(+), 8 deletions(-) diff --git a/modules/win_scheduled_tasks/files/azure-maintainsystem.ps1 b/modules/win_scheduled_tasks/files/azure-maintainsystem.ps1 index dd8fb88b8..c42451d0d 100644 --- a/modules/win_scheduled_tasks/files/azure-maintainsystem.ps1 +++ b/modules/win_scheduled_tasks/files/azure-maintainsystem.ps1 
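Review bot: The context comment `## If Datacenter, then cache drive is C` directly above the changed assignment is now wrong, because the new value is `'d:'`. Update it together with the assignment, e.g. `## If Datacenter, then cache drive is D`, and add the reason if it is known. The surrounding class starts and ends outside this hunk, so whether every datacenter host actually has a D: volume cannot be checked from here.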
@@ -418,17 +418,17 @@ function Start-WorkerRunner { $filePath = "C:\generic-worker\ed25519-private.key" $acl = Get-Acl -Path $filePath $otherAccessRules = $acl.Access | Where-Object { - $_.IdentityReference -notlike "NT AUTHORITY\SYSTEM" -and - $_.IdentityReference -notlike "BUILTIN\Administrators" + $_.IdentityReference -notlike "NT AUTHORITY\SYSTEM" -and + $_.IdentityReference -notlike "BUILTIN\Administrators" } if ($otherAccessRules.Count -gt 0) { - $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } - $systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM", "FullControl", "Allow") - $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators", "FullControl", "Allow") - $acl.AddAccessRule($systemRule) - $acl.AddAccessRule($adminRule) - Set-Acl -Path $filePath -AclObject $acl + $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } + $systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM", "FullControl", "Allow") + $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators", "FullControl", "Allow") + $acl.AddAccessRule($systemRule) + $acl.AddAccessRule($adminRule) + Set-Acl -Path $filePath -AclObject $acl } 
@@ -523,6 +523,29 @@ function LinkZY2D { } } +function Set-PipCachePermissions { + [CmdletBinding()] + param ( + + ) + + Write-Log -message ('{0} :: Setting permissions on : {1}' -f $($MyInvocation.MyCommand.Name), $ENV:PIP_CACHE_DIR) -severity 'DEBUG' + $folderPath = $ENV:PIP_CACHE_DIR + $acl = Get-Acl $folderPath + $permission = "Everyone", "FullControl", "Allow" + $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission + $acl.SetAccessRule($accessRule) + Set-Acl $folderPath $acl + + # Apply permissions recursively to all subdirectories and files + Get-ChildItem -Path $folderPath -Recurse | ForEach-Object { + $itemAcl = Get-Acl $_.FullName + $itemAcl.SetAccessRule($accessRule) + Set-Acl $_.FullName $itemAcl + } + Write-Log -message ('{0} :: Successfully set permissions on : {1}' -f $($MyInvocation.MyCommand.Name), $ENV:PIP_CACHE_DIR) -severity 'DEBUG' +} + ## Get the tags from azure imds $imds_tags = Get-AzureInstanceMetadata -ApiVersion "2021-12-13" -Endpoint "instance" -Query "tags" @@ -555,6 +578,8 @@ If (($hand_off_ready -eq 'yes') -and ($managed_by -eq 'taskcluster')) { Puppet-Run LinkZY2D } + ## Finally, let's make sure that $ENV:PIP_CACHE_DIR is readable by all users + Set-PipCachePermissions ## Start worker runner, which starts generic-worker Start-WorkerRunner # wait and check if GW has started diff --git a/modules/win_scheduled_tasks/files/maintainsystem-reftester.ps1 b/modules/win_scheduled_tasks/files/maintainsystem-reftester.ps1 index 22b6c63b9..8afcebca8 100644 --- a/modules/win_scheduled_tasks/files/maintainsystem-reftester.ps1 +++ b/modules/win_scheduled_tasks/files/maintainsystem-reftester.ps1 
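Review bot: `Set-PipCachePermissions` grants `Everyone` `FullControl` on the pip cache and on every item below it, while the comment at the call site only asks for the cache to be readable by all users. On a worker that runs tasks under different accounts, a cache that any account can write, re-ACL or take ownership of lets one task replace a cached package that a later task installs. The rule is also built without inheritance flags, which is why the function has to walk the whole tree on every run, and an unset `$ENV:PIP_CACHE_DIR` reaches `Get-Acl` unchecked. An inheritable read-only rule on the directory, sketched below, covers the stated intent; if tasks really must write to the cache, that deserves an explicit comment and a narrower right than FullControl. The identical function and call are added to maintainsystem-reftester.ps1 in this same patch and need the same change.

```powershell
function Set-PipCachePermissions {
    # … unchanged: CmdletBinding/param block and first Write-Log …
    $folderPath = $ENV:PIP_CACHE_DIR
    if ([string]::IsNullOrWhiteSpace($folderPath) -or -not (Test-Path -LiteralPath $folderPath -PathType Container)) {
        Write-Log -message ('{0} :: PIP_CACHE_DIR is unset or not a directory, skipping' -f $($MyInvocation.MyCommand.Name)) -severity 'DEBUG'
        return
    }
    $acl = Get-Acl -LiteralPath $folderPath
    # Inheritable read-only grant: new children pick it up, so no per-item walk is needed.
    # Explicit FullControl entries left on children by earlier runs still need a one-off cleanup.
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "Everyone", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.SetAccessRule($accessRule)
    Set-Acl -LiteralPath $folderPath -AclObject $acl
    # … unchanged: final Write-Log …
}
```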
@@ -403,6 +403,29 @@ function Test-ConnectionUntilOnline { throw "Connection timeout." } +function Set-PipCachePermissions { + [CmdletBinding()] + param ( + + ) + + Write-Log -message ('{0} :: Setting permissions on : {1}' -f $($MyInvocation.MyCommand.Name), $ENV:PIP_CACHE_DIR) -severity 'DEBUG' + $folderPath = $ENV:PIP_CACHE_DIR + $acl = Get-Acl $folderPath + $permission = "Everyone", "FullControl", "Allow" + $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission + $acl.SetAccessRule($accessRule) + Set-Acl $folderPath $acl + + # Apply permissions recursively to all subdirectories and files + Get-ChildItem -Path $folderPath -Recurse | ForEach-Object { + $itemAcl = Get-Acl $_.FullName + $itemAcl.SetAccessRule($accessRule) + Set-Acl $_.FullName $itemAcl + } + Write-Log -message ('{0} :: Successfully set permissions on : {1}' -f $($MyInvocation.MyCommand.Name), $ENV:PIP_CACHE_DIR) -severity 'DEBUG' +} + ## Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1910123 ## The bug tracks when we reimaged a machine and the machine had a different refresh rate (64hz vs 60hz) ## This next line will check if the refresh rate is not 60hz and trigger a reimage if so @@ -435,6 +458,9 @@ If ($bootstrap_stage -eq 'complete') { ## Instead of querying chocolatey each time this runs, let's query chrome json endoint and check locally installed version Get-LatestGoogleChrome + ## Finally, let's make sure that $ENV:PIP_CACHE_DIR is readable by all users + Set-PipCachePermissions + StartWorkerRunner start-sleep -s 30 while ($true) { From cc7635c730a5ab8335f37462358b8504fab2916d Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Mon, 6 Jan 2025 10:31:51 -0500 Subject: [PATCH 07/10] Add mozilla.firefox.msi string to microphone access --- .../manifests/disable_permissions_prompt.pp | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/modules/win_disable_services/manifests/disable_permissions_prompt.pp b/modules/win_disable_services/manifests/disable_permissions_prompt.pp index a259b44d6..5b4161d1a 100644 --- a/modules/win_disable_services/manifests/disable_permissions_prompt.pp +++ b/modules/win_disable_services/manifests/disable_permissions_prompt.pp @@ -12,4 +12,11 @@ type => string, data => 'Allow', } + + ## Required for Mochitest browser-chrome run from msix packages + registry_value { 'HKLM\SOFTWARE\MicrosoftWindows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Mozilla.Firefox.MSIX': + ensure => present, + type => string, + data => 'Allow', + } } From 1b895b9a814c66c902428f9fb8be86831829d611 Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Mon, 6 Jan 2025 12:25:57 -0500 Subject: [PATCH 08/10] Add missing \ --- .../manifests/disable_permissions_prompt.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/win_disable_services/manifests/disable_permissions_prompt.pp b/modules/win_disable_services/manifests/disable_permissions_prompt.pp index 5b4161d1a..8dafa3208 100644 --- a/modules/win_disable_services/manifests/disable_permissions_prompt.pp +++ b/modules/win_disable_services/manifests/disable_permissions_prompt.pp @@ -1,7 +1,3 @@ -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - # Class: win_disable_services::disable_permissions_prompt # # This class disables the permissions prompt for the microphone in Windows. 
@@ -14,7 +10,7 @@ } ## Required for Mochitest browser-chrome run from msix packages - registry_value { 'HKLM\SOFTWARE\MicrosoftWindows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Mozilla.Firefox.MSIX': + registry_value { 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Mozilla.Firefox.MSIX': ensure => present, type => string, data => 'Allow', From df8dd0ccf541c7b7e944996e79eeed76edd6fe26 Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Mon, 6 Jan 2025 15:31:09 -0500 Subject: [PATCH 09/10] Exclude disabling permissions --- modules/roles_profiles/manifests/profiles/disable_services.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/roles_profiles/manifests/profiles/disable_services.pp b/modules/roles_profiles/manifests/profiles/disable_services.pp index 7d774515f..4d121507f 100644 --- a/modules/roles_profiles/manifests/profiles/disable_services.pp +++ b/modules/roles_profiles/manifests/profiles/disable_services.pp @@ -53,8 +53,8 @@ } if $facts['custom_win_display_version'] == '24H2' { ## Firefox will ask prompt for microphone access during mochitest, - ## so explicitly disable it here - include win_disable_services::disable_permissions_prompt + ## Let's not disable here, but rather in-tree in win_unittest.py pre-flight commands + # include win_disable_services::disable_permissions_prompt ## Let's uninstall OneDrive include win_disable_services::disable_onedrive } From 487bdc1a083ccf9d48ccc009e976ab1f22a2b880 Mon Sep 17 00:00:00 2001 
From: Jonathan Moss <2729151+jwmoss@users.noreply.github.com> Date: Wed, 15 Jan 2025 12:17:32 -0500 Subject: [PATCH 10/10] Merge fixes in windows branch back to windows_optimization (#795) * Disable onedrive on 24H2, uninstall unneeded appx packages, bump TC to 77.3.1 * Fix client_id string in taskcluster hiera lookup for 24h2 * Remove unused/test script for caching pypi --- data/roles/win116424h2azure.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/data/roles/win116424h2azure.yaml b/data/roles/win116424h2azure.yaml index 481313bf0..2a4fe0cd0 100644 --- a/data/roles/win116424h2azure.yaml +++ b/data/roles/win116424h2azure.yaml @@ -6,23 +6,23 @@ win-worker: generic_worker: # File versions name: "generic-worker-multiuser-windows-amd64" - version: '72.1.0' + version: '77.3.1' taskcluster: worker_runner: name: 'start-worker-windows-amd64' - version: '72.1.0' + version: '77.3.1' provider: "azure" implementation: "generic-worker" proxy: name: "taskcluster-proxy-windows-amd64" - version: '72.1.0' + version: '77.3.1' # Refrencing the file directly with version in it # Since there is no programtic way to check the version of the livelog exe livelog: name: "livelog-windows-amd64" - version: '72.1.0' - client_id: "azure/gecko-t/win11-64-2009" + version: '77.3.1' + client_id: "azure/gecko-t/win11-64-24h2" worker_group: "test" # Mozilla-build