env/windows-arm64/azure: update instructions

- Account for the new production environment
- Use smaller, cheaper machines
- Fix the antivirus instructions

For golang/go#57408.

Change-Id: I219677c570787a907d67763e0d88552ebdc142c4
Reviewed-on: https://go-review.googlesource.com/c/build/+/462516
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/env/windows-arm64/azure/README.md b/env/windows-arm64/azure/README.md
index fec7f00..5cf8fe4 100644
--- a/env/windows-arm64/azure/README.md
+++ b/env/windows-arm64/azure/README.md
@@ -33,13 +33,13 @@
 ```
 az vm create \
   --name=MyNewVmName \
-  --resource-group=dev_buildlets \
+  --resource-group=<dev/prod>_buildlets \
   --admin-username=gopheradmin \
   --admin-password=<password from valentine> \
   --image=microsoftwindowsdesktop:windows11preview-arm64:win11-22h2-ent:latest \
-  --nsg-rule=NONE \
-  --size=Standard_D8ps_v5 \
-  --subscription=<set subscription ID here> \
+  --nsg=<dev/prod>_buildlets-security-group \
+  --size=Standard_D4ps_v5 \
+  --subscription=<Development/Production> \
   --public-ip-address ""
 ```
 
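Review bot: `--nsg=<dev/prod>_buildlets-security-group` replaces `--nsg-rule=NONE`, so the new VM's inbound exposure now depends entirely on a pre-existing security group that the README does not describe. Suggest adding a sentence above the command stating that the group must already exist in the chosen subscription and which inbound rules it is expected to carry, so an operator can check it before creating a machine that will later have its antivirus turned off.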
@@ -57,7 +57,8 @@
 az vm run-command invoke \
     --command-id=RunPowerShellScript \
     --name="MyNewVM" \
-    --resource-group=dev_buildlets \
+    --subscription=<Development/Production> \
+    --resource-group=<dev/prod>_buildlets \
     --scripts @startup.ps1
 ```
 
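Review bot: the added `--subscription=<Development/Production>` and `--resource-group=<dev/prod>_buildlets` are two independent placeholders, and nothing here says which value of one goes with which value of the other. Suggest either one line of text giving the pairing or showing the dev and prod invocations separately, so the command cannot be run against a mismatched subscription and resource group.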
@@ -67,25 +68,27 @@
 
 * output from the command is in JSON
 * exit status of the "az" command does NOT accurately reflect exit status of the powershell script.
+* errors about things already existing are expected
+
+## First login
+
+Log into the new builder as "gopher" at least once so as to go through the "initial login" Windows workflow. Find the VM in the Azure portal, and enter the login in the Bastion section. Choose "no" on all the setup prompts.
 
 ## Follow-ons to disable antivirus
 
 In later versions of windows, it can be very difficult to completely disable the system's antivirus software, due to "features" such as [tamper protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide), which make it almost impossible to programmatically turn off windows defender (and which ensure that any changes made are undone when the system reboots).
 
-Running this command should help somewhat:
+Open Windows Security, Virus & threat protection, Manage settings, and turn off Tamper Protection. Then run this command:
 
 ```
 az vm run-command invoke \
     --command-id=RunPowerShellScript \
     --name="MyNewVM" \
-    --resource-group=dev_buildlets \
+    --subscription=<Development/Production> \
+    --resource-group=<prod/dev>_buildlets \
     --scripts @antivirusadditions.ps1
 ```
 
-## First login
-
-Log into the new builder as "gopher" at least once so as to go through the "initial login" Windows workflow.
-
 ## Builder key
 
 Generate a builder key for the VMs according to the directions in [x/build/cmd/genbuilderkey](https://go.googlesource.com/build/+/fdfb99e1de1f68b555502056567be459d98a0e71/cmd/genbuilderkey/README.md).
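Review bot: the new bullet "errors about things already existing are expected" does not say which errors, and the bullet above it already notes that the exit status of `az` does not reflect the script's exit status, so an operator has no way to tell an expected error from a real failure. Suggest quoting one or two of the expected messages, or naming the steps that produce them. Separately, the antivirus command uses `--resource-group=<prod/dev>_buildlets` while the other two commands use `<dev/prod>_buildlets`; use one ordering throughout.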
diff --git a/env/windows-arm64/azure/antivirusadditions.ps1 b/env/windows-arm64/azure/antivirusadditions.ps1
index dc28384..8bf1660 100644
--- a/env/windows-arm64/azure/antivirusadditions.ps1
+++ b/env/windows-arm64/azure/antivirusadditions.ps1
@@ -8,10 +8,8 @@
 
 # Antivirus setup.
 
-$drive = "C"
-
-Add-MpPreference -ExclusionPath "$(drive):\" -ErrorAction SilentlyContinue
-Add-MpPreference -ExclusionProcess "$(drive):\*" -ErrorAction SilentlyContinue
+Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue
+Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue
 
 Write-Host "Attempting to disable scanning engines via Set-MpPreference"
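Review bot: both `Add-MpPreference` lines keep `-ErrorAction SilentlyContinue`, so if Tamper Protection was not turned off first (the README now makes that a manual step) the exclusions can fail with no visible output. Suggest following them with a `Write-Host` of `(Get-MpPreference).ExclusionPath` and `(Get-MpPreference).ExclusionProcess`, so the JSON returned by `az vm run-command invoke` shows whether `C:\` and `C:\*` were actually recorded.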