Add VM image setup script for verification

Author: piroor

doc/verify/windows-11-24H2/.gitignore

@@ -0,0 +1,6 @@
+.terraform
+terraform.tfvars
+terraform.tfstate
+terraform.tfstate.backup
+rdp/*.rdp
+

doc/verify/windows-11-24H2/Makefile

@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+.PHONY: apply ansible destroy
+
+SHELL=/bin/bash
+
+all: apply
+
+terraform.tfvars:
+	cat terraform.tfvars.template | sed -e "s/%password%/$$(pwgen -s --remove-chars="\'\"$$%{}" -y 20 1)/gi" > terraform.tfvars
+	# Chrome policy template via https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
+	@if [ -f ansible/files/policy_templates.zip ]; then \
+	  sed -i'' -e 's/chrome-policy-template-archive = ""/chrome-policy-template-archive = "policy_templates.zip"/' terraform.tfvars; \
+	else \
+	  echo "WARNING: missing Chrome ADM/ADMX policy template. Download via https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip"; \
+	  echo "WARNING: then put it under ansible/files/policy_templates.zip."; \
+	fi
+	# Edge policy template via https://www.microsoft.com/ja-jp/edge/business/download
+	@if [ -f ansible/files/MicrosoftEdgePolicyTemplates.zip ]; then \
+	  sed -i'' -e 's/edge-policy-template-archive = ""/edge-policy-template-archive = "MicrosoftEdgePolicyTemplates.zip"/' terraform.tfvars; \
+	else \
+	  echo "WARNING: Missing Edge ADM/ADMX policy template. Download via https://www.microsoft.com/ja-jp/edge/business/download"; \
+	  echo "WARNING: then put it under ansible/files/MicrosoftEdgePolicyTemplates.zip."; \
+	fi
+
+CHROME_WEBEXT_VERSION=$(shell cat ../../../webextensions/chrome/manifest.json | jq --raw-output ".version")
+EDGE_WEBEXT_VERSION=$(shell cat ../../../webextensions/edge/manifest.json | jq --raw-output ".version")
+manifest.xml:
+	cat manifest.xml.template | sed -e "s/CHROME_WEBEXT_VERSION/$(CHROME_WEBEXT_VERSION)/" \
+	                                -e "s/EDGE_WEBEXT_VERSION/$(EDGE_WEBEXT_VERSION)/" > ansible/files/manifest.xml
+
+apply: terraform.tfvars manifest.xml
+	terraform init
+	terraform plan
+	time (terraform apply -auto-approve && ansible-playbook -i ansible/hosts ansible/playbook.yml)
+
+apply-playbook:
+	ansible-playbook -i ansible/hosts ansible/playbook.yml
+
+destroy:
+	terraform destroy -auto-approve
+
+clean:
+	rm -rf terraform.tfvars .terraform terraform.tfstate terraform.tfstate.backup
+

doc/verify/windows-11-24H2/ansible/.gitignore

@@ -0,0 +1,3 @@
+hosts
+playbook.yml
+

doc/verify/windows-11-24H2/ansible/files/copy-policy-templates.bat

@@ -0,0 +1,15 @@
+REM
+REM c:\Users\Public配下にchrome,edgeのポリシーテンプレートがある想定
+REM
+
+REM MicrosoftEdgePolicyTemplates.zipがedgeとして展開されている想定
+xcopy /F /E /Y /V edge\windows\admx\*.admx c:\Windows\PolicyDefinitions\
+xcopy /F /E /Y /V edge\windows\admx\en-US c:\Windows\PolicyDefinitions\en-US
+xcopy /F /E /Y /V edge\windows\admx\ja-JP c:\Windows\PolicyDefinitions\ja-JP
+
+REM policy_templates.zipがchromeとして展開されている想定
+xcopy /F /E /Y /V chrome\windows\admx\*.admx c:\Windows\PolicyDefinitions\
+xcopy /F /E /Y /V chrome\windows\admx\en-US c:\Windows\PolicyDefinitions\en-US
+xcopy /F /E /Y /V chrome\windows\admx\ja-JP c:\Windows\PolicyDefinitions\ja-JP
+
+

doc/verify/windows-11-24H2/ansible/files/join-dummy-domain.bat

@@ -0,0 +1,12 @@
+REM
+REM ダミーのドメインに参加状態にする
+REM See https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
+
+reg add HKLM\SOFTWARE\Microsoft\Enrollments\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v EnrollmentState /t reg_dword /d 1 /f
+reg add HKLM\SOFTWARE\Microsoft\Enrollments\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v EnrollmentType /t reg_dword /d 0 /f
+reg add HKLM\SOFTWARE\Microsoft\Enrollments\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v IsFederated /t reg_dword /d 0 /f
+reg add HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v Flags /t reg_dword /d 0xd6fb7f /f
+reg add HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v AcctUId /t reg_sz /d "0x000000000000000000000000000000000000000000000000000000000000000000000000" /f
+reg add HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v RoamingCount /t reg_dword /d 0 /f
+reg add HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v SslClientCertReference /t reg_sz /d "MY;User;0000000000000000000000000000000000000000" /f
+reg add HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /v ProtoVer /t reg_sz /d "1.2" /f

doc/verify/windows-11-24H2/ansible/files/leave-dummy-domain.bat

@@ -0,0 +1,6 @@
+REM
+REM ダミーのドメインから離脱する
+REM See https://hitco.at/blog/apply-edge-policies-for-non-domain-joined-devices/
+
+reg delete HKLM\SOFTWARE\Microsoft\Enrollments\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /f
+reg delete HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF /f

doc/verify/windows-11-24H2/ansible/files/manifest.xml

@@ -0,0 +1,6 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
+  <app appid='omgmjffdahkpfpginoledpigpfpmlncm'><!-- Edge用アドオンのIDを書く -->
+    <updatecheck codebase='file:///C:/Users/Public/webextensions/edge.crx' version='1.0' /><!-- `edge.crx` の実際のFile URLを書く -->
+  </app>
+</gupdate>

doc/verify/windows-11-24H2/config/FirstLogonCommands.xml

@@ -0,0 +1,17 @@
+<FirstLogonCommands>
+    <SynchronousCommand>
+        <CommandLine>cmd /c "mkdir C:\terraform"</CommandLine>
+        <Description>Create the Terraform working directory</Description>
+        <Order>11</Order>
+    </SynchronousCommand>
+    <SynchronousCommand>
+        <CommandLine>cmd /c "copy C:\AzureData\CustomData.bin C:\terraform\winrm.ps1"</CommandLine>
+        <Description>Move the CustomData file to the working directory</Description>
+        <Order>12</Order>
+    </SynchronousCommand>
+    <SynchronousCommand>
+        <CommandLine>powershell.exe -sta -ExecutionPolicy Unrestricted -file C:\terraform\winrm.ps1</CommandLine>
+        <Description>Execute the WinRM enabling script</Description>
+        <Order>13</Order>
+    </SynchronousCommand>
+</FirstLogonCommands>

doc/verify/windows-11-24H2/config/settings.ps1

@@ -0,0 +1,4 @@
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+Invoke-WebRequest -Uri https://raw.githubusercontent.com/ansible/ansible-documentation/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile ConfigureRemotingForAnsible.ps1
+powershell -ExecutionPolicy ByPass -File ConfigureRemotingForAnsible.ps1
+Remove-Item -path ConfigureRemotingForAnsible.ps1 -force