

Remove mtls mds certs from disk and certstore (#250)
ChaitanyaKulkarni28 authored Aug 15, 2024
1 parent 73d5f92 commit 7177456
Showing 2 changed files with 12 additions and 0 deletions.
1 change: 1 addition & 0 deletions packaging/googet/google-compute-engine-sysprep.goospec
Expand Up @@ -22,6 +22,7 @@
"path": "sysprep/sysprep_uninstall.ps1"
},
"releaseNotes": [
"3.20.0 - Remove MTLS MDS certificates from certificate store and disk during sysprep.
"3.19.0 - Migrating MTU & Firewall rule modifications to use PowerShell cmdlets instead of netsh for Win10/2016 and above.",
"3.18.0 - Updated activate_instance.ps1 to skip setting KMS and activation, if any known GCE Windows BYOL license is attached.",
"3.17.0 - Add Windows Server 2022 KMS client keys",
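Review bot: The new 3.20.0 entry in `releaseNotes` has no closing `",` after `during sysprep.`, so as rendered the goospec is no longer valid JSON and every consumer of the package spec would reject it; the line should end `... disk during sysprep.",` exactly like the 3.19.0 entry beneath it. If the page merely truncated the line, the inference does not hold, but the missing delimiter is visible on the page while every neighbouring entry closes its string.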
11 changes: 11 additions & 0 deletions sysprep/sysprep.ps1
Expand Up @@ -132,6 +132,7 @@ function Clear-TempFolders {
"C:\Users\*\Appdata\Local\Temp\*\*",
"C:\Users\*\Appdata\Local\Microsoft\Internet Explorer\*",
"C:\Users\*\Appdata\LocalLow\Temp\*\*",
"C:\ProgramData\Google\Compute Engine\mds-mtls-*"
"C:\Users\*\Appdata\LocalLow\Microsoft\Internet Explorer\*") | ForEach-Object {
if (Test-Path $_) {
Remove-Item $_ -Recurse -Force -ErrorAction Ignore
Expand Down Expand Up @@ -215,6 +216,9 @@ try {
Start-Sleep -Seconds 15
}

Write-Log 'Stopping GCEAgent.'
Stop-Service -name GCEAgent

Write-Log 'Setting startup commands.'
Set-ItemProperty -Path HKLM:\SYSTEM\Setup -Name CmdLine -Value "`"$PSScriptRoot\windeploy.cmd`""
if (-not (Test-Path $script:setupscripts_dir_loc)) {
Expand Down Expand Up @@ -243,6 +247,13 @@ $PSHome\powershell.exe -NoProfile -NoLogo -ExecutionPolicy Unrestricted -File "$
}
}

Write-Log 'Clearing MTLS MDS certs.'
@('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root') | ForEach-Object {
if (Test-Path $_) {
Get-ChildItem $_ | Where-Object {$_.Issuer -Match 'google.internal'} | Remove-Item
}
}

if ([System.Environment]::OSVersion.Version.Build -ge 10240) {
Write-Log "Enabling RDP and WinRM firewall rules using PowerShell. Build $([System.Environment]::OSVersion.Version.Build)"
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow -Profile Any
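Review bot: The new `"C:\ProgramData\Google\Compute Engine\mds-mtls-*"` element in the Clear-TempFolders path array (first hunk; the function starts outside the hunk) has no trailing comma, so as rendered the parenthesised array is followed by a second string on a new line and the whole script fails to parse before sysprep runs anything; the line should read `"C:\ProgramData\Google\Compute Engine\mds-mtls-*",` to match the entries above it. In the last hunk (inside a `try` that starts outside it), `Where-Object {$_.Issuer -Match 'google.internal'}` is an unanchored regex whose `.` matches any character, so every certificate in `LocalMachine\My` and `LocalMachine\Root` whose issuer merely contains a string like `googleXinternal` anywhere is deleted, which is more than the MDS mTLS certificates the log line names. Escaping and bounding the match, e.g. `$_.Issuer -Match '\bgoogle\.internal\b'`, and, if the exact issuer name of the MDS certificates is known, matching that full value instead, keeps the cleanup from removing unrelated trust anchors from the image.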

