skolo/win/ansible/swarming-bot-settings.yml - buildbot - Git at Google

 ---
 # Disable Windows Update feature updates, Windows Defender, and disk indexing.
 - hosts: all
   tasks:
   - name: Enable deferring feature updates in Windows Update
     win_regedit:
       path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
       name: "DeferFeatureUpdates"
       data: 1
       type: dword
   - name: Set deferral period for feature updates to 365 in Windows Update UpdatePolicy
     win_regedit:
       path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
       name: "FeatureUpdatesDeferralInDays"
       data: 365
       type: dword
   - name: Set deferral period for feature updates to 365 in Windows Update UX Settings
     win_regedit:
       path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
       name: "DeferFeatureUpdatesPeriodInDays"
       data: 365
       type: dword
   # We do not defer quality updates because they rarely cause problems.
   - name: Disable deferring quality updates in Windows Update
     win_regedit:
       path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
       name: "DeferQualityUpdates"
       data: 0
       type: dword
   - name: Set deferral period for quality updates to 0 in Windows Update UpdatePolicy
     win_regedit:
       path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
       name: "QualityUpdatesDeferralInDays"
       data: 0
       type: dword
   - name: Set deferral period for quality updates to 0 in Windows Update UX Settings
     win_regedit:
       path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
       name: "DeferQualityUpdatesPeriodInDays"
       data: 0
       type: dword
   # Unlike Windows Server, Windows Defender can not be uninstalled on Windows 10. Windows also
   # tends to re-enable it if it's disabled. Instead we exclude the entire drive from scanning and
   # disable specific features. Docs here:
   # https://docs.microsoft.com/en-us/powershell/module/defender/Set-MpPreference?view=win10-ps
   - name: Disable Windows Defender
     win_shell: "Set-MpPreference -ExclusionPath C:\\ -DisableBehaviorMonitoring $True
       -DisableBlockAtFirstSeen $True -DisableIOAVProtection $True
       -DisableIntrusionPreventionSystem $True -DisableRealtimeMonitoring $True
       -MAPSReporting Disabled -PUAProtection Disabled"
   - name: Disable disk indexing
     win_service:
       name: WSearch
       start_mode: disabled
       state: stopped
	---
	# Disable Windows Update feature updates, Windows Defender, and disk indexing.
	- hosts: all
	tasks:
	- name: Enable deferring feature updates in Windows Update
	win_regedit:
	path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
	name: "DeferFeatureUpdates"
	data: 1
	type: dword
	- name: Set deferral period for feature updates to 365 in Windows Update UpdatePolicy
	win_regedit:
	path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
	name: "FeatureUpdatesDeferralInDays"
	data: 365
	type: dword
	- name: Set deferral period for feature updates to 365 in Windows Update UX Settings
	win_regedit:
	path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
	name: "DeferFeatureUpdatesPeriodInDays"
	data: 365
	type: dword
	# We do not defer quality updates because they rarely cause problems.
	- name: Disable deferring quality updates in Windows Update
	win_regedit:
	path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
	name: "DeferQualityUpdates"
	data: 0
	type: dword
	- name: Set deferral period for quality updates to 0 in Windows Update UpdatePolicy
	win_regedit:
	path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
	name: "QualityUpdatesDeferralInDays"
	data: 0
	type: dword
	- name: Set deferral period for quality updates to 0 in Windows Update UX Settings
	win_regedit:
	path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
	name: "DeferQualityUpdatesPeriodInDays"
	data: 0
	type: dword
	# Unlike Windows Server, Windows Defender can not be uninstalled on Windows 10. Windows also
	# tends to re-enable it if it's disabled. Instead we exclude the entire drive from scanning and
	# disable specific features. Docs here:
	# https://docs.microsoft.com/en-us/powershell/module/defender/Set-MpPreference?view=win10-ps
	- name: Disable Windows Defender
	win_shell: "Set-MpPreference -ExclusionPath C:\\ -DisableBehaviorMonitoring $True
	-DisableBlockAtFirstSeen $True -DisableIOAVProtection $True
	-DisableIntrusionPreventionSystem $True -DisableRealtimeMonitoring $True
	-MAPSReporting Disabled -PUAProtection Disabled"
	- name: Disable disk indexing
	win_service:
	name: WSearch
	start_mode: disabled
	state: stopped