From fb346ca00e8dd5ede61d63ffb978ccc3ae7e7a89 Mon Sep 17 00:00:00 2001
From: Yvan Duhamel
Date: Fri, 27 Dec 2024 10:04:29 +0100
Subject: [PATCH] enable TrustedLaunch

---
 .../SharePoint-AllVersions/CHANGELOG.md | 2 +-
 .../azuredeploy.parameters.json | 10 +++---
 .../SharePoint-AllVersions/main.bicep | 2 +-
 .../SharePoint-AllVersions/metadata.json | 2 +-
 .../CHANGELOG.md | 2 +-
 .../DeployTemplate.ps1 | 4 ++-
 .../azuredeploy.json | 35 ++++++++++++++-----
 .../azuredeploy.parameters.json | 15 ++++----
 .../main.bicep | 35 +++++++++++++++----
 .../metadata.json | 2 +-
 .../SharePoint-ADFS/CHANGELOG.md | 7 ++++
 .../SharePoint-ADFS/DeployTemplate.ps1 | 4 ++-
 .../SharePoint-ADFS/azuredeploy.json | 33 ++++++++++++-----
 .../SharePoint-ADFS/main.bicep | 33 +++++++++++++----
 14 files changed, 137 insertions(+), 49 deletions(-)

diff --git a/Azure DevTest Labs/SharePoint-AllVersions/CHANGELOG.md b/Azure DevTest Labs/SharePoint-AllVersions/CHANGELOG.md
index 2a931f94..8bd676f7 100644
--- a/Azure DevTest Labs/SharePoint-AllVersions/CHANGELOG.md
+++ b/Azure DevTest Labs/SharePoint-AllVersions/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Change log for Azure DevTest Labs template SharePoint-AllVersions
 
-## Enhancements & bug-fixes - Published in December 26, 2024
+## Enhancements & bug-fixes - Published in December 27, 2024
 
 ### Added
 
diff --git a/Azure DevTest Labs/SharePoint-AllVersions/azuredeploy.parameters.json b/Azure DevTest Labs/SharePoint-AllVersions/azuredeploy.parameters.json
index 2630854c..517a47d8 100644
--- a/Azure DevTest Labs/SharePoint-AllVersions/azuredeploy.parameters.json
+++ b/Azure DevTest Labs/SharePoint-AllVersions/azuredeploy.parameters.json
@@ -2,9 +2,9 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "provisionSharePointSubscription": { "value": "Subscription-Latest" },
- "provisionSharePoint2019": { "value": false },
- "provisionSharePoint2016": { "value": false },
+ "provisionSharePointSubscription": { "value": "Subscription-RTM" },
+ "provisionSharePoint2019": { "value": true },
+ "provisionSharePoint2016": { "value": true },
 "configureADFS": { "value": true },
 "domainFqdn": { "value": "contoso.local" },
 "adminUsername": { "value": "Yvand" },
@@ -14,7 +14,7 @@
 "vmSharePointStorage": { "value": "Premium_LRS" },
 "rdpTrafficRule": { "value": "No" },
 "enableHybridBenefitServerLicenses": { "value": true },
- "enableAzureBastion": { "value": true }
- // "_artifactsLocation": { "value": "https://github.com/Yvand/AzureRM-Templates/raw/master/Templates/DTL-SharePoint-AllVersions-light" }
+ "enableAzureBastion": { "value": false }
+ // "_artifactsLocation": { "value": "https://github.com/Yvand/AzureRM-Templates/raw/master/Azure%20DevTest%20Labs/DTL-SharePoint-AllVersions-light" }
 }
 }
diff --git a/Azure DevTest Labs/SharePoint-AllVersions/main.bicep b/Azure DevTest Labs/SharePoint-AllVersions/main.bicep
index 66753baf..84399088 100644
--- a/Azure DevTest Labs/SharePoint-AllVersions/main.bicep
+++ b/Azure DevTest Labs/SharePoint-AllVersions/main.bicep
@@ -250,7 +250,7 @@ param vmSharePointSize string = 'Standard_B4as_v2'
 param vmSharePointStorage string = 'StandardSSD_LRS'
 
 @description('The base URI where artifacts required by this template are located. When the template is deployed using the accompanying scripts, a private location in the subscription will be used and this value will be automatically generated.')
-param _artifactsLocation string = 'https://github.com/Yvand/AzureRM-Templates/raw/master/Templates/DTL-SharePoint-AllVersions-light'
+param _artifactsLocation string = 'https://github.com/Yvand/AzureRM-Templates/raw/convert-to-bicep/Azure%20DevTest%20Labs/DTL-SharePoint-AllVersions-light'
 
 @description('The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated.')
 @secure()
diff --git a/Azure DevTest Labs/SharePoint-AllVersions/metadata.json b/Azure DevTest Labs/SharePoint-AllVersions/metadata.json
index 6db11540..8138d713 100644
--- a/Azure DevTest Labs/SharePoint-AllVersions/metadata.json
+++ b/Azure DevTest Labs/SharePoint-AllVersions/metadata.json
@@ -3,5 +3,5 @@
 "description": "Deploy SharePoint Subscription / 2019 / 2016 with a lightweight configuration. Each version is independent and may or may not be deployed.",
 "summary": "Deploy SharePoint Subscription / 2019 / 2016 with a lightweight configuration. Each version is independent and may or may not be deployed.",
 "githubUsername": "Yvand",
- "dateUpdated": "2024-12-26"
+ "dateUpdated": "2024-12-27"
 }
\ No newline at end of file
diff --git a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/CHANGELOG.md b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/CHANGELOG.md
index a0b91a18..f5d1f0f4 100644
--- a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/CHANGELOG.md
+++ b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/CHANGELOG.md
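Review bot: The new default for `_artifactsLocation` points at the `convert-to-bicep` branch, a mutable ref, so a deployment that keeps the default fetches whatever that branch holds at deploy time and stops working once the branch is merged or deleted; the same change is made in SharePoint-SingleFarm-FullConfig/main.bicep and its azuredeploy.json. Since this URI is where the template's artifacts are downloaded from during deployment, pinning it to an immutable ref, e.g. `param _artifactsLocation string = 'https://github.com/Yvand/AzureRM-Templates/raw/<release-tag-or-commit-sha>/Azure%20DevTest%20Labs/DTL-SharePoint-AllVersions-light'`, would make deployments reproducible and auditable. The commented `_artifactsLocation` in azuredeploy.parameters.json still references `master`, so the two defaults now disagree.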
@@ -1,6 +1,6 @@
 # Change log for Azure DevTest Labs template DTL-SharePoint-FullConfig
 
-## Enhancements & bug-fixes - Published in December 26, 2024
+## Enhancements & bug-fixes - Published in December 27, 2024
 
 ### Added
 
diff --git a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/DeployTemplate.ps1 b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/DeployTemplate.ps1
index 0fb146b1..50a44ccd 100644
--- a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/DeployTemplate.ps1
+++ b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/DeployTemplate.ps1
@@ -93,7 +93,9 @@ if ($result.ProvisioningState -eq "Succeeded") {
 Write-Host "Deployment completed successfully in $($elapsedTime.ToString("h\hmm\m\n"))." -ForegroundColor Green
 $outputs = (Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -Name $resourceDeploymentName).Outputs
 $outputMessage = "Use the account ""$($outputs.domainAdminAccount.value)"" (""$($outputs.domainAdminAccountFormatForBastion.value)"") to sign in"
- $outputMessage += $outputs.ContainsKey("publicIPAddressSP") ? " to ""$($outputs.publicIPAddressSP.value)""" : "."
+ if ($outputs.ContainsKey("publicIPAddressSP") -and ![String]::IsNullOrWhiteSpace($outputs.publicIPAddressSP.value)) {
+ $outputMessage += " to ""$($outputs.publicIPAddressSP.value)"""
+ }
 Write-Host $outputMessage -ForegroundColor Green
 }
 else {
diff --git a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.json b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.json
index 7156d83a..7dbf0b4f 100644
--- a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.json
+++ b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.json
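Review bot: The removed ternary appended `"."` whenever no `publicIPAddressSP` output existed, whereas the new `if` appends nothing in that case (and in the newly handled empty-value case), so the message now ends on `to sign in` with no terminator. If the period is intended, an `else { $outputMessage += "." }` branch after the new block restores it. The identical hunk appears in Azure Resource Manager/SharePoint-ADFS/DeployTemplate.ps1, and the enclosing `if ($result.ProvisioningState -eq "Succeeded")` block begins before the hunk.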
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.31.92.45157",
- "templateHash": "463196043803748823"
+ "version": "0.32.4.45862",
+ "templateHash": "11266622120295476244"
 },
 "description": "Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).",
 "author": "Yvand"
@@ -332,7 +332,7 @@
 },
 "_artifactsLocation": {
 "type": "string",
- "defaultValue": "https://github.com/Yvand/AzureRM-Templates/raw/dev/Azure DevTest Labs/DTL-SharePoint-FullConfig",
+ "defaultValue": "https://github.com/Yvand/AzureRM-Templates/raw/convert-to-bicep/Azure%20DevTest%20Labs/DTL-SharePoint-FullConfig",
 "metadata": {
 "description": "The base URI where artifacts required by this template are located. When the template is deployed using the accompanying scripts, a private location in the subscription will be used and this value will be automatically generated."
 }
@@ -417,7 +417,7 @@
 "Label": "Latest",
 "Packages": [
 {
- "DownloadUrl": "https://download.microsoft.com/download/4/b/4/4b4d907f-2e25-4972-a7b1-dfe8d1c0fadb/uber-subscription-kb5002651-fullfile-x64-glb.exe"
+ "DownloadUrl": "https://download.microsoft.com/download/c/e/c/ceca0241-efca-4484-9d76-5661806f16c4/uber-subscription-kb5002658-fullfile-x64-glb.exe"
 }
 ]
 }
@@ -457,7 +457,8 @@
 "vmFEName": "FE",
 "vmDCImage": "MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition-smalldisk:latest",
 "vmSQLImage": "MicrosoftSQLServer:sql2022-ws2022:sqldev-gen2:latest",
- "vmSharePointImage": "[if(variables('sharePointSettings').isSharePointSubscription, variables('sharePointSettings').sharePointImagesList.Subscription, if(equals(parameters('sharePointVersion'), '2019'), variables('sharePointSettings').sharePointImagesList.sp2019, variables('sharePointSettings').sharePointImagesList.sp2016))]"
+ "vmSharePointImage": "[if(variables('sharePointSettings').isSharePointSubscription, variables('sharePointSettings').sharePointImagesList.Subscription, if(equals(parameters('sharePointVersion'), '2019'), variables('sharePointSettings').sharePointImagesList.sp2019, variables('sharePointSettings').sharePointImagesList.sp2016))]",
+ "vmSharePointSecurityProfile": "[if(equals(parameters('sharePointVersion'), '2016'), null(), createObject('securityType', 'TrustedLaunch', 'uefiSettings', createObject('secureBootEnabled', true(), 'vTpmEnabled', true())))]"
 },
 "dscSettings": {
 "forceUpdateTag": "1.0",
@@ -668,7 +669,14 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": {
+ "securityType": "TrustedLaunch",
+ "uefiSettings": {
+ "secureBootEnabled": true,
+ "vTpmEnabled": true
+ }
+ }
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', 'vm-dc-nic')]"
@@ -846,7 +854,14 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": {
+ "securityType": "TrustedLaunch",
+ "uefiSettings": {
+ "secureBootEnabled": true,
+ "vTpmEnabled": true
+ }
+ }
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', 'vm-sql-nic')]"
@@ -1023,7 +1038,8 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": "[variables('vmsSettings').vmSharePointSecurityProfile]"
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', 'vm-sp-nic')]"
@@ -1264,7 +1280,8 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": "[variables('vmsSettings').vmSharePointSecurityProfile]"
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', format('vm-fe{0}-nic', range(0, parameters('frontEndServersCount'))[range(0, parameters('frontEndServersCount'))[copyIndex()]]))]",
diff --git a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.parameters.json b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.parameters.json
index 4c04aefd..7c3eefce 100644
--- a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.parameters.json
+++ b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/azuredeploy.parameters.json
@@ -2,18 +2,19 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- // "sharePointVersion": { "value": "Subscription-RTM" },
- "sharePointVersion": { "value": "2019" },
+ "sharePointVersion": { "value": "Subscription-RTM" },
+ // "sharePointVersion": { "value": "2019" },
 "domainFqdn": { "value": "contoso.local" },
 "adminUsername": { "value": "yvand" },
 "adminPassword": { "value": null },
 "otherAccountsPassword": { "value": null },
 "timeZone": { "value": "Romance Standard Time" },
- // "vmSharePointStorage": { "value": "Premium_LRS" },
- "rdpTrafficRule": { "value": "10.20.30.40" },
- "numberOfAdditionalFrontEnd": { "value": 1 },
+ "outboundAccessMethod": { "value": "PublicIPAddress" },
+ "rdpTrafficRule": { "value": "No" },
+ "frontEndServersCount": { "value": 1 },
 "enableHybridBenefitServerLicenses": { "value": true },
- "addAzureBastion": { "value": false }
- // "_artifactsLocation": { "value": "https://github.com/Yvand/AzureRM-Templates/raw/master/Templates/DTL-SharePoint-FullConfig" }
+ "enableAzureBastion": { "value": false },
+ "vmSharePointStorage": { "value": "Premium_LRS" }
+ // "_artifactsLocation": { "value": "https://github.com/Yvand/AzureRM-Templates/raw/master/Azure%20DevTest%20Labs/DTL-SharePoint-FullConfig" }
 }
 }
diff --git a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/main.bicep b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/main.bicep
index 3830feed..f93c0a42 100644
--- a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/main.bicep
+++ b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/main.bicep
@@ -262,7 +262,7 @@ param vmSharePointSize string = 'Standard_B4as_v2'
 param vmSharePointStorage string = 'StandardSSD_LRS'
 
 @description('The base URI where artifacts required by this template are located. When the template is deployed using the accompanying scripts, a private location in the subscription will be used and this value will be automatically generated.')
-param _artifactsLocation string = 'https://github.com/Yvand/AzureRM-Templates/raw/dev/Azure DevTest Labs/DTL-SharePoint-FullConfig'
+param _artifactsLocation string = 'https://github.com/Yvand/AzureRM-Templates/raw/convert-to-bicep/Azure%20DevTest%20Labs/DTL-SharePoint-FullConfig'
 
 @description('The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated.')
 @secure()
@@ -390,6 +390,15 @@ var vmsSettings = {
 : ((sharePointVersion == '2019')
 ? sharePointSettings.sharePointImagesList.sp2019
 : sharePointSettings.sharePointImagesList.sp2016))
+ vmSharePointSecurityProfile: sharePointVersion == '2016'
+ ? null
+ : {
+ securityType: 'TrustedLaunch'
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ }
 }
 
 var dscSettings = {
@@ -603,6 +612,13 @@ resource vm_dc_def 'Microsoft.Compute/virtualMachines@2024-07-01' = {
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: {
+ securityType: 'TrustedLaunch'
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ }
 }
 }
 
@@ -770,6 +786,13 @@ resource vm_sql_def 'Microsoft.Compute/virtualMachines@2024-07-01' = {
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: {
+ securityType: 'TrustedLaunch'
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ }
 }
 }
 
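Review bot: The Trusted Launch profile literal is spelled out three times in this file (inside `vmsSettings.vmSharePointSecurityProfile` and inline on `vm_dc_def` and `vm_sql_def`) and three more times in Azure Resource Manager/SharePoint-ADFS/main.bicep, so any later change to the UEFI settings must be repeated in six places. Hoisting it into one variable and referencing it from the conditional and from both resources keeps the profiles from drifting, as sketched below. The `sharePointVersion == '2016'` exclusion carries no explanation; a comment such as `// SharePoint 2016 stays on the default profile: Trusted Launch needs a Generation 2 image and a supporting VM size — confirm the image generation` would save the next reader from re-deriving it. Secure boot and vTPM alone only measure the boot chain; if the measurements are meant to be reported and monitored, the guest attestation extension would also have to be added, which this change does not do and may be out of scope. The DTL CHANGELOGs in this commit only bump the publication date and do not record that Trusted Launch was enabled, unlike the ADFS CHANGELOG.
```bicep
// Shared Trusted Launch profile (secure boot + vTPM) applied to every VM except SharePoint 2016.
var trustedLaunchProfile = {
  securityType: 'TrustedLaunch'
  uefiSettings: {
    secureBootEnabled: true
    vTpmEnabled: true
  }
}

var vmsSettings = {
  // … unchanged: VM names and image references …
  // SharePoint 2016 is left out — TODO confirm why (e.g. its image is not Generation 2)
  vmSharePointSecurityProfile: sharePointVersion == '2016' ? null : trustedLaunchProfile
}

// in the properties of vm_dc_def and vm_sql_def, replacing the inline literal:
    licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
    securityProfile: trustedLaunchProfile
```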
@@ -936,6 +959,7 @@ resource vm_sp_def 'Microsoft.Compute/virtualMachines@2024-07-01' = {
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: vmsSettings.vmSharePointSecurityProfile
 }
 }
 
@@ -1159,6 +1183,7 @@ resource vm_fe_def 'Microsoft.Compute/virtualMachines@2024-07-01' = [
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: vmsSettings.vmSharePointSecurityProfile
 }
 }
 ]
@@ -1564,15 +1589,11 @@ resource firewall_def 'Microsoft.Network/azureFirewalls@2023-11-01' = if (outbou
 }
 }
 
-output publicIPAddressDC string = outboundAccessMethod == 'PublicIPAddress'
- ? vm_dc_pip.properties.dnsSettings.fqdn
- : ''
+output publicIPAddressDC string = outboundAccessMethod == 'PublicIPAddress' ? vm_dc_pip.properties.dnsSettings.fqdn : ''
 output publicIPAddressSQL string = outboundAccessMethod == 'PublicIPAddress'
 ? vm_sql_pip.properties.dnsSettings.fqdn
 : ''
-output publicIPAddressSP string = outboundAccessMethod == 'PublicIPAddress'
- ? vm_sp_pip.properties.dnsSettings.fqdn
- : ''
+output publicIPAddressSP string = outboundAccessMethod == 'PublicIPAddress' ? vm_sp_pip.properties.dnsSettings.fqdn : ''
 output vm_fe_public_dns array = [
 for i in range(0, frontEndServersCount): (outboundAccessMethod == 'PublicIPAddress')
 ? vm_fe_pip[i].properties.dnsSettings.fqdn
diff --git a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/metadata.json b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/metadata.json
index 3886cf2e..b1e66777 100644
--- a/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/metadata.json
+++ b/Azure DevTest Labs/SharePoint-SingleFarm-FullConfig/metadata.json
@@ -3,5 +3,5 @@
 "description": "Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).",
 "summary": "Create a SharePoint Server farm with an extensive configuration. Key softwares (inc. Fiddler, vscode, np++, 7zip and ULS Viewer) and fine tuning make the farm immediately useful for most scenarios",
 "githubUsername": "Yvand",
- "dateUpdated": "2024-12-26"
+ "dateUpdated": "2024-12-27"
 }
\ No newline at end of file
diff --git a/Azure Resource Manager/SharePoint-ADFS/CHANGELOG.md b/Azure Resource Manager/SharePoint-ADFS/CHANGELOG.md
index d10034f9..9963cef8 100644
--- a/Azure Resource Manager/SharePoint-ADFS/CHANGELOG.md
+++ b/Azure Resource Manager/SharePoint-ADFS/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Change log for Azure template SharePoint-ADFS
 
+## Enhancements & bug-fixes -
+
+### Changed
+
+- Template
+ - Enabled [Trusted launch](https://learn.microsoft.com/azure/virtual-machines/trusted-launch-existing-vm), with secure boot and Virtual Trusted Platform Module, on all virtual machines except SharePoint 2016
+
 ## Enhancements & bug-fixes - Published in December 18, 2024
 
 ### Changed
diff --git a/Azure Resource Manager/SharePoint-ADFS/DeployTemplate.ps1 b/Azure Resource Manager/SharePoint-ADFS/DeployTemplate.ps1
index 0fb146b1..50a44ccd 100644
--- a/Azure Resource Manager/SharePoint-ADFS/DeployTemplate.ps1
+++ b/Azure Resource Manager/SharePoint-ADFS/DeployTemplate.ps1
@@ -93,7 +93,9 @@ if ($result.ProvisioningState -eq "Succeeded") {
 Write-Host "Deployment completed successfully in $($elapsedTime.ToString("h\hmm\m\n"))." -ForegroundColor Green
 $outputs = (Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -Name $resourceDeploymentName).Outputs
 $outputMessage = "Use the account ""$($outputs.domainAdminAccount.value)"" (""$($outputs.domainAdminAccountFormatForBastion.value)"") to sign in"
- $outputMessage += $outputs.ContainsKey("publicIPAddressSP") ? " to ""$($outputs.publicIPAddressSP.value)""" : "."
+ if ($outputs.ContainsKey("publicIPAddressSP") -and ![String]::IsNullOrWhiteSpace($outputs.publicIPAddressSP.value)) {
+ $outputMessage += " to ""$($outputs.publicIPAddressSP.value)"""
+ }
 Write-Host $outputMessage -ForegroundColor Green
 }
 else {
diff --git a/Azure Resource Manager/SharePoint-ADFS/azuredeploy.json b/Azure Resource Manager/SharePoint-ADFS/azuredeploy.json
index 5d5b4413..9d38f0c0 100644
--- a/Azure Resource Manager/SharePoint-ADFS/azuredeploy.json
+++ b/Azure Resource Manager/SharePoint-ADFS/azuredeploy.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.31.92.45157",
- "templateHash": "14893435318195681754"
+ "version": "0.32.4.45862",
+ "templateHash": "4274725021098793298"
 },
 "description": "Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).",
 "author": "Yvand"
@@ -425,7 +425,7 @@
 "Label": "Latest",
 "Packages": [
 {
- "DownloadUrl": "https://download.microsoft.com/download/4/b/4/4b4d907f-2e25-4972-a7b1-dfe8d1c0fadb/uber-subscription-kb5002651-fullfile-x64-glb.exe"
+ "DownloadUrl": "https://download.microsoft.com/download/c/e/c/ceca0241-efca-4484-9d76-5661806f16c4/uber-subscription-kb5002658-fullfile-x64-glb.exe"
 }
 ]
 }
@@ -465,7 +465,8 @@
 "vmFEName": "FE",
 "vmDCImage": "MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition-smalldisk:latest",
 "vmSQLImage": "MicrosoftSQLServer:sql2022-ws2022:sqldev-gen2:latest",
- "vmSharePointImage": "[if(variables('sharePointSettings').isSharePointSubscription, variables('sharePointSettings').sharePointImagesList.Subscription, if(equals(parameters('sharePointVersion'), '2019'), variables('sharePointSettings').sharePointImagesList.sp2019, variables('sharePointSettings').sharePointImagesList.sp2016))]"
+ "vmSharePointImage": "[if(variables('sharePointSettings').isSharePointSubscription, variables('sharePointSettings').sharePointImagesList.Subscription, if(equals(parameters('sharePointVersion'), '2019'), variables('sharePointSettings').sharePointImagesList.sp2019, variables('sharePointSettings').sharePointImagesList.sp2016))]",
+ "vmSharePointSecurityProfile": "[if(equals(parameters('sharePointVersion'), '2016'), null(), createObject('securityType', 'TrustedLaunch', 'uefiSettings', createObject('secureBootEnabled', true(), 'vTpmEnabled', true())))]"
 },
 "dscSettings": {
 "forceUpdateTag": "1.0",
@@ -676,7 +677,14 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": {
+ "securityType": "TrustedLaunch",
+ "uefiSettings": {
+ "secureBootEnabled": true,
+ "vTpmEnabled": true
+ }
+ }
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', 'vm-dc-nic')]"
@@ -873,7 +881,14 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": {
+ "securityType": "TrustedLaunch",
+ "uefiSettings": {
+ "secureBootEnabled": true,
+ "vTpmEnabled": true
+ }
+ }
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', 'vm-sql-nic')]"
@@ -1069,7 +1084,8 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": "[variables('vmsSettings').vmSharePointSecurityProfile]"
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', 'vm-sp-nic')]"
@@ -1329,7 +1345,8 @@
 }
 ]
 },
- "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]"
+ "licenseType": "[if(parameters('enableHybridBenefitServerLicenses'), 'Windows_Server', null())]",
+ "securityProfile": "[variables('vmsSettings').vmSharePointSecurityProfile]"
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/networkInterfaces', format('vm-fe{0}-nic', range(0, parameters('frontEndServersCount'))[range(0, parameters('frontEndServersCount'))[copyIndex()]]))]",
diff --git a/Azure Resource Manager/SharePoint-ADFS/main.bicep b/Azure Resource Manager/SharePoint-ADFS/main.bicep
index ab18d64e..fd8452e3 100644
--- a/Azure Resource Manager/SharePoint-ADFS/main.bicep
+++ b/Azure Resource Manager/SharePoint-ADFS/main.bicep
@@ -394,6 +394,15 @@ var vmsSettings = {
 : ((sharePointVersion == '2019')
 ? sharePointSettings.sharePointImagesList.sp2019
 : sharePointSettings.sharePointImagesList.sp2016))
+ vmSharePointSecurityProfile: sharePointVersion == '2016'
+ ? null
+ : {
+ securityType: 'TrustedLaunch'
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ }
 }
 
 var dscSettings = {
@@ -607,6 +616,13 @@ resource vm_dc_def 'Microsoft.Compute/virtualMachines@2024-07-01' = {
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: {
+ securityType: 'TrustedLaunch'
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ }
 }
 }
 
@@ -788,6 +804,13 @@ resource vm_sql_def 'Microsoft.Compute/virtualMachines@2024-07-01' = {
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: {
+ securityType: 'TrustedLaunch'
+ uefiSettings: {
+ secureBootEnabled: true
+ vTpmEnabled: true
+ }
+ }
 }
 }
 
@@ -968,6 +991,7 @@ resource vm_sp_def 'Microsoft.Compute/virtualMachines@2024-07-01' = {
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: vmsSettings.vmSharePointSecurityProfile
 }
 }
 
@@ -1205,6 +1229,7 @@ resource vm_fe_def 'Microsoft.Compute/virtualMachines@2024-07-01' = [
 ]
 }
 licenseType: (enableHybridBenefitServerLicenses ? 'Windows_Server' : null)
+ securityProfile: vmsSettings.vmSharePointSecurityProfile
 }
 }
 ]
@@ -1626,15 +1651,11 @@ resource firewall_def 'Microsoft.Network/azureFirewalls@2023-11-01' = if (outbou
 }
 }
 
-output publicIPAddressDC string = outboundAccessMethod == 'PublicIPAddress'
- ? vm_dc_pip.properties.dnsSettings.fqdn
- : ''
+output publicIPAddressDC string = outboundAccessMethod == 'PublicIPAddress' ? vm_dc_pip.properties.dnsSettings.fqdn : ''
 output publicIPAddressSQL string = outboundAccessMethod == 'PublicIPAddress'
 ? vm_sql_pip.properties.dnsSettings.fqdn
 : ''
-output publicIPAddressSP string = outboundAccessMethod == 'PublicIPAddress'
- ? vm_sp_pip.properties.dnsSettings.fqdn
- : ''
+output publicIPAddressSP string = outboundAccessMethod == 'PublicIPAddress' ? vm_sp_pip.properties.dnsSettings.fqdn : ''
 output vm_fe_public_dns array = [
 for i in range(0, frontEndServersCount): (outboundAccessMethod == 'PublicIPAddress')
 ? vm_fe_pip[i].properties.dnsSettings.fqdn