Tag Archives: Windows

1-2-3-4-5 BitLocker 9-8-7-6-5

BitLocker Drive Encryption

BitLocker Drive Encryption (Photo credit: Wikipedia)

I was sitting in a planning meeting with a client recently in which we were discussing ways of protecting end-user machines, especially laptops that were in and out of the office.  The previous convention relied on BIOS locks that were proprietary to the hardware manufacturer, and required the end user to either enter two passwords or swipe their fingerprint on a sensor.  As the company planned to migrate away from the dedicated hardware provider and toward a CYOD (Choose Your Own Device) type of environment this would no longer be a viable solution.

As the discussion started about what they were planning to use to provide a second layer of protection from unauthorized access to systems, I asked if the company was still intending to use BitLocker to encrypt the hard drives for these machines.  When it was confirmed that they would, I presented the hardware agnostic solution: adding a PIN (Personal Identification Number) to BitLocker.

BitLocker is a disk encryption tool that was introduced with Windows Vista, and has been greatly improved upon since.  It ties in to the TPM (Trusted Platform Module) in your computer (included mostly in Enterprise-class systems) and prevents protected hard drives from being hacked.  Most people configure it and leave it there… which means that it is ‘married’ to the physical computer with the TPM chip.  However there are a few additions you can add.

Authentication has not changed much in the last few thousand years.  It is usually based on a combination of something you have and something you know.  Beyond that is it just levels of complexity and degrees of encryption.  So our TPM chip is something we have… but assuming the hard drive is in the computer, they go together.  So we need another way of protecting our data.  Smart cards and tokens are great, but they can be stolen or lost… and you have to have to implement the infrastructure with a cost (although with AuthAnvil from ScorpionSoft the cost is low and it is relatively easy to do).

Passwords work great… as long as you make them complex enough that they are difficult to hack, and ensure people change them often enough to stymie hackers… and don’t write them down, and so on.  However even with all of that, operating system passwords are still going to be reasonably easy to crack – to the knowledgeable and determined.  Hardware level passwords, on the other hand, are a different beast altogether.  The advent of TPM technology (and its inclusion in most enterprise-grade computer hardware) means that an encryption tied to the TPM will be more secure… and by adding a PIN to it makes it even more so.  Even though the default setting in Windows is to not allow passwords or PINs on local drives, it is easy enough to enable.

untitled1. Open the Group Policy Editor (gpedit.msc).

2. Expand Computer Configuration – Administrative Templates– Windows Components – BitLocker Drive Encryption – Operating System Drives

3. Right-click the policy called Require additional authentication at startup and click Edit.

4. Select the Enabled radio button.

5. Select the drop-down Configure TPM startup PIN: and click Require startup PIN with TPM.

At this point, when you enable BitLocker, you (or your user) will be prompted to enter a PIN when enabling BitLocker.

**NOTE: This policy will apply when enabling drives for the first time.  A drive that is already encrypted will not fall into scope of this policy.

By the way, while I am demonstrating this on a local computer, it would be the same steps to apply to an Active Directory GPO.  That is what my client will end up doing for their organization, thereby adding an extra layer of security to their mobile devices.

Windows To Go: Disk Behaviour

BitLocker Drive Encryption

BitLocker Drive Encryption (Photo credit: Wikipedia)

Recently I was explaining Windows To Go at a client site.  We had a few interesting discussions about the power as well as the limitations of the security features.

One attendee asked a couple of good questions:

1) Is there any way to block the ‘on-lining’ of your Windows To Go key in other installations of Windows?

2) Is there a way to block users from bringing local disks on-line from within Windows To Go?

While I did not have the answers off the top of my head, after some consideration they are actually quite simple.

1) Windows To Go is the equivalent of any hard drive.  Because the machines that you are meant to use them on will be unmanaged, it is impossible to prevent this.  However Microsoft does provide several different levels of protection:

  • The WTG drive is off-line by default;
  • When building the WTG key you can enable BitLocker
  • Although BitLocker on the WTG key cannot be tied to a TPM chip, it will have a password associated.

In other words, in order to compromise the key from another installation of Windows, you would have to bring the WTG key on-line, unlock it, and provide a password.  In other words, if you trust the person to whom you gave the key.  If you don’t, he probably should not be on your systems in the first place.

The second answer is probably a happier one.  Because Windows to Go is (or can be) a managed environment (including domain membership, Group Policy, and even System Center management) the key can be locked down as you see fit.  How you would do it depends on which of the tools you have at your disposal… but yes, this can be done.

I hope this helps you to make your environment more secure using Windows To Go!

Managing Hyper-V Virtual Machines with Windows PowerShell

Warning: The following post was written by a scripting luddite.  The author readily admits that he would have difficulty coding his way out of a paper bag, and if the fate of the world depended on his ability to either write code or develop software then you had better start hoarding bottled water and cans of tuna.  Fortunately for everyone, there are heroes to help him!

I love the Graphical User Interface (GUI).  I use it every day in both the Windows client and Windows Server operating systems.  It makes my life easier on a day to day basis.

With that being said, there are several tasks that administrators must do on a regular basis.  There is no simple and reliable way to create repetitive task macros in the GUI.  Hence we can either work harder, or we can learn to use scripting tools like Windows PowerShell.

Along the way I have gotten some help from some friends.  Ed Wilson’s books have provided a wealth of information for me, and Sean Kearney has been my go-to guy when I need help.  There was a time when I was teaching a class and was asked ‘Can PowerShell do that?’  I replied by saying that if I asked Sean Kearney to write a PowerShell script to tie my shoes, I was reasonably sure he could do it because PowerShell can do ANYTHING.  Well one of my students posted that comment on Twitter, and got the following reply from Sean (@EnergizedTech):

Get-Shoe | Invoke-Tie

It makes sense too…because PowerShell works with a very simple Verb-Noun structure, and if you speak English it is easy to learn.

I may be a scripting luddite, but I do know a thing or two about virtualization, and especially Hyper-V.  So it only stands to reason that if I was going to start learning (and even scarier, teaching) PowerShell, I would start with the Hyper-V module.  As a good little Microsoft MVP and Community Leader, it only makes sense that I would take you along for the ride :)

Most of what can be done in PowerShell can also be done in the GUI.  If I want to see a list of the virtual machines on my system, I simply open the Hyper-V Manager and there it is.

Get-GUI

PowerShell is almost as simple… Type Get-VM.

Get-PS

By the way you can filter it… if you only want virtual machines that start with the letter S, try:

Get-VM S*

One of the advantages of PowerShell is that it allows you to manage remote servers, rather than having to log into them you can simply run scripts against them.  If you have a server called SWMI-Host1, you can simply type:

Get-VM –Server SWMI-Host1

Starting and stopping virtual machines is simple…

Start-VM Admin

Stop-VM VMM

Again, your wildcards will work here:

Start-VM O*

This command will start all VMs that start with the letter O.

If you want to check how much memory you have assigned to all of your virtual machines (very useful when planning as well as reporting) simply run the command:

Get-VMMemory *

Get-VMMemory

I did mention that you could use this command for reporting… to make it into an HTML report run the following:

Get-VMMemory * | ConvertTo-HTML | Out-File c:\VMs\MemReport.htm

To make it into a comma separated values (CSV) file that can easily be read in Microsoft Office Excel, just change the command slightly:

Get-VMMemory * | ConvertTo-CSV | Out-File c:\VMs\MemReport.csv

The report created is much more detailed than the original screen output, but not so much so as to be unusable.  See:

Making Changes

So far we have looked at VMs, we have started and stopped them… but we haven’t actually made any changes to them. Let’s create a new virtual machine, then make the changes we would make in a real world scenario.

New-VM –Name PSblog –MemoryStartupBytes 1024MB –NewVHDPath c:\VHDs\PSblog.vhdx –NewVHDSizeBytes 40GB –SwitchName CorpNet

With this simple script I created a virtual machine named PSblog with 1024MB of RAM, a new virtual hard disk called PSblog.vhdx that is 40GB in size, and connected it to CorpNet.

Now that will work, but you are stuck with static memory.  Seeing as one of the great features of Hyper-V is Dynamic Memory, let’s use it with the following script:

Set-VMMemory –VMName PSblog –DynamicMemoryEnabled $true –MinimumBytes 512MB –StartupBytes 1024MB MaximumBytes 2048MB

Now we’ve enabled dynamic memory for this VM, setting the minimum to 512MB, the maximum to 2048MB, and of course the startup RAM to 1024MB.

For the virtual machine we are creating we might need multiple CPUs, and because some of our hosts may be newer and other ones older we should set the compatibility mode on the virtual CPU to make sure we can Live Migrate between all of our Intel-based hosts:

Set-VMProcessor –VMName PSblog –Count 4 –CompatibilityForMigrationEnabled $true

At this point we have created a new virtual machine, configured processor, memory, networking, and storage (the four food groups of virtualization), and are ready to go.

I will be delving deeper into Hyper-V management with PowerShell over the next few weeks, so stay tuned!

NOTE: While nothing in this article is plagiarized, I do want to thank a number of sources, on whose expertise I have leaned rather heavily.  Brien Posey has a great series of articles on Managing Hyper-V From the Command Line on www.VirtualizationAdmin.com which is definitely worth reading.  He focuses on an add-on set of tools called the Hyper-V Management Library (available from www.Codeplex.com) so many of the scripts he discusses are not available out of the box, but the articles are definitely worth a read.  Rob McShinsky has an article on SearchServerVirtualization (a www.TechTarget.com property) called Making sense of new Hyper-V 2012 PowerShell cmdlets which is great, and links to several scripts for both Server 2008 R2 and Server 2012.  Thanks to both of them for lending me a crutch… you are both worthy of your MVP Awards!

Getting Started With Hyper-V in Server 2012 and Windows 8

You all know by now that I am a huge Hyper-V fan… I have been using it since 2008, but with the latest release I am unabashedly loving Microsoft’s Layer 1 hypervisor.  The fact that it has been included in Windows 8  – as in, no different from the virtualization platform I use in my servers – is just the icing on the cake.

It is true that almost any IT Pro would be able to install and use Hyper-V on either the server or client platform without much guidance.  However when you do start out – either with Hyper-V in general, or on a new system – there are a few things that you should know before you go.  Here are some of my tips, in no particular order of importance.

1) Change the default file locations!

The default file locations for virtual hard disks and virtual machines are a bit obscure.  I like to change them right out of the gate.  Depending on which drive I want to store them on (in Windows 8 it is usually the C drive, while on proper servers it will usually not be) I will store them both right off the root… x:\VHDs and x:\VMs.  That way I do not have to navigate to the defaults whenever I want to copy a file.  I find x:\VHDs much easier than c:\Users\Public\Documents\Hyper-V\Virtual Hard Disks and c:\ProgramData\Microsoft\Windows\Hyper-V.

If I am going to use Failover Clustering with Cluster Shared Volumes the defaults will be different, but for standalone servers these defaults suit me fine.

STEPS:

  1. In Hyper-V Manager click on Hyper-V Settings… in the Actions Pane.
  2. Under the Server context, click on Virtual Hard Disks and change the default location.  You will have to create the directory before going ahead.
  3. Still under the Server context, click on Virtual Machines and change the default location.  Again, you will have to create the directory first.

It’s as easy as that.  Of course, VMs that are already there will not be moved, but going forward all VMs will be placed in the proper directory.

2) Create your Virtual Switch!

When you start creating virtual machines there will be nowhere for them to go and nobody for them to talk to… that is, unless you create a virtual switch (previously called virtual network) to connect them to.  Depending on your server and your environment this might be simple or complex, and may require more planning.  However the long and the short of it is you have to make three decisions when creating a virtual switch:

  • Is the network going to be External (can communicate beyond the physical host), Internal (can only communicate with other VMs on the same host, plus with the host), or Private (can only communicate with other VMs on the same host)?
  • If External, what physical NIC (uplink) will it be bound to?
  • Can the Management OS (on the host) use the same NIC?

STEPS:

  1. In the Action Pane of Hyper-V Manager click Virtual Switch Manager…
  2. In the navigation pane click New virtual switch
  3. In the right screen select External, Internal, or Private and click Create Virtual Switch
  4. In the Virtual Switch Properties window delete New Virtual Switch and name the switch something that you will understand (i.e.: CorpNet).
  5. Click OK to close the Virtual Switch Manager.

Again, this is all there is to it.  Plain and easy, no fuss, no muss.

3) Configure Dynamic Memory

When you create a virtual machine there are a few defaults that Hyper-V thinks is a good idea… which I don’t.  The main one that comes to mind is the Dynamic Memory option (per VM).  When you configure Dynamic Memory the defaults are going to be:

Startup RAM: 512 MB

Minimum RAM: 512 MB

Maximum RAM: 1048576 MB

Ok, for a lot of our virtual machines 512MB may be a fine minimum… but unless you are driving a BAWL (Big @$$ Work Load) server on the VM you will nearly never need a terabyte of RAM.  Granted it is nice that we have that ability, it is not going to be the norm.  On the other hand, not setting a realistic maximum would mean that if your VM were to place a huge memory demand – say, because of an unchecked memory leak or a compromised server, or even something as simple as an Exchange Server grabbing as much physical (ahem… virtual) RAM as it can – then this would necessarily be at the expense of contention resources, which would no longer be available to other virtual machines on the same host.

My recommended best practice is to pick minimums and maximums that are reasonable to you for each server (and those will be different from VM to VM, depending on the load expectations).  You will be able to tweak these up or down as needed, but the point is you will have reasonable limits.  For many of my servers I set limits such as these:

Startup RAM: 512 MB

Minimum RAM: 512 MB

Maximum RAM: 4096 MB

These settings allow the VM to consume up to 4 GB of RAM when needed and available, but no more than that.  If I discover the VM workload needs more then I will tweak it up incrementally.  I am not letting resources go to waste, and I am making sure that my VMs work within their means – i.e.: as efficiently as they can.

STEPS:

  1. imageWithin Hyper-V Manager click on the VM in question and then in the Action Pane (VM Name) click Settings…
  2. In the Navigation Pane click Memory
  3. In the Memory window change the Minimum and Maximum RAM as needed.
  4. Click OK.

4) …and Hard Disks!

By default the virtual hard disks that are created for us in the New Virtual Machine Wizard will be 127 GB.  But do they really need to be that big?  Actually, in a lot of cases they do.  In many cases they should be bigger.  Sometimes they should be smaller.  If you are creating your disks this way then you should right-size them in the wizard.

With that being said, the one question that the wizard does not ask you is ‘what type of disk would you like to create?’  In Server 2012 there are actually three questions that you should be asked that are only asked when creating your disks using the New Virtual Hard Disk Wizard:

a) Would you like to create a VHD file (with backward-compatibility, and limited to 2 TB in size) or a VHDX file (which adds resilience to consistency issues that might occur from power failures, and are limited to 64 TB in size but offer no backward compatibility)

b) Would you like the disk to be Fixed size (pre-provisioned storage), Dynamically expanding (storage on demand), or Differencing disk (associated with a parent-child relationship with another disk)?

c) Would you like to create the new VHD(X) file based on the contents of an attached physical drive?

The solution is to pre-create your VHD(X) files to spec, and then point to them from the New Virtual Machine Wizard.  While dynamically expanding disks are fine for labs and offer greater portability, I never recommend them in a production environment.  Also if you think you might need to port your VMs back to Server 2008 (or Windows 7) then VHD will be required.

STEPS:

    1. From the Hyper-V Manager console in the Actions Pane click New > Hard Disk…
    2. Go through the wizard and select the options you choose.
    3. From the New Virtual Machine Wizard click the radio button Use an existing virtual hard disk and point to the right file.
    4. Click Finish.

image

Alternately, you could select the radio Attach a virtual hard disk later and create your VMs, then create your VHD(X) files, and then attach them.  It seems like more work to me though…

5) …and CPUs!

There are a few new settings in the Processor tab of Hyper-V VMs than there used to be.  Not only can you set the number of virtual processors (to the lesser of either a maximum of 64, or the number of physical cores in your computer), but you can also set the VM reserve, the percent of total system resources, the VM limit, and the relative weight.  These are all set in the main screen of the Processor Settings page.

imageWhat a lot of people do not realize is that there are two subsections to the Processor tab: Compatibility and NUMA.  In order to access these you need to expand the + next to Processor in the navigation pane.

NUMA stands for Non-Uniform Memory Architecture, and essentially means that a single VM can use memory that is assigned to different physical CPUs.

Compatibility in this context refers to CPU families, and is a very handy option indeed.  In virtualization there is no way to live-migrate a VM from a host running on AMD CPUs to a host running on Intel CPUs.  This is not a limitation of Hyper-V, rather of the architecture of CPUs, and is identical in VMware.  However CPU family is not the only limiting factor to allow live migrations; CPU properties are a factor too, and because of advancements in the technology it would generally not be possible to live migrate a VM from a host with an older CPU to a host with a newer CPU.

A few years ago VMware saw this as an issue, and along with Intel developed a technology called EVC, or Enhanced vMotion Compatibility.  What EVC does is it masks the newer chipset features (generally multimedia signatures and things like that) from the VM, so that all of a sudden you can migrate between older and newer hosts (say, an Intel i7 to an Intel Core Duo).  In VMware this is assigned at the Cluster level.

Of course the technology is simple enough, but the intellectual property is not.  EVC has the word vMotion (a trademark) in the title.  Microsoft cannot use the term vMotion.  As such their compatibility mechanism (which works the same way) is called Migrate to a physical computer with a different processor version (MTPCWDPV).  The name is not nearly as sexy as EVC, but they compensated by assigning it to the VM instead of the cluster.  It is a simple checkbox that you check (or uncheck) under the Compatibility Configuration screen.

If you are going to be using Live Migration between hosts with potentially incompatible CPU then follow these steps:

STEPS:

      1. imageWithin Hyper-V Manager click on the VM in question and then in the Action Pane (VM Name) click Settings…
      2. In the Navigation Pane click Processor, then click the + next to Processor to expand the tree.
      3. Click on Compatibility
      4. Click the checkbox Migrate to a physical computer with a different processor version.
      5. Click OK.

Following these simple best practices will not make you an expert in Hyper-V by any means, but it is a good start… what they will allow you to do is get started comfortably and play with the technology without hitting some of the more common stumbling blocks that beginners seem to run into.  As your needs grow you will be comfortable enough with the technology to try new things, explore new possibilities.  Before long you will be as virtualization expert, ready to tackle concepts such as Shared Nothing Live Migration, Failover Clustering, Cluster Shared Volumes, and much much more.

In the meantime dip your toes into the virtualization waters… it’s warm and inviting, the hazards are not too dangerous, and the rewards are incredible.  In no time you will be ready to get certified… but even if that is not your goal you have already taken the first steps to becoming a virtual wiz!

Refresh Your PC – Save your bacon!

Thursday morning I did something to my main laptop that I really should not have done, and the results were disastrous.  I succeeded in completely wrecking my installation of Windows 8.  I was able to boot into the OS, but as soon as I tried to launch any application my system went into an endless flash-loop, and was completely unusable.

I want to be clear that Windows 8 is a very solid and stable platform – it is built on the foundation of Windows 7 which most people agree was the most stable OS that Microsoft had ever released.  Unfortunately when you tart to play under the hood (where the vast majority of users would never be) things can go wrong… and indeed that is what happened to my system.

Normally under these circumstances I would simply reformat the laptop, or at the very least re-install Windows on the existing partition (so as to not wipe my data).  However because my system is protected with BitLocker I would have had to extract the BitLocker Recovery Key, which I have on file… somewhere.

Because my laptop has a Microsoft corporate image on it I could have gone to the IT Help Desk at the office and had them work it out with me… but it was Thursday, I wasn’t going to be in my office until Monday, and I had several presentations to do over the course of the week-end… not to mention blog articles, e-mail, and whatever else I might have had to do.

Since I was able to boot into Windows 8 I decided to try to Refresh my PC.  This is a new feature of the OS that is found under Settings – Change PC Settings – General that refreshes my PC without affecting any files.  Essentially it reinstalls the OS in place which restores anything that I would have messed up – and I know just how badly I messed it up.  However it retains my data and settings for all users – including domain membership, files, desktop… everything.

Refresh is BitLocker-aware, and warned me before starting that it would temporarily disable my BitLocker protection and then re-enable it when the process was complete.

It took about 15 minutes.  Refresh rebooted the PC a couple of times, fixed everything that was wrong, and when I booted back into Windows it prompted me to log on as b-mitchg – my alias in the Microsoft Active Directory.  My password worked, and so did my PC.  The desktop was exactly as I had left it – a little cluttered, although not as bad as it would have been on Windows 7.

Refresh restores all of your Windows 8 apps that were installed from the Windows Store; any applications that you installed ‘the legacy way’ will have to be re-installed.  However that was a small price to pay considering that most of my apps (with the exception of Microsoft Office 2013) are all from the Store, so I didn’t have a lot of loss.

My settings were all correct, my documents were in their place, and my SkyDrive connection was intact.  Everything was as it was before the refresh… except it all worked!

Of course there is a ‘one step further’ – Remove everything and re-install Windows.  This will not preserve any of your files, settings, or even your account.  Imagine you are selling your PC, giving it to your kids, or whatever.  You don’t have to do anything but click through to the Settings – Change PC Settings – General tab and click the option to Remove Everything.  You don’t have to go looking for your Windows media, it just takes care of everything for you.

Between these two options I can imagine that technicians will spend a lot less time trying to clean malware out of their PCs… the Refresh option is much quicker and just as effective.

I know it saved my bacon last week… it saved me from something far more dangerous than malware… it saved me from myself!