November, 2014 | Aidan Finn, IT Pro

Altaro – Webinar & eBook On Microsoft Licensing For Virtual Environments

Altaro has published a free e-book called Licensing Microsoft Server in a Virtual Environment. I know this is a hot topic because it’s one of this site’s top search results every month. The ebook, written by Eric Siron, covers:

The concept of Microsoft licensing in a virtual environment
Windows Server, Hyper-V Server 2012 & 2012 R2 licensing
Difference between keys & licenses
Understand license transfers, stacking & implications for a cluster
Mapped example diagrams of common virtual licensing environment

Altaro is also running a webinar on this topic on Decentber 4th, featuring fellow Hyper-V MVP Thomas Maurer and Andrew Syrewicze. This webinar will run for 45 minutes with live Q&A, starting at 10am EST or 3pm GMT.

Getting An Ultrabook To Boot From USB

Do you have a new laptop that refuses to boot from USB? You’re failing to get Windows to install from a removable device? Don’t have an RJ45 port to do PXE installs?

If so, I think I have a hack for you. This is what I used for my Toshiba KIRAbook when wiping Windows 10 Techniacl Preview to reinstall Windows 8.1 – it took a lot of Googling and experimentation to get the thing to boot from USB. My fix is not perfect because you sacrifice Secure Boot, but it works. And no, this page from Microsoft, which is copied endlessly on the Internet, is Bull$h1t.

The cause of the issue is UEFI, the successor to BIOS. You are going to have to configure 3 things:

1) Disable Secure Boot

Reboot your laptop into the UEFI setup (probably one of the function keys – this page is pretty good).

2) Enable CSM Boot/Disable UEFI Boot

In my Toshiba KIRAbook, I found this under Advance > System Configuration. The setting name changes depending on if it is enabled or not.

Note that this setting might be greyed out if you haven’t disabled Secure Boot yet.

3) Prepare a Boot Stick

I used a free tool called Rufus to prepare a USB stick from the Windows 8.1 with Update ISO file.

You can now install Windows on your laptop. You’ve lost Secure Boot and UEFI Boot (Windows 8.1 will not start when they are enabled), but you are able to install Windows. I’ll update this post if anyone comes up with something better.

Note: I hate this bolloxology. This stuff should be much easier.

Microsoft News – 24 November 2014

It’s been a slow few news days in the Microsoft world. Stuff I’m not linking to: the infinitely linked webcasts on mobility management and the Reign malware infecting computers in Ireland, Russia, and Saudi Arabia.

Windows Server

Microsoft’s View on Hyper-Convergence: A post I wrote for Petri.com.
Technical Preview Step-by-Step Guide -Storage Replica: Learn to implement this WS vNext feature.

Windows Client

Windows 10 Management Options Coming With New Windows Store: Microsoft plans to add Windows Store management capabilities for organizations using Windows 10 apps "in the coming months."

Azure

Configure Multiple NICs in an Azure Virtual Machine: On Petri.com
Architecting a disaster recovery plan for multi-tier web applications using Microsoft Azure Site Recovery: What it says on the tin.
Importing Windows Azure Cloud Services into Remote Desktop Connection Manager (RDC Man): Third article in a series.

Office 365

Simplification Comes to Office 365 Activation: Cutting out the VLSC/OSA copy/paste key step for Open licensing customers.

Miscellaneous

Growing concern in Ireland over online data privacy: A blog post by Microsoft Ireland MD, Catriona Hallahan, on the USA/Cloud issue.

Technorati Tags: Microsoft,WIndows Server 2015,Windows 10,Azure,Networking,Storage,DR,RDS,Office 365,Licensing,Security

Microsoft News – 20 November 2014

There are a lot of upset people because of (1) the Azure outage and (2) how Microsoft communicated during the outage. We had a couple of affected customers. The only advice I can give to Microsoft is:

Don’t deploy your updates to everything at the same time.
Now you know how customers feel when bad updates are issued. Bring back complete testing.
Communicate clearly during an issue – that includes sending emails to affected customers. You’ve got monitoring systems & automation – use them. Heck, you even blogged about how (Azure) Automation could be used by customers to trigger actions.

Hyper-V

Backup Jobs Failing Post Nov Rollup Install: Hyper-V PM Taylor Brown has an update.

Azure

Microsoft Azure Services Hit By Widespread Outages: There’s a lot of anger out there because of how Microsoft reported these issues.
Update on Azure Storage Service Interruption: A little bit of information on the issues of the previous 24 hours.
Create a Multi-NIC VM with a Public IP in Azure: Take advantage of this new feature.

Miscellaneous

An Overview of the Microsoft Cloud Platform System: A post by me on Petri.com about Microsoft CPS.

Technorati Tags: Microsoft,Hyper-V,Windows Server 2012,WIndows Server 2012 R2,Backup,Azure,Storage,Cloud,Cloud Computing,Networking,Virtualisation,Hardware

November 2014 Update Rollup For Windows–And It Has Issues

Microsoft released November 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 yesterday. This rollup includes lots of fixes, including improved performance of a SOFS cluster during parallelized restores. As usual, I recommend waiting 4 weeks to let others be Microsoft’s testing canaries.

Correction: There are no known problems with the above update.

However, an update rollup released at the same time for Windows Server 2012 DOES in fact have a problem. Microsoft Hyper-V PM, Taylor Brown, tweeted that applying KB2996928 fixes the issue.

Technorati Tags: Windows Server 2012 R2,Hyper-V,Virtualisation

Microsoft News – 19 November 2014

Pay attention to the security update for Windows that was released out of band last night. It’s an important one that prevents people from crafting custom Kerberos tickets.

Hyper-V

How to Build Azure-Like Virtual Machines on Hyper-V: A post I wrote on Petri.com

Windows Server

November 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2: This is a big update that you should test and deploy (after waiting a time you deem appropriate).
Introducing Cloud Witness: Leveraging Azure to get quorum for multi-site clusters.
Failover Clustering in Windows Server Technical Preview: A post by me on Petri.com

Azure

Monitoring Azure Services and External Systems with Azure Automation: Using Azure automation to perform checks.
Azure Disk IOPS and Virtual Machines in IaaS: Each disk has storage QoS caps applied to it.
Enabling Multiple Subscriptions to Share an ExpressRoute Circuit: Multiple vNets across multiple Azure subscriptions connected via one ExpressRoute connection for complex deployments.
Microsoft Azure Desktop Hosting: RD Gateway Farm Deployment Guidance Updated To Support Azure Load Balancer Client IP Affinity: What it says on the tin.

Security

Microsoft Releases Emergency Security Update: MS14-068 fixes a serious issue in Kerberos. This looks like one of those "push it out ASAP" (test first, of course) security fixes.

Office 365

Microsoft rebrands Identity Manager (again) and delivers new public preview: And that’s all she wrote on Forefront.
Microsoft Identity Manager Public Preview is now available! Microsoft has released the preview of MIM, formerly FIM.
Microsoft Launches Office 365 Video: Ever feel like there’s a "throw mud on the wall" thing going on?

Technorati Tags: Microsoft,Hyper-V,Virtualisation,Azure,Hybrid Cloud,Cloud,Cloud Computing,Windows Server 2012 R2,Windows Server 2015,Storage,Failover Clustering,PowerShell,Scripting,Networking,Remote Desktop Services,Office 365,Active Directory

Microsoft News – 17 November 2014

I’ve had a crazy few weeks with TechEd Europe 2014, followed by the MVP Summit, followed by a week of events and catchup at work. Today, I’ve finally gotten to go through my news feeds. There is a LOT of Azure stuff from TEE14.

Hyper-V

What’s New in Windows Server vNext Hyper-V: A post by me on Petri.com
Cluster Shared Volume Failure Handling: How CSV handles storage failures and how it hides failures from applications.
Updating Integration Components over Windows Update: Microsoft announced that they would be releasing updated integration components over Windows Update from now on.
Windows 10 Technical Preview: Hot Add / Remove of Network Adapter: You can now add and remove network adapters from running Generation 2 virtual machines.

Windows Server

vNext Failover Clustering in Windows Server Technical Preview: A video with clustering master, Elden Christensen.
Storage Quality of Service Guide Released for Windows Server Technical Preview: A step-by-step guide.
RemoteFX vGPU Updates in Windows Server Next: Capabilities that improve the experience for end users in a Windows VDI environment for ‘Engineering/Designer’ application workloads that require OpenGL API support and all graphics applications (DX and OpenGL) that require higher video memory.

System Center

Update Rollup 4 for System Center 2012 R2: Wait 1 month. Trust me.
Update Rollup 8 for System Center 2012 Service Pack 1: See previous. Trust me.

Windows Client

Windows 10 – Making Deployment Easier: Using an in-place upgrade instead of the traditional wipe-and-load approach that organizations have historically used to deploy new Windows versions. This upgrade process is designed to preserve the apps, data, and configuration from the existing Windows installation, taking care to put things back the way they need to be after Windows 10 has been installed on the system. And support for traditional deployment tools.
Windows 10 – Manageability Choices: Ensuring that Windows works better when using Active Directory and Azure Active Directory together. When connecting the two, users can automatically be signed-in to cloud-based services like Office 365, Microsoft Intune, and the Windows Store, even when logging in to their machine using Active Directory accounts. For users, this will mean no longer needing to remember additional user IDs or passwords.

Azure

New Marketplace, Network Improvements, New Batch Service, Automation Service, more: TechEd announcement by Scott Guthrie
SAN Replication based Enterprise Grade Disaster Recovery with ASR and System Center: Enterprises that seek to leverage the snapshot and replication capabilities of their Storage Area Network (SAN) Arrays to enable high performance synchronous and asynchronous replication between their on-premises private clouds can now orchestrate end-to-end storage array-based replication and disaster recovery with ASR and System Center Virtual Machine Manager (SCVMM).

ASR SAN replication topology

Announcing the Azure Marketplace: Offers Microsoft Azure Certified and open-source community virtual machine images including SAP, Cloudera, DataStax, CommVault, Veeam, Trend Micro, and Core OS as well as virtual machine extensions including McAfee and Octopus Deploy.
Migrate your Websites to Azure in just a Few Clicks: A new tool from MSFT. See this Getting Started Guide & this video.
Windows Docker Client Demo Highlights Linux Containers on Azure: Docker, CoreOS, and Linux Documentation on Azure.
New Networking features and partnerships for Enterprise scenarios: A whole bunch of announcements: ExpressRoute enhancements include new strategic partnerships, a Meet-Me location in Australia, multi-site ExpressRoute for better disaster recovery, multiple subscriptions sharing the same ExpressRoute circuit, and support for 4,000 routes. We are improving overall security with Network Security Groups for easier subnet isolation in multi-tier topologies, Site to Site Forced Tunneling which sends network traffic back to on-premises for policy validation to meet compliance requirements, and VPN support for Perfect Forward Secrecy (PFS). A new high-performance gateway, multiple virtual NICs in a VM, access to VPN operations logs, nested Traffic Manager policies and Azure load balancer source IP affinity demonstrate our commitment to continually enhance Azure networking capabilities.
New – Azure Traffic Manager Nested Profiles: his feature enables you to create more flexible and powerful load-balancing and failover schemes to support the needs of larger, more complex deployments. Note you can also do hybrid site balancing now.
Azure Load Balancer new distribution mode: Adding a new distribution mode called Source IP Affinity (also known as session affinity or client IP affinity).
Azure Site Recovery – Announcing Windows Azure Pack integration and PowerShell Support: As part of update roll up of Windows Azure Pack UR 4.0, now cloud service providers will be able to offer Windows Azure Pack Plan or ADDONS with ASR capabilities. You now have the ASR PowerShell cmdlets for recovery solution between two on-premise hyper-V datacenters available as part of Azure PowerShell 0.8.10 release.
Using VNET integration and Hybrid connections with Azure Websites: This will outline the example of getting WordPress running on Azure Websites with a remote MySQL database and will be covered in two parts.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines: Real time protection from the latest threats, on-demand scheduled scanning, and collection of antimalware events to your storage account via Azure Diagnostics at no additional charge.
Introducing PowerShell support for Azure Site Recovery: PowerShell support for recovery between two Hyper-V sites managed by Azure Site Recovery.
Red Teaming – Using Cutting-Edge Threat Simulation to Harden the Microsoft Enterprise Cloud: How Microsoft performs penetration tests on Azure and Office 365.
Deploying Your Own Private Docker Registry on Azure: In order to ship your containerized applications to the cloud, you use Docker tools to construct a Docker container image. Although the Docker Hub is a paid service for storing private images, Docker respects developers’ needs and provides the open source “Docker Registry” software used to build the Docker Hub. It is designed to store and provide container images, but the best part about it is that you can host your own private registry with it.
Offering Managed DR for IaaS Workloads with ASR and Azure Pack: Service Providers can now offer Managed DR as a premium service to their customers on top of IaaS workloads.
Deploy to Azure Button for Azure Websites: Deploying to Azure Websites from a Git repository just got a little easier with the Deploy to Azure Button.
Azure Websites Authentication / Authorization: Azure Websites Authentication / Authorization allows you to quickly and easily restrict access to your websites running on Azure Websites by leveraging Azure Active Directory.
Encrypting Azure Virtual Machines with CloudLink SecureVM: CloudLink SecureVM Agent which enables for disk encryption for your Azure Virtual Machines.
AzCopy – Announcing General Availability of AzCopy 3.0 plus preview release of AzCopy 4.0 with Table and File support
Create a VM with multiple NICs in Azure: Done using updated version of Azure PowerShell.
Monitoring Azure Site Recovery: The monitoring capabilities of Azure Site Recovery.
Microsoft announces Exchange Support for Azure VM as a Witness Server: As of January 1, 2015, Microsoft will support using an Azure laaS file server VM as a witness server for an on-premises DAG .

Office 365

Enterprise Mobility TechEd Announcements: Lots of stuff.
Configuring AD FS Servers in an Internal Load-Balanced Set in Azure for Office365 Single Sign-On: Third post in a series on how to enable hybrid single using-in solution using a hybrid Azure deployment.
Office 365 Business Users Getting New ‘Clutter’ E-Mail Feature: Don’t know if I’d trust this.
Microsoft To Rename Lync as ‘Skype for Business’ Next Year:

Intune

New Microsoft Intune capabilities coming this week: The Intune team will be rolling out a service update between November 17, 2014 and November 19, 2014 that introduces new capabilities to Intune standalone (cloud only).

Operational Insights

Microsoft Releases Azure Operational Insights Preview: Starting with a limited free option. The preview is available in the Azure U.S. East region.

Licensing

Microsoft to make per-user Windows licensing available to enterprise customers: A popular move.

Technorati Tags: Microsoft,Hyper-V,Virtualisation,Windows 10,Windows Server 2012 R2,WIndows Server 2015,Failover Clustering,Storage,RDS,System Center,Azure,Hybrid Cloud,Cloud,Cloud Computing,Networking,DR,PowerShell,Scripting,Linux,Security,Exchange,Office 365,Intune,Licensing

TEE14 Scripted Demo 6 – Extended Port ACLs

My sixth TechEd Europe 2014 demo was a fun one: Extended Port ACLs, which is the ability to apply network security rules in the virtual switch port, which cannot be overruled by the guest OS admin.

There is a demo VM that is running IIS with a default site. The Windows Firewall is turned off in the guest OS. The script will:

Clean up the demo lab
Open a window with a continuous ping to the VM, showing the open network status
Starts IE and browses to the VM’s site
Kills IE and applies an extended port ACL to block everything.
IE is re-opened (with flushed cache) and fails to load the site. Ping packets are dropping in the continuous ping.
Kills IE and creates another extended port ACL to allow inbound TCP 80
Reopens IE to show the site is accessible. Meanwhile, pings continue to fail.

There’s plenty of process management, and controlling IE in this script.

cls
#Clean up the demo to start up with
Get-VMNetworkAdapterExtendedAcl -VMName PortACLs | Remove-VMNetworkAdapterExtendedAcl

$DemoVM = "PortACLS"

Write-Host "Extended Port ACLs Demo"

#Clear IE Cache
RunDll32.exe InetCpl.cpl, ClearMyTracksByProcess 8

#Ping the VM
Start-Process Ping -ArgumentList "-t","PortACLS"

#Start IE
$ie = new-object -comobject InternetExplorer.Application
$ie.visible = $true
$ie.top = 200; $ie.width = 900; $ie.height = 600 ; $ie.Left = 100
$ie.navigate("http://portacls.demo.internal")

#Block all traffic script block
Read-Host "Block all traffic to the VM"
#Kill IE
Get-Process -Name IEXPLORE | Stop-Process
RunDll32.exe InetCpl.cpl, ClearMyTracksByProcess 8
Write-Host "`nAdd-VMNetworkAdapterExtendedAcl –VMName PortACLs –Action `“Deny`” –Direction `“Inbound`” –Weight 1"
Sleep 3
Write-Host "`nAll inbound traffic to the virtual machine is blocked" -foregroundcolor red -backgroundcolor yellow
Add-VMNetworkAdapterExtendedAcl –VMName PortACLs –Action “Deny” –Direction “Inbound” –Weight 1
#Start IE to show the site is offline
$ie = new-object -comobject InternetExplorer.Application
$ie.visible = $true
$ie.top = 200; $ie.width = 900; $ie.height = 600 ; $ie.Left = 100
$ie.navigate("http://portacls.demo.internal")

#Put in web traffic exception script block
Read-Host "`n`n`nAllow HTTP traffic to the VM"
#Kill IE
Get-Process -Name IEXPLORE | Stop-Process
RunDll32.exe InetCpl.cpl, ClearMyTracksByProcess 8
Write-Host "Add-VMNetworkAdapterExtendedAcl –VMName PortACLs –Action `“Allow`” –Direction `“Inbound`” –LocalPort 80 –Protocol `“TCP`” –Weight 10"
Sleep 3
Write-Host "`nAll inbound traffic to the virtual machine is blocked EXCEPT for HTTP" -foregroundcolor red -backgroundcolor yellow
Add-VMNetworkAdapterExtendedAcl –VMName PortACLs –Action “Allow” –Direction “Inbound” –LocalPort 80 –Protocol “TCP” –Weight 10
#Start IE to show that the website is now back online, despite all other traffic being blocked
$ie = new-object -comobject InternetExplorer.Application
$ie.visible = $true
$ie.top = 200; $ie.width = 900; $ie.height = 600 ; $ie.Left = 100
$ie.navigate("http://portacls.demo.internal")

Read-Host "`n`n`nEnd the demo"

#Clean up after the demo
Get-Process -Name Ping | Stop-Process
Get-Process -Name IEXPLORE | Stop-Process
Get-VMNetworkAdapterExtendedAcl -VMName PortACLs | Remove-VMNetworkAdapterExtendedAcl

Ever Wonder HOW Microsoft Upgrades The Firmware of New Employees? I Have Evidence!

I’ve had a number of friends “go blue” over the years, that is, they joined Microsoft as full time employees (FTEs). All were like me, some things they liked and others they didn’t like at Microsoft … BEFORE they joined the company. Not long after joining, they flew to the mother ship in Redmond for “training” or “meetings” and returned very different people. Everything was awesome; even the dodgiest endeavours by Microsoft were the best things ever.

I and others would joke about our friends having their firmware updated. That was a joke … until now. I have the evidence that something mysterious is indeed happening. I was behind the curtains yesterday, and went to get a Coke from the fridge when I spotted this:

Sparking water made by … Microsoft! Of course, I will be taking this evidence to a lab to be analysed and searched for traces of psychotropic substances. I suspect this may indeed be the actual firmware upgrade that is supplied to unwitting new blue badges when they are transported to Redmond, WA. I shall follow up as soon as the results are in from the lab.

Note: This article is written with my tongue firmly in my cheek. If you are offended or think I am being serious in any way, then please visit a reality consultant.

TEE14 Scripted Demo 5 – Out-Of-Band File Copy

In my fight demo at TechEd Europe 2014, the topic was OOB File Copy, the ability to place a file into a VM’s storage, via the VMBus, and without network connectivity to the VM (e.g. tenant isolation).

The script does the following:

Cleans up the demo
Opens up notepad. I manually copy and paste text from a website into the file and save it.
Enable the Guest Service Interface for the VM to enable OOB File Copy
Copy the file to the VM
Disable Guest Service Interface
Connect to the VM. I manually log in and open the file to verify that the file I created is now inside of the VM
Clean up the demo

function KillProcess ($Target)
{
    $Processes = Get-Process
    Foreach ($Process in $Processes)
    {
        if ($Process.ProcessName -eq $Target)
        {
            Stop-Process $Process
        }
    }
}

cls

$DemoHost1 = "Demo-Host1"
$DemoVM1 = “OOBFileCopy”
$DemoFile = "CopyFile.txt"
$DemoFilePath = "C:\Scripts\TechEd\$DemoFile"
$VMConnect = "C:\Windows\system32\vmconnect.exe"
$VMConnectParams = "$DemoHost1 $DemoVM1"

#Prep the demo
#Use a remote command to delete the file from the VM
Invoke-Command -ComputerName $DemoVM1 -ScriptBlock {Remove-Item -ErrorAction SilentlyContinue "C:\CopyFile.txt" -Confirm:$False | Out-Null}
Disable-VMIntegrationService $DemoVM1 -Name "Guest Service Interface"
Remove-Item -ErrorAction SilentlyContinue $DemoFilePath -Confirm:$False | Out-Null
New-Item $DemoFilePath -ItemType File | Out-Null

#Start the demo

#Note to self – script the network disconenct of the VM along with a continuous ping to confirm it.

Read-Host "`nStart the demo"
Write-Host "`nCreate a file to be copied into the virtual machine" -foregroundcolor red -backgroundcolor yellow
Start-Process "c:\windows\system32\notepad.exe" -ArgumentList $DemoFilePath

#Copy the file
Read-Host "`nEnable the Guest Service Interface integration service"
Write-Host "`nEnable-VMIntegrationService $DemoVM1 -Name `"Guest Service Interface`""
Enable-VMIntegrationService $DemoVM1 -Name "Guest Service Interface"

Read-Host "`nCopy the file to the VM"
Write-Host "`nCopy-VMFile $DemoVM1 -SourcePath $DemoFilePath -DestinationPath C: -FileSource Host"
Copy-VMFile $DemoVM1 -SourcePath $DemoFilePath -DestinationPath C: -FileSource Host

Read-Host "`nDisable the Guest Service Interface integration service"
Write-Host "`nDisable-VMIntegrationService $DemoVM1 -Name `"Guest Service Interface`""
Disable-VMIntegrationService $DemoVM1 -Name "Guest Service Interface"

#Check the file
Read-Host "`nLog into the virtual machine to check the file"

Set-VMHost -EnableEnhancedSessionMode $true | Out-Null
Start-Process $VMConnect -ArgumentList $VMConnectParams

#End the demo
Read-Host "`nEnd the demo"
KillProcess "vmconnect"
Disable-VMIntegrationService $DemoVM1 -Name "Guest Service Interface"
Remove-Item -ErrorAction SilentlyContinue $DemoFilePath -Confirm:$False | Out-Null
#Use a remote command to delete the file from the VM
Invoke-Command -ComputerName $DemoVM1 -ScriptBlock {Remove-Item -ErrorAction SilentlyContinue "C:\CopyFile.txt" -Confirm:$False | Out-Null}

Technorati Tags: Hyper-V,Virtualisation,Windows Server 2012 R2,Storage,PowerShell,Scripting