My Take On Windows Nano Server & Hyper-V Containers

Microsoft made two significant announcements yesterday, further innovating their platform for cloud deployments.

Hyper-V Containers

Last year Microsoft announced a partnership with Docker, a leader in application containerization. The concept is similar to Server App-V, the now deprecated service virtualization solution from Microsoft. Instead of having 1 OS per app, containers allow you to deploy multiple applications per OS. The OS is shared, and sets of binaries and libraries are shared between similar/common apps.

Hypervisor versus application containers

These containers are can be deployed on a physical machine OS or within the guest OS of a virtual machine. Right now, you can deployed Docker app containers onto Ubuntu VMs in Azure, that are managed from Windows.

Why would you do this? Because app containers are FAST to deploy. Mark Russinovich demonstrated a WordPress install being deployed in a second at TechEd last year. That’s incredible! How long does it take you to deploy a VM? File copies are quick enough, especially over SMB 3.0 Direct Access and Multichannel, but the OS specialisation and updates take quite a while, even with enhancements. And Azure is actually quite slow, compared to a modern Hyper-V install, at deploying VMs.

Microsoft use the phrase “at the speed of business” when discussing containers. They want devs and devops to be able to deploy applications quickly, without the need to wait for an OS. And it doesn’t hurt, either, that there are fewer OSs to manage, patch, and break.

Microsoft also announced, with their partnership with Docker, that Windows Server vNext would offer Windows Server Containers. This is a means of app containers that is native to Windows Server, all manageable via the Microsoft and Docker open source stack.

But there is a problem with containers; they share a common OS, and sets of libraries and binaries. Anyone who understands virtualization will know that this creates a vulnerability gateway … a means to a “breakout”. If one application container is successfully compromised then the OS is vulnerable. And that is a nice foothold for any attacker, especially when you are talking about publicly facing containers, such as those that might be in a public cloud.

And this is why Microsoft has offered a second container option in Windows Server vNext, based on the security boundaries of their hypervisor, Hyper-V.

Windows Server vNext offers Windows Containers and Hyper-V Containers

Hyper-V provides secure isolation for running each container, using the security of the hypervisor to create a boundary between each container. How this is accomplished has not been discussed publicly yet. We do know that Hyper-V containers will share the same management as Windows Server containers and that applications will be compatible with both.

Nano Server

It’s been a little while since a Microsoft employee leaked some details of Nano Server. There was a lot of speculation about Nano, most of which was wrong. Nano is a result of Microsoft’s, and their customers’, experiences in cloud computing:

  • Infrastructure and compute
  • Application hosting

Customers in these true cloud scenarios have the need for a smaller operating system and this is what Nano gives them. The OS is beyond Server Core. It’s not just Windows without the UI; it is Windows without the I (interface). There is no logon prompt and no remote desktop. This is a headless server installation option, that requires remote management via:

  • WMI
  • PowerShell
  • Desired State Configuration (DSC) – you deploy the OS and it configures itself from a template you host
  • RSAT (probably)
  • System Center (probably)

Microsoft also removed:

  • 32 bit support (WOW64) so Nano will run just 64-bit code
  • MSI meaning that you need a new way to deploy applications … hmm … where did we hear about that very recently *cough*
  • A number of default Server Core components

Nano is a stripped down OS, truly being incapable of doing anything until you add the functionality

The intended scenarios for Nano usage are in the cloud:

  • Hyper-V compute and storage (Scale-Out File Server)
  • “Born-in-the-cloud” applications, such as Windows Server containers and Hyper-V containers

In theory, a stripped down OS should speed up deployment, make install footprints smaller (we need non-OEM SD card installation support, Microsoft), reduce reboot times, reduce patching (pointless if I reboot just once per month), and reduce the number of bugs and zero day vulnerabilities.

Nano Server sounds exciting, right? But is it another Server Core? Core was exciting back in W2008. A lot of us tried it, and today, Core is used in a teeny tiny number of installs, despite some folks in Redmond thinking that (a) it’s the best install type and (b) it’s what customers are doing. They were and still are wrong. Core was a failure because:

  • Admins are not prepared to use it
  • The need to have on-console access

We have the ability add/remove a UI in WS2012 but that system is broken when you do all your updates. Not good.

As for troubleshooting, Microsoft says to treat your servers like cattle, not like pets. Hah! How many of you have all your applications running across dozens of load balanced servers? Even big enterprise deploys applications the same way as an SME: on one to a handful of valuable machines that cannot be lost. How can you really troubleshoot headless machines that are having networking issues?

On the compute/storage stack, almost every issue I see on Windows Server and Hyper-V is related to failures in certified drivers and firmwares, e.g. Emulex VMQ. Am I really expected to deploy a headless OS onto hardware where the HCL certification has the value of a bucket with a hole in it? If I was to deploy Nano, even in cloud-scale installations, then I would need a super-HCL that stress tests all of the hardware enhancements. And I would want ALL of those hardware offloads turned OFF by default so that I can verify functionality for myself, because clearly, neither Microsoft’s HCL testers nor the OEMs are capable of even the most basic test right now.


In my opinion, the entry of containers into Windows Server and Hyper-V is a huge deal for larger customers and cloud service providers. This is true innovation. As for Nano, I can see the potential for cloud-scale deployments, but I cannot trust the troubleshooting-incapable installation option until Microsoft gives the OEMs a serous beating around the head and turns off hardware offloads by default.

Microsoft News – 27 March 2015

Welcome to the Azure Times! Or so it seems. Lots of Azure developments since I posted one of these news aggregations.

Windows Client



Office 365

Microsoft News – 13 March 2015

Quite bit of stuff to read since my last aggregation post on the 3rd.

Windows Server


Windows Client


Office 365



An Open Letter To W2003 Upgrade Objectors

This post is dedicated to the person that refuses to upgrade from Windows Server 2003. I’m not targeting service providers and those who want to upgrade but face continued resistance. But if you are part of the problem, then please feel free to be offended. Please read it before you hurt your tired fingers writing a response.

I’m not going to pussy-foot around the issue. I couldn’t give a flying f**k if your delicate little feelings are dented. You are what’s wrong in our industry and I’ll welcome your departure.

Yes. You are professionally negligent. You’ve decided to put your customers,stockholders, and bosses at legal risk because you’re lazy.

You know that support is ending on July 14th 2015 for Windows Server 2003, Windows Server 2003 R2, SBS 2003 and SBS 2003 R2, but still you plan on not upgrading. Why?

You say that it still works? Sure, and so did this:


 Photo of Windows Server 2003 administrator telling the world that they won’t upgrade

You think you’ll still get security fixes? Microsoft is STOPPING support, just like they did for XP. Were you right then? No, because you are an idiot. So you work for some government agency and you’ll reach a deal with Microsoft? On behalf of the tax payers of your state, let me thank you for being a total bollocks – we’ll be paying at least $1 million for year one of support, and that doubles each year. We’ll be landed with more debt because your incompetent work-shy habits.

You think third parties like some yellow-pack anti-malware or some dodgy pay-per-fix third party will secure you? Let me give you my professional assessment of that premise: HAHAHAHAAHAHAHAHAH!

Maybe other vendors will continue supporting their software on W2003? That’s about as useful as a deity offering extended support for the extracted failed kidney of a donor patient. If Microsoft isn’t supporting W2003, etc, then how exactly is Honest Bob’s Backup going to support it for you? Who are they going to call when there’s a problem that they need assistance on? Are you really that naive?

Even regulators recognise that “end of support” is a terminal condition. VISA will be terminating business with anyone still using W2003 as part of the payment operation. You won’t be able to continue PCI compliance. Insurance companies will see that W2003 as a business risk that it outside the scope of the policy. And hackers will have an easy route to attack your network.

“Oh poor me – I have an LOB app that can’t be replaced and only runs on W2003”. Well; why don’t you upgrade everything else and isolate the crap out of that service? Allegedly, there is an organ rattling inside that skull of yours so you might want to shake the dust off and engage it!

I have zero sympathy for your excuses. I know some of you will protest my comments. Your excuses, not reasons, only highlight your negligence. You’ve had a decade and 4 opportunities to upgrade your server OS. You can switch to OPEX cloud systems (big 3 or local) to minimise costs. You could have up-skilled and deployed services that are included in the cost of licensing WS2012 R2 instead of spending your stockholders or tax payers funds on 3rd party solutions. Yeah, I don’t have many good things to say to you, the objector, because, to be quite honest, there is little good to be said about you as an IT professional.

This post was written by Aidan Finn and has no association with my employers, or any other firm I have associated with. If you’re upset, then go cry in a dark room where you won’t annoy anyone else.

Microsoft News – 2 February 2015

The big news of the last few days was the announcement that the next version of “Windows Server and System Center” won’t be released until 2016. This is quite disappointing.

Windows Server

Windows Client



  • IaaS Gotchas: Compliance gotchas as it pertains to providing infrastructure as a service.

Microsoft News Summary – 17 September 2014

Microsoft’s patch woes continue. A September update for Lync was pulled this week. Please: do not approve updates immediately; wait 1 month and let some other mug find the bugs for Microsoft.



  • Announcing the Message Analyzer 1.1 Release: The completely indecipherable replacement for Network Monitor has just been upgraded to v1.1. I find this replacement for NetMon to be a complete mystery and the UI looks like something Symantec would come up with (random). It’s no wonder WireShark remains the #1 choice.
  • Introduction to Message Analyzer 1.1: A YouTube video to give you a high-level introduction to Message Analyzer 1.1. Includes a run-through of the UI and an overview of general features.


Office 365


Microsoft News Summary – 10 September 2014

In other news, Apple proves that wearable devices are a pointless Gartner-esque fad, and those preachy tax-avoiding frakkers, U2, suck donkey balls.


System Center Operations Manager

  • OM12 Sizing Helper: This is a Windows Phone app version of the OpsMgr 2012 Sizing Helper document.



  • Microsoft rumored to be poised to buy Minecraft creator for $2 billion: This blocky game is the hottest thing with kids. I’ve spent many an hour *cough* helping *yes, helping* with constructions & adventures on an iPad and Xbox. And to be honest, it is a good problem solving game and it encourages kids to interact, based on what I’ve observed.

Microsoft News Summary – 22 August 2014

Here’s the latest news from the Microsoft wires. More new services have popped up on Azure, mostly for devs, but the SQL AlwaysOn template should be a massive time saver.




OS Deployment

Office 365

Avoiding Microsoft “Fast Fail” Updates Using SCCM 2012/R2 Automatic Deployment Rules

I know there’s a risk in telling you to delay deploying updates for 1 month. Some think that means switching to manual approval – and that is an oxymoron because manual approval rarely happens. No; I would rather see large enterprises use a model that automatically deploys updates after delaying them for 1 month, just as you can do with System Center 2012 (R2) Configuration Manager (SCCM).

I’m going to refer you to the excellent guides by SCCM MVP, Niall C. Brady. SCCM uses WSUS to download the Windows Catalog. When I configure SCCM I configure WSUS to automatically sync and to automatically supersede updates. That means if Microsoft releases a replacement update, the old version is automatically replaced. That’s important so keep that in mind when reading the rest of the solution.

I will configure automatic deployment rules (ADRs) for each product. The ADR will be set up as follows:

  • Software Available Time: Set this to something like 21 days. That means that SCCM will hold back any applicable update for 3 weeks. That gives Microsoft lots of time to fix an update and the replacement will supersede the dodgy update.
  • Installation Deadline: With this set to 7 days, we have 4 weeks before updates are pushed out … and that assuming that we haven’t applied maintenance windows to any collections (servers, VMs, call centre PCs, etc) that might further delay the deployment.


With the above configuration, the dodgy August updates would not have been deployed to PCs or servers on your network. Instead, a tested and fixed update will be released, SCCM will sit on it and automatically approve it at a later date.

BTW, I do a similar thing with Endpoint Protection updates by delaying approval for 4 hours with immediate deployment.

I don’t know of a method for accomplishing this in Windows Intune – I’d like to see it. The same goes for WSUS, but a commenter suggested using cmdlets from this site for WSUS to write a script; I’d rather see a clean solution from Microsoft similar to what we have in ConfigMgr but less granular.

Microsoft News Summary – 15 August 2014

Here’s the latest from the last 24 hours: