Microsoft released a new update rollup to replace the very broken and costly (our time = our money) June rollup, KB3161606. These issues affected Hyper-V on Windows 8.1 and Windows Server 2012 R2 (WS2012 R2).
It’s sad that I have to write this post, but, unfortunately, untested updates are still being released by Microsoft. This is why I advise that updates are delayed by 2 months.
In the case of the issues in the June 2016 update rollup, the fixes are going to require human effort … customers’ human effort … and that means customers are paying for issues caused by a supplier. I’ll let you judge what you think of that (feel free to comment below).
A month after news of the issues in the update became known (the update rollup was already in the wild for a week or two), Microsoft has issued a superseding update that will fix the issues. At the same time, they finally publicly acknowledge the issues in the June update:
So it took 1.5 months, from the initial release, for Microsoft to get this update right. That’s why I advise a 2 month delay on approving/deploying updates, and I continue to do so.
What does Microsoft need to fix?
- Change the way updates are created/packaged. This problem has been going on for years. Support are not good at this stuff, and it needs to move into the product groups.
- Microsoft has successfully reacted to market pressure by making a special emphasis to change, e.g. The Internet, secure coding, The Cloud. Satya Nadella needs to do the same for quality assurance (QA), something that I learned in software engineering classes was as important as the code. I get that edge scenarios are hard to test, but installing/upgrading ICs in a Hyper-V guest OS is hardly a rare situation.
- Start communicating. Put your hands up publicly, and say “mea culpa”, show what went wrong and follow it up with progress reports on the fix.
Numerous sources have reported that KB3161606, an update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (WS2012 R2), is breaking the upgrade of Hyper-V VM integration components. This has been confirmed & Microsoft is aware of the situation.
As noted below by the many comments, Microsoft eventually released a superseding update to resolve these issues.
The scenario is:
- You deploy the update to your hosts – which upgrades the ISO for the Hyper-V ICs
- You deploy the update to your VMs because it contains many Windows updates, not just the ICs.
- You attempt to upgrade the ICs in your VMs to stay current. The upgrade will fail.
Note that if you upgrade the ICs before deploying the update rollup inside of the VM, then the upgrade works.
My advice is the same as it has been for a while now. If you have the means to manage updates, then do not approve them for 2 months (I used to say 1 month, but System Center Service Manager decided to cause havoc a little while ago). Let someone else be the tester that gets burned and fired.
Here’s hoping that Microsoft re-releases the update in a way that doesn’t require uninstalls. Those who have done the deployment already in their VMs won’t want another painful maintenance window that requires uninstall-reboot-install-reboot across all of their VMs.
Microsoft is working on a fix for the Hyper-V IC issue. After multiple reports of issues on scale-out file servers (SOFS), it’s become clear that you should not install KB3161606 on SOFS clusters either.
Microsoft released a security hotfix for Hyper-V last night. They describe it as:
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application that could cause Windows Hyper-V to incorrectly apply access control list (ACL) configuration settings. Customers who have not enabled the Hyper-V role are not affected.
This security update is rated Important for all supported editions of Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows 10 for x64-based Systems. For more information, see the Affected Software section.
The security update addresses the vulnerability by correcting how Hyper-V applies ACL configuration settings. For more information about the vulnerability, see the Vulnerability Information section.
KB3091287 does not go into any more detail.
Hyper-V in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows 10 improperly processes ACL settings, which allows local users to bypass intended network-traffic restrictions via a crafted application, aka “Hyper-V Security Feature Bypass Vulnerability.”
Affected OSs are:
- Windows 10
- Windows 8.1
- Windows Server 2012 R2
No Windows 8 or WS2012 – that makes me wonder if this is something to do with Extended Port ACLs.
Credit: Patrick Lownds (MVP) for tweeting the link.
This is one of those rare occasions where I’m going to say: put aside everything you are doing, test this MS15-068 patch now, and deploy it as soon as possible.
The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V. An attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.
This security update is rated Critical for Windows Hyper-V on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. For more information, see the Affected Software section.
The security update addresses the vulnerabilities by correcting how Hyper-V initializes system data structures in guest virtual machines.
I don’t know if this is definitely what we would call a “breakout attack” (I’m awaiting confirmation), one where a hacker in a compromised VM can reach out to the host, but it sure reads like it. This makes it the first one of these that I’ve heard of in the life of Hyper-V (since beta of W2008) – VMware fanboys, you’ve had a few of these so be quiet.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
It sounds like a reasonable organization found and privately disclosed this bug, thus allowing Microsoft to protect their customers before it became public knowledge. Google could learn something here.
So once again:
- Test the patch quickly
- Push it out to secure hosts and other VMs
Some digging by Flemming Riis (MVP) discovered that credit goes to Thomas Garnier, Senior Security Software Development Engineer at Microsoft (a specialty in kernel, hypervisor, hardware, cloud and network security), and currently working on Azure OS (hence the Hyper-V interest, I guess). He is co-author of Sysinternals Sysmon with Mark Russinovich.
A nice little gadget appeared on my desk at work today: An Intel Compute Stick. Here are my first impressions of this device.
So what is an Intel Compute Stick? It’s a teeny tiny PC designed to plug into a HDMI display (monitor or TV). The device runs full blown Windows 8.1 (with Bing) on an x86 CPU (64-bit instruction set according to the spec page). It sets up just like a normal PC, and runs programs and apps like a normal PC. Think of it as an x86 Windows tablet without a monitor (hence the HDMI port). The device is powered by USB (phone lead) – I found that the supplied lead and DC power adapter were required because the Sony TV I tried it with didn’t output enough power.
Intel Compute Stick turns HDMI devices into PCs [Image credit: Intel]
The device has a number of ports:
- USB 2.0: Required to set up the machine and pair a Bluetooth (4.0) keyboard and mouse (the eventual devices you’ll use to interact with the Stick)
- Micro-SD: Add on up to 128 GB of storage to supplement the internal 32 GB (18.9 GB free)
The device spec:
- Quad-core 1.3GHz Intel Atom Z3735F – no EPT so you won’t run Client Hyper-V or WS2016 Hyper-V on here
- 2 GB RAM
- 32 GB storage (18.9 GB free)
- WiFi 802.11bgn
The spec of the Intel Compute Stick [Image credit: Intel]
Setting the machine up was tricky because it did require a USB keyboard. I had fun because I tried to set it up while it “drew” power from the TV and eventually it died. Rebooting it on DC power led to a loop of repair modes, so a keyboard was required to navigate the options. There is no Bluetooth pairing button, so I set up the eventual peripherals using Settings in Windows. After that, it was Windows 8.1 as usual. The machine is not going to be confused with Alienware, but it is fast enough for what it’s intended for: light usage and media streaming. I streamed HD videos over wireless and it handled it well enough.
Let’s not be foolish here; the Intel Compute Stick will not replace the family PC. However, if you’re like me, and you like to have a “PC” connected to your TV (MiraCast suffers audio/video timing issues), then here’s another option (not the only one). What I would like to try is presenting (monitor in the conference room or HDMI projector) with this device instead of using the wireless display adapter.
A next-gen version of the Intel Compute Stick will feature:
- Intel Core M processor
- 4GB of RAM
- 64GB of SATA storage
- USB 3.0
- 802.11ac WiFi
- Support for 4K displays
- MHL (draw power from TV via USB)
Yesterday was the first time that I came “this close” to my perfect presenting peripherals setup. I’ve wanted to be able to present from a tablet without the tether of a VGA or HDMI cable for years but it has never been possible. I have tried various things, but none worked out … either the performance sucked, the screen resolution was too low, or it just flat-out didn’t work at all.
Then came along Miracast, powered by hardware and enabled in Windows 8.1 with no drivers required. Last year Microsoft launched the Wireless Display Adapter (Amazon.com, Amazon UK). This is a dongle that plugs into HDMI capable TVs and projectors, and is powered by USB (from the display device or direct from power). I picked one up last November in the USA, and my employer just started distributing them to resellers (not direct via retail) in Ireland.
Previous to yesterday, I have been using my dongle to project ripped video and Netflix to the TV. It works perfectly, sending video and audio to the TV. There are times when I work from home when I’m sitting on the couch working on my laptop while video streams to the TV. And in theory, I could even use the TV as a second monitor! And yes, I’ve even used the TV for rehearsing presentations.
But yesterday was the first time that I presented using Miracast via the Microsoft Wireless Display Adapter. I brought along a cheap Windows tablet with Office installed and the dongle was plugged into a nice HDMI ready projector, and power came direct from a socket. The tablet connected flawlessly. However, PowerPoint killed the tablet … 1 GB RAM is just not enough. I ended up using my KIRAbook to present … wirelessly. It was nice to set up in the room where I wanted to be instead of behind a podium. Sure I would have liked to have roamed … but it was not to be.
Anyway, next time, I’ll have a Toshiba Encore that has 2 GB RAM and that I’ve verified PowerPoint will work on. And that will allow me to roam, using presenter mode on the tablet and have my notes in front of me.
FYI: the dongle works really well. But we have a Sony display (a TV without a tuner) at work that we cannot get dongles to work with. Everything else has worked fine.
My quest to be able to present wirelessly via Windows 8.1 Miracast from a tablet continued. When at the MVP Summit in early November I ordered a Microsoft Wireless Display Adapter from the Microsoft Store (the brick and mortar store in Bellevue had none).
A few weeks ago I tried the device with a large Sony display TV that we have in the boardroom at work. The dongle is powered via USB – the intention is that you plug this into any available USB port in the TV. The dongle connects to the TV via HDMI. That’s easy to connect up and it only takes the device a few seconds to power up. It prompted me to connect my device.
So I tried my Toshiba KIRAbook. And then I tried my Lenovo Yoga. Both have compatible processors. And neither could connect. I had two symptoms:
- The Microsoft Wireless Display Adapter did not appear in the device search results
- If I could see the device to connect to it, I was not prompted with a PIN to confirm the connection and it would time out.
I thought I had a dud device – and me being back in Ireland would make a return impossible. I knew it wasn’t a regional issue because I know of a company in Ireland using one and MVP Didier Van Hoye confirmed that his one is working.
So I gave up … sort of. Today I had time (finally) to test it out again. This time I connected the USB port to a phone power adapter and plugged it straight into an electrical outlet. The HDMI port went into a TV. And then I tested with:
- Toshiba Encore 8” Windows 8.1 tablet
- Toshiba KIRAbook
And the connection worked. Right now, Family Guy (Netflix USA) is streaming video and audio to the TV from the KIRAbook.
So the problem is (I believe) that not all TVs output enough power via their USB port to adequately meet the needs of the dongle. The solution is to power the dongle directly from an electrical socket.
A new KB article by Microsoft solves an issue where a Windows 8.1 Client Hyper-V or Windows Server 2012 R2 Hyper-V virtual machine backup leaves the VM in a locked state.
Consider the following scenario:
- You’re running Microsoft System Center Data Protection Manager (DPM).
- You start a backup job in DPM to back up Hyper-V virtual machines (VMs).
In this scenario, DPM sometimes leaves the VM stuck in the backup state (locked).
A supported hotfix is available from Microsoft Support. To apply this update, you must first install update 2919355 in Windows 8.1 or Windows Server 2012 R2.
I love my Lenovo Yoga 8, an 8” Android tablet. It’s what keeps me sane while travelling, it’s my bedside reading machine, and it’s my “couch” machine for those evenings when I’m “meerkatting” in front of the TV.
That’s why I was excited to see a story on WPCentral that thinks maybe that Lenovo might launch a Windows 8.1 version of one of the Yoga tablets (there is also a 10” version).
The Android tablet is ARM based – a low power ARM CPU. If Lenovo are releasing a Windows tablet in this form factor then I hope it is Intel-based and not ARM; ARM would require the soon-to-be-extinct Windows RT.
The original story on HDBlog.it (in Italian) thinks that this might be based on the 10.1” HD+ tablet, a larger version of my 8” entertainment and consumption machine, also with crazy long battery life and a built-in mini-kickstand.
WPCentral says that Lenovo has an announcement on Windows and Android tablets on October 9th. We won’t have long to see if this rumour is a fact.
Microsoft posted a fix for Windows Server 2012, Windows 8, Windows Server 2012 R2, Windows 8.1, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 for when multipath I/O identifies different disks as the same disk in Windows.
The code in Microsoft Windows that converts a hexadecimal device ID to an ASCII string may drop the most significant nibble in each byte if the byte is less than 0x10. (The most significant nibble is 0.) This causes different disks to be identified as the same disk by Multipath I/O (MPIO). At the very least, this may cause problems in mounting affected disks. And architecturally, this could cause data corruption.
When you apply this hotfix, the conversion algorithm is fixed. Disks that were masked by this issue before you installed the hotfix may be raw disks that still have to be partitioned and formatted for use. After you apply this hotfix, check in Disk Management or Diskpart for previously hidden disks.
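To make the nibble-dropping bug concrete, here is an added example (my own constructed reproduction, not Microsoft’s MPIO code) that formats a device ID byte by byte both the defective way and the corrected way, and shows two different constructed IDs colliding under the defective conversion:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ID_BYTES 16
#define HEX_BUF (MAX_ID_BYTES * 2 + 1)

/* Defective conversion (constructed to reproduce the KB's symptom): each byte is
 * printed with "%X", so a byte below 0x10 loses its leading zero nibble
 * (0x05 -> "5" instead of "05") and the output length varies per ID. */
static void id_to_hex_buggy(const uint8_t *id, size_t len, char out[HEX_BUF])
{
    size_t pos = 0;
    out[0] = '\0';
    for (size_t i = 0; i < len && i < MAX_ID_BYTES; i++)
        pos += (size_t)snprintf(out + pos, HEX_BUF - pos, "%X", id[i]);
}

/* Corrected conversion: "%02X" always emits exactly two hex digits per byte,
 * so distinct byte sequences always yield distinct strings. */
static void id_to_hex_fixed(const uint8_t *id, size_t len, char out[HEX_BUF])
{
    size_t pos = 0;
    out[0] = '\0';
    for (size_t i = 0; i < len && i < MAX_ID_BYTES; i++)
        pos += (size_t)snprintf(out + pos, HEX_BUF - pos, "%02X", id[i]);
}

/* Returns 1 if the two device IDs would be treated as the same disk under the
 * chosen conversion, i.e. their string forms compare equal. */
static int ids_collide(const uint8_t *a, size_t alen,
                       const uint8_t *b, size_t blen, int use_fixed)
{
    char sa[HEX_BUF], sb[HEX_BUF];
    if (use_fixed) { id_to_hex_fixed(a, alen, sa); id_to_hex_fixed(b, blen, sb); }
    else           { id_to_hex_buggy(a, alen, sa); id_to_hex_buggy(b, blen, sb); }
    return strcmp(sa, sb) == 0;
}

/* Constructed sample IDs for two different disks; they differ only in where
 * the zero nibbles sit, which is exactly what the buggy conversion discards. */
static const uint8_t DISK_A[] = { 0x01, 0x23, 0x45 };
static const uint8_t DISK_B[] = { 0x12, 0x34, 0x05 };

int main(void)
{
    char s[HEX_BUF];
    id_to_hex_buggy(DISK_A, sizeof DISK_A, s); printf("A buggy: %s\n", s);
    id_to_hex_buggy(DISK_B, sizeof DISK_B, s); printf("B buggy: %s\n", s);
    printf("collide (buggy): %d\n", ids_collide(DISK_A, 3, DISK_B, 3, 0));
    printf("collide (fixed): %d\n", ids_collide(DISK_A, 3, DISK_B, 3, 1));
    return 0;
}
```

Both constructed IDs render as "12345" under the defective conversion, which is the collision that makes MPIO merge two physical disks into one; the corrected conversion gives "012345" and "123405".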
A supported hotfix is available from Microsoft Support.