The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…


Posts Tagged ‘Windows 10’

Windows 10 Insider – New Fun Feature

Posted by Mikael Nystrom on February 2, 2017

In future releases of Windows 10 (Build 15014 or later), there is a new feature in Hyper-V currently called “Quick Create”.

It basically means that you do not need to run through the entire wizard to create a VM; instead it is a single page, like this:


Have fun.

/The Bunny

Posted in Hyper-V, Insider, Windows 10

Windows Server 2016 – Create a NAT network using the Hyper-V switch

Posted by Mikael Nystrom on March 3, 2016

In Windows Server 2016 (TP4) and Windows 10 1511 it is possible to create a Hyper-V Switch with NAT functionality, including publishing rules. The purpose is to run containers, but it can of course be used to run normal virtual machines. This means that you can very easily build an infrastructure environment with access to the Internet (and from the Internet back in) without having a virtual router or firewall, pretty neat IMHO. Currently, the only way to create the switch is using PowerShell, but hey, I don’t mind…

Create the Switch

The following command will create a VM Switch for NAT usage with a subnet of 192.168.1.0/24. The net result will be a switch and an Internal network adapter with the IP address 192.168.1.1.

New-VMSwitch -Name ViaMonstraNAT -SwitchType NAT -NATSubnetAddress 192.168.1.0/24

Create the NAT rule to get out

The following command will create a NAT rule for all machines connected to the Switch that uses the default gateway to get out.

New-NetNat -Name ViaMonstraNAT -InternalIPInterfaceAddressPrefix 192.168.1.0/24

Create a publishing rule

The following rule will open the “firewall” and redirect traffic on the Hyper-V host port tcp/80 to the machine on the VM Switch with the IP address 192.168.1.200, port tcp/80.

Add-NetNatStaticMapping -NatName ViaMonstraNAT -Protocol TCP -ExternalPort 80 -InternalIPAddress 192.168.1.200 -InternalPort 80 -ExternalIPAddress 0.0.0.0

Check if it works

You can use the following PowerShell cmdlets to see the configuration after it has been done.

[screenshot] Get-VMSwitch will show you the switch with SwitchType NAT.

[screenshot] Get-NetNat will show you the NAT configuration bound to the switch.

[screenshot] Get-NetNatStaticMapping will show you the publishing rule.

[screenshot] Get-NetNatSession will show you current NAT sessions.
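The three steps above, as an added example that is not part of the original post: one script that creates the switch, the outbound NAT rule and the publishing rule only if they do not already exist, then runs the same Get-* cmdlets to verify. Switch name, subnet and the published VM address are the ones used in the post; run it elevated on the Hyper-V host.

```powershell
# Added example (not from the post): build and verify the NAT switch in one go.
#Requires -RunAsAdministrator

$SwitchName = 'ViaMonstraNAT'
$Subnet     = '192.168.1.0/24'
$PublishIP  = '192.168.1.200'   # the VM that should receive inbound tcp/80

# 1. Switch with an internal adapter at 192.168.1.1 (only if it does not exist yet)
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType NAT -NATSubnetAddress $Subnet | Out-Null
}

# 2. Outbound NAT for everything on the subnet
if (-not (Get-NetNat -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $SwitchName -InternalIPInterfaceAddressPrefix $Subnet | Out-Null
}

# 3. Publishing rule: host tcp/80 on all host addresses (0.0.0.0) -> VM tcp/80.
#    Every static mapping is an inbound exposure on the host, so only add the ones you need.
$existing = Get-NetNatStaticMapping -NatName $SwitchName -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.ExternalPort -eq 80 }
if (-not $existing) {
    Add-NetNatStaticMapping -NatName $SwitchName -Protocol TCP -ExternalPort 80 `
        -InternalIPAddress $PublishIP -InternalPort 80 -ExternalIPAddress 0.0.0.0 | Out-Null
}

# 4. Verify with the cmdlets the post lists, side by side
Get-VMSwitch -Name $SwitchName | Select-Object Name, SwitchType
Get-NetNat -Name $SwitchName | Select-Object Name, InternalIPInterfaceAddressPrefix, Active
Get-NetNatStaticMapping -NatName $SwitchName |
    Select-Object Protocol, ExternalIPAddress, ExternalPort, InternalIPAddress, InternalPort
Get-NetNatSession -NatName $SwitchName -ErrorAction SilentlyContinue |
    Select-Object Protocol, InternalSourceAddress, InternalSourcePort, ExternalSourceAddress, ExternalSourcePort

# When the test is over, remove the publishing rule again so the port is no longer reachable from outside:
# Get-NetNatStaticMapping -NatName $SwitchName | Remove-NetNatStaticMapping -Confirm:$false
```

The NAT switch type was a preview feature: in the released Windows Server 2016 and Windows 10 1607 builds you create an Internal switch instead, give the host’s vEthernet adapter the 192.168.1.1 address with New-NetIPAddress, and then run the same New-NetNat and Add-NetNatStaticMapping commands.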

/Mike

Posted in Hyper-V, Windows 10, Windows Server 2016

OS Deployment – Allow PXE deployment to the same MAC Address by configuring SMS_DISCOVERY_DATA_MANAGER in ConfigMgr, or How to deploy Windows to shared docking stations and USB network adapters

Posted by Mikael Nystrom on January 29, 2016

This is very simple: when you deploy a device using PXE, ConfigMgr will inventory the MAC address, and that will prevent the same MAC address from being used again unless hardware inventory has been executed after the machine was deployed and removed from the docking station (or similar).

The fix:

  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_DISCOVERY_DATA_MANAGER on the primary site server
  • Add a MultiString entry called ExcludeMACAddress
  • Add all MAC addresses of the shared docking stations and USB network adapters to ExcludeMACAddress
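The registry change as an added PowerShell example (not from the post): it merges the new addresses with any already excluded, rejects anything that does not look like a MAC address, and writes the MultiString value. The MAC values are constructed placeholders, and the colon-separated format is an assumption; check the Microsoft post linked below for the exact format before you rely on it.

```powershell
# Added example (not from the post): maintain ExcludeMACAddress on the primary site server.
#Requires -RunAsAdministrator

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\Components\SMS_DISCOVERY_DATA_MANAGER'
$ValueName = 'ExcludeMACAddress'

# Constructed sample values for the shared docking stations / USB adapters (replace with your own)
$SharedMacs = @('00:11:22:33:44:55', '00:11:22:33:44:56')

if (-not (Test-Path $KeyPath)) {
    throw "ConfigMgr DDM key not found, is this the primary site server? ($KeyPath)"
}

# Keep what is already excluded, add the new ones, normalise and de-duplicate
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
[string[]]$merged = @((@($current) + $SharedMacs) |
    Where-Object { $_ } |
    ForEach-Object { $_.Trim().ToUpper() } |
    Sort-Object -Unique)

# Refuse anything that does not look like a MAC (assumed format AA:BB:CC:DD:EE:FF),
# so a typo does not silently exclude nothing
$bad = $merged | Where-Object { $_ -notmatch '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' }
if ($bad) { throw "Not MAC addresses: $($bad -join ', ')" }

if ($null -eq $current) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString -Value $merged | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Type MultiString -Value $merged
}

# Show what Discovery Data Manager will now ignore
(Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
```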

For a complete story I strongly recommend you to read the following post:

http://blogs.technet.com/b/system_center_configuration_manager_operating_system_deployment_support_blog/archive/2015/08/27/re_2d00_use-the-same-nic-for-multiple-pxe-initiated-deployments.aspx

/mike

Posted in OS Deployment, OSD, Windows 10

Working in the Datacenter – Enable Virtual TPM in Hyper-V gives you the ability to test BitLocker in a VM

Posted by Mikael Nystrom on January 26, 2016

Last night a friend contacted me and said “-Did you ever post the vTPM thing?”. I did say yes, but I was wrong, so here it is…

Simple: without testing and verification, a deployment solution will fail. One of the tasks that takes a lot of time to test and verify is BitLocker, and that also includes TPM. Windows 10 and Windows Server 2016 give you the ability to create Virtual Machines with a Virtual TPM Chip 2.0.

[screenshot] A VM running Windows Server 2012 R2 with a vTPM chip; the VM is running on Windows Server 2016.

The How-To Part

You need to run Windows Server 2016 TP4 or Windows 10.

On the host, add Isolated UserMode, Hyper-V and Host Guardian Service by running the following PowerShell command (elevated):

Add-WindowsFeature -Name "Isolated-UserMode","Hyper-V","HostGuardian" -IncludeAllSubFeature -IncludeManagementTools

If needed, restart the host.

Before you can enable the vTPM you need to have a Host Guardian Service guardian object, and with that you can create a Key Protector.

New-HgsGuardian -Name 'Guardian' -GenerateCertificates
$Owner = Get-HgsGuardian -Name 'Guardian'
$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot

Great, the last piece is to enable the vTPM:

Set-VMKeyProtector -VMName 'WSUS01' -KeyProtector $KeyProtector.RawData
Enable-VMTPM -VMName 'WSUS01'
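The same steps as an added example (not from the post), wrapped in a function that reuses the guardian if it already exists, checks that the VM is Generation 2 and switched off, and confirms the result with Get-VMSecurity. The function name and parameters are assumptions; the guardian and VM names are the ones from the post.

```powershell
# Added example (not from the post): enable a vTPM on a lab VM and verify it.
#Requires -RunAsAdministrator

function Enable-LabVmTpm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [string] $GuardianName = 'Guardian'
    )

    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) { throw "$VMName is Generation $($vm.Generation); a vTPM needs a Generation 2 VM." }
    if ($vm.State -ne 'Off')  { throw "$VMName must be Off before the key protector can be set." }

    # A local guardian with self-signed certificates: its private keys live on this host only,
    # so the vTPM is only as protected as the host itself. Fine for a test lab, not for production.
    $owner = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
    if (-not $owner) {
        $owner = New-HgsGuardian -Name $GuardianName -GenerateCertificates
    }

    # Key protector: this guardian both owns the VM and is allowed to unlock it.
    # -AllowUntrustedRoot is needed because the generated certificates are self-signed.
    $kp = New-HgsKeyProtector -Owner $owner -Guardian $owner -AllowUntrustedRoot

    Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData
    Enable-VMTPM -VMName $VMName

    # Verify: TpmEnabled should now be True
    Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, Shielded
}

# Usage, with the VM name from the post
Enable-LabVmTpm -VMName 'WSUS01'
```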

/Mike

Posted in Deployment, Hyper-V, OSD, Windows 10, Windows Server 2016, Windows Server vNext

Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit (and some PowerShell)

Posted by Mikael Nystrom on January 6, 2016

Yes, the book is finally done and it is up on Amazon. The book follows all the others by being a build-while-you-read book; it includes a complete set of PowerShell scripts that will build your entire lab environment (the scripts have been changed so they are easier to use at customer sites or other test/lab environments if needed). The focus of the book is, as you could guess from the title, deploying Windows 10 using MDT and LiteTouch. The versions we used in the book are Windows 10 1511, MDT 2013 Update 2 and the new ADK. It has been hard work, late nights, but darn I still love writing books… You can find the book on Amazon.com as well as other sites. Oh, btw, the book also includes a complete hydration kit that uses MDT and PowerShell to build your complete lab environment.

Happy reading and deploying

/mike

Posted in Book, Deployment, MDT

OS Deployment in the real World – I really need a KMS key, but I cannot find it in the VLSC site?

Posted by Mikael Nystrom on December 18, 2015

No KMS key in the VLSC for Windows 10 for Open License???

Turns out to be correct: you need to request it, since MAK keys are now “preferred” for Open License. It is possible to order one:

– Call: PA Call Center

– Email: KMSADD

There is ONE blog that I have found that explains this: http://www.neighborgeek.net/2015/08/no-kms-key-in-vlsc-for-windows-10-for.html

So, all credit goes to Steve Whitcher.

/Mike

Posted in OS Deployment, OSD, Windows 10

Working in the Datacenter – Add-DVDDrive does not work correctly in Windows Server 2016 TP4 (or in Windows 10)

Posted by Mikael Nystrom on December 17, 2015

Update 2015-12-17 : This is now a confirmed bug, and as soon as I know more I will update this post.

It seems to be a bug; hopefully it will be fixed soon. The issue is very simple: if you try to run Add-VMDvdDrive, the -Path must be specified, while in previous versions it could be left out. This problem is more common when you create a Gen 2 VM, since it does not have a DVD drive by default, and yes, when we build VMs they usually have an empty DVD drive for various reasons. According to the help for the cmdlet there are no differences between module versions 1.1 and 2.0, but in reality there are.

The Issue

The problem is that when using the command Add-VMDvdDrive -VMName $VMName it fails with Add-VMDvdDrive : Exception of type ‘System.ArgumentException’ was thrown because it does not have a path. I have seen workarounds where you create a small ISO, mount that and then remove it again, but that sucks. There are some other issues as well.

[screenshot] The issue.

The Workaround

Luckily there are two different PowerShell modules, 1.1 for older OS versions and 2.0 for Windows 10/Windows Server 2016 TP4, so the only thing you need to do is unload the new PowerShell module for Hyper-V and load the old one, and when you are done, load the new module again.

(If you would like to know why there are two versions, here you go: http://blogs.msdn.com/b/virtual_pc_guy/archive/2015/11/16/why-are-there-two-hyper-v-powershell-modules-in-windows-10.aspx)

[screenshot] We run this in the beginning of the script to replace the module.

[screenshot] We run this in the end of the script to restore the module.
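The module swap as an added example (not the post’s own script and not the GitHub code it links): a helper that finds the installed 1.x or 2.x Hyper-V module by major version rather than a hard-coded version string, the Add-VMDvdDrive call that then works without -Path, and the swap back. The function name and the VM name are assumptions.

```powershell
# Added example (not from the post): swap Hyper-V module versions around the DVD-drive step.
function Use-HyperVModuleVersion {
    param([Parameter(Mandatory)] [int] $Major)   # 1 = old module, 2 = new module

    $module = Get-Module -ListAvailable -Name Hyper-V |
        Where-Object { $_.Version.Major -eq $Major } |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $module) { throw "No Hyper-V PowerShell module with major version $Major is installed." }

    # Unload whatever Hyper-V module is loaded, then load the requested one
    Get-Module -Name Hyper-V | Remove-Module -Force
    Import-Module -ModuleInfo $module -Force
    (Get-Module -Name Hyper-V).Version
}

$VMName = 'TEST100'   # constructed sample VM name

# Beginning of the script: switch to the 1.1 module, which accepts a missing -Path
Use-HyperVModuleVersion -Major 1
Add-VMDvdDrive -VMName $VMName          # empty DVD drive, no ISO required
Get-VMDvdDrive -VMName $VMName | Select-Object VMName, ControllerNumber, ControllerLocation, Path

# End of the script: restore the 2.0 module so the rest of the tooling sees the current cmdlets
Use-HyperVModuleVersion -Major 2
```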

/mike

Here is the code on GitHub

Posted in Datacenter, Hyper-V, PowerShell, Windows 10, Windows Server 2016

Working in a Datacenter – Nested Hyper-V or Running Hyper-V in Hyper-V

Posted by Mikael Nystrom on November 21, 2015


There are many reasons why it makes sense to run Hyper-V in Hyper-V, one of them being to enable Credential Guard (VSM) in Windows Server 2016 TP4 and later. For training, demos, test and R&D it is great. For Windows Server 2016 TP4 it needs to be enabled and configured to work, and that means PowerShell. Currently there are also some limitations.

On the Host:

  • Device Guard: disabled
  • Credential Guard: disabled
  • Hyper-V: enabled
  • Hardware: Intel VT-x
  • Windows version: build 10565 or greater

In the VM:

  • Dynamic Memory: no
  • Changing memory while the VM is running: no
  • Checkpoints of any kind: no
  • Live Migration: no
  • Save/Resume: no

You can read the fine print here: https://msdn.microsoft.com/en-us/virtualization/hyperv_on_windows/user_guide/nesting

The PowerShell Function/Script:

This script will enable Nested Hyper-V on a VM:

Invoke-WebRequest "https://raw.githubusercontent.com/DeploymentBunny/Files/master/Tools/Enable-NestedHyperV/EnableNestedHyperV.ps1" -OutFile ~/EnableNestedHyperV.ps1
Import-Module ~/EnableNestedHyperV.ps1
Enable-NestedHyperV -VMname TEST100

This script (provided by Microsoft) will verify the configuration:

Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Get-NestedVirtStatus.ps1" -OutFile ~/Get-NestedVirtStatus.ps1
~/Get-NestedVirtStatus.ps1
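An added example that is not the EnableNestedHyperV.ps1 script the post links (nor Microsoft’s checker): a function that enforces the VM-side limitations listed above (VM off, no checkpoints, no dynamic memory), exposes the virtualization extensions to the guest and reports the resulting settings. The function name is an assumption, and enabling MAC address spoofing is an addition the post does not mention; nested VMs need it to reach the network through the outer VM’s adapter.

```powershell
# Added example (not from the post): prepare a VM for nested Hyper-V and report the result.
#Requires -RunAsAdministrator

function Enable-NestedVirtualization {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') { throw "$VMName must be Off; processor settings cannot change while it runs." }
    if (Get-VMSnapshot -VMName $VMName -ErrorAction SilentlyContinue) {
        throw "$VMName has checkpoints; remove them first, checkpoints are not supported with nesting."
    }

    # Host side: the hypervisor itself must be running on this box
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.HypervisorPresent) { throw 'Hyper-V is not running on this host.' }

    # VM side: no dynamic memory (and therefore no runtime memory changes)
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
    # Expose VT-x to the guest so it can run its own hypervisor
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    # Let the guest hypervisor's VMs send frames with their own MACs through this VM's NIC
    Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On

    [pscustomobject]@{
        VMName                = $VMName
        DynamicMemory         = (Get-VMMemory -VMName $VMName).DynamicMemoryEnabled
        VirtualizationExposed = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
        MacSpoofing           = (Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1).MacAddressSpoofing
    }
}

# Usage, with the VM name from the post
Enable-NestedVirtualization -VMName 'TEST100'
```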

/mike

Posted in Datacenter, Hyper-V, Windows 10, Windows Server, Windows Server 2016, Windows Server vNext

OS Deployment – Windows 10 and OUs, Policies and LAPS

Posted by Mikael Nystrom on November 4, 2015

So, you are about to deploy Windows 10 in your organization, that sounds like a great plan. Before you start I do have some recommendations when it comes to joining them in your domain.

Create a separate OU for your Windows 10 computers

Yes, I strongly recommend you to do this. When working with customers I see a lot of “-We have 850 GPO settings that we used for XP, should we apply the same for Windows 10?” and the answer is of course NO!!!! Instead you create a new OU and start over; this is your chance to clean up that mess. For most customers it turns out that you need just a small number of settings for Windows 10 computers, since most is already correct. Also, you might use ConfigMgr and be starting to use the policy in there instead, or shifting into MDM. Just have a blank and blocked OU for your Windows 10 computers until you have figured out exactly what you need to have. After that, you might want to move computers back, use WMI filters or re-arrange your OU structure.

[screenshot] A separate OU has been created for Windows 10 computers.
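The “blank and blocked OU” as an added example (not from the post): it creates the OU if missing, blocks inheritance, and reports what still reaches it. Needs the ActiveDirectory and GroupPolicy modules (RSAT); the OU name is a constructed sample value.

```powershell
# Added example (not from the post): create an empty, inheritance-blocked OU for Windows 10 computers.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$OUName   = 'Windows 10 Computers'   # constructed sample name
$OUPath   = "OU=$OUName,$DomainDN"

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# Block inheritance so the legacy (XP-era) GPOs higher up do not apply here
Set-GPInheritance -Target $OUPath -IsBlocked Yes | Out-Null

# Report: with inheritance blocked and no links of its own, only GPOs linked as Enforced
# further up can still reach the OU, so list those explicitly
$inh = Get-GPInheritance -Target $OUPath
[pscustomobject]@{
    OU                 = $OUPath
    InheritanceBlocked = $inh.GpoInheritanceBlocked
    LinkedGpos         = ($inh.GpoLinks | ForEach-Object DisplayName) -join ', '
    EnforcedFromAbove  = ($inh.InheritedGpoLinks | Where-Object Enforced | ForEach-Object DisplayName) -join ', '
}
```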

What policies should you have?

This is a discussion I have with every customer, and over time I have learned how to explain this. I usually divide all settings into four different categories, and the simple rule is that if you can’t tag your policy with any of these four categories, don’t use it!

Group Policy Settings Reference for Windows 10: http://www.microsoft.com/en-us/download/details.aspx?id=25250

[screenshot] Download Settings Ref.

Settings that will help the user to do the correct action

This could be to save documents in the correct place, to configure the antivirus program to perform correctly, and so on.

Settings that brand the computer correctly

Branding is important from many aspects; one is that the user often sees a non-branded device as their “own”, while a branded computer belongs to the company, and this also reflects the way people treat the device.

Settings that prevent the user from shooting themselves in the foot

These are not security settings; this is more of the “Would you like to open Word documents using Notepad instead of Word” kind, which would prevent the user from working, kind of…

Real Security settings

As a first step, you need to have some kind of strategy around security; there is not really any value in locking down a computer to insanity while the user is a local admin anyway. Use Security Compliance Manager 3.0 plus the draft Windows 10 Security Settings (and the final version when that arrives) to determine a baseline.

Windows 10 Security Compliance Manager Baselines: http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

Security Compliance Manager: http://www.microsoft.com/en-us/download/details.aspx?id=16776

[screenshot] The new template files for SCM and Windows 10 (draft).

Implement Local Administrator Password Solution (LAPS)

With LAPS you have a solution that will change the password of the local admin account on a regular basis and store it in Active Directory. This is one of those “Just install it, don’t ask” things.

LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899

[screenshot] Download LAPS.

Update your ADMX and ADML files for Windows 10

Ok, so the basics are done; now you need to download the new ADMX and ADML files and store them in a Central Store.

Download the ADMX and ADML files

That is done here: http://www.microsoft.com/en-US/download/details.aspx?id=48257

After download, run the installer to unzip the files. Open the folder and remove all language folders you don’t need. I usually only keep en-US. The only reason to have other languages is that you have administrators that don’t understand English; this has nothing to do with end users, they will hopefully never, ever create or modify GPOs.

 

image
Download the ADMX and ADML files for Windows 10.

Update your Central Store

This is very much recommended, but it will work if you use a local store as well. The reason to have a central store is that all policies modified/created will use the same base; otherwise there is a huge risk that a policy is created on one machine with different languages and different versions, and that could lead to all kinds of disaster. (In this case the server is named SRVDC01 and the domain name is network.local.)

So, the easy way is to rename the folder called \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions.old

And copy the new PolicyDefinitions from your unzipped folder to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions like this:

[screenshot] The PolicyDefinitions folder in the correct location.

If you had any custom policy files, copy them from PolicyDefinitions.old to PolicyDefinitions to get them back. The reason I do this is that some policy files have been changed, and instead of picking them out it is easier to just rename the old folder and upload a new folder with the correct policy files. Note: this does not change ANY existing policies at all. When you create a new policy the Policy Editor will start using the new templates, that’s all.

To verify that you have the correct templates in place, just open GPEdit, create a new policy and browse to a new setting you didn’t have before.
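The rename-and-copy procedure as an added example (not from the post): it keeps the old store as a fallback, copies only the ADMX files and the en-US folder from the unzipped download, carries any custom templates over from the old store, and prints file counts as a sanity check. Server and domain names are the ones in the post; the unzip location in $UnzippedSource is an assumed path.

```powershell
# Added example (not from the post): refresh the Central Store with the Windows 10 templates.
$Store          = '\\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions'
$OldStore       = "$Store.old"
$UnzippedSource = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions'  # assumed unzip location

if (-not (Test-Path $UnzippedSource)) { throw "Unzipped PolicyDefinitions not found at $UnzippedSource" }
if (Test-Path $OldStore) { throw "$OldStore already exists; move it away before running again." }

# 1. Keep the current store as a fallback
if (Test-Path $Store) { Rename-Item -Path $Store -NewName 'PolicyDefinitions.old' }

# 2. Copy the new definitions, keeping only the ADMX files and the en-US language folder
New-Item -Path $Store -ItemType Directory | Out-Null
Get-ChildItem -Path $UnzippedSource -Filter *.admx | Copy-Item -Destination $Store
Copy-Item -Path (Join-Path $UnzippedSource 'en-US') -Destination $Store -Recurse

# 3. Bring back custom templates: any ADMX in the old store that the new one does not ship,
#    together with its en-US ADML if there is one
if (Test-Path $OldStore) {
    $newAdmx = (Get-ChildItem -Path $Store -Filter *.admx).Name
    Get-ChildItem -Path $OldStore -Filter *.admx |
        Where-Object { $_.Name -notin $newAdmx } |
        ForEach-Object {
            Copy-Item -Path $_.FullName -Destination $Store
            $adml = Join-Path $OldStore ('en-US\' + $_.BaseName + '.adml')
            if (Test-Path $adml) { Copy-Item -Path $adml -Destination (Join-Path $Store 'en-US') }
            "restored custom template: $($_.Name)"
        }
}

# 4. Summary: a quick sanity check before opening the Group Policy editor
[pscustomobject]@{
    Admx = (Get-ChildItem -Path $Store -Filter *.admx).Count
    Adml = (Get-ChildItem -Path (Join-Path $Store 'en-US') -Filter *.adml).Count
}
```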

[screenshot] Here you can see that the template is fetched from the Central Store and that I can configure Device Guard, which is a feature of Windows 10.

/mike

Posted in Deployment, Windows 10

Tip of the Day – In-place upgrade to Windows 10 in a non professional deployment scenario

Posted by Mikael Nystrom on August 3, 2015

Ok, so this is the blog post for friends, ex-wives, family and friends that would like to upgrade to Windows 10. This is NOT for enterprise deployment at all!

– Uninstall all software you DON’T use or need
– Run Windows Update and make sure all patches are installed
– Reboot the machine at least one time after all the patches are installed and there are no more patches left to install
– Run the Disk Cleanup utility, select system files and clean up everything
– Run the defrag utility
– Run the Error Check tool for the hard drive
– Upgrade to Windows 10!
– Run Windows Update
– Have fun!

Note: If you are upgrading using media, do not run setup.exe over the network; make sure to copy the ISO locally first, or run it from a USB stick or CD/DVD.

Posted in OS Deployment, OSD, Windows 10