
Windows 2012 R2 Virtual Machine Automatic Activation

With the latest release of Windows Server, Microsoft introduced an interesting new feature: Virtual Machine Automatic Activation (VMAA).

This feature enables the Hypervisor to automatically activate VMs without the support of a KMS server.

Why did Microsoft build this feature? Because a Service Provider that wants to offer VMs as a service needs to hand over those machines already activated.

If the VM is connected only to the tenant/customer network, you need a KMS server on that network or some other smart way to activate the VM.

What you need to know is that:

  • The Hyper-V host needs to be Windows 2012 R2 Datacenter Edition (VMAA doesn’t work on an R2 Standard edition, on 2008/2012 editions or on a third-party hypervisor)
  • The Hyper-V host needs to be activated
  • The automatically activated guests need to be Windows 2012 R2 (Standard, Datacenter or Essentials Edition)
  • The VMs need to have specific product keys installed in order to use VMAA (see below)
  • If you move an automatically activated VM from a Windows 2012 R2 Datacenter Edition host to a different Windows hypervisor (for example a Windows 2012 R2 Standard Edition host), the VM will be deactivated within a week and you will need to use another method to re-activate it (KMS, for example)

The specific product keys that you need to install in your guest VMs are the following (Link):

  • Windows Server 2012 R2 Datacenter:           Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
  • Windows Server 2012 R2 Standard:               DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
  • Windows Server 2012 R2 Essentials:              K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

You can use an unattended file or System Center VMM templates to inject the new product key.
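As an added example (not code from the original post), the following PowerShell covers the two sides of the VMAA setup described above: a host-side check of the prerequisites (Datacenter edition, activated, Hyper-V role) and a guest-side helper that installs the matching AVMA key with slmgr.vbs and reports the licence state, which is also how you would notice a VM that has been moved off a Datacenter host and is running out its grace period. It assumes an elevated PowerShell session on Windows Server 2012 R2; the function names are my own.

```powershell
# Added example (not from the original post). Test-VmaaHost runs on the Hyper-V
# host, Install-AvmaKey runs inside the guest. Both assume an elevated session
# on Windows Server 2012 R2.

# AVMA product keys for the Windows Server 2012 R2 guest editions listed in the post.
$AvmaKeys = @{
    'Datacenter' = 'Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW'
    'Standard'   = 'DBGBW-NPF86-BJVTX-K3WKJ-MTB6V'
    'Essentials' = 'K2XGM-NMBT3-2R6Q8-WF2FK-P36R2'
}

# Well-known ApplicationId of the Windows product in the Software Licensing provider.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-WindowsLicenseStatus {
    # Licensing record of the installed Windows edition.
    # LicenseStatus 1 = Licensed; anything else means not (or no longer) activated.
    # GracePeriodRemaining is in minutes and starts shrinking once a VM leaves a VMAA host.
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationId='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object Name, PartialProductKey, LicenseStatus, GracePeriodRemaining
}

function Test-VmaaHost {
    # True only when this machine is an activated Windows Server 2012 R2 Datacenter
    # host with the Hyper-V role, i.e. the only configuration that can activate guests.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDatacenterR2 = [bool]($os.Caption -match 'Windows Server 2012 R2 Datacenter')
    $isActivated    = [bool](Get-WindowsLicenseStatus | Where-Object { $_.LicenseStatus -eq 1 })
    $hasHyperV      = (Get-WindowsFeature -Name Hyper-V).Installed

    [pscustomobject]@{
        Edition         = $os.Caption
        IsDatacenterR2  = $isDatacenterR2
        IsActivated     = $isActivated
        HyperVInstalled = $hasHyperV
        VmaaCapable     = ($isDatacenterR2 -and $isActivated -and $hasHyperV)
    }
}

function Install-AvmaKey {
    # Inside the guest: pick the AVMA key for the running edition, install it with
    # slmgr.vbs /ipk, request activation with /ato and report the resulting state.
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $edition = $AvmaKeys.Keys |
        Where-Object { $caption -match "Server 2012 R2 $_" } |
        Select-Object -First 1
    if (-not $edition) {
        throw "VMAA needs a Windows Server 2012 R2 Standard/Datacenter/Essentials guest, found: $caption"
    }
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    & cscript.exe //nologo $slmgr /ipk $AvmaKeys[$edition]
    & cscript.exe //nologo $slmgr /ato
    Get-WindowsLicenseStatus
}

# Usage:
#   Test-VmaaHost            (on the host; VmaaCapable must be True)
#   Install-AvmaKey          (inside the guest; LicenseStatus 1 expected afterwards)
```

In an unattended deployment the same key goes into the ProductKey element of the answer file instead of being typed through slmgr; the Get-WindowsLicenseStatus function is still worth scheduling in the guest, because a VM that is later migrated to a non-Datacenter host shows up there as a shrinking GracePeriodRemaining before it deactivates.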

Building an Answer File: Link

Creating Virtual Machine Templates in System Center VMM: Link

Windows Server Hyper-V 2012 R2 Shared VHDX Feature

With Windows Server Hyper-V 2012 R2 you can share a virtual disk between virtual machines.

This is very useful in clustering scenarios, and you can read more about this technology here:

http://blogs.technet.com/b/storageserver/archive/2013/11/25/shared-vhdx-files-my-favorite-new-feature-in-windows-server-2012-r2.aspx

I’d like to share this additional information that came up during a Q&A with colleagues from the product group:

Question: Which are the implications of the Shared VHDX feature for Live Migration? With Shared VHDX can you perform:

  1. Live Migration?
  2. Live Storage Migration?
  3. Shared Nothing Live Migration?

As a quick reminder, here are the different types of Live Migration and a brief description…

  1. Live Migration. In this scenario, the virtual machine running state is moved between compute nodes while the virtual machine storage stays in place.
  2. Live Storage Migration. In this scenario, the virtual machine running state stays on the same compute node while the virtual machine storage is migrated to a new location.
  3. Shared Nothing Live Migration. In this scenario, both the virtual machine running state and the virtual machine storage are moved.

Answer: Shared VHDX works with Live Migration however it doesn’t work with Shared Nothing Live Migration and Live Storage Migration because moving a virtual machine with Shared VHDX requires systematically coordinating configuration updates for the associated virtual machines across multiple hosts.
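The practical consequence of that answer is that a migration script has to know, before it starts, whether a VM carries a shared VHDX. The following PowerShell is an added example (not from the original post or the product group): it lists the shared disks of a VM and refuses anything but a compute-only Live Migration when one is present. It assumes the Hyper-V PowerShell module on Windows Server 2012 R2 and that a shared VHDX is reported by Get-VMHardDiskDrive through its SupportPersistentReservations property (an assumption to verify on your build); the VM and host names in the usage lines are placeholders.

```powershell
# Added example (not from the original post): pre-flight check for the three
# migration types discussed above. Assumes the Hyper-V module (Windows Server 2012 R2)
# and that Get-VMHardDiskDrive exposes SupportPersistentReservations for shared VHDX.

function Get-SharedVhdx {
    # Returns the hard disk drives of a VM that are attached as shared VHDX.
    param([Parameter(Mandatory)][string]$VMName)
    Get-VMHardDiskDrive -VMName $VMName |
        Where-Object { $_.SupportPersistentReservations } |
        Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation, Path
}

function Assert-MoveAllowed {
    # Throws when the requested migration type is not supported for this VM.
    #   Live          = running state moves, storage stays   (supported with shared VHDX)
    #   Storage       = storage moves, state stays           (not supported)
    #   SharedNothing = both move                            (not supported)
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][ValidateSet('Live', 'Storage', 'SharedNothing')][string]$MoveType
    )
    $shared = @(Get-SharedVhdx -VMName $VMName)
    if ($shared.Count -gt 0 -and $MoveType -ne 'Live') {
        $paths = ($shared | ForEach-Object { $_.Path }) -join ', '
        throw "$MoveType migration is not supported for '$VMName': shared VHDX attached ($paths). " +
              "Only Live Migration with the storage left in place is supported."
    }
    return $true
}

# Usage (placeholder names):
#   Assert-MoveAllowed -VMName 'SQLNODE1' -MoveType Live
#   Move-VM -Name 'SQLNODE1' -DestinationHost 'HV02'       # compute only, storage stays put
#   Assert-MoveAllowed -VMName 'SQLNODE1' -MoveType Storage  # throws
```

For a VM that is a clustered role, the move itself goes through the Failover Clustering cmdlets rather than Move-VM, but the check is the same: if Get-SharedVhdx returns anything, the storage must stay where it is.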

System Center Operations Manager – Manually remove dependencies from Management Packs

My friend Riccardo Corna wrote an interesting article about how to remove dependencies from Management Packs in Microsoft System Center Operations Manager.

The original article is written in Italian, so you can read it here: http://riccardocorna.com/rimuovere-manualmente-dipendenze-management-pack-microsoft-systemcenter-securereferenceoverride/

If you are an English reader, you can read it using the (automatically) translated version: http://translate.google.com/translate?langpair=it%7Cen&u=http://riccardocorna.com/rimuovere-manualmente-dipendenze-management-pack-microsoft-systemcenter-securereferenceoverride/

Use Windows Store in an Enterprise Environment

Windows 8.x introduces a new kind of application named “Modern”.

These applications are packaged as .appx files and are published through the Microsoft Windows Store.

I created a personal FAQ based on my experience with enterprise customers that are interested in using Windows 8.

As you will see, the Windows Store is actually very “consumer” and not really “enterprise”.

NOTE: The following information is up to date as of January 2014.

Q: Is it mandatory to have a Microsoft Account to install and update the Modern apps published in the Windows Store?

A: Yes, the only apps that you can update without having a Microsoft Account are the Windows 8 embedded Modern apps (Mail, Calendar, People, Video…)

Q: Can I create a large number of Microsoft Accounts using a script or some service provided by Microsoft?

A: No

Q: Can I federate my enterprise directory with the Windows Store in order to avoid the need of a Microsoft Account and provide a single sign-on experience?

A: No

Q: If I develop my own Modern Application, do I need to publish it on the Windows Store?

A: No, you can distribute it using SCCM, Intune or other products, because you own the .appx file

Q: Can I distribute a Modern Application that is placed in the public store to my users?

A: You can publish a “deep link” that is a sort of web link to the Windows Store page where the user can install the application. It’s not possible to retrieve the .appx file of a Modern App published in Windows Store and it’s not possible to push the installation of a Modern App published in the Windows Store

Q: Can I update a Modern Application that is placed in the public store for my users?

A: No, you can only publish the deep link to the updated version of the app; it’s the user who must open the store and click “update”

Q: Is it possible to buy a large number of Modern Apps from the Windows Store?

A: Currently it’s not possible to buy Modern Applications in bulk. Every single application needs to be bought by the user with a credit card associated with the Microsoft Account

Q: I bought a Modern Application from the Windows Store for a user that is leaving the company. Can I reassign the App?

A: No, the license is tied to the Microsoft Account and you cannot transfer it

Q: Can I disable the access to the store?

A: Yes, using Group Policy

Q: Can I prevent users from installing some kinds of applications from the store?

A: Using AppLocker you can prevent the installation of a given set/type of applications
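The last two answers are the enterprise controls that do exist, so here is an added PowerShell example (not from the original post) that checks whether the Store has been turned off by policy and builds an AppLocker packaged-app allow-list from the .appx packages already installed, so that anything else from the Store is blocked. It assumes Windows 8.x with the Appx and AppLocker modules, an elevated session, that the “Turn off the Store application” policy is what writes the RemoveWindowsStore value, and a placeholder output path.

```powershell
# Added example (not from the original post): audit the Store policy and restrict
# Modern (.appx) apps with AppLocker. Assumes Windows 8.x, elevated session.

function Test-StoreDisabled {
    # The "Turn off the Store application" policy writes RemoveWindowsStore = 1 under
    # SOFTWARE\Policies\Microsoft\WindowsStore in HKLM (computer) or HKCU (user).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\WindowsStore"
        $val = Get-ItemProperty -Path $key -Name RemoveWindowsStore -ErrorAction SilentlyContinue
        if ($val -and $val.RemoveWindowsStore -eq 1) { return $true }
    }
    return $false
}

function New-PackagedAppAllowList {
    # Publisher rules for every currently installed package, saved as an AppLocker
    # policy. Once rules exist in the Packaged app collection, packages matching no
    # allow rule are blocked: this is the "only what we already vetted" model.
    # Publisher rules key on signer + package name, so they survive app updates.
    param([Parameter(Mandatory)][string]$OutXml)
    $packages = Get-AppxPackage -AllUsers
    Get-AppLockerFileInformation -Packages $packages |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
        Out-File -FilePath $OutXml -Encoding UTF8
    return $OutXml
}

function Test-PackageDecision {
    # Dry run: what would the policy decide for each installed package and user?
    param([Parameter(Mandatory)][string]$XmlPath, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $XmlPath -Packages (Get-AppxPackage -AllUsers) -User $User
}

function Enable-PackagedAppPolicy {
    # Applies the policy to the local machine (in a domain, ship it through a GPO).
    # AppLocker enforcement depends on the Application Identity service (AppIDSvc).
    param([Parameter(Mandatory)][string]$XmlPath)
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $XmlPath -Merge
}

# Usage (placeholder path):
#   Test-StoreDisabled
#   $xml = New-PackagedAppAllowList -OutXml 'C:\Temp\appx-allow.xml'
#   Test-PackageDecision -XmlPath $xml | Where-Object { $_.PolicyDecision -ne 'Allowed' }
#   Enable-PackagedAppPolicy -XmlPath $xml
```

Run the dry run on a reference machine before enabling the policy: whatever Test-PackageDecision reports as not allowed is what users will lose, including the embedded apps if they are missing from the reference install.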

My first project with Windows To Go

I just finished a BYOD project based on the Windows To Go technology for an Italian customer.

Windows To Go is a technology that lets you run a Windows installation from a USB key.

Customer Opportunity

The technical need was that the customer wanted to supply a standard, managed Windows build to external consultants, to be sure that every security constraint is met when a PC is plugged into the customer network.

The business need was that the customer wanted to avoid as much as possible the costs related to hardware supplied to external consultants.

Technology Overview

In order to create a Windows To Go USB key you must first make sure that the USB key is certified:

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/devices/windowstogo.aspx

The creation process can use three different technologies:

  • The creator included in the Windows 8 installation (useful only if you need to create a small number of USB keys)
  • SCCM 2012 SP1 or a higher version (it provides a self-service capability)
  • PowerShell scripts (custom procedures)

Project Overview

My customer asked to use PowerShell because they were not using SCCM and needed to create 2500 USB keys.

The operating system used was Windows 8 RTM (they are now testing 8.1) and the USB key used was supplied by Kingston (http://www.kingston.com/wtg/).

We leveraged the customer’s custom internal portal to provide an easy WTG creation wizard.

http://technet.microsoft.com/en-us/library/jj721578.aspx

The steps that a user needs to perform in order to create their key are:

  • Log into the internal portal and start the WTG creation wizard
  • Answer a few questions about which products they need on top of the WTG installation
  • Insert the USB key into the PC connected to the portal
  • Wait until the first part of the creation is done
  • Insert the USB key into their own hardware and boot from the key
  • Follow a few more steps that personalize the operating system (name, domain join, BitLocker encryption)

The Windows 8 build used in a WTG context is not a “special” build… We used the same sysprepped .WIM file that we use to install Windows 8 on the internal hard drive of tablets and desktop machines.

The only difference is that during the deployment process a local policy named “SAN policy” is added.

This policy prevents the user running the WTG environment from viewing and accessing the physical hard drive of their notebook. This is a best practice intended to avoid accidental data leakage between Windows To Go and the host system and to prevent problems with hibernation files.

More information about that: http://www.verboon.info/2012/12/how-to-access-data-from-the-local-disk-when-running-a-windows-to-go-workspace/
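To make the “PowerShell script” option and the SAN policy step concrete, here is an added example (not the customer’s portal code or anything from the original post) of the core of a scripted Windows To Go build: partition the USB disk, apply the sysprepped .WIM, write the boot files for both BIOS and UEFI, and apply an offline unattend that sets SanPolicy 4 (OfflineInternal) so the host’s internal disks stay offline. It assumes Windows 8 with the Storage module, dism.exe and bcdboot.exe, an elevated session, an amd64 image, and that exactly one USB disk is attached; the image path is a placeholder.

```powershell
# Added example (not from the original post): scripted Windows To Go build with the
# SAN policy applied offline. Assumes Windows 8 (Storage module, dism, bcdboot),
# an elevated session, an amd64 image and exactly one attached USB disk.

function Get-WtgTargetDisk {
    # Refuses to guess: exactly one USB-attached disk must be present.
    $usb = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' })
    if ($usb.Count -ne 1) { throw "Expected exactly one USB disk, found $($usb.Count)" }
    return $usb[0]
}

function Initialize-WtgDisk {
    # Wipes the disk, creates a 350 MB active FAT32 system partition plus an NTFS
    # OS partition, and returns both drive letters.
    param([Parameter(Mandatory)]$Disk)
    Clear-Disk -Number $Disk.Number -RemoveData -Confirm:$false
    Initialize-Disk -Number $Disk.Number -PartitionStyle MBR
    $sys = New-Partition -DiskNumber $Disk.Number -Size 350MB -IsActive -AssignDriveLetter
    Format-Volume -DriveLetter $sys.DriveLetter -FileSystem FAT32 -NewFileSystemLabel 'System' -Confirm:$false | Out-Null
    $os = New-Partition -DiskNumber $Disk.Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -DriveLetter $os.DriveLetter -FileSystem NTFS -NewFileSystemLabel 'WindowsToGo' -Confirm:$false | Out-Null
    [pscustomobject]@{ System = "$($sys.DriveLetter):"; OS = "$($os.DriveLetter):" }
}

function Install-WtgImage {
    # Lays down the same sysprepped image used for internal disks, then writes the
    # boot files for BIOS and UEFI (/f ALL) onto the system partition.
    param([Parameter(Mandatory)][string]$WimPath, [Parameter(Mandatory)]$Volumes)
    & dism.exe /Apply-Image /ImageFile:$WimPath /Index:1 /ApplyDir:"$($Volumes.OS)\"
    if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Image failed ($LASTEXITCODE)" }
    & bcdboot.exe "$($Volumes.OS)\Windows" /s $Volumes.System /f ALL
    if ($LASTEXITCODE -ne 0) { throw "bcdboot failed ($LASTEXITCODE)" }
}

function Set-WtgSanPolicy {
    # SanPolicy 4 = OfflineInternal: internal disks of whatever PC boots the key are
    # left offline, which is what blocks accidental data leakage to/from the host
    # and avoids the hibernation-file trouble mentioned in the post.
    param([Parameter(Mandatory)]$Volumes)
    $xml = @'
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
'@
    $path = Join-Path $env:TEMP 'san_policy.xml'
    Set-Content -Path $path -Value $xml -Encoding UTF8
    & dism.exe /Image:"$($Volumes.OS)\" /Apply-Unattend:$path
    if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Unattend failed ($LASTEXITCODE)" }
}

# Usage (placeholder image path):
#   $disk = Get-WtgTargetDisk
#   $vols = Initialize-WtgDisk -Disk $disk
#   Install-WtgImage -WimPath 'D:\Images\Win8-sysprepped.wim' -Volumes $vols
#   Set-WtgSanPolicy -Volumes $vols
```

The first-boot personalization (computer name, domain join, BitLocker) is left to the image’s own sysprep answer file, exactly as in the post; what this script adds over a plain image apply is the single-disk guard and the SAN policy, which is the part that protects the host machine.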

Lessons Learned

We didn’t have hardware to certify, because every user was an external consultant with their own laptop. This was very problematic: we faced a lot of service tickets due to the lack of drivers (because the users were not local administrators of their machines, they were not able to install missing drivers by themselves).

The other problem was about hardware requirements: Microsoft states that the minimum hardware requirement for Windows To Go is a PC (Apple Mac not supported) that is certified for running Windows 7 or 8 and that has a BIOS that permits booting an operating system from USB.

Several external consultants used Macs and lots of others used old hardware not certified for Windows 7 or 8.

We had several tickets about users who were not able to boot the operating system from USB. These tickets were all resolved by installing a new version of the BIOS.

We had only one problem with a PC that was certified for Windows 7 but whose vendor didn’t provide a BIOS that permits booting an operating system from USB.

We had several tickets about users who had lost their BitLocker PIN and asked to retrieve the recovery key (the customer chose not to implement MBAM or any other BitLocker management solution, so the answer was “reimage your USB key”…).

Conclusions

IMHO, in this context, Windows To Go was not the best choice due to the impossibility of certifying all the hardware.

It’s less expensive than a VDI solution and it can be used offline, but it doesn’t fit all scenarios.


It’s also important to understand that if an IT department introduces a new service it must support it. The lack of BitLocker support is not a good choice. MBAM is a simple product that also provides self-service recovery. If you don’t want to use MBAM you can store the BitLocker recovery key in Active Directory for free… So why not do it?

BYOD needs to support the hardware and software owned by users, or at least needs to provide a list of supported and certified hardware/software so that users can buy or install them.
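The “store the recovery key in Active Directory for free” option, which would have answered the lost-PIN tickets described in the lessons learned, takes only a policy and a few lines of PowerShell. The following is an added example (not from the original post): it reports whether the AD DS backup policy for OS drives is set and escrows every numerical recovery password of every encrypted volume in the computer object. It assumes the BitLocker module (Windows 8 / Server 2012), a domain-joined machine, an elevated session, and that the OS-drive recovery policy is stored in the FVE policy key with the OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup values.

```powershell
# Added example (not from the original post): escrow BitLocker recovery passwords in
# AD DS. Assumes the BitLocker module, a domain-joined machine and an elevated session.

function Test-AdBackupPolicy {
    # The OS-drive recovery policy lands under HKLM\SOFTWARE\Policies\Microsoft\FVE.
    #   OSActiveDirectoryBackup = 1        back recovery information up to AD DS
    #   OSRequireActiveDirectoryBackup = 1 do not enable BitLocker until the backup succeeded
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupToAd      = ($fve.OSActiveDirectoryBackup -eq 1)
        RequireAdBackup = ($fve.OSRequireActiveDirectoryBackup -eq 1)
    }
}

function Backup-RecoveryPasswordsToAd {
    # For every encrypted volume: make sure a numerical recovery password protector
    # exists, then back each one up to the computer object. Returns one record per
    # protector so the result can be logged centrally.
    $results = foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($recovery.Count -eq 0) {
            # No recovery password yet: add one, then re-read the protector list.
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        }

        foreach ($kp in $recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $ok = $true; $err = $null
            } catch {
                $ok = $false; $err = $_.Exception.Message
            }
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                BackedUp       = $ok
                Error          = $err
            }
        }
    }
    return $results
}

# Usage:
#   Test-AdBackupPolicy
#   Backup-RecoveryPasswordsToAd | Format-Table -AutoSize
```

With the policy in place the backup happens automatically when BitLocker is enabled during the key’s first boot; the script is for keys that were encrypted before the policy existed, and its output is the list of volumes for which the help desk can later read the recovery password from the computer object instead of reimaging the key.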