A posting on an MSDN blog … basically how to run BitLocker on a Windows 7 VM without access to the host's TPM chip, using a virtual floppy to hold the start-up key so the machine can boot.
Time-served MCSE with a BSc degree in engineering. Returning to work after a career break and studying like mad to update my certifications.
Sunday, 31 March 2013
Friday, 29 March 2013
Windows 7 … I can remember the password now!!!
Password Recovery Disk
Did a little experiment with Windows 7 on a Hyper-V VM.
Created a fresh user account on a non-domain VM
Attached and formatted a Virtual Floppy.
Created a password recovery disk for this new user.
Got the password wrong and reset the password multiple times using the password reset disk.
Logged on as a local admin and reset the test account password. I expected this to make the password recovery disk useless … NO … could still use the password recovery disk to reset the password to get back into the user account.
Okay what about encrypted files?
Created a very important text document and encrypted it.
If you log on as local admin and change the password, the user should NOT be able to get back into the file.
Logged on as the user with the changed password and could NOT access the encrypted file as expected.
What if … I can remember the password now!!
Used the password recovery disk to change the password back to the one used when the file was encrypted and I could get back into the encrypted file.
What if I change the password again using the Password Recovery Disk … YES … can still get into the encrypted file.
Useful tool or great big gaping security hole!!!
You decide …
Default Local Groups
Windows 2008 and Windows 7 Default Local Groups
Did you know:
- The Power Users group has no default rights, is present for backward compatibility and has no more rights than the Users group. A security template must be applied to enact its legacy role.
- Members of the Users group cannot share folders or create local printers.
While user rights can be configured through Group Policy, it is still easier and more transparent to apply them through security groups.
Group | Default rights |
Administrators | Unrestricted access |
Backup Operators | Override file and folder access to back up and restore data |
Cryptographic Operators | Windows needs to be deployed in Common Criteria Mode |
Distributed COM Users | Manipulate Distributed COM objects |
Event Log Readers | Read event logs |
Network Configuration Operators | Change TCP/IP settings |
Performance Log Users | Schedule logging of performance counters, enable and collect event traces |
Performance Monitor Users | Access performance counter data locally and remotely |
Power Users | Legacy use only |
Remote Desktop Users | Use Remote Desktop |
Replicator | Support file replication in a domain |
For a fuller understanding of the default local groups, visit the TechNet link; it is written for Windows Server 2008 but also applies to Windows 7.
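As an added example (not from the original post), the script below lists who is actually in each of the default local groups from the table above, so a stray account in Backup Operators or Remote Desktop Users stands out during a review. It uses the WinNT ADSI provider, which is available on Windows 7 and Server 2008 without extra modules; run it from an elevated prompt.

```powershell
# Added example: audit membership of the default local groups listed above.
# Assumes Windows 7 / Server 2008 and an elevated PowerShell 2.0+ prompt.
$defaultLocalGroups = 'Administrators', 'Backup Operators', 'Cryptographic Operators',
    'Distributed COM Users', 'Event Log Readers', 'Network Configuration Operators',
    'Performance Log Users', 'Performance Monitor Users', 'Power Users',
    'Remote Desktop Users', 'Replicator'

function Get-LocalGroupMembership {
    param(
        [string[]]$Groups   = $defaultLocalGroups,
        [string]  $Computer = $env:COMPUTERNAME
    )
    foreach ($g in $Groups) {
        try {
            $group = [ADSI]"WinNT://$Computer/$g,group"
            # Invoke('Members') returns COM objects; ADsPath shows whether each
            # member is a local account or came from a domain.
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            })
        } catch {
            # Group does not exist on this edition, or access was denied
            $members = @("<unavailable: $($_.Exception.Message)>")
        }
        New-Object PSObject -Property @{
            Group   = $g
            Count   = $members.Count
            Members = (($members -replace '^WinNT://', '') -join '; ')
        }
    }
}

Get-LocalGroupMembership | Sort-Object Group |
    Format-Table Group, Count, Members -AutoSize -Wrap
```

Administrators is normally expected to hold only the built-in Administrator and Domain Admins; any other group with a non-empty Count deserves a second look.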
Credentials Manager virtualapp/didlogical
On opening Windows 7 or Windows 8 Credentials Manager you may notice under Generic Credentials virtualapp/didlogical with a random username you do not recognise.
This appears to be a harmless entry for Windows Live. If in doubt, delete it, but it may return; uninstall Windows Live and it should stay away.
Hyper-V Remote Desktop Slow Large Send Offload
Large Send Offload Slows Remote Desktop
I have issues with Hyper-V connectivity that appear to be resolved by disabling Large Send Offload IPv4 on the Virtual Machines.
The two problems this appears to resolve are Windows Updates not working and Remote Desktop being painfully slow.
The workaround until I found this setting was to change the VM to the legacy NIC.
Windows Update would not work on VMs, although the machine quite happily browsed the web, made the initial connection to Windows Update and downloaded the latest Windows Update client. I do not know if this is the case with WSUS.
The second issue I have just resolved is that Remote Desktop runs painfully slow although remote connections from the Hyper-V Manager are unaffected.
Thursday, 28 March 2013
Disable UAC at Domain Level
Want to disable User Account Control (UAC) across your domain?
NOT recommended but here is how you do it.
Start Group Policy Management Editor
Drill down through the following levels: Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options
Find the following:
User Account Control: Run All Administrators in Admin Approval Mode
and set it to Disabled
NOT recommended … for information only
Windows RUNAS and UAC gotcha!
When it comes to Windows 7 and UAC there appear to be three types of account: the standard user, a member of the local Administrators group, and the "built-in" Administrator account (local and domain).
So here is the command that caused me problems:
runas /user:mylocaladmin "mmc.exe gpedit.msc"
Here is the scenario:
Visit a user's machine with them logged on and run Group Policy Editor from a normal command prompt with a new account that is a member of the local Administrators group. You cannot enable the built-in Administrator account.
RUNAS ERROR: Unable to run - mmc.exe gpedit.msc
740: The requested operation requires elevation
In short, you can't execute this runas command using an account that is a member of the local or domain Administrators group unless you disable UAC.
If UAC is enabled, then the command above can only be run using the built-in domain or local Administrator account.
Good practice dictates that support staff don't use built-in admin accounts, and instead elevate commands from within a standard account using an account that is a member of the domain or local admin groups.
Solution:
Run the command prompt as administrator.
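As an added example (not from the original post), the script below shows why the runas command fails with error 740: it inspects the current token the way UAC does, distinguishing the three account types described above, and launches gpedit through the UAC prompt when the token is a filtered one. It assumes Windows 7 with UAC enabled; the function names are my own.

```powershell
# Added example: classify the current token under UAC and start gpedit
# with a full token. Assumes Windows 7, UAC enabled.
function Get-TokenKind {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    # IsInRole is true only when the Administrators SID is *enabled* in this
    # token. An admin-group account started with plain runas receives a
    # filtered token in which that SID is deny-only, so this is $false and
    # anything needing elevation (mmc.exe gpedit.msc) fails with error 740.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # RID 500 is the built-in Administrator (local or domain). By default it
    # is exempt from Admin Approval Mode, so its token is already full,
    # which is why the post's runas command works only for that account.
    $builtIn = $id.User.Value -match '-500$'

    if ($elevated -and $builtIn) { return 'BuiltInAdministrator' }
    elseif ($elevated)           { return 'ElevatedAdministrator' }
    else                         { return 'FilteredOrStandardUser' }
}

function Start-GpeditElevated {
    $args = 'gpedit.msc'
    if ((Get-TokenKind) -eq 'FilteredOrStandardUser') {
        # -Verb RunAs goes through the UAC consent/credential prompt and yields
        # a full token: the "run the command prompt as administrator" fix,
        # applied to one process instead of a whole shell.
        Start-Process -FilePath 'mmc.exe' -ArgumentList $args -Verb RunAs
    } else {
        Start-Process -FilePath 'mmc.exe' -ArgumentList $args
    }
}

Get-TokenKind
Start-GpeditElevated
```

Running Get-TokenKind from a prompt opened with runas as an admin-group account returns FilteredOrStandardUser, which is exactly the token runas handed the failing command.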
TechNet Group Policy processing and precedence
Okay, so you have local group policies on your PCs and several policies that have been set up by colleagues over time at various levels within Active Directory. What takes precedence: Local, Site, Domain or OU?
Order of precedence of policy types
The local machine policy is applied first, then Site, Domain and OU policies are processed from the topmost OU down through the child OUs, until finally any policy linked to the OU that contains the computer is applied. The policy applied last has the greatest precedence.
What if multiple Policies are Linked to an OU, Site or Domain ?
There is only one local policy on an individual PC; however, there can be multiple policies linked at the Site, Domain and OU levels.
Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The last to process has the highest precedence.
For further information:
TechNet: Group Policy processing and precedence
Other Relevant TechNet Documents:
Deployment considerations for Group Policy
Controlling the Scope of Group Policy Objects using GPMC
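As an added example (not from the original post), the script below prints the GPOs that reach a given OU in the order Windows processes them, so the "last applied wins" rule above can be checked against a real container. It assumes the GroupPolicy RSAT module and a domain-joined machine; the OU distinguished name is a placeholder.

```powershell
# Added example: show GPO processing order and precedence for an OU.
# Assumes RSAT GroupPolicy module; the OU below is a placeholder.
Import-Module GroupPolicy

function Get-GpoPrecedence {
    param([Parameter(Mandatory=$true)][string]$Target)   # OU or domain DN

    $inheritance = Get-GPInheritance -Target $Target
    # InheritedGpoLinks is ordered by precedence, highest first (the OU's own
    # links, then parents, then the domain). Local policy and site-linked
    # GPOs are not part of this list: they are processed before all of these.
    $links = @($inheritance.InheritedGpoLinks)
    [array]::Reverse($links)          # now in processing order: first to last

    $n = 0
    foreach ($link in $links) {
        $n++
        New-Object PSObject -Property @{
            ProcessingOrder = $n
            Precedence      = $links.Count - $n + 1   # 1 = applied last, wins
            GPO             = $link.DisplayName
            LinkedAt        = $link.Target
            Enforced        = $link.Enforced          # enforced links win over child links
            Enabled         = $link.Enabled
        }
    }
    if ($inheritance.GpoInheritanceBlocked) {
        Write-Warning "$Target blocks inheritance; only enforced parent links apply"
    }
}

Get-GpoPrecedence -Target 'OU=Workstations,DC=corp,DC=example' |
    Format-Table ProcessingOrder, Precedence, GPO, LinkedAt, Enforced, Enabled -AutoSize
```

Compare the output with gpresult /r on a computer in that OU: the Applied Group Policy Objects list should match the same order.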
Tuesday, 26 March 2013
Windows Server 2012 Incorrect Time Zone
Windows Server 2012 Incorrect Time Zone after fresh install
Was doing some work on my test servers and found that my newly installed Windows Server 2012 was running 7 hours late. (All VM clients running on the same Hyper-V Host)
Running w32tm /tz I noticed that the time zone was Pacific Standard Time, not GMT. All the regional settings were correct!!
Opened Date and Time; the time zone was set to Pacific Time (US & Canada). Changed the time zone to the correct (UTC) Dublin, Edinburgh, Lisbon, London setting.
Ran w32tm /tz again and the time zone was correctly set to GMT.
The regional settings were correct, so what happened to the time zone … my fault or a Windows 2012 glitch!!
Monday, 25 March 2013
Hyper-V Windows Update error 80072ee2
Hyper-V Windows Update would stop working with error 80072ee2
After building a Windows 2008 R1 VM Windows Update stopped working.
Windows Update installed the latest update for Windows Update; then any further attempts to check for updates resulted in an 80072ee2 error.
It was still possible to browse the web.
A temporary fix was to use the Legacy NIC on the virtual machine, and Windows Update started working again.
Just built a Windows 2008 R2 VM with the same problem but tracked it down to a setting on the VM NIC. The specific property Large Send Offload Version 2 (IPv4) must be set to Disabled and Windows updates starts working.
How it's done:
Open Local Area Connection properties
Select Configure
Select the Advanced tab
You are looking for the property Large Send Offload Version 2 (IPv4)
Disable this property and Windows Update should start working again
Disabled this on the Windows 2008 R1 server with similar results.
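As an added example (not from the original post), the script below does the same change from inside the VM without the GUI: it reads the NDIS registry keyword behind the "Large Send Offload Version 2 (IPv4)" property on every adapter instance and can set it to Disabled. It assumes Windows 7 / Server 2008 R2 in the guest and an elevated PowerShell 2.0+ prompt; the function names are my own.

```powershell
# Added example: report and disable *LsoV2IPv4 (1 = Enabled, 0 = Disabled),
# the keyword behind "Large Send Offload Version 2 (IPv4)" in the Advanced tab.
$netClassKey = 'SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'

function Get-LsoV2IPv4 {
    $class = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($netClassKey)
    foreach ($name in $class.GetSubKeyNames()) {
        if ($name -notmatch '^\d{4}$') { continue }     # only 0000, 0001, ... instances
        try { $k = $class.OpenSubKey($name) } catch { continue }
        if ($k -eq $null) { continue }
        $v = $k.GetValue('*LsoV2IPv4')
        if ($v -ne $null) {                              # only NICs that expose LSOv2
            New-Object PSObject -Property @{
                Instance  = $name
                Adapter   = $k.GetValue('DriverDesc')
                LsoV2IPv4 = $v
            }
        }
        $k.Close()
    }
    $class.Close()
}

function Disable-LsoV2IPv4 {
    param([Parameter(Mandatory=$true)][string]$Instance)   # e.g. '0007' from Get-LsoV2IPv4
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$netClassKey\$Instance", $true)
    # The INF stores the keyword as REG_SZ, so write a string, not a DWORD.
    $k.SetValue('*LsoV2IPv4', '0', [Microsoft.Win32.RegistryValueKind]::String)
    $k.Close()
    # The driver reads the keyword when it starts, so bounce the adapter, e.g.:
    #   netsh interface set interface "Local Area Connection" admin=disabled
    #   netsh interface set interface "Local Area Connection" admin=enabled
}

Get-LsoV2IPv4 | Format-Table Instance, Adapter, LsoV2IPv4 -AutoSize
```

On Windows 8 / Server 2012 guests the same keyword can be set with Set-NetAdapterAdvancedProperty -RegistryKeyword '*LsoV2IPv4' -RegistryValue 0.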
How does basic networking work in Hyper-V?
Do you have a test server running Hyper-V?
Need to understand the basics of running Hyper-V with a single NIC?
Need to understand the basics of running Hyper-V with Dual NICs?
This blog entry from a member of the Hyper-V team should be a starting point.
Saturday, 23 March 2013
Run Windows PE from USB Flash Drive
Useful tip that took longer to write the blog entry than do!
After trying a few methods to "burn" an ISO to a USB Flash Drive I found this works using the free version of UltraISO. I wanted to boot Windows PE from USB but also wanted a method that would work for any Windows OS.
Burn the Windows PE ISO to a USB Flash Drive as follows:
Open the Windows PE ISO with UltraISO
Open the Bootable menu and select Write Disk Image…
Select your USB Flash Drive under "Disk Drive"
Ensure the Write Method USB-HDD+ is selected
Select Write
All that remains is to ensure that the boot order is correctly set on your computer and you're good to go.
Boot Virtual Machines from USB Flash Drive
Portable-VirtualBox is a free and open source software tool that lets you run any operating system from a USB stick.
This is one of those tools that I just want to test but don't have the time. It allows you to store and run virtual machines from a USB Flash Drive.
Windows 7 USB/DVD download tool
Want your Windows 7 DVD running from a USB drive?
This is an official Microsoft tool available free from the Microsoft store. You can now run a Windows 7 installation from a USB drive with at least 4GB space.
Windows 7 USB/DVD download tool
Note: this only works for Windows 7 downloaded from the Microsoft Store; try it with any other Windows 7 ISO file and you get an invalid ISO message.
Friday, 22 March 2013
Hyper-V create Virtual Floppy
I wanted a Virtual Floppy disk to try using answer files in unattended Windows 7 builds on Hyper-V Virtual Machines. The process is straightforward: you create a virtual disk, attach it to an existing machine, format it, add files, and then it can be connected to any other virtual machine.
The process to create a virtual floppy
- Open Hyper-V Manager
- Go to the Actions pane
- Select New, then select Floppy Disk...
- The Create Virtual Floppy Disk dialog box opens
- Browse to the folder where you want to store the file that will act as a virtual floppy (the default location is on the Hyper-V Server/host), enter a file name, then click Create
To use a Virtual Floppy Disk:
- Open the settings of a virtual machine
- Under Hardware select Diskette Drive, then browse to the Virtual Floppy .vfd file.
- The first time you try to access the Virtual Floppy you will be asked to format it.
- You can then disconnect it and connect it to another Virtual Machine
I have not tested whether you can connect it to multiple VMs at the same time.
Thursday, 21 March 2013
Windows 7 TechNet Walkthroughs
Explore features of Windows 7 with short screencasts then learn how to accomplish common planning, migration, deployment, and management tasks with more in-depth demonstrations and tutorials.
Tuesday, 19 March 2013
Windows PE 3.0 custom image with DISM
How do you create anything other than the standard PE images?
How do you change the regional settings?
The primary tool for customizing Windows PE 3.0 is the command-line tool Deployment Image Servicing and Management (DISM).
TechNet Walkthrough: Create a Custom Windows PE Image
TechNet Walkthrough: Add Multilingual Support to Windows Setup
Monday, 18 March 2013
Windows 7 Automated Installation Kit (AIK)
Windows Automated Installation Kit (AIK) for Windows 7 assists in the installation, customization, and deployment of the Microsoft Windows 7 and Windows Server 2008 R2 family of operating systems.
Large download but took me less than 10 minutes on a fast broadband connection.
Sunday, 17 March 2013
Install any version of Windows 7 or Windows 8
Need a 30-day evaluation copy of Windows 7 Ultimate but only have a Windows 7 Professional DVD?
I am installing to a virtual machine on Hyper-V, so I have created an ISO from the original DVD and build from that.
Removing the ei.cfg from the ISO will cause the installation process to prompt you for the version to install.
I put the binpatcher.exe file in the folder with the Windows 7 ISO, ran the exe, was prompted for the ISO file, selected the ISO and no drama.
Created the Windows 7 Ultimate virtual machine in less time than it took me to write this post.
The ei.cfg file can also be edited within the ISO image and set to your choice of version; you will need something like MagicISO that will let you extract the file and write the updated one back to the ISO (the free version will not let you save the ISO).
You don’t need an activation code to try for 30 days.
A link to the tool I used is below, and I believe it works with Windows 8 as well (I cannot verify that as yet). Just a thought: what about Windows Server 2008 versions, Standard vs Enterprise?
Friday, 15 March 2013
Windows 7 Slipstream Internet Explorer 9
Here is a link to a TechNet video explaining how to slipstream Internet Explorer 9 with Windows 7 Service Pack 1. I assume it would be a similar process for Internet Explorer 10.
I will be evaluating this process in the near future until then proceed at your own risk :)
Tuesday, 5 March 2013
Windows Server 2012 Jump Start Series
If you already have some experience with Windows Server 2008, the Microsoft TechNet Jump Start gives an insight into Windows Server 2012.
The link below is to the first in the series with the remaining videos linked from that page.
Windows Server 2012 Jump Start (01): Core Hyper-V
I would encourage you to look at the other Jump Start series such as Windows 8.