Category: Containers

Last updated by at .

Microsoft Edge Windows Defender Application Guard

Enable Windows Defender Application Guard on Windows 10 using PowerShell

A couple of days back I saw a tweet form Stefan Stranger (Consultant at Microsoft) which reminded me of a feature called Windows Defender Application Guard, which is included in Windows 10 Enterprise since the Fall Creators Update (1709). If you have never heard of Application Guard, you might want to check out this blog post: Introducing Windows Defender Application Guard for Microsoft Edge

Basically Windows Defender Application Guard starts Microsoft Edge in a Hyper-V Container and uses Hyper-V isolation. So if a user browses on a malicious site, the site is separate from the host operating system.

Application Guard Hardware Isolation

What is Windows Defender Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can’t get to your employee’s enterprise credentials.

Source: Windows Defender Application Guard overview

Usually Windows Defender Application Guard is configured using a Enterprise devices management tool like System Center Configuration Manager, Microsoft Intune or another third-party tool. But if you want to use this on your standalone Windows 10 PC you can also do this using PowerShell.

The only thing you need to run this is:

  • Windows 10 Enterprise 1709 (Fall Creators Update) or higher
  • A computer which supports Hyper-V
    • A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS)
    • Extended page tables, also called Second Level Address Translation (SLAT)
    • One of the following virtualization extensions for VBS:
      • Intel VT-x
      • AMD-V
    • Microsoft recommends 8GB RAM for optimal performance
    • 5 GB free space, solid state disk (SSD) recommended
    • Input/Output Memory Management Unit (IOMMU) support is strongly recommended
  •  Microsoft Edge and Internet Explorer

Enable Windows Defender Application Guard using PowerShell

You can simply install Application Guard using the following command:

New Application Guard Windows in Microsoft Edge

This will reboot your computer and after this you will be able to open a new Microsoft Edge windows in Application Guard.

Microsoft Edge Windows Defender Application Guard

This does added some extra security, however it does not really protect against like the Meltdown and Spectre attacks.

Application Guard Virtual Machine Worker Process

If you have a look at the processes running on your computer you can now see that there is a new Virtual Machine Worker Process which is used by the Application Guard.

This is a great example how the Hyper-V isolation can not only be used for Hyper-V Virtual Machines but also other features like Hyper-V Containers or for example on the Xbox One.



Windows SpeculationControl PowerShell

Microsoft Guidance to protect against speculative execution side-channel vulnerabilities on Windows, Windows Server and Azure (Meltdown & Spectre)

Microsoft very quickly responded to the speculative execution side-channel vulnerabilities also called Meltdown and Spectre which affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft released some guidance how you should protect your devices against these vulnerabilities. The Microsoft Security Defense Team also published an article with guidance and more details on this: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

In this blog post I tried to quickly summarize the information and link it to the right websites.

Summary

Microsoft is aware of detailed information that has been published about a new class of vulnerabilities referred to as speculative execution side-channel attacks. This industry-wide attack method takes advantage of out-of-order execution on many modern microprocessors and is not restricted to a single chip, hardware manufacturer, or software vendor. To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has collaborated closely with industry partners to develop and test mitigations to help provide protections for our customers. At the time of publication, Microsoft had not received any information to indicate that these vulnerabilities have been used to attack our customers.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS.

Warning

Microsoft addressed protect against speculative execution side-channel vulnerabilities in the latest Windows Updates. However, customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows update.

Guidance for Windows Client

Customers should take the following actions to help protect against the vulnerabilities:

  1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  3. Apply the applicable firmware update that is provided by the device manufacturer

Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

Read full guidance for Windows Client here: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Guidance for Windows Server

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Windows Servers-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update.

  • Windows Server, version 1709 (Server Core Installation) KB4056892
  • Windows Server 2016 KB4056890
  • Windows Server 2012 R2 KB4056898
  • Windows Server 2012 Not available yet
  • Windows Server 2008 R2 KB4056897

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.

There for Microsoft posted some additional registry keys to mitigations on servers. Microsoft also added some extra registry keys if you are running older versions of Hyper-V.

Read the full guidance for Windows Server and the registry keys here: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Guidance for Virtual Machines running on Hyper-V

In addition to this guidance, the following steps are required to ensure that your virtual machines are protected from CVE-2017-5715 (branch target injection):

  1. Ensure guest virtual machines have access to the updated firmware. By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
  2. Perform a cold boot of guest virtual machines.Virtual machines will not see the updated firmware capabilities until they go through a cold boot. This means the running VMs must completely power off before starting again. Rebooting from inside the guest operating system is not sufficient.
  3. Update the guest operating system as required. See guidance for Windows Server.

Read the full guidance for Guest Virtual Machines here: Protecting guest virtual machines from CVE-2017-5715 (branch target injection)

Guidance for Surface Devices

Microsoft will provide UEFI updates for the following devices:

  • Surface Pro 3
  • Surface Pro 4
  • Surface Book
  • Surface Studio
  • Surface Pro Model 1796
  • Surface Laptop
  • Surface Pro with LTE Advanced
  • Surface Book 2

The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

Read full guidance for Surface Devices here: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

Guidance for Azure

Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder.

However, I always recommend that you also patch your operating systems and applications to be protected against other vulnerabilities.

Impact to Enterprise Cloud Services

Microsoft is not aware of any attacks on the Microsoft Cloud customers which leverage these types of vulnerabilities. Microsoft employs a variety of detection capabilities to quickly respond to any malicious activity in our enterprise cloud services.

Most of the Azure infrastructure has already received mitigations against this class of vulnerability. An accelerated reboot is occurring for any remaining hosts. Customers can check the Azure Portal for additional details.

All other enterprise cloud services such as Office 365, Dynamics 365, and Enterprise Mobility + Security have mitigations against these types of vulnerabilities. Microsoft engineering is continuing to perform analysis across the environments to confirm further protection.

Read full guidance for Microsoft Azure here: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Guidance for Azure Stack

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

  1. Apply Azure Stack 1712 update. See the Azure Stack 1712 update release notes for instructions about how to apply this update to your Azure Stack integrated system.
  2. Install firmware updates from your Azure Stack OEM vendor after the Azure Stack 1712 update installation is completed. Refer to your OEM vendor website to download and apply the updates.
  3. Some variations of these vulnerabilities apply also to the virtual machines (VMs) that are running in the tenant space. Customers should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.

Read full guidance for Microsoft Azure Stack here: Azure Stack guidance to protect against the speculative execution side-channel vulnerabilities

Guidance for SQL Server

The following versions of Microsoft SQL Server are impacted by this issue when running on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

IA64-based versions of SQL Server 2008 are not believed to be affected.

Microsoft made a list of different SQL Server scenarios depending on the environment that SQL Server is running in and what functionality is being used. Microsoft recommends that you deploy fixes by using normal procedures to validate new binaries before deploying them to production environments.

You can finde the list for scenarios and recommendations here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

There is also a list of updates for SQL Server available:

 

  • 4057122 Description of the security update for SQL Server 2017 GDR: January 3, 2018
  • 4058562 Description of the security update for SQL Server 2017 CU3 RTM: January 3, 2018
  • 4058561 Description of the security update for SQL Server 2016 CU7 SP1: January 3, 2018
  • 4057118 Description of the security update for SQL Server 2016 GDR SP1: January 3, 2018
  • 4058559 Description of the security update for SQL Server 2016 CU: January 6, 2018
  • 4058560 Description of the security update for SQL Server 2016 GDR: January 6, 2018
  • 4057114 Description of the security update for SQL Server 2008 SP4 GDR: January 6, 2018
  • 4057113 Description of the security update for SQL Server 2008 SP3 R2 GDR: January 6, 2018

Read the full guidance for SQL Server here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

Verifying protections again speculative execution side-channel vulnerabilities

The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

You can find more here: Use PowerShell to verifying protections again peculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

 

More information on how to mitigate speculative execution side-channel vulnerabilities can be found here: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities



Azure Cloud Shell

Azure Cloud Shell – shell.azure.com and in Visual Studio Code

Back in May Microsoft made the Azure Cloud Shell available in the Microsoft Azure Portal. Now you can use it even quicker by just go to shell.azure.com. First you login with your Microsoft account or Work and School account, and if your account is in multiple Azure Active Directory tenants, you select the right tenant and you will be automatically logged in. So even if you are on a PC where you can not install the Azure CLI or the Azure PowerShell module, you can still easily fire up a shell where you can run the Azure CLI, Azure PowerShell and other CLI tools like Docker, Kubectl, emacs, vim, nano, git and more.

In addition you can also open up Azure Cloud Shell directly from Visual Studio Code

Azure Cloud Shell Visual Studio Code

With that, enjoy your holidays and I wish you a good start in the new year!



ExpertsLive US 2018

Speaking at Experts Live US 2018 in Houston

I am happy and proud that I will speak at next years Experts Live US 2018 in Houston. This will be the first Experts Live Conference in the United States taking place from February 8 – 9 2018. I am happy to present at this event, and be part of the Experts Live journey over the globe, where I have been able to speak at Experts Live in Europe, Asia and Australia.

At Experts Live I will be presenting the following sessions:

Azure Stack: Your Cloud, Your Datacenter

Microsoft released Azure Stack as a Azure appliance for your datacenter. Learn what Azure Stack is, what challenges it solves, how you deploy, manage and operate a Azure Stack in your datacenter. Learn about the features and services you will get by offering Azure Stack to your customers and how you can build a true Hybrid Cloud experience. In this presentation Thomas Maurer (Microsoft MVP) will guide you through the highly anticipated innovations and experience during the Azure Stack Early Adaption Program and Azure Stack Technology Adoption Program (TAP).

Windows Server – What is next for Windows Server

A little less than one year ago Microsoft released Windows Server 2016. In Fall 2017 Microsoft has updated Windows Server to the next Semi-Annual Channel release with new features and improvements and Microsoft will now release new SAC and LTSC releases. Join this session for the best of Windows Server, learn how the new Servicing Model of Windows Server works and what does it mean to use SAC or LTSC releases, and what new improvement and features Microsoft offers in the latest releases such as 1709 and 1803. You’ll get an overview about the new, exciting improvements that are in Windows Server and how they’ll improve your day-to-day job.   In this presentation Thomas Maurer (Microsoft MVP) will guide you through the highly anticipated innovations including: · Windows Server Containers · Hyper-V features · Nano Server · Storage · Networking · Security · Windows Server Containers And more!

10 hidden Hyper-V features you should know about!

In this session Thomas Maurer will talk about 10 hidden Hyper-V features everyone should know about. This covers different features for Hyper-V on Windows Server as well as on Windows 10.

I will also be part of the AMA (Ask me Anything) Discusison Panel: Hybrid Cloud , together with my friends John Joyner (Microsoft MVP) and Janaka Rangama (Microsoft MVP).

AMA Discusison Panel: Hybrid Cloud

Bring your questions on Azure Stack, Windows 2016, Hyper-V and Disaster Recovery in this “ask me anything (AMA) panel discussion.

Hope fully I see you in Houston at Experts Live US 2018!



Thomas Maurer Speaking

Speaking at HPE Discover 2017 Madrid

Today I am happy to announce that I have the honor to speak at HPE Discover in Madrid next week. In a presentation together with HP Enterprise I will talk about how HPE and Microsoft improve the Hybrid Cloud experience using Microsoft Azure Stack.

HPE Discover 2017 Madrid Azure Stack

Building your Azure hybrid cloud business is easier when you work with Hewlett Packard Enterprise

With the release of Azure Stack, now is the time to develop your hybrid cloud business. Hewlett Packard Enterprise and Microsoft have partnered to make it easy for you to accelerate your business by offering Azure-consistent services with HPE ProLiant for Microsoft Azure Stack. Come hear about HPE’s solution for Azure Stack and how HPE can help you develop and grow your Azure business. This session is designed for HPE partners.

I hope to see you next week in Madrid, if you have the chance, step by the HIAG Data booth and ask for me.



Windows Server Semi-annual Channel Overview

Windows Server – Semi-Annual Channel (SAC) vs Long-Term Servicing Channel (LTSC)

I was already blogging about the new Windows Server servicing options including the Long-Term Servicing Channel (LTSC) and the new Semi-Annual Channel (SAC) options. It seems that there is a lot of confusion about what the purpose and the advantages of the Semi-Annual Channel releases. With that blog post I will try to explain what both servicing options are and when which servicing option should be used. Especially since SAC releases, like Windows Server 1709, will only be available as Windows Server Core. Spoiler alert: Windows Server Semi-Annual Channel releases are not for everyone and everything.

Windows Server Long-Term Servicing Channel (LTSC)

The Long-term Servicing Channel is the release model you’re already familiar with (currently called the “Long-term Servicing Branch”) where a new major version of Windows Server is released every 2-3 years. Users are entitled to 5 years of mainstream support, 5 years of extended support, and optionally 6 more years with Premium Assurance. This channel is appropriate for systems that require a longer servicing option and functional stability. Deployments of Windows Server 2016 and earlier versions of Windows Server will not be affected by the new Semi-annual Channel releases. The Long-term Servicing Channel will continue to receive security and non-security updates, but it will not receive the new features and functionality.

Example for Long-Term Servicing Channel releases

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Long-Term Servicing Channel installation options

  • Windows Server Core
  • Windows Server with Desktop Experience
  • Windows Server Core as a container Image

Use cases for Long-Term Servicing Channel releases

As use cases for the Long-Term Servicing Channel releases you can basically count everything in which need predictable long term support, do not support Windows Server Core and where you don’t use the new features included in the Semi-Annual Servicing Channel releases and you prefer less updating.

  • General Purpose File Server – Traditional information worker file server which need long term support
  • Legacy Software – Legacy software which do not support server core
  • Static Software – Software which does not leverage any of the new features of Semi-Annual Channel releases, which need predictable long term support
  • Legacy Hardware – End of life hardware
  • SQL Server – Traditional databases with long lifecycles which need predictable long term support
  • Active Directory and other infrastructure roles – which benefit from long term support

Semi-Annual Channel (SAC)

Windows Server 1709

The Semi-annual Channel releases will deliver new functionality for customers who are moving at a “cloud cadence,” such as those on rapid development cycles or service providers keeping up with the latest Hyper-V and Storage investments. Windows Server products in the Semi-annual Channel will have new releases available twice a year, in spring and fall. Each release in this channel will be supported for 18 months from the initial release.

Most of the features introduced in the Semi-annual Channel will be rolled up into the next Long-term Servicing Channel release of Windows Server. The editions, functionality, and supporting content might vary from release to release depending on customer feedback.

The Semi-annual Channel will be available to volume-licensed customers with Software Assurance, as well as via the Azure Marketplace or other cloud/hosting service providers and loyalty programs such as MSDN.

Example for Semi-annual Channel releases

  • Windows Server 2016 Nano Server
  • Windows Server 1709
  • Windows Server 1803

Semi-annual Channel installation options

  • Windows Server Core
  • Windows Server Core Container Image
  • Windows Server Nano Server Container Image

Use cases for Semi-annual Channel releases

Use cases for the Semi-annual Channel releases right now are application and services which leverage new feature very quickly and go with cloud cadence.

  • Lift and Shift applications into Containers
  • New cloud-based applications
  • Applications which can be quickly and easily redeployed
  • Linux containers on Windows Server
  • Hyper-V and Cluster nodes for Hyper-converged scenarios
  • Hyper-V hosts which are benefiting from continuous innovation

Semi-Annual Channel (SAC) vs Long-Term Servicing Channel (LTSC) Overview

To make it a little easier, here is a quick overview of the two servicing channels:

 Long-Term Servicing ChannelSemi-Annual Channel
Recommend ScenariosGeneral purpose File Servers, SQL Servers, Active Directory and other infrastructure rolesContainerized applications and container hosts, Hyper-converged hosts benefiting form faster innovation
New ReleasesEvery 2-3 yearsEvery 6 months
Support5 years of Mainstream support +5 years of Extended support18 months
EditionsAll available Windows Server editionsStandard and Datacenter
Installation OptionsServer Core and Server with Desktop ExperienceServer Core only
LicensingAll customer through all channelsSoftware Assurance and Cloud customers only

Conclusion

As you can see, Windows Server Semi-annual channel are not designed for everyone. And if you don’t feel comfortable with Windows Server Core (btw you should check out Microsoft Project Honolulu), the fast release cadence or the short support life cycle you should go with the Windows Server Long-Term Servicing Channel. You will not lose anything you had today, you still will get new versions every 2-3 years with all the options you had today. If you need the fast innovation and you get something out of the new features the Semi-annual channel will provide you with 2 releases a year. But make sure, that your deployment, configuration and management is automated, otherwise you will suffer from the fast release cadence. I have three other very important points I want to make sure you know about:

  • Not all your servers have to go with LTSC only or SAC only – as long as you have the right licensing in place you can choose for each server, which ever fits your needs best.
  • You don’t have to switch now – you can also decided to go with LTSC today and switch to a SAC release as soon as you benefit from it. You can also switch back to LTSC from SAC if you don’t like it. (With Switch I mean redeploy)
  • Upgrades are not in-place – It doesn’t matter which servicing channel you are using, servers need to be redeployed. (Not like in Windows 10 where you can leverage in-place upgrades)

I hope this helps to understand the point about Windows Server Semi-Annual Channel (SAC) vs Long-Term Servicing Channel (LTSC). The Semi-Annual Channel releases are a new offer from Microsoft for customers to get their hands on new features much quicker, this offers a huge benefit if you can make use of it. But Microsoft is not forcing you to use SAC, LTSC for some scenarios and customers is still the better option. So both solutions are having huge value in different scenarios.



Windows Server 1709 Server Core Sconfig

How to install Windows Server 1709

Microsoft just released the new Windows Server version 1709 in the Semi-Annual Channel. This blog post is for beginners which want to do their first step setting up Windows Server Core.

First you boot your server or virtual machine form the Windows Server 1709 ISO file. and select which Operating System you want to install. You can choose between Windows Server Standard or Windows Server Datacenter. As you might see, there is only Server Core available. The Server with Desktop Experience or Full Server is only available in the LTSC (Long-Term Servicing Channel) in Windows Server 2016.

Windows Server 1709 Operating System

After accepting the license terms, you can choose the installation type. Even there is an upgrade option, you should choose Custom which will be a new install. Since an in-place upgrade from older Windows Server versions is not supported.

Windows Server 1709 Installation Type

Choose which drive you want to install and the partitioning you want to use

Windows Server 1709 Choose Disk

After that Windows Server will install itself, and reboot for a couple of times.

Windows Server 1709 Installation

After the installation is finished you have to set the default Administrator password.

Windows Server 1709 Admin Password

When you login for the first time, it runs the Windows command prompt with the common Windows commands, or you can run PowerShell, or if you need the magic key to the server core configuration you can run “sconfig” which allows you quickly to do configuration changes, install updates and more.

Windows Server 1709 Server Core Sconfig