Tag: ARM

Surface Pro X Windows 10 on ARM WSL 2

How to Install WSL 2 on Windows 10 on ARM

This is just a quick blog post about the experience of running the Windows Subsystem for Linux 2 (WSL 2) on Windows 10 on ARM, which comes on devices like the Surface Pro X. Since I got many questions from developers and IT Pros about the Surface Pro X and how it can handle different workflows on Windows 10 on ARM, I decided to write a blog post on how you can install WSL 2 on Windows 10 on ARM and the Surface Pro X.

Requirements

You need a device that runs Windows 10 on ARM like the Surface Pro X. Yes, WSL 2 works on the Surface Pro X, and you can run Ubuntu 18.04, which comes as an ARM compiled distro. But you will need to install a Windows Insider build (19041 or higher, also known as Windows 10 20H1 or Windows 10 version 2004). And yes, if you are running an Intel or AMD based machine, you can also install and run WSL 2 on Windows 10.

Install Windows 10 on ARM Windows Insider Build


To run Windows 10 Insider Builds, you can go to Settings, Update & Security, and the Windows Insider Program and join the program. If you get asked to choose the Ring, you will need to select the Insider Slow Ring. You will need to reboot your machine and check for updates, to install the Windows Insider builds.

Install WSL 2 on Windows 10 on ARM

To install the Windows Subsystem for Linux 2 (WSL 2), you need to follow these tasks.

  • Enable the Windows Subsystem for Linux Optional feature (WSL 1 and WSL 2)
  • Install a distro for the Windows Subsystem for Linux
  • Enable the ‘Virtual Machine Platform’ optional feature (WSL 2)
  • Configure the distro to use WSL 2

Enable the Windows Subsystem for Linux and Virtual Machine Platform

Windows 10 on ARM Control Panel WSL2


You can enable the Windows Subsystem for Linux (WSL) and the Virtual Machine Platform feature in the Control Panel or with PowerShell.

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
 
Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform

These commands will need a reboot of the machine.

Install a Linux distro for the Windows Subsystem for Linux

If you don’t already have a WSL distro installed, you can download and install one from the Windows 10 store. You can find more here: Crazy times – You can now run Linux on Windows 10 from the Windows Store.

Install Ubuntu ARM WSL 2 Windows Store on the Surface Pro X


If you want to run a full Ubuntu virtual machine on Windows 10 Hyper-V, you can check out my blog post.

Set WSL distro to use version 2

After you completed the first two steps, you will need to configure the distro to use WSL 2. Run the following command to list the available distros in PowerShell:

wsl -l -v

If this command doesn’t work with the -v parameter, you don’t have the right Windows 10 build installed.

To set a distro to WSL 2, you can run the following command:

wsl --set-version DistroName 2

Convert to WSL 2

You can also set WSL 2 as the default. You can also run the command before you start the Linux distro for the first time, which will give you faster setup speeds.

wsl --set-default-version 2

To find out more about installing WSL 2, check out the Microsoft Docs page.
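
The steps above, combined into one pre-flight check and setup script. This is an added example, not code from the original post; the function names Test-Wsl2Readiness and Enable-Wsl2 are hypothetical, and it assumes an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): checks the build and feature
# prerequisites for WSL 2 before changing anything. Function names are hypothetical.

function Test-Wsl2Readiness {
    [CmdletBinding()]
    param(
        # Minimum build named in the post (Windows 10 version 2004).
        [int]$MinimumBuild = 19041
    )

    $build = [System.Environment]::OSVersion.Version.Build

    # The two optional features the post enables.
    $names = 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform'
    $features = foreach ($name in $names) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
        [pscustomobject]@{ Name = $name; State = [string]$feature.State }
    }

    [pscustomobject]@{
        Build        = $build
        BuildOk      = $build -ge $MinimumBuild
        # Reports ARM64 in a native shell on a Surface Pro X, x86 in an emulated one.
        Architecture = $env:PROCESSOR_ARCHITECTURE
        Features     = $features
    }
}

function Enable-Wsl2 {
    [CmdletBinding()]
    param()

    $status = Test-Wsl2Readiness
    if (-not $status.BuildOk) {
        # On older builds 'wsl -l -v' fails, as the post notes.
        Write-Warning "Build $($status.Build) is older than the build WSL 2 requires."
        return
    }

    $restartNeeded = $false
    foreach ($feature in $status.Features) {
        if ($feature.State -eq 'Enabled') {
            Write-Verbose "$($feature.Name) is already enabled."
        }
        elseif ($feature.State -eq 'EnablePending') {
            # Enabled earlier, but the machine has not been rebooted yet.
            $restartNeeded = $true
        }
        else {
            $result = Enable-WindowsOptionalFeature -Online -FeatureName $feature.Name -NoRestart
            if ($result.RestartNeeded) { $restartNeeded = $true }
        }
    }

    if ($restartNeeded) {
        Write-Warning 'Reboot the machine, then run Enable-Wsl2 again to finish the setup.'
        return
    }

    # Both features are active: make WSL 2 the default and show each distro's version.
    wsl --set-default-version 2
    wsl -l -v
}

Enable-Wsl2 -Verbose
```

Distros that were installed before the default was changed still need `wsl --set-version DistroName 2`.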

After you have enabled WSL 2 you can see that WSL 1 was running kernel version 4.4.0.

WSL 1 Kernel Version


WSL 2 is running Linux kernel version 4.19.84

WSL 2 Kernel Version


You can also see that this is an ARM version of Ubuntu.

Ubuntu ARM


Conclusion

I hope this helps you and gives you a quick overview of how you can install WSL 2 on Windows 10 on ARM and the Surface Pro X. If you have any questions, let me know in the comments and check out the WSL 2 FAQ. The Windows Subsystem for Linux 2 Kernel is also open-source, and you can follow the project on GitHub.

By the way, you can now also start using Docker Desktop together with the Windows Subsystem for Linux 2 and even use WSL 2 on Windows Server.



Surface Pro X User Review

Surface Pro X – First Impressions and Review

I just got my brand new Surface Pro X two weeks ago, and since then, I spent a couple of days with it and started to use it as my daily driver. Since I got a lot of questions around the device, how I am using it, and what the limitations are, I decided to write this short blog post. There are many reviews out there from a lot of professional reviewers who focus more on specifications and restrictions to run all possible workloads. In my Surface Pro X review, I try to share my first impressions and write a short review of how the device works for me. Here is a brief review and my first impressions on the Surface Pro X, which is more focused on my use case and what I think the device is good for as well as where you might hit some limitations.

My First Impression 👓

I want to spend a couple of words on the first impressions I had of the Surface Pro X when I opened the box. Don’t get me wrong, all the Surface devices had an excellent build quality and design, but I have the feeling that the Surface Pro X is on the next level. It is hard to describe why, but the design and the details make it feel like a real premium device.

Surface Pro X Body


On the software side, I was trying to stick with ARM64 apps as much as possible, and with the new Microsoft Edge Insider Canary version, I have almost all the apps I need. With the ARM64 apps, the performance is excellent, with no issues at all. Even emulated x86 32-bit apps like Visual Studio Code run very well for my personal tasks. However, I am not sure what the impact on battery life is if you run these apps most of the time. If you have a Surface Go, which I like very much, I can tell you that the Surface Pro X is way faster.

Why I love the Surface Pro X ❤

After using the Surface Pro X for more than a week, I can say this might be my favorite Surface device ever made. Don’t get me wrong; it can’t run 100% of the workloads I need, like containers and Hyper-V, for example. But for that, I also have my Surface Book 2, which runs all workloads and also provides a larger 15-inch screen.

Surface Pro X vs Surface Pro 7


However, I was traveling, writing, and presenting a lot in the last couple of days, and I love the weight (774g), the size (287 mm x 208 mm x 7.3 mm), and the 13-inch screen in a 12-inch chassis with very thin bezels. It is very convenient to travel with since it provides the form-factor of a Surface Pro with the kickstand, but it also adds a 13-inch screen. The screen is bright, and the 13-inch display with the 3:2 aspect ratio is fantastic for productivity. The Surface Pro X is also 1mm thinner than the Surface Pro 7, which doesn’t sound like much, but you can feel the difference.

Enabled by the custom Microsoft SQ1 processor, one thing I completely underestimated is the possibility of having an always-on device. If you open up the Type Cover or start the Surface Pro X, it is instantly on and available. With Windows Hello, you are logged in immediately, and you can start working. When you close it and put it in your bag, or you leave it overnight, the battery doesn’t really drain much — speaking about battery life, which seems to be great so far, I get enough out of the machine for a travel day or a day at a conference. Another great feature the new Surface devices have is that they all come with fast-charging, which allows us to charge the machine very quickly.

Surface Pro X and Surface Pro 7


The Surface Pro X also comes with a 5.0MP front-facing camera with 1080p full HD video and a 10.0MP rear-facing autofocus camera with 1080p HD and 4k video. Since I started to work more with video, I appreciate having great cameras for recordings and Microsoft Teams calls and great audio from the dual far-field studio mics; recording videos and doing conference calls works excellently. The 2W stereo speakers with Dolby Audio Premium are surprisingly good.

Connectivity Qualcomm


I am also pleased about the connectivity options, the Surface Pro X comes with Wi-Fi 5 (802.11ac), Bluetooth 5.0 and a Qualcomm Snapdragon X24 LTE Modem with nanoSIM and eSIM support. This is my first tablet with LTE support, and I like to have that option to be always connected. All of the wireless adapters are now coming from Qualcomm, and I didn’t have any Wi-Fi or Bluetooth issues; everything worked fine and at full speed.

The Surface Pro X also comes with two USB-C ports and a Surface Connect port, which means you can use your existing Surface adapters and chargers.

Alcantara Type Cover


I am not sure if the Surface Type Cover for the Surface Pro X is different from the Surface Pro 6 and 7; however, for me, it somehow feels different. The typing experience is excellent, and I love the track-pad. I also got a couple of questions around the new Surface Slim Pen, which you can store in the Type Cover and supports wireless charging. For me, I even like it better than the existing Surface Pen. That said, I am mostly using the Surface Pen to take notes or using the Whiteboard app, and for that, it works great.

If you want to know more about the Surface Pro X Specifications, you can find them here.

What do I run on the Surface Pro X 💻

For me, the Surface Pro X is a great travel and work device. The small form-factor, weight, and the 13-inch display combined with all the Surface features like the touch-screen, Surface Slim Pen, kickstand, and many more, make it a great productivity device. I mostly use it for office tasks, mail, web browsing, note-taking, and doing presentations, and the Surface Pro X is excellent in doing all of that. Especially the mobility and always-on feature combined with the connectivity make it a fantastic device for me.

Surface Pro X with Slim Pen


What I use and what works fine:

  • Office Desktop Apps (Office 365, Outlook, PowerPoint, Word, Excel) ARM version
  • OneNote ARM version
  • Microsoft Edge Insider (Edge based on Chromium) ARM version
  • Visual Studio Code Emulated x86 32-bit version
  • PowerShell
  • Microsoft Whiteboard App

What I am missing for my workflow:

  • An ARM version of Microsoft Teams. I am currently using the web version of Teams and installed it as a progressive web application (PWA), which works great. You can also install the 32-bit version. However, this impacts performance and battery life.
  • Camtasia to do screen recordings
  • A native ARM64 version of Paint.NET. I am currently using the emulated 32-bit version from the Microsoft Store, which works well, but again I would like to see a native ARM64 version with more performance and better battery life.

Install MS Teams PWA

I also connect my Surface Pro X to the Surface Docking station, which works great, and it powers two of my monitors.

Limitations and things to consider 🧱

The Surface Pro X runs Windows 10 on ARM, and this is not comparable to Windows RT or Windows 10 S. Windows 10 on ARM can currently run ARM64 apps or emulated x86 32-bit apps. So you can install your Windows applications as long as they are not 64-bit. Something to consider is that applications which are not compiled for ARM64 run emulated. This can have an impact on performance and battery life. In my use case, I run Visual Studio Code from time to time, which doesn’t seem to be an issue or have an impact on battery life. Some of the applications you are using today might be x64 apps, for example, a couple of Adobe apps. These apps currently cannot run on Windows 10 on ARM. However, Adobe and others are working on compiling their applications for ARM64, so they can run natively on the Surface Pro X and other ARM Windows devices.

Another limitation for me is that I can’t run Hyper-V on Windows 10 on ARM. That means I can’t use it for all my workloads and demos I do with virtual machines and containers. However, that isn’t a big problem, since I am doing more powerful tasks like this on my Surface Book 2 or maybe in the future on a Surface Laptop 3. But yes, you can run the Windows Subsystem for Linux and the Windows Subsystem for Linux 2 (WSL 2).

  • Drivers for hardware, games and apps will only work if they’re designed for a Windows 10 ARM-based PC. For more info, check with the hardware manufacturer or the organization that developed the driver. Drivers are software programs that communicate with hardware devices—they’re commonly used for antivirus and antimalware software, printing or PDF software, assistive technologies, CD and DVD utilities, and virtualization software.
    If a driver doesn’t work, the app or hardware that relies on it won’t work either (at least not fully). Peripherals and devices only work if the drivers they depend on are built into Windows 10, or if the hardware developer has released ARM64 drivers for the device.
  • 64-bit (x64) apps won’t work. You’ll need 64-bit (ARM64) apps, 32-bit (ARM32) apps, or 32-bit (x86) apps. You can usually find 32-bit (x86) versions of apps, but some app developers only offer 64-bit (x64) apps.
  • Certain games won’t work. Games and apps won’t work if they use a version of OpenGL greater than 1.1, or if they rely on “anti-cheat” drivers that haven’t been made for Windows 10 ARM-based PCs. Check with your game publisher to see if a game will work.
  • Apps that customize the Windows experience might have problems. This includes some input method editors (IMEs), assistive technologies, and cloud storage apps. The organization that develops the app determines whether their app will work on a Windows 10 ARM-based PC.
  • Some third-party antivirus software can’t be installed. You won’t be able to install some third-party antivirus software on a Windows 10 ARM-based PC. However, Windows Security will help keep you safe for the supported lifetime of your Windows 10 device.
  • Windows Fax and Scan isn’t available. This feature isn’t available on a Windows 10 ARM-based PC.

On the hardware side, something you need to be aware of is that the black color looks great, but it also picks up a lot of fingerprints. I also don’t like it too much that the Surface Connect port (for charging and connecting the docking station) moved a little up on the side. I think the reason for this is that the bottom of the tablet is just too thin. This is not a big deal, but just something to be aware of.

Conclusion 📝

The question is, should you buy it? And my answer is, it depends. Again, I love the hardware and how it works together with Windows 10 on ARM. If you are looking for a machine which can do what you need to do, then it is a no-brainer. If you are running 64-bit apps, for example, some of the Adobe applications, you might want to go with a Surface Pro 7 or Surface Laptop 3.

For me personally, the Surface Pro X is a great companion to my Surface Book 2 or the Surface Laptop 3. Depending on what I need to do, I only travel with my Surface Pro X, because it is light and brings all the advantages of the Surface Pro form-factor. If I am traveling for a longer period of time, I will also bring my Surface Book 2 with a large 15-inch screen, as a mobile workstation.

Surface Pro X and Surface Laptop 3


If I am traveling, I can use the Surface Pro X as a secondary screen.

Surface Pro X Box


I hope this review gives you a couple of impressions about the Surface Pro X and why you should or shouldn’t get it. If you have any questions, feel free to leave a comment. Just to make sure, in case you didn’t know, I am a Microsoft employee working in the Azure Engineering team. I am not involved in the Surface product at all.

By the way, this review was written on the Microsoft Surface Pro X.



Windows SpeculationControl PowerShell

Microsoft Guidance to protect against speculative execution side-channel vulnerabilities on Windows, Windows Server and Azure (Meltdown and Spectre)

Microsoft responded very quickly to the speculative execution side-channel vulnerabilities, also called Meltdown and Spectre, which affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft released guidance on how you should protect your devices against these vulnerabilities. The Microsoft Security Defense Team also published an article with guidance and more details on this: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

In this blog post I tried to quickly summarize the information and link it to the right websites.

Summary

Microsoft is aware of detailed information that has been published about a new class of vulnerabilities referred to as speculative execution side-channel attacks. This industry-wide attack method takes advantage of out-of-order execution on many modern microprocessors and is not restricted to a single chip, hardware manufacturer, or software vendor. To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has collaborated closely with industry partners to develop and test mitigations to help provide protections for our customers. At the time of publication, Microsoft had not received any information to indicate that these vulnerabilities have been used to attack our customers.

Note: This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS.

Warning

Microsoft addressed protection against speculative execution side-channel vulnerabilities in the latest Windows Updates. However, customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows update.

Guidance for Windows Client

Customers should take the following actions to help protect against the vulnerabilities:

  1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  3. Apply the applicable firmware update that is provided by the device manufacturer.

Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

Read full guidance for Windows Client here: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Guidance for Windows Server

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Windows Server-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update.

  • Windows Server, version 1709 (Server Core Installation) KB4056892
  • Windows Server 2016 KB4056890
  • Windows Server 2012 R2 KB4056898
  • Windows Server 2012 Not available yet
  • Windows Server 2008 R2 KB4056897

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • Physical hosts or virtual machines that are running untrusted code, such as containers or untrusted extensions for databases, untrusted web content, or workloads that run code that is provided from external sources.

Therefore, Microsoft posted some additional registry keys to enable mitigations on servers. Microsoft also added some extra registry keys if you are running older versions of Hyper-V.

Read the full guidance for Windows Server and the registry keys here: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Guidance for Virtual Machines running on Hyper-V

In addition to this guidance, the following steps are required to ensure that your virtual machines are protected from CVE-2017-5715 (branch target injection):

  1. Ensure guest virtual machines have access to the updated firmware. By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
  2. Perform a cold boot of guest virtual machines. Virtual machines will not see the updated firmware capabilities until they go through a cold boot. This means the running VMs must completely power off before starting again. Rebooting from inside the guest operating system is not sufficient.
  3. Update the guest operating system as required. See guidance for Windows Server.

Read the full guidance for Guest Virtual Machines here: Protecting guest virtual machines from CVE-2017-5715 (branch target injection)

Guidance for Surface Devices

Microsoft will provide UEFI updates for the following devices:

  • Surface Pro 3
  • Surface Pro 4
  • Surface Book
  • Surface Studio
  • Surface Pro Model 1796
  • Surface Laptop
  • Surface Pro with LTE Advanced
  • Surface Book 2

The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

Read full guidance for Surface Devices here: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

Guidance for Azure

Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder.

However, I always recommend that you also patch your operating systems and applications to be protected against other vulnerabilities.

Impact to Enterprise Cloud Services

Microsoft is not aware of any attacks on the Microsoft Cloud customers which leverage these types of vulnerabilities. Microsoft employs a variety of detection capabilities to quickly respond to any malicious activity in our enterprise cloud services.

Most of the Azure infrastructure has already received mitigations against this class of vulnerability. An accelerated reboot is occurring for any remaining hosts. Customers can check the Azure Portal for additional details.

All other enterprise cloud services such as Office 365, Dynamics 365, and Enterprise Mobility + Security have mitigations against these types of vulnerabilities. Microsoft engineering is continuing to perform analysis across the environments to confirm further protection.

Read full guidance for Microsoft Azure here: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Guidance for Azure Stack

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

  1. Apply Azure Stack 1712 update. See the Azure Stack 1712 update release notes for instructions about how to apply this update to your Azure Stack integrated system.
  2. Install firmware updates from your Azure Stack OEM vendor after the Azure Stack 1712 update installation is completed. Refer to your OEM vendor website to download and apply the updates.
  3. Some variations of these vulnerabilities apply also to the virtual machines (VMs) that are running in the tenant space. Customers should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.

Read full guidance for Microsoft Azure Stack here: Azure Stack guidance to protect against the speculative execution side-channel vulnerabilities

Guidance for SQL Server

The following versions of Microsoft SQL Server are impacted by this issue when running on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

IA64-based versions of SQL Server 2008 are not believed to be affected.

Microsoft made a list of different SQL Server scenarios depending on the environment that SQL Server is running in and what functionality is being used. Microsoft recommends that you deploy fixes by using normal procedures to validate new binaries before deploying them to production environments.

You can find the list of scenarios and recommendations here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

There is also a list of updates for SQL Server available:

 

  • 4057122 Description of the security update for SQL Server 2017 GDR: January 3, 2018
  • 4058562 Description of the security update for SQL Server 2017 CU3 RTM: January 3, 2018
  • 4058561 Description of the security update for SQL Server 2016 CU7 SP1: January 3, 2018
  • 4057118 Description of the security update for SQL Server 2016 GDR SP1: January 3, 2018
  • 4058559 Description of the security update for SQL Server 2016 CU: January 6, 2018
  • 4058560 Description of the security update for SQL Server 2016 GDR: January 6, 2018
  • 4057114 Description of the security update for SQL Server 2008 SP4 GDR: January 6, 2018
  • 4057113 Description of the security update for SQL Server 2008 SP3 R2 GDR: January 6, 2018

Read the full guidance for SQL Server here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

Verifying protections against speculative execution side-channel vulnerabilities

The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

You can find more here: Use PowerShell to verify protections against speculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

 

More information on how to mitigate speculative execution side-channel vulnerabilities can be found here: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
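
One way to turn the SpeculationControl output into the three remediation layers this post describes (operating system update, configuration change, firmware update). This is an added example, not code from the original post or from Microsoft; the function name Get-SpeculationGap is hypothetical, the sample object is constructed, and the property names are the ones the module's Get-SpeculationControlSettings emitted in its January 2018 release.

```powershell
# Added example (not from the original post). Get-SpeculationGap is a
# hypothetical helper that maps the module's flags to the missing layer.
# To get the real module: Install-Module -Name SpeculationControl -Scope CurrentUser

function Get-SpeculationGap {
    [CmdletBinding()]
    param(
        # Object returned by Get-SpeculationControlSettings (or a stand-in).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Settings
    )
    process {
        $bti = 'CVE-2017-5715 (Spectre)'
        $kva = 'CVE-2017-5754 (Meltdown)'

        # Branch target injection needs OS support AND updated firmware/microcode.
        if (-not $Settings.BTIWindowsSupportPresent) {
            [pscustomobject]@{ Cve = $bti; Layer = 'OS update'
                Detail = 'January 2018 Windows security update is not installed' }
        }
        if (-not $Settings.BTIHardwarePresent) {
            [pscustomobject]@{ Cve = $bti; Layer = 'Firmware'
                Detail = 'Firmware/microcode update from the device manufacturer is missing' }
        }
        if ($Settings.BTIWindowsSupportPresent -and $Settings.BTIHardwarePresent -and
            -not $Settings.BTIWindowsSupportEnabled) {
            $why = if ($Settings.BTIDisabledBySystemPolicy) { 'disabled by system policy' }
                   else { 'present but not enabled' }
            [pscustomobject]@{ Cve = $bti; Layer = 'Configuration'
                Detail = "Mitigation is $why; see the server guidance for the settings" }
        }

        # Kernel VA shadowing only matters on processors that require it.
        if ($Settings.KVAShadowRequired) {
            if (-not $Settings.KVAShadowWindowsSupportPresent) {
                [pscustomobject]@{ Cve = $kva; Layer = 'OS update'
                    Detail = 'January 2018 Windows security update is not installed' }
            }
            elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
                [pscustomobject]@{ Cve = $kva; Layer = 'Configuration'
                    Detail = 'Support is present but not enabled; see the server guidance' }
            }
        }
    }
}

# Constructed sample: a server with the OS update installed, no firmware
# update yet, and the mitigations not switched on.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $false
    KVAShadowPcidEnabled           = $false
}
$sample | Get-SpeculationGap | Format-Table -AutoSize

# On a real machine, feed the module's output in instead of the sample.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings | Get-SpeculationGap | Format-Table -AutoSize
}
```

An empty result means none of the three layers is reported missing for these two CVEs; guest virtual machines still need the cold boot described above before they see updated firmware capabilities.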



AzureStack Admin Portal

Microsoft Azure Stack – Azure Extension in your Datacenter

A couple of weeks ago, I had the chance to attend the Microsoft Azure Certified for Hybrid Cloud Airlift in Bellevue WA, which is close to the Microsoft campus in Redmond. I had the chance to spend the week there and talk with the Microsoft PG about different Azure Stack scenarios. Most of the discussions and presentations are under NDA, but there are a few things I can share, since they are publicly announced. I prepared this blog post already a couple of months ago, when I was talking to a lot of different customers about Azure Stack, and since then Microsoft also shared some new information about the release of Azure Stack Technical Preview 3.

The Azure Stack Announcement

Azure vs Azure Stack

Microsoft announced Azure Stack at Microsoft Ignite in May 2015. At that time, Microsoft only talked about the vision of Azure Stack and that it will bring cloud consistency between the Microsoft Azure Public Cloud and your Private Cloud. But Microsoft did not really announce exactly what Azure Stack will be and how it will be implemented in your Datacenter.

During the Microsoft World Wide Partner Conference (WPC 2016), Microsoft announced more information about the availability of Azure Stack. For more information, you can read the Microsoft blog posts, but I tried to summarize the most important parts.

Building a true Hybrid Cloud and Consistency with Microsoft Azure

Azure Stack

This is probably the most important part about Azure Stack today. Microsoft Azure Stack will bring Azure consistency between the Microsoft Azure Public Cloud and your Private Cloud or your Hosters Service Provider Cloud using the Azure Resource Manager. So you will be able to not only operate an Azure-like environment, like you could with Windows Azure Pack and System Center, you now get real consistency between Azure and Azure Stack. You not only get the exact look and feel from the Microsoft Azure Public Cloud, you also can use the same Azure Resource Templates and deployment methods as you can in the Public Cloud. This allows customers to really operate in a Hybrid Cloud environment, between the Microsoft Public Cloud, their own Private Cloud and also local Service Provider Clouds.

Bring the agility and fast-paced innovation of cloud computing to your on-premises environment with Azure Stack. This extension of Azure allows you to modernize your applications across hybrid cloud environments, balancing flexibility and control. Plus, developers can build applications using a consistent set of Azure services and DevOps processes and tools, then collaborate with operations to deploy to the location that best meets your business, technical, and regulatory requirements. Pre-built solutions from the Azure Marketplace, including open source tools and technologies, allow developers to speed up new cloud application development.

The Integrated System Approach

Azure Stack Integrated System

(picture by Microsoft)

Microsoft announced that Azure Stack will be available as an appliance from different hardware vendors in Mid 2017. The confirmed hardware providers delivering Azure Stack Appliance at this point in time will be: Dell EMC, HPE and Lenovo and later in 2017 we will also see an appliance from Cisco, Huawei and Avanade.

The big difference here is that Microsoft delivers the Azure Stack platform first in an appliance way, which is really different from the way they delivered Windows Azure Pack. Windows Azure Pack was based on System Center and Windows Server and every customer could design his own environment based on their needs.

This was great, but also had some huge challenges for customers. Clouds needed different designs, and this ended up in very complex design workshops where we basically discussed the customer solutions. The installation and configuration of a Windows Azure Pack platform was also very complex and a lot of work, which needed a lot of resources, knowledge and of course a lot of project costs. Before customers could start saving money, they had to invest money to get things up and running. Of course, system integrators like itnetX and others built automation to spin up clouds based on Windows Azure Pack, but still the investment needed to be done.

The use of an appliance approach not only helps to spin up clouds faster, but also to build environments on tested hardware, firmware and drivers. Another point here which makes a great case for an appliance solution is management and operations. Management and operation of a cloud-like environment is not easy, no matter what software you are using. Keeping the platform stable, maintained and operational will end up in a lot of work, especially if every cloud looks different. The last thing I want to mention here is upgrading. If you want real Azure consistency, you need to keep up with the ultra-fast pace of the Azure Public Cloud, which is basically impossible or extremely expensive. An integrated system scenario can really help you keep things up-to-date, since updates and upgrades can be pre-tested before they are released for you to deploy. This will help you save a huge amount of testing since every environment looks the same.

Operating Azure Stack

Azure Stack Administration and Operation

As already mentioned, Azure Stack will be delivered as an integrated system. OEMs will help you to set up and install your Azure Stack appliance in your datacenter, but they will not adequately manage the integrated system. You will need a Cloud Operator to manage and operate your Azure Stack. With this model, all the hosts will be sealed, and administrators do not have access to the hosts, Hyper-V Manager or Failover Cluster Manager to manage the systems. Instead, administrators or Cloud Operators will manage the system from a management portal.

Azure Stack Platform

Since this is an integrated system, you don’t even need to care what is running in the background. But for a lot of us, it is still exciting to see how Azure Stack is built. In the background, Azure Stack runs on “common” rack mount servers from HPE, Dell, Lenovo, and Cisco; for HPE this is the DL380 Gen9. On the software side, it runs Windows Server 2016 and the Software-Defined Datacenter features such as Storage Spaces Direct, the new Windows Server 2016 Software-Defined Networking stack and Hyper-V. In the release version of Azure Stack, we will see a hyper-converged Storage Spaces Direct architecture starting from 4 nodes. On top of this, Microsoft used code from Azure to bring the Azure Resource Manager, Azure Resource Providers and the Azure Portal to Azure Stack.

POC – Azure Stack Development Kit

Azure Stack Development Kit

Very early in the development process of Azure Stack, Microsoft released Technical Previews to customers so they could test Azure Stack on one-node deployments. This is called the Azure Stack POC. You can download it today and deploy it on a single physical server; it was designed only for non-production, non-HA environments. Microsoft officially announced that they would rename the Azure Stack POC to Azure Stack Development Kit after General Availability in mid-2017. This is a great solution to quickly spin up a test environment of Azure Stack without having to invest in hardware.

Azure Stack HCI

In March 2019, Microsoft announced a new hyper-converged virtualization solution called Azure Stack HCI; check it out here on my blog.

Azure Marketplace Syndication

Azure Stack Marketplace Syndication

You will be able to create your own Marketplace items in Azure Stack, building your own templates and images and offering them to your customers. One of the greatest additions Microsoft made in the Azure Stack Technical Preview 3 is Azure Marketplace Syndication. This allows you to get Marketplace items from Azure and offer them in your Azure Stack offering to your customers. With that, you don’t need to build all Marketplace items by yourself.

Identity Management

Azure Stack has to be integrated into your datacenter. In terms of identity, Microsoft offers two ways to integrate. The first, and from my side the preferred option, is Azure AD (AAD), which allows you to integrate with an existing Azure Active Directory. Azure AD can be synced and connected with your on-premises Active Directory, and this will allow you to log in to Azure as well as Azure Stack. The other option Microsoft offers is using ADFS to bring identities to your Azure Stack.

Azure Stack use cases

Since Azure Stack is consistent with Microsoft Azure, the question comes up: why are we not just using Azure? There are many good reasons to use Azure, but there are also some challenges with that. Azure Stack can make sense in a couple of scenarios.

  • Data Sovereignty – In some cases data cannot be stored outside of a specific country. With Azure Stack, customers have the option to deploy even in their own datacenter or with a service provider within the same country.
  • Latency – Even though Microsoft offers a solution to reduce network latency to Azure with Azure ExpressRoute, in some scenarios latency is still a big issue. With Azure Stack, customers can place Azure very close to the location where resources are accessed from.
  • Disconnected Scenarios – In some scenarios you really want to benefit from the consistent deployment model, and for example use Azure Resource Manager (ARM), but not everywhere on earth do you have access to Azure or sometimes you have a very bad connection. Think about cruise ships or other scenarios where you need to run IT infrastructure but you are not able to connect to Azure.
  • Private Instance of Azure – For some companies shared infrastructure can be challenging; even though security standards in Azure are extremely high, it is not always an option. With Azure Stack, companies can basically spin up their completely own instance of Azure.
  • Differentiation – Service Providers or even Enterprise companies can not only use the Azure Marketplace, but can also build their own solutions for Azure Stack and make them available to their customers.

Pricing and Licensing

As mentioned, Microsoft will offer Azure Stack from 5 different OEMs. HPE, Dell and Lenovo will deliver a solution at GA in mid-CY17; Cisco and Huawei will be available later. The hardware needs to be bought directly from the OEM or a partner. Some of them also offer a flexible investment model like HPE Flexible Capacity. For the pricing model, Microsoft decided to license Azure Stack on a pay-per-use basis. This of course matches cloud economics, and there will be no upfront licensing costs for customers. Services will typically be metered on the same units as Azure, but prices will be lower, since customers operate their own hardware and facilities. For scenarios where customers are unable to have their metering information sent to Azure, Microsoft will also offer a fixed-price “capacity model” based on the number of cores in the system.

Azure Stack will be offered in two different models, Pay-as-you-use model and Capacity model. The pay-as-you-use model is licensed by Microsoft via the Enterprise Agreement (EA) or Cloud Service Provider (CSP) programs. The capacity model is available via EA only. It is purchased as an Azure Plan SKU via normal volume licensing channels. For typical use cases, Microsoft expects the pay-as-you-use model to be the “most economical” option.

The Azure Stack pricing models


Pay-as-you-use model

With the pay-as-you-use model, you can take advantage of cloud economics and only pay for resources which are actually consumed, plus additional costs for the Azure Stack hardware and the operations.

Service prices:

  • Base virtual machine $0.008/vCPU/hour ($6/vCPU/month)
  • Windows Server virtual machine $0.046/vCPU/hour ($34/vCPU/month)
  • Azure Blob Storage $0.006/GB/month (no transaction fee)
  • Azure Table and Queue Storage $0.018/GB/month (no transaction fee)
  • Azure App Service (Web Apps, Mobile Apps, API Apps, Functions) $0.056/vCPU/hour ($42/vCPU/month)

Capacity model

For the capacity model, two packages are available which let you license the physical cores of your Azure Stack system via an annual subscription. The packages are only available via Enterprise Agreement (EA).

  • App Service package ($400/core/year)
    Includes App Service, base virtual machines and Azure Storage
  • IaaS package ($144/core/year)
    Includes base virtual machines and Azure Storage

You will also need additional licenses if you deploy Windows Server and SQL Server virtual machines, as you would if you were using your traditional Hyper-V servers.

What else will you need

  • Integrated System (hardware) – you will need to purchase the Azure Stack hardware from one of the OEM vendors
  • Support – you will need to purchase support from Microsoft for software support and a support package for the hardware from the hardware provider. If you already have Premier, Azure, or Partner support with Microsoft, your software support is included.
  • Service Providers – Service providers can also license Azure Stack to others using the CSP (Cloud Solution Provider) channel.

Roadmap

At the Azure Stack GA release this summer, Microsoft will deliver Azure Stack on hardware from the providers HPE, Dell and Lenovo. Later in 2017 Microsoft will also deliver Azure Stack with Cisco, Huawei and Avanade hardware. Azure Stack at GA will support 4-12 nodes, a single scale unit and a single region.

Microsoft will also deliver some of the services at General Availability, and will add more and more services over time. At GA we will see:

  • Virtual Machines
  • Storage (Blob, Table and Queue)
  • Networking (Virtual Networks, S2S VPN, …)
  • App Service (in Preview)
  • SQL (in Preview)
  • MySQL (in Preview)

After GA, Microsoft will continuously deliver additional capabilities through frequent updates. The first round of updates after GA is focused on two areas: 1) enhanced application modernization scenarios and 2) enhanced system management and scale. These updates will continue to expand customer choice of IaaS and PaaS technologies when developing applications, as well as improve manageability and grow the footprint of Azure Stack to accommodate growing portfolios of applications. Please keep in mind that this will not just be a product you purchase; think of it as a service which will add features and functionality over time.

The choice for your datacenter

Windows Azure Pack

Microsoft is pushing Azure Stack since it will bring consistency with the Azure public cloud, which means your company and your people need to understand the advantages of using methods like DevOps and Infrastructure as Code. This will help you make the most out of Azure Stack and the Azure Resource Manager. If you already have Microsoft Azure know-how, this is great, because it will also apply to Azure Stack.

No worries if you are not there yet, or if for some reason this doesn’t make sense to you: Microsoft still has a great solution to build traditional virtualization platforms together with automation using System Center, Windows Server and, if needed, Windows Azure Pack. Both solutions, System Center and Windows Azure Pack, will be supported in the future and will get updates.



Windows 8 Partner Devices Demo

Shows the new Windows 8 User Interface and a lot of new Windows devices.