Why should I upgrade the virtual machine configuration version?
When you move or import a virtual machine to a computer that runs Hyper-V on Windows Server 2019, Windows Server 2016, or Windows 10, the virtual machine"s configuration isn’t automatically updated. This means that you can move the virtual machine back to a Hyper-V host that runs a previous version of Windows or Windows Server. But, this also means that you can’t use some of the new virtual machine features until you manually update the configuration version. You can’t downgrade the virtual machine configuration version after you’ve upgraded it.
The virtual machine configuration version represents the compatibility of the virtual machine’s configuration, saved state, and snapshot files with the version of Hyper-V. When you update the configuration version, you change the file structure that is used to store the virtual machines configuration and the checkpoint files. You also update the configuration version to the latest version supported by that Hyper-V host. Upgraded virtual machines use a new configuration file format, which is designed to increase the efficiency of reading and writing virtual machine configuration data. The upgrade also reduces the potential for data corruption in the event of a storage failure.
With PowerShell we check what versions I have running
Get-VM * | Format-Table Name, Version
As you can see I have version 5.0 – 9.0 running time for some upgrading.
This VM has version 5 and I’m upgrading this to version 9.0 , Windows server 2019 default.
Microsoft Windows 10 October 2018 Update/Server 2019 9.0 True
Update-VMVersion HYD-DC1
Confirming and done.
If you want to upgrade all vm’s then use a *
Update-VMVersion *
Get-VMHostSupportedVersion –Default
Microsoft Windows 10 October 2018 Update/Server 2019 9.0 True
In the table below you can see the versions between the OS versions and LTSC and SAC.
Supported VM configuration versions for long-term servicing hosts
The following table lists the VM configuration versions that are supported on hosts running a long-term servicing version of Windows.
Supported VM configuration versions for semi-annual channel hosts
The following table lists the VM configuration versions for hosts running a currently supported semi-annual channel version of Windows.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
As Windows Server 2019 Still holds Internet Explorer and no Edge Chromium or other browser. therefore all initial internet contact is done by the Internet Explorer. This can be annoying when you want to do something on the server and connect to Azure and first you need to install another browser.
This is just a quick blog on the Azure portal app, as this could be handy on any machine without using the browser.
Or you can download the Azure portal app.
When opening the IE browser and go to https://Portal.azure.com
You will see this, the option to download the Application to manage the portal.
Agreeing on the Terms and download
The Azueportalinstaller can also be deployed by SCCM or intune if you want. its not only an application that can be used on older machines.
The setup is easy and you only need to logon.
Use your Azure credentials and you good to go.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
Sometimes you are building things in Azure and thinking if this is possible than that would be a cool feature. Suddenly you are building this and noticed that it is already there in Azure. How Cool is that.
Today I was building a demo website but I did not want to expose this directly to the web, play with this and still get the use of Azure Cloud over the internet. Reading the Azure Endpoint services there is no WebApp Endpoint services. Using a NSG or enable the Azure Firewall well it is just a test so lets see what we can do with all the basic stuff. But during the test I saw this option Microsoft.Web in the service endpoints.
More security is needed in everything you expose to the internet. And in Azure it all starts with a Vnet.
Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network.
First we create a new Vnet, while we creating this wen can enable an pick the right service endpoints. this can also be done afterwards.
Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.
In case you have already a Vnet, just go to the Service points and add the selected service you want to add or select it all.
At this point there is no Configuration, it is just adding a services to the network or subnet.
Below is a list of the Azure services that are currently available.
Generally available
Public Preview
The Web app is not listed but the option is there, and working. The Azure service Endpoint is not a Firewall, as the Azure Firewall this is a totally different service.
For Samples you have a Web application, and it needs to have connection to storage or SQL server and connection to an other Web services, without setting this open to Any – Any you can restrict this with the Azure Service Endpoints
Creating the Rules is a quick process, these are similar as in the NSG.
First we go the the Web App Service. in Networking and the non readers will click the VNet integration. #Wrong
In this case I don’t want a premium network, So we go to Configure Access Restrictions
Here we create a access rule, on who gets access to this web application.
I created a deny rule for a specific IP.
And the pages shows an error webapp is stopped. here you can also see the difference between a complete port block and no access to the application.
Changing this to Allow the App is visible
Also for the KUDU SCM you can have different rules or apply the same rules. with the little check box
With these options you can create a more secure environment again this is a great add on.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
This post is already a long pending post, now that there is an updated ISO with 1903 thought it is time to dust off this draft post.
Originally it was more an overview on what is change and a first impression, but then the server 2019 got postponed.
On the MSDN there is the ISO 1903 Or download the evaluation version https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019
In the mean time on Microsoft doc’s there are already some overviews and these are showing all the details on what is changed between Server 2008,2012,2016 and 2019
Because Windows Server 2019 is a Long-Term Servicing Channel (LTSC) release, it includes the Desktop Experience. (Semi-Annual Channel (SAC) releases don’t include the Desktop Experience by design; they are strictly Server Core and Nano Server container image releases.) As with Windows Server 2016, during setup of the operating system you can choose between Server Core installations or Server with Desktop Experience installations.
Failover Clustering :
Here’s a list of what’s new in Failover Clustering.
- Cluster sets
- Azure-aware clusters
- Cross-domain cluster migration
- USB witness
- Cluster infrastructure improvements
- Cluster Aware Updating supports Storage Spaces Direct
- File share witness enhancements
- Cluster hardening
- Failover Cluster no longer uses NTLM authentication
- Application Platform
Setting up the Cluster is still the same, In powershell we install the feature and install some extra components like the file server and deDup etc
Get-WindowsFeature Failover-Clustering
install-WindowsFeature "Failover-Clustering","RSAT-Clustering","FS-FileServer","FS-Data-Deduplication","Print-Server","Containers","Storage-Replica"-IncludeAllSubFeature
install-WindowsFeature "Failover-Clustering","RSAT-Clustering","FS-FileServer","FS-Data-Deduplication","Print-Server","Containers","Storage-Replica","SMS","SMS-Proxy"-IncludeAllSubFeature
when installing the Cluster Components and creating the cluster you will see no difference.
Cluster based on Server 2016
Cluster based on server 2019
USB witness
You can now use a simple USB drive attached to a network switch as a witness in determining quorum for a cluster. This extends the File Share Witness to support any SMB2-compliant device.
This is a nice option, maybe not real enterprise but for small setups this is handy.
Failover Clusters no longer use NTLM authentication. Instead Kerberos and certificate-based authentication is used exclusively. There are no changes required by the user, or deployment tools, to take advantage of this security enhancement. It also allows failover clusters to be deployed in environments where NTLM has been disabled.
Clustering FileServer Data Deduplication
ReFS is the Recommended configuration for Storage spaces and can also configured with Data Deduplication
https://robertsmit.wordpress.com/2018/02/21/clustering-fileserver-data-deduplication-on-windows-2016-step-by-step-sofs-winserv-refs-windowsserver2016-dedupe/
Below the Server 2016 layout with no dedup option on the storage
On the sizing no big changes that we saw as a limit in the day to day setup. More storage can be added, A lot more.
This could be handy in large storage clusters.
When looking at the Cluster settings there are some differences, this is all default I did not change anything. also handy when you want to know the original setting.
On windows 2019 vs Windows 2016
The CSV cache is now enabled by default to boost virtual machine performance. MSDTC now supports Cluster Shared Volumes, to allow deploying MSDTC workloads on Storage Spaces Direct such as with SQL Server. Enhanced logic to detect partitioned nodes with self-healing to return nodes to cluster membership. Enhanced cluster network route detection and self-healing.
More options and better to tune in the Cluster site.
Intra-cluster communication over Server Message Block (SMB) for Cluster Shared Volumes and Storage Spaces Direct now leverages certificates to provide the most secure platform. This allows Failover Clusters to operate with no dependencies on NTLM and enable security baselines.
Cluster Aware Updating (CAU) is now integrated and aware of Storage Spaces Direct, validating and ensuring data resynchronization completes on each node. Cluster Aware Updating inspects updates to intelligently restart only if necessary. This enables orchestrating restarts of all servers in the cluster for planned maintenance.
Moving Cluster from one domain to an other is now days also a scenario, with moving to the cloud consolidation and domain change is often a part of the migration.
Failover Clusters can now dynamically move from one Active Directory domain to another, simplifying domain consolidation and allowing clusters to be created by hardware partners and joined to the customer’s domain later.
Storage Replica is now available in Windows Server 2019 Standard Edition (with some limits)
There are some big list on the changes see for your self on what is change in Window Server 2019, it could be your choice during the migration of Windows server 2008 R2 EOL.
What’s new in Windows Server 2019 :
Windows Server Evaluations : https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
With the up coming Windows 10 1903 version you better be prepared, and save some bandwidth by setting up the right settings like Delivery Optimization. https://blogs.windows.com/windowsexperience/2019/04/08/releasing-the-may-2019-update-to-the-release-preview-ring/#XSwellpKSbo6oeum.97
What is Delivery Optimization ?
Windows Update Delivery Optimization helps you get Windows updates and Microsoft Store apps more quickly and reliably.
In many business networks, downloading apps and updates can be slow, inefficient, and, in many markets, expensive. When speaking with our customers, we often hear that they have regional facilities in limited and/or metered markets where devices download the same content, redundantly impacting coveted bandwidth and, ultimately, the organization’s financial bottom line. In almost any network, Delivery Optimization can be a highly effective tool, efficiently delivering content to devices and reducing the need for more internet bandwidth.
Windows Update Delivery Optimization works by letting you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, like other PCs on your local network, or PCs on the Internet that are downloading the same files. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet, based on your settings. Sharing this data between PCs helps reduce the Internet bandwidth that’s needed to keep more than one device up to date or can make downloads more successful if you have a limited or unreliable Internet connection.
When Windows downloads an update or app using Delivery Optimization, it will look for other PCs on your local network (or from the Internet, depending on your settings) that have already downloaded that update or app. Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows then gets parts of the update or app from the PCs that have it, and parts from Microsoft. Windows uses the fastest, most reliable download source for each part.
Delivery Optimization creates a local cache, and stores files that it has downloaded in that cache for a short period of time.
you can turn this on in the update settings of Windows 10
But there is also a GPO control that can be used. But you need the latest ADMX files in your PolicyDefinitions folder. If you are uncertain if you have the latest file check here to get the files
Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)
https://www.microsoft.com/en-us/download/details.aspx?id=57576
With this GPO setting you can control the settings for Delivery Optimization
All these settings depends on your need and how your network is configured.
You can also use Delivery Optimization with SCCM. Microsoft recommends that you optimize Windows 10 quality update delivery using Configuration Manager with express installation files and a peer caching technology
the SCCM client settings
above a good overview on the difference between the different caching options.
To get some details on the caching there are some history charts and activity charts. these are depending on the system.
In this case these are just my lab machines so no big improvements here, and the machines are redeployed etc so for graphs not the best show models.
other adjustments can be made on cache settings or bandwidth,
Get-DeliveryOptimizationStatus
Get-DeliveryOptimizationPerfsnap
Get-DeliveryOptimizationPerfsnapThisMonth
Recommended Setting for Delivery Optimization Quick-reference table
Quick-reference table:
More info about Delivery-Optimization can be found here : https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Delivery-Optimization-Scenarios-and-configuration-options/ba-p/280195
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
Azure Sentinel is Microsoft’s cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale.
This SIEM as a Service (SIEMaaS) solution is designed as a cloud-based security-monitoring platform that leverages the power of the cloud for analytics and detections.
https://azure.microsoft.com/en-us/services/azure-sentinel/
there is a good video https://www.youtube.com/watch?v=XXZp6LQZSJU&feature=youtu.be
Limitless cloud speed and scale
Azure Sentinel is the first SIEM built into a public cloud platform to help your security analysts focus on what really matters.
Easily connect your data sources
Azure Sentinel provides simple and easy integration with signals and intelligence from security solutions whether they are on premises, in Azure, or in other clouds.
Azure Sentinel provides seamless integration with Microsoft 365, Azure, and other Microsoft products, including Microsoft’s security products.
Detect suspicious activities in your organization
Azure Sentinel fuses together unique machine learning algorithms, world-class security research, and the breadth and depth of the critical security data available to Microsoft as a major enterprise vendor. Azure Sentinel helps you detect both known and unknown attack vectors, detecting threats across all stages of the kill chain.
Investigate and remediate breaches
Azure Sentinel gives you visibility into all the entities involved in an alert and provides a simple and instinctive UI to investigate the detection, helping you easily understand the scope of the breach.
To cut down on the volume of alerts you get, Azure Sentinel automatically investigates alerts to help you determine what action to take, enabling you to move from alert to remediation in minutes, at scale.
Leveraging the power of Logic Apps, Azure Sentinel helps you respond to incidents instantly, using built-in orchestration and automation playbooks.
Joining the Preview program give you the enable option and you will need some configuration in the Azure portal. Overall a great overview in the new dash boarding. one thing is I need more screens to show all this.
You will need a workspace I you have already one you can use this or just create a new one
I’ll pick my current one as all my VM’s are reporting into this.
Now we can install the add-on for data collection, there is already a big list.
As I already had a workspace there is already some content to use, at this point I don’t have any incidents, so no cases and alerts
I think this is a grate feature the “hunting” predefined query’s ready to run and adjustable to your need.
Reuse the custom query, for better adjustment in your site.
You can find more samples on github https://github.com/Azure/Azure-Sentinel
Also the Azure Notebooks for Azure Sentinel is a new option, create your Project in Jupyter
Azure Notebooks for Azure Sentinel
What is Azure Notebooks?
Azure Notebooks is a free hosted service to develop and run Jupyter notebooks in the cloud with no installation. Jupyter is an open source project that lets you easily combine markdown text, executable code (Python, R, and F#), persistent data, graphics, and visualizations onto a single, sharable canvas called a notebook.
How do Azure Notebooks work?
Interactive Azure Notebooks provides security insights and actions to investigate anomalies and hunt for malicious behaviors. Each Azure Notebook is purpose-built with a self-contained workflow for a specific use case. Visualizations are included in each Azure Notebook for faster data exploration and threat hunting. Click on the button below to clone our prebuilt investigation and hunting Azure Notebooks into projects that belong to you. Modify and tailor your projects to your environment. Either run the Azure Notebooks for free or, for better performance, run them on a dedicated virtual host. Click here to learn more.
Using the Notebooks locally or in other environments
Azure Sentinel will provision notebooks and supporting modules for you in Azure Notebooks. You can also download the notebooks and modules and use them locally in a supported Python environment (Anaconda is recommended) or another notebook hosting environment such as Azure Databricks or a JupyterHub environment that supports Python 3.6 or later.
With the import a copy will be made from the Github to your own repository to get you started.
this take some time after this the project page is opening for you.
You can check the samples and adjust them for your needs
Checking the Logs in the Azure Sentinel will give you a nice dashboard with all the content. I have limited amount of data in this so no big lines or exceptions.
A Sample dashboard with the infrastructure query in Azure Sentinel
A Sample dashboard with the infrastructure query in Azure Sentinel
A Sample dashboard with the general overview query in Azure Sentinel
Some are based on multiple pages, big screens are needed or smaller fonts but overall this is a nice addition to the Azure Family.
Azure Sentinel will take some time to get this running and configuring but once there is data you will see a very nice new tool that can help you to solve your problems in Azure better an quickly.
See and stop threats before they cause harm, with SIEM reinvented for a modern world. Azure Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions, automations.
The kit is based on Powershell and can be extended to Azure log analytics with some nice dashboarding. But if you have a large subscription the Powershell query can take some time. With this toolkit Devops teams using extensive automation and smoothly integrating security into native Devops workflows helping accomplish secure Devops with these 6 focus areas:
- Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
- Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
- Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
- Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
- Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
- Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.
Keep in mind that The OMS portal will is retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.
Even in the Azure portal you can still connect to OMS
Complete feature set of Secure DevOps Kit for Azure
Setting up Secure DevOps Kit for Azure (AzSK)
First make sure you have the right Azure modules installed, I noticed the automation module failed So I added this manualy.
Import-Module AzureRM.Automation
Get-AzSKAzureServicesSecurityStatus -SubscriptionId
Installing the Secure DevOps Kit for Azure (AzSK)
Install-Module AzSK -Scope CurrentUser
Now that the Powershell modules are installed we can start the (AzSK) Scan
Get-AzSKAzureServicesSecurityStatus –SubscriptionId ID
In this subscription there are 44 items that are been checked
Items are been checked on the security issues
Nice detailed overview is shown. Also a log folder is been created with all the issues. per resource Item.
As you can see I have some failed items and with a High, so I need to take a good look at this and fix this.
This maybe one of the best Items here an excel sheet with al the issues listed with the solution mentioned and if this can be automated.
If needed there is an URL that points you to the right solution.
As Azure log analytics is great and it can be integrated with some OMS (Azure monitoring Dashboards)
The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal. So the current documentation need some updating.
Pressing the OMS button in the Azure portal brings you to the OMS portal but then nothing. As it is now all Azure portal.
Setting up the dashboards failed on me during the first installation but when I did run this a second time the dashboard was there. (Timing)
Creating the OMS default dashboard we need to run some powershell scripts.
$omsSubId =”id” #subscription hosting the OMS workspace
$omsWSId =’OMS ID’
$omsRGName =’omsrsg’ #RG where the OMS workspace is hosted
$azSkViewName = ‘MVP_AzSK_view’ #This will identify the tile for AzSK view in OMS.
#This command will deploy the AzSK view in the OMS workspace.
Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `
-OMSResourceGroup $omsRGName `
-OMSWorkspaceId $omsWSId `
-ViewName $azSkViewName
Note:
1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace.
To understand how to send AzSK events to an OMS workspace see https://aka.ms/devopskit/oms.
2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the que
ries.
We also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries.
Checking the OMS – log analytics workspace it has not much issues as this is a test subscription and if it was all perfect then there is no fun.
and with longer logging and more Items in azure you will get a different overview.
There are lots of options you can set and there is a detailed description on how to use this on Github
Setting up ARM policys is also one of the options
Set-AzSKARMPolicies –SubscriptionId
So get started with the DevOpsKit https://github.com/azsk/DevOpsKit-docs
https://github.com/azsk/DevOpsKit-docs/tree/master/05-Alerting-and-Monitoring
AzSK Security Controls Portal @https://aka.ms/azskosstcp
With this it’s a nice tool and yes a bit time consuming but learned a lot and make me see things different in the Azure Subscription
And If you combine this directly and not afterwards then this could be your time saver to fix all the security items
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
