Wake on LAN for Hyper-V Guests

When you turn your VM off, it’s off.  As in off-off, off: equivalent to powering it off and pulling out all the cables.  This is why you can’t use Wake on LAN (WoL) for Hyper-V guests because the network adaptor for the VM is off-off.  Which is annoying if you have a bunch of VMs that you use on a regular basis; to boot them all you have to first RDP onto the Hyper-V host and then boot each one in turn – I know, I know, a real first world problem – but it annoys me!  There are a couple of products available to help with this but they are all pretty overpriced in my opinion, especially as they provide something so simple.

WoL is pretty simple: it’s a UDP broadcast to the entire network, usually on port 7, using something called a “magic packet”.  This packet contains the MAC address of the computer to start (amongst other data).  A network adaptor listens out for these packets and reacts by powering on the computer; this all happens within the network card and the computer never gets involved (it’s off-off remember).  WoL doesn’t wait for a response, there’s no encryption/security for it, and it has no additional options/configurations other than this.

This simplicity is great news though because it means that PowerShell can be used to recreate the missing WoL functionality for Hyper-V guests.  The below script sits on your Hyper-V host listening for magic packets.  When it receives one, it checks whether the MAC address the packet contains matches the MAC address of one of the VMs it is hosting and, if so, starts that VM.  Simple.

With this script I can now take out my Windows Phone, open the Wake-on-LAN app, send the magic packets, and boot up my entire lab before I’ve even made it up the stairs to my office 🙂


Set the script to run permanently on your Hyper-V host, as per the above screenshot.  Upon start the code will enumerate the MAC Addresses for all VMs detected locally and will then sit in the background reading any magic packet that it sees go out across the network and react accordingly.  All informational and error messages are written out to the console window.
Prerequisites:
  • UDP port 7 should be opened on your Windows Server firewall – not usually a requirement because WoL is processed by the hardware, but here we are having to process it within the operating system.
  • PowerShell execution policy will need to be set to allow the script to run.
  • The script currently runs in a logged on session, so a user session needs to stay open (I’ll attempt to address this in future versions).  I have my server logged on and locked to accommodate this.
  • A WoL app on your phone and/or computer to send the requests.  Some apps require specifying the IP address of the computer as well as its MAC address.  If this is the case you can either specify the IP of your Hyper-V host or use 255.255.255.255.
The script is very much a work in progress project at the moment, but please try it and feed back any issues you have, or any other feedback, via the comments at the bottom.  As I improve it I’ll update this blog.  I’ve only tested the script on Windows Server 2016, using a non-admin account.
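The listener described above, written out as an added example: this is not the author's script (the post does not include it), and it assumes it runs on the Hyper-V host with the Hyper-V PowerShell module available and the UDP port from the prerequisites already open.

```powershell
# Added example, not the author's script: a minimal Wake-on-LAN listener for
# Hyper-V guests. Assumes it runs on the Hyper-V host with the Hyper-V module.
Import-Module Hyper-V

function Get-MagicPacketMac {
    param([byte[]]$Payload)
    # A magic packet is 6 x 0xFF followed by the target MAC repeated 16 times
    # (102 bytes); a SecureOn password may follow, so only check the prefix.
    if ($Payload.Length -lt 102) { return $null }
    for ($i = 0; $i -lt 6; $i++) { if ($Payload[$i] -ne 0xFF) { return $null } }
    $mac = $Payload[6..11]
    for ($rep = 1; $rep -lt 16; $rep++) {
        for ($j = 0; $j -lt 6; $j++) {
            if ($Payload[6 + $rep * 6 + $j] -ne $mac[$j]) { return $null }
        }
    }
    # Hyper-V reports MACs as 12 upper-case hex digits with no separators
    return (($mac | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-VMMacTable {
    # Map MAC -> VM name; skip adapters whose dynamic MAC has not been assigned
    $table = @{}
    foreach ($nic in Get-VMNetworkAdapter -VMName *) {
        if ($nic.MacAddress -ne '000000000000') { $table[$nic.MacAddress.ToUpper()] = $nic.VMName }
    }
    return $table
}

$port     = 7
$macTable = Get-VMMacTable
$listener = New-Object System.Net.Sockets.UdpClient($port)
$remote   = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
Write-Host "Listening on UDP/$port for $($macTable.Count) VM adapter(s)"
try {
    while ($true) {
        $payload = $listener.Receive([ref]$remote)
        $mac = Get-MagicPacketMac -Payload $payload
        if (-not $mac) { Write-Host "Ignored non-magic datagram from $($remote.Address)"; continue }
        if (-not $macTable.ContainsKey($mac)) { Write-Host "No local VM with MAC $mac"; continue }
        $vm = Get-VM -Name $macTable[$mac]
        if ($vm.State -eq 'Off') {
            Write-Host "Magic packet for $mac from $($remote.Address): starting $($vm.Name)"
            Start-VM -Name $vm.Name
        } else { Write-Host "$($vm.Name) is $($vm.State); nothing to do" }
    }
} finally { $listener.Close() }
```

Run it in a session that is allowed to manage VMs (Hyper-V Administrators membership is enough; full admin is not needed), and allow inbound UDP 7 in the Windows firewall first, for example with New-NetFirewallRule -DisplayName 'WoL listener' -Direction Inbound -Protocol UDP -LocalPort 7 -Action Allow.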

Quickly Applying MBAM Policy

Implementing Microsoft Bitlocker Administration and Monitoring (MBAM) is a great way to manage Bitlocker on your devices and can be quickly included in the deployment task sequence so that devices are encrypted as part of the task sequence and policy is enforced right from the start… almost.

My preferred way to implement MBAM during an OS deployment is to configure Bitlocker to use the protector “TPM Only” and encrypt the disk as part of the task sequence.  Once the deployment is complete the computer reboots and Group Policy is then applied.  In this Group Policy are the MBAM policy settings that dictate that devices should be protected by both the “TPM Only” and “Startup PIN” protectors.  Therefore, when the MBAM agent refreshes policy, it realises the discrepancy between how Bitlocker is currently configured (TPM Only) and what Group Policy is stipulating and then goes ahead and prompts the user to configure a PIN via the MBAM GUI.

Doing it this way works great except for one simple fact: you need to wait for the MBAM agent policy refresh cycle to run and display the GUI to the user to resolve the configuration discrepancy.  This can take up to 90 minutes which means that during this time window a device is not configured with the Startup PIN as required.

If you don’t want to wait for this policy refresh you can shortcut it by using the below trick.


The MBAM agent actually detects straight away that the configuration set on the device does not match Group Policy and logs an error event with Event ID 2 in the MBAM event log, but it doesn’t immediately display the MBAM GUI that obliges the user to add the PIN.  You can use the Windows Task Scheduler to attach a task to this event so that, when it is logged, the GUI is loaded immediately.

The below screenshots show the configuration I use in the scheduled task.

I publish the scheduled task via a Group Policy Preference which means that it is automatically deployed to all in-scope computers as soon as they are built.  Doing it this way means it can be centrally managed and updated easily.
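The same event-triggered task, registered from PowerShell as an added example rather than the author's Group Policy Preference; the MBAM log name, provider name and client UI path are placeholders to be read from the Event ID 2 entry's XML view in Event Viewer and from the MBAM client install folder on a test machine.

```powershell
# Added example, not the author's GPP-deployed task: register a scheduled task
# that launches the MBAM client UI as soon as the MBAM agent logs the Event ID 2
# "configuration does not match policy" error described above.
# PLACEHOLDERS: read the log (Channel) and Provider names from the logged event's
# XML view in Event Viewer, and the UI executable path from the MBAM client
# install folder; the event ID itself (2) comes from the post.
$mbamLog      = 'REPLACE-WITH-MBAM-EVENT-LOG-NAME'
$mbamProvider = 'REPLACE-WITH-MBAM-PROVIDER-NAME'
$mbamUi       = 'REPLACE-WITH-PATH-TO-MBAM-CLIENT-UI.exe'
$eventId      = 2

# Event-driven trigger: the ScheduledTasks module has no cmdlet for this, so
# build an MSFT_TaskEventTrigger CIM instance carrying an XPath subscription.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                             -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="$mbamLog">
    <Select Path="$mbamLog">*[System[Provider[@Name='$mbamProvider'] and EventID=$eventId]]</Select>
  </Query>
</QueryList>
"@

# The prompt must appear on the logged-on user's desktop, so run the task in
# the interactive user's context with limited rights rather than as SYSTEM.
$action    = New-ScheduledTaskAction -Execute $mbamUi
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                                          -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName 'MBAM - Prompt for PIN on policy mismatch' `
                       -Trigger $trigger -Action $action `
                       -Principal $principal -Settings $settings -Force
```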

Updating your NO-IP account with PowerShell

This is a little off topic from our usual stuff, but I could find no PowerShell examples anywhere on the web for this so thought it could be useful to someone else!

I run a server at home and have been using No-IP services for free DNS for years.  I had my Internet router configured to update NO-IP directly when my external IP address changed.  Recently though I changed the router for a new one, only to discover that it only supports updates to the DynDNS service, which is no longer free.

Rather than installing the No-IP agent onto my server I wondered if it would be possible to script it in PowerShell and run it as a scheduled task.  There are plenty of Linux and Python scripts on the web that do this, but none I could find in PowerShell; so I wrote my own 🙂

It’s simple to use, just follow the below steps:

  1. Create a new EventLog source by running the following command from an elevated PowerShell window: New-EventLog -LogName "Application" -Source "NO-IP Updater"  –  all events logged by the script will appear in this log
  2. Add the below code to a PowerShell script file
  3. Modify the values at the top of the script with your own values
  4. Set it to run as a scheduled task

The script currently pushes an update to the No-IP servers on a schedule, even if your IP has not changed.  Also, it only logs the return code from No-IP in the Application EventLog and does not take any action based on the value returned.  I’ll fix both of these points at some point in the future if they prove to be in demand.

Finally, it uses an external site in order to discover your external IP address.  This request can sometimes fail for no reason.  When this happens there is a routine in the script to try again from a different source.


# Set static content
$myUser = "MyUser"
$myPass = "MyPassword"
$myHost = "MyDomain.no-ip.org"
$logSource = "NO-IP Updater"   # must match the source created with New-EventLog in step 1

Write-EventLog -LogName "Application" -Source $logSource -EventId 666 -EntryType Information -Message "Starting..."

# Fetch external IP (-UseBasicParsing avoids the IE first-run dependency when running as a scheduled task)
Write-Host "Fetching external IP..."
$myIP = (Invoke-WebRequest -Uri "http://curlmyip.com" -UseBasicParsing).Content.Trim()

Write-Host "Value $myIP found, validating..."

# Validating IP
$IPCheck = [bool]($myIP -as [ipaddress])
Write-Host "Validation result: $IPCheck $myIP"

If ($IPCheck -eq $false)
{
    Write-Host "Failed to get external IP.  Trying with different host"

    $myIP = (Invoke-WebRequest -Uri "https://ifconfig.me/ip" -UseBasicParsing).Content.Trim()
    $IPCheck = [bool]($myIP -as [ipaddress])
    Write-Host "Validation result: $IPCheck $myIP"

    # Give up only if the second source also failed to return a valid address
    If ($IPCheck -eq $false)
    {
        Write-EventLog -LogName "Application" -Source $logSource -EventId 666 -EntryType Error -Message "Failed to get a valid external IP from both sources"
        Exit
    }
}

Write-Host "External IP: $myIP"

# Build URL for update
$URL = "https://dynupdate.no-ip.com/dns?username=$myUser&password=$myPass&hostname=$myHost&ip=$myIP"
# Same URL with the password masked, for console output and the event log
$safeURL = $URL.Replace("password=$myPass", "password=********")

# Print output
Write-Host "Updating host $myHost with IP $myIP"

# Update
$update = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content.Trim()

# Write to EventLog (the password is never written to the log)
$strToLog = "Return code: $update`r`nFull HTTPS string used: $safeURL"
Write-Host "Writing to log: $strToLog"
Write-EventLog -LogName "Application" -Source $logSource -EventId 666 -EntryType Information -Message $strToLog

Scripting the Creation of Windows 7 Libraries

Firstly: happy new year!  Secondly: yes I know this is about Windows 7 but there are still plenty of Windows 7 desktops out there!  I haven’t tested this on Windows 8.x yet, so if you do please let me know how it goes 🙂

Ever since Windows 7 was first released in Beta, one of the common gripes amongst the techies doing deployment projects was how to automate through scripting, and therefore MDT, the creation/modification of the Windows 7 Libraries.  I’ve seen a few different solutions but they were all rather ugly as they involved hacking the registry using a process discovered (no idea by whom) through trial-and-error. I never liked these hacks so would always steer customers well away from them (as well as toeing the Microsoft line of “this is an unsupported method” etc.).

Well, fret no more, because it seems that Microsoft finally got round to creating such a tool – and even published the source code for it!  You can find the MSDN documentation for SHLIB.exe here: http://msdn.microsoft.com/library/dd940379

Here are the usage instructions for it: shlib.exe SUBCOMMAND

Supported commands:

create   –   Creates a library at the specified path.
info   –   Prints info about the given library.
enum   –   Enumerates the folders in the library.
setattrib   –   Modifies the attributes of the library.
add   –   Adds the specified folder to the specified library.
remove   –   Removes the specified folder from the library.
setsaveloc   –   Sets the default save location of the library.
resolve   –   Resolves the specified folder in the library.
resolveall   –   Resolves all locations in the library in bulk.
manage   –   Displays the Manage Library Dialog for the library.

By the way, Raymond Chen also blogged about it here: http://blogs.msdn.com/b/oldnewthing/archive/2012/08/28/10343980.aspx

Snippet #1 – Checking for Admin Rights with PowerShell

I know we’ve all been rather slack with the blog lately, this post is a more concerted effort by me to resolve this!

As a die-hard VBScript-er I never really saw the need for me to learn Microsoft PowerShell… until I was required to use it to conform to the coding standards on a project I was working on. Well I get it now, it works and is immensely powerful.  Also, why write 20 lines of VBS when you can achieve the same with a single line of PowerShell? It works a treat, although I still drop back to VBS from time to time 🙂

Over time I’ll share code snippets that I use frequently that could prove useful to the masses, even if it is just to show the simplicity of something in PowerShell. The first snippet I’m sharing is how to check if your script is running with admin rights or not.

Add it as a function to your script; it then returns a Boolean value to the caller.

Function funcCheckAdminRights
{
    # Check whether the current token holds the built-in Administrators role
    # (with UAC enabled this is only true in an elevated session)
    $windowsIdentity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $windowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($windowsIdentity)
    $AdminRights = $windowsPrincipal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    If ($AdminRights)
    {
        # Admin rights OK
        Return $True
    }
    Else
    {
        # No admin rights
        Return $False
    }
}

# In a PowerShell script the function must be defined before it is called
$boolAdminRights = funcCheckAdminRights
Write-Host $boolAdminRights

Pretty simple!

Windows 8.1 and Windows Server 2012 R2 KMS Keys

I’ve had to go look for this information twice this month, both times struggling to remember how I found the information, so it seems only right to blog the answer as well as the link for both myself and anyone who is searching for it.
The below table lists all the KMS installation keys for Windows 8.1 and Windows Server 2012 R2.  You can use these keys to complete an installation of Windows and also to activate an already installed instance.

Operating system edition   –   KMS Client Setup Key
Windows 8.1 Professional   –   GCRJD-8NW9H-F2CDX-CCM8D-9D6T9
Windows 8.1 Professional N   –   HMCNV-VVBFX-7HMBH-CTY9B-B4FXY
Windows 8.1 Enterprise   –   MHF9N-XY6XB-WVXMC-BTDCT-MKKG7
Windows 8.1 Enterprise N   –   TT4HM-HN7YT-62K67-RGRQJ-JFFXW
Windows Server 2012 R2 Server Standard   –   D2N9P-3P6X9-2R39C-7RTCD-MDVJX
Windows Server 2012 R2 Datacenter   –   W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
Windows Server 2012 R2 Essentials   –   KNC87-3J2TX-XB4WP-VCPJV-M4FWM

In the source link below you can find the KMS keys for the following operating systems:

  • Windows Server 2012 R2 and Windows 8.1 Client Setup Keys
  • Windows Server 2012 and Windows 8 Client Setup Keys
  • Windows 7 and Windows Server 2008 R2
  • Windows Vista and Windows Server 2008

Source: http://technet.microsoft.com/en-us/library/jj612867.aspx

Internet Explorer Enhanced Protected Mode

Let’s be honest, Internet Explorer (IE) has had a bad reputation for a long time.  IE6 was probably the worst browser ever, and it hung around like a bad smell for year after year (much like Windows XP!).  But credit where credit’s due – Microsoft has raised their game immensely with Internet Explorer lately to the point where Internet Explorer is, in my opinion, now one of the best browsers available – the trouble is that its delinquent youth still haunts it meaning people are often all too quick to jump on the “Internet Explorer is rubbish” bandwagon!

But, with IE10, a new security feature was introduced: Enhanced Protected Mode.  Greatly simplified, this feature locks down even further the access that the browser has to your information, regardless of the security context it is running in.  Although a good thing, I’ve seen this feature trip some people up as it can pretty much cripple your browsing experience if you don’t know what is going on and make provisions for it.

When enabled the browser will have severely reduced permissions on your desktop, including any add-ons that it loads.  Indeed, if your add-ons are not specifically designed to work with Enhanced Protected Mode they will simply be disabled by IE, resulting in a “black X” placeholder being displayed instead of the expected content on the page.  So, when planning your browser upgrade/rollout, make sure you test all your browser plug-ins, and try to ensure that they are compatible with this feature – otherwise, disable it (for now).

Enhanced Protected Mode in Internet-Explorer

Your ultimate goal should be to resolve any compatibility issues with the view to re-enabling the feature, as it is beneficial to overall browser security.  Resolving these issues though may require upgrading these incompatible browser plug-ins, and this in itself could be a major task or even impossible if the plug-in vendor is unwilling to help.