Hyper-V Server and Bitlocker without TPM
As I found out today, Hyper-V Server 2012 R2
(the FREE version!) does support Bitlocker! Hooray!
Here is how to set it up:
1. You have to install the Bitlocker feature.
# Check all the roles / features
Get-WindowsFeature
# If Bitlocker is listed, install it
# I like to also add the management tools
Install-WindowsFeature Bitlocker -IncludeAllManagementTools
# After the install a reboot is needed
# You might as well include the '-Restart' parameter in the above command
shutdown -r -f -t 0
2. If you don’t have a TPM you will need to allow the use of Bitlocker without a TPM via Group Policy, either in your domain or via the local Group Policy snap-in on the machine in question. To do that, set the following group policy setting to “Enabled”.
Since we are on the Hyper-V Core machine, you have to set up remote management first and use the MMC Group Policy Object Editor.
Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup
Make sure to check “Allow BitLocker without a compatible TPM”.
3. Encrypting a drive with Bitlocker requires that a system administrator provides Bitlocker with one or more security protectors to protect the drive. I will be using a password, however one can also use a USB key and other methods to lock and unlock the Bitlocker volume.
# manage-bde: invokes the tool
# -protectors: defines what we are going to do (add protectors to the drive)
# -add: lets manage-bde know we are going to add protectors to the drive
# C: defines which drive should receive the new protector
# -password: will allow us to set a self-defined password to unlock the drive
# -recoverypassword: generates a random recovery key
manage-bde -protectors -add C: -password -recoverypassword
You should be prompted to enter your self-defined password twice, and you should receive a randomly generated recovery key printed on the screen. Copy this down immediately so it’s not lost, as it will be the only way to recover the volume if the user password is forgotten.
HINT: To have the recovery key automatically saved to a USB thumb drive add the following to the end of the command:
-RecoveryKey X:\
where X: should be the drive letter of the USB thumb drive (manage-bde’s switch is -RecoveryKey, or -rk for short).
Once the protectors have been put in place we can start the encryption of the volume with the following command:
# -on: lets manage-bde know we want to enable Bitlocker on the drive
# C: defines the drive which will be encrypted using Bitlocker
# In case you are encrypting a thin-provisioned virtual machine, add the -UsedSpaceOnly
# switch at the end of the command to encrypt only the used space on the volume
manage-bde -on C:
After the command is executed you will be prompted to restart your computer to complete the Bitlocker drive test. The test checks that you are able to log in to your system with Bitlocker enabled. Once the computer has restarted and you have made it back into Windows, Bitlocker should start encrypting the drive.
You can keep an eye on the status of the encryption process with the following command:
manage-bde -status
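As an added check (example code, not part of the original post), the following uses the BitLocker PowerShell module that ships with the Bitlocker feature to confirm the OS volume really has the protectors the manage-bde steps above should have created, and to list the recovery password(s) so they can be stored somewhere other than the server itself. The mount point defaults to C: as in the post.

```powershell
# Added example: verify the result of the manage-bde steps on the OS volume.
function Test-OsVolumeProtectors {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $result = [ordered]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus         # e.g. EncryptionInProgress, FullyEncrypted
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus     # stays Off until encryption completes
        HasPassword          = $types -contains 'Password'
        HasRecoveryPassword  = $types -contains 'RecoveryPassword'
        Problems             = @()
    }

    # Without a recovery password a forgotten password means the data is gone for good.
    if (-not $result.HasRecoveryPassword) {
        $result.Problems += 'No RecoveryPassword protector: add one and store it off the box.'
    }
    # Something has to unlock the drive at boot: password (no-TPM case), TPM, or a startup key.
    $unlock = @('Password', 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey')
    if (-not ($types | Where-Object { $unlock -contains $_ })) {
        $result.Problems += 'No unlock protector found; manage-bde -on will not be allowed to proceed.'
    }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $result.Problems += 'Volume is not encrypted yet: run manage-bde -on C:'
    }
    [pscustomobject]$result
}

# Recovery passwords to copy to your documentation, never left only on this host.
function Get-RecoveryPasswords {
    param([string]$MountPoint = 'C:')
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, RecoveryPassword
}

Test-OsVolumeProtectors -MountPoint 'C:' | Format-List
Get-RecoveryPasswords  -MountPoint 'C:' | Format-Table -AutoSize
```

An empty Problems list plus a RecoveryPassword row is what you want to see before rebooting into the drive test.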
Source:
http://jack-brennan.com/bitlocker-on-server-2012-and-hyper-v-server-core
Peel garlic in seconds
Soooo easy yet so helpful :o)
How to manage Hyper-V Server
Since managing it remotely in a non-domain environment is a pain in the neck and I’ll have to set up quite a few servers in the next couple of weeks, here is a quick ‘how to’ for managing Hyper-V Server 2016 remotely.
SERVER CONFIGURATION
1. Run sconfig
2. Configure Remote Management + ping (Opt. 4 -> Opt. 4 -> Opt. 1)
3. Enable Remote Desktop (Opt. 7 -> e -> Opt. 2)
4. Run this command to allow RDP through the server’s firewall:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
5. Launch PowerShell and execute this command:
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
CLIENT CONFIGURATION
1. Add an entry to the hosts file, as you cannot add a Hyper-V server via IP
(e.g. 192.168.1.1 HOSTSRV01.WORGROUP HOSTSRV01)
2. Run -> dcomcnfg, right-click on ‘My Computer’ -> Properties -> COM Security tab -> Access Permissions -> Edit Limits -> Anonymous Logon -> Allow ‘Local & Remote’ Access
3. Store the credentials for the host:
cmdkey /add:<HostServerName> /user:<AdminUsername> /pass:"<Password>"
4. Install the RSAT tools for your operating system. Open Server Manager and add the Hyper-V host as a server.
5. You should get a permission error; run the following command:
Set-Item wsman:\localhost\Client\TrustedHosts <HostServerName> -Concatenate -Force
Now you should be able to remote manage / create / edit your Hyper-V Server.
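The client-side steps above as one PowerShell script (an added example, not the post’s own code): it checks that the hosts-file name resolves, stores the credentials, adds just that one name to TrustedHosts instead of a wildcard, and confirms WinRM answers before Server Manager is opened. $HostName and $HostIp are placeholders for your own host; run it from an elevated PowerShell.

```powershell
# Added example: client-side setup for one workgroup Hyper-V host.
param(
    [string]$HostName = 'HOSTSRV01',      # placeholder: the Hyper-V host's name
    [string]$HostIp   = '192.168.1.1'     # placeholder: its address from the hosts-file entry
)

# Hyper-V Manager needs the name, not the IP, so the hosts-file entry has to resolve.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object IPAddressToString
    if ($addrs -notcontains $HostIp) {
        Write-Warning "$HostName resolves to $($addrs -join ', '), not $HostIp; check the hosts-file entry."
    }
} catch {
    Write-Warning "$HostName does not resolve; add '$HostIp $HostName' to $env:SystemRoot\System32\drivers\etc\hosts."
}

# Same as the cmdkey step, but prompting for the password instead of typing it on the command line.
$cred = Get-Credential -Message "Admin account on $HostName"
cmdkey /add:$HostName "/user:$($cred.UserName)" "/pass:$($cred.GetNetworkCredential().Password)" | Out-Null

# Hosts on this list are contacted without Kerberos mutual authentication,
# so list the exact name rather than '*'. -Concatenate appends; without it the list is replaced.
$path    = 'WSMan:\localhost\Client\TrustedHosts'
$current = (Get-Item $path).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -contains $HostName) {
    Write-Host "TrustedHosts already lists $HostName"
} else {
    Set-Item $path -Value $HostName -Concatenate -Force
    Write-Host "TrustedHosts: '$current' -> '$((Get-Item $path).Value)'"
}

# Is WinRM answering? If not, the host still needs sconfig option 4 (Configure Remote Management).
try {
    Test-WSMan -ComputerName $HostName -ErrorAction Stop | Out-Null
    Write-Host "WinRM reachable on $HostName"
} catch {
    Write-Warning "WinRM not reachable on $HostName: $($_.Exception.Message)"
}
```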
Set mass ACL permissions
Alright, so one of our customers’ shared drives broke. We were able to restore it and such, however the needed rights were gone. I found a cool nifty tool called “SubInACL” to help me out. The default install path is
C:\Program Files (x86)\Windows Resource Kits\Tools
The syntax for SubInACL is like so:
SUBINACL /<service> \\MachineName\FOLDER\* /GRANT=[DomainName\]UserName[=Access]
So in my case I used:
subinacl /file D:\Data\* /grant=system=F
subinacl /file D:\Data\* /grant=<domainname>\<username>=F
The available access values are:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
To get all the sub-directories you can use the switch ‘/subdirectories‘
Such an easy command saved the day!
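After a mass grant like the one above it is worth confirming that every folder under the share actually ended up with the rights. The following is an added example, not from the original post: it walks the tree with Get-Acl and reports any folder where a listed identity lacks the expected rights. The root path and identities are placeholders.

```powershell
# Added example: report folders where the expected Allow rights are missing after subinacl.
function Test-FolderRights {
    param(
        [string]$Root = 'D:\Data',                                            # placeholder share root
        [string[]]$Identities = @('NT AUTHORITY\SYSTEM', 'CONTOSO\someuser'), # placeholder identities
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )

    # Root folder plus every subdirectory (what /subdirectories should have covered).
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($id in $Identities) {
            # Satisfied if an Allow rule for this identity contains at least the requested bits.
            # Note: inherited rules carrying generic rights show odd negative values and are not
            # matched here; inspect those folders by hand.
            $ok = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -ieq $id -and
                (($_.FileSystemRights -band $Rights) -eq $Rights)
            }
            if (-not $ok) {
                [pscustomobject]@{ Path = $dir.FullName; Identity = $id; Missing = $Rights }
            }
        }
    }
}

# Anything listed is a folder subinacl did not reach (e.g. /subdirectories was left off).
Test-FolderRights | Format-Table -AutoSize
```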
Repoint a bunch of TSProfilePaths…
We are still working on a migration for a LOT of users from a local infrastructure to solely working in the cloud. As part of that we have to move their roaming profiles to the cloud as well (why oh why did the previous MSP recommend roaming profiles… ;o( …). Anyways, so we moved the data via VPN and robocopy to the data server in AWS, however we still have to re-point the roaming profile path in AD. Sure enough there is no easy way (or none that I found, anyway) to re-point the TSProfilePath.
So I wrote a little script. I first got the SAMAccountName from all the users with a roaming profile and put them in a list.
Then I went through the list and updated the ADSI value of the TerminalServicesProfilePath attribute for each user in the list.
# This AD is a mess so we don't need all the errors for non-existing (anymore) users
$ErrorActionPreference = 'SilentlyContinue'
# Get list.txt content for all roaming profile users (one SAMAccountName per line)
$List = Get-Content C:\list.txt
# Go through each line and get the line content (SAMAccountName)
foreach ($SAM in $List) {
    # Go to the SAMAccountName LDAP entry and update the TerminalServicesProfilePath
    Get-ADUser $SAM | ForEach-Object {
        $User = [ADSI]"LDAP://$($_.DistinguishedName)"
        $User.psbase.InvokeSet("TerminalServicesProfilePath", "\\data\tsprofile\$SAM")
        $User.psbase.InvokeSet("TerminalServicesHomeDrive", "H:")
        $User.psbase.InvokeSet("TerminalServicesHomeDirectory", "")
        $User.SetInfo()
    }
}
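The same re-pointing as a report-first script (an added example, not the original post’s code): it reads each user’s current TerminalServicesProfilePath, shows old versus new, reports accounts that no longer exist instead of silencing every error, and only writes when -Apply is given. The list path and the \\data\tsprofile share are placeholders taken from the post; the home drive settings are left out.

```powershell
# Added example: dry-run by default, -Apply to write the new profile path to AD.
param(
    [string]$ListPath = 'C:\list.txt',        # one SAMAccountName per line
    [string]$NewRoot  = '\\data\tsprofile',   # placeholder share root
    [switch]$Apply
)
Import-Module ActiveDirectory

foreach ($line in Get-Content $ListPath | Where-Object { $_.Trim() }) {
    $SAM    = $line.Trim()
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$SAM'"
    if (-not $adUser) {
        # Surface stale list entries rather than hiding them behind SilentlyContinue.
        [pscustomobject]@{ SAM = $SAM; Status = 'NotFound'; Old = $null; New = $null }
        continue
    }

    $entry = [ADSI]"LDAP://$($adUser.DistinguishedName)"
    # InvokeGet throws when the TS attribute was never set; treat that as empty.
    $old = try { $entry.psbase.InvokeGet('TerminalServicesProfilePath') } catch { '' }
    $new = "$NewRoot\$SAM"

    $status = if ($old -eq $new) { 'AlreadySet' } elseif ($Apply) { 'Updated' } else { 'WouldUpdate' }
    if ($Apply -and $old -ne $new) {
        $entry.psbase.InvokeSet('TerminalServicesProfilePath', $new)
        $entry.SetInfo()
    }
    [pscustomobject]@{ SAM = $SAM; Status = $status; Old = $old; New = $new }
}
```

Run it once without -Apply and pipe the output to Export-Csv to review the planned changes before the second, real run.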