Offline Virtual Machine Servicing Tool v2.1 (VHD)


Virtualization affects how we plan, build, deploy, operate, and service workloads. Customers are creating large libraries of virtual machines containing various configurations. The patch state of these virtual machines is not always known. Ensuring that offline virtual machines are properly patched and won't become vulnerable the instant they come online is critical.

I am therefore very pleased to state that the Offline Virtual Machine Servicing Tool v2.1 has now been released!

Congratulations to the Solution Accelerator team for this release!

The Offline Virtual Machine Servicing Tool 2.1 has free, tested guidance and automated tools to help customers keep their virtualized machines updated, without introducing vulnerabilities into their IT infrastructure.

The tool combines the Windows Workflow programming model with the Windows PowerShell interface to automatically bring groups of virtual machines online, service them with the latest security updates, and return them to an offline state.

What’s New?

Release 2.1 is a direct response to customer and Microsoft field requests to support the R2 wave. Offline Virtual Machine Servicing Tool 2.1 now supports the following products:
· Hyper-V R2
· VMM 2008 R2
· SCCM 2007 SP2
· WSUS 3.0 SP2

OVMST 2.1 also supports updating Windows 7 and Windows Server 2008 R2 virtual machines.

Download: Offline Virtual Machine Servicing Tool 2.1

Microsoft’s Hyper-V R2 vs. VMware’s vSphere: A feature comparison

VMware and Microsoft are ramping up their virtualization games with relatively new releases. Scott Lowe compares and contrasts some of the major features in vSphere and Hyper-V R2.


Microsoft was late to the virtualization game, but the company has made gains against its primary competitor in the virtualization marketplace, VMware. In recent months, both companies released major updates to their respective hypervisors: Microsoft’s Hyper-V R2 and VMware’s vSphere. In this look at the hypervisor products from both companies, I’ll compare and contrast some of the products’ more common features and capabilities. I do not, however, make recommendations about which product might be right for your organization.

Table A compares items in four editions of vSphere and three available editions of Hyper-V R2. Below the table, I explain each of the comparison items. (Product note: With the release of vSphere, VMware has released an Enterprise Plus edition of its hypervisor product. Enterprise Plus provides an expanded set of capabilities that were not present in older product versions. Customers have to upgrade from Enterprise to Enterprise Plus in order to obtain these capabilities.)

Table A

Continue reading

New Sysinternals tool: Disk2vhd!

I am a big fan of Sysinternals tools and I use these tools quite often to debug OS-related issues. These tools are quite useful when you want to understand the internals of the OS. Mark and his team have been doing a great job in keeping these tools up to date and adding new features once in a while. One such new tool that got released yesterday is Disk2vhd. You can download it here. Here is how the TechNet page describes this new tool.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft's Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that's online. Disk2vhd uses Windows' Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).


I downloaded this tool in the morning and experimented a bit on my Windows 7 system. Usage of this tool is straightforward. You see a dialog with all disk partitions, as listed in the screenshot here. All you need to do is select all the partitions you want to export to a VHD and click "Create". The VHD export will take some time based on the overall disk size you selected. For my experiments, I just selected the first two partitions. This is because I have all the BCD information on partition 1 and without that my new VHD will be meaningless. You may see a lot of CPU/memory utilization while the export is in progress. On my system, it looked something like this.

Once the export is complete, I rebooted my system into Windows Server 2008 R2 and created a virtual machine and attached the exported VHD. That is it. My virtual machine is ready with the installed OS and all the applications I was running on the physical Windows 7 system.

As I powered on the VM, the first screen showed me the boot menu I usually see on my physical machine. This is because I never removed the additional multi-boot entries I had in the BCD stored on the first partition. These entries — if selected — won't work because I did not export the partitions containing those OS images to the VHD.


At this point, I continued by selecting the Windows 7 entry and started booting the OS. Within a few seconds, I could see the user selection screen and after I logged in using my regular user account, I could see all the applications working as usual. I also have Windows Virtual PC with WinXP mode in the VHD image. But — as I expected — that did not work as it requires hardware-assisted virtualization, which is something that will not be available inside a virtual machine.
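A check worth running before handing a freshly exported image to Hyper-V is that the file actually ends with a well-formed VHD footer; a copy that was interrupted, or a file that is not a VHD at all, fails here rather than at VM boot. The script below is an added example and is not code from the original post or from Sysinternals. It parses the published VHD footer layout (512 bytes at the end of the file, big-endian fields) and checks the cookie, the checksum, the disk type and, for fixed disks, the file length. `$VhdPath` is an assumed location, and the comment showing Disk2vhd's command-line syntax is taken from its documentation.

```powershell
# Added example (not from the original post): validate the footer of a VHD produced by
# Disk2vhd (or any other tool) before attaching it to a VM. Works on Windows PowerShell 2.0.
# Disk2vhd can also be driven from the command line, e.g.:
#     disk2vhd C: D: D:\VHD\win7-export.vhd
function ConvertFrom-BigEndian {
    param([byte[]]$Bytes, [int]$Offset, [int]$Length)   # Length is 4 or 8
    $slice = [byte[]]$Bytes[$Offset..($Offset + $Length - 1)]
    [Array]::Reverse($slice)
    if ($Length -eq 8) { [BitConverter]::ToUInt64($slice, 0) } else { [BitConverter]::ToUInt32($slice, 0) }
}

function Test-VhdFooter {
    param([byte[]]$Footer, [long]$FileLength)   # $Footer = last 512 bytes of the file
    $problems = @()

    # Offset 0, 8 bytes: cookie, always the ASCII string "conectix"
    $cookie = [Text.Encoding]::ASCII.GetString($Footer, 0, 8)
    if ($cookie -ne 'conectix') { $problems += "bad cookie '$cookie' (expected 'conectix'); truncated file or not a VHD" }

    # Offset 64, 4 bytes: checksum = one's complement of the byte sum of the footer
    # with the checksum field itself treated as zero
    $sum = 0
    for ($i = 0; $i -lt 512; $i++) { if ($i -lt 64 -or $i -gt 67) { $sum += $Footer[$i] } }
    $stored = ConvertFrom-BigEndian $Footer 64 4
    if ($stored -ne ([uint32]::MaxValue - [uint32]$sum)) { $problems += 'footer checksum mismatch' }

    # Offset 60, 4 bytes: disk type (2 = fixed, 3 = dynamic, 4 = differencing)
    $typeNames = @{ 2 = 'Fixed'; 3 = 'Dynamic'; 4 = 'Differencing' }
    $type = ConvertFrom-BigEndian $Footer 60 4
    $typeName = $typeNames[[int]$type]
    if (-not $typeName) { $problems += "unknown disk type $type" }

    # Offset 40/48, 8 bytes each: original and current virtual size
    $original = ConvertFrom-BigEndian $Footer 40 8
    $current  = ConvertFrom-BigEndian $Footer 48 8
    # A fixed VHD is exactly the data followed by the footer; dynamic files are shorter
    if ($type -eq 2 -and $FileLength -ne ([long]$current + 512)) {
        $problems += "fixed VHD length $FileLength does not equal current size $current + 512"
    }

    New-Object PSObject -Property @{
        DiskType     = $typeName
        CurrentSize  = $current
        OriginalSize = $original
        Creator      = [Text.Encoding]::ASCII.GetString($Footer, 28, 4)   # creator application tag
        Valid        = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

function Test-VhdFile {
    param([string]$Path)
    $fs = [IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt 512) { throw "$Path is smaller than a VHD footer" }
        [void]$fs.Seek(-512, [IO.SeekOrigin]::End)
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        Test-VhdFooter -Footer $buf -FileLength $fs.Length
    }
    finally { $fs.Close() }
}

$VhdPath = 'D:\VHD\win7-export.vhd'   # assumed location of the Disk2vhd output
Test-VhdFile -Path $VhdPath | Format-List DiskType, CurrentSize, OriginalSize, Creator, Valid, Problems
```

`Test-VhdFooter` is kept separate from the file I/O so it can be run against any 512-byte buffer; a failing checksum or cookie on an image that Disk2vhd reported as complete usually means the copy to its final location was cut short.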


Windows Server 2008 Service Pack 2 has reached RTM!

On Wednesday, April 29th, the Release to Manufacturing (RTM) of Windows Server 2008 Service Pack 2 (SP2) was achieved! Windows Server 2008 has seen great success and SP2 will make it that much better! SP2 includes all updates delivered since the release of Windows Server 2008, as well as support for new types of hardware and emerging hardware standards.

IT Professionals will see numerous benefits from SP2, the key benefits are below:

o SP2 provides the Hyper-V virtualization environment as a fully integrated feature of Windows Server 2008, including one free virtual instance with Windows Server 2008 Standard, four free instances with Windows Server 2008 Enterprise and an unlimited number of free instances with Windows Server 2008 Datacenter.

o SP2 improves backwards compatibility for Terminal Server license keys

o SP2 includes additional power profile improvements over Windows Server 2008 RTM

Last, but certainly not least, there is a single service pack that applies to both Windows Server 2008 and Windows Vista for x86 and x64 versions. Now IT Professionals only have to deploy, manage, and support one package for both client and server!

We understand that some customers may not be ready to deploy SP2 when it becomes available for download, which is why we have the Service Pack Blocker Tool available for you. The Service Pack Blocker Tool allows you to block the installation of SP2 on all or some of the machines in your infrastructure for up to 12 months after general availability of SP2. The download package includes tools for using group policy, remote script execution, or a signed executable to accomplish this. All the pertinent information can be found on the Blocker Tool link above.

Windows Server 2008 and Windows Vista SP2 will be available for download publicly in Q2 2009.


Justin Graham
Windows Server Team

Microsoft Hyper-V Server 2008 R2 Release Candidate available now! FREE!

Microsoft® Hyper-V™ Server 2008 R2 is a stand-alone product that provides a reliable and optimized virtualization solution enabling organizations to improve server utilization and reduce costs. With the addition of new features such as live migration and expanded processor and memory support for host systems, it allows organizations to consolidate workloads onto a single physical server and is a good solution for organizations who are consolidating servers as well as for development and test environments.

By having the ability to plug into existing IT infrastructures, Microsoft Hyper-V Server 2008 R2 enables companies to reduce costs, improve utilization and provision new servers. It allows IT professionals to leverage existing patching, provisioning, management and support tools and processes. IT professionals can continue to leverage their individual skills and the collective knowledge of Microsoft tools, minimizing the learning curve to manage Microsoft Hyper-V Server 2008 R2. In addition, with Microsoft providing comprehensive support for Microsoft applications and heterogeneous guest operating systems, customers can virtualize with confidence and peace of mind.

Note: This is a pre-release version of Microsoft® Hyper-V™ Server 2008 R2 and not intended to be used in a production environment.

Microsoft Hyper-V Server 2008 R2 Release Candidate! (Free Live Migration/HA Anyone?)

The Virtualization team is pleased to announce the availability of the Microsoft Hyper-V Server 2008 R2 Release Candidate for download. Hyper-V Server 2008 R2, our free standalone hypervisor, represents our continued commitment to providing high performance, hypervisor based virtualization for everyone, especially small and mid-market customers. This release underscores our customer focus by adding key new capabilities such as Live Migration and High Availability (and more). The Microsoft Hyper-V Server 2008 R2 Release Candidate is available here:

Free Live Migration and High Availability? Really?

A couple of weeks ago, Zane Adam first blogged the news that Hyper-V Server 2008 R2 would include Live Migration and High Availability at no charge. The response from our customers was "AWESOME!! When is the final release?" :-) Understandably, the phone's been ringing off the hook, my inbox has been on overdrive and some folks in the blogosphere have been trying to imply <cough, cough, FUD> that there are some strings attached. So, I wanted to take a moment to provide more details about the upcoming Hyper-V Server 2008 R2 release and free Live Migration & High Availability.

Hyper-V Server 2008 R2 Availability

When Hyper-V Server 2008 R2 goes gold and is released to manufacturing (RTM) the bits will be available as a free download here:

Hyper-V Server 2008 R2 will be available worldwide in 11 languages. Continue reading

VMware vSphere

There's hardly any point in covering the announcements of today. There are so many people blogging right now that no one will have the chance to keep up with reading. That's why I decided not to write or copy any of the announcements. Of course I just might give my thoughts on the webcast this evening but that's probably it… Anyway, I divided it up into two major sections, "News" and "Previews", and within these sections VMware and of course "Bloggers Community". I will keep updating this post, make sure to visit it again.

Continue reading

How to convert VMware images to Hyper-V images?

Here’s a small how-to based on my experiences:

1) Uninstall VMware Tools from your VM

2) Shutdown the VM

If your VMs are based on SCSI drives (like mine were – because VMware recommends SCSI) and the operating systems are Windows XP, Windows Server 2003 or earlier, then you have to get the IDE channel driver installed and active in the guest before you shut it down in VMware (steps 3 to 5 below).

Otherwise you will end up with a converted VM that starts up in Hyper-V with a blue screen of death (BSOD) showing 0x0000007B – "Inaccessible Boot Device". Hyper-V can only boot a VM from its emulated IDE controller, so the converted disk is presented as the master on the primary IDE channel. A guest that only ever had SCSI disks in VMware has no working primary IDE channel, so Windows cannot reach its own boot volume and stops with 0x7B.

Doing a Windows Repair Install can fix the 0x7B Inaccessible Boot Device error – but it’s both time consuming and the result might not be good. (Believe me – I had to redo a migration of a SharePoint installation because a Windows Repair Install messed it up. Luckily I then came up with the solution described below instead).

Please note that adding a temporary IDE disk to your VM is not necessary with VMs running Windows Vista or Windows 2008 – they seem to detect the Primary IDE Channel during initial boot phase.

3) Add a new IDE disk drive to your VM: (any size will do)

Make sure that you select “Adapter: IDE 0 Device: 0” under “Virtual Device Node” while creating the new disk (otherwise you might end up with yet another SCSI disk)

4) Boot up your virtual machine with both drives connected and check that it detects your new IDE drive (along with a primary IDE channel and a disk device driver). You should be able to see the new drive as "not initialized" in Disk Management.

5) Power off your virtual machine and remove the newly created IDE disk from your VM (you can delete it from disk as well). Do not power on your VMware Machine again!

6) Now convert your VMDK file to VHD format using the newest Vmdk2Vhd utility (currently version 1.0.13) that can be downloaded from

7) You can now uninstall VMware Server and install Hyper-V + current Windows Updates on your host server

8) Create a new Virtual Machine in Hyper-V. Make sure you select “Use an existing virtual hard disk” and select the VHD file that you just created.

9) Power it on, Install “Integration Services” and reboot when prompted:

10) Assign the original IP address(es) to your new network card(s)

11) Check device manager

12) Do another reboot

13) Check that all your applications and services are running

14) Done!


Note: if you have Windows Server 2008 VMs then it's not necessary to add a temporary IDE disk during migration, but you might want to copy the KB949219 update package to your VM before converting it. Otherwise it will start up with three warnings in Device Manager for "Microsoft VMBus Video Device", "Microsoft VMBus HID Miniport" and "Microsoft VMBus Network Adapter" – hence you will have no network access. I worked around it by "burning" the KB949219 update to an ISO file using ISO Recorder and mounting the ISO file in my VM.
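Steps 3 to 5 above are the author's verified route and depend on booting the VM in VMware one more time. When that is no longer possible, because the VMDK has already been converted or VMware Server has already been removed, the long-standing registry fix for Stop 0x7B after a storage-controller change can be applied to the VHD offline. The script below is an added example and is not part of the original post. It attaches the VHD, loads the guest's SYSTEM hive, and in the control set the guest boots from makes the IDE port driver (atapi) and controller miniports (intelide, pciide) boot-start and maps Hyper-V's emulated Intel PIIX4 IDE controller to them in the critical device database. It assumes an elevated Windows PowerShell session on Windows 7 or Windows Server 2008 R2 (where diskpart can attach a VHD), that the VHD holds the only Windows installation on a non-system drive, and that `$Vhd` is your path. It only re-enables drivers that are already present in the guest; if the service keys are missing, the temporary-IDE-disk method above is still required.

```powershell
# Added example (not the post author's procedure): offline Stop 0x7B fix for an already
# converted Windows XP / Server 2003 VHD. Run elevated on Windows 7 / Server 2008 R2.
$Vhd = 'D:\VMs\converted-sharepoint.vhd'   # assumed path to the converted disk

function Invoke-Diskpart([string[]]$Commands) {
    $script = [IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $script -Encoding ASCII
    diskpart /s $script | Out-Null
    Remove-Item $script
}

Invoke-Diskpart @("select vdisk file=`"$Vhd`"", 'attach vdisk')
Start-Sleep -Seconds 5   # give the mount manager time to assign a drive letter

# Find the attached volume: the first ready, non-system drive that carries a SYSTEM hive
$root = [IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady -and $_.Name -ne "$env:SystemDrive\" -and
                   (Test-Path (Join-Path $_.Name 'Windows\System32\config\SYSTEM')) } |
    Select-Object -First 1 -ExpandProperty Name
if (-not $root) {
    Invoke-Diskpart @("select vdisk file=`"$Vhd`"", 'detach vdisk')
    throw "No Windows installation found inside $Vhd"
}

reg load HKLM\OfflineSys (Join-Path $root 'Windows\System32\config\SYSTEM') | Out-Null
try {
    # Select\Current says which ControlSetNNN is CurrentControlSet when the guest boots
    $current = (Get-ItemProperty -Path 'HKLM:\OfflineSys\Select').Current
    $cs = 'HKLM:\OfflineSys\ControlSet{0:D3}' -f $current

    # Start: 0 = boot, 1 = system, 3 = demand, 4 = disabled. The boot disk driver stack must
    # be boot-start or the kernel cannot open the boot volume and stops with 0x7B.
    foreach ($svc in 'atapi', 'intelide', 'pciide') {
        $key = "$cs\Services\$svc"
        if (Test-Path $key) {
            $old = (Get-ItemProperty -Path $key).Start
            Set-ItemProperty -Path $key -Name Start -Value 0 -Type DWord
            "$svc : Start $old -> 0"
        } else {
            # No service key means the driver was never installed in this guest, so this
            # edit cannot help; use the temporary IDE disk method from the post instead.
            Write-Warning "$svc : service key missing in the guest hive"
        }
    }

    # Hyper-V's emulated IDE controller is an Intel 82371AB (PCI VEN_8086 DEV_7111).
    # The critical device database must map it (and generic class 01:01 IDE controllers)
    # to a boot driver so PnP can bind it before the boot volume is needed.
    $cddb = @{ 'pci#ven_8086&dev_7111' = 'intelide'; 'pci#cc_0101' = 'pciide' }
    foreach ($id in $cddb.Keys) {
        $key = "$cs\Control\CriticalDeviceDatabase\$id"
        if (-not (Test-Path $key)) { [void](New-Item -Path $key -Force) }
        Set-ItemProperty -Path $key -Name Service   -Value $cddb[$id]
        Set-ItemProperty -Path $key -Name ClassGUID -Value '{4D36E96A-E325-11CE-BFC1-08002BE10318}'  # hdc class
    }

    # The driver binaries must be on disk too, or the boot-start entries cannot load
    foreach ($f in 'atapi.sys', 'intelide.sys', 'pciide.sys', 'pciidex.sys') {
        if (-not (Test-Path (Join-Path $root "Windows\System32\drivers\$f"))) { Write-Warning "$f is missing from the guest" }
    }
}
finally {
    [GC]::Collect()                       # release PowerShell's handles on the loaded hive
    reg unload HKLM\OfflineSys | Out-Null
    Invoke-Diskpart @("select vdisk file=`"$Vhd`"", 'detach vdisk')
}
```

Take a copy of the VHD before running this: the edit is small, but it is made to the boot-critical part of the guest registry and there is no undo once the hive is unloaded.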

This post lists best practices for securing a Terminal Server or Windows XP (for use with VDI).

How can I protect my terminal servers from spyware, malware, Trojans, worms, viruses and unauthorized software?

  1. Start with a secure installation of the operating system. Windows Server 2003 installs by default allowing users to create files and folders in the root of the system drive, and Windows 2000 Server installs by default with the Everyone group having Full Control NTFS permissions on the entire system drive. To lock down the system drive on Windows 2000 Server, start with the following settings:

    1. Root of System Drive – Authenticated Users = "Read and Execute"

    2. Root of System Drive – Administrators = "Full Control"

    3. Root of System Drive – System = "Full Control"

    4. Program Files Directory – Authenticated Users = "Read and Execute"

    5. Program Files Directory – Administrators = "Full Control"

    6. Program Files Directory – System = "Full Control"

  2. NEVER allow anyone to log on as an administrator or power user, unless they are a member of the IT staff / IT consulting firm that is responsible for the server, and they are logging on to perform administrative functions, i.e. installing software, performing a backup…

  3. Force "Empty Temporary Internet Files when browser closed" via Group Policy.  This will delete most bad files from the Temp IE location of the user’s profile, and leave only the cookie files.

  4. Implement Roaming Terminal Server Profiles, Mandatory Terminal Server Profiles or Flex Terminal Server Profiles.

  5. Enable DeleteRoamingCache in the registry, or via "Delete cached copies of roaming profiles" in Group Policy. Since the roaming profile does not propagate the user's Temp directory, enabling this policy usually deletes anything the user downloaded unintentionally. This policy deletes the user's local profile at logoff once it has been successfully unloaded and copied to the roaming location.

  6. Install the User Profile Hive Cleanup Service , which helps to ensure user sessions are completely terminated when a user logs off.  Without this service, user profiles are often not unloaded successfully which causes the copy to the roaming profile location and DeleteRoamingCache setting to fail.

  7. Install a Terminal Server compatible anti-virus scanner on each terminal server, a VSAPI anti-virus scanner on each SMTP Server, and an anti-virus scanner at the Internet Gateway.

  8. Set the Terminal Services Configuration permission compatibility to "Full Security" (Windows Server 2003), or to "Windows 2000 Users" (Windows 2000 Server). If you use "Permissions compatible with Terminal Server 4.0 Users" (Windows 2000 Server) or "Relaxed Security" (Windows Server 2003), each user logging on is added to the Terminal Server User group, which is granted permissions and rights comparable to the Power Users group.

  9. Enable Software Restriction Policies in Group Policy, to define which files can be executed by users.

  10. If users need only one application, specify this program to start when they logon.  This can be done for everyone via Group Policy or Terminal Services Configuration , or for specific users via Active Directory or Local User Account.

  11. Consider locking down the user environment with a FREE program like BrsSuite, designed by Terminal Server security expert Fabrice Cornet of FC Consult, Belgium.

  12. Restrict access to applications normal users shouldn’t ever use, or that do not follow the policy restrictions in place, i.e. winfile and
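The ACL recommendations in item 1 are easy to state and easy to drift away from as software gets installed. The script below is an added example, not part of the original post: it audits the root of the system drive and the Program Files directory for allow entries that grant any write-type right to the broad groups a terminal server user always belongs to, and prints the target state from item 1 next to the findings. It is read-only and runs on any Windows with Windows PowerShell; the principal names it matches are the English display names and are an assumption of this example.

```powershell
# Added example (not from the original post): find ACEs on the system drive root and
# Program Files that let ordinary terminal server users write. Read-only.
$AuditPaths = @("$env:SystemDrive\", $env:ProgramFiles)

# Identities that stand for "any logged-on user" on a terminal server (English names)
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Anything beyond Read & Execute counts as a weakness for the purposes of item 1
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([string[]]$Path = $AuditPaths)
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }
            # FileSystemRights is a flags enum; mask it against the write-type rights
            $granted = [int]$ace.FileSystemRights -band [int]$WriteMask
            if ($granted -ne 0) {
                New-Object PSObject -Property @{
                    Path      = $p
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    AppliesTo = $ace.InheritanceFlags
                }
            }
        }
    }
}

# The target state from item 1: read & execute for Authenticated Users, full control
# for Administrators and SYSTEM, and no entry at all for Everyone.
$Expected = @{
    'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute'
    'BUILTIN\Administrators'           = 'FullControl'
    'NT AUTHORITY\SYSTEM'              = 'FullControl'
}

function Test-RootAcl {
    param([string[]]$Path = $AuditPaths)
    $weak = @(Get-WeakAce -Path $Path)
    if ($weak.Count -eq 0) { "No write access for broad groups on: $($Path -join ', ')"; return }
    $weak | Format-Table Path, Principal, Rights, Inherited, AppliesTo -AutoSize
    'Recommended explicit ACEs: ' + (($Expected.Keys | ForEach-Object { "$_ = $($Expected[$_])" }) -join '; ')
}

Test-RootAcl
```

Treat the output as a review list rather than something to fix blindly: the target ACL in item 1 is written for Windows 2000 Server, and Windows Server 2003 and later ship with their own default entries for Users on the drive root (for example the ability to create folders), so compare each finding with the OS default before changing it through Group Policy file system settings.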

How can I provide the most secure access to terminal servers from the public Internet? RDP encrypts the session with the RC4 stream cipher at either 56 or 128 bits (Windows Server 2003 SP1 and later can also use SSL/TLS as the security layer). Note that the native RDP security layer protects the traffic but gives the client no way to verify the server's identity, so a man-in-the-middle can impersonate the server unless SSL/TLS with a certificate the clients trust is used. Beyond encryption, the following should be considered when providing access to terminal servers over the public Internet:

  1. Set the RDP-Tcp Encryption Level to "High" (Windows 2000 Server or Windows Server 2003)

  2. Define and enforce a strong password policy .

  3. If you require password authentication to access a Remote Desktop Web Connection (RDWC, aka TSAC or TSWeb), do so over an SSL connection. Since you have to log on to the Terminal Server anyway, there is little advantage to requiring separate authentication to reach the RDWC page.

  4. Do NOT use traditional client-to-server VPN to provide secure access to Terminal Servers. This may sound strange, but traditional client-to-server VPNs require connectivity over non-standard ports and client software on the remote computer, both of which often prevent remote users from being able to connect. In addition to the connectivity problems traditional VPN can cause, traditional client-to-server VPNs can open the corporate network to viruses, Trojans or worms, because they extend the corporate network to the remote client.

  5. Do consider providing secure access to terminal servers via SSL VPN or a Terminal Server Secure Gateway , as these can provide access over standard ports like 443 or 80, which makes connectivity easy for remote users.  These devices or software applications also provide access to a specific computer, or set of computers, instead of opening a secure tunnel to the entire corporate network.
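Item 1 above is a one-line setting, but the listener has two other values that decide how much protection the encryption actually gives. The script below is an added example, not part of the original post: it reads the RDP-Tcp listener settings from the WinStations registry key, reports anything weaker than the recommendations, and can enforce the "High" encryption level. The value meanings are the documented ones for that key. It assumes it is run elevated on the terminal server itself; the SecurityLayer and UserAuthentication values do not exist on older releases and are treated as 0 there.

```powershell
# Added example (not from the original post): audit the RDP-Tcp listener against the
# recommendations above. Read-only unless Set-RdpHighEncryption is called.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Documented meanings of the DWORD values under that key
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpSettings {
    $p = Get-ItemProperty -Path $RdpKey
    @{
        MinEncryptionLevel = [int]$p.MinEncryptionLevel
        SecurityLayer      = [int]$p.SecurityLayer        # absent before Server 2003 SP1 -> 0
        UserAuthentication = [int]$p.UserAuthentication   # NLA; absent before Server 2008 -> 0
    }
}

function Test-RdpSettings {
    param([hashtable]$Settings = (Get-RdpSettings))
    $findings = @()
    $lvl = $Settings.MinEncryptionLevel
    if ($lvl -lt 3) {
        $findings += "MinEncryptionLevel = $lvl ($($EncryptionLevels[$lvl])); item 1 calls for High (3) so 56-bit sessions are refused"
    }
    $sl = $Settings.SecurityLayer
    if ($sl -lt 2) {
        $findings += "SecurityLayer = $sl ($($SecurityLayers[$sl])); with the RDP security layer the client cannot verify which server it is talking to, so use SSL (2) with a trusted certificate for Internet-facing hosts"
    }
    if ($Settings.UserAuthentication -ne 1) {
        $findings += 'Network Level Authentication is off; turn it on where every client supports CredSSP (Vista / Server 2008 and later)'
    }
    return ,$findings
}

function Set-RdpHighEncryption {
    # Only the encryption level is enforced here. Switching SecurityLayer to SSL needs a
    # server certificate bound to the listener first, so that stays a reported finding.
    Set-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -Value 3 -Type DWord
    'MinEncryptionLevel set to High; new sessions use it, existing sessions are unaffected'
}

$findings = Test-RdpSettings
if ($findings.Count -eq 0) { 'RDP-Tcp listener meets the recommended settings' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

`Test-RdpSettings` takes its input as a hashtable so the same checks can be run against values collected from several servers, for example from a script that reads the key remotely and feeds each result in.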
