
Wednesday, August 24, 2016

Virtualization based security (Device Guard, Credential Guard) vs. VMware Workstation

Recently a customer asked me how the new Microsoft security features like Credential Guard and Device Guard coexist with VMware Workstation. In their case, some VMs are used locally for application compatibility: they run older OSes and need specific interface types like a COM port or USB for their machine diagnostic software.


So the basic question is: Can virtualization based security in Windows 10, which uses Client Hyper-V underneath, coexist with VMware Workstation?

If you need to know more about Credential Guard, check here: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard


I took the question to MS and the clear answer currently is:
This is CURRENTLY not supported!  (as of the Redstone 1 build release in 08/2016)
They are aware of this issue and are looking to solve it at some point in time.


The main reason for this is that Client Hyper-V and VMware Workstation each take exclusive control of the hardware virtualization extensions (like VT-x or the IOMMU).
In this case nested virtualization does not work. For nested virtualization you find more info here:
https://msdn.microsoft.com/en-us/virtualization/hyperv_on_windows/user_guide/nesting

Also, running other virtualization solutions like VirtualBox inside a Hyper-V VM that supports nested virtualization is currently not supported! Some VMware Workstation users tried that recently, as reported in forums, and ended up with bluescreens. Check out this here: https://communities.vmware.com/thread/528385?start=0&tstart=0
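Before you try to start VMware Workstation on a Windows 10 host, it helps to know whether virtualization based security is already holding the hypervisor. The following PowerShell script is an added example and not part of the original post; it reads the Win32_DeviceGuard WMI class (namespace root\Microsoft\Windows\DeviceGuard, present on Windows 10 1607) and the HypervisorPresent property of Win32_ComputerSystem, and reports whether Credential Guard or HVCI is running and whether a hypervisor currently owns the virtualization extensions. The function name Get-VbsCoexistenceReport and the output field names are my own choice.

```powershell
# Added example (not from the original post): report whether virtualization based
# security is active on this host, so you know in advance that a third-party
# hypervisor such as VMware Workstation will not get the VT-x / IOMMU extensions.
# Assumes Windows 10 1607 or later and PowerShell 5. Run from an elevated prompt.

function Get-VbsCoexistenceReport {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the VBS state and the list of running VBS services.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
    $credGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    $hvciRunning      = [bool]($dg.SecurityServicesRunning -contains 2)

    # HypervisorPresent is true when Hyper-V (or another type-1 hypervisor) is already
    # running underneath Windows, i.e. the virtualization extensions are taken.
    $cs = Get-CimInstance -ClassName 'Win32_ComputerSystem'
    $hypervisorPresent = [bool]$cs.HypervisorPresent

    [pscustomobject]@{
        VbsStatus                  = $vbsStatus
        CredentialGuardRunning     = $credGuardRunning
        HvciRunning                = $hvciRunning
        HypervisorPresent          = $hypervisorPresent
        # Per the post above: once VBS holds the hypervisor, VMware Workstation
        # cannot use the hardware virtualization extensions on this host.
        VirtualizationExtensionsFree = (-not $hypervisorPresent)
    }
}

Get-VbsCoexistenceReport | Format-List
```

If VbsStatus reports "Running" or HypervisorPresent is true, the extensions are already in use by Client Hyper-V and the coexistence problem described in this post applies; if you decide on option 3 below and turn VBS off, run the script again after the reboot to confirm the state actually changed.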

When you need VMs with older OSes for app compat, you currently have these options:

  1. Use Client Hyper-V for virtualization, and explore the improved interface mappings like COM port or USB port redirection.  To check out the new possibilities read this here: https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/learn-more/use-local-resources-on-hyper-v-virtual-machine-with-vmconnect
    For COM ports this may also help:
    https://blogs.technet.microsoft.com/jeff_stokes/2013/05/06/how-to-redirect-serial-ports-in-windows-server-2012-rdsvdi/
    or make use of terminal server devices with physical COM port redirection via TCP/IP like these here: http://www.fabulatech.com/serial-port-redirector.html  There are a couple of different vendors available.

  2. A few other virtualization applications have an "emulator" mode.  This mode doesn't require the hardware virtualization extensions, but its performance is usually really bad.
  3. Disable Credential Guard and Device Guard, and run a different virtualization technology.


So my recommendation is: give Client Hyper-V another try :-)
Hyper-V has been developed further over the last years and has now really caught up with VMware virtualization. In some points it's even better :-)

Wednesday, August 17, 2016

Mobile Device Management - simplified joining options

With 1607 the options to join MDM while joining Active Directory or Azure AD were simplified a lot, so you do not need to check 2 different options anymore.


So it is best to prepare your Azure AD with the right options first and enable auto MDM enrollment there.

See here:
https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/

From a user perspective you now have 4 major options, described further here:


https://msdn.microsoft.com/en-us/library/windows/hardware/dn925028(v=vs.85).aspx


The options so far are:
Corporate owned - Active Directory
Corporate owned - Azure Active Directory
Privately owned - Azure Active Directory
Independent - MDM using a deep link