Every organization is looking for ways to equip their mobile workforce, whether remote employees, travelling sales staff/representatives, or just providing more ways employees can work efficiently. Today I want to talk about Microsoft Teams Phone and VDI – a match made in the Cloud.
I’m one of those people who travel frequently and rely not only on having a reliable working environment, but also having access to telecommunications.
Running Teams Phone on VDI is a clear win in these regards!
VDI and VoIP, a common struggle
As most of you know, VDI and VoIP applications can be a major struggle when 3rd party applications do not provide audio optimizations for environments that use VDI. This commonly results in sluggish, jolty, delayed, and/or poor audio quality, in addition to audio processing taking place inside your VDI environment, which consumes resources on your VDI cluster.
For years, the most common applications including Microsoft Teams, Zoom, and even Skype for Business provided VDI optimizations to allow high quality (optimized) audio processing, resulting in almost perfect video/audio telecommunications via VDI sessions, when implemented properly.
I was tired of using a 3rd party VoIP app, and wanted a more seamless experience, so I migrated over to Teams Phone for my organization, and I’m using it on VDI with VMware Horizon.
Microsoft Teams Phone
While I’ve heard a lot about Teams Phone, Microsoft’s Phone System, and PSTN capabilities, I’ve only ever seen it deployed once in a client’s production environment. This put it on my list of curiosities to investigate in the future a few years back.
This past week I decided to migrate over to Microsoft Teams Phone for my organization’s telephony and PSTN connectivity requirements. Not only did this eliminate my VoIP app on my desktops and laptops, but it also removed the requirement for a problematic VoIP client on my smartphone.
Teams Phone Benefits
Single app for team collaboration and VoIP
Single phone number (eliminates multiple extensions for multiple computers and devices)
Microsoft Phone System provides PBX capabilities
Cloud Based – No on-premise infrastructure required (except device & internet for client app)
I regularly use Microsoft Teams on all my desktops, laptops, and VDI sessions, along with my mobile phone, so the built-in capabilities for VoIP services, in an already fairly reliable app was a win-win!
I’ll go into further detail on Teams Phone in a future blog post.
Teams Phone on VDI
Microsoft Teams already has VDI optimizations for video and audio in the original client and the new client. This provides an amazing high quality experience for users, while also offloading audio and video processing from your VDI environment to Microsoft Teams (handled by the endpoints and Microsoft’s servers).
When implementing Teams Phone on VDI, you take advantage of these capabilities providing an optimized and enhanced audio session for voice calls to the PSTN network.
This means you can have Teams running on a number of devices including your desktop, laptop, smartphone, VDI session, and have a single PSTN phone number that you can make and receive calls from, seamlessly.
Pretty cool, hey?
The Final Result
In my example, the final result will:
Reduce my corporate telephony costs by 50%
Eliminate the requirement for an on-prem PBX system
Remove the need for a 3rd party VoIP app on my workstations and mobile phone
Provide a higher quality end-user experience
Utilize existing VDI audio optimizations for a better experience
In this guide we will deploy and install the new Microsoft Teams for VDI (Virtual Desktop Infrastructure) client, and enable Microsoft Teams Media Optimization on VMware Horizon.
This guide replaces and supersedes my old guide “Microsoft (Classic) Teams VDI Optimization for VMware Horizon” which covered the old Classic Teams client and VDI optimizations. The new Microsoft Teams app requires the same special considerations on VDI, and requires special installation instructions to function on VMware Horizon and other VDI environments.
You can run the old and new Teams applications side by side in your environment as you transition users.
Let’s cover what the new Microsoft Teams app is about, and how to install it in your VDI deployment.
Ultimately, it’s way faster, and consumes way less memory. And fortunately for us, it supports media optimizations for VDI environments.
My close friend and colleague, mobile jon, did a fantastic in-depth Deep Dive into the New Microsoft Teams and its inner workings that I highly recommend reading.
Interestingly enough, it uses the same media optimization channels for VDI as the old client used, so enablement and/or migrating from the old version is very simple if you’re running VMware Horizon, Citrix, AVD, and/or Windows 365.
Install New Microsoft Teams for VDI
While installing the new Teams is fairly simple for non-VDI environments (by either enabling the new version in the Teams Admin portal, or using your application manager to deploy the installer), a special method is required to deploy it on your VDI images, whether persistent or non-persistent.
Do not include and bundle the Microsoft Teams install with your Microsoft 365 (Office 365) deployment as these need to be installed separately.
Please Note: If you have deployed non-persistent VDI (Instant Clones), you’ll want to make sure you disable auto-updates, as these should be performed manually on the base image. For persistent VDI, you will want auto-updates enabled. See below for more information on configuring auto-updates.
You will also need to enable Microsoft Teams Media Optimization for the VDI platform you are using (in my case and example, VMware Horizon).
The New Teams client app uses the same VDI media optimization channels as the old Teams client (for VMware Horizon, Citrix, AVD, and W365).
If you have already enabled Media Optimization for Teams on VDI for the old version, you can simply install the client using the special bulk installer for all users as shown below, as the new client uses the existing media optimizations.
While it is recommended to uninstall the old client and install the new client, you can choose to run both versions side by side together, providing an option to your users as to which version they would like to use.
Enable Media Optimization for Microsoft Teams on VDI
If you haven’t previously for the old client, you’ll need to enable the Teams Media Optimizations for VDI for your VDI platform.
For VMware Horizon, we’ll create a GPO and set the “Enable HTML5 Features” and “Enable Media Optimization for Microsoft Teams”, to “Enabled”. If you have done this for the old Teams app, you can skip this.
Computer Configuration -> Policies -> Administrative Templates -> VMware View Agent Configuration -> VMware HTML5 Features -> VMware WebRTC Redirection Features -> Enable Media Optimization for Microsoft Teams
When installing the VMware Horizon client on Windows computers, you’ll need to make sure you check and enable the “Media Optimization for Microsoft Teams” option on the installer if prompted. Your install may automatically include Teams Optimization and not prompt.
If you are using a thin client or zero client, you’ll need to make sure you have the required firmware version installed, and any applicable vendor plugins installed and/or configurables enabled.
Install New Microsoft Teams client on VDI
We will now install the new Teams app onto both non-persistent images and persistent VDI VM guests. This method performs a live download and provisions the app as Administrator. If run un-elevated, an elevation prompt will appear:
For the offline installation, you’ll need to download the appropriate MSIX file in addition to the bootstrapper above. See below for download links:
For non-persistent environments, you’ll want to disable the auto update feature and install updates manually on your base image.
To disable auto-updates for the new Teams client, configure the registry key below on your base image:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams
Create a DWORD value called “disableAutoUpdate”, and set to value of “1”.
New Teams app disappears after Optimization with OSOT
If you are using the VMware Operating System Optimization Tool (OSOT), you may notice that after installing New Teams in your base or golden image, it disappears when publishing and pushing the image to your desktop pool.
The New Teams application is a Windows Store app, and organizations commonly choose to remove all Windows Store apps inside the golden image using the OSOT tool when optimizing the image. Doing this will remove New Teams from your image.
To work around this issue, you’ll need to choose “Keep all Windows Store Applications” in the OSOT common options, which won’t remove Teams.
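The two image-preparation points above (disabling auto-updates through the registry key, and making sure the Store-packaged New Teams survived OSOT) can be scripted and verified on the golden image before it is snapped. The following is an added example written for this post, not code from the original post or from Microsoft; the registry key and value name are the ones given above, while the Appx package name “MSTeams” is an assumption that should be confirmed with Get-AppxPackage -AllUsers on your own image.

```powershell
# Added example (not from the original post): prepare a non-persistent golden image
# for the new Teams client by disabling auto-updates and confirming the provisioned
# package survived OSOT optimization. Registry key/value come from the post; the
# Appx package name "MSTeams" is an assumption (verify with Get-AppxPackage -AllUsers).
#Requires -RunAsAdministrator

$TeamsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Teams'

function Disable-NewTeamsAutoUpdate {
    # Create the key if it does not exist yet, then set disableAutoUpdate = 1 (DWORD).
    if (-not (Test-Path $TeamsPolicyKey)) {
        New-Item -Path $TeamsPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $TeamsPolicyKey -Name 'disableAutoUpdate' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-NewTeamsAutoUpdateDisabled {
    # Returns $true only if the value exists and is exactly 1.
    $value = Get-ItemProperty -Path $TeamsPolicyKey -Name 'disableAutoUpdate' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.disableAutoUpdate -eq 1)
}

function Test-NewTeamsProvisioned {
    # The new Teams client is an MSIX/Store app, so OSOT's "remove all Store apps"
    # option strips it. Check both the installed package and the provisioned package.
    $installed   = Get-AppxPackage -AllUsers -Name 'MSTeams' -ErrorAction SilentlyContinue
    $provisioned = Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -eq 'MSTeams' }
    [pscustomobject]@{
        Installed   = [bool]$installed
        Provisioned = [bool]$provisioned
        Version     = if ($installed) { ($installed | Select-Object -First 1).Version } else { $null }
    }
}

Disable-NewTeamsAutoUpdate
"Auto-update disabled: $(Test-NewTeamsAutoUpdateDisabled)"
Test-NewTeamsProvisioned | Format-List
```

Run it as the last step on the base image after OSOT has finished; if Installed or Provisioned comes back False, the optimization profile removed the package and the “Keep all Windows Store Applications” option needs to be selected before re-running the bootstrapper.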
Using New Microsoft Teams with FSLogix Profile Containers
When using the new Teams client with FSLogix Profile Containers on non-persistent VDI, you must upgrade to FSLogix version 2.9.8716.30241 to support the new Teams client.
Confirm New Microsoft Teams VDI Optimization is working
To confirm that VDI Optimization is working on New Teams, open New Teams, click the “…” in the top right next to your user icon, click “Settings”, then click on “About Teams” on the far bottom of the Settings menu.
You’ll notice “VMware Media Optimized” which indicates VDI Optimization for VMware Horizon is functioning. The text will reflect for other platforms as well.
Uninstall New Microsoft Teams on VDI
The Teams bootstrapper utility can also remove Teams for all users on the machine by using the “-x” flag. See below for all the options for “teamsbootstrapper.exe”:
C:\Users\Administrator.DOMAIN\Downloads>teamsbootstrapper.exe --help
Provisioning program for Microsoft Teams.
Usage: teamsbootstrapper.exe [OPTIONS]
Options:
-p, --provision-admin Provision Teams for all users on this machine.
-x, --deprovision-admin Remove Teams for all users on this machine.
-h, --help Print help
Install New Microsoft Teams on VMware App Volumes / Citrix App Layering
The New Teams bootstrapper does not appear to work with app packaging and app attaching technologies such as VMware App Volumes and Citrix Application Layering, as its installation bypasses them.
The New Teams bootstrapper downloads and installs an MSIX app package to the computer running the bootstrapper.
To deploy and install new Teams on VMware App Volumes or Citrix App Layering (or other app technologies), you’ll most likely need to download and import the MSIX package in to the application manager and deploy using that.
Conclusion
It’s great news that we finally have a better performing Microsoft Teams client that supports VDI optimizations. With new Teams support for VDI reaching GA, and with the extensive testing I’ve performed in my own environment, I’d highly recommend switching over at your convenience!
If you’re anything like me, you were excited to get your hands on the latest Windows 11 22H2 Feature Update after it was released on September 20th, 2022. However, as with all feature upgrades, it is rolled out gradually after release and is not immediately available for download to everyone. So you may be asking how to force the Windows 11 22H2 Feature Update.
From what I understand, for most x86 users, the Windows 11 22H2 Feature Upgrade made itself available slowly over the months after its release, however there may be some of you who still don’t have access to it.
Additionally, there may be some of you who are using special hardware such as ARM64, like me with my Lenovo X13s Windows-on-ARM laptop, who haven’t been offered the update as I believe it’s being rolled out slower than its x86 counterpart.
However, if you’re using ARM64, you cannot use any of those above as they are designed for x86 systems. I waited some time, but decided I wanted to find a way to force this update.
Inside of WSUS, I tried to approve the Windows 11 22H2 Feature Update, however that had no success, as the system wasn’t checking for that update (it wasn’t “required”). I then tried to modify the local GPOs to force the feature update, which to my surprise worked!
Instructions to force the update
This should work on systems that are not domain joined, as well as systems that are domain joined, even with WSUS.
Please note that this will only force the update if your system is approved for the update. Microsoft has various safeguards in place for certain scenarios and hardware, to block the update. See below on how to disable safeguards for feature updates.
In order to Force Windows 11 22H2 Feature Update, follow the instructions below:
Open the Local Group Policy via the start menu, or run “gpedit.msc”.
Expand “Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update”
Open “Select the target Feature Update version”
Set the first field (Which Windows product version would you like to receive feature updates for), to “Windows 11”
Set the second field (Target Version for Feature Updates) to “22H2”.
Click Apply, Click Ok, close the windows.
Either restart the system, or run “gpupdate /force” to force the system to see the settings.
Check for Windows Update (From Microsoft Update if you’re using WSUS), you should now see the update available. You may need to check a few times and/or restart the system again.
Install the Feature Upgrade, and then go back to the setting and set to “Not Configured” to ensure you receive future feature upgrades.
See below for a screenshot of the setting:
For those with a domain and/or work environment, you could deploy this setting over a wide variety of computers using your Active Directory Domain’s Group Policy Objects.
Disable Safeguards for Feature Updates
If the above doesn’t work there is a chance that you may be blocked from upgrading due to safeguards put in place by Microsoft to protect you against known issues from the “Windows 11, version 22H2 known issues and notifications” page.
Keep in mind that these safeguards are in place to protect you and your system from experiencing issues, possibly even issues that could result in an unrecoverable situation. I do not recommend doing this unless you have a backup and know what you are doing.
To disable safeguards for features:
Make sure you still have the “Local Group Policy” MMC open at “Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update”.
Open “Disable Safeguards for Feature Updates”
Set this option to “Enabled”, click Apply, and then OK.
See below for a screenshot of the setting:
After applying this, you should now be able to upgrade to Windows 11, version 22H2.
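Both procedures above (setting the target feature update version, and disabling safeguards) are Group Policy settings that write values under the Windows Update policy key, so they can also be applied with a script on a machine that is not domain joined, or reverted to “Not Configured” afterwards as the first procedure requires. The following is an added example, not code from the original post or from Microsoft; the key and value names are the documented registry values behind the two policies (ProductVersion, TargetReleaseVersion and TargetReleaseVersionInfo for “Select the target Feature Update version”, DisableWUfBSafeguards for “Disable Safeguards for Feature Updates”).

```powershell
# Added example (not from the original post): the registry values that back the two
# Group Policy settings described above, so the same change can be scripted and
# verified, then removed again after the upgrade. Run elevated.
#Requires -RunAsAdministrator

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-TargetFeatureUpdate {
    # Equivalent of "Select the target Feature Update version" = Enabled,
    # product "Windows 11", target version "22H2".
    param(
        [string]$Product = 'Windows 11',
        [string]$Version = '22H2'
    )
    if (-not (Test-Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $WuPolicyKey -Name 'ProductVersion'           -PropertyType String -Value $Product -Force | Out-Null
    New-ItemProperty -Path $WuPolicyKey -Name 'TargetReleaseVersion'     -PropertyType DWord  -Value 1        -Force | Out-Null
    New-ItemProperty -Path $WuPolicyKey -Name 'TargetReleaseVersionInfo' -PropertyType String -Value $Version -Force | Out-Null
}

function Disable-FeatureUpdateSafeguards {
    # Equivalent of "Disable Safeguards for Feature Updates" = Enabled.
    if (-not (Test-Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $WuPolicyKey -Name 'DisableWUfBSafeguards' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Clear-TargetFeatureUpdate {
    # The final step above: return both settings to "Not Configured" so future
    # feature updates are offered again and the safeguard holds apply once more.
    foreach ($name in 'ProductVersion', 'TargetReleaseVersion', 'TargetReleaseVersionInfo', 'DisableWUfBSafeguards') {
        Remove-ItemProperty -Path $WuPolicyKey -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-TargetFeatureUpdate {
    # Read the current state back so the change can be confirmed before scanning.
    $p = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Product            = $p.ProductVersion
        TargetVersion      = $p.TargetReleaseVersionInfo
        TargetEnforced     = ($p.TargetReleaseVersion -eq 1)
        SafeguardsDisabled = ($p.DisableWUfBSafeguards -eq 1)
    }
}

Set-TargetFeatureUpdate -Product 'Windows 11' -Version '22H2'
Get-TargetFeatureUpdate

# Refresh policy and ask the Windows Update agent to scan now rather than waiting
# for the next cycle (IAutomaticUpdates::DetectNow via COM).
gpupdate /force
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

Disable-FeatureUpdateSafeguards is deliberately a separate function so that the safeguard override is only written when the target-version setting alone has not surfaced the update, and Clear-TargetFeatureUpdate removes it together with the target values once the upgrade is complete.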
However, in some rare cases you may have everything configured properly, yet the backup may continue to present warnings that it is unable to truncate Microsoft SQL Server transaction logs.
The Problem
I recently deployed a SQL Server in a domain, and of course made sure to set up the proper backup procedures as I’ve done a million times.
However, when performing a backup, the backup would present a warning with the following message:
Unable to truncate Microsoft SQL Server transaction logs. Details: Failed to call RPC function 'Vss.TruncateSqlLogs': Error code: 0x80004005. Failed to invoke func [TruncateSqlLogs]: Unspecified error. Failed to process 'TruncateSQLLog' command. Failed to logon user [ReallyLongDomainName\Admin-Account]. Win32 error:The user name or password is incorrect. Code: 1326.
This was very odd as I had configured everything properly, and even confirmed it when referring to the Veeam KB listed above in this post.
So I decided to look at this as if it was something different, something with credentials, or a different problem.
I noticed that in this specific customer environment, their FQDN for their domain was so long that the NETBIOS domain name did not equal their FQDN domain name.
Due to the length of the domain, they shortened the NETBIOS domain with abbreviated letters.
When configuring the Veeam credentials for guest processing, one would assume that when using the “AD Search” function, it would have pulled the “LCNDOMAIN\BackupAdminProcessing” account, however when using the check feature, it actually created an entry for “LongCompanyName\BackupAdminProcessing”, which was technically incorrect as it didn’t match the SAM logon format for the account.
The Fix
Because of the observation noted above, I created a manual credential entry for “LCNDOMAIN\BackupAdminProcessing”, reconfigured the backup job to use those new credentials, and it worked!
The issue occurs because, when using the AD search function in the credential manager, Veeam doesn’t translate and pull the NETBIOS domain, but uses the SAM logon format and assumes the UPN domain matches the NETBIOS domain name.
While this may hold true in most scenarios, there may be rare situations (like above) where the NETBIOS domain name does not match the domain used in the UPN suffix.
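A quick way to catch this mismatch before a guest-processing credential ever reaches a backup job is to compare the domain prefix of the DOMAIN\user entry against the domain’s actual NetBIOS name, and to attempt the logon independently of Veeam so that error 1326 shows up in a controlled test. The following is an added example, not code from the original post or from Veeam; it requires the RSAT ActiveDirectory module, and the account and domain names are the placeholders used in the post.

```powershell
# Added example (not from the original post): validate a DOMAIN\user credential entry
# against the domain's real NetBIOS name, and optionally test the logon itself, so the
# UPN-prefix vs NETBIOS mismatch described above is caught up front.
# Requires the RSAT ActiveDirectory module. Names are the post's placeholders.
Import-Module ActiveDirectory

function Test-SamLogonDomain {
    param(
        [Parameter(Mandatory)][string]$Credential   # e.g. 'LongCompanyName\BackupAdminProcessing'
    )
    if ($Credential -notmatch '^(?<domain>[^\\]+)\\(?<user>[^\\]+)$') {
        throw "Expected DOMAIN\user format, got '$Credential'"
    }
    $domainPart = $Matches.domain
    $user       = $Matches.user

    $ad       = Get-ADDomain
    $netbios  = $ad.NetBIOSName                 # e.g. LCNDOMAIN
    $dnsFirst = ($ad.DNSRoot -split '\.')[0]    # e.g. LongCompanyName

    # Confirm the account exists so a failure is about the prefix, not a typo in the user.
    $account = Get-ADUser -Filter "SamAccountName -eq '$user'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Supplied           = $Credential
        NetBIOSName        = $netbios
        DnsRoot            = $ad.DNSRoot
        UserExists         = [bool]$account
        PrefixIsNetBIOS    = ($domainPart -ieq $netbios)
        LooksLikeDnsPrefix = (-not ($domainPart -ieq $netbios)) -and ($domainPart -ieq $dnsFirst)
        Corrected          = "$netbios\$user"
    }
}

function Test-DomainLogon {
    # Reproduce the logon the backup agent performs, without Veeam in the middle.
    # Returns $true when the domain prefix and password are both accepted.
    param([Parameter(Mandatory)][pscredential]$Cred)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $domain, $user = $Cred.UserName -split '\\', 2
    try {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
        return $ctx.ValidateCredentials($user, $Cred.GetNetworkCredential().Password)
    } catch {
        # An unresolvable context name (such as a bare UPN prefix) surfaces here as $false.
        return $false
    }
}

# The entry AD Search produced, versus what the SAM logon format requires:
Test-SamLogonDomain -Credential 'LongCompanyName\BackupAdminProcessing' | Format-List

# Interactive logon test with the corrected prefix:
Test-DomainLogon -Cred (Get-Credential -UserName 'LCNDOMAIN\BackupAdminProcessing' -Message 'Backup account')
```

When LooksLikeDnsPrefix is True, the entry is the one the AD search function generates; use the Corrected value when creating the manual credential entry, then confirm with Test-DomainLogon before pointing the job at it.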
When it comes to troubleshooting login times with non-persistent VDI (VMware Horizon Instant Clones), I often find delays associated with printer drivers not being included in the golden image. In this post, I’m going to show you how to add a printer driver to an Instant Clone golden image!
Printing with non-persistent VDI and Instant Clones
In most environments, printers will be mapped for users during logon. If a printer is mapped or added and the driver is not added to the golden image, it will usually be retrieved from the print server and installed, adding to the login process and ultimately leading to a delay.
Due to the nature of non-persistent VDI and Instant Clones, every time the user logs in and gets a new VM, the driver will be downloaded and installed again, creating a redundant process that wastes time and network bandwidth.
To avoid this, we need to inject the required printer drivers into the golden image. You can add numerous drivers and should include all the drivers that any and all users are expected to use.
An important consideration: Try using Universal Print Drivers as much as possible. Universal Printer Drivers often support numerous different printers, which allows you to install one driver to support many different printers from the same vendor.
How to add a printer driver to an instant clone golden image
Below, I’ll show you how to inject a driver into the Instant Clone golden image. Note that this doesn’t actually add a printer, but only installs the printer driver into the Windows operating system so it is available for a printer to be configured and/or mapped.
Let’s get started! In this example we’ll add the HP Universal Driver. These instructions work on both Windows 10 and Windows 11 (as well as Windows Server operating systems):
Click Start, type in “Print Management” and open the “Print Management”. You can also click Start, Run, and type “printmanagement.msc”.
On the left hand side, expand “Print Servers”, then expand your computer name, and select “Drivers”.
Right click on “Drivers” and select “Add Driver”.
When the “Welcome to the Add Printer Driver Wizard” opens, click Next.
Leave the default for the architecture. It should default to the architecture of the golden image.
When you are at the “Printer Driver Selection” stage, click on “Have Disk”.
Browse to the location of your printer driver. In this example, we navigate to the extracted HP Universal Print Driver.
Select the driver you want to install.
Click on Finish to complete the driver installation.
The driver you installed should now appear in the list as it has been installed in to the operating system and is now available should a user add a printer, or have a printer automatically mapped.
Now seal, snap, and deploy your image, and you’re good to go!
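The Print Management steps above can also be run unattended on the golden image, which is useful when the same image is rebuilt regularly. The following is an added example written for this post, not code from the original post, from HP or from VMware; pnputil stages the INF into the driver store and Add-PrinterDriver registers it with the spooler without creating a printer, while the INF path, the driver name and the print server name are assumptions you replace with your own (the driver name comes from the model section of the vendor’s INF).

```powershell
# Added example (not from the original post): inject a printer driver into a golden
# image the way the Print Management wizard does, then list which drivers users'
# print server offers that the image still lacks. INF path, driver name and
# print server name are assumptions.
#Requires -RunAsAdministrator

function Add-GoldenImagePrinterDriver {
    param(
        [Parameter(Mandatory)][string]$InfPath,     # e.g. 'C:\Drivers\HP-UPD\hpupd.inf' (assumed)
        [Parameter(Mandatory)][string]$DriverName   # e.g. 'HP Universal Printing PCL 6' (assumed)
    )
    if (-not (Test-Path $InfPath)) { throw "INF not found: $InfPath" }

    # Already present? Then nothing will be pulled from the print server at logon.
    $existing = Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # Stage the signed driver package in the driver store.
    & pnputil.exe /add-driver $InfPath /install | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "pnputil failed with exit code $LASTEXITCODE" }

    # Register it with the spooler for the image's own architecture (no printer is created).
    Add-PrinterDriver -Name $DriverName -InfPath $InfPath
    return Get-PrinterDriver -Name $DriverName
}

function Get-MissingPrinterDrivers {
    # Compare the print server's drivers against the image so the injection list is
    # complete before sealing. The server name is an assumption.
    param([Parameter(Mandatory)][string]$PrintServer)
    $onServer = Get-PrinterDriver -ComputerName $PrintServer | Select-Object -ExpandProperty Name -Unique
    $local    = Get-PrinterDriver | Select-Object -ExpandProperty Name -Unique
    $onServer | Where-Object { $_ -notin $local }
}

Add-GoldenImagePrinterDriver -InfPath 'C:\Drivers\HP-UPD\hpupd.inf' -DriverName 'HP Universal Printing PCL 6'
Get-MissingPrinterDrivers -PrintServer 'PRINTSRV01'
```

Get-MissingPrinterDrivers is the check worth running before every seal: any name it returns is a driver that will otherwise be downloaded on every Instant Clone logon.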
Many of you may not be aware of the Azure AD Connect 1.x End of Life on August 31st, 2022. What this means is that as of August 31st, 2022 (later this month), you’ll no longer be able to use Azure AD Connect 1.4 or Azure AD Connect 1.6 to sync your on-premise Active Directory to Azure AD.
It’s time to plan your upgrade and/or migration!
This is catching a lot of System Administrators by surprise. In quite a few environments, Azure AD connect was implemented on older servers that haven’t been touched (except for Windows Updates) in the years that they’ve been running, because Azure AD Connect “just works”.
Azure AD Connect End of Life
Azure AD Connect has two major releases that are being used right now, being 1.x and 2.x.
Version 1.x, which is the release going end of life, is the first release, generally seen installed on older Windows Server 2012 R2 systems (or even earlier versions).
Version 2.x which is the version you *should* be running, does not support Windows Server 2012. Azure AD Connect 2.x can only be deployed on Windows Server 2016 or higher.
For a lot of you, there is no easy in-place upgrade unless you have 1.x installed on Windows Server 2016 or higher. If you are running 1.x on Server 2016 or higher, you can simply do an in-place upgrade!
If you’re running Windows Server 2012 R2 or earlier, because 2.x requires Server 2016 or higher, you will need to migrate to another system running a newer version of Windows Server.
However, the process to migrate to a newer server is simpler and cleaner than most would suspect. I highly recommend reviewing all the Microsoft documentation (see below), but a simplified overview of the process is as follows:
Deploy new Windows Server (version 2016 or higher)
Export Configuration (JSON file) from old Azure AD Connect 1.x server
Install the latest version of Azure AD Connect 2.x on new server, load configuration file and place in staging mode.
Enable Staging mode on old server (this stops syncing of old server)
Disable Staging mode on new server (this starts syncing of new server)
Decommission old server (uninstall Azure AD Connect, unjoin from domain)
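Before choosing between the in-place upgrade and the staging-mode migration outlined above, it helps to pull the deciding facts off each existing server: the OS build (2.x needs Windows Server 2016 or higher), the installed Azure AD Connect version, and whether the server is currently in staging mode. The following pre-flight check is an added example, not code from the original post or from Microsoft; it uses built-in cmdlets plus Get-ADSyncScheduler from the ADSync module that ships with Azure AD Connect, and matches the product by its display name in Programs and Features.

```powershell
# Added example (not from the original post): pre-flight readiness check for an
# existing Azure AD Connect server. Reports OS build (Server 2016 = build 14393),
# installed AADC version (1.x vs 2.x) and staging-mode state, and recommends a path.

function Get-AadConnectReadiness {
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Locate the product entry the same way Programs and Features does.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $aadc = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1
    $version = if ($aadc) { [version]$aadc.DisplayVersion } else { $null }

    # Staging mode is exposed by the ADSync module installed with Azure AD Connect.
    $staging = $null
    if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
        $staging = (Get-ADSyncScheduler).StagingModeEnabled
    }

    $osOk = $build -ge 14393
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSCaption          = $os.Caption
        OSBuild            = $build
        AadConnectVersion  = $version
        StagingModeEnabled = $staging
        Recommendation     = if (-not $aadc) { 'Azure AD Connect not installed here' }
                             elseif ($version.Major -ge 2) { 'Already on 2.x; keep current' }
                             elseif ($osOk) { 'In-place upgrade to 2.x supported' }
                             else { 'OS too old for 2.x: migrate to Server 2016+ using staging mode' }
    }
}

Get-AadConnectReadiness | Format-List
```

Run it on the old server first and again on the new one during the cutover: the old server should report StagingModeEnabled True and the new one False before the old server is decommissioned, since two servers actively exporting to the same tenant is the failure mode the staging steps above are there to prevent.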
As always, I highly recommend having an “Alternative Admin” account on your Azure AD. If you lose the ability to sync or authenticate against Azure AD, you’ll need a local Azure AD admin account to connect and manage and re-establish the synchronization.
I purchased the new Lenovo X13s Windows on ARM laptop, and wanted to share my first impressions with the device. I plan on creating a full review in a later post, however I wanted to provide some insight on my initial first impressions, as these can be a game changer or deal breaker for most people considering purchasing this laptop.
I’m going to break this blog post up in to a few key sections that were the most important, and most noticeable when first getting my hands on this device.
I’ll be limiting this post to the first impressions as much as possible saving the rest for the full review.
Pre-purchase expectations and initial thoughts
With lots of travel approaching, and with an aging laptop (Lenovo X1 Carbon Gen-2013), I needed to purchase a new laptop that I could use that would fit my requirements:
WWAN (Preferably 5G)
Good Battery Life
Good Performance
Stylish
Application Use
VDI – VMware Horizon Client
Microsoft Office
IT Applications (Putty, WinSCP, RDP)
Microsoft Teams
Zoom
You can see that my usage is similar to the business road warrior professional, with an IT add-on. I’m usually always connected to a VDI session, and also spend 50-100% of the day on Zoom or Microsoft Teams meetings.
With full knowledge about ARM architecture, and the new laptops and devices that have been released, I decided to take a big risk and try one of the new Windows on ARM laptops, specifically the Lenovo X13s.
ARM laptops generally provide great performance, really good battery life, and an “always on” ready to go environment.
Specifications
I’ll be saving the tech spec deep dive for the full review, however I wanted to provide some basic information on the specifications of the model I purchased.
Part Number: 21BX0008US
CPU: Snapdragon® 8cx Gen 3 Compute Platform (3.00 GHz up to 3.00 GHz)
I specifically wanted a large SSD, lots of RAM, and definitely the 5G WWAN modem built in. I purchased the highest configured model without going custom (to take advantage of special pricing and promotions).
First Impressions
Design
Receiving the laptop, the first things that really stick out are the size, texture (quality of materials), thinness, and no fan ports. It’s a very beautifully designed laptop.
While it is smaller than I expected, it does not feel cheap. The materials used with this laptop give it the same quality and feel as the X1 Carbon.
Physical Size
For whatever reasons, I was expecting something the same size as my original X1 Carbon, however the X13s is thinner and has a slightly smaller width and height in comparison.
Originally I thought this was going to be a problem, but after using the laptop, I’m absolutely in love with the size of this. As far as portability and usability, based on first impressions, this thing has both!
Keyboard
Surprisingly, because of the smaller size of the laptop, I’ve actually found it very easy to type quickly. I’ve noticed that out of all of the laptops I’ve owned, as well as desktop keyboards, I can type the fastest on the X13s, because of the size of the keyboard as well as the layout and feel.
Keystrokes feel and sound amazing, with a perfectly built keyboard. I honestly have no complaints…
Display
The display is absolutely beautiful. Even though there is an option for a 400-nit display, my model has the 300-nit panel because I wanted the touchscreen.
Even in my apartment with all the windows open on a sunny day, I can see everything crisply on this display.
The only thing I noticed is that when viewing black/gray scale content (most of my UI and apps are in dark mode), it looks like the backlight dims and sometimes text becomes faded. You can still see everything fine, however this causes for an odd effect when the screen content changes to something with white or color.
To fix this, uncheck “Help improve battery by optimizing the content shown and brightness” in settings:
After unchecking this option, everything is perfect!
Battery
The battery on this unit is absolutely blowing my mind. In 4 days of usage, I’ve never used a laptop that can hold up to this and barely use any battery.
Comparing this to my old X1 in 4 days of usage, I probably would have had to charge it 3-4 times. The X13s just keeps going and going and going.
Very impressed with this, as it’s going to help with travel and staying connected on the go.
Speakers and Sound
The sound is fantastic, and playing music sounds great. The laptop includes a sound system enhanced with Dolby.
I’m not much of an audiophile, but I have to say I was impressed with the volume and quality of audio that comes from the laptop.
Temperature
This laptop has no fans or air ducts. One would think this would make for a laptop that runs hot, but I have to say I haven’t really noticed any hot temperatures except for when I first booted it up and did Windows Updates, Lenovo Updates, the Microsoft Office installer, and a bunch of other things.
Even under extremely heavy load during the installs, the heat generated was actually less than what I would have expected, or experienced with my old Lenovo X1 Carbon.
Windows 11 for ARM64 (Windows on ARM)
For the most part, if you didn’t understand what Windows on ARM was, processor architectures, or the difference between this laptop and others, you’d notice absolutely nothing different from a normal laptop (except maybe if you were gaming).
I have to say that Microsoft knocked it out of the park with the development of Windows 11 on ARM, and it’s definitely 100% ready for primetime use, both for regular users as well as enterprise/business users.
The one thing I can’t comment on is gaming. While I haven’t done any testing (as I don’t game much), there may be additional considerations as far as stability and performance, or even capabilities of gaming.
Applications
When it comes to applications, while the X13s does support x86 and x64 emulation, you should always try to run native ARM/ARM64 applications. Running applications native to the architecture will provide the best performance as well as battery life.
After getting going, I noticed the following applications had native ARM64 support:
Microsoft Office
Microsoft Teams
Zoom
Putty
Edge (built off Chromium)
I also loaded numerous applications that are x86/x64 and emulated:
VMware Horizon Client
Chrome
WinSCP
All the above applications, both ARM and x86/x64, run fantastic without any problems. I was concerned that the whole emulation layer would be a mess, but I’ve seriously had no problems.
Performance
I can’t say enough how snappy Windows 11 on ARM and the X13s is. I never thought I’d say it, but this is the fastest performing Windows 11 system I’ve used when it comes to responsiveness of the OS and applications.
Connectivity
The built-in 5G connectivity was super easy to setup. The laptop can use an eSIM or traditional physical SIM. I had the experience of using both at different points (because of issues with my cell phone provider).
The eSIM was super easy to setup and you can manage multiple different profiles. I simply purchased an eSIM, and scanned the QR code with the webcam.
When I had to switch to the physical SIM (because my provider doesn’t support 5G with eSIMs), I simply popped the SIM tray and installed the card.
It’s very easy to not only switch between eSIM profiles, but also switch between the eSIM and normal SIM. This is great if you’re travelling to other countries as you can easily switch between your local provider’s eSIM, and install a foreign SIM to use local data.
Your speed will vary depending on provider, but I was able to achieve the full speed expected from my provider, and I was pleasantly surprised with better than expected low latencies, which is great for VDI which I use regularly.
Always on
Because of the ARM processor, Windows is “always on”. There’s no resume from suspend time, just like your ARM based cell/mobile phone.
The laptop is virtually always on and ready to go when I need to work.
Overall First Impressions
Overall, my first impressions with this laptop have been fantastic and this laptop is exceeding my best expectations. Windows 11 on ARM is definitely a serious contender when it comes to choosing the right laptop/notebook.
The OS is snappy, everything works the way you’d expect on Windows, and so far I’m very happy with the investment I made when purchasing this laptop. I can’t wait to do some travelling with this to start using it to its full potential.
Add in 5G always-on connectivity, and it feels like this thing is unstoppable…
It’s been coming for a while: The requirement to deploy VMs with a TPM module… Today I’ll be showing you the easiest and quickest way to create and deploy Virtual Machines with vTPM on VMware vSphere ESXi!
As most of you know, Windows 11 has a requirement for Secureboot as well as a TPM module. It’s with no doubt that we’ll also possibly see this requirement with future Microsoft Windows Server operating systems.
While users struggle to deploy TPM modules on their own workstations to be eligible for the Windows 11 upgrade, ESXi administrators are also struggling with deploying Virtual TPM modules, or vTPM modules on their virtualized infrastructure.
What is a TPM Module?
TPM stands for Trusted Platform Module. A Trusted Platform Module is a piece of hardware (or chip) inside or outside of your computer that provides secured computing features to the computer, system, or server that it’s attached to.
The TPM module provides things like a random number generator, storage of encryption keys and cryptographic information, as well as aiding in secure authentication of the host system.
In a virtualization environment, we need to emulate this physical device with a Virtual TPM module, or vTPM.
What is a Virtual TPM (vTPM) Module?
A vTPM module is a software implementation of a TPM 2.0 device that the hypervisor presents to a Virtual Machine. It can be attached to a VM and provides the guest operating system with the same features and functionality a physical TPM module provides to a physical system. Its state (the TPM’s secrets and NVRAM) lives in the VM’s files, which is why vSphere encrypts the VM home files when a vTPM is added.
vTPM modules can be deployed with VMware vSphere ESXi (vSphere 6.7 and later, VM hardware version 14 and later) and are what allow Windows 11 to be installed on ESXi.
Because adding a vTPM encrypts the VM’s home files, deploying vTPM modules requires a Key Provider on the vCenter Server.
Deploying vTPM (Virtual TPM Modules) on VMware vSphere ESXi
In order to deploy vTPM modules (and VM encryption, vSAN Encryption) on VMware vSphere ESXi, you need to configure a Key Provider on your vCenter Server.
Traditionally, this would be accomplished with a Standard Key Provider backed by a KMIP-compliant Key Management Server (KMS); however, this requires a 3rd party KMS server and is what I would consider a complex deployment.
VMware has made this easy as of vSphere 7 Update 2 (7U2), with the Native Key Provider (NKP) on the vCenter Server.
The Native Key Provider, allows you to easily deploy technologies such as vTPM modules, VM encryption, vSAN encryption, and the best part is, it’s all built in to vCenter Server.
Enabling VMware Native Key Provider (NKP)
To enable NKP across your vSphere infrastructure:
Log on to your vCenter Server
Select your vCenter Server from the Inventory List
Select “Key Providers”
Click on “Add”, and select “Add Native Key Provider”
Give the new NKP a friendly name
De-select “Use key provider only with TPM protected ESXi hosts” if you have ESXi hosts without a TPM and still want them to be able to use the native key provider.
To activate the new native key provider, click “Backup” to export it. The backup is a PKCS#12 (.p12) file containing the key derivation key; protect it with a password and keep it somewhere safe outside the vSphere environment it protects, because anyone holding the file (and password) can derive every key the NKP has issued, and without it you cannot recover encrypted VMs if the vCenter Server is lost. After the backup is complete, your NKP will be active and usable by your ESXi hosts.
There’s a few additional things to note:
Your ESXi hosts do NOT require a physical TPM module in order to use the Native Key Provider
Just make sure you disable the checkbox “Use key provider only with TPM protected ESXi hosts”
NKP can be used to enable vTPM modules on all editions of vSphere
If your ESXi hosts have a TPM module, leaving the checkbox enabled provides enhanced security: the NKP key material is sealed to each host’s TPM, so only hosts with that TPM can use it
A host TPM also allows the key to be persisted on the host, so encrypted VMs can still be powered on if the vCenter Server goes offline
If you delete the Native Key Provider, you are also deleting all the keys stored with it, and every VM or vSAN datastore encrypted with it becomes unrecoverable:
Make sure you have it backed up
Make sure no hosts/VMs are still using the NKP before deleting it
You can now deploy vTPM modules to virtual machines in your VMware environment.
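The Native Key Provider steps above are done in the vSphere Client, but attaching the vTPM itself is something you will repeat for every Windows 11 VM, so here is that part as an added PowerCLI example (my own code, not from the original post or from VMware). It assumes PowerCLI 12.x with the VMware.VimAutomation.Security module, that the NKP has already been added and set as the default key provider for the VM’s cluster, and placeholder names for the vCenter Server and VM. It checks the preconditions vTPM needs (powered off, EFI firmware, hardware version 14 or later), turns on Secure Boot, adds the vTPM, and then reads back which key provider encrypted the VM’s home files so you can confirm the NKP was actually used:

```powershell
# Added example: attach a vTPM to an existing, powered-off VM and verify
# which key provider encrypted it. Assumes PowerCLI 12.x and that a Native
# Key Provider is already the default for the cluster. Names are placeholders.
param(
    [string]$VCenter = 'vcenter.example.local',   # assumed hostname
    [string]$VMName  = 'WIN11-TEST01'             # assumed VM name
)

Import-Module VMware.VimAutomation.Core, VMware.VimAutomation.Security
Connect-VIServer -Server $VCenter | Out-Null

$vm = Get-VM -Name $VMName -ErrorAction Stop

# Preconditions: a vTPM can only be added to a powered-off VM, and it
# requires EFI firmware and hardware version 14 (vSphere 6.7) or later.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before adding a vTPM."
}
if ($vm.ExtensionData.Config.Firmware -ne 'efi') {
    # Switching an installed BIOS VM to EFI leaves it unbootable unless the
    # disk is converted, so refuse rather than silently change it.
    throw "$VMName uses BIOS firmware; create it as EFI (or convert the disk) first."
}
$hwVersion = [int]($vm.HardwareVersion -replace 'vmx-', '')
if ($hwVersion -lt 14) {
    Write-Host "Upgrading $VMName from vmx-$hwVersion to vmx-19"
    Set-VM -VM $vm -HardwareVersion vmx-19 -Confirm:$false | Out-Null
    $vm = Get-VM -Name $VMName
}

# Windows 11 also wants Secure Boot; enable it on the EFI firmware.
if (-not $vm.ExtensionData.Config.BootOptions.EfiSecureBootEnabled) {
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    $vm.ExtensionData.ReconfigVM($spec)
}

# Add the vTPM. This encrypts the VM "home" files (NVRAM, swap), not the
# VMDKs, with a key from the cluster's default key provider.
if (-not (Get-VTpm -VM $vm)) {
    New-VTpm -VM $vm | Out-Null
}

# Verify: vTPM present, Secure Boot on, and the VM's key comes from the
# provider you expect (Config.KeyId is populated once the VM is encrypted).
$vm    = Get-VM -Name $VMName
$keyId = $vm.ExtensionData.Config.KeyId
[PSCustomObject]@{
    VM          = $vm.Name
    HwVersion   = $vm.HardwareVersion
    Firmware    = $vm.ExtensionData.Config.Firmware
    SecureBoot  = $vm.ExtensionData.Config.BootOptions.EfiSecureBootEnabled
    vTPM        = [bool](Get-VTpm -VM $vm)
    KeyProvider = $keyId.ProviderId.Id
    KeyId       = $keyId.KeyId
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it against a freshly created, not-yet-installed VM. The KeyProvider field in the output should match the friendly name you gave the NKP; if it is empty, the VM was not encrypted and the vTPM add will have failed, which almost always means the cluster has no default key provider or the host was excluded by the “TPM protected ESXi hosts” checkbox.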
We’re all used to updating our Windows Server operating systems with the Windows Update GUI, but did you know that you can update your server using command prompt and “sconfig”?
The past few years I’ve been managing quite a few Windows Server Core Instances that as we all know, do not have a GUI. In order to update those instances, you need to run Windows Update using the command line, but this method actually also works on normal Windows Server instances with the GUI as well!
Please enjoy this video or read on for why and how!
Why?
Using a GUI is great, however sometimes it’s not needed, and sometimes it even causes problems if it loses the backend connection it’s pulling the data from. I’ve seen this on newer Windows operating systems where the Windows Update GUI stops updating and you just sit there thinking the updates are running, when they are actually all complete.
The GUI also creates additional overhead and clutter. If there was an easier alternative to perform this function, wouldn’t it just make sense?
On Windows Server instances that have a GUI, I find it way faster and more responsive to just open an elevated (Administrative) command prompt, and kick off Windows Updates from there.
How
You can use this method on all modern Windows Server versions:
Windows Server (with a GUI)
Windows Server Core (without a GUI)
This also works with Windows Server Update Services so you can use this method either connecting to Windows Update (Microsoft Update) or Windows Server Update Services (WSUS).
Now lets get started!
Open an Administrative (elevated) command prompt
Run “sconfig” to launch the “Server Configuration” application
Select option “6” to “Download and Install Windows Updates”
Choose “A” for all updates, or “R” for recommended updates, and a scan will start
After the available updates are shown, choose “A” for all updates, “N” for no updates, or “S” for single update selection
After performing the above, the updates will download and install.
I find it so much easier to use this method when updating many/multiple servers instead of the GUI. Once the updates are complete and you’re back at the “Server Configuration” application, you can use option “13” to restart Windows.
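sconfig is still interactive, which is fine for a handful of servers but not for a fleet. The same scan, select, download, install flow that option 6 walks you through is exposed by the built-in Windows Update Agent COM API, so here it is as an added example (my own script, not from the original post), with no third-party modules. It honours a WSUS server set by Group Policy and otherwise scans Windows Update, lists what it found with KB number and MSRC severity, and reports whether a reboot is needed. The -SecurityOnly filter is my own addition and is not the same thing as sconfig’s “R” (recommended) choice:

```powershell
# Added example: unattended Windows Update via the WUA COM API, the scripted
# counterpart of "sconfig" option 6. Run from an elevated local session.
[CmdletBinding()]
param(
    # $true installs only updates Microsoft categorises as Security Updates;
    # $false installs everything offered (like sconfig's "A" choice).
    [bool]$SecurityOnly = $false,
    [switch]$Reboot
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Report where updates come from: WSUS if policy sets one, else Microsoft Update.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wsus = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
if ($wsus) {
    Write-Host "Scanning against WSUS: $wsus"
    $searcher.ServerSelection = 1   # ssManagedServer (WSUS)
} else {
    Write-Host 'Scanning against Windows Update / Microsoft Update'
    $searcher.ServerSelection = 2   # ssWindowsUpdate
}

# Equivalent of sconfig's scan: not installed, not hidden, software updates only.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
if ($result.Updates.Count -eq 0) { Write-Host 'No applicable updates.'; return }

$toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $result.Updates) {
    $isSecurity = @($u.Categories | ForEach-Object { $_.Name }) -contains 'Security Updates'
    if ($SecurityOnly -and -not $isSecurity) { continue }
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    $toInstall.Add($u) | Out-Null
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '-' }
    '{0,-10} {1,-9} {2}' -f (@($u.KBArticleIDs) -join ','), $sev, $u.Title
}
if ($toInstall.Count -eq 0) { Write-Host 'Nothing selected for install.'; return }

# Download, then install. OperationResultCode 2 = succeeded, 3 = succeeded
# with errors, 4 = failed, 5 = aborted.
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
if ($dl.ResultCode -ne 2) { throw "Download finished with result code $($dl.ResultCode)" }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    '{0} -> result {1}' -f $toInstall.Item($i).Title, $inst.GetUpdateResult($i).ResultCode
}

if ($inst.RebootRequired) {
    Write-Warning 'A reboot is required to finish installing updates.'
    if ($Reboot) { Restart-Computer -Force }
}
```

One caveat a practitioner hits immediately: the Windows Update Agent refuses to install updates from a remote session (Invoke-Command / WinRM returns an access-denied result on Install), so run this at the console, through a scheduled task, or via your management tool’s local agent, not over PowerShell remoting.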
Today we’re going to discuss and deploy Active Directory Certificate Services on a Windows Server 2022 system. Additionally, we’ll generate a domain certificate request inside of IIS and then assign the resulting certificate to a WSUS Server.
This video will demonstrate and explain the process of deploying a Windows Server 2022 Certification Authority with AD CS.
Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.
Who’s this guide for
This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.
What’s included in the video
In this guide I will walk you through the following:
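The three things the introduction describes (deploying AD CS on Windows Server 2022, obtaining a domain certificate for the server, and assigning it to WSUS), scripted as an added example of my own; this is not code from the original post or video. It assumes a domain-joined Windows Server 2022 on which WSUS and IIS are already installed, that you are logged on as an Enterprise Admin, the placeholder CA name and FQDN below, and that the built-in WebServer template has been issued on the CA with Enroll permission for the server’s computer account. Where the video uses the IIS “Create Domain Certificate” wizard, the script uses Get-Certificate against that template instead, which produces the same kind of certificate:

```powershell
# Added example: Enterprise Root CA + WSUS HTTPS binding. Placeholder names.
$CaName   = 'CORP-ROOT-CA'                 # assumed CA common name
$WsusFqdn = 'wsus01.corp.example.local'    # assumed WSUS server FQDN
$SslPort  = 8531                           # WSUS default HTTPS port

# 1. Install AD CS and configure a single Enterprise Root CA (what the video
#    deploys). Production PKIs normally use an offline root and an issuing CA.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force | Out-Null

# 2. Request a domain certificate for the WSUS server from the CA, using the
#    WebServer template (assumed to be issued and enrollable). The key is
#    generated in the local machine store; the CA signs the request.
$req = Get-Certificate -Template WebServer -SubjectName "CN=$WsusFqdn" `
    -DnsName $WsusFqdn -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Certificate request status: $($req.Status)" }
$cert = $req.Certificate

# 3. Bind the certificate to the "WSUS Administration" site on 8531 and
#    require SSL on the virtual directories clients and the console use.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'WSUS Administration' -Protocol https -Port $SslPort)) {
    New-WebBinding -Name 'WSUS Administration' -Protocol https -Port $SslPort
}
$bindingPath = "IIS:\SslBindings\0.0.0.0!$SslPort"
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
New-Item $bindingPath -Value $cert | Out-Null

$sslDirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
           'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($dir in $sslDirs) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\WSUS Administration\$dir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Tell WSUS itself to use HTTPS, then show the resulting binding.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $WsusFqdn
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $SslPort } |
    Select-Object IPAddress, Port, Thumbprint
```

After this, clients must be pointed at https://<fqdn>:8531 (the Group Policy “Specify intranet Microsoft update service location” setting), and they will only trust the binding if the new root CA certificate has reached them through AD auto-enrollment of the trusted root store, so check a client’s Cert:\LocalMachine\Root before changing the policy.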