...

Tip

This how-to was contributed by Joe B. from the Architecture team at Information Security, ITS and edited and adapted by the ITS Private Cloud Team.

Prerequisites

Note

This process cannot be performed on versions prior to Windows 10/2016 (or on some early Windows 10 builds), as they are End-Of-Life (EOL) and are no longer licensed or viable for use in the environment without valid Extended Security Updates (ESU).

  •  Windows 10/2016+ Operating System.
  •  Ensure the C: drive has at least 5 GB of free space.
  •  Server administrator rights.
  •  ITS Private Cloud Command-Line Interface access.
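Added example (not part of the original how-to): a pre-flight check of the prerequisites above, run from an elevated PowerShell session inside the VM before touching mbr2gpt. The 5 GB threshold and the expectation that the system disk is still MBR come from this page; the function name is my own.

```powershell
# Added example: verify the prerequisites listed above before converting.
function Test-Mbr2GptPrerequisites {
    param([int]$MinFreeGB = 5)   # 5 GB minimum from the prerequisites list

    $checks = [ordered]@{}

    # Windows 10 / Server 2016 and later report a 10.0.x version string
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $checks['OsSupported'] = ($osVersion.Major -ge 10)

    # Free space on C:
    $cDrive = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
    $checks['FreeSpaceOK'] = (($cDrive.FreeSpace / 1GB) -ge $MinFreeGB)

    # Elevated session (mbr2gpt /allowFullOS must run from an elevated prompt)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $checks['IsAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The system/boot disk must still be MBR; GPT means the OS conversion is already done
    $sysDisk = Get-Disk | Where-Object { $_.IsSystem -or $_.IsBoot } | Select-Object -First 1
    $checks['SystemDiskIsMbr']  = ($sysDisk.PartitionStyle -eq 'MBR')
    $checks['SystemDiskNumber'] = $sysDisk.Number   # the N to use with /disk:N on a non-standard install

    [pscustomobject]$checks
}

$result = Test-Mbr2GptPrerequisites
$result | Format-List
if (-not ($result.OsSupported -and $result.FreeSpaceOK -and $result.IsAdmin -and $result.SystemDiskIsMbr)) {
    Write-Warning 'Prerequisites not met; resolve each failed item above before running mbr2gpt.'
}
```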

Instructions

Preparing the VM

  1. Check whether the virtual machine in question already has any of the required security features (VBS, EFI firmware, TPM):

    Code Block
    vss-cli --columns name,uuid,domain.name,version,vbs_enabled,firmware,tpm compute vm ls -f name=UTSGDEV-TEST
    
    name                  uuid                                  domain.name    version    vbs_enabled    firmware    tpm
    --------------------  ------------------------------------  -------------  ---------  -------------  ----------  -----
    1812D-UTSGDEV-TEST    {{uuid}}                              FD1            vmx-19     False          bios        []
    
  2. Take a virtual machine snapshot (for details, see Manage virtual machine snapshots).

    Code Block
    vss-cli compute vm set {vm-id} snapshot mk --description 'Before hardening OS' --lifetime 4

Note that Operating System changes cannot be undone. Reverting to the previous snapshot is the ONLY way to recover should something go wrong. There is also no need to keep the snapshot for an extended period (hence --lifetime 4).

Converting the OS from BIOS to EFI

  1. Connect to the VM via VSS Console (or RDP) and open an elevated Command Prompt (NOT PowerShell).

  2. Validate before converting:

    Code Block
    mbr2gpt /validate /allowFullOS
  3. Convert, assuming you are converting the system disk:

    Code Block
    mbr2gpt /convert /allowFullOS
    1. Successful migration: (screenshot omitted)

    2. If you have a non-standard install, specify the disk number of the system and boot disk:

      Code Block
      mbr2gpt /convert /disk:0 /allowFullOS
Note

If you get an ERROR, revert to previous snapshot.

Converting the VM from BIOS to EFI

  1. Shut down the Virtual Machine

    Code Block
    vss-cli --wait compute vm set {{uuid}} state -c shutdown
  2. Enable VBS on the Virtual Machine

    Code Block
    vss-cli --wait compute vm set {{uuid}} vbs on
  3. Validate the VBS Change

    Code Block
    vss-cli --columns name,uuid,domain.name,version,vbs_enabled,firmware,'tpm[*].label' compute vm ls -f name=UTSGDEV-RD
    name                  uuid                                  domain.name    version    vbs_enabled    firmware    tpm[*].label
    --------------------  ------------------------------------  -------------  ---------  -------------  ----------  --------------
    1812D-UTSGDEV-RD-GW1  {{uuid}}                              FD1            vmx-15     True           efi         Virtual TPM

...

  1. Start up the Virtual Machine

    Code Block
    vss-cli --wait compute vm set {{uuid}} state on

Validate Operating System and Server Operation

Validate VBS and TPM

  1. From a privileged PowerShell session run the following command to verify the UEFI partition information.

    Code Block
    Get-WmiObject  -query 'Select Type from Win32_DiskPartition Where Type = "GPT: System"'
  2. From a privileged PowerShell session run the following command to verify the TPM information:

    Code Block
    Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftTpm" -query "Select * from Win32_Tpm"
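Added example (not part of the original how-to): the two checks above plus the VBS state Windows itself reports, gathered into one object from an elevated PowerShell session. The function name is my own; the WMI/CIM classes and the Win32_DeviceGuard status codes are standard Windows ones.

```powershell
# Added example: post-conversion validation of UEFI partition, TPM and VBS state.
function Test-VbsHardening {
    $r = [ordered]@{}

    # Step 1 above: the system partition must now be a GPT (UEFI) system partition
    $sysPart = Get-CimInstance -ClassName Win32_DiskPartition -Filter "Type='GPT: System'"
    $r['GptSystemPartition'] = ($null -ne $sysPart)

    # Step 2 above: the virtual TPM added by 'vbs on' must be visible to the guest
    $tpm = Get-CimInstance -Namespace 'Root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    $r['TpmPresent'] = ($null -ne $tpm)
    $r['TpmSpec']    = if ($tpm) { $tpm.SpecVersion } else { 'n/a' }

    # Secure Boot can only be queried on UEFI firmware; the cmdlet throws on BIOS
    try   { $r['SecureBoot'] = Confirm-SecureBootUEFI }
    catch { $r['SecureBoot'] = $false }

    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = off, 1 = configured, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r['VbsRunning']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r['CredentialGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)
    $r['HvciRunning']            = ($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]$r
}

$status = Test-VbsHardening
$status | Format-List
# CredentialGuardRunning stays False until the Credential Guard GPO / local security
# settings from the later section are applied and the VM has been rebooted.
```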

Hide System Reserved Partition

As part of the MBR2GPT conversion, the “System Reserved” partition is temporarily assigned the drive letter “E:”, but it is not automatically re-hidden after completion.

  1. Press Win+R to open the Run dialog.

  2. Type diskmgmt.msc and press Enter, which will open Disk Management.

  3. Right-click the System Reserved partition and choose "Change Drive Letter and Paths".

  4. Click Remove to remove the assigned drive letter, then click Yes when the warning window appears. The picture below uses the E: drive as an example:

    (Screenshot: hide a partition via Disk Management)
  5. Now open File Explorer and check that the System Reserved partition is no longer visible.
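Added example (not part of the original how-to): the same drive-letter removal performed from an elevated PowerShell session instead of Disk Management. It locates the volume by the "System Reserved" label rather than assuming E:, and refuses to touch C:.

```powershell
# Added example: remove the drive letter from the System Reserved volume.
$label = 'System Reserved'
$vol = Get-Volume | Where-Object { $_.FileSystemLabel -eq $label -and "$($_.DriveLetter)" -match '^[A-Z]$' }

if (-not $vol) {
    Write-Host "No '$label' volume with a drive letter found; nothing to hide."
} elseif ("$($vol.DriveLetter)" -eq 'C') {
    Write-Warning 'Refusing to remove the C: drive letter.'   # safety guard
} else {
    $letter = "$($vol.DriveLetter)"
    Write-Host "Removing drive letter ${letter}: from '$label'"
    Get-Partition -DriveLetter $vol.DriveLetter |
        Remove-PartitionAccessPath -AccessPath "${letter}:\"

    # Verify: the volume should now report no drive letter
    $after = Get-Volume | Where-Object { $_.FileSystemLabel -eq $label }
    if ("$($after.DriveLetter)" -match '^[A-Z]$') {
        Write-Warning "Drive letter still present on '$label'; check Disk Management."
    } else {
        Write-Host "'$label' is hidden again."
    }
}
```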

Apply Credential Guard GPO or Local Security Settings

...

Virtual Machine Snapshot Cleanup

After you have verified that the Operating System functions as expected, delete the snapshot. There are two options for doing so.

...

If you chose manual disk consolidation, follow Manage virtual machine snapshots to run disk consolidation.
