BM-Bloggers

The blogs of Black Marble staff

Book Review: Windows Virus and Malware Troubleshooting by Andrew Bettany and Mike Halsey

Summary: A very useful volume that discusses what malware is, how to defend against it and how to remove it. Clear and simple instructions are given on ways to improve security on your PC, as well as how to deal with malware that may end up on your PC. Recommended.

Presented in a very easy to read writing style, this book immediately appeals due to the clear, concise and no-nonsense approach taken when discussing malware, what it is, how it can attack and affect your PC, how to defend against it and what to do if the worst should happen and your PC gets infected.

The first chapter provides a nice potted history of viruses and malware on PCs, discussing the various types and how both the proliferation and seriousness of infections has risen from the very first, typically benign examples to the modern day infections such as ransomware that has been in the news so much recently.

Chapter 2 deals with prevention and defence, and introduces the many security features that are built into modern versions of Microsoft Windows to help stop the initial infection. There’s a clear progression in security features as newer versions of Windows have been introduced, and it’s interesting to compare the versions of Windows that were most susceptible to the recent ‘WannaCry’ ransomware attack. Looking at the features discussed (and having been to a few presentations on the subject), this provides an excellent set of reasons for an upgrade to Windows 10 if you’ve not already done so!

Chapter 3 discusses defence in depth and includes information on firewalls, including the Windows firewall, as well as organisational firewalls (I.e. hardware firewalls and appliances) and how to generate a multi-layer defence. While at first glance this section appears to be more targeted at the organisational user, it’s actually also targeted at the home user with a hardware router/firewall combination, and some clarification that this is the case would, I feel, have been useful here. This chapter also bizarrely includes a section on keylogging software, which I feel would have been more useful in the first chapter

This chapter also provides some information on blacklists and whitelists (I.e. internet filtering) and the Internet of Things (IoT). For both of these sections I feel that there’s perhaps been a bit of a lost opportunity, for example a brief discussion of the filtering options available might have been helpful for home users (e.g. my Netgear router at home comes complete with an OpenDNS-based filtering option that can be enabled and configured quickly and easily and seems to provide reasonable protection) and further information on IoT security recommendations, particularly changing the default username and password on devices would be beneficial here.

Chapter 4 deals with identifying attacks starting with how malware infects a PC and providing pointers on how to identify both internal and external attacks. I was very pleased in this section to see information on social engineering and the role that this plays in malware infections.

Chapter 5 provides a very useful list of external resources that can be utilised to help protect your PC and clean a malware infection, including the Microsoft Malware Protection Center, a great location for finding updates, additional security recommendations and products etc. This chapter also provides some limited information on third-party tools that are available. Again, I would have liked to see a more expansive list here, and it’s worth mentioning that many anti-virus vendors provide a free option of their products.

Chapter 6 deals with manually removing malware, and for me this was probably the most useful part of this book. What do you do when malware has ended up on your PC despite your best efforts and you’re now having issues running the automated tools to get rid if it? This chapter helps in this scenario, and provides some steps to take to identify what’s running on the PC, suspend and/or kill the process and remove the infection. In particular I’m pleased to see the Microsoft Sysinternals tools discussed (albeit briefly) as they are my ‘go to’ toolset when dealing with an infection on a PC. If you’re interested in these and how they can be used, it’s worth looking at some of Mark Russinovich'sCase of the Unexplained’ videos as Mark goes through the use of these tools in more detail.

There are one or two downsides; the book is only a slim volume. This has both plusses and minuses insofar as being slim, more people are likely to read it end-to-end and therefore benefit the most from it, however in one or two areas a few more details might be appreciated. For such a slim volume, it’s also more expensive than I would hope for at an RRP of £14.99, which may limit its take-up.

All in all however this is a very easily accessible book that provides great guidance on how to secure your PC, what to watch out for and how to deal with a malware infection. I’ll be encouraging a few people I know to buy a copy and read it!

Title: Windows Virus and Malware Troubleshooting
Author(s): Andrew Bettany, MVP and Mike Halsey, MVP
Publisher: Apress
ISBN-13: 978-1-4842-2606-3

Windows Home Server 2011 Backup of UEFI/GPT Windows 8.1

Since upgrading to Windows 8.1 at home, I’ve had issues with backing up the computer using my Home Server (not that I helped by introducing a GPT disk and a UEFI rig at the same time…). The symptoms were that the client backup process appeared stuck at 1% progress for a long time before eventually failing.

I finally got a bit of time to look at the machines in question over the weekend and here are the issues that appeared to be causing problems for which I needed to find solutions:

  • The PC is a UEFI machine.
  • The PC uses a GPT hard disk.
  • A VSS error was appearing in the event log on the PC being backed up.
  • A CAPI2 error was appearing in the event log on the PC being backed up.

The first two issues were dealt with quickly by a hotfix for Home Server 2011: http://support.microsoft.com/kb/2781272. Note that the same issue also affects Windows Storage Server 2008 R2 Essentials and Windows Small Business Server 2011 Essentials. More information for these platforms can be found at http://support.microsoft.com/kb/2781278

The VSS error manifests as the event 8194 appearing in the event log of the PC that the backup attempt is run on:

VSS Error 8194

Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.

Examination of the binary data for event 8194 indicates that ‘NT AUTHORITY\NETWORK SERVICE’ is account receiving the access denied error:

VSS Error Binary Data

Event 8194 is caused by the inability of one or more VSS system writers to communicate with the backup application VSS requesting process via the COM calls exposed in the IVssWriterCallback interface. The issue is not caused by a functional error in the backup application, but rather is a security issue caused by the selected VSS writers running as a service under the ‘Network Service’ (or ‘Local Service’) account, not the Local System or Administrator account. By default, in order for a Windows service to perform a COM activation it must be running as Local System or as a member of the Administrators group.

There are two ways to fix this issue; either change the account under which the erroring VSS writers are running from Network Service to Local System (at which point the service will be running with higher privileges than was originally designed), or add the Network Service account to the list of default COM activation permissions allowing this user account to activate the IVssWrtierCallback interface. This latter option is the preferred one to use and can be performed by completing the following steps:

  1. Run dcomcnfg to open the Component Services dialog.
  2. Expand Component Services, then Computers and then right-click on My Computer and select Properties:
    Component Services
  3. Select the COM Security tab and click the Edit Default… button in the Access Permissions area at the top of the dialog.
  4. Click Add and enter Network Service as the account to be added.
  5. Click OK and ensure that only the Local Access checkbox is selected.
  6. Click OK to close the Access Permission dialog, then clock OK to close the My Computer Properties dialog.
  7. Close the Component Services Dialog and restart the computer to apply the changes. Event 8194 should not longer appear in the event log for the Home Server backup.

The CAPI2 error manifests as the event 513 appearing in the event log of the PC that the backup attempt is run on:

CAPI2 Error 513

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
.

The Microsoft Link-Layer Discovery Protocol binary is located at C:\Windows\System32\drivers\mslldp.sys. During the backup process, the VSS process running under the Network Service account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the driver records in Service Control Manager database and tries opening each one of them. The function fails on the MSLLDP record with an ‘Access Denied’ error.

The mslldp.sys configuration registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp and the binary security descriptor for the record is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security.

Examining the security descriptor for mslldp using AccessChk (part of the SysInternals suite, available at http://technet.microsoft.com/en-us/sysinternals/bb664922) gives the following result (note: your security descriptor may differ from the permissions below):

C:\>accesschk.exe -c mslldp

Accesschk v5.2 - Reports effective permissions for securable objects
Copyright (C) 2006-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549
  R  NT SERVICE\NlaSvc

Checking the access rights of another driver in the same location gives the following result:

C:\>accesschk.exe -c mspclock

Accesschk v5.2 - Reports effective permissions for securable objects
Copyright (C) 2006-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

mspclock
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  NT AUTHORITY\INTERACTIVE
  R  NT AUTHORITY\SERVICE

In the case of mslldp.sys, there is no entry for ‘NT AUTHORITY\SERVICE’, therefore no service account will have access to the mslldp driver, hence the error.

To correct this issue, complete the following steps:

  1. From an elevated command prompt, run
    sc sdshow mslldp
    You should receive the following output, or something similar:
    D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    Note: Details on Security Descriptor Definition Language can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85).aspx
  2. Add the ‘NT AUTHORITY\SERVICE’ entry immediately before the S::(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) entry and use this with the sdset option, for example using the output from the sdshow option above, this would be:
    sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    Note: The above should all be on a single line when entering/pasting it; do not include line breaks in the command. It’s also important to use the output you receive from the command rather than that which I got as yours may be different.
  3. Check the access permissions again with:
    accesschk.exe -c mslldp
    You should now see a list of permissions that includes ‘NT AUTHORITY\SERVICE’:
    C:\>accesschk.exe -c mslldp
  4. Accesschk v5.2 - Reports effective permissions for securable objects
    Copyright (C) 2006-2014 Mark Russinovich
    Sysinternals - www.sysinternals.com

    mslldp
      RW NT AUTHORITY\SYSTEM
      RW BUILTIN\Administrators
      RW S-1-5-32-549
      R  NT SERVICE\NlaSvc
      R  NT AUTHORITY\SERVICE

  5. Now that the ‘NT AUTHORIT\SERVICE’ permission has been added, Network Service should be able to access the mslldp.sys driver file.

Following the above fixes, my computer is now being successfully backed up using Home Server 2011.

Generation 2 Virtual Machines on Windows 8.1 and Server 2012 R2 plus other nice new features

DDD North 2013 was a fantastic community conference but sadly I didn’t get chance to deliver my grok talk on Generation 2 virtual machines. A few people came up to me beforehand to say they were interested in the topic, and a few more spoke to me afterwards to ask if I would blog. I had planned to write a post anyway, but when you know it’s something people want to read you get a bit more of a push.

This post will cover two areas of Hyper-V in Windows 8.1 and Server 2012: Generation 2 virtual machines which are completely new and a number of changes that should apply to all VMs, be they gen 1 or gen 2. What I not going to cover, as it’s a post all of it’s own, is the new and improved software-defined-networking in hyper-v.

Generation Next

As you can see in the screenshot below, when creating a virtual machine in the Windows 8.1 and Server 2012 you are asked which generation of VM you want. The screen gives a brief and reasonable summary of what the differences are… to a point.

image

Generation 1 virtual machines are a mix of synthetic and emulated hardware. This goes all the way back to previous virtualisation solutions where the virtual machine was usually a software emulation of the good old faithful Intel 440BX motherboard.

  • The emulated hardware delivered a high level of compatibility across a range of operating systems. Old versions of DOS, Windows NT, Netware etc would all fairly happily boot and run on the 440BX hardware. You didn’t get all the cleverness of a guest that knew it was inside a VM but it worked.
  • PXE (network) boot was not possible on the implementation of the synthetic network adapter in Hyper-V. That meant that you had to use the emulated NIC if you wanted to do this.
  • Virtual hard disks could be added to the virtual SCSI adapter whilst the machine was running, but not the IDE adapter. You couldn’t boot from a SCSI device, however, so many machines had to have drives on both devices.
  • Emulated keyboard controllers and other system devices were also implemented for compatibility.

Generation 2 virtual machines get rid of all that legacy, emulated hardware. From what I’ve read and heard, all the devices in a generation 2 VM are synthetic, software generated. This makes the VM leaner and more efficient in how it uses resources, and potentially faster as gen 2 VMs are much closer to the kind of hardware found in a modern PC.

There are three key changes in Gen as far as most users are concerned:

  • SCSI disks are not bootable. There is no IDE channel at all; all drives (VHD or virtual optical drive) are now on the SCSI channel. This is far simpler than before.
  • Synthetic network adapters support PXE boot. Gone is the old legacy network adapter.
  • The system uses UEFI rather than BIOS. That means you can implement secure boot on a VM. Whilst this might sound unnecessary it could be of great interest to organisations where security is key.

The drawback of gen 2 is that, right now, only Windows 8, Server 2012 and their respective new updated versions can be run as a guest in a gen 2 VM. I’m not sure that this will change in terms of Microsoft operating systems, but I do expect a number of Linux systems to be able to join the club eventually. I have done a good deal of experimentation here, with a large range of Linux distributions. Pretty much across the board I could get the installation media to boot but install failed because the hardware was unknown. What this means is that when Microsoft release new versions of the hyper-v kernel additions for Linux we should see support expand in this regard.

The screenshot below shows the new hardware configuration screen for a generation 2 virtual machine. Note the much shorted list of devices in the left hand column:

image

Useful changes across generations

There have been some other changes that, in theory, span generations. More on that in a bit.

Drives

When Server 2012/Windows 8 arrived, Microsoft added bandwidth management for VMs. That useful for IT pros who want to manage what resources servers can consume but it’s also jolly handy for developers who would like to try low bandwidth connections during testing. We can’t do anything about latency with this approach, but it’s nice to be able to dial a connection down to 1Mb to see what the impact is.

Server 2012 R2/Windows 8.1 add a similar option for the virtual hard drive. We can now specify QoS for the virtual hard disks, in IoPs. The system allows you to set a minimum and maximum. It’s important to remember here that this does depend on the physical tin beneath your VM. I run two SSDs in my laptops now, but before that my VMs ran on a 5400rpm drive. Trying to set a high value for minimum IoPs wouldn’t get me very far here. What is more useful, however, is being able to set the maximum value so we can start to simulate slow drives for testing.

As with network bandwidth management, I think this is also a great feature for IT pros who need to manage contention between VMs and focus resource on key machines.

The screenshot below shows the disk options screen with QoS and more.

image

Also new is the ability to resize a VHD that is attached to a running machine. This is only possible with disks attached to SCSI channels, so gen 2 VMs may get more benefit here. Additionally, VHDs can now be shared between VMS. Again, this is SCSI only but this is a really useful change because it means we can build clusters with shared storage hosted on VHDs rather than direct attached iSCSI or fibrechannel. The end result is to make more options available to the little guys who don’t have the resources for expensive tin. It’s also great for building test environments that need to mirror those of a customer – we do that all the time and it’s going to give us lots of options.

Networks

I already said that I’m not going to dive into the new software-defined-networking here. If terms like NVGRE get you excited then there are people with more knowledge of comms than I have writing on the subject. Suffice to say it looks really useful for IT pros but not really for developers, I don’t think.

Also not much use for developers but incredibly useful for developers is the new Protected Network functionality. The concept of this is really simple and so, so useful:

Imagine you have a two node cluster. Each node has a network connection for VMs, not shared by the host OS, and one for the OS itself that the cluster uses. Node 1 suddenly loses connectivity on the VM connection. What happens? Absolutely nothing with Server 2012 because the VMs are still running and nothing knows that the VMs no longer have connectivity. With Server 2012 R2/Windows 8.1 you can enable protect network for the virtual adapter. Now, the systems are checking connectivity to the VM and in our scenario all the VMs on node 1 will fail merrily over to node 2, which still has a connection.

I know we will find this new feature useful on our clustered, production VM hosts. Again, this really helps smaller organisations get better resilience from simpler hardware solutions.

The screenshot below shows the advanced options for a network adapter with network protection enabled.

image

Enhanced session mode

I said that, in theory, many of the new changes are pan-generation (and pan-guest OS). According to the documentation, enhanced session mode should work on more than just Windows 8.1 or Server 2012 FR2 guest operating systems. In practice, I have not found this to be the case, even after updating the VM additions on my machines to the latest version.

It is useful, however. When you enable enhanced session mode then, providing you have enabled remote desktop on the guest, this will be used to connect to the VM. Even if the guest has no network connection to the host OS, or even a network adapter!).

The screenshot below shows the option for enhanced session mode. This is enabled by default in Windows 8.1 and disabled by default in Server 2012 R2.

image

When you have the option enabled you will see a new button on the right of the toolbar, as shown in the image below.

image

That little PC with a plus symbol toggles the VM connection between old-style and the new, RDP-based connection. The end result is that you get more screen resolution choices, you can copy and paste properly between your host and the VM (no more paste keystrokes and you can copy files and documents!) and all the USB device pass-through from the host works too.

For developers working inside a VM this is is great – no more needing network connections to be able to RDP into a box. That means that you can run sensitive VMs, or multiple copies of a VM on multiple machines much more easily than before. If you enable the new connection mode on a VM, and restart it, when the VM begins to boot it connects in the old way, but as soon as it detects the RDP service on the guest you get a dialog asking you for the new resolution and it swtiches to the RDP style connection. It’s great.

I’m hoping that there will either be updates for older Microsoft OS versions, or updated VM additions that will give a consistent result that I have no so far experienced. In theory, updates to the Linux kernel additions could also add this new connection type, but again, so far my experience is that it doesn’t work right now.

Summary

To sum up then:

  • Generation 2 VMs – leaner, meaner and simpler all round but limited to the latest Microsoft desktop and server OS’. I can’t see a reason not to use them for the latest OS version.
  • Disk QoS – should be really useful for dev/test when you need to simulate a slow drive. Great for IT pros to manage environments with a mix of critical and non-critical VMs.
  • Online VHD resizing. There are so many times I’ve needed this on dev/test in the last few months alone. Shame it’s SCSI only so you can’t grow the OS disk on a gen 1 VM but you can’t have everything.
  • Shared VHD. Another useful new option that will help building dev/test environments and will also be useful for smaller organisations who want to build things like virtualised clustered file servers using a cluster shared volume (CSV).
  • Network protection. Great for IT pros running host clusters. Can’t see a use for devs.
  • Enhanced session mode. Useful all round, especially for devs who want to easily work on a VM. Useful for IT pros who need to copy stuff on to running VMs, but so far my experience is mixed as it only works on Windows 8.1 and Server 2012 guests.

Windows 8.1 is already on MSDN and TechNet so if you’re a dev or IT Pro with the right subscriptions, why aren’t you trying this stuff already? For everybody else, the 18th of this month sees general availability and I expect evaluation media will be available for you to play with.

Miracast with Surface Pro, Windows 8.1 release and Netgear Push2TV

One of the most useful features of Windows 8.1 for me is the native support for Miracast (which is compatible with Intel Widi) for connecting to a wireless projector or display. Being able to wander around with my tablet whilst speaking is really handy.

Sadly, whilst this worked for a little while during the preview, everything stopped with no reason. Searching the internet hive mind suggested that a Windows Defender update during the preview release had borked it, but nobody could confirm.

When the release media arrived on MSDN I upgraded my Surface Pro. Sadly, no joy with the Miracast feature. However, a new firmware update has been release by Microsoft (see  Mr Thurrott for details) and that has fixed the issue. I suspect it’s actually a set of updated display drivers, as a connection could always be be made to the device but nothing would show on screen.

The Push2TV is a great little device – it’s tiny (a couple of inches long, about an inch wide and less than half an inch deep) and will draw power from a USB port on the TV or projector. I got it for testing but I’d really like to be able to use it at our events. The universality of Miracast support in Windows 8.1 might just let me do that.

This isn’t our first rodeo, however. Thanks to a recommendation from Messrs May and Fryer I also have a Belkin Screencast. I couldn’t get that working during the preview of Windows 8.1 at all. I will test that when I get some time. I personally prefer the Netgear, but the Belkin isn’t a bad device. It’s bigger and has a separate PSU, but the big difference for me is that the Belkin insists on fiddling with firmware updates via the Widi connection and it’s a bit of a pain, frankly. The Netgear is a much friendlier, manual update over normal wifi.

Installing .Net 3.5 onto Windows 8 and 8.1 using DISM

This is one of those posts to save me searching the web every time I need to install .Net 3.5 on a Windows 8 (and now 8.1) system. If the automated installation via add/remove features fails then you need the correct DISM command.

For those who have not yet encountered it, DISM allows you to perform actions on Windows image files in a process called Offline Servicing. However, it also allows you to perform the same functions online – on your current windows system.

There is a handy TechNet post on the various ways of installing .Net 3.5 on Windows 8. It’s a useful reference.

For those, like me, who just want the quick steps:

  • Grab your Windows 8 media – USB stick, mounted ISO or DVD.
  • Open an Administrator-level command prompt.
  • Type: Dism /online /enable-feature /featurename:NetFx3 /All /LimitAccess /Source:x:\sources\sxs Where x is the drive letter of your source media.
  • Watch the installation progress. Job done.

Editing Windows Server 2012 Group Policies for Direct Access with Windows 8.1 Enterprise Preview

I finally got time to upgrade my Surface Pro to Windows 8.1 Enterprise. One of the things I most want to test is DirectAccess, as I live and die by this on my main laptop. However, despite the computer object for my machine being in the group that the DA group policies are applied to, no DA settings appeared.

TIP: On Windows 8.1, use Get-DAClientExperienceConfiguration in a PowerShell window to check your settings.

It turned out the policy wasn’t being applied because of the default Windows Server 2012 option of creating a WMI filter to only apply the Direct Access group policy to laptops. That filter had a bunch of Windows version statements in it.

To fix:

Open the Group Policy Management tool (on your DC or laptop with remote admin tools installed).

Find the group policy object “DirectAccess Client Settings”

At the bottom of the policy is WMI Filtering. You will see a filter called “DirectAccess – Laptop only WMI Filter”

Click the button to the right to open the filter. You should see something like the panel below. Click Edit Filter
image

Select the second entry. Click Edit.
image

 

The original filter text is:

Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR (Version LIKE '6.2%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

Windows 8.1 is version 6.3.x, so you need to change the filter toread as follows (edits highlighted in red):

Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR ((Version LIKE '6.2%' OR Version LIKE '6.3%') AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

 

Give AD a few minutes to catch up then run gpupdate /force in a command prompt on your laptop. If you run the powershell again, you should see a full complement of DA settings. The network panel takes a few minutes to catch up, but you should soon see your DirectAccess connection listed.

Installing Windows 8.1 Enterprise on Surface Pro

Windows 8.1 Enterprise preview was released a week or two ago. Being on holiday prevented me trying it out until I returned to the office. Everyone has different methods for installing Windows 8/8.1 on a Surface Pro. It’s actually pretty simple. Windows 8 can be done in the same way as I list here. However, you will need to download the Surface Pro Driver pack from Microsoft – Windows 8 doesn’t automatically find all the hardware; Windows 8.1 does.

The first thing you need is a set of USB installation media that the Surface can read. Sadly, the Windows 7 ISO utility form Microsoft doesn’t create UEFI-bootable media. Enter stage left Rufus – a magnificent tool!

Grab your downloaded ISO file, find a nice fast USB3 drive that’s at least 4Gb in size and start the tool. Use the settings as in the screenshot, below. Select your ISO and hit go.

image

Once you’ve got your media you need to boot your Surface Pro from it. There are different notes on the internet about this. Some tell you to boot the machine whilst holding down the volume up button to enter the BIOS and change the secure boot options.

You don’t need to do this.

Instead, with your Pro switched off, plug in your USB drive. Hold down the volume down button and press the power button. keep the volume down button held down until you see the Surface start to boot from your USB setup volume. That’s all there is to it.

Once your Surface Pro has started setup you should be on familiar ground. Choose to do a full install, not an upgrade. However, when setup shows you a long list of partitions and asks where to install Windows, pause.

You can scrub the drive and install clean. If you do that, you lose all the nice original install of Windows 8 that you can fall back to when you stuff your machine. If you just install to the OS partition, you can use Windows’ really nice refresh my PC function to restore the original factory image.

If you want to install clean, go ahead. If, like me, you want to be more gentle, select Drive 0 partition 4. On my Surface Pro it was around 110.2Gb. Select the option to format the partition and then choose that for your installation.

After that, setup will chug for a few minutes, your Surface Pro will reboot and presto! A new Windows 8.1 install.

It too a reboot or two for all the devices to populate on my Pro, but at no point did I need to hunt down drivers. It all just works! Lovely.

Next stop, domain join to my domain and then bitlocker the hard drive and check out DirectAccess!