Uncategorized

Windows Server 2016 no longer offers to add or remove GUI Layers

In a surprising move, Microsoft decided to remove a feature, that from a security point of view was perhaps the most useful feature in Windows Server.

Let’s look at the recent history of Windows Server:

 

Windows Server 2008 (R2)

Windows Server 2008 and Windows Server 2008 R2 were the first two versions of Windows Server that offered the ability to install the Operating System (OS) as Server Core installations. These optimized installations of Windows Server offered more security (due to a smaller attack surface), less resource use and more agility.

Even though, Windows Server 2008 Server Core headed for a dead end street in some scenarios, some organizations opted to install their Windows Servers as Server Core installs.

 

Windows Server 2012 (R2)

To allow even greater agility, but also to get the installation ‘just right’ using the Graphical User Interface (GUI), Microsoft offered to add and remove GUI layers in Windows Server 2012 and Windows Server 2012 R2. This way, system admins can switch from Full Installations (even with the Desktop Experience feature turned on) to Server Core Installations. We’ve discussed it here, roughly five years ago.

We saw an uptick in the adoption of Server Core due to this opportunity and believe it made the life of admins easier, even though they would not fully benefit as much as they would with a Server Core Installation from the get-go.

 

Windows Server 2016

Now, in Windows Server 2016, Microsoft no longer offers to add and remove GUI layers.

Admittedly, many of the Server Core benefits have become moot points with Windows Server 2016: The newly added security measures in Windows Server add a lot. This removes most of the urgency of removing the GUI, although you can’t install Internet Explorer from Windows Server 2016…

Also, many of the (graphical) tools we needed in Windows Servers to configure the Windows Server installation just right also have grown up and now offer command-line, if not PowerShell support. There’s less and less need to install Windows Server as a Full Installation to configure it.

 

I guess time will tell if Microsoft has made a wise decision by removing the ability to add and remove GUI layers…

Three things to consider when switching the GUI in Windows Server

Windows Server 2012 and Windows Server 2012 R2 allow to switch the Graphical User Interface (GUI) on and off. It’s easy, and already the topic of a previous blogpost.

Note:
The ability to switch GUIs in Windows Server has been removed in Windows Server 2016.

I’ve already showed you how to actually switch between these three GUI modes (with a choice between dism.exe and PowerShell), but what I haven’t pointed out yet, is the things you need to consider when you actually switch between GUI modes:

 

1. Only update in your desired GUI mode

One of the benefits of running a Server Core installation is a smaller attack surface, compared to a Full installation. The attack surface in a Full installation results in a higher amount of vulnerabilities and a higher frequency of updates for the Operating System.

Another benefit of Server Core is a smaller disk footprint, compared to a Full installation. This benefit becomes partly undone when we start installing updates for a Full installation, that we no longer need when we run the server as a Server Core installation most of the time. To this date, there is no way or tool to determine which updates are no longer needed or to actually uninstall these in a simple way.

 

2. Take notice of the support matrix of your agents and add-ons

Even the server running your easiest of tasks needs to adhere to your information security strategy. This results in the installation of many agents and add-ons. Backup, anti-malware and UPS all need their respective software. When your environment also features System Center, you will need software like the Server App-V agent and the System Center Configuration Manager agent.

Even though the Server Core team communicated a whole lot within Microsoft, it’s not plausible to assume every product team took notice of the ability for administrators to switch between GUIs. So, the problems with Microsoft software may already be big, but the bigger question is which software producers have also got the message? Did your anti-malware supplier get it?

Two ways to make sure you’ll be in the clear while switching GUIs, are:

  1. Consult the support matrix from the suppliers of your agents and add-ons
  2. Test your configuration

The best choice, however, remains to install agents and add-ons (remotely) with the Server installation in the desired GUI.

 

3. Take notice of the support matrix of your server applications

The SQL Server team has actively communicated SQL Server 2012 and up supports installation on Server Core. They are one of the product teams outside the Windows Server group to get onboard with Server Core. Other Microsoft Server products, like Exchange Server and Skype for Business Server have not communicated plans in that direction.

Even though the Server Core team communicated a whole lot within Microsoft, not every product displays a warning at installation, warning you not to switch the GUI after installing the product. Many non-Microsoft products also might not contain the warning, at least in the early period after their releases.

PowerShell versions you can expect and get on Server Core Installations

Windows PowerShell and Server Manager are the preferred ways to manage Server Core installations of Windows Server. This works great at later builds of Windows Server, but it wasn’t all Hallelujah from the start of Server Core.

Windows PowerShell and Server Manager are the preferred ways to manage Server Core installations of Windows Server. This works great at later builds of Windows Server, but it wasn’t all Hallelujah from the start of Server Core.

 

Built-in versions of PowerShell

The following versions of Windows PowerShell are available by default to Server Core installations, per version of Windows Server:

Windows Server 2008

Server Core installations of Windows Server 2008 do not offer Windows PowerShell due to a lack of .NET Framework.

Windows Server 2008 R2

Server Core installations of Windows Server 2008 R2, by default, offer Windows PowerShell 2.0.

Windows Server 2012

Server Core installations of Windows Server 2008 R2, by default, offer Windows PowerShell 3.0.

Windows Server 2012 R2

Server Core installations of Windows Server 2008 R2, by default, offer Windows PowerShell 4.0.

 

Upgradeable versions of PowerShell

When you’d like a newer version of Windows PowerShell on a Server Core installation, you can upgrade it.

Windows Server 2008

Server Core installations of Windows Server 2008 do not offer Windows PowerShell, nor upgrades to Windows PowerShell.

There is no supported way to get Windows PowerShell on these systems.

Windows Server 2008 R2

Server Core installations of Windows Server 2008 R2 can be upgraded to:

  • Windows PowerShell 3.0
    (as part of Windows Management Framework 3.0)
  • Windows PowerShell 4.0
    (as part of Windows Management Framework 4.0)

The Windows Management Framework is a group of several management-related tools, like PowerShell, BITS and the WinRM service.

Windows Server 2012

Server Core installations of Windows Server 2008 R2 can be upgraded to Windows PowerShell 4.0.

The Windows Management Framework is a group of several management-related tools, like PowerShell, BITS and the WinRM service.

Windows Server 2012 R2

There is no upgrade for Windows PowerShell available yet, beyond Windows PowerShell 4.0

About Codename “Tuva”

While discussing Server Core and Nano Server with Aleksandar Nikolic, an old friend and a Microsoft MVP for roughly as long as I have, he shared an interesting tidbit on Nano Server with me.

About Nano Server

Windows Server 2016 offers a new installation option: Nano Server. It is a remotely managed option similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability, and only supports 64-bit applications, tools, and agents. It takes up far less disk space, sets up significantly faster, and requires far fewer updates and restarts than Windows Server with the full desktop experience.

See Getting Started with Nano Server for full details.

Apparently, Nano Server’s codename within Microsoft was ‘Tuva’.

About Tuva

Tuva is a region and is a federal subject of Russia according to Wikipedia.
Tuva was an independent state between the World Wars; between 1921 and 1944 Tuva constituted a sovereign, independent nation, under the name of Tannu Tuva, officially, the Tuvan People’s Republic, or the People’s Republic of Tannu Tuva. The independence of Tannu Tuva, however, was recognized only by its neighbours: the Soviet Union and Mongolia.

Tyva voluntarily became a part of The Soviet Union in 1944 and was part of Russia the shortest of all republics in the USSR.

Verifiying the codename

Now, of course, you are curious how to verify the above information.
With the command below you can check the Nano Server codename:

Get-CimInstance win32_operatingsystem | Select caption

 

Concluding

Congratulations, you’ve wasted a minute of your time to learn up on a little known fact of Nano Server, that will make you a more interesting person for small talk.

You’re welcome. 🙂

Making NanoServerImageGenerator.psm1 more useful on a daily basis

I’ve been playing around with Nano Server these couple of days, but grew a bit tired of needing to import the NanoServerImageGenerator.psm1 Windows PowerShell Module at the beginning of every Windows PowerShell session.

Now, you might say I’m a bit too tidy, because I properly close any session I don’t need for the next two minutes. Additionally, the fact that Windows PowerShell Cmdlets from the built-in Windows PowerShell Modules automatically load, doesn’t help me in using the Windows PowerShell Cmdlets from the NanoServerImageGenerator.psm1 Windows PowerShell Module. Yes, I’m that spoiled. 😉

So, I decided to copy the PowerShell Module to the PowerShell Modules folder to get access to its function without even importing  it on the session, effectively adding it to the collection of built-in Windows PowerShell Modules. Using your Windows Server 2016 Installation Media, copy it with these three example PowerShell one-liners in an elevated PowerShell window:

New-Item “C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator” -Type Directory

Copy-Item “X:\NanoServer\NanoServerImageGenerator.psm1″ -Destination “C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psm1” -Force

New-ModuleManifest -Path  “C:\Program Files\WindowsPowerShell\Modules\NanoServerImageGenerator\NanoServerImageGenerator.psd1” -RootModule NanoServerImageGenerator.psm1

Now, on this system, I can build the Nano Server images I’d want, without running into the otherwise inevitable is not recognized as the name of a cmdlet, function, script file, or operable program errors for the Windows PowerShell Cmdlets in the NanoServerImageGenerator Windows PowerShell Module.

Available packages for Nano Server in Windows Server 2016 Technical Preview 4

As described in my blogpost on the differences between Server Core and Nano Server, I stipulated that Nano Server is intended for fabric purposes; to provide the best platform for Microsoft’s cloud platform, like hypervisor hosts, scale-out file servers and such.

This also becomes clear from the packages available in the fourth Technical Preview of Windows Server 2016.

When looking at the contents of the Packages subfolder of the NanoServer folder on the Windows Server 2016 TP4 installation media, the following packages are available:

  • Microsoft-NanoServer-Compute-Package
  • Microsoft-NanoServer-Containers-Package
  • Microsoft-NanoServer-DCB-Package
  • Microsoft-NanoServer-DNS-Package
  • Microsoft-NanoServer-DSC-Package
  • Microsoft-NanoServer-Defender-Package
  • Microsoft-NanoServer-FailoverCluster-Package
  • Microsoft-NanoServer-Guest-Package
  • Microsoft-NanoServer-IIS-Package
  • Microsoft-NanoServer-NPDS-Package
  • Microsoft-NanoServer-OEM-Drivers-Package
  • Microsoft-NanoServer-Storage-Package
  • Microsoft-OneCore-ReverseForwarders-Package
  • Microsoft-Windows-Server-SCVMM-Compute-Package
  • Microsoft-Windows-Server-SCVMM-Package

 

All the above packages are available as .cab files.

The packages can be added to your NanoServer installation image using the New-NanoServerImage PowerShell Cmdlet from the NanoServerImageGenerator.psm1 PowerShell Module in the NanoServer folder on the Windows Server 2016 TP4 installation media.

How is Nano Server different from Server Core?

I get this question a lot:

How is Nano Server different from Server Core?

Obviously, both configuration options for Microsoft’s upcoming Windows Server 2016 release share similarities. In other areas, they are different:

 

Nano Server is a refactoring

Where Server Core installations of Windows Server, since Windows Server 2008, can be seen as skimmed down versions of Windows Server – a normal Windows Servers with bits thrown out -, Nano Server is a complete refactoring of the Operating System.

 

Nano Server is a revolution, not an evolution

Where the goal with Server Core was to provide less attack surface and require less reboots, the goal with Nano Server is to provide the best platform for Microsoft’s cloud platform, like hypervisor hosts, scale-out file servers and such.

Of course, Nano Server does provide a smaller disk footprint (-93%), does require fewer critical security bulletins (-92%) and does require fewer reboots (-80%), but its aim is to provide the fabric for Azure and Azure Stack.

 

Nano Server is introduced in Windows Server 2016

Where Server Core is available since Windows Server 2008, Nano Server will be introduced with Windows Server 2016. Surprisingly, Nano Server will be made available in roughly the same way Server Core was made available in its first reincarnation on Windows Server 2008: There’s no way to switch from Nano Server to a full-blown or Server Core version of Windows Server 2016.

Nano Server is not installed in a traditional way

A main difference, though, between installing Server Core in Windows Server 2008 and Nano Server in Windows Server 2016, though, is that a Nano Server installation is not achieved through the traditional Windows Server Installation Wizard. There are only two options in Windows Server 2016 Installation Wizard:

  1. Windows Server 2016 with Desktop Experience
  2. Windows Server 2016

Where the second option corresponds to a Server Core-like installation.

Instead, Nano Server installations originate from the NanoServer folder on the Windows Server 2006 Installation Media. A new Nano Server VHD image can be built from the PowerShell Module in this folder using the New-NanoServerImage PowerShell Cmdlet.

 

Nano Server is headless

Where Server Core installations offered a management infrastructure, Nano Server is basically headless. Yes, you can log onto it, but it will return an experience that is best described as DOS with the ability to fix networking.

But, you can use Server Manager remotely, as you probably already would have done with Server Core installations of Windows Server 2012 R2, and you can Remote PowerShell into it, which should give you all the configuration goodness you need.

Guess who’s back?

A little while ago, I wrote about Benjamin Herila.

Two months ago, however, Ned Pyle gave an answer to a Server Core-related question. His advice was to contact Andrew Mason. I laughed out loud, but Ned was more up to date with current affairs than I was at that point.

After two years at Amazon, Andrew Mason decided to return to Microsoft.

 

I met Andrew at IT/DEV Connections in Las Vegas last week.

About Andrew Mason

It was a fun reunion. Andrew told me he rejoined Microsoft because the company and its strategies are still close to his heart. Bear in mind; Andrew has worked for Microsoft for many years before he plunged into his Amazon adventure…

Andrew is now working as a Principal Program Manager, focusing on Nano, this time around. He’s still very driven on untangling spaghetti code, and still very passionate at making Windows lean and mean.

His team is not a big team, but neither was his Original Server Core team back in the days. Andrew is a people-person and from his stories, most of his work is to make Program Managers from other teams make their teams deliver on the promises of lean and mean Windows. Yes, that’s called ‘Nano Server‘, these days, but don’t expect a finish line for these initiatives any time soon.

Personal note

Personally, I feel that Andrew is a great asset to Microsoft. It would be a waste if Microsoft would decide to let him go, but Andrew assured me that he won’t be leaving himself, any time soon.

I posted a series on 4SysOps

I would like to point those looking at Server Core in Windows Server 2012, to 4SysOps.

I’ve posted a series there:

 

Enjoy! 🙂

How to get going with PowerShell in Server Core R2

Server Core installations of Windows Server 2008 R2 and installations of Hyper-V Server 2008 R2 offer Windows PowerShell. A lot has been written on the geekiness of PowerShell, how it wasn’t included in Server Core installations of Windows Server 2008 R2 and how you could enable it anyway. The question however is, how do you get started with using PowerShell in Server Core?

This blogpost shows you how to install PowerShell, how to start it up and issue some basic commands.

Installing PowerShell

To install Windows Powershell on a Server Core installation of Windows Server 2008 R2, issue the following three commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets

These commands will install the .Net Framework 2.0 binaries. This is a package, Windows PowerShell depends on. After you’ve successfully installed the .Net Framework you can install Windows PowerShell. Use the last command to be able to use the built-in PowerShell cmdlets for Server Manager.

Note:
The above commands are case sensitive.

 

If you also need 32bit support in Windows Powershell, also issue the following two (again: case sensitive) commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell-WOW64

Tip!
You don’t need to install the base Windows on Windows (WoW) 64 package into a Server Core installation of Windows Server 2008 R2. This package is installed by default.

  

Starting PowerShell

To start using PowerShell you need to start it up. For some strange reason the path where PowerShell resides is not added to the %PATH% variable after installing, so you need to drill down to it, before you can start PowerShell.

Use the following commands:

cd C:Windowssystem32WindowsPowerShellv1.0
powershell

 

Now PowerShell is started. (Congratulations!)

Showing off PowerShell

One of the strongest examples of the strength of PowerShell is the ability to add and remove Server Roles and Server Features, without the need to worry whether you’re typing them right. (remember, the dism.exe command is case-sensitive)

for instance, on the PowerShell you can use the following command to install the Windows on Windows (WoW) 64 support for .Net Framework 2.0:

PS > enable-windowsfeature netFX2-ServerCore-WoW64

 

Also, one of the nice benefit of using the get-windowsfeature PowerShell cmdlet is you get the hierarchy, instead of the long list of Server Roles and Features you get when you use dism /online /get-features. See for yourselves, when you execute the following command:

PS > import-module ServerManager
PS > get-windowsfeature

  

Further reading

Windows Server Core: Overview
Learning Windows Server 2008 R2 – Server Core…
Windows Server 2008 R2 Rocks!
How to enable PowerShell in Hyper-V Server 2008 R2
Setup Core Configurator on Windows Server 2008 R2
Using PowerShell on Windows Server 2008 R2 Server Core
Has Microsoft redeemed itself?