TechEd 2014: Deploying Windows 8.1

Session: WIN-B323 Deploying Windows 8.1 in the Enterprise

This was a high-level session by two Dell employees covering some tips about deploying Windows 8.1 in the enterprise.

OSD Planning and Reference Build

  • Application compatibility: Antivirus, third party encryption, Office (32-bit or 64-bit), IE enterprise mode

Enterprise Mode in IE 11

  • EMIE is a bridge between modern browsing and investments in older applications
  • Locally – User can specify sites to be rendered in IE8 compatibility mode
  • Managed – Crowd sourcing centralizes compatibility lists
  • Can turn on via group policy or the registry

Group Policy Considerations

  • OneDrive options need to be reviewed to avoid overlap between home and work environments. Sync options are managed by group policy.
  • Personal account Sync items: Start screen, appearance, lots of other options with

Customizing Start

  • Why customize? Better OOBE, train by example, fit and finish
  • Options: Copy profile, appsFolderLayout, StartTiles, Group Policy. Dell uses AppsFolderLayout for customization.

UEFI Secure Boot

  • Enhances security in pre-boot environment
  • Windows 8 logo certification support for secure boot
  • UEFI: replacement for BIOS, secure, faster boot/resume times
  • Requires UEFI native (no legacy boot option ROMs)
  • OSD challenges with secure boot: x64 HW requires x64 OS boot disk and OS, manual touch to enable and configure

Refresh/Reset

  • Use your corporate image to refresh the PC
  • Can reduce time to repair for a corrupted machine down to 30 minutes
  • “Push button” reset capability for the enterprise
  • Great TechNet articles on how to do this
  • Adds about 20 minutes to the end of the build process
  • Great for remote employees
  • Tip: Shift-restart brings you into the recovery environment
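The custom-image refresh the session described is set up with recimg.exe, the Windows 8/8.1 tool that registers a WIM of the current system as the image "Refresh your PC" restores. The script below is an added example, not from the session; the image path C:\RefreshImage is an assumption.

```powershell
# Added example (not from the session). Registers a custom refresh image at the
# end of a reference build so "Refresh your PC" restores the corporate image
# instead of the factory one. Windows 8 / 8.1 only: recimg.exe was removed in
# Windows 10. Run from an elevated PowerShell prompt on the finished build.
$imageDir = 'C:\RefreshImage'   # assumed location; any local NTFS folder works

# 1. Make sure WinRE itself is enabled, otherwise Refresh/Reset and the
#    Shift+Restart trick cannot reach the recovery environment at all.
$reInfo = reagentc /info
if (-not ($reInfo -match 'Windows RE status:\s+Enabled')) {
    reagentc /enable
    if ($LASTEXITCODE -ne 0) { throw "reagentc /enable failed ($LASTEXITCODE)" }
}

# 2. Capture the current system volume into a WIM and register it as the active
#    refresh image. Refresh keeps the user's personal files and Store apps on
#    its own; the custom image is what preserves desktop applications and
#    corporate settings that a factory refresh would wipe.
New-Item -ItemType Directory -Path $imageDir -Force | Out-Null
recimg /createimage $imageDir
if ($LASTEXITCODE -ne 0) { throw "recimg /createimage failed ($LASTEXITCODE)" }

# 3. Confirm which image Refresh will use from now on.
recimg /showcurrent

# 4. Reboot straight into the recovery environment (same result as Shift+Restart),
#    handy for testing the new image on a remote machine:
#    shutdown /r /o /t 0
```

Budget for the capture step in the build: as the session noted, it adds roughly 20 minutes, so put it last in the task sequence, after patching and application installs, so the refresh image matches what was deployed.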

Deploying Modern Applications

  • Deploy vs. Provision
  • Provision installs the app upon next login

Patching

  • Install all monthly updates (including security and platform/office updates)

TechEd: Windows 8.1 Security Enhancements (WCA-B375)

This was a highly technical session going into the depths of a few new Windows 8.1 security features. It focused on passwords, how bad they are, and establishing trusted identity with BYOD. Virtual smart cards, which are really cool, were also on the agenda.

The speaker was very knowledgeable and really explained the security features very well. If your organization is concerned about client security, then keep reading. The bottom line is that for BYOD, with Windows 8.1 you can leverage the TPM to validate the device is trusted and can connect to resources. You can also leverage virtual smart cards to provide remote two-factor authentication from tablets or other devices without having a physical smart card.

Agenda

  • Biometric fingerprints – Moving beyond passwords
  • TPM Key attestation
  • Establishing user identity on BYOD devices

Passwords

  • Very hard to type on touch surfaces
  • Easily phishable
  • Hard to remember
  • Passwords are not sufficient to keep users safe
  • Passwords are easily re-playable
  • Passwords are symmetrical
  • Users often re-use passwords
  • 10,000 most common passwords would have accessed 98.1% of all accounts

Biometrics: Beyond Login

  • Need low false rejection rate
  • Fingerprints are the best method with today’s technology
  • Goals for Windows 8.1: Ease user’s struggle to enter credentials on touch devices
  • Built-in Windows experience (no third party add-ons needed)
  • Introduce new “touch” fingerprint sensors. Swipe sensors suck.
  • Light up a few engaging scenarios
  • Test user group loved the simplicity – very intuitive and quick. Single quick tap logs you into the system.

Demo

  • Showed a demo that just by touching the sensor it logged her in to her enterprise AD account. No need to specify a profile or username. Windows knows what account the biometric is associated with.
  • Touches with a different enrolled finger and shows her personal local account. Again, no need to specify an account.
  • Shows that in the Windows app store it required a biometric authentication to complete a purchase.
  • In-app purchase can also be biometric enabled as well
  • An app (such as a banking app or tax app) can require biometric authentication before providing access
  • The API only returns yes/no to the app, not any credential information
  • Showed logging in with a VPN connection via a quick tap

Hardware TPM and Keys and Certs

  • TPM KSP to generate certificates whose private keys are created in, and never leave, the TPM
  • Admin CA templates to select TPM KSP
  • Customers want to guarantee that the key or cert is actually protected by the TPM
  • Customers want to limit what TPMs are trusted for BYOD
  • Solution: TPM Key attestation
  • Users should perform sensitive operations from trusted devices
  • A strong binding between user and device hardware

TPM Key Attestation

  • EK: Endorsement key – Inserted at manufacturing time. Cannot be tampered with or exported. Unique per TPM, so exposing it directly lets a device be tracked (a privacy concern).
  • EKCert: Endorsement certificate – Some TPMs ship with EK certificate that chains up to a trusted root
  • AIK: Attestation identity key – An intermediate key to hide EK in protocol due to privacy concerns
  • PowerShell commands to pull EK public keys so only known devices are trusted
  • Certificates issued to devices have a special OID (object ID) to signify TPM key attestation
  • Certificate shows three new properties showing TPM attestation
  • Microsoft v4 certificate template. New tab on a CA cert “Key attestation”
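The two halves of the attestation story above, the CA-side allow list of known TPMs and the client-side request for a TPM-held key, come together in the added example below. It is not from the session or from Microsoft's documentation. Get-TpmEndorsementKeyInfo is a Windows 8.1 cmdlet; the template name ContosoTpmAttested (assumed to be a v4 template with key attestation required) and the share \\ca01\EKPubList are assumptions.

```powershell
# Added example, not from the session. Requires an elevated prompt on a
# Windows 8.1 client with a ready TPM, and a Windows Server 2012 R2 enterprise CA.

# (1) Device side: hash of the EK public key for the CA's allow list ("EKPub list").
#     The list is a folder of files, each named after the SHA-256 hash of one
#     permitted EK public key (file contents are ignored). The CA is pointed at the
#     folder once with:
#       certutil -setreg CA\EndorsementKeyListDirectories +"\\ca01\EKPubList"
$ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
"EK public key hash : $($ek.PublicKeyHash)"
"EK certificate(s)  : $(@($ek.ManufacturerCertificates).Count) present from the manufacturer"
New-Item -ItemType File -Path "\\ca01\EKPubList\$($ek.PublicKeyHash)" -Force | Out-Null

# (2) Client side: request a certificate whose key is generated inside the TPM.
#     ProviderName selects the TPM KSP; the key is non-exportable by construction.
$inf = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft Platform Crypto Provider"
[RequestAttributes]
CertificateTemplate = ContosoTpmAttested
"@
$base = Join-Path $env:TEMP 'tpmcert'
Set-Content -Path "$base.inf" -Value $inf -Encoding Ascii
certreq -new "$base.inf" "$base.req"      # the key pair is created in the TPM here
certreq -submit "$base.req" "$base.cer"   # attestation data rides along in the request
certreq -accept "$base.cer"

# (3) Verify. The CA stamps one of three issuance-policy OIDs according to how
#     the key was attested (the "special OID" mentioned in the session):
#       1.3.6.1.4.1.311.21.30  attested with user credentials (low)
#       1.3.6.1.4.1.311.21.31  attested with EK certificate   (medium)
#       1.3.6.1.4.1.311.21.32  attested with EK public key    (high, matches the EKPub list)
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$env:COMPUTERNAME" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$polExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }   # Certificate Policies
$attested = [bool]($polExt -and ($polExt.Format($true) -match '1\.3\.6\.1\.4\.1\.311\.21\.3[012]'))
"Attestation policy present : $attested"
# The private key must be reported as living in the platform provider:
certutil -store my $cert.Thumbprint | Select-String 'Provider'
```

If the Provider line reads anything other than "Microsoft Platform Crypto Provider", the key was created in software and the certificate proves nothing about the hardware; the CA-side EKPub check is what prevents that from being issued in the first place.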

Certificates

  • Simple Certificate Enrollment Protocol (SCEP) – Designed for management of mobile devices and routers/switches (10+ years old)
  • Windows 8 did not support SCEP
  • Most MDMs know how to provision SCEP certs for iOS devices
  • The server-side protocol has had many security vulnerabilities, which are addressed in the Windows Server 2012 R2 implementation
  • Windows 8.1 will natively support SCEP
  • SCEP APIs are available to any MDM software

Smartcards

  • In the modern world you can’t easily plug a smart card reader into tablets
  • Two factor authentication: Virtual Smart Card
  • A virtual smart card lets the device’s own TPM act as the smart card
  • TPM provides three most important features of smart cards: non-exportability, isolated crypto, anti-hammering
  • Not all TPMs have consistent blocking policies, so MS inserted a software layer to buffer and keep consistent blocking policies
  • Virtual smart card acts and looks exactly like physical smart cards in every sense for all OS and application purposes

Virtual Smart Card

  • 2 factor authentication for local and remote access
  • Client authentication/mutual auth SSL
  • VSC redirection for remote connections
  • S/MIME email encryption
  • Bitlocker keys for data volumes (e.g. drive cannot be removed from the device)

Windows 8.1 VSC

  • MSIT pilot moved to production. 7K enrolled on Surfaces, 75K on x86 machines
  • VSC on Surfaces enables PIN and remote access apps
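Creating a virtual smart card and putting a logon certificate on it is a short procedure with in-box tools. The script below is an added example, not from the session; it assumes an enterprise CA publishes a smart card logon template named ContosoVSCLogon whose provider is the Microsoft Smart Card Key Storage Provider.

```powershell
# Added example, not from the session. Turns the TPM into a virtual smart card
# with the built-in tpmvscmgr.exe, enrolls a logon certificate onto it, and
# verifies the key is on the card. Run elevated on Windows 8 / 8.1 with a ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); enable it in firmware or run Initialize-Tpm first."
}

# /AdminKey RANDOM  admin key is generated and discarded, so nobody (helpdesk
#                   included) can later reset the PIN or unblock the card from
#                   outside. Use PROMPT and escrow the key if you need PIN reset.
# /PIN PROMPT       the user chooses the PIN; TPM anti-hammering throttles and
#                   eventually blocks guesses, with the software layer the session
#                   mentioned keeping that policy consistent across TPM vendors.
# /generate         format the card so it can hold certificates immediately.
& "$env:SystemRoot\System32\tpmvscmgr.exe" create /name "Contoso VSC" /AdminKey RANDOM /PIN PROMPT /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed with exit code $LASTEXITCODE" }

# The card shows up as a reader named "Microsoft Virtual Smart Card 0".
certutil -scinfo -silent | Select-String 'Virtual Smart Card'

# Enroll a logon certificate onto the card. certreq prompts for the PIN because
# the template's provider is the smart card KSP; the private key never leaves the TPM.
certreq -enroll ContosoVSCLogon
if ($LASTEXITCODE -ne 0) { throw "Enrollment failed with exit code $LASTEXITCODE" }

# Verify from the smart card subsystem's point of view: the key container and
# certificate are listed against the smart card provider, not a software KSP.
certutil -scinfo -silent | Select-String 'Provider|Subject|Key Container'

# Removal later (instance ID from tpmvscmgr's output or Device Manager):
#   tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0000
```

Because Windows treats the result exactly like a physical card, everything downstream (interactive logon, VPN/802.1X client auth, S/MIME, BitLocker data volumes) needs no special configuration; only the enrollment template has to target the smart card KSP.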

Summary

  • Passwords are NOT safe anymore
  • With Windows 8.1 MS offers several methods to fix the authentication fiasco with stronger user credentials
  • Rooted in hardware, based on asymmetric secrets, strong multi-factor authentication
  • Biometric data is only stored on the device, and NEVER in AD or other applications.

TechEd: Building Windows 8 Image Engineering (WCA-B351)

This session covered the process of building a Windows 8 image. There are a variety of ways to build your image, ranging from custom-built scripts to MS-provided tools. The big takeaway from this session was to use MDT 2012 Update 1 (or later) to create your customized Windows images. The resulting WIM and ISOs can be used with any MS or third-party deployment product. MDT can inject drivers and software and run custom scripts. It can even inject Windows Update patches, using a repeatable and automated method. This enables you to produce frequent Windows images that follow your business process.

Imaging Process

  • 1) Identify requirements for the master image – Use the new PoC offering to capture requirements
  • 2) Create automated image engineering task sequences using MDT 2012 U1 deployment workbench
  • 3) Automate as much as possible using MDT functions and scripting
  • You can fully automate the WIM build process and even bake-in Windows update patches

Identify Requirements

  • 32-bit or 64-bit or both? Look at both hardware and software compatibility. Best bet is to do both.
  • Thick, thin or hybrid images? Thin image is just the base OS with only minor changes/additions. Thick image is packed with applications and changes. Thick images are good for call centers or training labs.
  • Deployment – How will the image be delivered to client machines? MDT can create images used for any deployment method be it MS or third-party tools

How about Office?

  • Recommend to bake Office into the image.
  • Able to automate the Office installation through transforms

Proof of Concept Jumpstart Kit (Free)

  • Proof of concept jumpstart offer on Connect. Lots of documents and pre-created scripts. Downloads: Windows 7 kit, Windows 8 kit
  • Hydration kit creates 5 pre-configured VMs for a DC, MDT, and other services with pre-created customized settings and eval OS images
  • Contains infopath form to walk you through the configuration requirements gathering process
  • Solution Kit for Win8 adds a lot of custom tasks not in the base MDT kit

Deployment Basics

  • Build a reference image answer file (XML file) – Windows SIM (system image manager)
  • Create Bootable Windows PE Media – Windows ADK
  • Build and Capture a reference device – WinPE/DISM/ImageX
  • Build a deployment answer file – Windows SIM
  • Migrate data and settings – USMT
  • Deploy reference image – WinPE/DISM/ImageX

MDT 2012 Update 1

  • Basically just a file share with all the components needed to build the image
  • MDT is a platform that simplifies and automates the build process

Image Engineering Process

  • Install the vanilla operating system (Windows 8) – Use a VM for this
  • Customize the OS and install core applications/utilities
  • Sysprep and capture the machine with imagex (creates .WIM)

Other resources: Deployment Guys blog

TechEd: Prospecting for Windows 8 Gold (WCA-B360)

This session was by Mark Minasi, who is one of the must-hear TechEd speakers. Highly entertaining and highly informative. If you ever come to TechEd, you must attend one of his sessions. This session was focused on Windows 8, going beyond the arguably ugly skin and under the covers to the hidden gold. If you can get past the UX issues with Win8, there are a lot of great features under the covers, including big security improvements.

Windows 8 is worth trying out

  • Best reason: Domain join your tablet
  • Learn the shortcut keys to navigate Windows
  • Windows Key + D get back to the desktop from the start screen
  • Windows + E Opens Explorer
  • Windows + . (cycles through snap options)
  • Windows + z (shows options)
  • Alt-F4 closes Modern app windows
  • Windows + x (lots of goodies)
  • Windows + c (for charms)
  • Windows + I (settings)
  • Windows Page Up/Down swaps Modern screen on dual monitors
  • Windows + o locks orientation

Understanding the new Apps

  • Modern Apps, Windows Store Apps, Immersive Apps
  • Very sandboxed and extremely hard to write malware within the app
  • You can screw up your own profile settings but not system settings
  • Non-admin users can install apps
  • App deployment story is quite different
  • Four ways to get a store app:
  • 1) User installs it herself with the Windows Store application
  • 2) User installs it himself from a private “company app store” the admin created
  • 3) User finds a provisioned app that is on the computer (up to 24 apps)
  • 4) User runs a PowerShell command “add-appxpackage” to install the app (side loading)
  • Codeplex has a free Company app store tool
  • If an administrator installs a Modern app, it does NOT install it for all users. Only the user can install apps for themselves.
  • Provision apps in your image
  • Each 64 KB block of an appx package has a hash in the package’s block map; if any byte changes, validation fails and the app will not run
  • To provision a Modern app you must have the appx package. You can’t get the appx package from the app store yourself. You must contact the developer/company to get the package.

Sideloading Apps

  • Group policy setting to enable side loading
  • Win8 home cannot side load
  • Only WindowsRT and Windows 8 Pro/Enterprise can sideload
  • Applications must be digitally signed (can use your own CA)
  • Enterprise comes with a license to sideload, must be purchased for professional
  • PowerShell: Import-Certificate loads the signing certificate into the Windows certificate store (Trusted People, or Trusted Root for an internal CA)
  • Domain-joined Windows 8 Enterprise machines have sideloading included (no separate license)
  • Windows Professional requires license (MS sells them for $30 each in packs of 100)
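The four pieces of the sideloading story above (policy, trust, signature check, install or provision) as one PowerShell sequence. This is an added example, not code from the session; the package ContosoExpenses.appx and its signer certificate ContosoSigner.cer are hypothetical names.

```powershell
# Added example, not from the session. Run from an elevated PowerShell prompt on
# Windows 8 Enterprise (domain-joined) or Pro with the sideloading key installed.
$package = '.\ContosoExpenses.appx'   # assumed: a line-of-business package signed by your CA
$signer  = '.\ContosoSigner.cer'      # assumed: the certificate that signed it

# 1. Policy. The "Allow all trusted apps to install" GPO sets exactly this value;
#    setting it by hand is equivalent on a non-domain test machine.
$appxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
New-Item -Path $appxPolicy -Force | Out-Null
Set-ItemProperty -Path $appxPolicy -Name AllowAllTrustedApps -Value 1 -Type DWord

# 2. Trust. A sideloaded package must chain to a certificate the machine trusts.
#    A self-issued signing cert belongs in Trusted People; an internal CA's root
#    would go to Cert:\LocalMachine\Root instead.
Import-Certificate -FilePath $signer -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null

# 3. Check the package signature before installing anything. Get-AuthenticodeSignature
#    understands .appx on Windows 8+ through the AppX subject interface package.
$sig = Get-AuthenticodeSignature -FilePath $package
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status $($sig.Status) ($($sig.StatusMessage))"
}
"Package signed by: $($sig.SignerCertificate.Subject)"

# 4a. Per-user sideload: installs for the current user only (admins get no
#     special treatment, as the session pointed out).
Add-AppxPackage -Path $package

# 4b. Or provision into the running image so every new user gets it at first
#     sign-in. The same cmdlet with -Path <mounted WIM> instead of -Online bakes
#     the package into an offline reference image (24-package limit on Windows 8).
Add-AppxProvisionedPackage -Online -PackagePath $package -SkipLicense | Out-Null

# 5. Verify what the image now carries.
Get-AppxProvisionedPackage -Online |
    Where-Object { $_.PackageName -like 'ContosoExpenses*' } |
    Select-Object DisplayName, PackageName, Version
```

On Windows 8 Pro (or Enterprise that is not domain-joined) the sideloading product key has to be installed first with `slmgr /ipk <key>` and activated, otherwise Add-AppxPackage fails with a licensing error even when the signature and policy are correct.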

New Cool Stuff

  • Native 4K-sector drive support (faster, cheaper, bigger drives)
  • Windows 8 recognizes SSDs and turns off defragmenter and uses the TRIM command
  • Most of the new SAN like storage spaces from server 2012 are in Windows 8
  • You could mount ISOs and VHDs from Explorer
  • Chkdsk is way smarter and faster
  • chkdsk /f /sdcleanup driveletter: finds and removes dead SIDs on ACLs
  • chkdsk /scan runs at low priority several times a day and makes mental notes on stuff to fix later
  • chkdsk /spotfix will just fix the list of problems
  • Powershell: repair-volume (but does NOT warn you when it takes a volume offline)
  • Recovery tip: make a recovery stick
  • F8 doesn’t take you to safe mode anymore
  • Create a recovery disk on a USB stick from the control panel (search on “recovery”)

Security Upgrades

  • UEFI support brings Secure Boot, which makes bootkits and boot-time rootkits very hard to plant
  • Hyper-V 2012 R2 can create UEFI (Generation 2) VMs
  • Early launch anti-malware protection (ELAM)
  • Defender protects against malware now
  • Look at “offline defender” for cold scanning a suspected infected machine

PowerShell Goodies

  • 2000+ PowerShell commandlets
  • disk cmdlets: get-volume, clear-disk, get-tpm, set-partition changes drive letters easily
  • networking: add-vpnconnection, set-dnsclientserveraddress, get-smbopenfile
  • -scheduledtask commandlets
  • printing: get-printerdriver, add-printerdriver (admin rights needed), add-printer, get-printer,

Other Goodies

  • Use the Windows 8 ADK to make a bootable USB stick:
  • makewinpemedia /ufd c:\winpe4-64 h:
  • WinPE 4.0 supports PowerShell
  • “Refresh” returns your PC back to a known state
  • Roaming profiles can be limited to “primary” PCs using set-aduser to limit roaming settings
  • powercfg /batteryreport

TechEd: Windows 8 and 8.1 Security Enhancements (WCA-B210)

This session covered new security features in Windows 8 and, at the end, some of the new features in Windows 8.1. It was an excellent session, with a very well organized presenter. It was a firehose of information, but clearly laid out and easy to take notes from. The bottom line is that Windows 8 is much more secure than Windows 7, with malware infection rates per 1000 machines several times lower (the session’s figures: 3x lower without anti-malware, 6x lower with it). Windows 8.1 builds on that foundation and adds even more features to catch attacks such as those presented by the Flame malware. It also greatly extends biometric authentication with native support and, with partner hardware, greatly enhances the biometric experience.

Although not mentioned in this session, the combination of Hyper-V 2012 R2 and Windows 8.1 for VDI could be compelling for organizations concerned with high security. Since Hyper-V supports UEFI native booting and secure boot, you can now (with third-party add-ons designed for the government/defense industry) provide remote attestation and assured device health for VDI. You could even go as far as BitLocker volumes for Hyper-V VM storage, for full encryption with virtually no overhead. The session notes below provide the names of companies offering Windows 8 remote attestation solutions for the defense sector.

Introduction

  • Windows XP SP2 was a huge release in terms of security
  • Vista was a new security model, at the sacrifice of app compatibility
  • Windows 8 investment areas: Malware resistance, securing the boot, securing the code and core, and securing the desktop
  • Protect sensitive data – Securing data with encryption
  • Modern access control – Securing the sign-in, secure access to resources
  • Trustworthy hardware – UEFI, TPM
  • Windows 8 started the move away from passwords (virtual smart cards, TPM, multi-factor authentication, etc.)
  • Windows 8 certified hardware is much more secure (required to support UEFI, secure boot)

Challenges in preventing Malware

  • Malware could compromise the PC before Windows even starts
  • Malware can hide from anti-malware software
  • Passwords aren’t good enough

UEFI 2.3.1

  • Replacement for the traditional BIOS
  • Key benefits: Architecture-independent
  • Enables: Secure boot, encrypted HDs, network unlock for Bitlocker
  • A Windows 8+ certification requirement
  • UEFI bootloaders are being signed for some Linux distros
  • “Encrypted Hard Drives” have new firmware that fully supports Windows 8 encryption features (BitLocker manages the keys for the drive’s own hardware encryption). Older “self-encrypting drives” (SEDs) are legacy and Windows does not manage their keys. “Encrypted Hard Drive” models are only now reaching the market, so don’t buy a plain SED expecting BitLocker integration.

Securing and Maintaining UEFI

  • UEFI requires firmware to be signed
  • UEFI firmware updates can come through Windows update
  • Unsigned option ROMs cannot run
  • UEFI can never roll back to a previous version
  • Secure root of trust, knowing that the platform is very secure

TPM 2.0

  • Enables commercial-grade security via physical and virtual key isolation from OS
  • Intel Haswell will support a firmware-based TPM (lowers costs for OEMs)
  • Intel Atom has built-in TPM-like functionality
  • TPM functionality will now start trickling into consumer devices
  • In 2015 MS will require all certified devices to have TPM functionality

Securing the Core

  • SDL – Secure Development Lifecycle started back in the XP SP2 era to address major security vulnerabilities
  • In Q3 2012 the Kaspersky report has no MS products in the top-10 vulnerability list
  • ASLR, DEP and the Windows heap are all much more secure than in Windows 7
  • Entire sections of the Win7 core were NOT covered by DEP and ASLR
  • Windows 8 in whole has DEP and ASLR used across the code base
  • ASLR entropy: 8 bits in Win7, 32 bits in Windows 8

Securing the Boot

  • Trusted Boot – Hardens the end to end boot process
  • Protects all system boot components and the anti-malware driver (ELAM)
  • Ensures defenses are running before malware gets a chance to start
  • Automatic remediation/self healing if compromised
  • Measured boot – Comprehensive set of integrity measurements

Securing the Sign-In

  • New sign-in options with varying security
  • Passwords, pin and picture password
  • MS uses an 8 character PIN code (most companies use 6)
  • Picture passwords are not ideal in the enterprise. More a consumer feature.
  • GPO option (Interactive logon: Machine account lockout threshold): with BitLocker enabled, too many failed sign-in attempts force the device into BitLocker recovery, defeating brute-force PIN/password attacks

Securing the System Post Boot

  • Trustworthy apps from the Windows Store
  • ISV onboarding and app screening process
  • Community based ratings and reviews
  • WinRT apps are sandboxed from the start; apps can still talk to each other, but the communication is gated
  • In Win32, DLLs are public and any app can call them. The WinRT platform instead gates which features an app can call in other apps, to limit exploits spreading
  • IE10 – Smart screen, enhanced protected mode

Securing Resources from Unhealthy Clients

  • Traditional access control is based on ACLs and user validation (not device health)
  • Modern method in Win8: Add vetting of a device security state to the access decision making process
  • Leverages Windows 8 measured boot, remote attestation, enhanced access control (server side)
  • MS has a current solution for Government and Defense customers, since ISVs have been slow to adopt (ISV solutions expected later in 2013)
  • ISVs working on it: McAfee and Symantec
  • JW Secure, General Dynamics C4 Systems, ID Data/Web and DMI are four companies offering device attestation solutions

Win8 Security Success

  • Showed a graph of malware infections
  • Windows 8 3x less likely to be infected with malware (no malware solution present). 2.7 per 1000 impacted (Win8 x64)
  • Windows 8 6x less likely to be infected when anti-malware software is installed. 0.2 per 1000 (win8 x64)

Windows 8.1 Threat Background

  • Modern threats: cyber-espionage, cyber-warfare, state sponsored actions (unlimited resources), assume breach (protect at all levels)
  • All sectors are now under attack, including suppliers and the supply chain
  • Without UEFI you can’t protect yourself against bootkit threats
  • You are now dealing with the digital equivalent of Seal Team Six attacking you
  • Lockheed Martin publicly stated they can protect themselves, but attackers are going after sub-contractors

What’s new in Windows 8.1

  • “Provable PC Health”
  • Utilizes free cloud MS services. MS will have a huge database of all known hashes for all MS products, certified drivers, and other products/drivers.
  • Windows client will send hash values for a large amount of system values to the cloud for verification
  • Protects against Flame-like attacks
  • Sent data is completely anonymous; a failed check triggers machine remediation

Windows 8.1 Defender and IE 11

  • Windows Defender – Adding high-performance behavior monitoring that identifies malicious patterns of behavior (file, registry, process, thread activity, etc.)
  • IE 11: API available that enables anti-malware solutions to scan before execution

Windows 8.1 Demo

  • Showed a touch-based biometric (fingerprint) authentication device
  • The device passes a small current through your finger to detect whether the finger is live
  • Showed instantly signing in with near 100% accuracy. No swiping. Just tap the sensor and instantly get your desktop.
  • Apps can ask for biometric authentication at any time, even after you sign in. A split-second tap is all that is required.
  • Could add biometric authentication for file access to app specific files (not yet in Explorer…app specific).

MS Security Compliance Manager 3.0 Hits the streets

One of the absolute best tools for managing security group policy settings in a Microsoft environment is their Security Compliance Manager. Hot off the presses is version 3.0, which is a major step forward in both functionality and OS/product support.

The full product announcement from Microsoft is here. The most exciting news for me is full support of Windows Server 2012, IE 10, and configuring stand-alone machines. Oh yes, Windows 8 support, but who’s even using that?

Not new to the 3.0 release is the ability to compare different baselines, archive baselines, and create your own custom baselines that you can export to a GPO. Your IA guys should love it! And in case you missed it, there’s a beta version of an SCM baseline for SQL Server 2012 you can find here.

WMI GPO Filters for Windows Server 2012 and Windows 8

When deploying Group Policies in a Windows environment, you may often have different GPOs for different versions of the operating system. With the recent release of Windows 8 and Windows Server 2012, it’s likely you will have new GPOs just for these operating systems. You could build out new OUs for each OS type, but that can get messy rather quickly.

My personal preference for most cases is to use WMI filtering to limit which operating systems a GPO applies to. This way you can dump all your member servers in one OU, and filter GPOs based on OS type.

To create a WMI filter, first you need to open the GPMC and locate the WMI Filters node. Start the new WMI filter creation wizard, and enter a name of your WMI filter. I always put the OS type, so it’s clear what OS the filter is for.

Now you need to add the actual WMI filter by clicking on the Add button. Next up is the tricky part! You need to type in or paste the WMI query for your operating system type. There are several ways to do this, but I like using the OS version number, since that is independent of the OS flavor (enterprise, datacenter, professional, etc.). See the bottom of my post for all the OS WMI queries you can choose from.

After you have created the WMI filter, you now need to configure one or more GPOs to use the filter. At the bottom of the Scope tab on any GPO you will see the WMI Filtering option. From the drop down select the appropriate WMI filter.

And that’s all there is to it! You can create more complex WMI queries, that could cover multiple operating systems, or filter on almost any other computer property such as memory, particular application, etc. If you can query it with WMI, then you can probably filter a GPO with it.

You can also export/import WMI Queries from the GPMC as well, if you want to easily transport them between environments. As always, test them out before applying a GPO that may hose up an OS if they get the wrong settings.

Windows XP
select * from Win32_OperatingSystem WHERE Version LIKE "5.1%"

Windows 7
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"

Windows 8
select * from Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType = "1"

Windows Server 2003 R2 (the ProductType clause is needed here too: Windows XP x64 also reports version 5.2)
select * from Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ( ProductType = "2" OR ProductType = "3" )

Windows Server 2008
select * from Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ( ProductType = "2" OR ProductType = "3" )

Windows Server 2008 R2
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ( ProductType = "2" OR ProductType = "3" )

Windows Server 2012
select * from Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ( ProductType = "2" OR ProductType = "3" )
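Before attaching one of these filters to a GPO it is worth running the exact WQL against a few real machines, since a typo in the query silently filters the GPO out for everyone. The script below is an added example, not from the original post; it evaluates each query the way Group Policy does (root\CIMv2 on the client) and reports which one applies.

```powershell
# Added example, not from the original post. Evaluates the GPO WMI filter
# queries listed above on the local machine, or on a remote one by DCOM, which
# is also how Group Policy itself evaluates them (no WinRM needed).
$filters = [ordered]@{
    'Windows XP'             = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%"'
    'Windows 7'              = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
    'Windows 8'              = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType = "1"'
    'Windows Server 2003 R2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND (ProductType = "2" OR ProductType = "3")'
    'Windows Server 2008'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND (ProductType = "2" OR ProductType = "3")'
    'Windows Server 2008 R2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND (ProductType = "2" OR ProductType = "3")'
    'Windows Server 2012'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND (ProductType = "2" OR ProductType = "3")'
}

function Test-GpoWmiFilter {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Fetch the two properties every filter above keys on, for the report.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    foreach ($name in $filters.Keys) {
        # A filter "applies" when the query returns at least one instance; an
        # invalid query returns nothing, so it also shows up as Applies = False.
        $hit = Get-WmiObject -Query $filters[$name] -Namespace 'root\CIMv2' `
                   -ComputerName $ComputerName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $ComputerName
            Filter      = $name
            Applies     = [bool]$hit
            Version     = $os.Version
            ProductType = $os.ProductType   # 1 = workstation, 2 = domain controller, 3 = member server
        }
    }
}

# Local machine; pass -ComputerName to check a remote box before linking the GPO.
Test-GpoWmiFilter | Format-Table -AutoSize
```

Exactly one row should come back True for any given machine. If none does, the OS is not covered (Windows 8.1 and Server 2012 R2, for instance, report version 6.3 and match none of the queries above), and on the client `gpresult /r /scope computer` will list the GPO under "Filtering: Denied (WMI Filter)".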

How To: Configure Windows 8/Server 2012 Secure Boot

Windows 8 and Windows Server 2012 have a number of brand new boot-time security features to help combat malware. While this article is not going to discuss them in depth, I will briefly describe them so you understand what they are and how to configure one feature, Secure Boot. Microsoft has a good blog article here for additional details on boot-time security enhancements.

Secure Boot

Secure Boot defines an enforcement policy which ensures that only trusted (digitally signed) software is executed during the Windows boot process. Unsigned code, like a rootkit, does not execute. In fact, Windows will attempt an automatic repair process if tampered code is detected. Note that malware like Flame, which was digitally signed with a fraudulently obtained Microsoft certificate, could possibly go undetected, since Secure Boot trusts signatures, not intent. Another part of the secure boot process is Early-launch Anti-Malware (ELAM), which ensures that anti-malware software is loaded very early in the boot process, before malware has a chance to load and ‘hide.’ For a detailed whitepaper on ELAM, see this Microsoft whitepaper.

Secure Boot is required for all retail Windows 8 computers that carry the Windows 8 logo. Individually sold motherboards for build-it-yourself PCs can also implement Secure Boot. To support Secure Boot the firmware must be UEFI based, and also specifically support the Windows 8 Secure Boot requirements with the Microsoft certificates in its signature database. A TPM (trusted platform module) is NOT required for Secure Boot or ELAM.

Measured Boot

Measured boot provides anti-malware software with a trusted log of all boot components that are started before the anti-malware software. If the anti-malware software supports Measured Boot, it can validate that the boot process was not tampered with. To ensure a trusted log is created, a TPM is required, as each component is recorded in the TPM. The anti-malware software uses the evidence in the TPM to attest the boot state of the PC.

In enterprise environments one can leverage remote attestation, where only trusted computers (verified via the Secure Boot and Measured Boot process) are allowed to access resources, increasing the confidence that the computer has not been compromised. For an excellent Microsoft whitepaper on this subject check out this download. To see how Microsoft uses a TPM in Windows Server 2012, check out this article.

Configuring Windows 8 Secure Boot

New security features in Windows always pique my interest, and secure boot was no exception. So this weekend I built myself a new PC, which I specifically pieced together to support Windows 8 secure boot. After extensive motherboard research, I ended up with an Asus P8Z77-M Pro motherboard, which is Windows 8 ready. Flashing it with the latest BIOS enabled the Windows 8 secure boot UEFI feature. You can check out other Asus Windows 8 motherboards here.

Now the tricky part was figuring out exactly how to install Windows 8 to leverage the new UEFI secure boot extensions of my motherboard. After a lot of re-installs and testing, the process is actually not that difficult and there’s even a powershell command to tell you if secure boot is enabled and functioning so you aren’t guessing whether the process worked or not.

The instructions are specific to my motherboard and firmware revision, so your screens and features may not be the same and require some tweaking to get the right combination of settings to work.

There is a problem with Asus firmware version 1406 for my motherboard which does not allow Windows 8 in UEFI boot mode to recognize hard drives when the SATA mode selection is set to “RAID”. I wanted to use Intel Smart Response with my SSD to boost access to my legacy spinning drive, but that’s out of the question until Asus fixes their firmware. So for now I’m using AHCI mode and no Intel Smart Response. According to Intel, RAID+UEFI is a supported configuration, and they’ve even released firmware for their own motherboards to fix the same problem on their boards.

Next you need to disable boot CSM (compatibility support mode), which helps lock down the boot process and turns off the legacy BIOS support for option ROMs.

Now you should change the OS type to Windows 8 UEFI and ensure secure boot mode is set to standard mode, as shown below.

In order to boot Windows 8 into UEFI mode you need to either write the ISO image to physical DVD media, or boot from a FAT32 formatted USB stick specially prepared via these instructions (just do steps 1-2). Note that NTFS formatted USB sticks do NOT work with UEFI. Note that installing Win8 from USB is super fast, even to a legacy magnetic hard drive. Total install time was about 7 minutes.

Power off your PC, insert the Windows 8 media of your choice, then power on your PC and immediately enter the UEFI configuration screen. On the Boot menu of my Asus motherboard I saw my Blu-ray drive was a boot option and it was prefixed by UEFI, which means it will boot into EFI mode, which is what we want. I happened to have an existing Win8 installation due to prior installs, so that’s why you see the Windows Boot Manager listing in the screenshot below. You will not see that on your system, unless Win8 is already installed in EFI mode.

After the Windows 8 installation starts you will arrive at the disk partitioning screen. EFI, and thus secure boot, require the disk to use GPT rather than MBR. Thankfully, through my various tests it appears Windows does all the reconfiguration under the covers, so no diskpart magic is required. I had previously blown away my partitions, so all the disk space was unallocated. If your disk has partitions, delete all of them, as a UEFI install requires four partitions which the installer will create if you start with a blank drive.

Assuming you want to use the whole disk for Windows 8, a neat trick is to select Next on this screen WITHOUT creating any partitions manually. If you do that, Windows will magically create all of the required partitions (four of them) with the appropriate sizes and partition designators.

At this point you can let the installation rip (which is extremely fast, even from legacy DVD media). Once you reach the Windows 8 start screen, open an elevated PowerShell prompt and type:

confirm-SecureBootUEFI

If secure boot is enabled and properly functioning it should return a value of TRUE. If you get any other response (command not recognized, etc.), then you are not using secure boot. As you can see below, I was successful in installing Windows 8 to use secure boot!
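The same check, extended into a small post-install script (added example, not part of the original post): it confirms the firmware type Windows booted under, the Secure Boot state, that the system disk is GPT with the installer-created partition layout, and whether a TPM is present. It assumes Windows 8 or later and an elevated PowerShell prompt.

```powershell
# Added post-install check (not from the original post). Confirms the running
# Windows booted in UEFI mode with Secure Boot on, that the system disk is GPT
# with the installer's default partition layout, and whether a TPM is present.
function Test-UefiSecureBootInstall {
    $result = [ordered]@{}

    # Windows sets this to 'UEFI' or 'Legacy' depending on how it was booted.
    $result.FirmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy BIOS or when UEFI lacks Secure Boot.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = "Not supported ($($_.Exception.Message))" }

    # The disk carrying the Windows volume must be GPT, not MBR, for UEFI boot.
    $sysDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $result.SystemDiskStyle = $sysDisk.PartitionStyle

    # Installer-created layout on a blank GPT disk: Recovery, System (EFI), Reserved (MSR), Basic (Windows).
    $result.Partitions = (Get-Partition -DiskNumber $sysDisk.Number |
        ForEach-Object { "{0}:{1} ({2:N0} MB)" -f $_.PartitionNumber, $_.Type, ($_.Size / 1MB) }) -join '; '

    # TPM presence and readiness, needed for measured boot and remote attestation.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch { $result.TpmPresent = 'Unknown (Get-Tpm cmdlet unavailable)' }

    [pscustomobject]$result
}

$check = Test-UefiSecureBootInstall
$check | Format-List

if ($check.FirmwareType -eq 'UEFI' -and $check.SecureBoot -eq $true -and
    $check.SystemDiskStyle -eq 'GPT') {
    'OK: Windows is installed in UEFI mode with Secure Boot enabled on a GPT disk.'
} else {
    'FAIL: firmware type, Secure Boot state or disk partition style is not as expected.'
}
```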

For an additional resource you can check out the geeky Microsoft whitepaper Installing Windows on UEFI Systems. For some additional details on WHQL certification and secure boot requirements for machines that bear the Windows 8 logo, check out this MSDN article.

WCL286: Windows 8 Malware Resistance

This was a REALLY great session on the significant advances Microsoft has made in Windows 8 to increase its security posture. They claim whole classes of attacks have been mitigated by a combination of Windows 8 and hardware features such as UEFI and TPM. There are other security features that don’t rely on the very latest hardware, such as much stronger ASLR and DEP for OS components. Although not specifically mentioned in this session, Windows Server 2012 is built on the same code base so many of the features mentioned below apply to WS 2012 too.

Note, if you are thinking of virtualizing Windows 8 for VDI, there is no hypervisor that can virtualize a TPM. So you will not get a lot of the benefits of trusted boot, measured boot, and remote attestation that you get with physical Windows 8 instances on appropriate hardware. So if you will be using Windows 8 for VDI, make sure you understand what security features you cannot take advantage of and how the loss of those features will affect your security posture.

One cool scenario that is possible with a physical Windows 8 instance, UEFI, TPM and a Windows Server 2012 file server is the ability of the file server to validate the health claim of the Win8 client before it allows access to the file share. The validation utilizes the secure boot process, measured boot, and other features to ensure an extremely high degree of confidence that the OS has not been tampered with and is trusted. But this remote attestation is only available on physical Windows 8 clients with UEFI and a TPM. So VDI implementations will not be able to use this powerful security feature.

The speakers had a lot of jam packed slides, so I didn’t get all of the information written down. If you have access to the recorded session on Channel 9 or MyTechNet, I strongly urge you to listen as it will be a well spent 75 minutes, if you value security in the enterprise.

Session Summary:

  • Windows 8 Investments in client security
    • Protect and Manage threats
    • Protect Sensitive data
    • Protect Access to Resources
    • Microsoft spent more on security in Windows 8 than any previous OS
    • “Groundbreaking” malware resistance
    • Pervasive device encryption
    • Modernized Access Control – Virtualized smart cards (no longer need a physical card); Dynamic access control
  • Challenges that we can face in combating malware
    • Vulnerabilities can be minimized but not completely eliminated
    • Malware can compromise a PC before it starts
    • Malware can compromise anti-malware by tampering or starting
    • Malware can hide from anti-malware software
    • Anti-virus is always playing catch-up with latest malware
  • Secure Hardware
    • Why UEFI?
      • What is UEFI? An interface that is built on top of and replaces the legacy BIOS
      • Key benefits: Architecture-independent
      • Key security features: Secure boot, encrypted drive support for Bitlocker, Network unlock support for Bitlocker
      • Windows certification requirement on Windows 8 certified devices
    • Trusted Platform Module 2.0
      • TPM value proposition – Enables commercial-grade security via physical and virtual key isolation
      • TCG standard evolution: TPM 2.0
        • Algorithm extensible, allows deployment in additional countries (China, Russia)
      • Windows 8 TPM support enables implementation choice
        • Discrete TPM
        • Firmware-based (Intel’s Platform Trust Technology)
    • Feature Usage of TPM in Windows 8
      • Bitlocker: volume encryption
      • Bitlocker: Volume network unlock
      • Measured boot
      • Virtual smart cards
      • …More
  • Securing the Code and Core
    • Preventing vulnerabilities – Software Development Lifecycle
    • Tools: Threat modeling, Static Code Analysis, Fuzzers
    • Reduce the ability to exploit vulnerabilities
      • Analyzed telemetry to determine requirements
      • Add mitigations to reduce the impact of exploits
      • ASLR, DEP, Windows Heap, process integrity levels. ASLR has been VASTLY improved in Windows 8 (higher entropy), applied to a broader memory space and to critical OS components. DEP has been greatly increased as well, and the OS now has much broader DEP protection.
      • MS says the IQ of an attacker will need to be much higher to combat these new security enhancements. Quite different from what’s in Windows 7.
  • Securing the Boot
    • Legacy boot: BIOS, OS Loader (Malware), OS Start
    • UEFI Secure Boot: Native UEFI, Verified OS Loader Only, OS Start
      • The firmware enforces policy, only starts signed OS loaders
      • OS loader enforces signature verification of Windows components.
    • Securing and Maintaining UEFI
      • UEFI is secure by design
        • UEFI firmware, drivers, applications and loaders must be signed
        • UEFI database lists trusted and untrusted keys, CAs and image hashes
        • Secured rollback feature prevents rollback to insecure version
        • Untrusted option ROMs can not run
      • Maintaining UEFI with Windows Update
        • Updates to UEFI firmware, drivers, applications and loaders
        • Revocation process for signatures and image hashes
      • UEFI remediation
        • UEFI able to execute UEFI firmware integrity check and self-remediate
        • UEFI able to recover Windows boot manager if integrity checks fail
    • Trusted and Measured Boot
      • Trusted Boot
        • End to end boot process protection
          • Windows operating system loader
          • Windows system files and drivers
          • Anti-malware software
        • Ensures and prevents
          • A compromised OS from starting
          • Software from starting before Windows
          • 3rd party software starting before anti-malware
        • Automatic remediation/self healing if compromised
      • Measured Boot
        • Creates comprehensive set of measurements based on trusted boot execution
        • Can offer measurements to a remote attestation service for analysis
      • Trusted Boot: Early Load anti-malware
        • Windows 7 Legacy Bios -> OS Loader (malware) -> 3rd party drivers (malware) -> Anti-malware start -> Windows logon
        • Windows 8: Native UEFI -> Windows 8 OS Loader (signed) -> Anti-malware start (signed) -> 3rd party drivers -> Windows Logon
        • Secure boot loads anti-malware early in the boot process
        • Runs WinRE in the background and does extensive remediation checks and pulls trusted binaries out of the trusted store. No prompts, no user interaction used. Completely automated.
      • Measured Boot
        • Windows 7: Bios (measured)-> MBR & Boot sector (measured)-> OS Loader (measured) -> Kernel initialization -> 3rd party drivers -> anti-malware software start
          • Measurements of some boot components evaluated as part of boot
          • Only enabled when bitlocker has been provisioned
        • Windows 8: UEFI (measured) -> Windows 8 OS Loader (measured)-> Windows Kernel & Drivers (measured) -> Anti-malware software (measured) -> 3rd party drivers -> Remote attestation
          • Measures all boot components
          • Measurements are stored in a TPM
          • Remote attestation is now available
        • Remote attestation allows a file server (for example) to validate that only trusted computers with a health claim can gain access.
    • Securing After the Boot
      • Protecting the system from known and unknown threats
        • Windows Defender is now a full fledged product
        • Protects against full range of malware, not just adware or malware
        • Real-time active protection
        • High performance
        • Optimized for the user experience
      • System Center Endpoint Protection (SCEP) adds manageability
        • Shares same anti-malware engine with Windows defender
    • Securing the System Post Boot – Metro Apps
      • Windows store contains Trustworthy Apps
        • ISV onboarding and app screening process
        • Community based ratings and reviews
      • Installation
        • Handled completely by the OS
        • Discrete and private location for each app
      • Application capabilities
        • Run with low privilege
        • Access to Resources
        • Contracts – Apps can advertise their service to other apps or OS
    • Internet Explorer 10 – Smart Screen
      • Application reputation has been moved into core
      • Protects users regardless of browser, mail, IE, etc. client
    • Internet Explorer 10 – Enhanced protected Mode
      • Difficult to exploit due to ASLR
      • Tabs and Process Isolation
      • Requires user interaction to gain access to user data
      • Do Not Track (DNT) capability
  • Windows Editions and Device Considerations
    • All Windows editions contain basic new security features (trusted boot, SmartScreen, etc.) but other features like Bitlocker are only on Professional and higher
    • Windows RT always uses device encryption powered by Bitlocker
    • Windows 8 certified devices will have UEFI, and need TPM 2.3.1 for secure boot
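To see the “UEFI database of trusted and untrusted keys, CAs and image hashes” from the summary above in practice, here is an added example (mine, not from the session) that decodes the Secure Boot db (allowed) and dbx (revoked) variables. It assumes the EFI_SIGNATURE_LIST layout from the UEFI specification and the standard EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID signature-type GUIDs; it must run elevated on a UEFI system with Secure Boot.

```powershell
# Added example (not from the session): decode the UEFI Secure Boot "db" (allowed)
# and "dbx" (revoked) variables into certificates and image hashes. Assumes the
# EFI_SIGNATURE_LIST layout from the UEFI spec and the standard X509 / SHA256
# signature-type GUIDs; any other type is reported by GUID only.
$EFI_CERT_X509   = 'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256 = 'c1c41626-504c-4092-aca9-41f936934328'

function Read-EfiSignatureList {
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, total list size, header size, entry size
        $type       = (New-Object System.Guid (,[byte[]]$Bytes[$offset..($offset + 15)])).ToString()
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed header rather than walking off the end of the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) { break }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: owner GUID followed by the certificate or hash bytes
            $owner = (New-Object System.Guid (,[byte[]]$Bytes[$pos..($pos + 15)])).ToString()
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509) {
                $kind  = 'X509'
                $value = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$data)).Subject
            } elseif ($type -eq $EFI_CERT_SHA256) {
                $kind  = 'SHA256'
                $value = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            } else {
                $kind  = "GUID $type"
                $value = "$($data.Length) bytes"
            }
            [pscustomobject]@{ Kind = $kind; Owner = $owner; Value = $value }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

foreach ($name in 'db', 'dbx') {
    try   { $entries = @(Read-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name $name).Bytes) }
    catch { Write-Warning "Cannot read $name ($($_.Exception.Message))"; continue }
    "{0}: {1} entries" -f $name, $entries.Count
    $entries | Group-Object Kind | ForEach-Object { "  {0}: {1}" -f $_.Name, $_.Count }
    $entries | Where-Object { $_.Kind -eq 'X509' } | ForEach-Object { "  cert: " + $_.Value }
}
```

The dbx count grows as revoked loader hashes are pushed through Windows Update, which is the revocation process the session described.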

Windows 8: Hyper-V 3.0 baked in!

Wow, this is pretty darn cool... in the latest leaked build of Windows 8 x64, a blogger found Hyper-V 3.0 is baked in and is sporting a number of new features. This is the first time MS has baked a hypervisor into a client operating system. While some of the new features aren’t really relevant to a desktop user (like a virtual fibre channel adapter, or 16TB VHDX files with power fail resiliency), it does open up a world of possibilities for handling application compatibility issues. For the more geeky folks that like to use a type-2 hypervisor like VMware Workstation, there’s finally a MS solution for running 64-bit VMs on your desktop operating system.

You can check out all of the new features and some screen shots here. A short summary of enhancements include:

  • Support for more than four cores
  • Virtual Machine Queue and IPsec offload
  • Bandwidth management
  • DHCP Guard
  • Router Guard
  • Monitor Port
  • Virtual Switch extensions
  • Network Resource Pools

Since Windows 8 RTM isn’t expected until mid to late 2012, there is plenty of time for Microsoft to add additional features. Of course Microsoft could also pull Hyper-V 3.0 from the client OS too, but let’s hope not.