Sunday, May 10, 2020

Backup VM Encryption & VM Signing certificate for Shielded VMs with Powershell

One of the new technologies that was introduced in Hyper-V 2016 is Shielded Virtual Machines.

In this post, I will show you how to back up Shielded VM Local Certificates with PowerShell.

These certificates are critical. If you lose them, there is no way to start Shielded VMs and they are permanently lost.

More info in this great article: https://www.altaro.com/hyper-v/hyper-v-2016-shielded-virtual-machines-stand-alone-hosts/

This is the PowerShell script that I use to back up those certificates. Once those certificates are exported and zipped, you need to move them to a secure location.
Currently, I'm using an RMM tool to back up and move those certificates to a safe place automatically.

$ExportDestination = "c:\data\certs"
# Dump the store as text; in each certificate block the "Serial Number:" line sits directly above the "Issuer:" line
$certs = certutil -store "Shielded VM Local Certificates"
# Placeholder: replace with your own PFX password
$password = "YourCertPassword"

# For Encryption Certificate
$shieldedVMEncryption = '*Issuer: CN=Shielded Vm Encryption Certificate*'
for ($i = 0; $i -lt $certs.Length; $i++) {

    if ($certs[$i] -like $shieldedVMEncryption) {
        # Last token of the Issuer line, with the surrounding parentheses stripped
        $issuer = ((($certs[$i]).split(' ')))[-1]
        $issuer = $issuer.Replace('(', '')
        $issuer = $issuer.Replace(')', '')
        Write-host "Shielded cert is stored in line $($i-1)"
        # The line above the Issuer line ends with the serial number, used as the certificate ID for the export
        $ShieldedCert = $certs[$i - 1]
        $FinalShieldedCert = $ShieldedCert.Split(" ")[-1]
        Write-host  $FinalShieldedCert -ForegroundColor Yellow
        certutil -exportPFX -p $password "Shielded VM Local Certificates" `
        $FinalShieldedCert  "$($ExportDestination)\$($issuer)-ShieldedVMEncryption-$($i)-$($FinalShieldedCert).pfx"
    }

}

# For Signing Certificate
$shieldedVMSigning = '*Issuer: CN=Shielded Vm Signing Certificate*'
for ($i = 0; $i -lt $certs.Length; $i++) {

    if ($certs[$i] -like $shieldedVMSigning) {
        $issuer = ((($certs[$i]).split(' ')))[-1]
        $issuer = $issuer.Replace('(', '')
        $issuer = $issuer.Replace(')', '')
        Write-host "Shielded cert is stored in line $($i-1)"
        $ShieldedCert = $certs[$i - 1]
        $FinalShieldedCert = $ShieldedCert.Split(" ")[-1]
        Write-host  $FinalShieldedCert -ForegroundColor Yellow
        certutil -exportPFX -p $password "Shielded VM Local Certificates" `
        $FinalShieldedCert  "$($ExportDestination)\$($issuer)-ShieldedVMSigning-$($i)-$($FinalShieldedCert).pfx"
    }

}

# Zip all exported PFX files into a single archive
$compress = @{
    Path            = "$ExportDestination\*.pfx"
    DestinationPath = "$ExportDestination\ShieldedCerts"
}

Compress-Archive @compress -Force
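
The same backup done with the PKI module cmdlets instead of parsing certutil text, as an added example that is not part of the original script. It assumes the store sits under Cert:\LocalMachine, prompts for the PFX password as a SecureString so the password is neither stored in the script nor passed on a command line, and re-opens each PFX to confirm the export is readable.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original script. Assumptions: the store lives under
# Cert:\LocalMachine, and C:\data\certs is the export folder used above.
$ExportDestination = 'C:\data\certs'
$storePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'

# Prompt for the PFX password so it never appears in the script or in a process command line.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

New-Item -ItemType Directory -Path $ExportDestination -Force | Out-Null

# Same issuer strings the script above matches on (-like is case-insensitive).
$patterns = @{
    ShieldedVMEncryption = 'CN=Shielded Vm Encryption Certificate*'
    ShieldedVMSigning    = 'CN=Shielded Vm Signing Certificate*'
}

$results = foreach ($kind in $patterns.Keys) {
    $certs = Get-ChildItem -Path $storePath | Where-Object { $_.Issuer -like $patterns[$kind] }
    foreach ($cert in $certs) {
        # A backup without the private key cannot start a shielded VM.
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Thumbprint) has no private key; skipping."
            continue
        }
        $file = Join-Path $ExportDestination "$kind-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $password | Out-Null

        # Re-open the PFX with the same password and confirm it holds this certificate.
        $pfx = Get-PfxData -FilePath $file -Password $password
        $ok  = $pfx.EndEntityCertificates.Thumbprint -contains $cert.Thumbprint
        [pscustomobject]@{ Kind = $kind; Thumbprint = $cert.Thumbprint; File = $file; Verified = $ok }
    }
}

$results | Format-Table -AutoSize
if (-not $results -or $results.Verified -contains $false) {
    throw 'No certificates were exported, or at least one export failed verification.'
}
```

For unattended runs, such as from an RMM tool, supply the SecureString from wherever that tool keeps secrets instead of using Read-Host.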


Sunday, April 5, 2020

Replace HyperV virtual switch for VMs with Powershell



In this post, I will show you an easy way to replace the virtual switch for VMs with PowerShell.

Recently I had to remove the existing switch for all virtual machines (~ 50) on one Hyper-V host. One of the reasons why you would do that is to enable "SR-IOV", as you can't do that after you create the switch.

All VMs had two network adapters, with internal and public switches. In this case, we had to reconfigure the network adapters that use the public switch.

In order to accomplish this, you have to follow these steps:

1. Create new temporary switch that will replace existing public switch




2. Replace existing public switch with the new temp switch using these Powershell commands


$vms = Get-VM

foreach ($vm in $vms) {
    # Move every adapter attached to the 'public' switch over to 'tempswitch'
    Get-VMNetworkAdapter -VMName $vm.Name | where SwitchName -eq 'public' |
        Connect-VMNetworkAdapter -SwitchName 'tempswitch'
}



3. Check if new switch is properly applied and remove 'old' public switch

4. Create new Public switch that will replace temp switch



5. Replace temp switch with a new Public switch using these Powershell commands

$vms = Get-VM

foreach ($vm in $vms) {
    # Move every adapter attached to 'tempswitch' back to the new 'public' switch
    Get-VMNetworkAdapter -VMName $vm.Name | where SwitchName -eq 'tempswitch' |
        Connect-VMNetworkAdapter -SwitchName 'public'
}


Saturday, October 26, 2019

Dell Raid Configuration HTML Report via Powershell

This script generates an HTML report on the RAID configuration of Dell servers.

This report includes:

- Controllers information (status, state, firmware version etc.)



- Dell virtual disk information



- Information for each Virtual disk (Disk states, VD status, Capacity etc..)



Full report



Sunday, April 8, 2018

Windows Server report with PowerShell (including Hyper-V)


This script will help you get an all-in-one report for a Windows server. The report is dynamic, which means that if the server has the Hyper-V role installed and at least one VM configured, the Hyper-V report will be visible inside this report; otherwise, you will see nothing regarding Hyper-V.
 
The script is divided into several parts, so let's see what we have.
 
1. The first part is related to general server information, such as whether the server is physical or virtual, OS information, disk information, IP configuration etc. Regarding disk information, we will be warned if disk space is lower than 15%.



2. The second part is related to Hyper-V server configuration. In order to keep the report clean, I used hyperlinks which store more information. If you see a yellow asterisk sign or an underlined word in the report, that means there is probably some more information available by hovering the mouse. For example, if you hover over the Disk part (differencing disk), you will have information about location etc.


 
3. In the third part, you will see whether a PC is domain-joined, a domain controller etc., as well as shared folder information.
 

 
4. In this part, you will have CPU and memory information.
 
5. The last part is related to server Roles & Features.
 
 
 
Link to download script here 
 
 
 
 
 

Wednesday, November 1, 2017

Redirect known folders to OneDrive for Business with Powershell

This script will help you migrate users' data on multiple PCs to OneDrive for Business and create documentation.

Let's see what you will see in the PowerShell console during the script execution and what the final HTML report will look like (note that it depends on what happens during the migration).

I intentionally removed permissions from some files in the source so that those files can't be migrated, so we can see how the result will be displayed in the console and in the final report as well. Besides that, I removed permissions from an already created destination folder so we can see the script's behavior in that case as well.

Information in powershell console during migration


Final report without errors


Part of final report with some errors




Registry entries that are changed when you redirect user's data to a custom location

These are the registry values:

Desktop -  {754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5}
Documents - {F42EE2D3-909F-4907-8871-4C22FC0BF756}
Pictures - {0DDD015D-B06C-45D5-8C4C-F59713854639}
Music - {A0C69A99-21C8-4671-8703-7934162FCF1D}
Videos - {35286A68-3C57-41A1-BBB1-0EAE73D76C95}



Let's see what happens when you run this PowerShell script.

Note: I wanted to predict almost every situation that might happen during migration, and I didn't see any problems during testing and actual migrations.

Please always test or back up files before executing any scripts.

1. It will check the current size and locations of the user's known data and open the HTML report automatically. This will give us a good overview before actually starting the migration.

2. If you decide to continue with the migration after the review, the script checks whether you have more than one OneDrive configured on that PC. If yes, you will be asked which one to use as the redirection destination. Note that I excluded personal OneDrive, so it will not be listed here (you can change that if you want to).


3. When you choose which location you are going to use, the script checks some prerequisites before migration, such as write rights on the destination location etc.

4. If some of the user's data is already redirected to OneDrive, the script will detect that, and migration for that user data (such as music, videos etc.) will be skipped. You should see that in the final report as well.


5. If we have some data already stored in the destination OneDrive for some reason (we used that location before for data storage etc.), the script will copy only newer files to the destination folder.

For example, if we already have a Music folder in OneDrive with some data in it, but the user's actual Music folder is not set to OneDrive, only newer files will be migrated. Older files will be left in the source folder for later review or deletion. I just didn't want to automatically delete source files after a successful migration in this situation. You will see that as partially migrated, along with how many files/folders failed to migrate.




The author of this script is not responsible for any damage that might happen.

You can download the PowerShell script here