Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.
In Windows Admin Center Security you can Configure Secured-Core :
Secured-Core in Windows Admin Center 21.10
You can activate 6 secured-Core feature :
Hypervisor Enforced Code Integrity (HVCI)
Boot DMA Protection
System Guard
Secure Boot
Virtualization-based Security (VBS)
Trusted Platform Module 2.0 (TPM2.0)
You now can simply activate the Security Feature.
Needs a Reboot
Hypervisor Enforced Code Integrity (HVCI) is enabled.
The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects. For more information, see Windows Security Baselines.
Baseline security policies for Windows Server 2022.
But what’s new in Microsoft Windows Server 2022?
Here we have some new Windows Server 2022 security features :
Secured-core server
Hardware root-of-trust
Firmware protection
Virtualization-based security (VBS)
Secure connectivity
Transport: HTTPS and TLS 1.3 enabled by default on Windows Server 2022
Secure DNS: Encrypted DNS name resolution requests with DNS-over-HTTPS
Server Message Block (SMB): SMB AES-256 encryption for the most security conscious
SMB: East-West SMB encryption controls for internal cluster communications
In the following steps you will see some of the security features of Microsoft Windows Server 2022.
When your Windows Server 2022 is running on a Hypervisor like Hyper-V, you can set Memory integrity under Windows Security to ON.
This prevents attacks from inserting malicious code into high security processes. When you set this security feature on, the Server needs a reboot to activate. Memory Integrity needs a reboot.
Windows Security Notifications.
By default Virus & Threat protection notification is active, when you want notifications about Microsoft defender firewall blocking a new application, you have to turn this feature on and select the firewalls.
In Windows security we have also ransomware protection.
Protect your files against threats like ransomware, and see how to restore files in case of an attack.
You can do this by Controlled folder access. Protect files, folders and memory on your Server from unauthorized changes by software.
Protected folders.
New in Windows Server 2022 is Tamper protection in Windows Security.
This Prevents others from tampering with important security features.
This was all Microsoft Windows Server 2022 security in the VM, but how about your Windows Server 2022 Hyper-V Hypervisors?
Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Here you find a great video with a session of Jeff Woolsey Principal Program Manager at Microsoft. It’s all about What’s new in Windows Server 2022.
Conclusion
Start with Microsoft Windows Server 2022 today and make your test environment to play with Windows Server 2022 and Security.
Make your core business application solution more secure then ever, and let a ethical hacker do pen tests on your solution.
When you have security by default in your architectural designs, and test your Windows Server 2022 for production workloads it makes a big different to keep your environment and solution safe. And when you monitor your Windows Server 2022 solution pro-active with Azure Monitor, Azure Security Center, Azure Defender like this with Azure Arc enabled Servers
This keeps you in Control on Security by design for your business.
With Windows Admin Center you can remotely manage Windows Server running anywhere—physical, virtual, on-premises, in Azure, or in a hosted environment.
The tool, available with your Windows Server license at no additional charge, consolidates and reimagines Windows OS tools in a single, browser-based, graphical user interface.
At Microsoft Ignite 2021 Global Virtual Event they launched Windows Admin Center version 2103. Here you find the download.
Set Proxy Server in Windows Admin Center Settings.
Open in a Separate Window
This is a Separate Window on my Second Screen, this works Awesome!
Windows Admin Center Virtual Tool improvements 🙂
Conclusion
Microsoft is working hard to make Hybrid IT Management better for Administrators to manage Hybrid Cloud datacenters. Windows Admin Center is a must have for managing
Windows Server Core, AzureStack HCI, and Cluster Services. I can say: I love to work with Windows Admin Center 🙂
Manage all your server environments with familiar yet modernized tools, such as the reimagined Server Manager and streamlined MMC tools, from a single, browser-based, graphical user interface. Admins can manage Windows Server instances anywhere: on-premises, in Azure, or in any cloud.
Operate hybrid seamlessly
Extend on-premises deployments of Windows Server to the cloud by using the Azure hybrid services found in Windows Admin Center. Use Azure for:
Backup and disaster recovery
Additional capacity for compute, file servers and storage
Centralized management for monitoring, threat protection and update management
In the following steps we will install Windows Server Core 20H2 version Build 10.0.19042 via Windows Admin Center on my Hyper-V Host called Starship01.mvplab.cloud.
I have Windows Admin Center already running for my MVPLAB with a Windows Server 2019 Hypervisor host. From here I will install a New Windows Server Core 20H2 Machine.
Click in the Left toolbar on Virtual Machines
and then on Add New
Deployment settings for the New Virtual Machine.
Here we set the following settings :
Virtual Machine Name
Generation VM ( gen 2 is recommended )
The path of the VM settings and Disk
Virtual Processors
a mark for nested virtualization ( for the Hyper-V feature )
Memory
Network / Virtual Switch
Storage
When you Add Storage you can select also the new ISO file for Installation.
I changed the Size of the Operating Disk from 127GB to 50GB
And I selected the path to the Windows Server Core 20H2 ISO.
Then Click on Create.
Windows Admin Center will create the Virtual Machine really fast.
Now the Window Virtual Machine Dark20H2 is created by Windows Admin Center on the Hyper-V Host, we can do the Windows Server Core 20H2 Installation by starting the Virtual Machine.
Before you Start running the VM, have a look at the settings
If you want you can set more Security features here.
You can set Encryption and Security Policy.
Start the Virtual Machine here for Installation of Windows Server Core 20H2
( The ISO is connected )
Installation of Windows Server Core 20H2 version Build 10.0.19042
The virtual Machine is running and now we can connect it via Windows Admin Center to do the installation of Windows Server.
Click on Connect
Use your Windows Admin Center account and mark
for the certificate. Then Click on Connect
Here we see the Console for the Windows Server Installation.
Install Now.
The Windows Server Core 20H2 is Installed.
Of course you can now configure the Machine via SConfig.exe, I only gave the Server name and a static IP address with DNS.
Via Windows Admin Center ( Manage) you can add the Machine to the domain.
Add the Server to the domain with your account and Click on Join
Server will Restart, Click on Yes
Dark20H2 Joined the Domain MVPLAB.CLOUD Successfully
Adding the Windows Server Core 20H2 to Windows Admin Center
Add Dark20H2.mvplab.cloud to Windows Admin Center.
Of course I want to manage the server with Windows Admin Center and use all the tools I need to securely manage this Server.
Windows Server Core 20H2 in Windows Admin Center.
First thing what I do in my MVPLAB is Windows Updates.
December Updates for Windows Server Core 20H2
Updates Installed Successfully 🙂
Azure Hybrid Services
Azure Hybrid Services
You can extend on-premises deployments of Windows Server to the cloud by using Azure hybrid services. These cloud services provide an array of useful functions, both for extending on-premises into Azure, and for centrally managing from Azure. Think of :
Windows Admin Center is a must have when you have to manage Windows Server Core versions, you don’t have to worry about all the Commands of Windows Server Core. With Windows Admin Center it becomes easy to do the complete installation of the server and this include also all features of Windows Server Core 202H2 Build 10.0.19042. It becomes really powerful when you use it in a Hybrid way by connecting to Microsoft Azure Cloud Services. Earlier I wrote a blogpost about Windows Admin Center and Azure Security Center
I Hope this is useful for you, and start your journey with Windows Admin Center & Windows Server Core versions 😉
Azure Stack HCI is a Hyper-Converged Infrastructure (HCI) cluster solution that hosts virtualized Windows and Linux workloads and their storage in a hybrid on-premises environment. Azure hybrid services enhance the cluster with capabilities such as cloud-based monitoring, Site Recovery, and VM backups, as well as a central view of all of your Azure Stack HCI deployments in the Azure portal. You can manage the cluster with your existing tools including Windows Admin Center, System Center, and PowerShell.
Azure Stack HCI, version 20H2 is a new operating system now in Public Preview and available for download. It’s intended for on-premises clusters running virtualized workloads, with hybrid-cloud connections built-in. As such, Azure Stack HCI is delivered as an Azure service and billed on an Azure subscription. Azure Stack HCI also now includes the ability to host the Azure Kubernetes Service; for details, see Azure Kubernetes Service on Azure Stack HCI.
Get Started with Azure Stack HCI and Windows Admin Center
Windows Admin Center is a locally deployed, browser-based app for managing Azure Stack HCI. The simplest way to install Windows Admin Center is on a local management PC (desktop mode), although you can also install it on a server (service mode).
If you install Windows Admin Center on a server, tasks that require CredSSP, such as cluster creation and installing updates and extensions, require using an account that’s a member of the Gateway Administrators group on the Windows Admin Center server. For more information, see the first two sections of Configure User Access Control and Permissions.
Before you begin, you have to know that Azure Stack HCI is still in Preview and not for Production usage ready. But I’m installing it in my MVPLAB for testing purpose only and learn all the New Features.
What’s New in Azure Stack HCI
Clusters running Azure Stack HCI, version 20H2 have the following new features as compared to Windows Server 2019-based solutions:
New capabilities in Windows Admin Center: With the ability to create and update hyper-converged clusters via an intuitive UI, Azure Stack HCI is easier than ever to use.
Stretched clusters for automatic failover: Multi-site clustering with Storage Replica replication and automatic VM failover provides native disaster recovery and business continuity to clusters that use Storage Spaces Direct.
Affinity and anti-affinity rules: These can be used similarly to how Azure uses Availability Zones to keep VMs and storage together or apart in clusters with multiple fault domains, such as stretched clusters.
Azure portal integration: The Azure portal experience for Azure Stack HCI is designed to view all of your Azure Stack HCI clusters across the globe, with new features in development.
GPU acceleration for high-performance workloads: AI/ML applications can benefit from boosting performance with GPUs.
BitLocker encryption: You can now use BitLocker to encrypt the contents of data volumes on Azure Stack HCI, helping government and other customers stay compliant with standards such as FIPS 140-2 and HIPAA.
Improved Storage Spaces Direct volume repair speed: Repair volumes quickly and seamlessly.
In the Following Step-by-Step guide we install Azure Stack HCI Cluster with Windows Admin Center.
Click on Add and then Create New Server Cluster.
Choose for Azure Stack HCI.
Here you can also choose for both Azure Stack HCI nodes are in the same Site or you have more Azure Stack HCI Nodes in Two Sites for disaster Recovery and Business Continuity.
In my MVPLAB I have all Azure Stack HCI nodes in One Site. More information about Microsoft Azure Stack HCI Stretching Clusters can be found here.
This is what I like about Windows Admin Center, supporting you in all steps and choices for making an Azure Stack HCI Cluster with Storage Spaces Direct.
Specify your administrator Account and password and add the Azure Stack HCI Node Servers
Add the Nodes to the Domain.
Install Required Features on the Azure Stack HCI Node Servers
Install Updates on the Azure Stack HCI Node Servers
Here you get options from your hardware vendor
I don’t get this because it’s virtual.
Restart the Azure Stack HCI Node Servers and Click Next Networking
Networking adapters are UP and Running.
When you have Enough Nics in your Azure Stack HCI Node Server, you can choose here for a Teamed Management NIC.
I choose for a single management NIC. Plan your Azure Stack HCI Node network
Configure your Production and Storage network
Here you can configure different Switches for your workloads. Windows Admin Center will work with Software Defined Networking (SDN) I Skipped this in my MVPLAB.
Before creating the Azure Stack HCI Cluster, we have to Validate the Cluster first.
When the Cluster Validation is done, you can download the Cluster Validation report.
Here we give the Cluster a Name and a static IP.
Click Create Cluster.
Microsoft Azure Stack HCI Cluster is created 😉
Click Next for Storage.
Click Next
I Got some small disks Click Next.
Storage is validated and suitable for Storage Spaces Direct.
Storage Spaces Direct is enabled on your Azure Stack HCI Cluster.
Click Next for SDN
Here you can configure the Network Controller for the Azure Stack HCI Cluster
Done your Azure Stack HCI Cluster is made 🙂
Here we have the Dashboard in Windows Admin Center of my Azure Stack HCI Cluster
Management of your Azure Stack HCI Cluster
Managing your Azure Stack HCI Cluster with Windows Admin Center is important, because I have connected WAC with my Azure Subscription I can use Azure Monitor.
From here the Cluster is also connected with my Analytics workspace of Azure Monitor.
Azure Stack HCI Cluster Nodes connected with Azure Monitor.
With Windows Admin Center you can manage the Azure Stack HCI updates with Cluster Aware Updating (CAU) without any downtime for your workloads.
Start Cluster Aware Updating
Click on Install
One Azure Stack HCI Node is waiting and the other is Installing.
Now the other Azure Stack HCI Node is Installing the Update.
Updates Succeeded on both Azure Stack HCI Nodes.
Microsoft Azure Stack HCI Cluster is Running
Create your Virtual Machine on Azure Stack HCI Cluster.
Conclusion
Windows Admin Center supports you all the way for making your Microsoft Azure Stack HCI Cluster in easy steps deployment wizard. Of course you can make also your own PowerShell deployment scripts when you have to make more Azure Stack HCI Clusters for different platforms like Deploying virtual machines or AKS Kubernetes Clusters for Container Applications or a SQL environment. Here you find more information about PowerShell commands
After deploying Azure Stack HCI Clusters with your own PowerShell Script, you can add the Cluster into Windows Admin Center for IT Management.
The Installation time of the Cluster is really fast. I hope this will give you more inside information about the Preview of Microsoft Azure Stack HCI Cluster and Windows Admin Center better Together!
Next Step is AKS Kubernetes on Azure Stack HCI 😉
Windows Admin Center is a locally deployed, browser-based app for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows 10 PCs. It comes at no additional cost beyond Windows and is ready to use in production. If you want to work more secure with Windows Server Core images without the GUI or with Microsoft Azure Stack HCI operating system then Windows Admin Center is the tool for the Administrator to manage your workloads on-premises or in the Cloud. You have one web based interface for all your Server consoles (MMC) to manage your Hybrid Datacenter.
Here you can read more about Microsoft Windows Admin Center and download the free software.
Get the best with Windows Admin Center Extensions
Windows Admin Center and the Container Extension
When you have installed Microsoft Windows Admin Center you can configure the settings and extensions for your environment. When you want the benefits of the Microsoft azure Cloud Services you can configure your Azure subscription and add the extensions to your Windows Admin Center. There are also Third Party extensions like Dell, DataOn, Fujitsu and more. Here you find more information about how extensions work.
Container Extension
In the following step-by-step guide we will work with the Container Extension of Windows Admin Center on a Windows Server 2019. You have already added the server in WAC and installed the Container extension. In my MVPLAB.CLOUD is that Windows Server 2019 datacenter Starship01.mvplab.cloud. When you open the server you will come in the Overview of the Windows Server:
Click on Containers.
Click on Install for the Docker installation on Starship01.mvplab.cloud.
This will install Docker on the Windows Server 2019 and reboot when it’s ready to use for Containers. From this moment you can work with Windows Containers on the host via Windows Admin Center.
Remote Desktop in Windows Admin Center, the docker host is installed with the Windows Filter by default.
When you want to use Docker Linux Containers with Windows Server 2019 host, you have to configure the Linux kit LCOW with a distro on the host. More info here
Containers on Starship01.mvplab.cloud
To start with containers you can create your own, or pull an image from Docker Hub with Windows Admin Center. In my case I pull Windows Server 2019 ltsc with IIS image.
mcr.microsoft.com/windows/servercore/iis (Image)
windowsservercore-ltsc2019 (Tag)
Click then on Pull.
Select your image and click on Run.
Give your Container a name and set your settings.
Click on Run.
Click on Containers tab and you will see your running Container
More details you see the IP-Address of the Container.
IIS is running on Windows Server 2019 ltsc in a Docker Windows Container.
That was easy right 😉
Making your Own Docker file with Windows Admin Center Container Extension
When you have your own Github repository with your software, you can make your own docker file and make a docker image on your host for deployment. To show this I have used this sample on Microsoft docs, but you can clone also a github repository and copy the dockerfile on the host.
I copied the dockerfile on the host C:\BuildImage.
—————
# Sample Dockerfile
# Indicates that the windowsservercore image will be used as the base image. FROM mcr.microsoft.com/windows/servercore:ltsc2019
# Metadata indicating an image maintainer. LABEL maintainer=”jshelton@contoso.com”
# Uses dism.exe to install the IIS role. RUN dism.exe /online /enable-feature /all /featurename:iis-webserver /NoRestart
# Creates an HTML file and adds content to this file. RUN echo “Hello World – Dockerfile” > c:\inetpub\wwwroot\index.html
# Sets a command or process that will run each time a container is run from the new image. CMD [ “cmd” ]
In Windows Admin Center comes ITpro world and DevOps world Together in One web based console like with the Container extension. Microsoft is developing really fast in Windows Admin Center to get all the right Feature for ITPro, DevOps and SecOps Administrators in one place. Awesome are the Windows Admin Center Extensions, developers makes these better and better to do the job for Administrators 🚀
Windows Server 2019 Core and Azure Stack HCI are Operating systems without a GUI, and with Windows Admin Center they are really good to manage, update and keeping in control of security.
I like Windows Admin Center a lot and it Rocks for managing your hybrid Datacenter 😉
Send your comments and feedback via Microsoft GitHub repoby opening a new issue for the Container Extension. Follow @vrapolinario on Twitter
You can Follow Windows Admin Center here on Twitter : @servermgmt
Microsoft Windows Admin Center is a web based App working in your modern browser like Edge or Chrome to manage your datacenter infrastructure. You can download it here
You can manage Windows Servers, Windows10 Desktops, Clusters, Hyperconverged Clusters, Storage Spaces Direct and more in a Hybrid environment and that’s what I like.
My Servers can be on-premises or in the Cloud like Azure and will manage them with Windows Admin Center.
Microsoft Windows Admin Center for Hybrid IT Management
I really like to work with Microsoft Windows Admin Center for managing my Hybrid workloads Windows Servers in Azure Cloud Services but also our On-premises Servers on Hyper-V and VMware platform. Even our physical Windows Servers can be managed from Windows Admin Center.
You can extend on-premises deployments of Windows Server to the cloud by using Azure hybrid services. These cloud services provide an array of useful functions, including the following:
Protect virtual machines and use cloud-based backup and disaster recovery (HA/DR) with Azure Site Recovery.
Track what’s happening across your applications, network and infrastructure with the help of advanced analytics and machine learning in Azure Monitor.
Simplify network connectivity to Azure with Azure Network Adapter.
Keep virtual machines up to date with Azure Update Management.
Azure hybrid services work with Windows Servers in the following configurations:
Stand-alone physical servers and virtual machines (VMs)
I’m working with Windows Admin Center since day one, and you see the hybrid management tool evolving with great new features to make your life as an Administrator more easier. For example you get notifications when there are updates in extensions.
Notification details about update Extensions
When you click on the link “Go to Extensions” you will see the Extensions installed and the Updates which you can install from there.
Here you see an Azure Security Center Extension update.
There are not only Microsoft extensions, but also third party solution extensions and you could build your own extension for your solution. Here you find all the information about Windows Admin Center Extensions
Third Party Windows Admin Center Extensions
Installing a New extension is easy to do, the Azure Cloud Shell (Preview) was the last extension I installed in my Azure MVP Lab to work with. Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell. Cloud Shell enables access to a browser-based command-line experience built with Azure management tasks in mind. So how does this look in Windows Admin Center?
Install the Azure Cloud Shell (Preview) Extension
You find the Installed Azure Cloud Shell in the pulldown menu of WAC
For Management of your Windows Servers you need some tools and consoles. Windows Admin Center is supporting you to get the Management consoles in one place to do your administration and updates.
The next tree Features are in Windows Admin Center to manage your Windows Server.
Powershell inside WAC of my Domain Controller
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
Here you find more information about Windows Commands
Windows Update in Windows Admin Center.
Of course you need to update your Windows Servers, and what I like in WAC is that you get the information if an update needs a reboot before you click on Install Updates. This option is good for my Azure MVP Lab but when you need to update more then 100 Servers, you would do that centrally managed like with Update Management solution in Azure
Windows Remote Desktop in WAC
Remote Desktop is one of the Features of Windows Admin Center, to take over the desktop for installations of Applications for example.
Windows Admin Center got a lot more Features and Tools to Manage your Windows Servers in a Hybrid world.
Like these :
Storage
Security
System Insights
Scheduled Tasks
Installing Roles and Features of Windows Server
Registry
Processes running on your Windows Server
Managing and deploying Clusters
and much More………
You can install the following Resources to Manage with WAC
Windows Admin Center Overview
Conclusion:
Microsoft Windows Admin Center is the New Management tool for your Hybrid IT Management to Controle your Servers for your Business. It got all the Management consoles covered of Windows Servers to manage from one tool.
It’s easy to use and It keeps you Up-to-date of what is happening on your Windows Server but also what is New and updated. With Microsoft Windows Admin Center your are learning on the job and that’s what I Like 😉
Hope you will use Microsoft Windows Admin Center too for your Business, download it here for Free!
As enterprise environments now span on-premises to the cloud, customers look to leverage the innovation in Azure services using their on-premises tools. To enable this, Microsoft has integrated System Center with a set of management services in Azure to augment the on-premises tools.
With Service Map integration with System Center Operations Manager (SCOM), you can automatically create distributed application diagrams in Operations Manager (OM) that are based on the dynamic dependency maps in Service Map.
With Azure Management Pack, you can now view perf and alert metrics in SCOM, integrate with web application monitoring in Application Insights, and monitor more PaaS services, such as Azure Blob Storage, Azure Data Factory, etc.
Virtual Machine Manager (VMM) 2019 enables simplified patching of VMs by integrating with Azure Update Management.
What is New in Microsoft System Center 2019
Read here what is new on Microsoft System Center 2019 for your IT Management :
New features in DPM 2019
See the following sections for detailed information about the new features/feature updates supported in DPM 2019.
Modern Backup Storage (MBS) was introduced in System Center Data Protection Manager (DPM) 2016 to deliver 50% storage savings, 3X faster backups, and more efficient, workload-aware storage. DPM 2019 introduces further performance improvements with MBS resulting in 50-70% faster backup with Windows Server 2019. This article provides the upgrade information for System Center 2019 – Data Protection Manager (DPM).
New features in Operations Manager 2019
See the following sections for detailed information about the new and updated features in System Center 2019 – Operations Manager. Features and updates introduced in Operations Manager version 1801 and 1807 are included in version 2019. Plan your Upgrade to SCOM 2019
Service Map integration
Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. It automatically builds a common reference map of dependencies across your servers, processes, and third-party services. Integration between Service Map and System Center Operations Manager allows you to automatically create distributed application diagrams in Operations Manager that are based on the dynamic dependency maps in Service Map.
Cloud and Datacenter Management Blog 