Windows 10 Creators Update 1703 includes a new tool to convert MBR disks to GPT disks

So I am working on converting a Windows 10 1703 installation that is installed on a MBR disk, and have been looking for the best way to convert it to a GPT disk, so that secure boot, credential guard, and device guard can be enabled. As you may or may not already know, if Windows 10 is installed on an MBR (Master Boot Record) disk, you can not take advantage of all the latest advances in security. Thankfully, Microsoft has included a tool called MBR2GPT.exe in the Windows\system32 directory. Although this tool is really supposed to be used from a PreInstallation Environment like WinPE, it can be used from inside a Windows 10 1703 Build 15063 installation if you use the command line switch /AllowFullOS.

However, it is not as easy to convert as one may think, especially if your first hard disk already has multiple partitions. This is a problem that I am working on fixing. I learned that running the command
MBR2GPT /validate /disk:0 /allowfullos
errors out for me and when I find the setuperr.log in the Windows directory, it says that the disk has too many partitions to convert to GPT. The log said this:
2017-04-02 17:29:34, Error ValidateLayout: Too many MBR partitions found, no room to create EFI system partition.
2017-04-02 17:29:34, Error Disk layout validation failed for disk 0
ValidateLayout: Too many MBR partitions found, no room to create EFI system partition.
Error Disk layout validation failed for disk 0

Therefore, I am going to have to blow away some partitions before converting this disk. This disk is an SSD with four partitions, but I have tried this from WinPE environment with a Disk that has only 2 partitions and it works. The problem with my SSD drive is that it has an MSR partition in the front, then the Windows C volume, then a Recovery partition, and then an HP Tools partition that I installed from an HP update for the BIOS.

Update: I went back and forth with the reader that commented below, via email and wanted to document how he fixed his problem so it could help someone else in the future. His first comment was :

I am getting an error when trying to do the validation:
ValidateLayout: Wrong boot partition count, expected 1 but found 0.

He then emailed me back and said that his OS Drive was on the first Physical Disk, but his boot partition aka system partition was on the second disk.

My next message to him was:

“Do you have any room to make another partition on the first drive?
I would try to shrink the OS Drive by like 500 mb, then create a new partition on the first drive, using FAT32 of 500mb, there is a way to label it MSR with diskpart, then try to copy the system files directly to that drive, but leave the system from the second disk in tact, so it will still boot, not sure if you can copy the boot files, but you can always try an in-place upgrade so you don’t lose any files. You want the MBR2GPT tool to think that the boot drive is on the first partition. You want the first drive to have two or three partitions, the FAT32 one where you copy the system and boot files over, the OS, and the Recovery drive if you need it. I don’t think I ever had the boot drive on another physical disk, but I have had to recreate the boot drive on my OS disk, and I used the macrium reflect rescue CD to rebuild the boot (System Drive for me). It makes it very easy, so I think it is possible. Let me know if you have any more questions.
Good luck

So he then tried this and came back and said :
That did the trick!
I created a new 500 mb partition using NTFS, copied the files from the old system partition. Ran mbr2gpt and everything works 🙂

Thank you so much !

Now I am not sure if secure boot will work now, because secure boot can be a little tricky to get going, but he was able to convert the first drive to GPT by shrinking the OS making a new partition on the OS Drive and copying the boot system partition from drive 2 to drive one. If anyone else has this problem in the future, try this… As far as getting secure boot enabled, that may just work, or it may require some more configuration. Hit me up if you need help with this.

Creating Dockerfiles to be built with Docker for Windows Community Edition.

Creating a Dockerfile is remarkably easy. A Dockerfile is basically a text file, that is used with Docker to build a container from a Docker image.  You usually start by creating a text file named Dockerfile in a new directory. You don’t want to put a Dockerfile in the root of the C drive for example, because every file and folder below the Dockerfile will get packaged into the built container.

First line of a Dockerfile usually is just a comment starting with a pound # sign.

Then you tell Docker what image to use when creating the container like this:

FROM ubuntu:15.04

Next you add a MAINTAINER which is your name and/or email address


Now we start the next line with a RUN command, that tells the container the first command to run. For example,

RUN apt-get update && /bin/bash

After the RUN command, you can then use EXPOSE 80,443 to open firewall ports 80 and 443,

there are a few different commands we can use here, but the last command will be CMD

This CMD line tells the container what process to run as its main process, and since most containers are supposed to run only one process, (although they can run more than one, best-practice is to only run one process in each container)

CMD commands should be written inside of [] brackets…

CMD [“apache2ctl”, “-D”, “FOREGROUND”]
Final Dockerfile should look like this:


# Apache Web Server Dockerfile with apache2-utils and vim
FROM ubuntu:15.04
RUN apt-get update && apt-get install -y \
        apache2 \
        apache2-utils \
        vim \
        && apt-get clean \
        && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
CMD [“apache2ctl”, “-D”, “FOREGROUND”]

Setting up Docker on windows server 2016

docker logo

Although Docker is available in Windows Server 2016, it is not immediately obvious how to set it up and start running containers on a Windows Server 2016 server. The first step is to enable the Windows Feature Containers with the PowerShell command Install-WindowsFeature -Name Containers -Verbose . After enabling the Containers feature, installing Docker requires executing the following PowerShell commands:

Install-PackageProvider -Name NuGet -MinimumVersion -Force
Install-Module -Name DockerMsftProvider -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force
# Open firewall port 2375
netsh advfirewall firewall add rule name="docker engine" dir=in action=allow protocol=TCP localport=2375

# Configure Docker daemon to listen on both pipe and TCP (replaces docker --register-service invocation above)
Stop-Service docker
dockerd --unregister-service
dockerd -H npipe:// -H --register-service
Start-Service docker

Optionally you can also install the PowerShell Docker Dev module with the following commands:

Register-PSRepository -Name DockerPS-Dev -SourceLocation

Install-Module Docker -Repository DockerPS-Dev -Scope CurrentUser

To be sure that Docker is installed run the following commands in PowerShell or Command Prompt:
docker version
docker info

Now you can download the microsoft windowsservercore or nanoserver images and begin creating containers.

docker pull microsoft/windowsservercore
docker pull microsoft/nanoserver

Microsoft Policy Analyzer 3.0 Update available

WARNING: THIS link will download Policy Analyzer 3.0 and samples in a safe zip file from Microsoft:

Microsoft Policy Analyzer 3.0 is now available  and according to Aaron Margosis: “Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs).”  There is a pdf file that is included with the download that explains how to use the application. The new updated 3.0 version also includes several PolicyRules files that can be imported into the Policy Analyzer application and used to compare to the computer’s policies or any imported GPO backup files.

The best use of this software in my opinion is to use it in a domain to analyze your organization’s Group Policy Objects and to look for conflicts with Local Policies or within all the GPOs. You can point it to the SYSVOL folder and import the group policy objects that are being used in the domain. Then by comparing them, you will be alerted to any conflicts and you can export the results to an Excel spreadsheet. It is an excellent tool that will take some time to get used to, but it is extremely important for any security professional to do an analysis of an organization’s policies.

Shop Amazon Gift Cards. Any Occasion. No Expiration.

Microsoft Security Compliance Manager 4.0, Policy Analyzer, and LGPO – Security Admin Tools

(Microsoft’s Channel 9 Podcast – Defrag Tools)

I recently installed the Security Compliance Manager 4.0 using and already installed version of SQL Server 2016 express. This is how you need to install SCM 4.0 on windows 10, since SQL Server 2008 is no longer compatible with Windows 10. If you do not already have SQL Server Express installed, then you need to download and install SQL Server express 2014 or 2016 and install just the engine. Then you can install Security Compliance Manager 4.0 and it will ask for an installed instance of SQL Server and you must choose the name of the instance that you just installed. Then SCM4.0 will install successfully on Windows 10. Although has posted a review of Microsoft Security Compliance Manager in 2014, there is now a new version available and this post will discuss Version 4.0. Security Compliance Manager will allow you to download Microsoft recommended Security Baselines for Windows 7,8, and 10, and for Windows Server 2012, 2016, and SQL Server 2012. These baselines contain group policies and settings that are recommended by Microsoft to secure your Active Directory domains.

Also available now is Policy Analyzer.

Policy Analyzer

Photo of Policy Analyzer from Microsoft Security Guidance blog on Microsoft TechNet.

The most interesting of the new baselines is perhaps the Windows 10 1607 Security Baseline, and it is available to download after you install Security Compliance Manager 4.0. This baseline can be exported to an Excel spreadsheet that separates the settings and configurations into different tabs. For some reason I am not able to preview this page anymore as I type it, I think adding Google tag manager has screwed it up. So I’m going to post this and then investigate what happened, and I might have to remove the Google Tag Manager. Hopefully I will continue this post later, if you have any questions about these two security software applications from Microsoft feel free to email me at james at

Use the Nano Server Image Builder to build your Nano Server vhdx files for Hyper-V

Nano Server image builder Create New Image

Nano Server Image Builder Select Scenario page

The Nano Server Image Builder is a simple GUI tool that helps create a Virtual Hard Disk of a Nano Server image for a Virtual Machine, or it can create a bootable Usb drive for a physical installation. You can download the tool from the Microsoft Download Center.

Image Builder page two

NanoServer Page Two

Page 3

Nano Server Image Builder page 3

The first thing you want to do before you start creating a nano server image, is to mount a Windows Server 2016 ISO. This will cause a drive letter to be created with the Windows Server 2016 Image mounted, which is required for the application because the Nano Server media folder needs to be available for the application. This application is basically a front end for the PowerShell script New-NanoServerImage. Now go through the wizard and be sure to create a name for the Virtual Hard Disk, by entering Name.vhdx. If you are going to want to join this nano server to a domain before starting it, you will have to provision a djoin.exe blob. When the wizard completes and you create the NanoServer vhd or vhdx file, now you need to create a new virtual machine and use this vhdx as the hard drive for the new Hyper-V virtual machine.

Wizard Page 4

Nano Server Image Builder Wizard Page 4

Nano Server Image Builder pg 5

NanoServer Image Builder Page 5

Image Builder Page 6

Nano Server Image Builder Page 6

Nano Server Image Builder page 7

Nano server image builder page 7

Page 8 on nano server image builder

Nano server image builder page 8

Nano Server Image Builder page 9

Page 9 of the Nano Server Image Builder

Advanced Configuration

Nano Server Image Builder Page 10 – Advanced Configuration

Add Servicing Packages

Page 11 – Add Servicing Packages

Add Scripts and Binaries

Page 12 – Add Scripts and Binaries

Developer Mode

Turn on Debugging Mode and Developer mode

Final Page of Wizard

Final Page of Nano Server Image Builder

New Windows 10 services appearing in latest preview builds

Windows Spectrum – This service has the name of Spectrum, and is described with the following caption “Synthesizes perceived environment captured through reality understanding modules”. This service will most likely be used with Hololens and Augmented Reality or Virtual Reality accessories. If you are just using Windows 10 as a computer and not with any hololens-type devices, it should be safe to disable this service or just leave it set to manual.

WFDSConMgrSvc – This service is used with wireless devices, the exact description states “Manages connections to wireless services, including wireless display and docking.” It should also be safe to disable this service if you are not using any wireless screens or docking stations.

PrintWorkflowUserSvc_290d03 – This service is also new and could have a different combination of letters and numbers at the end of its name. Not much information here, its related to some type of printing workflow, perhaps 3D printing?

Payments and NFC/SE Manager – This service is named “SEMgrSvc” and should only be necessary if you are running windows on a newer mobile type pc that has Near Field Communications capabilities. On an old PC you can disable this service.

LPA Service – Also Named the wlpasvc – This service provides profile management for subscriber identity modules.

Dusmsvc – The Dusmsvc does not have an explanation, however Microsoft documentation explains that DUSM stands for Data Usage Subscription Management, so if you are just using your computer at home and don’t have to worry about data usage limits, than you can leave this service alone as well. You may want to leave it if you are ever curious how much data that Windows 10 uses, since it could be measured with the help of this service. MSDN Documentation explains that “The Data Usage Subscription Management (DUSM) schema defines elements that are used to describe cost information for a subscriber’s connection to a metered network.”




Protect Yourself with PepperSpray