July, 2008

  • TONYSO

    How to tell if your server hardware is ready for Hyper-V/BitLocker


    You can download a free third-party tool to help you identify if your server hardware supports the required features for Hyper-V and BitLocker:

    If your processor is Intel, you can use their free Intel Processor Finder tool. Read more about it on their forum: http://communities.intel.com/openport/message/4575

    SecurAble probes the system's processor to determine the presence, absence and operational status of three modern processor features:

    • 64-bit instruction extensions
    • Hardware support for detecting and preventing the execution of code in program data areas
    • Hardware support for system resource “virtualization”


    This Windows Server Catalog site shows what servers are certified for Hyper-V and Windows Server:

    http://www.windowsservercatalog.com/results.aspx?&bCatID=1283&cpID=0&avc=10&ava=0&avq=22&OR=1&PGS=25&ready=0

  • TONYSO

    Hyper-V Visio Stencils and Rack Visualization


    If you need to produce diagrams as part of your Hyper-V deployment planning, you can download Hyper-V stencils for Visio and use them together with the free Microsoft Office Visio 2007 Professional Add-In for Rack Server Virtualization (Virtual Rack). Installing this add-in adds a new template called “Rack Server Virtualization” under the “Connectors” Templates category. You can use this template without running the tool.

    NOTE: this tool requires local admin privileges on every server you run it on, as well as:

    1. .NET Framework 2.0

    2. Microsoft Office Visio 2007

    3. Microsoft VSTO 2005 SE Runtime

    Running the inventory and analysis tool (if your datacenter allows it) gives you a visual picture of Power Drop and Rack space saved according to the target virtualization consolidation factor you entered (by default 3:1).

    You can set the consolidation criteria based on several factors:

    1. Power Rating: The server with a higher Power Rating is considered to be a better candidate than a server with a lower Power Rating.

    2. Rack Space Used: A Server that occupies more space is merged into the Server that occupies less space to minimize the space occupied by the Servers within a Rack.

    3. CPU Utilization: A Server with lower CPU Utilization is merged into the Server with higher CPU Utilization.

    4. Physical Memory: A Server with lower Physical Memory will be merged into the Server with higher Physical Memory.

  • TONYSO

    Where is the BitLocker Drive Preparation Tool?


    It gets a bit confusing if you want to improve the security of your Windows Server 2008 virtualization server and the VMs on it by running BitLocker Drive Encryption. Windows BitLocker Drive Encryption is a feature that encrypts one or more volumes (drives) attached to your computer and that can use a Trusted Platform Module (TPM) to verify the integrity of early startup components. Because BitLocker encrypts the entire volume of data, it requires the computer to be configured with an active partition, used for startup, which is separate from the operating system volume.

    If you didn't set up BitLocker when you set up the machine, before you started running VMs, you'll need to download the BitLocker Drive Preparation Tool and run it to configure BitLocker. If you read the KB930063 "Description of the BitLocker Drive Preparation Tool" you can learn a lot about the tool, except where to download it! And that you'll need to verify that you have the hardware support (TPM) to make it work. The Windows Server 2008 Hyper-V and BitLocker Drive Encryption white paper also says "Obtain the BitLocker Drive Preparation Tool and install it."

    After you get the drive prepared, and start the tool (Start>All Programs>Accessories>System Tools>BitLocker>BitLocker Drive Preparation Tool - easy, right?) you can click the "What should I know about BitLocker Drive Encryption before I turn it on?" help link to learn: "During computer startup, if BitLocker detects a system condition that could represent a security risk (for example, disk errors, a change to the BIOS, or changes to any startup files), it will lock the drive and require a special BitLocker recovery password to unlock it. Make sure that you create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files." A little farther on, a warning states "BitLocker Drive Encryption reduces disk throughput. It should be used on high performance servers only if the computer is not in a physically secure location."

    Ummm...kay....

    Best to first read the Windows BitLocker Drive Encryption Design and Deployment Guides that describe the various aspects of planning for deploying Windows BitLocker Drive Encryption. The document is organized in two guides, and you should carefully consider each guide before you deploy BitLocker Drive Encryption. If your virtualization server is encrypted, and you don't have the recovery credentials, all your VMs are offline till you do. Ponder that before you enable BL. You can read more here about the BitLocker Drive Encryption Algorithm.

    If you do get into trouble with a domain-joined machine, you'll need the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.

    Hope you never need the BitLocker Repair Tool: This tool helps access data encrypted with BitLocker if the hard disk has been physically damaged. This tool attempts to reconstruct critical data from the drive and salvage any recoverable data. To decrypt the data, a recovery password or recovery key is required. In some cases, a backup of the key package is also required. Use this command-line tool if the following conditions are true:

    • A volume has been encrypted by using BitLocker Drive Encryption.
    • Windows does not start, or you cannot start the BitLocker recovery console.
    • You do not have a copy of the data that is contained on the encrypted volume.
  • TONYSO

    Hyper-V on Server Core


    Installing Hyper-V on a Server Core installation of Windows Server 2008 makes sense from both a supportability and a security perspective. It can be a challenge, so here are some procedures, tips and resources to help you.

    You can use unattended setup to configure a server running a Server Core installation and Hyper-V. For more information about unattended setup settings, see the Windows Automated Installation Kit (AIK). You can find more information and a sample unattend.xml file in the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.

    NOTE: There is no way to upgrade from a full installation of Windows Server 2008 or a previous version of Windows Server to a Server Core installation. Only a clean installation is supported. There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that is not supported in a Server Core installation, you should install a full installation of Windows Server 2008.

    If you close all local command prompts while installing the Hyper-V role, you will have no way to manage the Server Core installation. If this happens, press CTRL+ALT+DELETE, click Start Task Manager, click File, click Run, and type cmd.exe. Alternatively, you can log off and log on again.

    Install Hyper-V on a Server Core installation
    1. You must perform a Server Core installation before you install the Hyper-V role. For instructions, see the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide, and complete the following tasks:

      • Setting the administrative password
      • Setting a static IP address (if required)
      • Activating the server

        You cannot activate a Server Core installation through a firewall that requires users to log on because there is no Web browser on a Server Core installation. Instead, you can activate by phone, using a Key Management Service (KMS) server, or remotely by typing the following command at a command prompt of a computer that is running Windows Vista or Windows Server 2008:

        cscript windows\system32\slmgr.vbs <ServerName> <UserName> <password> -ato

      • Configuring the firewall for remote administration if you will be using a Microsoft Management Console (MMC) snap-in other than the Hyper-V snap-in for remote management
      • Joining a domain

        If you are going to join a server running a Server Core installation to an existing Windows domain, you need a user name and password for an account that has the administrative credentials to join a computer to the domain.

    2. After you have installed Windows Server 2008, you must apply the Hyper-V update packages for Windows Server 2008 (KB950050). NOTE: Once you install these server updates, you will not be able to remove them. You should also apply any other required updates before you install the Hyper-V role.

      To view the list of software updates and see if any are missing, at the command prompt, type:

      wmic qfe list

      If you do not see “kbid=950050”, download the Hyper-V updates and then type the following command at a command prompt:

      wusa.exe Windows6.0-KB950050-x64.msu /quiet

      There are three update packages. The Update for Windows Server 2008 x64 editions (KB 950050), and Language pack for Hyper-V (KB951636) must be installed on the parent partition of the Server Core installation. After you install the server update you must restart the server.

      The Update for Windows Server 2008 (KB952627) is for remote management of the Server Core installation if you are managing the server from a computer running Windows Vista Service Pack 1 (SP1), and must be installed on the computer running Windows Vista SP1.

      Before you enable the Hyper-V role, ensure that you have enabled the required hardware-assisted virtualization and data execution prevention BIOS settings. Checks for these settings are performed before you enable the Hyper-V role on a full installation, but not on a Server Core installation.

      After you make the BIOS configuration changes to enable the required hardware features, you must complete a full power-cycle before proceeding. If you enable the Hyper-V role without modifying the BIOS settings, the Windows hypervisor may not work as expected. If this happens, check the event log for details, modify the BIOS settings according to the server hardware manufacturer instructions, complete a full power-cycle to restart the Server Core installation, and then install Hyper-V again.

      To check if your server hardware is compatible, see http://windowsservercatalog.com/. Click on the list of Certified Servers, and then click By additional qualifications – Hyper-V. For instructions about how to enable the BIOS settings, check with your hardware manufacturer.

    3. The syntax for Ocsetup.exe is case sensitive. To install the Hyper-V role, at a command prompt, type:

      start /w ocsetup Microsoft-Hyper-V

    4. Rename the server, if required. If your computer is joined to a domain, at a command prompt, type:

      netdom renamecomputer %computername% /NewName:<newname> /UserD:<domainusername> /PasswordD:*

      If your computer is not joined to a domain, at a command prompt, type:

      netdom renamecomputer %computername% /NewName:<newname>

      You must supply a value for placeholder text in angle brackets (<>)—do not type the brackets.

    5. Enable Remote Desktop for Administration if you want to manage the server running a Server Core installation remotely. At a command prompt, type:

      cscript c:\windows\system32\scregedit.wsf /ar 0

      If you are running the Terminal Services client on a previous version of Windows, you must turn off the higher security level that is set by default in Windows Server 2008. To do this, at a command prompt, type:

      cscript C:\Windows\System32\Scregedit.wsf /cs 0

    6. Add a user or group to the local Administrators group so that they can manage the Server Core installation remotely. To add a user to the local Administrators group, you must first add the user. At a command prompt type:

      net user <username> * /add

      To add a user to the local Administrators group, at a command prompt, type:

      net localgroup administrators /add <user>

      You cannot perform all management and configuration tasks at a command prompt or remotely through an MMC snap-in. A server that is running a Server Core installation does not generate any notifications for activation, new updates, or password expiration because these notifications require the Windows Explorer shell, which is not part of the Server Core installation. You can use the Scregedit.wsf script included with the Server Core installation to configure the following settings:

      • Enable automatic updates
      • Enable Remote Desktop for Administration
      • Enable Terminal Server clients on previous versions of Windows to connect to a server running a Server Core installation
      • Configure DNS SRV record weight and priority
      • Manage IPsec Monitor remotely

      The script is located in the \Windows\System32 folder of a server running a Server Core installation. At a command prompt, open the folder, and then use the following command to display the usage instructions for these options:

      cscript scregedit.wsf /?

      You can use this command with the /cli option to display a list of common command-line tools and their usage. To view your current Remote Desktop for Administration Settings, use the /v option. A "1" in the script output (without the quotes) means that remote connections are denied. A "0" means that remote connections are allowed.

    7. If you wish to improve security by using BitLocker Drive Encryption to protect the server and VMs running on it, you should install the BitLocker feature before running any VMs. To install the BitLocker feature, at a command prompt type:

      start /w ocsetup BitLocker

      The BitLocker Drive Encryption feature requires additional hardware and BIOS configuration. For more information about using BitLocker with Hyper-V see Windows Server 2008 Hyper-V and BitLocker Drive Encryption.

    8. Reboot the server to make the changes take effect. At a command prompt type:

      shutdown /r /t 0

      The remote management tools are designed to manage one server running the Hyper-V role and the virtual machines on that server. To manage multiple servers running Hyper-V you can use System Center Virtual Machine Manager (SCVMM).
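
    Steps 2 and 3 above, combined with the BIOS prerequisite that Server Core setup does not check for you, as a single batch file. This is an added example, not part of the original post; the file name, the location of the .msu package, and the use of oclist (a Server Core tool not mentioned above) to detect an already installed role are assumptions.

    ```batch
    @echo off
    rem hyperv-core-preflight.cmd - hypothetical file name; added example.
    rem Run at the local command prompt of the Server Core installation.
    setlocal

    rem Assumption: the update package was downloaded into this script's folder.
    set "MSU=%~dp0Windows6.0-KB950050-x64.msu"

    echo [1/3] Data Execution Prevention
    rem Win32_OperatingSystem reports whether hardware DEP is available to Windows.
    wmic os get DataExecutionPrevention_Available /value | findstr /i /c:"=TRUE" >nul
    if errorlevel 1 (
        echo   DEP is not available. Enable it in the BIOS, power-cycle, then rerun.
        exit /b 1
    )
    echo   OK
    rem Hardware-assisted virtualization is not checked here. Confirm it in the
    rem BIOS setup screen, because the role installs on Server Core without it.

    echo [2/3] Hyper-V update KB950050
    rem Same check as "wmic qfe list" above, filtered for the KB number.
    wmic qfe list | findstr /i /c:"950050" >nul
    if errorlevel 1 (
        if not exist "%MSU%" (
            echo   Update is missing and "%MSU%" was not found. Download it first.
            exit /b 1
        )
        echo   Installing the update. It cannot be removed afterwards.
        start /w wusa.exe "%MSU%" /quiet /norestart
        echo   Restart the server with: shutdown /r /t 0
        echo   Then run this script again to install the role.
        exit /b 2
    )
    echo   OK

    echo [3/3] Hyper-V role
    rem oclist prints "Installed:<name>" or "Not Installed:<name>" per package.
    oclist | findstr /i /c:"Installed:Microsoft-Hyper-V" | findstr /i /v /c:"Not Installed" >nul
    if not errorlevel 1 (
        echo   Role is already installed. Nothing to do.
        exit /b 0
    )
    rem The package name passed to ocsetup is case sensitive.
    start /w ocsetup Microsoft-Hyper-V
    echo   Role setup finished. Restart the server to load the hypervisor.
    ```

    The script stops with exit code 1 when a prerequisite is missing and with exit code 2 when a restart is needed before the role can be installed.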

    Additional information
  • TONYSO

    Manage Hyper-V from Vista SP1


    You can manage your Hyper-V server and the VMs running on it from a Vista SP1 machine. To manage multiple machines, use System Center Virtual Machine Manager (SCVMM).

    Update for Windows Vista (KB949587)
    Download the Update for Windows Vista (KB949587) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=D0284CEE-0E79-4453-895A-11AA8CFE6E6A)

    Update for Windows Vista for x64-based Systems (KB949587)
    Download the Windows Vista x64 Edition (KB949587) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=C420D8A3-F0A7-415A-B748-3726D66BF0C3)

    After you have downloaded the package, you will need to modify the Start menu to find the tools (Administrative Tools>Hyper-V Manager).

    1. Right-click the Start menu and then click Properties
    2. Click the Start Menu tab, and then click the Customize... button
    3. Scroll down to the bottom of the list and click your choice for System administrative tools, then click OK twice

     

    To start the Hyper-V Manager, click Start>Administrative Tools>Hyper-V Manager

    For more information about SCVMM see the System Center Virtual Machine Manager TechCenter.

  • TONYSO

    Patch Tuesday Aftermath: Do You Know Where Your VMs Are?


    It is a security best practice recommendation to ensure that all your VMs are fully patched before they are turned on in production.

    One way you can do this is to create a designated "maintenance host" that is off the production network, but has access to the needed software updates. Migrate your VMs to the maintenance host, turn them on, patch them up, then migrate them to production. Virtual Machine Manager makes this easy.

    Another way to accomplish this is to patch all your offline or stored VMs at the same time as you patch all your running machines. You can use the free Offline Virtual Machine Servicing Tool for this.

    Download the Offline Virtual Machine Servicing Tool, which combines the Windows Workflow programming model with the Windows PowerShell interface to bring groups of virtual machines online just long enough for them to receive updates from either System Center Configuration Manager 2007 or Windows Server Update Services. As soon as the virtual machines are up-to-date, the tool returns them to the offline state in the Virtual Machine Manager library.

    The download includes:

    • OfflineVMServicing_x64 and OfflineVMServicing_x86. Setup files for the tool, for 64 bit and 32 bit versions of Windows Server 2003.
    • OfflineVirtualMachineServicingToolGettingStartedGuide. Getting Started Guide, in docx and doc formats. Provides information about how the tool works, explains prerequisites for the tool, and describes how to install and configure the tool.
    • Offline_VM_Servicing_Tool_Release_Notes.rtf. Notes provide information about this release, describe known issues in the tool, and include feedback instructions.
    • Offline_Virtual_Machine_Servicing_Tool_Help. Help file for the tool. Provides instructions for using the tool.
    System Requirements
    • Supported Operating Systems: Windows Server 2003 R2 (32-Bit x86); Windows Server 2003 R2 x64 editions; Windows Server 2003 Service Pack 2
    • Other Requirements: .NET Framework 2.0, .NET Framework 3.0, IIS with ASP.NET installed, Windows Remote Management, Windows PowerShell 1.0, Configuration Manager 2007, WSUS 3.0, Virtual Machine Manager 2007 (VMM), Virtual Server 2005 R2 SP1 or higher, Windows Server 2003 R2 SP1 or higher, Active Directory, SQL Server 2005 SP1 or higher, SQL Server 2005 Express Edition (VMM only)
  • TONYSO

    Hyper-V Security How to: Use BitLocker to Protect Your VMs


    Windows Server 2008 Hyper-V and BitLocker Drive Encryption was recently published to the download center, but some folks are having trouble accessing it (it seems there is a lot of interest in all things Hyper-V). Here are the procedures in the doc to tide you over till your download comes through:

    Deployment Overview

    1. Install Windows Server 2008.
    2. Install the Hyper-V role and the BitLocker feature.
    3. Configure the system volume for BitLocker.
    4. Turn on BitLocker and encrypt the operating system and data volumes.
    5. Create new virtual machines.

    Deployment Steps

    For more information on how to partition a hard disk drive for BitLocker Drive Encryption, see http://technet2.microsoft.com/WindowsServer2008/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx#BKMK_S1. NOTE: BitLocker requires that your TPM module is enabled and working. See Windows Trusted Platform Module Management Step-by-Step Guide.

    Step 1

    Install Windows Server 2008.

    Step 2

    Install the Hyper-V role and the BitLocker feature.

    • Start Server Manager, navigate to the Device Manager tab, and verify that the prerequisite Trusted Platform Module (TPM) is present.
    • In Server Manager, click Add Roles.
    • Read the directions, and then click Next to continue.
    • Select the Hyper-V role check box, and then click Next to continue.
    • Read the directions, and then click Next to continue.
    • Select the appropriate networking interface check boxes to create virtual networks, and then click Next to continue.
    • To begin installation of the Hyper-V role, click Install.
    • After installation of the Hyper-V role is complete, click Yes to restart your server.
    • After reboot, start Server Manager and verify that the Hyper-V role has been installed successfully.
    • In Server Manager, click Add Features.
    • Select the BitLocker Drive Encryption check box, and then click Next to continue.
    • To begin installation of the BitLocker Drive Encryption feature, click Install.
    • After the BitLocker Drive Encryption initial installation phase is complete, click Yes to restart your server.

    NOTE: After reboot, log on and Server Manager will be automatically started to complete the BitLocker Drive Encryption installation.

    NOTE: Verify that the installation has been successful.

    Now you must configure the system volume for BitLocker before turning on the installed BitLocker Drive Encryption from Control Panel.

    Step 3

    Download and read detailed information and instructions for the BitLocker Drive Preparation Tool at:
    http://support.microsoft.com/default.aspx/kb/930063.

    Download and install the installation kit from the Microsoft download center at:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0&DisplayLang=en

    • Click BitLocker Drive Preparation Tool.
    • Click I Accept to accept the software license terms.
    • Read the warnings below Caution, follow them as appropriate, and then click Continue.
    • After completion, the BitLocker Drive Preparation Tool requires you to restart the system. To reboot, click Finish.

    Note: After reboot, the system volume (drive S) and the operating system volume (drive C) are separate.

    Step 4

    Turn on BitLocker and encrypt the operating system and data volumes.

    • Start Control Panel for BitLocker Drive Encryption.
    • Click Turn On BitLocker.
    • Click Continue with BitLocker Drive Encryption.
    • Follow the steps to turn on the Trusted Platform Module (TPM) security hardware. The system firmware performs a Physical Presence Interface check. This is a form of authorization validation before the TPM ownership is allowed on this system.
    • After the TPM is initialized successfully, you must save the recovery password before you encrypt the operating system volume and any optional data volumes.
    • To start encrypting the operating system volume, click Encrypt.
    • Wait for the encryption of the operating system volume to complete, then repeat this task for the data volumes.

    NOTE: If you have many data volumes to encrypt, consider using the manage-bde.wsf script. The manage-bde.wsf syntax is included in the "Windows BitLocker Drive Encryption Design Guide" and the "Windows BitLocker Deployment Guide," which are available from the Microsoft Download Center at go.microsoft.com/fwlink/?LinkId=115215.

    For example, to mark data volume P: so that it must be manually unlocked, use the following command:

    cscript.exe %windir%\system32\manage-bde.wsf -autounlock -disable P:

    To turn autounlock back on for P:, use:

    cscript.exe %windir%\system32\manage-bde.wsf -autounlock -enable P:

    To view more detailed Help for this script, type the following command:

    cscript.exe %windir%\system32\manage-bde.wsf -h
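
    For the many-data-volumes case in the NOTE above, a batch file can run manage-bde.wsf over each volume in turn. This is an added example, not taken from the white paper; the file name and the volume list are constructed, and it assumes that encryption of the operating system volume has already completed.

    ```batch
    @echo off
    rem encrypt-data-volumes.cmd - hypothetical file name; added example.
    rem Run from an elevated command prompt after the OS volume is encrypted.
    setlocal

    rem Constructed list of data volumes that hold VM files. Replace with your own.
    set "VOLUMES=P: Q: R:"
    set "BDE=cscript.exe //nologo %windir%\system32\manage-bde.wsf"

    for %%V in (%VOLUMES%) do (
        echo.
        echo ===== %%V =====
        rem -RecoveryPassword generates a numerical recovery password and prints
        rem it to the console. It is deliberately not redirected to a file.
        %BDE% -on %%V -RecoveryPassword
        echo Record the recovery password shown above for %%V and store it off this server.
        pause
        rem Let the data volume unlock automatically once the OS volume is unlocked.
        %BDE% -autounlock -enable %%V
    )

    echo.
    echo Conversion continues in the background. Current state of each volume:
    for %%V in (%VOLUMES%) do %BDE% -status %%V
    ```

    The pause after each volume is there so that the recovery password is written down before the next one scrolls past; without it, a locked data volume means the VMs stored on it stay offline.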

    Step 5

    Create new virtual machines.

  • Page 1 of 1 (12 items)
  • TONYSO

    How to tell if your server hardware is ready for Hyper-V/BitLocker

    • 0 Comments

    You can download a free third-party tool to help you identify if your server hardware supports the required features for Hyper-V and BitLocker:

    If your processor is Intel, you can use their free Intel Processor Finder tool. Read more about it on their forum: http://communities.intel.com/openport/message/4575

    SecurAble probes the system's processor to determine the presence, absence and operational status of three modern processor features:

    • 64-bit instruction extensions
    • Hardware support for detecting and preventing the execution of code in program data areas
    • Hardware support for system resource “virtualization”

    image

    This Windows Server Catalog site shows what servers are certified for Hyper-V and Windows Server.

     

    http://www.windowsservercatalog.com/results.aspx?&bCatID=1283&cpID=0&avc=10&ava=0&avq=22&OR=1&PGS=25&ready=0

     

  • TONYSO

    Hyper-V Visio Stencils and Rack Visualization

    • 0 Comments

    If you need to produce diagrams as part of your Hyper-V deployment planning, you can download Hyper-V stencils for Visio and simultaneously using the free Microsoft Office Visio 2007 Professional Add-In for Rack Server Virtualization (Virtual Rack). Installing this add-In adds a new template called “Rack Server Virtualization“ under the “Connectors” Templates category. You can use this template without running the tool.

    NOTE: this tool requires local admin privileges on every server you run it on, as well as:

    1. .NET Framework 2.0

    2. Microsoft Office Visio 2007

    3. Microsoft VSTO 2005 SE Runtime

    Running the inventory and analysis tool (if your datacenter allows it) gives you a visual picture of Power Drop and Rack space saved according the target virtualization consolication factor you entered (by default 3:1):

    image

    You can set the consolidation criteria based on several factors:

    1. Power Rating: The server with higher Power Rating is considered to be a better candidate than server with lower Power Rating.

    2. Rack Space Used: A Server that occupies more space is merged into the Server that occupies less space to minimize the space occupied by the Servers within a Rack.

    3. CPU Utilization: A Server with lower CPU Utilization is merged into the Server with higher CPU Utilization.

    4. Physical Memory: Server with lower Physical Memory will be merged into the Server with higher Physical Memory.

  • TONYSO

    Where is the BitLocker Drive Preparation Tool?

    • 0 Comments

    It gets a bit confusing if you want to improve the security of your Windows Server 2008 virtualization server and the VMs on it by running BitLocker Drive Encryption. Windows BitLocker Drive Encryption is a feature that encrypts one or more volumes (drives) attached to your computer and that can use a Trusted Platform Module (TPM) to verify the integrity of early startup components. Because BitLocker encrypts the entire volume of data, it requires the computer to be configured with an active partition, used for startup, which is separate from the operating system volume.

    If you didn't set up BitLocker when you set up the machine, before you started running VMs, you'll need to download the BitLocker Drive Preparation Tool and run it to configure BitLocker. If you read the KB930063 "Description of the BitLocker Drive Preparation Tool" you can learn a lot about the tool, except where to download it! And that you'll need to verify that you have the hardware support (TPM) to make it work. The Windows Server 2008 Hyper-V and BitLocker Drive Encryption white paper also says "Obtain the BitLocker Drive Preparation Tool and install it."

    After you get the drive prepared, and start the tool (Start>All Programs>Accessories>System Tools>BitLocker>BitLokcer Drive Preparation Tool - easy, right?) you can click the "What should I know about BitLocker Drive Encryption before I turn it on?" help link to learn: "During computer startup, if BitLocker detects a system condition that could represent a security risk (for example, disk errors, a change to the BIOS , or changes to any startup files), it will lock the drive and require a special BitLocker recovery password to unlock it. Make sure that you create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files." A little farther on, a warning states "BitLocker Drive Encryption reduces disk throughput. It should be used on high performance servers only if the computer is not in a physically secure location."

    Ummm...kay....

    Best to first read the Windows BitLocker Drive Encryption Design and Deployment Guides that describe the various aspects of planning for deploying Windows BitLocker Drive Encryption. The document is organized in two guides, and you should carefully consider each guide before you deploy BitLocker Drive Encryption. If your virtualization server is encrypted, and you don't have the recovery credentials, all your VMs are offline till you do. Ponder that before you enable BL. You can read more here about the BitLocker Drive Encryption Algorithm.

    If you do get into trouble with a  domain-joined machine, you'll need the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.

    Hope you never need the BitLocker Repair Tool: This tool helps access data encrypted with BitLocker if the hard disk has been physically damaged. This tool attempts to reconstruct critical data from the drive and salvage any recoverable data. To decrypt the data, a recovery password or recovery key is required. In some cases, a backup of the key package is also required. Use this command-line tool if the following conditions are true:

    • A volume has been encrypted by using BitLocker Drive Encryption.
    • Windows does not start, or you cannot start the BitLocker recovery console.
    • You do not have a copy of the data that is contained on the encrypted volume.
  • TONYSO

    Hyper-V on Server Core

    • 1 Comments

    Installing Hyper-V on a Server Core installation of Windows Server 2008 makes sense from a supportability and improving security perspective. It can be a challenge, here are some procedures, tips and resources to help you.

    You can use unattended setup to configure a server running a Server Core installation and Hyper-V. For more information about unattended setup settings, see the Windows Automated Installation Kit (AIK). You can find more information and a sample unattend.xml file in the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.

    NOTE: There is no way to upgrade from a full installation of Windows Server 2008 or a previous version of Windows Server to a Server Core installation. Only a clean installation is supported. There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that is not supported in a Server Core installation, you should install a full installation of Windows Server 2008.

    If you close all local command prompts while installing the Hyper-V role, you will have no way to manage the Server Core installation. If this happens, press CTRL+ALT+DELETE, click Start Task Manager, click File, click Run, and type cmd.exe. Alternatively, you can log off and log on again.

    Install Hyper-V on a Server Core installation
    1. You must perform a Server Core installation before you install the Hyper-V role. For instructions, see the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide, and complete the following tasks:

      • Setting the administrative password
      • Setting a static IP address (if required)
      • Activating the server

        You cannot activate a Server Core installation through a firewall that requires users to log on because there is no Web browser on a Server Core installation. Instead, you can activate by phone, using a Key Management Service (KMS) server, or remotely by typing the following command at a command prompt of a computer that is running Windows Vista or Windows Server 2008:

        cscript windows\system32\slmgr.vbs <ServerName> <UserName> <password>:-ato

      • Configuring the firewall for remote administration if you will be using a Microsoft Management Console (MMC) snap-in other than the Hyper-V snap-in for remote management
      • Joining a domain

        If you are going to join a server running a Server Core installation to an existing Windows domain, you need a user name and password for an account that has the administrative credentials to join a computer to the domain.

    2. After you have installed Windows Server 2008, you must apply the Hyper-V update packages for Windows Server 2008 (KB950050). NOTE: Once you install these server updates, you will not be able to remove them. You should also apply any other required updates before you install the Hyper-V role.

      To view the list of software updates and see if any are missing, at the command prompt, type:

      wmic qfe list

      If you do not see “kbid=950050”, download the Hyper-V updates and then type the following command at a command prompt:

      wusa.exe Windows6.0-KB950050-x64.msu /quiet

      There are three update packages. The Update for Windows Server 2008 x64 editions (KB 950050) and the Language pack for Hyper-V (KB951636) must be installed on the parent partition of the Server Core installation. After you install the server update, you must restart the server.

      The Update for Windows Server 2008 (KB952627) is for remote management of the Server Core installation if you are managing the server from a computer running Windows Vista Service Pack 1 (SP1), and must be installed on the computer running Windows Vista SP1.

      Before you enable the Hyper-V role, ensure that you have enabled the required hardware-assisted virtualization and data execution prevention BIOS settings. Checks for these settings are performed before you enable the Hyper-V role on a full installation, but not on a Server Core installation.

      After you make the BIOS configuration changes to enable the required hardware features, you must complete a full power-cycle before proceeding. If you enable the Hyper-V role without modifying the BIOS settings, the Windows hypervisor may not work as expected. If this happens, check the event log for details, modify the BIOS settings according to the server hardware manufacturer instructions, complete a full power-cycle to restart the Server Core installation, and then install Hyper-V again.

      To check if your server hardware is compatible, see http://windowsservercatalog.com/. Click on the list of Certified Servers, and then click By additional qualifications – Hyper-V. For instructions about how to enable the BIOS settings, check with your hardware manufacturer.

    3. The syntax for Ocsetup.exe is case sensitive. To install the Hyper-V role, at a command prompt, type:

      start /w ocsetup Microsoft-Hyper-V

    4. Rename the server, if required. If your computer is joined to a domain, at a command prompt, type:

      netdom renamecomputer %computername% /NewName:<newname> /UserD:<domainusername> /PasswordD:*

      If your computer is not joined to a domain, at a command prompt, type:

      netdom renamecomputer %computername% /NewName:<newname>

      You must supply a value for placeholder text in angle brackets (<>)—do not type the brackets.

    5. Enable Remote Desktop for Administration if you want to manage the server running a Server Core installation remotely. At a command prompt, type:

      cscript c:\windows\system32\scregedit.wsf /ar 0

      If you are running the Terminal Services client on a previous version of Windows, you must turn off the higher security level that is set by default in Windows Server 2008. To do this, at a command prompt, type:

      cscript C:\Windows\System32\Scregedit.wsf /cs 0

    6. Add a user or group to the local Administrators group so that they can manage the Server Core installation remotely. To add a user to the local Administrators group, you must first add the user. At a command prompt type:

      net user <username> * /add

      To add a user to the local Administrators group, at a command prompt, type:

      net localgroup administrators /add <user>

      You cannot perform all management and configuration tasks at a command prompt or remotely through an MMC snap-in. A server that is running a Server Core installation does not generate any notifications for activation, new updates, or password expiration because these notifications require the Windows Explorer shell, which is not part of the Server Core installation. You can use the Scregedit.wsf script included with the Server Core installation to configure the following settings:

      • Enable automatic updates
      • Enable Remote Desktop for Administration
      • Enable Terminal Server clients on previous versions of Windows to connect to a server running a Server Core installation
      • Configure DNS SRV record weight and priority
      • Manage IPsec Monitor remotely

      The script is located in the \Windows\System32 folder of a server running a Server Core installation. At a command prompt, open the folder, and then use the following command to display the usage instructions for these options:

      cscript scregedit.wsf /?

      You can use this command with the /cli option to display a list of common command-line tools and their usage. To view your current Remote Desktop for Administration Settings, use the /v option. A "1" in the script output (without the quotes) means that remote connections are denied. A "0" means that remote connections are allowed.

    7. If you wish to improve security by using BitLocker Drive Encryption to protect the server and the VMs running on it, you should install the BitLocker feature before running any VMs. To install the BitLocker feature, at a command prompt, type:

      start /w ocsetup BitLocker

      The BitLocker Drive Encryption feature requires additional hardware and BIOS configuration. For more information about using BitLocker with Hyper-V see Windows Server 2008 Hyper-V and BitLocker Drive Encryption.

    8. Reboot the server to make the changes take effect. At a command prompt, type:

      shutdown /r /t 0

      The remote management tools are designed to manage one server running the Hyper-V role and the virtual machines on that server. To manage multiple servers running Hyper-V you can use System Center Virtual Machine Manager (SCVMM).
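Because the prerequisite checks are not run for you on a Server Core installation, the following added example (not part of the original post or of Microsoft's guide) performs the ones that can be done from cmd.exe before step 3 and prints the remote-access settings from steps 5 and 6 for review. It assumes an elevated command prompt on the Server Core installation; the variable name FAIL is arbitrary.

```batch
@echo off
rem Added example: pre-install checks for the Hyper-V role on Server Core.
setlocal
set FAIL=0

rem Step 2: the Hyper-V update must be present before the role is enabled.
rem Matches "kbid=950050" or "KB950050" anywhere in the update list.
wmic qfe list | findstr "950050" >nul
if errorlevel 1 (
    echo [FAIL] KB950050 not found. Install it with wusa.exe, then restart.
    set FAIL=1
) else (
    echo [ OK ] KB950050 is installed.
)

rem Data execution prevention as reported by the running operating system.
wmic os get DataExecutionPrevention_Available /value | findstr /i "=TRUE" >nul
if errorlevel 1 (
    echo [FAIL] DEP is not available. Enable it in the BIOS and power-cycle.
    set FAIL=1
) else (
    echo [ OK ] Hardware DEP is available.
)

rem Hardware-assisted virtualization is not checked by this script. Confirm it
rem in the BIOS setup, and check the event log after the role is installed.

rem Steps 5 and 6: show the remote-access surface so it can be reviewed.
echo.
echo Remote Desktop setting, 1 = connections denied, 0 = allowed:
cscript //nologo %windir%\system32\scregedit.wsf /ar /v
echo.
echo Members of the local Administrators group:
net localgroup administrators

if %FAIL%==1 (
    echo.
    echo Fix the failed checks before running: start /w ocsetup Microsoft-Hyper-V
    exit /b 1
)
echo.
echo Prerequisite checks passed.
exit /b 0
```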

    Additional information
  • TONYSO

    Manage Hyper-V from Vista SP1

    • 0 Comments

    You can manage your Hyper-V server and the VMs running on it from a Vista SP1 machine. To manage multiple machines, use System Center Virtual Machine Manager (SCVMM).

    Update for Windows Vista (KB949587)
    Download the Update for Windows Vista (KB949587) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=D0284CEE-0E79-4453-895A-11AA8CFE6E6A)
    Update for Windows Vista for x64-based Systems (KB949587)

    Download the Windows Vista x64 Edition (KB949587) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=C420D8A3-F0A7-415A-B748-3726D66BF0C3)

    After you have downloaded the package, you will need to modify the Start menu to find the tools (Administrative Tools > Hyper-V Manager).

    1. Right-click the Start menu, and then click Properties.
    2. Click the Start Menu tab, and then click the Customize... button.
    3. Scroll down to the bottom of the list and click your choice for System administrative tools, then click OK twice.

    To start the Hyper-V Manager, click Start > Administrative Tools > Hyper-V Manager.

    For more information about SCVMM see the System Center Virtual Machine Manager TechCenter.

  • TONYSO

    Patch Tuesday Aftermath: Do You Know Where Your VMs Are?

    • 0 Comments

    It is a security best practice recommendation to ensure that all your VMs are fully patched before they are turned on in production.

    One way you can do this is to create a designated "maintenance host" that is off the production network, but has access to the needed software updates. Migrate your VMs to the maintenance host, turn them on, patch them up, then migrate them to production. Virtual Machine Manager makes this easy.

    Another way to accomplish this is to patch all your offline or stored VMs at the same time as you patch all your running machines. You can use the free Offline Virtual Machine Servicing Tool for this.

    Download the Offline Virtual Machine Servicing Tool, which combines the Windows Workflow programming model with the Windows PowerShell interface to bring groups of virtual machines online just long enough for them to receive updates from either System Center Configuration Manager 2007 or Windows Server Update Services. As soon as the virtual machines are up-to-date, the tool returns them to the offline state in the Virtual Machine Manager library.

    The download includes:

    • OfflineVMServicing_x64 and OfflineVMServicing_x86. Setup files for the tool, for 64 bit and 32 bit versions of Windows Server 2003.
    • OfflineVirtualMachineServicingToolGettingStartedGuide. Getting Started Guide, in docx and doc formats. Provides information about how the tool works, explains prerequisites for the tool, and describes how to install and configure the tool.
    • Offline_VM_Servicing_Tool_Release_Notes.rtf. Notes provide information about this release, describe known issues in the tool, and include feedback instructions.
    • Offline_Virtual_Machine_Servicing_Tool_Help. Help file for the tool. Provides instructions for using the tool.
    System Requirements
    • Supported Operating Systems: Windows Server 2003 R2 (32-Bit x86); Windows Server 2003 R2 x64 editions; Windows Server 2003 Service Pack 2
    • Other Requirements: .NET Framework 2.0, .NET Framework 3.0, IIS with ASP.NET installed, Windows Remote Management, Windows PowerShell 1.0, Configuration Manager 2007, WSUS 3.0, Virtual Machine Manager 2007 (VMM), Virtual Server 2005 R2 SP1 or higher, Windows Server 2003 R2 SP1 or higher, Active Directory, SQL Server 2005 SP1 or higher, SQL Server 2005 Express Edition (VMM only)
  • TONYSO

    Hyper-V Security How to: Use BitLocker to Protect Your VMs

    • 1 Comments

    Windows Server 2008 Hyper-V and BitLocker Drive Encryption was recently published to the download center, but some folks are having trouble accessing it (it seems there is a lot of interest in all things Hyper-V). Here are the procedures in the doc to tide you over till your download comes through:

    Deployment Overview

    1. Install Windows Server 2008.
    2. Install the Hyper-V role and the BitLocker feature.
    3. Configure the system volume for BitLocker.
    4. Turn on BitLocker and encrypt the operating system and data volumes.
    5. Create new virtual machines.

    Deployment Steps

    For more information on how to partition a hard disk drive for BitLocker Drive Encryption, see http://technet2.microsoft.com/WindowsServer2008/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx#BKMK_S1. NOTE: BitLocker requires that your TPM module is enabled and working. See Windows Trusted Platform Module Management Step-by-Step Guide.

    Step 1

    Install Windows Server 2008.

    Step 2

    Install the Hyper-V role and the BitLocker feature.

    • Start Server Manager, navigate to the Device Manager tab, and verify that the prerequisite Trusted Platform Module (TPM) is present.
    • In Server Manager, click Add Roles.
    • Read the directions, and then click Next to continue.
    • Select the Hyper-V role check box, and then click Next to continue.
    • Read the directions, and then click Next to continue.
    • Select the appropriate networking interface check boxes to create virtual networks, and then click Next to continue.
    • To begin installation of the Hyper-V role, click Install.
    • After installation of the Hyper-V role is complete, click Yes to restart your server.
    • After reboot, start Server Manager and verify that the Hyper-V role has been installed successfully.
    • In Server Manager, click Add Features.
    • Select the BitLocker Drive Encryption check box, and then click Next to continue.
    • To begin installation of the BitLocker Drive Encryption feature, click Install.
    • After the BitLocker Drive Encryption initial installation phase is complete, click Yes to restart your server.

    NOTE: After reboot, log on and Server Manager will be automatically started to complete the BitLocker Drive Encryption installation.

    NOTE: Verify that the installation has been successful.

    Now you must configure the system volume for BitLocker before turning on the installed BitLocker Drive Encryption from Control Panel.

    Step 3

    Download and read detailed information and instructions for the BitLocker Drive Preparation Tool at:
    http://support.microsoft.com/default.aspx/kb/930063.

    Download and install the installation kit from the Microsoft download center at:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0&DisplayLang=en

    • Click BitLocker Drive Preparation Tool.
    • Click I Accept to accept the software license terms.
    • Read the warnings below Caution, follow them as appropriate, and then click Continue.
    • After completion, the BitLocker Drive Preparation Tool requires you to restart the system. To reboot, click Finish.

    Note: After reboot, the system volume (drive S) and the operating system volume (drive C) are separate, as shown in the following screenshot.

    image

    Step 4

    Turn on BitLocker and encrypt the operating system and data volumes.

    • Start Control Panel for BitLocker Drive Encryption.
    • Click Turn On BitLocker.
    • Click Continue with BitLocker Drive Encryption.
    • Follow the steps to turn on the Trusted Platform Module (TPM) security hardware. The system firmware performs a Physical Presence Interface check. This is a form of authorization validation before TPM ownership is allowed on this system.
    • After the TPM is initialized successfully, you must save the recovery password before you encrypt the operating system volume and any optional data volumes.
    • To start encrypting the operating system volume, click Encrypt.
    • Wait for the encryption of the operating system volume to complete, then repeat this task for the data volumes.

    NOTE: If you have many data volumes to encrypt, consider using the manage-bde.wsf script. The manage-bde.wsf syntax is included in the "Windows BitLocker Drive Encryption Design Guide" and the "Windows BitLocker Deployment Guide," which are available from the Microsoft Download Center at go.microsoft.com/fwlink/?LinkId=115215.

    For example, to mark data volume P: so that it must be manually unlocked, use the following command:

    manage-bde.wsf -autounlock -disable P:

    To turn autounlock back on for P:, use:

    manage-bde.wsf -autounlock -enable P:

    To view more detailed Help for this script, type the following command:

    cscript.exe %windir%\system32\manage-bde.wsf -h
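For the many-data-volumes case mentioned in the note above, here is an added example (not from the original post or from the BitLocker guides) that loops manage-bde.wsf over a list of volumes. The volume letters, the E:\ removable escrow path, and the variable names are placeholders, and the script assumes the operating system volume has already been encrypted as in Step 4.

```batch
@echo off
rem Added example: turn on BitLocker for several data volumes and enable
rem auto-unlock. P: Q: R: and the E:\ escrow path are placeholder values.
setlocal
set BDE=cscript //nologo %windir%\system32\manage-bde.wsf
set VOLUMES=P: Q: R:
set ESCROW=E:\bitlocker-recovery

if not exist "%ESCROW%" mkdir "%ESCROW%"
for %%V in (%VOLUMES%) do call :encrypt %%V
exit /b 0

:encrypt
set VOL=%1
set LOG=%ESCROW%\%COMPUTERNAME%-%VOL:~0,1%.txt
echo === %VOL% ===
rem -rp adds a numerical recovery password and prints it. Keep that output
rem on removable media, not on a disk that stays in this server.
%BDE% -on %VOL% -rp > "%LOG%"
rem Assumption: the script exits nonzero on failure. Review the log either way.
if not "%errorlevel%"=="0" (
    echo [FAIL] Encryption did not start on %VOL%. Review "%LOG%".
    goto :eof
)
rem Auto-unlock keeps the volume key on the encrypted OS volume, so the data
rem volume is unlocked at boot without manual entry.
%BDE% -autounlock -enable %VOL%
%BDE% -status %VOL%
goto :eof
```

Store the escrow media separately from the server once the run completes, since each log file contains a recovery password in clear text.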

    Step 5

    Create new virtual machines.
