Knowledge

7. Accessing BPA with PowerShell

The Best Practices Analyzer (BPA) lets Windows Server 2019 check its own health and the installed server roles to look for incorrect configurations. The fastest way to start the BPA is to launch it from PowerShell:

Get-BPAModel | Invoke-BpaModel

If you want to start a scan process for a certain role only, first discover the ID of the corresponding model; then, start the test(s):

Invoke-BPAmodel -modelId Microsoft/Windows/DNServer,Microsoft/Windows/FileServices

You always need to specify the ID as a complete path, which you discover with Get-BPAModel. Hyper-V, for example, has the ID Microsoft/Windows/Hyper-V . You can also use a single command to discover the BPA model and start the scan process immediately:

Get-BPAmodel <ID> | Invoke-BPAmodel

If you do not specify an ID, all roles are scanned. To read the roles and search for the "Error" string, enter:

Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices | Where-Object Severity -eq "Error" | Format-List Title

To display all results from specific server roles (BPA models), use:

Get-BPAResult Microsoft/Windows/DNS Server,Microsoft/Windows/FileServices

You can export the BPA results (e.g., to an HTML file) from PowerShell:

Get-BPAResult <model ID> | convertTo-Html | Set-Content <path>

By way of example, write the information of the file services to an HTML file:

Get-BPAResult Microsoft/Windows/FileServices | convertTo-Html | Set-ContentC:\BPAResults\FileServices.htm

Finally, the command:

Get-BPAResult Microsoft/Windows/FileServices | Export-CSVC:\BPAResults\FileServices.txt

exports the results to a comma-separated values file.

8. Changing the Data Medium Format

You can only convert an MBR disk to a GPT disk and vice versa if the disk is empty. To do this, right-click on the disk in the Windows Disk Manager and select the corresponding command. You can also perform the conversion at the command line. Start a command prompt and type:

diskpart
list disk
select disk <disk no. to convert>

Now use:

clean
convert gpt

The reverse approach uses:

convert mbr

In the Disk Manager (diskmgmt.msc), you can discover the partition style by right-clicking a volume and choosing Properties . In PowerShell, you can display the partition style with

Get-Disk | select FriendlyName, PartitionStyle

To set the partition style to GPT, use the command:

Initialize-Disk <Number> -PartitionStyle GPT

Another example is

Get-Disk 1 | Clear-Disk -RemoveData
New-Partition -DiskNumber 1 -UseMaximumSize -IsActive -DriveLetter Z | Format-Volume -FileSystem NTFS -NewFileSystemLabel Data

to create and format a disk.

9. BitLocker Without a TPM Chip

Hard disk encryption with BitLocker usually relies on a Trusted Platform Module (TPM) chip built into the computer. However, it can also be used if no TPM chip is installed. The associated settings are managed with group policies. In the navigation pane, go to Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives . In the right pane, double-click on the Require additional authentication at startup policy and check the Enabled option in the dialog box (Figure 4).

Figure 4: BitLocker enabled without a TPM chip.

Make sure the Allow BitLocker without a compatible TPM checkbox is selected and click OK . The policy is then assigned the value Enabled in the Status column. After these tasks are complete, you can enable BitLocker.