Samba 4, shares, wsdd and Windows 10 – how to list Linux Samba servers in the Win 10 Explorer

These days I relatively often need to work with Windows 10 at home (home-office, corona virus, ...). Normally, I isolate my own Win 10 instance in a VMware virtual machine. But on a few temporary occasions I want to the Win 10 system to access a Samba exchange directory on a KVM virtualized Linux instance. (I do not like Windows to directly interfere with my hosts!)

Of course we want to use the SMB protocol in a modern version, i.e. version 3.x (SMB3) over TCP/IP for this purpose (port 445). In addition we need some mechanism to detect SMB servers. In the old days NetBIOS was used for the latter. On the Linux side we had the nmbd-daemon for it - and we could set up a special Samba server as a WINS server.

Microsoft - via updates and new builds of Windows 10 - has during the last year followed a consistent policy of deactivating the use of SMBV1.0 systematically. This, however, led to problems - not only between Windows PCs, but also between Win 10 instances and Samba 4 servers. This article addresses one of these problems: the missing list of available Samba servers in the Windows Explorer.

There are many contributions on the Internet describing this problem and some even say that you only can solve it by restoring SMBV1 capabilities in Win 10 again. In this article I want to recommend two different solutions:

  • Ignore the problem of Samba server detection and use your Samba shares on Win 10 with the SMB3 protocol as network drives.
  • If you absolutely want to see and list your Samba servers in the Windows Explorer of a Win 10 client, use the "Web-Service-Discovery" service via a WSD-daemon provided by a Python script of Steffen Christgau.

I should say that I got on the right track of solving the named problem by an article of a guy called "Stilez". His article is the first one listed under the section "Links" below. I recommend strongly to read it; it is Stilez who deserves all credit in pointing out both the problem and the solution. I just applied his insight to my own situation with virtualized Samba servers based on Opensuse Leap 15.1.

SMB V1.0 should be avoided - but NetBIOS needs it to exchange information about SMB servers

SMB, especially version SMB1.0, is well known for security problems. Even MS has understood this - especially after the Wannacry disaster. See e.g. the links in the section "Links" => "Warnings of SMBV1" at the end of this article. MS has deactivated SMBV1 in the background via some updates of Win 8 and Win 10.

One of the resulting problem is that we do not see Samba servers in the Windows Explorer any longer. In the section "Network" of the Explorer you normally should see a list of servers which are members of a Workgroup and offer shares.

Two years ago it was clear that we would use NetBIOS's discovery protocol and a WINS server to get this information. Unfortunately, the NetBIOS service detection ability depends on SMB1 features. The stupid thing is that we for a long while now had and have a relatively secure SMB2/3, but NetBIOS discovery only worked with SMBV1 enabled on the Windows client. Deactivating SMBV1 means deactivating NetBIOS at the same time - and if you watch your Firewall logs for incoming packets from the Win 10 clients you will notice that exactly such a thing happened on Win 10 clients.

This actually means that you can have a full featured Samba/NetBIOS setup on the Linux side, have opened the right ports on the firewalls for your Samba/WINS server and client systems, but still you will not get any display of available Samba servers on a Win 10's Explorer. 🙁

Having understood this leads to the key question for our problem:

By what did MS replace the detection features of NetBIOS in combination with SMB-services?

Settings on the MS Win side - which alone will not help

When you google a bit regarding the problem of a missing list of network servers in the Windows Explorer you find many hints regarding settings by which you activate network "discovery" functionalities via two Windows services. See

https://www.wintips.org/fix-windows-10-network-computers-not-showing/
https://winaero.com/blog/network-computers-not-visible-windows-10-version-1803/

You can follow these recommendations. If you want to see your own PC and other Windows systems in the Explorer's list oif network resources you must have activated them (see below). However, in my Win 10 client the recommended settings were already activated - with the exception of SMBV1, which I do not wish to reactivate again. The "discovery" settings may directly help with other Windows systems, but they do not enable a listing of Samba 4 servers without additional measures.

Then we find another category of hints, which in my opinion are contra-productive regarding security. See https://devanswers.co/network-error-problem-windows-cannot-access-hostname-samba/
Why activate an insecure setting? Especially, as such a setting does not help with our special problem? 🙁

A last set of hints concerns the settings on the Samba server. I find it especially nice when the recommendations come from Microsoft. See: http://woshub.com/cannot-access-smb-network-shares-windows-10-1709/

[global]
server min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
encrypt passwords = true
restrict anonymous = 2

Well, these are kind hints. Thx MS - we Linux users were too stupid up to now to understand that we should not use SMBV1 .... But, actually, these hints are insufficient regarding the Explorer problem ...

What you could do - but should NOT do

Once you have understood that NetBIOS and SMBV1 still have an intimate relation (at least on the Windows systems) you may get the idea that there might exist an option to reactivate SMBV1 again on the Win 10 system. This is indeed possible. See here:
https://community.nethserver.org/t/windows-10-not-showing-servers-shares-in-network-browser/14263/4
https://www.wintips.org/fix-windows-10-network-computers-not-showing/

If you follow the advice of the authors and in addition re-open the standard ports for NetBIOS (UDP) 137, 138, (TCP) 139 on your firewalls between the Win 10 machine and your Samba servers you will - almost at once - get up the list of your accessible Samba servers in the Network section of the Win 10 Explorer. (Maybe you have to restart the smb and nmb services on your Linux machines).

But: You should not do this! SMBV1 should definitely become history!

Fortunately, we will find out that a re-activation of SMBV1 on a Win 10 system is NOT required to mount Samba shares on Win 10 and that it is not even necessary to get a list of Samba servers in the Explorer.

What you should do: Win 10 service settings

There are two service settings which are required to see other servers and also your own Win10 PC itself in the list of network hosts in the Windows explorer:
Start services.msc (Windows key + R => Enter "services.msc" in the dialog / or start it via the Control Panel => System and Security => Services)

  • Look for "Function Discovery Provider Host" => Set : Startup Type => Automatic
  • Look for "Function Discovery Resource Publication" => Set : Startup Type => Automatic (Delayed Start) !!

I noticed that on my VMware Win 10 guests the second setting appeared to be crucial to get the Win 10 PC itself listed among the network servers.

What you should do: Use the SMBV3 protocol!

As you as a Linux user meanwhile have probably replaced all your virtualized Win 7 guests, you should use the following settings in the [global] section of the configuration file "/etc/samba/smb.conf" of your Samba servers:

[global]
...
"protocol = SMB3".
...

That is what Win 10 supports; you need SMB2_10 with some builds of Win 8 (???), only. Remember also that port 445 must be open on a firewall between the Win 10 client and your Samba server.

For Linux requirements to use SMB3 see
https://wiki.samba.org: SMB3 kernel status
For "SMB Direct" (RDMA) you normally need a kernel version > 4.16. On Opensuse Leap 15.1 most of the required kernel features have been backported. In Win 10 SMB Direct is normally activated; you find it in the "Window-Features" settings (https://www.windowscentral.com/how-manage-optional-features-windows-10)

Not seeing Samba servers in the Explorer does not mean that mounting Samba shares as network drive does not work

Not seeing the Samba servers in the Win 10 Explorer - because the NetBIOS detection is defunct - does not mean that you cannot work with a Samba share on a Win 10 system. You can just "mount" it on Windows as a "network drive":

Open a Windows Explorer, choose "This PC" on the left side, then click "Map network drive" in the upper area of the window and follow the instructions:
You choose a free drive letter and provide the Samba server name and its share in the usual MS form as "\\SERVERNAME\SHARE".
Afterwards, you must activate the option "Connect using different credentials" in the dialog on the Win 10 side, if your Win 10 user for security reasons has a different UID and Password on the Samba server than on Win 10. Needless to say that this is a setting I strongly recommend - and of course we do not allow any direct anonymous or guest access to our Samba server without credentials delivered from a Windows machine (at least not without any central authentication systems).
So, you eventually must provide a valid Samba user name on your Samba server and the password - and there you happily go and use your resources on the Samba share from your Win 10 client.

I assumed of course that you have allowed access from the Win 10 host and the user by respective settings of "hosts allow" and "valid users" for the share in your Samba configuration.
Note: You need not mark the option for reconnecting the share in the Windows dialog for network drives if you only use the Samba exchange shares temporarily.

On an Opensuse system this works perfectly with the protocol settings for SMB3 on the server. So, you can use your shares even without seeing the samba server in the Explorer: You just have to know what your shares are named and on which Samba servers they are located. No problem for a Linux admin.

In my opinion this approach is the most secure one among all "peer to peer"-approaches which have to work without a central network wide authentication service. It only requires to open port 445 for the time of a Samba session to a specific Samba server. Otherwise you do not provide any information for free to the Win 10 system and its "users". (Well, an open question is what MS really does with the provided Samba credentials. But that is another story ....)

What you should do: Use WSDD service on your Samba server

If you allow for some information sharing between your virtualized Win 10 and other KVM based virtual Samba machines in your LAN - and are not afraid of Microsoft or Antivirus companies on the Windows system to collect respective information - then there is a working option to get a stable list of the available Samba servers in the Windows Explorer - without the use of SMBV1.0.

Windows 10 implements web service detection via multiple mechanisms; among them: Multicast messages over ports 3702 (UDP), TCP 5357 and 1900 (UDP). For a detection of Samba services you "only" need ports 3072 (UDP) and 5357 (TCP). The general service detection port 1900 can remain closed in the firewalls between your Win 10 instances and your Linux world for our specific purpose. See
https://www.speedguide.net/port.php?port=5357
https://www.speedguide.net/port.php?port=3702
https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-the-wsd-port-monitor/ba-p/372760
https://en.wikipedia.org/wiki/Simple Service Discovery Protocol

The mechanism using ports 3702 and 5351 is called "Web Service Discovery" and was introduced by MS to cover the detection of printers and other devices in networks. In combination with SMB2 and SMB3 it is used today to detect SMB-services, too.

OK, do we have something like a counter-part available on a Linux system? Obviously, such a service is not (yet?) included in Samba 4 - at least not in the 4.9 version on my Opensuse system. WSD is not (yet?) a part of Samba - maybe for good reasons. See link.
One can understand the reservations and hesitation to include it as WSD also serves other purposes than just the detection of SMB services.

Fortunately, a guy named Steffen Christgau, has written an (interesting) Python 3 script, which offers you the basic WSD functionality. See https://github.com/christgau/wsdd.

You can use the script in form of a daemon process on a Linux system - hence we speak of WSDD.

Using YaST I quickly found out that a WSDD RPM package is actually included in my "Opensuse Leap 15.1 Update" repository. People with other Linux distros may download the present WSDD version from GitHub.

On Opensuse it comes with an associated systemd service-file which you find in the directory "/usr/lib/systemd/system".

[Unit]
Description=Web Services Dynamic Discovery host daemon
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
AmbientCapabilities=CAP_SYS_CHROOT
PermissionsStartOnly=true
Environment= WSDD_ARGS=-p
ExecStartPre=/usr/lib/wsdd/wsdd-init.sh
EnvironmentFile=-/run/sysconfig/wsdd
ExecStart=/usr/sbin/wsdd --shortlog -c /run/wsdd $WSDD_ARGS
ExecStartPost=/usr/bin/rm /run/sysconfig/wsdd
User=wsdd
Group=wsdd

[Install]
WantedBy=multi-user.target

Reading the documentation you find out that the daemon runs chrooted - which is a reasonable security measure.
And, nicely, Opensuse provides an elementary configuration file in "/etc/sysconfig/wsdd".

I used the parameter

WSDD_WORKGROUP="MYWORKGROUP"

there to announce the right Workgroup for my (virtualized) Samba server.

So, I had everything ready to start WSDD by "rcwsdd start" (or by "systemctl start wsdd.service") on my Samba server.

On a local firewall at the server I opened

  • port 445 (TCP) for SMB(3) In/Out for the server and from/to the Win-10-Client,
  • port 3702 (UDP) for incoming packets to the server and outgoing packets from the server to the Multicast address 239.255.255.250,
  • port 5357 (TCP) In/Out for the server and from/to the Win 10 client.

And I closed all NetBIOS ports (UDP 137, 138 / TCP 139) and stopped the "nmbd"-service on the Samba server! (UDP 137, 138 / TCP 139)

But, within a second or so, my Samba 4 server appeared in the Windows 10 Explorer!

Further hints:
As the 3702 port is used with the UDP protocol it should be viewed upon as basically and potentially dangerous. See: https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html
The port 1900 which appeared in the firewall logs does not seem to be important. I blocked it.

So far, so good. However, when I refreshed the list in the Win 10 Explorer my SAMBA server disappeared again. 🙁

What you should do: Take special care about the network interface which WSDD should be attached to

It took me a while to find out that the origin of the last problem had to do with the fact that my virtualized server and my Win 10 client have (multiple) network interfaces on virtualized bridges (without loops in the network). It seems, however, that multiple broadcasts arrive at the server via the KVM bridge and are answered - and thus multiple return messages appear at the Win 10 client during a refresh - which Win 10 does not like (see the discussion in the following link.
https://github.com/christgau/wsdd/issues/8

When I restricted the answer of the server to exactly one bridged interface via the "/etc/sysconfig/wsdd"-configuration file with the parameter "WSDD_INTERFACES" everything went fine. Refreshes now lead to an immediate update including the Samba server.

So, be a little careful, when you have some complicated bridge structures associated with your virtualized VMware or KVM guests. The WSDD service should be limited to exactly one interface of the server.

Note: As we do not need NetBIOS any longer - block ports 137, 138 (UDP) and 139 (TCP) in your firewalls now! Made me feel better instantaneously.

Conclusion

The "end" of SMBV1 on Win 10 is a reasonable step. However, it undermines the visibility of Samba servers in the Windows Explorers. The reason is that NetBIOS requires SMB1.0 features on Windows. NetBIOS is/was therefore consistently deactivated on Win 10, too. The service detection on the network is replaced by the WSD service which was originally introduced for printer detection (and possibly other devices). Activating it on the Win 10 system may help with the detection of other Windows (8 and 10) systems on the network, but not with Samba 4 servers. Samba servers presently only serve NetBIOS requests of Win clients to allow for server and share detection. Therefore they will not be displayed in the Windows Explorer of a regular Win 10 client.

This does, however, not restrict the usage of Samba shares on the Win 10 client via the SMB3 protocol. They can be used as "network drives" just as before. Not distributing name and device information on a network has its advantages regarding security.

If you absolutely must see your Samba servers in the Win 10 Explorer install and configure the WSDD package of Steffen Christgau. You can use it as a systemd service. You should restrict the interfaces WSDD gets attached to - especially if you have your servers on virtualization bridges (Linux bridges or VMware bridges).

So:

  • Disable SMBV1 in Windows 10 if an update has not yet done it for you!
  • Set the protocol in the Samba servers to SMBV3!
  • Try to work with "networks drives" on your Win 10 guests, only!
  • Install, configure and use WSDD, if you really need to see your Samba servers in the Windows Explorer.
  • Open the port 445 (TCP, IN/OUT between the Win 10 client and the server), 3072 (UDP, OUT from the server and the Win 10 client to 239.255.255.250, IN to the server from the Win 10 client / IN to the Win 10 client from the server; rules details depending on the firewall location), port 5357 (TCP; In/OUT between the Samba server and the Win 10 client) on your firewalls between the Samba server and the Win 10 system.
  • Close the NetBIOS ports in your firewalls!
  • You should also take care of stopping multicast messages leaving perimeter firewalls; normally packets to multicast addresses should not be routed, but blocking them explicitly for certain interfaces is no harm, either.

Of course you must repeat the WSDD and firewall setup for all your Samba servers. But as a Linux admin you have your tools for distributing common configuration files or copying virtualization setups.

Links

The real story
!!!! / !!!

https://forums.linuxmint.com/viewtopic.php?p=1799875

https://devanswers.co/discover-ubuntu-machines-samba-shares-windows-10-network/

https://bugs.launchpad.net/ubuntu/ source/ samba/ +bug/ 1831441

https://forums.opensuse.org/ showthread.php/ 540083-Samba-Network-Device-Type-for-Windows-10

https://kofler.info/zugriff-auf-netzwerkverzeichnisse-mit-nautilus/

WSDD and its problems
https://github.com/christgau/wsdd
https://github.com/christgau/wsdd/issues/8
https://forums.opensuse.org/ showthread.php/ 540083-Samba-Network-Device-Type-for-Windows-10

Warnings of SMBV1
https://docs.microsoft.com/de-de/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/
https://securityboulevard.com/2018/12/whats-the-problem-with-smb-1-and-should-you-worry-about-smb-2-and-3/
https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
https://www.cubespotter.de/cubespotter/wannacry-nsa-exploits-und-das-maerchen-von-smbv1/

Problems with Win 10 and shares
https://social.technet.microsoft.com/ Forums/ en-US: cannot-connect-to-cifs-smb-samba-network-shares-amp-shared-folders-in-windows-10-after-update?forum=win10itpronetworking

RDMA and SMB Direct
https://searchstorage.techtarget.com/ definition/ Remote-Direct-Memory-Access

Other settings in the SMB/Samba environment of minor relevance
http://woshub.com/cannot-access-smb-network-shares-windows-10-1709/
https://superuser.com/questions/1466968/unable-to-connect-to-a-linux-samba-server-via-hostname-on-windows-10
https://superuser.com/questions/1522896/windows-10-cannot-connect-to-linux-samba-shares-except-from-smb1-cifs
https://www.reddit.com/ r/ techsupport/ comments/ 3yevip/ windows 10 cant see samba shares/
https://devanswers.co/network-error-problem-windows-cannot-access-hostname-samba/

 

Upgrading Win 7 to Win 10 guests on Opensuse/Linux based VMware hosts – I – some experiences

As my readers know I am not a fan of MS or any "Windows N" operating system - whatever the version number N. But some of you may be facing the same situation as me:

A customer or an employer enforces the use of MS products - as e.g. MS Office, clients for MS Exchange, Skype for Business, Sharepoint, components for effort booking and so on. For the fulfillment of most of your customer's demands you can use browser based interfaces or Linux clients.

However, something that regularly leads to problems is the heavy use of MS Office programs or graphics tools in their latest versions. Despite other claims: A friction-less back and forth between Libreoffice and MS Office is still a dream. Crossover Office is nice - but the latest MS Office versions are often not yet covered when you need them. Another very reasonable field of using MS Windows guests on Linux is, by the way, training for pen-testing and security measures.

So, even Linux enthusiasts are sometimes forced to work with or within a native Windows environment. We would use a virtualized Windows guest machine then - on a Linux host with the help of VMware, KVM or Virtualbox. Regarding graphical performance, support of basic 3D features, Direct X and of the latest USB-versions in the emulated system environment I have a tendency to use VMware Workstation, despite its high price. Get me right: I practically never use VMware to virtualize Linux systems - for this purpose I use LXC containers or KVM. But for "Win 7" or "Win 10" VMware seemed to be a good choice - so far.

Upgrade to Win 10

During the last days of orchestrated panic regarding the transition from Windows 7 to Windows 10 I eventually gave in and upgraded some of my VMware-virtualized Windows 7 systems to Windows 10. More because of having some free time to get into this process than because assuming a sudden drop in security. (As if we ever trusted in the security of Windows system ... I come back to security and privacy aspects in a second article.) However, on a perspective of some weeks or months the transition from Win 7 to Win 10 is probably unavoidable - if you cannot isolate your Windows machine completely from the Internet and/or from other external servers which bring a potential attack risk with them. The latter may even hold for servers of your clients.

I was a bit skeptical about the outcome of the upgrade procedure and the effort it would require on my side. A good friend of mine, who sells and administers Windows system professionally, had told me that he had experienced a whole variety of different problems - depending on the Win 7 setup, the amount and character of application SW installed, hardware drivers and the validity of licenses.

Well, my Windows 7 Pro clients were equipped with rather elementary SW: MS Office in different versions, MS Project, Lexware, Adobe Creative suite in an old version, some mind mapping SW, Adobe Reader, Anti malware SW. The "hardware" of the virtual machines is standard, partially emulated by VMware with appropriate drivers. So, no need to be especially nervous.

To be on the safe side I also ordered a VMware WS Pro upgrade to version 15.X. (I own WS 12.5.9 and WS 14 licenses.) Reason: I had read that only the WS 15.5 Pro supports the latest Win 10 versions fully. Well reading without thinking may lead to a waste of resources - see below.

Another rumor you often hear is that Windows 10 requires rather new hardware and is quite resource-demanding. MS itself recommends to buy a new PC or laptop on its web-sites - of course often followed by advertisement for MS notebook models on the very same web page. Yeah, money makes the world turn around. Well, regarding resources for my Windows guest systems I was/am rather restrictive:

Virtual machines for MS Win never get a lot of RAM from me - a maximum of 4 GB at most. This is enough for office purposes. (All really resource craving things I do on Linux 🙂 ). Neither do my virtualized Win systems get a lot of disk space - typically < 60 GB. I mostly use vmdk-files to provide virtual hard disks - without full space allocation at startup, but dynamically added 4GB extents. vdmk files allow for an easy movement of virtual machines and simple backup procedures. And I usually give my virtual Win machines a maximum of 2 processor cores. So, these limitations contributed a bit to my skepticism. In addition I have 3D support on for my Win 7 guests in the virtual machine setup.

Meanwhile, I have successfully performed multiple upgrades on a rather old Linux host with an i7 950 CPU and newer hosts with I7 6700 K and modern i9 9900 processors. The operative system on all hosts run Opensuse Leap 15.1; I did not find the time to test my Debian hosts, yet.

I had some nice and some annoying experiences. I also found some aspects which you should take care of ahead of the Win 7 to Win 10 upgrade.

Make a backup!

As always with critical operations: Make a backup first! This is quite easy with a VMware virtual machine based on "vmdk"-files: Just copy the machines directory with all its files to some Linux formatted backup medium and keep up all the access rights during copying (=> cp -dpRv). In case of partition based virtual machines - make a copy of the partition with "dd".

If you should need to restore the virtual machine in its old state again and to copy your backup files to their old places: VMware will notice this and will ask you whether you moved or copied the guest. Then answer "moved" (!) - which appears a bit paradox. But otherwise there is a very high probability that trouble with your Windows license will follow. VMware interprets a "copy"-operation as a duplication of a virtual machine and puts a related information somewhere (?) which Windows evaluates. Windows will almost certainly ask for a reactivation of your installation in case that your Win license was/is an individual one - as e.g. an OEM license.

Good news and potentially bad news regarding the upgrade to Win 10

The good news is:

  • Provided that you have valid licences for your Win 7 and for all SW components installed and provided that there is enough real and virtual disk space available, the Win 7 to Win 10 upgrade works smoothly. However, it takes a considerable amount of time.
  • I did not experience any performance problems after the upgrades - not even regarding transparency effects and other gimmicks in comparison to Windows 7. VMware's 3D support for Win works - in WS 15 even for DirectX 10.

The requirement for time depends partially on the bandwidth of your Internet connection and partially on the performance of your disk access as well as your CPU and the available RAM. In my case I had to invest around 1 hr - in those cases when everything went straight through.

The potentially bad news comprises the following points:

  • The upgrade requires a considerable amount of free space on your virtual machine's hard disk, which will be used temporarily. So, you should carefully check the available disk space - inside the virtual machine and - a bit surprising - also on the Linux filesystem keeping the vmdk-files. I ran into problems with limited space for multiple upgrades on both sides; see below. Whether you will experience something similar depends on your safety margin policies with respect to disk space in the guest and on the host.
  • A really annoying aspect of the upgrade had to do with VMware's development and market strategy. From advertisement you may conclude that it would be best to use VMware WS 14 or 15 to handle Windows 10. However, on older Intel based systems you should absolutely check whether the CPU is compatible with VMware WS 14 and 15. Check it, before you think upgrading a Vmware WS 12 license to anything higher. On my Intel i7 950 neither WS 14 nor WS 15 did work at all. Even if you get these WS versions working by a trick (see below) they perform badly.
  • Then there is a certain privacy aspect. As said, the upgrade takes a lot of time during which you are connected to the Internet and to Microsoft servers. This is only partially due to the fact that Win 10 SW has to be downloaded during the upgrade process; there are more phases of information exchange. It is also quite understandable that MS has to analyze and check your system on a full scale. But do we know what Big Brother [BB] MS is doing during this time and what information/data they transfer to their own systems? No, we do not. So, if you have any sensitive data files on your system - how to protect them? You cannot isolate your Windows 10 during the upgrade. And even worse: Later on you will be more or less forced to perform updates within certain periods. So, how to keep sensitive data inaccessible for BB during the upgrade and beyond?

I address the first two aspects below. The last point of privacy is an interesting but complicated one. I shall discuss it in a separate article.

Which VMware workstation version should I use?

Do not get misguided by reports or advertisement on the Internet that certain MS Win 10 require the latest version of VMware Workstation! WS 12 Pro was the first version which supported Win 10 in late 2015. Now VMware 15.X has arrived. And yes, there are articles that claim incompatibility of VMware WS 12, WS 14 and early subversions of WS 15 with some of the latest Win 10 builds and updates. See the following links and discussions therein:
https://communities.vmware.com/thread/608589
https://www.borncity.com/blog/2019/10/03/windows-10-update-kb4522015-breaks-vmware-workstation/
https://www.askwoody.com/forums/topic/vmware-12-and-newer-incompatible-with-windows-10-1903/

But read carefully: The statements on incompatibility refer mostly (if not only) to using a MS Win 10 system as a host for VMware! But we guys are using Linux systems as hosts.

Therefore the good message is:

Windows 10 as a VMware guest is already supported by VM WS 12.5.9 Pro, which runs also on older CPUs. For all practical purposes and 2D graphics a Win 10 guest installation works quite well on a Linux host with VMware 12.5.9.

At least, I have not yet noticed anything wrong on my hosts with Opensuse Leap 15.1 and VMware WS 12.5.9 PRO for a Win 10 guests. (Neither did I see problems with WS 14 or WS 15 on those hosts where I could use these versions).

The compatibility of WS 12.5 with Win 10 guest on Linux is more important than you may think if your host has an older CPU. If you really want to spend money and use WS 14 or WS 15 please note:

WS 14 Pro and WS 15 Pro require that your CPU provides Intel VT-x virtualization technology and EPT abilities.

So, the potentially bad message for you as the still proud owner of an older but capable CPU is:

The present VMware WS versions 14 and 15 which support Win 10 fully (as guest and host system) may not be compatible with your CPU!

Check compatibility twice BEFORE you intend to upgrade VMware Workstation ahead of a "Win7 to Win 10"-upgrade. It would be a major waste of money if your CPU is not supported. And as stated: Win 12.5 does a good job with Win 10 guests.

VMware has deserved a lot of criticism with their decision to ignore older processors with WS Pro versions > 14. See
https://communities.vmware.com/thread/572931
https://vinfrastructure.it/2018/07/vmware-workstation-pro-14-issues-with-old-cpu/
https://www.heise.de/newsticker/meldung/VMware-Workstation-14-braucht-juengere-Prozessoren-3847372.html
For me this is a good reason to try a bit harder with KVM for the virtualization of Windows - and drop VMware wherever possible.

There is a small trick, though, to get WS 14 Pro running on an i7 950 and other older processors: In the file "/etc/vmware/config" you can add the setting

monitor.allowLegacyCPU = "true"

See https://communities.vmware.com/thread/572804.

But: I have tested this and found that a Win 7 start takes around 3 minutes! You really have to be very patient... This is crazy - and for me unacceptable. After you once are logged in, performance of Win 7 seems to be OK - maybe a bit sluggish. Still I cannot bear the waiting at boot time. So, I went back to WS 12 Pro on the machine with an i7 950.

Another problem for you may be that the installation of WS 12.5.9 on both Opensuse Leap 15.0 and 15.1 requires some special settings and tricks which I have written about in this blog. See:
Upgrade auf Opensuse Leap 15.0 – Probleme mit Nvidia-Treiber aus dem Repository und mit VMware WS 12.5.9
Upgrade Laptop to Opensuse 42.3, Probleme mit Bumblebee und VMware WS 12.5, Workarounds
The first article is relevant also for Opensuse 15.1.

Use the Windows Upgrade site and the Media Creation Tool page to save money

If you have a valid Win 7 license for all of your virtualized Win 7 installations it is not required to spend money on a new Win 10 license. Microsoft's offer for a cost free upgrade to Win 10 still works. See e.g.:
https://www.cnet.com/how-to/windows-10-dont-wait-on-free-upgrade-because-windows-7-officially-done/
https://www.techbook.de/apps/kostenloses-update-windows-10
Follow the steps there - as I have done successfully myself.

Problems with disk space within the VMware Windows 7 guest during upgrade

My first Win7 to Win10 upgrade trial ran into trouble twice. The first problem occurred during the upgrade process and within the virtual machine:
I got a warning from the upgrade program at its start that I should free at least some 8.5 GByte.

Not so funny - as said, I am a bit picky about resources. The virtual guest machine had only a 60 GB C-disk. Fortunately, there were a lot of temporary files which could be deleted. Actually Gigabytes and partially years old - makes you wonder why Win 7 kept those files piled up. I also could move a bunch of data files to a D-disk. And I deinstalled some programs. All in all - it just worked out. The upgrade itself afterwards went friction-free and without

So one message is:

Ensure that you have around 15 GB free on your virtual C-disk.

It is better to solve the problems with freeing C-disk space inside Win 7 without pressure - meaning: ahead of the upgrade to Win 10. If you run into the described problem it may be better to abort the Win 10 upgrade. I have tested this - and the Win 7 system was restored - apparently in good health. I got a strange message during reboot that the system was prepared for first use - but after everything was as before.

On another system I got a warning during the upgrade, when the "search for updates" began, that I should clear some 10 GByte of temporarily required disk space or attach an external drive (USB) to be used for temporary operations. The latter went OK in this case. But be careful the USB disk must be kept attached to the virtual machine over some reboots. Do not touch it until the upgrade has finalized.

So, a second message is:

Be prepared to have some external device with some free 20 GB ready if you have a complex installation with a lot of application SW and/or a complex virtual HW configuration.

I advise you to check your external USB drive, USB stick or whatever you use for filesystem errors before attaching it. And have your VMware window active whilst attaching the device! VMware will then warn you that the Linux host may claim access to the device and you just have to click the buttons in the dialog boxes to give the VMware guest full control instead of the host OS.

If you now should think about a general enlargement of the virtual disk(s) of your existing Win 7 installation please take into account the following:

On the one hand side an enlargement is of course possible and relatively easy to handle if you use vdmk files for disk virtualization and have free space on the Linux partition which hosts the vmdks. VMware supports the resizing process in the disk section of the virtual machine "settings". On Win 7 you afterward can use the Win admin tools to extend the NTFS filesystem to the full extent of the newly configured disk.

But, on the other side, please, consider that Windows may react allergic to a change of the main C-disk and request a new activation due to major hardware changes. 🙁

This is one of the points why we do not like Windows ....
So, how you solve a potential free disk problem depends a bit on what you think is the bigger problem - reactivation or freeing disk space by deletions, movement of files or deinstallations.

Addendum: Also check old restore points Win 7 may have created over time! After a successful upgrade to Win 10 I stumbled across an option to release all restore information for old installations (in this case for Win 7 and its kept restore points). This will give you again many Gigabytes if you had not deleted "restore point" data for a long time in your Win 7. In my case I gained remarkable 17 GB! => Should have deleted some old restore points data already before the upgrade.

Problems with disk space on the Linux host

The second problem with disk space occurred after or during some upgrades to Win 10: I ran out of space in the Linux filesystem containing the vmdk files of my virtual machine. In one case the upgrade simply stopped. In another case the problem occurred a while after the upgrade - without me actually doing much on the new Win 10 installation. VMware suddenly issued a warning regarding the Linux file system and paused the virtual machine. I was first a bit surprised as I had not experienced this lack of space during normal usage of the previous Win 7 installation.

The explanation was simple: As said, I had set up the virtual disk such that the required space was not allocated at once, but as required. Due to the upgrade the VMware had created all 4GB-extends to provide the full disk space the guest needed. In addition I had activated "Autoprotect Snapshots" on VMware (3 per day) - the first automatically created snapshot after the upgrade required a lot of additional space on the Linux file system - due to heavy changes on the hard disk.

My virtualized machines most often reside on specific (encrypted) LVM-based Linux partitions. And there it just got tight - when VMware stopped the virtual machine only 3.5 GB were left free. Not funny: You cannot kill snapshots on a paused virtual guest - the guest must be running or be shut down. And if you want to enlarge a Linux partition - which is possible if there is (neighboring) space free on your hard disk - then the filesystem should best be unmounted. Well, you can enlarge a GPT-partition with the ext4-filesystem in operation (e.g. with YaST) - but it gives you an uncomfortable feeling.

In my case I decided to brutally power down the virtual machines. In one case where this problem occurred I could at least eliminate one snapshot. I could start the virtual machine then again and let Windows check the NTFS filesystems for errors. Then I shut down the virtual machine again, deleted another snapshot and used the tools of VMware to defragment and compact the virtual disks. This gave me a considerable amount of free GBs. Good!
Afterwards I additionally reduced the number of protection snapshots - if this still seemed to be necessary.

On another system with a more important Win 7/10 installation I really extended the Linux partition and its ext4 filesystem by 20 GB - I had some spare space, fortunately - and then followed the steps just described.

So, there is a whole spectrum of options to regain disk space after the upgrade. See also:
thebackroomtech.com : reduce-size-virtual-machine-disk-vmware-workstation/

My third message is:

Ensure a reasonable amount of free space in the Linux filesystem - for required extents and snapshots!
After the backup of your old Win 7 installation, eliminate all VMware snapshots which you do not absolutely need - in the snapshot manager from the left to the right. Also use the VMware tools to defragment and compact your virtual disks ahead of the upgrade.

By the way: I hope that it is clear that snapshots do NOT replace backups. You should make a backup of your successfully upgraded Win 10 installation after you have tested the functionality of your applications and before you start working seriously with your new Win 10. You do not want to go through the upgrade procedure again ..

Addendum: Circumvent the enforcement of Windows 10 updates after your upgrade

Updates on Windows 7 have often lead to trouble in the past - and as an administrator you were happy to have some control over the download and installation points for updates in time. After reading a bit, I got the impression that the situation has not changed much: There have occurred some major problems related to updates of Win 10 since 2016. Yet, Windows 10 enforces updates more rigidly than Win 7.

I, therefore, generally recommend the following:

Delay or stop automatic updates on Win 10. Then use VMware's snapshot mechanism before manual updates to be able to turn back to a running Win 10 guest version. In this order.

The first point is not so easy as it may seem - there are no basic and directly accessible options to only get informed about available updates as on Win 7. Win 10 enforces updates if you have enabled "Windows Update"; there is no "inform only" or "download only". You have to either disable updates totally or to delay them. The latter only works for a maximum period of 35 days. How to deactivate updates completely is described here:

https://www.easeus.com/todo-backup-resource/how-to-stop-windows-10-from-automatically-update.html
https://www.t-online.de/digital/software/id_77429674/windows-10-automatische-updates-deaktivieren-so-geht-s.html

There is also a description on "Upgrade" values for a related registry entry:
www.deskmodder.de/wiki/index.php/Automatische-Updates-deaktivieren-oder-auf-manuell-setzen-Windows-10#Windows_10_1607.2C-1703-Pro-Updates-auf-manuell-setzen-oder-deaktivieren

I am not sure whether this works on Win 10 Pro build 1909 - we shall see.

Conclusion

Win 7 and Win 10 can be run on VMware WS Pro versions 12.5 up to 15.5 on Linux hosts. Before you upgrade VMware WS check for compatibility with your CPU! An upgrade of a Win 7 Pro installation on a VMware virtual machine to Win 10 Pro basically works smoothly - but you should take care of providing enough disk space within the virtual machine and also on the host's filesystem containing the vdmk-files for the virtual disks.

It is not necessary to change the quality of the virtualized hardware configuration. Win 10 appears to be running with at least the same performance as the old Win 7 on a given virtual machine.

In the next article I will discuss some privacy aspects during the upgrade and after. The main question there will be: What can we do to prevent the transfer of sensitive data files from a Win 10 installation?

 

Windows 10 und die Süddeutsche Zeitung

Man würde meinen, dass die Technik-Sparte einer seriösen Zeitung wie der SZ von Journalisten gestaltet wird, die die Kunst der kritischen Distanzwahrung und der sachlichen Informationsweitergabe zu kontroversen Themen gelernt haben. Oder im Zweifel zumindest Fachleute (!) mit unterschiedlichen, aber begründeten Ansichten zu einem kontroversen Thema zu Wort kommen lassen.

Hrn. Hurtz von der SZ hat es heute mit seinem Artikel
"Heute noch geschenkt, bald richtig teuer"
(http://www.sueddeutsche.de/wirtschaft/windows-betriebssystem-heute-noch-geschenkt-bald-richtig-teuer-1.3095229)
zur kommenden Kostenpflichtigkeit von Windows 10 geschafft, technischen Journalismus in ungeahnte Tiefen zu führen. Und er hat den erreichten Tiefpunkt dann nochmal durch einen nachgeschobenen Online-Artikel
http://www.sueddeutsche.de/digital/microsoft-warum-sie-keine-angst-vor-windows-haben-muessen-1.2835023
tiefer gelegt.

Ich habe die genannten Artikel gleich dreimal lesen müssen, weil man es ja kaum für möglich hält, wie distanzlos sich die SZ - hoffentlich ungewollt - vor den Karren der Interessen Microsofts spannen lässt. Ich persönlich halte bekanntermaßen wenig von MS-PC-Produkten - das ist eine, nämlich meine Sache. Aber Artikel, in der die Presse in fast humorigem Ton die Werbe-Arbeit von MS verrichtet, ist eine andere. Ich erlaube mir, in diesem Fall ein großes Fragezeichen hinter die Seriosität der genannten Artikel und hinter die interne Qualitätssicherung bei der SZ zu setzen. Ehrlich, die Lektüre ist mir aufs Gemüt geschlagen - ich hätte es nicht für möglich gehalten, dass die SZ so was publiziert. Der Frust macht ein wenig Polemik zur erneuten Gewinnung des inneren Gleichgewichts fast unerlässlich. Wohlgemerkt, mir geht es dabei gar nicht um Microsoft. Das vertritt wie jedes Unternehmen legitimerweise seine Interessen - und Windows 10 interessiert mich nun wirklich nur peripher. Mir geht es darum, wie abgrundtief schlecht die obigen Artikel sind.

Welche neutrale Sachinformationen liefert uns der erste der genannten Artikel, der sich in der heutigen Druckausgabe der SZ über 5 Spalten erstreckt und vom nicht bebilderten Teil der Seite etwa die Hälfte einnimmt? Genau zwei: Windows 10 wird ab August etwas kosten. Und MS hat das eigene Ziel von 1 Milliarde Upgrades bislang weit verfehlt. Das war's. Dafür würde man wohl kaum 5 Spalten brauchen. Nun könnte sich an die Sachinformationen ja z.B. eine Gegenüberstellung begründeter (!) Argumente für und gegen ein Upgrade von Windows 10 anschließen. Aber was lesen wir?

Da ist zunächst wortgewaltig von "religiösem Eifer" und "Glaubenskriegen" der Gegner von Windows 10 die Rede. Wir erfahren unter Zuhilfenahme eines Zitats von Umberto Ecco von 1994 (!), dass die IT-Welt schon immer in 2, seit kurzem aber sogar 3 religiöse Lager geteilt sei: Apple-Anhänger, Windows 10- und Windows 7-Anhänger. Dass die schärfste Kritik an Windows 10 möglicherweise gar nicht von Apple- oder Windows 7 Anhängern kommt, muss man sich als Leser erst viel später aus der beiläufigen Erwähnung von Klagen deutscher Verbraucherschutz-Verbände erschließen.

Der Rest des verfügbaren Platzes wird durch die Wiedergabe von Einschätzungen des Leiters des Geschäftsbereichs für Windows von MS Deutschland zur Kritik an Win 10 in Anspruch genommen. Von diesem Herrn erfahren wir dann lang und breit, welche wenig stichhaltige Argumente die Windows 10 Gegner (angeblich) ins Feld führen - etwa "never touch a running system" (gemeint ist Windows 7). Das sitzt ... ich reibe mir die Augen und bin echt betroffen. So hatte ich das Thema Windows 10 zwar noch nie gesehen; aber wenn ein Geschäftsführer von MS das sagt ..... Richtig beeindruckend, diese saubere, gründliche Journalistenarbeit von der SZ ....

Und dann wird es wirklich interessant - es geht um "Die beiden zentralen Kritikpunkte an Windows 10 - Datenschutzbedenken und Zwangsupgrade". Na, was erfahren wir wohl dazu? Ja, die halte der Leiter des Windows-Geschäftsbereichs Deutschland für "überschätzt". Ach wirklich? Echt ???... das hätte ich nun überhaupt nicht erwartet.... Der journalistische Tiefgang des Artikels, der das alles kommentarlos weitergibt, beeindruckt mich immer mehr ...

Und weiter: Wer wolle, könne ja die "meisten Überwachungsfunktionen abschalten". usw., usw.. "Und was viele Nutzer als penetrante Aufforderung zum Upgrade empfunden haben" hält der Geschäftsführer von MS für ein vernünftiges Vorgehen. "Niemand sei ... zwangsbeglückt worden". Diese Botschaft freut sicher jeden, der mal versucht hat, die "Beglückung" durch Werkeln in der Wndows-Registry abzuschalten.

Die journalistische Meisterleistung von Hrn. Hurtz wird abschließend von der Wiederholung seiner Erkenntnis gekrönt, dass sich die Tech-Szene in Kürze in drei "Religionen" (Apple, Win 10, Win 7) teilen werde. Halt - da entdeckt der SZ-Journalist doch noch eine weitere Gruppe - nämlich die "Atheisten" - ja, liebe Leute, das sind wir, die mit Linux.

Wem der Salat an MS-Meinungswiedergabe als Haupt-"Information" des Artikels noch nicht gereicht hat, der konnte ergänzend einen 2-spaltigen Kasten mit Kleingedrucktem lesen, in dem die schöne neue Welt von Windows angepriesen wird: Nur noch laufende Updates eines ewigen Windows 10 und verbesserte Funktionen "eines bereits stimmigen Betriebssystems". Ja, wer's mag - wie offenbar besagter Redakteur der SZ - für den ist das halt das Höchste ..

In dieser begrenzten Logik bleibt die (IT-) Erde auch weiterhin eine Scheibe ... sie wird in Zukunft nur viel runder und noch stimmiger. Never touch a running ideology ... die religiösen Eiferer aus dem Apple und Win 7-Lager und wir, die "Atheisten" aus dem Linux-Lager, haben da nur noch nicht genau genug hingesehen. Der Abgrund am Rand der Scheibe ist jetzt dank ausführlicher Nutzungsklauseln sogar markiert und mit dem verbesserten Angebot kann man noch tiefer in ihn hineinsehen - kein Grund mehr ihn zu überschätzen ... Danke, liebe SZ, für diese humorig verfasste "Information" - endlich habe ich es begriffen! Bleibt nur die Frage, warum Hr. Hurtz nicht einfach, kurz und prägnant geschrieben hat:

Liebe MS-Gläubigen, die ihr bisher der täglichen frohen Upgrade-Botschaft aus völlig unverständlichen bis ketzerischen Gründen nicht gefolgt seid: Beeilt euch mal - denn sonst muss MS den Klingelbeutel in der Gemeinde rumgehen lassen. Und wie wir aus gewöhnlich bestens informierten Kreisen der MS-Geschäftsführung erfahren haben, sind alle eure Motive, Windows 10 nicht einzusetzen, in der Nähe religiösen Eifertums angesiedelt, aber objektiv nicht nachvollziehbar. Die MS-Geschäftsführung weiß das - und natürlich auch, was wirklich gut für euch ist !! Ihr müsst es einfach nur glauben. Und Datenschutz in Europa und Deutschland ist ja eh' schon immer überschätzt worden. Nun aber bitte gleich upgraden - damit MS seine Geschäftsziele erreicht. Sonst Strafgebühr ....

Das wäre wenigstens klar, ehrlich und platzsparend gewesen - und man müsste sich als Leser nach der Lektüre nicht verzweifelt die Frage stellen, ob Hr. Hurtz in seinem aufklärerischen Eifer schlicht nicht gemerkt hat, dass dieser Artikel auch aus der Werbeabteilung Microsofts stammen könnte. Bis 15:00 Uhr habe ich noch an Unbedarftheit geglaubt; aber dann wird von der SZ online noch ein weiterer Artikel nachgeschoben mit dem Titel: "Warum Sie keine Angst vor Windows 10 haben müssen".

Einige Argumente werden auch in diesem Artikel wieder aus dem reichen Erkenntnisschatz von MS geliefert: Das Datenabgreifen erfolge ja im besten Interesse des Nutzers und würde nur in anonyme Statistiken einfließen. Wer die Nutzungsbedingungen ganz lese (was aber wegen der Länge kaum einer tue) könne das begreifen. Und MS würde nie persönliche Mails durchsuchen, um Werbung zu schalten. Sagt MS - und dann wird es ja wohl stimmen und muss von der SZ unreflektiert verbreitet werden. Offen bleibt in diesem einseitigen Diskurs die Frage der Ketzer: Aber warum werden z.B. die Mails der Windows 10 User dann überhaupt auf MS-Server übertragen?

Ich selbst habe alle Nutzungsbedingungen von MS Win 10 sehr genau gelesen - auch das flankierende Service Agreement: Da bleiben eigentlich keine Fragen offen. Du akzeptierst als Nutzer, dass MS bei Standardeinstellungen und im Zweifel zu Wartungszwecken alle deine Daten auf eigene Server transferiert. Wozu? Tja, da muss der MS-Adept halt einfach glauben, dass das zu seinem Wohle ist. Zu platt? Stimmt, denn selbst Hrn. Hurtz kommt dann auf Seite 2 des Artikels der schlimme Verdacht, das selbst die bislang Gläubigen nicht so einfach von neuen Götzen zu überzeugen sein werden. Und die Predigt nimmt dann eine neue Richtung:

"Komfort gibt es nur im Tausch gegen Privatsphäre ...jeder Zugewinn an Komfort geht mit einem kleinen Verlust an Privatsphäre einher. Das ist bei Google und Apple aber nicht anders." Denn: Das mit dem Komfort funktioniert nur - Zitat - "wenn man bereit ist, einen Teil seiner Privatsphäre zu opfern. Es gibt gute Gründe, diese Entwicklung zu bedauern. Aber es gibt keinen guten Grund, allein Microsoft an den Pranger zu stellen, weil sie mit der Zeit gehen. Wer diesen Weg nicht mitgehen will, hat längst eine gute Alternative zu Windows und iOS. Sie heißt Linux."

Aha, Überraschung: Privatsphäre geht bei Einsatz von Windows 10 womöglich doch verloren - aber ich soll MS halt glauben, dass das zu meinem Besten ist. Und dass andere Anbieter von PC- und Smartphone -Betriebs-Systemen auch nicht besser sind, ist dabei ein wirklich tröstlicher und tiefer Gedanke von Hrn. Hurtz. Habt keine Angst, liebe Gläubigen ...in den Paradiesen der zukünftigen IT werden wir alle gleich unfrei sein.

Der Artikel erteilt dann abschließend noch die Absolution für die Ketzer; moderne Botschafter von Betriebssystem-Religionen sind schließlich liberal. Denn wer die beschriebene Opferung der informationellen Selbstbestimmung auf dem Altar des Dogmas "Komfort hat den Preis der Privatsphäre" partout nicht einsehen wolle, könne sich ja (ganz im Sinne des ersten Artikels) als Atheist aus den genannten drei Kirchen abmelden - durch die Benutzung von Linux. Letzteres muss gemäß der Hurtz'schen Argumentation und Logik aber leider höllisch unkomfortabel sein.

Na dann, liebe Linuxer - auf ins Fegefeuer ... da muss man wenigstens keinen miserablen Journalismus mehr ertragen ...