Add legacy driver and GlobalFlag IPU blocker detection to OSUpgrade Assessment script#1

Open
jdickson289 wants to merge 195 commits into master from feature/ipu-legacy-driver-detection

@jdickson289

Summary

Adds two new pre-upgrade checks to Windows_OSUpgrade_Assessment_Validation.ps1 to detect known IPU blockers on lift-and-shift Azure VMs migrated from VMware/on-premises environments.

New Checks

1. Legacy VMware / Ghost Hardware Driver Detection

Scans HKLM:\SYSTEM\CurrentControlSet\Services for known legacy drivers set to load (Start <= 3):

  • vmmouse, vm3dmp, flpydisk, vmhgfs, vmrawdsk, vmusbmouse, vmvss, vmscsi, vmxnet

These drivers cause IPU to fail with 0xC1900101-0x50016 when Windows Setup boots into SafeOS and encounters hardware unsupported by the Azure Hyper-V host.

2. GlobalFlag Debug Mode Detection

Checks for GlobalFlag set in HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager. When enabled, this forces Windows Setup into PageHeap/debug mode — throttling memory operations and causing IPU to time out and roll back.

Output

Both checks produce [Failed] checklist items with inline remediation guidance:

  • Legacy drivers: Disable (do not Uninstall) in Device Manager before retrying IPU
  • GlobalFlag: Remove via reg delete and reboot before retrying IPU

Testing

Validated locally — script correctly detects flpydisk as a blocker on a lift-and-shift test VM.

Related

  • ADO Work Item: #35892966 (IPU: Pre-upgrade compat failures — Upgrade Error WGA Rules & Docs)
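
The two checks described in the summary above, as an added read-only sketch; it is not the code from this pull request or from Windows_OSUpgrade_Assessment_Validation.ps1. The function names `Find-LegacyDriverService` and `Get-GlobalFlagValue`, the `[Passed]` line, and the rule that only a present, non-zero GlobalFlag counts as enabled are assumptions made for illustration.

```powershell
# Added example (read-only). Function names are hypothetical, not the script's own.
# Driver names are the ones listed in the PR description.
$LegacyDrivers = 'vmmouse','vm3dmp','flpydisk','vmhgfs','vmrawdsk',
                 'vmusbmouse','vmvss','vmscsi','vmxnet'

function Find-LegacyDriverService {
    param(
        [string[]]$Name = $LegacyDrivers,
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    foreach ($n in $Name) {
        $key = Join-Path $ServicesKey $n
        if (-not (Test-Path -LiteralPath $key)) { continue }    # driver not registered
        $svc   = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $start = if ($svc) { $svc.PSObject.Properties['Start'] }
        # Start values: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled.
        if ($start -and $start.Value -le 3) {
            [pscustomobject]@{ Driver = $n; Start = [int]$start.Value }
        }
    }
}

function Get-GlobalFlagValue {
    param([string]$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager')
    $sm = Get-ItemProperty -LiteralPath $Key -Name GlobalFlag -ErrorAction SilentlyContinue
    if ($null -eq $sm) { return $null }      # value not present
    return $sm.GlobalFlag
}

$drivers = @(Find-LegacyDriverService)
foreach ($d in $drivers) {
    "[Failed] Legacy driver '{0}' is set to load (Start={1}). Disable the device in Device Manager (do not uninstall) before retrying IPU." -f $d.Driver, $d.Start
}

$flag = Get-GlobalFlagValue
# Assumption: a present, non-zero value counts as "enabled".
$flagSet = ($null -ne $flag) -and ($flag -ne 0)
if ($flagSet) {
    "[Failed] GlobalFlag is set (0x{0:X8}). Remove the value and reboot before retrying IPU." -f $flag
}

# The [Passed] wording is illustrative; the PR only describes [Failed] items.
if ($drivers.Count -eq 0 -and -not $flagSet) {
    '[Passed] No legacy driver or GlobalFlag blocker found.'
}
```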

pagienge and others added 30 commits April 29, 2025 13:53
Uploaded a new version of Ghosted NICs removal script with time warning added
Let's move the scripts. Readmes need more content
Added link to Ghosted NIC Removal script on GitHub
V2 Update Windows_GhostedNIC_Check_Time_warning.ps1
Adding warning to backup VM before running script
Just an update to messaging, no substantial code change
Big Change - move scripts from runcommand

Add readme.mds
sss
jdickson289 and others added 30 commits January 29, 2026 08:41
doc and bug fix for vmassist linux
Update Windows_WindowsActivation_Validation.ps1
Refactor string splitting to use splitlines method
Add RHUI connectivity check script v2.
Add RHUI Break/Fix script for testing scenarios
…Azure service endpoints.

.SYNOPSIS
    Validates Windows Firewall configuration and checks connectivity to Azure service endpoints.

.DESCRIPTION
    This script performs the following checks:
    - Verifies Windows Firewall service status
    - Checks firewall profile states (Domain, Private, Public)
    - Validates RDP (3389), WinRM (5985/5986), SMB (445), HTTP/HTTPS port accessibility
    - Tests connectivity to comprehensive Azure endpoints including:
      * Infrastructure: IMDS, WireServer, KMS, Time Sync
      * Management: ARM, Azure Portal
      * Identity: Azure AD/Entra ID, Microsoft Graph
      * Storage: Blob, File, Table, Queue
      * Monitoring: Azure Monitor, Log Analytics, Application Insights
      * Backup: Azure Backup, Site Recovery
      * Security: Key Vault, Defender
      * Updates: Windows Update, WSUS
      * Certificates: DigiCert, Microsoft CRL/OCSP
      * DevOps: Azure DevOps, NuGet
      * Containers: ACR, MCR
    - Checks PerfInsights storage account connectivity if configured
    - Identifies blocking rules for Azure infrastructure IPs
    - Provides remediation guidance for detected issues
…eStuff

    Validates Windows Firewall configuration and checks connectivity to Azure service endpoints.
… and volatile temp-drive references on Azure VMs.

.SYNOPSIS
    Analyzes Windows service dependency chains, startup type mismatches, and
    volatile temp-drive references on Azure VMs.

.DESCRIPTION
    WindowsServiceDependencyAnalyzer performs three categories of checks:

    1. Dependency Chain Analysis
       - Maps each service's DependOnService list and reverse-depends (dependents)
       - Detects circular dependencies
       - Identifies chains deeper than 4 levels (fragile startup order)
       - Flags services depending on a Disabled or Manual service

    2. Startup Type Mismatch Detection
       - Services set to Automatic that are currently Stopped (and not trigger-started)
       - Services set to Disabled that have active dependents set to Automatic
       - Services in a failed state (StartType = Automatic, Status = Stopped,
         ExitCode != 0)

    3. Volatile Path Detection
       - Scans service ImagePath and common registry parameters for references to
         the Azure temp drive (typically D:\) or well-known volatile paths
       - Flags services whose binaries or data live on drives that are wiped on
         redeployment/resize

    Output is a structured report with findings grouped by severity:
      CRITICAL  - Service failures or broken dependency chains
      WARNING   - Mismatches likely to cause issues after reboot/redeploy
      INFO      - Advisory observations
Analyzes Windows service dependency chains, startup type mismatches and volatile temp-drive references on Azure VMs.
Update Beta_Windows_Update_Common_Error_Detections.ps1
This script is a read-only Secure Boot health check for Windows devices.

It collects registry, event log, firmware, and task data to determine whether the UEFI CA 2023 Secure Boot update is fully applied, then prints a color-coded report with clear next steps.
Secure Boot Certificate Check script
Detects Mellanox mlx5 network adapter driver versions on Azure Windows VMs
and checks for DRIVER_IRQL_NOT_LESS_OR_EQUAL (0x000000D1) bugcheck events.

Related TSG: Mellanox mlx5 Driver Crash - Outdated Driver (Windows)
https://dev.azure.com/Supportability/AzureIaaSVM/_wiki/wikis/AzureIaaSVM/2539440/

- Detection only - no system changes
- Follows Windows_GhostedNIC_Detection pattern
- Includes README with TSG reference and usage table
- Added README.md with full documentation: overview, requirements, parameters, usage examples (local, Azure Portal, CLI, Az module), script logic walkthrough, sample output, and full error code table
- Renamed Beta_Windows_Update_Common_Error_Detections.ps1 to Windows_Update_Common_Error_Detections.ps1 (removed Beta_ prefix)
…r-detection-readme

Add README and rename script for Windows_Update_Common_Error_Detection
…-driver-validation

Add Windows_Mellanox_Driver_Validation RunCommand script
…k-readme

Add README for SecureBootCertCheck script
…ssessment script

Adds two new pre-upgrade checks to Windows_OSUpgrade_Assessment_Validation.ps1:

1. Get-LegacyDriverBlockers: Scans the Services registry for known legacy
   VMware/ghost hardware drivers (vmmouse, vm3dmp, flpydisk, vmhgfs, vmrawdsk,
   vmusbmouse, vmvss, vmscsi, vmxnet) that are set to load (Start <= 3).
   These drivers cause IPU to fail with 0xC1900101-0x50016 when Windows Setup
   boots into SafeOS and encounters hardware unsupported by the Azure Hyper-V host.

2. Get-GlobalFlagStatus: Detects GlobalFlag enabled in Session Manager
   (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager). When set, this
   forces Windows Setup into PageHeap/debug mode, throttling memory operations
   and causing IPU to time out and roll back.

Both checks output [Failed] checklist items with inline remediation guidance:
- Disable (not Uninstall) legacy devices in Device Manager before retrying IPU
- Remove GlobalFlag via reg delete and reboot before retrying IPU

Addresses scenario: lift-and-shift Azure VMs from VMware/on-premises environments.
Related ADO: #35892966

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
8 participants