Getting started with RemoteFX vGPU on Windows Server 2012 R2

Now Microsoft has made alot of improvements with the latest RemoteFX feature in 2012 R2, (Now i’ve written a bit of the requirements of remoteFX before –>

Most important thing to remember about remoteFX vGPU is that it is only supported on Enterprise Client OS (Therefore Windows 7 and 8 Enterprise SKUes)

It also requires Hyper-V 2012 / 2012 R2 installed with Remote Desktop Virtualization Host role installed.

It also requires a graphics card,

In my case I have Dell R720 with S7000 Firepro card. Now you need to install the FirePro drivers for 2012 R2 on the host.

After that you need to check for enabled the GPU to be used for RemoteFX. image

After that you need to have a virtual machine installed with Windows 7/8 enterprise Generation 1, and you need to attach a RemoteFX adapter to it. NOTE if you are running Windows 7 you need to update integration services!


Note that the number of monitors and resolution define how much video memory is dediated to the virtual machine. You can see the vRAM allocation overview here –>

Now when you have configured a virtual machine with RemoteFX you can boot it and RDP to it.

To be sure that you are using RemoteFX you can look at the following.



Device Manager:


Now to have optimal performance you need make sure that TCP/UDP 3389 is open, since RemoteFX uses UDP for most of the graphic transport. Now remember thet vGPU only supports DirectX acceleration (not OpenGL)

there are custom performance counters within the virtual machine to monitor, if for instance network is the issue/ performance locally or something else.


Now Microsoft states that RemoteFX is now supported on WAN and yeah it does work, but not at the same performance that Citrix or VMware has at the moment. ill come back with some more detailed tests on remoteFX vGPU comparted to 3D vGPU HDX later.

Azure Pack configuration for Windows Server 2012 R2

So Microsoft has released the new wave of products into preview, including the next version of Katal (Azure Services) for Microsoft, called Azure Pack. This pack transforms your datacenter into Azure allowing users to sign up using plans and be able to use your infrastructure into a IaaS platform.

You can download the trial for Azure Pack here –>

Now there are some prerequisites for using this pack.
You can read more about them here –>

But in order to integrate Azure pack with your on-premise solution it uses Service Provider Foundation (Which is included in the Orchestrator installation media)


Not that this requires the installation of SCVMM 2012 R2 Console on the same machine as SPF since it uses the VMM APIs to communicate with it.

It also requires some other prerequisites such as


WCF Data Services 5.0 can be found here –>

.NET features 4.5 WCF is a part of .Net 4.5 which can be installed from Server Manager

Management ODATA IIS is also a part of 2012 R2 installation media

ASP.NET MVC 4 can be downloaded from here –>

Next we configure a database for use for SPF


In this database the SPF stores information such as
Usage Records
Gallery Items
And Tenants Stamps

Next we choose where to deploy the SPF files and what certificate we want to use.
In my case for this demo I used a self-signed certificate.


Next we define credentials for the admin web service


NOTE: If you choose Network Service here you need to make sure that the machine account is a VMM administrator

In my case I choose a Service Account and entered a domain user.
After that you are done with SPF


Next we move on to the Azure Pack installation
You can download the pack from here –>

All it does is download a profile which uses webdeploy.


Now by default it will install all the web roles on the same servere


Click I accept (ill come back to what the different roles do)
And Note this installing part may take some time.

After that is done, press Continue and ill will start the Service Management Configuration site.


It will open a browser window on the localhost on port 30101, and again we will have to define a Database and server for the Azure Pack.

Here you have the option to use a Windows user or a regular SQL user.
Remember that you have to enable Mixed Mode on the SQL server in order to use regular SQL users.


Make sure that you write down the passphrase. If you forget or lose this passphrase, there is no way to recover it. This is used to encrypt and decrypt the Configuration Store..

Next we define a FQDN for the host


After this is done it will start configuring the different roles on the Server


After that is done we continue on with the configuration


NOTE: You may need to log out of your system and log back in before you can access the management portal for administrators. This is due to Windows authentication and the need to add the security group to your security token.

If you continue to see an access denied error, even after logging back in, close all Internet Explorer windows, and run Internet Explorer as an administrator.

Now the setup will open a browser on port 30091 which is the default port for the management portal for administrators



Now you can see the difference between “Katal” and Azure Pack

Katal (The old version)


(Azure Pack the New one)


New stuff is including
Reporting provider (This is also a feature that is on the Orchestrator installation media)
Service Bus Clouds (Read more about setting up service bus here –> )
Automation (This requires Service Management Automation web service)

So in my case I define the Service Provider Foundation endpoint for Azure Pack
And then Go to VM Clouds and connect to my VMM Management Server.

Add some bugs when connecting to my cloud but after a IISreset it worked just fine


This gets the cloud container from VMM, from here I can view resources in my cloud


Now for the end-user I can sign up using the tenant portal.
Which is on the same server you installed Azure Pack only on port 30081 remember thou that you need to create a plan and publish it in order for users to subscribe to that plan.

Here I signed up with a regular user account


Choose Add Plan and select a public plan which was created on the management portal.
Note thou that here we have external users created we can also use AD authentication

For the tenant portal you can configure this using ADFS here –>

Note when you sign up for a plan you need to go back to the administration portal and approve the subscription.

Now If I want to automate a task associated with VM create I can do this in the management portal


All for this time, all dive in a bit more when I got the time Smilefjes 
Stay tuned

ARP guard in Hyper-V 2012

So I decided to try the ARP guard functionality in Hyper-V 2012 and see how it works, and in the same case check if it is possible to change the Mac address.

I took a look at what documentation Microsoft had around the subject

And what they say here is that

 I am sure you already browsed the new Hyper-V Manager UI and found a couple of new settings like DHCP Guard, Router Guard but nothing specific for ARP Spoofing.
Well, the feature you are looking for is called Port Access Control Lists and is implemented in the new Hyper-V switch and must be configured via PowerShell.

Arp Spoofing is a technique that allows for man-in-the-middle attack.

I can for instance place my computer in the middle of another user and intercept all the traffic going between the end-user and the gateway and place a sniffer on my computer and scan all the traffic going in and out.
Without the user even knowing it. This can happen because of how the Arp protocol is built. It is built on trust, and how computers can find other computers on the same subnet and was never thought of as a secure protocol.

So in order to test this out I had to setup a minor lab built with a couple of VM’s running on a hyper-v 2012 virtual switch.
1: with Windows Server 2008 R2
1: one domain controller
1: Linux Backtrack (which I will use arp spoof and mac changer on)

So when I start my newly installed WS2008 server It has a clean arp table (which consists of the broadcast address)

And as you can see this computer has the IP address
So what happens when I ping this server from the backtrack computer ? First the arp request (who owns this ip ? )

You can see the arp request first, then the ICMP protocol start. Then the Arp table is updated.

As an dynamic update. Then I ping the domain controller, which has ip,

and it has added itself to the list, look at difference between the mac addresses of 1 and 77.
Next I start the arp-spoof attack from my backtrack computer.

And I can see in wireshark that I am spamming with ARP traffic

And notice here I am saying that IP is at another MAC address.
If you check the arp table now on the other computer you can see that the arp table is updated (poisoned)

And after I activate IP forwarding on the backtrack server I can «act» as a man in the middle.
As you can see now when I try to ping I get a response

but from my Backtrack server instead of my domain controller. And according to my server it responds fine from

So how does the arpguard in Windows Server fit in here? In addition, where can I configure it?
The answer is Port Access Control Lists via PowerShell.

This is configured on the Hyper-V host I find it a best to do it via the PowerShell ISE.
so what can I do ? First, I have to create a port ACL that defines that the virtual machine can ONLY communicate out with the IP address of and not any other.

So when I apply this port ACL and try to ping It will not receive a response, and since it does not get a response I tries an ARP request again and my backtrack computer is unable to respons because of the Port ACL

And the arp table is restored to its default.



Veeam under panseret del 2

Backup and Replication er som jeg nevnte I forrige post, er rettet mot virtuell infrastruktur. For å kunne vise hvordan det fungerer kommer jeg til å sette opp B&R mot et miljø bestående av Hyper-V, B&R består I all hovesak av 3 komponenter.

Proxy Server : Det er denne som gjør jobben med å hente ut data fra serveren som det skal tas backup av og legger dette på et repository.
Backup Server : Administrasjonsserveren, her legger du inn backup jobbene som du ønsker og kjøre. Alt av jobber og statistikk blir lagret in en SQL database tilknyttet serveren.
Repository : Det er her backupdata blir lagt.

Så I all hovedsak så er det Proxy serveren som går inn  og henter ut data fra serveren og sender dette videre til et Backup Repository. Visst du merker at en backup job tar for lang tid kan du enkelt legge til flere proxy servere (da Proxy serveren jobber veldig CPU intensivt)
Jeg skal vise hvordan man kan definere ulike proxy servere for ulike jobber I en neste post.
Men når man skal avdekke bottlenecks er det 4 ting å se etter. NB: Visst Veeam avdekker at det er en bottleneck vil den senke ned “farten” på resten av komponentene til å kunne den farten som det svakeste leddet håndterer. 
1: Hyper-V hosten (Mye lese og skrive mot disk ? )
2: Proxy serveren (Er CPU’en nådd maks ? )
3: Nettverket (Har det nådd maks båndbredde?)
4: Target repository  (Mye lese og skrive mot disk ? )

Andre komponenter:

Enterprise Backup Server: Muligheten til og administrere flere backup servere, den gir deg også mulighet til å søke gjennom backupene etter enkeltfiler
Backup Search: Bruker MOSS integration Services på en Microsoft search server for og kunne kjappere søke igjennom data.

Arkitekturen på Hyper-V


I utgangspunktet vil det bli innstallert en proxy server på Hyper-V hosten, visst du har behov for å ta lasten vekk fra Hyper-V hosten må du ha en server som er satt opp som Offhost Data Proxy
(Dette krever en server som er installert med Hyper-V pga VSS og bør være samme Hyper-V versjon som hosten den skal ta backup av)

Arkitekturen på VMware


For VMware sin del er det ingenting som blir installert på selve hosten, du må sette opp en egen Windows server som kjører som Backup Proxy (Denne serveren bør ha tilgang til samme lagringen som VMware hosten)
denne serveren kan også være en virtuell maskin som kjører på VMware men dette krever at serveren har HotAdd tilgang til VMene på Datastoren)

Støttet systemer:


Microsoft Hyper‑V Server 2008 R2 SP1
Microsoft Windows Server 2008 R2 SP1 med Hyper-V
Microsoft Windows Server 2012 med Hyper-V

Management Server (Ikke nødvendig)
Visst man ønsker å ta backup mot VMM krever det installasjon av VMM konsollet på Backup serveren)

Microsoft System Center 2008 Virtual Machine Manager R2 SP1
Microsoft System Center 2012 Virtual Machine Manager

Du kan lese mer om anbefalinger rundt hardware og supporterte systemer her –>

Installasjonen av Veeam krever at man også har installert
.Net Framework 4.0
En SQL Server enten lokalt eller på en annen server.

Visst man ikke har noen av delene vil Veeam installasjonen installere begge deler (dog en SQL Express utgave av 2008 R2)

Installasjonen er veldig enkel og strømlinjeformet


Legg inn lisensnøkkelen du har fått utgitt.


Management Console (Er Backupserveren med komponenter)
Catalog Service (Er ansvarlig for å indeksere VM OS filer)
PowerShell snap-in (Gir deg PowerShell kommandoer som kan brukes til å automatisere backup akviteter via script)


Visst du ikke har noen SQL database server tilgjengelig velger du lokalt oppsett (Da vil installasjonen sette opp en SQL Express 2008R2)
Applikasjonen har støtte for de fleste MSSQL versjoner

•Microsoft SQL Server 2005 (Full og Express Edition)
•Microsoft SQL Server 2008 (Full og Express Edition)
•Microsoft SQL Server 2008 R2 (Full og Express Edition)
•Microsoft SQL Server 2012 (Full og Express Edition)


Her må du oppgi en bruker som har full database tilganger på databasen. Samme brukeren vil også automatisk bli gitt “Log on as a service” rettigheten på serveren.
Så her er det å anbefale å bruke en least-privilege bruker.


Deretter er det bare å klikke Next og så install.
B&R kan nå startes fra skrivebordet eller under startmenyen.


Før vi begynner å legge til Hyper-V servere og konfigurer backup er det viktig at vi går igjennom oppsettet på serveren å hvilken konfigurasjons muligheter som finnes der.
Slik ser grensesnittet ut når du inne.


Det er I all hovedsak delt opp I 5 faner.

Backup & Replication (Her definerer du backup og replikerings jobber, får opp alle backupene du har satt opp)
Virtual Machines (Lister opp alle virtuelle maskiner som er knyttet opp I mot Veeam )
Files (Lister opp filer på de fysiske hostene)
Backup Infrastructure (Her definerer du hvilken servere som skal være Proxy servere, hvilken server som skal være repository og hvilken servere som er administrert av Veeam)
History (Lister opp alle jobbene som har blitt kjørt via Veeam)

I tillegg har du en ekstra meny når du klikker på Session Tools knappen øverst til venstre, her får du tilgang til PowerShell modulen, muligheter til å sette
brukertilganger, definere traffic throttling, ta backup av konfigurasjonen og sette opp varsling (snmp og e-post) Jeg kommer til å komme litt innom PowerShell og eksempler du kan bruke senere.
Under “Help” menyen har du også mulighet til å se på lisensen som er bundet opp I mot Veeam serveren og muligheten til å endre lisensen.


Da ble denne posten lang nok, neste gang vil jeg gå igjennom hvordan man legger til Hyper-V servere å setter opp en Backup Job og hva de ulike innstillingene gjør for noe.

Windows Server 2012 deployment via PowerShell

Now with the release of Windows Server 2012, Microsoft has added a huge huge huge improvement in PowerShell, there are about 2400 cmdlets available, and Microsoft have said that there are more to tome.
Just to display how easy it is, I thought Id give a walkthrough deployment of a simple Server 2012 farm.
1x AD Domain Controller
1x RDS server session deployment with remoteapps.
1x File Server using data DE duplication and used for serving the user profile disks on the RDS server with NIC teaming. And Having 3 disks in a storage space and volumes using disk parity.

Now we are going to host all of these 3 servers on a WS2012 Hyper-V server. So first of we create a virtual network where these hosts are going to be.

First we create the switch

New-VMswitch –name vm-switch –switchtype internal

Then we create the first virtual machine and add it to that internal network.

New-VM -NewVHDPath e:\vm\ad.vhdx -NewVHDSizeBytes 20GB -BootDevice CD -MemoryStartupBytes 2GB -Name AD
Remove-VMNetworkAdapter –VMName AD –Name “Network Adapter”
Add-VMNetworkAdapter -VMName AD -Name «Network Adapter» -SwitchName vm-switch

After that we can boot the first computer. This is going to be our domain controller, and for the purpose of this demonstration we are going to install this as a Server Core server. (Server Core is a stripped down server which basically gives you an command prompt that you can work from.
IF you wish to manage the server you either need to use sconfig, PowerShell or Server Manager

If you wish to install full GUI on it afterwards you can do this using the commands

Install-WindowsFeature server-gui-mgmt-infra,server-gui-shell -source:wim:d:\sources\install.wim:4 –restart

If you look at the last command there you see that I needed to specify the source (Because when I install with Server Core it removes all the unnecessary binaries from the install so you need to insert the installation media and in my case it was ISO file on the D: drive.  And I also needed to specify the install WIM file and the WIM file contains the images for Datacenter and Standard Core and with GUI so the number 4 states Datacenter with GUI.

When the server is up and running we have to configure the network, domain name and such.

New-Netipaddress –ipaddress –interfacealias «Ethernet» –Prefixlenght 24
Set-DnsClientServerAddress -InterfaceAlias «Ethernet» -ServerAddresses
Rename-computer adds

This will add the IP address of on the interface Ethernet with a subnet mask of /24
And set the DNSclient to itself (since the ADDS installs DNS as well)
Renames the computer ADDS and does a restart.

After that we install ADDS. This is the simplest setup and uses most of the default values.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest –DomainName test.local

This will install a ADDS domain service on this server (as well including DNS server) with the domain name of test.local
after that you have to restart the computer. When the server is finished booting, you have a fully functional domain server so now its time to install the RDS server.

New-VM -NewVHDPath e:\vm\rds.vhdx -NewVHDSizeBytes 20GB -BootDevice CD -MemoryStartupBytes 2GB -Name RDS
Remove-Vmnetworkadapter –Vmware RDS –name “network adapter”
Add-VMNetworkAdapter -VMName AD -Name «Network Adapter» -SwitchName vm-switch

So now we run the same create vm command as we ran before just change the name and file name.
We install a full server with GUI this time since we want the remote desktop users to get a full desktop Smile
After the server is finished installing we need to setup the basic stuff as we did before.

New-Netipaddress –ipaddress –interfacealias «Ethernet» –Prefixlenght 24
Set-DnsClientServerAddress -InterfaceAlias «Ethernet» -ServerAddresses
Rename-computer rds
Add-Computer -Domainname test.local –Credential

This time we set the DNS client to point to the AD server. And change its name and join it to the domain. After the restart we have to install the RDS server role.
As we are going to host all the server roles on the same server (not very secure or recommended but simple Smile 

New-RDSessionDeployment -ConnectionBroker test02.test.local -WebAccessServer test02.test.local -SessionHost test02.test.local



Remove-RDSessionCollection QuickSessionCollection

New-RDSessionCollection -Collectionname Statistikk -sessionhost test02.test.local -connectionbroker test02.test.local

New-RDremoteApp -Collectionname Statistikk -Alias Notepad -Filepath C:\windows\system32\notepad.exe -ShowInWebAccess 1 -ConnectionBroker test02.test.local -Displayname skriveskrive

Now what this does is to 1: Install the RDS server roles and point to where each server role is located, and then restart the computer.
After that is done it removes the QuickSessionCollection as is created by default when using Quick Deployment.

Creates a new collection and points to which sessionshost and connection broker is included in this collection.
Then it publishes the application Notepad and makes in available to users via the RDweb portal.  And note I didn’t set up user profile disk on the RDS server yet since we need to set up the file server before we do that.

Now we have to create the file server, now this server needs to have multiple network cards and multiple disks in order to have High-availability.
So we start by creating the VM with multiple nics and hdds.

New-VM -NewVHDPath e:\vm\rds.vhdx -NewVHDSizeBytes 20GB -BootDevice CD -MemoryStartupBytes 2GB -Name FS

New-Netipaddress –ipaddress –interfacealias «Ethernet» –Prefixlenght 24
Set-DnsClientServerAddress -InterfaceAlias «Ethernet» -ServerAddresses
Rename-computer fs
Add-Computer -Domainname test.local –Credential

So here we create a fileserver virtual machine with 2 NICs and 3 virtual harddrives.
Drive 2 and 3 will be used for a storage pool with mirrored setup. Now setting up two virtual drives in a mirrored setup doesn’t make much sense but this is just to show how easy and flexible the deployment is.
Now after the server is finished installign and has joined the domain we can start by setting up the NIC teaming.

New-lbfoteam –name Test –Teammembers «ethernet 2», «ethernet» -loadbalancingalgorithm Ipaddresses –teamingmode switchindependent –teamnicname SuperPowah

You can run the command

get-lbfoteam and get-lbfoteamnic

To see the status of the team and the NIC (If its up and down or not )
Now what this does is to create a new load balance and failover team called Test, and it includes the two interfaces ethernet 2 and ethernet and the load balancing algorithm is based on IP addresses, and I choose the teaming mode switch independent and the team nice is called SuperPowah. Now that we have done that the first NIC loses it’s IP address settings so now we have to setup an IP setting for the new NIC name SuperPowah

New-Netipaddress –ipaddress –interfacealias «SuperPowah» –Prefixlenght 24
Set-DnsClientServerAddress -InterfaceAlias «SuperPowah» -ServerAddresses

Next we have to install the dedup features (Which is not installed by default. )

Install-windowsfeature FS-data-deduplication

By default the schedule for a dedup job is set to default 5 days, but that can be changed. You can also run it manually by running the command.

Start-dedupjob –volume e: –type optimization

You can view the status by running the command


If you wish to remove dedup from a disk you can run the command

Start-dedupjob –volume e: –type unoptimization

Next we create a new folder on the new share then we share the folder.

mkdir userdata on C:\
new-smbshare –path c:\userdata –name userdata

Now after that share is created. We have to update the RDS collection configuration

Set-RDSessionCollectionConfiguration –Collectionname statistikk –EnableUserProfileDisk –diskpath \\fs\userdata –MaxProfileDiskSizeGB 40

So there you go, I will try to update this with some other scenarios as well.

Error when starting a VM in Hyper-V 2012

Quick post!
Got an error after I’ve upgraded my servers from 2008 R2 to 2012 and I wanted to boot my VM’s.
In the event viewer I got this error message Hypervisor launch failed; Secure Mode Extensions have been enabled by the BIOS. Please disable Secure Mode Extensions in the BIOS to launch Hyper-V.
I the hyper-v manager I got the message:

Virtual machine ‘VM_Name’ could not be started because the hypervisor is not running (Virtual machine ID <Virtual_Machine_ID>). The following actions may help you resolve the problem:

  1. Verify that the processor of the physical computer has a supported version of hardware-assisted virtualization.
  2. Verify that hardware-assisted virtualization and hardware-assisted data execution protection are enabled in the BIOS of the physical computer. (If you edit the BIOS to enable either setting, you must turn off the power to the physical computer and then turn it back on. Resetting the physical computer is not sufficient.)
  3. If you have made changes to the Boot Configuration Data store, review these changes to ensure that the hypervisor is configured to launch automatically.

This was a bit odd since it was working for 2008 R2, so I tried the basics.

First I ran systeminfo and saw under Hyper-V requirements to see that it was fully supported.

Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes

I ran the command bcdedit /set hypervisorlaunchtype auto
Since it stated that the Hypervisor was not running.

Tried a reboot, but still nothing happened.
In my case it was because I had an old BIOS driver on my server so when I updated my BIOS everything started working again , so remember to check that you have the latest BIOS driver, that is always a good best practice Smile

Windows Server 2012 & System Center 2012 licensing

Even thou Microsoft said that it would be easier it was still a bit difficult for me to understand how it worked, but in the end I finally got a good grasp of how the licensing model works so therefore I would like to share it with you. Windows Server 2012 and System Center 2012 is licensed in the same manner, so therefore it easier to combine both of them.

First of System Center and Windows Server 2012 comes in two editions. Standard and Datacenter
The difference between the two is the the right to virtualize.

Standard allows you to have 2 virtual server OSE
Datacenter allows for unlimited virtual servers OSE 

And also remember that each license covers two processors
You also need to remember that there are no differences between Standard and Datacenter, they have all the same functions and they have no restrictions.
If you plan to have implement both these solutions you might want to consider a Core Infrastructure license with contains either Standard ( Windows Server & System Center ) or Datacenter ( Windows Server & System Center) at a reduced price.

Some estimated prices on Server: Datacenter $4,809 Standard $882
and on System Center: Datacenter $3,607 Standard $1,323

Some examples of pricing.
1 physical server, 1 CPU, 1 VM = 1 Standard license
1 physical server, 4 CPU, 1 VM = 2 Standard license (or 2 datacenter) 
1 physical server, 4 CPU, 10 VM = 5 Standard license ( or 2 datacenter)
1 physical server, 4 CPU, 20 VM = 10 standard license ( or 2 datacenter would be a lot cheaper to buy datacenter here)
2 physical server, 2 CPU each, 2 VM each = 2 standard license (or 2 datacenter ofc it would be a lot cheaper to buy standard here)

So some other examples (What if I have 1 Datacenter license on Server 2012 and System Center and I have 2 CPU’s and I have Operations Manager installed, what happens if I want to install Configuration Manager on some virtual machines on the server?) Nothing! licensing is based on physical processors not virtual.

So what is the catch, what else do I need to think of ?
For Server you still need a CAL for each user that is accessing the server
For System Center you still need a Client ML(Management License) for each managed device that run non-server OSE’s
And for System Center you have 3 different Client ML
Configuration Manager Client ML ( Configuration Manager and Virtual Machine Manager) (Included in Core CAL)
Endpoint Protection Subscription ( Endpoint Protection ) (Included in Core CAL)
Client Management Suite Client ML ( Service Manager, Operations Manager, Data Protection Manager, Orchestrator) (Included in Enterprise CAL)

So if have 1 server with 2 physical CPU (without virtual machines on that server) and you wish to manage 50 computers using ConfigMgr and have Endpoint Protection you would need
1 Standard Server license, 1 System Center Standard license, 50 Configuration Manager Client ML + Endpoint Protection Subscription (Unless you have an Core CAL in place)