[[TOC(inline, depth=1)]] = Introduction = Microsoft has some documentation about HLK testing and WHQL signing, but it is quite incomplete, and there is lots of room for speculation and anecdotes. Practical testing is often required to understand the requirements fully. Therefore some of the requirements documented in this article are bound to change. Different Windows versions have different kernel-mode signing options: * Windows 7/8/8.1/Server 2012r2 * Cross-signing * WHQL-certified (HCR) * Windows 10 desktop * Attestation signing * WHQL-certified (HLK) * Windows Server 2016/2019 * WHQL-certified (HLK) In this article we focus on HLK testing, which allows getting a WHQL signature for a kernel-mode driver. This is the only way to make a driver load on Windows Server 2016 and later. = Getting source code for tap-windows6 = Sgstair patched tap-windows6 to pass the HLK tests. [https://github.com/sgstair/tap-windows6/tree/hlkwork His work] has now been merged to the upstream tap-windows6 project = HLK test environment overview = HLK testing always requires a HLK !Controller/Studio node, plus one or more HLK clients. The HLK client Windows version and HLK versions need to be in sync [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/ as described in MS documentation]. According to practical testing done by [https://www.wintun.net/ wintun] developers it is possible to get a code signature that is valid for all Windows 10 platforms using the following HLK clients: * Windows Server 2019 Desktop (64-bit) * Currently the [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/6ab6df93-423c-4af6-ad48-8ea1049155ae Static Tools Logo Test] has to run on "Desktop" Server variant * Windows Server 2019 Core (64-bit) * The [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/ac3eb111-539a-4b7b-93f2-d542bd8a2135 Operate in Server Core test] needs to run on "Core" server variant * Windows 10 desktop (32-bit) Wintun was able to pass HLK testing without any ''physical'' HLK clients. But because Wintun advertised itself as a virtual device it had a narrower scope and had to pass fewer HLK tests (~50 in total) than tap-windows6 (68 tests with filters applied). For the HLK controller you can use a virtualized (Virtualbox, VMware) Windows Server 2016 or 2012r2 instance. For tap-windows6 testing a support machine is also needed. To be on the safe side use the same OS version and build as the HLK client. There are some additional requirements for tap-windows6 that stem from generic [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/lan-testing-prerequisites LAN testing prerequisites]: * HLK client needs at least 4 virtual processor cores (unverified) for Windows Server certification * HLK clients need to be physical computers, not virtualized (unverified) Also try to get a quality fast network switch. Slow switches can cause issues on some of the tests. However, a cheap 10€ switch may end up working just fine. = Installing HLK software = For HLK software installation please refer to the official MS documentation, check out [https://github.com/Puppet-Finland/puppet-hlk/ puppet-hlk] and [https://github.com/Puppet-Finland/puppet-hlk_tap6_openvpn puppet-hlk_tap6_openvpn] or try out the [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/getstarted/getstarted-vhlk Windows Virtual Hardware Lab Kit]. The version of HLK you need to install depends on the version of Windows you're attempting certify as described in [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/ Microsoft documentation]. To check Windows version from Powershell do: {{{ PS> [System.Environment]::OSVersion.Version }}} = Preparing HLK clients = For multimachine tests you need to name some of the devices on the HLK test client (that actually runs the tests) and support machine (second machine that is connected “back to back” through the VPN). The non-VPN interface through which the nodes communicate with the HLK controller should be named "MessageDevice" and the tap-windows6 adapter on the support machine should be named "SupportDevice0". Details in [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/lan-testing-prerequisites LAN testing prerequisites]. You also have to enable test signing so that you can load unsigned ("to be tested") drivers on both HLK client and support machine: {{{ PS> bcdedit /set testsigning on PS> shutdown /r }}} Then you need to install the HLK client software from the HLKInstall SMB share on the controller. You also need the automatically generated test certificate ("WDKTest*") from the tap-windows6 build machine to the Windows certificate store on the HLK clients. After all this you can install the test-signed driver without signature errors. = Setting up OpenVPN for HLK tests = The "Run tests" in HLK fail consistently unless the tap-windows6 adapter has an IPv6 gateway address. This can be resolved by a simple bridged peer to peer OpenVPN setup, where interface settings are configured statically outside of OpenVPN. The first steps are: * Install the latest OpenVPN 2.x on the HLK client and support machine * Install the same, test-signed (to-be-HLK-tested) tap-windows6 driver on the HLK clients * Configure static IP, netmask, gateway, etc. for the TAP interface * Disable Windows Firewall for the TAP adapter / Private networks. This is not strictly necessary, but saves time. Then generate a shared secret with "openvpn --genkey" so that you can use it in the OpenVPN config. The OpenVPN configuration file for HLK client and support machines can be identical except for the "remote" settings: {{{ dev tap mode p2p cipher AES-256-CBC secret hlk.key remote verb 3 }}} The above setup is symmetric in the sense that neither node is a client or a server, and either one can initiate the connection. This is similar to what is described in the [https://openvpn.net/community-resources/static-key-mini-howto/ static key mini-howto]. To verify OpenVPN connectivity launch it from an administrator Powershell session first on both machines: {{{ PS> cd C:\Program Files\OpenVPN\config PS> ..\bin\openvpn.exe --config hlk.ovpn }}} If you see that connection was established try to ping the VPN IPs (IPv4 and IPv6) of the other party from both ends. If that succeeds, you can stop OpenVPN and let OpenVPNService manage it from there on: {{{ PS> Set-Service OpenVPNService -StartupType Automatic -Status Running }}} Some have had more luck with the legacy service (OpenVPNServiceLegacy). = Preparing HLK studio/controller = == Select the device to test == When you have created a Project the next step is to select what to test. Go to "Selection" tab and select "TAP-Windows Adapter V9" of the HLK client (not support) machine. == Set product type == In the HLK Studio's Project tab you will see a category called "Product Types" at the right, like in [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/user/hlk-studio here]. When you create a new project the "Product Types" section will be empty, and you need to make it says LAN, or you end up doing all the testing work and only get certified as an "Other Driver". HLK product types are listed in the [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/user/hlk-product-type-matrix product type matrix]. The way to add the "LAN" product type is to go to the "Selection" Tab, select "Device Manager" on the left, then right click on the TAP adapter and add the feature for Device.Network.LAN.PM (power management). HLK then notices that all features for the "LAN" product type are met and it adds the "LAN" product type to the project. == Loading compatibility playlists == Make sure to get the HLK Hardware Compatibility Playlists (on the main HLK download page), and apply the one for the correct context, e.g. HLK Version 1809 CompatPlaylist x64 Server.xml. The playlist narrows down the list of tests to the set required to get an HLK certification, removes some extra stress/failure verification type tests designed to help find driver crashes. There’s a “Load Playlist” option in the tests panel in the HLK studio app that you can use. == Adding machines to pool == It seems required/useful to add HLK clients to the pool first, then the support machine. Otherwise when you select the driver in "Device manager" tab HLK will assume that the HLK support machine has the driver under test. This ''may'' create problems down the line. = Configuring and running the mandatory HLK tests = == Multi-machine tests == Then when you go to schedule the multimachine test, you can change the “role” dropdown to the support machine, and select the support machine (should be there if you have two ready machines in the pool). Some of the non-NDIS tests that require “a working network connection” can just be given a valid IPV6 address on the VPN network and they will be happy with that. Whenever you see the “WDTFREMOTESYSTEM” parameter when scheduling a test, set it to an IPv6 address the system can ping over the VPN link. This could be the ipv6 address of the “support” system, or it could be some other arbitrary system on the VPN. This might not be necessary if the device under test has a working IPv6 gateway address that points to, say, support machine's tap adapter interface. But wearing belt and suspenders is not a bad idea when running HLK tests. == NDISTest 6.5 - 2 machine - Linkcheck == This test tests plugging and unplugging the (virtual) ethernet cable. For this test you have two options: * Start and stop the service when running this to make the link start and stop * Note that you can't do this from Powershell prompt of the DTMLLUAdminUser which you may end up being in. You can still use the graphical services management, or possibly use an elevated Powershell prompt. * Use Tapdiag to change link state on the test system In either case follow the interactive messagebox prompts. You may need to detach and attach the "cable" twice. == NDISTest 6.0 - 2 Machine - 2c_Priority == Use Tapdiag to enable 802.1Q on both machines before running the NDIS QoS test (2c_Priority). The process for using tapdiag is: 1. tapdiag /enable # Sets a registry key that enables the .tapdiag endpoint in the driver 1. Restart the TAP driver, reboot or disable/enable in device manager. May need to stop the openvpn service to avoid a reboot – Reconnect VPN 1. tapdiag /link:[on|off] # Use to unplug/plug ethernet cable 1. tapdiag /setq:[on|off|always] # to set the 802.1Q handling. Driver now disables 802.1Q by default. Note that the tapdiag configuration is runtime only – if you reboot the test machine, you will lose the 802.1Q state. == NDISTest 6.5 - 2 Machine - !AddressChange == This will definitely fail on slower machines. It worked fine on 1 year old i7 systems. == NDISTest 6.5 - 2 Machine - E2EPerf == The ''E2EPerf'' test seems to fail if the test adapter and the support adapter have different link speeds. This is visible from the logs of "Run NDISTest Client (no verifier)": {{{ ERROR: Support Adapter must be connected at a link speed greater than or equal to the Test Adapter }}} This is a problem if the support machine has an old tap-windows6 driver version that claims to be 100Mbps whereas the device under test ("DUT") is advertising itself as 1Gbps device. Resolve by installing the correct (1Gbps) tap-windows6 driver version to the support machine as well. == NDISTest 6.0 - 1 machine - 1c_FaultHandling == This test can if you happen to have even one Network device that does not have a functional driver. The failure will then happen at the "Run NDISTest Client" phase when it tries to stop the (tap-windows6) driver: {{{ Error: Unable to stop driver Error Type: NT_STATUS Error Code: 0x5473 Error Text: Error 0x00005473 }}} More details are available in the log file ''ndistest.htm'': {{{ Variation #3 StopDriver StopDriver - GUID: {0CCB2729-3A97-4B26-863E-1FA8162F2F99} [1062062]NDTSupp: Unable to open NetCfg device registry key. Error = 0xe0000204 Unable to collect setup information for all network devices Unable to build PNP information translation list [1062062]NDTSupp: Unable to convert GUID to an instance ID FAILED: [21619] Unable to stop driver }}} The only hint here that tap-windows6 itself might not be to blame is the phrase "all network devices". In my case on Windows Server 2019 Datacenter Evaluation the problem was a Wireless LAN adapter whose driver was not functioning properly. The fix was to disable Wireless LAN altogether from BIOS. Installing a working driver would probably have solved the problem as well. Once you get past these failure, at the end of the test !OpenvpnService might not re-establish a link. WHQL seems to get the OpenVPN service into a bad state, just restart the OpenVPN service and the test will pass. The test waits a few minutes for the link to come back up. == NDISTest 6.0 - 1 machine - 1c_NdisRequestCov == This test may fail at "Run NDISTest Client" -> "Restore protocol bindings" phase: {{{ Error: Unable to restore device settings at the end of the test Error Type: NT_STATUS Error Code: 0x15b38 Error Text: Error 0x00015b38 }}} While the error message is not the same as with 1c_FaultHandling and with 1c_Registry, the cause seems to be the same, as well as the remedy: ensure that you don't have any disfunctional network device (drivers). == NDISTest 6.0 - 1 machine - 1c_Registry == This test has the same issues as 1c_FaultHandling, above. The same remedies apply. == NDISTest 6.0 - 2 machine - 2c_Mini6Stress == Sometimes this test will hit a breakpoint in the NDIS test code. The breakpoint seems harmless and complained about some packets not getting confirmed. If you don't connect a kernel debugger this will cause a !BugCheck and the test will fail. If this happens connect a kernel debugger and rerun the test. When the breakpoint is hit press (l) Always Ignore and the test will pass. You may also get away with just rerunning the test until it passes. == TDI filters and LSPs are not allowed == This test may fail due to broken network drive mappings. The hints are available in "Infrastructure -> Execution Logs -> WttEa.log: {{{ 2980 4496 2019:5:31 18:48:8:90 Error: 0x8205aaaf, Error 0x8205aaaf winsockerror code of 11001 File=sdktools\wtt\jobs\wtttransportproviders\wttcommtcpip\src\wttcommtcpip.cpp Line=656 PersistManager:EA:JobCancel::token::57M710T-> --- snip -- 2980 5488 2019:5:31 18:48:11:210 Error: 0x800704c3, Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again. CRunManager::GetLogLocation()::(null)::CAUSE:Error returned from EnableShareAccess to the root of "\\controller.hlk.local\HLKLogs\EaFolderAccessCheck\4825BE12-3B91-4414-B8E2-5AD703D69BB3" File=sdktools\wtt\jobs\runtime\wttexecutionagent\eamanager\runmanager\src\runmanager.cpp Line=2379 }}} If this happens you should see a network share that is unavailable: {{{ PS C:\Users\Administrator> net use New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------------------- Unavailable R: \\hlk-controller.openvpn.in\HLKInstall Microsoft Windows Network The command completed successfully. }}} To resolve, unmount the network drive: {{{ PS C:\Users\Administrator> net use R: /DELETE R: was deleted successfully. }}} == Static Tools Logo Test == The [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/6ab6df93-423c-4af6-ad48-8ea1049155ae Static Tools Logo Test] checks for the presence of a Driver Verification Log (DVL) log file as described in the [https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/creating-a-driver-verification-log official MS documentation]. The verification log does not have to come from the same ''build'' as the one you install to the HLK clients, but it almost certainly has to be based on the exact same ''source code''. Tap-windows6 buildsystem runs code analysis automatically for x64 Release builds, so build that variant as the first step. Test analysis files are under directory ''tap-windows6\src\x64\Release'' named as ''.nativecodeanalysis.xml''. Results of the code analysis are not enough, as you also need to [https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/creating-a-log-file-for-static-driver-verifier Creating a log file for Static Driver Verifier]. Creating the Static Driver Verifier logs is a simple process once you know it. Launch a ''x64 Native Tools command prompt'' that comes with Visual Studio 2019. Then {{{ PS> cd tap-windows6\src PS> msbuild C:\users\samuli\opt\tap-windows6\src\tap-windows6.vcxproj /p:Configuration=Release /p:Platform=x64 /target:sdv /p:inputs="/check" }}} Note that you need to "cd" to the "src" directory. You also need to provide the full path to the vcxproj file. The SDV tests will take quite a bit of time so don't wait holding your breath. Once they pass you need to merge the results of SDV and codeanalysis. You can do this from Visual Studio 2019 from the "Extensions" -> "Driver" menu, or using the command-line: {{{ cd tap-windows6\src $ msbuild tap-windows6.vcxproj /target:DVL /p:Configuration=Release;Platform=x64 }}} The end result is a file called ''tap0901.DVL.XML'', which you should copy to ''C:\DVL'' on one of the HLK clients, after which the Static Tools Logo Test should pass. = Various known issues = == Failures to Copy downlevel NDISTest binaries == An issue that occurs in many tests and which ''looks'' serious, but is actually not that, is the error at "Copy downlevel NDISTest binaries", where it starts to look for non-existing files from the Controller SMB share: {{{ Cause : Failed to Start the Task Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis62\ndprot62.sys" Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis62\ndprot62.sys" Failure : Failed to Start the Task "Copy downlevel NDISTest binaries" Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis62\ndprot62.sys" Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis61\ndprot61.sys" Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis61\ndprot61.sys" Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis61\ndprot61.sys" Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis6\ndprot60.sys" Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis6\ndprot60.sys" Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis6\ndprot60.sys" Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis51\ndprot51.sys" Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis51\ndprot51.sys" Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis51\ndprot51.sys" }}} If you mount the share manually on the HLK client you'll notice that either the entire directories or individual .sys files are missing indeed: {{{ PS> net use X: \\controller.hlk.local\tests The command completed successfully. PS> Get-Childitem x:\amd64\NetHlk\NDISTest\bin\ -filter "ntndis*" Directory: x:\amd64\NetHlk\NDISTest\bin Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 5/30/2019 7:07 AM ntndis51 d----- 5/30/2019 7:07 AM ntndis630 d----- 5/30/2019 7:07 AM ntndis650 d----- 5/30/2019 7:07 AM ntndis660 d----- 5/30/2019 7:07 AM ntndis680 }}} While this step fails, it seems that it ''can'' fail yet the test as a whole can pass. The failure reason icon (see [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/user/troubleshooting-windows-hlk-test-failures here]) in this case should be "Canceled", i.e. "A user canceled the test, or a task has been canceled because the preceding task failed." == HLK clients can't be activated == If you upgrade HLK software on both controller and client/support you may end up with a situation where you can't put any of the clients into "Ready" state. You may be able to resolve this by removing the machines from the pool, and deleting them from the default pool, and then restarting HLKSvc service on the clients. == Packet transmission too slow == This can result in test errors like "Expected minimum of 237 packets but we received 200 packets". The test allows one second after all the sends have been completed for all the packets to be received. Disabling verbose log printing in the server makes it more reliable. == Packets reordering == Packets can (rarely) be reordered in flight, which causes an assertion in the test driver. Hints are errors such as * "1 total breakpoints were hit in the protocol driver while this test was executing" * "Out of order indication" * "Dropped indications" HLK doesn't complain if some packets are lost, instead these errors are raised when out of order packets are received. The OpenVPN architecture has some inherent race conditions that can cause reordering of packets. This has happened 2 or 3 times over dozens of runs, and does cause a test failure, but a rerun should pass. == Address Change test failures == You may encounter failures in the "Address Change" test. It’s a combination of a few factors: * OpenVPN client sets the network link status around a second before the server actually starts forwarding any packets to the client. This is quite possibly an order of operations bug in openvpn. * That would be well and good, but the address change test has extremely aggressive timings * It starts sending packets almost immediately once the link status comes up, and stops listening for packets less than a second after that. This failure seems to be related to newer OpenVPN versions. Logs for reference: {{{ (Test system connecting after MAC address changes) … Wed Feb 20 22:03:43 2019 us=810407 vpnclient-nopass/192.168.1.36:1194 Data Channel MTU parms [ L:1581 D:1450 EF:49 EB:411 ET:32 EL:3 ] Wed Feb 20 22:03:43 2019 us=810637 vpnclient-nopass/192.168.1.36:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Feb 20 22:03:43 2019 us=810765 vpnclient-nopass/192.168.1.36:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key (Other system starts to send test packets) WWWWRWed Feb 20 22:03:48 2019 us=680899 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood wWRWed Feb 20 22:03:48 2019 us=681534 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood wWRWed Feb 20 22:03:48 2019 us=681869 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood … wWRWed Feb 20 22:03:49 2019 us=158052 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood (Other system is done sending packets) (Openvpn server starts forwarding packets at around this point.) wWRRRWed Feb 20 22:03:50 2019 us=472525 vpnclient-nopass/192.168.1.36:1194 MULTI: Learn: 02:02:04:06:08:08 -> vpnclient-nopass/192.168.1.36:1194 … }}} Another side note – The “unicast destination [00:ff:e9:88:37:ca]” in those messages is incorrect – those packets are actually directed to the “02:02:04:06:08:08” address. The flood message in the patch is showing the source address. == HLK client version mismatches == The HLK client version (e.g. Windows 1809) needs to match the HLK version (HLK 1809). If there is a mismatch there can be some setup issues (some semantics of driver verifier configuration changed, or some of the test components might have failed on the OS version). == Controller misuses support machine == The controller seems to arbitrarily pick which machine is Support and which one is under Test. If it has trouble picking name one of the TAP adapters SupportDevice0. Picking the options in the UI didn't change the behavior. So for the tests you are baby sitting pay attention to which the server and and which one the client is. The server will run a server.htm in NDIS test so it will be obvious. == Driver parameters == Not sure if the below had any effect but was changed when doing this test: In !OemVista.inf.in: *!PhysicalMediaType = 0x0 ; !NdisPhysicalMediumUnspecified This was done to be consistent with what was in constants.h, but it also seemed to get some tests passing. == Test-signing issues == You may encounter the follwoing error when building with EWDK from the command-line with buildtap.py with --hlk switch, which has test-signing enabled: {{{ SIGNTASK : SignTool error : No certificates were found that met all the given criteria. }}} This happens even though a properly named (e.g. "WDKTest samuli") certificate is present under ''cert:\!CurrentUser\My''. This problem was probably caused doing a "Hlk" build from inside Visual Studio 2019 Community, which created the WDKTest certificate automatically, but in a way that EWDK was unable to use it. This problem can be resolved by simply removing the old certificate. For example: {{{ PS> Remove-Item Cert:\CurrentUser\My\91047502F73D5410C106E05CEC8A990219810FBE }}} Then just run buildtap.py with --hlk to create a new test-signing certificate. You will also need to export the new certificate from the certificate store. For example: {{{ PS> Get-Childitem Cert:\Currentuser\My\F1E725722C5BB56757B6D261D958425869213089|Export-Certificate -Filepath C:\users\samuli\opt\wdktest-samuli.cer }}} Then import that certificate to the certificate store on HLK clients. The puppet-hlk_tap6_openvpn module handles that part automatically with Powershell DSC. = HLK logging = HLK controller logs problems mostly to event logs, so when tests are failing in an unusual fashion you can possibly find out why in the event viewer. When you have issue putting an HLK client into "Ready" state, for example, have a look at the event log. The HLK tests fortunately provide tons of logging visible for HLK Studio. Check sections "Error", "Task log", "Infrastructure" in the context menu for the test in question to see what you can find. = Debugging = It is possible to get HLK into strange states. For example: * HLK clients / support machines do not get into "Ready" state * Launching two-machine tests fail with duplicate database key errors Some things you can try to get past these errors: * Restart the "hlksvc" Windows service * Reboot HLK nodes (controller, clients, support machine) * Reinstall HLK client software and reboot HLK client * Create a new HLK project * Create a new pool and move HLK client machines there * Delete HLK clients from the pool The are known to work sometimes, but so far I have not been able to establish any logic here. = Addendum = == Tap-windows6 as virtual network device == Changing the TAP interface type to be a virtual adapter in the INF file does not seem to work. It seems to mess up the NDIS tests which looked for a device that advertised as physical to assign a SupportDevice. Maybe this is something we can eventually work with Microsoft to fix. == Note on reboots == Reboots seems to happen randomly during test setup. This can be a nuisance if you are monitoring the services window or the network connections window. Helpful to make shortcuts to these so they can easily be opened. == Firewall rules for HLK server and clients == Installing HLK software automatically opens ports in the Windows firewall for HLK traffic. In case HLK controller and HLK clients are not in the same switch some firewall (e.g. EC2 security group rules) might block HLK traffic. Here is a reference for the ports which need to be open for HLK tests to work: * OpenVPN peer (udp/1194) <-> OpenVPN peer (udp/1194) * HLK clients -> HLK controller tcp/1771 (HLK Server Receiver Port) * HLK clients -> HLK controller tcp/1782 (HLKSvc Receiver Port) * HLK clients -> HLK controller tcp/445 (HLKInstall Samba share) * HLK controller -> HLK clients tcp/1771 (HLK Server Receiver Port) Outbound traffic is assumed to be unrestricted. If not, adjust egress rules accordingly. Also note that IPv6 traffic needs to flow properly in the OpenVPN virtual network as HLK tests require IPv6. = External links = * [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/device-network-tests Device.Network tests] (reference) * [https://download.microsoft.com/download/0/8/0/080BEFA0-416B-425A-BE37-B9E41B7C4C6B/WHCP-Documents-1809.zip WHCP Documents (HLK 1809)] * Zip containing PDFs that contain some of the best info on WHCP certification requirements * [https://techcommunity.microsoft.com/t5/Windows-Hardware-Certification/bg-p/WindowsHardwareCertification Windows Hardware Certification blog] ([http://certification1456.rssing.com/chan-30129828/latest.php update feed] on new HLK releases etc) * [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/user/troubleshooting-windows-hlk Troubleshooting Windows HLK] * [https://github.com/sgstair/tapdiag tapdiag]: a tool that is used to manipulate tap-windows6 at runtime for some HLK tests * [https://github.com/Puppet-Finland/puppet-hlk/ puppet-hlk]: Puppet module for setting up HLK controllers and HLK clients * [https://github.com/Puppet-Finland/puppet-hlk_tap6_openvpn puppet-hlk_tap6_openvpn]: Puppet module for setting up OpenVPN and network interface configurations for HLK testing * [https://docs.microsoft.com/en-us/windows-hardware/test/hlk/getstarted/getstarted-vhlk Windows Virtual Hardware Lab Kit] * [https://aka.ms/HLKPlaylist] Compatibility Play Lists (Understanding is these are the only ones necessary to get signed) * [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-drivers-signed-by-microsoft-for-multiple-windows-versions Getting drivers signed by Microsoft for multiple Windows versions]