Hyper-V, Credential Guard, Device Guard, or why doesn’t VMware Workstation or VirtualBox work on Windows 10?

It’s frustrating if you’re seeing the the message from VMware Workstation about Device Guard or Credential Guard or the similar one from VirtualBox.

But, there are a few thing to clarify before going off on a search for those devices.  First, if you’ve got Hyper-V installed, that is the most likely culprit here and disabling or removing that feature should solve your issue.

Some things to consider:

If you’ve got Windows 10 Home, then you don’t have Hyper-V enabled. See: https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/hyper-v-requirements

If you have Windows 10 Home or Pro you do not have Credential Guard enabled.  It is a feature only in Enterprise, Education, and IoT Enterprise versions of Windows 10. See: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

 

This is great info, but what do you do about getting Workstation or VirtualBox to work?

Again, the most likely culprit is Hyper-V.  Disabling or removing and a reboot should resolve this.

Disable or Remove Hyper-V

Disable Hyper-V

Open an elevated command prompt or PowerShell (right-click and select Run as Administrator)

Enter: bcdedit /set hypervisorlaunchtype off

Reboot.  (To re-enable Hyper-V, open an elevated prompt and enter:  bcdedit /set hypervisorlaunchtype auto and reboot.)

Remove Hyper-V

Go to Control Panel–>Programs and Features, select Turn Windows features on or off.

Expand Hyper-V, then expand Hyper-V Platform.

Uncheck Hyper-V Hypervisor.

Reboot.  Please note that removing Hyper-V could affect the functionality of other features of Windows 10 such as Docker.

 

Windows Hypervisor Platform

While this is supposed to allow 3rd party virtualization to access the hardware virtualization on the host, it doesn’t seem to work for either Workstation or VirtualBox.  Workstation  gives the same standard Credential Guard message.  VirtualBox is supposed to work per their changelog, but the communities have posts reporting failure and a bug report on it.

Disable Windows Hypervisor Platform

Go to Control Panel–>Programs and Features, select Turn Windows features on or off.

Uncheck Windows Hypervisor Platform

Reboot.

 

Disable Device Guard

Editing the Registry will disable this feature.  Please make sure you have a backup of your system, as editing the Registry can result in an unusable or broken Windows.

Edit the following key:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity

Set:  Name = “Enabled”  Type =dword  Data = 0

Reboot.

Alternately, you can use the Local Group Policy Editor to manage Device Guard.

Start gpedit.msc or find Local Security Policy from the start menu.

Expand Computer Configuration\Administrative Templates\System\Device Guard and change the state to disabled.  If you see the same settings as below, you probably don’t have Device Guard enabled.

 

Credential Guard

Credential Guard is controlled via Group Policy, so it’s likely that if this is the issue, you’ll be unable to do anything about it yourself.  You’ll need to contact your IT department to have this turned off.  Again, Credential Guard is only available on Enterprise, Education, and IoT Enterprise.  If you don’t have one of these versions, this isn’t the culprit.

 

Antivirus Utilities

There is one more culprit that could be causing the issue.  Some antivirus software blocks hardware virtualization.

Check with your antivirus vendor to confirm this isn’t an issue and if there is a way to disable it on your AV software.

 

Due to the various builds of Windows 10, you might not find these settings in exactly the same place as described or shown.

 

More info:  https://support.microsoft.com/en-us/help/3204980/virtualization-applications-do-not-work-together-with-hyper-v-device-g

 

Update: I’ve added a new post here:

https://smudj.wordpress.com/2023/10/02/why-is-there-a-hypervisor-enabled/

Another culprit that uses a hypervisor is Core Isolation.  Check the link above for more details, but if you’ve enabled Core Isolation, then you’ve got a hypervisor running.

To disable: Settings>Privacy & Security>Windows security>Device Security>Core Isolation

Slide to OFF.

 

The Poor Tech’s Hyper-V Lab Setup

A lot of lab tutorials assume you have access to powerful systems with 32 or 64GB of RAM, RAID arrays, dual CPU server systems and so on.

Like my VMware Workstation set up here:

Setting Up an All-in-One Windows AD Test Environment (VMware Workstation Edition)

or VirtualBox

Setting up an All-In-One Windows AD Test Environment (VirtualBox Edition)

This one’s different.  I’m taking a couple relatively modern workstations with 16GB or less RAM each and creating a Windows Active Directory domain environment.  The cool thing here is with an extra switch we can add multiple physical systems into our virtual lab.

Keep in mind that you can still use a powerful workstation/server setup here and just skip setting up the second physical workstation and end up with the same setup as the VMware Workstation or VirtualBox tutorial.

Hardware used:

Workstation 1 (W1): Windows 10 Pro (1809) with Hyper-V, i5-4570, 16GB RAM, 500GB SSD, dual NICs (one onboard NIC, one SB3 1Gb NIC)

*workstation 1 requires 2 network cards.

Workstation 2 (W2): Windows 10 Pro (1809) with Hyper-V,  i7-870, 12GB RAM, 256GB SSD, onboard NIC

optional:  Ethernet switch (not used in your existing network environment), additional Windows 10 Pro, Windows Server, Hyper-V Server workstations

---

ISO media needed:

• IPFire or comparable router/Linux distro https://www.ipfire.org
• Windows Server Evaluation: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019?filetype=ISO

At the time of writing Windows Server 2012–2019 are currently available.  This lab will use Windows Server 2016.

Optional ISOs

• Windows 10 64 bit Enterprise Evaluation (https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise)  This is needed if additional clients are set up in Hyper-V on W1 or W2

Download these ISOs and place then in an easily accessible location for later use.

1. Hardware Setup
   1. Connect both NICs in W1.
      1. NIC1 will be connected to your regular network environment
      2. NIC2 will be connected to W2 directly, or to the optional switch
         1. Assign a static IP to NIC2
            1. IP Address: 172.16.1.100
            2. Subnet mask: 255.255.255.0
         2. Assign static DNS to NIC2
            1. Primary:  172.16.1.201  Hint: this will be the IP of our Windows domain controller
   2. Connect NIC in W2 to switch**, if not directly connected to W1.  **Most modern NICs no longer need a crossover cable to directly connect.  If you’re having issues with a connection, a switch should resolve this, or a cross-over cable.
2. Virtual router Setup for Internal lab environment
   1. Create virtual switches on W1
      1. Start Hyper-V Manager
      2. Click Virtual Switch Manager
      3. Select External, and click Create Virtual Switch
      4. Under Name, enter External Access, and assign the NIC connected in step 1 above to your regular network environment, and click OK.
      5. 
      6. Click select External, Create Virtual Switch again.  Under Name, enter Internal Lab, select the second NIC and click OK.
      7. Click OK to exit the Virtual Switch Manager.
   2. Set IP Address for second NIC.
      1. Go to Control Panel, Network and Sharing Center and click Change Adapter Settings
      2. Right-click on vEthernet (Internal Lab) and select Properties.
      3. Select Internet Protocol Version 4 (TCP/IPv4), then click Properties.
      4. Enter the following IP information:
         1. IP Address: 172.16.1.100   <– this is the address of W1 in the internal lab network
         2. Subnnet mask: 255.255.255.0
         3. Default gateway:  172.16.1.1 <– this is the address of the virtual router we will set up next
      5. Click Ok.  Click Close.
   3. Create the virtual router VM
      1. Return to the Hyper-V Manager and click New –> Virtual Machine.
      2. Click Next to begin the wizard, enter the info in the fields and click Next when finished.
         1. Name:  Lab Router 
         2. Generation: Generation 1
         3. Startup memory: 512MB, uncheck Use Dynamic Memory
         4. Connection:  Select External Access
         5. Virtual Hard Disk:  accept defaults and click Finish
      3. Select Lab Router from Virtual Machines and click Settings.
         1. Select Network Adapter and click Add
         2. Select Internal Lab from Virtual Switch and click Apply
         3. Select DVD Drive, then select Image file. 
         4. Click Browse and go to the location where the IPFire ISO is stored.  Double-click the ISO.  Click OK.
      4. Start the Lab Router VM.
         1. Click Start, then Connect.
      5. Install IPFire.
         1. Press Enter to begin the installation. Note: Window title will appear before instructions for this section.
         2. Language selection: Press Enter to accept English
         3. IPFire: Press Enter to Start installation
         4. License Agreement:  Press tab to move to license acceptance box, then press the spacebar to accept.  Press tab and Enter to complete.
         5. Disk Setup:  Press Enter to accept and Delete all data
         6. Filesystem Selection: Press tab and Enter to accept the default.
         7. Congratulations: Press Enter to reboot
      6. Configure IPFire Pre-config info.
         1. While IPFire is rebooting, we need to determine which NIC’s MAC address is the External Lab’s.
         2. In the Hyper-V Manager with Lab Router selected, click Settings.
         3. Click on plus (+) next to Network Adapter External Access, then click Advanced Features to view the adapters MAC.
         4. 
         5. Leave this window open, or make note of the MAC as we will need it soon.
      7. Configure IPFire
         1. Keyboard Mapping:  Press Enter to select the default mapping.
         2. Timezone:  Choose the correct timezone and press enter. Hint: pressing a letter will jump to that section.  US Pacific (press P and arrow to PST8PDT) can be found this way quickly.
         3. Hostname:  Press Enter twice to accept the default, ipfire.
         4. Domain name: Press Enter twice to accept the default.
         5. Root password:  Enter a memorable password, tab to the verification field, and tab again to OK.  Press Enter.  Hint: no characters will appear when entering the password.
         6. Admin password: Enter a memorable password, tab to the verification field, and tab again to OK.  Press Enter.  Hint: no characters will appear when entering the password.  Extra hint:  for our lab, this can be the same password as the root account for simplicity.
         7. Network configuration:  network configuration type: GREEN + RED should already be selected.
         8. Arrow key down to select Drivers and card assignments, press Enter
            1. Assigned cards: GREEN:  Press Enter to select.  Hint: the GREEN network is our Internal Lab network.
               1. Choose the card that does NOT have the MAC from step 6.3.  Use the arrow key to highlight and press Enter
            2. Assigned cards:  use the arrow keys to highlight RED, and press Enter
               1. Press Enter to select the remaining card.
            3. Assigned cards:  press tab to move and highlight Done.  Press Enter
         9. Arrow key down to select Address settings and press Enter
            1. Address settings: GREEN.  Press Enter to reconfigure
               1. Warning: press Enter.  Hint: we are not connected remotely, so this does not apply
               2. Interface GREEN: IP Address:  172.16.1.1  Network mask:  255.255.255.0  Press tab to move between fields, press Enter when complete
            2. Address settings: RED: Press Enter to reconfigure.
               1. Down arrow key to select DHCP, press spacebar to select. Tab to OK and press Enter.  Hint: our external network will use the existing network DHCP server
            3. Address settings:  Press tab to move to Done, press Enter.
         10. Arrow key down to Done and press Enter.  Hint: we do not need to set the DNS and Gateway settings, the DHCP option selected above in 9-2 will autopopulate this for the RED network.
         11. DHCP server configuration:  We will use the DHCP and DNS services on our Windows Server VM that we will set up later.
             1. Tab to OK and press Enter to leave the IPFire DHCP server unconfigured.
         12. Setup is complete:  Press Enter.  IPFire will reboot.
         13. IPFire/Lab Router VM should remain running.
         14. Close the Lab Router settings window, if needed.
3. Windows Server (Domain Controller) for Internal Lab environment
   1. Create Windows Server VM
      1. Return to the Hyper-V Manager and click New –> Virtual Machine.
      2. Click Next to begin the wizard, enter the info in the fields and click Next when finished.
         1. Name:  Windows Server 1 
         2. Generation: Generation 1
         3. Startup memory: 4096MB, uncheck Use Dynamic Memory
         4. Connection:  Select Internal Lab
         5. Virtual Hard Disk:  accept defaults and click Finish
      3. Select Windows Server 1 from Virtual Machines and click Settings.
         1. Select DVD Drive, then select Image file.
         2. Click Browse and go to the location where the IPFire ISO is stored.  Double-click the ISO.  Click OK.
   2. Install Windows Server 2016
      1. Start Windows Server 1
         1. Click Start, and then Connect.
      2. Install Windows Server 2016
         1. Click Next to begin the installation
         2. Click Install now
         3. Select Windows Server 2016 Datacenter Evaluation (Desktop Experience) and click Next.
         4. Click I accept the license terms, then click Next
         5. Click Custom: Install Windows only
         6. Click Next, to accept the default installation location
         7. Customize settings:  enter a memorable Administrator password, reenter, and click Finish
      3. Configure Windows Server 1 (WS1)
         1. Press control+alt+end to log into WS1, or use the menu options: Action–>Control+Alt+Del
         2. Go to the Control Panel, change View by to Small Icons
         3. Click Network and Sharing Center
         4. Click Change Adapter Settings
         5. Right-click Ethernet and click Properties
            1. Select Internet Protocol Version 4 and click Properties
            2. Click Use the following IP address:
               1. IP Address: 172.16.1.201
               2. Subnet mask: 255.255.255.0
               3. Default gateway: 172.16.1.1
            3. Click Use the following DNS server addresses
               1. Preferred DNS server: 172.16.1.201    Hint: We will setup AD, DNS, and DHCP on this server
            4. Click OK, then click Close
         6. Networks:  when prompted, click Yes to allow your PC to be discoverable.
         7. In Control Panel, go to System.  Under Computer name, click Change Settings.
            1. Click Change, enter WS1, as the computer name.  Click OK.  Click OK at the prompt
            2. Click Close
            3. Click Restart Now
      4. Setup WS1 as a domain controller with DHCP
         1. Start the Add Roles and Feature Wizard
            1. Add the following roles:
               1. Active Directory Domain Services
               2. DHCP Services
               3. DNS Services
            2. Follow the wizard’s steps.  All the defaults can be used for our lab purposes.
            3. Promote: Add a new forest.
            4. Enter the domain name, Hyper-LAB.net, and follow the wizard.  Hint: you will get a warning about DNS, this will be resolved later.
            5. More details for setting up an DC in Windows 2016 can be found here: https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/
         2. Configure DNS and DHCP
            1. Log into your new domain controller.
            2. DNS.  We need to add a forwarder for our DNS settings.
               1. From Administrative Tools (or Server Manager–>Tools), open DNS
               2. Right-click on your server and click Properties.
               3. Click the Forwarders tab
               4. Click Edit, and add your external DNS servers like 4.2.2.1, 4.2.2.2, 8.8.8.8, and 8.8.4.4.
               5. Click OK, when completed.  Click OK, to close Properties.
               6. Close the DNS Manager
            3. DHCP
               1. Double-click DHCP from Administrative Tools or Server Manager–>Tools
               2. Expand IPv4 and right-click, click New Scope from the menu.
               3. Enter a Name: Hyper-Lab client scope, click Next
                  1. Start IP address: 172.16.1.50
                  2. End IP address:  172.16.1.99
                  3. Length: 24 or Subnet mask: 255.255.255.0
                  4. Click Next
               4. The remaining settings can be default for now.
               5. When asked to configure scope options, select “Yes” and click Next.
               6. Router/Default gateway will be the IP we used to configure the GREEN NIC, enter: 172.16.1.1.  Click Add. Click Next.
               7. Domain name and DNS should be pre-configured. You should see the server’s IP in IP address box, 172.16.1.201. Click Next.
               8. WINS does not need to be configured at this time.  Click Next.
               9. When prompted to activate scope, select “Yes” and click Next.
               10. Click Finish to complete the wizard.
               11. Right-click on the server’s name under DHCP, and click Authorize from the menu. Right-click the server name and click Refresh and IPv4 should have a green circle with a white check mark
               12. 
         3. WS1 configuration is complete.  You should be able to ping an IP address, ex: 4.2.2.2 as well as a DNS name:  ex: http://www.google.com
4. Workstation 2 setup and configuration
   1. After the successful configuration of WS1, a network prompt on W2 should appear
      1. 
      2. Verify DHCP is configured for W1, if no prompt
      3. Networks:  when prompted, click Yes to allow your PC to be discoverable
      4. Ping will not work until we disable the firewall, or turn on file and print sharing for the Private network.
   2. Set a static IP for W2:
      1. IP Address: 172.16.1.101
      2. Subnet mask: 172.16.1.1
      3. DNS: 172.16.1.201
   3. Configure an External Virtual Switch
      1. Create virtual switches on W1
         1. Start Hyper-V Manager
         2. Click Virtual Switch Manager
         3. Select External, and click Create Virtual Switch
         4. Under Name, enter Internal Lab, and assign the NIC and click OK.
      2. If the network is set to public, we need to change it to private
         1. Open an elevated Powershell
         2. Set Internal Lab to private:  Set-NetConnectionProfile -InterfaceAlias “vEthernet (Internal Lab)” -NetworkCategory Private   Hint: If the Default Switch is set to Public, we need to change that one also
         3. Set Default Switch to private: Set-NetConnectionProfile -InterfaceAlias “vEthernet (Default Switch)” -NetworkCategory Private 
         4. Enable firewall rules and delegation:  Enable-WSManCredSSP -Role server
   4. Set up Remote Desktop for W2
      1. Go to Control Panel, click Category, then Small icons
      2. Click System
      3. Click Remote Settings, select Allow remote connections to this computer, uncheck Allow connections only from computers running with NLA
      4. Click OK
   5. Configure W1 to access W2’s Hyper-V Manager (optional, we can manage W2 via RDP or directly from W2)
      1. Complete details found here: https://timothygruber.com/hyper-v-2/remotely-managing-hyper-v-server-in-a-workgroup-or-non-domain/
      2. When you try to connect with Hyper-V Manager you’ll receive an error from Hyper-V Manager that it’s either not running or you are not authorized.
         1. Start an elevated PowerShell prompt on W1
         2. You may need to set the Internal Lab network to private, then we need to add W2 to the hosts file and run winrm quickconfig:
            1. Set Internal Lab to private:  Set-NetConnectionProfile -InterfaceAlias “vEthernet (Internal Lab)” -NetworkCategory Private
            2. Add W2 to the hosts file:  Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Value “`n172.16.1.101`tW2”   Hint:  the ` is not a single quote, but a grave, the grave/tilde key is left of the 1 key
            3. Run quickconfig:  winrm quickconfig    Enter “y” to make the changes.
            4. Enable delegation: Enable-WSManCredSSP -Role client -DelegateComputer “W2”
         3.   Enable Local Group Policy
            1. Run gpedit
            2. Go to Computer Configuration–>Administrative Templates–>System–>Credentials Delegation->Allow delegating fresh credentials with NTLM-only server authentication
               1. Select Enabled.  Click Show, enter wsman/W2. Click OK twice.
      3. Connect to W2
         1. In Hyper-V Manager, click Connect to Server
         2. Select Another Computer, enter W2.
         3. Select Connect as another user, enter W2\hyperlab1 and the password you set for this account on W2
         4. 
      4. Copy the Windows 10 ISO to W2 for setting up a new VM
5. Your basic lab is now setup.  You can manage both Hyper-V systems from W1

You can add more Hyper-V “servers” to your network with a switch for the Internal Lab network between W1, W2, and the other servers, follow the steps for W2 with each new Hyper-V server.

Keep in mind that you can just use low-end workstations for clients in this scenario also.  They just need to be added to the Internal Lab network’s switch.

Hyper-V VMGuest.iso for older Windows OSes in Win10/2016

If you’re playing around with older OSes in the latest versions of Hyper-V, you’re missing one thing, the Integration Components (IC).

With Win10/Server2016 they no longer include this ISO as the current “supported” OSes all get their IC viaWindows Update.

You can get the IC from Hyper-V 2012/2012R2 Server, a free download, here:

https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2 ( to extract, you’ll need to mount the ISO, open the x:\sources\install.wim file with something like 7zip, browse to Windows\system32, and extract the vmguest.iso or install Hyper-V Server in a VM to get the vmguest.iso)

Or, if you’ve got a Windows 8/8.1/2012/2012R2 VM/system available with Hyper-V installed you’ll find it in the C:\windows\system32\ folder.

I’ve got a copy from Hyper-V 2012 R2 here: https://1drv.ms/u/s!AnbqFQxI6C6pibttEpT9LXnRf4jcYg 

Hyper-V 2008 R2 here: https://1drv.ms/u/s!AnbqFQxI6C6pio4TpkS4Yi9Pl0_Ejg 

Hyper-V 2008 here: https://1drv.ms/u/s!AnbqFQxI6C6pio4UYt3Jn_VLbrQs4w

No guarantees how long MS will allow it will stay up here, though it’s freely distributed with Hyper-V Server.

After installing the IC on OSes older than Windows Server 2012R2,  you will still see 2 unknown devices.  Per Microsoft, this is expected: https://support.microsoft.com/en-us/help/2925727/unknown-device-vmbus-in-device-manager-in-virtual-machine-for-avma

If you view the properties of these devices and check driver details, Hardware IDs or Compatible IDs, they will show the following:

• vmbus\{4487b255-b88c-403f-bb51-d1f69cf17f87}
• vmbus\{3375baf4-9e15-4b30-b765-67acb10d607b}
• vmbus\{99221fa0-24ad-11e2-be98-001aa01bbf6e}
• vmbus\{f8e65716-3cb3-4a06-9a60-1889c5cccab5}

These Virtual Devices (VDev) are provided for Automatic Virtual Machine Activation (AVMA) to communicate with the host. AVMA is only supported on virtual machines running Windows Server 2012 R2 or later versions of operating systems.

Windows XP Pro running in Hyper-V. Device Manager shows the 2 unknown devices after the IC have been installed.

—

Update:  The Integration Components won’t install in the Home and Starter versions of Windows.

Adding NAT to Hyper-V in Windows 10 and higher

–This is no longer necessary, as Microsoft includes a default switch with NAT in the newer versions of Windows 10

And, it seems that NAT is no longer an accepted switch type

———-Deprecated———-

I found about this new way to create a NAT virtual switch in Hyper-V, it’s a lot less work than my previously documented method here: https://smudj.wordpress.com/2015/05/14/windows-10-hyper-v-setting-up-networking-shared-and-bridged-options/

https://technet.microsoft.com/en-us/library/hh848455.aspx?f=255&MSPPError=-2147217396

New-VMSwitch

Creates a new virtual switch on one or more virtual machine hosts.

Syntax

Copy

Parameter Set: NetAdapterName
New-VMSwitch [-Name] <String> -NetAdapterName <String[]> [-AllowManagementOS <Boolean> ] [-CimSession <Microsoft.Management.Infrastructure.CimSession[]> ] [-ComputerName <String[]> ] [-Credential <System.Management.Automation.PSCredential[]> ] [-EnableEmbeddedTeaming <Nullable [System.Boolean]> ] [-EnableIov <Boolean]> ] [-EnablePacketDirect <Nullable [System.Boolean]> ] [-MinimumBandwidthMode <VMSwitchBandwidthMode> {Default | Weight | Absolute | None} ] [-NATSubnetAddress <System.String> ] [-Notes <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: NetAdapterInterfaceDescription
New-VMSwitch [-Name] <String> -NetAdapterInterfaceDescription <String[]> [-AllowManagementOS <Boolean> ] [-CimSession <Microsoft.Management.Infrastructure.CimSession[]> ] [-ComputerName <String[]> ] [-Credential <System.Management.Automation.PSCredential[]> ] [-EnableEmbeddedTeaming <Nullable [System.Boolean]> ] [-EnableIov <Boolean]> ] [-EnablePacketDirect <Nullable [System.Boolean]> ] [-MinimumBandwidthMode <VMSwitchBandwidthMode> {Default | Weight | Absolute | None} ] [-NATSubnetAddress <System.String> ] [-Notes <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: SwitchType
New-VMSwitch [-Name] <String> -SwitchType <VMSwitchType> {Private | Internal | External} [-CimSession <Microsoft.Management.Infrastructure.CimSession[]> ] [-ComputerName <String[]> ] [-Credential <System.Management.Automation.PSCredential[]> ] [-EnableEmbeddedTeaming <Nullable [System.Boolean]> ] [-EnableIov <Boolean]> ] [-EnablePacketDirect <Nullable [System.Boolean]> ] [-MinimumBandwidthMode <VMSwitchBandwidthMode> {Default | Weight | Absolute | None} ] [-NATSubnetAddress <System.String> ] [-Notes <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Example

New-VMSwitch -SwitchName "Virtual Switch" -SwitchType NAT -NATSubnetAddress "172.16.0.0/12"

Running Hyper-V Manager as a different user in Windows 10 (Runas)

I hit a small issue while working on building up a test SCCM/SCVMM lab in Hyper-V.

My primary system (call it One) has Windows 10 and is domain joined, but I’ve been doing the “Microsoft” thing and logging in with my “Microsoft” account instead of my local domain account.

I’ve got two Hyper-V hosts, one on Windows Server 2012 R2 and another running on Windows 10* (call it Two).  I’ve been able to launch my Hyper-V Manager on One and connect and manage the Hyper-V VMs on Server 2012.

However, I hit a roadblock trying to connect to Two.  The first thing I tried after failing and getting some error messages was to configure winrm.

On Two:

I opened an administrator PowerShell window and ran

winrm quickconfig

and followed the wizard and was able to start the winrm service and open the firewall.

On One:

Again in a administrator PowerShell window, I ran:

Enable-WSManCredSSP -role client -delegatecomputer two.mydomain.com

Failure!  I got a big text message in red that said to run winrm quickconfig.

This is odd, since I did none of this to connect to the Server 2012 Hyper-V instance.

I then shift+right-clicked on Hyper-V Manager and ran it with my domain credentials and it ran! Ah ha!  No problem, just create a runas shortcut for Hyper-V Manager.

C:\Windows\System32\runas.exe /user:mydomain\myusername /savecreds "%windir%\System32\mmc.exe "%windir%\System32\virtmgmt.msc""

Again, no joy.  Launching my new short-cut from a command prompt showed the error:

740: The requested operation requires elevation.

The command needs ADUC elevation, with some Googling** I finally found a solution, first launch a cmd prompt and then the command.  This allows you to receive the ADUC prompt and accept it.

C:\WINDOWS\system32\runas.exe /savecred /user:mydomain\myusername "cmd /c Start /B %windir%\System32\mmc.exe "%windir%\System32\virtmgmt.msc""

The path to the Hyper-V Manager icon is here:

%ProgramFiles%\Hyper-V\SnapInAbout.dll

...

*I don’t recall my logic in installing Windows 10 here instead of Server 2012…it may have just been laziness, an upgrade to Win10 from the previous Windows 8.1 OS that was installed.

 

**http://serverfault.com/questions/374342/run-active-directory-admin-center-as-another-user

Windows 10 Hyper-V: Setting up Networking Shared and Bridged Options

Update:  It’s now a lot easier to create networks (using PowerShell) in Windows 10 Hyper-V:  https://smudj.wordpress.com/2016/03/10/adding-nat-to-hyper-v-in-windows-10-and-higher/

Update 2:  Windows 10 now creates the Default Switch automatically, which is a non-configurable NAT virtual switch for Hyper-V.

Update 3: If you need a configurable NAT router, see step 2 shown here: https://smudj.wordpress.com/2019/03/18/the-poor-techs-hyper-v-lab-setup/ 

 

 

 

******Deprecated****** 

I do not recommend this method any longer.  Use one options from the updates above

Update: Build 10586.3–Loopback adapter was missing, added back, and checked Hyper-V Extensible Virtual Switch.  This seems to happen with each build update.  A reboot may also be required.

This procedure shows you how to set up bridged and shared (NAT) networking with a single physical network card.

Standard Bridged Networking

1. Start the Hyper-V Manager and click Virtual Switch Manager
2. Select External and click Create Virtual Switch
3. Enter Bridged or similar to identify this network as being on your physical network
4. Select the correct network adapter under External network, this should be an active network card, i.e. one that is connected to your network and your host is using.
   1. If you only have one network card, verify that Allow management operating system to share this network adapter.
   2. If you have multiple network cards, and want to use this card exclusively for VMs, uncheck Allow management operating system to share this network adapter.
5. Click OK and the new virtual switch will be created.
6. Verify that you don’t have any ongoing network tasks before clicking yes, as your network connection will likely be disrupted when the virtual switch is created.
7. This will create a network adapter under Network Connections called vEthernet (name_used), in this case, vEthernet (Bridged)

Shared Networking

Manually add a loopback adapter

1. Open a cmd prompt with Administrator privileges.
   1. Type cmd, right-click on the search result and click Run as administrator
2. Type hdwwiz and press enter
3. 
4. Click Next to start the wizard.
5. Select Install the hardware that I manually select from a list (Advanced), and click
6. Highlight Network Adapters, and click Next.
7. Select Microsoft from the Manufacturer column and Microsoft KM-TEST Loopback Adapter from the Model column and click Next.
8. 
9. 1. Click Finish to complete the wizard.
   2. Open Network Connections (CTRL+X and select Network Connections), locate the newly created loopback adapter, right-click it and click Rename, and rename it from Ethernet 2 or Ethernet 3 to Loopback.

Create the Shared Virtual Network Switch in Hyper-V

1. Open the Hyper-V Manager and click Virtual Switch Manager
2. Select External and click Create Virtual Switch
3. Enter a descriptive name, like Shared or NAT. This will create a network adapter under Network Connections called vEthernet (name_used), in this case, vEthernet (Shared)
4. Select the Loopback adapter under the External Network selection box, click OK, then click Yes, this operation will not disrupt your host networking.

Connect the Loopback Adapter and Virtual Switch to the Network

1. Open Network Connections (CTRL+X and select Network Connections)
2. Click Change adapter settings
3. Right-click and select Properties on the vEthernet (Bridged) network adapter created under Standard Bridged Networking.
4. Click the Sharing
5. Click Allow other network users to connect through this computer’s Internet connection.
6. 
7. Select the Shared network connection, it should be listed as vEthernet (Shared), or whatever name was used in place of Bridged.
8. Click Ok.

Note:  The Hyper-V networking is very fragile here, and you may need to reboot if you get errors when trying to connect and share the connections.

Here’s the completed Network Connections Window, note the Bridged and Shared Hyper-V adapters. Apologies for the pixelation, the Hyper-V Manager is not 4K screen friendly.

Here’s two VMs using the Shared networking, note, the 192.168.137.x network, the default used by ICS.  Also shown is a third VM using the host network and the host’s IP.

Windows 10 Hyper-V: Accessing ISOs from a Network Share

Keeping ISOs on a server/network share is a great way to save space for all your installation ISOs.  Unfortunately, Hyper-V does things a little different (it’s called constrained delegation) and can’t directly access an ISO file on a network share or mapped drive with your user account.  Hyper-V will ignore any mapped drives you’ve got, but with Windows 10 you can add a network location from Windows Explorer’s Computer tab (1). This makes it easy to get to a remote network share quickly.

You’ve got 2 options:

1. Go to the ISO location and mount it as a physical drive. This tricks Hyper-V into thinking the disk is local and not network shared.  It works great for everything but Gen2.
2. Constrained delegation configuration
   1. On a domain: this is easy, you just need to add your Hyper-V computer’s domain joined account to the network share.
      1. Go to the shared drive/folder and right-click–>Properties.
      2. Click the Sharing tab, click Advanced Sharing.
      3. Click Permissions, click Add.
      4. Click Object Types and select Computers, click OK.
      5. Enter the computer’s name, and click Check names, click OK to add.
   2. Workgroup/Microsoft accounts: this is a little more involved and care should be taken if this is used anywhere other than a home or lab network as you’re changing some security settings
      1. Go to Administrative Tools–>Local Security Policy, in Security Settings–>Local Policies–>Security Options change these settings:
         • Network Access: Do not allow anonymous enumeration of SAM accounts and shares – Change to: Disabled
         • Network Access: Let Everyone permissions apply to anonymous users – Change to: Enabled
         • Network Access: Restrict anonymous access to Named Pipes and Shares – Change to: Disabled
         • Network Access: Shares that can be accessed anonymously, add the name of the share on the Windows server, i.e. if the share name is “ISOs” add “ISOs” here. *I don’t have a non-Windows NAS, if you do and have found a solution for this, please let me know and I’ll post it

 

Footnote (1)

Notes:

• Add a network share:
  1. Open This PC via the start menu, or Win+E.
  2. Click Computer, click Add a network location
  3. 
  4. Follow the Add Network Location Wizard to finish
     1. For a standard Windows share, use the syntax: \\servername\sharename replacing with the actual name of the server and share.

**Content created and tested on Windows 10 Pro Insider Preview Build 10074

“Not enough memory” error message and Windows Phone 8 Emulator does not start in Windows 8.1

There is a recent KB that addresses some issues that have appeared every so often on the TechNet forums.  Since the WP8 emulator uses Hyper-V any related memory issues with running Hyper-V VMs on 8.1 should also be covered by this.

“Not enough memory” error message and Windows Phone 8 Emulator does not start in Windows 8.1

http://support.microsoft.com/kb/2911380

The Windows Phone 8 Emulator does not start on a computer that is running Windows 8.1 and that has fewer than 8 gigabytes (GB) of RAM if many programs are running at the same time. Additionally, you receive the following error message:
“The Windows Phone Emulator wasn’t able to ensure the virtual machine was running:

Something happened while starting a virtual machine: ‘Emulator Name’ could not initialize. (Virtual machine ID GUID)
Not enough memory in the system to start the virtual machine Emulator Name with ram size 1024 megabytes. (Virtual machine ID GUID)”

Additional troubleshooting can be found here:  https://smudj.wordpress.com/2013/02/22/troubleshooting-windows-8-and-hyper-vwindows-phone-8-emulator/

Hyper-v Architecture Poster and Teaming Deployment and Management Guide available

Hyper-v Architecture Poster

http://www.microsoft.com/en-us/download/details.aspx?id=40732

Provides a visual reference for understanding key Hyper-V technologies in Windows Server 2012 R2 and focuses on Generation 2 virtual machines, Hyper-V with virtual hard disk sharing, online virtual hard disk resizing, storage quality-of-service, enhanced session mode, live migration, Hyper-V failover clustering, and upgrading your private cloud.

 

Windows Server 2012 R2 NIC Teaming Deployment and Management guide
http://www.microsoft.com/en-us/download/confirmation.aspx?id=40319

Download this document to learn how to deploy and manage NIC Teaming, a Windows Server 2012 R2 High Speed Networking component.

HVRemote updated for Hyper-V v.3 including Windows 8, 8.1, Server 2012, and Server 2012 R2

HVRemote has been updated for Hyper-V v.3  for supported use with Windows 8.x and Windows Server 2012 and R2.

HVRemote reduces the manual configuration steps needed for Hyper-V Remote Management down to a few simple commands, and can diagnose common configuration errors.

http://code.msdn.microsoft.com/windowsdesktop/Hyper-V-Remote-Management-26d127c6

Supported Servers:

• Windows Server 2008 SP1 with Hyper-V RTM update applied (KB950050), Core & Full installations
• Windows Server 2008 SP2, Core & Full installations
• Microsoft Hyper-V Server 2008 SP1 (already contains Hyper-V RTM update)
• Microsoft Hyper-V Server 2008 SP2
• Windows Server 2008 R2, Core & Full installations
• Windows Server 2008 R2 SP1, Core & Full installations
• Microsoft Hyper-V Server 2008 R2
• Microsoft Hyper-V Server 2008 R2 SP1
• Windows Server 2012 Core & Full installations (Version 1.x or later)
• Microsoft Hyper-V Server 2012 (Version 1.x or later)
• Windows 8 Pro & Enterprise x64 with Hyper-V enabled (Version 1.x or later)
• Windows Server 2012 R2 Core & Full installations (Version 1.08 or later)
• Microsoft Hyper-V Server 2012 R2 (Version 1.08 or later)
• Windows 8.1 x64 Client Hyper-V (Version 1.08 or later)