Part 1 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’
Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote
Quick links to the all parts in the series: 1, 2, 3, 4 and 5
After the many emails I’ve had about this, it seemed only appropriate to write up a detailed post (or two actually) about how to resolve this.
You will hit this problem when using the Hyper-V Vista management tools connecting to a remote Windows Server 2008 machine with the Hyper-V role enabled, and where both machines are in a workgroup (or in a domain environment where you genuinely don’t have access - but that's another blog entry).
There are several additional configuration steps you need to complete to make remote management work in a workgroup environment.
Step 1 (On Client and Server)
Make sure you are using a username and password which matches between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience).
Step 2A (On Server core installations)
Step 2B (On Server full installations)
Enable the firewall rules on the server for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
Make sure the command is successful and responds Updated 4 rules(s). Ok.
Note: The string in quotes must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what group name this is.
If you now open “Windows Firewall with Advanced Security” from Administrative Tools on the start menu, you will notice four rules, three inbound and one outbound have been enabled. (It helps to sort by Group)
Step 3 (On Server)
This step grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. Depending on your circumstances, you can add the individual users (they must obviously have an account already on the server), a group, or you can allow all users by select the “Authenticated Users” group.
Open Component Services by typing “dcomcnfg” in the box on the start menu, and expand the menu so that “My Computer” is selected under Component Services\Computers.
Right-Click on My Computer, select Properties and select the “COM Security” tab.
In the above dialog, click Edit Limits in the “Launch and Activation Permissions” area (not to be confused with the Edit Limits in the “Access Permissions” area).
Click “Add…” and enter the users (or groups including “Authenticated Users” as appropriate)
Click OK, then select the added user or group
In the Allow column, select Remote Launch and Remote Activation, then click OK.
Close Component Services
Step 4 (On Server)
This step grants appropriate WMI permissions to the user(s) who are remotely connecting. You need grant access to two namespaces, and, as in step 3, you can add individual users, group(s) or the “Authenticated Users” group.
Open Computer Management under Start/Administrative Tools, expanding the tree down through Services and Applications\WMI Control. Select WMI Control
Right-click on WMI Control and select properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.
IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.
Click the Security button. If the appropriate user or group does not already appear, use “Add…” as you did in Step 3 above to add them.
Now select the user and click the Advanced button below the “Permissions for <user>” area.
Again, make sure the user/group is selected and click Edit
You need to make three changes here:
- In the “Apply to:” drop-down, select “This namespace and subnamespaces”
- In the Allow column, select Remote Enable
- Check “Apply these permissions to objects and/or containers within this container only”
The screen should look like below. If so, click OK through the open dialogs.
Repeat for the Root\virtualization namespace
Click OK as appropriate to confirm all open dialogs and close Computer Management.
Step 5 (On Server)
This step configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. I am assuming in this walkthrough, you are using the in-box default policy and have not re-configured anything at this stage.
Open Authorization Manager by typing “azman.msc” in the box on the start menu.
Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.
Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the system drive and select InitialStore.xml, then click OK.
I’m going to keep this walkthrough as simple (!) as possible, and making my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.
In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.
Add the appropriate users or groups (here you can see the “john” account)
Close the Authorization Manager MMC.
IMPORTANT. You must now reboot your server for the above changes to take effect.
In part 2, I'll walk through the client configuration steps.
Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote
Cheers,
John.
Comments
Anonymous
January 01, 2003
Hyper-V Monitor Gadget for Windows SidebarAnonymous
January 01, 2003
As I mentioned in my previous post , last month I built out a new virtual environment using Hyper-V onAnonymous
January 01, 2003
So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessaryAnonymous
January 01, 2003
A TechNet Magazin júniusi számában megjelent cikkem teljes változata. Valamivel több képpel. KülönösAnonymous
January 01, 2003
It is time to update everyone on the issues our support engineers have been seeing for Hyper-V for theAnonymous
January 01, 2003
Apologies for a lack of a new post on the WMI scripts, look for a new double part post Wednesday morning. Anonymous
January 01, 2003
Announcing "HVRemote"...., a tool to "automagically" configure Hyper-V Remote ManagementAnonymous
January 01, 2003
In the Hyper-V shiproom, we have signed off on Hyper-V RTM (Release To Manufacturing). The build andAnonymous
January 01, 2003
With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visitAnonymous
January 01, 2003
Source: Microsoft Virtualization Team Blog Apologies for a lack of a new post on the WMI scripts, lookAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
I wanted to allow a colleague access to my Hyper-V. Following the instructions at http://blogs.technet.com/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspAnonymous
January 01, 2003
I am feeling lazy today - but thankfully my colleagues have been working hard :-) Mike Kolitz has doneAnonymous
January 01, 2003
This is the one you have been waiting for, get it, install it.  Enjoy :) Windows Server 2008 x64Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Hyper-V Serverをドメイン環境で使用するには特別な設定する必要は特にありませんが、ワークグループの場合は、あいにくいろいろな設定をいじることが必要になります。 まず、必要なサーバー側とクライアント側の設定があります。変更の比較的少ないサーバーの設定を先に説明します。Anonymous
January 01, 2003
More for my own reference, as I keep having to search the Internet for this document and never bookmarkAnonymous
January 01, 2003
You may have seen from a recent post that I received a new laptop that was capable of running Hyper-V.Anonymous
January 01, 2003
Well I just want to introduce you to a new writer who is gonna come along and help giving you great contentAnonymous
January 01, 2003
It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I've comeAnonymous
January 01, 2003
Soon, I promise, I will be publishing part 3 which is the workgroup server-core version of “ Hyper-VAnonymous
January 01, 2003
[Weekly Issue] Hyper-V Core e controllo remotoAnonymous
January 01, 2003
Tore Lervik: I've created a sidebar gadget so I can see what the Hyper-V server is doing from myAnonymous
January 01, 2003
Amir - just to follow up due to other emails I had, I've also seen this problem reported now after 3rd party AV and firewall application have been installed on the client machine. Thanks, JohnAnonymous
January 01, 2003
  I've created a sidebar gadget so I can see what the Hyper-V server is doing from my workstationAnonymous
January 01, 2003
Kent - there's nothing I can spot wrong with the configuration - the length of the computer name should not matter. Are you sure you have the right password set in cmdkey on the client for the account "mhyperkmorstain" on the server, and that the password is not null (blank). If you have a blank password, you need to set a password on the server, and recreate the cmdkey entry. You can verify access to the server by running wbemtest from the client and hitting connect, entering \mhyperrootcimv2 in the namespace, and entering the credentials mhyperkmorstain in the user, plus the password of the kmorstain account on the server. Does this connect OK? If so, hit the "query" button and enter (no quotes) "select * from win32_computersystem" then apply. Do you get one record returned? (Win32_computerSystem.Name="mhyper"). Thanks, John.Anonymous
January 01, 2003
Yesterday I finally got around to installing SCVMM 2008 beta onto a virtual machine (mainly to help usAnonymous
January 01, 2003
PingBack from http://blogs.technet.com/jhoward/archive/2008/03/28/part-2-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspxAnonymous
January 01, 2003
Source: Mindre.net Tore Lervik has create a very cool Hyper-V Monitor Gadget for Windows Sidebar. TheAnonymous
January 01, 2003
@Alberto. Just finishing off the write up. Hopefully I'll have the finished post ready tomorrow. Thanks, John.Anonymous
January 01, 2003
Tore Lervik: I've created a sidebar gadget so I can see what the Hyper-V server is doing from myAnonymous
January 01, 2003
Hyper-V Monitor Gadget for Windows SidebarAnonymous
January 01, 2003
Mike - I'm not sure I understand your point. Hyper-V server is like Windows Server 2008 server core installation - there is no GUI. You have to manage both remotely if you want to use GUI tools which is what this (and the other 4 posts) are about. I recommend though you use HVRemote (link at top) as that makes the process much simpler. Thanks, John.Anonymous
January 01, 2003
It is time to update everyone on the types of issues our support engineers have been seeing for Hyper-V.Anonymous
January 01, 2003
Народ начал активно устанавливать и использовать виртуализацию Hyper-V, особенно бесплатный MicrosoftAnonymous
January 01, 2003
Hyper-V Management Console on Vista x64Anonymous
January 01, 2003
Aujourd'hui deux outils pour Hyper-V. Pas tout neufs, mais extrêmement utiles. Le premier vous serviraAnonymous
January 01, 2003
Se gestite (o pensate di gestire :) ) diversi server Hyper-V da una macchina Windows Vista SP1, questoAnonymous
January 01, 2003
Improvements Over Hyper-V RC0 In addition to bug fixes and stability improvements, Microsoft also madeAnonymous
January 01, 2003
Hyper-V Server First ImpressionsAnonymous
January 01, 2003
Shiva - I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces. General RDP clients will not be able to connect over RDP using port 2179 - although VMConnect uses the RDP protocol, the connection establishment is not the quite the same. If you need to deploy directly to the Internet, I would recommend you look at building out a Terminal Service Web Access/Gateway protected behind an ISA server (I have previously run through configuring exactly this on my blog, last year IIRC). It would be far more secure. Thanks, John.Anonymous
January 01, 2003
I got home from San Francisco on Friday afternoon.  I had one thing in mind (this is going to beAnonymous
January 01, 2003
So far, I’ve covered the following Hyper-V Remote Management scenarios: Workgroup: Vista client to remoteAnonymous
January 01, 2003
Hyper-V Beta released as part Windows Server 2008. The final release of Hyper-V happened shortly afterAnonymous
January 01, 2003
Καλησπέρα σε όλους τουςAnonymous
January 01, 2003
Alex - I replied to the other comment you left. Thanks, JOhn.Anonymous
January 01, 2003
日本語だと↓なエラーが出る件です。 「このタスクを完了するために必要なアクセス許可がありません。このコンピュータ ‘xxxxxxx’ の承認ポリシーの管理者に問い合わせてください。」Anonymous
January 01, 2003
  Top Issues for Microsoft Support for Windows Server 2008 Hyper-V Hyper-V Beta released as partAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Pieter - did you copy or type the command in? If you copied, I believe the quotes are in "word" format and won't be recognised. Thanks, John.Anonymous
January 01, 2003
Jörn - are you logging on with a smartcard? What happens if you go into Hyper-V Manager, and uncheck use default credentials under the user credentials node? Thanks, John.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Kent - please can you provide the output with /target:computername rather than /targetcomputer. Thanks, John.Anonymous
January 01, 2003
Kent - please post back the output from both client and server of hvremote /show /target:othercomputername. Please first though follow the troubleshooting steps (particularly the client) if it fails from steps 3 onwards. Thanks, John.Anonymous
January 01, 2003
Hola Una herramienta imprescindible para configurar los servidores con Hyper-V para que se puedan administraAnonymous
January 01, 2003
Please. I have a windows Hyper-V Server Edition, and is only core mode. how i configure security options do enable remote managment ?Anonymous
January 01, 2003
NL - No, that isn't actually necessary. Thanks, John.Anonymous
January 01, 2003
I have gone through these steps twice now for my Win 2008 R2 datacenter cluster. I created a local and domain user of the same name and password as the local user on my Win 7 workstation (workgroup). I also destroyed the cluster and tried again, same error. Seems there is some additional permission or policy that needs to be changed. Has anyone been successful with 2008 R2?Anonymous
January 01, 2003
Siavash - unfortunately this is not possible in Hyper-V today. Thanks, John.Anonymous
January 01, 2003
Ryan - what changed from working to now getting the error - in particular, you mention about passwords being in sync, so could this be tied to that and there's been a typo on syncing the passwords, especially as you indicate you are getting MMC failures too? It doesn't sounds like it's Hyper-V specific, in other words. Are you using cmdkey to set credentials on the client to authenticate to the server? Do all users fail now? Thanks, John.Anonymous
January 01, 2003
Lduval - I'll add it to a list, but I should be up front and say it may be some time off yet. However, you should still be able to run from the command prompt in Hyper-V server net localgroup "Distrubuted COM Users" <username> /add to solve this. Thanks, John.Anonymous
January 01, 2003
Jerrold - unfortunately you've pasted the client bit into the server output.... Thanks, John.Anonymous
January 01, 2003
David - there is no different in terms of remote management configuration between "v1" and Windows Server 2008 R2/Hyper-V Server R2. Thanks, John.Anonymous
January 01, 2003
Sebastien/Alberto - see the write up, now published here: http://blogs.technet.com/jhoward/archive/2008/03/30/part-3-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx Cheers, John.Anonymous
January 01, 2003
Scott - it would be helpful for diagnosis or ease of configuration (unless you really want to do the steps manually) to use HVRemote instead. The link is at the top of the page. Follow that, take a look at the documentation and if you still have problems, please post back the output of hvremote /show on both the client and the server. Cheers, JohnAnonymous
January 01, 2003
FrankM - please post the output of hvremote /show /target:otherboxname from both boxes. (Obviously correct any suggestions it makes if you see errors first). Thanks, John.Anonymous
January 01, 2003
Thanks John, very useful.Anonymous
January 01, 2003
Shva - sorry, I'm not sure what you mean by "consume". What is the goal you are trying to achieve? THanks, John.Anonymous
January 01, 2003
Fábio & Impactro - please use HVRemote (link at top of article), or see other parts of this series which explain how to perform the steps manually on core. However, I strongly recommend you use HVRemote. Thanks, John.Anonymous
January 01, 2003
Hi Christopher - that's a good one too. Cheers, John.Anonymous
January 01, 2003
Mike - that directory is hidden. Navigate to it using the address bar in Windows explorer by typing c:programdata..... replacing c: with your system drive. Thanks, John.Anonymous
January 01, 2003
Olexandr - You don't need that rule enabled on the server firewall. Can you post the full output of hvremote /show /target:othercomputername from both boxes? Thanks, John.Anonymous
January 01, 2003
@Sebastien - actually, no that is not correct. This does work on server core with a few variations. Give me a couple of days - I'm documenting the exact steps and will be posting it up soon. (And part 3 really IS a valiant effort. You'll see why when you see it!!!) Thanks, John.Anonymous
January 01, 2003
Shiva - no this is not possible in Hyper-V through VMConnect. To the best of my knowledge, it is not possible in RDP, but that's outside of my area of authoritative expertise. You may want to ask that question on one of the Technet Windows Server forums. Thanks, John.Anonymous
January 01, 2003
Hi Jerrold - unfortunately, you missed the bit I needed :) Can you run hvremote /show on both the server and the client? You shouldn't need to add the /debug - I'll almost certainly get everything I need from just the /show with the v0.3 version you're running. Can you also confirm you are running from an elevated command prompt? Thanks, John.Anonymous
January 01, 2003
This is failing because you have incorrect stored credentials from the client to authenticate to the server. From the client output:
Stored Credentials
Currently stored credentials: Target: morstainhyperv Type: Domain Password User: morstainhypervaccount The server output indicates that you have created and granted an account "morstainhypervkmorstain" access. On the client use cmdkey to remove the currently stored credentials and replace them with morstainhypervkmortain. Cheers, John.
Anonymous
January 01, 2003
Matthew - yes, I wrote these articles a few months before RTM came out. You want http://support.microsoft.com/kb/952627 for Vista SP1. The RTM links are on the far right of the blog page. Thanks, JohnAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Yes, this is expected. Saved states are not compatible between 2008 and 2008 R2. You need to cleanly shut down the machines in 2008 before export. You should also merge any online snapshots as these have an implicit saved state in them too. Thanks, John.Anonymous
January 01, 2003
Mike - can you check that the VMMS service is actually running on the target server? (sc query vmms). If you find it is stopping, I'd be interested to see if there's something in the event logs. Thanks, John.Anonymous
January 01, 2003
Kent - please post back the output from both client and server of hvremote /show /target:othercomputername. Please first though follow the troubleshooting steps (particularly the client) if it fails from steps 3 onwards. Thanks, John.Anonymous
January 01, 2003
Jerrold You're logged on to client as zeusvmcmd, but there's several bits missing from the server side. Client looks good. You should simply need to run hvremote /add:vmcmd on the server and reboot (possibly) both sides, depending on whether there are active connections outstanding. You also need to make sure the vmcmd user password is the same on both sides as this is a workgroup. Thanks, John.Anonymous
January 01, 2003
Franck - this is part of our Authorization Manager (AZMan) infrastructure. More information on this will be available in the official documentation very soon. It's also something that my colleague Ben (http://blogs.msdn.com/virtual_pc_guy) was looking to provide some unofficial (ie blog) information on soon. Thanks, John.Anonymous
January 01, 2003
Amir - see part two for the client firewall settings. Essentially you need to run netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes netsh firewall add allowedprogram program=%windir%system32mmc.exe name="Microsoft Management Console" Also see part 5 for the domain client to workgroup server configuration. Thanks, John.Anonymous
January 01, 2003
Asshen - yes, point well taken, but similar steps are necessary for any form of remote WMI/DCOM - it's not stricly specific to Hyper-V. We're looking to see how we can get this improved. Thanks, John.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
John, You rock! thanks a lot for this 'patch'Anonymous
January 01, 2003
Mohsen - no, it's not going anywhere. Cheers, John.Anonymous
January 01, 2003
Shiva - wow, I thought I'd heard every question there possibly could be was relating to remote management of Hyper-V. But you've stunned me with this one! Does this happen every time? When you say restart - as in blue screen, or graceful reboot? In either case, is there anything in the event logs? If a blue-screen, do you have a memory dump file we could analyse? Have you seen the server exhibit similar behaviour at any other time, or is only when using VMConnect? Hardware specs would be useful too. Thanks, John.Anonymous
March 29, 2008
This is really tricky John. What if i have Hyper-v installed on a core based install?Anonymous
March 29, 2008
This cannot work on a core install, because you need to generate the OLE registry key yourself and repalce it, as dcomcnfg is not available. I've been playing around with this for two days and resorted to creating a new AD forest. Quicker and more reliable. I wish I found your articles sooner, as they would've confirmed my suspicions much earlier and save me a day of procmon and experimenting with security settings! Thanks for the valiant effort though. SebAnonymous
April 23, 2008
This article saved me several days of work! Thanks, Thanks, Thanks!!!Anonymous
May 31, 2008
I followed this as far as step 5 but I don't have a directory ProgramDataMicrosoftWindowsHyper-V on my W2K8 Server I cannot find a file called InitialStore.xmlAnonymous
June 01, 2008
Step 2B fails on US English W2K8: "Group cannot be specified along with other identification conditions." Looking at the firewall rules, there are three inbound rules and one outbound rule, resembling the name, neither an exact match: "Windows Management Instrumentation (ASync-In)" "Windows Management Instrumentation (DCOM-In)" "Windows Management Instrumentation (WMI-In)" "Windows Management Instrumentation (WMI-Out)" I really feel spoiled by how simple is is to use VMWare Server, no need for a 5 part series on how to get the remote functionality to work. Will RTM make automate this manual configuration process to allow "seamless" remote management?Anonymous
June 05, 2008
I'm stuck on step 5. I navigate to ProgramDataMicrosoftWindows but there is no Hyper-V folder. Hyper-V is running on core and I'm trying to access it through VIsta SP1.Anonymous
June 25, 2008
I see PingBack is't a very good feature in most blogs. Sorry about the spam John, feel free to remove the comments above! :)Anonymous
June 27, 2008
and if I need to delegate one user administer one VM, not the entire Hyper-V machine... How should I do ?Anonymous
July 10, 2008
Thank you for spending the 2+ hours to capture this for us. It really made my life so much easier: I would not have figured this out myself this side of Christmas! Thank you!!!Anonymous
July 27, 2008
Hi, Great write up! Just one question...do I need to reboot the server everytime I add a new hyper-v user in azman? Or is the reboot required only for initial setup of the remote management? Thanks!Anonymous
August 12, 2008
John, Great detailed information and walk-through! Thank you for your time and sharing it. However, I have not been able to connect and I am getting the same "WMI:Access Denied" issue as Derek mentioned above with the difference that I am running Vista on my physical laptop. My laptop is joined to the domain of business coorporation and the Windows Server 2008 is part of a workgroup at my home. I have followed allthe steps to the letter. The Remote Server Administration Tools for the Hyper-V Tool is also enabled and the properly allowed through firewall extensions. I can Remote Desktop to the server just fine and as extra caution I have added the server IP address to my "hosts" file as well. when i try to connect to the server from Vista Hyper-V Manager, after few seconds, I get "the operation on computer '<the server IP address>' failed. Any idea, what is missing? BTW, I initially posted this comment by mistake to Part 3 which is for Core installation. I have full WIN2K8 installation. Thanks, AmirAnonymous
August 14, 2008
John, further to my note above, I learned that possibly the firewall setting on my laptop is blocking the inbound communication. These firewall settings are controlled by the firewall rules in the Local Security Policy. I even cannot ping my laptop from the WIN2K8 server and get timed out while on the other hand I can do remote desktop to the server from my laptop. Do you know what inbound or outbound firewall rules I need to enable in order to get Hyper-V Manager on my Vista laptop (joined to a domain) communicate with my WIN2K8 server (on a local work group)? Thanks for any tips. AmirAnonymous
August 14, 2008
Is it just me, or did Microsoft make this much too complicated ???Anonymous
September 05, 2008
Hey John just wanted to say thanks for the help but now I have run into some real problems. I am not using remote management tool, but am instead going into RDP and have tried KVM to get Hyper V to work. I have failed miserably and no matter what I try I can't create VMs and cannot do anything except "remove server" I am hopelessly lost with a "you might not have permission to perform this task error" Help ! =) Troubled Tim-Anonymous
September 14, 2008
ow after 3rd party AV and firewall application have been installed on the client machine. Thanks,Anonymous
September 28, 2008
You keep posting "You do not have the "requested" permission to complete this task. " However the error actually reads: "You do not have the REQUIRED permission to complete this task". It was difficult to find this page because the correct search string in Google was not found.Anonymous
October 03, 2008
The comment has been removedAnonymous
October 16, 2008
Hi John, Could you please write a similar guide for "Hyper-V Server 2008" (Baremetal). I can't apply this one to connect with Vista on an Hyper-V in Workgroup BECAUSE there is nothing like DCOMCNFG in "Hyper-V Server 2008" (which is not a real Core Server).Anonymous
November 13, 2008
Those links to the management tools don't work, and I can't find the tools anywhere. Any ideas?Anonymous
November 22, 2008
The comment has been removedAnonymous
November 23, 2008
John, In the previous message I left out the response I got when I ran on the server : 'netsh firewall add allowedprogram program=%windir%system32mmc.exe name="Microsoft Management Console" ' The response is: "The following command was not found ..." Below is the client response (ran at elevated prompt) and server response (ran as administrator) to hvremote /show. Thanks again, Jerrold Client response: Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Hyper-V Remote Management Configuration & Checkup Utility John Howard, Microsoft Corporation. http://blogs.technet.com/jhoward Version 0.3 20th Nov 2008 INFO: Computername is ZEUS INFO: Computer is in workgroup WORKGROUP INFO: Current user is zeusvmcmd INFO: Assuming /mode:client as the Hyper-V role is not installed
DACL for COM Security Access Permissions
Everyone (S-1-1-0) Allow: LocalLaunch RemoteLaunch (7) BUILTINPerformance Log Users (S-1-5-32-559) Allow: LocalLaunch RemoteLaunch (7) BUILTINDistributed COM Users (S-1-5-32-562) Allow: LocalLaunch RemoteLaunch (7) NT AUTHORITYANONYMOUS LOGON (S-1-5-7) Allow: LocalLaunch RemoteLaunch (7)
ANONYMOUS LOGON Machine DCOM Access
WARN: ANONYMOUS LOGON does have remote access This setting should only be enabled if required as security on this machine has been lowered. It is needed if you need to manage Hyper-V on a remote server which is either in an an untrusted domain from this machine, or both machines are in a workgroup. Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off
Firewall Settings for Hyper-V Management Clients
Private Firewall Profile is active Enabled: Hyper-V Management Clients - WMI (Async-In) Enabled: Hyper-V Management Clients - WMI (TCP-Out) Enabled: Hyper-V Management Clients - WMI (TCP-In) Enabled: Hyper-V Management Clients - WMI (DCOM-In)
Windows Firewall exception rule(s) for mmc.exe
Private Firewall Profile is active Enabled: Microsoft Management Console (UDP) Enabled: Microsoft Management Console (TCP) INFO: Are running the latest version
Server response: Microsoft (R) Windows Script Host Version 5.7 Copyright (C) Microsoft Corporation. All rights reserved. Hyper-V Remote Management Configuration & Checkup Utility John Howard, Microsoft Corporation. http://blogs.technet.com/jhoward Version 0.3 20th Nov 2008 INFO: Computername is ZEUS INFO: Computer is in workgroup WORKGROUP INFO: Current user is zeusvmcmd INFO: Assuming /mode:client as the Hyper-V role is not installed
DACL for COM Security Access Permissions
Everyone (S-1-1-0) Allow: LocalLaunch RemoteLaunch (7) BUILTINPerformance Log Users (S-1-5-32-559) Allow: LocalLaunch RemoteLaunch (7) BUILTINDistributed COM Users (S-1-5-32-562) Allow: LocalLaunch RemoteLaunch (7) NT AUTHORITYANONYMOUS LOGON (S-1-5-7) Allow: LocalLaunch RemoteLaunch (7)
ANONYMOUS LOGON Machine DCOM Access
WARN: ANONYMOUS LOGON does have remote access This setting should only be enabled if required as security on this machine has been lowered. It is needed if you need to manage Hyper-V on a remote server which is either in an an untrusted domain from this machine, or both machines are in a workgroup. Use hvremote /Mode:Client /AnonDCOM:Revoke to turn off
Firewall Settings for Hyper-V Management Clients
Private Firewall Profile is active Enabled: Hyper-V Management Clients - WMI (Async-In) Enabled: Hyper-V Management Clients - WMI (TCP-Out) Enabled: Hyper-V Management Clients - WMI (TCP-In) Enabled: Hyper-V Management Clients - WMI (DCOM-In)
Windows Firewall exception rule(s) for mmc.exe
Private Firewall Profile is active Enabled: Microsoft Management Console (UDP) Enabled: Microsoft Management Console (TCP) INFO: Are running the latest version
Anonymous
November 23, 2008
The comment has been removedAnonymous
November 30, 2008
John, I am having these problems connecting to vmms (Virtual Machine Management) service on server! I am running the Hyper-V Manager snap-in under the default Administrator account which is as always a member of BUILTINAdministrators group. But when I selecct in the Hyper-V Manager, I get the snap-in connecting to the service and then the notorious "You might not have permission to perform this task". (No message to contact administrator or whoever it might be) This is observed on PDC build of Windows Server 2008 R2 (Windows Server 7). Any clue? I checked all the permissions for WMI and DCOM and they are all FULL CONTROL for BUILTINAdministrators. I installed both the Hyper-V role AND the RSAT-Hyper-V feature. Could it be that I should NOT to install RSAT on the same computer where I am running the Hyper-V role? Quite interesting, I was unable to install Hyper-V role using the Server Manager snap-in. I was getting errors from UI reported by CLR debugger. I was lucky to install the role only after I tried ServerManagerCMD.exe -install Hyper-V -allSubFeatures -restart Any clue how to get this working? BTW, this is what I get in Event Viewer Log Name: Microsoft-Windows-Hyper-V-VMMS-Admin Source: Microsoft-Windows-Hyper-V-VMMS Date: 11/30/2008 7:32:59 AM Event ID: 14098 Task Category: None Level: Error Keywords: User: SYSTEM Computer: Server7 Description: One or more driver required by the Virtual Machine Management service is not installed or is disabled. Try reinstalling the Hyper-V role. and right after that I get Log Name: Microsoft-Windows-Hyper-V-VMMS-Admin Source: Microsoft-Windows-Hyper-V-VMMS Date: 11/30/2008 7:32:59 AM Event ID: 14096 Task Category: None Level: Error Keywords: User: SYSTEM Computer: Server7 Description: Virtual Machine Management service failed to start.Anonymous
December 03, 2008
Ran through it a couple times and get the error: The Virtual Machine Management service is not available. when trying to run the Hyper-V Manager on the client. i can start the Hyper-V Manager on the server with no problem workgroup environment, no firewalls, host entries used to ensure name resolution, passwords verified to be the same, user an admin on both server and workstation. i can use the edit disk option to "view" disks on the server... just not connect to them management service. very strange. any ideas anyone?Anonymous
December 06, 2008
John, I'm running!!! Thanks so much for the help and the great tool! If you're free we'd love to have you this year (late Oct.) at Tulsa TechFest where you could present to about 500 people. Just let us know if you should have the time (another vacation maybe ;<) ) to be here. Thanks again, JerroldAnonymous
December 13, 2008
does anyone know about the standalone install of Hyper-V server? I have installed it and read everything i can, but i can not connect. I have the Hyper-V server installed, configured the name and IP (non domain) set the user and on my Vista SP1 computer with Hyper-V server tried to connect (same user name as server). I can not ping the HV server, but the HV server can ping my laptop. I have tried the commands on these pages by my Hyper-V server does not recognise most of the commands, such as netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes Any help would be muchly appriciated. ThanksAnonymous
December 14, 2008
This won't work in a Hyper-V server since it has no GUI, so what good is this??????????????????????????????????Anonymous
December 17, 2008
I followed the instructions and I am able to remotely configure Hyper-V from a Vista machine that is in the same domain as the server. I can create, start and stop VMs. However, I cannot connect to one, the server asks me for username and password and rejects everything I try, even admin account. What priviledge is required to connect to a VM?Anonymous
March 20, 2009
The comment has been removedAnonymous
April 24, 2009
I wonder why we can't create a icon " enable remote acess" or " allow <login name>" to access this hype-v . i agreed this Hype-v are helpful, but when come to " remote administrative" task. nightmare !!!Anonymous
April 25, 2009
i just wanted to how can i restrict "clipboard sharing" in vmconnect for a standard user it's not in operations in AZman.msc please help me THXAnonymous
May 24, 2009
The comment has been removedAnonymous
May 25, 2009
Hi John, We are facing a situation in VM Connect. We have a HyperV Server hosting VM's and this Host Server is available over the internet. Therefore any client machine with RDP Client will be able to connect to a VM via port 2179. The question is if the client machine is behind a firewall, is it require that the firewall has to open port 2179? Also if the server is behind a firewall, is there any specific settings to be taken care? if you have any informaton related to this please share with us as this will be of great help to us. Thanks and Regards SivakumarAnonymous
July 17, 2009
The comment has been removedAnonymous
July 20, 2009
Hi, John, to Shive you wrote: "I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces." Er, this is exactly what I want to do with Hyper-V... Use it as the core of my three (virtual) web servers. I thought it was a common scenario to maintain them all using SCVMM/SCOM?Anonymous
July 27, 2009
Hi John, In our environment we are using a work group server and domain connected clients. We hacve 2 people who use a vista client to remotely manage a server core. Everything was working. we now both get "You do not have the required permission to complete this task. " The passwords are kept up to date from our laptops to our server. We can not only not manage hyper-v but we cannot use any remote management mmc's. This was originally setup using your guide and i have since tried to confirm settings using your hvremote.wsf routine on server and workstion. I have not gotten a chance to restart the server to see if this solves the issue as there are production vm's on the system. Any suggestions?Anonymous
August 21, 2009
All this is great if you have a gui. In standalone there is no gui. I have followed and followed again the steps for HVRemote in a workgroup with no success. I get the dreaded "You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’ Everything I find seems to point back to GUI. Please help. KentAnonymous
August 21, 2009
The comment has been removedAnonymous
August 21, 2009
The clients hvremote show has an error: Failed to connect to rootcimv2 Error: -2147024891 So I tried the first step on the server to add user. When I try and run hvremote /add:kmorstain I get access denied on the server. I did add it as a net user and that worked. I guess they are not the same. Suggestions KentAnonymous
August 21, 2009
The comment has been removedAnonymous
August 21, 2009
The comment has been removedAnonymous
September 25, 2009
Hi John, In VMRC connections to Virtual server based VM's, multiple connections to the same virtual machine is possible. Is there a similiar feature in RDP Connectivity to Hyper-V based VM's? Please let me know if you have any information on the same. Thanks ShivaAnonymous
October 29, 2009
Hi, We are trying to Export Virtual machines in a saved state from Windows Server 2008 Enterprise Edition Service Pack 1-Hyper-V Manager Version: 6.0.6001.18016 to Windows Server 2008 R2 Hyper-V Manager Version: 6.1.7600.16385. We are facing a problem while trying to start the imported machine. (Error: Saved State file version is incompatible). Is this expected? Is there a solution to this problem? Thanks ShivaAnonymous
November 11, 2009
I've constantly recieved error at step - 5: - Simple query to rootcimv2 WMI namespace - prior I've enabled "File and Printer Sharing (Echo Request - ICMPv4-In)" firewall rule on server side (Workgroup member, Microsoft Hyper-V Server 2008 R2)Anonymous
December 03, 2009
Re Saved State incompatibility issues of 2008 and 2008 R2, Fabien Duchene's (MSFT) comment elsewhere on the nets helped me: Just apply your snapshot. Then right-click the VM and "delete saved state". And then you are now able to start the VM.Anonymous
January 12, 2010
The comment has been removedAnonymous
February 23, 2010
The comment has been removedAnonymous
February 24, 2010
Never Mind Solved it... wow, i had completely forgotten about enableling the firewall on my "CLIENT" side (Vista). fyi, the documentation everywhere shares about enabling the firewall on the server (Hyper-V) but little and small if any is there mention of enabling the firewall on the "CLIENT" side. i enabled: Start --> All Programs --> Administrative Tools --> Windows Firewall with Advanced Security --> Inbound Rules --> Remote Service Managment (RPC) Note: i enabled Remote Service Managment (RPC) for "Domain" only thx John..... HectorAnonymous
March 17, 2010
I got the 'WMI access denied' error, and then followed all the steps as described in this wonderful article, however I never managed to fixed the problem with everything given in this article/comments... The error I got when running: netsh firewall add allowedprogram program=%windir%system32mmc.exe name="Micros oft Management Console" Was: IMPORTANT: "netsh firewall" is deprecated A simple fix for this was: netsh advfirewall firewall add rule program=%windir%system32mmc.exe action=allow dir=in name="Microsoft Management Console" That single firewall rule solved all my problems! ChrisAnonymous
September 18, 2010
I followed everything in multiple iterations, but couldn't make remot managemtn of HyperV server work from another Windows 2008 R2 with HyperV role. The only way it can work is if I disable the firewall on HyperV Server completely. I set the WMI permissions, firewall rules and what not.Anonymous
October 02, 2010
The comment has been removedAnonymous
January 20, 2011
this is a very detailed and great article. is it going to be removed after some time or is it staying? because if it's going to be removed, then I'll need to copy the information to a word document for future use if that's ok with you.Anonymous
April 08, 2011
The comment has been removedAnonymous
January 26, 2012
The comment has been removedAnonymous
March 19, 2012
Chris: I first used the manual approach, then went back and used hvremote, but I can't get it to work. My client is Win 7 Ultimate x64 which is a domain member. My domain is SBS 2011-based running as a hyper-V guest on a Server 2008 R2 host, in a workgroup. I fear the problem is that my Win7 client uses Norton Internet Security, which disables the MS firewall.Anonymous
November 13, 2012
Hi, very helpfull! It works also for Windows 7 SP1 Hyper-V Client for Windows Server 2012. After the settings the VMs are in "Saved" mode and did not starts. More details see here: support.microsoft.com/.../2249906Anonymous
January 04, 2013
Thank you so much. I was struggling with this for 4 hours. I was thinking my powershell script was bugged with problem with WMI, or that my DCOM security was wrong. i was in ignorance of hyperv autorizatuon. It worked like a charm!Anonymous
January 23, 2013
Hi John, Thanks for the blog. It is really helpful. But I have one more question: Does it still work with Clients behind the NAT? Both Hyper-V Server and Client are located in the workgroup. Looking forward to your reply. Thanks in advance. Regards, JoyAnonymous
January 21, 2014
This is a whole lot of struggling and tweaking even before this thing has been installed. With VMware, all we did was install and go - no hassles and no problems out of the gate like this product.Anonymous
May 04, 2014
The comment has been removed