Remotely Managing Hyper-V Server in a Workgroup or non-domain

In this post, my goal is to provide the steps one must take in a typical non-domain environment to set up Hyper-V Server 2016 and remotely manage it via Hyper-V Manager from a Windows 10 PC. I will split this post into three sections: what to do on the Hyper-V Server host, what to do on the Windows 10 PC, and some troubleshooting steps.

When you aren’t using Hyper-V Server in a domain in which you have group policies in place to take care of the automatic configuration of systems for seamless remote manageability, there are quite a few steps one must take on both the Hyper-V Server host and the Windows 10 PC from which you are trying to manage the host.

Most of the information out there regarding managing Hyper-V remotely in a workgroup or non-domain environment results in one of these two outcomes: not enough information, therefore leaving you still unable to connect properly to your Hyper-V host, or too much information, leaving your systems vulnerable and insecure, possibly still unable to connect to the Hyper-V host.

Hyper-V Server 2016 Host

All steps in this section are to be done on your Hyper-V Server 2016 host server. I am starting from a fresh install of Hyper-V Server 2016 that is fully patched and up-to-date as of the end of July 2018.

  1. Install Hyper-V Server 2016
    1. Go through the typical install dance.

    2. Set a password at first boot.
    3. Change the computer name in sconfig (option 2).
    4. Verify Remote Management is Enabled (option 4).
    5. Enable Remote Desktop (option 7).

  2. Run Windows Update and make sure your server is 100% up-to-date. (option 6, then (A)ll updates)
    1. This is the most important step, because depending on which patch level Hyper-V Server 2016 is on, versus the patch level of your Windows 10 PC, you WILL get errors and will not be able to remotely connect via Hyper-V Manager.

  3. Enable PSRemoting:
    1. Enter the following command in an elevated PowerShell window:
      Enable-PSRemoting
  4. Allow remote access on public zones and enable firewall rules for CredSSP and WinRM:
    1. Enter the following command in an elevated PowerShell window, then enter Y when prompted:
      Enable-WSManCredSSP -Role server

Windows 10 PC

All steps in this section are to be done on your Windows 10 PC. I used a fresh install of Windows 10 Pro 1803, fully patched and up to date as of the end of July 2018. I know, scary! (but working)

  1. Run Windows Update:
    1. This is very important, because depending on which patch level your Windows 10 PC and Hyper-V Server 2016 host are on, you WILL get errors and will not be able to remotely manage your Hyper-V host.

  2. Install the Hyper-V Management Tools:
    1. Open up an elevated PowerShell window (Run as Administrator)
    2. Enter the following command, which installs the Hyper-V Management tools, then enter Y to reboot:
      Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All -All
  3. Set the network connection category to private:
    1. Enter the following command in an elevated PowerShell window:
      Set-NetConnectionProfile -InterfaceAlias Ethernet -NetworkCategory Private

      1. You may need to change “Ethernet” (InterfaceAlias) to match the name of your network connection(s).
      2. You can use Get-NetConnectionProfile to list your connections and their categories.
  4. Add the Hyper-V Server 2016 host to the local “hosts” file:
    1. Enter the following command, which appends the host name of the Hyper-V host and its IP address to the local hosts file:
      Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Value "`n172.30.32.151`tHVTEST01"

      1. The `n is new line
      2. The `t is horizontal tab character
      3. Replace HVTEST01 and 172.30.32.151 with the host name and IP address of your Hyper-V Server host.
  5. Configure Remote Management Service:
    1. Enter the following in an elevated PowerShell window, and enter Y when prompted:
      winrm quickconfig

  6. Add the Hyper-V Server 2016 host to the trusted hosts of the Win10 PC:
    1. Enter the following command in an elevated PowerShell window, and enter Y when prompted:
      Set-Item WSMan:\localhost\Client\TrustedHosts -Value "HVTEST01"

  7. Allow the Win10 PC credentials to be delegated to the Hyper-V Server 2016 host:
    1. Enter the following command in an elevated PowerShell window, enter Y when prompted:
      Enable-WSManCredSSP -Role client -DelegateComputer "HVTEST01"

  8. Allow delegating fresh credentials with NTLM-only server authentication:
    1. Enter the following commands in an elevated PowerShell window:
      New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\" -Name 'CredentialsDelegation'
      New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" -Name 'AllowFreshCredentialsWhenNTLMOnly' -PropertyType DWord -Value "00000001"
      New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" -Name 'ConcatenateDefaults_AllowFreshNTLMOnly' -PropertyType DWord -Value "00000001"
      New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" -Name 'AllowFreshCredentialsWhenNTLMOnly'
      New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\" -Name '1' -Value "wsman/HVTEST01"
      
    2. Or, configure the following local group policy (does the same as above):

      1. Change “HVTEST01” to match the name of your Hyper-V host in either of the above steps.
  9. Open up Hyper-V Manager:
    1. Right-Click on “Hyper-V Manager”, and select “Connect to server…”.
    2. Select “Another computer” and type the name of your Hyper-V Server 2016 host.
    3. Check “Connect as another user”, then use the local admin account of the Hyper-V Host. Check “Remember me”. Use HOSTNAME\Administrator

  10. Success!
    1. It should now connect successfully, allowing you to manage your Hyper-V Server 2016 host and set up and configure VMs.

Troubleshooting

The operation is not supported

You get an error when trying to connect to the Hyper-V host:

“An error occurred while attempting to connect to server <serverName>. Check that the Virtual Machine Management service is running and that you are authorized to connect to the server.

The operation is not supported.”

The Fix

The most likely resolution to this issue is to make sure all systems involved are up to date. This error may be related to the CredSSP authentication error covered further down:

https://timothygruber.com/hyper-v-2/remotely-managing-hyper-v-server-in-a-workgroup-or-non-domain/#An_authentication_error_has_occurred_CredSSP_encryption8230

An error occurred while attempting to connect; WinRM, TrustedHosts, operation failed…

If you see the following error:

An error occurred while attempting to connect to server “<serverName>”. Check that the Virtual Machine Management service is running and that you are authorized to connect to the server.

The operation on computer ‘<serverName>’ failed: The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config.

It means you are unable to connect to the Hyper-V Server 2016 host, and the most likely causes are that the remote server is not in the TrustedHosts list and WinRM isn’t configured properly (obviously, there’s more to it than that). Hyper-V Server 2016 has the “Virtual Machine Management” service running by default, so we know it’s not that, but you can verify this by running the following command on your Hyper-V host:

Get-Service vmms

The Fix

The best way to resolve this error is to verify all the above steps have been completed.

An authentication error has occurred. CredSSP encryption…

If you see the following error:

An authentication error has occurred.
The function requested is not supported

Remote computer: <computerName>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

This error is most likely being produced due to a recent update in March 2018 to either your Hyper-V Server host or the PC from which you are trying to connect.

The fix

To fix this error, you must make sure all systems involved are updated. This means your Hyper-V host, the VM you’re trying to access, and the PC you are trying to connect from.

Click the link below for more information from Microsoft:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
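
The client-side settings from the Windows 10 PC section, and the CredSSP encryption oracle policy behind the error above, can be checked with a read-only audit. This is an added example, not part of the original post: the function name Test-HvClientConfig is hypothetical, HVTEST01 is the post's sample host name, and it assumes an elevated PowerShell window on the Windows 10 PC.

```powershell
# Added example: read-only audit of the Windows 10 client after the steps in this post.
# Test-HvClientConfig is a hypothetical name; HVTEST01 is the post's sample host name.
function Test-HvClientConfig {
    param([string]$HvHost = 'HVTEST01')
    $findings = [System.Collections.Generic.List[string]]::new()

    # Step 3: connections still in the Public category
    Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public' |
        ForEach-Object { $findings.Add("Connection '$($_.InterfaceAlias)' is Public") }

    # Step 6: TrustedHosts should list the host by name, never a wildcard
    $trusted = @((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($trusted | Where-Object { $_.Contains('*') }) {
        $findings.Add("TrustedHosts contains a wildcard: $($trusted -join ',')")
    }
    if ($trusted -notcontains $HvHost) { $findings.Add("TrustedHosts does not list $HvHost") }

    # Step 7: CredSSP must be enabled for the WinRM client
    if ((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -ne 'true') {
        $findings.Add('CredSSP client authentication is not enabled')
    }

    # Steps 7-8: every delegation target should be exactly wsman/<host>.
    # Enable-WSManCredSSP records its delegate under AllowFreshCredentials.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $key = Get-Item -Path "$base\$list" -ErrorAction SilentlyContinue
        if (-not $key) { $findings.Add("$list has no entries"); continue }
        foreach ($name in $key.GetValueNames()) {
            $target = [string]$key.GetValue($name)
            if ($target -ne "wsman/$HvHost") { $findings.Add("$list delegates to '$target'") }
        }
    }

    # CVE-2018-0886: AllowEncryptionOracle = 2 is the "Vulnerable" protection level
    $params = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $oracle = Get-ItemProperty -Path $params -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($oracle -and $oracle.AllowEncryptionOracle -eq 2) {
        $findings.Add('AllowEncryptionOracle is 2 (Vulnerable); update both systems instead')
    }

    $findings   # empty output means nothing was flagged
}

Test-HvClientConfig -HvHost 'HVTEST01'
```

Any delegation target broader than wsman/HVTEST01, or a wildcard in TrustedHosts, means the PC will hand credentials to or trust more hosts than this procedure requires.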

References

Remotely Manage Hyper-V Hosts via Microsoft Docs:

https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/remotely-manage-hyper-v-hosts#manage-hyper-v-hosts-remotely

 

 
