- Patch management tips: Updating IT systems in large and small networks - Wed, Oct 20 2021
- Set up Windows 11 Home with an offline account - Mon, Oct 18 2021
- Reset a Windows 11 password and the Windows Server 2022 administrator password - Mon, Sep 20 2021
One of our customers, a small business owner, asked us to replace his current server. There was an old installation of Windows Server 2008 R2 installed directly on the server. Of course, we immediately decided to use the free Hyper-V Server offered by Microsoft, and utilize the two VM virtualization rights included in the Windows 2019 Standard license. For security reasons, the first VM would be used to host the domain controller and other core services, and the second VM would host file, print, and other user services.
First, I read a post here on 4sysops written by Wolfgang about the features and limitations of the free Hyper-V Server 2019. His post mentioned there is no Hyper-V Manager. At that point, I was thinking, "How am I going to manage the hypervisor? I don't really want to do everything by PowerShell or via the Windows Admin Center!"
While it is true that the Hyper-V Manager is not included in the free Hyper-V Server installation, as the installation is a Server Core version, you can still use the Hyper-V Manager installed on your Windows 10 machine and connect remotely. If you don't have Hyper-V Manager installed yet, go to Programs and Features > Turn Windows features on or off and enable Hyper-V Management Tools.
So I installed the hypervisor and did basic network configuration. At this point, as this was the first server available in my environment, I had no Active Directory domain available. The Hyper-V Server was a WORKGROUP member. Next, I opened Hyper-V Manager on my Windows 10 machine and selected Connect to Server…
Note that I used the short NetBIOS name "HVTEST" and selected Connect as another user. Once I entered the credentials and confirmed, I was prompted to Enable delegation of user credentials.
At this point, I was asked to delegate credentials to an FQDN "HVTEST.local" instead of just "HVTEST." After I clicked Yes, the following error message was returned: "Delegation of credentials to the server "HVTEST" could not be enabled."
The message also said that administrator privileges are required to enable CredSSP.
At this point, I started to search for advice on the internet. I found multiple articles. Some of them contained totally misleading information, such as modifying COM object security settings. Others, like the one in Microsoft documentation, did not contain very specific details or contained extra steps that were unnecessary. That's why I dove deep into this topic and got everything tested for you. In this post, you will find the exact steps needed to make things work.
Enable PowerShell remoting ^
The first step in the MS documentation is to enable PowerShell remoting on both Hyper-V server and Windows 10. But hold on a second—my Hyper-V console shows that remote management is already enabled.
It is important to mention here that after you install the Hyper-V Server, the network profile is set to Public and Remoting is still enabled.
If you would try to enable PowerShell remoting on a Windows 10 machine with a Public profile set, it will fail.
So I only enable remoting on my Windows 10 machine:
Enable CredSSP authentication ^
The next step is to enable CredSSP on my Hyper-V server.
Enable-WSManCredSSP –Role Server
Next, since I am still in a workgroup, I need to add my Hyper-V server to the TrustedHosts list on my Windows 10 machine.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "HVTEST"
I also need to enable CredSSP on my Windows 10 machine.
Enable-WSManCredSSP -Role client -DelegateComputer "HVTEST"
Modifying the local group policy ^
The last step to fix this issue is to modify credential delegation settings in the local group policy. In the Local Group Policy Editor (gpedit.msc), go to Computer Configuration > Administrative Templates > System > Credentials Delegation. Here you may notice that Allow delegating fresh credentials is already enabled.
This was actually configured by the Enable-WsManCredSSP command we executed. Note that two values were added – wsman/HVTEST and wsman/HVTEST.local.
I also have to enable these values for the Allow delegating fresh credentials with NTLM-only server authentication to my host option.
Note that it also works if I add only wsman/HVTEST.local, but will not work if I add only wsman/HVTEST.
That's it. Now I can manage my free Hyper-V Server Core with the Hyper-V Manager in a workgroup.
Adding the Hyper-V Server Core to the domain ^
If you already have Active Directory available, it is a completely different thing. Simply join the Hyper-V Server to your domain (option 1 in the Hyper-V Server console) and you are free to use the Hyper-V Manager with no further configuration. Watch out for two things—correct time settings on your Hyper-V Server and a proper DNS record available for your host. Kerberos authentication does not like incorrect time configuration and cannot be used with the IP address.
Subscribe to 4sysops newsletter!
I really like the free Hyper-V Server offered by Microsoft as I can deploy it for my customers and fully utilize their hardware. As you can see, when you download and install the free Hyper-V Server Core, it might be a little tricky to connect to it with the Hyper-V Manager, especially if you have no domain available yet. I hope this article helped you to solve this issue with the fewest possible configuration steps. This procedure also applies to both Hyper-V Server 2016/2019 and Hyper-V Server with GUI installation.