Install and Configure Hyper-V Tools for Remote Administration

  • Article

Applies To: Windows Server 2008

The Hyper-V management tools consist of Hyper-V Manager, which is a Microsoft Management Console (MMC) snap-in, and Virtual Machine Connection, which provides remote connectivity directly to a virtual machine. These tools are installed automatically when you install the Hyper-V role. However, you can also install them by themselves to remotely manage a server running Hyper-V.

Compatibility between the Hyper-V remote management tools and the server running Hyper-V is affected by the version of the tools and the version of Hyper-V. As a general rule, you can use a newer version of the tools to manage an older version of Hyper-V, but you cannot use an older version of the tools to manage a newer version of Hyper-V.

The following table identifies the versions of Hyper-V that you can manage with a particular version of the tools, as well as the operating system you can install the tools on.

Note

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Version of Hyper-V Tools Version of Hyper-V Windows Client Operating System

Remote Server Administration Tools for Windows 7 (https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d)

Windows Server 2008 R2

Windows Server 2008 SP2

Windows Server 2008, with Hyper-V RTM update installed (KB950500)

Windows 7 Enterprise, Windows 7 Professional, or Windows 7 Ultimate editions)

Windows Server 2008 R2

Windows Server 2008 R2

Windows Server 2008 R2 (which versions?)

Update for Windows Vista Service Pack 2 Management Tools for Hyper-V (KB970203) https://www.microsoft.com/downloads/details.aspx?familyid=551A9B83-241B-4E86-B329-441374DDCF23&displaylang=en

Windows Server 2008 Service Pack 2 (SP2)

??

Windows Server 2008 32-bit or 64-bit, as follows:

For 32-bit, download and apply update NNN. For 64-bit, NNN

Windows Vista, download and apply update KB952627 https://support.microsoft.com/kb/952627

Windows Server 2008, with Hyper-V RTM update installed (KB950500)

Windows Vista Service Pack 1 (SP1) (Supported on Windows°Vista Ultimate with SP1, Windows°Vista Enterprise with SP1, and Windows°Vista Business with SP1) https://www.microsoft.com/downloads/details.aspx?familyid=BF909242-2125-4D06-A968-C8A3D75FF2AA&displaylang=en

Update for Windows Vista Service Pack 2 Management Tools for Hyper-V (KB970203) https://www.microsoft.com/downloads/details.aspx?familyid=551A9B83-241B-4E86-B329-441374DDCF23&displaylang=en

Windows Server 2008, with Hyper-V RTM update installed (KB950500)

Windows Vista Service Pack 2 (SP2)

Hyper-V Remote Management Update for Windows Vista for x64-based Systems (KB952627) https://www.microsoft.com/downloads/details.aspx?familyid=88208468-0AD6-47DE-8580-085CBA42C0C2&displaylang=en

Windows Server 2008, with Hyper-V RTM update installed (KB950500)

Installing the management tools

Before you install the management tools, you might need to obtain an update package that includes the tools. The table in the previous section identifies the operating systems for which the tools are distributed in an update package. The table also contains links to the update packages

To install the management tools on Windows 7 or Windows Vista SP1

  1. Download the update package and then double-click the .msu file.

  2. If you are installing the tools on a supported version of Windows Vista SP1, no additional installation steps are required, so you can proceed to the configuration instructions.

To install the management tools on Windows Server

  1. If you are installing a version that is distributed in an update package, do one of the following:

  2. Open Server Manager. (If Server Manager is not running, click Start, point to Administrative Tools, click Server Manager, and then, if prompted for permission to continue, click Continue.)

  3. In Server Manager, under Features Summary, click Add Features.

  4. On the Select Features page, expand Remote Server Administration Tools, and then expand Remote Administration Tools.

  5. Click Hyper-V Tools, and then proceed through the rest of the wizard.

Configuring the management tools

The configuration process consists of modifying various components that control access and communications between the server running Hyper-V and the computer on which you will run the Hyper-V management tools.

Note

No additional configuration is required if you are using the management tools on a computer running Windows Server 2008 and the same user account is a member of the Administrators group on both computers.

Configuring the server running Hyper-V

The following procedures describe how to configure the server running Hyper-V. When domain-level trust is not established, perform all the steps. When domain-level trust exists but the remote user is not a member of the Administrators group on the server running Hyper-V, you must modify the authorization policy, but you can skip the steps for modifying the Distributed COM Users group and the Windows Management Instrumentation (WMI) namespaces.

Note

The following procedures assume that you have installed the Hyper-V role on the server. For instructions about installing the Hyper-V role, see Install the Hyper-V Role on a Full Installation of Windows Server 2008 or Install the Hyper-V Role on a Server Core Installation of Windows Server 2008.

To configure the Hyper-V role for remote management on a full installation of Windows Server 2008

  1. Enable the firewall rules for Windows Management Instrumentation. From an elevated command prompt, type:

    netsh advfirewall firewall set rule group=“Windows Management Instrumentation (WMI)” new enable=yes

    The command has succeeded when it returns the following message: “Updated 4 rules(s). Ok.”

Note

To verify that the command succeeded, you can view the results in Windows Firewall with Advanced Security. Click Start, click Control Panel, switch to Classic View if you are not using that view, click Administrative Tools, and then click Windows Firewall with Advanced Security. Select inbound rules or outbound rules and then sort by the Group column. There should be three inbound rules and one outbound rule enabled for Windows Management Instrumentation.

  1. The next steps configure the authorization policy for the server running the Hyper-V role. If the user who requires remote access to the server running Hyper-V belongs to the Administrators group on both computers, then it is not necessary to configure the authorization policy.

Note

The instructions for configuring the authorization policy assume that the default authorization policy has not been modified, including the default location, and that the account you are configuring for remote access requires full administrative access to the Hyper-V role.

  1. Click Start, click Start Search and type azman.msc. If you are prompted to confirm the action, click Continue. The Authorization Manager MMC snap-in opens.

  2. In the navigation pane, right-click Authorization Manager and click Open Authorization Store. Make sure that XML file is selected. Browse to the %system drive%\ProgramData\Microsoft\Windows\Hyper-V folder, select InitialStore.xml, click Open and then click OK.

Note

The Program Data folder is a hidden folder by default. If the folder is not visible, type: <system_drive>\ProgramData\Microsoft\Windows\Hyper-V\initialstore.xml

  1. In the navigation pane, click Hyper-V services, and then click Role Assignments. Right-click Administrator, point to Assign Users and Groups, and then point to From Windows and Active Directory. In the Select Users, Computers, or Groups dialog box, type the domain name and user name of the user account, and then click OK.

  2. Close Authorization Manager.

  3. Next, you add the remote user to the Distributed COM Users group to provide access to the remote user. Click Start, point to Administrative tools, and click Computer Management. If User Account Control is enabled, click Continue. Component Services opens.

  4. Expand Local Users and Groups, and then click Groups. Right-click Distributed COM Users and click Add to Group.

  5. In the Distributed COM Users Properties dialog box, click Add.

  6. In the Select Users, Computers, or Groups dialog box, type the name of the user and click OK.

  7. Click OK again to close the Distributed COM Users Properties dialog box. Close Component Services.

  8. The remaining steps grant the required WMI permissions to the remote user for two namespaces: the CIMV2 namespace and the virtualization namespace. Click Start, click Administrative Tools, and then click Computer Management.

  9. In the navigation pane, click Services and Applications, right-click WMI Control, and then click Properties.

  10. Click the Security tab, click Root, and then click CIMV2. Below the namespace list, click Security.

  11. In the Security for ROOT\CIMV2 dialog box, check to see if the appropriate user is listed. If not, click Add. In the Select Users, Computers, or Groups dialog box, type the name of the user and click OK.

  12. On the Security tab, select the name of the user. Under Permissions for <user or group name>, click Advanced. On the Permissions tab, verify that the user you want is selected and then click Edit. In the Permission Entry for CIMV2 dialog box, modify three settings as follows:

    • For Apply to, select This namespace and subnamespaces.

    • In the Permissions list, in the Allow column, select the Remote Enable check box.

    • Below the Permissions list, select the Apply these permissions to objects and/or containers within this container only check box.

  13. Click OK in each dialog box until you return to the WMI Control Properties dialog box.

  14. Next, you repeat the process for the virtualization namespace. Scroll down if necessary until you can see the virtualization namespace. Click virtualization. Below the namespace list, click Security.

  15. In the Security for ROOT\virtualization dialog box, check to see if the appropriate user is listed. If not, click Add. In the Select Users, Computers, or Groups dialog box, type the name of the user and click OK.

  16. On the Security tab, select the name of the user. Under Permissions for <user or group name>, click Advanced. On the Permissions tab, verify that the user you want is selected and then click Edit. In the Permission Entry for virtualization dialog box, modify three settings as follows:

    • For Apply to, select This namespace and subnamespaces.

    • In the Permissions list, in the Allow column, select the Remote Enable check box.

    • Below the Permissions list, select the Apply these permissions to objects and/or containers within this container only check box.

  17. Click OK in each dialog box and then close Computer Management.

  18. Restart the server to apply the changes to the authorization policy.

To configure the Hyper-V role for remote management on a Server Core installation of Windows Server 2008

  1. Enable the firewall rules on the server for Windows Management Instrumentation. From an elevated command prompt, type:

    netsh advfirewall firewall set rule group=“Windows Management Instrumentation (WMI)” new enable=yes

    The command has succeeded when it returns the following message: “Updated 4 rules(s). Ok.”

  2. Next, you modify the Distributed COM permissions to provide access to the remote user. Type:

    net localgroup “Distributed COM Users” /add <domain_name>\<user_name>

    where <domain_name> is the domain that the user account belongs to and <user_name> is the user account you want to grant remote access to.

  3. Next, you connect remotely to the server running the Server Core installation so you can modify the authorization policy and the two WMI namespaces, using MMC snap-ins that are not available on the Server Core installation.

    Log on to the computer on which you will run the Hyper-V management tools, using a domain account that is a member of the Administrators group on the computer running a Server Core installation. (If you need to add this user, see the instructions in Install the Hyper-V Role on a Server Core Installation of Windows Server 2008.)

Note

The instructions for configuring the authorization policy assume that the default authorization policy has not been modified, including the default location, and that the account you are configuring for remote access requires full administrative access to the Hyper-V role.

  1. Click Start, click Start Search and type azman.msc. If you are prompted to confirm the action, click Continue. The Authorization Manager snap-in opens.

  2. In the navigation pane, right-click Authorization Manager and click Open Authorization Store. Make sure that XML file is selected and type:

    \\<remote_computer>\c$\ProgramData\Microsoft\Windows\Hyper-V\initialstore.xml

    where <remote_computer> is the name of the computer running the Server Core installation.

    Click Open and then click OK.

  3. In the navigation pane, click Hyper-V services, and then click Role Assignments. Right-click Administrator, point to Assign Users and Groups, and then point to From Windows and Active Directory. In the Select Users, Computers, or Groups dialog box, type the domain name and user name of the user account, and then click OK.

  4. Close Authorization Manager.

  5. The remaining steps grant the required WMI permissions to the remote user for two namespaces: the CIMV2 namespace and the virtualization namespace. Click Start, click Administrative Tools, and then click Computer Management.

  6. In the navigation pane, click Services and Applications, right-click WMI Control, and then click Properties.

  7. Click the Security tab. Click Root and then click CIMV2. Below the namespace list, click Security.

  8. In the Security for ROOT\CIMV2 dialog box, check to see if the appropriate user is listed. If not, click Add. In the Select Users, Computers, or Groups dialog box, type the name of the user and click OK.

  9. On the Security tab, select the name of the user. Under Permissions for <user or group name>, click Advanced. On the Permissions tab, verify that the user you want is selected and then click Edit. In the Permission Entry for CIMV2 dialog box, modify three settings as follows:

    • For Apply to, select This namespace and subnamespaces.

    • In the Permissions list, in the Allow column, select the Remote Enable check box.

    • Below the Permissions list, select the Apply these permissions to objects and/or containers within this container only check box.

  10. Click OK in each dialog box until you return to the WMI Control Properties dialog box.

  11. Next, you repeat the process for the virtualization namespace. Scroll down if necessary until you can see the virtualization namespace. Click virtualization. Below the namespace list, click Security.

  12. In the Security for ROOT\virtualization dialog box, check to see if the appropriate user is listed. If not, click Add. In the Select Users, Computers, or Groups dialog box, type the name of the user and click OK.

  13. On the Security tab, select the name of the user. Under Permissions for <user or group name>, click Advanced. On the Permissions tab, verify that the user you want is selected and then click Edit. In the Permission Entry for virtualization dialog box, modify three settings as follows:

    • For Apply to, select This namespace and subnamespaces.

    • In the Permissions list, in the Allow column, select the Remote Enable check box.

    • Below the Permissions list, select the Apply these permissions to objects and/or containers within this container only check box.

  14. Click OK in each dialog box and then close Computer Management.

  15. Restart the computer running a Server Core installation to apply the changes to the authorization policy.

Configuring Windows Vista SP1

The following procedure describes how to configure Windows Vista SP1 when domain-level trust is not established.

To configure Windows Vista SP1

  1. Log on to the computer running Windows Vista SP1.

  2. Enable the firewall rules for Windows Management Instrumentation. From an elevated command prompt, type:

    netsh advfirewall firewall set rule group=”Windows Management Instrumentation (WMI)” new enable=yes

    The command has succeeded when it returns the following message: “Updated 8 rules(s). Ok.”

Note

To verify that the command succeeded, you can view the results in Windows Firewall with Advanced Security. Click Start, click Control Panel, switch to Classic View if you are not using that view, click Administrative Tools, and then click Windows Firewall with Advanced Security. Select inbound rules or outbound rules and then sort by the Group column. There should be six inbound rules and two outbound rules enabled for Windows Management Instrumentation.

  1. Enable a firewall exception for the Microsoft Management Console. From an elevated command prompt, type:

    Netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

  2. Start Hyper-V Manager to verify that you can connect remotely to the server. Click Start, click the Start Search box, type Hyper-V Manager and press ENTER. If you are prompted to confirm the action, click Continue. In Hyper-V Manager, under Actions, click Connect to Server. Type the name of the computer or browse to it, and click OK. If Hyper-V Manager can connect to the remote computer, the computer name will appear in the navigation pane and the results pane will list all the virtual machines configured on the server.