Forum Discussion

Anonymous's avatar
Anonymous
Jul 17, 2019

Security baseline with Hyper-V default switch

Continued from old TechNet blog discussion...   Thanks Aaron Margosis. I've figured out what is preventing clipboard file copying. It is the GPO setting "Do not allow drive redirection" (Computer C...
mattgailer's avatar
mattgailer
Copper Contributor
Aug 07, 2021

Deleted did you ever figure out what in the Security Baseline was blocking the "Default Switch" in Windows 10 Hyper-V to allow the virtual machines to have internet access? I am really wanting to have an environment where the Security Baseline is applied, but need the same capability you have mentioned. I don't want to do the workaround of creating another external Virtual Switch, as I've actually found that has impacted internet connectivity bandwidth on the host device.

Anonymous's avatar
Anonymous
Aug 07, 2021

mattgailer I believe it was an inbound firewall issue.

 

The Security Baseline disables local firewall rules for Public networks, so the auto-generated Hyper-V Container Networking allow rules (inbound) aren't applied - you'll have to manually allow UDP inbound on local ports 53, 67, 68 via GPO or allow local firewall rules.

 

From memory that was the only issue, and things like ''Prohibit use of Internet Connection Sharing on your DNS domain network'' are fine to leave as Enabled.

 

Hope that helps!

  • olavrb's avatar
    olavrb
    Brass Contributor
    Aug 17, 2021

     

    I think I'm facing similar issues here; Intune enrolled PC with Security Baseline applied, Default Swtich won't work. VM does not seems to get an IP address.

     

    Can anyone be more specific on the firewall rule that has to be made?

     

    • mattgailer's avatar
      mattgailer
      Copper Contributor
      Aug 17, 2021
      I ended up changing the following two settings that helped me to work (helped by David's replies)

      1. "Connection security rules from group policy not merged" - NOT CONFIGURED
      2. "Policy rules from group policy not merged" - NOT CONFIGURED

      David mentioned creation of rules to open ports in the firewall, but when I looked locally there was already a rule existing (no doubt created when I enabled the Hyper-V role), so I didn't punch any additional holes through the firewall. I think the wording of these policies is probably poor, as I believe the intention is to say "don't acknowledge rules created in any other way - just do what Intune tells you". Could be wrong in my summary, but I'm certainly working happily now on the Default Switch with that change.
      • olavrb's avatar
        olavrb
        Brass Contributor
        Aug 18, 2021

        mattgailer 

        Thank you sir. Will test this and come back with results. 🙂

         

        Edit: It worked right away! Had a VM open, unassigned me from Security Baseline, synced with Company Portal, and suddenly the VM got a IP and all is good.

Resources