Security baseline with Hyper-V default switch


Continued from old TechNet blog discussion...
Thanks @Aaron Margosis. I've figured out what is preventing clipboard file copying. It is the GPO setting "Do not allow drive redirection" (Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection).
Haven't figured out why applying the security baseline disables guest VM network connectivity through the "Default Switch" (automatically created on Client Hyper-V), but a solution is to connect guest VMs directly to the external network adapter using the "External Switch".
UPDATE: Network connectivity issues caused by GPO blocking local firewall rules (inbound allow rules are needed for Default Switch to work, see below discussion).
@Deleted did you ever figure out what in the Security Baseline was blocking the "Default Switch" in Windows 10 Hyper-V to allow the virtual machines to have internet access? I am really wanting to have an environment where the Security Baseline is applied, but need the same capability you have mentioned. I don't want to do the workaround of creating another external Virtual Switch, as I've actually found that has impacted internet connectivity bandwidth on the host device.

@mattgailer I believe it was an inbound firewall issue.
The Security Baseline disables local firewall rules for Public networks, so the auto-generated Hyper-V Container Networking allow rules (inbound) aren't applied - you'll have to manually allow UDP inbound on local ports 53, 67, 68 via GPO or allow local firewall rules.

From memory that was the only issue, and things like "Prohibit use of Internet Connection Sharing on your DNS domain network" are fine to leave as Enabled.

Hope that helps!
I think I'm facing similar issues here: Intune-enrolled PC with Security Baseline applied, Default Switch won't work. VM does not seem to get an IP address.

Can anyone be more specific on the firewall rule that has to be made?

I ended up changing the following two settings that helped me to work (helped by David's replies)

1. "Connection security rules from group policy not merged" - NOT CONFIGURED
2. "Policy rules from group policy not merged" - NOT CONFIGURED

David mentioned creation of rules to open ports in the firewall, but when I looked locally there was already a rule existing (no doubt created when I enabled the Hyper-V role), so I didn't punch any additional holes through the firewall. I think the wording of these policies is probably poor, as I believe the intention is to say "don't acknowledge rules created in any other way - just do what Intune tells you". Could be wrong in my summary, but I'm certainly working happily now on the Default Switch with that change.
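A PowerShell audit of the two conditions discussed in this thread (whether each firewall profile still merges locally created rules, and whether enabled inbound UDP allow rules cover ports 53, 67 and 68). This is an added example, not code from any poster; the adapter alias "vEthernet (Default Switch)" and the rule name are assumptions.

```powershell
# Added example (not from this thread): audit the two conditions discussed above.
# Assumptions: the Default Switch host adapter is named "vEthernet (Default Switch)",
# and the rule display name below is our own choice.
$requiredPorts = @('53', '67', '68')   # DNS, DHCP server, DHCP client (all UDP)

# 1. Does each profile still merge locally defined rules? When the baseline sets
#    "Apply local firewall rules" to No, AllowLocalFirewallRules reads False and the
#    auto-created Hyper-V rules are ignored on that profile (Public in this thread).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules

# 2. Which enabled inbound UDP allow rules cover the ports the Default Switch needs,
#    and do they come from the local store or from Group Policy?
function Get-DefaultSwitchInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallPortFilter
            if ($filter.Protocol -eq 'UDP') {
                $ports = @($filter.LocalPort)
                $hit = $requiredPorts |
                    Where-Object { ($ports -contains $_) -or ($ports -contains 'Any') }
                if ($hit) {
                    [pscustomobject]@{
                        DisplayName = $rule.DisplayName
                        Profile     = $rule.Profile
                        LocalPort   = ($ports -join ',')
                        Source      = $rule.PolicyStoreSourceType   # Local vs GroupPolicy
                    }
                }
            }
        }
}
Get-DefaultSwitchInboundRules | Format-Table -AutoSize

# 3. If only a Local-source rule covers 53/67/68 on a profile that ignores local rules,
#    an equivalent rule must come from policy (GPO/Intune). The command below shows the
#    shape of that rule, scoped to the Default Switch adapter only; -WhatIf means it
#    only reports what it would create.
New-NetFirewallRule -DisplayName 'Hyper-V Default Switch DHCP/DNS (inbound)' `
    -Direction Inbound -Protocol UDP -LocalPort $requiredPorts -Action Allow `
    -InterfaceAlias 'vEthernet (Default Switch)' -Profile Any -WhatIf
```

Run it in an elevated session; step 2 confirms the poster's observation that an allow rule already exists, and step 1 tells you whether the profile is actually honouring it.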

@mattgailer 

Thank you sir. Will test this and come back with results. :)

Edit: It worked right away! Had a VM open, unassigned me from Security Baseline, synced with Company Portal, and suddenly the VM got an IP and all is good.