I was asked to look at an issue on a customer account where, when a server VM used as a XenApp Dynamic Desktop server was moved from the Computers OU to the desired destination OU and gpupdate was run, the D and E drives suddenly became inaccessible. They could be seen in “My Computer” and also in “Disk Management”, but were only listed as NTFS with no used/free space shown in My Computer, despite me having admin rights.
Obviously this had to be caused by policy as that’s the difference between moving the VM into the new OU and running gpupdate.
I reviewed the policies; there weren’t a vast number, but none appeared to have anything about locking down local fixed drives.
The key word there is FIXED. There was a setting in one GPO under the section:
Administrative Templates/System/Removable Storage Access
All Removable Storage classes: Deny all access
which was there to lock down USB drives etc.
But these were fixed drives... or were they?
Well, this is where VMware is clever and Windows hasn’t quite caught up, or you might argue VMware is TOO clever.
The SCSI controller provided by VMware is detected as hotplug. You can confirm this by going to the system tray and clicking the eject/remove drive icon.
Fortunately, as the VM booted from it, C can’t be ejected, but the other drives were therefore seen as removable storage and locked down.
Two solutions present themselves here. One is to change the GPO. This is a VM on a host in a secure data center. No-one’s plugging a USB into that host and mapping it to the VM via vCenter or DirectPath any time soon.
However, there is a VMware workaround. You can disable the hotplug functionality of the SCSI controller driver, thereby “un-confusing” Windows.
Simply edit the VM configuration under the settings options/general/configuration parameters and add the setting
devices.hotplug and set the value to false
as described here.
A reboot later, Windows now knows these aren’t removable drives and all is well with the world.
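
A scripted version of the check described above, run inside the guest before and after the change. This is an added example, not part of the original post. It assumes the "Deny all access" policy is stored as the `Deny_All` value under the `RemovableStorageDevices` policy key and that the hotplug status shows up in the controller's `Capabilities` bits; the function name `Get-ControllerRemovalState` is hypothetical.

```powershell
# Added diagnostic example; run inside the Windows guest.
# Registry value written by "All Removable Storage classes: Deny all access".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$policy    = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
$denyAll   = ($null -ne $policy) -and ($policy.Deny_All -eq 1)

# CM_DEVCAP_* capability bits (cfgmgr32.h).
$EjectSupported = 0x2
$Removable      = 0x4

function Get-ControllerRemovalState {
    # Reads the Capabilities value Windows records for each storage controller.
    Get-CimInstance -ClassName Win32_SCSIController | ForEach-Object {
        $enumKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\$($_.PNPDeviceID)"
        $props   = Get-ItemProperty -LiteralPath $enumKey -ErrorAction SilentlyContinue
        $caps    = if ($props -and $null -ne $props.Capabilities) { [int]$props.Capabilities } else { 0 }
        [pscustomobject]@{
            Controller     = $_.Name
            Capabilities   = '0x{0:X}' -f $caps
            Removable      = [bool]($caps -band $Removable)
            EjectSupported = [bool]($caps -band $EjectSupported)
        }
    }
}

$controllers = @(Get-ControllerRemovalState)
$disks = Get-CimInstance -ClassName Win32_DiskDrive |
    Select-Object Index, Model, InterfaceType, MediaType

"Deny_All removable storage policy applied: $denyAll"
$controllers | Format-Table -AutoSize
$disks | Format-Table -AutoSize

# Flag the combination described in the post: policy active and a controller
# that Windows treats as removable or ejectable.
if ($denyAll -and ($controllers | Where-Object { $_.Removable -or $_.EjectSupported })) {
    Write-Warning 'Deny-all policy is active and a storage controller reports as removable/ejectable; disks behind it may be blocked.'
}
```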