vSphere VM Hotplug functionality confuses AD GPO and locks out non system drives

I was asked to look at an issue on a customer account: when a server VM used as a XenApp Dynamic Desktop server was moved from the Computers OU to its intended destination OU and gpupdate was run, the D and E drives suddenly became inaccessible. They could still be seen in “My Computer” and in “Disk Management”, but My Computer listed them only as NTFS with no used/free space, despite my having admin rights.


Obviously this had to be caused by policy, since moving the VM into the new OU and running gpupdate was the only thing that had changed.


I reviewed the policies. There weren’t a vast number, and none appeared to contain anything about locking down local fixed drives.

The key word there is FIXED. One GPO did have a setting under

Administrative Templates/System/Removable Storage Access

namely

All Removable Storage classes: Deny all access

which was there to lock down USB drives and the like.

But these were fixed drives… or were they?

Well, this is where VMware is clever and Windows hasn’t quite caught up; or you might argue VMware is TOO clever.

The SCSI controller provided by VMware is detected as hotplug. You can confirm this by going to the system tray and clicking the eject/remove drive icon:

[Screenshot: the Safely Remove Hardware list showing the VM’s disks]

Fortunately, because the system booted from it, C cannot be ejected, but the other drives were consequently seen as removable storage and locked down.
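To see the same thing without clicking through the tray icon, here is an added PowerShell check (my own example, not from the original post) that lists each disk with the removal policy Windows has assigned to it and whether the “Deny all access” policy is in force on the machine. It assumes Windows 8 / Server 2012 or later for the PnpDevice module, that the `DEVPKEY_Device_RemovalPolicy` property is what the Safely Remove list is driven by, and that the GPO writes the `Deny_All` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices`; run it in an elevated session on the VM.

```powershell
# Added example (not from the original post): which disks does Windows consider
# hot-removable, and is "All Removable Storage classes: Deny all access" applied?
# Assumes Windows 8 / Server 2012+ (PnpDevice module). Run elevated on the VM.

# Values of the DEVPKEY_Device_RemovalPolicy device property (assumption: this is
# the property behind the Safely Remove Hardware list).
$RemovalPolicy = @{
    1 = 'ExpectNoRemoval'        # fixed; not offered for ejection
    2 = 'ExpectOrderlyRemoval'   # hot-pluggable; shown in the eject list
    3 = 'ExpectSurpriseRemoval'  # hot-pluggable; may be removed without warning
}

function Get-HotplugDisk {
    # One object per present disk device: removal policy plus the drive letters on it.
    Get-PnpDevice -Class DiskDrive -PresentOnly | ForEach-Object {
        $dev = $_
        $pol = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_RemovalPolicy').Data
        # Walk Win32_DiskDrive -> Win32_DiskPartition -> Win32_LogicalDisk to get letters.
        $disk = Get-CimInstance Win32_DiskDrive |
            Where-Object { $_.PNPDeviceID -eq $dev.InstanceId }
        $letters = @()
        if ($disk) {
            $parts = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
            foreach ($p in $parts) {
                $letters += (Get-CimAssociatedInstance -InputObject $p -ResultClassName Win32_LogicalDisk).DeviceID
            }
        }
        [pscustomobject]@{
            Device        = $dev.FriendlyName
            RemovalPolicy = $RemovalPolicy[[int]$pol]
            Drives        = ($letters -join ',')
            Hotpluggable  = ([int]$pol -ne 1)
        }
    }
}

function Test-RemovableStorageDenyAll {
    # True when the GPO "All Removable Storage classes: Deny all access" is applied.
    # Registry location is an assumption based on where that policy writes its value.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $v = Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Deny_All -eq 1)
}

$disks = Get-HotplugDisk
$disks | Format-Table -AutoSize
if ((Test-RemovableStorageDenyAll) -and ($disks | Where-Object Hotpluggable)) {
    Write-Warning 'Deny_All is in force and at least one disk is reported as hot-pluggable: expect those volumes to be blocked.'
}
```

On the VM in the post you would expect the boot disk to show `ExpectNoRemoval` and the D and E disks to show an orderly or surprise removal policy, which is exactly the combination the warning at the end flags.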

Two solutions present themselves. One is to change the GPO. This is a VM on a host in a secure data center; no-one is plugging a USB stick into that host and mapping it to the VM via vCenter or DirectPath any time soon.

However, there is a VMware workaround: you can disable the hotplug functionality of the SCSI controller, thereby “un-confusing” Windows.

Simply edit the VM configuration under Settings > Options > General > Configuration Parameters and add the setting

devices.hotplug with the value false

as described here:

VMware KB: Disabling the HotAdd/HotPlug capability in ESXi 5.x and ESXi/ESX 4.x virtual machines

One reboot later, Windows knows these aren’t removable drives and all is well with the world.
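For more than a handful of VMs the hand edit in the vSphere Client gets old quickly, so here is an added PowerCLI version (my own example, not code from the post or from the VMware KB) that sets `devices.hotplug` to `false` on a named VM and reports which other VMs still have hotplug enabled. It assumes the VMware.PowerCLI module and an existing `Connect-VIServer` session; the VM name is a placeholder.

```powershell
# Added example (not from the original post or the VMware KB): apply the
# devices.hotplug = false workaround with PowerCLI instead of the client UI.
# Assumes VMware.PowerCLI is loaded and Connect-VIServer has already been run.

function Disable-VMHotplug {
    param(
        [Parameter(Mandatory)] [string] $VMName
    )
    $vm = Get-VM -Name $VMName
    if ($vm.PowerState -ne 'PoweredOff') {
        # VMX parameters are read when the VM is powered on, so the guest must
        # be restarted as the post describes before Windows sees the change.
        Write-Warning "$VMName is $($vm.PowerState); the new value takes effect at next power-on."
    }
    $existing = Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug'
    if ($existing) {
        Set-AdvancedSetting -AdvancedSetting $existing -Value 'false' -Confirm:$false | Out-Null
    } else {
        New-AdvancedSetting -Entity $vm -Name 'devices.hotplug' -Value 'false' -Confirm:$false | Out-Null
    }
    # Return the value as vCenter now reports it so the caller can verify.
    (Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug').Value
}

function Get-VMWithHotplugEnabled {
    # Inventory helper: VMs where devices.hotplug is absent or not 'false',
    # i.e. where the GPO described in the post would still lock the data disks.
    Get-VM | Where-Object {
        $s = Get-AdvancedSetting -Entity $_ -Name 'devices.hotplug'
        -not $s -or $s.Value -ne 'false'
    } | Select-Object Name, PowerState
}

Disable-VMHotplug -VMName 'XENAPP-DD-01'   # placeholder VM name
Get-VMWithHotplugEnabled | Format-Table -AutoSize
```

The function returns the value vCenter holds after the change, so a quick `-eq 'false'` on its result is enough to confirm the setting landed before you schedule the reboot.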
