vSphere VM Hotplug functionality confuses AD GPO and locks out non system drives

I was asked to look at an issue on a customer account: when a server VM, used as a XenApp Dynamic Desktop server, was moved from the Computers OU to its intended destination OU and gpupdate was run, the D and E drives suddenly became inaccessible. They could be seen in “My Computer” and in “Disk Management”, but My Computer listed them only as NTFS with no used/free space, even though I had admin rights.

Obviously this had to be caused by policy, since applying the new OU's policy is the only thing that moving the VM and running gpupdate changes.

I reviewed the policies; there weren't a vast number, but none appeared to contain anything about locking down local fixed drives.

The key word there is FIXED.  There was a setting in one GPO under the section

Administrative Templates/System/Removable Storage Access

for

All Removable Storage classes: Deny all access

which was there to lock down USB drives and the like.

But these were fixed drives... or were they?

Well, this is where VMware is clever and Windows hasn't quite caught up, or, you might argue, VMware is TOO clever.

The SCSI controller provided by VMware is detected as a hotplug device. You can confirm this by going to the system tray and clicking the eject/remove drive icon: the VM's disks are listed there.

Fortunately, since the VM booted from C:, that drive can't be ejected, but the other drives were therefore seen as removable storage and locked down.

Two solutions present themselves here. One is to change the GPO. This is a VM on a host in a secure data center; no one is plugging a USB drive into that host and mapping it to the VM via vCenter or DirectPath any time soon.

However, there is a VMware workaround. You can disable the hotplug functionality of the SCSI controller driver, thereby “un-confusing” Windows.

Simply edit the VM configuration under Settings > Options > General > Configuration Parameters and add the setting

disable.hotplug and set the value to false

as described here.

VMware KB: Disabling the HotAdd/HotPlug capability in ESXi 5.x and ESXi/ESX 4.x virtual machines

A reboot later, Windows knows these aren't removable drives and all is well with the world.
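As an added example (not code from the original post or from VMware), here is a PowerCLI script that audits every VM in the inventory for the hotplug parameter and optionally sets it to false on the VMs you name, going beyond the single-VM GUI edit described above. It uses the parameter name devices.hotplug as given in the comment below and in the linked VMware KB; $VIServer and $VMName are the script's own assumed inputs.

```powershell
# Added example, not code from the original post or from VMware.
# Assumes VMware PowerCLI is installed and the account can edit VM configuration.
# Parameter name "devices.hotplug" is the one given in the comment on this post
# and in the VMware KB the post links to; $VIServer and $VMName are this script's inputs.
param(
    [Parameter(Mandatory)] [string] $VIServer,
    [string[]] $VMName = @(),   # VMs to remediate; empty = audit only
    [switch]   $Apply           # without -Apply nothing is changed
)

Connect-VIServer -Server $VIServer | Out-Null

# Report whether a VM still presents its SCSI disks as hot-pluggable (and so as
# "removable storage" to the Windows GPO described in the post).
function Get-HotplugState($VM) {
    $s = Get-AdvancedSetting -Entity $VM -Name 'devices.hotplug' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name          = $VM.Name
        PowerState    = $VM.PowerState
        Parameter     = if ($s) { $s.Value } else { '<not set>' }
        # Hotplug stays active unless the parameter is explicitly false.
        HotplugActive = -not ($s -and ("$($s.Value)" -eq 'false'))
    }
}

# Set devices.hotplug = false; the change takes effect on the VM's next power cycle.
function Disable-Hotplug($VM) {
    $s = Get-AdvancedSetting -Entity $VM -Name 'devices.hotplug' -ErrorAction SilentlyContinue
    if ($s) {
        Set-AdvancedSetting -AdvancedSetting $s -Value 'false' -Confirm:$false | Out-Null
    } else {
        New-AdvancedSetting -Entity $VM -Name 'devices.hotplug' -Value 'false' -Confirm:$false | Out-Null
    }
}

# Audit every VM so the ones still exposed to the removable-storage GPO stand out.
$report = Get-VM | ForEach-Object { Get-HotplugState $_ }
$report | Sort-Object HotplugActive -Descending | Format-Table -AutoSize

if ($Apply -and $VMName.Count -gt 0) {
    foreach ($vm in Get-VM -Name $VMName) {
        Disable-Hotplug $vm
        Write-Host "devices.hotplug=false set on $($vm.Name); power-cycle the VM to apply."
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it without -Apply first to see which VMs still have hotplug active; only VMs named in -VMName are changed when -Apply is given.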

Comments

We ran into a similar problem. In our case we found that it only happened to our Windows Server 2012 VMs in ESXi. We found two resolutions, we could downgrade the SCSI controller driver inside of the Device Manager or we could disable the hotadd capability on each machine.

The correct setting is "devices.hotplug" false. Not "disable.hotplug", which BTW doesn't make sense.

Version history: revision 1 of 1. Last update: 09-22-2014 04:01 AM.