Can't add domain users to Hyper-V Admin group

[msft-mbrant]

Dev Home version

0.1401.505.0

Windows build number

10.0.22631.3593

Other software

No response

Steps to reproduce the bug

Dev Home is asking me to add my user account to the Hyper-V admin groups on my domain joined machine. However, when looking at the group in Computer Management, I can only add local computer users to this local group.

Is the Hyper-V Admin Group membership really needed? I'm already Admin on my box and Hyper-V administration works just fine as an Admin.

Expected result

Local admins should be able to use Dev Home Hyper-V functions without being a member of Hyper-V Admin group as non-local accounts can't join this group.

Actual result

Dev Home refused to use Hyper-V because I'm not in the Hyper-V Admin Group on my machine, even though I have full control over Windows, hardware and Hyper-V

Included System Information

No response

Included Extensions Information

No response

[github-actions[bot]]

Hi I'm an AI powered bot that finds similar issues based off the issue title.

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it. Thank you!

Open similar issues:

• Hyper-V not enabled message confusing (#2784), similarity score: 0.75

Note: You can give me feedback by thumbs upping or thumbs downing this comment.

[msft-mbrant]

As a workaround for the Computer Management GUI not allowing non-local users in the local Hyper-V Admin group, Marc-André on social media pointed me to this piece of code:

$CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name if (-Not (Get-LocalGroupMember -Group "Hyper-V Administrators" -Member $CurrentUser -ErrorAction SilentlyContinue)) { Add-LocalGroupMember -Group "Hyper-V Administrators" -Member @($CurrentUser) }

[bbonaby]

Hey @msft-mbrant , the reason why we prompt you to be added into the Hyper-V administrators group is because Dev Home does not run as admin. In order for the Hyper-V extension to use Hyper-V functionality like the Hyper-V powershell cmdlets (like the Hyper-V extension uses) or the Hyper-V WMI apis, the extensions process needs to be running with administrative privileges or the user needs to be in the Hyper-V Administrators group. (Then either reboot or log off/on again as the change won't take effect for the users logon session until the users security token is updated). That is why we prompt you to be added into the group and ask for you to reboot.

The Hyper-V Manager for example actually runs with elevated privileges: E.g if you change your UAC settings to the following:

you'll see that the next time you launch the Hyper-V manager you'll be prompted with a UAC prompt even though you are an admin to your computer. Under the hood with normal UAC settings the Hyper-V manager is auto elevating and using a mechanism we can't use in Dev Home. I hope that answers your question.

When users are added to this group, they will be able to view and manage their VMs from Dev Home or any software that uses the Hyper-V apis outside of the Hyper-V manager without being in an elevated process.

[msft-mbrant]

I figured as much when I saw the function of the Hyper-V group. The "Add me" button however doesn't work in the DevHome (for me at least) and the Computer Management MMC GUI won't let me add non-local users. So we need to figure out a way we can get non-local users into that group but from a nice GUI. Ideally the button should work or perhaps a note "Run Dev Home as Admin to see Hyper-V Envs" but I guess that has security implications.

[joadoumie]

@btueffers @jsidewhite @bbonaby @nieubank @EricJohnson327 @krschau this is another scenario where we'd want to be leveraging some standard UAC flow in Dev Home. I have a task in the Dependencies tasklist under this issue - https://github.com/microsoft/devhome/issues/2920. I think we should probably convert that to an issue and sync to ensure we are covering all of the necessary scenarios.

[marklnz]

Ideally the button should work or perhaps a note "Run Dev Home as Admin to see Hyper-V Envs" but I guess that has security implications.

I tried running Dev Home as an admin but it seems there are more issues with that ... I get an error stating that I have to "Install an extension that supports environments and refresh the page"

I do have extensions that support environments installed, and I can see those in the "Provider" dropdown when I open Dev Home with my usual (domain) account.