Server Core/Hyper-V Server specific Group Policies

In our little digital wonderland, we are compelled encouraged by our security department to apply some rather draconian Group Policy Objects.  It’s a PITA, but security doesn’t care.  Since I’ve been doing these for a while, I can usually see whether or not a particular setting will f*** us before it’s implemented.  But considering there’s like three quadrillion settings, sometimes even I can’t always predict what will happen.  Here’s a little ditty about one of those times:

I was logged in on a remote session to one of our Server Core installs.  If I remember correctly, I was trying to install an unsigned driver (it was a DSM for MPIO to our SANs, for all you standard nerds).  Well, just like that hot chick you bumped into at the bar last week… the promised call never came.  No error, no freeze, nothing.  Just a new command prompt line.

After much heartache, we found that the culprit was two UAC policy settings:
– User Account Control: Admin Approval Mode for the Built-in Administrator Account (Enabled)
– User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (3)
(Both of these are found in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | User Account Control)

Now I can’t say whether it was the fact that the exe was unsigned, or that it expected UAC, but the installer was blocked from starting.  So how to fix this?  Easy!  With another GPO that overrides the offending settings to Disabled and Elevate without prompting, respectively.  Scope this GPO to apply only to the Server Core machine and you’ll make your SAs AND security happy!

Not content to leave well enough alone, I wasn’t satisfied with listing every single Server Core machine in the GPO scope.  Nope.  If you know me, you know I don’t like to half-ass anything; I’m a whole-ass kind of guy.  This is where WMI (where have you been all my life? I love you!) comes in.

In Group Policy Management, create a new WMI filter in the WMI Filters node.  Give the filter a clever name (like Server Core Only).  For the query, use the default root\CIMv2 namespace and the following query text:

SELECT * FROM Win32_OperatingSystem
WHERE OperatingSystemSKU = 12
OR OperatingSystemSKU = 13
OR OperatingSystemSKU = 14
OR OperatingSystemSKU = 42

Assign this filter to your GPO and you can fuggedaboutit.  In case you’re wondering where I got the SKUs, they can be found here: (search for OperatingSystemSKU).  Note that SKU 42 is not listed; this is for Hyper-V Server.
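To confirm the scoping before you walk away, the following added example (not from the original post) runs the same WQL query the filter uses and reads the two UAC settings from the registry, so you can see whether a host is in scope and whether the relaxed settings ended up anywhere they shouldn't. The function name Get-UacOverrideState is hypothetical; it assumes PowerShell 3.0 or later, and PowerShell remoting when -ComputerName is used.

```powershell
# Added example (hypothetical helper name); the WQL text is the filter query from the post.
$FilterQuery = 'SELECT * FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 ' +
               'OR OperatingSystemSKU = 13 OR OperatingSystemSKU = 14 OR OperatingSystemSKU = 42'

function Get-UacOverrideState {
    param([string[]]$ComputerName)

    $check = {
        param($Query)
        # A WMI filter passes when its query returns at least one instance.
        $inScope = @(Get-CimInstance -Query $Query).Count -gt 0
        $sku = (Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU

        # Registry values written by the two UAC policies named in the post.
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $uac = Get-ItemProperty -Path $key
        $builtIn = $uac.FilterAdministratorToken    # 1 = Admin Approval Mode enabled, 0 = disabled
        $prompt  = $uac.ConsentPromptBehaviorAdmin  # 0 = elevate without prompting, 3 = prompt for credentials
        $relaxed = ($builtIn -eq 0) -and ($prompt -eq 0)

        $finding = if ($inScope -and $relaxed) { 'Override in effect, host is in filter scope' }
            elseif ($inScope) { 'In scope, override not applied yet (run gpupdate, check the GPO link)' }
            elseif ($relaxed) { 'REVIEW: relaxed UAC on a host the filter does not match' }
            else { 'Out of scope, baseline UAC settings' }

        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            OperatingSystemSKU   = $sku
            FilterMatches        = $inScope
            AdminApprovalBuiltIn = $builtIn
            ElevationPrompt      = $prompt
            Finding              = $finding
        }
    }

    if ($ComputerName) {
        # Run the same check on remote hosts (requires PowerShell remoting).
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $FilterQuery
    } else {
        & $check $FilterQuery
    }
}

# Local check; pass -ComputerName with a list of hosts to audit several machines.
Get-UacOverrideState | Format-List
```

A REVIEW finding on a full (GUI) install means the override GPO is reaching machines outside the WMI filter, which is the case the filter is there to prevent.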

Don’t say I never helped you out…

