PowerShell Direct Deep Dive #HyperV #WS2016 #PowerShell

Hello folks,

Microsoft introduced a new feature in Windows Server 2016 called PowerShell Direct.

What is PowerShell Direct?

PowerShell Direct lets you run PowerShell from the Hyper-V host operating system directly inside a virtual machine's guest operating system (specifically Windows 10 and Windows Server 2016) without any network configuration, or any network at all. The virtual machine does not even need a vmNIC attached, and you do not need to configure WinRM.

By leveraging the VMBus architecture of Hyper-V, we are literally bypassing all the requirements for networking, firewall, remote management, and access settings. It’s really a fantastic feature.

[Image: Hyper-V high-level architecture]

PowerShell Direct Syntax

Enter-PSSession -VMName VMName -Credential (Get-Credential)

Invoke-Command -VMName VMName -Credential (Get-Credential) -ScriptBlock { Commands }

You can use either Enter-PSSession or Invoke-Command, but instead of specifying the computer name you specify the virtual machine with one of two parameters: -VMName or -VMGuid.

[Image: PoSh-Direct01]

PowerShell Direct Requirement

On the host side, you need to be a member of the Hyper-V Administrators group, because you need access to your virtual machines in the first place. If you are able to run Get-VM on the host, you can use PowerShell Direct. On the guest side, you can use any credentials that are valid in the guest OS, and the session is limited to what those credentials allow, so you can run as Administrator or as a standard user depending on what you need to do.

One important point to mention: PowerShell Direct relies on PowerShell Remoting, so you need to be able to run PowerShell Remoting in order to use PowerShell Direct.

Update: PowerShell Direct DOES NOT in any way require PowerShell Remoting. You can even stop the WinRM service on the host and in the guest and PowerShell Direct will work. 

PowerShell Direct Limitation

You can run PowerShell in your virtual machine directly from the host operating system, but you also need to get things in and out of the virtual machine, and file copy is not available at the moment. Hopefully this will change in the near future. Please use UserVoice to vote for VM file copy. What about Linux guests and SSH? For now, you can use PowerShell Direct with Windows 10 or above as the guest OS.

Would you like to use PowerShell Direct with Windows 8.1 and Windows Server 2012 R2? Please vote here.

What Can You Do With PowerShell Direct?

In short, you can do everything. You can script an entire environment end to end using PowerShell Direct.

In this quick demo, I will show you how to set up a new domain controller inside a virtual machine from the host using PowerShell Direct.

This script is based on a Sysprepped VM with no configuration.

The nifty waitForPSDirect function is borrowed from Mr. Hyper-V Ben Armstrong (Principal program manager lead for Hyper-V at Microsoft). 

Here you go… 3 minutes later and you have a cooked Domain Controller ready to serve ;-)

[Image: PoSh-Direct09]

How to Protect Virtual Machine from PowerShell Direct?

PowerShell Direct is a fantastic feature! Why would you want to disable it for a virtual machine?

In certain scenarios, for example, the admin who manages the virtual machines is not the same person who manages the fabric, or in a hosting environment the tenant wants to block PowerShell Direct. As I mentioned earlier in this post, though, you need guest credentials in order to use PowerShell Direct.

You can protect a virtual machine from PowerShell Direct by disabling the “Hyper-V VM Session Service” inside the virtual machine.

Let’s see this in action. I have a VM here called SCVMM-TP3. If we query all Hyper-V services inside the guest from the host, we can see 8 services up and running. The service that PowerShell Direct relies on is highlighted in yellow in the figure below.

[Image: PoSh-Direct05]

I will disable and stop the Hyper-V VM Session Service by running the following cmdlet from the host.

[Image: PoSh-Direct06]

Please note that stopping the service alone is not enough: the Hyper-V services inside the guest are set to Manual (Trigger Start), so if you only stop the service and then try to use PowerShell Direct, the service will start again :-)

Let’s try and query Hyper-V VM Session Service again after we stopped and disabled the service.

[Image: PoSh-Direct07]

Did you notice something? The service is stopped, but we are still able to use PowerShell Direct. Disabling and stopping the service is not enough; you also need to restart the guest OS in order to disable PowerShell Direct completely. Let’s restart the guest OS and try the operation again.

[Image: PoSh-Direct08]

PowerShell Direct is completely disabled now. If you enable and start the service again within the guest, you can start using PowerShell Direct without restarting the guest OS.

By disabling and stopping the Hyper-V VM Session Service, no one can access the virtual machine using PowerShell Direct even if the user credentials are compromised. 
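The procedure above as one host-side script. This is an added example, not the code from the post's screenshots: it reuses the VM name SCVMM-TP3 from the post, assumes the service name vmicvmsession for the Hyper-V VM Session Service, and Test-PSDirect is a hypothetical helper.

```powershell
# Added example; run on the Hyper-V host in an elevated session.
# Assumptions: VM name from the post, service name 'vmicvmsession'
# for the "Hyper-V VM Session Service", 5-minute boot timeout.
$VMName = 'SCVMM-TP3'
$Cred   = Get-Credential -Message "Guest administrator for $VMName"

function Test-PSDirect {
    # Returns $true if any PowerShell Direct probe completes in the guest.
    param([string]$Name, [pscredential]$Credential, [int]$Attempts = 1)
    for ($i = 0; $i -lt $Attempts; $i++) {
        try {
            Invoke-Command -VMName $Name -Credential $Credential -ErrorAction Stop `
                -ScriptBlock { $env:COMPUTERNAME } | Out-Null
            return $true
        } catch {
            Start-Sleep -Seconds 5   # guest may still be booting; retry
        }
    }
    return $false
}

# 1. Disable first, then stop. A service that is only stopped stays on
#    Manual (Trigger Start) and is started by the next connection.
#    -ErrorAction Stop also proves the credential works before step 3.
Invoke-Command -VMName $VMName -Credential $Cred -ErrorAction Stop -ScriptBlock {
    Set-Service  -Name vmicvmsession -StartupType Disabled
    Stop-Service -Name vmicvmsession -Force
    Get-Service  -Name vmicvmsession | Select-Object Name, Status, StartType
}

# 2. Sessions keep working until the guest restarts, so cycle the VM
#    and wait for the heartbeat integration service to report healthy.
Stop-VM  -Name $VMName -Force
Start-VM -Name $VMName
$deadline = (Get-Date).AddMinutes(5)
while ((Get-VM -Name $VMName).Heartbeat -notlike 'Ok*' -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
}

# 3. Verify from the host: every probe must fail once the guest is up.
if (Test-PSDirect -Name $VMName -Credential $Cred -Attempts 6) {
    Write-Warning "PowerShell Direct is still reachable on $VMName"
} else {
    Write-Output "PowerShell Direct is blocked on $VMName"
}
```

A tenant without host access can run the two service commands from step 1 inside the guest and restart it; the host-side probe in step 3 is what confirms the result.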

What about Shielded VMs? PowerShell Direct is disabled by default on shielded virtual machines at the time of writing this post.

Note: This is based on the current Windows Server 2016 Technical Preview 4 build; please note that things might change in the next bits…

Thanks to the Hyper-V team for delivering value added services and capabilities on an ongoing basis.

Until then… enjoy your weekend!

Cheers,
-Charbel

Author: Charbel Nemnom