Install Hyper-V and add the current user to Hyper-V Administrators

So, a customer of mine wanted to install Hyper-V and add the current user to Hyper-V Administrators. They wanted to use Hyper-V on their Intune-managed devices to run virtual machines, so that they have a test device in Intune and a sequencing machine to develop application packages and App Control policies.

TLDR: The scripts are at the bottom of the page.

I immediately figured that a PowerShell script could install the role and add a user to the group. I chose Remediations to deploy these via Intune to the targeted devices.

Firstly, we need to install the Hyper-V role by using PowerShell. You can do so by using this:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients -NoRestart

There was a caveat, though. The script must run in system context to install the Hyper-V role, but it also needs to add the current user as a Hyper-V administrator.

So, I logged on to my Intune test device and opened PowerShell. After that, I executed PSExec to get into system context:

After that, I queried the machine for the logged-on user:

You can see that the username has a “>” in front of it:

We need to remove that character. You can do so by using this code:

We now have the correct username and we need to add “AzureAD\” and “@yourdomain.com”. This code helps you to do so:

Lastly, we can add the user to the group:

After that, the current user can start Hyper-V Manager on their Intune-managed device:

And if we bind this all together we have a detection script:

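# Query the state of the hypervisor and of the management tools
$Hyper_v_Full = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor).State
$Hyper_V_GUI = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients).State

Start-Transcript "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\WindowsLogsHyper-V-Detect.log"

if ($Hyper_v_Full -eq "Disabled" -or $Hyper_V_GUI -eq "Disabled") {
    Write-Output "Hyper-V is not fully enabled"
    # Stop the transcript before exiting; nothing after Exit runs
    Stop-Transcript
    Exit 1   # not compliant: Intune runs the remediation script
}
else {
    Write-Output "Hyper-V is enabled"
    Stop-Transcript
    Exit 0   # compliant
}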

And a remediation script:

# Microsoft-Hyper-V-Hypervisor remediation
$Hyper_v_Full = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor).State
$Hyper_V_GUI = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients).State

Start-Transcript "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\WindowsLogsHyper-V-Remediation.log"

if ($Hyper_v_Full -eq "Disabled" -or $Hyper_V_GUI -eq "Disabled") {
    try {
        # -ErrorAction Stop makes a failed install a terminating error, so the catch block runs
        Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart -ErrorAction Stop
        Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients -NoRestart -ErrorAction Stop
        Write-Output "Hyper-V has been enabled"
    }
    catch {
        Write-Error $_.Exception.Message
    }
}

# Turn the column output of `query user` into objects (assumes a single logged-on user)
$User = (query user) -split "\n" -replace '\s\s+', ';' | ConvertFrom-Csv -Delimiter ';'

# Remove the ">" in front of the username
$Username = ($User.username) -replace ">", ""

# Build the account name; replace yourdomain.com with your own domain
$EntraUsername = "AzureAD\" + $Username + "@yourdomain.com"

# Add the user to the local Hyper-V Administrators group
net localgroup "Hyper-V Administrators" $EntraUsername /add

Stop-Transcript
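
Because members of Hyper-V Administrators have unrestricted access to all Hyper-V features, the account that gets added should be resolved deliberately. The following is an added example, not the author's script: it parses `query user` output so that only a single active session is accepted, and adds the account by the group's well-known SID. The function names and the sample session list are constructed for illustration, and English `query user` output is assumed.

```powershell
# Added example (not the author's script). Function names are hypothetical.
# Assumes English `query user` output and the page's AzureAD\<name>@yourdomain.com format.

function Get-ActiveSessionUser {
    param([Parameter(Mandatory)][string[]]$QueryUserOutput)

    # Columns: USERNAME [SESSIONNAME] ID STATE ... (SESSIONNAME is blank when disconnected).
    # The header line never matches because "ID" is not numeric.
    $pattern = '^[\s>]*(?<user>\S+)\s+(?:\S+\s+)?(?<id>\d+)\s+(?<state>\S+)'
    $active = @(foreach ($line in $QueryUserOutput) {
        if ($line -match $pattern -and $Matches['state'] -eq 'Active') { $Matches['user'] }
    })

    # Refuse to guess when zero or several sessions are active
    if ($active.Count -ne 1) { return $null }
    # Accept only a plain account name before it is placed in a principal string
    if ($active[0] -notmatch '^[A-Za-z0-9._-]{1,64}$') { return $null }
    return $active[0]
}

function Add-HyperVAdministrator {
    param([Parameter(Mandatory)][string]$Account)
    try {
        # S-1-5-32-578 is the well-known SID of BUILTIN\Hyper-V Administrators,
        # so the call does not depend on the localized group name.
        Add-LocalGroupMember -SID 'S-1-5-32-578' -Member $Account -ErrorAction Stop
        Write-Output "Added $Account to Hyper-V Administrators"
    }
    catch {
        # A repeat run is not a failure: the account is already in the group
        if ($_.FullyQualifiedErrorId -like 'MemberExists*') {
            Write-Output "$Account is already a member"
        }
        else { throw }
    }
}

# Constructed sample of `query user` output, not captured from a real device
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>jdoe                  console             1  Active      none   1/15/2025 8:02 AM'
    ' asmith                                    3  Disc         1:12  1/14/2025 4:40 PM'
)
$name = Get-ActiveSessionUser -QueryUserOutput $sample
Write-Output "Active user parsed from sample: $name"

# On a managed device, running as SYSTEM, use the live output instead:
#   $name = Get-ActiveSessionUser -QueryUserOutput (query user)
#   if ($name) { Add-HyperVAdministrator -Account "AzureAD\${name}@yourdomain.com" }
```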
