All posts by eric

Installation Configuration: Hyper-V Server 2012 R2

Upon first boot of Hyper-V Server 2012 R2 you are presented with a blue Server Configuration window

sconfig window in Hyper-V Server 2012
sconfig window in Hyper-V Server 2012

This window is called automatically by the system but it can be found in C:\Windows\System32

(Read more about Sconfig.cmd here:

If you closed the window you can always access it via command line by typing:

Helpful tip for Core mode: If you closed the command prompt and have nothing on the screen, press CTRL + ALT + END

Even after enabling Remote Management, I was not able to connect to my server via RDP. I enabled ping in the sconfig Network Settings to ensure that I could see the server from my desktop, and while ping was successful I still could not open a RDP session to manage my Core installation.

I figured it was the firewall, so I disabled it completely:

netsh advfirewall set currentprofile state off
Turning off the firewall with netsh

After turning the firewall off in its current profile I was able to successfully remote in to my Hyper-V Server 2012 R2 installation and finish up my settings.

Since this is a home lab setup, I am fine with the firewall being off. In a domain environment, you might turn the firewall off as well (depending on your security protocols).


At first I did not want to disable the firewall completely so I went down the path of figuring out why I could not RDP to my server. This turned out to be somewhat of a challenge.

I started by checking out the Remote Desktop rules. This command will return the name of the Remote Desktop rule and whether it is enabled:

get-netfirewallrule -displaygroup "remote desktop" | format-table name, enabled -autosize
List of firewall rules that are part of the "Remote Desktop" group
List of Windows Firewall rules that are part of the “Remote Desktop” group

If we had run this command prior to using sconfig to enable Remote Desktop, we would only see the first three rules. The second three rules are added and enabled when we use sconfig to enable Remote Desktop. The first three rules are not enabled, but the GUID rules are enabled.  Why did sconfig create three new rules to enable Remote Desktop?

You can see here that the GUID rule (the first in the image, after I renamed it from the GUID to match the DisplayName) matches the second rule shown: “RemoteDesktop-UserMode-In-TCP” (no spaces), except for the Profile attribute, which for the GUID rule (top) is Domain, Private and for the built-in rule (bottom) is Public.

Caption TBD
GUID Rule (top, renamed), Built-In rule (bottom)
(Read my post on renaming firewall rules with PowerShell)

Still, Remote Desktop is not enabled, so we can enable the three rules that are not enabled:

enable-netfirewallrule -displaygroup "remote desktop"
Enabling all rules in the "Remote Desktop" group
Enabling all rules in the “Remote Desktop” group

Another check of the rules:

Now all rules in the "Remote Desktop" group are enabled
Now all rules in the “Remote Desktop” group are enabled

Remote Desktop rules are all now enabled and I was able to successfully RDP to my server!

These steps would be the same for the full version of Windows Server 2012 R2 Core Edition Standard or Datacenter.

But WHY?!

I ended up figuring all of this out after a re-install of Hyper-V Server 2012 R2. What happened was that sconfig added the firewall rules for RDP (the GUID rules), but it added them for the Domain and Private firewall profiles. My server was set on the Public profile. Therefore, the rules that were added via sconfig were not applicable. Why does this happen out of the box? I suppose that is a question for Microsoft.

In the end I simply added the Domain and Private Profiles to the built-in rules, then enabled the group as above. I did NOT enable Remote Desktop with sconfig because I did not want it to add those three “extra” GUID rules. I suppose if you were going to have multiple connections using different firewall profiles then you would want separate rules, but this is for a lab setup and I like to make things less confusing!

In order to add the Domain and Private profiles to the built-in firewall rules, I used the following command. I included the Public profile just to be complete, even though it is already part of that rule:

set-netfirewallrule -name remotedesktop-shadow-in-tcp -profile Domain,Private,Public
Add Domain and Private profiles to the existing firewall rules
Add Domain and Private profiles to the existing firewall rules
All firewall profiles are now part of the built-in firewall rule
All firewall profiles are now part of the built-in firewall rule

Now repeat this command for your other two rules:


Happy Administration!