Contents

Virtualization
Guarded fabric and shielded VMs
Hyper-V
Technology Overview
What's new in Hyper-V
System requirements
Supported Windows guest operating systems
Supported Linux and FreeBSD VMs
CentOS and Red Hat Enterprise Linux VMs
Debian VMs
Oracle Linux VMs
SUSE VMs
Ubuntu VMs
FreeBSD VMs
Feature Descriptions for Linux and FreeBSD VMs
Best Practices for running Linux
Best practices for running FreeBSD
Feature compatibility by generation and guest
Get started
Install Hyper-V
Create a virtual switch
Create a virtual machine
Plan
VM Generation
Networking
Scalability
Security
Discrete Device Assignment
Deploy
 Export and import virtual machines
Set up hosts for live migration
Upgrade virtual machine version
Deploy graphics devices using DDA
Deploy storage devices using DDA
Manage
Configuring Persistent Memory Devices for Hyper-V VMs
Choose between standard or production checkpoints
Create a VHD set
Enable or disable checkpoints
Manage hosts with Hyper-V Manager
Manage host CPU resource controls
Using VM CPU Groups
Manage hypervisor scheduler types
About Hyper-V scheduler type selection
Manage Integration Services
Manage Windows VMs with PowerShell Direct
Set up Hyper-V Replica
Move VMs with live migration
Live Migration Overview
Set up hosts for live migration
Use live migration without Failover Clustering
Hyper-V Performance Tuning
Hyper-V Virtual Switch
Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET)
Manage Hyper-V Virtual Switch
Configure and View VLAN Settings on Hyper-V Virtual Switch Ports
Create Security Policies with extended Port Access Control lists
 T IP

Looking for information about older versions of Windows Server? Check out our other Windows Server libraries on
docs.microsoft.com. You can also search this site for specific information.

Virtualization in Windows Server is one of the foundational technologies required to create your software defined infrastructure.
Along with networking and storage, virtualization features deliver the flexibility you need to power workloads for your customers.

Guarded Fabric and Shielded VMs

As a cloud service provider or enterprise private cloud administrator, you can use a guarded fabric to provide a more secure
environment for VMs. A guarded fabric consists of one Host Guardian Service (HGS ) - typically, a cluster of three nodes -
plus one or more guarded hosts, and a set of shielded VMs.

Microsoft Hyper- V Server

The Hyper-V technology provides computing resources through hardware virtualization. Hyper-V creates a software
version of a computer, called a virtual machine, which you use to run an operating system and applications. You can run
multiple virtual machines at the same time, and can create and delete them as needed.

Windows Containers
Windows Containers provide operating system-level virtualization that allows multiple isolated applications to be run on a
single system. Two different types of container runtimes are included with the feature, each with a different degree of
application isolation.

Windows 10 for the enterprise: Ways to use devices for work

The Hyper-V technology provides computing resources through hardware virtualization. Hyper-V creates a software
version of a computer, called a virtual machine, which you use to run an operating system and applications. You can run
multiple virtual machines at the same time, and can create and delete them as needed.

Hyper- V Virtual Switch

The Hyper-V Virtual Switch is a software-based layer-2 Ethernet network switch that is included in all versions of Hyper-V.

Hyper-V Virtual Switch is available in Hyper-V Manager after you install the Hyper-V server role.

Included in Hyper-V Virtual Switch are programmatically managed and extensible capabilities that allow you to connect
virtual machines to both virtual networks and the physical network.

In addition, Hyper-V Virtual Switch provides policy enforcement for security, isolation, and service levels.

Related
Hyper-V requires specific hardware to create the virtualization environment. For details, see System requirements for
Hyper-V on Windows Server 2016.
For more information about Hyper-V on Windows 10, see Hyper-V on Windows 10.
 Guarded fabric and shielded VMs
3/12/2019 • 2 minutes to read • Edit Online

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

One of the most important goals of providing a hosted environment is to guarantee the security of the virtual
machines running in the environment. As a cloud service provider or enterprise private cloud administrator, you
can use a guarded fabric to provide a more secure environment for VMs. A guarded fabric consists of one Host
Guardian Service (HGS ) - typically, a cluster of three nodes - plus one or more guarded hosts, and a set of shielded
virtual machines (VMs).

IMPORTANT
Ensure that you have installed the latest cumulative update before you deploy shielded virtual machines in production.

Videos, blog, and overview topic about guarded fabrics and shielded
VMs
Video: How to protect your virtualization fabric from insider threats with Windows Server 2019
Video: Introduction to Shielded Virtual Machines in Windows Server 2016
Video: Dive into Shielded VMs with Windows Server 2016 Hyper-V
Video: Deploying Shielded VMs and a Guarded Fabric with Windows Server 2016
Blog: Datacenter and Private Cloud Security Blog
Overview: Guarded fabric and shielded VMs overview

Planning topics
Planning guide for hosters
Planning guide for tenants

Deployment topics
Deployment Guide
Quick start
Deploy HGS
Deploy guarded hosts
Configuring the fabric DNS for hosts that will become guarded hosts
Deploy a guarded host using AD mode
Deploy a guarded host using TPM mode
Confirm guarded hosts can attest
Shielded VMs - Hosting service provider deploys guarded hosts in VMM
Deploy shielded VMs
Create a shielded VM template
Prepare a VM Shielding helper VHD
Set up Windows Azure Pack
Create a shielding data file
 Deploy a shielded VM by using Windows Azure Pack
Deploy a shielded VM by using Virtual Machine Manager

Operations and management topic

Managing the Host Guardian Service
 Hyper-V on Windows Server
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016, Windows Server 2019

The Hyper-V role in Windows Server lets you create a virtualized computing environment where you can create
and manage virtual machines. You can run multiple operating systems on one physical computer and isolate the
operating systems from each other. With this technology, you can improve the efficiency of your computing
resources and free up your hardware resources.
See the topics in the following table to learn more about Hyper-V on Windows Server.

Hyper-V resources for IT Pros

TASK RESOURCES

Evaluate Hyper-V

- Hyper-V Technology Overview

- What's new in Hyper-V on Windows Server
- System requirements for Hyper-V on Windows Server
- Supported Windows guest operating systems for Hyper-V
- Supported Linux and FreeBSD virtual machines
- Feature compatibility by generation and guest

Plan for Hyper-V

- Should I create a generation 1 or 2 virtual machine in Hyper-

V?
- Plan for Hyper-V scalability in Windows Server
- Plan for Hyper-V networking in Windows Server
- Plan for Hyper-V security in Windows Server

Get started with Hyper-V

- Download and install Windows Server 2019

Server Core or GUI installation option of Windows

Server 2019 as virtual machine host

- Install the Hyper-V role on Windows Server

- Create a virtual switch for Hyper-V virtual machines
- Create a virtual machine in Hyper-V
 TASK RESOURCES

Upgrade Hyper-V hosts and virtual machines

- Upgrade Windows Server cluster nodes

- Upgrade virtual machine version

Configure and manage Hyper-V

- Set up hosts for live migration without Failover Clustering

- Managing Nano Server remotely
- Choose between standard or production checkpoints
- Enable or disable checkpoints
- Manage Windows virtual machines with PowerShell Direct
- Set up Hyper-V Replica

Blogs

Check out the latest posts from Program Managers, Product

Managers, Developers and Testers in the Microsoft
Virtualization and Hyper-V teams.

- Virtualization Blog
- Windows Server Blog
- Ben Armstrong's Virtualization Blog (archived)

Forum and newsgroups

Got questions? Talk to your peers, MVPs, and the Hyper-V

product team.

- Windows Server Community

- Windows Server Hyper-V TechNet forum

Related technologies
The following table lists technologies that you might want to use in your virtualization computing environment.

TECHNOLOGY DESCRIPTION

Client Hyper-V Virtualization technology included with Windows 8, Windows

8.1 and Windows 10 that you can install through Programs
and Features in the Control Panel.

Failover Clustering Windows Server feature that provides high availability for
Hyper-V hosts and virtual machines.

Virtual Machine Manager System Center component that provides a management

solution for the virtualized datacenter. You can configure and
manage your virtualization hosts, networks, and storage
resources so you can create and deploy virtual machines and
services to private clouds that you've created.

Windows Containers Use Windows Server and Hyper-V containers to provide

standardized environments for development, test, and
production teams.
 Hyper-V Technology Overview
3/12/2019 • 5 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

Hyper-V is Microsoft's hardware virtualization product. It lets you create and run a software version of a computer,
called a virtual machine. Each virtual machine acts like a complete computer, running an operating system and
programs. When you need computing resources, virtual machines give you more flexibility, help save time and
money, and are a more efficient way to use hardware than just running one operating system on physical hardware.
Hyper-V runs each virtual machine in its own isolated space, which means you can run more than one virtual
machine on the same hardware at the same time. You might want to do this to avoid problems such as a crash
affecting the other workloads, or to give different people, groups or services access to different systems.

Some ways Hyper-V can help you

Hyper-V can help you:
Establish or expand a private cloud environment. Provide more flexible, on-demand IT services by
moving to or expanding your use of shared resources and adjust utilization as demand changes.
Use your hardware more effectively. Consolidate servers and workloads onto fewer, more powerful
physical computers to use less power and physical space.
Improve business continuity. Minimize the impact of both scheduled and unscheduled downtime of your
workloads.
Establish or expand a virtual desktop infrastructure (VDI ). Use a centralized desktop strategy with VDI
can help you increase business agility and data security, as well as simplify regulatory compliance and
manage desktop operating systems and applications. Deploy Hyper-V and Remote Desktop Virtualization
Host (RD Virtualization Host) on the same server to make personal virtual desktops or virtual desktop pools
available to your users.
Make development and test more efficient. Reproduce different computing environments without
having to buy or maintain all the hardware you'd need if you only used physical systems.

Hyper-V and other virtualization products

Hyper-V in Windows and Windows Server replaces older hardware virtualization products, such as Microsoft
Virtual PC, Microsoft Virtual Server, and Windows Virtual PC. Hyper-V offers networking, performance, storage
and security features not available in these older products.
Hyper-V and most third-party virtualization applications that require the same processor features aren't
compatible. That's because the processor features, known as hardware virtualization extensions, are designed to
not be shared. For details, see Virtualization applications do not work together with Hyper-V, Device Guard, and
Credential Guard.

What features does Hyper-V have?

Hyper-V offers many features. This is an overview, grouped by what the features provide or help you do.
Computing environment - A Hyper-V virtual machine includes the same basic parts as a physical computer, such
as memory, processor, storage, and networking. All these parts have features and options that you can configure
different ways to meet different needs. Storage and networking can each be considered categories of their own,
because of the many ways you can configure them.
Disaster recovery and backup - For disaster recovery, Hyper-V Replica creates copies of virtual machines,
intended to be stored in another physical location, so you can restore the virtual machine from the copy. For
backup, Hyper-V offers two types. One uses saved states and the other uses Volume Shadow Copy Service (VSS )
so you can make application-consistent backups for programs that support VSS.
Optimization - Each supported guest operating system has a customized set of services and drivers, called
integration services, that make it easier to use the operating system in a Hyper-V virtual machine.
Portability - Features such as live migration, storage migration, and import/export make it easier to move or
distribute a virtual machine.
Remote connectivity - Hyper-V includes Virtual Machine Connection, a remote connection tool for use with both
Windows and Linux. Unlike Remote Desktop, this tool gives you console access, so you can see what's happening in
the guest even when the operating system isn't booted yet.
Security - Secure boot and shielded virtual machines help protect against malware and other unauthorized access
to a virtual machine and its data.
For a summary of the features introduced in this version, see What's new in Hyper-V on Windows Server. Some
features or parts have a limit to how many can be configured. For details, see Plan for Hyper-V scalability in
Windows Server 2016.

How to get Hyper-V

Hyper-V is available in Windows Server and Windows, as a server role available for x64 versions of Windows
Server. For server instructions, see Install the Hyper-V role on Windows Server. On Windows, it's available as
feature in some 64-bit versions of Windows. It's also available as a downloadable, standalone server product,
Microsoft Hyper-V Server.

Supported operating systems

Many operating systems will run on virtual machines. In general, an operating system that uses an x86 architecture
will run on a Hyper-V virtual machine. Not all operating systems that can be run are tested and supported by
Microsoft, however. For lists of what's supported, see:
Supported Linux and FreeBSD virtual machines for Hyper-V on Windows
Supported Windows guest operating systems for Hyper-V on Windows Server

How Hyper-V works

Hyper-V is a hypervisor-based virtualization technology. Hyper-V uses the Windows hypervisor, which requires a
physical processor with specific features. For hardware details, see System requirements for Hyper-V on Windows
Server.
In most cases, the hypervisor manages the interactions between the hardware and the virtual machines. This
hypervisor-controlled access to the hardware gives virtual machines the isolated environment in which they run. In
some configurations, a virtual machine or the operating system running in the virtual machine has direct access to
graphics, networking, or storage hardware.

What does Hyper-V consist of?

Hyper-V has required parts that work together so you can create and run virtual machines. Together, these parts
are called the virtualization platform. They're installed as a set when you install the Hyper-V role. The required
parts include Windows hypervisor, Hyper-V Virtual Machine Management Service, the virtualization WMI provider,
the virtual machine bus (VMbus), virtualization service provider (VSP ) and virtual infrastructure driver (VID ).
Hyper-V also has tools for management and connectivity. You can install these on the same computer that Hyper-V
role is installed on, and on computers without the Hyper-V role installed. These tools are:
Hyper-V Manager
Hyper-V module for Windows PowerShell
Virtual Machine Connection (sometimes called VMConnect)
Windows PowerShell Direct

Related technologies
These are some technologies from Microsoft that are often used with Hyper-V:
Failover Clustering
Remote Desktop Services
System Center Virtual Machine Manager
Various storage technologies: cluster shared volumes, SMB 3.0, storage spaces direct
Windows containers offer another approach to virtualization. See the Windows Containers library on MSDN.
 What's new in Hyper-V on Windows Server
6/20/2019 • 15 minutes to read • Edit Online

Applies To: Windows Server 2019, Microsoft Hyper-V Server 2016, Windows Server 2016

This article explains the new and changed functionality of Hyper-V on Windows Server 2019, Windows Server
2016, and Microsoft Hyper-V Server 2016. To use new features on virtual machines created with Windows Server
2012 R2 and moved or imported to a server that runs Hyper-V on Windows Server 2019 or Windows Server
2016, you'll need to manually upgrade the virtual machine configuration version. For instructions, see Upgrade
virtual machine version.
Here's what's included in this article and whether the functionality is new or updated.

Windows Server, version 1903

Add Hyper-V Manager to Server Core installations (updated)
As you might know, we recommend using the Server Core installation option when using Windows Server, Semi-
Annual Channel in production. However, Server Core by default omits a number of useful management tools. You
can add many of the most commonly used tools by installing the App Compatibility feature, but there have still
been some missing tools.
So, based on customer feedback, we added one more tools to the App Compatibility feature in this version: Hyper-
V Manager (virtmgmt.msc).
For more info, see Server Core app compatibility feature.

Windows Server 2019

Security: Shielded Virtual Machines improvements (new)
Branch office improvements
You can now run shielded virtual machines on machines with intermittent connectivity to the Host Guardian
Service by leveraging the new fallback HGS and offline mode features. Fallback HGS allows you to configure
a second set of URLs for Hyper-V to try if it can't reach your primary HGS server.
Offline mode allows you to continue to start up your shielded VMs, even if HGS can't be reached, as long as
the VM has started successfully once, and the host's security configuration has not changed.
Troubleshooting improvements
We've also made it easier to troubleshoot your shielded virtual machines by enabling support for
VMConnect Enhanced Session Mode and PowerShell Direct. These tools are particularly useful if you've lost
network connectivity to your VM and need to update its configuration to restore access.
These features do not need to be configured, and they become available automatically when a shielded VM
is placed on a Hyper-V host running Windows Server version 1803 or later.
Linux support
If you run mixed-OS environments, Windows Server 2019 now supports running Ubuntu, Red Hat
Enterprise Linux, and SUSE Linux Enterprise Server inside shielded virtual machines.
Windows Server 2016
Compatible with Connected Standby (new)
When the Hyper-V role is installed on a computer that uses the Always On/Always Connected (AOAC ) power
model, the Connected Standby power state is now available.
Discrete device assignment (new)
This feature lets you give a virtual machine direct and exclusive access to some PCIe hardware devices. Using a
device in this way bypasses the Hyper-V virtualization stack, which results in faster access. For details on supported
hardware, see "Discrete device assignment" in System requirements for Hyper-V on Windows Server 2016. For
details, including how to use this feature and considerations, see the post "Discrete Device Assignment —
Description and background" in the Virtualization blog.
Encryption support for the operating system disk in generation 1 virtual machines (new)
You can now protect the operating system disk using BitLocker drive encryption in generation 1 virtual machines. A
new feature, key storage, creates a small, dedicated drive to store the system drive’s BitLocker key. This is done
instead of using a virtual Trusted Platform Module (TPM ), which is available only in generation 2 virtual machines.
To decrypt the disk and start the virtual machine, the Hyper-V host must either be part of an authorized guarded
fabric or have the private key from one of the virtual machine's guardians. Key storage requires a version 8 virtual
machine. For information on virtual machine version, see Upgrade virtual machine version in Hyper-V on
Windows 10 or Windows Server 2016.
Host resource protection (new)
This feature helps prevent a virtual machine from using more than its share of system resources by looking for
excessive levels of activity. This can help prevent a virtual machine's excessive activity from degrading the
performance of the host or other virtual machines. When monitoring detects a virtual machine with excessive
activity, the virtual machine is given fewer resources. This monitoring and enforcement is off by default. Use
Windows PowerShell to turn it on or off. To turn it on, run this command:

Set-VMProcessor TestVM -EnableHostResourceProtection $true

For details about this cmdlet, see Set-VMProcessor.

Hot add and remove for network adapters and memory (new)
You can now add or remove a network adapter while the virtual machine is running, without incurring downtime.
This works for generation 2 virtual machines that run either Windows or Linux operating systems.
You can also adjust the amount of memory assigned to a virtual machine while it's running, even if you haven't
enabled Dynamic Memory. This works for both generation 1 and generation 2 virtual machines, running Windows
Server 2016 or Windows 10.
Hyper-V Manager improvements (updated)
Alternate credentials support - You can now use a different set of credentials in Hyper-V Manager when
you connect to another Windows Server 2016 or Windows 10 remote host. You can also save these
credentials to make it easier to log on again.
Manage earlier versions - With Hyper-V Manager in Windows Server 2019, Windows Server 2016, and
Windows 10, you can manage computers running Hyper-V on Windows Server 2012, Windows 8, Windows
Server 2012 R2 and Windows 8.1.
Updated management protocol - Hyper-V Manager now communicates with remote Hyper-V hosts
using the WS -MAN protocol, which permits CredSSP, Kerberos or NTLM authentication. When you use
CredSSP to connect to a remote Hyper-V host, you can do a live migration without enabling constrained
delegation in Active Directory. The WS -MAN -based infrastructure also makes it easier to enable a host for
 remote management. WS -MAN connects over port 80, which is open by default.
Integration services delivered through Windows Update (updated)
Updates to integration services for Windows guests are distributed through Windows Update. For service
providers and private cloud hosters, this puts the control of applying updates into the hands of the tenants who
own the virtual machines. Tenants can now update their Windows virtual machines with all updates, including the
integration services, using a single method. For details about integration services for Linux guests, see Linux and
FreeBSD Virtual Machines on Hyper-V.

IMPORTANT
The vmguest.iso image file is no longer needed, so it isn't included with Hyper-V on Windows Server 2016.

Linux Secure Boot (new)

Linux operating systems running on generation 2 virtual machines can now boot with the Secure Boot option
enabled. Ubuntu 14.04 and later, SUSE Linux Enterprise Server 12 and later, Red Hat Enterprise Linux 7.0 and later,
and CentOS 7.0 and later are enabled for Secure Boot on hosts that run Windows Server 2016. Before you boot
the virtual machine for the first time, you must configure the virtual machine to use the Microsoft UEFI Certificate
Authority. You can do this from Hyper-V Manager, Virtual Machine Manager, or an elevated Windows Powershell
session. For Windows PowerShell, run this command:

Set-VMFirmware TestVM -SecureBootTemplate MicrosoftUEFICertificateAuthority

For more information about Linux virtual machines on Hyper-V, see Linux and FreeBSD Virtual Machines on
Hyper-V. For more information about the cmdlet, see Set-VMFirmware.
More memory and processors for generation 2 virtual machines and Hyper-V hosts (updated)
Starting with version 8, generation 2 virtual machines can use significantly more memory and virtual processors.
Hosts also can be configured with significantly more memory and virtual processors than were previously
supported. These changes support new scenarios such as running e-commerce large in-memory databases for
online transaction processing (OLTP ) and data warehousing (DW ). The Windows Server blog recently published
the performance results of a virtual machine with 5.5 terabytes of memory and 128 virtual processors running 4
TB in-memory database. Performance was greater than 95% of the performance of a physical server. For details,
see Windows Server 2016 Hyper-V large-scale VM performance for in-memory transaction processing. For details
about virtual machine versions, see Upgrade virtual machine version in Hyper-V on Windows 10 or Windows
Server 2016. For the full list of supported maximum configurations, see Plan for Hyper-V scalability in Windows
Server 2016.
Nested virtualization (new)
This feature lets you use a virtual machine as a Hyper-V host and create virtual machines within that virtualized
host. This can be especially useful for development and test environments. To use nested virtualization, you'll need:
To run at least Windows Server 2019, Windows Server 2016 or Windows 10 on both the physical Hyper-V
host and the virtualized host.
A processor with Intel VT-x (nested virtualization is available only for Intel processors at this time).
For details and instructions, see Run Hyper-V in a Virtual Machine with Nested Virtualization.
Networking features (new)
New networking features include:
Remote direct memory access (RDMA ) and switch embedded teaming (SET). You can set up RDMA
on network adapters bound to a Hyper-V virtual switch, regardless of whether SET is also used. SET
 provides a virtual switch with some of same capabilities as NIC teaming. For details, see Remote Direct
Memory Access (RDMA) and Switch Embedded Teaming (SET).
Virtual machine multi queues (VMMQ ). Improves on VMQ throughput by allocating multiple hardware
queues per virtual machine. The default queue becomes a set of queues for a virtual machine, and traffic is
spread between the queues.
Quality of service (QoS ) for software-defined networks. Manages the default class of traffic through
the virtual switch within the default class bandwidth.
For more about new networking features, see What's new in Networking.
Production checkpoints (new)
Production checkpoints are "point-in-time" images of a virtual machine. These give you a way to apply a checkpoint
that complies with support policies when a virtual machine runs a production workload. Production checkpoints
are based on backup technology inside the guest instead of a saved state. For Windows virtual machines, the
Volume Snapshot Service (VSS ) is used. For Linux virtual machines, the file system buffers are flushed to create a
checkpoint that's consistent with the file system. If you'd rather use checkpoints based on saved states, choose
standard checkpoints instead. For details, see Choose between standard or production checkpoints in Hyper-V.

IMPORTANT
New virtual machines use production checkpoints as the default.

Rolling Hyper-V Cluster upgrade (new)

You can now add a node running Windows Server 2019 or Windows Server 2016 to a Hyper-V Cluster with nodes
running Windows Server 2012 R2. This allows you to upgrade the cluster without downtime. The cluster runs at a
Windows Server 2012 R2 feature level until you upgrade all nodes in the cluster and update the cluster functional
level with the Windows PowerShell cmdlet, Update-ClusterFunctionalLevel.

IMPORTANT
After you update the cluster functional level, you can't return it to Windows Server 2012 R2.

For a Hyper-V cluster with a functional level of Windows Server 2012 R2 with nodes running Windows Server
2012 R2, Windows Server 2019 and Windows Server 2016, note the following:
Manage the cluster, Hyper-V, and virtual machines from a node running Windows Server 2016 or Windows
10.
You can move virtual machines between all of the nodes in the Hyper-V cluster.
To use new Hyper-V features, all nodes must run Windows Server 2016 or and the cluster functional level
must be updated.
The virtual machine configuration version for existing virtual machines isn't upgraded. You can upgrade the
configuration version only after you upgrade the cluster functional level.
Virtual machines that you create are compatible with Windows Server 2012 R2, virtual machine
configuration level 5.
After you update the cluster functional level:
You can enable new Hyper-V features.
To make new virtual machine features available, use the Update-VmConfigurationVersion cmdlet to
 manually update the virtual machine configuration level. For instructions, see Upgrade virtual machine
version.
You can't add a node to the Hyper-V Cluster that runs Windows Server 2012 R2.

NOTE
Hyper-V on Windows 10 doesn't support failover clustering.

For details and instructions, see the Cluster Operating System Rolling Upgrade.
Shared virtual hard disks (updated)
You can now resize shared virtual hard disks (.vhdx files) used for guest clustering, without downtime. Shared
virtual hard disks can be grown or shrunk while the virtual machine is online. Guest clusters can now also protect
shared virtual hard disks by using Hyper-V Replica for disaster recovery.
Enable replication on the collection. Enabling replication on a collection is only exposed through the WMI
interface. See the documentation for Msvm_CollectionReplicationService class for more details. You cannot
manage replication of a collection through PowerShell cmdlet or UI. The VMs should be on hosts that are
part of a Hyper-V cluster to access features that are specific to a collection. This includes Shared VHD - shared
VHDs on stand-alone hosts are not supported by Hyper-V Replica.
Follow the guidelines for shared VHDs in Virtual Hard Disk Sharing Overview, and be sure that your shared VHDs
are part of a guest cluster.
A collection with a shared VHD but no associated guest cluster cannot create reference points for the collection
(regardless of whether the shared VHD is included in the reference point creation or not).
Virtual machine backup(new)
If you are backing up a single virtual machine (regardless of whether host is clustered or not), you should not use a
VM group. Nor should you use a snapshot collection. VM groups and snapshot collection are meant to be used
solely for backing up guest clusters that are using shared vhdx. Instead, you should take a snapshot using the
Hyper-V WMI v2 provider. Likewise, do not use the Failover Cluster WMI provider.
Shielded virtual machines (new)
Shielded virtual machines use several features to make it harder for Hyper-V administrators and malware on the
host to inspect, tamper with, or steal data from the state of a shielded virtual machine. Data and state is encrypted,
Hyper-V administrators can't see the video output and disks, and the virtual machines can be restricted to run only
on known, healthy hosts, as determined by a Host Guardian Server. For details, see Guarded Fabric and Shielded
VMs.

NOTE
Shielded virtual machines are compatible with Hyper-V Replica. To replicate a shielded virtual machine, the host you want to
replicate to must be authorized to run that shielded virtual machine.

Start order priority for clustered virtual machines (new)

This feature gives you more control over which clustered virtual machines are started or restarted first. This makes
it easier to start virtual machines that provide services before virtual machines that use those services. Define sets,
place virtual machines in sets, and specify dependencies. Use Windows PowerShell cmdlets to manage the sets,
such as New -ClusterGroupSet, Get-ClusterGroupSet, and Add-ClusterGroupSetDependency. .
Storage quality of service (QoS ) (updated)
You can now create storage QoS policies on a Scale-Out File Server and assign them to one or more virtual disks
on Hyper-V virtual machines. Storage performance is automatically readjusted to meet policies as the storage load
fluctuates. For details, see Storage Quality of Service.
Virtual machine configuration file format (updated)
Virtual machine configuration files use a new format that makes reading and writing configuration data more
efficient. The format also makes data corruption less likely if a storage failure occurs. Virtual machine configuration
data files use a .vmcx file name extension and runtime state data files use a .vmrs file name extension.

IMPORTANT
The .vmcx file name extension indicates a binary file. Editing .vmcx or .vmrs files isn't supported.

Virtual machine configuration version (updated)

The version represents the compatibility of the virtual machine's configuration, saved state, and snapshot files with
the version of Hyper-V. Virtual machines with version 5 are compatible with Windows Server 2012 R2 and can run
on both Windows Server 2012 R2 and Windows Server 2016. Virtual machines with versions introduced in
Windows Server 2016 and Windows Server 2019 won't run in Hyper-V on Windows Server 2012 R2.
If you move or import a virtual machine to a server that runs Hyper-V on Windows Server 2016 or Windows
Server 2019 from Windows Server 2012 R2, the virtual machine's configuration isn't automatically updated. This
means you can move the virtual machine back to a server that runs Windows Server 2012 R2. But, this also means
you can't use the new virtual machine features until you manually update the version of the virtual machine
configuration.
For instructions on checking and upgrading the version, see Upgrade virtual machine version. This article also lists
the version in which some features were introduced.

IMPORTANT
After you update the version, you can't move the virtual machine to a server that runs Windows Server 2012 R2.
You can't downgrade the configuration to a previous version.
The Update-VMVersion cmdlet is blocked on a Hyper-V Cluster when the cluster functional level is Windows Server 2012
R2.

Virtualization-based security for generation 2 virtual machines (new)

Virtualization-based security powers features such as Device Guard and Credential Guard, offering increased
protection of the operating system against exploits from malware. Virtualization based-security is available in
generation 2 guest virtual machines starting with version 8. For information on virtual machine version, see
Upgrade virtual machine version in Hyper-V on Windows 10 or Windows Server 2016.
Windows Containers (new)
Windows Containers allow many isolated applications to run on one computer system. They're fast to build and are
highly scalable and portable. Two types of container runtime are available, each with a different degree of
application isolation. Windows Server Containers use namespace and process isolation. Hyper-V Containers use a
light-weight virtual machine for each container.
Key features include:
Support for web sites and applications using HTTPS
Nano server can host both Windows Server and Hyper-V Containers
Ability to manage data through container shared folders
Ability to restrict container resources
For details, including quick start guides, see the Windows Containers Documentation.
Windows PowerShell Direct (new)
This gives you a way to run Windows PowerShell commands in a virtual machine from the host. Windows
PowerShell Direct runs between the host and the virtual machine. This means it doesn't require networking or
firewall requirements, and it works regardless of your remote management configuration.
Windows PowerShell Direct is an alternative to the existing tools that Hyper-V administrators use to connect to a
virtual machine on a Hyper-V host:
Remote management tools such as PowerShell or Remote Desktop
Hyper-V Virtual Machine Connection (VMConnect)
Those tools work well, but have trade-offs: VMConnect is reliable, but can be hard to automate. Remote PowerShell
is powerful, but can be hard to set up and maintain. These trade-offs may become more important as your Hyper-V
deployment grows. Windows PowerShell Direct addresses this by providing a powerful scripting and automation
experience that's as simple as using VMConnect.
For requirements and instructions, see Manage Windows virtual machines with PowerShell Direct.
 System requirements for Hyper-V on Windows Server
6/7/2019 • 3 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

Hyper-V has specific hardware requirements, and some Hyper-V features have additional requirements. Use the
details in this article to decide what requirements your system must meet so you can use Hyper-V the way you plan
to. Then, review the Windows Server catalog. Keep in mind that requirements for Hyper-V exceed the general
minimum requirements for Windows Server 2016 because a virtualization environment requires more computing
resources.
If you're already using Hyper-V, it's likely that you can use your existing hardware. The general hardware
requirements haven't changed significantly from Windows Server 2012 R2 . But, you will need newer hardware to
use shielded virtual machines or discrete device assignment. Those features rely on specific hardware support, as
described below. Other than that, the main difference in hardware is that second-level address translation (SLAT) is
now required instead of recommended.
For details about maximum supported configurations for Hyper-V, such as the number of running virtual
machines, see Plan for Hyper-V scalability in Windows Server 2016. The list of operating systems you can run in
your virtual machines is covered in Supported Windows guest operating systems for Hyper-V on Windows Server.

General requirements
Regardless of the Hyper-V features you want to use, you'll need:
A 64-bit processor with second-level address translation (SLAT). To install the Hyper-V virtualization
components such as Windows hypervisor, the processor must have SLAT. However, it's not required to
install Hyper-V management tools like Virtual Machine Connection (VMConnect), Hyper-V Manager, and
the Hyper-V cmdlets for Windows PowerShell. See "How to check for Hyper-V requirements," below, to find
out if your processor has SLAT.
VM Monitor Mode extensions
Enough memory - plan for at least 4 GB of RAM. More memory is better. You'll need enough memory for
the host and all virtual machines that you want to run at the same time.
Virtualization support turned on in the BIOS or UEFI:
Hardware-assisted virtualization. This is available in processors that include a virtualization option -
specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD -V )
technology.
Hardware-enforced Data Execution Prevention (DEP ) must be available and enabled. For Intel
systems, this is the XD bit (execute disable bit). For AMD systems, this is the NX bit (no execute bit).

How to check for Hyper-V requirements

Open Windows PowerShell or a command prompt and type:

Systeminfo.exe
Scroll to the Hyper-V Requirements section to review the report.

Requirements for specific features

Here are the requirements for discrete device assignment and shielded virtual machines. For descriptions of these
features, see What's new in Hyper-V on Windows Server.
Discrete device assignment
Host requirements are similar to the existing requirements for the SR -IOV feature in Hyper-V.
The processor must have either Intel's Extended Page Table (EPT) or AMD's Nested Page Table (NPT).
The chipset must have:
Interrupt remapping - Intel's VT-d with the Interrupt Remapping capability (VT-d2) or any version of
AMD I/O Memory Management Unit (I/O MMU ).
DMA remapping - Intel's VT-d with Queued Invalidations or any AMD I/O MMU.
Access control services (ACS ) on PCI Express root ports.
The firmware tables must expose the I/O MMU to the Windows hypervisor. Note that this feature might be
turned off in the UEFI or BIOS. For instructions, see the hardware documentation or contact your hardware
manufacturer.
Devices need GPU or non-volatile memory express (NVMe). For GPU, only certain devices support discrete
device assignment. To verify, see the hardware documentation or contact your hardware manufacturer. For details
about this feature, including how to use it and considerations, see the post "Discrete Device Assignment --
Description and background" in the Virtualization blog.
Shielded virtual machines
These virtual machines rely on virtualization-based security and are available starting with Windows Server 2016.
Host requirements are:
UEFI 2.3.1c - supports secure, measured boot
The following two are optional for virtualization-based security in general, but required for the host if you
want the protection these features provide:
TPM v2.0 - protects platform security assets
IOMMU (Intel VT-D ) - so the hypervisor can provide direct memory access (DMA) protection
Virtual machine requirements are:
Generation 2
Windows Server 2012 or newer as the guest operating system
 Supported Windows guest operating systems for
Hyper-V on Windows Server
8/6/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016, Windows Server 2019

Hyper-V supports several versions of Windows Server, Windows, and Linux distributions to run in virtual
machines, as guest operating systems. This article covers supported Windows Server and Windows guest
operating systems. For Linux and FreeBSD distributions, see Supported Linux and FreeBSD virtual machines for
Hyper-V on Windows.
Some operating systems have the integration services built-in. Others require that you install or upgrade
integration services as a separate step after you set up the operating system in the virtual machine. For more
information, see the sections below and Integration Services.

Supported Windows Server guest operating systems

Following are the versions of Windows Server that are supported as guest operating systems for Hyper-V in
Windows Server 2016 and Windows Server 2019.

GUEST OPERATING SYSTEM MAXIMUM NUMBER OF

(SERVER) VIRTUAL PROCESSORS INTEGRATION SERVICES NOTES

Windows Server, version 240 for generation 2; Built-in

1903 64 for generation 1

Windows Server, version 240 for generation 2; Built-in

1809 64 for generation 1

Windows Server 2019 240 for generation 2; Built-in

64 for generation 1

Windows Server, version 240 for generation 2; Built-in

1803 64 for generation 1

Windows Server 2016 240 for generation 2; Built-in

64 for generation 1

Windows Server 2012 R2 64 Built-in

Windows Server 2012 64 Built-in

Windows Server 2008 R2 64 Install all critical Windows Datacenter, Enterprise,

with Service Pack 1 (SP 1) updates after you set up the Standard and Web editions.
guest operating system.

Windows Server 2008 with 8 Install all critical Windows Datacenter, Enterprise,
Service Pack 2 (SP2) updates after you set up the Standard and Web editions
guest operating system. (32-bit and 64-bit).
Supported Windows client guest operating systems
Following are the versions of Windows client that are supported as guest operating systems for Hyper-V in
Windows Server 2016 and Windows Server 2019.

GUEST OPERATING SYSTEM MAXIMUM NUMBER OF

(CLIENT) VIRTUAL PROCESSORS INTEGRATION SERVICES NOTES

Windows 10 32 Built-in

Windows 8.1 32 Built-in

Windows 7 with Service Pack 4 Upgrade the integration Ultimate, Enterprise, and
1 (SP 1) services after you set up the Professional editions (32-bit
guest operating system. and 64-bit).

Guest operating system support on other versions of Windows

The following table gives links to information about guest operating systems supported for Hyper-V on other
versions of Windows.

HOST OPERATING SYSTEM TOPIC

Windows 10 Supported Guest Operating Systems for Client Hyper-V in

Windows 10

Windows Server 2012 R2 and Windows 8.1 - Supported Windows Guest Operating Systems for Hyper-V
in Windows Server 2012 R2 and Windows 8.1
- Linux and FreeBSD Virtual Machines on Hyper-V

Windows Server 2012 and Windows 8 Supported Windows Guest Operating Systems for Hyper-V in
Windows Server 2012 and Windows 8

Windows Server 2008 and Windows Server 2008 R2 About Virtual Machines and Guest Operating Systems

How Microsoft provides support for guest operating systems

Microsoft provides support for guest operating systems in the following manner:
Issues found in Microsoft operating systems and in integration services are supported by Microsoft support.
For issues found in other operating systems that have been certified by the operating system vendor to run
on Hyper-V, support is provided by the vendor.
For issues found in other operating systems, Microsoft submits the issue to the multi-vendor support
community, TSANet.

See also
Linux and FreeBSD Virtual Machines on Hyper-V
Supported Guest Operating Systems for Client Hyper-V in Windows 10
 Supported Linux and FreeBSD virtual machines for
Hyper-V on Windows
7/18/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2019, Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2,
Hyper-V Server 2012 R2, Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows
10, Windows 8.1, Windows 8, Windows 7.1, Windows 7

Hyper-V supports both emulated and Hyper-V -specific devices for Linux and FreeBSD virtual machines. When
running with emulated devices, no additional software is required to be installed. However emulated devices do not
provide high performance and cannot leverage the rich virtual machine management infrastructure that the Hyper-
V technology offers. In order to make full use of all benefits that Hyper-V provides, it is best to use Hyper-V -
specific devices for Linux and FreeBSD. The collection of drivers that are required to run Hyper-V -specific devices
are known as Linux Integration Services (LIS ) or FreeBSD Integration Services (BIS ).
LIS has been added to the Linux kernel and is updated for new releases. But Linux distributions based on older
kernels may not have the latest enhancements or fixes. Microsoft provides a download containing installable LIS
drivers for some Linux installations based on these older kernels. Because distribution vendors include versions of
Linux Integration Services, it is best to install the latest downloadable version of LIS, if applicable, for your
installation.
For other Linux distributions LIS changes are regularly integrated into the operating system kernel and applications
so no separate download or installation is required.
For older FreeBSD releases (before 10.0), Microsoft provides ports that contain the installable BIS drivers and
corresponding daemons for FreeBSD virtual machines. For newer FreeBSD releases, BIS is built in to the FreeBSD
operating system, and no separate download or installation is required except for a KVP ports download that is
needed for FreeBSD 10.0.

TIP
Download Windows Server 2019 from the Evaluation Center.

The goal of this content is to provide information that helps facilitate your Linux or FreeBSD deployment on Hyper-
V. Specific details include:
Linux distributions or FreeBSD releases that require the download and installation of LIS or BIS drivers.
Linux distributions or FreeBSD releases that contain built-in LIS or BIS drivers.
Feature distribution maps that indicate the features in major Linux distributions or FreeBSD releases.
Known issues and workarounds for each distribution or release.
Feature description for each LIS or BIS feature.
Want to make a suggestion about features and functionality? Is there something we could do better? You can
use the Windows Server User Voice site to suggest new features and capabilities for Linux and FreeBSD Virtual
Machines on Hyper-V, and to see what other people are saying.
In this section
Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V
Supported Debian virtual machines on Hyper-V
Supported Oracle Linux virtual machines on Hyper-V
Supported SUSE virtual machines on Hyper-V
Supported Ubuntu virtual machines on Hyper-V
Supported FreeBSD virtual machines on Hyper-V
Feature Descriptions for Linux and FreeBSD virtual machines on Hyper-V
Best Practices for running Linux on Hyper-V
Best practices for running FreeBSD on Hyper-V
 Supported CentOS and Red Hat Enterprise Linux
virtual machines on Hyper-V
7/26/2019 • 13 minutes to read • Edit Online

Applies To: Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2, Hyper-V Server 2012 R2,
Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows 10, Windows 8.1, Windows
8, Windows 7.1, Windows 7

The following feature distribution maps indicate the features that are present in built-in and downloadable versions
of Linux Integration Services. The known issues and workarounds for each distribution are listed after the tables.
The built-in Red Hat Enterprise Linux Integration Services drivers for Hyper-V (available since Red Hat Enterprise
Linux 6.4) are sufficient for Red Hat Enterprise Linux guests to run using the high performance synthetic devices on
Hyper-V hosts.These built-in drivers are certified by Red Hat for this use. Certified configurations can be viewed on
this Red Hat web page: Red Hat Certification Catalog. It isn't necessary to download and install Linux Integration
Services packages from the Microsoft Download Center, and doing so may limit your Red Hat support as described
in Red Hat Knowledgebase article 1067: Red Hat Knowledgebase 1067.
Because of potential conflicts between the built-in LIS support and the downloadable LIS support when you
upgrade the kernel, disable automatic updates, uninstall the LIS downloadable packages, update the kernel, reboot,
and then install the latest LIS release, and reboot again.

NOTE
Official Red Hat Enterprise Linux certification information is available through the Red Hat Customer Portal.

In this section:
RHEL/CentOS 8.x Series
RHEL/CentOS 7.x Series
RHEL/CentOS 6.x Series
RHEL/CentOS 5.x Series
Notes

Table legend
Built in - LIS are included as part of this Linux distribution. The kernel module version numbers for the built
in LIS (as shown by lsmod, for example) are different from the version number on the Microsoft-provided
LIS download package. A mismatch does not indicate that the built in LIS is out of date.
✔ - Feature available

(blank) - Feature not available

RHEL/CentOS 8.x Series

FEATURE WINDOWS SERVER VERSION 8.0

Availability

Core 2019, 2016, 2012 R2, 2012, 2008 R2 ✔

Windows Server 2016 Accurate Time 2019, 2016 ✔

Networking

Jumbo frames 2019, 2016, 2012 R2, 2012, 2008 R2 ✔

VLAN tagging and trunking 2019, 2016, 2012 R2, 2012, 2008 R2 ✔

Live Migration 2019, 2016, 2012 R2, 2012, 2008 R2 ✔

Static IP Injection 2019, 2016, 2012 R2, 2012 ✔ Note 2

vRSS 2019, 2016, 2012 R2 ✔

TCP Segmentation and Checksum 2019, 2016, 2012 R2, 2012, 2008 R2 ✔
Offloads

SR-IOV 2019, 2016 ✔

Storage

VHDX resize 2019, 2016, 2012 R2 ✔

Virtual Fibre Channel 2019, 2016, 2012 R2 ✔ Note 3

Live virtual machine backup 2019, 2016, 2012 R2 ✔ Note 5

TRIM support 2019, 2016, 2012 R2 ✔

SCSI WWN 2019, 2016, 2012 R2 ✔

Memory

PAE Kernel Support 2019, 2016, 2012 R2, 2012, 2008 R2 N/A

Configuration of MMIO gap 2019, 2016, 2012 R2 ✔

Dynamic Memory - Hot-Add 2019, 2016, 2012 R2, 2012 ✔ Note 8, 9, 10

Dynamic Memory - Ballooning 2019, 2016, 2012 R2, 2012 ✔ Note 8, 9, 10

Runtime Memory Resize 2019, 2016 ✔

Video

Hyper-V-specific video device 2019, 2016, 2012 R2, 2012, 2008 R2 ✔

 FEATURE WINDOWS SERVER VERSION 8.0

Miscellaneous

Key-Value Pair 2019, 2016, 2012 R2, 2012, 2008 R2 ✔

Non-Maskable Interrupt 2019, 2016, 2012 R2 ✔

File copy from host to guest 2019, 2016, 2012 R2 ✔

lsvmbus command 2019, 2016, 2012 R2, 2012, 2008 R2 ✔

Hyper-V Sockets 2019, 2016 ✔

PCI Passthrough/DDA 2019, 2016 ✔

Generation 2 virtual machines

Boot using UEFI 2019, 2016, 2012 R2 ✔ Note 14

Secure boot 2019, 2016 ✔

RHEL/CentOS 7.x Series

This series only has 64-bit kernels.

WINDO
WS
SERVER
FEATUR VERSIO
E N 7.5-7.6 7.3-7.4 7.0-7.2 7.5-7.6 7.4 7.3 7.2 7.1 7.0

Availa LIS 4.3 LIS 4.3 LIS 4.3 Built in Built in Built in Built in Built in Built in
bility

Core 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
2016,
2012
R2,
2012,
2008
R2

Windo 2019, ✔ ✔
ws 2016
Server
2016
Accurat
e Time

Netwo
rking
 WINDO
WS
SERVER
FEATUR VERSIO
E N 7.5-7.6 7.3-7.4 7.0-7.2 7.5-7.6 7.4 7.3 7.2 7.1 7.0

Jumbo 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
frames 2016,
2012
R2,
2012,
2008
R2

VLAN 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
taggin 2016,
g and 2012
trunkin R2,
g 2012,
2008
R2

Live 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Migrati 2016,
on 2012
R2,
2012,
2008
R2

Static 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
IP 2016, Note 2 Note 2 Note 2 Note 2 Note 2 Note 2 Note 2 Note 2 Note 2
Injectio 2012
n R2,
2012

vRSS 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
2016,
2012
R2

TCP 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Segme 2016,
ntation 2012
and R2,
Checks 2012,
um 2008
Offload R2
s

SR-IOV 2019, ✔ ✔ ✔ ✔ ✔
2016

Storag
e

VHDX 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
resize 2016,
2012
R2
 WINDO
WS
SERVER
FEATUR VERSIO
E N 7.5-7.6 7.3-7.4 7.0-7.2 7.5-7.6 7.4 7.3 7.2 7.1 7.0

Virtual 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Fibre 2016, Note 3 Note 3 Note 3 Note 3 Note 3 Note 3 Note 3 Note 3 Note 3
Chann 2012
el R2

Live 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
virtual 2016, Note 5 Note 5 Note 5 Note Note 4, Note 4, Note 4, Note 4, Note 4,
machin 2012 4,5 5 5 5 5 5
e R2
backup

TRIM 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
suppor 2016,
t 2012
R2

SCSI 2019, ✔ ✔ ✔ ✔
WWN 2016,
2012
R2

Memo
ry

PAE 2019, N/A N/A N/A N/A N/A N/A N/A N/A N/A
Kernel 2016,
Suppor 2012
t R2,
2012,
2008
R2

Config 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
uration 2016,
of 2012
MMIO R2
gap

Dynam 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ic 2016, Note 8, Note 8, Note 8, Note 9, Note 9, Note 9, Note 9, Note 9, Note 8,
Memor 2012 9, 10 9, 10 9, 10 10 10 10 10 10 9, 10
y- R2,
Hot- 2012
Add

Dynam 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ic 2016, Note 8, Note 8, Note 8, Note 9, Note 9, Note 9, Note 9, Note 9, Note 8,
Memor 2012 9, 10 9, 10 9, 10 10 10 10 10 10 9, 10
y- R2,
Balloon 2012
ing
 WINDO
WS
SERVER
FEATUR VERSIO
E N 7.5-7.6 7.3-7.4 7.0-7.2 7.5-7.6 7.4 7.3 7.2 7.1 7.0

Runtim 2019, ✔ ✔ ✔
e 2016
Memor
y
Resize

Video

Hyper- 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
V- 2016,
specific 2012
video R2,
device 2012,
2008
R2

Miscell
aneou
s

Key- 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Value 2016,
Pair 2012
R2,
2012,
2008
R2

Non- 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Maska 2016,
ble 2012
Interru R2
pt

File 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
copy 2016,
from 2012
host to R2
guest

lsvmbu 2019, ✔ ✔ ✔
s 2016,
comma 2012
nd R2,
2012,
2008
R2

Hyper- 2019, ✔ ✔ ✔
V 2016
Sockets
 WINDO
WS
SERVER
FEATUR VERSIO
E N 7.5-7.6 7.3-7.4 7.0-7.2 7.5-7.6 7.4 7.3 7.2 7.1 7.0

PCI 2019, ✔ ✔ ✔ ✔ ✔
Passthr 2016
ough/
DDA

Gener
ation 2
virtual
machi
nes

Boot 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
using 2016, Note Note Note Note Note Note Note Note Note
UEFI 2012 14 14 14 14 14 14 14 14 14
R2

Secure 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
boot 2016

RHEL/CentOS 6.x Series

The 32-bit kernel for this series is PAE enabled. There is no built-in LIS support for RHEL/CentOS 6.0-6.3.

WINDOWS
SERVER 6.10, 6.9,
FEATURE VERSION 6.7-6.10 6.4-6.6 6.0-6.3 6.8 6.6, 6.7 6.5 6.4

Availabili LIS 4.3 LIS 4.3 LIS 4.3 Built in Built in Built in Built in
ty

Core 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
2016,
2012 R2,
2012,
2008 R2

Windows 2019,
Server 2016
2016
Accurate
Time

Networki
ng

Jumbo 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
frames 2016,
2012 R2,
2012,
2008 R2
 WINDOWS
SERVER 6.10, 6.9,
FEATURE VERSION 6.7-6.10 6.4-6.6 6.0-6.3 6.8 6.6, 6.7 6.5 6.4

VLAN 2019, ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1

tagging 2016,
and 2012 R2,
trunking 2012,
2008 R2

Live 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
Migration 2016,
2012 R2,
2012,
2008 R2

Static IP 2019, ✔ Note 2 ✔ Note 2 ✔ Note 2 ✔ Note 2 ✔ Note 2 ✔ Note 2 ✔ Note 2

Injection 2016,
2012 R2,
2012

vRSS 2019, ✔ ✔ ✔ ✔ ✔
2016,
2012 R2

TCP 2019, ✔ ✔ ✔ ✔ ✔
Segmenta 2016,
tion and 2012 R2,
Checksum 2012,
Offloads 2008 R2

SR-IOV 2019,
2016

Storage

VHDX 2019, ✔ ✔ ✔ ✔ ✔ ✔
resize 2016,
2012 R2

Virtual 2019, ✔ Note 3 ✔ Note 3 ✔ Note 3 ✔ Note 3 ✔ Note 3 ✔ Note 3

Fibre 2016,
Channel 2012 R2

Live 2019, ✔ Note 5 ✔ Note 5 ✔ Note 5 ✔ Note 4, ✔ Note 4, ✔ Note 4, ✔ Note 4,

virtual 2016, 5 5 5, 6 5, 6
machine 2012 R2
backup

TRIM 2019, ✔ ✔ ✔ ✔
support 2016,
2012 R2

SCSI 2019, ✔ ✔ ✔
WWN 2016,
2012 R2

Memory
 WINDOWS
SERVER 6.10, 6.9,
FEATURE VERSION 6.7-6.10 6.4-6.6 6.0-6.3 6.8 6.6, 6.7 6.5 6.4

PAE 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
Kernel 2016,
Support 2012 R2,
2012,
2008 R2

Configura 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
tion of 2016,
MMIO 2012 R2
gap

Dynamic 2019, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7,

Memory - 2016, 9, 10 9, 10 9, 10 9, 10 8, 9, 10 8, 9, 10
Hot-Add 2012 R2,
2012

Dynamic 2019, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7,

Memory - 2016, 9, 10 9, 10 9, 10 9, 10 9, 10 9, 10 9, 10, 11
Balloonin 2012 R2,
g 2012

Runtime 2019,
Memory 2016
Resize

Video

Hyper-V- 2019, ✔ ✔ ✔ ✔ ✔ ✔
specific 2016,
video 2012 R2,
device 2012,
2008 R2

Miscellan
eous

Key-Value 2019, ✔ ✔ ✔ ✔ Note ✔ Note ✔ Note ✔ Note

Pair 2016, 12 12 12, 13 12, 13
2012 R2,
2012,
2008 R2

Non- 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
Maskable 2016,
Interrupt 2012 R2

File copy 2019, ✔ ✔ ✔ ✔ ✔

from host 2016,
to guest 2012 R2

lsvmbus 2019, ✔ ✔ ✔
command 2016,
2012 R2,
2012,
2008 R2
 WINDOWS
SERVER 6.10, 6.9,
FEATURE VERSION 6.7-6.10 6.4-6.6 6.0-6.3 6.8 6.6, 6.7 6.5 6.4

Hyper-V 2019, ✔ ✔ ✔
Sockets 2016

PCI 2019, ✔
Passthrou 2016
gh/DDA

Generati
on 2
virtual
machines

Boot 2012 R2
using
UEFI

2019, ✔ Note ✔ Note ✔ Note ✔ Note

2016 14 14 14 14

Secure 2019,
boot 2016

RHEL/CentOS 5.x Series

This series has a supported 32-bit PAE kernel available. There is no built-in LIS support for RHEL/CentOS before
5.9.

WINDOWS SERVER
FEATURE VERSION 5.2 -5.11 5.2-5.11 5.9 - 5.11

Availability LIS 4.3 LIS 4.1 Built in

Core 2019, 2016, 2012 R2, ✔ ✔ ✔

2012, 2008 R2

Windows Server 2016 2019, 2016

Accurate Time

Networking

Jumbo frames 2019, 2016, 2012 R2, ✔ ✔ ✔

2012, 2008 R2

VLAN tagging and 2019, 2016, 2012 R2, ✔ Note 1 ✔ Note 1 ✔ Note 1
trunking 2012, 2008 R2

Live Migration 2019, 2016, 2012 R2, ✔ ✔ ✔

2012, 2008 R2

Static IP Injection 2019, 2016, 2012 R2, ✔ Note 2 ✔ Note 2 ✔ Note 2

2012
 WINDOWS SERVER
FEATURE VERSION 5.2 -5.11 5.2-5.11 5.9 - 5.11

vRSS 2019, 2016, 2012 R2

TCP Segmentation 2019, 2016, 2012 R2, ✔ ✔

and Checksum 2012, 2008 R2
Offloads

SR-IOV 2019, 2016

Storage

VHDX resize 2019, 2016, 2012 R2 ✔ ✔

Virtual Fibre Channel 2019, 2016, 2012 R2 ✔ Note 3 ✔ Note 3

Live virtual machine 2019, 2016, 2012 R2 ✔ Note 5, 15 ✔ Note 5 ✔ Note 4, 5, 6

backup

TRIM support 2019, 2016, 2012 R2

SCSI WWN 2019, 2016, 2012 R2

Memory

PAE Kernel Support 2019, 2016, 2012 R2, ✔ ✔ ✔

2012, 2008 R2

Configuration of 2019, 2016, 2012 R2 ✔ ✔ ✔

MMIO gap

Dynamic Memory - 2019, 2016, 2012 R2,

Hot-Add 2012

Dynamic Memory - 2019, 2016, 2012 R2, ✔ Note 7, 9, 10, 11 ✔ Note 7, 9, 10, 11
Ballooning 2012

Runtime Memory 2019, 2016

Resize

Video

Hyper-V-specific 2019, 2016, 2012 R2, ✔ ✔

video device 2012, 2008 R2

Miscellaneous

Key-Value Pair 2019, 2016, 2012 R2, ✔ ✔

2012, 2008 R2

Non-Maskable 2019, 2016, 2012 R2 ✔ ✔ ✔

Interrupt
 WINDOWS SERVER
FEATURE VERSION 5.2 -5.11 5.2-5.11 5.9 - 5.11

File copy from host to 2019, 2016, 2012 R2 ✔ ✔

guest

lsvmbus command 2019, 2016, 2012 R2,

2012, 2008 R2

Hyper-V Sockets 2019, 2016

PCI Passthrough/DDA 2019, 2016

Generation 2 virtual
machines

Boot using UEFI 2019, 2016, 2012 R2

Secure boot 2019, 2016

Notes
1. For this RHEL/CentOS release, VLAN tagging works but VLAN trunking does not.
2. Static IP injection may not work if Network Manager has been configured for a given synthetic network
adapter on the virtual machine. For smooth functioning of static IP injection please make sure that either
Network Manager is either turned off completely or has been turned off for a specific network adapter
through its ifcfg-ethX file.
3. On Windows Server 2012 R2 while using virtual fibre channel devices, make sure that logical unit number 0
(LUN 0) has been populated. If LUN 0 has not been populated, a Linux virtual machine might not be able to
mount fibre channel devices natively.
4. For built-in LIS, the "hyperv-daemons" package must be installed for this functionality.
5. If there are open file handles during a live virtual machine backup operation, then in some corner cases, the
backed-up VHDs might have to undergo a file system consistency check (fsck) on restore. Live backup
operations can fail silently if the virtual machine has an attached iSCSI device or direct-attached storage
(also known as a pass-through disk).
6. While the Linux Integration Services download is preferred, live backup support for RHEL/CentOS 5.9 -
5.11/6.4/6.5 is also available through Hyper-V Backup Essentials for Linux.
7. Dynamic memory support is only available on 64-bit virtual machines.
8. Hot-Add support is not enabled by default in this distribution. To enable Hot-Add support you need to add a
udev rule under /etc/udev/rules.d/ as follows:
a. Create a file /etc/udev/rules.d/100-balloon.rules. You may use any other desired name for the file.
b. Add the following content to the file: SUBSYSTEM=="memory", ACTION=="add", ATTR{state}="online"

c. Reboot the system to enable Hot-Add support.

While the Linux Integration Services download creates this rule on installation, the rule is also removed
when LIS is uninstalled, so the rule must be recreated if dynamic memory is needed after uninstallation.
9. Dynamic memory operations can fail if the guest operating system is running too low on memory. The
 following are some best practices:
Startup memory and minimal memory should be equal to or greater than the amount of memory
that the distribution vendor recommends.
Applications that tend to consume the entire available memory on a system are limited to consuming
up to 80 percent of available RAM.
10. If you are using Dynamic Memory on a Windows Server 2016 or Windows Server 2012 R2 operating
system, specify Startup memory, Minimum memory, and Maximum memory parameters in multiples
of 128 megabytes (MB ). Failure to do so can lead to hot-add failures, and you may not see any memory
increase in a guest operating system.
11. Certain distributions, including those using LIS 4.0 and 4.1, only provide Ballooning support and do not
provide Hot-Add support. In such a scenario, the dynamic memory feature can be used by setting the
Startup memory parameter to a value which is equal to the Maximum memory parameter. This results in all
the requisite memory being Hot-Added to the virtual machine at boot time and then later depending upon
the memory requirements of the host, Hyper-V can freely allocate or deallocate memory from the guest
using Ballooning. Please configure Startup Memory and Minimum Memory at or above the
recommended value for the distribution.
12. To enable key/value pair (KVP ) infrastructure, install the hypervkvpd or hyperv-daemons rpm package from
your RHEL ISO. Alternatively the package can be installed directly from RHEL repositories.
13. The key/value pair (KVP ) infrastructure might not function correctly without a Linux software update.
Contact your distribution vendor to obtain the software update in case you see problems with this feature.
14. On Windows Server 2012 R2 Generation 2 virtual machines have secure boot enabled by default and some
Linux virtual machines will not boot unless the secure boot option is disabled. You can disable secure boot in
the Firmware section of the settings for the virtual machine in Hyper-V Manager or you can disable it
using Powershell:

Set-VMFirmware -VMName "VMname" -EnableSecureBoot Off

The Linux Integration Services download can be applied to existing Generation 2 VMs but does not impart
Generation 2 capability.
15. In Red Hat Enterprise Linux or CentOS 5.2, 5.3, and 5.4 the filesystem freeze functionality is not available, so
Live Virtual Machine Backup is also not available.
See Also
Set-VMFirmware
Supported Debian virtual machines on Hyper-V
Supported Oracle Linux virtual machines on Hyper-V
Supported SUSE virtual machines on Hyper-V
Supported Ubuntu virtual machines on Hyper-V
Supported FreeBSD virtual machines on Hyper-V
Feature Descriptions for Linux and FreeBSD virtual machines on Hyper-V
Best Practices for running Linux on Hyper-V
Red Hat Hardware Certification
 Supported Debian virtual machines on Hyper-V
7/26/2019 • 3 minutes to read • Edit Online

Applies To: Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2, Hyper-V Server 2012 R2,
Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows 10, Windows 8.1, Windows
8, Windows 7.1, Windows 7

The following feature distribution map indicates the features that are present in each version. The known issues and
workarounds for each distribution are listed after the table.

Table legend
Built in - LIS are included as part of this Linux distribution. The Microsoft-provided LIS download package
doesn't work for this distribution so do not install it. The kernel module version numbers for the built in LIS
(as shown by lsmod, for example) are different from the version number on the Microsoft-provided LIS
download package. A mismatch does not indicate that the built in LIS is out of date.
✔ - Feature available

(blank) - Feature not available

WINDOWS SERVER
OPERATING
FEATURE SYSTEM VERSION 10 (BUSTER) 9.0-9.6 (STRETCH) 8.0-8.11 (JESSIE) 7.0-7.11 (WHEEZY)

Availability Built in Built in Built in Built in (Note 6)

Core 2019, 2016, ✔ ✔ ✔ ✔

2012 R2, 2012,
2008 R2

Windows Server 2019, 2016 ✔ Note 8 ✔ Note 8

2016 Accurate
Time

Networking

Jumbo frames 2019, 2016, ✔ ✔ ✔ ✔

2012 R2, 2012,
2008 R2

VLAN tagging 2019, 2016, ✔ ✔ ✔ ✔

and trunking 2012 R2, 2012,
2008 R2

Live Migration 2019, 2016, ✔ ✔ ✔ ✔

2012 R2, 2012,
2008 R2

Static IP Injection 2019, 2016,

2012 R2, 2012
 WINDOWS SERVER
OPERATING
FEATURE SYSTEM VERSION 10 (BUSTER) 9.0-9.6 (STRETCH) 8.0-8.11 (JESSIE) 7.0-7.11 (WHEEZY)

vRSS 2019, 2016, ✔ Note 8 ✔ Note 8

2012 R2

TCP 2019, 2016, ✔ Note 8 ✔ Note 8

Segmentation 2012 R2, 2012,
and Checksum 2008 R2
Offloads

SR-IOV 2019, 2016 ✔ Note 8 ✔ Note 8

Storage

VHDX resize 2019, 2016, ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1

2012 R2

Virtual Fibre 2019, 2016,

Channel 2012 R2

Live virtual 2019, 2016, ✔ Note 4,5 ✔ Note 4,5 ✔ Note 4,5 ✔ Note 4
machine backup 2012 R2

TRIM support 2019, 2016, ✔ Note 8 ✔ Note 8

2012 R2

SCSI WWN 2019, 2016, ✔ Note 8 ✔ Note 8

2012 R2

Memory

PAE Kernel 2019, 2016, ✔ ✔ ✔ ✔

Support 2012 R2, 2012,
2008 R2

Configuration of 2019, 2016, ✔ ✔ ✔ ✔

MMIO gap 2012 R2

Dynamic Memory 2019, 2016, ✔ Note 8 ✔ Note 8

- Hot-Add 2012 R2, 2012

Dynamic Memory 2019, 2016, ✔ Note 8 ✔ Note 8

- Ballooning 2012 R2, 2012

Runtime Memory 2019, 2016 ✔ Note 8 ✔ Note 8

Resize

Video

Hyper-V-specific 2019, 2016, ✔ ✔ ✔

video device 2012 R2, 2012,
2008 R2

Miscellaneous
 WINDOWS SERVER
OPERATING
FEATURE SYSTEM VERSION 10 (BUSTER) 9.0-9.6 (STRETCH) 8.0-8.11 (JESSIE) 7.0-7.11 (WHEEZY)

Key-Value Pair 2019, 2016, ✔ Note 4 ✔ Note 4 ✔ Note 4

2012 R2, 2012,
2008 R2

Non-Maskable 2019, 2016, ✔ ✔ ✔

Interrupt 2012 R2

File copy from 2019, 2016, ✔ Note 4 ✔ Note 4 ✔ Note 4

host to guest 2012 R2

lsvmbus 2019, 2016,

command 2012 R2, 2012,
2008 R2

Hyper-V Sockets 2019, 2016 ✔ Note 8 ✔ Note 8

PCI 2019, 2016 ✔ Note 8 ✔ Note 8

Passthrough/DD
A

Generation 2
virtual machines

Boot using UEFI 2019, 2016, ✔ Note 7 ✔ Note 7 ✔ Note 7

2012 R2

Secure boot 2019, 2016

Notes
1. Creating file systems on VHDs larger than 2TB is not supported.
2. On Windows Server 2008 R2 SCSI disks create 8 different entries in /dev/sd*.
3. Windows Server 2012 R2 a VM with 8 cores or more will have all interrupts routed to a single vCPU.
4. Starting with Debian 8.3 the manually-installed Debian package "hyperv-daemons" contains the key-value
pair, fcopy, and VSS daemons. On Debian 7.x and 8.0-8.2 the hyperv-daemons package must come from
Debian backports.
5. Live virtual machine backup will not work with ext2 file systems. The default layout created by the Debian
installer includes ext2 filesystems, you must customize the layout to not create this filesystem type.
6. While Debian 7.x is out of support and uses an older kernel, the kernel included in Debian backports for
Debian 7.x has improved Hyper-V capabilities.
7. On Windows Server 2012 R2 Generation 2 virtual machines have secure boot enabled by default and some
Linux virtual machines will not boot unless the secure boot option is disabled. You can disable secure boot in
the Firmware section of the settings for the virtual machine in Hyper-V Manager or you can disable it
using Powershell:
 Set-VMFirmware -VMName "VMname" -EnableSecureBoot Off

8. The latest upstream kernel capabilities are only available by using the kernel included Debian backports.
See Also
Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V
Supported Oracle Linux virtual machines on Hyper-V
Supported SUSE virtual machines on Hyper-V
Supported Ubuntu virtual machines on Hyper-V
Supported FreeBSD virtual machines on Hyper-V
Feature Descriptions for Linux and FreeBSD virtual machines on Hyper-V
Best Practices for running Linux on Hyper-V
 Supported Oracle Linux virtual machines on Hyper-V
7/26/2019 • 9 minutes to read • Edit Online

Applies To: Windows Server 2019, Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2,
Hyper-V Server 2012 R2, Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows
10, Windows 8.1, Windows 8, Windows 7.1, Windows 7

The following feature distribution map indicates the features that are present in each version. The known issues and
workarounds for each distribution are listed after the table.
In this section:
Red Hat Compatible Kernel Series
Unbreakable Enterprise Kernel Series
Notes

Table legend
Built in - LIS are included as part of this Linux distribution. The kernel module version numbers for the built
in LIS (as shown by lsmod, for example) are different from the version number on the Microsoft-provided
LIS download package. A mismatch doesn't indicate that the built in LIS is out of date.
✔ - Feature available

(blank) - Feature not available

UEK R*x QU*y - Unbreakable Enterprise Kernel (UEK) where x is the release number and y is the quarterly
update.

Red Hat Compatible Kernel Series

The 32-bit kernel for the 6.x series is PAE enabled. There is no built-in LIS support for Oracle Linux RHCK 6.0-6.3.
Oracle Linux 7.x kernels are 64-bit only.

WINDO
WS
SERVER 6.4-6.8 6.4-6.8
FEATUR VERSIO AND AND RHCK RHCK RHCK RHCK RHCK6.
E N 7.5-7.6 7.4 7.0-7.3 7.0-7.2 7.0-7.2 6.8 6.6, 6.7 6.5 4

Availa Built in Built in LIS 4.2 LIS 4.1 Built in Built in Built in Built in Built in
bility

Core 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
2016,
2012
R2,
2012,
2008
R2
 WINDO
WS
SERVER 6.4-6.8 6.4-6.8
FEATUR VERSIO AND AND RHCK RHCK RHCK RHCK RHCK6.
E N 7.5-7.6 7.4 7.0-7.3 7.0-7.2 7.0-7.2 6.8 6.6, 6.7 6.5 4

Windo 2019,
ws 2016
Server
2016
Accurat
e Time

Netwo
rking

Jumbo 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
frames 2016,
2012
R2,
2012,
2008
R2

VLAN 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
taggin 2016, (Note 1 (Note 1 Note 1 Note 1 Note 1 Note 1
g and 2012 for 6.4- for 6.4-
trunkin R2, 6.8) 6.8)
g 2012,
2008
R2

Live 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Migrati 2016,
on 2012
R2,
2012,
2008
R2

Static 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
IP 2016, Note Note
Injectio 2012 14 14
n R2,
2012

vRSS 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
2016,
2012
R2

TCP 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔
Segme 2016,
ntation 2012
and R2,
Checks 2012,
um 2008
Offload R2
s
 WINDO
WS
SERVER 6.4-6.8 6.4-6.8
FEATUR VERSIO AND AND RHCK RHCK RHCK RHCK RHCK6.
E N 7.5-7.6 7.4 7.0-7.3 7.0-7.2 7.0-7.2 6.8 6.6, 6.7 6.5 4

SR-IOV 2019, ✔ ✔
2016

Storag
e

VHDX 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
resize 2016,
2012
R2

Virtual 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Fibre 2016, Note 2 Note 2 Note 2 Note 2 Note 2 Note 2 Note 2 Note 2
Chann 2012
el R2

Live 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
virtual 2016, Note Note Note 3, Note 3, Note 3, Note 3, Note 3, Note 3, Note 3,
machin 2012 11,3 11, 3 4 4 4, 11 4, 11 4, 11 4, 5, 11 4, 5, 11
e R2
backup

TRIM 2019, ✔ ✔ ✔ ✔ ✔ ✔
suppor 2016,
t 2012
R2

SCSI 2019, ✔ ✔ ✔
WWN 2016,
2012
R2

Memo
ry

PAE 2019, N/A N/A ✔ (6.x ✔ (6.x N/A ✔ ✔ ✔ ✔

Kernel 2016, only) only)
Suppor 2012
t R2,
2012,
2008
R2

Config 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
uration 2016,
of 2012
MMIO R2
gap
 WINDO
WS
SERVER 6.4-6.8 6.4-6.8
FEATUR VERSIO AND AND RHCK RHCK RHCK RHCK RHCK6.
E N 7.5-7.6 7.4 7.0-7.3 7.0-7.2 7.0-7.2 6.8 6.6, 6.7 6.5 4

Dynam 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ic 2016, Note 8, Note 8, Note 7, Note 7, Note 6, Note 6, Note 6, Note 6,
Memor 2012 9 9 8, 9, 10 8, 9, 10 7, 8, 9 7, 8, 9 7, 8, 9 7, 8, 9
y- R2, (Note 6 (Note 6
Hot- 2012 for 6.4- for 6.4-
Add 6.7) 6.7)

Dynam 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ic 2016, Note 8, Note 8, Note 7, Note 7, Note 6, Note 6, Note 6, Note 6, Note 6,
Memor 2012 9 9 9, 10 9, 10 8, 9 8, 9 8, 9 8, 9 8, 9, 10
y- R2, (Note 6 (Note 6
Balloon 2012 for 6.4- for 6.4-
ing 6.7) 6.7)

Runtim 2019,
e 2016
Memor
y
Resize

Video

Hyper- 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
V- 2016,2
specific 012 R2,
video 2012,
device 2008
R2

Miscell
aneou
s

Key- 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Value 2016, Note Note Note Note Note
Pair 2012 12 12 12 12 12
R2,
2012,
2008
R2

Non- 2019, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Maska 2016,
ble 2012
Interru R2
pt

File 2019, ✔ ✔ ✔ ✔ ✔
copy 2016,
from 2012
host to R2
guest
 WINDO
WS
SERVER 6.4-6.8 6.4-6.8
FEATUR VERSIO AND AND RHCK RHCK RHCK RHCK RHCK6.
E N 7.5-7.6 7.4 7.0-7.3 7.0-7.2 7.0-7.2 6.8 6.6, 6.7 6.5 4

lsvmbu 2019, ✔ ✔
s 2016,
comma 2012
nd R2,
2012,
2008
R2

Hyper- 2019, ✔ ✔
V 2016
Sockets

PCI 2019, ✔ ✔
Passthr 2016
ough/
DDA

Gener
ation 2
virtual
machi
nes

Boot 2019, ✔ ✔ ✔ ✔ ✔ ✔
using 2016, Note Note Note Note Note Note
UEFI 2012 13 13 13 13 13 13
R2

Secure 2019, ✔ ✔
boot 2016

Unbreakable Enterprise Kernel Series

The Oracle Linux Unbreakable Enterprise Kernel (UEK) is 64-bit only and has LIS support built-in.

WINDOWS
SERVER
FEATURE VERSION UEK R5 UEK R4 UEK R3 QU3 UEK R3 QU2 UEK R3 QU1

Availability Built in Built in Built in Built in Built in

Core 2019, 2016, ✔ ✔ ✔ ✔ ✔

2012 R2,
2012, 2008
R2

Windows 2019, 2016

Server 2016
Accurate Time

Networking
 WINDOWS
SERVER
FEATURE VERSION UEK R5 UEK R4 UEK R3 QU3 UEK R3 QU2 UEK R3 QU1

Jumbo frames 2019, 2016, ✔ ✔ ✔ ✔ ✔

2012 R2,
2012, 2008
R2

VLAN tagging 2019, 2016, ✔ ✔ ✔ ✔ ✔

and trunking 2012 R2,
2012, 2008
R2

Live Migration 2019, 2016, ✔ ✔ ✔ ✔ ✔

2012 R2,
2012, 2008
R2

Static IP 2019, 2016, ✔ ✔ ✔ ✔

Injection 2012 R2,
2012

vRSS 2019, 2016, ✔ ✔

2012 R2

TCP 2019, 2016, ✔ ✔

Segmentation 2012 R2,
and 2012, 2008
Checksum R2
Offloads

SR-IOV 2019, 2016

Storage

VHDX resize 2019, 2016, ✔ ✔ ✔ ✔

2012 R2

Virtual Fibre 2019, 2016, ✔ ✔ ✔ ✔

Channel 2012 R2

Live virtual 2019, 2016, ✔ Note 3, 4, ✔ Note 3, 4, ✔ Note 3, 4, ✔ Note 3, 4,

machine 2012 R2 5, 11 5, 11 5, 11 5, 11
backup

TRIM support 2019, 2016, ✔ ✔

2012 R2

SCSI WWN 2019, 2016,

2012 R2

Memory
 WINDOWS
SERVER
FEATURE VERSION UEK R5 UEK R4 UEK R3 QU3 UEK R3 QU2 UEK R3 QU1

PAE Kernel 2019, 2016, N/A N/A N/A N/A N/A

Support 2012 R2,
2012, 2008
R2

Configuration 2019, 2016, ✔ ✔ ✔ ✔ ✔

of MMIO gap 2012 R2

Dynamic 2019, 2016, ✔ ✔

Memory - 2012 R2,
Hot-Add 2012

Dynamic 2019, 2016, ✔ ✔

Memory - 2012 R2,
Ballooning 2012

Runtime 2019, 2016

Memory
Resize

Video

Hyper-V- 2019, 2016, ✔ ✔ ✔ ✔

specific video 2012 R2,
device 2012, 2008
R2

Miscellaneou
s

Key-Value Pair 2019, 2016, ✔ Note 11, ✔ Note 11, ✔ Note 11, ✔ Note 11, ✔ Note 11,
2012 R2, 12 12 12 12 12
2012, 2008
R2

Non- 2019, 2016, ✔ ✔ ✔ ✔ ✔

Maskable 2012 R2
Interrupt

File copy from 2019, 2016, ✔ Note 11 ✔ Note 11 ✔ Note 11 ✔ Note 11 ✔ Note 11
host to guest 2012 R2

lsvmbus 2019, 2016,

command 2012 R2,
2012, 2008
R2

Hyper-V 2019, 2016

Sockets

PCI 2019, 2016

Passthrough/
DDA
 WINDOWS
SERVER
FEATURE VERSION UEK R5 UEK R4 UEK R3 QU3 UEK R3 QU2 UEK R3 QU1

Generation 2
virtual
machines

Boot using 2019, 2016, ✔ ✔

UEFI 2012 R2

Secure boot 2019, 2016 ✔ ✔

Notes
1. For this Oracle Linux release, VLAN tagging works but VLAN trunking does not.
2. While using virtual fibre channel devices, ensure that logical unit number 0 (LUN 0) has been populated. If
LUN 0 has not been populated, a Linux virtual machine might not be able to mount fibre channel devices
natively.
3. If there are open file handles during a live virtual machine backup operation, then in some corner cases, the
backed-up VHDs might have to undergo a file system consistency check (fsck) on restore.
4. Live backup operations can fail silently if the virtual machine has an attached iSCSI device or direct-attached
storage (also known as a pass-through disk).
5. Live backup support for Oracle Linux 6.4/6.5/UEKR3 QU2 and QU3 is available through Hyper-V Backup
Essentials for Linux.
6. Dynamic memory support is only available on 64-bit virtual machines.
7. Hot-Add support is not enabled by default in this distribution. To enable Hot-Add support you need to add a
udev rule under /etc/udev/rules.d/ as follows:
a. Create a file /etc/udev/rules.d/100-balloon.rules. You may use any other desired name for the file.
b. Add the following content to the file: SUBSYSTEM=="memory", ACTION=="add", ATTR{state}="online"

c. Reboot the system to enable Hot-Add support.

While the Linux Integration Services download creates this rule on installation, the rule is also removed
when LIS is uninstalled, so the rule must be recreated if dynamic memory is needed after uninstallation.
8. Dynamic memory operations can fail if the guest operating system is running too low on memory. The
following are some best practices:
Startup memory and minimal memory should be equal to or greater than the amount of memory
that the distribution vendor recommends.
Applications that tend to consume the entire available memory on a system are limited to consuming
up to 80 percent of available RAM.
9. If you are using Dynamic Memory on a Windows Server 2016 or Windows Server 2012 R2 operating
system, specify Startup memory, Minimum memory, and Maximum memory parameters in multiples
of 128 megabytes (MB ). Failure to do so can lead to hot-add failures, and you may not see any memory
increase in a guest operating system.
10. Certain distributions, including those using LIS 3.5 or LIS 4.0, only provide Ballooning support and do not
 provide Hot-Add support. In such a scenario, the dynamic memory feature can be used by setting the
Startup memory parameter to a value which is equal to the Maximum memory parameter. This results in all
the requisite memory being Hot-Added to the virtual machine at boot time and then later depending upon
the memory requirements of the host, Hyper-V can freely allocate or deallocate memory from the guest
using Ballooning. Please configure Startup Memory and Minimum Memory at or above the
recommended value for the distribution.
11. Oracle Linux Hyper-V daemons are not installed by default. To use these daemons, install the hyperv-
daemons package. This package conflicts with downloaded Linux Integration Services and should not be
installed on systems with downloaded LIS.
12. The key/value pair (KVP ) infrastructure might not function correctly without a Linux software update.
Contact your distribution vendor to obtain the software update in case you see problems with this feature.
13. OnWindows Server 2012 R2Generation 2 virtual machines have secure boot enabled by default and some
Linux virtual machines will not boot unless the secure boot option is disabled. You can disable secure boot in
the Firmware section of the settings for the virtual machine in Hyper-V Manager or you can disable it
using Powershell:

Set-VMFirmware -VMName "VMname" -EnableSecureBoot Off

The Linux Integration Services download can be applied to existing Generation 2 VMs but does not impart
Generation 2 capability.
14. Static IP injection may not work if Network Manager has been configured for a given synthetic network
adapter on the virtual machine. For smooth functioning of static IP injection please make sure that either
Network Manager is either turned off completely or has been turned off for a specific network adapter
through its ifcfg-ethX file.
See Also
Set-VMFirmware
Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V
Supported Debian virtual machines on Hyper-V
Supported SUSE virtual machines on Hyper-V
Supported Ubuntu virtual machines on Hyper-V
Supported FreeBSD virtual machines on Hyper-V
Feature Descriptions for Linux and FreeBSD virtual machines on Hyper-V
Best Practices for running Linux on Hyper-V
 Supported SUSE virtual machines on Hyper-V
5/24/2019 • 5 minutes to read • Edit Online

Applies To: Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2, Hyper-V Server 2012 R2,
Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows 10, Windows 8.1, Windows
8, Windows 7.1, Windows 7

The following is a feature distribution map that indicates the features in each version. The known issues and
workarounds for each distribution are listed after the table.
The built-in SUSE Linux Enterprise Service drivers for Hyper-V are certified by SUSE. An example configuration
can be viewed in this bulletin: SUSE YES Certification Bulletin.

Table legend
Built in - LIS are included as part of this Linux distribution.The Microsoft-provided LIS download package
does not work for this distribution, so do not install it.The kernel module version numbers for the built in LIS
(as shown by lsmod, for example) are different from the version number on the Microsoft-provided LIS
download package. A mismatch doesn't indicate that the built in LIS is out of date.
✔ - Feature available

(blank) - Feature not available

SLES12+ is 64-bit only.

WINDOWS
SERVER
OPERATING
SYSTEM SLES 12
FEATURE VERSION SLES 15 SP3/SP4 SLES 12 SP2 SLES 12 SP1 SLES 11 SP4 SLES 11 SP3

Availabilit Built-in Built-in Built-in Built-in Built-in Built-in

y

Core 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

2012 R2,
2012, 2008
R2

Windows 2019, 2016 ✔ ✔ ✔

Server 2016
Accurate
Time

Networkin
g

Jumbo 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

frames 2012 R2,
2012, 2008
R2
 WINDOWS
SERVER
OPERATING
SYSTEM SLES 12
FEATURE VERSION SLES 15 SP3/SP4 SLES 12 SP2 SLES 12 SP1 SLES 11 SP4 SLES 11 SP3

VLAN 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

tagging and 2012 R2,
trunking 2012, 2008
R2

Live 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

migration 2012 R2,
2012, 2008
R2

Static IP 2019, 2016, ✔Note 1 ✔Note 1 ✔Note 1 ✔Note 1 ✔Note 1 ✔Note 1

Injection 2012 R2,
2012

vRSS 2019, 2016, ✔ ✔ ✔ ✔

2012 R2

TCP 2019, 2016, ✔ ✔ ✔ ✔ ✔

Segmentati 2012 R2,
on and 2012, 2008
Checksum R2
Offloads

SR-IOV 2019, 2016 ✔ ✔ ✔

Storage

VHDX resize 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

2012 R2

Virtual Fibre 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

Channel 2012 R2

Live virtual 2019, 2016, ✔ Note 2, ✔ Note 2, ✔ Note 2, ✔ Note 2, ✔ Note 2, ✔ Note 2,
machine 2012 R2 3, 8 3, 8 3, 8 3, 8 3, 8 3, 8
backup

TRIM 2019, 2016, ✔ ✔ ✔ ✔ ✔

support 2012 R2

SCSI WWN 2019, 2016, ✔ ✔ ✔

2012 R2

Memory

PAE Kernel 2019, 2016, N/A N/A N/A N/A ✔ ✔

Support 2012 R2,
2012, 2008
R2
 WINDOWS
SERVER
OPERATING
SYSTEM SLES 12
FEATURE VERSION SLES 15 SP3/SP4 SLES 12 SP2 SLES 12 SP1 SLES 11 SP4 SLES 11 SP3

Configurati 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

on of 2012 R2
MMIO gap

Dynamic 2019, 2016, ✔ Note 5, 6 ✔ Note 5, 6 ✔ Note 5, 6 ✔ Note 5, 6 ✔ Note 4, ✔ Note 4,

Memory - 2012 R2, 5, 6 5, 6
Hot-Add 2012

Dynamic 2019, 2016, ✔ Note 5, 6 ✔ Note 5, 6 ✔ Note 5, 6 ✔ Note 5, 6 ✔ Note 4, ✔ Note 4,

Memory - 2012 R2, 5, 6 5, 6
Ballooning 2012

Runtime 2019, 2016 ✔ Note 5, 6 ✔ Note 5, 6 ✔ Note 5, 6

Memory
Resize

Video

Hyper-V- 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

specific 2012 R2,
video device 2012, 2008
R2

Miscellane
ous

Key/value 2019, 2016, ✔ ✔ ✔ ✔ ✔ Note 7 ✔ Note 7

pair 2012 R2,
2012, 2008
R2

Non- 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

Maskable 2012 R2
Interrupt

File copy 2019, 2016, ✔ ✔ ✔ ✔ ✔

from host 2012 R2
to guest

lsvmbus 2019, 2016, ✔ ✔ ✔

command 2012 R2,
2012, 2008
R2

Hyper-V 2019, 2016 ✔ ✔

Sockets

PCI 2019, 2016 ✔ ✔ ✔ ✔

Passthroug
h/DDA
 WINDOWS
SERVER
OPERATING
SYSTEM SLES 12
FEATURE VERSION SLES 15 SP3/SP4 SLES 12 SP2 SLES 12 SP1 SLES 11 SP4 SLES 11 SP3

Generation
2 virtual
machines

Boot using 2019, 2016, ✔ Note 9 ✔ Note 9 ✔ Note 9 ✔ Note 9 ✔ Note 9

UEFI 2012 R2

Secure boot 2019, 2016 ✔ ✔ ✔ ✔

Notes
1. Static IP injection may not work if Network Manager has been configured for a given Hyper-V -specific
network adapter on the virtual machine. To ensure smooth functioning of static IP injection please ensure
that Network Manager is turned off completely or has been turned off for a specific network adapter
through its ifcfg-ethX file.
2. If there are open file handles during a live virtual machine backup operation, then in some corner cases, the
backed-up VHDs might have to undergo a file system consistency check (fsck) on restore.
3. Live backup operations can fail silently if the virtual machine has an attached iSCSI device or direct-attached
storage (also known as a pass-through disk).
4. Dynamic memory operations can fail if the guest operating system is running too low on memory. The
following are some best practices:
Startup memory and minimal memory should be equal to or greater than the amount of memory
that the distribution vendor recommends.
Applications that tend to consume the entire available memory on a system are limited to consuming
up to 80 percent of available RAM.
5. Dynamic memory support is only available on 64-bit virtual machines.
6. If you are using Dynamic Memory on Windows Server 2016 or Windows Server 2012 operating systems,
specify Startup memory, Minimum memory, and Maximum memory parameters in multiples of 128
megabytes (MB ). Failure to do so can lead to Hot-Add failures, and you may not see any memory increase in
a guest operating system.
7. In Windows Server 2016 or Windows Server 2012 R2, the key/value pair infrastructure might not function
correctly without a Linux software update. Contact your distribution vendor to obtain the software update in
case you see problems with this feature.
8. VSS backup will fail if a single partition is mounted multiple times.
9. On Windows Server 2012 R2, Generation 2 virtual machines have secure boot enabled by default and
Generation 2 Linux virtual machines will not boot unless the secure boot option is disabled. You can disable
secure boot in the Firmware section of the settings for the virtual machine in Hyper-V Manager or you can
disable it using Powershell:

Set-VMFirmware -VMName "VMname" -EnableSecureBoot Off

See Also
Set-VMFirmware
Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V
Supported Debian virtual machines on Hyper-V
Supported Oracle Linux virtual machines on Hyper-V
Supported Ubuntu virtual machines on Hyper-V
Supported FreeBSD virtual machines on Hyper-V
Feature Descriptions for Linux and FreeBSD virtual machines on Hyper-V
Best Practices for running Linux on Hyper-V
 Supported Ubuntu virtual machines on Hyper-V
7/26/2019 • 7 minutes to read • Edit Online

Applies To: Windows Server 2019, 2016, Hyper-V Server 2019, 2016, Windows Server 2012 R2, Hyper-V
Server 2012 R2, Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows 10,
Windows 8.1, Windows 8, Windows 7.1, Windows 7

Beginning with Ubuntu 12.04, loading the "linux-virtual" package installs a kernel suitable for use as a guest virtual
machine. This package always depends on the latest minimal generic kernel image and headers used for virtual
machines. While its use is optional, the linux-virtual kernel will load fewer drivers and may boot faster and have less
memory overhead than a generic image.
To get full use of Hyper-V, install the appropriate linux-tools and linux-cloud-tools packages to install tools and
daemons for use with virtual machines. When using the linux-virtual kernel, load linux-tools-virtual and linux-
cloud-tools-virtual.
The following feature distribution map indicates the features in each version. The known issues and workarounds
for each distribution are listed after the table.

Table legend
Built in - LIS are included as part of this Linux distribution. The Microsoft-provided LIS download package
doesn't work for this distribution, so don't install it. The kernel module version numbers for the built in LIS
(as shown by lsmod, for example) are different from the version number on the Microsoft-provided LIS
download package. A mismatch doesn't indicate that the built in LIS is out of date.
✔ - Feature available

(blank) - Feature not available

WINDOWS
SERVER
OPERATING
SYSTEM
FEATURE VERSION 19.04 18.10 18.04 LTS 16.04 LTS 14.04 LTS 12.04 LTS

Availabilit Built-in Built-in Built-in Built-in Built-in Built-in

y

Core 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

2012 R2,
2012, 2008
R2

Windows 2019, 2016 ✔ ✔ ✔ ✔

Server 2016
Accurate
Time

Networkin
g
 WINDOWS
SERVER
OPERATING
SYSTEM
FEATURE VERSION 19.04 18.10 18.04 LTS 16.04 LTS 14.04 LTS 12.04 LTS

Jumbo 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

frames 2012 R2,
2012, 2008
R2

VLAN 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

tagging and 2012 R2,
trunking 2012, 2008
R2

Live 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

migration 2012 R2,
2012, 2008
R2

Static IP 2019, 2016, ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1 ✔ Note 1

Injection 2012 R2,
2012

vRSS 2019, 2016, ✔ ✔ ✔ ✔ ✔

2012 R2

TCP 2019, 2016, ✔ ✔ ✔ ✔ ✔

Segmentati 2012 R2,
on and 2012, 2008
Checksum R2
Offloads

SR-IOV 2019, 2016 ✔ ✔ ✔ ✔

Storage

VHDX resize 2019, 2016, ✔ ✔ ✔ ✔ ✔

2012 R2

Virtual Fibre 2019, 2016, ✔ Note 2 ✔ Note 2 ✔ Note 2 ✔ Note 2 ✔ Note 2

Channel 2012 R2

Live virtual 2019, 2016, ✔ Note 3, ✔ Note 3, ✔ Note 3, ✔ Note 3, ✔ Note 3,

machine 2012 R2 4, 6 4, 6 4, 5 4, 5 4, 5
backup

TRIM 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

support 2012 R2

SCSI WWN 2019, 2016, ✔ ✔ ✔ ✔ ✔

2012 R2

Memory
 WINDOWS
SERVER
OPERATING
SYSTEM
FEATURE VERSION 19.04 18.10 18.04 LTS 16.04 LTS 14.04 LTS 12.04 LTS

PAE Kernel 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

Support 2012 R2,
2012, 2008
R2

Configurati 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

on of 2012 R2
MMIO gap

Dynamic 2019, 2016, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7,

Memory - 2012 R2, 8, 9 8, 9 8, 9 8, 9 8, 9
Hot-Add 2012

Dynamic 2019, 2016, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7, ✔ Note 7,

Memory - 2012 R2, 8, 9 8, 9 8, 9 8, 9 8, 9
Ballooning 2012

Runtime 2019, 2016 ✔ ✔ ✔ ✔ ✔

Memory
Resize

Video

Hyper-V 2019, 2016, ✔ ✔ ✔ ✔ ✔

specific 2012 R2,
video device 2012, 2008
R2

Miscellane
ous

Key/value 2019, 2016, ✔ Note 6, ✔ Note 6, ✔ Note 5, ✔ Note 5, ✔ Note 5, ✔ Note 5,

pair 2012 R2, 10 10 10 10 10 10
2012, 2008
R2

Non- 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

Maskable 2012 R2
Interrupt

File copy 2019, 2016, ✔ ✔ ✔ ✔ ✔

from host 2012 R2
to guest

lsvmbus 2019, 2016, ✔ ✔ ✔ ✔ ✔

command 2012 R2,
2012, 2008
R2

Hyper-V 2019, 2016

Sockets
 WINDOWS
SERVER
OPERATING
SYSTEM
FEATURE VERSION 19.04 18.10 18.04 LTS 16.04 LTS 14.04 LTS 12.04 LTS

PCI 2019, 2016 ✔ ✔ ✔ ✔ ✔

Passthroug
h/DDA

Generation
2 virtual
machines

Boot using 2019, 2016, ✔ Note 11, ✔ Note 11, ✔ Note 11, ✔ Note 11, ✔ Note 11,
UEFI 2012 R2 12 12 12 12 12

Secure boot 2019, 2016 ✔ ✔ ✔ ✔ ✔

Notes
1. Static IP injection may not work if Network Manager has been configured for a given Hyper-V -specific
network adapter on the virtual machine. To ensure smooth functioning of static IP injection please ensure
that Network Manager is turned off completely or has been turned off for a specific network adapter
through its ifcfg-ethX file.
2. While using virtual fiber channel devices, ensure that logical unit number 0 (LUN 0) has been populated. If
LUN 0 has not been populated, a Linux virtual machine might not be able to mount fiber channel devices
natively.
3. If there are open file handles during a live virtual machine backup operation, then in some corner cases, the
backed-up VHDs might have to undergo a file system consistency check ( fsck ) on restore.
4. Live backup operations can fail silently if the virtual machine has an attached iSCSI device or direct-attached
storage (also known as a pass-through disk).
5. On long term support (LTS ) releases use latest virtual Hardware Enablement (HWE ) kernel for up to date
Linux Integration Services.
To install the Azure-tuned kernel on 14.04, 16.04 and 18.04, run the following commands as root (or sudo):

# apt-get update
# apt-get install linux-azure

12.04 does not have a separate virtual kernel. To install the generic HWE kernel on 12.04, run the following
commands as root (or sudo):

# apt-get update
# apt-get install linux-generic-lts-trusty

On Ubuntu 12.04 the following Hyper-V daemons are in a separately installed package:
VSS Snapshot daemon - This daemon is required to create live Linux virtual machine backups.
KVP daemon - This daemon allows setting and querying intrinsic and extrinsic key value pairs.
fcopy daemon - This daemon implements a file copying service between the host and guest.
To install the KVP daemon on 12.04, run the following commands as root (or sudo).
 # apt-get install hv-kvp-daemon-init linux-tools-lts-trusty linux-cloud-tools-generic-lts-trusty

Whenever the kernel is updated, the virtual machine must be rebooted to use it.
6. On Ubuntu 18.10 or 19.04, use the latest virtual kernel to have up-to-date Hyper-V capabilities.
To install the virtual kernel on 18.10 or 19.04, run the following commands as root (or sudo):

# apt-get update
# apt-get install linux-azure

Whenever the kernel is updated, the virtual machine must be rebooted to use it.
7. Dynamic memory support is only available on 64-bit virtual machines.
8. Dynamic Memory operations can fail if the guest operating system is running too low on memory. The
following are some best practices:
Startup memory and minimal memory should be equal to or greater than the amount of memory
that the distribution vendor recommends.
Applications that tend to consume the entire available memory on a system are limited to consuming
up to 80 percent of available RAM.
9. If you are using Dynamic Memory on Windows Server 2019, Windows Server 2016 or Windows Server
2012/2012 R2 operating systems, specify Startup memory, Minimum memory, and Maximum
memory parameters in multiples of 128 megabytes (MB ). Failure to do so can lead to Hot-Add failures, and
you might not see any memory increase on a guest operating system.
10. In Windows Server 2019, Windows Server 2016 or Windows Server 2012 R2, the key/value pair
infrastructure might not function correctly without a Linux software update. Contact your distribution vendor
to obtain the software update in case you see problems with this feature.
11. On Windows Server 2012 R2, Generation 2 virtual machines have secure boot enabled by default and some
Linux virtual machines will not boot unless the secure boot option is disabled. You can disable secure boot in
the Firmware section of the settings for the virtual machine in Hyper-V Manager or you can disable it
using Powershell:

Set-VMFirmware -VMName "VMname" -EnableSecureBoot Off

12. Before attempting to copy the VHD of an existing Generation 2 VHD virtual machine to create new
Generation 2 virtual machines, follow these steps:
a. Log in to the existing Generation 2 virtual machine.
b. Change directory to the boot EFI directory:

# cd /boot/efi/EFI

c. Copy the ubuntu directory in to a new directory named boot:

# sudo cp -r ubuntu/ boot

d. Change directory to the newly created boot directory:

 # cd boot

e. Rename the shimx64.efi file:

# sudo mv shimx64.efi bootx64.efi

See Also
Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V
Supported Debian virtual machines on Hyper-V
Supported Oracle Linux virtual machines on Hyper-V
Supported SUSE virtual machines on Hyper-V
Feature Descriptions for Linux and FreeBSD virtual machines on Hyper-V
Best Practices for running Linux on Hyper-V
Set-VMFirmware
Ubuntu 14.04 in a Generation 2 VM - Ben Armstrong's Virtualization Blog
 Supported FreeBSD virtual machines on Hyper-V
7/26/2019 • 3 minutes to read • Edit Online

Applies To: Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2, Hyper-V Server 2012 R2,
Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows 10, Windows 8.1, Windows
8, Windows 7.1, Windows 7

The following feature distribution map indicates the features in each version. The known issues and workarounds
for each distribution are listed after the table.

Table legend
Built in - BIS (FreeBSD Integration Service) are included as part of this FreeBSD release.
✔ - Feature available

(blank) - Feature not available

WINDOWS
SERVER
OPERATING
SYSTEM
FEATURE VERSION 11.1/11.2 11.0 10.3 10.2 10.0 - 10.1 9.1 - 9.3, 8.4

Availabilit Built in Built in Built in Built in Built in Ports

y

Core 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

2012 R2,
2012, 2008
R2

Windows 2019, 2016 ✔

Server 2016
Accurate
Time

Networkin
g

Jumbo 2019, 2016, ✔ Note 3 ✔ Note 3 ✔ Note 3 ✔ Note 3 ✔ Note 3 ✔ Note 3

frames 2012 R2,
2012, 2008
R2

VLAN 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

tagging and 2012 R2,
trunking 2012, 2008
R2

Live 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

migration 2012 R2,
2012, 2008
R2
 WINDOWS
SERVER
OPERATING
SYSTEM
FEATURE VERSION 11.1/11.2 11.0 10.3 10.2 10.0 - 10.1 9.1 - 9.3, 8.4

Static IP 2019, 2016, ✔ Note 4 ✔ Note 4 ✔ Note 4 ✔ Note 4 ✔ Note 4 ✔

Injection 2012 R2,
2012

vRSS 2019, 2016, ✔ ✔

2012 R2

TCP 2019, 2016, ✔ ✔ ✔ ✔

Segmentati 2012 R2,
on and 2012, 2008
Checksum R2
Offloads

Large 2019, 2016, ✔ ✔ ✔

Receive 2012 R2,
Offload 2012, 2008
(LRO) R2

SR-IOV 2019, 2016

Storage Note 1 Note 1 Note 1 Note 1 Note 1,2 Note 1,2

VHDX resize 2019, 2016, ✔ Note 7 ✔ Note 7

2012 R2

Virtual Fibre 2019, 2016,

Channel 2012 R2

Live virtual 2019, 2016, ✔

machine 2012 R2
backup

TRIM 2019, 2016, ✔

support 2012 R2

SCSI WWN 2019, 2016,

2012 R2

Memory

PAE Kernel 2019, 2016,

Support 2012 R2,
2012, 2008
R2

Configurati 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

on of 2012 R2
MMIO gap

Dynamic 2019, 2016,

Memory - 2012 R2,
Hot-Add 2012
 WINDOWS
SERVER
OPERATING
SYSTEM
FEATURE VERSION 11.1/11.2 11.0 10.3 10.2 10.0 - 10.1 9.1 - 9.3, 8.4

Dynamic 2019, 2016,

Memory - 2012 R2,
Ballooning 2012

Runtime 2019, 2016

Memory
Resize

Video

Hyper-V 2019, 2016,

specific 2012 R2,
video device 2012, 2008
R2

Miscellane
ous

Key/value 2019, 2016, ✔ ✔ ✔ ✔ Note 6 ✔ Note 5, 6 ✔ Note 6

pair 2012 R2,
2012, 2008
R2

Non- 2019, 2016, ✔ ✔ ✔ ✔ ✔ ✔

Maskable 2012 R2
Interrupt

File copy 2019, 2016,

from host 2012 R2
to guest

lsvmbus 2019, 2016,

command 2012 R2,
2012, 2008
R2

Hyper-V 2019, 2016

Sockets

PCI 2019, 2016 ✔

Passthroug
h/DDA

Generation
2 virtual
machines

Boot using 2019, 2016, ✔

UEFI 2012 R2

Secure boot 2019, 2016

Notes
1. Suggest to Label Disk Devices to avoid ROOT MOUNT ERROR during startup.
2. The virtual DVD drive may not be recognized when BIS drivers are loaded on FreeBSD 8.x and 9.x unless
you enable the legacy ATA driver through the following command.

# echo ‘hw.ata.disk_enable=1’ >> /boot/loader.conf

# shutdown -r now

3. 9126 is the maximum supported MTU size.

4. In a failover scenario, you cannot set a static IPv6 address in the replica server. Use an IPv4 address instead.
5. KVP is provided by ports on FreeBSD 10.0. See the FreeBSD 10.0 ports on FreeBSD.org for more
information.
6. KVP may not work on Windows Server 2008 R2.
7. To make VHDX online resizing work properly in FreeBSD 11.0, a special manual step is required to work
around a GEOM bug which is fixed in 11.0+, after the host resizes the VHDX disk - open the disk for write,
and run “gpart recover” as the following.

# dd if=/dev/da1 of=/dev/da1 count=0

# gpart recover da1

Additional Notes: The feature matrix of 10 stable and 11 stable is same with FreeBSD 11.1 release. In
addition, FreeBSD 10.2 and previous versions (10.1, 10.0, 9.x, 8.x) are end of life. Please refer here for an up-
to-date list of supported releases and the latest security advisories.
Additional Notes: The feature matrix of 10 stable and 11 stable is same with FreeBSD 11.1 release. In addition,
FreeBSD 10.2 and previous versions (10.1, 10.0, 9.x, 8.x) are end of life. Please refer here for an up-to-date list of
supported releases and the latest security advisories.

See Also
Feature Descriptions for Linux and FreeBSD virtual machines on Hyper-V
Best practices for running FreeBSD on Hyper-V
 Feature Descriptions for Linux and FreeBSD virtual
machines on Hyper-V
5/24/2019 • 8 minutes to read • Edit Online

Applies To: Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2, Hyper-V Server 2012 R2,
Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows 10, Windows 8.1, Windows
8, Windows 7.1, Windows 7

This article describes features available in components such as core, networking, storage, and memory when using
Linux and FreeBSD on a virtual machine.

Core
FEATURE DESCRIPTION

Integrated shutdown With this feature, an administrator can shut down virtual
machines from the Hyper-V Manager. For more information,
see Operating system shutdown.

Time synchronization This feature ensures that the maintained time inside a virtual
machine is kept synchronized with the maintained time on the
host. For more information, see Time synchronization.

Windows Server 2016 Accurate Time This feature allows the guest to use the Windows Server 2016
Accurate Time capability, which improves time synchronization
with the host to 1ms accuracy. For more information, see
Windows Server 2016 Accurate Time

Multiprocessing support With this feature, a virtual machine can use multiple
processors on the host by configuring multiple virtual CPUs.

Heartbeat With this feature, the host to can track the state of the virtual
machine. For more information, see Heartbeat.

Integrated mouse support With this feature, you can use a mouse on a virtual machine's
desktop and also use the mouse seamlessly between the
Windows Server desktop and the Hyper-V console for the
virtual machine.

Hyper-V specific Storage device This feature grants high-performance access to storage
devices that are attached to a virtual machine.

Hyper-V specific Network device This feature grants high-performance access to network
adapters that are attached to a virtual machine.

Networking
 FEATURE DESCRIPTION

Jumbo frames With this feature, an administrator can increase the size of
network frames beyond 1500 bytes, which leads to a
significant increase in network performance.

VLAN tagging and trunking This feature allows you to configure virtual LAN (VLAN) traffic
for virtual machines.

Live Migration With this feature, you can migrate a virtual machine from one
host to another host. For more information, see Virtual
Machine Live Migration Overview.

Static IP Injection With this feature, you can replicate the static IP address of a
virtual machine after it has been failed over to its replica on a
different host. Such IP replication ensures that network
workloads continue to work seamlessly after a failover event.

vRSS (Virtual Receive Side Scaling) Spreads the load from a virtual network adapter across
multiple virtual processors in a virtual machine.For more
information, see Virtual Receive-side Scaling in Windows Server
2012 R2.

TCP Segmentation and Checksum Offloads Transfers segmentation and checksum work from the guest
CPU to the host virtual switch or network adapter during
network data transfers.

Large Receive Offload (LRO) Increases inbound throughput of high-bandwidth connections

by aggregating multiple packets into a larger buffer,
decreasing CPU overhead.

SR-IOV Single Root I/O devices use DDA to allow guests access to
portions of specific NIC cards allowing for reduced latency and
increased throughput. SR-IOV requires up to date physical
function (PF) drivers on the host and virtual function (VF)
drivers on the guest.

Storage
FEATURE DESCRIPTION

VHDX resize With this feature, an administrator can resize a fixed-size .vhdx
file that is attached to a virtual machine. For more information,
see Online Virtual Hard Disk Resizing Overview.

Virtual Fibre Channel With this feature, virtual machines can recognize a fiber
channel device and mount it natively. For more information,
see Hyper-V Virtual Fibre Channel Overview.
FEATURE DESCRIPTION

Live virtual machine backup This feature facilitates zero down time backup of live virtual
machines.

Note that the backup operation does not succeed if the virtual
machine has virtual hard disks (VHDs) that are hosted on
remote storage such as a Server Message Block (SMB) share or
an iSCSI volume. Additionally, ensure that the backup target
does not reside on the same volume as the volume that you
back up.

TRIM support TRIM hints notify the drive that certain sectors that were
previously allocated are no longer required by the app and can
be purged. This process is typically used when an app makes
large space allocations via a file and then self-manages the
allocations to the file, for example, to virtual hard disk files.

SCSI WWN The storvsc driver extracts World Wide Name (WWN)
information from the port and node of devices attached to the
virtual machine and creates the appropriate sysfs files.

Memory
FEATURE DESCRIPTION

PAE Kernel Support Physical Address Extension (PAE) technology allows a 32-bit
kernel to access a physical address space that is larger than
4GB. Older Linux distributions such as RHEL 5.x used to ship a
separate kernel that was PAE enabled. Newer distributions
such as RHEL 6.x have pre-built PAE support.

Configuration of MMIO gap With this feature, appliance manufacturers can configure the
location of the Memory Mapped I/O (MMIO) gap. The MMIO
gap is typically used to divide the available physical memory
between an appliance's Just Enough Operating Systems (JeOS)
and the actual software infrastructure that powers the
appliance.
FEATURE DESCRIPTION

Dynamic Memory - Hot-Add The host can dynamically increase or decrease the amount of
memory available to a virtual machine while it is in operation.
Before provisioning, the Administrator enables Dynamic
Memory in the Virtual Machine Settings panel and specify the
Startup Memory, Minimum Memory, and Maximum Memory
for the virtual machine. When the virtual machine is in
operation Dynamic Memory cannot be disabled and only the
Minimum and Maximum settings can be changed. (It is a best
practice to specify these memory sizes as multiples of 128MB.)

When the virtual machine is first started available memory is

equal to the Startup Memory. As Memory Demand increases
due to application workloads Hyper-V may dynamically
allocate more memory to the virtual machine via the Hot-Add
mechanism, if supported by that version of the kernel. The
maximum amount of memory allocated is capped by the value
of the Maximum Memory parameter.

The Memory tab of Hyper-V manager will display the amount

of memory assigned to the virtual machine, but memory
statistics within the virtual machine will show the highest
amount of memory allocated.

For more information, see Hyper-V Dynamic Memory

Overview.

Dynamic Memory - Ballooning The host can dynamically increase or decrease the amount of
memory available to a virtual machine while it is in operation.
Before provisioning, the Administrator enables Dynamic
Memory in the Virtual Machine Settings panel and specify the
Startup Memory, Minimum Memory, and Maximum Memory
for the virtual machine. When the virtual machine is in
operation Dynamic Memory cannot be disabled and only the
Minimum and Maximum settings can be changed. (It is a best
practice to specify these memory sizes as multiples of 128MB.)

When the virtual machine is first started available memory is

equal to the Startup Memory. As Memory Demand increases
due to application workloads Hyper-V may dynamically
allocate more memory to the virtual machine via the Hot-Add
mechanism (above). As Memory Demand decreases Hyper-V
may automatically deprovision memory from the virtual
machine via the Balloon mechanism. Hyper-V will not
deprovision memory below the Minimum Memory
parameter.

The Memory tab of Hyper-V manager will display the amount

of memory assigned to the virtual machine, but memory
statistics within the virtual machine will show the highest
amount of memory allocated.

For more information, see Hyper-V Dynamic Memory

Overview.
 FEATURE DESCRIPTION

Runtime Memory Resize An administrator can set the amount of memory available to a
virtual machine while it is in operation, either increasing
memory ("Hot Add") or decreasing it ("Hot Remove"). Memory
is returned to Hyper-V via the balloon driver (see "Dynamic
Memory - Ballooning"). The balloon driver maintains a
minimum amount of free memory after ballooning, called the
"floor", so assigned memory cannot be reduced below the
current demand plus this floor amount. The Memory tab of
Hyper-V manager will display the amount of memory assigned
to the virtual machine, but memory statistics within the virtual
machine will show the highest amount of memory allocated.
(It is a best practice to specify memory values as multiples of
128MB.)

Video
FEATURE DESCRIPTION

Hyper-V-specific video device This feature provides high-performance graphics and superior
resolution for virtual machines. This device does not provide
Enhanced Session Mode or RemoteFX capabilities.

Miscellaneous
FEATURE DESCRIPTION

KVP (Key-Value pair) exchange This feature provides a key/value pair (KVP) exchange service
for virtual machines. Typically administrators use the KVP
mechanism to perform read and write custom data operations
on a virtual machine. For more information, see Data
Exchange: Using key-value pairs to share information between
the host and guest on Hyper-V.

Non-Maskable Interrupt With this feature, an administrator can issue Non-Maskable

Interrupts (NMI) to a virtual machine. NMIs are useful in
obtaining crash dumps of operating systems that have
become unresponsive due to application bugs. These crash
dumps can be diagnosed after you restart.

File copy from host to guest This feature allows files to be copied from the host physical
computer to the guest virtual machines without using the
network adaptor. For more information, see Guest services.

lsvmbus command This command gets information about devices on the Hyper-V
virtual machine bus (VMBus) similiar to information
commands like lspci.

Hyper-V Sockets This is an additional communication channel between the host

and guest operating system. To load and use the Hyper-V
Sockets kernel module, see Make your own integration
services.
 FEATURE DESCRIPTION

PCI Passthrough/DDA With Windows Server 2016 administrators can pass through
PCI Express devices via the Discrete Device Assignment
mechanism. Common devices are network cards, graphics
cards, and special storage devices. The virtual machine will
require the appropriate driver to use the exposed hardware.
The hardware must be assigned to the virtual machine for it to
be used.

For more information, see Discrete Device Assignment -

Description and Background.

DDA is a pre-requisite for SR-IOV networking. Virtual ports

will need to be assigned to the virtual machine and the virtual
machine must use the correct Virtual Function (VF) drivers for
device multiplexing.

Generation 2 virtual machines

FEATURE DESCRIPTION

Boot using UEFI This feature allows virtual machines to boot using Unified
Extensible Firmware Interface (UEFI).

For more information, see Generation 2 Virtual Machine

Overview.

Secure boot This feature allows virtual machines to use UEFI based secure
boot mode. When a virtual machine is booted in secure mode,
various operating system components are verified using
signatures present in the UEFI data store.

For more information, see Secure Boot.

See Also
Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V
Supported Debian virtual machines on Hyper-V
Supported Oracle Linux virtual machines on Hyper-V
Supported SUSE virtual machines on Hyper-V
Supported Ubuntu virtual machines on Hyper-V
Supported FreeBSD virtual machines on Hyper-V
Best Practices for running Linux on Hyper-V
Best practices for running FreeBSD on Hyper-V
 Best Practices for running Linux on Hyper-V
6/20/2019 • 4 minutes to read • Edit Online

Applies To: Windows Server 2019, Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2,
Hyper-V Server 2012 R2, Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows
10, Windows 8.1, Windows 8, Windows 7.1, Windows 7

This topic contains a list of recommendations for running Linux virtual machine on Hyper-V.

Tuning Linux File Systems on Dynamic VHDX Files

Some Linux file systems may consume significant amounts of real disk space even when the file system is mostly
empty. To reduce the amount of real disk space usage of dynamic VHDX files, consider the following
recommendations:
When creating the VHDX, use 1MB BlockSizeBytes (from the default 32MB ) in PowerShell, for example:

PS > New-VHD -Path C:\MyVHDs\test.vhdx -SizeBytes 127GB -Dynamic -BlockSizeBytes 1MB

The ext4 format is preferred to ext3 because ext4 is more space efficient than ext3 when used with dynamic
VHDX files.
When creating the filesystem specify the number of groups to be 4096, for example:

# mkfs.ext4 -G 4096 /dev/sdX1

Grub Menu Timeout on Generation 2 Virtual Machines

Because of legacy hardware being removed from emulation in Generation 2 virtual machines, the grub menu
countdown timer counts down too quickly for the grub menu to be displayed, immediately loading the default
entry. Until grub is fixed to use the EFI-supported timer, modify /boot/grub/grub.conf, /etc/default/grub, or
equivalent to have "timeout=100000" instead of the default "timeout=5".

PxE Boot on Generation 2 Virtual Machines

Because the PIT timer is not present in Generation 2 Virtual Machines, network connections to the PxE TFTP server
can be prematurely terminated and prevent the bootloader from reading Grub configuration and loading a kernel
from the server.
On RHEL 6.x, the legacy grub v0.97 EFI bootloader can be used instead of grub2 as described here:
https://access.redhat.com/documentation/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-netboot-pxe-
config-efi.html
On Linux distributions other than RHEL 6.x, similar steps can be followed to configure grub v0.97 to load Linux
kernels from a PxE server.
Additionally, on RHEL/CentOS 6.6 keyboard and mouse input will not work with the pre-install kernel which
prevents specifying installation options in the menu. A serial console must be configured to allow choosing
installation options.
 In the efidefault file on the PxE server, add the following kernel parameter "console=ttyS1"
On the VM in Hyper-V, setup a COM port using this PowerShell cmdlet:

Set-VMComPort -VMName <Name> -Number 2 -Path \\.\pipe\dbg1

Specifying a kickstart file to the pre-install kernel would also avoid the need for keyboard and mouse input during
installation.

Use static MAC addresses with failover clustering

Linux virtual machines that will be deployed using failover clustering should be configured with a static media
access control (MAC ) address for each virtual network adapter. In some versions of Linux, the networking
configuration may be lost after failover because a new MAC address is assigned to the virtual network adapter. To
avoid losing the network configuration, ensure that each virtual network adapter has a static MAC address. You can
configure the MAC address by editing the settings of the virtual machine in Hyper-V Manager or Failover Cluster
Manager.

Use Hyper-V-specific network adapters, not the legacy network adapter

Configure and use the virtual Ethernet adapter, which is a Hyper-V -specific network card with enhanced
performance. If both legacy and Hyper-V -specific network adapters are attached to a virtual machine, the network
names in the output of ifconfig -a might show random values such as _tmp12000801310. To avoid this issue,
remove all legacy network adapters when using Hyper-V -specific network adapters in a Linux virtual machine.

Use I/O scheduler NOOP for better disk I/O performance

The Linux kernel has four different I/O schedulers to reorder requests with different algorithms. NOOP is a first-in
first-out queue that passes the schedule decision to be made by the hypervisor. It is recommended to use NOOP as
the scheduler when running Linux virtual machine on Hyper-V. To change the scheduler for a specific device, in the
boot loader's configuration (/etc/grub.conf, for example), add elevator=noop to the kernel parameters, and then
restart.

NUMA
Linux kernel versions earlier than 2.6.37 don't support NUMA on Hyper-V with larger VM sizes. This issue
primarily impacts older distributions using the upstream Red Hat 2.6.32 kernel, and was fixed in Red Hat Enterprise
Linux (RHEL ) 6.6 (kernel-2.6.32-504). Systems running custom kernels older than 2.6.37, or RHEL -based kernels
older than 2.6.32-504 must set the boot parameter numa=off on the kernel command line in grub.conf. For more
information, see Red Hat KB 436883.

Reserve more memory for kdump

In case the dump capture kernel ends up with a panic on boot, reserve more memory for the kernel. For example,
change the parameter crashkernel=384M -:128M to crashkernel=384M -:256M in the Ubuntu grub
configuration file.

Shrinking VHDX or expanding VHD and VHDX files can result in

erroneous GPT partition tables
Hyper-V allows shrinking virtual disk (VHDX) files without regard for any partition, volume, or file system data
structures that may exist on the disk. If the VHDX is shrunk to where the end of the VHDX comes before the end of
a partition, data can be lost, that partition can become corrupted, or invalid data can be returned when the partition
is read.
After resizing a VHD or VHDX, administrators should use a utility like fdisk or parted to update the partition,
volume, and file system structures to reflect the change in the size of the disk. Shrinking or expanding the size of a
VHD or VHDX that has a GUID Partition Table (GPT) will cause a warning when a partition management tool is
used to check the partition layout, and the administrator will be warned to fix the first and secondary GPT headers.
This manual step is safe to perform without data loss.

See also
Supported Linux and FreeBSD virtual machines for Hyper-V on Windows
Best practices for running FreeBSD on Hyper-V
Deploy a Hyper-V Cluster
Create Linux Images for Azure
Optimize your Linux VM on Azure
 Best practices for running FreeBSD on Hyper-V
7/26/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2019, Windows Server 2016, Hyper-V Server 2016, Windows Server 2012 R2,
Hyper-V Server 2012 R2, Windows Server 2012, Hyper-V Server 2012, Windows Server 2008 R2, Windows
10, Windows 8.1, Windows 8, Windows 7.1, Windows 7

This topic contains a list of recommendations for running FreeBSD as a guest operating system on a Hyper-V
virtual machine.

Enable CARP in FreeBSD 10.2 on Hyper-V

The Common Address Redundancy Protocol (CARP ) allows multiple hosts to share the same IP address and
Virtual Host ID (VHID ) to help provide high availability for one or more services. If one or more hosts fail, the other
hosts transparently take over so users won't notice a service failure.To use CARP in FreeBSD 10.2, follow the
instructions in the FreeBSD handbook and do the following in Hyper-V Manager.
Verify the virtual machine has a Network Adapter and it's assigned a virtual switch. Select the virtual machine
and select Actions > Settings.

Enable MAC address spoofing. To do this,

1. Select the virtual machine and select Actions > Settings.
2. Expand Network Adapter and select Advanced Features.
3. Select Enable MAC Address spoofing.

Create labels for disk devices

During startup, device nodes are created as new devices are discovered. This can mean that device names can
change when new devices are added. If you get a ROOT MOUNT ERROR during startup, you should create labels
for each IDE partition to avoid conflicts and changes. To learn how, see Labeling Disk Devices. Below are examples.
 IMPORTANT
Make a backup copy of your fstab before making any changes.

1. Reboot the system into single user mode. This can be accomplished by selecting boot menu option 2 for
FreeBSD 10.3+ (option 4 for FreeBSD 8.x), or performing a 'boot -s' from the boot prompt.
2. In Single user mode, create GEOM labels for each of the IDE disk partitions listed in your fstab (both root
and swap). Below is an example of FreeBSD 10.3.

# cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/da0p2 / ufs rw 1 1
/dev/da0p3 none swap sw 0 0

# glabel label rootfs /dev/da0p2

# glabel label swap /dev/da0p3
# exit

Additional information on GEOM labels can be found at: Labeling Disk Devices.
3. The system will continue with multi-user boot. After the boot completes, edit /etc/fstab and replace the
conventional device names, with their respective labels. The final /etc/fstab will look like this:

# Device Mountpoint FStype Options Dump Pass#

/dev/label/rootfs / ufs rw 1 1
/dev/label/swap none swap sw 0 0

4. The system can now be rebooted. If everything went well, it will come up normally and mount will show:

# mount
/dev/label/rootfs on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, mutilabel)

Use a wireless network adapter as the virtual switch

If the virtual switch on the host is based on wireless network adapter, reduce the ARP expiration time to 60 seconds
by the following command. Otherwise the networking of the VM may stop working after a while.

# sysctl net.link.ether.inet.max_age=60

See also
Supported FreeBSD virtual machines on Hyper-V
 Hyper-V feature compatibility by generation and
guest
6/7/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016

The tables in this article show you the generations and operating systems that are compatible with some of the
Hyper-V features, grouped by categories. In general, you'll get the best availability of features with a generation 2
virtual machine that runs the newest operating system.
Keep in mind that some features rely on hardware or other infrastructure. For hardware details, see System
requirements for Hyper-V on Windows Server 2016. In some cases, a feature can be used with any supported
guest operating system. For details on which operating systems are supported, see:
Supported Linux and FreeBSD virtual machines
Supported Windows guest operating systems

Availability and backup

FEATURE GENERATION GUEST OPERATING SYSTEM

Checkpoints 1 and 2 Any supported guest

Guest clustering 1 and 2 Guests that run cluster-aware

applications and have iSCSI target
software installed

Replication 1 and 2 Any supported guest

Domain Controller 1 and 2 Any supported Windows Server guest

using only production checkpoints. See
Supported Windows Server guest
operating systems

Compute
FEATURE GENERATION GUEST OPERATING SYSTEM

Dynamic memory 1 and 2 Specific versions of supported guests.

See Hyper-V Dynamic Memory
Overview for versions older than
Windows Server 2016 and Windows 10.

Hot add/removal of memory 1 and 2 Windows Server 2016, Windows 10

Virtual NUMA 1 and 2 Any supported guest

Development and test

 FEATURE GENERATION GUEST OPERATING SYSTEM

COM/Serial ports 1 and 2 Any supported guest

Note: For generation 2, use Windows
PowerShell to configure. For details, see
Add a COM port for kernel debugging.

Mobility
FEATURE GENERATION GUEST OPERATING SYSTEM

Live migration 1 and 2 Any supported guest

Import/export 1 and 2 Any supported guest

Networking
FEATURE GENERATION GUEST OPERATING SYSTEM

Hot add/removal of virtual network 2 Any supported guest

adapter

Legacy virtual network adapter 1 Any supported guest

Single root input/output virtualization 1 and 2 64-bit Windows guests, starting with
(SR-IOV) Windows Server 2012 and Windows 8.

Virtual machine multi queue (VMMQ) 1 and 2 Any supported guest

Remote connection experience

FEATURE GENERATION GUEST OPERATING SYSTEM

Discrete device assignment (DDA) 1 and 2 Windows Server 2016, Windows Server
2012 R2 only with Update 3133690
installed, Windows 10
Note: For details on Update 3133690,
see this support article.

Enhanced session mode 1 and 2 Windows Server 2016, Windows Server

2012 R2, Windows 10, and Windows
8.1, with Remote Desktop Services
enabled
Note: You might need to also configure
the host. For details, see Use local
resources on Hyper-V virtual machine
with VMConnect.

RemoteFx 1 and 2 Generation 1 on 32-bit and 64-bit

Windows versions starting with
Windows 8.
Generation 2 on 64-bit Windows 10
versions
Security
FEATURE GENERATION GUEST OPERATING SYSTEM

Secure boot 2 Linux: Ubuntu 14.04 and later, SUSE

Linux Enterprise Server 12 and later, Red
Hat Enterprise Linux 7.0 and later, and
CentOS 7.0 and later
Windows: All supported versions that
can run on a generation 2 virtual
machine

Shielded virtual machines 2 Windows: All supported versions that

can run on a generation 2 virtual
machine

Storage
FEATURE GENERATION GUEST OPERATING SYSTEM

Shared virtual hard disks (VHDX only) 1 and 2 Windows Server 2016, Windows Server
2012 R2, Windows Server 2012

SMB3 1 and 2 All that support SMB3

Storage spaces direct 2 Windows Server 2016

Virtual Fibre Channel 1 and 2 Windows Server 2016, Windows Server

2012 R2, Windows Server 2012

VHDX format 1 and 2 Any supported guest

 Get started with Hyper-V on Windows Server
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

Use the following resources to set up and try out Hyper-V on the Server Core or GUI installation option of
Windows Server 2019 or Windows Server 2016. But before you install anything, check the System Requirements
for Windows Server and the System Requirements for Hyper-V.
Download and install Windows Server
Install the Hyper-V role on Windows Server
Create a virtual switch for Hyper-V virtual machines
Create a virtual machine in Hyper-V
 Install the Hyper-V role on Windows Server
6/7/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016, Windows Server 2019

To create and run virtual machines, install the Hyper-V role on Windows Server by using Server Manager or the
Install-WindowsFeature cmdlet in Windows PowerShell. For Windows 10, see Install Hyper-V on Windows 10.
To learn more about Hyper-V, see the Hyper-V Technology Overview. To try out Windows Server 2019, you can
download and install an evaluation copy. See the Evaluation Center.
Before you install Windows Server or add the Hyper-V role, make sure that:
Your computer hardware is compatible. For details, see System Requirements for Windows Server and System
requirements for Hyper-V on Windows Server.
You don't plan to use third-party virtualization apps that rely on the same processor features that Hyper-V
requires. Examples include VMWare Workstation and VirtualBox. You can install Hyper-V without uninstalling
these other apps. But, if you try to use them to manage virtual machines when the Hyper-V hypervisor is
running, the virtual machines might not start or might run unreliably. For details and instructions for turning off
the Hyper-V hypervisor if you need to use one of these apps, see Virtualization applications do not work
together with Hyper-V, Device Guard, and Credential Guard.
If you want to install only the management tools, such as Hyper-V Manager, see Remotely manage Hyper-V hosts
with Hyper-V Manager.

Install Hyper-V by using Server Manager

1. In Server Manager, on the Manage menu, click Add Roles and Features.
2. On the Before you begin page, verify that your destination server and network environment are prepared
for the role and feature you want to install. Click Next.
3. On the Select installation type page, select Role-based or feature-based installation and then click
Next.
4. On the Select destination server page, select a server from the server pool and then click Next.
5. On the Select server roles page, select Hyper-V.
6. To add the tools that you use to create and manage virtual machines, click Add Features. On the Features
page, click Next.
7. On the Create Virtual Switches page, Virtual Machine Migration page, and Default Stores page, select
the appropriate options.
8. On the Confirm installation selections page, select Restart the destination server automatically if
required, and then click Install.
9. When installation is finished, verify that Hyper-V installed correctly. Open the All Servers page in Server
Manager and select a server on which you installed Hyper-V. Check the Roles and Features tile on the
page for the selected server.

Install Hyper-V by using the Install-WindowsFeature cmdlet

1. On the Windows desktop, click the Start button and type any part of the name Windows PowerShell.
2. Right-click Windows PowerShell and select Run as Administrator.
3. To install Hyper-V on a server you're connected to remotely, run the following command and replace
<computer_name> with the name of server.

Install-WindowsFeature -Name Hyper-V -ComputerName <computer_name> -IncludeManagementTools -Restart

If you're connected locally to the server, run the command without -ComputerName <computer_name> .
4. After the server restarts, you can see that the Hyper-V role is installed and see what other roles and features
are installed by running the following command:

Get-WindowsFeature -ComputerName <computer_name>

If you're connected locally to the server, run the command without -ComputerName <computer_name> .

NOTE
If you install this role on a server that runs the Server Core installation option of Windows Server 2016 and use the
parameter -IncludeManagementTools , only the Hyper-V Module for Windows PowerShell is installed. You can use the GUI
management tool, Hyper-V Manager, on another computer to remotely manage a Hyper-V host that runs on a Server Core
installation. For instructions on connecting remotely, see Remotely manage Hyper-V hosts with Hyper-V Manager.

See also
Install-WindowsFeature
 Create a virtual switch for Hyper-V virtual machines
5/24/2019 • 3 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019,
Microsoft Hyper-V Server 2019

A virtual switch allows virtual machines created on Hyper-V hosts to communicate with other computers. You can
create a virtual switch when you first install the Hyper-V role on Windows Server. To create additional virtual
switches, use Hyper-V Manager or Windows PowerShell. To learn more about virtual switches, see Hyper-V Virtual
Switch.
Virtual machine networking can be a complex subject. And there are several new virtual switch features that you
may want to use like Switch Embedded Teaming (SET). But basic networking is fairly easy to do. This topic covers
just enough so that you can create networked virtual machines in Hyper-V. To learn more about how you can set
up your networking infrastructure, review the Networking documentation.

Create a virtual switch by using Hyper-V Manager

1. Open Hyper-V Manager, select the Hyper-V host computer name.
2. Select Action > Virtual Switch Manager.

3. Choose the type of virtual switch you want.

CONNECTION TYPE DESCRIPTION

External Gives virtual machines access to a physical network to

communicate with servers and clients on an external
network. Allows virtual machines on the same Hyper-V
server to communicate with each other.

Internal Allows communication between virtual machines on the

same Hyper-V server, and between the virtual machines
and the management host operating system.

Private Only allows communication between virtual machines on

the same Hyper-V server. A private network is isolated
from all external network traffic on the Hyper-V server. This
type of network is useful when you must create an isolated
networking environment, like an isolated test domain.

4. Select Create Virtual Switch.

5. Add a name for the virtual switch.
6. If you select External, choose the network adapter (NIC ) that you want to use and any other options
 described in the following table.

SETTING NAME DESCRIPTION

Allow management operating system to share this Select this option if you want to allow the Hyper-V host to
network adapter share the use of the virtual switch and NIC or NIC team
with the virtual machine. With this enabled, the host can
use any of the settings that you configure for the virtual
switch like Quality of Service (QoS) settings, security
settings, or other features of the Hyper-V virtual switch.

Enable single-root I/O virtualization (SR-IOV) Select this option only if you want to allow virtual machine
traffic to bypass the virtual machine switch and go directly
to the physical NIC. For more information, see Single-Root
I/O Virtualization in the Poster Companion Reference:
Hyper-V Networking.

7. If you want to isolates network traffic from the management Hyper-V host operating system or other virtual
machines that share the same virtual switch, select Enable virtual LAN identification for management
operating system. You can change the VLAN ID to any number or leave the default. This is the virtual LAN
identification number that the management operating system will use for all network communication
through this virtual switch.

8. Click OK.
9. Click Yes.

Create a virtual switch by using Windows PowerShell

1. On the Windows desktop, click the Start button and type any part of the name Windows PowerShell.
2. Right-click Windows PowerShell and select Run as Administrator.
3. Find existing network adapters by running the Get-NetAdapter cmdlet. Make a note of the network adapter
name that you want to use for the virtual switch.

Get-NetAdapter

4. Create a virtual switch by using the New -VMSwitch cmdlet. For example, to create an external virtual switch
named ExternalSwitch, using the ethernet network adapter, and with Allow management operating
system to share this network adapter turned on, run the following command.

New-VMSwitch -name ExternalSwitch -NetAdapterName Ethernet -AllowManagementOS $true

To create an internal switch, run the following command.

New-VMSwitch -name InternalSwitch -SwitchType Internal

To create an private switch, run the following command.

New-VMSwitch -name PrivateSwitch -SwitchType Private

For more advanced Windows PowerShell scripts that cover improved or new virtual switch features in Windows
Server 2016, see Remote Direct Memory Access and Switch Embedded Teaming.

Next step
Create a virtual machine in Hyper-V
 Create a virtual machine in Hyper-V
6/7/2019 • 4 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019,
Microsoft Hyper-V Server 2019

Learn how to create a virtual machine by using Hyper-V Manager and Windows PowerShell and what options you
have when you create a virtual machine in Hyper-V Manager.

Create a virtual machine by using Hyper-V Manager

1. Open Hyper-V Manager.
2. From the Action pane, click New, and then click Virtual Machine.
3. From the New Virtual Machine Wizard, click Next.
4. Make the appropriate choices for your virtual machine on each of the pages. For more information, see New
virtual machine options and defaults in Hyper-V Manager later in this topic.
5. After verifying your choices in the Summary page, click Finish.
6. In Hyper-V Manager, right-click the virtual machine and select connect.
7. In the Virtual Machine Connection window, select Action > Start.

Create a virtual machine by using Windows PowerShell

1. On the Windows desktop, click the Start button and type any part of the name Windows PowerShell.
2. Right-click Windows PowerShell and select Run as administrator.
3. Get the name of the virtual switch that you want the virtual machine to use by using Get-VMSwitch. For
example,

Get-VMSwitch * | Format-Table Name

4. Use the New -VM cmdlet to create the virtual machine. See the following examples.

NOTE
If you may move this virtual machine to a Hyper-V host that runs Windows Server 2012 R2, use the -Version
parameter with New-VM to set the virtual machine configuration version to 5. The default virtual machine
configuration version for Windows Server 2016 isn't supported by Windows Server 2012 R2 or earlier versions. You
can't change the virtual machine configuration version after the virtual machine is created. For more information, see
Supported virtual machine configuration versions.

Existing virtual hard disk - To create a virtual machine with an existing virtual hard disk, you can
use the following command where,
-Name is the name that you provide for the virtual machine that you're creating.
-MemoryStartupBytes is the amount of memory that is available to the virtual machine at
 start up.
-BootDevice is the device that the virtual machine boots to when it starts like the network
adapter (NetworkAdapter) or virtual hard disk (VHD ).
-VHDPath is the path to the virtual machine disk that you want to use.
-Path is the path to store the virtual machine configuration files.
-Generation is the virtual machine generation. Use generation 1 for VHD and generation 2
for VHDX. See Should I create a generation 1 or 2 virtual machine in Hyper-V?.
-Switch is the name of the virtual switch that you want the virtual machine to use to connect
to other virtual machines or the network. See Create a virtual switch for Hyper-V virtual
machines.

New-VM -Name <Name> -MemoryStartupBytes <Memory> -BootDevice <BootDevice> -VHDPath

<VHDPath> -Path <Path> -Generation <Generation> -Switch <SwitchName>

For example:

New-VM -Name Win10VM -MemoryStartupBytes 4GB -BootDevice VHD -VHDPath .\VMs\Win10.vhdx -

Path .\VMData -Generation 2 -Switch ExternalSwitch

This creates a generation 2 virtual machine named Win10VM with 4GB of memory. It boots
from the folder VMs\Win10.vhdx in the current directory and uses the virtual switch named
ExternalSwitch. The virtual machine configuration files are stored in the folder VMData.
New virtual hard disk - To create a virtual machine with a new virtual hard disk, replace the -
VHDPath parameter from the example above with -NewVHDPath and add the -
NewVHDSizeBytes parameter. For example,

New-VM -Name Win10VM -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath .\VMs\Win10.vhdx -Path
.\VMData -NewVHDSizeBytes 20GB -Generation 2 -Switch ExternalSwitch

New virtual hard disk that boots to operating system image - To create a virtual machine with a
new virtual disk that boots to an operating system image, see the PowerShell example in Create
virtual machine walkthrough for Hyper-V on Windows 10.
5. Start the virtual machine by using the Start-VM cmdlet. Run the following cmdlet where Name is the name
of the virtual machine you created.

Start-VM -Name <Name>

For example:

Start-VM -Name Win10VM

6. Connect to the virtual machine by using Virtual Machine Connection (VMConnect).

VMConnect.exe
Options in Hyper-V Manager New Virtual Machine Wizard
The following table lists the options you can pick when you create a virtual machine in Hyper-V Manager and the
defaults for each.

DEFAULT FOR WINDOWS SERVER 2016

PAGE AND WINDOWS 10 OTHER OPTIONS

Specify Name and Location Name: New Virtual Machine. You can also enter your own name and
choose another location for the virtual
Location: machine.
C:\ProgramData\Microsoft\Windows
\Hyper-V\. This is where the virtual machine
configuration files will be stored.

Specify Generation Generation 1 You can also choose to create a

Generation 2 virtual machine. For more
information, see Should I create a
generation 1 or 2 virtual machine in
Hyper-V?.

Assign Memory Startup memory: 1024 MB You can set the startup memory from
32MB to 5902MB.
Dynamic memory: not selected
You can also choose to use Dynamic
Memory. For more information, see
Hyper-V Dynamic Memory Overview.

Configure Networking Not connected You can select a network connection for
the virtual machine to use from a list of
existing virtual switches. See Create a
virtual switch for Hyper-V virtual
machines.

Connect Virtual Hard Disk Create a virtual hard disk You can also choose to use an existing
virtual hard disk or wait and attach a
Name: <vmname>.vhdx virtual hard disk later.

Location:
C:\Users\Public\Documents\Hyper-
V\Virtual Hard Disks\

Size: 127GB

Installation Options Install an operating system later These options change the boot order of
the virtual machine so that you can
install from an .iso file, bootable floppy
disk or a network installation service,
like Windows Deployment Services
(WDS).
 DEFAULT FOR WINDOWS SERVER 2016
PAGE AND WINDOWS 10 OTHER OPTIONS

Summary Displays the options that you have Tip: You can copy the summary from
chosen, so that you can verify they are the page and paste it into e-mail or
correct. somewhere else to help you keep track
of your virtual machines.
- Name
- Generation
- Memory
- Network
- Hard Disk
- Operating System

See also
New -VM
Supported virtual machine configuration versions
Should I create a generation 1 or 2 virtual machine in Hyper-V?
Create a virtual switch for Hyper-V virtual machines
 Plan for Hyper-V on Windows Server
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016, Windows Server 2019

Use these resources to help you plan your Hyper-V deployment.

Hyper-V scalability in Windows Server
Hyper-V security in Windows Server
Networking in Windows Server
Should I create a generation 1 or 2 virtual machine?
Plan for deploying devices using Discrete Device Assignment
 Should I create a generation 1 or 2 virtual machine in
Hyper-V?
6/7/2019 • 9 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019,
Microsoft Hyper-V Server 2019

NOTE
If you plan to ever upload a Windows virtual machines (VM) from on-premises to Microsoft Azure, generation 1 and
generation 2 VMs in the VHD file format and have a fixed sized disk are supported. See Generation 2 VMs on Azure to learn
more about generation 2 capabilities supported on Azure. For more information on uploading a Windows VHD or VHDX, see
Prepare a Windows VHD or VHDX to upload to Azure.

Your choice to create a generation 1 or generation 2 virtual machine depends on which guest operating system you
want to install and the boot method you want to use to deploy the virtual machine. We recommend that you create
a generation 2 virtual machine to take advantage of features like Secure Boot unless one of the following
statements is true:
The VHD you want to boot from is not UEFI-compatible.
Generation 2 doesn't support the operating system you want to run on the virtual machine.
Generation 2 doesn't support the boot method you want to use.
For more information about what features are available with generation 2 virtual machines, see Hyper-V feature
compatibility by generation and guest.
You can't change a virtual machine's generation after you've created it. So, we recommend that you review the
considerations here, as well as choose the operating system, boot method, and features you want to use before you
choose a generation.

Which guest operating systems are supported?

Generation 1 virtual machines support most guest operating systems. Generation 2 virtual machines support most
64-bit versions of Windows and more current versions of Linux and FreeBSD operating systems. Use the following
sections to see which generation of virtual machine supports the guest operating system you want to install.
Windows guest operating system support
CentOS and Red Hat Enterprise Linux guest operating system support
Debian guest operating system support
FreeBSD guest operating system support
Oracle Linux guest operating system support
SUSE guest operating system support
Ubuntu guest operating system support
Windows guest operating system support
The following table shows which 64-bit versions of Windows you can use as a guest operating system for
generation 1 and generation 2 virtual machines.

64-BIT VERSIONS OF WINDOWS GENERATION 1 GENERATION 2

Windows Server 2019 ✔ ✔

Windows Server 2016 ✔ ✔

Windows Server 2012 R2 ✔ ✔

Windows Server 2012 ✔ ✔

Windows Server 2008 R2 ✔ ✖

Windows Server 2008 ✔ ✖

Windows 10 ✔ ✔

Windows 8.1 ✔ ✔

Windows 8 ✔ ✔

Windows 7 ✔ ✖

The following table shows which 32-bit versions of Windows you can use as a guest operating system for
generation 1 and generation 2 virtual machines.

32-BIT VERSIONS OF WINDOWS GENERATION 1 GENERATION 2

Windows 10 ✔ ✖

Windows 8.1 ✔ ✖

Windows 8 ✔ ✖

Windows 7 ✔ ✖

CentOS and Red Hat Enterprise Linux guest operating system support
The following table shows which versions of Red Hat Enterprise Linux (RHEL ) and CentOS you can use as a guest
operating system for generation 1 and generation 2 virtual machines.

OPERATING SYSTEM VERSIONS GENERATION 1 GENERATION 2

RHEL/CentOS 7.x series ✔ ✔

RHEL/CentOS 6.x series ✔ ✔

Note: Only supported on Windows
Server 2016 and above.

RHEL/CentOS 5.x series ✔ ✖

For more information, see CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V.
Debian guest operating system support
The following table shows which versions of Debian you can use as a guest operating system for generation 1 and
generation 2 virtual machines.

OPERATING SYSTEM VERSIONS GENERATION 1 GENERATION 2

Debian 7.x series ✔ ✖

Debian 8.x series ✔ ✔

For more information, see Debian virtual machines on Hyper-V.

FreeBSD guest operating system support
The following table shows which versions of FreeBSD you can use as a guest operating system for generation 1
and generation 2 virtual machines.

OPERATING SYSTEM VERSIONS GENERATION 1 GENERATION 2

FreeBSD 10 and 10.1 ✔ ✖

FreeBSD 9.1 and 9.3 ✔ ✖

FreeBSD 8.4 ✔ ✖

For more information, see FreeBSD virtual machines on Hyper-V.

Oracle Linux guest operating system support
The following table shows which versions of Red Hat Compatible Kernel Series you can use as a guest operating
system for generation 1 and generation 2 virtual machines.

RED HAT COMPATIBLE KERNEL SERIES

VERSIONS GENERATION 1 GENERATION 2

Oracle Linux 7.x series ✔ ✔

Oracle Linux 6.x series ✔ ✖

The following table shows which versions of Unbreakable Enterprise Kernel you can use as a guest operating
system for generation 1 and generation 2 virtual machines.

UNBREAKABLE ENTERPRISE KERNEL (UEK)

VERSIONS GENERATION 1 GENERATION 2

Oracle Linux UEK R3 QU3 ✔ ✖

Oracle Linux UEK R3 QU2 ✔ ✖

Oracle Linux UEK R3 QU1 ✔ ✖

For more information, see Oracle Linux virtual machines on Hyper-V.

SUSE guest operating system support
The following table shows which versions of SUSE you can use as a guest operating system for generation 1 and
generation 2 virtual machines.
 OPERATING SYSTEM VERSIONS GENERATION 1 GENERATION 2

SUSE Linux Enterprise Server 12 series ✔ ✔

SUSE Linux Enterprise Server 11 series ✔ ✖

Open SUSE 12.3 ✔ ✖

For more information, see SUSE virtual machines on Hyper-V.

Ubuntu guest operating system support
The following table shows which versions of Ubuntu you can use as a guest operating system for generation 1 and
generation 2 virtual machines.

OPERATING SYSTEM VERSIONS GENERATION 1 GENERATION 2

Ubuntu 14.04 and later versions ✔ ✔

Ubuntu 12.04 ✔ ✖

For more information, see Ubuntu virtual machines on Hyper-V.

How can I boot the virtual machine?

The following table shows which boot methods are supported by generation 1 and generation 2 virtual machines.

BOOT METHOD GENERATION 1 GENERATION 2

PXE boot by using a standard network ✖ ✔

adapter

PXE boot by using a legacy network ✔ ✖

adapter

Boot from a SCSI virtual hard disk ✖ ✔

(.VHDX) or virtual DVD (.ISO)

Boot from IDE Controller virtual hard ✔ ✖

disk (.VHD) or virtual DVD (.ISO)

Boot from floppy (.VFD) ✔ ✖

What are the advantages of using generation 2 virtual machines?

Here are some of the advantages you get when you use a generation 2 virtual machine:
Secure Boot This is a feature that verifies the boot loader is signed by a trusted authority in the UEFI
database to help prevent unauthorized firmware, operating systems, or UEFI drivers from running at boot
time. Secure Boot is enabled by default for generation 2 virtual machines. If you need to run a guest
operating system that's not supported by Secure Boot, you can disable it after the virtual machine's created.
For more information, see Secure Boot.
To Secure Boot generation 2 Linux virtual machines, you need to choose the UEFI CA Secure Boot template
when you create the virtual machine.
 Larger boot volume The maximum boot volume for generation 2 virtual machines is 64 TB. This is the
maximum disk size supported by a .VHDX. For generation 1 virtual machines, the maximum boot volume is
2TB for a .VHDX and 2040GB for a .VHD. For more information, see Hyper-V Virtual Hard Disk Format
Overview.
You may also see a slight improvement in virtual machine boot and installation times with generation 2
virtual machines.

What's the difference in device support?

The following table compares the devices available between generation 1 and generation 2 virtual machines.

GENERATION 1 DEVICE GENERATION 2 REPLACEMENT GENERATION 2 ENHANCEMENTS

IDE controller Virtual SCSI controller Boot from .vhdx (64 TB maximum size,
and online resize capability)

IDE CD-ROM Virtual SCSI CD-ROM Support for up to 64 SCSI DVD devices
per SCSI controller.

Legacy BIOS UEFI firmware Secure Boot

Legacy network adapter Synthetic network adapter Network boot with IPv4 and IPv6

Floppy controller and DMA controller No floppy controller support N/A

Universal asynchronous Optional UART for debugging Faster and more reliable
receiver/transmitter (UART) for COM
ports

i8042 keyboard controller Software-based input Uses fewer resources because there is
no emulation. Also reduces the attack
surface from the guest operating
system.

PS/2 keyboard Software-based keyboard Uses fewer resources because there is

no emulation. Also reduces the attack
surface from the guest operating
system.

PS/2 mouse Software-based mouse Uses fewer resources because there is

no emulation. Also reduces the attack
surface from the guest operating
system.

S3 video Software-based video Uses fewer resources because there is

no emulation. Also reduces the attack
surface from the guest operating
system.

PCI bus No longer required N/A

Programmable interrupt controller (PIC) No longer required N/A

Programmable interval timer (PIT) No longer required N/A

 GENERATION 1 DEVICE GENERATION 2 REPLACEMENT GENERATION 2 ENHANCEMENTS

Super I/O device No longer required N/A

More about generation 2 virtual machines

Here are some additional tips about using generation 2 virtual machines.
Attach or add a DVD drive
You can't attach a physical CD or DVD drive to a generation 2 virtual machine. The virtual DVD drive in
generation 2 virtual machines only supports ISO image files. To create an ISO image file of a Windows
environment, you can use the Oscdimg command line tool. For more information, see Oscdimg Command-Line
Options.
When you create a new virtual machine with the New -VM Windows PowerShell cmdlet, the generation 2
virtual machine doesn't have a DVD drive. You can add a DVD drive while the virtual machine is running.
Use UEFI firmware
Secure Boot or UEFI firmware isn't required on the physical Hyper-V host. Hyper-V provides virtual firmware to
virtual machines that is independent of what's on the Hyper-V host.
UEFI firmware in a generation 2 virtual machine doesn't support setup mode for Secure Boot.
We don't support running a UEFI shell or other UEFI applications in a generation 2 virtual machine. Using a
non-Microsoft UEFI shell or UEFI applications is technically possible if they are compiled directly from the
sources. If these applications are not appropriately digitally signed, you must disable Secure Boot for the virtual
machine.
Work with VHDX files
You can resize a VHDX file that contains the boot volume for a generation 2 virtual machine while the virtual
machine is running.
We don't support or recommend that you create a VHDX file that is bootable to both generation 1 and
generation 2 virtual machines.
The virtual machine generation is a property of the virtual machine, not a property of the virtual hard disk. So
you can't tell if a VHDX file was created by a generation 1 or a generation 2 virtual machine.
A VHDX file created with a generation 2 virtual machine can be attached to the IDE controller or the SCSI
controller of a generation 1 virtual machine. However, if this is a bootable VHDX file, the generation 1 virtual
machine won't boot.
Use IPv6 instead of IPv4
By default, generation 2 virtual machines use IPv4. To use IPv6 instead, run the Set-VMFirmware Windows
PowerShell cmdlet. For example, the following command sets the preferred protocol to IPv6 for a virtual machine
named TestVM:

Set-VMFirmware -VMName TestVM -IPProtocolPreference IPv6

Add a COM port for kernel debugging

COM ports aren't available in generation 2 virtual machines until you add them. You can do this with Windows
PowerShell or Windows Management Instrumentation (WMI). These steps show you how to do it with Windows
PowerShell.
To add a COM port:
1. Disable Secure Boot. Kernel debugging isn't compatible with Secure Boot. Make sure the virtual machine is
 in an Off state, then use the Set-VMFirmware cmdlet. For example, the following command disables Secure
Boot on virtual machine TestVM:

Set-VMFirmware -Vmname TestVM -EnableSecureBoot Off

2. Add a COM port. Use the Set-VMComPort cmdlet to do this. For example, the following command
configures the first COM port on virtual machine, TestVM, to connect to the named pipe, TestPipe, on the
local computer:

Set-VMComPort -VMName TestVM 1 \\.\pipe\TestPipe

NOTE
Configured COM ports aren't listed in the settings of a virtual machine in Hyper-V Manager.

See Also
Linux and FreeBSD Virtual Machines on Hyper-V
Use local resources on Hyper-V virtual machine with VMConnect
Plan for Hyper-V scalability in Windows Server 2016
 Plan for Hyper-V networking in Windows Server
3/12/2019 • 4 minutes to read • Edit Online

Applies To: Microsoft Hyper-V Server 2016, Windows Server 2016, Microsoft Hyper-V Server 2019, Windows
Server 2019

A basic understanding of networking in Hyper-V helps you plan networking for virtual machines. This article also
covers some networking considerations when using live migration and when using Hyper-V with other server
features and roles.

Hyper-V networking basics

Basic networking in Hyper-V is fairly simple. It uses two parts - a virtual switch and a virtual networking adapter.
You'll need at least one of each to establish networking for a virtual machine. The virtual switch connects to any
Ethernet-based network. The virtual network adapter connects to a port on the virtual switch, which makes it
possible for a virtual machine to use a network.
The easiest way to establish basic networking is to create a virtual switch when you install Hyper-V. Then, when
you create a virtual machine, you can connect it to the switch. Connecting to the switch automatically adds a
virtual network adapter to the virtual machine. For instructions, see Create a virtual switch for Hyper-V virtual
machines.
To handle different types of networking, you can add virtual switches and virtual network adapters. All switches
are part of the Hyper-V host, but each virtual network adapter belongs to only one virtual machine.
The virtual switch is a software-based layer-2 Ethernet network switch. It provides built-in features for monitoring,
controlling, and segmenting traffic, as well as security, and diagnostics. You can add to the set of built-in features
by installing plug-ins, also called extensions. These are available from independent software vendors. For more
information about the switch and extensions, see Hyper-V Virtual Switch.
Switch and network adapter choices
Hyper-V offers three types of virtual switches and two types of virtual network adapters. You'll choose which one
of each you want when you create it. You can use Hyper-V Manager or the Hyper-V module for Windows
PowerShell to create and manage virtual switches and virtual network adapters. Some advanced networking
capabilities, such as extended port access control lists (ACLs), can only be managed by using cmdlets in the Hyper-
V module.
You can make some changes to a virtual switch or virtual network adapter after you create it. For example, it's
possible to change an existing switch to a different type, but doing that affects the networking capabilities of all the
virtual machines connected to that switch. So, you probably won't do this unless you made a mistake or need to
test something. As another example, you can connect a virtual network adapter to a different switch, which you
might do if you want to connect to a different network. But, you can't change a virtual network adapter from one
type to another. Instead of changing the type, you'd add another virtual network adapter and choose the
appropriate type.
Virtual switch types are:
External virtual switch - Connects to a wired, physical network by binding to a physical network adapter.
Internal virtual switch - Connects to a network that can be used only by the virtual machines running on
the host that has the virtual switch, and between the host and the virtual machines.
 Private virtual switch - Connects to a network that can be used only by the virtual machines running on
the host that has the virtual switch, but doesn't provide networking between the host and the virtual
machines.
Virtual network adapter types are:
Hyper-V specific network adapter - Available for both generation 1 and generation 2 virtual machines.
It's designed specifically for Hyper-V and requires a driver that's included in Hyper-V integration services.
This type of network adapter faster and is the recommended choice unless you need to boot to the network
or are running an unsupported guest operating system. The required driver is provided only for supported
guest operating systems. Note that in Hyper-V Manager and the networking cmdlets, this type is just
referred to as a network adapter.
Legacy network adapter - Available only in generation 1 virtual machines. Emulates an Intel 21140-
based PCI Fast Ethernet Adapter and can be used to boot to a network so you can install an operating
system from a service such as Windows Deployment Services.

Hyper-V networking and related technologies

Recent Windows Server releases introduced improvements that give you more options for configuring
networking for Hyper-V. For example, Windows Server 2012 introduced support for converged networking. This
lets you route network traffic through one external virtual switch. Windows Server 2016 builds on this by allowing
Remote Direct Memory Access (RDMA) on network adapters bound to a Hyper-V virtual switch. You can use this
configuration either with or without Switch Embedded Teaming (SET). For details, see Remote Direct Memory
Access (RDMA) and Switch Embedded Teaming (SET)
Some features rely on specific networking configurations or do better under certain configurations. Consider
these when planning or updating your network infrastructure.
Failover clustering - It's a best practice to isolate cluster traffic and use Hyper-V Quality of Service (QoS ) on the
virtual switch. For details, see Network Recommendations for a Hyper-V Cluster
Live migration - Use performance options to reduce network and CPU usage and the time it takes to complete a
live migration. For instructions, see Set up hosts for live migration without Failover Clustering.
Storage Spaces Direct - This feature relies on the SMB3.0 network protocol and RDMA. For details, see Storage
Spaces Direct in Windows Server 2016.
 Plan for Hyper-V scalability in Windows Server 2016
7/26/2019 • 5 minutes to read • Edit Online

Applies To: Windows Server 2016, Windows Server 2019

This article gives you details about the maximum configuration for components you can add and remove on a
Hyper-V host or its virtual machines, such as virtual processors or checkpoints. As you plan your deployment,
consider the maximums that apply to each virtual machine, as well as those that apply to the Hyper-V host.
Maximums for memory and logical processors are the biggest increases from Windows Server 2012, in response
to requests to support newer scenarios such as machine learning and data analytics. The Windows Server blog
recently published the performance results of a virtual machine with 5.5 terabytes of memory and 128 virtual
processors running 4 TB in-memory database. Performance was greater than 95% of the performance of a
physical server. For details, see Windows Server 2016 Hyper-V large-scale VM performance for in-memory
transaction processing. Other numbers are similar to those that apply to Windows Server 2012. (Maximums for
Windows Server 2012 R2 were the same as Windows Server 2012.)

NOTE
For information about System Center Virtual Machine Manager (VMM), see Virtual Machine Manager. VMM is a Microsoft
product for managing a virtualized data center that is sold separately.

Maximums for virtual machines

These maximums apply to each virtual machine. Not all components are available in both generations of virtual
machines. For a comparison of the generations, see Should I create a generation 1 or 2 virtual machine in Hyper-
V?

COMPONENT MAXIMUM NOTES

Checkpoints 50 The actual number may be lower,

depending on the available storage.
Each checkpoint is stored as an .avhd
file that uses physical storage.

Memory 12 TB for generation 2; Review the requirements for the specific

1 TB for generation 1 operating system to determine the
minimum and recommended amounts.

Serial (COM) ports 2 None.

Size of physical disks attached directly Varies Maximum size is determined by the
to a virtual machine guest operating system.

Virtual Fibre Channel adapters 4 As a best practice, we recommended

that you connect each virtual Fibre
Channel Adapter to a different virtual
SAN.

Virtual floppy devices 1 virtual floppy drive None.

 COMPONENT MAXIMUM NOTES

Virtual hard disk capacity 64 TB for VHDX format; Each virtual hard disk is stored on
2040 GB for VHD format physical media as either a .vhdx or a
.vhd file, depending on the format used
by the virtual hard disk.

Virtual IDE disks 4 The startup disk (sometimes called the

boot disk) must be attached to one of
the IDE devices. The startup disk can be
either a virtual hard disk or a physical
disk attached directly to a virtual
machine.

Virtual processors 240 for generation 2; The number of virtual processors

64 for generation 1; supported by a guest operating system
320 available to the host OS (root might be lower. For details, see the
partition) information published for the specific
operating system.

Virtual SCSI controllers 4 Use of virtual SCSI devices requires

integration services, which are available
for supported guest operating systems.
For details on which operating systems
are supported, see Supported Linux
and FreeBSD virtual machines and
Supported Windows guest operating
systems.

Virtual SCSI disks 256 Each SCSI controller supports up to 64

disks, which means that each virtual
machine can be configured with as
many as 256 virtual SCSI disks. (4
controllers x 64 disks per controller)

Virtual network adapters Windows Server 2016 supports 12 The Hyper-V specific network adapter
total: provides better performance and
- 8 Hyper-V specific network adapters requires a driver included in integration
- 4 legacy network adapters services. For more information, see Plan
Windows Server 2019 supports 72 for Hyper-V networking in Windows
total: Server.
- 64 Hyper-V specific network adapters
- 4 legacy network adapters

Maximums for Hyper-V hosts

These maximums apply to each Hyper-V host.

COMPONENT MAXIMUM NOTES

 COMPONENT MAXIMUM NOTES

Logical processors 512 Both of these must be

enabled in the firmware:

- Hardware-assisted
virtualization
- Hardware-enforced Data
Execution Prevention (DEP)

The host OS (root partition)

will only see maximum 320
logical processors

Memory 24 TB None.

Network adapter teams (NIC No limits imposed by Hyper- For details, see NIC Teaming.
Teaming) V.

Physical network adapters No limits imposed by Hyper- None.

V.

Running virtual machines 1024 None.

per server

Storage Limited by what is Note: Microsoft supports

supported by the host network-attached storage
operating system. No limits (NAS) when using SMB 3.0.
imposed by Hyper-V. NFS-based storage is not
supported.

Virtual network switch ports Varies; no limits imposed by The practical limit depends
per server Hyper-V. on the available computing
resources.

Virtual processors per logical No ratio imposed by Hyper- None.

processor V.

Virtual processors per server 2048 None.

Virtual storage area No limits imposed by Hyper- None.

networks (SANs) V.

Virtual switches Varies; no limits imposed by The practical limit depends

Hyper-V. on the available computing
resources.

Failover Clusters and Hyper-V

This table lists the maximums that apply when using Hyper-V and Failover Clustering. It's important to do
capacity planning to ensure that there will be enough hardware resources to run all the virtual machines in a
clustered environment.
To learn about updates to Failover Clustering, including new features for virtual machines, see What's New in
Failover Clustering in Windows Server 2016.
COMPONENT MAXIMUM NOTES

Nodes per cluster 64 Consider the number of nodes you

want to reserve for failover, as well as
maintenance tasks such as applying
updates. We recommend that you plan
for enough resources to allow for 1
node to be reserved for failover, which
means it remains idle until another
node is failed over to it. (This is
sometimes referred to as a passive
node.) You can increase this number if
you want to reserve additional nodes.
There is no recommended ratio or
multiplier of reserved nodes to active
nodes; the only requirement is that the
total number of nodes in a cluster can't
exceed the maximum of 64.

Running virtual machines per cluster 8,000 per cluster Several factors can affect the real
and per node number of virtual machines you can
run at the same time on one node,
such as:
- Amount of physical memory being
used by each virtual machine.
- Networking and storage bandwidth.
- Number of disk spindles, which affects
disk I/O performance.
 Plan for Hyper-V security in Windows Server
3/12/2019 • 3 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

Secure the Hyper-V host operating system, the virtual machines, configuration files, and virtual machine data. Use
the following list of recommended practices as a checklist to help you secure your Hyper-V environment.

Secure the Hyper-V host

Keep the host OS secure.
Minimize the attack surface by using the minimum Windows Server installation option that you need for
the management operating system. For more information, see the Installation Options section of the
Windows Server technical content library. We don't recommend that you run production workloads on
Hyper-V on Windows 10.
Keep the Hyper-V host operating system, firmware, and device drivers up to date with the latest security
updates. Check your vendor's recommendations to update firmware and drivers.
Don't use the Hyper-V host as a workstation or install any unnecessary software.
Remotely manage the Hyper-V host. If you must manage the Hyper-V host locally, use Credential
Guard. For more information, see Protect derived domain credentials with Credential Guard.
Enable code integrity policies. Use virtualization-based security protected Code Integrity services. For
more information, see Device Guard Deployment Guide.
Use a secure network.
Use a separate network with a dedicated network adapter for the physical Hyper-V computer.
Use a private or secure network to access VM configurations and virtual hard disk files.
Use a private/dedicated network for your live migration traffic. Consider enabling IPSec on this network
to use encryption and secure your VM's data going over the network during migration. For more
information, see Set up hosts for live migration without Failover Clustering.
Secure storage migration traffic.
Use SMB 3.0 for end-to-end encryption of SMB data and data protection tampering or eavesdropping on
untrusted networks. Use a private network to access the SMB share contents to prevent man-in-the-middle
attacks. For more information, see SMB Security Enhancements.
Configure hosts to be part of a guarded fabric.
For more information, see Guarded fabric.
Secure devices.
Secure the storage devices where you keep virtual machine resource files.
Secure the hard drive.
Use BitLocker Drive Encryption to protect resources.
Harden the Hyper-V host operating system.
Use the baseline security setting recommendations described in the Windows Server Security Baseline.
 Grant appropriate permissions.
Add users that need to manage the Hyper-V host to the Hyper-V administrators group.
Don't grant virtual machine administrators permissions on the Hyper-V host operating system.
Configure anti-virus exclusions and options for Hyper-V.
Windows Defender already has automatic exclusions configured. For more information about exclusions,
see Recommended antivirus exclusions for Hyper-V hosts.
Don't mount unknown VHDs. This can expose the host to file system level attacks.
Don't enable nesting in your production environment unless it's required.
If you enable nesting, don't run unsupported hypervisors on a virtual machine.
For more secure environments:
Use hardware with a Trusted Platform Module (TPM ) 2.0 chip to set up a guarded fabric.
For more information, see System requirements for Hyper-V on Windows Server 2016.

Secure virtual machines

Create generation 2 virtual machines for supported guest operating systems.
For more information, see Generation 2 security settings.
Enable Secure Boot.
For more information, see Generation 2 security settings.
Keep the guest OS secure.
Install the latest security updates before you turn on a virtual machine in a production environment.
Install integration services for the supported guest operating systems that need it and keep it up to date.
Integration service updates for guests that run supported Windows versions are available through
Windows Update.
Harden the operating system that runs in each virtual machine based on the role it performs. Use the
baseline security setting recommendations that are described in the Windows Security Baseline.
Use a secure network.
Make sure virtual network adapters connect to the correct virtual switch and have the appropriate security
setting and limits applied.
Store virtual hard disks and snapshot files in a secure location.
Secure devices.
Configure only required devices for a virtual machine. Don't enable discrete device assignment in your
production environment unless you need it for a specific scenario. If you do enable it, make sure to only
expose devices from trusted vendors.
Configure antivirus, firewall, and intrusion detection software within virtual machines as appropriate
based on the virtual machine role.
Enable virtualization based security for guests that run Windows 10 or Windows Server 2016 or
later.
For more information, see the Device Guard Deployment Guide.
Only enable Discrete Device Assignment if needed for a specific workload.
 Due to the nature of passing through a physical device, work with the device manufacturer to understand if
it should be used in a secure environment.
For more secure environments:
Deploy virtual machines with shielding enabled and deploy them to a guarded fabric.
For more information, see Generation 2 security settings and Guarded fabric.
 Plan for Deploying Devices using Discrete Device
Assignment
7/24/2019 • 9 minutes to read • Edit Online

Applies To: Microsoft Hyper-V Server 2016, Windows Server 2016, Microsoft Hyper-V Server 2019, Windows
Server 2019

Discrete Device Assignment allows physical PCIe hardware to be directly accessible from within a virtual machine.
This guide will discuss the type of devices that can use Discrete Device Assignment, host system requirements,
limitations imposed on the virtual machines as well as security implications of Discrete Device Assignment.
For Discrete Device Assignment's initial release, we have focused on two device classes to be formally supported
by Microsoft: Graphics Adapters and NVMe Storage devices. Other devices are likely to work and hardware
vendors are able to offer statements of support for those devices. For these other devices, please reach out to those
hardware vendors for support.
If you are ready to try out Discrete Device Assignment, you can jump over to Deploying Graphics Devices Using
Discrete Device Assignment or Deploying Storage Devices using Discrete Device Assignment to get started!

Supported Virtual Machines and Guest Operating Systems

Discrete Device Assignment is supported for Generation 1 or 2 VMs. Additionally, the guests supported include
Windows 10, Windows Server 2019, Windows Server 2016, Windows Server 2012r2 with KB 3133690 applied,
and various distributions of the Linux OS.

System Requirements
In addition to the System Requirements for Windows Server and the System Requirements for Hyper-V, Discrete
Device Assignment requires server class hardware that is capable of granting the operating system control over
configuring the PCIe fabric (Native PCI Express Control). In addition, the PCIe Root Complex has to support
"Access Control Services" (ACS ), which enables Hyper-V to force all PCIe traffic through the I/O MMU.
These capabilities usually aren't exposed directly in the BIOS of the server and are often hidden behind other
settings. For example, the same capabilities are required for SR -IOV support and in the BIOS you may need to set
"Enable SR -IOV." Please reach out to your system vendor if you are unable to identify the correct setting in your
BIOS.
To help ensure hardware the hardware is capable of Discrete Device Assignment, our engineers have put together a
Machine Profile Script that you can run on an Hyper-V enabled host to test if your server is correctly setup and
what devices are capable of Discrete Device Assignment.

Device Requirements
Not every PCIe device can be used with Discrete Device Assignment. For example, older devices that leverage
legacy (INTx) PCI Interrupts are not supported. Jake Oshin's blog posts go into more detail - however, for the
consumer, running the Machine Profile Script will display which devices are capable of being used for Discrete
Device Assignment.
Device manufactures can reach out to their Microsoft representative for more details.
Device Driver
As Discrete Device Assignment passes the entire PCIe device into the Guest VM, a host driver is not required to be
installed prior to the device being mounted within the VM. The only requirement on the host is that the device's
PCIe Location Path can be determined. The device's driver can optionally be installed if this helps in identifying the
device. For example, a GPU without its device driver installed on the host may appear as a Microsoft Basic Render
Device. If the device driver is installed, its manufacturer and model will likely be displayed.
Once the device is mounted inside the guest, the Manufacturer's device driver can now be installed like normal
inside the guest virtual machine.

Virtual Machine Limitations

Due to the nature of how Discrete Device Assignment is implemented, some features of a virtual machine are
restricted while a device is attached. The following features are not available:
VM Save/Restore
Live migration of a VM
The use of dynamic memory
Adding the VM to a high availability (HA) cluster

Security
Discrete Device Assignment passes the entire device into the VM. This means all capabilities of that device are
accessible from the guest operating system. Some capabilities, like firmware updating, may adversely impact the
stability of the system. As such, numerous warnings are presented to the admin when dismounting the device from
the host. We highly recommend that Discrete Device Assignment is only used where the tenants of the VMs are
trusted.
If the admin desires to use a device with an untrusted tenant, we have provided device manufactures with the
ability to create a Device Mitigation driver that can be installed on the host. Please contact the device manufacturer
for details on whether they provide a Device Mitigation Driver.
If you would like to bypass the security checks for a device that does not have a Device Mitigation Driver, you will
have to pass the -Force parameter to the Dismount-VMHostAssignableDevice cmdlet. Understand that by doing so,
you have changed the security profile of that system and this is only recommended during prototyping or trusted
environments.

PCIe Location Path

The PCIe Location path is required to dismount and mount the device from the Host. An example location path
looks like the following: "PCIROOT(20)#PCI(0300)#PCI(0000)#PCI(0800)#PCI(0000)" . The Machine Profile Script will
also return the Location Path of the PCIe device.
Getting the Location Path by Using Device Manager
 Open Device Manager and locate the device.
Right click the device and select “Properties.”
Navigate to the Details tab and select “Location Paths” in the Property drop down.
Right click the entry that begins with “PCIROOT” and select "Copy." You now have the location path for that
device.

MMIO Space
Some devices, especially GPUs, require additional MMIO space to be allocated to the VM for the memory of that
device to be accessible. By default, each VM starts off with 128MB of low MMIO space and 512MB of high MMIO
space allocated to it. However, a device might require more MMIO space, or multiple devices may be passed
through such that the combined requirements exceed these values. Changing MMIO Space is straight forward and
can be performed in PowerShell using the following commands:

Set-VM -LowMemoryMappedIoSpace 3Gb -VMName $vm

Set-VM -HighMemoryMappedIoSpace 33280Mb -VMName $vm

The easiest way to determine how much MMIO space to allocate is to use the Machine Profile Script. To download
and run the machine profile script, run the following commands in a PowerShell console:

curl -o SurveyDDA.ps1 https://raw.githubusercontent.com/MicrosoftDocs/Virtualization-Documentation/live/hyperv-

tools/DiscreteDeviceAssignment/SurveyDDA.ps1
.\SurveyDDA.ps1

For devices that are able to be assigned, the script will display the MMIO requirements of a given device like the
example below:
 NVIDIA GRID K520
Express Endpoint -- more secure.
...
And it requires at least: 176 MB of MMIO gap space
...

The low MMIO space is used only by 32-bit operating systems and devices that use 32-bit addresses. In most
circumstances, setting the high MMIO space of a VM will be enough since 32-bit configurations aren't very
common.

IMPORTANT
When assigning MMIO space to a VM, the user needs to be sure set the MMIO space to the sum of the requested MMIO
space for all desired assigned devices plus an additional buffer if there are other virtual devices that require a few MB of
MMIO space. Use the default MMIO values described above as the buffer for low and high MMIO (128 MB and 512 MB,
respectively).

If a user were to assign a single K520 GPU as in the example above, they must set the MMIO space of the VM to
the value outputted by the machine profile script plus a buffer--176 MB + 512 MB. If a user were to assign three
K520 GPUs, they must set the MMIO space to three times 176 MB plus a buffer, or 528 MB + 512 MB.
For a more in-depth look at MMIO space, see Discrete Device Assignment - GPUs on the TechCommunity blog.

Machine Profile Script

In order to simplify identifying if the server is configured correctly and what devices are available to be passed
through using Discrete Device Assignment, one of our engineers put together the following PowerShell script:
SurveyDDA.ps1.
Before using the script, please ensure you have the Hyper-V role installed and you run the script from a PowerShell
command window that has Administrator privileges.
If the system is incorrectly configured to support Discrete Device Assignment, the tool will display an error
message as to what is wrong. If the tool finds the system configured correctly, it will enumerate all the devices it can
find on the PCIe Bus.
For each device it finds, the tool will display whether it is able to be used with Discrete Device Assignment. If a
device is identified as being compatible with Discrete Device Assignment, the script will provide a reason. When a
device is successfully identified as being compatible, the device's Location Path will be displayed. Additionally, if that
device requires MMIO space, it will be displayed as well.

Frequently Asked Questions

How does Remote Desktop's RemoteFX vGPU technology relate to Discrete Device Assignment?
They are completely separate technologies. RemoteFX vGPU does not need to be installed for Discrete Device
Assignment to work. Additionally, no additional roles are required to be installed. RemoteFX vGPU requires the
RDVH role to be installed in order for the RemoteFX vGPU driver to be present in the VM. For Discrete Device
Assignment, since you will be installing the Hardware Vendor's driver into the virtual machine, no additional roles
need to be present.
I've passed a GPU into a VM but Remote Desktop or an application isn't recognizing the GPU
There are a number of reasons this could happen, but several common issues are listed below.
Ensure the latest GPU vendor's driver is installed and is not reporting an error by checking the device state in
the Device Manager.
Ensure that device has enough MMIO space allocated for it within the VM.
Ensure you're using a GPU that the vendor supports being used in this configuration. For example, some
vendors prevent their consumer cards from working when passed through to a VM.
Ensure the application being run supports running inside a VM, and that both the GPU and its associated
drivers are supported by the application. Some applications have whitelists of GPUs and environments.
If you're using the Remote Desktop Session Host role or Windows Multipoint Services on the guest, you will
need to ensure that a specific Group Policy entry is set to allow use of the default GPU. Using a Group Policy
Object applied to the guest (or the Local Group Policy Editor on the guest), navigate to the following Group
Policy item:
Computer Configuration
Administrator Templates
Windows Components
Remote Desktop Services
Remote Desktop Session Host
Remote Session Environment
Use the hardware default graphics adapter for all Remote Desktop Services sessions
Set this value to Enabled, then reboot the VM once the policy has been applied.
Can Discrete Device Assignment take advantage of Remote Desktop's AVC444 codec?
Yes, visit this blog post for more information: Remote Desktop Protocol (RDP ) 10 AVC/H.264 improvements in
Windows 10 and Windows Server 2016 Technical Preview.
Can I use PowerShell to get the Location Path?
Yes, there are various ways to do this. Here is one example:

#Enumerate all PNP Devices on the system

$pnpdevs = Get-PnpDevice -presentOnly
#Select only those devices that are Display devices manufactured by NVIDIA
$gpudevs = $pnpdevs |where-object {$_.Class -like "Display" -and $_.Manufacturer -like "NVIDIA"}
#Select the location path of the first device that's available to be dismounted by the host.
$locationPath = ($gpudevs | Get-PnpDeviceProperty DEVPKEY_Device_LocationPaths).data[0]

Can Discrete Device Assignment be used to pass a USB device into a VM?
Although not officially supported, our customers have used Discrete Device Assignment to do this by passing the
entire USB3 controller into a VM. As the whole controller is being passed in, each USB device plugged into that
controller will also be accessible in the VM. Note that only some USB3 controllers may work, and USB2 controllers
cannot be used with Discrete Device Assignment.
 Deploy Hyper-V on Windows Server
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

Use these resources to help you deploy Hyper-V on Windows Server 2016.
Configure virtual local area networks for Hyper-V
Set up hosts for live migration without Failover Clustering
Upgrade virtual machine version in Hyper-V on Windows 10 or Windows Server 2016
Deploy graphics devices using Discrete Device Assignment
Deploy storage devices using Discrete Device Assignment
 3/12/2019 • 3 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019,
Microsoft Hyper-V Server 2019

Export and Import virtual machines

This article shows you how to export and import a virtual machine, which is a quick way to move or copy them.
This article also discusses some of the choices to make when doing an export or import.

Export a Virtual Machine

An export gathers all required files into one unit--virtual hard disk files, virtual machine configuration files, and any
checkpoint files. You can do this on a virtual machine that is in either a started or stopped state.
Using Hyper-V Manager
To create a virtual machine export:
1. In Hyper-V Manager, right-click the virtual machine and select Export.
2. Choose where to store the exported files, and click Export.
When the export is done, you can see all exported files under the export location.
Using PowerShell
Open a session as Administrator and run a command like the following, after replacing <vm name> and <path>:

Export-VM -Name \<vm name\> -Path \<path\>

For details, see Export-VM.

Import a Virtual Machine

Importing a virtual machine registers the virtual machine with the Hyper-V host. You can import back into the host,
or new host. If you're importing to the same host, you don't need to export the virtual machine first, because
Hyper-V tries to recreate the virtual machine from available files. Importing a virtual machine registers it so it can
be used on the Hyper-V host.
The Import Virtual Machine wizard also helps you fix incompatibilities that can exist when moving from one host to
another. This is commonly differences in physical hardware, such as memory, virtual switches, and virtual
processors.
Import using Hyper-V Manager
To import a virtual machine:
1. From the Actions menu in Hyper-V Manager, click Import Virtual Machine.
2. Click Next.
3. Select the folder that contains the exported files, and click Next.
4. Select the virtual machine to import.
5. Choose the import type, and click Next. (For descriptions, see Import types, below.)
6. Click Finish.
Import using PowerShell
Use the Import-VM cmdlet, following the example for the type of import you want. For descriptions of the types,
see Import types, below.
Register in place
This type of import uses the files where they are stored at the time of import and retains the virtual machine's ID.
The following command shows an example of an import file. Run a similar command with your own values.

Import-VM -Path 'C:\<vm export path>\2B91FEB3-F1E0-4FFF-B8BE-29CED892A95A.vmcx'

Restore
To import the virtual machine specifying your own path for the virtual machine files, run a command like this,
replacing the examples with your values:

Import-VM -Path 'C:\<vm export path>\2B91FEB3-F1E0-4FFF-B8BE-29CED892A95A.vmcx' -Copy -VhdDestinationPath

'D:\Virtual Machines\WIN10DOC' -VirtualMachinePath 'D:\Virtual Machines\WIN10DOC'

Import as a copy
To complete a copy import and move the virtual machine files to the default Hyper-V location, run a command like
this, replacing the examples with your values:

Import-VM -Path 'C:\<vm export path>\2B91FEB3-F1E0-4FFF-B8BE-29CED892A95A.vmcx' -Copy -GenerateNewId

For details, see Import-VM.

Import types
Hyper-V offers three import types:
Register in-place – This type assumes export files are in the location where you'll store and run the virtual
machine. The imported virtual machine has the same ID as it did at the time of export. Because of this, if the
virtual machine is already registered with Hyper-V, it needs to be deleted before the import works. When
the import has completed, the export files become the running state files and can't be removed.
Restore the virtual machine – Restore the virtual machine to a location you choose, or use the default to
Hyper-V. This import type creates a copy of the exported files and moves them to the selected location.
When imported, the virtual machine has the same ID as it did at the time of export. Because of this, if the
virtual machine is already running in Hyper-V, it needs to be deleted before the import can be completed.
When the import has completed, the exported files remain intact and can be removed or imported again.
Copy the virtual machine – This is similar to the Restore type in that you select a location for the files. The
difference is that the imported virtual machine has a new unique ID, which means you can import the virtual
machine to the same host multiple times.
 Set up hosts for live migration without Failover
Clustering
3/12/2019 • 7 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

This article shows you how to set up hosts that aren't clustered so you can do live migrations between them. Use
these instructions if you didn't set up live migration when you installed Hyper-V, or if you want to change the
settings. To set up clustered hosts, use tools for Failover Clustering.

Requirements for setting up live migration

To set up non-clustered hosts for live migration, you'll need:
A user account with permission to perform the various steps. Membership in the local Hyper-V
Administrators group or the Administrators group on both the source and destination computers meets this
requirement, unless you're configuring constrained delegation. Membership in the Domain Administrators
group is required to configure constrained delegation.
The Hyper-V role in Windows Server 2016 or Windows Server 2012 R2 installed on the source and
destination servers. You can do a live migration between hosts running Windows Server 2016 and Windows
Server 2012 R2 if the virtual machine is at least version 5.
For version upgrade instructions, see Upgrade virtual machine version in Hyper-V on Windows 10 or
Windows Server 2016. For installation instructions, see Install the Hyper-V role on Windows Server.
Source and destination computers that either belong to the same Active Directory domain, or belong to
domains that trust each other.
The Hyper-V management tools installed on a computer running Windows Server 2016 or Windows 10,
unless the tools are installed on the source or destination server and you'll run the tools from the server.

Consider options for authentication and networking

Consider how you want to set up the following:
Authentication: Which protocol will be used to authenticate live migration traffic between the source and
destination servers? The choice determines whether you'll need to sign on to the source server before
starting a live migration:
Kerberos lets you avoid having to sign in to the server, but requires constrained delegation to be set
up. See below for instructions.
CredSSP lets you avoid configuring constrained delegation, but requires you sign in to the source
server. You can do this through a local console session, a Remote Desktop session, or a remote
Windows PowerShell session.
CredSPP requires signing in for situations that might not be obvious. For example, if you sign in to
TestServer01 to move a virtual machine to TestServer02, and then want to move the virtual machine
back to TestServer01, you'll need to sign in to TestServer02 before you try to move the virtual
machine back to TestServer01. If you don't do this, the authentication attempt fails, an error occurs,
 and the following message is displayed:
"Virtual machine migration operation failed at migration Source.
Failed to establish a connection with host computer name: No credentials are available in the security
package 0x8009030E."
Performance: Does it makes sense to configure performance options? These options can reduce network
and CPU usage, as well as make live migrations go faster. Consider your requirements and your
infrastructure, and test different configurations to help you decide. The options are described at the end of
step 2.
Network preference: Will you allow live migration traffic through any available network, or isolate the
traffic to specific networks? As a security best practice, we recommend that you isolate the traffic onto
trusted, private networks because live migration traffic is not encrypted when it is sent over the network.
Network isolation can be achieved through a physically isolated network or through another trusted
networking technology such as VLANs.

Step 1: Configure constrained delegation (optional)

If you have decided to use Kerberos to authenticate live migration traffic, configure constrained delegation using an
account that is a member of the Domain Administrators group.
Use the Users and Computers snap-in to configure constrained delegation
1. Open the Active Directory Users and Computers snap-in. (From Server Manager, select the server if it's not
selected, click Tools >> Active Directory Users and Computers).
2. From the navigation pane in Active Directory Users and Computers, select the domain and double-click
the Computers folder.
3. From the Computers folder, right-click the computer account of the source server and then click
Properties.
4. From Properties, click the Delegation tab.
5. On the delegation tab, select Trust this computer for delegation to the specified services only and then
select Use any authentication protocol.
6. Click Add.
7. From Add Services, click Users or Computers.
8. From Select Users or Computers, type the name of the destination server. Click Check Names to verify it,
and then click OK.
9. From Add Services, in the list of available services, do the following and then click OK:
To move virtual machine storage, select cifs. This is required if you want to move the storage along
with the virtual machine, as well as if you want to move only a virtual machine's storage. If the server
is configured to use SMB storage for Hyper-V, this should already be selected.
To move virtual machines, select Microsoft Virtual System Migration Service.
10. On the Delegation tab of the Properties dialog box, verify that the services you selected in the previous
step are listed as the services to which the destination computer can present delegated credentials. Click OK.
11. From the Computers folder, select the computer account of the destination server and repeat the process. In
the Select Users or Computers dialog box, be sure to specify the name of the source server.
The configuration changes take effect after both of the following happen:
 The changes are replicated to the domain controllers that the servers running Hyper-V are logged into.
The domain controller issues a new Kerberos ticket.

Step 2: Set up the source and destination computers for live migration
This step includes choosing options for authentication and networking. As a security best practice, we recommend
that you select specific networks to use for live migration traffic, as discussed above. This step also shows you how
to choose the performance option.
Use Hyper-V Manager to set up the source and destination computers for live migration
1. Open Hyper-V Manager. (From Server Manager, click Tools >>Hyper-V Manager.)
2. In the navigation pane, select one of the servers. (If it isn't listed, right-click Hyper-V Manager, click
Connect to Server, type the server name, and click OK. Repeat to add more servers.)
3. In the Action pane, click Hyper-V Settings >>Live Migrations.
4. In the Live Migrations pane, check Enable incoming and outgoing live migrations.
5. Under Simultaneous live migrations, specify a different number if you don't want to use the default of 2.
6. Under Incoming live migrations, if you want to use specific network connections to accept live migration
traffic, click Add to type the IP address information. Otherwise, click Use any available network for live
migration. Click OK.
7. To choose Kerberos and performance options, expand Live Migrations and then select Advanced
Features.
If you have configured constrained delegation, under Authentication protocol, select Kerberos.
Under Performance options, review the details and choose a different option if it's appropriate for your
environment.
8. Click OK.
9. Select the other server in Hyper-V Manager and repeat the steps.
Use Windows PowerShell to set up the source and destination computers for live migration
Three cmdlets are available for configuring live migration on non-clustered hosts: Enable-VMMigration, Set-
VMMigrationNetwork, and Set-VMHost. This example uses all three and does the following:
Configures live migration on the local host
Allows incoming migration traffic only on a specific network
Chooses Kerberos as the authentication protocol
Each line represents a separate command.

PS C:\> Enable-VMMigration

PS C:\> Set-VMMigrationNetwork 192.168.10.1

PS C:\> Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

Set-VMHost also lets you choose a performance option (and many other host settings). For example, to choose
SMB but leave the authentication protocol set to the default of CredSSP, type:
 PS C:\> Set-VMHost -VirtualMachineMigrationPerformanceOption SMBTransport

This table describes how the performance options work.

OPTION DESCRIPTION

TCP/IP Copies the memory of the virtual machine to the destination

server over a TCP/IP connection.

Compression Compresses the memory content of the virtual machine

before copying it to the destination server over a TCP/IP
connection. Note: This is the default setting.

SMB Copies the memory of the virtual machine to the destination

server over a SMB 3.0 connection.

- SMB Direct is used when the network adapters on the source

and destination servers have Remote Direct Memory Access
(RDMA) capabilities enabled.
- SMB Multichannel automatically detects and uses multiple
connections when a proper SMB Multichannel configuration is
identified.

For more information, see Improve Performance of a File

Server with SMB Direct.

Next steps
After you set up the hosts, you're ready to do a live migration. For instructions, see Use live migration without
Failover Clustering to move a virtual machine.
 Upgrade virtual machine version in Hyper-V on
Windows 10 or Windows Server
6/7/2019 • 6 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2019, Windows Server 2016, Windows Server (Semi-Annual
Channel)

Make the latest Hyper-V features available on your virtual machines by upgrading the configuration version. Don't
do this until:
You upgrade your Hyper-V hosts to the latest version of Windows or Windows Server.
You upgrade the cluster functional level.
You're sure that you won't need to move the virtual machine back to a Hyper-V host that runs a previous
version of Windows or Windows Server.
For more information, see Cluster Operating System Rolling Upgrade and Perform a rolling upgrade of a Hyper-V
host cluster in VMM.

Step 1: Check the virtual machine configuration versions

1. On the Windows desktop, click the Start button and type any part of the name Windows PowerShell.
2. Right-click Windows PowerShell and select Run as Administrator.
3. Use the Get-VMcmdlet. Run the following command to get the versions of your virtual machines.

Get-VM * | Format-Table Name, Version

You can also see the configuration version in Hyper-V Manager by selecting the virtual machine and looking at the
Summary tab.

Step 2: Upgrade the virtual machine configuration version

1. Shut down the virtual machine in Hyper-V Manager.
2. Select Action > Upgrade Configuration Version. If this option isn't available for the virtual machine, then it's
already at the highest configuration version supported by the Hyper-V host.
To upgrade the virtual machine configuration version by using Windows PowerShell, use the Update-VMVersion
cmdlet. Run the following command where vmname is the name of the virtual machine.

Update-VMVersion <vmname>

Supported virtual machine configuration versions

Run the PowerShell cmdlet Get-VMHostSupportedVersion to see what virtual machine configuration versions
your Hyper-V Host supports. When you create a virtual machine, it's created with the default configuration version.
To see what the default is, run the following command.
 Get-VMHostSupportedVersion -Default

If you need to create a virtual machine that you can move to a Hyper-V Host that runs an older version of
Windows, use the New -VM cmdlet with the -version parameter. For example, to create a virtual machine that you
can move to a Hyper-V host that runs Windows Server 2012 R2 , run the following command. This command will
create a virtual machine named "WindowsCV5" with a configuration version 5.0.

New-VM -Name "WindowsCV5" -Version 5.0

NOTE
You can import virtual machines that have been created for a Hyper-V host running an older version of Windows or restore
them from backup. If the VM's configuration version is not listed as supported for your Hyper-V host OS in the table below,
you have to update the VM configuration version before you can start the VM.

Supported VM configuration versions for long-term servicing hosts

The following table lists the VM configuration versions that are supported on hosts running a long-term servicing
version of Windows.

HYPER-
V HOST
WINDO
WS
VERSIO
N 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0

Windo ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws
Server
2019

Windo ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws 10
Enterpr
ise
LTSC
2019

Windo ✖ ✖ ✖ ✖ ✖ ✔ ✔ ✔ ✔ ✔
ws
Server
2016

Windo ✖ ✖ ✖ ✖ ✖ ✔ ✔ ✔ ✔ ✔
ws 10
Enterpr
ise
2016
LTSB

Windo ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✔ ✔
ws 10
Enterpr
ise
2015
LTSB
 HYPER-
V HOST
WINDO
WS
VERSIO
N 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0

Windo ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✔
ws
Server
2012
R2

Windo ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✖ ✔
ws 8.1

Supported VM configuration versions for semi-annual channel hosts

The following table lists the VM configuration versions for hosts running a currently supported semi-annual
channel version of Windows. To get more information on semi-annual channel versions of Windows, visit the
following pages for Windows Server and Windows 10

HYPER-
V HOST
WINDO
WS
VERSIO
N 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0

Windo ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws 10
May
2019
Update
(versio
n
1903)

Windo ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws
Server,
version
1903

Windo ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws
Server,
version
1809

Windo ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws 10
Octobe
r 2018
Update
(versio
n
1809)
 HYPER-
V HOST
WINDO
WS
VERSIO
N 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0

Windo ✖ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws
Server,
version
1803

Windo ✖ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws 10
April
2018
Update
(versio
n
1803)

Windo ✖ ✖ ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔
ws 10
Fall
Creator
s
Update
(versio
n
1709)

Windo ✖ ✖ ✖ ✖ ✔ ✔ ✔ ✔ ✔ ✔
ws 10
Creator
s
Update
(versio
n
1703)

Windo ✖ ✖ ✖ ✖ ✖ ✔ ✔ ✔ ✔ ✔
ws 10
Annive
rsary
Update
(versio
n
1607)

Why should I upgrade the virtual machine configuration version?

When you move or import a virtual machine to a computer that runs Hyper-V on Windows Server 2019, Windows
Server 2016, or Windows 10, the virtual machine"s configuration isn't automatically updated. This means that you
can move the virtual machine back to a Hyper-V host that runs a previous version of Windows or Windows Server.
But, this also means that you can't use some of the new virtual machine features until you manually update the
configuration version. You can't downgrade the virtual machine configuration version after you've upgraded it.
The virtual machine configuration version represents the compatibility of the virtual machine's configuration, saved
state, and snapshot files with the version of Hyper-V. When you update the configuration version, you change the
file structure that is used to store the virtual machines configuration and the checkpoint files. You also update the
configuration version to the latest version supported by that Hyper-V host. Upgraded virtual machines use a new
configuration file format, which is designed to increase the efficiency of reading and writing virtual machine
configuration data. The upgrade also reduces the potential for data corruption in the event of a storage failure.
The following table lists descriptions, file name extensions, and default locations for each type of file that's used for
new or upgraded virtual machines.

VIRTUAL MACHINE FILE TYPES DESCRIPTION

Configuration Virtual machine configuration information that is stored in

binary file format.
File name extension: .vmcx
Default location: C:\ProgramData\Microsoft\Windows\Hyper-
V\Virtual Machines

Runtime state Virtual machine runtime state information that is stored in

binary file format.
File name extension: .vmrs and .vmgs
Default location: C:\ProgramData\Microsoft\Windows\Hyper-
V\Virtual Machines

Virtual hard disk Stores virtual hard disks for the virtual machine.
File name extension: .vhd or .vhdx
Default location: C:\ProgramData\Microsoft\Windows\Hyper-
V\Virtual Hard Disks

Automatic virtual hard disk Differencing disk files used for virtual machine checkpoints.
File name extension: .avhdx
Default location: C:\ProgramData\Microsoft\Windows\Hyper-
V\Virtual Hard Disks

Checkpoint Checkpoints are stored in multiple checkpoint files. Each

checkpoint creates a configuration file and runtime state file.
File name extensions: .vmrs and .vmcx
Default location:
C:\ProgramData\Microsoft\Windows\Snapshots

What happens if I don't upgrade the virtual machine configuration

version?
If you have virtual machines that you created with an earlier version of Hyper-V, some features that are available
on the newer host OS may not work with those virtual machines until you update the configuration version.
As a general guidance, we recommend updating the configuration version once you have successfully upgraded the
virtualization hosts to a newer version of Windows and feel confident that you do not need to roll back. When you
are using the cluster OS rolling upgrade feature, this would typically be after updating the cluster functional level.
This way, you will benefit from new features and internal changes and optimizations as well.

NOTE
Once the VM configuration version is updated, the VM won't be able to start on hosts that do not support the updated
configuration version.

The following table shows the minimum virtual machine configuration version required to use some Hyper-V
features.
 FEATURE MINIMUM VM CONFIGURATION VERSION

Hot Add/Remove Memory 6.2

Secure Boot for Linux VMs 6.2

Production Checkpoints 6.2

PowerShell Direct 6.2

Virtual Machine Grouping 6.2

Virtual Trusted Platform Module (vTPM) 7.0

Virtual machine multi queues (VMMQ) 7.1

XSAVE support 8.0

Key storage drive 8.0

Guest virtualization-based security support (VBS) 8.0

Nested virtualization 8.0

Virtual processor count 8.0

Large memory VMs 8.0

Increase the default maximum number for virtual devices to 8.3

64 per device (e.g. networking and assigned devices)

Allow additional processor features for Perfmon 9.0

Automatically expose simultaneous multithreading 9.0

configuration for VMs running on hosts using the Core
Scheduler

Hibernation support 9.0

For more information about these features, see What's new in Hyper-V on Windows Server.
 Deploy graphics devices using Discrete Device
Assignment
7/24/2019 • 4 minutes to read • Edit Online

Applies To: Microsoft Hyper-V Server 2016, Windows Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

Starting with Windows Server 2016, you can use Discrete Device Assignment, or DDA, to pass an entire PCIe
Device into a VM. This will allow high performance access to devices like NVMe storage or Graphics Cards from
within a VM while being able to leverage the devices native drivers. Please visit the Plan for Deploying Devices
using Discrete Device Assignment for more details on which devices work, what are the possible security
implications, etc.
There are three steps to using a device with Discrete Device Assignment:
Configure the VM for Discrete Device Assignment
Dismount the Device from the Host Partition
Assigning the Device to the Guest VM
All command can be executed on the Host on a Windows PowerShell console as an Administrator.

Configure the VM for DDA

Discrete Device Assignment imposes some restrictions to the VMs and the following step needs to be taken.
1. Configure the “Automatic Stop Action” of a VM to TurnOff by executing

Set-VM -Name VMName -AutomaticStopAction TurnOff

Some Additional VM preparation is required for Graphics Devices

Some hardware performs better if the VM in configured in a certain way. For details on whether or not you need
the following configurations for your hardware, please reach out to the hardware vendor. Additional details can be
found on Plan for Deploying Devices using Discrete Device Assignment and on this blog post.
1. Enable Write-Combining on the CPU

Set-VM -GuestControlledCacheTypes $true -VMName VMName

2. Configure the 32 bit MMIO space

Set-VM -LowMemoryMappedIoSpace 3Gb -VMName VMName

3. Configure greater than 32 bit MMIO space

Set-VM -HighMemoryMappedIoSpace 33280Mb -VMName VMName

 TIP
The MMIO space values above are reasonable values to set for experimenting with a single GPU. If after starting the
VM, the device is reporting an error relating to not enough resources, you'll likely need to modify these values.
Consult Plan for Deploying Devices using Discrete Device Assignment to learn how to precisely calculate MMIO
requirements.

Dismount the Device from the Host Partition

Optional - Install the Partitioning Driver
Discrete Device Assignment provide hardware venders the ability to provide a security mitigation driver with their
devices. Note that this driver is not the same as the device driver that will be installed in the guest VM. It’s up to the
hardware vendor’s discretion to provide this driver, however, if they do provide it, please install it prior to
dismounting the device from the host partition. Please reach out to the hardware vendor for more information on if
they have a mitigation driver

If no Partitioning driver is provided, during dismount you must use the -force option to bypass the security
warning. Please read more about the security implications of doing this on Plan for Deploying Devices using
Discrete Device Assignment.

Locating the Device’s Location Path

The PCI Location path is required to dismount and mount the device from the Host. An example location path
looks like the following: "PCIROOT(20)#PCI(0300)#PCI(0000)#PCI(0800)#PCI(0000)" . More details on located the
Location Path can be found here: Plan for Deploying Devices using Discrete Device Assignment.
Disable the Device
Using Device Manager or PowerShell, ensure the device is “disabled.”
Dismount the Device
Depending on if the vendor provided a mitigation driver, you’ll either need to use the “-force” option or not.
If a Mitigation Driver was installed

Dismount-VMHostAssignableDevice -LocationPath $locationPath

If a Mitigation Driver was not installed

Dismount-VMHostAssignableDevice -force -LocationPath $locationPath

Assigning the Device to the Guest VM

The final step is to tell Hyper-V that a VM should have access to the device. In addition to the location path found
above, you'll need to know the name of the vm.

Add-VMAssignableDevice -LocationPath $locationPath -VMName VMName

What’s Next
After a device is successfully mounted in a VM, you’re now able to start that VM and interact with the device as you
normally would if you were running on a bare metal system. This means that you’re now able to install the
Hardware Vendor’s drivers in the VM and applications will be able to see that hardware present. You can verify this
by opening device manager in the Guest VM and seeing that the hardware now shows up.

Removing a Device and Returning it to the Host

If you want to return he device back to its original state, you will need to stop the VM and issue the following:

#Remove the device from the VM

Remove-VMAssignableDevice -LocationPath $locationPath -VMName VMName
#Mount the device back in the host
Mount-VMHostAssignableDevice -LocationPath $locationPath

You can then re-enable the device in device manager and the host operating system will be able to interact with the
device again.

Examples
Mounting a GPU to a VM
In this example we use PowerShell to configure a VM named “ddatest1” to take the first GPU available by the
manufacturer NVIDIA and assign it into the VM.

#Configure the VM for a Discrete Device Assignment

$vm = "ddatest1"
#Set automatic stop action to TurnOff
Set-VM -Name $vm -AutomaticStopAction TurnOff
#Enable Write-Combining on the CPU
Set-VM -GuestControlledCacheTypes $true -VMName $vm
#Configure 32 bit MMIO space
Set-VM -LowMemoryMappedIoSpace 3Gb -VMName $vm
#Configure Greater than 32 bit MMIO space
Set-VM -HighMemoryMappedIoSpace 33280Mb -VMName $vm

#Find the Location Path and disable the Device

#Enumerate all PNP Devices on the system
$pnpdevs = Get-PnpDevice -presentOnly
#Select only those devices that are Display devices manufactured by NVIDIA
$gpudevs = $pnpdevs |where-object {$_.Class -like "Display" -and $_.Manufacturer -like "NVIDIA"}
#Select the location path of the first device that's available to be dismounted by the host.
$locationPath = ($gpudevs | Get-PnpDeviceProperty DEVPKEY_Device_LocationPaths).data[0]
#Disable the PNP Device
Disable-PnpDevice -InstanceId $gpudevs[0].InstanceId

#Dismount the Device from the Host

Dismount-VMHostAssignableDevice -force -LocationPath $locationPath

#Assign the device to the guest VM.

Add-VMAssignableDevice -LocationPath $locationPath -VMName $vm
 Deploy NVMe Storage Devices using Discrete Device
Assignment
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Microsoft Hyper-V Server 2016, Windows Server 2016

Starting with Windows Server 2016, you can use Discrete Device Assignment, or DDA, to pass an entire PCIe
Device into a VM. This will allow high performance access to devices like NVMe storage or Graphics Cards from
within a VM while being able to leverage the devices native drivers. Please visit the Plan for Deploying Devices
using Discrete Device Assignment for more details on which devices work, what are the possible security
implications, etc. There are three steps to using a device with DDA:
Configure the VM for DDA
Dismount the Device from the Host Partition
Assigning the Device to the Guest VM
All command can be executed on the Host on a Windows PowerShell console as an Administrator.

Configure the VM for DDA

Discrete Device Assignment imposes some restrictions to the VMs and the following step needs to be taken.
1. Configure the “Automatic Stop Action” of a VM to TurnOff by executing

Set-VM -Name VMName -AutomaticStopAction TurnOff

Dismount the Device from the Host Partition

Locating the Device’s Location Path
The PCI Location path is required to dismount and mount the device from the Host. An example location path
looks like the following: "PCIROOT(20)#PCI(0300)#PCI(0000)#PCI(0800)#PCI(0000)" . More details on located the
Location Path can be found here: Plan for Deploying Devices using Discrete Device Assignment.
Disable the Device
Using Device Manager or PowerShell, ensure the device is “disabled.”
Dismount the Device

Dismount-VMHostAssignableDevice -LocationPath $locationPath

Assigning the Device to the Guest VM

The final step is to tell Hyper-V that a VM should have access to the device. In addition to the location path found
above, you'll need to know the name of the vm.

Add-VMAssignableDevice -LocationPath $locationPath -VMName VMName

What’s Next
After a device is successfully mounted in a VM, you’re now able to start that VM and interact with the device as you
normally would if you were running on a bare metal system. You can verify this by opening device manager in the
Guest VM and seeing that the hardware now shows up.

Removing a Device and Returning it to the Host

If you want to return he device back to its original state, you will need to stop the VM and issue the following:

#Remove the device from the VM

Remove-VMAssignableDevice -LocationPath $locationPath -VMName VMName
#Mount the device back in the host
Mount-VMHostAssignableDevice -LocationPath $locationPath

You can then re-enable the device in device manager and the host operating system will be able to interact with the
device again.
 Manage Hyper-V on Windows Server
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016, Windows Server 2019

Use the resources in this section to help you manage Hyper-V on Windows Server 2016.
Choose between standard or production checkpoints
Enable or disable checkpoints
Manage hosts with Hyper-V Manager
Manage host CPU resource controls
Using VM CPU Groups
Manage Windows virtual machines with PowerShell Direct
Set up Hyper-V Replica
Use live migration without Failover Clustering to move a virtual machine
 Cmdlets for configuring persistent memory devices
for Hyper-V VMs
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2019

This article provides system administrators and IT Pros with information about configuring Hyper-V VMs with
persistent memory (aka storage class memory or NVDIMM ). JDEC -compliant NVDIMM -N persistent memory
devices are supported in Windows Server 2016 and Windows 10 and provide byte-level access to very low latency
non-volatile devices. VM persistent memory devices are supported in Windows Server 2019.

Create a persistent memory device for a VM

Use the New-VHD cmdlet to create a persistent memory device for a VM. The device must be created on an
existing NTFS DAX volume. The new filename extension (.vhdpmem) is used to specify that the device is a
persistent memory device. Only the fixed VHD file format is supported.
Example: New-VHD d:\VMPMEMDevice1.vhdpmem -Fixed -SizeBytes 4GB

Create a VM with a persistent memory controller

Use the New-VM cmdlet to create a Generation 2 VM with specified memory size and path to a VHDX image.
Then, use Add-VMPmemController to add a persistent memory controller to a VM.
Example:

New-VM -Name "ProductionVM1" -MemoryStartupBytes 1GB -VHDPath c:\vhd\BaseImage.vhdx

Add-VMPmemController ProductionVM1x

Attach a persistent memory device to a VM

Use Add-VMHardDiskDrive to attach a persistent memory device to a VM
Example: Add-VMHardDiskDrive ProductionVM1 PMEM -ControllerLocation 1 -Path D:\VPMEMDevice1.vhdpmem

Persistent memory devices within a Hyper-V VM appear as a persistent memory device to be consumed and
managed by the guest operating system. Guest operating systems can use the device as a block or DAX volume.
When persistent memory devices within a VM are used as a DAX volume, they benefit from low latency byte-level
address-ability of the host device (no I/O virtualization on the code path).

NOTE
Persistent memory is only supported for Hyper-V Gen2 VMs. Live Migration and Storage Migration are not supported for
VMs with persistent memory. Production checkpoints of VMs do not include persistent memory state.
 Choose between standard or production checkpoints
in Hyper-V
6/14/2019 • 2 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019,
Microsoft Hyper-V Server 2019

Starting with Windows Server 2016 and Windows 10, you can choose between standard and production
checkpoints for each virtual machine. Production checkpoints are the default for new virtual machines.
Production checkpoints are "point in time" images of a virtual machine, which can be restored later on in a
way that is completely supported for all production workloads. This is achieved by using backup technology
inside the guest to create the checkpoint, instead of using saved state technology.
Standard checkpoints capture the state, data, and hardware configuration of a running virtual machine and
are intended for use in development and test scenarios. Standard checkpoints can be useful if you need to
recreate a specific state or condition of a running virtual machine so that you can troubleshoot a problem.

Change checkpoints to production or standard checkpoints

1. In Hyper-V Manager, right-click the virtual machine and click Settings.
2. Under the Management section, select Checkpoints.
3. Select either production checkpoints or standard checkpoints.
If you choose production checkpoints, you can also specify whether the host should take a standard
checkpoint if a production checkpoint can't be taken. If you clear this checkbox and a production checkpoint
can't be taken, then no checkpoint is taken.
4. If you want to store the checkpoint configuration files in a different place, change it in the Checkpoint File
Location section.
5. Click Apply to save your changes. If you're done, click OK to close the dialog box.

NOTE
Only Production Checkpoints are supported on guests that run Active Directory Domain Services role (Domain Controller)
or Active Directory Lightweight Directory Services role.

See also
Production checkpoints
Enable or disable checkpoints
 Create Hyper-V VHD Set files
5/31/2019 • 2 minutes to read • Edit Online

VHD Set files are a new shared Virtual Disk model for guest clusters in Windows Server 2016. VHD Set files
support online resizing of shared virtual disks, support Hyper-V Replica, and can be included in application-
consistent checkpoints.
VHD Set files use a new VHD file type, .VHDS. VHD Set files store checkpoint information about the group virtual
disk used in guest clusters, in the form of metadata.
Hyper-V handles all aspects of managing the checkpoint chains and merging the shared VHD set. Management
software can run disk operations like online resizing on VHD Set files in the same way it does for .VHDX files. This
means that management software doesn't need to know about the VHD Set file format.

Create a VHD Set file from Hyper-V Manager

1. Open Hyper-V Manager. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the Action pane, click New, and then click Hard Disk.
3. On the Choose Disk Format page, select VHD Set as the format of the virtual hard disk.
4. Continue through the pages of the wizard to customize the virtual hard disk. You can click Next to move
through each page of the wizard, or you can click the name of a page in the left pane to move directly to that
page.
5. After you have finished configuring the virtual hard disk, click Finish.

Create a VHD Set file from Windows PowerShell

Use the New -VHD cmdlet, with the file type .VHDS in the file path. This example creates a VHD Set file named
base.vhds that is 10 Gigabytes in size.

PS c:\>New-VHD -Path c:\base.vhds -SizeBytes 10GB

Migrate a shared VHDX file to a VHD Set file

Migrating an existing shared VHDX to a VHDS requires taking the VM offline. This is the recommended process
using Windows PowerShell:
1. Remove the VHDX from the VM. For example, run:

PS c:\>Remove-VMHardDiskDrive existing.vhdx

2. Convert the VHDX to a VHDS. For example, run:

PS c:\>Convert-VHD existing.vhdx new.vhds

3. Add the VHDS to the VM. For example, run:

PS c:\>Add-VMHardDiskDrive new.vhds
 Enable or disable checkpoints in Hyper-V
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019,
Microsoft Hyper-V Server 2019

You can choose to enable or disable checkpoints for each virtual machine.
1. In Hyper-V Manager, right-click the virtual machine and click Settings.
2. Under the Management section, select Checkpoints.
3. To allow checkpoints to be taken of this virtual machine, make sure Enable checkpoints is selected. To
disable checkpoints, clear the Enable checkpoints check box.
4. Click Apply to apply your changes. If you are done, click OK to close the dialog box.

See also
Choose between standard or production checkpoints in Hyper-V
 Remotely manage Hyper-V hosts with Hyper-V
Manager
5/31/2019 • 6 minutes to read • Edit Online

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows 10, Windows 8.1

This article lists the supported combinations of Hyper-V hosts and Hyper-V Manager versions and describes how
to connect to remote and local Hyper-V hosts so you can manage them.
Hyper-V Manager lets you manage a small number of Hyper-V hosts, both remote and local. It's installed when
you install the Hyper-V Management Tools, which you can do either through a full Hyper-V installation or a tools-
only installation. Doing a tools-only installation means you can use the tools on computers that don't meet the
hardware requirements to host Hyper-V. For details about hardware for Hyper-V hosts, see System requirements.
If Hyper-V Manager isn't installed, see the instructions below.

Supported combinations of Hyper-V Manager and Hyper-V host

versions
In some cases you can use a different version of Hyper-V Manager than the Hyper-V version on the host, as shown
in the table. When you do this, Hyper-V Manager provides the features available for the version of Hyper-V on the
host you're managing. For example, if you use the version of Hyper-V Manager in Windows Server 2012 R2 to
remotely manage a host running Hyper-V in Windows Server 2012, you won't be able to use features available in
Windows Server 2012 R2 on that Hyper-V host.
The following table shows which versions of a Hyper-V host you can manage from a particular version of Hyper-V
Manager. Only supported operating system versions are listed. For details about the support status of a particular
operating system version, use the Search product lifecyle button on the Microsoft Lifecycle Policy page. In
general, older versions of Hyper-V Manager can only manage a Hyper-V host running the same version or the
comparable Windows Server version.

HYPER-V MANAGER VERSION HYPER-V HOST VERSION

Windows 2016, Windows 10 - Windows Server 2016—all editions and installation options,
including Nano Server, and corresponding version of Hyper-V
Server
- Windows Server 2012 R2—all editions and installation
options, and corresponding version of Hyper-V Server
- Windows Server 2012—all editions and installation options,
and corresponding version of Hyper-V Server
- Windows 10
- Windows 8.1

Windows Server 2012 R2, Windows 8.1 - Windows Server 2012 R2—all editions and installation
options, and corresponding version of Hyper-V Server
- Windows Server 2012—all editions and installation options,
and corresponding version of Hyper-V Server
- Windows 8.1

Windows Server 2012 - Windows Server 2012—all editions and installation options,
and corresponding version of Hyper-V Server
 HYPER-V MANAGER VERSION HYPER-V HOST VERSION

Windows Server 2008 R2 Service Pack 1, Windows 7 Service - Windows Server 2008 R2—all editions and installation
Pack 1 options, and corresponding version of Hyper-V Server

Windows Server 2008, Windows Vista Service Pack 2 - Windows Server 2008—all editions and installation options,
and corresponding version of Hyper-V Server

NOTE
Service pack support ended for Windows 8 on January 12, 2016. For more information, see the Windows 8.1 FAQ.

Connect to a Hyper-V host

To connect to a Hyper-V host from Hyper-V Manager, right-click Hyper-V Manager in the left pane, and then click
Connect to Server.

Manage Hyper-V on a local computer

Hyper-V Manager doesn't list any computers that host Hyper-V until you add the computer, including a local
computer. To do this:
1. In the left pane, right-click Hyper-V Manager.
2. Click Connect to Server.
3. From Select Computer, click Local computer and then click OK.
If you can't connect:
It's possible that only the Hyper-V tools are installed. To check that Hyper-V platform is installed, look for the
Virtual Machine Management service. /(Open the Services desktop app: click Start, click the Start Search box,
type services.msc, and then press Enter. If the Virtual Machine Management service isn't listed, install the
Hyper-V platform by following the instructions in Install Hyper-V.
Check that your hardware meets the requirements. See System requirements.
Check that your user account belongs to the Administrators group or the Hyper-V Administrators group.

Manage Hyper-V hosts remotely

To manage remote Hyper-V hosts, enable remote management on both the local computer and remote host.
On Windows Server, open Server Manager >Local Server >Remote management and then click Allow remote
connections to this computer.
Or, from either operating system, open Windows PowerShell as Administrator and run:

Enable-PSRemoting

Connect to hosts in the same domain

For Windows 8.1 and earlier, remote management works only when the host is in the same domain and your local
user account is also on the remote host.
To add a remote Hyper-V host to Hyper-V Manager, select Another computer in the Select Computer dialogue
box and type the remote host's hostname, NetBIOS name, or fully qualified domain name (FQDN ).
Hyper-V Manager in Windows Server 2016 and Windows 10 offers more types of remote connection than
previous versions, described in the following sections.
Connect to a Windows 2016 or Windows 10 remote host as a different user
This lets you connect to the Hyper-V host when you're not running on the local computer as a user that's a member
of either the Hyper-V Administrators group or the Administrators group on the Hyper-V host. To do this:
1. In the left pane, right-click Hyper-V Manager.
2. Click Connect to Server.
3. Select Connect as another user in the Select Computer dialogue box.
4. Select Set User.

NOTE
This will only work for Windows Server 2016 or Windows 10 remote hosts.

Connect to a Windows 2016 or Windows 10 remote host using IP address

To do this:
1. In the left pane, right-click Hyper-V Manager.
2. Click Connect to Server.
3. Type the IP address into the Another Computer text field.

NOTE
This will only work for Windows Server 2016 or Windows 10 remote hosts.

Connect to a Windows 2016 or Windows 10 remote host outside your domain, or with no domain
To do this:
1. On the Hyper-V host to be managed, open a Windows PowerShell session as Administrator.
2. Create the necessary firewall rules for private network zones:

Enable-PSRemoting

3. To allow remote access on public zones, enable firewall rules for CredSSP and WinRM:

Enable-WSManCredSSP -Role server

For details, see Enable-PSRemoting and Enable-WSManCredSSP.

Next, configure the computer you'll use to manage the Hyper-V host.
1. Open a Windows PowerShell session as Administrator.
2. Run these commands:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "fqdn-of-hyper-v-host"

Enable-WSManCredSSP -Role client -DelegateComputer "fqdn-of-hyper-v-host"

3. You might also need to configure the following group policy:

 Computer Configuration > Administrative Templates > System > Credentials Delegation >
Allow delegating fresh credentials with NTLM -only server authentication
Click Enable and add wsman/fqdn-of-hyper-v -host.
4. Open Hyper-V Manager.
5. In the left pane, right-click Hyper-V Manager.
6. Click Connect to Server.

NOTE
This will only work for Windows Server 2016 or Windows 10 remote hosts.

For cmdlet details, see Set-Item and Enable-WSManCredSSP.

Install Hyper-V Manager

To use a UI tool, choose the one appropriate for the operating system on the computer where you'll run Hyper-V
Manager:
On Windows Server, open Server Manager > Manage > Add roles and features. Move to the Features page
and expand Remote server administration tools > Role administration tools > Hyper-V management tools.
On Windows, Hyper-V Manager is available on any Windows operating system that includes Hyper-V.
1. On the Windows desktop, click the Start button and begin typing Programs and features.
2. In search results, click Programs and Features.
3. In the left pane, click Turn Windows features on or off.
4. Expand the Hyper-V folder, and click Hyper-V Management Tools.
5. To install Hyper-V Manager, click Hyper-V Management Tools. If you want to also install the Hyper-V
module, click that option.
To use Windows PowerShell, run the following command as Administrator:

add-windowsfeature rsat-hyper-v-tools

See also
Install Hyper-V
 Hyper-V Host CPU Resource Management
3/12/2019 • 4 minutes to read • Edit Online

Hyper-V host CPU resource controls introduced in Windows Server 2016 or later allow Hyper-V administrators to
better manage and allocate host server CPU resources between the “root”, or management partition, and guest
VMs. Using these controls, administrators can dedicate a subset of the processors of a host system to the root
partition. This can segregate the work done in a Hyper-V host from the workloads running in guest virtual
machines by running them on separate subsets of the system processors.
For details about hardware for Hyper-V hosts, see Windows 10 Hyper-V System Requirements.

Background
Before setting controls for Hyper-V host CPU resources, it’s helpful to review the basics of the Hyper-V
architecture.
You can find a general summary in the Hyper-V Architecture section. These are important concepts for this article:
Hyper-V creates and manages virtual machine partitions, across which compute resources are allocated and
shared, under control of the hypervisor. Partitions provide strong isolation boundaries between all guest
virtual machines, and between guest VMs and the root partition.
The root partition is itself a virtual machine partition, although it has unique properties and much greater
privileges than guest virtual machines. The root partition provides the management services that control all
guest virtual machines, provides virtual device support for guests, and manages all device I/O for guest
virtual machines. Microsoft strongly recommends not running any application workloads in a host partition.
Each virtual processor (VP ) of the root partition is mapped 1:1 to an underlying logical processor (LP ). A
host VP will always run on the same underlying LP – there is no migration of the root partition’s VPs.
By default, the LPs on which host VPs run can also run guest VPs.
A guest VP may be scheduled by the hypervisor to run on any available logical processor. While the
hypervisor scheduler takes care to consider temporal cache locality, NUMA topology, and many other
factors when scheduling a guest VP, ultimately the VP could be scheduled on any host LP.

The Minimum Root, or “Minroot” Configuration

Early versions of Hyper-V had an architectural maximum limit of 64 VPs per partition. This applied to both the
root and guest partitions. As systems with more than 64 logical processors appeared on high-end servers, Hyper-
V also evolved its host scale limits to support these larger systems, at one point supporting a host with up to 320
LPs. However, breaking the 64 VP per partition limit at that time presented several challenges and introduced
complexities that made supporting more than 64 VPs per partition prohibitive. To address this, Hyper-V limited
the number of VPs given to the root partition to 64, even if the underlying machine had many more logical
processors available. The hypervisor would continue to utilize all available LPs for running guest VPs, but
artificially capped the root partition at 64. This configuration became known as the “minimum root”, or “minroot”
configuration. Performance testing confirmed that, even on large scale systems with more than 64 LPs, the root did
not need more than 64 root VPs to provide sufficient support to a large number of guest VMs and guest VPs – in
fact, much less than 64 root VPs was often adequate, depending of course on the number and size of the guest
VMs, the specific workloads being run, etc.
This “minroot” concept continues to be utilized today. In fact, even as Windows Server 2016 Hyper-V increased its
maximum architectural support limit for host LPs to 512 LPs, the root partition will still be limited to a maximum
of 320 LPs.

Using Minroot to Constrain and Isolate Host Compute Resources

With the high default threshold of 320 LPs in Windows Server 2016 Hyper-V, the minroot configuration will only
be utilized on the very largest server systems. However, this capability can be configured to a much lower
threshold by the Hyper-V host administrator, and thus leveraged to greatly restrict the amount of host CPU
resources available to the root partition. The specific number of root LPs to utilize must of course be chosen
carefully to support the maximum demands of the VMs and workloads allocated to the host. However, reasonable
values for the number of host LPs can be determined through careful assessment and monitoring of production
workloads, and validated in non-production environments before broad deployment.

Enabling and Configuring Minroot

The minroot configuration is controlled via hypervisor BCD entries. To enable minroot, from a cmd prompt with
administrator privileges:

bcdedit /set hypervisorrootproc n

Where n is the number of root VPs.

The system must be rebooted, and the new number of root processors will persist for the lifetime of the OS boot.
The minroot configuration cannot be changed dynamically at runtime.
If there are multiple NUMA nodes, each node will get n/NumaNodeCount processors.
Note that with multiple NUMA nodes, you must ensure the VM’s topology is such that there are enough free LPs
(i.e., LPs without root VPs) on each NUMA node to run the corresponding VM’s NUMA node VPs.

Verifying the Minroot Configuration

You can verify the host’s minroot configuration using Task Manager, as shown below.

When Minroot is active, Task Manager will display the number of logical processors currently allotted to the host,
in addition to the total number of logical processors in the system.
 3/12/2019 • 11 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

Virtual Machine Resource Controls

This article describes Hyper-V resource and isolation controls for virtual machines. These capabilities, which we’ll
refer to as Virtual Machine CPU Groups, or just “CPU groups”, were introduced in Windows Server 2016. CPU
groups allow Hyper-V administrators to better manage and allocate the host’s CPU resources across guest virtual
machines. Using CPU groups, Hyper-V administrators can:
Create groups of virtual machines, with each group having different allocations of the virtualization host’s
total CPU resources, shared across the entire group. This allows the host administrator to implement classes
of service for different types of VMs.
Set CPU resource limits to specific groups. This “group cap” sets the upper bound for host CPU resources
that the entire group may consume, effectively enforcing the desired class of service for that group.
Constrain a CPU group to run only on a specific set of the host system’s processors. This can be used to
isolate VMs belonging to different CPU groups from each other.

Managing CPU Groups

CPU groups are managed through the Hyper-V Host Compute Service, or HCS. A great description of the HCS, its
genesis, links to the HCS APIs, and more is available on the Microsoft Virtualization team’s blog in the posting
Introducing the Host Compute Service (HCS ).

NOTE
Only the HCS may be used to create and manage CPU groups; the Hyper-V Manager applet, WMI and PowerShell
management interfaces don’t support CPU groups.

Microsoft provides a command line utility, cpugroups.exe, on the Microsoft Download Center which uses the HCS
interface to manage CPU groups. This utility can also display the CPU topology of a host.

How CPU Groups Work

Allocation of host compute resources across CPU groups is enforced by the Hyper-V hypervisor, using a computed
CPU group cap. The CPU group cap is a fraction of the total CPU capacity for a CPU group. The value of the group
cap depends on the group class, or priority level assigned. The computed group cap can be thought of as “a
number of LP’s worth of CPU time”. This group budget is shared, so if only a single VM were active, it could use
the entire group’s CPU allocation for itself.
The CPU group cap is calculated as G = n x C, where:
 *G* is the amount of host LP we'd like to assign to the group
*n* is the total number of logical processors (LPs) in the group
*C* is the maximum CPU allocation — that is, the class of service desired for the group, expressed as a
percentage of the system’s total compute capacity

For example, consider a CPU group configured with 4 logical processors (LPs), and a cap of 50%.

G = n * C
G = 4 * 50%
G = 2 LP's worth of CPU time for the entire group

In this example, the CPU group G is allocated 2 LP's worth of CPU time.
Note that the group cap applies regardless of the number of virtual machines or virtual processors bound to the
group, and regardless of the state (e.g., shutdown or started) of the virtual machines assigned to the CPU group.
Therefore, each VM bound to the same CPU group will receive a fraction of the group's total CPU allocation, and
this will change with the number of VMs bound to the CPU group. Therefore, as VMs are bound or unbound VMs
from a CPU group, the overall CPU group cap must be readjusted and set to maintain the resulting per-VM cap
desired. The VM host administrator or virtualization management software layer is responsible for managing
group caps as necessary to achieve the desired per-VM CPU resource allocation.

Example Classes of Service

Let’s look at some simple examples. To start with, assume the Hyper-V host administrator would like to support
two tiers of service for guest VMs:
1. A low -end “C” tier. We’ll give this tier 10% of the entire host’s compute resources.
2. A mid-range “B” tier. This tier is allocated 50% of the entire host’s compute resources.
At this point in our example we’ll assert that no other CPU resource controls are in use, such as individual VM
caps, weights, and reserves. However, individual VM caps are important, as we’ll see a bit later.
For simplicity’s sake, let’s assume each VM has 1 VP, and that our host has 8 LPs. We’ll start with an empty host.
To create the "B" tier, the host adminstartor sets the group cap to 50%:

G = n * C
G = 8 * 50%
G = 4 LP's worth of CPU time for the entire group

The host administrator adds a single “B” tier VM. At this point, our “B” tier VM can use at most 50% worth of the
host's CPU, or the equivalent of 4 LPs in our example system.
Now, the admin adds a second “Tier B” VM. The CPU group’s allocation—is divided evenly among all the VMs.
We’ve got a total of 2 VMs in Group B, so each VM now gets half of Group B's total of 50%, 25% each, or the
equivalent of 2 LPs worth of compute time.

Setting CPU Caps on Individual VMs

In addition to the group cap, each VM can also have an individual “VM cap”. Per-VM CPU resource controls,
including a CPU cap, weight, and reserve, have been a part of Hyper-V since its introduction. When combined with
a group cap, a VM cap specifies the maximum amount of CPU that each VP can get, even if the group has CPU
resources available.
For example, the host administrator might want to place a 10% VM cap on “C” VMs. That way, even if most “C”
VPs are idle, each VP could never get more than 10%. Without a VM cap, “C” VMs could opportunistically achieve
performance beyond levels allowed by their tier.

Isolating VM Groups to Specific Host Processors

Hyper-V host administrators may also want the ability to dedicate compute resources to a VM. For example,
imagine the administrator wanted to offer a premium “A” VM that has a class cap of 100%. These premium VMs
also require the lowest scheduling latency and jitter possible; that is, they may not be de-scheduled by any other
VM. To achieve this separation, a CPU group can also be configured with a specific LP affinity mapping.
For example, to fit an “A” VM on the host in our example, the administrator would create a new CPU group, and
set the group’s processor affinity to a subset of the host’s LPs. Groups B and C would be affinitized to the
remaining LPs. The administrator could create a single VM in Group A, which would then have exclusive access to
all LPs in Group A, while the presumably lower tier groups B and C would share the remaining LPs.

Segregating Root VPs from Guest VPs

By default, Hyper-V will create a root VP on each underlying physical LP. These root VPs are strictly mapped 1:1
with the system LPs, and do not migrate — that is, each root VP will always execute on the same physical LP.
Guest VPs may be run on any available LP, and will share execution with root VPs.
However, it may be desirable to completely separate root VP activity from guest VPs. Consider our example above
where we implement a premium “A” tier VM. To ensure our “A” VM’s VPs have the lowest possible latency and
“jitter”, or scheduling variation, we’d like to run them on a dedicated set of LPs and ensure the root does not run on
these LPs.
This can be accomplished using a combination of the “minroot” configuration, which limits the host OS partition to
running on a subset of the total system logical processors, along with one or more affinitized CPU groups.
The virtualization host can be configured to restrict the host partition to specific LPs, with one or more CPU
groups affinitized to the remaining LPs. In this manner, the root and guest partitions can run on dedicated CPU
resources, and completely isolated, with no CPU sharing.
For more information about the "minroot" configuration, see Hyper-V Host CPU Resource Management.

Using the CpuGroups Tool

Let’s look at some examples of how to use the CpuGroups tool.

NOTE
Command line parameters for the CpuGroups tool are passed using only spaces as delimiters. No ‘/’ or ‘-‘ characters should
proceed the desired command line switch.

Discovering the CPU Topology

Executing CpuGroups with the GetCpuTopology returns information about the current system, as shown below,
including the LP Index, the NUMA node to which the LP belongs, the Package and Core IDs, and the ROOT VP
index.
The following example shows a system with 2 CPU sockets and NUMA nodes, a total of 32 LPs, and multi
threading enabled, and configured to enable Minroot with 8 root VPs, 4 from each NUMA node. The LPs that have
root VPs have a RootVpIndex >= 0; LPs with a RootVpIndex of -1 are not available to the root partition, but are
still managed by the hypervisor and will run guest VPs as allowed by other configuration settings.
 C:\vm\tools>CpuGroups.exe GetCpuTopology

LpIndex NodeNumber PackageId CoreId RootVpIndex

------- ---------- --------- ------ -----------
0 0 0 0 0
1 0 0 0 1
2 0 0 1 2
3 0 0 1 3
4 0 0 2 -1
5 0 0 2 -1
6 0 0 3 -1
7 0 0 3 -1
8 0 0 4 -1
9 0 0 4 -1
10 0 0 5 -1
11 0 0 5 -1
12 0 0 6 -1
13 0 0 6 -1
14 0 0 7 -1
15 0 0 7 -1
16 1 1 16 4
17 1 1 16 5
18 1 1 17 6
19 1 1 17 7
20 1 1 18 -1
21 1 1 18 -1
22 1 1 19 -1
23 1 1 19 -1
24 1 1 20 -1
25 1 1 20 -1
26 1 1 21 -1
27 1 1 21 -1
28 1 1 22 -1
29 1 1 22 -1
30 1 1 23 -1
31 1 1 23 -1

Example 2 – Print all CPU groups on the host

Here, we'll list all CPU groups on the current host, their GroupId, the group's CPU cap, and the indicies of LPs
assigned to that group.
Note that valid CPU cap values are in the range [0, 65536], and these values express the group cap in percent (e.g.,
32768 = 50%).

C:\vm\tools>CpuGroups.exe GetGroups

CpuGroupId CpuCap LpIndexes

------------------------------------ ------ --------
36AB08CB-3A76-4B38-992E-000000000002 32768 4,5,6,7,8,9,10,11,20,21,22,23
36AB08CB-3A76-4B38-992E-000000000003 65536 12,13,14,15
36AB08CB-3A76-4B38-992E-000000000004 65536 24,25,26,27,28,29,30,31

Example 3 – Print a single CPU group

In this example, we'll query a single CPU Group using the GroupId as a filter.

C:\vm\tools>CpuGroups.exe GetGroups /GroupId:36AB08CB-3A76-4B38-992E-000000000003

CpuGroupId CpuCap LpIndexes
------------------------------------ ------ ----------
36AB08CB-3A76-4B38-992E-000000000003 65536 12,13,14,15

Example 4 – Create a new CPU group

Here, we'll create a new CPU group, specifying the Group ID and the set of LPs to assign to the group.

C:\vm\tools>CpuGroups.exe CreateGroup /GroupId:36AB08CB-3A76-4B38-992E-000000000001 /GroupAffinity:0,1,16,17

Now display our newly added group.

C:\vm\tools>CpuGroups.exe GetGroups
CpuGroupId CpuCap LpIndexes
------------------------------------ ------ ---------
36AB08CB-3A76-4B38-992E-000000000001 65536 0,1,16,17
36AB08CB-3A76-4B38-992E-000000000002 32768 4,5,6,7,8,9,10,11,20,21,22,23
36AB08CB-3A76-4B38-992E-000000000003 65536 12,13,14,15
36AB08CB-3A76-4B38-992E-000000000004 65536 24,25,26,27,28,29,30,31

Example 5 – Set the CPU group cap to 50%

Here, we'll set the CPU group cap to 50%.

C:\vm\tools>CpuGroups.exe SetGroupProperty /GroupId:36AB08CB-3A76-4B38-992E-000000000001 /CpuCap:32768

Now let's confirm our setting by displaying the group we just updated.

C:\vm\tools>CpuGroups.exe GetGroups /GroupId:36AB08CB-3A76-4B38-992E-000000000001

CpuGroupId CpuCap LpIndexes

------------------------------------ ------ ---------
36AB08CB-3A76-4B38-992E-000000000001 32768 0,1,16,17

Example 6 – Print CPU group ids for all VMs on the host

C:\vm\tools>CpuGroups.exe GetVmGroup

VmName VmId CpuGroupId

------ ------------------------------------ ------------------------------------
G2 4ABCFC2F-6C22-498C-BB38-7151CE678758 36ab08cb-3a76-4b38-992e-000000000002
P1 973B9426-0711-4742-AD3B-D8C39D6A0DEC 36ab08cb-3a76-4b38-992e-000000000003
P2 A593D93A-3A5F-48AB-8862-A4350E3459E8 36ab08cb-3a76-4b38-992e-000000000004
G3 B0F3FCD5-FECF-4A21-A4A2-DE4102787200 36ab08cb-3a76-4b38-992e-000000000002
G1 F699B50F-86F2-4E48-8BA5-EB06883C1FDC 36ab08cb-3a76-4b38-992e-000000000002

Example 7 – Unbind a VM from the CPU group

To remove a VM from a CPU group, set to VM's CpuGroupId to the NULL GUID. This unbinds the VM from the
CPU group.

C:\vm\tools>CpuGroups.exe SetVmGroup /VmName:g1 /GroupId:00000000-0000-0000-0000-000000000000

C:\vm\tools>CpuGroups.exe GetVmGroup
VmName VmId CpuGroupId
------ ------------------------------------ ------------------------------------
G2 4ABCFC2F-6C22-498C-BB38-7151CE678758 36ab08cb-3a76-4b38-992e-000000000002
P1 973B9426-0711-4742-AD3B-D8C39D6A0DEC 36ab08cb-3a76-4b38-992e-000000000003
P2 A593D93A-3A5F-48AB-8862-A4350E3459E8 36ab08cb-3a76-4b38-992e-000000000004
G3 B0F3FCD5-FECF-4A21-A4A2-DE4102787200 36ab08cb-3a76-4b38-992e-000000000002
G1 F699B50F-86F2-4E48-8BA5-EB06883C1FDC 00000000-0000-0000-0000-000000000000

Example 8 – Bind a VM to an existing CPU group

Here, we'll add a VM to an existing CPU group. Note that the VM must not be bound to any existing CPU group,
or setting CPU group id will fail.

C:\vm\tools>CpuGroups.exe SetVmGroup /VmName:g1 /GroupId:36AB08CB-3A76-4B38-992E-000000000001

Now, confirm the VM G1 is in the desired CPU group.

C:\vm\tools>CpuGroups.exe GetVmGroup
VmName VmId CpuGroupId
------ ------------------------------------ ------------------------------------
G2 4ABCFC2F-6C22-498C-BB38-7151CE678758 36ab08cb-3a76-4b38-992e-000000000002
P1 973B9426-0711-4742-AD3B-D8C39D6A0DEC 36ab08cb-3a76-4b38-992e-000000000003
P2 A593D93A-3A5F-48AB-8862-A4350E3459E8 36ab08cb-3a76-4b38-992e-000000000004
G3 B0F3FCD5-FECF-4A21-A4A2-DE4102787200 36ab08cb-3a76-4b38-992e-000000000002
G1 F699B50F-86F2-4E48-8BA5-EB06883C1FDC 36AB08CB-3A76-4B38-992E-000000000001

Example 9 – Print all VMs grouped by CPU group id

C:\vm\tools>CpuGroups.exe GetGroupVms
CpuGroupId VmName VmId
------------------------------------ ------ ------------------------------------
36AB08CB-3A76-4B38-992E-000000000001 G1 F699B50F-86F2-4E48-8BA5-EB06883C1FDC
36ab08cb-3a76-4b38-992e-000000000002 G2 4ABCFC2F-6C22-498C-BB38-7151CE678758
36ab08cb-3a76-4b38-992e-000000000002 G3 B0F3FCD5-FECF-4A21-A4A2-DE4102787200
36ab08cb-3a76-4b38-992e-000000000003 P1 973B9426-0711-4742-AD3B-D8C39D6A0DEC
36ab08cb-3a76-4b38-992e-000000000004 P2 A593D93A-3A5F-48AB-8862-A4350E3459E8

Example 10 – Print all VMs for a single CPU group

C:\vm\tools>CpuGroups.exe GetGroupVms /GroupId:36ab08cb-3a76-4b38-992e-000000000002

CpuGroupId VmName VmId

------------------------------------ ------ ------------------------------------
36ab08cb-3a76-4b38-992e-000000000002 G2 4ABCFC2F-6C22-498C-BB38-7151CE678758
36ab08cb-3a76-4b38-992e-000000000002 G3 B0F3FCD5-FECF-4A21-A4A2-DE4102787200

Example 11 – Attempting to delete a non-empty CPU Group

Only empty CPU groups—that is, CPU groups with no bound VMs—can be deleted. Attempting to delete a non-
empty CPU group will fail.

C:\vm\tools>CpuGroups.exe DeleteGroup /GroupId:36ab08cb-3a76-4b38-992e-000000000001

(null)
Failed with error 0xc0350070

Example 12 – Unbind the only VM from a CPU group and delete the group
In this example, we'll use several commands to examine a CPU group, remove the single VM belonging to that
group, then delete the group.
First, let's enumerate the VMs in our group.

C:\vm\tools>CpuGroups.exe GetGroupVms /GroupId:36AB08CB-3A76-4B38-992E-000000000001

CpuGroupId VmName VmId
------------------------------------ ------ ------------------------------------
36AB08CB-3A76-4B38-992E-000000000001 G1 F699B50F-86F2-4E48-8BA5-EB06883C1FDC
We see that only a single VM, named G1, belongs to this group. Let's remove the G1 VM from our group by
setting the VM's group ID to NULL.

C:\vm\tools>CpuGroups.exe SetVmGroup /VmName:g1 /GroupId:00000000-0000-0000-0000-000000000000

And verify our change...

C:\vm\tools>CpuGroups.exe GetVmGroup /VmName:g1

VmName VmId CpuGroupId
------ ------------------------------------ ------------------------------------
G1 F699B50F-86F2-4E48-8BA5-EB06883C1FDC 00000000-0000-0000-0000-000000000000

Now that the group is empty, we can safely delete it.

C:\vm\tools>CpuGroups.exe DeleteGroup /GroupId:36ab08cb-3a76-4b38-992e-000000000001

And confirm our group is gone.

C:\vm\tools>CpuGroups.exe GetGroups
CpuGroupId CpuCap LpIndexes
------------------------------------ ------ -----------------------------
36AB08CB-3A76-4B38-992E-000000000002 32768 4,5,6,7,8,9,10,11,20,21,22,23
36AB08CB-3A76-4B38-992E-000000000003 65536 12,13,14,15
36AB08CB-3A76-4B38-992E-000000000004 65536 24,25,26,27,28,29,30,31

Example 13 – Bind a VM back to its original CPU group

C:\vm\tools>CpuGroups.exe SetVmGroup /VmName:g1 /GroupId:36AB08CB-3A76-4B38-992E-000000000002

C:\vm\tools>CpuGroups.exe GetGroupVms
CpuGroupId VmName VmId
------------------------------------ -------------------------------- ------------------------------------
36ab08cb-3a76-4b38-992e-000000000002 G2 4ABCFC2F-6C22-498C-BB38-7151CE678758
36ab08cb-3a76-4b38-992e-000000000002 G3 B0F3FCD5-FECF-4A21-A4A2-DE4102787200
36AB08CB-3A76-4B38-992E-000000000002 G1 F699B50F-86F2-4E48-8BA5-EB06883C1FDC
36ab08cb-3a76-4b38-992e-000000000003 P1 973B9426-0711-4742-AD3B-D8C39D6A0DEC
36ab08cb-3a76-4b38-992e-000000000004 P2 A593D93A-3A5F-48AB-8862-A4350E3459E8
 Managing Hyper-V hypervisor scheduler types
6/4/2019 • 10 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Windows Server, version 1709, Windows Server, version
1803,Windows Server 2019

This article describes new modes of virtual processor scheduling logic first introduced in Windows Server 2016.
These modes, or scheduler types, determine how the Hyper-V hypervisor allocates and manages work across guest
virtual processors. A Hyper-V host administrator can select hypervisor scheduler types that are best suited for the
guest virtual machines (VMs) and configure the VMs to take advantage of the scheduling logic.

NOTE
Updates are required to use the hypervisor scheduler features described in this document. For details, see Required updates.

Background
Before discussing the logic and controls behind Hyper-V virtual processor scheduling, it’s helpful to review the
basic concepts covered in this article.
Understanding SMT
Simultaneous multithreading, or SMT, is a technique utilized in modern processor designs that allows the
processor’s resources to be shared by separate, independent execution threads. SMT generally offers a modest
performance boost to most workloads by parallelizing computations when possible, increasing instruction
throughput, though no performance gain or even a slight loss in performance may occur when contention between
threads for shared processor resources occurs. Processors supporting SMT are available from both Intel and AMD.
Intel refers to their SMT offerings as Intel Hyper Threading Technology, or Intel HT.
For the purposes of this article, the descriptions of SMT and how it is utilized by Hyper-V apply equally to both
Intel and AMD systems.
For more information on Intel HT Technology, refer to Intel Hyper-Threading Technology
For more information on AMD SMT, refer to The "Zen" Core Architecture

Understanding how Hyper-V virtualizes processors

Before considering hypervisor scheduler types, it’s also helpful to understand the Hyper-V architecture. You can
find a general summary in Hyper-V Technology Overview. These are important concepts for this article:
Hyper-V creates and manages virtual machine partitions, across which compute resources are allocated and
shared, under control of the hypervisor. Partitions provide strong isolation boundaries between all guest
virtual machines, and between guest VMs and the root partition.
The root partition is itself a virtual machine partition, although it has unique properties and much greater
privileges than guest virtual machines. The root partition provides the management services that control all
guest virtual machines, provides virtual device support for guests, and manages all device I/O for guest
virtual machines. Microsoft strongly recommends not running any application workloads in the root
partition.
Each virtual processor (VP ) of the root partition is mapped 1:1 to an underlying logical processor (LP ). A
 host VP will always run on the same underlying LP – there is no migration of the root partition’s VPs.
By default, the LPs on which host VPs run can also run guest VPs.
A guest VP may be scheduled by the hypervisor to run on any available logical processor. While the
hypervisor scheduler takes care to consider temporal cache locality, NUMA topology, and many other
factors when scheduling a guest VP, ultimately the VP could be scheduled on any host LP.

Hypervisor scheduler types

Starting with Windows Server 2016, the Hyper-V hypervisor supports several modes of scheduler logic, which
determine how the hypervisor schedules virtual processors on the underlying logical processors. These scheduler
types are:
The classic, fair-share scheduler
The core scheduler
The root scheduler
The classic scheduler
The classic scheduler has been the default for all versions of the Windows Hyper-V hypervisor since its inception,
including Windows Server 2016 Hyper-V. The classic scheduler provides a fair share, preemptive round- robin
scheduling model for guest virtual processors.
The classic scheduler type is the most appropriate for the vast majority of traditional Hyper-V uses – for private
clouds, hosting providers, and so on. The performance characteristics are well understood and are best optimized
to support a wide range of virtualization scenarios, such as over-subscription of VPs to LPs, running many
heterogenous VMs and workloads simultaneously, running larger scale high performance VMs, supporting the full
feature set of Hyper-V without restrictions, and more.
The core scheduler
The hypervisor core scheduler is a new alternative to the classic scheduler logic, introduced in Windows Server
2016 and Windows 10 version 1607. The core scheduler offers a strong security boundary for guest workload
isolation, and reduced performance variability for workloads inside of VMs that are running on an SMT-enabled
virtualization host. The core scheduler allows running both SMT and non-SMT virtual machines simultaneously on
the same SMT-enabled virtualization host.
The core scheduler utilizes the virtualization host’s SMT topology, and optionally exposes SMT pairs to guest
virtual machines, and schedules groups of guest virtual processors from the same virtual machine onto groups of
SMT logical processors. This is done symmetrically so that if LPs are in groups of two, VPs are scheduled in groups
of two, and a core is never shared between VMs. When the VP is scheduled for a virtual machine without SMT
enabled, that VP will consume the entire core when it runs.
The overall result of the core scheduler is that:
Guest VPs are constrained to run on underlying physical core pairs, isolating a VM to processor core
boundaries, thus reducing vulnerability to side-channel snooping attacks from malicious VMs.
Variability in throughput is significantly reduced.
Performance is potentially reduced, because if only one of a group of VPs can run, only one of the
instruction streams in the core executes while the other is left idle.
The OS and applications running in the guest virtual machine can utilize SMT behavior and programming
interfaces (APIs) to control and distribute work across SMT threads, just as they would when run non-
virtualized.
A strong security boundary for guest workload isolation - Guest VPs are constrained to run on underlying
 physical core pairs, reducing vulnerability to side-channel snooping attacks.
The core scheduler will be used by default starting in Windows Server 2019. On Windows Server 2016, the core
scheduler is optional and must be explicitly enabled by the Hyper-V host administrator, and the classic scheduler is
the default.
Core scheduler behavior with host SMT disabled
If the hypervisor is configured to use the core scheduler type but the SMT capability is disabled or not present on
the virtualization host, then the hypervisor will use the classic scheduler behavior, regardless of the hypervisor
scheduler type setting.
The root scheduler
The root scheduler was introduced with Windows 10 version 1803. When the root scheduler type is enabled, the
hypervisor cedes control of work scheduling to the root partition. The NT scheduler in the root partition’s OS
instance manages all aspects of scheduling work to system LPs.
The root scheduler addresses the unique requirements inherent with supporting a utility partition to provide
strong workload isolation, as used with Windows Defender Application Guard (WDAG ). In this scenario, leaving
scheduling responsibilities to the root OS offers several advantages. For example, CPU resource controls
applicable to container scenarios may be used with the utility partition, simplifying management and deployment.
In addition, the root OS scheduler can readily gather metrics about workload CPU utilization inside the container
and use this data as input to the same scheduling policy applicable to all other workloads in the system. These
same metrics also help clearly attribute work done in an application container to the host system. Tracking these
metrics is more difficult with traditional virtual machine workloads, where some work on all running VM’s behalf
takes place in the root partition.
Root scheduler use on client systems
Starting with Windows 10 version 1803, the root scheduler is used by default on client systems only, where the
hypervisor may be enabled in support of virtualization-based security and WDAG workload isolation, and for
proper operation of future systems with heterogeneous core architectures. This is the only supported hypervisor
scheduler configuration for client systems. Administrators should not attempt to override the default hypervisor
scheduler type on Windows 10 client systems.
Virtual Machine CPU resource controls and the root scheduler
The virtual machine processor resource controls provided by Hyper-V are not supported when the hypervisor root
scheduler is enabled as the root operating system’s scheduler logic is managing host resources on a global basis
and does not have knowledge of a VM’s specific configuration settings. The Hyper-V per-VM processor resource
controls, such as caps, weights, and reserves, are only applicable where the hypervisor directly controls VP
scheduling, such as with the classic and core scheduler types.
Root scheduler use on server systems
The root scheduler is not recommended for use with Hyper-V on servers at this time, as its performance
characteristics have not yet been fully characterized and tuned to accommodate the wide range of workloads
typical of many server virtualization deployments.

Enabling SMT in guest virtual machines

Once the virtualization host’s hypervisor is configured to use the core scheduler type, guest virtual machines may
be configured to utilize SMT if desired. Exposing the fact that VPs are hyperthreaded to a guest virtual machine
allows the scheduler in the guest operating system and workloads running in the VM to detect and utilize the SMT
topology in their own work scheduling. On Windows Server 2016, guest SMT is not configured by default and
must be explicitly enabled by the Hyper-V host administrator. Starting with Windows Server 2019, new VMs
created on the host will inherit the host's SMT topology by default. That is, a version 9.0 VM created on a host with
2 SMT threads per core would also see 2 SMT threads per core.
PowerShell must be used to enable SMT in a guest virtual machine; there is no user interface provided in Hyper-V
Manager. To enable SMT in a guest virtual machine, open a PowerShell window with sufficient permissions, and
type:

Set-VMProcessor -VMName <VMName> -HwThreadCountPerCore <n>

Where is the number of SMT threads per core the guest VM will see.
Note that = 0 will set the HwThreadCountPerCore value to match the host's SMT thread count per core value.

NOTE
Setting HwThreadCountPerCore = 0 is supported beginning with Windows Server 2019.

Below is an example of System Information taken from the guest operating system running in a virtual machine
with 2 virtual processors and SMT enabled. The guest operating system is detecting 2 logical processors belonging
to the same core.

Configuring the hypervisor scheduler type on Windows Server 2016

Hyper-V
Windows Server 2016 Hyper-V uses the classic hypervisor scheduler model by default. The hypervisor can be
optionally configured to use the core scheduler, to increase security by restricting guest VPs to run on
corresponding physical SMT pairs, and to support the use of virtual machines with SMT scheduling for their guest
VPs.

NOTE
Microsoft recommends that all customers running Windows Server 2016 Hyper-V select the core scheduler to ensure their
virtualization hosts are optimally protected against potentially malicious guest VMs.

Windows Server 2019 Hyper-V defaults to using the core scheduler

To help ensure Hyper-V hosts are deployed in the optimal security configuration, Windows Server 2019 Hyper-V
will now use the core hypervisor scheduler model by default. The host administrator may optionally configure the
host to use the legacy classic scheduler. Administrators should carefully read, understand and consider the impacts
each scheduler type has on the security and performance of virtualization hosts prior to overriding the scheduler
type default settings. See Understanding Hyper-V scheduler type selection for more information.
Required updates

NOTE
The following updates are required to use the hypervisor scheduler features described in this document. These updates
include changes to support the new 'hypervisorschedulertype' BCD option, which is necessary for host configuration.

VERSION RELEASE UPDATE REQUIRED KB ARTICLE

Windows Server 2016 1607 2018.07 C KB4338822

Windows Server 2016 1703 2018.07 C KB4338827

Windows Server 2016 1709 2018.07 C KB4338817

Windows Server 2019 1804 None None

Selecting the hypervisor scheduler type on Windows Server

The hypervisor scheduler configuration is controlled via the hypervisorschedulertype BCD entry.
To select a scheduler type, open a command prompt with administrator privileges:

bcdedit /set hypervisorschedulertype type

Where type is one of:

Classic
Core
Root
The system must be rebooted for any changes to the hypervisor scheduler type to take effect.

NOTE
The hypervisor root scheduler is not supported on Windows Server Hyper-V at this time. Hyper-V administrators should not
attempt to configure the root scheduler for use with server virtualization scenarios.

Determining the current scheduler type

You can determine the current hypervisor scheduler type in use by examining the System log in Event Viewer for
the most recent hypervisor launch event ID 2, which reports the hypervisor scheduler type configured at
hypervisor launch. Hypervisor launch events can be obtained from the Windows Event Viewer, or via PowerShell.
Hypervisor launch event ID 2 denotes the hypervisor scheduler type, where:
1 = Classic scheduler, SMT disabled

2 = Classic scheduler

3 = Core scheduler

4 = Root scheduler
Querying the Hyper-V hypervisor scheduler type launch event using PowerShell
To query for hypervisor event ID 2 using PowerShell, enter the following commands from a PowerShell prompt.

Get-WinEvent -FilterHashTable @{ProviderName="Microsoft-Windows-Hyper-V-Hypervisor"; ID=2} -MaxEvents 1

 About Hyper-V hypervisor scheduler type selection
3/12/2019 • 13 minutes to read • Edit Online

Applies To:
Windows Server 2016
Windows Server, version 1709
Windows Server, version 1803
Windows Server 2019
This document describes important changes to Hyper-V's default and recommended use of hypervisor scheduler
types. These changes impact both system security and virtualization performance. Virtualization host
administrators should review and understand the changes and implications described in this document, and
carefully evaluate the impacts, suggested deployment guidance and risk factors involved to best understand how to
deploy and manage Hyper-V hosts in the face of the rapidly changing security landscape.

IMPORTANT
Currently known side-channel security vulnerabilities sighted in multiple processor architectures could be exploited by a
malicious guest VM through the scheduling behavior of the legacy hypervisor classic scheduler type when run on hosts with
Simultaneous Multithreading (SMT) enabled. If successfully exploited, a malicious workload could observe data outside its
partition boundary. This class of attacks can be mitigated by configuring the Hyper-V hypervisor to utilize the hypervisor
core scheduler type and reconfiguring guest VMs. With the core scheduler, the hypervisor restricts a guest VM's VPs to run
on the same physical processor core, therefore strongly isolating the VM's ability to access data to the boundaries of the
physical core on which it runs. This is a highly effective mitigation against these side-channel attacks, which prevents the VM
from observing any artifacts from other partitions, whether the root or another guest partition. Therefore, Microsoft is
changing the default and recommended configuration settings for virtualization hosts and guest VMs.

Background
Starting with Windows Server 2016, Hyper-V supports several methods of scheduling and managing virtual
processors, referred to as hypervisor scheduler types. A detailed description of all hypervisor scheduler types can
be found in Understanding and using Hyper-V hypervisor scheduler types.

NOTE
New hypervisor scheduler types were first introduced with Windows Server 2016, and are not available in prior releases. All
versions of Hyper-V prior to Windows Server 2016 support only the classic scheduler. Support for the core scheduler was
only recently published.

About hypervisor scheduler types

This article focuses specifically on the use of the new hypervisor core scheduler type versus the legacy "classic"
scheduler, and how these scheduler types intersect with the use of Symmetric Multi-Threading, or SMT. It is
important to understand the differences between the core and classic schedulers and how each places work from
guest VMs on the underlying system processors.
The classic scheduler
The classic scheduler refers to the fair-share, round robin method of scheduling work on virtual processors (VPs)
across the system - including root VPs as well as VPs belonging to guest VMs. The classic scheduler has been the
default scheduler type used on all versions of Hyper-V (until Windows Server 2019, as described herein). The
performance characteristics of the classic scheduler are well understood, and the classic scheduler is demonstrated
to ably support over-subscription of workloads - that is, over-subscription of the host's VP:LP ratio by a reasonable
margin (depending on the types of workloads being virtualized, overall resource utilization, etc.).
When run on a virtualization host with SMT enabled, the classic scheduler will schedule guest VPs from any VM
on each SMT thread belonging to a core independently. Therefore, different VMs can be running on the same core
at the same time (one VM running on one thread of a core while another VM is running on the other thread).
The core scheduler
The core scheduler leverages the properties of SMT to provide isolation of guest workloads, which impacts both
security and system performance. The core scheduler ensures that VPs from a VM are scheduled on sibling SMT
threads. This is done symmetrically so that if LPs are in groups of two, VPs are scheduled in groups of two, and a
system CPU core is never shared between VMs.
By scheduling guest VPs on underlying SMT pairs, the core scheduler offers a strong security boundary for
workload isolation, and can also be used to reduce performance variability for latency sensitive workloads.
Note that when the VP is scheduled for a virtual machine without SMT enabled, that VP will consume the entire
core when it runs, and the core's sibling SMT thread will be left idle. This is necessary to provide the correct
workload isolation, but impacts overall system performance, especially as the system LPs become over-subscribed
- that is, when total VP:LP ratio exceeds 1:1. Therefore, running guest VMs configured without multiple threads per
core is a sub-optimal configuration.
Benefits of the using the core scheduler
The core scheduler offers the following benefits:
A strong security boundary for guest workload isolation - Guest VPs are constrained to run on underlying
physical core pairs, reducing vulnerability to side-channel snooping attacks.
Reduced workload variability - Guest workload throughput variability is significantly reduced, offering
greater workload consistency.
Use of SMT in guest VMs - The OS and applications running in the guest virtual machine can utilize SMT
behavior and programming interfaces (APIs) to control and distribute work across SMT threads, just as they
would when run non-virtualized.
The core scheduler is currently used on Azure virtualization hosts, specifically to take advantage of the strong
security boundary and low workload variabilty. Microsoft believes that the core scheduler type should be and will
continue to be the default hypervisor scheduling type for the majority of virtualization scenarios. Therefore, to
ensure our customers are secure by default, Microsoft is making this change for Windows Server 2019 now.
Core scheduler performance impacts on guest workloads
While required to effectively mitigate certain classes of vulnerabilities, the core scheduler may also potentially
reduce performance. Customers may see a difference in the performance characteristics with their VMs and
impacts to the overall workload capacity of their virtualization hosts. In cases where the core scheduler must run a
non-SMT VP, only one of the instruction streams in the underlying logical core executes while the other must be
left idle. This will limit the total host capacity for guest workloads.
These performance impacts can be minimized by following the deployment guidance in this document. Host
administrators must carefully consider their specific virtualization deployment scenarios and balance their
tolerance for security risk against the need for maximum workload density, over-consolidation of virtualization
hosts, etc.

Changes to the default and recommended configurations for Windows

Server 2016 and Windows Server 2019
Deploying Hyper-V hosts with the maximum security posture requires use of the hypervisor core scheduler type.
To ensure our customers are secure by default, Microsoft is changing the following default and recommended
settings.

NOTE
While the hypervisor's internal support for the scheduler types was included in the initial release of Windows Server 2016,
Windows Server 1709, and Windows Server 1803, updates are required in order to access the configuration control which
allows selecting the hypervisor scheduler type. Please refer to Understanding and using Hyper-V hypervisor scheduler types
for details on these updates.

Virtualization host changes

The hypervisor will use the core scheduler by default beginning with Windows Server 2019.
Microsoft reccommends configuring the core scheduler on Windows Server 2016. The hypervisor core
scheduler type is supported in Windows Server 2016, however the default is the classic scheduler. The core
scheduler is optional and must be explicitly enabled by the Hyper-V host administrator.
Virtual machine configuration changes
On Windows Server 2019, new virtual machines created using the default VM version 9.0 will automatically
inherit the SMT properties (enabled or disabled) of the virtualization host. That is, if SMT is enabled on the
physical host, newly created VMs will also have SMT enabled, and will inherit the SMT topology of the host
by default, with the VM having the same number of hardware threads per core as the underlying system.
This will be reflected in the VM's configuration with HwThreadCountPerCore = 0, where 0 indicates the VM
should inherit the host's SMT settings.
Existing virtual machines with a VM version of 8.2 or earlier will retain their original VM processor setting
for HwThreadCountPerCore, and the default for 8.2 VM version guests is HwThreadCountPerCore = 1.
When these guests run on a Windows Server 2019 host, they will be treated as follows:
1. If the VM has a VP count that is less than or equal to the count of LP cores, the VM will be treated as
a non-SMT VM by the core scheduler. When the guest VP runs on a single SMT thread, the core's
sibling SMT thread will be idled. This is non-optimal, and will result in overall loss of performance.
2. If the VM has more VPs than LP cores, the VM will be treated as an SMT VM by the core scheduler.
However, the VM will not observe other indications that it is an SMT VM. For example, use of the
CPUID instruction or Windows APIs to query CPU toplogy by the OS or applications will not
indicate that SMT is enabled.
When an existing VM is explicitly updated from eariler VM versions to version 9.0 through the Update-VM
operation, the VM will retain its current value for HwThreadCountPerCore. The VM will not have SMT
force-enabled.
On Windows Server 2016, Microsoft recommends enabling SMT for guest VMs. By default, VMs created on
Windows Server 2016 would have SMT disabled, that is HwThreadCountPerCore is set to 1, unless
explicitly changed.

NOTE
Windows Server 2016 does not support setting HwThreadCountPerCore to 0.

Managing virtual machine SMT configuration

The guest virtual machine SMT configuration is set on a per-VM basis. The host administrator can inspect and
configure a VM's SMT configuration to select from the following options:

1. Configure VMs to run as SMT-enabled, optionally inheriting the host SMT topology automatically

2. Configure VMs to run as non-SMT

The SMT configuaration for a VM is displayed in the Summary panes in the Hyper-V Manager console.
Configuring a VM's SMT settings may be done by using the VM Settings or PowerShell.
Configuring VM SMT settings using PowerShell
To configure the SMT settings for a guest virtual machine, open a PowerShell window with sufficient permissions,
and type:

Set-VMProcessor -VMName <VMName> -HwThreadCountPerCore <0, 1, 2>

Where:

0 = Inherit SMT topology from the host (this setting of HwThreadCountPerCore=0 is not supported on Windows
Server 2016)

1 = Non-SMT

Values > 1 = the desired number of SMT threads per core. May not exceed the number of physical SMT threads per
core.

To read the SMT settings for a guest virtual machine, open a PowerShell window with sufficient permissions, and
type:

(Get-VMProcessor -VMName <VMName>).HwThreadCountPerCore

Note that guest VMs configured with HwThreadCountPerCore = 0 indicates that SMT will be enabled for the
guest, and will expose the same number of SMT threads to the guest as they are on the underlying virtualization
host, typically 2.
Guest VMs may observe changes to CPU topology across VM mobility scenarios
The OS and applications in a VM may see changes to both host and VM settings before and after VM lifecycle
events such as live migration or save and restore operations. During an operation in which VM state is saved and
restored, both the VM's HwThreadCountPerCore setting and the realized value (that is, the computed combination
of the VM's setting and source host’s configuration) are migrated. The VM will continue running with these
settings on the destination host. At the point the VM is shutdown and re-started, it’s possible that the realized value
observed by the VM will change. This should be benign, as OS and application layer software should look for CPU
topology information as part of their normal startup and initialization code flows. However, because these boot
time initialization sequences are skipped during live migration or save/restore operations, VMs that undergo these
state transitions could observe the originally computed realized value until they are shut down and re-started.
Alerts regarding non-optimal VM configurations
Virtual machines configured with more VPs than there are physical cores on the host result in a non-optimal
configuration. The hypervisor scheduler will treat these VMs as if they are SMT-aware. However, OS and
application software in the VM will be presented a CPU topology showing SMT is disabled. When this condition is
detected, the Hyper-V Worker Process will log an event on the virtualization host warning the host administrator
that the VM's configuration is non-optimal, and recommending SMT be enabled for the VM.
How to identify non-optimally configured VMs
You can identify non-SMT VMs by examining the System Log in Event Viewer for Hyper-V Worker Process event
ID 3498, which will be triggered for a VM whenever the number of VPs in the VM is greater than the physical core
count. Worker process events can be obtained from Event Viewer, or via PowerShell.
Querying the Hyper-V worker process VM event using PowerShell
To query for Hyper-V worker process event ID 3498 using PowerShell, enter the following commands from a
PowerShell prompt.

Get-WinEvent -FilterHashTable @{ProviderName="Microsoft-Windows-Hyper-V-Worker"; ID=3498}

Impacts of guest SMT configuaration on the use of hypervisor enlightenments for guest operating systems
The Microsoft hypervisor offers multiple enlightenments, or hints, which the OS running in a guest VM may query
and use to trigger optimizations, such as those that might benefit performance or otherwise improve handling of
various conditions when running virtualized. One recently introduced enlightenment concerns the handling of
virtual processor scheduling and the use of OS mitigations for side-channel attacks that exploit SMT.

NOTE
Microsoft recommends that host administrators enable SMT for guest VMs to optimize workload performance.

The details of this guest enlightenment are provided below, however the key takeaway for virtualization host
administrators is that virtual machines should have HwThreadCountPerCore configured to match the host’s
physical SMT configuration. This allows the hypervisor to report that there is no non-architectural core sharing.
Therefore, any guest OS supporting optimizations that require the enlightenment may be enabled. On Windows
Server 2019, create new VMs and leave the default value of HwThreadCountPerCore (0). Older VMs migrated
from Windows Server 2016 hosts can be updated to the Windows Server 2019 configuration version. After doing
so, Microsoft recommends setting HwThreadCountPerCore = 0. On Windows Server 2016, Microsoft
recommends setting HwThreadCountPerCore to match the host configuration (typically 2).
NoNonArchitecturalCoreSharing enlightenment details
Starting in Windows Server 2016, the hypervisor defines a new enlightenment to describe its handling of VP
scheduling and placement to the guest OS. This enlightenment is defined in the Hypervisor Top Level Functional
Specification v5.0c.
Hypervisor synthetic CPUID leaf CPUID.0x40000004.EAX:18[NoNonArchitecturalCoreSharing = 1] indicates that
a virtual processor will never share a physical core with another virtual processor, except for virtual processors that
are reported as sibling SMT threads. For example, a guest VP will never run on an SMT thread alongside a root VP
running simultaneously on a sibling SMT thread on the same processor core. This condition is only possible when
running virtualized, and so represents a non-architectural SMT behavior that also has serious security implications.
The guest OS can use NoNonArchitecturalCoreSharing = 1 as an indication that it is safe to enable optimizations,
which may help it avoid the performance overhead of setting STIBP.
In certain configurations, the hypervisor will not indicate that NoNonArchitecturalCoreSharing = 1. As an example,
if a host has SMT enabled and is configured to use the hypervisor classic scheduler,
NoNonArchitecturalCoreSharing will be 0. This may prevent enlightened guests from enabling certain
optimizations. Therefore, Microsoft recommends that host administrators using SMT rely on the hypervisor core
scheduler and ensure that virtual machines are configured to inherit their SMT configuration from the host to
ensure optimal workload performance.

Summary
The security threat landscape continues to evolve. To ensure our customers are secure by default, Microsoft is
changing the default configuration for the hypervisor and virtual machines starting in Windows Server 2019
Hyper-V, and providing updated guidance and recommendations for customers running Windows Server 2016
Hyper-V. Virtualization host administrators should:
Read and understand the guidance provided in this document
Carefully evaluate and adjust their virtualization deployments to ensure they meet the security, performance,
virtualization density, and workload responsiveness goals for their unique requirements
Consider re-configuring existing Windows Server 2016 Hyper-V hosts to leverage the strong security
benefits offered by the hypervisor core scheduler
Update existing non-SMT VMs to reduce the performance impacts from scheduling constraints imposed by
VP isolation that addresses hardware security vulnerabilities
 6/7/2019 • 9 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Windows Server 2019

Manage Hyper-V Integration Services

Hyper-V Integration Services enhance virtual machine performance and provide convenience features by
leveraging two-way communication with the Hyper-V host. Many of these services are conveniences, such as guest
file copy, while others are important to the virtual machine's functionality, such as synthetic device drivers. This set
of services and drivers are sometimes referred to as "integration components". You can control whether or not
individual convenience services operate for any given virtual machine. The driver components are not intended to
be serviced manually.
For details about each integration service, see Hyper-V Integration Services.

IMPORTANT
Each service you want to use must be enabled in both the host and guest in order to function. All integration services except
"Hyper-V Guest Service Interface" are on by default on Windows guest operating systems. The services can be turned on and
off individually. The next sections show you how.

Turn an integration service on or off using Hyper-V Manager

1. From the center pane, right-click the virtual machine and click Settings.
2. From the left pane of the Settings window, under Management, click Integration Services.
The Integration Services pane lists all integration services available on the Hyper-V host, and whether the host has
enabled the virtual machine to use them.
Turn an integration service on or off using PowerShell
To do this in PowerShell, use Enable-VMIntegrationService and Disable-VMIntegrationService.
The following examples demonstrate turning the guest file copy integration service on and off for a virtual machine
named "demovm".
1. Get a list of running integration services:

Get-VMIntegrationService -VMName "DemoVM"

2. The output should look like this:

VMName Name Enabled PrimaryStatusDescription SecondaryStatusDescription

------ ---- ------- ------------------------ --------------------------
DemoVM Guest Service Interface False OK
DemoVM Heartbeat True OK OK
DemoVM Key-Value Pair Exchange True OK
DemoVM Shutdown True OK
DemoVM Time Synchronization True OK
DemoVM VSS True OK
3. Turn on Guest Service Interface:

Enable-VMIntegrationService -VMName "DemoVM" -Name "Guest Service Interface"

4. Verify that Guest Service Interface is enabled:

Get-VMIntegrationService -VMName "DemoVM"

5. Turn off Guest Service Interface:

Disable-VMIntegrationService -VMName "DemoVM" -Name "Guest Service Interface"

Checking the guest's integration services version

Some features may not work correctly or at all if the guest's integration services are not current. To get the version
information for a Windows, log on to the guest operating system, open a command prompt, and run this
command:

REG QUERY "HKLM\Software\Microsoft\Virtual Machine\Auto" /v IntegrationServicesVersion

Earlier guest operating systems will not have all available services. For example, Windows Server 2008 R2 guests
cannot have the "Hyper-V Guest Service Interface".

Start and stop an integration service from a Windows Guest

In order for an integration service to be fully functional, its corresponding service must be running within the guest
in addition to being enabled on the host. In Windows guests, each integration service is listed as a standard
Windows service. You can use the Services applet in Control Panel or PowerShell to stop and start these services.

IMPORTANT
Stopping an integration service may severely affect the host's ability to manage your virtual machine. To work correctly, each
integration service you want to use must be enabled on both the host and guest. As a best practice, you should only control
integration services from Hyper-V using the instructions above. The matching service in the guest operating system will stop
or start automatically when you change its status in Hyper-V. If you start a service in the guest operating system but it is
disabled in Hyper-V, the service will stop. If you stop a service in the guest operating system that is enabled in Hyper-V,
Hyper-V will eventually start it again. If you disable the service in the guest, Hyper-V will be unable to start it.

Use Windows Services to start or stop an integration service within a Windows guest
1. Open Services manager by running services.msc as an Administrator or by double-clicking the Services
icon in Control Panel.
2. Find the services that start with "Hyper-V".
3. Right-click the service you want start or stop. Click the desired action.
Use Windows PowerShell to start or stop an integration service within a Windows guest
1. To get a list of integration services, run:

Get-Service -Name vm*

2. The output should look similar to this:

Status Name DisplayName

------ ---- -----------
Running vmicguestinterface Hyper-V Guest Service Interface
Running vmicheartbeat Hyper-V Heartbeat Service
Running vmickvpexchange Hyper-V Data Exchange Service
Running vmicrdv Hyper-V Remote Desktop Virtualizati...
Running vmicshutdown Hyper-V Guest Shutdown Service
Running vmictimesync Hyper-V Time Synchronization Service
Stopped vmicvmsession Hyper-V VM Session Service
Running vmicvss Hyper-V Volume Shadow Copy Requestor

3. Run either Start-Service or Stop-Service. For example, to turn off Windows PowerShell Direct, run:

Stop-Service -Name vmicvmsession

Start and stop an integration service from a Linux guest

Linux integration services are generally provided through the Linux kernel. The Linux integration services driver is
named hv_utils.
1. To find out if hv_utils is loaded, use this command:

lsmod | grep hv_utils

2. The output should look similar to this:

 Module Size Used by
hv_utils 20480 0
hv_vmbus 61440 8
hv_balloon,hyperv_keyboard,hv_netvsc,hid_hyperv,hv_utils,hyperv_fb,hv_storvsc

3. To find out if the required daemons are running, use this command.

ps -ef | grep hv

4. The output should look similar to this:

root 236 2 0 Jul11 ? 00:00:00 [hv_vmbus_con]

root 237 2 0 Jul11 ? 00:00:00 [hv_vmbus_ctl]
...
root 252 2 0 Jul11 ? 00:00:00 [hv_vmbus_ctl]
root 1286 1 0 Jul11 ? 00:01:11 /usr/lib/linux-tools/3.13.0-32-generic/hv_kvp_daemon
root 9333 1 0 Oct12 ? 00:00:00 /usr/lib/linux-tools/3.13.0-32-generic/hv_kvp_daemon
root 9365 1 0 Oct12 ? 00:00:00 /usr/lib/linux-tools/3.13.0-32-generic/hv_vss_daemon
scooley 43774 43755 0 21:20 pts/0 00:00:00 grep --color=auto hv

5. To see what daemons are available, run:

compgen -c hv_

6. The output should look similar to this:

hv_vss_daemon
hv_get_dhcp_info
hv_get_dns_info
hv_set_ifconfig
hv_kvp_daemon
hv_fcopy_daemon

Integration service daemons that might be listed include the following. If any are missing, they might not be
supported on your system or they might not be installed. Find details, see Supported Linux and FreeBSD
virtual machines for Hyper-V on Windows.
hv_vss_daemon: This daemon is required to create live Linux virtual machine backups.
hv_kvp_daemon: This daemon allows setting and querying intrinsic and extrinsic key value pairs.
hv_fcopy_daemon: This daemon implements a file copying service between the host and guest.
Examples
These examples demonstrate stopping and starting the KVP daemon, named hv_kvp_daemon .
1. Use the process ID (PID ) to stop the daemon's process. To find the PID, look at the second column of the
output, or use pidof . Hyper-V daemons run as root, so you'll need root permissions.

sudo kill -15 `pidof hv_kvp_daemon`

2. To verify that all hv_kvp_daemon process are gone, run:

ps -ef | hv
3. To start the daemon again, run the daemon as root:

sudo hv_kvp_daemon

4. To verify that the hv_kvp_daemon process is listed with a new process ID, run:

ps -ef | hv

Keep integration services up to date

We recommend that you keep integration services up to date to get the best performance and most recent features
for your virtual machines. This happens for most Windows guests by default if they are set up to get important
updates from Windows Update. Linux guests using current kernels will receive the latest integration components
when you update the kernel.
For virtual machines running on Windows 10 hosts:

NOTE
The image file vmguest.iso isn't included with Hyper-V on Windows 10 because it's no longer needed.

GUEST UPDATE MECHANISM NOTES

Windows 10 Windows Update

Windows 8.1 Windows Update

Windows 8 Windows Update Requires the Data Exchange integration

service.*

Windows 7 Windows Update Requires the Data Exchange integration

service.*

Windows Vista (SP 2) Windows Update Requires the Data Exchange integration
service.*

Windows Server 2016 Windows Update

Windows Server, Semi-Annual Channel Windows Update

Windows Server 2012 R2 Windows Update

Windows Server 2012 Windows Update Requires the Data Exchange integration
service.*

Windows Server 2008 R2 (SP 1) Windows Update Requires the Data Exchange integration
service.*

Windows Server 2008 (SP 2) Windows Update Extended support only in Windows
Server 2016 (read more).
 GUEST UPDATE MECHANISM NOTES

Windows Home Server 2011 Windows Update Will not be supported in Windows
Server 2016 (read more).

Windows Small Business Server 2011 Windows Update Not under mainstream support ( read
more).

Linux guests package manager Integration services for Linux are built
into the distro but there may be
optional updates available. ********

* If the Data Exchange integration service can't be enabled, the integration services for these guests are available
from the Download Center as a cabinet (cab) file. Instructions for applying a cab are available in this blog post.
For virtual machines running on Windows 8.1 hosts:

GUEST UPDATE MECHANISM NOTES

Windows 10 Windows Update

Windows 8.1 Windows Update

Windows 8 Integration Services disk See instructions, below.

Windows 7 Integration Services disk See instructions, below.

Windows Vista (SP 2) Integration Services disk See instructions, below.

Windows XP (SP 2, SP 3) Integration Services disk See instructions, below.

Windows Server 2016 Windows Update

Windows Server, Semi-Annual Channel Windows Update

Windows Server 2012 R2 Windows Update

Windows Server 2012 Integration Services disk See instructions, below.

Windows Server 2008 R2 Integration Services disk See instructions, below.

Windows Server 2008 (SP 2) Integration Services disk See instructions, below.

Windows Home Server 2011 Integration Services disk See instructions, below.

Windows Small Business Server 2011 Integration Services disk See instructions, below.

Windows Server 2003 R2 (SP 2) Integration Services disk See instructions, below.
 GUEST UPDATE MECHANISM NOTES

Windows Server 2003 (SP 2) Integration Services disk See instructions, below.

Linux guests package manager Integration services for Linux are built
into the distro but there may be
optional updates available. **

For virtual machines running on Windows 8 hosts:

GUEST UPDATE MECHANISM NOTES

Windows 8.1 Windows Update

Windows 8 Integration Services disk See instructions, below.

Windows 7 Integration Services disk See instructions, below.

Windows Vista (SP 2) Integration Services disk See instructions, below.

Windows XP (SP 2, SP 3) Integration Services disk See instructions, below.

Windows Server 2012 R2 Windows Update

Windows Server 2012 Integration Services disk See instructions, below.

Windows Server 2008 R2 Integration Services disk See instructions, below.

Windows Server 2008 (SP 2) Integration Services disk See instructions, below.

Windows Home Server 2011 Integration Services disk See instructions, below.

Windows Small Business Server 2011 Integration Services disk See instructions, below.

Windows Server 2003 R2 (SP 2) Integration Services disk See instructions, below.

Windows Server 2003 (SP 2) Integration Services disk See instructions, below.

Linux guests package manager Integration services for Linux are built
into the distro but there may be
optional updates available. **

For more details about Linux guests, see Supported Linux and FreeBSD virtual machines for Hyper-V on Windows.

Install or update integration services

For hosts earlier than Windows Server 2016 and Windows 10, you'll need to manually install or update the
integration services in the guest operating systems.
1. Open Hyper-V Manager. From the Tools menu of Server Manager, click Hyper-V Manager.
2. Connect to the virtual machine. Right-click the virtual machine and click Connect.
3. From the Action menu of Virtual Machine Connection, click Insert Integration Services Setup Disk. This
action loads the setup disk in the virtual DVD drive. Depending on the guest operating system, you might
need to start the installation manually.
4. After the installation finishes, all integration services are available for use.
These steps can't be automated or done within a Windows PowerShell session for online virtual machines. You can
apply them to offline VHDX images; see this blog post.
 Manage Windows virtual machines with PowerShell
Direct
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows 10, Windows Server 2016, Windows Server 2019

You can use PowerShell Direct to remotely manage a Windows 10, Windows Server 2016, or Windows Server
2019 virtual machine from a Windows 10, Windows Server 2016, or Windows Server 2019 Hyper-V host.
PowerShell Direct allows Windows PowerShell management inside a virtual machine regardless of the network
configuration or remote management settings on either the Hyper-V host or the virtual machine. This makes it
easier for Hyper-V Administrators to automate and script virtual machine management and configuration.
There are two ways to run PowerShell Direct:
Create and exit a PowerShell Direct session using PSSession cmdlets
Run script or command with the Invoke-Command cmdlet
If you're managing older virtual machines, use Virtual Machine Connection (VMConnect) or configure a virtual
network for the virtual machine.

Create and exit a PowerShell Direct session using PSSession cmdlets

1. On the Hyper-V host, open Windows PowerShell as Administrator.
2. Use the Enter-PSSession cmdlet to connect to the virtual machine. Run one of the following commands to
create a session by using the virtual machine name or GUID:

Enter-PSSession -VMName <VMName>

Enter-PSSession -VMGUID <VMGUID>

3. Type your credentials for the virtual machine.

4. Run whatever commands you need to. These commands run on the virtual machine that you created the
session with.
5. When you're done, use the Exit-PSSession to close the session.

Exit-PSSession

Run script or command with Invoke-Command cmdlet

You can use the Invoke-Command cmdlet to run a pre-determined set of commands on the virtual machine. Here
is an example of how you can use the Invoke-Command cmdlet where PSTest is the virtual machine name and the
script to run (foo.ps1) is in the script folder on the C:/ drive:

Invoke-Command -VMName PSTest -FilePath C:\script\foo.ps1

To run a single command, use the -ScriptBlock parameter:

Invoke-Command -VMName PSTest -ScriptBlock { cmdlet }

What's required to use PowerShell Direct?

To create a PowerShell Direct session on a virtual machine,
The virtual machine must be running locally on the host and booted.
You must be logged into the host computer as a Hyper-V administrator.
You must supply valid user credentials for the virtual machine.
The host operating system must run at least Windows 10 or Windows Server 2016.
The virtual machine must run at least Windows 10 or Windows Server 2016.
You can use the Get-VM cmdlet to check that the credentials you're using have the Hyper-V administrator role and
to get a list of the virtual machines running locally on the host and booted.

See Also
Enter-PSSession
Exit-PSSession
Invoke-Command
 Set up Hyper-V Replica
6/20/2019 • 11 minutes to read • Edit Online

Applies To: Windows Server 2016

Hyper-V Replica is an integral part of the Hyper-V role. It contributes to your disaster recovery strategy by
replicating virtual machines from one Hyper-V host server to another to keep your workloads available. Hyper-V
Replica creates a copy of a live virtual machine to a replica offline virtual machine. Note the following:
Hyper-V hosts: Primary and secondary host servers can be physically co-located or in separate
geographical locations with replication over a WAN link. Hyper-V hosts can be standalone, clustered, or a
mixture of both. There's no Active Directory dependency between the servers and they don't need to be
domain members.
Replication and change tracking: When you enable Hyper-V Replica for a specific virtual machine, initial
replication creates an identical replica virtual machine on a secondary host server. After that happens,
Hyper-V Replica change tracking creates and maintains a log file that captures changes on a virtual machine
VHD. The log file is played in reverse order to the replica VHD based on replication frequency settings. This
means that the latest changes are stored and replicated asynchronously. Replication can be over HTTP or
HTTPS.
Extended (chained) replication: This lets you replicate a virtual machine from a primary host to a
secondary host, and then replicate the secondary host to a third host. Note that you can't replicate from the
primary host directly to the second and the third.
This feature makes Hyper-V Replica more robust for disaster recovery because if an outage occurs you can
recover from both the primary and extended replica. You can fail over to the extended replica if your primary
and secondary locations go down. Note that the extended replica doesn't support application-consistent
replication and must use the same VHDs that the secondary replica is using.
Failover: If an outage occurs in your primary (or secondary in case of extended) location you can manually
initiate a test, planned, or unplanned failover.

TEST PLANNED UNPLANNED

When should I run? Verify that a virtual During planned downtime During unexpected events
machine can fail over and and outages
start in the secondary site

Useful for testing and

training

Is a duplicate virtual Yes No No

machine created?

Where is it initiated? On the replica virtual Initiated on primary and On the replica virtual
machine completed on secondary machine

How often should I run? We recommend once a Once every six months or Only in case of disaster
month for testing in accordance with when the primary virtual
compliance requirements machine is unavailable
 TEST PLANNED UNPLANNED

Does the primary virtual Yes Yes. When the outage is No

machine continue to resolve reverse replication
replicate? replicates the changes
back to the primary site so
that primary and
secondary are
synchronized.

Is there any data loss? None None. After failover Hyper- Depends on the event and
V Replica replicates the last recovery points
set of tracked changes
back to the primary to
ensure zero data loss.

Is there any downtime? None. It doesn't impact The duration of the The duration of the
your production planned outage unplanned outage
environment. It creates a
duplicate test virtual
machine during failover.
After failover finishes you
select Failover on the
replica virtual machine and
it's automatically cleaned
up and deleted.

Recovery points: When you configure replication settings for a virtual machine, you specify the recovery
points you want to store from it. Recovery points represent a snapshot in time from which you can recover a
virtual machine. Obviously less data is lost if you recover from a very recent recovery point. You can access
recovery points up to 24 hours ago.

Deployment prerequisites
Here's what you should verify before you begin:
Figure out which VHDs need to be replicated. In particular, VHDs that contain data that is rapidly
changing and not used by the Replica server after failover, such as page file disks, should be excluded from
replication to conserve network bandwidth. Make a note of which VHDs can be excluded.
Decide how often you need to synchronize data: The data on the Replica server is synchronized
updated according to the replication frequency you configure (30 seconds, 5 minutes, or 15 minutes). The
frequency you choose should consider the following: Are the virtual machines running critical data with a
low RPO? What are you bandwidth considerations? Your highly-critical virtual machines will obviously need
more frequent replication.
Decide how to recover data: By default Hyper-V Replica only stores a single recovery point that will be
the latest replication sent from the primary to the secondary. However if you want the option to recover data
to an earlier point in time you can specify that additional recovery points should be stored (to a maximum of
24 hourly points). If you do need additional recovery points you should note that this requires more
overhead on processing and storage resources.
Figure out which workloads you'll replicate: Standard Hyper-V Replica replication maintains consistency
in the state of the virtual machine operating system after a failover, but not the state of applications that
running on the virtual machine. If you want to be able to recovery your workload state you can create app-
consistent recovery points. Note that app-consistent recovery isn't available on the extended replica site if
you're using extended (chained) replication.
 Decide how to do the initial replication of virtual machine data: Replication starts by transferring the
needs to transfer the current state of the virtual machines. This initial state can be transmitted directly over
the existing network, either immediately or at a later time that you configure. You can also use a pre-existing
restored virtual machine (for example, if you have restored an earlier backup of the virtual machine on the
Replica server) as the initial copy. Or, you can save network bandwidth by copying the initial copy to external
media and then physically delivering the media to the Replica site. If you want to use a preexisting virtual
machine delete all previous snapshots associated with it.

Deployment steps
Step 1: Set up the Hyper-V hosts
You'll need at least two Hyper-V hosts with one or more virtual machines on each server. Get started with Hyper-V.
The host server that you'll replicate virtual machines to will need to be set up as the replica server.
1. In the Hyper-V settings for the server you'll replicate virtual machines to, in Replication Configuration,
select Enable this computer as a Replica server.
2. You can replicate over HTTP or encrypted HTTPS. Select Use Kerberos (HTTP ) or Use certificate-based
Authentication (HTTPS ). By default HTTP 80 and HTTPS 443 are enabled as firewall exceptions on the
replica Hyper-V server. If you change the default port settings you'll need to also change the firewall
exception. If you're replicating over HTTPS, you'll need to select a certificate and you should have certificate
authentication set up.
3. For authorization, select Allow replication from any authenticated server to allow the replica server to
accept virtual machine replication traffic from any primary server that authenticates successfully. Select
Allow replication from the specified servers to accept traffic only from the primary servers you
specifically select.
For both options you can specify where the replicated VHDs should be stored on the replica Hyper-V server.
4. Click OK or Apply.
Step 2: Set up the firewall
To allow replication between the primary and secondary servers, traffic must get through the Windows firewall (or
any other third-party firewalls). When you installed the Hyper-V role on the servers by default exceptions for HTTP
(80) and HTTPS (443) are created. If you're using these standard ports, you'll just need to enable the rules:
To enable the rules on a standalone host server:
1. Open Windows Firewall with Advance Security and click Inbound Rules.
2. To enable HTTP (Kerberos) authentication, right-click Hyper-V Replica HTTP Listener (TCP -In)
>Enable Rule. To enable HTTPS certificate-based authentication, right-click Hyper-V Replica
HTTPS Listener (TCP -In) > Enable Rule.
To enable rules on a Hyper-V cluster, open a Windows PowerShell session using Run as Administrator,
then run one of these commands:
For HTTP:
get-clusternode | ForEach-Object {Invoke-command -computername $_.name -scriptblock {Enable-
Netfirewallrule -displayname "Hyper-V Replica HTTP Listener (TCP-In)"}}

For HTTPS:
get-clusternode | ForEach-Object {Invoke-command -computername $_.name -scriptblock {Enable-
Netfirewallrule -displayname "Hyper-V Replica HTTPS Listener (TCP-In)"}}

Enable virtual machine replication

Do the following on each virtual machine you want to replicate:
 1. In the Details pane of Hyper-V Manager, select a virtual machine by clicking it.
Right-click the selected virtual machine and click Enable Replication to open the Enable Replication wizard.
2. On the Before you Begin page, click Next.
3. On the Specify Replica Server page, in the Replica Server box, enter either the NetBIOS or FQDN of the
Replica server. If the Replica server is part of a failover cluster, enter the name of the Hyper-V Replica Broker.
Click Next.
4. On the Specify Connection Parameters page, Hyper-V Replica automatically retrieves the authentication
and port settings you configured for the replica server. If values aren't being retrieved check that the server
is configured as a replica server, and that it's registered in DNS. If required type in the setting manually.
5. On the Choose Replication VHDs page, make sure the VHDs you want to replicate are selected, and clear
the checkboxes for any VHDs that you want to exclude from replication. Then click Next.
6. On the Configure Replication Frequency page, specify how often changes should be synchronized from
primary to secondary. Then click Next.
7. On the Configure Additional Recovery Points page, select whether you want to maintain only the latest
recovery point or to create additional points. If you want to consistently recover applications and workloads
that have their own VSS writers we recommend you select Volume Shadow Copy Service (VSS )
frequency and specify how often to create app-consistent snapshots. Note that the Hyper-V VMM
Requestor Service must be running on both the primary and secondary Hyper-V servers. Then click Next.
8. On the Choose Initial Replication page, select the initial replication method to use. The default setting to
send initial copy over the network will copy the primary virtual machine configuration file (VMCX) and the
virtual hard disk files (VHDX and VHD ) you selected over your network connection. Verify network
bandwidth availability if you're going to use this option. If the primary virtual machine is already configured
on the secondary site as a replicate virtual machine it can be useful to select Use an existing virtual
machine on the replication server as the initial copy. You can use Hyper-V export to export the primary
virtual machine and import it as a replica virtual machine on the secondary server. For larger virtual
machines or limited bandwidth you can it choose to have initial replication over the network occur at a later
time, and then configure off-peak hours, or to send the initial replication information as offline media.
If you do offline replication you'll transport the initial copy to the secondary server using an external storage
medium such as a hard disk or USB drive. To do this you'll need to connect the external storage to the
primary server (or owner node in a cluster) and then when you select Send initial copy using external media
you can specify a location locally or on your external media where the initial copy can be stored. A
placeholder virtual machine is created on the replica site. After initial replication completes the external
storage can be shipped to the replica site. There you'll connect the external media to the secondary server or
to the owner node of the secondary cluster. Then you'll import the initial replica to a specified location and
merge it into the placeholder virtual machine.
9. On the Completing the Enable Replication page, review the information in the Summary and then click
Finish.. The virtual machine data will be transferred in accordance with your chosen settings. and a dialog
box appears indicating that replication was successfully enabled.
10. If you want to configure extended (chained) replication, open the replica server, and right-click the virtual
machine you want to replicate. Click Replication > Extend Replication and specify the replication settings.

Run a failover
After completing these deployment steps your replicated environment is up and running. Now you can run
failovers as needed.
Test failover: If you want to run a test failover right-click the primary virtual machine and select Replication >
Test Failover. Pick the latest or other recovery point if configured. A new test virtual machine will be created and
started on the secondary site. After you've finished testing, select Stop Test Failover on the replica virtual machine
to clean it up. Note that for a virtual machine you can only run one test failover at a time. Read more.
Planned failover: To run a planned failover right-click the primary virtual machine and select Replication >
Planned Failover. Planned failover performs prerequisites checks to ensure zero data loss. It checks that the
primary virtual machine is shut down before beginning the failover. After the virtual machine is failed over, it starts
replicating the changes back to the primary site when it's available. Note that for this to work the primary server
should be configured to recive replication from the secondary server or from the Hyper-V Replica Broker in the
case of a primary cluster. Planned failover sends the last set of tracked changes. Read more.
Unplanned failover: To run an unplanned failover, right-click on the replica virtual machine and select
Replication > Unplanned Failover from Hyper-V Manager or Failover Clustering Manager. You can recover
from the latest recovery point or from previous recovery points if this option is enabled. After failover, check that
everything is working as expected on the failed over virtual machine, then click Complete on the replica virtual
machine. Read more.
 Live Migration Overview
3/12/2019 • 2 minutes to read • Edit Online

Live migration is a Hyper-V feature in Windows Server. It allows you to transparently move running Virtual
Machines from one Hyper-V host to another without perceived downtime. The primary benefit of live migration is
flexibility; running Virtual Machines are not tied to a single host machine. This allows actions like draining a specific
host of Virtual Machines before decommissioning or upgrading it. When paired with Windows Failover Clustering,
live migration allows the creation of highly available and fault tolerant systems.

Related Technologies and Documentation

Live migration is often used in conjunction with a few related technologies like Failover Clustering and System
Center Virtual Machine Manager. If you’re using Live Migration via these technologies, here are pointers to their
latest documentation:
Failover Clustering (Windows Server 2016)
System Center Virtual Machine Manager (System Center 2016)
If you’re using older versions of Windows Server, or need details on features introduced in older versions of
Windows Server, here are pointers to historical documentation:
Live Migration (Windows Server 2008 R2)
Live Migration (Windows Server 2012 R2)
Failover Clustering (Windows Server 2012 R2)
Failover Clustering (Windows Server 2008 R2)
System Center Virtual Machine Manager (System Center 2012 R2)
System Center Virtual Machine Manager (System Center 2008 R2)

Live Migration in Windows Server 2016

In Windows Server 2016, there are fewer restrictions on live migration deployment. It now works without Failover
Clustering. Other functionality remains unchanged from previous releases of Live Migration. For more details on
configuring and using live migration without Failover Clustering:
Set up hosts for live migration without Failover Clustering
Use live migration without Failover Clustering to move a virtual machine
 Live Migration Overview
3/12/2019 • 2 minutes to read • Edit Online

Live migration is a Hyper-V feature in Windows Server. It allows you to transparently move running Virtual
Machines from one Hyper-V host to another without perceived downtime. The primary benefit of live migration is
flexibility; running Virtual Machines are not tied to a single host machine. This allows actions like draining a specific
host of Virtual Machines before decommissioning or upgrading it. When paired with Windows Failover Clustering,
live migration allows the creation of highly available and fault tolerant systems.

Related Technologies and Documentation

Live migration is often used in conjunction with a few related technologies like Failover Clustering and System
Center Virtual Machine Manager. If you’re using Live Migration via these technologies, here are pointers to their
latest documentation:
Failover Clustering (Windows Server 2016)
System Center Virtual Machine Manager (System Center 2016)
If you’re using older versions of Windows Server, or need details on features introduced in older versions of
Windows Server, here are pointers to historical documentation:
Live Migration (Windows Server 2008 R2)
Live Migration (Windows Server 2012 R2)
Failover Clustering (Windows Server 2012 R2)
Failover Clustering (Windows Server 2008 R2)
System Center Virtual Machine Manager (System Center 2012 R2)
System Center Virtual Machine Manager (System Center 2008 R2)

Live Migration in Windows Server 2016

In Windows Server 2016, there are fewer restrictions on live migration deployment. It now works without Failover
Clustering. Other functionality remains unchanged from previous releases of Live Migration. For more details on
configuring and using live migration without Failover Clustering:
Set up hosts for live migration without Failover Clustering
Use live migration without Failover Clustering to move a virtual machine
 Set up hosts for live migration without Failover
Clustering
3/12/2019 • 7 minutes to read • Edit Online

Applies To: Windows Server 2016, Microsoft Hyper-V Server 2016, Windows Server 2019, Microsoft Hyper-V
Server 2019

This article shows you how to set up hosts that aren't clustered so you can do live migrations between them. Use
these instructions if you didn't set up live migration when you installed Hyper-V, or if you want to change the
settings. To set up clustered hosts, use tools for Failover Clustering.

Requirements for setting up live migration

To set up non-clustered hosts for live migration, you'll need:
A user account with permission to perform the various steps. Membership in the local Hyper-V
Administrators group or the Administrators group on both the source and destination computers meets this
requirement, unless you're configuring constrained delegation. Membership in the Domain Administrators
group is required to configure constrained delegation.
The Hyper-V role in Windows Server 2016 or Windows Server 2012 R2 installed on the source and
destination servers. You can do a live migration between hosts running Windows Server 2016 and Windows
Server 2012 R2 if the virtual machine is at least version 5.
For version upgrade instructions, see Upgrade virtual machine version in Hyper-V on Windows 10 or
Windows Server 2016. For installation instructions, see Install the Hyper-V role on Windows Server.
Source and destination computers that either belong to the same Active Directory domain, or belong to
domains that trust each other.
The Hyper-V management tools installed on a computer running Windows Server 2016 or Windows 10,
unless the tools are installed on the source or destination server and you'll run the tools from the server.

Consider options for authentication and networking

Consider how you want to set up the following:
Authentication: Which protocol will be used to authenticate live migration traffic between the source and
destination servers? The choice determines whether you'll need to sign on to the source server before
starting a live migration:
Kerberos lets you avoid having to sign in to the server, but requires constrained delegation to be set
up. See below for instructions.
CredSSP lets you avoid configuring constrained delegation, but requires you sign in to the source
server. You can do this through a local console session, a Remote Desktop session, or a remote
Windows PowerShell session.
CredSPP requires signing in for situations that might not be obvious. For example, if you sign in to
TestServer01 to move a virtual machine to TestServer02, and then want to move the virtual machine
back to TestServer01, you'll need to sign in to TestServer02 before you try to move the virtual
machine back to TestServer01. If you don't do this, the authentication attempt fails, an error occurs,
 and the following message is displayed:
"Virtual machine migration operation failed at migration Source.
Failed to establish a connection with host computer name: No credentials are available in the security
package 0x8009030E."
Performance: Does it makes sense to configure performance options? These options can reduce network
and CPU usage, as well as make live migrations go faster. Consider your requirements and your
infrastructure, and test different configurations to help you decide. The options are described at the end of
step 2.
Network preference: Will you allow live migration traffic through any available network, or isolate the
traffic to specific networks? As a security best practice, we recommend that you isolate the traffic onto
trusted, private networks because live migration traffic is not encrypted when it is sent over the network.
Network isolation can be achieved through a physically isolated network or through another trusted
networking technology such as VLANs.

Step 1: Configure constrained delegation (optional)

If you have decided to use Kerberos to authenticate live migration traffic, configure constrained delegation using an
account that is a member of the Domain Administrators group.
Use the Users and Computers snap-in to configure constrained delegation
1. Open the Active Directory Users and Computers snap-in. (From Server Manager, select the server if it's not
selected, click Tools >> Active Directory Users and Computers).
2. From the navigation pane in Active Directory Users and Computers, select the domain and double-click
the Computers folder.
3. From the Computers folder, right-click the computer account of the source server and then click
Properties.
4. From Properties, click the Delegation tab.
5. On the delegation tab, select Trust this computer for delegation to the specified services only and then
select Use any authentication protocol.
6. Click Add.
7. From Add Services, click Users or Computers.
8. From Select Users or Computers, type the name of the destination server. Click Check Names to verify it,
and then click OK.
9. From Add Services, in the list of available services, do the following and then click OK:
To move virtual machine storage, select cifs. This is required if you want to move the storage along
with the virtual machine, as well as if you want to move only a virtual machine's storage. If the server
is configured to use SMB storage for Hyper-V, this should already be selected.
To move virtual machines, select Microsoft Virtual System Migration Service.
10. On the Delegation tab of the Properties dialog box, verify that the services you selected in the previous
step are listed as the services to which the destination computer can present delegated credentials. Click OK.
11. From the Computers folder, select the computer account of the destination server and repeat the process. In
the Select Users or Computers dialog box, be sure to specify the name of the source server.
The configuration changes take effect after both of the following happen:
 The changes are replicated to the domain controllers that the servers running Hyper-V are logged into.
The domain controller issues a new Kerberos ticket.

Step 2: Set up the source and destination computers for live migration
This step includes choosing options for authentication and networking. As a security best practice, we recommend
that you select specific networks to use for live migration traffic, as discussed above. This step also shows you how
to choose the performance option.
Use Hyper-V Manager to set up the source and destination computers for live migration
1. Open Hyper-V Manager. (From Server Manager, click Tools >>Hyper-V Manager.)
2. In the navigation pane, select one of the servers. (If it isn't listed, right-click Hyper-V Manager, click
Connect to Server, type the server name, and click OK. Repeat to add more servers.)
3. In the Action pane, click Hyper-V Settings >>Live Migrations.
4. In the Live Migrations pane, check Enable incoming and outgoing live migrations.
5. Under Simultaneous live migrations, specify a different number if you don't want to use the default of 2.
6. Under Incoming live migrations, if you want to use specific network connections to accept live migration
traffic, click Add to type the IP address information. Otherwise, click Use any available network for live
migration. Click OK.
7. To choose Kerberos and performance options, expand Live Migrations and then select Advanced
Features.
If you have configured constrained delegation, under Authentication protocol, select Kerberos.
Under Performance options, review the details and choose a different option if it's appropriate for your
environment.
8. Click OK.
9. Select the other server in Hyper-V Manager and repeat the steps.
Use Windows PowerShell to set up the source and destination computers for live migration
Three cmdlets are available for configuring live migration on non-clustered hosts: Enable-VMMigration, Set-
VMMigrationNetwork, and Set-VMHost. This example uses all three and does the following:
Configures live migration on the local host
Allows incoming migration traffic only on a specific network
Chooses Kerberos as the authentication protocol
Each line represents a separate command.

PS C:\> Enable-VMMigration

PS C:\> Set-VMMigrationNetwork 192.168.10.1

PS C:\> Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

Set-VMHost also lets you choose a performance option (and many other host settings). For example, to choose
SMB but leave the authentication protocol set to the default of CredSSP, type:
 PS C:\> Set-VMHost -VirtualMachineMigrationPerformanceOption SMBTransport

This table describes how the performance options work.

OPTION DESCRIPTION

TCP/IP Copies the memory of the virtual machine to the destination

server over a TCP/IP connection.

Compression Compresses the memory content of the virtual machine

before copying it to the destination server over a TCP/IP
connection. Note: This is the default setting.

SMB Copies the memory of the virtual machine to the destination

server over a SMB 3.0 connection.

- SMB Direct is used when the network adapters on the source

and destination servers have Remote Direct Memory Access
(RDMA) capabilities enabled.
- SMB Multichannel automatically detects and uses multiple
connections when a proper SMB Multichannel configuration is
identified.

For more information, see Improve Performance of a File

Server with SMB Direct.

Next steps
After you set up the hosts, you're ready to do a live migration. For instructions, see Use live migration without
Failover Clustering to move a virtual machine.
 Use live migration without Failover Clustering to
move a virtual machine
6/7/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server 2016

This article shows you how to move a virtual machine by doing a live migration without using Failover Clustering.
A live migration moves running virtual machines between Hyper-V hosts without any noticeable downtime.
To be able to do this, you'll need:
A user account that's a member of the local Hyper-V Administrators group or the Administrators group on
both the source and destination computers.
The Hyper-V role in Windows Server 2016 or Windows Server 2012 R2 installed on the source and
destination servers and set up for live migrations. You can do a live migration between hosts running
Windows Server 2016 and Windows Server 2012 R2 if the virtual machine is at least version 5.
For version upgrade instructions, see Upgrade virtual machine version in Hyper-V on Windows 10 or
Windows Server 2016. For installation instructions, see Set up hosts for live migration.
The Hyper-V management tools installed on a computer running Windows Server 2016 or Windows 10,
unless the tools are installed on the source or destination server and you'll run them from there.

Use Hyper-V Manager to move a running virtual machine

1. Open Hyper-V Manager. (From Server Manager, click Tools >>Hyper-V Manager.)
2. In the navigation pane, select one of the servers. (If it isn't listed, right-click Hyper-V Manager, click
Connect to Server, type the server name, and click OK. Repeat to add more servers.)
3. From the Virtual Machines pane, right-click the virtual machine and then click Move. This opens the Move
Wizard.
4. Use the wizard pages to choose the type of move, destination server, and options.
5. On the Summary page, review your choices and then click Finish.

Use Windows PowerShell to move a running virtual machine

The following example uses the Move-VM cmdlet to move a virtual machine named LMTest to a destination server
named TestServer02 and moves the virtual hard disks and other file, such checkpoints and Smart Paging files, to
the D:\LMTest directory on the destination server.

PS C:\> Move-VM LMTest TestServer02 -IncludeStorage -DestinationStoragePath D:\LMTest

Troubleshooting
Failed to establish a connection
If you haven't set up constrained delegation, you must sign in to source server before you can move a virtual
machine. If you don't do this, the authentication attempt fails, an error occurs, and this message is displayed:
"Virtual machine migration operation failed at migration Source.
Failed to establish a connection with host computer name: No credentials are available in the security package
0x8009030E."
To fix this problem, sign in to the source server and try the move again. To avoid having to sign in to a source
server before doing a live migration, set up constrained delegation. You'll need domain administrator credentials to
set up constrained delegation. For instructions, see Set up hosts for live migration.
Failed because the host hardware isn't compatible
If a virtual machine doesn't have processor compatibility turned on and has one or more snapshots, the move fails
if the hosts have different processor versions. An error occurs and this message is displayed:
The virtual machine cannot be moved to the destination computer. The hardware on the destination
computer is not compatible with the hardware requirements of this virtual machine.
To fix this problem, shut down the virtual machine and turn on the processor compatibility setting.
1. From Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine and click Settings.
2. In the navigation pane, expand Processors and click Compatibility.
3. Check Migrate to a computer with a different processor version.
4. Click OK.
To use Windows PowerShell, use the Set-VMProcessor cmdlet:

PS C:\> Set-VMProcessor TestVM -CompatibilityForMigrationEnabled $true

 Performance Tuning Hyper-V Servers
3/12/2019 • 2 minutes to read • Edit Online

Hyper-V is the virtualization server role in Windows Server 2016. Virtualization servers can host multiple virtual
machines that are isolated from each other but share the underlying hardware resources by virtualizing the
processors, memory, and I/O devices. By consolidating servers onto a single machine, virtualization can improve
resource usage and energy efficiency and reduce the operational and maintenance costs of servers. In addition,
virtual machines and the management APIs offer more flexibility for managing resources, balancing load, and
provisioning systems.

See also
Hyper-V terminology
Hyper-V architecture
Hyper-V server configuration
Hyper-V processor performance
Hyper-V memory performance
Hyper-V storage I/O performance
Hyper-V network I/O performance
Detecting bottlenecks in a virtualized environment
Linux Virtual Machines
 Hyper-V Virtual Switch
3/12/2019 • 4 minutes to read • Edit Online

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic provides an overview of Hyper-V Virtual Switch, which provides you with the ability to connect virtual
machines (VMs) to networks that are external to the Hyper-V host, including your organization's intranet and the
Internet.
You can also connect to virtual networks on the server that is running Hyper-V when you deploy Software Defined
Networking (SDN ).

NOTE
In addition to this topic, the following Hyper-V Virtual Switch documentation is available.
Manage Hyper-V Virtual Switch
Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET)
Network Switch Team Cmdlets in Windows PowerShell
What's New in VMM 2016
Set up the VMM networking fabric
Create networks with VMM 2012
Hyper-V: Configure VLANs and VLAN Tagging
Hyper-V: The WFP virtual switch extension should be enabled if it is required by third party extensions
For more information about other networking technologies, see Networking in Windows Server 2016.

Hyper-V Virtual Switch is a software-based layer-2 Ethernet network switch that is available in Hyper-V Manager
when you install the Hyper-V server role.
Hyper-V Virtual Switch includes programmatically managed and extensible capabilities to connect VMs to both
virtual networks and the physical network. In addition, Hyper-V Virtual Switch provides policy enforcement for
security, isolation, and service levels.

NOTE
Hyper-V Virtual Switch only supports Ethernet, and does not support any other wired local area network (LAN) technologies,
such as Infiniband and Fibre Channel.

Hyper-V Virtual Switch includes tenant isolation capabilities, traffic shaping, protection against malicious virtual
machines, and simplified troubleshooting.
With built-in support for Network Device Interface Specification (NDIS ) filter drivers and Windows Filtering
Platform (WFP ) callout drivers, the Hyper-V Virtual Switch enables independent software vendors (ISVs) to create
extensible plug-ins, called Virtual Switch Extensions, that can provide enhanced networking and security
capabilities. Virtual Switch Extensions that you add to the Hyper-V Virtual Switch are listed in the Virtual Switch
Manager feature of Hyper-V Manager.
In the following illustration, a VM has a virtual NIC that is connected to the Hyper-V Virtual Switch through a
switch port.
Hyper-V Virtual Switch capabilities provide you with more options for enforcing tenant isolation, shaping and
controlling network traffic, and employing protective measures against malicious VMs.

NOTE
In Windows Server 2016, a VM with a virtual NIC accurately displays the maximum throughput for the virtual NIC. To view
the virtual NIC speed in Network Connections, right-click the desired virtual NIC icon and then click Status. The virtual NIC
Status dialog box opens. In Connection, the value of Speed matches the speed of the physical NIC installed in the server.

Uses for Hyper-V Virtual Switch

Following are some use case scenarios for Hyper-V Virtual Switch.
Displaying statistics: A developer at a hosted cloud vendor implements a management package that displays the
current state of the Hyper-V virtual switch. The management package can query switch-wide current capabilities,
configuration settings, and individual port network statistics using WMI. The status of the switch is then displayed
to give administrators a quick view of the state of the switch.
Resource tracking: A hosting company is selling hosting services priced according to the level of membership.
Various membership levels include different network performance levels. The administrator allocates resources to
meet the SLAs in a manner that balances network availability. The administrator programmatically tracks
information such as the current usage of bandwidth assigned, and the number of virtual machine (VM ) assigned
virtual machine queue (VMQ ) or IOV channels. The same program also periodically logs the resources in use in
addition to the per-VM resources assigned for double entry tracking or resources.
Managing the order of switch extensions: An enterprise has installed extensions on their Hyper-V host to both
monitor traffic and report intrusion detection. During maintenance, some extensions may be updated causing the
order of extensions to change. A simple script program is run to reorder the extensions after updates.
Forwarding extension manages VLAN ID: A major switch company is building a forwarding extension that
applies all policies for networking. One element that is managed is virtual local area network (VLAN ) IDs. The
virtual switch cedes control of the VLAN to a forwarding extension. The switch company's installation
programmatically call a Windows Management Instrumentation (WMI) application programming interface (API)
that turns on the transparency, telling the Hyper-V Virtual Switch to pass and take no action on VLAN tags.

Hyper-V Virtual Switch Functionality

Some of the principal features that are included in the Hyper-V Virtual Switch are:
ARP/ND Poisoning (spoofing) protection: Provides protection against a malicious VM using Address
Resolution Protocol (ARP ) spoofing to steal IP addresses from other VMs. Provides protection against
attacks that can be launched for IPv6 using Neighbor Discovery (ND ) spoofing.
DHCP Guard protection: Protects against a malicious VM representing itself as a Dynamic Host
 Configuration Protocol (DHCP ) server for man-in-the-middle attacks.
Port ACLs: Provides traffic filtering based on Media Access Control (MAC ) or Internet Protocol (IP )
addresses/ranges, which enables you to set up virtual network isolation.
Trunk mode to a VM: Enables administrators to set up a specific VM as a virtual appliance, and then direct
traffic from various VLANs to that VM.
Network traffic monitoring: Enables administrators to review traffic that is traversing the network switch.
Isolated (private) VLAN: Enables administrators to segregate traffic on multiple vlans, to more easily
establish isolated tenant communities.
Following is a list of capabilities that enhance Hyper-V Virtual Switch usability:
Bandwidth limit and burst support: Bandwidth minimum guarantees amount of bandwidth reserved.
Bandwidth maximum caps the amount of bandwidth a VM can consume.
Explicit Congestion Notification (ECN ) marking support: ECN marking, also known as Data
CenterTCP (DCTCP ), enables the physical switch and operating system to regulate traffic flow such that the
buffer resources of the switch are not flooded, which results in increased traffic throughput.
Diagnostics: Diagnostics allow easy tracing and monitoring of events and packets through the virtual
switch.
 Remote Direct Memory Access (RDMA) and Switch
Embedded Teaming (SET)
5/24/2019 • 15 minutes to read • Edit Online

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic provides information on configuring Remote Direct Memory Access (RDMA) interfaces with Hyper-V in
Windows Server 2016, in addition to information about Switch Embedded Teaming (SET).

NOTE
In addition to this topic, the following Switch Embedded Teaming content is available.
TechNet Gallery Download: Windows Server 2016 NIC and Switch Embedded Teaming User Guide

Configuring RDMA Interfaces with Hyper-V

In Windows Server 2012 R2, using both RDMA and Hyper-V on the same computer as the network adapters that
provide RDMA services can not be bound to a Hyper-V Virtual Switch. This increases the number of physical
network adapters that are required to be installed in the Hyper-V host.

TIP
In editions of Windows Server previous to Windows Server 2016, it is not possible to configure RDMA on network adapters
that are bound to a NIC Team or to a Hyper-V Virtual Switch. In Windows Server 2016, you can enable RDMA on network
adapters that are bound to a Hyper-V Virtual Switch with or without SET.

In Windows Server 2016, you can use fewer network adapters while using RDMA with or without SET.
The image below illustrates the software architecture changes between Windows Server 2012 R2 and Windows
Server 2016.

The following sections provide instructions on how to use Windows PowerShell commands to enable Data Center
Bridging (DCB ), create a Hyper-V Virtual Switch with an RDMA virtual NIC (vNIC ), and create a Hyper-V Virtual
Switch with SET and RDMA vNICs.
Enable Data Center Bridging (DCB )
Before using any RDMA over Converged Ethernet (RoCE ) version of RDMA, you must enable DCB. While not
required for Internet Wide Area RDMA Protocol (iWARP ) networks, testing has determined that all Ethernet-based
RDMA technologies work better with DCB. Because of this, you should consider using DCB even for iWARP
RDMA deployments.
The following Windows PowerShell example commands demonstrate how to enable and configure DCB for SMB
Direct.
Turn on DCB

Install-WindowsFeature Data-Center-Bridging

Set a policy for SMB -Direct:

New-NetQosPolicy "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3

Turn on Flow Control for SMB:

Enable-NetQosFlowControl -Priority 3

Make sure flow control is off for other traffic:

Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

Apply policy to the target adapters:

Enable-NetAdapterQos -Name "SLOT 2"

Give SMB Direct 30% of the bandwidth minimum:

New-NetQosTrafficClass "SMB" -Priority 3 -BandwidthPercentage 30 -Algorithm ETS

If you have a kernel debugger installed in the system, you must configure the debugger to allow QoS to be set by
running the following command.
Override the Debugger - by default the debugger blocks NetQos:

Set-ItemProperty HKLM:"\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" AllowFlowControlUnderDebugger -type

DWORD -Value 1 -Force

Create a Hyper-V Virtual Switch with an RDMA vNIC

If SET is not required for your deployment, you can use the following Windows PowerShell commands to create a
Hyper-V Virtual Switch with an RDMA vNIC.

NOTE
Using SET teams with RDMA-capable physical NICs provides more RDMA resources for the vNICs to consume.
 New-VMSwitch -Name RDMAswitch -NetAdapterName "SLOT 2"

Add host vNICs and make them RDMA capable:

Add-VMNetworkAdapter -SwitchName RDMAswitch -Name SMB_1

Enable-NetAdapterRDMA "vEthernet (SMB_1)" "SLOT 2"

Verify RDMA capabilities:

Get-NetAdapterRdma

Create a Hyper-V Virtual Switch with SET and RDMA vNICs

To make use of RDMA capabilies on Hyper-V host virtual network adapters (vNICs) on a Hyper-V Virtual Switch
that supports RDMA teaming, you can use these example Windows PowerShell commands.

New-VMSwitch -Name SETswitch -NetAdapterName "SLOT 2","SLOT 3" -EnableEmbeddedTeaming $true

Add host vNICs:

Add-VMNetworkAdapter -SwitchName SETswitch -Name SMB_1 -managementOS

Add-VMNetworkAdapter -SwitchName SETswitch -Name SMB_2 -managementOS

Many switches won't pass traffic class information on untagged VLAN traffic, so make sure that the host adapters
for RDMA are on VLANs. This example assigns the two SMB_* host virtual adapters to VLAN 42.

Set-VMNetworkAdapterIsolation -ManagementOS -VMNetworkAdapterName SMB_1 -IsolationMode VLAN -

DefaultIsolationID 42
Set-VMNetworkAdapterIsolation -ManagementOS -VMNetworkAdapterName SMB_2 -IsolationMode VLAN -
DefaultIsolationID 42

Enable RDMA on Host vNICs:

Enable-NetAdapterRDMA "vEthernet (SMB_1)","vEthernet (SMB_2)" "SLOT 2", "SLOT 3"

Verify RDMA capabilities; ensure that the capabilities are non-zero:

Get-NetAdapterRdma | fl *

Switch Embedded Teaming (SET)

This section provides an overview of Switch Embedded Teaming (SET) in Windows Server 2016, and contains the
following sections.
SET Overview
SET Availability
Supported and Unsupported NICs for SET
SET Compatibility with Windows Server Networking Technologies
 SET Modes and Settings
SET and Virtual Machine Queues (VMQs)
SET and Hyper-V Network Virtualization (HNV )
SET and Live Migration
MAC Address Use on Transmitted Packets
Managing a SET team

SET Overview
SET is an alternative NIC Teaming solution that you can use in environments that include Hyper-V and the
Software Defined Networking (SDN ) stack in Windows Server 2016. SET integrates some NIC Teaming
functionality into the Hyper-V Virtual Switch.
SET allows you to group between one and eight physical Ethernet network adapters into one or more software-
based virtual network adapters. These virtual network adapters provide fast performance and fault tolerance in the
event of a network adapter failure.
SET member network adapters must all be installed in the same physical Hyper-V host to be placed in a team.

NOTE
The use of SET is only supported in Hyper-V Virtual Switch in Windows Server 2016. You cannot deploy SET in Windows
Server 2012 R2 .

You can connect your teamed NICs to the same physical switch or to different physical switches. If you connect
NICs to different switches, both switches must be on the same subnet.
The following illustration depicts SET architecture.

Because SET is integrated into the Hyper-V Virtual Switch, you cannot use SET inside of a virtual machine (VM ).
You can, however use NIC Teaming within VMs.
For more information, see NIC Teaming in Virtual Machines (VMs).
In addition, SET architecture does not expose team interfaces. Instead, you must configure Hyper-V Virtual Switch
ports.

SET Availability
SET is available in all versions of Windows Server 2016 that include Hyper-V and the SDN stack. In addition, you
can use Windows PowerShell commands and Remote Desktop connections to manage SET from remote
computers that are running a client operating system upon which the tools are supported.

Supported NICs for SET

You can use any Ethernet NIC that has passed the Windows Hardware Qualification and Logo (WHQL ) test in a
SET team in Windows Server 2016. SET requires that all network adapters that are members of a SET team must
be identical (i.e., same manufacturer, same model, same firmware and driver). SET supports between one and eight
network adapters in a team.

SET Compatibility with Windows Server Networking Technologies

SET is compatible with the following networking technologies in Windows Server 2016.
Datacenter bridging (DCB )
Hyper-V Network Virtualization - NV -GRE and VxLAN are both supported in Windows Server 2016.
Receive-side Checksum offloads (IPv4, IPv6, TCP ) - These are supported if any of the SET team members
support them.
Remote Direct Memory Access (RDMA)
Single root I/O virtualization (SR -IOV )
Transmit-side Checksum offloads (IPv4, IPv6, TCP ) - These are supported if all of the SET team members
support them.
Virtual Machine Queues (VMQ )
Virtual Receive Side Scaling (RSS )
SET is not compatible with the following networking technologies in Windows Server 2016.
802.1X authentication. 802.1X Extensible Authentication Protocol (EAP ) packets are automatically dropped
by Hyper-V Virtual Switch in SET scenarios.
IPsec Task Offload (IPsecTO ). This is a legacy technology that is not supported by most network adapters,
and where it does exist, it is disabled by default.
Using QoS (pacer.exe) in host or native operating systems. These QoS scenarios are not Hyper-V scenarios,
so the technologies do not intersect. In addition, QoS is available but not enabled by default - you must
intentionally enable QoS.
Receive side coalescing (RSC ). RSC is automatically disabled by Hyper-V Virtual Switch.
Receive side scaling (RSS ). Because Hyper-V uses the queues for VMQ and VMMQ, RSS is always disabled
when you create a virtual switch.
TCP Chimney Offload. This technology is disabled by default.
Virtual Machine QoS (VM -QoS ). VM QoS is available but disabled by default. If you configure VM QoS in a
SET environment, the QoS settings will cause unpredictable results.

SET Modes and Settings

Unlike NIC Teaming, when you create a SET team, you cannot configure a team name. In addition, using a standby
adapter is supported in NIC Teaming, but it is not supported in SET. When you deploy SET, all network adapters
are active and none are in standby mode.
Another key difference between NIC Teaming and SET is that NIC Teaming provides the choice of three different
teaming modes, while SET supports only Switch Independent mode. With Switch Independent mode, the switch
or switches to which the SET Team members are connected are unaware of the presence of the SET team and do
not determine how to distribute network traffic to SET team members - instead, the SET team distributes inbound
network traffic across the SET team members.
When you create a new SET team, you must configure the following team properties.
Member adapters
Load balancing mode
Member adapters
When you create a SET team, you must specify up to eight identical network adapters that are bound to the Hyper-
V Virtual Switch as SET team member adapters.
Load Balancing mode
The options for SET team Load Balancing distribution mode are Hyper-V Port and Dynamic.
Hyper-V Port
VMs are connected to a port on the Hyper-V Virtual Switch. When using Hyper-V Port mode for SET teams, the
Hyper-V Virtual Switch port and the associated MAC address are used to divide network traffic between SET team
members.

NOTE
When you use SET in conjunction with Packet Direct, the teaming mode Switch Independent and the load balancing mode
Hyper-V Port are required.

Because the adjacent switch always sees a particular MAC address on a given port, the switch distributes the
ingress load (the traffic from the switch to the host) to the port where the MAC address is located. This is
particularly useful when Virtual Machine Queues (VMQs) are used, because a queue can be placed on the specific
NIC where the traffic is expected to arrive.
However, if the host has only a few VMs, this mode might not be granular enough to achieve a well-balanced
distribution. This mode will also always limit a single VM (i.e., the traffic from a single switch port) to the bandwidth
that is available on a single interface.
Dynamic
This load balancing mode provides the following advantages.
Outbound loads are distributed based on a hash of the TCP Ports and IP addresses. Dynamic mode also re-
balances loads in real time so that a given outbound flow can move back and forth between SET team
members.
Inbound loads are distributed in the same manner as the Hyper-V port mode.
The outbound loads in this mode are dynamically balanced based on the concept of flowlets. Just as human speech
has natural breaks at the ends of words and sentences, TCP flows (TCP communication streams) also have naturally
occurring breaks. The portion of a TCP flow between two such breaks is referred to as a flowlet.
When the dynamic mode algorithm detects that a flowlet boundary has been encountered - for example when a
break of sufficient length has occurred in the TCP flow - the algorithm automatically rebalances the flow to another
team member if appropriate. In some uncommon circumstances, the algorithm might also periodically rebalance
flows that do not contain any flowlets. Because of this, the affinity between TCP flow and team member can change
at any time as the dynamic balancing algorithm works to balance the workload of the team members.

SET and Virtual Machine Queues (VMQs)

VMQ and SET work well together, and you should enable VMQ whenever you are using Hyper-V and SET.

NOTE
SET always presents the total number of queues that are available across all SET team members. In NIC Teaming, this is called
Sum-of-Queues mode.

Most network adapters have queues that can be used for either Receive Side Scaling (RSS ) or VMQ, but not both
at the same time.
Some VMQ settings appear to be settings for RSS queues but are really settings on the generic queues that both
RSS and VMQ use depending on which feature is presently in use. Each NIC has, in its advanced properties, values
for *RssBaseProcNumber and *MaxRssProcessors .
Following are a few VMQ settings that provide better system performance.
Ideally each NIC should have the *RssBaseProcNumber set to an even number greater than or equal to two (2).
This is because the first physical processor, Core 0 (logical processors 0 and 1), typically does most of the system
processing so the network processing should be steered away from this physical processor.

NOTE
Some machine architectures don't have two logical processors per physical processor, so for such machines the base processor
should be greater than or equal to 1. If in doubt, assume your host is using a 2 logical processor per physical processor
architecture.

The team members' processors should be, to the extent that it's practical, non-overlapping. For example, in a 4-
core host (8 logical processors) with a team of 2 10Gbps NICs, you could set the first one to use base processor
of 2 and to use 4 cores; the second would be set to use base processor 6 and use 2 cores.

SET and Hyper-V Network Virtualization (HNV)

SET is fully compatible with Hyper-V Network Virtualization in Windows Server 2016. The HNV management
system provides information to the SET driver that allows SET to distribute the network traffic load in a manner
that is optimized for the HNV traffic.

SET and Live Migration

Live Migration is supported in Windows Server 2016.

MAC Address Use on Transmitted Packets

When you configure a SET team with dynamic load distribution, the packets from a single source (such as a single
VM ) are simultaneously distributed across multiple team members.
To prevent the switches from getting confused and to prevent MAC flapping alarms, SET replaces the source MAC
address with a different MAC address on the frames that are transmitted on team members other than the
affinitized team member. Because of this, each team member uses a different MAC address, and MAC address
conflicts are prevented unless and until failure occurs.
When a failure is detected on the primary NIC, the SET teaming software starts using the VM's MAC address on
the team member that is chosen to serve as the temporary affinitized team member (i.e., the one that will now
appear to the switch as the VM's interface).
This change only applies to traffic that was going to be sent on the VM's affinitized team member with the VM's
own MAC address as its source MAC address. Other traffic continues to be sent with whatever source MAC
address it would have used prior to the failure.
Following are lists that describe SET teaming MAC address replacement behavior, based on how the team is
configured:
In Switch Independent mode with Hyper-V Port distribution
Every vmSwitch port is affinitized to a team member
Every packet is sent on the team member to which the port is affinitized
No source MAC replacement is done
In Switch Independent mode with Dynamic distribution
Every vmSwitch port is affinitized to a team member
All ARP/NS packets are sent on the team member to which the port is affinitized
Packets sent on the team member that is the affinitized team member have no source MAC address
replacement done
Packets sent on a team member other than the affinitized team member will have source MAC
address replacement done

Managing a SET team

It is recommended that you use System Center Virtual Machine Manager (VMM ) to manage SET teams, however
you can also use Windows PowerShell to manage SET. The following sections provide the Windows PowerShell
commands that you can use to manage SET.
For information on how to create a SET team using VMM, see the section "Set up a logical switch" in the System
Center VMM library topic Create logical switches.
Create a SET team
You must create a SET team at the same time that you create the Hyper-V Virtual Switch by using the New-
VMSwitch Windows PowerShell command.
When you create the Hyper-V Virtual Switch, you must include the new EnableEmbeddedTeaming parameter in
your command syntax. In the following example, a Hyper-V switch named TeamedvSwitch with embedded
teaming and two initial team members is created.

New-VMSwitch -Name TeamedvSwitch -NetAdapterName "NIC 1","NIC 2" -EnableEmbeddedTeaming $true

The EnableEmbeddedTeaming parameter is assumed by Windows PowerShell when the argument to

NetAdapterName is an array of NICs instead of a single NIC. As a result, you could revise the previous command
in the following way.

New-VMSwitch -Name TeamedvSwitch -NetAdapterName "NIC 1","NIC 2"

If you want to create a SET-capable switch with a single team member so that you can add a team member at a
later time, then you must use the EnableEmbeddedTeaming parameter.

New-VMSwitch -Name TeamedvSwitch -NetAdapterName "NIC 1" -EnableEmbeddedTeaming $true

Adding or removing a SET team member

The Set-VMSwitchTeam command includes the NetAdapterName option. To change the team members in a
SET team, enter the desired list of team members after the NetAdapterName option. If TeamedvSwitch was
originally created with NIC 1 and NIC 2, then the following example command deletes SET team member "NIC 2"
and adds new SET team member "NIC 3".

Set-VMSwitchTeam -Name TeamedvSwitch -NetAdapterName "NIC 1","NIC 3"

Removing a SET team

You can remove a SET team only by removing the Hyper-V Virtual Switch that contains the SET team. Use the topic
Remove-VMSwitch for information on how to remove the Hyper-V Virtual Switch. The following example removes
a Virtual Switch named SETvSwitch.

Remove-VMSwitch "SETvSwitch"

Changing the load distribution algorithm for a SET team

The Set-VMSwitchTeam cmdlet has a LoadBalancingAlgorithm option. This option takes one of two possible
values: HyperVPort or Dynamic. To set or change the load distribution algorithm for a switch-embedded team,
use this option.
In the following example, the VMSwitchTeam named TeamedvSwitch uses the Dynamic load balancing
algorithm.

Set-VMSwitchTeam -Name TeamedvSwitch -LoadBalancingAlgorithm Dynamic

Affinitizing virtual interfaces to physical team members

SET allows you to create an affinity between a virtual interface (i.e., Hyper-V Virtual Switch port) and one of the
physical NICs in the team.
For example, if you create two host vNICs for SMB -Direct, as in the section Create a Hyper-V Virtual Switch with
SET and RDMA vNICs, you can ensure that the two vNICs use different team members.
Adding to the script in that section, you can use the following Windows PowerShell commands.

Set-VMNetworkAdapterTeamMapping -VMNetworkAdapterName SMB_1 –ManagementOS –PhysicalNetAdapterName “SLOT 2”

Set-VMNetworkAdapterTeamMapping -VMNetworkAdapterName SMB_2 –ManagementOS –PhysicalNetAdapterName “SLOT 3”

This topic is examined in more depth in section 4.2.5 of the Windows Server 2016 NIC and Switch Embedded
Teaming User Guide.
 Manage Hyper-V Virtual Switch
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to access Hyper-V Virtual Switch management content.
This section contains the following topics.
Configure VLANs on Hyper-V Virtual Switch Ports
Create Security Policies with Extended Port Access Control Lists
 Configure and View VLAN Settings on Hyper-V
Virtual Switch Ports
3/12/2019 • 2 minutes to read • Edit Online

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn best practices for configuring and viewing virtual Local Area Network (VLAN )
settings on a Hyper-V Virtual Switch port.
When you want to configure VLAN settings on Hyper-V Virtual Switch ports, you can use either Windows® Server
2016 Hyper-V Manager or System Center Virtual Machine Manager (VMM ).
If you are using VMM, VMM uses the following Windows PowerShell command to configure the switch port.

Set-VMNetworkAdapterIsolation <VM-name|-managementOS> -IsolationMode VLAN -DefaultIsolationID <vlan-value> -

AllowUntaggedTraffic $True

If you are not using VMM and are configuring the switch port in Windows Server, you can use the Hyper-V
Manager console or the following Windows PowerShell command.

Set-VMNetworkAdapterVlan <VM-name|-managementOS> -Access -VlanID <vlan-value>

Because of these two methods for configuring VLAN settings on Hyper-V Virtual Switch ports, it is possible that
when you attempt to view the switch port settings, it appears to you that the VLAN settings are not configured -
even when they are configured.

Use the same method to configure and view switch port VLAN settings
To ensure that you do not encounter these issues, you must use the same method to view your switch port VLAN
settings that you used to configure the switch port VLAN settings.
To configure and view VLAN switch port settings, you must do the following:
If you are using VMM or Network Controller to set up and manage your network, and you have deployed
Software Defined Networking (SDN ), you must use the VMNetworkAdapterIsolation cmdlets.
If you are using Windows Server 2016 Hyper-V Manager or Windows PowerShell cmdlets, and you have not
deployed Software Defined Networking (SDN ), you must use the VMNetworkAdapterVlan cmdlets.
Possible issues
If you do not follow these guidelines you might encounter the following issues.
In circumstances where you have deployed SDN and use VMM, Network Controller, or the
VMNetworkAdapterIsolation cmdlets to configure VLAN settings on a Hyper-V Virtual Switch port: If you
use Hyper-V Manager or Get VMNetworkAdapterVlan to view the configuration settings, the command
output will not display your VLAN settings. Instead you must use the Get-VMNetworkIsolation cmdlet to
view the VLAN settings.
In circumstances where you have not deployed SDN, and instead use Hyper-V Manager or the
VMNetworkAdapterVlan cmdlets to configure VLAN settings on a Hyper-V Virtual Switch port: If you use
the Get-VMNetworkIsolation cmdlet to view the configuration settings, the command output will not display
 your VLAN settings. Instead you must use the Get VMNetworkAdapterVlan cmdlet to view the VLAN
settings.
It is also important not to attempt to configure the same switch port VLAN settings by using both of these
configuration methods. If you do this, the switch port is incorrectly configured, and the result might be a failure in
network communication.
Resources
For more information on the Windows PowerShell commands that are mentioned in this topic, see the following:
Set-VmNetworkAdapterIsolation
Get-VmNetworkAdapterIsolation
Set-VMNetworkAdapterVlan
Get-VMNetworkAdapterVlan
 Create Security Policies with Extended Port Access
Control Lists
3/12/2019 • 9 minutes to read • Edit Online

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic provides information about extended port Access Control Lists (ACLs) in Windows Server 2016. You can
configure extended ACLs on the Hyper-V Virtual Switch to allow and block network traffic to and from the virtual
machines (VMs) that are connected to the switch via virtual network adapters.
This topic contains the following sections.
Detailed ACL rules
Stateful ACL rules

Detailed ACL rules

Hyper-V Virtual Switch extended ACLs allow you to create detailed rules that you can apply to individual VM
network adapters that are connected to the Hyper-V Virtual Switch. The ability to create detailed rules allows
Enterprises and Cloud Service Providers (CSPs) to address network-based security threats in a multitenant shared
server environment.
With extended ACLs, rather than having to create broad rules that block or allow all traffic from all protocols to or
from a VM, you can now block or allow the network traffic of individual protocols that are running on VMs. You can
create extended ACL rules in Windows Server 2016 that include the following 5-tuple set of parameters: source IP
address, destination IP address, protocol, source port, and destination port. In addition, each rule can specify
network traffic direction (in or out), and the action the rule supports (block or allow traffic).
For example, you can configure port ACLs for a VM to allow all incoming and outgoing HTTP and HTTPS traffic on
port 80, while blocking the network traffic of all other protocols on all ports.
This ability to designate the protocol traffic that can or cannot be received by tenant VMs provides flexibility when
you configure security policies.
Configuring ACL rules with Windows PowerShell
To configure an extended ACL, you must use the Windows PowerShell command Add-
VMNetworkAdapterExtendedAcl. This command has four different syntaxes, with a distinct use for each syntax:
1. Add an extended ACL to all of the network adapters of a named VM - which is specified by the first
parameter, -VMName. Syntax:

NOTE
If you want to add an extended ACL to one network adapter rather than all, you can specify the network adapter with
the parameter -VMNetworkAdapterName.
 Add-VMNetworkAdapterExtendedAcl [-VMName] <string[]> [-Action] <VMNetworkAdapterExtendedAclAction>
{Allow | Deny}
[-Direction] <VMNetworkAdapterExtendedAclDirection> {Inbound | Outbound} [[-LocalIPAddress]
<string>]
[[-RemoteIPAddress] <string>] [[-LocalPort] <string>] [[-RemotePort] <string>] [[-Protocol]
<string>] [-Weight]
<int> [-Stateful <bool>] [-IdleSessionTimeout <int>] [-IsolationID <int>] [-Passthru] [-
VMNetworkAdapterName
<string>] [-ComputerName <string[]>] [-WhatIf] [-Confirm] [<CommonParameters>]

2. Add an extended ACL to a specific virtual network adapter on a specific VM. Syntax:

Add-VMNetworkAdapterExtendedAcl [-VMNetworkAdapter] <VMNetworkAdapterBase[]> [-Action]

<VMNetworkAdapterExtendedAclAction> {Allow | Deny} [-Direction]
<VMNetworkAdapterExtendedAclDirection> {Inbound |
Outbound} [[-LocalIPAddress] <string>] [[-RemoteIPAddress] <string>] [[-LocalPort] <string>] [[-
RemotePort]
<string>] [[-Protocol] <string>] [-Weight] <int> [-Stateful <bool>] [-IdleSessionTimeout <int>] [-
IsolationID
<int>] [-Passthru] [-WhatIf] [-Confirm] [<CommonParameters>]

3. Add an extended ACL to all virtual network adapters that are reserved for use by the Hyper-V host
management operating system.

NOTE
If you want to add an extended ACL to one network adapter rather than all, you can specify the network adapter with
the parameter -VMNetworkAdapterName.

Add-VMNetworkAdapterExtendedAcl [-Action] <VMNetworkAdapterExtendedAclAction> {Allow | Deny} [-

Direction]
<VMNetworkAdapterExtendedAclDirection> {Inbound | Outbound} [[-LocalIPAddress] <string>] [[-
RemoteIPAddress]
<string>] [[-LocalPort] <string>] [[-RemotePort] <string>] [[-Protocol] <string>] [-Weight] <int> -
ManagementOS
[-Stateful <bool>] [-IdleSessionTimeout <int>] [-IsolationID <int>] [-Passthru] [-
VMNetworkAdapterName <string>]
[-ComputerName <string[]>] [-WhatIf] [-Confirm] [<CommonParameters>]

4. Add an extended ACL to a VM object that you have created in Windows PowerShell, such as $vm = get-vm
"my_vm". In the next line of code you can run this command to create an extended ACL with the following
syntax:

Add-VMNetworkAdapterExtendedAcl [-VM] <VirtualMachine[]> [-Action] <VMNetworkAdapterExtendedAclAction>

{Allow |
Deny} [-Direction] <VMNetworkAdapterExtendedAclDirection> {Inbound | Outbound} [[-LocalIPAddress]
<string>]
[[-RemoteIPAddress] <string>] [[-LocalPort] <string>] [[-RemotePort] <string>] [[-Protocol]
<string>] [-Weight]
<int> [-Stateful <bool>] [-IdleSessionTimeout <int>] [-IsolationID <int>] [-Passthru] [-
VMNetworkAdapterName
<string>] [-WhatIf] [-Confirm] [<CommonParameters>]

Detailed ACL rule examples

Following are several examples of how you can use the Add-VMNetworkAdapterExtendedAcl command to
configure extended port ACLs and to create security policies for VMs.
 Enforce application-level security
Enforce both user-level and application-level security
Provide security support to a non-TCP/UDP application

NOTE
The values for the rule parameter Direction in the tables below are based on traffic flow to or from the VM for which you are
creating the rule. If the VM is receiving traffic, the traffic is inbound; if the VM is sending traffic, the traffic is outbound. For
example, if you apply a rule to a VM that blocks inbound traffic, the direction of inbound traffic is from external resources to
the VM. If you apply a rule that blocks outbound traffic, the direction of outbound traffic is from the local VM to external
resources.

Enforce application-level security

Because many application servers use standardized TCP/UDP ports to communicate with client computers, it is
easy to create rules that block or allow access to an application server by filtering traffic going to and coming from
the port designated to the application.
For example, you might want to allow a user to login to an application server in your datacenter by using Remote
Desktop Connection (RDP ). Because RDP uses TCP port 3389, you can quickly set up the following rule:

DESTINATION DESTINATION
SOURCE IP IP PROTOCOL SOURCE PORT PORT DIRECTION ACTION

* * TCP * 3389 In Allow

Following are two examples of how you can create rules with Windows PowerShell commands. The first example
rule blocks all traffic to the VM named "ApplicationServer." The second example rule, which is applied to the
network adapter of the VM named "ApplicationServer," allows only inbound RDP traffic to the VM.

NOTE
When you create rules, you can use the -Weight parameter to determine the order in which the Hyper-V Virtual Switch
processes the rules. Values for -Weight are expressed as integers; rules with a higher integer are processed before rules with
lower integers. For example, if you have applied two rules to a VM network adapter, one with a weight of 1 and one with a
weight of 10, the rule with the weight of 10 is applied first.

Add-VMNetworkAdapterExtendedAcl -VMName "ApplicationServer" -Action "Deny" -Direction "Inbound" -Weight 1

Add-VMNetworkAdapterExtendedAcl -VMName "ApplicationServer" -Action "Allow" -Direction "Inbound" -LocalPort
3389 -Protocol "TCP" -Weight 10

Enforce both user-level and application-level security

Because a rule can match a 5-tuple IP packet (Source IP, Destination IP, Protocol, Source Port, and Destination
Port), the rule can enforce a more detailed security policy than a Port ACL.
For example, if you want to provide DHCP service to a limited number of client computers using a specific set of
DHCP servers, you can configure the following rules on the Windows Server 2016 computer that is running
Hyper-V, where the user VMs are hosted:

DESTINATION DESTINATION
SOURCE IP IP PROTOCOL SOURCE PORT PORT DIRECTION ACTION
 DESTINATION DESTINATION
SOURCE IP IP PROTOCOL SOURCE PORT PORT DIRECTION ACTION

* 255.255.255.2 UDP * 67 Out Allow

55

* 10.175.124.0/ UDP * 67 Out Allow

25

10.175.124.0/ * UDP * 68 In Allow

25

Following are examples of how you can create these rules with Windows PowerShell commands.

Add-VMNetworkAdapterExtendedAcl -VMName "ServerName" -Action "Deny" -Direction "Outbound" -Weight 1

Add-VMNetworkAdapterExtendedAcl -VMName "ServerName" -Action "Allow" -Direction "Outbound" -RemoteIPAddress
255.255.255.255 -RemotePort 67 -Protocol "UDP"-Weight 10
Add-VMNetworkAdapterExtendedAcl -VMName "ServerName" -Action "Allow" -Direction "Outbound" -RemoteIPAddress
10.175.124.0/25 -RemotePort 67 -Protocol "UDP"-Weight 20
Add-VMNetworkAdapterExtendedAcl -VMName "ServerName" -Action "Allow" -Direction "Inbound" -RemoteIPAddress
10.175.124.0/25 -RemotePort 68 -Protocol "UDP"-Weight 20

Provide security support to a non-TCP/UDP application

While most network traffic in a datacenter is TCP and UDP, there is still some traffic that utilizes other protocols.
For example, if you want to permit a group of servers to run an IP -multicast application that relies on Internet
Group Management Protocol (IGMP ), you can create the following rule.

NOTE
IGMP has a designated IP protocol number of 0x02.

DESTINATION DESTINATION
SOURCE IP IP PROTOCOL SOURCE PORT PORT DIRECTION ACTION

* * 0x02 * * In Allow

* * 0x02 * * Out Allow

Following is an example of how you can create these rules with Windows PowerShell commands.

Add-VMNetworkAdapterExtendedAcl -VMName "ServerName" -Action "Allow" -Direction "Inbound" -Protocol 2 -Weight

20
Add-VMNetworkAdapterExtendedAcl -VMName "ServerName" -Action "Allow" -Direction "Outbound" -Protocol 2 -Weight
20

Stateful ACL rules

Another new capability of extended ACLs allows you to configure stateful rules. A stateful rule filters packets based
on five attributes in a packet - Source IP, Destination IP, Protocol, Source Port, and Destination Port.
Stateful rules have the following capabilities:
They always allow traffic and are not used to block traffic.
If you specify that the value for the parameter Direction is inbound and traffic matches the rule, Hyper-V
 Virtual Switch dynamically creates a matching rule that allows the VM to send outbound traffic in response
to the external resource.
If you specify that the value for the parameter Direction is outbound and traffic matches the rule, Hyper-V
Virtual Switch dynamically creates a matching rule that allows the external resource inbound traffic to be
received by the VM.
They include a timeout attribute that is measured in seconds. When a network packet arrives at the switch
and the packet matches a stateful rule, Hyper-V Virtual Switch creates a state so that all subsequent packets
in both directions of the same flow are allowed. The state expires if there is no traffic in either direction in the
period of time that is specified by the timeout value.
Following is an example of how you can use stateful rules.
Allow inbound remote server traffic only after it is contacted by the local server
In some cases, a stateful rule must be employed because only a stateful rule can keep track of a known, established
connection, and distinguish the connection from other connections.
For example, if you want to allow a VM application server to initiate connections on port 80 to web services on the
Internet, and you want the remote Web servers to be able to respond to the VM traffic, you can configure a stateful
rule that allows initial outbound traffic from the VM to the Web services; because the rule is stateful, return traffic
to the VM from the Web servers is also allowed. For security reasons, you can block all other inbound network
traffic to the VM.
To achieve this rule configuration, you can use the settings in the table below.

NOTE
Due to formatting restrictions and the amount of information in the table below, the information is displayed differently than
in previous tables in this document.

PARAMETER RULE 1 RULE 2 RULE 3

Source IP * * *

Destination IP * * *

Protocol * * TCP

Source Port * * *

Destination Port * * 80

Direction In Out Out

Action Deny Deny Allow

Stateful No No Yes

Timeout (in seconds) N/A N/A 3600

The stateful rule allows the VM application server to connect to a remote Web server. When the first packet is sent
out, Hyper-V Virtual switch dynamically creates two flow states to allow all packets sent to and all returning packets
from the remote Web server. When the flow of packets between the servers stops, the flow states time out in the
designated timeout value of 3600 seconds, or one hour.
Following is an example of how you can create these rules with Windows PowerShell commands.

Add-VMNetworkAdapterExtendedAcl -VMName "ApplicationServer" -Action "Deny" -Direction "Inbound" -Weight 1

Add-VMNetworkAdapterExtendedAcl -VMName "ApplicationServer" -Action "Deny" -Direction "Outbound" -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName "ApplicationServer" -Action "Allow" -Direction "Outbound" 80 "TCP" -
Weight 100 -Stateful -Timeout 3600