Hyper-V Powering Windows Features
Published Dec 12 2019 02:28 PM 31.1K Views
Microsoft

December 2019

Hyper-V is Microsoft’s hardware virtualization technology. It was initially released with Windows Server 2008 to support server virtualization and has since become a core component of many Microsoft products and features. These features range from enhancing security to empowering developers to enabling the most compatible gaming console. Recent additions to this list include Windows Sandbox, Windows Defender Application Guard, System Guard and Advanced Threat Detection, Hyper-V Isolated-Containers, Windows Hypervisor Platform and Windows Subsystem for Linux 2. Additionally, applications using Hyper-V, such as Kubernetes for Windows and Docker Desktop, are also being introduced and improved.

 

As the scope of Windows virtualization has expanded to become an integral part of the operating system, many new OS capabilities have taken a dependency on Hyper-V. Consequently, this created compatibility issues with many popular third-party products that provide their own virtualization solutions, forcing users to choose between applications or losing OS functionality. Therefore, Microsoft has partnered extensively with key software vendors such as VMware, VirtualBox, and BlueStacks to provide updated solutions that directly leverage Microsoft virtualization technologies, eliminating the need for customers to make this trade-off.

 

Windows Sandbox

Windows Sandbox is an isolated, temporary desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, the entire state, including files, registry changes and the installed software, is permanently deleted. Windows Sandbox is built using the same technology we developed to securely operate multi-tenant Azure services like Azure Functions, and it provides integration with Windows 10 and support for UI-based applications.
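As an added example (not code from the original post), the following PowerShell script writes a locked-down Windows Sandbox configuration file (.wsb) and launches it. Networking, clipboard sharing and the virtual GPU are disabled, and a host folder is mapped read-only so the sandbox can read the files you want to inspect but cannot write anything back to the host. It assumes the Windows Sandbox optional feature is already enabled; the folder path and file name are placeholders; mapped folders are assumed to land on the sandbox desktop (the default); and the ClipboardRedirection and ProtectedClient elements need Windows 10 version 2004 or later, so drop them on 1903/1909.

```powershell
# Added example, not from the original post: build and launch a hardened
# Windows Sandbox configuration for inspecting untrusted files.
# Assumptions: Windows Sandbox feature enabled; paths below are placeholders.

$hostFolder = 'C:\Triage\Samples'               # placeholder host folder to expose
$wsbPath    = Join-Path $env:TEMP 'triage-sandbox.wsb'

if (-not (Test-Path $hostFolder)) {
    New-Item -ItemType Directory -Path $hostFolder | Out-Null
}

# By default a mapped folder appears on the sandbox desktop under the
# built-in WDAGUtilityAccount user, named after the host folder's leaf name.
$sandboxPath = "C:\Users\WDAGUtilityAccount\Desktop\$(Split-Path $hostFolder -Leaf)"

# Networking and clipboard are disabled so a sample cannot phone home or
# leak data via the shared clipboard; ReadOnly stops writes to the host folder.
# ClipboardRedirection/ProtectedClient require Windows 10 2004 or later.
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe "$sandboxPath"</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8

# .wsb files are associated with Windows Sandbox, so opening one starts it.
Start-Process -FilePath $wsbPath
```

Everything the sample does inside that session, including any persistence it attempts, is discarded when the sandbox window is closed; the only host-side artifact is the read-only folder you chose to expose.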

 

Windows Defender Application Guard

Windows Defender Application Guard (WDAG) is a Windows 10 security feature introduced in the Fall Creators Update (version 1709, aka RS3) that protects against targeted threats using Microsoft’s Hyper-V virtualization technology. WDAG augments Windows virtualization-based security capabilities to prevent zero-day kernel vulnerabilities from compromising the host operating system. WDAG also protects enterprise users of Microsoft Edge and Internet Explorer (IE) from zero-day kernel vulnerabilities by isolating a user’s untrusted browser sessions from the host operating system. Security-conscious enterprises use WDAG to lock down their enterprise host while allowing their users to browse non-enterprise content.

[Figure: clipboard_image_4.png] Application Guard isolates untrusted sites using a new instance of Windows at the hardware layer.

 

Windows Defender System Guard

In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:

  • To protect and maintain the integrity of the system as it starts up
  • To validate that system integrity has truly been maintained through local and remote attestation
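An added example, not part of the original post: a PowerShell function that reads the Win32_DeviceGuard WMI class to report whether virtualization-based security is running, which of its services (Credential Guard, memory integrity, System Guard Secure Launch) are configured versus actually running, and the Secure Boot and TPM state those guarantees rest on. The numeric-to-name mappings follow the documented values for that class as I understand them and should be checked against the documentation for your build; it assumes an elevated session on Windows 10 1709 or later.

```powershell
# Added example, not from the original post: report the virtualization-based
# security (VBS) state that System Guard and WDAG depend on.
# Assumptions: elevated PowerShell on Windows 10 1709+; the numeric codes below
# follow the documented Win32_DeviceGuard values as I understand them.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $services = @{
        1 = 'Credential Guard'
        2 = 'HVCI (memory integrity)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM firmware measurement'
    }

    # Map an array of service ids to names; unknown ids are kept visible as numbers.
    function ConvertTo-ServiceNames([uint32[]] $ids) {
        @($ids | ForEach-Object {
            if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "Unknown($_)" }
        }) -join ', '
    }

    # Secure Boot and TPM queries throw on legacy BIOS or on hosts without a TPM.
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'N/A (not UEFI)' }
    try   { $tpmReady   = (Get-Tpm).TpmReady }      catch { $tpmReady   = 'N/A' }

    # A service that is configured but not running deserves a look: it usually
    # means a missing prerequisite (IOMMU, Secure Boot) or a tampered setting.
    $notRunning = @($dg.SecurityServicesConfigured | Where-Object {
        $_ -notin @($dg.SecurityServicesRunning)
    })

    [pscustomobject]@{
        VbsStatus            = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured   = ConvertTo-ServiceNames $dg.SecurityServicesConfigured
        ServicesRunning      = ConvertTo-ServiceNames $dg.SecurityServicesRunning
        ConfiguredNotRunning = ConvertTo-ServiceNames $notRunning
        SecureBoot           = $secureBoot
        TpmReady             = $tpmReady
    }
}

Get-VbsStatus | Format-List
```

Run it across a fleet and the interesting rows are the ones where ConfiguredNotRunning is non-empty or VbsStatus is not Running: those are the machines on which the attestation guarantees described above are not actually in force, whatever policy says.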

 

Windows Defender Advanced Threat Detection

Detecting and stopping attacks that tamper with kernel-mode agents at the hypervisor level is a critical component of the unified endpoint protection platform in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). It’s not without challenges, but the deep integration of Windows Defender Antivirus with hardware-based isolation capabilities allows the detection of artifacts of such attacks.

 

Hyper-V Isolated Containers

Hyper-V plays an important role in the container development experience on Windows 10. Since Windows containers require a tight coupling between their OS version and the host they run on, Hyper-V is used to encapsulate containers on Windows 10 in a transparent, lightweight virtual machine. Colloquially, we call these "Hyper-V Isolated Containers". These containers are run in VMs that have been specifically optimized for speed and efficiency when it comes to host resource usage. Hyper-V Isolated Containers most notably allow developers to develop for multiple Linux distros and Windows at the same time, and are managed just like any container developer would expect, as they integrate with all the same tooling (e.g. Docker).

 

Windows Hypervisor Platform

The Windows Hypervisor Platform (WHP) adds an extended user-mode API for third-party virtualization stacks and applications to create and manage partitions at the hypervisor level, configure memory mappings for the partition, and create and control execution of virtual processors. The primary value here is that third-party virtualization software (such as VMware) can co-exist with Hyper-V and other Hyper-V based features. Virtualization-Based Security (VBS) is a recent technology that has enabled this co-existence.

WHP provides an API similar to that of Linux's KVM and macOS's Hypervisor Framework, and is currently leveraged on projects by QEMU and VMware.

 

[Figure: clipboard_image_5.png] This diagram provides a high-level overview of a third-party virtualization stack running on the Windows Hypervisor Platform.

 

Windows Subsystem for Linux 2

WSL 2 is the newest version of the architecture that powers the Windows Subsystem for Linux to run ELF64 Linux binaries on Windows. Its feature updates include increased file system performance as well as full system call compatibility. This new architecture changes how these Linux binaries interact with Windows and your computer’s hardware, but still provides the same user experience as WSL 1 (the current widely available version). The main difference is that WSL 2 runs a true Linux kernel inside a lightweight virtual machine. Individual Linux distros can be run either as a WSL 1 distro or as a WSL 2 distro, can be upgraded or downgraded at any time, and WSL 1 and WSL 2 distros can run side by side.
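As an added example (not code from the original post, and covering the WDAG, Windows Hypervisor Platform, Sandbox and WSL 2 sections above together): a PowerShell inventory of which of these Hyper-V-backed optional features are enabled on a Windows 10 machine, whether a hypervisor is actually loaded, and which architecture version each WSL distro uses. The feature names are the DISM optional-feature identifiers; it assumes an elevated session on Windows 10 1903 or later (wsl --list --verbose needs 1903), and the distro name in the commented conversion command is a placeholder.

```powershell
# Added example, not from the original post: inventory the Hyper-V-backed
# features this article describes before installing a third-party hypervisor.
# Assumptions: elevated PowerShell on Windows 10 1903+; feature names are the
# DISM optional-feature identifiers.

$features = [ordered]@{
    'Microsoft-Hyper-V-All'             = 'Hyper-V role and management tools'
    'HypervisorPlatform'                = 'Windows Hypervisor Platform (WHP API)'
    'VirtualMachinePlatform'            = 'Virtual Machine Platform (WSL 2 kernel VM)'
    'Microsoft-Windows-Subsystem-Linux' = 'Windows Subsystem for Linux'
    'Containers'                        = 'Windows containers'
    'Containers-DisposableClientVM'     = 'Windows Sandbox'
    'Windows-Defender-ApplicationGuard' = 'Windows Defender Application Guard'
}

function Get-HyperVFeatureInventory {
    foreach ($name in $features.Keys) {
        # Unknown feature names (e.g. on a Home SKU) are reported rather than thrown.
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Feature = $name
            Purpose = $features[$name]
            State   = if ($f) { $f.State } else { 'NotPresentOnThisSKU' }
        }
    }
}

Get-HyperVFeatureInventory | Format-Table -AutoSize

# Whether a hypervisor (Hyper-V) is loaded underneath the running OS. This is what
# a third-party hypervisor has to co-exist with, via WHP, rather than replace.
$hvPresent = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
"Hypervisor present at boot: $hvPresent"

# WSL distros and the architecture version (1 or 2) each one uses.
wsl --list --verbose

# To move a distro onto the WSL 2 kernel VM (distro name is a placeholder):
# wsl --set-version Ubuntu 2
```

A feature showing Enabled while HypervisorPresent is False is the classic symptom of the compatibility problem the article describes: the feature is installed but the hypervisor it needs has been disabled, typically to make a third-party virtualization product work.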

 

Kubernetes Support for Windows

Kubernetes started officially supporting Windows Server in production with the release of Kubernetes version 1.14 (in March 2019). Windows-based applications constitute a large portion of the workloads in many organizations. Windows containers provide a modern way for these Windows applications to use DevOps processes and cloud native patterns. Kubernetes has become the de facto standard for container orchestration; hence this support enables a vast ecosystem of Windows applications to not only leverage the power of Kubernetes, but also to leverage the robust and growing ecosystem surrounding it. Organizations with investments in both Windows-based applications and Linux-based applications no longer need to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments. The engineering that supported this release relied upon open source and community led approaches that originally brought Windows Server containers to Windows Server 2016.

 

These components and tools have allowed Microsoft’s Hyper-V technology to introduce new ways of enabling customer experiences. Windows Sandbox, Windows Defender Application Guard, System Guard and Advanced Threat Detection, Hyper-V Isolated-Containers, Windows Hypervisor Platform and Windows Subsystem for Linux 2 are all new Hyper-V components that ensure the security and flexibility customers should expect from Windows. The coordination of applications using Hyper-V, such as Kubernetes for Windows and Docker Desktop also represent Microsoft’s dedication to customer needs, which will continue to stand for our main sentiment going forward.

37 Comments

Hyper-V has always been the best choice for me, installing VMware workstation pro 15.5 requires too much compromise in terms of security as it is not compatible with any virtual security features of Windows 10

Brass Contributor
Hi, definitely, all mentioned features are very valuable and appreciated. However, I'm still waiting for a couple more: 1) Support for GPU paravirtualization (similar to what's implemented for Sandbox) for regular Windows virtual machines. You took away support for RemoteFX and gave nothing to replace it with :( Nowadays, VMs are used not only for server scenarios, but also for isolated work (development environment in my case), so great UI experience and performance are very important. 2) Support for DDA (Discrete Device Assignment) on client versions of Windows 10 (again, would be very useful for scenarios like described above). Any hope to see any of these implemented in the nearest future?

@andsav totally agree with you, mentioned important points there

Microsoft

@andsav Hey, thanks for the feedback. What applications are you interested in running in your dev VM that requires GPU acceleration? Likewise, what types of devices are you interested in using DDA to inject into your VMs on Windows 10 Pro/Enterprise?

Brass Contributor
@Craig Really, all sorts of apps. I'm constantly observing low rendering speed in my VM, and the more apps I run, the worse UI performance is. Primarily, I use Visual Studio 2019, which seems to significantly affect all other apps' rendering (I even reported an issue about that here https://developercommunity.visualstudio.com/content/problem/799943/visual-studio-noticeably-slows-do...). Even when VS performs well, it's not enough for many scenarios like working with UI designers. Some debugging experiences are super slow, like opening a Concurrent Stacks view or TPL Tasks list - it can redraw for tens of seconds in some heavy cases. Also, there are many apps which render far slower than on the local host, like Outlook, Teams, Skype, Edge (sometimes super slow) and many others. Even Windows Explorer often renders very slowly. Web UI stands separately, since it can contain some effects, animations etc., which are bad during viewing as well as developing. The same is for developing desktop apps with rich UI and animations. (And there is no point to even mention working with 3D.) How can you estimate your "Fluent UI" if it just can't be fluent without a real GPU? I should note that I have a pretty powerful PC, meaning there is always enough physical memory, CPU and SSD throughput for a VM to be superfast, and it is, except for UI. And it makes no difference if I use a regular localhost RDP connection, use the Hyper-V console RDP, or if I do tweaks to VNet settings like VNet queue etc. Regarding DDA, I'm considering just what currently exists for Windows Server - injecting an NVMe SSD (I have two and one is dedicated to the VM and both are installed directly in the PCIe through an adapter), and injecting a dedicated GPU card. I consider the latter as an alternative to GPU paravirtualization, though I would prefer to share my host GPU. However, I can imagine many people who would be really happy to be able to use a dedicated GPU in their VM for more GPU-intensive tasks, e.g. machine learning and other computations (though I'm not sure that some kind of artist would work with Photoshop or Maya in a VM). This can be not extra expensive if you have an integrated GPU, which can be left to the host, and a discrete GPU, which can be injected into a VM.

@Craig Wilhite Hi,

I want to use consumer graphic cards from AMD/Nvidia in Hyper-V VMs, to not necessarily need to buy server graphic cards for GPU virtualization in Hyper-V.

 

 

Iron Contributor

eliminating the need for customers to make this trade-off.

One trade-off never mentioned is that for the situation of when you want to deploy any of this cool new functionality in a VM, you are required to have an Intel CPU.  The uservoice feedback for Nested virtualization for AMD Epyc and Ryzen will hit #1 most voted entry in the General feedback section sometime in 2020, and yet there's been total radio silence on if this will ever happen or even is being worked on.  Meanwhile, more and more Windows functionality requires Hyper-V virtualization.

Oh, I didn't know nested virtualization requires only Intel CPUs.

 

Brass Contributor
@Craig Wilhite I shot a sample video showing how just a Windows Explorer window redraws when minimizing/restoring in a VM; the link will be active for one week: https://1drv.ms/v/s!AuaAKPMkiTEAxu0lAp7cXijMGkQdfw?e=GQKiiY . I put the Task Manager side by side to show how much free resources the VM has (refresh rate is set to Low to not add to the rendering work too much). Note that this is far from the worst case.
Bronze Contributor

"Microsoft has partnered extensively with key software vendors such as VMware, VirtualBox, and BlueStacks to provide updated solutions that directly leverage Microsoft virtualization technologies, eliminating the need for customers to make this trade-off" makes it sound like it's all done, problem solved.

 

Unless I missed something, it isn't. If you enable even Sandbox (which uses only one Hyper-V service), for example, VirtualBox doesn't run. I think VMware is in the same boat. So, you have to do something like this, which involves a reboot.

Iron Contributor

@Brian wrote:
for example, Virtualbox doesn't run

The reason for the confusion over this is that it did work, but only for a small period of time. 1809 Hyper-V and VirtualBox 6.0 do work together. The problem is that during the insider builds of 1903, then the 1903 release, the 1909 release, and up to and including this week's insider build, it doesn't work anymore. You can see screenshots and the death of the feature on the VirtualBox forum.

 

 

Copper Contributor

sorry dear Microsoft, but Windows Hyper-V is a joke in terms of Enterprise capabilities compared to VMware ESXi.

@areyou1o0 

Care to explain more? Because I'm interested to know more.

 

by the way,

Hyper-V inside Windows 10 = VMware workstation pro

Hyper-V server = VMware ESXI

I hope you were comparing the right products together. Anyway, I want to know why you say it's a joke; I had my fair share of experience with all of them.

 

Copper Contributor

@HotCakeX Greenshot 2019-12-16 14.45.03.png

 

This article is about the servers and not about the PC (Desktop/Notebook/Tablet) OS. I don't know why everyone here is talking about the PC (Desktop/Notebook/Tablet) OS and comparing apples with oranges.

 

I'm happy for any Microsoft Hyper-V solution that can replace a decent HyperVisor.

 

As a virtualization visor, Microsoft has lost nothing. No decent HA, no decent RDS, from the unusable network configuration when it comes to network segmentation. The 10GB or 100GB network is a joke in the implementation of the Microsoft Hyper-V.

 

ESXi, vSAN, vSphere, NSX-T and all that smoothly without problems with 10GB, 100GB, and extremely complex networks.

 

Copper Contributor

Hyper-V has always been the best choice for me, installing VMware workstation pro 15.5 requires too much compromise in terms of security as it is not compatible with any virtual security features of Windows 10

what security compromises does VMware Workstation Pro require? That would interest me a lot.

@areyou1o0 

It needs to disable all the virtual security features of Windows 10 and Windows Defender. 

Brass Contributor
@areyou1o0 everyone here is talking about the PC because the article is exactly about the PC in most parts: Sandbox is a PC interactive desktop feature, WDAG and Windows Defender Advanced Threat Detection are pretty much desktop features, "Hyper-V Isolated Containers most notably allow *developers* to develop for multiple Linux distros and Windows at the same time and are managed just like any container developer would expect as they integrate with all the same tooling (e.g. Docker)" - developers work on desktop PCs, Windows Hypervisor Platform again allows many developer things to work on a PC (e.g. Android emulator), Windows Subsystem for Linux 2 is a 100% desktop feature for developers. And only "Kubernetes Support for Windows" is about a server scenario.

@areyou1o0 

I didn't confuse the two, I actually explained them so you won't confuse them with each other.

 

so, you are saying that networking in Hyper-V is a joke because it can't handle 10Gbit and 100Gbit connections?

you said no decent HA, but there is DDA (Discrete Device Assignment).

 

"no decent RDS" what does that even mean exactly? that's so broad and unclear 

Copper Contributor

@andsav 

you're in the wrong place because this is about servers.

Greenshot 2019-12-16 15.31.33.png

@areyou1o0 is Windows Sandbox available in Windows server? nope.

Copper Contributor

@HotCakeX

It needs to disable all the virtual security features of Windows 10 and Windows Defender.

I use VMware Workstation Pro on my Windows 10 1909 Enterprise Notebook and have never had to disable or customize anything to make VMware Workstation run.

Copper Contributor

funny Microsoft forum, Either it is the Server or desktop OS.

@areyou1o0 

I use Windows 10 pro 1909 x64 and VMware workstation pro 15.5 and the experience was awful.

it is NECESSARY for Core Isolation inside Windows Defender and Windows Defender Application Guard to be turned off in order to launch a VM inside VMware Workstation pro 15.5.

it doesn't matter if you didn't have to turn off anything, it could be that you weren't using any of those security features in the first place or you were using a 3rd party AV solution.

either way, the fact is VMware does not work with the security features I mentioned above.

 

Copper Contributor

@HotCakeX 

sorry a typo DRS not RDS

vSphere DRS = https://www.vmware.com/ch/products/vsphere/drs-dpm.html

vSphere HA = https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.avail.doc/GUID-33A65FF7-DA22-4DC5-8...

 

Yes, exactly: that Hyper-V cannot do complex networks is exactly the killer criterion in the enterprise environment.

"funny Microsoft forum, Either it is the Server or desktop OS."

 

Not really, the majority of the communities are dedicated to online apps and web apps.

@areyou1o0 DRS (Distributed Resource Scheduler) is also available in Hyper-V, using SCVMM (System Center Virtual Machine Manager)

and that is OK because on VMware products, you need to install lots of other components: vMotion, vCenter, ESXi etc.

 

Copper Contributor

@HotCakeX 

I manage my desktop like 10'000 others with VMware Workspace One by AirWatch. The security policies come from there and the Active Directory GPO.

I use VMware Workstation to test machines before I publish them to the VMware Horizon VDI infrastructure.

Copper Contributor

@HotCakeX 

I install ESXi and vCenter; everything else is unlocked with the license and does not require an extra server.
ESXi on the hosts and vCenter as an appliance, and that's it.

 

I don't need SCCM or anything else for that.

I use the SCCM only for a few things, everything else I do with the Horizon or the Workspace ONE by AirWatch environment.

@areyou1o0 

"I manage my desktop like 10'000 others with VMware Workspace One by AirWatch. The security policies come from there and the Active Directory GPO. I use VMware Workstation to test machines before I publish them to the VMware Horizon VDI infrastructure."

 

Okay good for you

@areyou1o0 

"I install ESXi and vCenter; everything else is unlocked with the license and does not require an extra server.
ESXi on the hosts and vCenter as an appliance, and that's it.

I don't need SCCM or anything else for that.

I use the SCCM only for a few things, everything else I do with the Horizon or the Workspace ONE by AirWatch environment."

 

Not the SCCM but SCVMM (virtual machine manager).

and I didn't say you need to use it, I said that Hyper-V also has DRS and it is done through SCVMM, which not only supports Hyper-V but also supports other hypervisors from other brands.

 

cool, there are many solutions out there to use.

 

Copper Contributor

@HotCakeX 

Why must there be a separate server (SCVMM) for such banalities as HA and DRS, then, if you can have it all in one piece?

 

For this reason alone, the Fortune 500 probably only has VMware ESXi and Co. in use.

 

Microsoft's Hyper-V only plays a minor role as a niche player. I am speaking here from decades of experience as a Senior Systems Engineer. Here in Switzerland, Hyper-V only occurs in companies that do not attach importance to a highly available infrastructure. Because these have only 1 or 2 hosts and no more.

 

Especially since the license costs at Microsoft are already overstated and you can save money if you use VMware ESXi. Then the sinfully expensive Windows licenses are more bearable.

 

Just last month I negotiated a new Enterprise contract with Microsoft and now we can save a lot of money. Many unnecessary server license costs could be saved. I'll be glad when we get rid of SCCM; then we can save a lot of money again.

@areyou1o0 

VMware needs separate servers and very strong ones for each one of their components too, I've had my fair share of experience with VMware products too. 

https://serverfault.com/questions/385105/how-does-vmware-vcenter-server-work-and-what-are-the-benefi...

 

so it's not like Microsoft needs a separate server for each component while VMware components can all be installed on the same server, because that's risky and impractical.

 

vCenter from VMware = SCVMM (System Center Virtual Machine Manager) so I don't know why you try to get rid of SCVMM but love to use vCenter.

 

vCenter Server requires a separate license.

 

Comparison:

https://blog.heroix.com/blog/virtualization-licensing

 

 

Copper Contributor

You're assuming totally outdated data.


vCenter / vSphere is a Linux appliance and not a Windows server anymore, and has been since version 6.x. So VMware no longer needs a single Windows server to manage the vSphere environment.

 

You only pay for the vCenter and what you want in addition, vSAN, NSX-T. These are all Linux appliances and therefore no Windows servers.

@areyou1o0 

"You're assuming totally outdated data. vCenter / vSphere is a Linux appliance and not a Windows server anymore, and has been since version 6.x. So VMware no longer needs a single Windows server to manage the vSphere environment.

You only pay for the vCenter and what you want in addition, vSAN, NSX-T. These are all Linux appliances and therefore no Windows servers."

 

When did I say that you need Windows Server? Or that vCenter/vSphere are based on Windows Server? Nowhere.

so who is assuming wrong?

Copper Contributor
@Craig Wilhite would be great if Hyper-V could add COM port passthrough from host to VMs. Would make a huge difference for those working with microcontrollers or other serial and USB-to-serial adapters.
Copper Contributor
@silviuk I've had COM port passthrough working, via a super obscure `Set-VMComPort` PowerShell call. There's a small writeup here: https://github.com/peterwishart/StreamConnect. These appear as standard ports in the VM but are actually named pipes on the host.
Copper Contributor

Every good IT person needs every tool available to make their life easier. Hyper-V has come a long way and is a lot cheaper than VMware ESXi! VMware is nice but it gets expensive fast!! Hyper-V is a lot more tightly integrated to work with Microsoft Cluster Services than VMware. However, with the future release of Windows 11 you can have it all!! Say goodbye to dual boot and do it all from one!!
