Windows 10 Hyper-V Fall Update adds virtual TPM and nested virtualization

• Author
• Recent Posts

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Latest posts by Kyle Beckman (see all)

• Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
• Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
• Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016

Windows 10 includes a number of improvements to Client Hyper-V and Microsoft is adding more new features to Hyper-V in the Fall Update. First included as part of the Windows Insider build 10565, Client Hyper-V on Windows 10 now supports virtual Trusted Platform Module (TPM) chips as well as nested virtualization for running Hyper-V inside a VM.

Virtual TPM

The virtual TPM is included as part of Generation 2 VMs in Windows 10 if the Fall Update is installed. Because the virtual TPM isn’t emulated in software, a physical TPM must be present in the computer. If your computer doesn’t have a TPM or if the TPM is disabled in the BIOS, you will be missing the Trusted Platform Module section in your VM settings under Security.

VM settings for a Windows 10 PC without a physical TPM

VM settings for a Windows 10 PC with a physical TPM

To use the virtual TPM in a VM, you’ll first need to enable Isolated User Mode on your computer. To do that, go to the Cortana search box and search for Turn Windows Features on or off. Check Isolated User Mode, click OK, and then reboot when prompted.

Installing Isolated User Mode in the GUI

Next, you’ll need to run the Local Group Policy Editor by running gpedit.msc. In the Group Policy Editor, go to Computer Configuration, Administrative Templates, System, Device Guard. Double-click Turn On Virtualization Based Security. Set the policy to Enabled, click OK, and then reboot again.

Turning on Virtualization Based Security

As a last step, WinRM needs to be configured on your computer. If it hasn’t been configured, run winrm quickconfig to get it up and running at a command prompt with Admin rights. You should now be able to enable the TPM in your Generation 2 VMs.

Trusted Platform Module in Device Manager on a Windows 10 VM

Shielded VMs

One of the new options, Shielding, allows you to create a VM that is only accessible via the network and not the console. When setting the Shielding option for the VM, you’ll need to ensure that the VM is BitLocker-encrypted and accessible via RDP for management as well as PowerShell Remoting. After the VM is encrypted and Shielding is enabled, the VM is secured against attacks by users who are Admins on the host system.

If a local user does try to access the VM’s console, the user will receive the error, “You cannot connect to a shielded virtual machine using a Virtual Machine Connection. Use a Remote Desktop Connection instead.”

Error indicating that you cannot connect to a shielded virtual machine using a Virtual Machine Connection

For more information, please read Paul Schnackenburg’s article about shielded VMs.

Nested virtualization

Nested virtualization allows a user to run Hyper-V inside of Hyper-V. This functionality is eventually intended for Hyper-V Container support, but IT admins can definitely benefit from the feature by running Hyper-V inside of a VM for testing complex infrastructure scenarios.

Before you get started, you’ll need to make sure that your system meets the minimum requirements:

• Supported build. Your computer will need to be running the Windows 10 Pro x64 Insider Build 10565 or higher.
• Supported hypervisor. Nested virtualization currently only supports Hyper-V. I am hopeful that VMware and Xen support will be added at some future date.
• RAM, and lots of it. Hyper-V already requires a lot of RAM as you add VMs. If you’re going to be using nested virtualization, you’ll need a lot more of it. An absolute bare minimum starting amount is probably 8GB. My lab systems all start at 16GB… you’ll probably want even more than that if you’ll be running a lot of nested VMs.
• Intel VT-x. You’ll need to be running an Intel processor that supports VT-x; AMD processors are not currently supported.
• Isolated User Mode/Virtualization Based Security disabled. I covered how to enable this feature earlier in this article. Isolated User Mode/Virtualization Based Security must be disabled for nested virtualization to be enabled.
• No other unsupported features.  A number of other Hyper-V features cannot be used with nested virtualization:checkpoints, Live Migration (which you’re probably only using on servers anyway), Save/Restore, Dynamic Memory, and hot-adding memory. These features aren’t supported with nested virtualization.
• MAC spoofing enabled. You’ll need to enable MAC spoofing for any VMs that will be running nested virtualization. To do this, go into the VM settings and go to the Network adapter. Expand the options to show Hardware Acceleration and Advanced Features. Click Advanced Features and select the check box next to Enable MAC address spoofing.Alternatively, you can run the following PowerShell command:

  Set-VMNetworkAdapter –VMName $Nested_Virtualization_VM –MacAddressSpoofing on

Enabling MAC address spoofing on a Windows 10 VM

To enable nested virtualization, run the following PowerShell commands while your VM is not running:

Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Enable-NestedVm.ps1 -OutFile ~/Enable-NestedVm.ps1
~/Enable-NestedVm.ps1 -VmName $Nested_Virtualization_VM

After you run the commands, you’ll be able to install Hyper-V inside the VM and run nested VMs. Just remember that this is still a Preview feature and may still have some bugs in it.

A Windows 10 VM running inside a Windows 10 VM