The Windows 10 Fall Update (released November 2015) includes two big new features for Hyper-V: support for nested virtualization and support for virtual Trusted Platform Module (TPM). These features were first made available in Windows Insider Builds 10565 and 10576. In this article, I’ll show you how you can use both. 

Windows 10 includes a number of improvements to Client Hyper-V and Microsoft is adding more new features to Hyper-V in the Fall Update. First included as part of the Windows Insider build 10565, Client Hyper-V on Windows 10 now supports virtual Trusted Platform Module (TPM) chips as well as nested virtualization for running Hyper-V inside a VM.

Virtual TPM ^

The virtual TPM is included as part of Generation 2 VMs in Windows 10 if the Fall Update is installed. Because the virtual TPM isn’t emulated in software, a physical TPM must be present in the computer. If your computer doesn’t have a TPM or if the TPM is disabled in the BIOS, you will be missing the Trusted Platform Module section in your VM settings under Security.

VM settings for a Windows 10 PC without a physical TPM
VM settings for a Windows 10 PC without a physical TPM

VM settings for a Windows 10 PC with a physical TPM
VM settings for a Windows 10 PC with a physical TPM

To use the virtual TPM in a VM, you’ll first need to enable Isolated User Mode on your computer. To do that, go to the Cortana search box and search for Turn Windows Features on or off. Check Isolated User Mode, click OK, and then reboot when prompted.

Installing Isolated User Mode in the GUI
Installing Isolated User Mode in the GUI

Next, you’ll need to run the Local Group Policy Editor by running gpedit.msc. In the Group Policy Editor, go to Computer Configuration, Administrative Templates, System, Device Guard. Double-click Turn On Virtualization Based Security. Set the policy to Enabled, click OK, and then reboot again.

Turning on Virtualization Based Security
Turning on Virtualization Based Security

As a last step, WinRM needs to be configured on your computer. If it hasn’t been configured, run winrm quickconfig to get it up and running at a command prompt with Admin rights. You should now be able to enable the TPM in your Generation 2 VMs.

Trusted Platform Module in Device Manager on a Windows 10 VM

Trusted Platform Module in Device Manager on a Windows 10 VM

Shielded VMs ^

One of the new options, Shielding, allows you to create a VM that is only accessible via the network and not the console. When setting the Shielding option for the VM, you’ll need to ensure that the VM is BitLocker-encrypted and accessible via RDP for management as well as PowerShell Remoting. After the VM is encrypted and Shielding is enabled, the VM is secured against attacks by users who are Admins on the host system.

If a local user does try to access the VM’s console, the user will receive the error, “You cannot connect to a shielded virtual machine using a Virtual Machine Connection. Use a Remote Desktop Connection instead.”

Error indicating that you cannot connect to a shielded virtual machine using a Virtual Machine Connection
Error indicating that you cannot connect to a shielded virtual machine using a Virtual Machine Connection

For more information, please read Paul Schnackenburg’s article about shielded VMs.

Nested virtualization ^

Nested virtualization allows a user to run Hyper-V inside of Hyper-V. This functionality is eventually intended for Hyper-V Container support, but IT admins can definitely benefit from the feature by running Hyper-V inside of a VM for testing complex infrastructure scenarios.

Before you get started, you’ll need to make sure that your system meets the minimum requirements:

  • Supported build. Your computer will need to be running the Windows 10 Pro x64 Insider Build 10565 or higher.
  • Supported hypervisor. Nested virtualization currently only supports Hyper-V. I am hopeful that VMware and Xen support will be added at some future date.
  • RAM, and lots of it. Hyper-V already requires a lot of RAM as you add VMs. If you’re going to be using nested virtualization, you’ll need a lot more of it. An absolute bare minimum starting amount is probably 8GB. My lab systems all start at 16GB… you’ll probably want even more than that if you’ll be running a lot of nested VMs.
  • Intel VT-x. You’ll need to be running an Intel processor that supports VT-x; AMD processors are not currently supported.
  • Isolated User Mode/Virtualization Based Security disabled. I covered how to enable this feature earlier in this article. Isolated User Mode/Virtualization Based Security must be disabled for nested virtualization to be enabled.
  • No other unsupported features.  A number of other Hyper-V features cannot be used with nested virtualization:checkpoints, Live Migration (which you’re probably only using on servers anyway), Save/Restore, Dynamic Memory, and hot-adding memory. These features aren’t supported with nested virtualization.
  • MAC spoofing enabled. You’ll need to enable MAC spoofing for any VMs that will be running nested virtualization. To do this, go into the VM settings and go to the Network adapter. Expand the options to show Hardware Acceleration and Advanced Features. Click Advanced Features and select the check box next to Enable MAC address spoofing.Alternatively, you can run the following PowerShell command:
    Set-VMNetworkAdapter –VMName $Nested_Virtualization_VM –MacAddressSpoofing on

Enabling MAC address spoofing on a Windows 10 VM

Enabling MAC address spoofing on a Windows 10 VM

To enable nested virtualization, run the following PowerShell commands while your VM is not running:

Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Enable-NestedVm.ps1 -OutFile ~/Enable-NestedVm.ps1
~/Enable-NestedVm.ps1 -VmName $Nested_Virtualization_VM

After you run the commands, you’ll be able to install Hyper-V inside the VM and run nested VMs. Just remember that this is still a Preview feature and may still have some bugs in it.

A Windows 10 VM running inside a Windows 10 VM
A Windows 10 VM running inside a Windows 10 VM

0
9 Comments
  1. Pietro 6 years ago

    everything worked, however the TPM chip in the VM is not active, and when I select prepare TPM I receive error that hardware is not ready, turn on TPM chip in the BIOS

    Any idea?

    Pietro

    0

    • Author

      It would be very helpful to have the full text of the error message. You may also want to check the Event Log to see if any additional error messages or codes were logged.

      0

  2. Vince 6 years ago

    Thanks for the review. Why does virtualization-based security need to be disabled in order to run Nested VMs?

    0

    • Author

      It's an either/or thing... you can't run both at the same time. My understanding is that the virtualization-based security is launching processes inside the virtualization layer that the nested virtulization needs to use. If I had to guess, this will probably end up being a temporary limitation as the hardware improves over time.

      0

  3. Laurent 5 years ago

    Getting : The virtual machine 'test'
    cannot start because Isolated User Mode is Off

    But Isolated User Mode is enabled in Turn Windows Feature ....

    0

  4. jc777 5 years ago

    Isolated Usermode cannot be enabled on Windows Server 2016 TP5. Can anybody advise how to do it?

    0

  5. Troy 5 years ago

    Was Larent's question ever answered?, I've been through the confirmation of isolated user mode is turned on, winrm on, and virtual based security policy enabled, for sometime now and get the same error message when starting Virtual machine, Isolated user mode is not enabled.
    I understand the Windows10 anniversary edition is due out soon which is supposed to not need it turned on in the same fashion, so I'm wondering if this will finally bring a fix. Still curious on what I'm missing to get it to recognized that isolated user mode is indeed turned on.

    0

  6. Laurent 5 years ago

    Need to make sure that UEFI and Secure boot is enabled.

    Check on msinfo32.exe

     

    0

  7. Troy 5 years ago

    These powershell scripts fixed issue of isolated user mode not working.

    http://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx

     

    0

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account