- Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
- Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
- Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016
Windows 10 includes a number of improvements to Client Hyper-V and Microsoft is adding more new features to Hyper-V in the Fall Update. First included as part of the Windows Insider build 10565, Client Hyper-V on Windows 10 now supports virtual Trusted Platform Module (TPM) chips as well as nested virtualization for running Hyper-V inside a VM.
The virtual TPM is included as part of Generation 2 VMs in Windows 10 if the Fall Update is installed. Because the virtual TPM isn’t emulated in software, a physical TPM must be present in the computer. If your computer doesn’t have a TPM or if the TPM is disabled in the BIOS, you will be missing the Trusted Platform Module section in your VM settings under Security.
VM settings for a Windows 10 PC without a physical TPM
VM settings for a Windows 10 PC with a physical TPM
To use the virtual TPM in a VM, you’ll first need to enable Isolated User Mode on your computer. To do that, go to the Cortana search box and search for Turn Windows Features on or off. Check Isolated User Mode, click OK, and then reboot when prompted.
Installing Isolated User Mode in the GUI
Next, you’ll need to run the Local Group Policy Editor by running gpedit.msc. In the Group Policy Editor, go to Computer Configuration, Administrative Templates, System, Device Guard. Double-click Turn On Virtualization Based Security. Set the policy to Enabled, click OK, and then reboot again.
Turning on Virtualization Based Security
As a last step, WinRM needs to be configured on your computer. If it hasn’t been configured, run winrm quickconfig to get it up and running at a command prompt with Admin rights. You should now be able to enable the TPM in your Generation 2 VMs.
Trusted Platform Module in Device Manager on a Windows 10 VM
One of the new options, Shielding, allows you to create a VM that is only accessible via the network and not the console. When setting the Shielding option for the VM, you’ll need to ensure that the VM is BitLocker-encrypted and accessible via RDP for management as well as PowerShell Remoting. After the VM is encrypted and Shielding is enabled, the VM is secured against attacks by users who are Admins on the host system.
If a local user does try to access the VM’s console, the user will receive the error, “You cannot connect to a shielded virtual machine using a Virtual Machine Connection. Use a Remote Desktop Connection instead.”
Error indicating that you cannot connect to a shielded virtual machine using a Virtual Machine Connection
For more information, please read Paul Schnackenburg’s article about shielded VMs.
Nested virtualization allows a user to run Hyper-V inside of Hyper-V. This functionality is eventually intended for Hyper-V Container support, but IT admins can definitely benefit from the feature by running Hyper-V inside of a VM for testing complex infrastructure scenarios.
Before you get started, you’ll need to make sure that your system meets the minimum requirements:
- Supported build. Your computer will need to be running the Windows 10 Pro x64 Insider Build 10565 or higher.
- Supported hypervisor. Nested virtualization currently only supports Hyper-V. I am hopeful that VMware and Xen support will be added at some future date.
- RAM, and lots of it. Hyper-V already requires a lot of RAM as you add VMs. If you’re going to be using nested virtualization, you’ll need a lot more of it. An absolute bare minimum starting amount is probably 8GB. My lab systems all start at 16GB… you’ll probably want even more than that if you’ll be running a lot of nested VMs.
- Intel VT-x. You’ll need to be running an Intel processor that supports VT-x; AMD processors are not currently supported.
- Isolated User Mode/Virtualization Based Security disabled. I covered how to enable this feature earlier in this article. Isolated User Mode/Virtualization Based Security must be disabled for nested virtualization to be enabled.
- No other unsupported features. A number of other Hyper-V features cannot be used with nested virtualization:checkpoints, Live Migration (which you’re probably only using on servers anyway), Save/Restore, Dynamic Memory, and hot-adding memory. These features aren’t supported with nested virtualization.
- MAC spoofing enabled. You’ll need to enable MAC spoofing for any VMs that will be running nested virtualization. To do this, go into the VM settings and go to the Network adapter. Expand the options to show Hardware Acceleration and Advanced Features. Click Advanced Features and select the check box next to Enable MAC address spoofing.Alternatively, you can run the following PowerShell command:
Set-VMNetworkAdapter –VMName $Nested_Virtualization_VM –MacAddressSpoofing on
Enabling MAC address spoofing on a Windows 10 VM
To enable nested virtualization, run the following PowerShell commands while your VM is not running:
Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Enable-NestedVm.ps1 -OutFile ~/Enable-NestedVm.ps1 ~/Enable-NestedVm.ps1 -VmName $Nested_Virtualization_VM
After you run the commands, you’ll be able to install Hyper-V inside the VM and run nested VMs. Just remember that this is still a Preview feature and may still have some bugs in it.
A Windows 10 VM running inside a Windows 10 VM
Want to write for 4sysops? We are looking for new authors.
everything worked, however the TPM chip in the VM is not active, and when I select prepare TPM I receive error that hardware is not ready, turn on TPM chip in the BIOS
It would be very helpful to have the full text of the error message. You may also want to check the Event Log to see if any additional error messages or codes were logged.
Thanks for the review. Why does virtualization-based security need to be disabled in order to run Nested VMs?
It’s an either/or thing… you can’t run both at the same time. My understanding is that the virtualization-based security is launching processes inside the virtualization layer that the nested virtulization needs to use. If I had to guess, this will probably end up being a temporary limitation as the hardware improves over time.
Getting : The virtual machine ‘test’
cannot start because Isolated User Mode is Off
But Isolated User Mode is enabled in Turn Windows Feature ….
Isolated Usermode cannot be enabled on Windows Server 2016 TP5. Can anybody advise how to do it?
Was Larent’s question ever answered?, I’ve been through the confirmation of isolated user mode is turned on, winrm on, and virtual based security policy enabled, for sometime now and get the same error message when starting Virtual machine, Isolated user mode is not enabled.
I understand the Windows10 anniversary edition is due out soon which is supposed to not need it turned on in the same fashion, so I’m wondering if this will finally bring a fix. Still curious on what I’m missing to get it to recognized that isolated user mode is indeed turned on.
Need to make sure that UEFI and Secure boot is enabled.
Check on msinfo32.exe
These powershell scripts fixed issue of isolated user mode not working.