Windows Server 2016 Hyper-V: More secure, but not faster

Hyper-V 2016 tightens VM security and eases management, but seems to have lost a step


With Windows Server 2016, Microsoft has introduced a lengthy list of improvements to Hyper-V. Along with functional additions like container support, nested virtualization, and increased memory and vCPU limits, you’ll find a number of new features, including production-grade checkpoints and the ability to hot-add memory and network adapters, that ease administration.

But Microsoft’s primary goal in the 2016 Hyper-V release seems to have been to improve security. In fact, I would go so far as to say that Hyper-V’s new killer feature is shielded VMs, which combine BitLocker encryption inside the guest with the new Host Guardian Service to ensure that virtual machines run only on authorized hosts.

If one Hyper-V 2016 feature would push me to upgrade, it would be the shielded VM feature. But the higher memory ceiling for Generation 2 VMs, and the ability to hot-add memory and network adapters to running virtual machines, are also big draws.

One area Hyper-V 2016 may not improve is VM performance. In fact, my Sandra benchmark tests of a Windows Server 2012 R2 virtual machine on Hyper-V 2012 R2 versus Hyper-V 2016 indicate a step backward. I wouldn’t call these results definitive by any means, but keep it in mind as you begin evaluating Windows Server 2016 Hyper-V for your own workloads.

The Hyper-V setup process

For the purposes of this review, I upgraded an existing Windows Server 2012 R2 server to Windows Server 2016. For the most part, the upgrade process was almost identical to that of installing Windows Server 2012 R2. The difference was that the Setup Wizard displays a warning message telling you Windows Server upgrades are not recommended, and you should perform a clean installation. The Setup Wizard won’t stop you from performing an in-place upgrade, but you have to click on a Confirm button to acknowledge the warning message.

I moved forward with the upgrade process (although I have since performed several clean installations) because I wanted to see what would happen. Besides, the server that I upgraded was running a clean installation of Windows Server 2012 R2. I had installed the Hyper-V role and created some virtual machines, but I had not installed any additional software (aside from Microsoft patches) or enabled any abnormal configuration settings.

The Windows Server upgrade process went very smoothly. All of my existing operating system settings were preserved, and my virtual machines remained functional following the upgrade. Furthermore, the Hyper-V Manager still felt completely familiar. Although Microsoft has introduced a number of new Hyper-V features in Windows Server 2016, the Hyper-V Manager has changed very little. Administrators with prior Hyper-V experience are sure to feel right at home when using the new version.

Rolling Hyper-V cluster upgrades

Although I initially performed an in-place upgrade of a single Hyper-V host, Microsoft also supports rolling upgrades of clustered Hyper-V deployments. This means that servers running Windows Server 2016 Hyper-V can be added to existing Windows Server 2012 R2 Hyper-V clusters and operate in a Windows Server 2012 R2 compatibility mode (the cluster stays at the 2012 R2 functional level), thereby allowing them to fully participate in the cluster. Windows Server 2012 R2 Hyper-V virtual machines can be live migrated to Windows Server 2016 Hyper-V nodes, thereby enabling a cluster operating system upgrade without taking any of the virtual machines offline.

In the process of writing this review, I deployed a three-node cluster of Windows Server 2012 R2 Hyper-V servers, then added a Windows Server 2016 Hyper-V node. I was able to successfully join the node to the cluster and live migrate VMs back and forth between the two different Hyper-V versions. In short, the rolling cluster upgrade process worked flawlessly.

I completed my cluster upgrade in the course of an afternoon, but Microsoft does allow for long-term coexistence between Hyper-V versions within a cluster. Long-term coexistence will surely be easier now that Microsoft has revamped the Hyper-V Manager, so it can be used simultaneously with multiple Hyper-V versions. From Hyper-V Manager in Windows Server 2016, you can manage Hyper-V on Windows Server 2012 and Windows Server 2012 R2 as well.

One downside to the new Hyper-V Manager: Because Microsoft now delivers updates to the Hyper-V Integration Services through Windows Update, the Insert Integration Services Setup Disk option has been removed from the VM console. Delivering the integration services through Windows Update sounds like progress, but it wouldn’t hurt to have the old method available as a fallback.

Note that once all of your cluster nodes are running Windows Server 2016 Hyper-V, and you have updated the cluster’s functional level (a deliberate administrative action you execute through PowerShell with Update-ClusterFunctionalLevel), you will lose the ability to add Windows Server 2012 R2 nodes to the cluster. After you update the cluster’s functional level, there’s no turning back.
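The rolling upgrade described above, as an added PowerShell walkthrough that is not part of the original review: it reads the functional level, joins a new node, drains a 2012 R2 node by live migration, raises the functional level, and then upgrades the VM configuration version, which is a second one-way step the cluster-level upgrade does not perform for you. Cluster, node and VM names are placeholders.

```powershell
# Added example: 2012 R2 -> 2016 rolling cluster upgrade with the FailoverClusters
# and Hyper-V modules. HVCLUSTER, HV-2016-01 and HV-2012R2-01 are placeholder names.
Import-Module FailoverClusters

$cluster = 'HVCLUSTER'
$newNode = 'HV-2016-01'
$oldNode = 'HV-2012R2-01'

# 1. Mixed mode is supported; 8 = 2012 R2 functional level, 9 = 2016.
Get-Cluster -Name $cluster | Select-Object Name, ClusterFunctionalLevel

# 2. Join the freshly built 2016 node (run Test-Cluster first in production).
Add-ClusterNode -Cluster $cluster -Name $newNode

# 3. Each node reports its OS build, so the version mix is visible at a glance.
Get-ClusterNode -Cluster $cluster |
    Select-Object Name, State, MajorVersion, MinorVersion, BuildNumber

# 4. Live-migrate every VM role owned by a 2012 R2 node onto the 2016 node.
Get-ClusterGroup -Cluster $cluster |
    Where-Object { $_.GroupType -eq 'VirtualMachine' -and $_.OwnerNode.Name -eq $oldNode } |
    ForEach-Object {
        Move-ClusterVirtualMachineRole -Cluster $cluster -Name $_.Name -Node $newNode -MigrationType Live
    }

# 5. Only after every node runs 2016: raise the functional level.
#    There is no way back, so preview with -WhatIf before committing.
Update-ClusterFunctionalLevel -Cluster $cluster -WhatIf
Update-ClusterFunctionalLevel -Cluster $cluster -Force

# 6. VMs carried over from 2012 R2 still run at configuration version 5.0 and
#    cannot use 2016-only features until upgraded. This is also one-way and the
#    VM has to be off, so upgrade only the powered-off ones here.
Get-VM -ComputerName $newNode | Select-Object Name, State, Version
Get-VM -ComputerName $newNode |
    Where-Object { $_.Version -eq '5.0' -and $_.State -eq 'Off' } |
    Update-VMVersion -Force
```

Step 6 is the part people forget: after Update-ClusterFunctionalLevel the cluster is 2016-only, but each VM keeps the 2012 R2 configuration format, and therefore 2012 R2 behavior, until Update-VMVersion is run against it.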

Shielded virtual machines

While plenty of work has been done over the years to protect VMs against outside threats, virtual machines (including those on competing platforms such as VMware, Xen, and KVM) have remained vulnerable to compromise by a rogue administrator. Nothing's stopping an admin from copying an entire VM to a USB flash drive and walking out the door with it. Sure, it was previously possible to encrypt virtual hard disks, but an administrator with access to the host can simply mount the virtual hard disk or recover the keys from the running VM, so VM-level encryption alone does not stop a privileged insider.

In Windows Server 2016 Hyper-V, the shielded VM feature encrypts a virtual machine’s disks and state in a way that prevents anyone other than VM or tenant admins from booting the VM or accessing its contents. The feature works by taking advantage of a new Windows Server feature called the Host Guardian Service, which holds the keys to encrypting and decrypting shielded VMs.

The Host Guardian Service checks to see if the Hyper-V host is authorized or “attested” to run the virtual machine. That’s right—admins are able to restrict shielded VMs, so they will only run on specific hosts that pass the attestation test. This means that if a rogue admin were to copy a shielded VM to a flash drive, the VM copy would be useless to the admin. The VM would not be able to run outside of the organization, and its contents would be inaccessible because the keys needed to decrypt the VM are protected by the Host Guardian Service.

The Host Guardian Service supports two different attestation modes, called admin-trusted attestation and TPM-trusted attestation. Admin-trusted attestation is the easier of the two modes to deploy, but not nearly as secure as TPM-trusted attestation. Admin-trusted hosts are approved purely on the basis of Active Directory security group membership, whereas TPM-trusted hosts must present a registered TPM identity, a measured-boot baseline that matches a known-good host, and a code integrity policy that the HGS administrator has approved.

In addition to its more complex configuration process, TPM-trusted attestation has some hardware requirements. Guarded hosts must support TPM 2.0 and UEFI 2.3.1 or higher. In contrast, admin-trusted attestation does not have any significant hardware requirements beyond those needed for running Hyper-V.
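The two attestation modes side by side, as an added PowerShell example that is not part of the original review or of Microsoft's documentation. The first section runs on the HGS server and shows what each mode actually asks the administrator to register; the second runs on a Hyper-V host and verifies that attestation passes before any shielded VM is placed there. Certificate thumbprints, the group SID, file paths and the hgs.example.com URLs are placeholders, and the HGS forest is assumed to already trust the fabric domain.

```powershell
# Added example: what each HGS attestation mode requires you to register.
# Run on the HGS server. Thumbprints, SID, paths and names are placeholders.
$mode = 'Tpm'   # or 'ActiveDirectory'; an HGS instance runs in exactly one mode

$common = @{
    HgsServiceName                  = 'hgs'
    Http                            = $true          # lab only; use -Https with a cert in production
    SigningCertificateThumbprint    = '<signing-cert-thumbprint>'
    EncryptionCertificateThumbprint = '<encryption-cert-thumbprint>'
}

if ($mode -eq 'ActiveDirectory') {
    # Admin-trusted: "is the host's computer account in this fabric-domain group?"
    # Anyone who can add a computer to the group can make it a guarded host.
    Initialize-HgsServer @common -TrustActiveDirectory
    Add-HgsAttestationHostGroup -Name 'GuardedHosts' `
        -Identifier 'S-1-5-21-1111111111-2222222222-3333333333-1105'
}
else {
    # TPM-trusted: three artefacts, each one narrowing which hosts can pass.
    Initialize-HgsServer @common -TrustTpm
    # (a) The TPM's endorsement key, exported on each host with
    #     (Get-PlatformIdentifier -Name 'HV01').InnerXml | Out-File HV01.xml -Encoding UTF8
    Add-HgsAttestationTpmHost -Path 'C:\hgs\HV01.xml' -Name 'HV01'
    # (b) A measured-boot baseline captured on a known-good reference host with
    #     Get-HgsAttestationBaselinePolicy -Path 'C:\hgs\baseline.tcglog'
    Add-HgsAttestationTpmPolicy -Path 'C:\hgs\baseline.tcglog' -Name 'ModelX-Baseline'
    # (c) The binary code integrity policy the hosts must be enforcing
    Add-HgsAttestationCIPolicy -Path 'C:\hgs\ModelX-CI.p7b' -Name 'ModelX-CI'
}

# --- On each Hyper-V host: point at HGS and confirm it attests ---------------
Install-WindowsFeature -Name HostGuardian
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.example.com/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.example.com/KeyProtection'
# AttestationStatus must read 'Passed'; anything else means shielded VMs will
# not start on this host, and AttestationSubstatus says which check failed.
Get-HgsClientConfiguration |
    Select-Object AttestationMode, AttestationStatus, AttestationSubstatus
```

The contrast is the point: in admin-trusted mode the whole trust decision is a group membership, so the attack surface is whoever can edit that group, while in TPM-trusted mode a host with a swapped disk, a changed boot configuration or a relaxed code integrity policy fails the second or third check even though its TPM is still registered.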

Although most of the media coverage pertaining to Hyper-V 2016 security has focused on shielded VMs, Microsoft has introduced other security enhancements. For example, Hyper-V now supports Secure Boot for some Linux VMs. According to Microsoft, the supported Linux versions include Ubuntu 14.04 and later, Suse Linux Enterprise Server 12 and later, Red Hat Enterprise Linux 7.0 and later, and CentOS 7.0 and later.

Another significant security enhancement is support for BitLocker-based OS disk encryption in Generation 1 virtual machines, which have no virtual TPM; instead, the key lives on a new Key Storage Drive attached to the VM. This particular security enhancement hasn’t gained much attention from the press, but it is significant because of the number of Generation 1 VMs running in production environments. After all, Generation 2 VMs are supported only for use with specific guest operating systems. Although the list of supported guest operating systems has grown over the years, some Linux deployments that could conceivably run on Generation 2 VMs continue to operate on Generation 1 VMs, simply because a VM’s generation cannot be changed after it is created.
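The two guest-side hardening knobs from the last two paragraphs, Secure Boot for a Generation 2 Linux VM and a Key Storage Drive for a Generation 1 VM, as an added PowerShell example that is not from the original review. The VM names are placeholders, and the host is assumed not to be a guarded host, so the Generation 1 VM gets a local key protector; on a guarded host that protector would come from HGS instead. The in-guest BitLocker step is sketched in a comment only.

```powershell
# Added example: per-generation hardening settings. VM names are placeholders.

# --- Generation 2 Linux guest: Secure Boot with the right template ----------
# The default template, 'MicrosoftWindows', only trusts Windows boot loaders.
# A Linux guest left on it simply fails to boot once Secure Boot is on; the
# 'MicrosoftUEFICertificateAuthority' template trusts the shim the supported
# distributions ship with.
$linuxVm = 'ubuntu1604-gen2'
Stop-VM -Name $linuxVm -Force
Set-VMFirmware -VMName $linuxVm -EnableSecureBoot On `
    -SecureBootTemplate 'MicrosoftUEFICertificateAuthority'
Get-VMFirmware -VMName $linuxVm | Select-Object SecureBoot, SecureBootTemplate
Start-VM -Name $linuxVm

# --- Generation 1 Windows guest: Key Storage Drive instead of a vTPM --------
# Generation 1 VMs cannot have a virtual TPM, so 2016 offers a small
# host-encrypted drive that BitLocker can use like a startup-key USB stick.
# The drive's contents are protected by the VM's key protector, so one must
# exist first (local here; HGS-issued on a guarded host).
$gen1Vm = 'legacy-gen1'
Stop-VM -Name $gen1Vm -Force
Set-VMKeyProtector -VMName $gen1Vm -NewLocalKeyProtector
Add-VMKeyStorageDrive -VMName $gen1Vm
Get-VMKeyStorageDrive -VMName $gen1Vm
Start-VM -Name $gen1Vm
# Inside the guest (assumption, not shown running here): the Key Storage Drive
# appears as a small disk; with the "allow BitLocker without a compatible TPM"
# policy set, enable BitLocker on the OS volume with a startup-key protector
# stored on that drive, e.g. Enable-BitLocker -MountPoint C: -StartupKeyProtector -StartupKeyPath <KSD drive letter>
```

Both settings require the VM to be off, which is why each section stops and restarts the guest; that is also the practical reason these changes tend to be deferred in production.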

Windows containers

One of the primary features introduced in Windows Server 2016 is containers, of which there are two types. Windows Server containers share an OS kernel with the host (and any other containers that might be running on the host), while Hyper-V containers use the hypervisor and a lightweight guest OS (Windows Server Core or Nano Server) to provide a greater level of isolation. Think of Hyper-V containers as lightweight virtual machines.

To date, I have spent some time experimenting with both types of containers. My assessment: Although containers seem to work as advertised, there is a steep learning curve associated with using them. Containers must be created and managed at the command line (as opposed to using the Hyper-V Manager) via the Docker command syntax, which is very different from other command-line environments such as PowerShell.

I think containers will prove to be relevant to Windows admins, but I strongly recommend spending time in a lab environment getting used to Docker and its many nuances before deploying containers in production.
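A lab exercise for the learning-curve point above, added here and not part of the original review: the quickest way to feel the difference between the two container types is to watch the host's process table. It assumes the Containers feature and the Docker engine are installed and the 2016-era base image microsoft/windowsservercore has been pulled; the helper name is made up for this example.

```powershell
# Added example: Windows Server containers versus Hyper-V containers, as seen
# from the host. Assumes Docker and the Containers feature are installed and
# 'microsoft/windowsservercore' (the 2016-era Docker Hub image) is pulled.
$image = 'microsoft/windowsservercore'

function Start-IsolationDemo {
    param([ValidateSet('process', 'hyperv')][string]$Isolation)

    # Run a long-lived, easily recognisable process inside the container.
    $id = docker run -d "--isolation=$Isolation" $image ping -t localhost
    Start-Sleep -Seconds 5

    # A Windows Server container (process isolation) shares the host kernel, so
    # its ping.exe appears in the host's process list, just in another session.
    # A Hyper-V container runs inside a utility VM: the host sees a vmwp.exe
    # worker process for the utility VM and never the container's own ping.exe.
    $pingOnHost = Get-Process -Name ping -ErrorAction SilentlyContinue
    $workers    = Get-Process -Name vmwp -ErrorAction SilentlyContinue
    $reported   = docker inspect --format '{{.HostConfig.Isolation}}' $id

    docker rm -f $id | Out-Null

    [pscustomobject]@{
        Requested          = $Isolation
        DockerReports      = $reported
        PingVisibleOnHost  = [bool]$pingOnHost
        VmWorkerProcesses  = @($workers).Count   # includes any ordinary VMs that are running
    }
}

Start-IsolationDemo -Isolation process
Start-IsolationDemo -Isolation hyperv
```

Run on an otherwise idle host, the first call shows PingVisibleOnHost true with zero vmwp.exe workers and the second shows the reverse, which is the isolation boundary the text describes made concrete: with process isolation a host administrator can see, debug and kill container processes directly, with Hyper-V isolation they are on the other side of the hypervisor.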

Performance questions

In an effort to test the performance of Windows Server 2016, I brought a new server online, running a clean installation of Windows Server 2012 R2 Hyper-V. This server was equipped with low-end, aging hardware, but given the goal was to check relative performance, state-of-the-art hardware wasn’t really necessary.

With the new Windows Server 2012 R2 Hyper-V server online, I created a Generation 2 virtual machine running Windows Server 2012 R2. Both the host and the guest operating systems were fully patched, and my test VM was the only virtual machine present on the host.

Once the new guest OS was up and running, I installed Sandra 2016 in the virtual machine to benchmark the virtual machine’s performance. I was primarily interested in CPU, storage, memory, and network performance. 

With a baseline set of metrics in hand, I upgraded the Hyper-V host to Windows Server 2016. Microsoft discourages in-place upgrades, but I opted to perform one rather than a clean installation for the sake of keeping my test environment as consistent as possible across all of the tests.

When the upgrade completed, I booted the VM, which was still running Windows Server 2012 R2. Next, I attempted to upgrade the Hyper-V Integration Services on the VM, but Microsoft has removed the option to do this manually. The Integration Services are now delivered through Windows Update.
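Since the manual integration services update is gone, the host has to tell you whether a guest's components are current. The check below is an added PowerShell example, not part of the original review; the report function name is made up for it, and the properties it reads are the ones Get-VM and Get-VMIntegrationService already expose.

```powershell
# Added example: report integration services state for every VM on a host,
# since the "Insert Integration Services Setup Disk" option no longer exists.
function Get-VMIntegrationReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-VM -ComputerName $ComputerName | ForEach-Object {
        $vm = $_
        $services = Get-VMIntegrationService -VM $vm
        [pscustomobject]@{
            Name          = $vm.Name
            State         = $vm.State
            # 5.0 means the VM still uses the 2012 R2 configuration format
            ConfigVersion = $vm.Version
            # Both IC fields are reported by the guest and are only populated
            # while it is running; 'Update required' is the flag to act on.
            ICVersion     = $vm.IntegrationServicesVersion
            ICState       = $vm.IntegrationServicesState
            # Any enabled service whose status is not OK points at a guest-side problem
            ServicesNotOk = @($services |
                Where-Object { $_.Enabled -and $_.PrimaryStatusDescription -ne 'OK' } |
                Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

Get-VMIntegrationReport | Format-Table -AutoSize

# A guest flagged 'Update required' receives the new components through Windows
# Update inside the guest; the guest records the installed version under
# HKLM:\SOFTWARE\Microsoft\Virtual Machine\Auto (value IntegrationServicesVersion).
```

Running this before and after each round of host patching is the only way to know whether a benchmark comparison like the one in this review is really comparing like with like: a guest still reporting 'Update required' is talking to the new hypervisor through old integration components.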

After fully patching the Windows Server 2016 Hyper-V Host, I repeated the benchmark tests in an effort to see whether the new version of Hyper-V would yield any performance gains. In fact, the opposite proved to be true. My VM saw a significant decrease in performance.

For my final test, I performed an in-place upgrade of the guest operating system to Windows Server 2016. I fully patched the new guest OS and repeated my benchmark tests one last time. This time, my VM performance largely improved, but not quite to the level of the original Windows Server 2012 R2 VM running on a Windows Server 2012 R2 host, and a few tests saw performance further diminished.

I’ve listed the metrics that I benchmarked and the results below.

As you can see, according to my Sandra tests, the Windows Server 2012 R2 VM did not perform as well on Windows Server 2016 Hyper-V as it did on the previous Hyper-V version. I ran each benchmark several times (while the host was idle) in an effort to make sure my metrics were accurate. The virtual machine performance improved when the guest OS was upgraded to Windows Server 2016, but not to the level of the Windows Server 2012 R2 guest running on Windows Server 2012 R2 Hyper-V.

Naturally, you should take these (and any other) benchmark results with a grain of salt. Benchmarks don’t always reflect reality, and these findings represent only one set of tests on one hardware configuration. Furthermore, I'm willing to give Microsoft the benefit of a doubt because the metrics were captured on a host that had been upgraded from a previous Windows Server version, rather than a host running a clean installation.

Your only meaningful test of Windows Server 2016 Hyper-V performance will be your actual workloads on your actual hardware. Given the results of the Sandra tests, you'll want to watch the performance of Hyper-V 2016 closely.

At a Glance
  • Windows Server 2016 Hyper-V contains some impressive new security features, most notably shielded VMs, but performance seems to have slipped.

    Pros

    • Shielded VMs make Hyper-V virtual machines significantly more secure
    • Support for system disk encryption of Generation 1 (legacy) VMs
    • The Hyper-V Manager will be perfectly familiar to Windows Server 2012 R2 Hyper-V admins
    • Support for Nano Server as Hyper-V host and guest
    • Ability to host Windows containers
    • Hyper-V checkpoints are finally application-aware and supported for production environments

    Cons

    • Based on my own benchmark tests, VM performance is diminished compared to Windows Server 2012 R2 Hyper-V
    • Creating and managing containers is very unintuitive