Updated 27/10/2017: [Windows Defender Application Guard (WDAG) for Microsoft Edge. Check Windows 10 Fall Creators Update for Hyper-V section at the end of this post].
This week, Microsoft released Windows Server, version 1709 (known as RS3). It is available for download to customers with Software Assurance and with a Visual Studio subscription.
Windows Server, version 1709, is the first release of Windows Server that delivers innovation for your applications and infrastructure faster. As part of the new Semi-annual Channel (SAC) cadence, this release is designed to help modernize your applications, bring new levels of efficiency to your datacenter and streamline your transition to the cloud. Advancements include a dramatically smaller Nano Server container image optimized for .NET Core, the Windows Subsystem for Linux (WSL), support for new hardware innovations like Storage-Class Memory (SCM), encrypted network segments, Linux Shielded VMs, and many more.
It’s very important to understand the difference between a Semi-annual Channel (SAC) release and Long-Term Servicing Channel (LTSC).
- SAC is supported for 18 months, LTSC is supported for at least 5 years – and then you can extend the support if needed.
- Some features may appear in the SAC releases that are not available in the LTSC releases.
- There will be at least one more SAC release (RS4) before there is another LTSC release.
- You should not assume that Windows Server, version 1709 is some sort of “service pack” or something that you should wait for, in order to deploy.
- The current SAC release, Windows Server, version 1709 is available only as a Server Core installation type – two SKUs are available: Standard and Datacenter.
- You cannot perform an in-place upgrade from Windows Server 2016 (RS1) to Windows Server, version 1709 (RS3); only a clean OS install is supported.
- The main focus of Windows Server, version 1709 is containers.
- You can use Cluster OS Rolling Upgrade to upgrade a Windows Server 2016 (RS1) cluster to Windows Server, version 1709 (RS3) cluster.
- If you want to use Storage Spaces Direct (S2D) clusters, you should remain on the Windows Server 2016 (RS1) release. Stay tuned for Storage Spaces Direct in RS4 (April 2018 time frame) for new features and additional enhancements (rock solid). The sky is the limit.
In this blog post, I will share what's new in Hyper-V in Windows Server, version 1709, including Windows 10, version 1709 (RS3). If you want to know more about the new features introduced in Windows Server 2016 Hyper-V, please check my previous article here.
Modern Windows Server Management Experience
Microsoft introduced Project 'Honolulu', the future of remote server management, designed to modernize and simplify the IT administrator experience. If you want to know more about Microsoft Project 'Honolulu' and how to kick the tires, check out my blog post here.
Persistent Memory in Hyper-V Virtual Machines
Windows Server, version 1709 adds support for virtual PMEM devices backed by physical PMEM devices, also known as Storage-Class Memory (SCM).
Persistent Memory (PMEM) Type
- NVDIMM-N (DRAM + NAND + Battery)
- 8GB or 16GB per NVDIMM (as of today)
- DDR4 DRAM speeds
Why does Persistent Memory (PMEM) matter for Hyper-V?
There are two reasons. The first is the raw throughput difference between PMEM and traditional storage. The second, and the more important, is the latency difference: how long it takes from the moment the OS requests data from the disk to the moment the data is returned. The latency of the PMEM devices available on the market today is around half a dozen microseconds, which is amazing.
Here is the performance comparison between NVMe SSD, Block Mode NVDIMM and DAX Mode NVDIMM:
| | IOPS | Avg Latency (ns) | MB/sec |
|---|---|---|---|
| Block Mode NVDIMM | 148,567 | 6,418 | 580.34 |
| DAX Mode NVDIMM | 1,112,007 | 828 | 4,343.78 |
With Persistent Memory support, you can project PMEM directly into VMs; this is known as Virtualized Persistent Memory (vPMEM). As of this writing, managing vPMEM is supported only through Windows PowerShell.
vPMEM allocation is host-file based and is managed through the familiar VM disk constructs. vPMEM uses a VHDX-format file with a new file extension (.vhdpmem) to back a vPMEM device.
The PowerShell example below creates a VM with a 4 GB vPMEM device and then attaches the vPMEM device to the virtual machine:

```powershell
# Create the VM and give it a PMEM controller
New-VM -Name VPMEM-VM01
Add-VMPmemController -VMName VPMEM-VM01

# The D drive is a host volume formatted with Direct Access (DAX) enabled
New-VHD -Path D:\vPMEM-Disk.vhdpmem -Fixed -SizeBytes 4GB

# Attach the .vhdpmem file to the VM's PMEM controller at location 1
Add-VMHardDiskDrive -VMName VPMEM-VM01 PMEM -ControllerLocation 1 -Path D:\vPMEM-Disk.vhdpmem
```

DAX volumes are currently supported on NTFS. To create a DAX volume, use either the Format command or the Format-Volume cmdlet:

```powershell
Format d: /dax /q
Format-Volume -DriveLetter d -IsDAX $true
```
Hardware Virtualization (GPU Partitioning)
GPU partitioning is a new feature that will be fully stood up in Windows Server Hyper-V going forward.
Without a driver from a hardware vendor, GPU partitioning is meaningless to us and not usable; however, Microsoft is planning to support GPU partitioning.
So, what is GPU partitioning? It is a technology that Microsoft has developed for hardware vendors such as NVIDIA, Intel, and AMD to take a full physical GPU and partition it into smaller, virtual GPUs. NVIDIA calls this GRID vGPU, AMD calls it MxGPU, and Intel calls it GVT-g. They each use a different term, but these are really just product names.
This is essentially the GPU version of Single-Root Input/Output Virtualization (SR-IOV) for networking. The biggest difference here is the complexity of the GPU and how each vendor has implemented it. Some vendors support it by leveraging parts of the SR-IOV PCIe specifications, while others have a more custom solution. Microsoft has abstracted that idea away, allowing each vendor to support GPU partitioning according to how its hardware is designed, so that current in-market hardware and solutions can work.
Linux Containers with Hyper-V Isolation
Linux containers with Hyper-V isolation use Hyper-V isolation to run a Linux kernel with just enough OS to support containers. The changes to Windows and Hyper-V to build this started in the Windows 10 Fall Creators Update and Windows Server, version 1709, but bringing this together also required work with the open source Moby project on which Docker technology is built, as well as the Linux kernel.
Hyper-V Linux containers give you the isolation of Hyper-V with the flexibility of Docker containers, and you can manage them with Linux tools now that the Windows Subsystem for Linux (WSL) is included in Windows Server 1709.
In Windows Server, version 1709, Microsoft has added support for containers to access persistent data volumes located on CSVs, including CSVs on Storage Spaces Direct. They have also included support for mapping an SMB file share to a drive letter inside a container (known as SMB global mapping). This gives the application container persistent access to the volume no matter where the container instance is running.
To map an SMB share into a container, you can run the following command:

```shell
docker run -v \\fileserver\share\<path>:C:\<container path>
```
Container Optimized Nano Server Image
First and foremost, the current SAC release, Windows Server 1709, is about driving application innovation. Nano Server as a host is deprecated and replaced by the Nano container, which is Nano Server running as a container image.
Microsoft is optimizing the Nano Server image for containers. The uncompressed Nano container image in Windows Server 2016 is about 1 GB in size, and this includes components not relevant for containers, such as components needed for physical and virtual machines. Microsoft is working on significantly reducing the size of the image on disk, by 70% or more. This has two benefits: first, it speeds up container start-up time, and second, it minimizes the bandwidth needed when you pull the image from Docker Hub. All components not relevant for containers and modern application development will be removed from the image. The optional components will be delivered as layers. Say you pull a Nano optimized container image: if you want .NET Core, you pull .NET as a layer on top of the image, and if you want PowerShell, you pull PowerShell as a layer on top as well, and so on.
Linux Shielded VM Support
Security, Security, Security…
Microsoft is extending their shielded virtual machine story to also include Linux virtual machines. When Microsoft released shielded VMs in October 2016, only Windows virtual machines were supported.
Support for running Linux inside a shielded VM includes the following:
- Leverages native LUKS/dm-crypt encryption for the root and boot volumes.
- Encryption passwords are protected by the virtual TPM, sealed to boot measurements.
- Full secure provisioning stack implemented to deliver secrets and specialization files into the VM at deployment time.
The Hosting infrastructure requirements remain the same as for Windows shielded VMs:
- A Linux shielded VM runs as a Generation 2 VM with Secure Boot and vTPM enabled.
- Same vTPM as Windows shielded VMs; works with your existing HGS infrastructure (and local keys for test scenarios).
For more information about shielded VMs, please see Guarded fabric and shielded VMs overview.
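As an added example (not code from the original post), the following script audits every VM on a Hyper-V host against the hosting prerequisites listed above: Generation 2, Secure Boot on, and vTPM enabled. It assumes the Hyper-V PowerShell module is available; the Secure Boot template check is my assumption that Linux guests boot under the Microsoft UEFI Certificate Authority template and Windows guests under the Microsoft Windows template.

```powershell
# Added example: report which VMs meet the shielded-VM prerequisites.
# Assumes the Hyper-V module (Get-VM, Get-VMFirmware, Get-VMSecurity).
function Test-ShieldedVMPrereqs {
    param([string]$VMName = '*')

    foreach ($vm in Get-VM -Name $VMName) {
        $problems = @()
        $shielded = $false

        if ($vm.Generation -ne 2) {
            # Get-VMFirmware/Get-VMSecurity only apply to Generation 2 VMs
            $problems += 'Generation 1 VM (shielding requires Generation 2)'
        } else {
            $fw  = Get-VMFirmware -VM $vm
            $sec = Get-VMSecurity -VM $vm
            $shielded = $sec.Shielded

            if ($fw.SecureBoot -ne 'On') { $problems += 'Secure Boot is off' }
            if (-not $sec.TpmEnabled)    { $problems += 'vTPM is not enabled' }

            # Assumption: Linux guests use the Microsoft UEFI CA template,
            # Windows guests the MicrosoftWindows template; anything else is suspect.
            $expected = 'MicrosoftWindows', 'MicrosoftUEFICertificateAuthority'
            if ($fw.SecureBoot -eq 'On' -and $fw.SecureBootTemplate -notin $expected) {
                $problems += "Unexpected Secure Boot template '$($fw.SecureBootTemplate)'"
            }
        }

        [pscustomobject]@{
            VMName   = $vm.Name
            Shielded = $shielded
            Ready    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Usage: list VMs that are not yet eligible for shielding
Test-ShieldedVMPrereqs | Where-Object { -not $_.Ready } | Format-Table -AutoSize
```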
Windows 10 Fall Creators Update for Hyper-V
The following Hyper-V features are introduced in Windows 10, version 1709 and target developer experiences:
- Built-in support for NAT networking: Hyper-V creates a NAT-based virtual switch by default, named Default Switch, and connects virtual machines to that switch by default. However, you can still use the old way and set up networking the way you do for traditional virtual machines.
- Improved VM sharing experience: Microsoft also added a button to share (export) the virtual machine in Windows 10, version 1709. This not only exports the virtual machine but also creates a compressed VM export file (.vmcz). You can then copy that file to another machine and import it.
- Expose physical battery state into a virtual machine: Many developers run a virtual machine in full-screen mode on their laptops. One of the big complaints was that while working inside the virtual machine in full-screen mode, the laptop suddenly turned off because the battery had run out and no notification was received. Microsoft is creating a virtual battery inside the virtual machine that mirrors the state of the physical battery, so that as you work on the laptop you see the battery state and receive notifications and warnings.
- Automatic Checkpoint Experience: If a user hasn't created a checkpoint, Hyper-V creates an automatic checkpoint when the virtual machine starts and merges it when the virtual machine stops. Please note that this feature is enabled by default on Windows 10 and NOT enabled by default on Windows Server 1709 and later, because you want to be super careful on a server. This feature is convenient for developers who run Hyper-V on Windows 10.
- Windows Defender Application Guard (WDAG) for Microsoft Edge: WDAG introduces a slimmed-down version of the Hyper-V technology to add isolation and security segmentation to Windows applications, starting with Microsoft Edge. WDAG for Microsoft Edge is the strongest form of isolation available today, and with the recent release of Windows 10, version 1709 (also known as the Fall Creators Update or RS3), users of the Windows 10 Enterprise SKU only can run the Microsoft Edge browser in a fully isolated hardware environment. This provides the highest level of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware. The WDAG container provides a temporary, contained environment in which users browse the Internet. Because the container is refreshed when the user logs off, malware has no place to persist. Leveraging hardware-supported virtualization technology and Hyper-V, Windows Defender Application Guard creates what can be thought of as a hypervisor-isolated partition containing a trimmed-down, read-only copy of Windows, just enough to run Edge when browsing untrusted sites. If a user clicks a link or visits an untrusted site, the container "guest" kernel is fully isolated from the host machine that holds the sensitive data and enterprise credentials. This is such a powerful feature!
Windows Defender Application Guard is off by default; it must be enabled manually or by Group Policy. You can turn on Windows Defender Application Guard using the Turn Windows features on or off dialog, or you can use Windows PowerShell to enable it as shown below, and then restart your computer.

```powershell
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -Verbose
```

Once your computer has restarted, open Microsoft Edge and click the menu in the top right corner, then click "New Application Guard window". After a short splash screen, a new instance of Edge opens with a shielded grey icon, indicating that Windows Defender Application Guard is enabled. What does Task Manager show when Edge is used with Windows Defender Application Guard? Under Apps, you will see Windows Defender Application Guard Manager RDP Client, and underneath it the sites you are currently browsing.
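Because WDAG is off by default and limited to the Enterprise SKU, an administrator usually wants to verify the prerequisites before enabling it. The following is an added example (not from the original post) that reports the host's state and enables the feature only when the checks pass; it assumes an elevated PowerShell prompt, and the build number 16299 for version 1709 is a known value I supply, not one from the post.

```powershell
# Added example: check WDAG prerequisites and current state, then enable if appropriate.
# Run elevated: Get-/Enable-WindowsOptionalFeature require administrator rights.
function Get-WDAGStatus {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

    # Windows 10, version 1709 (Fall Creators Update) is build 16299
    $build = [int]$os.BuildNumber

    [pscustomobject]@{
        OSCaption         = $os.Caption
        Build             = $build
        BuildOk           = ($build -ge 16299)
        EnterpriseSku     = ($os.Caption -match 'Enterprise')   # post: Enterprise SKU only
        HypervisorPresent = $cs.HypervisorPresent                # true once Hyper-V is running;
                                                                 # may be false before the first enable + reboot
        FeatureState      = $feature.State                       # Enabled / Disabled
        Enabled           = ($feature.State -eq 'Enabled')
    }
}

$status = Get-WDAGStatus
$status | Format-List

if ($status.BuildOk -and $status.EnterpriseSku -and -not $status.Enabled) {
    # -NoRestart lets you schedule the reboot; the feature is not active until then
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    Write-Output 'Application Guard enabled; restart the computer to finish.'
} elseif (-not $status.EnterpriseSku) {
    Write-Warning 'WDAG for Edge requires the Windows 10 Enterprise SKU on this release.'
}
```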
Thanks for reading!