
What’s New in PowerShell For Hyper-V In Windows Server?


In today’s blog post, we will look at what’s new in PowerShell for Hyper-V in Windows Server 2016 and later.


The Hyper-V PowerShell module includes several significant features that extend its use, improve its usability, and allow you to control, automate, and manage your Hyper-V environment entirely.

The PowerShell module in Windows Server 2016 TP1 Hyper-V ships with 186 PowerShell cmdlets.

The PowerShell module in Windows Server 2016 TP2 Hyper-V ships with 204 PowerShell cmdlets.

The PowerShell module in Windows Server 2016 TP3 Hyper-V and TP4 ships with 217 PowerShell cmdlets.

As you can see, the Hyper-V team is constantly adding new cmdlets in every release.

Let's look into the PowerShell module in Windows Server 2016 TP5 and count the Hyper-V cmdlets that are available at our disposal.


We now have 221 cmdlets in TP5 versus 217 in Hyper-V 2016 TP4, so we have 4 new cmdlets so far…

One important note: starting with Windows Server 2016 TP2 and Windows 10, Microsoft ships two Hyper-V PowerShell modules in-box, Version 1.1 and Version 2.0, to help you manage Hyper-V hosts across versions, including down-level ones (Windows Server 2012, 2012 R2, and 2016).


At the time of writing, you need a separate PowerShell session to manage down-level hosts and Server 2016. In other words, every time you want to manage Server 2012 R2 or below, you need to remove the default PowerShell module V2.0 and load PowerShell module V1.1.


Alternatively, you can open two PowerShell sessions and load the desired PowerShell module. I know this is not efficient at the moment, hopefully, this will change in the future.
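The module swap described above can be scripted so the session always loads the module that matches the target host. This is an added example, not code from the original post; the function name Use-HyperVModuleFor is hypothetical, and it assumes the target host is reachable over WinRM for Get-CimInstance.

```powershell
# Added example: load the in-box Hyper-V module that matches the target host.
# Use-HyperVModuleFor is a hypothetical helper name.
function Use-HyperVModuleFor {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Windows Server 2012 / 2012 R2 report 6.2 / 6.3; Windows Server 2016 reports 10.0.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $wantedMajor = if (([version]$os.Version).Major -ge 10) { 2 } else { 1 }

    # Pick the installed module whose major version matches (1.1 or 2.0).
    $target = Get-Module -Name Hyper-V -ListAvailable |
        Where-Object { $_.Version.Major -eq $wantedMajor } |
        Select-Object -First 1
    if (-not $target) {
        throw "No Hyper-V module with major version $wantedMajor is installed on this machine."
    }

    # Only one version can be loaded per session: unload the other one first.
    $loaded = Get-Module -Name Hyper-V
    if ($loaded -and $loaded.Version -ne $target.Version) {
        Remove-Module -Name Hyper-V
        $loaded = $null
    }
    if (-not $loaded) {
        Import-Module -Name Hyper-V -RequiredVersion $target.Version
    }

    Get-Module -Name Hyper-V | Select-Object Name, Version
}
```

Call it with the name of the host you are about to manage, then run your Hyper-V cmdlets with the matching -ComputerName.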

So what are those 4 new cmdlets? Let’s compare Hyper-V 2016 TP4 and TP5 modules side by side and explore the difference.

I will use the Compare-Object cmdlet, but before doing that, you need to capture the XML file with all Hyper-V PowerShell cmdlets from Windows Server 2016 TP4 and TP5 hosts respectively.

On TP4 Host run the following command:

Get-Command -Module Hyper-V | Export-Clixml C:\HyperV-TP4-Compare.xml

On TP5 Host run the following command:

Get-Command -Module Hyper-V | Export-Clixml C:\HyperV-TP5-Compare.xml


The result of the comparison will be a table telling you what is different. Every PowerShell cmdlet that's in the reference set (HyperV-TP4-Compare.xml), but not in the difference set (HyperV-TP5-Compare.xml), will have a <= indicator (which in this case is Set-VMSecurityProfile). However, if a cmdlet is on the difference (right) side but not on the reference (left) side, it will have a => indicator, which is our case here with 5 new cmdlets. Finally, PowerShell cmdlets that match across both sets won't be included in the difference output.
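The comparison described above, written out as an added example (not code from the original post). It assumes both XML files were produced with the Export-Clixml commands above and copied to one machine; Compare-HyperVCmdletSet and C:\Scripts are hypothetical names. It also goes one step further and lists existing scripts that still call a removed cmdlet.

```powershell
# Added example. Compare-HyperVCmdletSet and C:\Scripts are hypothetical names.
function Compare-HyperVCmdletSet {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,   # older build (TP4)
        [Parameter(Mandatory)][string]$DifferencePath   # newer build (TP5)
    )
    $reference  = Import-Clixml -Path $ReferencePath
    $difference = Import-Clixml -Path $DifferencePath

    # Compare on the cmdlet name only; identical names are left out of the result.
    Compare-Object -ReferenceObject $reference -DifferenceObject $difference -Property Name |
        Sort-Object -Property SideIndicator, Name |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                SideIndicator = $_.SideIndicator
                Change        = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            }
        }
}

$diff = Compare-HyperVCmdletSet -ReferencePath C:\HyperV-TP4-Compare.xml `
                                -DifferencePath C:\HyperV-TP5-Compare.xml
$diff | Format-Table -AutoSize

# Find existing scripts that still call a cmdlet removed in the newer build.
$removed = @($diff | Where-Object Change -eq 'Removed' | ForEach-Object Name)
if ($removed) {
    Get-ChildItem -Path C:\Scripts -Filter *.ps1 -Recurse |
        Select-String -Pattern $removed -SimpleMatch |
        Select-Object Path, LineNumber, Line
}
```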

All the previous PowerShell cmdlets that are available in Windows Server 2016 TP4 Hyper-V are available as well in Windows Server 2016 Technical Preview 5 in addition to the following:


As the comparison shows, Set-VMSecurityProfile is not available anymore in WS2016 TP5. Set-VMSecurityProfile is being deprecated, so you should use either Set-VMSecurity or Set-VMSecurityPolicy instead.

Let’s dive in and discover what those new cmdlets bring to Hyper-V in Windows Server 2016.


Trust is the biggest blocker to cloud computing adoption. In Windows Server 2016, Microsoft is investing a lot in the Hyper-V core platform to start providing these guarantees: whether or not you trust your administrators and service providers, no one can access your data!

Set-VMSecurity with the -EncryptStateAndVmMigrationTraffic parameter determines whether the VM's memory is supposed to be encrypted when saved to disk or when live migrated to another Hyper-V host.

If we look at Windows Server 2016 Technical Preview 4 Hyper-V and open any Generation 2 VM settings, the Encrypt State and Virtual Machine migration traffic option was not included in the UI.


However, in Windows Server 2016 Technical Preview 5 Hyper-V, the UI has been updated to reflect those changes around shielded VMs…


If you connect to the VM and open the Device Manager, you can see vTPM 2.0 listed under Security devices. You can then install BitLocker and turn it on.



Set-VMSecurityPolicy can be used to configure the virtual machine’s policy. However, this is only possible in “Local HGS Mode” or until the virtual machine has been started for the first time.

As a side note, shielded VMs can be deployed using Active Directory Attestation or TPM Attestation. TPM Attestation requires a TPM V2.0 chip to be installed on the physical host.

For demo purposes, you can create a shielded VM based on a local host certificate (untrusted guardian).

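# Install the Host Guardian Hyper-V Support feature
# (the host restarts if required; run the remaining steps after the reboot)
Install-WindowsFeature -Name HostGuardian -Restart -Verbose

# Create a Generation 2 VM to shield
$VM = New-VM -Name ShieldedDemo -Generation 2

# Reuse the local guardian if it already exists; otherwise create it with generated certificates
$owner = Get-HgsGuardian UntrustedGuardian -ErrorAction SilentlyContinue
if (!$owner) {
    $owner = New-HgsGuardian -Name UntrustedGuardian -GenerateCertificates
}

$owner = Get-HgsGuardian UntrustedGuardian
# Create a key protector owned by the local guardian and attach it to the VM
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Set-VMKeyProtector -VM $VM -KeyProtector $kp.RawData
# Mark the VM as shielded, then start it
Set-VMSecurityPolicy -VM $VM -Shielded $true
Start-VM $VM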

Note: The VM console access is not available for shielded VMs, therefore you need to access it through RDP only.


If you don't install the HostGuardian feature for Hyper-V support and reboot your host afterwards, you won't be able to start the virtual machine because the host's Isolated User Mode is off.
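To check the outcome of the settings discussed above across a whole host, the following added example (not code from the original post) reads each Generation 2 VM's security settings with Get-VMSecurity, the read counterpart of Set-VMSecurity. The function name Get-VMSecurityAudit and the NeedsReview column are hypothetical, and the example assumes the Hyper-V module on your build includes Get-VMSecurity.

```powershell
# Added example: report vTPM, shielding and state/migration encryption per Generation 2 VM.
# Get-VMSecurityAudit and NeedsReview are hypothetical names.
function Get-VMSecurityAudit {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-VM -ComputerName $ComputerName |
        Where-Object Generation -eq 2 |
        ForEach-Object {
            $sec = Get-VMSecurity -VM $_
            [pscustomobject]@{
                VMName      = $_.Name
                State       = $_.State
                TpmEnabled  = $sec.TpmEnabled
                Shielded    = $sec.Shielded
                EncryptStateAndVmMigrationTraffic = $sec.EncryptStateAndVmMigrationTraffic
                # Flag VMs whose saved state and live migration traffic are not
                # encrypted, or that have no vTPM for BitLocker inside the guest.
                NeedsReview = -not ($sec.TpmEnabled -and $sec.EncryptStateAndVmMigrationTraffic)
            }
        }
}

# VMs that need attention are listed first.
Get-VMSecurityAudit |
    Sort-Object -Property NeedsReview -Descending |
    Format-Table -AutoSize
```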



In Windows Server 2016, Microsoft is adding a new feature to force a host vNIC or a virtual machine vmNIC to be affinitized to a particular team member. This can be used in many scenarios. For example, in a converged network deployment, you want to ensure that traffic from a given vNIC on the host, e.g. a storage vNIC, uses a particular pNIC (physical NIC) to send traffic so that it passes through a shorter path to the backend storage.

Please note that setting an affinity will not prevent failover to another physical NIC if the selected NIC encounters failures. In other words, if the physical NIC encounters any issue, the affinitized vNIC or vmNIC will fail over to another team member. The affinity will be restored when the selected pNIC is restored to operation.

Please note that vNICs/vmNICs affinitized to team members are available only with Switch Embedded Teaming (SET) mode and not with LBFO (Stand-alone NIC Teaming).

The PowerShell cmdlet Set-VMNetworkAdapterTeamMapping will establish an affinity between a virtual NIC (vNIC or vmNIC) and a team member.

As an example:

Set-VMNetworkAdapterTeamMapping -VMNetworkAdapterName vNIC-SMB01 -ManagementOS -PhysicalNetAdapterName PNIC-01

The traffic from the vNIC (vNIC-SMB01) on the host will be forced to be sent and received on a physical adapter (PNIC-01).

The same affinity rule will apply to virtual machines as well.

In the following example, we have a virtual machine with 3 vmNICs.


We will force the traffic for a specific vmNIC named “Storage1” from the VM named “WS-DC” to be sent and received on a physical adapter named “Ethernet”.

# Get the VM object used in the commands that follow
$VM = Get-VM -Name WS-DC
Set-VMNetworkAdapterTeamMapping -VMName $VM.VMName -PhysicalNetAdapterName Ethernet -VMNetworkAdapterName Storage1



You can check and see what affinities have been established. Checking the current affinities can be accomplished using the Get-VMNetworkAdapterTeamMapping PowerShell cmdlet.

Get-VMNetworkAdapterTeamMapping -VMName $VM.VMName



Last but not least, if an affinity is no longer needed, it can be removed from the virtual machine (vmNIC) or from the host (vNIC) using the Remove-VMNetworkAdapterTeamMapping PowerShell cmdlet.

Remove-VMNetworkAdapterTeamMapping -VMName $VM.VMName -VMNetworkAdapterName Storage1


We will update this blog post when the next milestone is publicly available.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
