Question of the Day…
Q: I just bought a new server and it appears to have a multitude of BIOS options for virtualization. Which BIOS options should be enabled and/or disabled to use with Hyper-V?
A: Great question. Let’s break this down into what features are required, what is recommended and what should be disabled.
Hyper-V RTM/R2 Hardware Requirements
When it comes to hardware requirements for Hyper-V, the hardware requirements are relatively straightforward and have been mainstream for many years and many generations of systems.
1. Hyper-V is 64-bit only and thus requires a 64-bit (x64) processor
o Windows Server 2008 was the final 32-bit (x86) Windows Server release and Windows Server 2008 32-bit version does not include Hyper-V
2. Hardware Virtualization Assists* in the form of:
o Intel VT-x (initially codenamed Vanderpool)
o AMD AMD-V (also called SVM and initially codename Pacifica)
3. Hyper-V requires Hardware Data Execution Prevention:
o Intel refers to it as Execute Disable (XD). This feature must be enabled in the system BIOS.
o AMD refers to it as No Execute (NX). This feature must be enabled in the system BIOS.
Again, these are Hyper-V requirements and Hyper-V will not run without these capabilities.
*Note: When you enable hardware assisted virtualization (Intel VT or AMD AMD-V) in the BIOS, you must TURN THE SYSTEM OFF. NOT REBOOT. OFF. If you don’t power cycle the system completely, you will not enable hardware assisted virtualization on the majority of systems in the market.
Hyper-V R2* & SLAT Hardware
For traditional server virtualization or virtualization desktops without RemoteFX, SLAT hardware is not required, but HIGHLY RECOMMENDED. The use of SLAT capable hardware offers significant performance improvements across the board.
· Intel refers to this a Extended Page Tables (EPT)
· AMD refers to this as Nested Page Tables (NPT) or Rapid Virtualization Indexing (RVI)
If there are BIOS option to enable these features (they’re usually on by default), these options should be enabled.
For virtualizing desktops using RemoteFX, SLAT hardware is REQUIRED. The use of SLAT capable hardware offers significant performance improvements across the board and is especially important when using RemoteFX. These technologies are an extension to the traditional TLB that allow Hyper-V to use the hardware to handle multiple TLBs – one for each virtual machine. This is fundamental requirement for RemoteFX.
· Intel refers to this a Extended Page Tables (EPT).
· AMD refers to this as Nested Page Tables (NPT) or Rapid Virtualization Indexing (RVI).
Personally, I wouldn’t purchase any system for virtualization that is not SLAT capable.
*Note: To take advantage of SLAT hardware, you must be running Windows Server 2008 R2 or later or Microsoft Hyper-V Server 2008 R2 or later. Previous versions (Windows Server 2008/2008 SP2 & Microsoft Hyper-V Server 2008/2008 SP2) do not support SLAT hardware and will simply ignore these hardware capabilities.
Hyper-V : What to Disable in the BIOS
There are some hardware features that Hyper-V does not utilize and enabling them will prevent Hyper-V from loading. Specifically, please be sure that:
· Intel VT-d is disabled
· Trusted Execution is disabled
If either of these options is enabled, Hyper-V won’t launch and errors will be posted to the Event Log.
Q: I’m trying to run Hyper-V on my system and Hyper-V won’t launch. When I look in the event log I see events such as:
· Event ID 41: Hyper-V Launch failed; Either VMX not present or not enabled in the BIOS
· Event ID 32: Hyper-V Launch failed; At least one of the processors in this system does not appear to provide a virtualization platform supported by Hyper-V
I’ve ensured that both:
1. Hardware Assists are enabled (Intel VT or AMD-V)
2. Data Execution Prevention is enabled (Intel XD or AMD NX)
What am I doing wrong?
A: It sounds like you’re doing a lot right, but there are a few additional BIOS settings you should check. Please be sure that:
Hyper-V does not utilize these hardware features and enabling them will prevent Hyper-V from loading.
Q: I see that Hyper-V requires hardware Data Execution Prevention. What does that mean? What does DEP do?
A: For more information on DEP, check out this article Data Execution Prevention on MSDN and a useful KB here.
More on DEP:
Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of buffer overruns.
DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools. If an application attempts to run code from a data page that is protected, a memory access violation exception occurs, and if the exception is not handled, the calling process is terminated.
DEP is not intended to be a comprehensive defense against all exploits; it is intended to be another tool that you can use to secure your application.