Hyper-V - DeveloPassion

# Hyper-V Hyper-V is Microsoft's type-1 (bare-metal) hypervisor, built into Windows Server (since 2008) and Windows client editions Pro / Enterprise / Education / Pro for Workstations. It runs **directly on the hardware**, not on top of Windows — which is the single most counterintuitive thing about it on the desktop: when you "enable Hyper-V" on your Windows 11 machine, your Windows installation stops being the OS-on-the-metal and becomes a guest in its own *root partition*. Every other VM (and feature like [[Windows Sandbox]], WSL2, [[Docker Desktop]]'s Linux backend, Defender Application Guard, virtualization-based security) is a sibling child partition under the same hypervisor. This single design choice is what unifies Microsoft's otherwise-disjoint isolation stack: Sandbox, [[Windows Subsystem for Linux (WSL)|WSL2]], Windows containers (Hyper-V isolation mode), Credential Guard, and Application Guard are all *the same primitive* underneath. ## Architecture - **Hypervisor** runs on the bare metal at Ring -1, mediating CPU/memory access for all partitions - **Root (parent) partition** = your host Windows. Owns physical device drivers and brokers I/O for child partitions via VMBus. When Hyper-V is enabled on a desktop, this is what your "host" becomes - **Child partitions** = guest VMs. No direct hardware access; they talk to the root partition through the hypercall API and synthetic device drivers (Integration Services / Linux Integration Services) - **VMBus** = high-speed inter-partition communication channel, replacing emulated devices for performance ## Requirements - 64-bit CPU with **SLAT** (Second-Level Address Translation): Intel EPT or AMD RVI - **VT-x / AMD-V** hardware virtualization, enabled in firmware - DEP (NX/XD bit) - Minimum 4 GB RAM (practically much more) Without SLAT, you cannot run Hyper-V on Windows client at all. ## Key features - **Generation 2 VMs** — UEFI firmware, Secure Boot, vTPM 2.0, BitLocker inside the guest, no legacy BIOS/IDE - **Dynamic Memory** — guests get a min/max range; the hypervisor reallocates RAM between guests based on actual demand instead of statically pinning it - **Checkpoints (snapshots)** — point-in-time captures, including memory state, with branching trees for rollback during testing - **Live Migration** (Server) — move a running VM between hosts with no downtime; **Shared Nothing Live Migration** does this without shared storage - **Hyper-V Replica** (Server) — async replication to a secondary site for DR; RPO down to 30 seconds - **Nested virtualization** — run Hyper-V inside a Hyper-V VM; required for WSL2-in-a-VM, Azure Local dev, and CI of hypervisor-dependent workloads - **GPU Partitioning (GPU-P)** — slice a single GPU across multiple VMs; the modern replacement for DDA/RemoteFX vGPU - **SR-IOV / RDMA** — bypass the hypervisor for near-native network performance - **Virtual switches** — external (bridged to NIC), internal (host ↔ guests only), private (guests only) - **PowerShell Direct** — `Invoke-Command -VMName` runs commands inside a guest with no network needed - **Shielded VMs + Host Guardian Service** (Server) — protects guest disks/state from a compromised admin ## Editions and surfaces - **Hyper-V on Windows client** (Pro/Enterprise/Education) — desktop dev/test focus; Hyper-V Manager + Quick Create + PowerShell module. No clustering, no live migration, no Replica - **Hyper-V on Windows Server** — full enterprise feature set: Failover Clustering, CSV, Live Migration, Replica, Shielded VMs - **Azure Hypervisor** — Hyper-V is the foundation of Azure compute; Azure Local (formerly Azure Stack HCI) is Hyper-V + Storage Spaces Direct + SDN packaged as on-prem hyperconverged infrastructure - Hyper-V Server (the standalone free SKU) was discontinued; Azure Local is the successor for bare-metal deployments ## What it underpins on Windows desktop Once Hyper-V is enabled on a Windows 11 client, several seemingly unrelated features start using it as their isolation primitive: - [[Windows Sandbox]] — disposable VM via Dynamic Base Image - [[Windows Subsystem for Linux (WSL)|WSL2]] — Linux kernel running in a lightweight utility VM - [[Docker Desktop]] — Linux containers via a hidden WSL2 / Hyper-V utility VM - Windows containers in Hyper-V isolation mode (vs process isolation) - Defender Application Guard — Edge tabs for untrusted sites in a throwaway VM - Virtualization-Based Security (VBS), Credential Guard, HVCI — secure kernel runs in an isolated child partition the host kernel cannot read ## Trade-offs vs other hypervisors - **Type-1, free, integrated** — no extra licensing if you already run Windows; comparable to ESXi or KVM in architectural class, ahead of VirtualBox/VMware Workstation (type-2) for production density and isolation - **Cost of enabling it** — once on, the host is itself virtualized; some Intel features (older VirtualBox, some emulators, some anti-cheat) refuse to run because they expect to be the only hypervisor. Mostly resolved via Windows Hypervisor Platform (WHPX) shim, but historically a friction point - **Ecosystem** — first-class on Windows + Azure; weak on Linux/macOS. For cross-platform homelabs, [[Proxmox]] (KVM-based) is more common - **Tooling** — Hyper-V Manager is functional but dated; Windows Admin Center and PowerShell are where modern management actually lives ## When to reach for it - You're already on Windows and need a real VM (not just a container) - You want [[Windows Subsystem for Linux (WSL)|WSL2]] / [[Windows Sandbox]] / [[Docker Desktop]], all of which require it anyway - You're running Windows Server consolidation or VDI - You need nested virtualization for CI of hypervisor-bound workloads ## When not to - Cross-platform / Linux-first homelab → [[Proxmox]] or plain KVM - Lightweight throwaway environments → [[Containerization|containers]] / [[Docker]] are dramatically lighter - macOS hosts → Hyper-V doesn't exist there ## References - https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/ - https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/overview ## Related - [[Windows Sandbox]] - [[Windows Subsystem for Linux (WSL)]] - [[Containerization]] - [[Docker]] - [[Docker Desktop]] - [[Proxmox]] - [[WSL2 Distro Manager]] - [[Self-hosting]]