Language and Page Formatting Options
Chapter 17. Installing and managing Windows virtual machines
To use Microsoft Windows as the guest operating system in your virtual machines (VMs) on a RHEL 8 host, Red Hat recommends taking extra steps to ensure these VMs run correctly.
For this purpose, the following sections provide information on installing and optimizing Windows VMs on the host, as well as installing and configuring drivers in these VMs.
17.1. Installing Windows virtual machines
You can create a fully-virtualized Windows machine on a RHEL 8 host, launch the graphical Windows installer inside the virtual machine (VM), and optimize the installed Windows guest operating system (OS).
To create the VM and to install the Windows guest OS, use the
virt-install command or the RHEL 8 web console.
A Windows OS installation source, which can be one of the following, and be available locally or on a network:
- An ISO image of an installation medium
- A disk image of an existing VM installation
A storage medium with the KVM
To create this medium, see Preparing virtio driver installation media on a host machine.
If you are installing Windows 11, the
libtpmspackages must be installed on the host.
Create the VM. For instructions, see Creating virtual machines, but keep in mind the following specifics.
If using the
virt-installutility to create the VM, add the following options to the command:
The storage medium with the KVM
virtiodrivers. For example:
The Windows version you will install. For example, for Windows 10 and 11:
For a list of available Windows versions and the appropriate option, use the following command:
# osinfo-query os
If you are installing Windows 11, enable Unified Extensible Firmware Interface (UEFI) and virtual Trusted Platform Module (vTPM):
--boot uefi --tpm model=tpm-crb,backend.type=emulator,backend.version=2.0
If using the web console to create the VM, specify your version of Windows in the Operating system field of the Create new virtual machine window.
- If you are installing Windows versions prior to Windows 11 and Windows Server 2022, start the installation by clicking Create and run.
If you are installing Windows 11, or you want to use additional Windows Server 2022 features, confirm by clicking Create and edit and enable UEFI and vTPM using the CLI:
Open the VM’s XML configuration:
# virsh edit windows-vm
firmware='efi'option to the
<os firmware='efi'> <type arch='x86_64' machine='pc-q35-6.2'>hvm</type> <boot dev='hd'/> </os>
tpmdevice inside the
<devices> <tpm model='tpm-crb'> <backend type='emulator' version='2.0'/> </tpm> </devices>
- Start the Windows installation by clicking Install in the Virtual machines table.
Install the Windows OS in the VM.
For information on how to install a Windows operating system, refer to the relevant Microsoft installation documentation.
- If using the web console to create the VM, attach the storage medium with virtio drivers to the VM using the Disks interface. For instructions, see Attaching existing disks to virtual machines using the web console.
virtiodrivers in the Windows guest OS. For details, see Installing KVM paravirtualized drivers for Windows virtual machines.
17.2. Optimizing Windows virtual machines
When using Microsoft Windows as a guest operating system in a virtual machine (VM) hosted in RHEL 8, the performance of the guest may be negatively impacted.
Therefore, Red Hat recommends optimizing your Windows VMs by doing any combination of the following:
- Using paravirtualized drivers. For more information, see Installing KVM paravirtualized drivers for Windows virtual machines.
- Enabling Hyper-V enlightenments. For more information, see Enabling Hyper-V enlightenments.
- Configuring NetKVM driver parameters. For more information, see Configuring NetKVM driver parameters.
- Optimizing or disabling Windows background processes. For more information, see Optimizing background processes on Windows virtual machines.
17.2.1. Installing KVM paravirtualized drivers for Windows virtual machines
The primary method of improving the performance of your Windows virtual machines (VMs) is to install KVM paravirtualized (
virtio) drivers for Windows on the guest operating system (OS).
To do so:
- Prepare the install media on the host machine. For more information, see Preparing virtio driver installation media on a host machine.
- Attach the install media to an existing Windows VM, or attach it when creating a new Windows VM.
virtiodrivers on the Windows guest OS. For more information, see Installing virtio drivers on a Windows guest.
22.214.171.124. How Windows virtio drivers work
Paravirtualized drivers enhance the performance of virtual machines (VMs) by decreasing I/O latency and increasing throughput to almost bare-metal levels. Red Hat recommends that you use paravirtualized drivers for VMs that run I/O-heavy tasks and applications.
virtio drivers are KVM’s paravirtualized device drivers, available for Windows VMs running on KVM hosts. These drivers are provided by the
virtio-win package, which includes drivers for:
- Block (storage) devices
- Network interface controllers
- Video controllers
- Memory ballooning device
- Paravirtual serial port device
- Entropy source device
- Paravirtual panic device
- Input devices, such as mice, keyboards, or tablets
- A small set of emulated devices
For additional information about emulated,
virtio, and assigned devices, refer to Managing virtual devices.
Using KVM virtio drivers, the following Microsoft Windows versions are expected to run similarly to physical systems:
- Windows Server versions: See Certified guest operating systems for Red Hat Enterprise Linux with KVM in the Red Hat Knowledgebase.
Windows Desktop (non-server) versions:
- Windows 7 (32-bit and 64-bit versions)
- Windows 8 (32-bit and 64-bit versions)
- Windows 8.1 (32-bit and 64-bit versions)
- Windows 10 (32-bit and 64-bit versions)
126.96.36.199. Preparing virtio driver installation media on a host machine
To install KVM virtio drivers on a Windows virtual machine (VM), you must first prepare the installation media for the virtio driver on the host machine. To do so, install the
virtio-win package on the host machine and use the
.iso file it provides as storage for the VM.
- Ensure that virtualization is enabled in your RHEL 8 host system. For more information, see Enabling virtualization.
- Ensure that you have root access privileges to the VM.
Refresh your subscription data:
# subscription-manager refresh All local data refreshed
# yum install virtio-win Updating Subscription Management repositories. ... Installing: virtio-win noarch 1.9.24-2.el8_5 rhel-8-for-x86_64-appstream-rpms 219 M ...
If the installation succeeds, the
virtio-windriver files are available in the
/usr/share/virtio-win/directory. These include
ISOfiles and a
driversdirectory with the driver files in directories, one for each architecture and supported Windows version.
# ls /usr/share/virtio-win/ drivers/ guest-agent/ virtio-win-1.9.9.iso virtio-win.iso
virtio-win.isofile to the Windows VM. To do so, do one of the following:
- Use the file as a disk when creating a new Windows VM.
Add the file as a CD-ROM to an existing Windows VM. For example:
# virt-xml WindowsVM --add-device --disk virtio-win.iso,device=cdrom Domain 'WindowsVM' defined successfully.
188.8.131.52. Installing virtio drivers on a Windows guest
To install KVM
virtio drivers on a Windows guest operating system (OS), you must add a storage device that contains the drivers - either when creating the virtual machine (VM) or afterwards - and install the drivers in the Windows guest OS.
This example shows how to install the drivers using the graphical interface. You can also use the Microsoft Windows Installer (MSI) command line interface.
An installation medium with the KVM
virtiodrivers must be attached to the VM. For instructions on preparing the medium, see Preparing virtio driver installation media on a host machine.
In the Windows guest OS, open the
Devices and drivespane, open the
Based on the architecture of the VM’s vCPU, run one of the installers on the medium.
If using a 32-bit vCPU, run the
If using a 64-bit vCPU, run the
- If using a 32-bit vCPU, run the
Virtio-win-guest-toolssetup wizard that opens, follow the displayed instructions until you reach the
- In the Custom Setup window, select the device drivers you want to install. The recommended driver set is selected automatically, and the descriptions of the drivers are displayed on the right of the list.
- Click next, then click Install.
- After the installation completes, click Finish.
- Reboot the VM to complete the driver installation.
This PC, open the system disk. This is typically
Program Filesdirectory, open the
Virtio-Windirectory is present and contains a sub-directory for each of the selected drivers, the installation was successful.
- If you install the NetKVM driver, you may also need to configure the Windows guest’s networking parameters.
17.2.2. Enabling Hyper-V enlightenments
Hyper-V enlightenments provide a method for KVM to emulate the Microsoft Hyper-V hypervisor. This improves the performance of Windows virtual machines.
The following sections provide information about the supported Hyper-V enlightenments and how to enable them.
184.108.40.206. Enabling Hyper-V enlightenments on a Windows virtual machine
Hyper-V enlightenments provide better performance in a Windows virtual machine (VM) running in a RHEL 8 host. For instructions on how to enable them, see the following.
virsh editcommand to open the XML configuration of the VM. For example:
# virsh edit windows-vm
Add the following
<hyperv>sub-section to the
<features>section of the XML:
<features> [...] <hyperv> <relaxed state='on'/> <vapic state='on'/> <spinlocks state='on' retries='8191'/> <vpindex state='on'/> <runtime state='on' /> <synic state='on'/> <stimer state='on'> <direct state='on'/> </stimer> <frequencies state='on'/> </hyperv> [...] </features>
If the XML already contains a
<hyperv>sub-section, modify it as shown above.
clocksection of the configuration as follows:
<clock offset='localtime'> ... <timer name='hypervclock' present='yes'/> </clock>
- Save and exit the XML configuration.
- If the VM is running, restart it.
virsh dumpxmlcommand to display the XML configuration of the running VM. If it includes the following segments, the Hyper-V enlightenments are enabled on the VM.
<hyperv> <relaxed state='on'/> <vapic state='on'/> <spinlocks state='on' retries='8191'/> <vpindex state='on'/> <runtime state='on' /> <synic state='on'/> <stimer state='on'> <direct state='on'/> </stimer> <frequencies state='on'/> </hyperv> <clock offset='localtime'> ... <timer name='hypervclock' present='yes'/> </clock>
220.127.116.11. Configurable Hyper-V enlightenments
You can configure certain Hyper-V features to optimize Windows VMs. The following table provides information about these configurable Hyper-V features and their values.
Table 17.1. Configurable Hyper-V features
Provides MSRs to the VMs that can be used to store information and logs if a VM crashes. The information in available in the QEMU log.
If hv_crash is enabled, Windows crash dumps are not created.
Implements paravirtualized protocol between L0 (KVM) and L1 (Hyper-V) hypervisors, which enables faster L2 exits to the hypervisor.
This feature is exclusive to Intel processors.
Enables Hyper-V frequency Machine Specific Registers (MSRs).
Enables paravirtualized inter processor interrupts (IPI) support.
Notifies the guest OS that virtual processors will never share a physical core unless they are reported as sibling SMT threads. This information is required by Windows and Hyper-V guests to properly mitigate simultaneous multithreading (SMT) related CPU vulnerabilities.
on, off, auto
Notifies when there is a time stamp counter (TSC) frequency change which only occurs during migration. It also allows the guest to keep using the old frequency until it is ready to switch to the new one.
Disables a Windows sanity check that commonly results in a BSOD when the VM is running on a heavily loaded host. This is similar to the Linux kernel option no_timer_check, which is automatically enabled when Linux is running on KVM.
Sets processor time spent on running the guest code, and on behalf of the guest code.
| || |
Enables synthetic timers for virtual processors. Note that certain Windows versions revert to using HPET (or even RTC when HPET is unavailable) when this enlightenment is not provided, which can lead to significant CPU consumption, even when the virtual CPU is idle.
Enables synthetic timers when an expiration event is delivered via a normal interrupt.
Together with stimer, activates the synthetic timer. Windows 8 uses this feature in periodic mode.
Enables the following Hyper-V-specific clock sources available to the VM,
Flushes the TLB of the virtual processors.
Enables virtual APIC, which provides accelerated MSR access to the high-usage, memory-mapped Advanced Programmable Interrupt Controller (APIC) registers.
Sets the Hyper-V vendor id.
Enables virtual processor index.
17.2.3. Configuring NetKVM driver parameters
After the NetKVM driver is installed, you can configure it to better suit your environment. The parameters listed in this section can be configured using the Windows Device Manager (devmgmt.msc).
Modifying the driver’s parameters causes Windows to reload that driver. This interrupts existing network activity.
The NetKVM driver is installed on the virtual machine.
For more information, see Installing KVM paravirtualized drivers for Windows virtual machines.
Open Windows Device Manager.
For information on opening Device Manager, refer to the Windows documentation.
Locate the Red Hat VirtIO Ethernet Adapter.
- In the Device Manager window, click + next to Network adapters.
Under the list of network adapters, double-click Red Hat VirtIO Ethernet Adapter.
The Properties window for the device opens.
View the device parameters.
In the Properties window, click the Advanced tab.
Modify the device parameters.
Click the parameter you want to modify.
Options for that parameter are displayed.
Modify the options as needed.
For information on the NetKVM parameter options, refer to NetKVM driver parameters.
- Click OK to save the changes.
17.2.4. NetKVM driver parameters
The following table provides information on the configurable NetKVM driver logging parameters.
Table 17.2. Logging parameters
A Boolean value that determines whether logging is enabled. The default value is Enabled.
An integer that defines the logging level. As the integer increases, so does the verbosity of the log.
High logging levels will slow down your virtual machine.
The following table provides information on the configurable NetKVM driver initial parameters.
Table 17.3. Initial parameters
A string that defines the locally-administered MAC address for the paravirtualized NIC. This is not set by default.
An integer that represents the connection rate in megabits per second. The default value for Windows 2008 and later is 10G (10,000 megabits per second).
A Boolean value that enables Priority/VLAN tag population and removal support. The default value is Enabled.
An integer that defines the maximum transmission unit (MTU). The default value is 1500. Any value from 500 to 65500 is acceptable.
An integer that represents the number of TX ring descriptors that will be allocated.
The default value is 1024.
Valid values are: 16, 32, 64, 128, 256, 512, and 1024.
An integer that represents the number of RX ring descriptors that will be allocated.
The default value is 256.
Valid values are: 16, 32, 64, 128, 256, 512, and 1024.
Specifies the TX checksum offloading mode.
In Red Hat Enterprise Linux 8, the valid values for this parameter are:
* All (the default) which enables IP, TCP, and UDP checksum offloading for both IPv4 and IPv6
* TCP/UDP(v4,v6) which enables TCP and UDP checksum offloading for both IPv4 and IPv6
* TCP/UDP(v4) which enables TCP and UDP checksum offloading for IPv4 only
* TCP(v4) which enables only TCP checksum offloading for IPv4 only
17.2.5. Optimizing background processes on Windows virtual machines
To optimize the performance of a virtual machine (VM) running a Windows OS, you can configure or disable a variety of Windows processes.
Certain processes might not work as expected if you change their configuration.
You can optimize your Windows VMs by performing any combination of the following:
- Remove unused devices, such as USBs or CD-ROMs, and disable the ports.
- Disable background services, such as SuperFetch and Windows Search. For more information about stopping services, see Disabling system services or Stop-Service.
useplatformclock. To do so, run the following command,
# bcdedit /set useplatformclock No
- Review and disable unnecessary scheduled tasks, such as scheduled disk defragmentation. For more information on how to do so, see Disable Scheduled Tasks.
- Make sure the disks are not encrypted.
- Reduce periodic activity of server applications. You can do so by editing the respective timers. For more information, see Multimedia Timers.
- Close the Server Manager application on the VM.
- Disable the antivirus software. Note that disabling the antivirus might compromise the security of the VM.
- Disable the screen saver.
- Keep the Windows OS on the sign-in screen when not in use.
17.3. Enabling standard hardware security on Windows virtual machines
To secure Windows virtual machines (VMs), you can enable basic level security using the standard hardware capabilities of the Windows device.
- Make sure you have installed the latest WHQL certified VirtIO drivers.
- Make sure the VM’s firmware supports UEFI boot.
edk2-OVMFpackage on your host machine.
# yum install edk2-ovmf
vTPMpackages on your host machine.
# yum install swtpm libtpms
- Make sure the VM is using the Q35 machine architecture.
- Make sure you have the Windows installation media.
Enable TPM 2.0 by adding the following parameters to the
<devices>section in the VM’s XML configuration.
<devices> [...] <tpm model='tpm-crb'> <backend type='emulator' version='2.0'/> </tpm> [...] </devices>
- Install Windows in UEFI mode. For more information on how to do so, see Creating a SecureBoot virtual machine.
- Install the VirtIO drivers on the Windows VM. For more information on how to do so, see Installing virtio drivers on a Windows guest.
- In UEFI, enable Secure Boot. For more information on how to do so, see Secure Boot.
Ensure that the Device Security page on your Windows machine displays the following message:
Settings > Update & Security > Windows Security > Device Security
Your device meets the requirements for standard hardware security.
17.4. Enabling enhanced hardware security on Windows virtual machines
To further secure Windows virtual machines (VMs), you can enable virtualization-based protection of code integrity, also known as Hypervisor-Protected Code Integrity (HVCI).
- Ensure that standard hardware security is enabled. For more information, see Enabling standard hardware security on Windows virtual machines.
- Ensure you have enabled Hyper-V enlightenments. For more information, see Enabling Hyper-V enlightenments.
Open the XML configuration of the Windows VM. The following example opens the configuration of the Example-L1 VM:
# virsh edit Example-L1
<cpu>section, specify the CPU mode and add the policy flag.Important
For Intel CPUs, enable the
For AMD CPUs, enable the
If you do not wish to specify a custom CPU, you can set the
<cpu mode='custom' match='exact' check='partial'> <model fallback='allow'>Skylake-Client-IBRS</model> <topology sockets='1' dies='1' cores='4' threads='1'/> <feature policy='require' name='vmx'/> </cpu>
- For Intel CPUs, enable the
- Save the XML configuration and reboot the VM.
On the VMs operating system, navigate to the Core isolation details page:
Settings > Update & Security > Windows Security > Device Security > Core isolation details
- Toggle the switch to enable Memory Integrity.
- Reboot the VM.
For other methods of enabling HVCI, see the relevant Microsoft documentation.
Ensure that the Device Security page on your Windows VM displays the following message:
Settings > Update & Security > Windows Security > Device Security
Your device meets the requirements for enhanced hardware security.
Alternatively, check System Information on the Windows VM:
msinfo32.exein a command prompt.
- Check if Credential Guard, Hypervisor enforced Code Integrity is listed under Virtualization-based security Services Running.
17.5. Next steps
- To share files between your RHEL 8 host and its Windows VMs, you can use Samba.