
Chapter 17. Installing and managing Windows virtual machines

To use Microsoft Windows as the guest operating system in your virtual machines (VMs) on a RHEL 8 host, Red Hat recommends taking extra steps to ensure these VMs run correctly.

For this purpose, the following sections provide information on installing and optimizing Windows VMs on the host, as well as installing and configuring drivers in these VMs.

17.1. Installing Windows virtual machines

You can create a fully-virtualized Windows machine on a RHEL 8 host, launch the graphical Windows installer inside the virtual machine (VM), and optimize the installed Windows guest operating system (OS).

To create the VM and to install the Windows guest OS, use the virt-install command or the RHEL 8 web console.

Prerequisites

  • A Windows OS installation source, which can be one of the following, and be available locally or on a network:

    • An ISO image of an installation medium
    • A disk image of an existing VM installation
  • A storage medium with the KVM virtio drivers.

    To create this medium, see Preparing virtio driver installation media on a host machine.

  • If you are installing Windows 11, the edk2-ovmf, swtpm and libtpms packages must be installed on the host.

Procedure

  1. Create the VM. For instructions, see Creating virtual machines, but keep in mind the following specifics.

    • If using the virt-install utility to create the VM, add the following options to the command:

      • The storage medium with the KVM virtio drivers. For example:

        --disk path=/usr/share/virtio-win/virtio-win.iso,device=cdrom
      • The Windows version you will install. For example, for Windows 10 and 11:

        --os-variant win10

        For a list of available Windows versions and the appropriate option, use the following command:

        # osinfo-query os
      • If you are installing Windows 11, enable Unified Extensible Firmware Interface (UEFI) and virtual Trusted Platform Module (vTPM):

        --boot uefi --tpm model=tpm-crb,backend.type=emulator,backend.version=2.0
    • If using the web console to create the VM, specify your version of Windows in the Operating system field of the Create new virtual machine window.

      • If you are installing Windows versions prior to Windows 11 and Windows Server 2022, start the installation by clicking Create and run.
      • If you are installing Windows 11, or you want to use additional Windows Server 2022 features, confirm by clicking Create and edit and enable UEFI and vTPM using the CLI:

        1. Open the VM’s XML configuration:

          # virsh edit windows-vm
        2. Add the firmware='efi' option to the os element:

          <os firmware='efi'>
            <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
            <boot dev='hd'/>
          </os>
        3. Add the tpm device inside the devices element:

          <devices>
            <tpm model='tpm-crb'>
              <backend type='emulator' version='2.0'/>
            </tpm>
          </devices>
        4. Start the Windows installation by clicking Install in the Virtual machines table.
  2. Install the Windows OS in the VM.

    For information on how to install a Windows operating system, refer to the relevant Microsoft installation documentation.

  3. If using the web console to create the VM, attach the storage medium with virtio drivers to the VM using the Disks interface. For instructions, see Attaching existing disks to virtual machines using the web console.
  4. Configure KVM virtio drivers in the Windows guest OS. For details, see Installing KVM paravirtualized drivers for Windows virtual machines.

17.2. Optimizing Windows virtual machines

When using Microsoft Windows as a guest operating system in a virtual machine (VM) hosted in RHEL 8, the performance of the guest may be negatively impacted.

Therefore, Red Hat recommends optimizing your Windows VMs by doing any combination of the following:

17.2.1. Installing KVM paravirtualized drivers for Windows virtual machines

The primary method of improving the performance of your Windows virtual machines (VMs) is to install KVM paravirtualized (virtio) drivers for Windows on the guest operating system (OS).

To do so:

  1. Prepare the install media on the host machine. For more information, see Preparing virtio driver installation media on a host machine.
  2. Attach the install media to an existing Windows VM, or attach it when creating a new Windows VM.
  3. Install the virtio drivers on the Windows guest OS. For more information, see Installing virtio drivers on a Windows guest.

17.2.1.1. How Windows virtio drivers work

Paravirtualized drivers enhance the performance of virtual machines (VMs) by decreasing I/O latency and increasing throughput to almost bare-metal levels. Red Hat recommends that you use paravirtualized drivers for VMs that run I/O-heavy tasks and applications.

virtio drivers are KVM’s paravirtualized device drivers, available for Windows VMs running on KVM hosts. These drivers are provided by the virtio-win package, which includes drivers for:

  • Block (storage) devices
  • Network interface controllers
  • Video controllers
  • Memory ballooning device
  • Paravirtual serial port device
  • Entropy source device
  • Paravirtual panic device
  • Input devices, such as mice, keyboards, or tablets
  • A small set of emulated devices

Note

For additional information about emulated, virtio, and assigned devices, refer to Managing virtual devices.

Using KVM virtio drivers, the following Microsoft Windows versions are expected to run similarly to physical systems:

17.2.1.2. Preparing virtio driver installation media on a host machine

To install KVM virtio drivers on a Windows virtual machine (VM), you must first prepare the installation media for the virtio driver on the host machine. To do so, install the virtio-win package on the host machine and use the .iso file it provides as storage for the VM.

Prerequisites

  • Ensure that virtualization is enabled in your RHEL 8 host system. For more information, see Enabling virtualization.
  • Ensure that you have root access privileges to the VM.

Procedure

  1. Refresh your subscription data:

    # subscription-manager refresh
    All local data refreshed
  2. Install the virtio-win package:

    # yum install virtio-win
    Updating Subscription Management repositories.
    ...
    Installing:
     virtio-win  noarch  1.9.24-2.el8_5     rhel-8-for-x86_64-appstream-rpms  219 M
    ...

    If the installation succeeds, the virtio-win driver files are available in the /usr/share/virtio-win/ directory. These include ISO files and a drivers directory with the driver files in directories, one for each architecture and supported Windows version.

    # ls /usr/share/virtio-win/
    drivers/  guest-agent/  virtio-win-1.9.9.iso  virtio-win.iso
  3. Attach the virtio-win.iso file to the Windows VM. To do so, do one of the following:

    • Use the file as a disk when creating a new Windows VM.
    • Add the file as a CD-ROM to an existing Windows VM. For example:

      # virt-xml WindowsVM --add-device --disk virtio-win.iso,device=cdrom
      Domain 'WindowsVM' defined successfully.

17.2.1.3. Installing virtio drivers on a Windows guest

To install KVM virtio drivers on a Windows guest operating system (OS), you must add a storage device that contains the drivers - either when creating the virtual machine (VM) or afterwards - and install the drivers in the Windows guest OS.

This example shows how to install the drivers using the graphical interface. You can also use the Microsoft Windows Installer (MSI) command line interface.

Prerequisites

Procedure

  1. In the Windows guest OS, open the File Explorer application.
  2. Click This PC.
  3. In the Devices and drives pane, open the virtio-win medium.
  4. Based on the architecture of the VM’s vCPU, run one of the installers on the medium.

    • If using a 32-bit vCPU, run the virtio-win-gt-x86 installer.
    • If using a 64-bit vCPU, run the virtio-win-gt-x64 installer.
  5. In the Virtio-win-guest-tools setup wizard that opens, follow the displayed instructions until you reach the Custom Setup step.

  6. In the Custom Setup window, select the device drivers you want to install. The recommended driver set is selected automatically, and the descriptions of the drivers are displayed on the right of the list.
  7. Click Next, then click Install.
  8. After the installation completes, click Finish.
  9. Reboot the VM to complete the driver installation.

Verification

  1. In This PC, open the system disk. This is typically (C:).
  2. In the Program Files directory, open the Virtio-Win directory.

    If the Virtio-Win directory is present and contains a sub-directory for each of the selected drivers, the installation was successful.


Next steps

17.2.2. Enabling Hyper-V enlightenments

Hyper-V enlightenments provide a method for KVM to emulate the Microsoft Hyper-V hypervisor. This improves the performance of Windows virtual machines.

The following sections provide information about the supported Hyper-V enlightenments and how to enable them.

17.2.2.1. Enabling Hyper-V enlightenments on a Windows virtual machine

Hyper-V enlightenments provide better performance in a Windows virtual machine (VM) running in a RHEL 8 host. For instructions on how to enable them, see the following.

Procedure

  1. Use the virsh edit command to open the XML configuration of the VM. For example:

    # virsh edit windows-vm
  2. Add the following <hyperv> sub-section to the <features> section of the XML:

    <features>
      [...]
      <hyperv>
        <relaxed state='on'/>
        <vapic state='on'/>
        <spinlocks state='on' retries='8191'/>
        <vpindex state='on'/>
        <runtime state='on' />
        <synic state='on'/>
        <stimer state='on'>
          <direct state='on'/>
        </stimer>
        <frequencies state='on'/>
      </hyperv>
      [...]
    </features>

    If the XML already contains a <hyperv> sub-section, modify it as shown above.

  3. Change the clock section of the configuration as follows:

    <clock offset='localtime'>
      ...
      <timer name='hypervclock' present='yes'/>
    </clock>
  4. Save and exit the XML configuration.
  5. If the VM is running, restart it.

Verification

  • Use the virsh dumpxml command to display the XML configuration of the running VM. If it includes the following segments, the Hyper-V enlightenments are enabled on the VM.

    <hyperv>
      <relaxed state='on'/>
      <vapic state='on'/>
      <spinlocks state='on' retries='8191'/>
      <vpindex state='on'/>
      <runtime state='on' />
      <synic state='on'/>
      <stimer state='on'>
        <direct state='on'/>
      </stimer>
      <frequencies state='on'/>
    </hyperv>
    
    <clock offset='localtime'>
      ...
      <timer name='hypervclock' present='yes'/>
    </clock>
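The verification step above can be automated. The following is an added example, not part of the Red Hat documentation: it parses a domain XML, such as the output of virsh dumpxml, and lists every <hyperv> or <clock> setting that differs from the procedure. The function name and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Path under <hyperv> -> attributes the procedure above sets on that element.
EXPECTED_HYPERV = {
    "relaxed": {"state": "on"},
    "vapic": {"state": "on"},
    "spinlocks": {"state": "on", "retries": "8191"},
    "vpindex": {"state": "on"},
    "runtime": {"state": "on"},
    "synic": {"state": "on"},
    "stimer": {"state": "on"},
    "stimer/direct": {"state": "on"},
    "frequencies": {"state": "on"},
}


def enlightenment_gaps(domain_xml):
    """List where a domain XML differs from the <hyperv> and <clock> settings."""
    root = ET.fromstring(domain_xml)
    gaps = []
    hyperv = root.find("features/hyperv")
    if hyperv is None:
        gaps.append("features/hyperv: missing")
    else:
        for path, attrs in EXPECTED_HYPERV.items():
            elem = hyperv.find(path)
            for key, want in attrs.items():
                got = None if elem is None else elem.get(key)
                if got != want:
                    gaps.append(f"hyperv/{path} {key}={got!r} (want {want!r})")
    clock = root.find("clock")
    if clock is None or clock.get("offset") != "localtime":
        gaps.append("clock offset is not 'localtime'")
    timer = None if clock is None else clock.find("timer[@name='hypervclock']")
    if timer is None or timer.get("present") != "yes":
        gaps.append("clock timer 'hypervclock' is not present='yes'")
    return gaps


# Constructed sample: <stimer> has no <direct> child and hypervclock is off.
SAMPLE_INCOMPLETE = """
<domain type='kvm'>
  <name>windows-vm</name>
  <features>
    <hyperv>
      <relaxed state='on'/>
      <vapic state='on'/>
      <spinlocks state='on' retries='8191'/>
      <vpindex state='on'/>
      <runtime state='on'/>
      <synic state='on'/>
      <stimer state='on'/>
      <frequencies state='on'/>
    </hyperv>
  </features>
  <clock offset='localtime'>
    <timer name='hypervclock' present='no'/>
  </clock>
</domain>
"""

if __name__ == "__main__":
    # Pipe in `virsh dumpxml windows-vm`, or run without input for the sample.
    text = SAMPLE_INCOMPLETE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(enlightenment_gaps(text)) or "all enlightenments present")
```
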

17.2.2.2. Configurable Hyper-V enlightenments

You can configure certain Hyper-V features to optimize Windows VMs. The following table provides information about these configurable Hyper-V features and their values.

Table 17.1. Configurable Hyper-V features

| Enlightenment | Description | Values |
|---|---|---|
| crash | Provides MSRs to the VMs that can be used to store information and logs if a VM crashes. The information is available in the QEMU log. Note: If hv_crash is enabled, Windows crash dumps are not created. | on, off |
| evmcs | Implements paravirtualized protocol between L0 (KVM) and L1 (Hyper-V) hypervisors, which enables faster L2 exits to the hypervisor. Note: This feature is exclusive to Intel processors. | on, off |
| frequencies | Enables Hyper-V frequency Machine Specific Registers (MSRs). | on, off |
| ipi | Enables paravirtualized inter processor interrupts (IPI) support. | on, off |
| no-nonarch-coresharing | Notifies the guest OS that virtual processors will never share a physical core unless they are reported as sibling SMT threads. This information is required by Windows and Hyper-V guests to properly mitigate simultaneous multithreading (SMT) related CPU vulnerabilities. | on, off, auto |
| reenlightenment | Notifies when there is a time stamp counter (TSC) frequency change which only occurs during migration. It also allows the guest to keep using the old frequency until it is ready to switch to the new one. | on, off |
| relaxed | Disables a Windows sanity check that commonly results in a BSOD when the VM is running on a heavily loaded host. This is similar to the Linux kernel option no_timer_check, which is automatically enabled when Linux is running on KVM. | on, off |
| runtime | Sets processor time spent on running the guest code, and on behalf of the guest code. | on, off |
| spinlocks | Used by a VM’s operating system to notify Hyper-V that the calling virtual processor is attempting to acquire a resource that is potentially held by another virtual processor within the same partition. Used by Hyper-V to indicate to the virtual machine’s operating system the number of times a spinlock acquisition should be attempted before indicating an excessive spin situation to Hyper-V. | on, off |
| stimer | Enables synthetic timers for virtual processors. Note that certain Windows versions revert to using HPET (or even RTC when HPET is unavailable) when this enlightenment is not provided, which can lead to significant CPU consumption, even when the virtual CPU is idle. | on, off |
| stimer-direct | Enables synthetic timers when an expiration event is delivered via a normal interrupt. | on, off |
| synic | Together with stimer, activates the synthetic timer. Windows 8 uses this feature in periodic mode. | on, off |
| time | Enables the following Hyper-V-specific clock sources available to the VM: the MSR-based Hyper-V clock source (HV_X64_MSR_TIME_REF_COUNT, 0x40000020); the Reference TSC page which is enabled via MSR (HV_X64_MSR_REFERENCE_TSC, 0x40000021). | on, off |
| tlbflush | Flushes the TLB of the virtual processors. | on, off |
| vapic | Enables virtual APIC, which provides accelerated MSR access to the high-usage, memory-mapped Advanced Programmable Interrupt Controller (APIC) registers. | on, off |
| vendor_id | Sets the Hyper-V vendor id. | on, off; Id value: string of up to 12 characters |
| vpindex | Enables virtual processor index. | on, off |

17.2.3. Configuring NetKVM driver parameters

After the NetKVM driver is installed, you can configure it to better suit your environment. The parameters listed in this section can be configured using the Windows Device Manager (devmgmt.msc).

Important

Modifying the driver’s parameters causes Windows to reload that driver. This interrupts existing network activity.

Prerequisites

Procedure

  1. Open Windows Device Manager.

    For information on opening Device Manager, refer to the Windows documentation.

  2. Locate the Red Hat VirtIO Ethernet Adapter.

    1. In the Device Manager window, click + next to Network adapters.
    2. Under the list of network adapters, double-click Red Hat VirtIO Ethernet Adapter.

      The Properties window for the device opens.

  3. View the device parameters.

    In the Properties window, click the Advanced tab.

  4. Modify the device parameters.

    1. Click the parameter you want to modify.

      Options for that parameter are displayed.

    2. Modify the options as needed.

      For information on the NetKVM parameter options, refer to NetKVM driver parameters.

    3. Click OK to save the changes.

17.2.4. NetKVM driver parameters

The following table provides information on the configurable NetKVM driver logging parameters.

Table 17.2. Logging parameters

| Parameter | Description |
|---|---|
| Logging.Enable | A Boolean value that determines whether logging is enabled. The default value is Enabled. |
| Logging.Level | An integer that defines the logging level. As the integer increases, so does the verbosity of the log. The default value is 0 (errors only); 1-2 adds configuration messages; 3-4 adds packet flow information; 5-6 adds interrupt and DPC level trace information. Note: High logging levels will slow down your virtual machine. |

The following table provides information on the configurable NetKVM driver initial parameters.

Table 17.3. Initial parameters

| Parameter | Description |
|---|---|
| Assign MAC | A string that defines the locally-administered MAC address for the paravirtualized NIC. This is not set by default. |
| Init.ConnectionRate(Mb) | An integer that represents the connection rate in megabits per second. The default value for Windows 2008 and later is 10G (10,000 megabits per second). |
| Init.Do802.1PQ | A Boolean value that enables Priority/VLAN tag population and removal support. The default value is Enabled. |
| Init.MTUSize | An integer that defines the maximum transmission unit (MTU). The default value is 1500. Any value from 500 to 65500 is acceptable. |
| Init.MaxTxBuffers | An integer that represents the number of TX ring descriptors that will be allocated. The default value is 1024. Valid values are: 16, 32, 64, 128, 256, 512, and 1024. |
| Init.MaxRxBuffers | An integer that represents the number of RX ring descriptors that will be allocated. The default value is 256. Valid values are: 16, 32, 64, 128, 256, 512, and 1024. |
| Offload.Tx.Checksum | Specifies the TX checksum offloading mode. In Red Hat Enterprise Linux 8, the valid values for this parameter are: All (the default), which enables IP, TCP, and UDP checksum offloading for both IPv4 and IPv6; TCP/UDP(v4,v6), which enables TCP and UDP checksum offloading for both IPv4 and IPv6; TCP/UDP(v4), which enables TCP and UDP checksum offloading for IPv4 only; TCP(v4), which enables only TCP checksum offloading for IPv4 only. |

17.2.5. Optimizing background processes on Windows virtual machines

To optimize the performance of a virtual machine (VM) running a Windows OS, you can configure or disable a variety of Windows processes.

Warning

Certain processes might not work as expected if you change their configuration.

Procedure

You can optimize your Windows VMs by performing any combination of the following:

  • Remove unused devices, such as USBs or CD-ROMs, and disable the ports.
  • Disable background services, such as SuperFetch and Windows Search. For more information about stopping services, see Disabling system services or Stop-Service.
  • Disable useplatformclock. To do so, run the following command:

    # bcdedit /set useplatformclock No
  • Review and disable unnecessary scheduled tasks, such as scheduled disk defragmentation. For more information on how to do so, see Disable Scheduled Tasks.
  • Make sure the disks are not encrypted.
  • Reduce periodic activity of server applications. You can do so by editing the respective timers. For more information, see Multimedia Timers.
  • Close the Server Manager application on the VM.
  • Disable the antivirus software. Note that disabling the antivirus might compromise the security of the VM.
  • Disable the screen saver.
  • Keep the Windows OS on the sign-in screen when not in use.

17.3. Enabling standard hardware security on Windows virtual machines

To secure Windows virtual machines (VMs), you can enable basic level security using the standard hardware capabilities of the Windows device.

Prerequisites

  • Make sure you have installed the latest WHQL certified VirtIO drivers.
  • Make sure the VM’s firmware supports UEFI boot.
  • Install the edk2-ovmf package on your host machine.

    # yum install edk2-ovmf
  • Install the vTPM packages on your host machine.

    # yum install swtpm libtpms
  • Make sure the VM is using the Q35 machine architecture.
  • Make sure you have the Windows installation media.

Procedure

  1. Enable TPM 2.0 by adding the following parameters to the <devices> section in the VM’s XML configuration.

    <devices>
    [...]
      <tpm model='tpm-crb'>
        <backend type='emulator' version='2.0'/>
      </tpm>
    [...]
    </devices>
  2. Install Windows in UEFI mode. For more information on how to do so, see Creating a SecureBoot virtual machine.
  3. Install the VirtIO drivers on the Windows VM. For more information on how to do so, see Installing virtio drivers on a Windows guest.
  4. In UEFI, enable Secure Boot. For more information on how to do so, see Secure Boot.

Verification

  • Ensure that the Device Security page on your Windows machine displays the following message:

    Settings > Update & Security > Windows Security > Device Security

    Your device meets the requirements for standard hardware security.

17.4. Enabling enhanced hardware security on Windows virtual machines

To further secure Windows virtual machines (VMs), you can enable virtualization-based protection of code integrity, also known as Hypervisor-Protected Code Integrity (HVCI).

Prerequisites

Procedure

  1. Open the XML configuration of the Windows VM. The following example opens the configuration of the Example-L1 VM:

    # virsh edit Example-L1
  2. Under the <cpu> section, specify the CPU mode and add the policy flag.

    Important

    • For Intel CPUs, enable the vmx policy flag.
    • For AMD CPUs, enable the svm policy flag.
    • If you do not wish to specify a custom CPU, you can set the <cpu mode> as host-passthrough.

    <cpu mode='custom' match='exact' check='partial'>
        <model fallback='allow'>Skylake-Client-IBRS</model>
        <topology sockets='1' dies='1' cores='4' threads='1'/>
        <feature policy='require' name='vmx'/>
    </cpu>
  3. Save the XML configuration and reboot the VM.
  4. On the VM’s operating system, navigate to the Core isolation details page:

    Settings > Update & Security > Windows Security > Device Security > Core isolation details

  5. Toggle the switch to enable Memory Integrity.
  6. Reboot the VM.

Note

For other methods of enabling HVCI, see the relevant Microsoft documentation.

Verification

  • Ensure that the Device Security page on your Windows VM displays the following message:

    Settings > Update & Security > Windows Security > Device Security

    Your device meets the requirements for enhanced hardware security.
  • Alternatively, check System Information on the Windows VM:

    1. Run msinfo32.exe in a command prompt.
    2. Check if Credential Guard, Hypervisor enforced Code Integrity is listed under Virtualization-based security Services Running.
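The in-guest checks above confirm the end result. As an added example, not part of the Red Hat documentation, the following script checks the host-side half: it reads a domain XML and reports which of the settings from sections 17.3 and 17.4 (UEFI firmware, Q35 machine type, TPM 2.0, and the vmx or svm CPU flag) are missing. The function name and the sample XML are constructed; Secure Boot and Memory Integrity are set inside the firmware and the guest and are not checked here.

```python
import xml.etree.ElementTree as ET


def hardware_security_gaps(domain_xml):
    """Check the host-side XML settings from sections 17.3 and 17.4."""
    root = ET.fromstring(domain_xml)
    standard, enhanced = [], []

    os_elem = root.find("os")
    if os_elem is None or os_elem.get("firmware") != "efi":
        standard.append("os element lacks firmware='efi' (UEFI boot)")

    os_type = root.find("os/type")
    machine = "" if os_type is None else os_type.get("machine", "")
    if "q35" not in machine:
        standard.append(f"machine type {machine!r} is not Q35")

    # TPM 2.0 as configured in 17.3: tpm-crb model with an emulator backend.
    tpm_ok = False
    for tpm in root.findall("devices/tpm"):
        backend = tpm.find("backend")
        if (tpm.get("model") == "tpm-crb" and backend is not None
                and backend.get("type") == "emulator"
                and backend.get("version") == "2.0"):
            tpm_ok = True
    if not tpm_ok:
        standard.append("no tpm-crb device with an emulator 2.0 backend")

    # 17.4: vmx (Intel) or svm (AMD) required, or host-passthrough CPU mode.
    cpu = root.find("cpu")
    mode = None if cpu is None else cpu.get("mode")
    required = set() if cpu is None else {
        f.get("name") for f in cpu.findall("feature")
        if f.get("policy") == "require"}
    if mode != "host-passthrough" and not required & {"vmx", "svm"}:
        enhanced.append("cpu neither requires vmx/svm nor uses host-passthrough")
    return {"standard": standard, "enhanced": enhanced}


# Constructed sample: UEFI and Q35 are set, but the TPM is version 1.2 and the
# custom CPU model does not require vmx or svm.
SAMPLE_XML = """
<domain type='kvm'>
  <name>Example-L1</name>
  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-6.2'>hvm</type>
    <boot dev='hd'/>
  </os>
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>Skylake-Client-IBRS</model>
    <topology sockets='1' dies='1' cores='4' threads='1'/>
  </cpu>
  <devices>
    <tpm model='tpm-tis'>
      <backend type='emulator' version='1.2'/>
    </tpm>
  </devices>
</domain>
"""

if __name__ == "__main__":
    for section, gaps in hardware_security_gaps(SAMPLE_XML).items():
        print(section, gaps or "ok")
```
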

17.5. Next steps

  • To share files between your RHEL 8 host and its Windows VMs, you can use Samba.