Learning Resource: VDI Windows
Hyper-V vs VMware: Compared on Features, Pricing and Security
What is Hyper-V?
Hyper-V is a bare-metal (type 1) hypervisor, created by Microsoft in 2016. It is built into most versions of Windows.
Hyper-V can be used to virtualize hardware components and operating systems. It enables running guest operating systems on servers and regular Windows workstations. Hyper-V is commonly used to run Windows VDI workloads. It is also the hypervisor that powers Azure VMs.
There are three consumer versions of Hyper-V:
- Hyper-V Server, a standalone virtualization solution
- Hyper-V for Windows Server
- Hyper-V for Windows 10
What is VMware ESXi?
VMware pioneered virtualization technology in the 1990s. Its virtualization solutions are based on the ESX/ESXi bare metal hypervisor, for x86 architecture. The hypervisor can be used to run multiple virtual machines (VMs), sharing resources from the same physical server, such as CPU, network interfaces and RAM.
VMware products enable virtualization, software-defined data centers, and management of cloud infrastructure. VMware vSphere is its main server virtualization platform, which enables deployment and management of VMs at large scale.
VMware vs Hyper-V: Technical Characteristics
When comparing VMware and Hyper-V, we’ll focus on ESXi, the hypervisor powering VMware’s virtualization stack. The following table compares the key technical characteristics of ESXi and Hyper-V.
VMware Pricing vs Hyper-V Pricing
Both ESXi and Hyper-V are free to download, and can be used for free without limitation on the CPUs, RAM or storage on the host. But while the hypervisor itself is free, the management layer is provided at extra charge.
The prices below are correct as of the time of this writing—please consult vendor websites for up to date pricing.
VMware pricing for virtualization management
VMware vSphere is the basic virtualization management product used with ESXi. The entry level editions are:
- VMware vSphere Essentials—supports 3 servers with 2 processors each, priced at $510 per year
- VMware vSphere Essentials Plus—same as Essentials, with additional features, priced at $5,596 per year
- VMware vSphere Standard—requires vCenter, priced at $1,268 per physical processor per year
Hyper-V pricing for virtualization management
Microsoft recommends that users upgrade to Windows Server and pay for Windows System Center for virtualization management. However, basic features like creating a VM, snapshots and resource allocation are free.
- Windows System Center license costs start from $1,323 per year
- Windows Server 2019 license costs are $501 per year for the Essentials edition, $972 for the Standard edition and $6,155 for the Datacenter edition with full virtualization features
VMware NSX vs Microsoft Hyper-V Networking
VMware provides NSX-T for virtualized networking, which supports the following features:
- Layer 2, Layer 3, and isolated virtual networks
- L2VPNs enable extending on-premises subnets to the virtualized environment without changing IP addresses
- IPsec VPNs, either route-based with BGP, or policy based, make it possible to connect on-premises networks and VPCs
- Support for AWS Direct Connect (DX) for high speed connectivity between on-premise data centers and AWS
- Native DHCP capabilities, with the ability to connect to on-premises IPAM devices
- Create multiple DNS zones, allowing use of different DNS servers for network subdomains.
- Take advantage of distributed routing, managed by an NSX kernel module running on the host where the workload resides, so workloads can efficiently communicate with each other.
Microsoft Hyper-V provides networking via Windows Server. Windows Server virtualized networking features include:
- Virtualized Layer 2 networks
- Traffic routed between virtual networks or between physical and virtual networks via gateways
- Virtual Extensible LAN (VXLAN) and Network Virtualization using Generic Routing Encapsulation (NVGRE)
- Software defined networking (SDN)
VMware Security vs Hyper-V Security
VMware is an enterprise-grade virtualization solution, and naturally, its security features are more robust. However, Hyper-V also provides robust security features.
The ESXi hypervisor is protected by the following security features:
- Host-level security capabilities—ESXi supports CPU isolation, memory isolation, device isolation, lockdown mode, certificate replacement, and smart card authentication.
- Host firewall—ESXi hosts are protected by a firewall, which denies access to services and ports by default, except for a limited number of essential ports.
- Host Certificates—the VMware certificate infrastructure grants each ESXi host a certificate signed by the VMware Certificate Authority (VMCA).
- Secure defaults—VMware places controls on several configuration parameters that can enable intrusion or misuse. Users can change these parameters at their own risk, provided they ensure they are operating in a secured environment.
- Strong encryption—all communication between ESXi and clients is secured using SSL, by default, with the strong SHA-256 RSA algorithm.
- UEFI Secure Boot—you can run VMs in secure boot mode to prevent them from loading any application that is not verified via certificate.
Hyper-V security features include:
- Encrypted networks—new in Windows Server 2019, performs encryption for all traffic on an entire subnet. Does not require any configuration or changes to virtual machines or network equipment.
- Guarded Fabric – a security model that protects hosts and their VMs from malicious software. Guarded fabrics can run three types of VMs: normal VMs with no protection, encryption-supported VMs, and shielded VMs with protection that cannot be disabled.
- Host Guardian Service (HGS) – a component in the Guarded Fabric framework that ensures Hyper-V hosts are known to the organization, healthy, and running trusted software. It does this using an Attestation Service and a Key Protection Service (KPS).
- Shielded VMs – generation 2 VMs that have a virtual trusted platform module (vTPM), are encrypted with BitLocker, and can only be run on hosts attested and approved by HGS.
Windows Hyper-V with Hysolate
Hysolate Workspace leverages the latest Microsoft Hyper-V virtualization technology, and combines this VM based isolation technology with patented IP and domain expertise for making isolated workspaces that are secure, and easy to use.
Hysolate doesn’t just isolate Windows applications, it isolates your entire Operating System, so you can access any untrusted website, application, document or peripheral, including USBs or printer applications. The Workspace sits on user endpoints and looks like a regular Windows desktop, but is fully managed from the cloud via the Hysolate Management Console, giving admins granular policies for deploying, scaling and even wiping end user devices in minutes.
Hyper-V on Windows 10: An In-Depth Look
What is Hyper-V on Windows 10?
Hyper-V is a virtualization platform that lets you virtualize operating systems and hardware components, such as hard drives and network switches. Hyper-V can be used to enable virtualization on end-user devices, and also for server virtualization.
There are three versions of Hyper-V:
- Hyper-V for Windows 10—enables virtualization on a Windows 10 operating system
- Hyper-V for Windows Server—enables virtualization on a Windows Server system
- Hyper-V Server—a standalone virtualization solution
Hyper-V for Windows 10 is provided for free with most versions of Windows 10. It is also easy to use, letting you quickly spin up virtualized operating systems on any Windows 10 machine. Hyper-V for Windows Server comes at additional cost, and allows you to leverage Windows Server capabilities like failover clustering.
Microsoft Hyper-V Architecture
Hyper-V is a hypervisor that lets you run several isolated guest operating systems on a hardware platform. It is a Type 1 hypervisor that is installed either on bare-metal servers or on top of the Windows 10 operating system; in the latter case, it then boots before the operating system does and runs it as a guest OS. In both cases, Hyper-V interacts directly with the CPU, without going through the host operating system.
Hyper-V creates isolated partitions in which operating systems can operate. There are two types of partitions:
- A root partition that runs Windows and the hypervisor
- Child partitions that can run additional guest operating systems, which do not have direct hardware access. Hyper-V provides the hypercall API, which is used to create child partitions.
Here is how Hyper-V partitions get access to resources on the host machine:
- CPU access—each partition has partial access to the CPU. The hypervisor handles interrupts to the processor, rerouting them to the relevant partition. Hyper-V uses the concept of virtual CPUs (vCPUs), which represent the maximum number of threads each VM can run at a given time.
- Memory access—each partition runs in its own, private virtual memory address space. Hyper-V provides an Input Output Memory Management Unit (IOMMU) that is used to map physical memory to the addresses used by partitions. Since Windows Server 2012, Hyper-V supports Dynamic Memory, which makes it possible to allocate more memory to VMs during startup, then reclaim the memory for use by other VMs.
- Devices—Child partitions do not have direct access to hardware, and view all devices on the machine as virtual devices (VDev). A VMBus routes requests to devices to child partitions.
All routing processes that distribute hardware resources between partitions are completely transparent to guest operating systems.
Hyper-V Virtualization Features and Hyper-V Editions
The following features are provided in all editions of Hyper-V:
- Default switch—Microsoft provides default virtual switches so you can easily provide connectivity to a VM without having to manually create virtual switches.
- Virtual fiber channel—lets VMs directly connect to a physical host bus adapter, for better performance.
- Discrete Device Assignments—allows VMs to directly access a physical PCIe device. This feature can be made available to Windows 10 guest operating systems running on a Windows Server host.
Only available in Windows 10:
- Quick create—allows Windows 10 users to select an operating system image from the “Quick Create” library and rapidly spin up a virtual machine.
Only available in Windows Server:
- SR-IOV networking—Hyper-V provides a single root I/O virtualization (SR-IOV) interface, which lets you access physical network adapters as a virtual function (VF) directly within a virtual machine.
- Hyper-V Replica—lets you perform synchronous replication of individual VMs and virtual hard disks with other Hyper-V hosts.
- Shared VHDX—makes it easier to create guest operating system clusters, by providing a shared operating system image.
Hyper-V on Windows 10 Q&A
Is Hyper-V Free with Windows 10?
Yes, Hyper-V is free on 64-bit versions of Windows 10 Pro, Enterprise and Education. However it is not available in the home version of Windows 10.
When running virtualized operating systems, Hyper-V supports multiple versions of Windows, Linux, FreeBSD, and more. If you run a commercial operating system, you must provide a valid license.
How Do I Enable Hyper-V in Windows 10?
You can enable Hyper-V in Windows 10 using the Windows 10 Control Panel, PowerShell commands, or the Deployment Imaging Servicing and Management Tool (DISM).
Enable a Hyper-V role in the Windows 10 Control Panel:
- Right-click on the Windows button and select Applications and Features.
- Click Programs and Features.
- Click Turn Windows Features On or Off, ensure Hyper-V is set to on, and click OK.
This will trigger an installation of Hyper-V. When it is complete, you will be asked to restart the machine.
Windows Virtualization with Hysolate
Hysolate leverages the latest Microsoft Hyper-V virtualization technology to build Workspace, then combines this virtualization based isolation technology with our patented IP and domain expertise for making virtualization practical to users, IT, and security teams.
Hysolate doesn’t just isolate Windows applications, it isolates your entire OS, so you can separate any risky application, website, document or peripheral like USBs or printer applications from your sensitive corporate data. Hysolate sits on user endpoints and looks like a regular Windows desktop, but is fully managed from the cloud via the Hysolate Management Console. This means administrators can set granular policies, and deploy, scale and wipe devices in minutes.
VDI Windows: 5 Software Solutions and 6 Image Tuning Tips
What is VDI on Windows?
Virtual Desktop Infrastructure (VDI) enables you to remotely provision and manage desktop operating systems (OS). The virtual desktop is hosted in a data center and admins can deliver it over the network to endpoint devices, such as PCs, thin clients, or mobile devices. Users can then interact with the OS and applications from their devices without local installation.
Windows is a common workload for VDI systems. Windows operating systems can be centrally managed and delivered to users. It is also common to deliver Microsoft applications, such as Office 365, as virtualized applications over a VDI infrastructure.
A key concept in Windows-based VDI is the “golden image”—an optimized version of the operating system, which includes only the features and services needed for VDI users.
What is a Windows VDI Golden Image?
The Windows golden image is the base standard of the operating system users will gain access to through VDI. Admins must carefully manage, update, and optimize their Windows golden images to ensure the VDI environment is scalable, stable, secure and fast.
This is also one of the main operating costs of running a VDI environment. Images need to be updated and optimized frequently to ensure the environment is running in an optimal manner to get the most out of the hardware and support as many users as possible with one server.
The desktop Windows operating system was not planned to be used for virtualization, and contains features that are not required for a VDI environment. By removing these features, you can improve both server utilization and user experience.
An important note is that Microsoft recently released Windows 10 Enterprise Multisession, a specially-designed operating system intended for use with its desktop as a service (DaaS) offering, Windows Virtual Desktop (WVD).
Six Windows 10 Golden Image Tuning Tips
Here are a few ways you can optimize a Windows 10 golden image.
As a general rule, any Windows feature that is not absolutely necessary in a VDI environment, and has low value to users, should be disabled. Specifically, make sure to disable:
- Features that perform telemetry (collection of metrics) or reporting
- Boot logging
Disabling features is an easy way to improve virtualized desktop performance, and also contributes to security.
Windows runs many system services by default. Most of them are not relevant in a data center setting, or when a desktop is virtualized and not really running on a user’s PC.
At least the following services should be disabled:
- Connection Sharing
Windows runs system tasks automatically on a regular basis. These tasks have value for desktop deployments of Windows, but in a VDI setting, they can have a detrimental effect on the entire environment.
The core issue is that these tasks are typically scheduled to run when the system is idle. In a data center, even if one desktop is idle, resources must be used to serve active users. Any automated task that starts running in the background across hundreds or thousands of desktops will drain resources from VDI servers, and may cause a slowdown for users.
Disable at least the following scheduled Windows tasks:
- Optimization and maintenance services
- Scanning for bluetooth connections
OneDrive is Microsoft’s cloud storage and synchronization solution. This service is also not designed for a VDI environment, because it synchronizes all cloud content locally. If you are running non-persistent desktops, this synchronization will repeat itself every time a user logs into the system, which will be very annoying for users and use up huge amounts of bandwidth.
You can remove OneDrive from your golden image, to conserve disk space and prevent the unneeded synchronizations.
Note that some desktop as a service (DaaS) providers, including AWS and Azure, support OneDrive as part of their cloud-based VDI service.
Microsoft has built hardware acceleration technology into newer versions of Microsoft Office (since Office 2010). The operating system uses a graphical processing unit (GPU), if available, to improve performance of Office applications, and if there is no GPU, passes rendering to the CPU.
If virtualized desktops do not have access to GPUs, this feature can needlessly drain system resources on VDI servers. You can enable rendering for Internet Explorer, but disable it for Microsoft Office.
Image Optimizer Tools
Microsoft is releasing minor versions of Windows 10 more frequently than Windows 7, and with every minor release, you will need to update your golden image. It is very important to stay up to date to ensure the environment is secure. You will need to evaluate existing optimizations to see if they are still valid, and add new optimizations (for example, disable a new service added in the latest version which is not suitable for VDI).
It is very difficult to gather best practices, test and apply optimizations, and administrators find themselves spending much more time on golden images for Windows 10 virtualized desktops. This raises the need for an automated optimization tool.
There are several tools and scripts available to help you apply optimizations to Windows 10. The most commonly used tools are the Citrix Optimizer and VMware Operating System Optimization Tool (OSOT) (both available for free from the vendors). Both tools provide a user interface where you can apply specific optimizations to your golden image.
Image optimization tools provide templates for various operating systems (e.g. Windows 7, 8 and 10) and server operating systems (e.g. Windows Server 2008, 2012 and 2016). You can use these templates, customize them, or create your own.
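The service and scheduled-task tips above, and the need to re-check optimizations after each Windows 10 release, can be scripted as a baseline check. This is an added example, not code from Citrix Optimizer, VMware OSOT or Hysolate; the function names are hypothetical, and the baseline entries are assumptions chosen to match the categories the text names (telemetry, Connection Sharing, optimization tasks).

```powershell
#Requires -RunAsAdministrator
# Added example: report (and optionally apply) a golden-image baseline.
# Baseline entries are assumptions matched to the categories named in the text.
$VdiBaseline = @{
    Services = @(
        'DiagTrack',     # Connected User Experiences and Telemetry
        'SharedAccess'   # Internet Connection Sharing
    )
    Tasks = @(
        @{ Path = '\Microsoft\Windows\Defrag\';                 Name = 'ScheduledDefrag' },
        @{ Path = '\Microsoft\Windows\Application Experience\'; Name = 'Microsoft Compatibility Appraiser' }
    )
}

function New-BaselineResult {
    param([string] $Kind, [string] $Item, [string] $State)
    # OK    = already disabled
    # Drift = present and still active in this image
    # Stale = not found in this Windows build, so the baseline entry needs review
    $result = switch ($State) {
        'Disabled'   { 'OK' }
        'NotPresent' { 'Stale' }
        default      { 'Drift' }
    }
    [pscustomobject]@{ Kind = $Kind; Item = $Item; State = $State; Result = $result }
}

function Test-GoldenImageBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [switch] $Apply   # without -Apply the function only reports
    )

    foreach ($name in $Baseline.Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $Apply -and $svc.StartType -ne 'Disabled' -and
            $PSCmdlet.ShouldProcess($name, 'Stop and disable service')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
            $svc = Get-Service -Name $name
        }
        $state = if ($svc) { [string]$svc.StartType } else { 'NotPresent' }
        New-BaselineResult -Kind Service -Item $name -State $state
    }

    foreach ($t in $Baseline.Tasks) {
        $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
        if ($task -and $Apply -and $task.State -ne 'Disabled' -and
            $PSCmdlet.ShouldProcess($t.Path + $t.Name, 'Disable scheduled task')) {
            $task = $task | Disable-ScheduledTask
        }
        $state = if ($task) { [string]$task.State } else { 'NotPresent' }
        New-BaselineResult -Kind Task -Item ($t.Path + $t.Name) -State $state
    }
}

# Report only: shows which entries are OK, Drift or Stale in this image.
Test-GoldenImageBaseline -Baseline $VdiBaseline | Format-Table -AutoSize

# Preview the changes first, then apply them to the golden image:
# Test-GoldenImageBaseline -Baseline $VdiBaseline -Apply -WhatIf
# Test-GoldenImageBaseline -Baseline $VdiBaseline -Apply
```

Running the report against each new Windows 10 build before resealing the image shows which baseline entries no longer exist and which services or tasks an update has re-enabled.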
Addressing VDI Windows Challenges with Hysolate
Choosing, creating, managing and optimizing a VDI solution running Windows is a large project and a huge undertaking for an organization. Planning and creating the infrastructure, making sure everything is tested, and sizing it properly to support the target population requires thousands of hours of work and a huge investment.
In addition, running the servers on premises involves the tremendous cost of purchasing the servers and maintaining the infrastructure, leading to high OPEX and CAPEX costs.
DaaS solutions such as WVD or Amazon Workspaces are a great solution for delivering a desktop experience in the cloud, but are far from perfect. User experience is lacking, especially when working remotely, running intensive workloads, or in low bandwidth environments. Users cannot use desktops offline and the management overhead of WVD and especially RDS is high.
In today’s remote-first world, users connecting to the datacenter VDI solution, sometimes over a VPN tunnel, will get poor performance and user experience, and desktops are not available when offline.
Hysolate solves these problems with an innovation called isolated workspace as a service (IWaaS). Users get a local isolated operating system running on their machine deployed within minutes which is managed from the cloud.
Isolated workspaces enable:
- A higher level of freedom on employees’ corporate devices
- Ability to receive 3rd party generated content in an isolated zone
- Access to IT admins, DevOps, developers, and other privileged users in their everyday environment
- Access to employees from personal, unmanaged devices
The behavior of the workspace is managed in the cloud, while all of the computing resources run locally on user machines.
This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience, with offline availability.
Virtualization for Windows 10: A Practical Guide
What is Virtualization for Windows 10?
One of the features included in Windows 10 is the ability to create virtual machines. A virtual machine is a packaged operating system that can run on top of a “host” operating system. Virtualization allows the same host to run multiple “guest” operating systems, and easily move virtual machines between hosts.
Windows 10 virtualization is managed by Microsoft’s own hypervisor, called Hyper-V. This is the hypervisor used to run the entire Azure cloud stack, so it is robust and secure enough for even the largest enterprise deployments. Hyper-V Windows virtualization enables:
- Running software that requires an earlier version of Windows or a non-Windows operating system, on top of a Windows machine.
- Testing software with several operating systems, without having access to a device that has them installed.
- Export virtual machines and import them into any Hyper-V based system, including the Microsoft Azure cloud.
- Running virtual desktop infrastructure (VDI) Windows workloads on Windows 10 machines.
Hyper-V on Windows 10
Hyper-V performs hardware virtualization. This means that all virtual machines typically run on virtual hardware—you can define virtual disks, virtual switches, and other virtual devices and add them to virtual machines.
Hyper-V is a Type 1 hypervisor, which runs directly on physical hardware. It differs from other virtualization solutions like VMware vSphere and VirtualBox, which are Type 2 hypervisors that run on top of an operating system.
Hyper-V is available for 64-bit editions of Windows 10 Pro, Enterprise and Education (not the Home version).
Here is a list of important hardware considerations related to implementing Hyper-V on computers running Windows 10:
- Processor—each virtual machine can be assigned up to 240 virtual processors. The main factor in this case is the active operating system. To use CPU resources efficiently, you need to determine how many virtual processors (processor cores) each virtual machine needs.
- Memory—to ensure high performance, you need to allocate enough RAM resources for Hyper-V hosts and virtual machines. You can use the Dynamic Memory feature to resize virtual machine memory automatically. You must have at least 4 GB of RAM available for the Hyper-V host and the virtual machines running on it (more RAM is required the more VMs you run, or the more intensive your workloads).
- Storage—adequate I/O bandwidth is required to run virtualized workloads without interruption. This requires high performance storage controllers and hard drives. In addition, to optimize I/O between multiple disk drives, RAID should be configured correctly.
- CPU cache—a large CPU cache is very useful when running virtual environments with heavy workloads. Because the processor cache is very fast, virtual machines can access critical data or applications more quickly than from main memory.
When planning your Windows 10 virtualized deployment, consider the following limitations of Hyper-V:
- Applications—Applications strongly dependent on specific hardware may not run properly on virtual machines. In addition, latency-sensitive applications may have issues when running in a virtualized environment.
- Complexity—running Hyper-V requires expertise, and involves advanced tasks like enabling Intel VT-x, managing networks and vSwitches, and tuning the resources allocated to each VM (cores, memory, and dynamic memory allocation).
- Management—there is no central management interface to create and manage Windows 10 virtual machines. Users have to do this manually, or admins can automate creation of VMs using scripting.
- Security—virtual storage is not encrypted out-of-the-box, meaning that attackers who compromise the host can access the content of any virtual machines. The Windows Remote Desktop Protocol (RDP) is not protected against screen/keyboard capturing or injecting. Hyper-V does not provide network segregation or any firewall capabilities out of the box.
- Patching—users and administrators now have to manage multiple operating systems, including patching and maintenance.
- Automation—Hyper-V does not automate virtual desktop processes such as automatically joining a user to Azure Active Directory (Azure AD).
Hyper-V on Windows 10 vs Windows Server
Some features of Hyper-V are different in Windows 10 compared to Windows Server.
Hyper-V on Windows 10 does not support live migration of VMs between hosts, replicas, Virtual Fiber Channel, shared virtual hard disk files (VHDX), and SR-IOV networking. These features are only supported on Windows Server.
Hyper-V on Windows Server does not support Quick Create, NAT switches and VM gallery.
In addition, the Hyper-V memory management model is different on each system. On Windows Server, Hyper-V allocates all memory to virtualized workloads. On Windows 10, Hyper-V assumes the machine is running other software in addition to the virtual machine, and allows memory to be allocated to non-virtualized workloads.
Running Containers on Windows with Hyper-V Virtualization
Microsoft recently introduced container technology, allowing developers to create and run Windows and Linux containers on Windows 10 devices.
Containers can run as a separate process in Windows (just like traditional Linux containers). However, the limitation is that the containerized application shares the operating system kernel. This means the container must run the same operating system as the host.
Hyper-V provides a feature called container isolation, which lets you run each container in a customized virtual machine, and get access to any operating system kernel, even Linux. This allows Windows and Linux containers to run simultaneously in the same machine.
These isolated containers are similar to traditional virtual machines. However, they are optimized to conserve resources. For example, Linux Containers on Windows 10 (LCOW) runs a virtual machine with a minimal Linux kernel that has just enough capabilities to support the container. Isolated containers can also dramatically improve security, because they offer hardware-level isolation between containers.
How to Enable Virtualization on Windows 10
To enable Hyper-V virtualization on a Windows 10 machine, follow these steps:
- Make sure Intel VT-x is enabled in your BIOS settings. This enables your CPU to function as multiple virtual cores.
- In the Windows command line (CMD), run systeminfo and ensure that Hyper-V Requirements are all set to Yes. If not, ensure the machine meets all the system requirements.
- Install Hyper-V by opening PowerShell, logged in as administrator of the machine, and running the following command (all in one line): Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
- Reboot the machine, and from the start menu, select Hyper-V Quick Create.
- Select an operating system, or provide your own operating system image by clicking Local Installation Source, and selecting a VHDX or other image file.
- Make sure to deselect Secure Boot if you are running a Linux VM.
- Click Create Virtual Machine.
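The prerequisite check and install steps above, and the PowerShell and DISM options mentioned in the earlier Q&A, can be combined into one pre-flight script. This is an added example, not code from the original article or from Microsoft; the function name Test-HyperVReadiness is hypothetical, and it reads the same "Hyper-V Requirements" values that systeminfo prints through Get-ComputerInfo.

```powershell
#Requires -RunAsAdministrator
# Added example: verify prerequisites, then run the page's Enable-WindowsOptionalFeature call.

function Test-HyperVReadiness {
    # Get-ComputerInfo exposes the "Hyper-V Requirements" block shown by systeminfo.
    $info = Get-ComputerInfo -Property OsName, OsArchitecture, HyperVisorPresent, HyperVRequirement*
    $problems = @()

    if ($info.OsArchitecture -notmatch '64') {
        $problems += "Not a 64-bit OS: $($info.OsArchitecture)"
    }
    if ($info.OsName -match 'Home') {
        $problems += "Edition does not include Hyper-V: $($info.OsName)"
    }

    if (-not $info.HyperVisorPresent) {
        # Once a hypervisor is already running, Windows stops reporting these
        # values, so they are only checked when no hypervisor is detected.
        $required = 'HyperVRequirementVMMonitorModeExtensions',
                    'HyperVRequirementVirtualizationFirmwareEnabled',
                    'HyperVRequirementSecondLevelAddressTranslation',
                    'HyperVRequirementDataExecutionPreventionAvailable'
        foreach ($name in $required) {
            if ($info.$name -ne $true) {
                $problems += "$name is not Yes (value: '$($info.$name)')"
            }
        }
    }

    [pscustomobject]@{
        Ready             = ($problems.Count -eq 0)
        HypervisorPresent = [bool]$info.HyperVisorPresent
        Problems          = $problems
    }
}

$check = Test-HyperVReadiness
if (-not $check.Ready) {
    $check.Problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Prerequisites not met; Hyper-V was not enabled.'
    return
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($feature.State -eq 'Enabled') {
    Write-Output 'Hyper-V is already enabled.'
}
else {
    # Same command as in the step above; -NoRestart leaves the reboot to the operator.
    # DISM equivalent: DISM /Online /Enable-Feature /All /FeatureName:Microsoft-Hyper-V
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Output 'Hyper-V enabled. Reboot the machine to load the hypervisor.'
    }
}
```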
Manage Virtual Machines in Windows 10
There are two main features you should be aware of to manage Windows 10 VMs in Hyper-V.
Enhanced Session Mode
You can enable Enhanced Session Mode in Hyper-V to allow the hypervisor to connect to virtual machines using the remote desktop protocol (RDP). This provides the following benefits:
- Lets you resize a VM screen and make use of high DPI monitors.
- Allows VMs to use a shared clipboard, and transfer files from the local system with drag and drop.
- Allows local devices to be shared with the VM, including audio devices, USB storage, printers, and disk drives.
Hyper-V lets you create a snapshot of your virtual machine, called a checkpoint. Make sure to create checkpoints before changing configurations, performing an update, or installing software applications. This will allow you to revert to a known good state before you made the change.
Hyper-V supports two types of checkpoints:
- Standard—copies the entire VM with its current memory state. This is not a complete backup, and may cause consistency issues, especially in Active Directory.
- Production—uses Windows Volume Shadow Copy Service (VSS), or on Linux VMs, File System Freeze (FSF), to create a snapshot that is data consistent. This type of checkpoint does not capture the memory state of the virtual machine.
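The settings discussed in this guide that affect isolation (Secure Boot, vTPM, checkpoint type and Enhanced Session Mode) can be reviewed per VM with the Hyper-V PowerShell module. This is an added example, not code from the original article; the function name Get-VMSecurityPosture and the wording of the findings are assumptions.

```powershell
#Requires -Modules Hyper-V
# Added example: per-VM review of isolation-related Hyper-V settings.
# Run in an elevated session on the Hyper-V host.

function Get-VMSecurityPosture {
    param([string[]] $VMName = '*')

    # Host-wide setting: when enabled, sessions may share the clipboard,
    # drives and other local devices with the VM.
    $esm = (Get-VMHost).EnableEnhancedSessionMode

    foreach ($vm in Get-VM -Name $VMName) {
        $findings   = @()
        $secureBoot = 'n/a'
        $template   = $null
        $tpm        = $false
        $shielded   = $false

        if ($vm.Generation -eq 2) {
            # Firmware and vTPM settings only apply to generation 2 VMs.
            $fw  = Get-VMFirmware -VM $vm
            $sec = Get-VMSecurity -VM $vm
            $secureBoot = [string]$fw.SecureBoot
            $template   = $fw.SecureBootTemplate
            $tpm        = [bool]$sec.TpmEnabled
            $shielded   = [bool]$sec.Shielded

            if ($secureBoot -ne 'On') {
                # Linux guests with a Microsoft-signed boot shim can keep Secure Boot on:
                # Set-VMFirmware -VMName <name> -EnableSecureBoot On `
                #     -SecureBootTemplate MicrosoftUEFICertificateAuthority
                $findings += 'Secure Boot is off'
            }
            if (-not $tpm) {
                $findings += 'No vTPM, so the guest cannot use vTPM-backed BitLocker'
            }
        }
        else {
            $findings += 'Generation 1 VM: Secure Boot and vTPM are not available'
        }

        if ($vm.CheckpointType -eq 'Standard') {
            $findings += 'Standard checkpoints save guest memory state to host storage'
        }
        if ($esm) {
            $findings += 'Host allows Enhanced Session Mode (clipboard and device sharing)'
        }

        [pscustomobject]@{
            VM                 = $vm.Name
            Generation         = $vm.Generation
            SecureBoot         = $secureBoot
            SecureBootTemplate = $template
            TpmEnabled         = $tpm
            Shielded           = $shielded
            CheckpointType     = [string]$vm.CheckpointType
            Findings           = $findings -join '; '
        }
    }
}

Get-VMSecurityPosture | Format-List
```

A VM that handles sensitive data would normally be expected to show Secure Boot on, a vTPM enabled and Production checkpoints; whether Enhanced Session Mode stays enabled depends on how much clipboard and device sharing the workload needs.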