Nested Virtualization in Windows Server 2016

Introduction

Hello guys,

If you have read my post on what’s new in Hyper-V in Windows Server 2016, you may already know about a long-awaited feature called nested virtualization.

In Windows Server 2012/2012 R2 we could install the Hyper-V role inside a virtual machine and create VMs there (to test Hyper-V Replica, for example), but it was impossible to run them.

Since Technical Preview 4 and Windows 10 Build 10565 were announced, Microsoft has added the ability to run VMs inside a virtualized environment.

Nested virtualization lets you run VMs inside the guest OS. In other words, it allows you to run Hyper-V Server inside a virtual machine.

When nested virtualization is not supported or not enabled, Hyper-V has privileged access to the hardware virtualization extensions (the lower level) and does not expose them to the guest operating system. Once nested virtualization is enabled for a VM (ExposeVirtualizationExtensions = True), Hyper-V exposes the required extensions to that guest, and we are then able to install Hyper-V inside it and run the guest’s own VMs.

You can set and check the ExposeVirtualizationExtensions value by using PowerShell.

Nested virtualization is especially useful for development, demo labs, training labs and other test environments (it is not recommended for production). MCTs should be happy.

There is no information about changes in the Windows Server 2016 licensing program yet. I hope we won’t have to buy additional licenses to cover nested Hyper-V VMs.

VMware, for comparison: customers running nested VMware ESXi/ESX need to obtain additional licenses for the nested ESXi/ESX.

Requirements

If you are interested in trying nested virtualization, first check the host requirements:

  • At least 4 GB of RAM available (we need to create a VM with 4 GB of static RAM; it will be our nested Hyper-V host)
  • At least Windows Server 2016 TP4 or Windows 10 Build 10565 on both the physical host and the virtualized host. It is highly recommended to run the same build in all environments.
  • This feature is currently Intel-only: Intel VT-x is required. There is no support for AMD-V yet.

To enable nested virtualization:

1. Create a virtual machine running the same build as the host (TP4-Child, 2016 TP4, in my case).

  2. Run this script on your host, or use the following lines:
# Download the script and run it against the VM
Invoke-WebRequest https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Enable-NestedVm.ps1 -OutFile ~/Enable-NestedVm.ps1
~/Enable-NestedVm.ps1 -VmName "TP4-Child"

# If the host has no internet connection, download the script elsewhere, copy it to the host and run it from there
.\Enable-NestedVm.ps1 -VmName "TP4-Child"

The script does the following:

  • disables dynamic memory on the VM
  • shuts down the VM
  • enables the virtualization extensions
  • enables MAC address spoofing (for network connectivity inside the nested guests)
  • sets the minimum required 4 GB of static memory on the VM
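The ExposeVirtualizationExtensions check mentioned above and the changes the Enable-NestedVm.ps1 script makes, as an added PowerShell example that is not the Microsoft script: it applies the same settings with the Hyper-V module cmdlets on the physical host and reads them back for verification. The function name Enable-NestedGuest is hypothetical; the VM name TP4-Child is the one used in the post.

```powershell
# Added example (not the Microsoft Enable-NestedVm.ps1 script): the host-side changes
# the post lists, done with the Hyper-V module cmdlets, followed by a read-back check.
# Run on the physical Hyper-V host as an administrator; the VM must be powered off.
function Enable-NestedGuest {                  # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$VmName,
        [long]$StaticMemoryBytes = 4GB         # minimum the post gives for the nested host
    )

    $vm = Get-VM -Name $VmName -ErrorAction Stop
    if ($vm.State -ne 'Off') {
        throw "VM '$VmName' is $($vm.State); shut it down first (Stop-VM -Name '$VmName')."
    }

    # 1. Dynamic memory is incompatible with nested virtualization: switch to static memory.
    Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $false -StartupBytes $StaticMemoryBytes

    # 2. Expose the hardware virtualization extensions (Intel VT-x) to the guest.
    Set-VMProcessor -VMName $VmName -ExposeVirtualizationExtensions $true

    # 3. MAC address spoofing, so frames from the nested VMs can leave through the
    #    guest's virtual switch (the outer switch would otherwise drop unknown MACs).
    Get-VMNetworkAdapter -VMName $VmName | Set-VMNetworkAdapter -MacAddressSpoofing On

    # Read the settings back rather than trusting that the cmdlets silently succeeded.
    $mem = Get-VMMemory -VMName $VmName
    [pscustomobject]@{
        VmName                         = $VmName
        DynamicMemoryEnabled           = $mem.DynamicMemoryEnabled
        StartupMemoryGB                = $mem.Startup / 1GB
        ExposeVirtualizationExtensions = (Get-VMProcessor -VMName $VmName).ExposeVirtualizationExtensions
        MacAddressSpoofing             = (Get-VMNetworkAdapter -VMName $VmName | Select-Object -First 1).MacAddressSpoofing
    }
}

# Check the current value first (safe on a running VM), then apply the settings.
Get-VMProcessor -VMName 'TP4-Child' | Select-Object VMName, ExposeVirtualizationExtensions
Enable-NestedGuest -VmName 'TP4-Child'
```

The returned object should show DynamicMemoryEnabled False, StartupMemoryGB 4, ExposeVirtualizationExtensions True and MacAddressSpoofing On before you start the VM and install Hyper-V inside it.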


  3. Install Hyper-V on the guest VM (do you know about PowerShell Direct?):
# Enter the credentials of an administrator on the VM
$Credential = Get-Credential

# Enable the Hyper-V feature over PowerShell Direct, then restart the guest
Invoke-Command -VMName TP4-Root -ScriptBlock { Enable-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V -Online -NoRestart; Restart-Computer } -Credential $Credential


  4. Install the Hyper-V Management Tools:
# RSAT-Hyper-V-Tools is the feature name for the Hyper-V management tools (GUI and PowerShell module)
Invoke-Command -VMName TP4-Root -ScriptBlock { Add-WindowsFeature RSAT-Hyper-V-Tools -IncludeAllSubFeature } -Credential $Credential


  5. Copy the Windows Server 2016 TP4 ISO (read my post about guest services in Hyper-V) to the VM on which I have just installed the Hyper-V role:
Copy-VMFile -SourcePath "unc or local path to ISO" -DestinationPath c:\iso\nameofiso.iso -CreateFullPath -FileSource Host -VMName TP4-Root

  6. Create a VM (I named it “TP4-Child”) inside the VM (sounds weird :)), attach the ISO that we copied earlier and install the OS as usual.
  7. Homer is my virtualized Hyper-V host running on Hyper-V HV02 (the physical host), and Bart is Homer’s child (I guess you know :)).


Please keep in mind some known issues and limitations:

  • Hosts with Device Guard enabled cannot expose virtualization extensions to guests. Hosts with Virtualization Based Security (VBS) enabled cannot expose them either; you must first disable VBS in order to preview nested virtualization.
  • Once nested virtualization is enabled in a virtual machine, the following features are no longer compatible with that VM (Homer):
    • Dynamic memory must be disabled
    • Runtime memory resize does not work
    • You cannot apply a checkpoint to a running VM
    • A VM which hosts other VMs cannot be live migrated
    • You cannot save or restore the VM
  • The VM connection keeps being lost: if you are using a blank password, change it and check the connection again.

I’d like to thank you for reading and have a nice virtualization! …and NESTED VIRTUALIZATION!

MultiPoint Services Role in Windows Server 2016


Introduction

MultiPoint Server (MPS) is a technology and solution based on Windows Server and Remote Desktop Services. MPS was originally built for classrooms and educational institutions, and it lets you share one MPS host between many user stations at low cost. A user station can consist of only a monitor, keyboard and mouse (a zero client) and be connected to MPS through USB (USB hubs) or video cables, or through the LAN (RDP-over-LAN, if the clients are not zero clients: laptops, thin clients and so on). MPS uses some of the RDS services by default: RD Session Host and RD Licensing Server.

The first version of MPS was released in February 2010. In MPS 2010 you can connect stations to the host only through USB hubs and video ports.

The ability to use the LAN between user stations and MPS was added only in the next version, MPS 2011, released in March 2011.

Some of the main features of MPS 2011:

  • RDP-over-LAN
  • RemoteFX support
  • Virtualization Support
  • Single administration console to manage multiple MPS
  • Projecting the desktop from one station to another
  • Filtering and blocking internet browsing on stations
  • Ability to open and close applications remotely, lock keyboard and mouse on stations
  • Standard and Premium Editions

MPS 2012 (next generation of MPS based on Windows Server 2012) has been updated with the following new features:

  • MultiPoint Dashboard, a new management console to monitor and interact with user desktops
  • Disk protection (system volume protection from unwanted changes)
  • Windows 8 desktop experience for users, including access to the Windows Store
  • MultiPoint Server Connector to monitor and manage PCs and tablets (you need to install it manually on each rich/thin client)

Differences between the Standard and Premium editions:

Feature                                      Standard    Premium
Maximum simultaneously connected stations    up to 10    up to 20
Virtualization                               No          Yes (1+1 licensing model)
Maximum x64 sockets                          1           2
Maximum memory                               32 GB       Unlimited
Domain joining                               No          Yes

MultiPoint Server 2010-2012 requires a license that can be purchased through OEM/VL channels.

Additionally, all MPS user stations require CALs.

MPS 2012 supports the following user stations (endpoints):

  • Direct-video-connected stations (also supported by MPS2010/2011)
  • USB-zero-client-connected
  • USB-Over-Ethernet
  • RDP-over-LAN connected stations (rich clients/thin clients/tablets connected through RDP protocol)

Direct-Video-Connected stations:

MPS host with many video cards –> stations connected to MPS video cards (VGA, for example) –> keyboard and mouse and other devices connected through personal USB hubs

Example (stations and hosts are in close proximity):

  • VGA port on MPS <> VGA port on station’s monitor
  • USB port on MPS <> Station USB hub
  • Peripheral devices on station <> Station USB hub

USB-zero-client-connected stations:

MPS host  with one video card –> stations are connected through specialized USB hubs with video ports

Example (stations and hosts are in close proximity):

  • VGA, USB ports on station <> station USB+VGA hub (all in one)
  • station USB hub <> USB port on MPS

USB-over-Ethernet-connected:

Works similarly to USB-zero-client-connected stations, but the stations are connected to the LAN and send/receive all data through the existing network. More flexible, but a little bit more expensive.

This type of station appears as a virtual device in MultiPoint Server. Please refer to the manufacturer’s documentation before deployment.

To fully understand zero clients (with or without LAN), please review:

Wyse Zero Clients for Microsoft MultiPoint Server Interactive Brochure

With the Windows Server 2016 Technical Preview release (at the end of 2014) , Microsoft announced that MultiPoint Server will be added as a new server role called MultiPoint Services.

So after Windows Server 2016 RTM, MultiPoint Server might be discontinued.


There is no information about MPS licensing and limitations in Windows Server 2016 yet either. I’ll keep this post up to date.

Update: MultiPoint Premium Server 2016 is a new SKU and it requires Windows Server CALs and RDS CALs. This Windows Server edition is available only through academic licensing. More details are in the licensing datasheet.

Deployment steps

We’ll walk through an MPS deployment (RDP-over-LAN) on Windows Server 2016 TP4 (domain joined).

  1. Open the “Add roles and features” wizard and select MultiPoint Services. You may notice that some additional features are required for MPS, such as File and Storage Services and Print and Document Services. Just click “Add features” and then Next.


  2. Read the great explanation from Microsoft of what MPS is.

Remote Desktop Licensing needs to be activated, or you can use the trial period (120 days).


  3. Read and click Next.


  4. I leave the default settings and click Next.
  • Print Server is needed to manage multiple printers
  • Distributed Scan Server enables you to manage and share network scanners that support Distributed Scan Management
  • Internet Printing creates a web site where users can manage print jobs on the server.
    If you have installed the Internet Printing client on the stations, users can connect and print to shared printers using a web browser and the Internet Printing Protocol
  • LPD Service (Line Printer Daemon Service) enables UNIX-based computers using the Line Printer Remote service to print to shared printers on MPS


  5. Leave the default settings.
  • RD Gateway – to publish RDS (not suitable for MPS)
  • RD Connection Broker – to distribute connections (not suitable for MPS)
  • RD Virtualization Host – for VDI
  • RD Web Access – web access to RD session/VDI/RemoteApp collections (not suitable for MPS)


  6. After the server restarts, press “B” to identify the primary station and wait while Remote Desktop Services completes its configuration*


  • *To install MultiPoint Services you can also use PowerShell (the server restarts automatically by default):


TIP: MultiPoint Services adds a built-in account named “WmsShell” to support multi-station mode and creates the group WMSOperators to grant access to the Dashboard functionality.
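The PowerShell installation mentioned above and the account and group named in the tip, as an added example that is not the command from the post’s screenshot. The role is matched by its wizard display name “MultiPoint Services” (the post’s wording) rather than a hard-coded feature name; the helper names Install-MultiPointRole and Get-MultiPointPrincipals are hypothetical.

```powershell
# Added example (not the command from the post's screenshot). Run elevated on the
# server that will become the MultiPoint host. The role is looked up by the display
# name the wizard shows, so no internal feature name has to be assumed.
function Install-MultiPointRole {                # hypothetical helper name
    $role = Get-WindowsFeature |
        Where-Object { $_.FeatureType -eq 'Role' -and $_.DisplayName -eq 'MultiPoint Services' }
    if (-not $role) {
        throw "MultiPoint Services role not found; check Get-WindowsFeature on this build."
    }
    if ($role.Installed) {
        Write-Warning "$($role.Name) is already installed; nothing to do."
        return
    }
    # -IncludeManagementTools adds MultiPoint Manager and Dashboard; -Restart reboots
    # only when the install reports a pending restart (multi-station mode needs it).
    $result = Install-WindowsFeature -Name $role.Name -IncludeManagementTools -Restart
    $result | Select-Object Success, RestartNeeded, ExitCode,
        @{ n = 'Installed'; e = { ($_.FeatureResult | Select-Object -ExpandProperty Name) -join ', ' } }
}

# After the reboot: audit what the role added. The post names the built-in account
# WmsShell (used for multi-station mode) and the group WMSOperators (Dashboard access).
# Any member of WMSOperators can watch and control user desktops, so review the list.
function Get-MultiPointPrincipals {              # hypothetical helper name
    $shell = Get-LocalUser -Name 'WmsShell' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WmsShellExists  = [bool]$shell
        WmsShellEnabled = if ($shell) { $shell.Enabled } else { $null }
        PasswordLastSet = if ($shell) { $shell.PasswordLastSet } else { $null }
        WMSOperators    = @(Get-LocalGroupMember -Group 'WMSOperators' -ErrorAction SilentlyContinue |
                            ForEach-Object { "$($_.Name) ($($_.PrincipalSource))" })
    }
}

Install-MultiPointRole
# Get-MultiPointPrincipals    # run this after the server has come back from the restart
```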

  7. Press the Start button and open MultiPoint Manager.


  8. Add MultiPoint Servers or personal computers (optional).


  9. Go to the Users tab and click “Add user account”, click Next and select the user type.


  10. Connect to the MultiPoint Server from a user station using RDP.

When a user logs on to MPS for the first time, he receives the privacy notification “To assist you with your usage of this computer, your activities may be monitored by your system administrator”.

Click on “Accept and continue using this computer” and go back to MPS server.


  11. On the MPS server, run MultiPoint Dashboard. The screens of all user stations are added to the dashboard and kept updated.

You can see what happens on a user’s station, block the desktop, set a message for blocked users, take control, send an IM to the user, block USB storage or limit web access on the selected desktops.


  12. You can also project your desktop to all or selected user desktops.

This is really useful when a trainer or teacher does not have a projector, so he or she shares the screen to all user stations.

If you are familiar with Lync/Skype, there is a similar feature called “desktop sharing”.


  13. If you want to block selected or all desktops, use the Block/Unblock options. It is recommended to set a message for blocked users as well.


  14. To limit web access you need to define the list of sites that you are going to “hide” from users.


  15. If you open MultiPoint Manager, you can notice that the list of stations has been updated with rlevchenko’s station.


  16. To configure the MPS server, go back to the Home tab and click “Edit Server Settings”.

You can disable privacy notification at first user logon or assign a unique IP to each station.


  17. To enable disk protection (recommended), click “Enable Disk protection”.


  18. If you have an application that requires its own instance of a client operating system for each user, you can create Virtual Desktops based on Windows 7 or later.


FAQ:

How to uninstall MultiPoint Services in Windows Server 2016 TP?

Use Remove Roles and Features, restart the server and run this script.


Where is the PowerShell module for MultiPoint Services?

At the time of writing, there is no PowerShell module for MultiPoint Services.