Red Hat SummitChapter 4. Optimizing Windows virtual machines
When using Microsoft Windows as a guest operating system in a virtual machine (VM) hosted in RHEL 10, the performance of the guest might be negatively impacted.
To optimize the performance of your Windows VMs, you can use a variety of strategies, including paravirtualized drivers, Hyper-V enlightenments, and disabling Windows background processes.
4.1. Installing KVM paravirtualized drivers for Windows virtual machines
The primary method of improving the performance of your Windows virtual machines (VMs) is to install KVM paravirtualized (virtio) drivers for Windows on the guest operating system.
The virtio-win drivers are certified (WHQL) against the latest releases of Windows 10 and 11, available at the time of the respective virtio-win release. However, virtio-win drivers are generally tested and expected to function correctly on previous builds of Windows 10 and 11 as well.
4.1.1. How Windows virtio drivers work
Paravirtualized drivers enhance the performance of virtual machines (VMs) by decreasing I/O latency and increasing throughput to almost bare metal levels. You can use paravirtualized drivers for VMs that run I/O-heavy tasks and applications.
virtio drivers are KVM’s paravirtualized device drivers, available for Windows VMs running on KVM hosts. These drivers are provided by the virtio-win package, which includes drivers for:
- Block (storage) devices
- Network interface controllers
- Video controllers
- Memory ballooning device
- Paravirtualized memory device
- Paravirtual serial port device
- Entropy source device
- Paravirtual panic device
- Input devices, such as mice, keyboards, or tablets
- VirtIO FS Device
- QEMU FwCfg Device
- A small set of emulated devices
By using KVM virtio drivers, the following Microsoft Windows versions are expected to run similarly to physical systems:
- Windows Server versions: See Certified guest operating systems for Red Hat Enterprise Linux with KVM in the Red Hat Knowledgebase.
Windows Desktop (non-server) versions:
- Windows 10 (32-bit and 64-bit versions)
- Windows 11 (64-bit)
4.1.2. Preparing virtio driver installation media on a host machine
To install or update KVM virtio drivers on a Windows virtual machine (VM), you must first prepare the virtio driver installation media on the host machine. To do so, attach the .iso file, provided by the virtio-win package, as a storage device to the Windows VM.
Prerequisites
- Ensure that virtualization is enabled in your RHEL 10 host system. For more information, see Preparing RHEL to host virtual machines.
- Ensure that you have root access privileges to the VM.
Procedure
Refresh your subscription data:
# subscription-manager refresh All local data refreshedGet the latest version of the
virtio-winpackage.If
virtio-winis not installed:# dnf install -y virtio-winIf
virtio-winis installed:# dnf upgrade -y virtio-winIf the installation succeeds, the
virtio-windriver files are available in the/usr/share/virtio-win/directory. These includeISOfiles and adriversdirectory with the driver files in directories, one for each architecture and supported Windows version.# ls /usr/share/virtio-win/ agents.json drivers/ guest-agent/ info.json /installer /qxl-wddm-dod release-drivers-versions.txt /spice-vdagent /tools virtio-win-1.9.45.iso virtio-win.iso
Attach the
virtio-win.isofile as a storage device to the Windows VM.-
When creating a new Windows VM, attach the file by using the
virt-installcommand options. When installing the drivers on an existing Windows VM, attach the file as a CD-ROM by using the
virt-xmlutility:# virt-xml WindowsVM --add-device --disk virtio-win.iso,device=cdrom Domain 'WindowsVM' defined successfully.
-
When creating a new Windows VM, attach the file by using the
4.1.3. Installing virtio drivers on a Windows guest
To install KVM virtio drivers on a Windows guest operating system, you must add a storage device that contains the drivers (either when creating the virtual machine (VM) or afterwards) and install the drivers in the Windows guest operating system.
This procedure provides instructions to install the drivers by using the graphical interface. You can also use the Microsoft Windows Installer (MSI) command-line interface.
Prerequisites
-
An installation medium with the KVM
virtiodrivers must be attached to the VM. For instructions on preparing the medium, see Preparing virtio driver installation media on a host machine.
Procedure
-
In the Windows guest operating system, open the
File Explorerapplication. -
Click
This PC. -
In the
Devices and drivespane, open thevirtio-winmedium. Based on the operating system installed on the VM, run one of the installers:
-
If using a 32-bit operating system, run the
virtio-win-gt-x86.msiinstaller. -
If using a 64-bit operating system, run the
virtio-win-gt-x64.msiinstaller.
-
If using a 32-bit operating system, run the
In the
Virtio-win-driver-installersetup wizard that opens, follow the displayed instructions until you reach theCustom Setupstep.
- In the Custom Setup window, select the device drivers you want to install. The recommended driver set is selected automatically, and the descriptions of the drivers are displayed on the right of the list.
- Click , then click .
- After the installation completes, click .
- Reboot the VM to complete the driver installation.
Verification
On your Windows VM, navigate to the Device Manager:
- Click Start
- Search for Device Manager
Ensure that the devices are using the correct drivers:
- Click a device to open the Driver Properties window.
- Navigate to the Driver tab.
- Click Driver Details.
Next steps
- If you installed the NetKVM driver, you might also need to configure the Windows guest’s networking parameters. For more information, see Configuring NetKVM driver parameters.
4.1.4. Updating virtio drivers on a Windows guest
To update KVM virtio drivers on a Windows guest operating system (OS), you can use the Windows Update service.
If the OS version does not support Windows Update, you can reinstall the drivers from virtio driver installation media attached to the Windows virtual machine (VM).
Prerequisites
- A Windows guest OS with virtio drivers installed.
-
If not using
Windows Update, an installation medium with up-to-date KVMvirtiodrivers must be attached to the Windows VM. For instructions on preparing the medium, see Preparing virtio driver installation media on a host machine.
Procedure
On Windows 10, Windows Server 2016 and later operating systems, check if the driver updates are available by using the
Windows Updategraphical interface:- Start the Windows VM and log in to its guest OS.
Navigate to the Optional updates page:
Settings
Windows Update Advanced options Optional updates - Install all updates from Red Hat, Inc.
On operating systems that preceed Windows 10 and Windows Server 2016, or if the OS does not have access to
Windows Update, reinstall the drivers.This restores the Windows guest OS network configuration to default (DHCP). If you want to preserve a customized network configuration, you also need to create a backup and restore it by using the
netshutility:- Start the Windows VM and log in to its guest OS.
Open the Windows Command Prompt:
- Use the Super+R keyboard shortcut.
-
In the window that is displayed, type
cmdand press Ctrl+Shift+Enter to run as administrator.
Back up the OS network configuration by using the Windows Command Prompt:
C:\WINDOWS\system32\netsh dump > backup.txtReinstall KVM
virtiodrivers from the attached installation media. Do one of the following:Reinstall the drivers by using the Windows Command Prompt, where X is the installation media drive letter. The following commands install all
virtiodrivers.If using a 64-bit vCPU:
C:\WINDOWS\system32\msiexec.exe /i X:\virtio-win-gt-x64.msi /passive /norestartIf using a 32-bit vCPU:
C:\WINDOWS\system32\msiexec.exe /i X:\virtio-win-gt-x86.msi /passive /norestart
- Reinstall the drivers using the graphical interface without rebooting the VM.
Restore the OS network configuration using the Windows Command Prompt:
C:\WINDOWS\system32\netsh -f backup.txt- Reboot the VM to complete the driver installation.
Optional: If you use a centralized update or configuration management system, such as Windows Server Update Services (WSUS), configure the system to allow drivers published by Red Hat, Inc.
Some enterprise management services require specific vendors or drivers to be added to a trust-list. If Red Hat is not explicitly permitted, the system blocks
virtio-winupdates.+
NoteApproving Red Hat driver updates in WSUS is not sufficient. To receive regular driver updates, ensure that your management policy specifically permits the Red Hat vendor.
4.2. Enabling Hyper-V enlightenments
Hyper-V enlightenments provide a method for KVM to emulate the Microsoft Hyper-V hypervisor, which improves the performance of Windows virtual machines.
4.2.1. Enabling Hyper-V enlightenments on a Windows virtual machine
To improve the performance of a Windows virtual machine (VM) running in a RHEL 10 host, you can use Hyper-V enlightenments.
Procedure
Use the
virsh editcommand to open the XML configuration of the VM. For example:# virsh edit windows-vmAdd the following
<hyperv>sub-section to the<features>section of the XML:<features> [...] <hyperv> <relaxed state='on'/> <vapic state='on'/> <spinlocks state='on' retries='8191'/> <vendor_id state='on' value='KVM Hv'/> <vpindex state='on'/> <runtime state='on' /> <synic state='on'/> <stimer state='on'> <direct state='on'/> </stimer> <frequencies state='on'/> <reset state='on'/> <tlbflush state='on'/> <reenlightenment state='on'/> <ipi state='on'/> <evmcs state='on'/> </hyperv> [...] </features>If the XML already contains a
<hyperv>sub-section, modify it as shown above.Change the
clocksection of the configuration as follows:<clock offset='localtime'> ... <timer name='hypervclock' present='yes'/> </clock>- Save and exit the XML configuration.
- If the VM is running, restart it.
Verification
Use the
virsh dumpxmlcommand to display the XML configuration of the running VM. If it includes the following segments, the Hyper-V enlightenments are enabled on the VM.<hyperv> <relaxed state='on'/> <vapic state='on'/> <spinlocks state='on' retries='8191'/> <vendor_id state='on' value='KVM Hv'/> <vpindex state='on'/> <runtime state='on' /> <synic state='on'/> <frequencies state='on'/> <reset state='on'/> <tlbflush state='on'/> <reenlightenment state='on'/> <stimer state='on'> <direct state='on'/> </stimer> <ipi state='on'/> <evmcs state='on'/> </hyperv> <clock offset='localtime'> ... <timer name='hypervclock' present='yes'/> </clock>
4.2.2. Configurable Hyper-V enlightenments
You can configure certain Hyper-V features to optimize Windows VMs. For details on the configurable Hyper-V features and their values, see the following table.
| Enlightenment | Description | Values |
|---|---|---|
| evmcs | Implements paravirtualized protocol between L0 (KVM) and L1 (Hyper-V) hypervisors, which enables faster L2 exits to the hypervisor. Note This feature is exclusive to Intel processors. | on, off |
| frequencies | Enables Hyper-V frequency Machine Specific Registers (MSRs). | on, off |
| ipi | Enables paravirtualized inter processor interrupts (IPI) support. | on, off |
| reenlightenment | Notifies when there is a time stamp counter (TSC) frequency change which only occurs during migration. It also allows the guest to keep using the old frequency until it is ready to switch to the new one. | on, off |
| relaxed | Disables a Windows sanity check that commonly results in a BSOD when the VM is running on a heavily loaded host. This is similar to the Linux kernel option no_timer_check, which is automatically enabled when Linux is running on KVM. | on, off |
| runtime | Sets processor time spent on running the guest code, and on behalf of the guest code. | on, off |
| spinlocks |
| on, off |
| stimer | Enables synthetic timers for virtual processors. Note that certain Windows versions revert to using HPET (or even RTC when HPET is unavailable) when this enlightenment is not provided, which can lead to significant CPU consumption, even when the virtual CPU is idle. | on, off |
| stimer-direct | Enables synthetic timers when an expiration event is delivered through a normal interrupt. | on, off. |
| synic | Together with stimer, activates the synthetic timer. Windows 8 uses this feature in periodic mode. | on, off |
| time | Enables the following Hyper-V-specific clock sources available to the VM,
| on, off |
| tlbflush | Flushes the TLB of the virtual processors. | on, off |
| vapic | Enables virtual APIC, which provides accelerated MSR access to the high-usage, memory-mapped Advanced Programmable Interrupt Controller (APIC) registers. | on, off |
| vendor_id | Sets the Hyper-V vendor id. |
|
| vpindex | Enables virtual processor index. | on, off |
4.3. Configuring NetKVM driver parameters
After the NetKVM driver is installed, you can configure it to better suit your environment. You can configure the driver parameters by using the Windows Device Manager (devmgmt.msc).
Modifying the driver’s parameters causes Windows to reload that driver. This interrupts existing network activity.
Prerequisites
The NetKVM driver is installed on the virtual machine.
For instructions, see Installing KVM paravirtualized drivers for Windows virtual machines.
Procedure
- In the Windows guest operating system, open the Windows Device Manager application.
Locate the Red Hat VirtIO Ethernet Adapter.
- In the Device Manager window, click next to Network adapters.
Under the list of network adapters, double-click Red Hat VirtIO Ethernet Adapter.
The Properties window for the device opens.
View the device parameters.
In the Properties window, click the Advanced tab.
Modify the device parameters.
Click the parameter you want to modify.
Options for that parameter are displayed.
Modify the options as needed.
For information about the NetKVM parameter options, refer to NetKVM driver parameters.
- Click to save the changes.
4.4. NetKVM driver parameters
When configuring NetKVM drivers to optimize your Windows guest operating system, adjusting the individual parameters can significantly change how the virtual machine works.
For details on the configurable NetKVM driver logging parameters, see the following table.
| Parameter | Description 2 |
|---|---|
| Logging.Enable | A Boolean value that determines whether logging is enabled. The default value is Enabled. |
| Logging.Level | An integer that defines the logging level. As the integer increases, so does the verbosity of the log.
Note High logging levels might slow down your virtual machine. |
For details on the configurable NetKVM driver initial parameters, see the following table.
| Parameter | Description |
|---|---|
| Assign MAC | A string that defines the locally-administered MAC address for the paravirtualized NIC. This is not set by default. |
| Init.Do802.1PQ | A Boolean value that enables Priority/VLAN tag population and removal support. The default value is Enabled. |
| Init.MaxTxBuffers | An integer that represents the number of TX ring descriptors that are allocated. The value is limited by the size of Tx queue of QEMU. The default value is 1024. Valid values are: 16, 32, 64, 128, 256, 512, and 1024. |
| Init.MaxRxBuffers | An integer that represents the number of RX ring descriptors that are allocated. The value is limited by the size of Tx queue of QEMU. The default value is 1024. Valid values are: 16, 32, 64, 128, 256, 512, 1024, 2048, and 4096. |
| Offload.Tx.Checksum | Specifies the TX checksum offloading capability. In Red Hat Enterprise Linux 10, the valid values for this parameter are:
|
| Offload.Rx.Checksum | Specifies the RX checksum offloading capability. In Red Hat Enterprise Linux 10, the valid values for this parameter are:
|
| Offload.Tx.LSO | Specifies the TX large segments offloading (LSO) capability. In Red Hat Enterprise Linux 10, the valid values for this parameter are:
|
| MinRxBufferPercent | Specifies minimal amount of available buffers in RX queue in percent of total amount of RX buffers. If the actual number of available buffers is lower than that value, the NetKVM driver indicates low resources condition to the operating system (requesting it to return the RX buffers as soon as possible)
Minimum value (default) -
Maximum value - |
4.5. Optimizing background processes on Windows virtual machines
To optimize the performance of a virtual machine (VM) running a Windows OS, you can configure or disable a variety of Windows processes.
Certain processes might not work as expected if you change their configuration. Disabling security features such as antivirus software might compromise the security of the VM.
Procedure
Minimize hardware and interface overhead:
- Remove unused virtual devices, such as USB controllers or CD-ROM drives, and disable the associated ports in the VM configuration.
- Disable the screen saver to prevent unnecessary CPU cycles.
- Keep the Windows OS on the sign-in screen when the VM is not in active use.
Optimize system services and clock settings:
- Disable background services that perform frequent indexing or caching, such as SuperFetch and Windows Search. For more information, see Disabling system services.
Disable the
useplatformclocksetting to improve timing performance. Run the following command in a Windows command prompt with administrative privileges:C:\> bcdedit /set useplatformclock No
Manage scheduled tasks and applications:
- Review and disable unnecessary scheduled tasks, such as scheduled disk defragmentation. For more information, see Disable Scheduled Tasks.
- Reduce periodic activity of server applications by editing the respective timers. For more information, see Multimedia Timers.
- Close the Server Manager application when it is not needed.
Adjust storage and security settings:
- Ensure that the virtual disks are not encrypted, as encryption can add significant I/O overhead.
- If the environment allows, disable antivirus software to reduce background scanning activity.
4.6. Enabling Hotpatch on Windows Server 2025 virtual machines
To minimize the downtime when updating a virtual machine (VM) with a Windows Server 2025 guest operating system, you can configure the VM to use the Hotpatch functionality. Hotpatch uses the Azure Arc service to provide in-memory security updates for Windows VMs on a RHEL host. As a result, the VM does not have to be rebooted after updating.
Prerequisites
- You have an active subscription to Microsoft Azure.
The host supports Virtualization-Based Security (VBS) feature.
To verify, ensure that your CPU has the required feature flags. For Intel, these are VT-x and EPT, and for AMD, these are SVM and NPT:
# lscpu | grep -E 'vt-x|svm|ept|npt'In addition, ensure that the host supports the input/output memory management unit (IOMMU).
# virt-host-validate | grep IOMMUThe packages required for Secure Boot configuration have been installed on your host:
# dnf install swtpm swtpm-tools edk2-ovmfYou have an installed VM with one of the following guest operating systems:
- Windows Server 2025 Standard
- Windows Server 2025 Datacenter
- The Windows Server 2025 VM has been configured with the Secure Boot feature. For instructions, see Creating a Secure Boot Windows virtual machine.
Procedure
Adjust the configuration of the Windows Server 2025 VM to be compatible with Hotpatch:
Open the configuration of the VM:
# virsh edit <vm_name>Ensure that the VM is defined as a KVM domain:
<domain type='kvm'>In the
<devices>section of the configuration, configure TPM 2.0 emulation:<devices> <tpm model='tpm-tis'> <backend type='emulator' version='2.0'/> </tpm> </devices>Expose host CPU features to the VM to ensure it can use VBS:
<cpu mode='host-passthrough' check='none'> <feature policy='require' name='vmx'/> </cpu>- Save the configuration.
Enable VBS on the VM.
Start the VM.
# virsh start <vm_name>- In the Windows guest operating system, click Start and search for Core isolation.
- Open the system settings page.
- Toggle Memory Integrity to On.
- Restart the VM for the changes to take effect.
Optional: Verify that VBS has been enabled.
-
Run the
msinfo32.exeprogram. Locate Virtualization-based security.
If the status displays as Running, VBS has been enabled successfully.
-
Run the
Connect the VM to Azure Arc.
- Log in to the Azure Portal.
-
Navigate to Azure Arc
Machines. -
Select Add/Create
Add a machine. - Select Generate script (onboarding an existing machine).
- Download the generated script to the Windows VM.
- In the guest operating system, open PowerShell as an administrator.
Run the downloaded onboarding script.
./OnboardingScript.ps1Optional: Verify that the connection to Azure Arc has been established.
-
In the Azure portal, navigate to the Azure Arc
Machines page. - Check that your VM appears in the list with Status: Connected.
-
In the Azure portal, navigate to the Azure Arc
Enable hotpatching for the VM.
-
In the Azure Arc
Machines page of the Azure portal, select the VM that you want to modify. - On the Server Management (Overview) page, scroll to the bottom to locate the Hotpatch (preview) card.
- Click the card to open the activation pane.
- Set the Enable hotpatching toggle to On.
- Click Confirm.
- Optional: In the Capabilities tab of the VM overview, check that the Hotpatch tile shows Enabled.
-
In the Azure Arc
In the guest operating system, install the baseline security update. This ensures the system is on the correct baseline for future hotpatches.
- In the Windows Update interface, install the latest Cumulative Update (Security Update).
- Reboot the VM.
- Optional: In the Update History tab, check that the update appears under Quality Updates.
Verification
On a monthly basis, check in the Available updates window of Azure Arc that the following message displays:
The latest security update was installed without a restart.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}