How to Configure Windows Server 2016 Hyper-V Containers

Hyper-V Containers are a container isolation mode introduced in Windows Server 2016 that provides hardware-level isolation by running each container inside a highly optimized, lightweight virtual machine with its own dedicated kernel instance. Unlike Windows Server Containers (process-isolated), Hyper-V Containers do not share the host kernel with other containers, making them suitable for multi-tenant workloads, untrusted code execution, and scenarios where strong security boundaries are required between containerized applications.

Despite the VM-based isolation, Hyper-V Containers use the same Docker management interface and container image format as process-isolated Windows Server Containers. The only difference from an operational perspective is the addition of the –isolation=hyperv flag when running containers. This means you can use the same Dockerfiles and container images for both isolation modes without modification.

Hyper-V Containers are also used in Windows 10 when running Windows Containers, since Windows 10 does not support process-isolated containers. The Windows Server 2016 Hyper-V Containers feature is critical for cloud providers and enterprises hosting containers for multiple tenants on shared physical infrastructure.

Prerequisites

To configure Hyper-V Containers on Windows Server 2016, you need: Windows Server 2016 with Hyper-V and Containers features installed, virtualization extensions enabled in BIOS/UEFI on the host (Intel VT-x or AMD-V), Docker Engine installed, and sufficient RAM (each Hyper-V Container has its own memory allocation). Nested virtualization must be enabled if the host itself is running as a VM in Hyper-V.

Step 1: Install Required Features

Install both the Containers and Hyper-V features simultaneously:

Install-WindowsFeature -Name Containers, Hyper-V, Hyper-V-Tools, Hyper-V-PowerShell -Restart

Step 2: Enable Nested Virtualization (If Host is a VM)

If your Windows Server 2016 host is itself running as a Hyper-V VM, you must enable nested virtualization on the parent host. Run the following on the parent Hyper-V host, specifying the nested VM name:

Set-VMProcessor -VMName "WS2016-ContainerHost" -ExposeVirtualizationExtensions $true

Also ensure the VM has sufficient memory and is not using dynamic memory, as Hyper-V Containers require memory to be statically allocated:

Set-VMMemory -VMName "WS2016-ContainerHost" -DynamicMemoryEnabled $false -StartupBytes 8GB

Step 3: Install Docker Engine

Install Docker using the DockerMsftProvider:

Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name Docker -ProviderName DockerMsftProvider -Force
Restart-Computer

After restart, verify Docker and Hyper-V isolation are available:

docker info

Look for “Isolation: hyperv” in the output to confirm Hyper-V Container support is available.

Step 4: Pull a Windows Container Base Image

Pull the Windows Server Core image that will be used as the base for Hyper-V Containers:

docker pull mcr.microsoft.com/windows/servercore:ltsc2016

Step 5: Run a Hyper-V Container

Start a Hyper-V Container by specifying the hyperv isolation flag:

docker run -it --isolation=hyperv mcr.microsoft.com/windows/servercore:ltsc2016 powershell

You will be in a PowerShell session inside the container. Unlike a process-isolated container, this container has its own kernel. Verify the isolation from inside the container:

[System.Environment]::OSVersion.Version

Run a detached Hyper-V Container hosting IIS:

docker run -d --isolation=hyperv -p 8080:80 mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2016

Step 6: Set Hyper-V as the Default Isolation Mode

To make hyperv isolation the default for all containers on this host, modify the Docker daemon configuration. Create or edit the Docker daemon.json file:

notepad C:ProgramDataDockerconfigdaemon.json

Add the following content to set hyperv as the default isolation:

{
  "exec-opts": ["isolation=hyperv"]
}

Restart the Docker service to apply the change:

Restart-Service Docker

Step 7: Inspect and Monitor Hyper-V Containers

Hyper-V Containers appear as lightweight VMs in Hyper-V Manager. You can view them using the Hyper-V Manager GUI or PowerShell. On the host, list all VMs including container VMs:

Get-VM | Where-Object {$_.Name -like "Container_*"}

Check Docker container statistics for CPU and memory usage:

docker stats

Step 8: Configure Resource Limits

Control the resources available to a Hyper-V Container. Limit CPU and memory at container start:

docker run -d --isolation=hyperv --cpus=2 --memory=2g mcr.microsoft.com/windows/servercore:ltsc2016

Troubleshooting Hyper-V Containers

If Hyper-V Containers fail to start, check that hardware virtualization extensions are enabled. Verify the Hyper-V service is running:

Get-Service vmms

Check Docker event logs for errors:

docker events

Hyper-V Containers in Windows Server 2016 provide the security and isolation guarantees of virtual machines with the operational simplicity and image portability of containers, making them ideal for enterprise multi-tenant deployments.