be connected directly through to virtual machines. This can be useful in certain
scenarios. For example, certain types of storage (especially NVMe devices) and even
graphics adapters may not typically work with applications via RemoteFX, because of
unrecognized drivers for applications or because of the limited features exposed via
RemoteFX that are limited historically to DirectX primitives (although this improves
with Windows Server 2016 with OpenCL and OpenGL support). When using DDA, the
hardware is passed through directly to the VM, and therefore the hardware’s IHV
drivers are used instead of generic virtual device drivers. The decision to use
RemoteFX vs. DDA really comes down to using DDA when you need native drivers
and the best possible performance, and using RemoteFX vGPU when you need scale.
To use DDA, the system must support Access Control Service, which enables the
secure pass-through of a PCI Express device. Additionally, the host must support
SLAT (a base requirement for Hyper-V 2016) and interrupt remapping (Intel VT-d2 or
AMD I/O MMU).
To test whether your machine supports DDA, execute the following PowerShell, which
will also identify all hardware that could be used with DDA and therefore assigned to a
VM:
wget https://raw.githubusercontent.com/Microsoft/Virtualization-
Documentation/master/hyperv-samples/benarm-powershell/DDA/survey-dda.ps1
-OutFile survey-dda.ps1
.\survey-dda.ps1
Microsoft has an excellent article that walks through the output of this script in great
detail:
https://blogs.technet.microsoft.com/virtualization/2015/11/20/
discrete-device-assignment-machines-and-devices/
Note that when using DDA, the devices cannot also be used in the host or shared
between VMs. The devices are directly passed through to a VM. This also means Live
Migration of the VM would not be possible, because the VM is directly bound to
hardware in a specific host. This is different from SR-IOV, which does not block Live
Migration. The lack of Live Migration is a major concession, and this functionality will
be used in only very specific scenarios. However, in those scenarios, the ability to
directly map PCIe devices is a huge benefit. Additionally, a critical point: it’s really
difficult to pass an entire device through to a guest without exposing the whole
machine to denial-of-service attacks. Almost every device can be tricked into
generating errors on the bus that will bring the entire machine down with odd
messages about hardware failure. So DDA should be used only for VMs that the
administrator has complete trust in. In practice, the DDA-enabled VMs should
probably be part of the hoster’s infrastructure, not something that the tenant gets to
use. Note that this may give you pause, because Azure uses this exact functionality