Q: In Windows Server 2012 Hyper-V, Microsoft introduced Generation 2 virtual machines to better take advantage of new underlying hardware features. Do Generation 2 virtual machines also bring security benefits?
A: Yes, Generation 2 virtual machines (VMs) bring important security benefits because they're based on the Unified Extensible Firmware Interface (UEFI) and they support Secure Boot. UEFI is the next-generation firmware interface for virtual and physical computers. Thanks to Secure Boot, malware—including unauthorized OS files, drivers, and firmware—will be prevented from running when the VM boots.
Under the hood, Secure Boot leverages a public key infrastructure (PKI)-based key hierarchy and digital signature technology to verify the integrity of the software (such as the OS loader) underlying the VM startup. As such, Secure Boot can ensure that only trustworthy software components are allowed to run.
Secure Boot is enabled by default when you create a new Generation 2 VM. You can enable or disable Secure Boot when the Generation 2 VM isn't running by opening the VM Settings in Hyper-V Manager, selecting Firmware under Hardware, then selecting or clearing the Enable Secure Boot check box. Alternatively, you enable or disable this option from the command line with Windows PowerShell. For example, if you want to enable Secure Boot, you use the Set-VMFirmware cmdlet, like this:
Set-VMFirmware -EnableSecureBoot On
To disable Secure Boot, you use the same command, except you replace On with Off.
The MSDN Blogs entry "Protecting the pre-OS environment with UEFI" provides a good introduction to UEFI and Secure Boot. You can find more technical details on how Generation 2 VMs support Secure Boot in the TechNet Blogs entry "Hyper-V generation 2 virtual machines - part 6."
