1.    25 Mar 2015 #1

    One for Kari - Secure boot with HYPER-V question


    Hi there

    I see that although VMware and VBOX can't do it (they can use UEFI) it seems HYPER-V CAN create a level 2 (type 2) VM which can enable secure boot.

    I want to have a go with this on a W2012 Server HOST. Anything special needed for setting up the VM -- want to run a W10 VM where I have the serial number - and I've got a W8 enterprise system too I can use.

    Will the same HYPER-V system work on a W10 Host?

    Cheers
    jimbo
  2.    25 Mar 2015 #2
    Join Date : Nov 2013
    Posts : 804
    10 Pro Preview x64

    If you set up a type 2 machine you tick Enable secure boot in the firmware tab of settings.

    Works on Windows 10 also.

    In case you are interested (I was looking at your other posts) in Hyper-V the firmware is always user mode so you can add whatever keys you want to allow VM to boot in secure mode (assuming it supports it). TechNet Blogs
  3.    25 Mar 2015 #3

    Originally posted by adamf:

        If you set up a type 2 machine you tick Enable secure boot in the firmware tab of settings.

        Works on Windows 10 also.

        In case you are interested (I was looking at your other posts) in Hyper-V the firmware is always user mode so you can add whatever keys you want to allow VM to boot in secure mode (assuming it supports it). TechNet Blogs

    Hi there

    Thanks for the info.

    However, if one can enter any key it rather IMO defeats the whole process!!!! Presumably IMO the whole point of protected boot is to ONLY allow the OS'es with the requisite key to boot. Otherwise it's a waste of time!!!

    Seems also Guest non Windows OS'es won't work either then as part of the security is maintained on the HOST.

    Cheers
    jimbo
  4.    25 Mar 2015 #4
    Join Date : Nov 2013
    Posts : 804
    10 Pro Preview x64

    It depends whether you are talking about booting a VM or not.

    What MS has suggested recently (although details are still unclear) is to remove the restriction that OEMs must deliver the ability to turn off secure boot on new devices if they want the "designed for Windows" logo. This would mean that if you bought such hardware you could be tied into whatever operating systems they see fit (if and only if the OEM decided to do that). Previously MS said the ability to turn off secure boot was required. That is your host.

    With a VM there are 2 layers - your host and the guest. Assuming you have booted your host you can then define valid keys to allow your guest to run (assuming your guest supports secure boot) as the firmware (seen by the guest) is in user space on the host. By default the host keys will be passed to the guest but you can add more if you want.

    Long and short, for VMs it doesn't (currently) make any difference. For bare metal it is only interesting if you were to buy a new Windows 10 machine where the OEM has decided to restrict secure boot (as is currently the case if you buy a phone) and you wanted to boot something not on their list. As such devices don't exist yet and MS may change their mind it is a little pointless to discuss that side of it.
  5.    26 Mar 2015 #5
    Join Date : Oct 2013
    A Finnish expat in Germany
    Posts : 13,115
    Windows 10 Pro

    I have never tried Secure Boot on Hyper-V. Theoretically it should work with Windows 8 and later or Windows Server 2012 and later guests. I have and have had a lot of 2nd generation virtual machines which makes secure boot possible, but as normal Windows 8 or 10 second generation vm fails to boot when the option is selected ("EFI SCSI Device failed secure boot verification"), I always untick the box in vm settings.

    This is one Hyper-V question I am totally unable to answer due to lack of experience. I read what Adam already posted and have unfortunately nothing to add. Please post about your findings, I at least would be very interested to hear how it went.
  6.    26 Mar 2015 #6

    Hi there

    Am travelling tomorrow (Brussels ==>home) but when I get back I'll have a play with it over the weekend if I have enough time.

    Seems an interesting concept of "securing" a VM - however I really want to try if any old key will work and if it's simple to change these. If the user can change these then as I said before it seems a waste of time. By user in this case I mean someone who has access to the HOST HYPER-V machine not the VM.

    I'll probably create a Vanilla VM -- with nothing apart from the default MS applications and have a play. I think I'll run it first on a W2012 server Host as I know that system is working correctly. W10 might just be too "new" to play with this.

    Cheers
    jimbo
  7.    26 Mar 2015 #7
    Join Date : Nov 2013
    Posts : 804
    10 Pro Preview x64

    If you create a new type 2 VM in Hyper-V then secure boot is the default. I just installed 9841 Server (latest version I could find) and it works fine (my host is 10041 Pro).

    I also migrated an Arch installation from VBox (converted the disk to vhdx) and it will not boot with secure boot but whether this is because of the migration or the secure boot I don't know yet. According to their Wiki you can self-sign certificates for secure boot but I've not tried yet as it seems a lot of effort for no benefit I can think of to be honest.
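Added example, not written by any poster in this thread: the concern raised in post #6, that anyone with access to the Hyper-V host can change a guest's Secure Boot setting, is something the host can at least detect. This PowerShell script, run elevated on the host with the Hyper-V module, lists each Generation 2 guest's Secure Boot state and reports drift against a saved baseline. The baseline path and the guest name in the last comment are hypothetical, and Secure Boot templates assume a Windows 10 / Server 2016 or later host.

```powershell
# Added example: audit Secure Boot on Generation 2 Hyper-V guests and detect changes.
# Assumptions: elevated session on the Hyper-V host; baseline path is hypothetical.
$BaselinePath = Join-Path $env:ProgramData 'secureboot-baseline.csv'

function Get-SecureBootAudit {
    # Only Generation 2 (UEFI) guests have a Secure Boot firmware setting.
    Get-VM | Where-Object { $_.Generation -eq 2 } | ForEach-Object {
        $fw = Get-VMFirmware -VM $_
        [pscustomobject]@{
            VMName     = $_.Name
            # Stored as strings so they compare cleanly with values read back from CSV.
            SecureBoot = "$($fw.SecureBoot)"
            # Empty on older hosts that have no Secure Boot templates.
            Template   = "$($fw.SecureBootTemplate)"
        }
    }
}

$audit = @(Get-SecureBootAudit)
$audit | Sort-Object SecureBoot, VMName | Format-Table -AutoSize

# Guests where "Enable Secure Boot" has been unticked.
$off = @($audit | Where-Object { $_.SecureBoot -eq 'Off' })
if ($off.Count -gt 0) {
    Write-Warning ("Secure Boot disabled on: " + ($off.VMName -join ', '))
}

# Drift check: report any guest whose state or template differs from the baseline.
if ($audit.Count -gt 0) {
    if (Test-Path $BaselinePath) {
        $old = @(Import-Csv $BaselinePath)
        # '<=' rows are the baseline values, '=>' rows are the current values.
        Compare-Object $old $audit -Property VMName, SecureBoot, Template |
            Sort-Object VMName, SideIndicator |
            Format-Table VMName, SecureBoot, Template, SideIndicator -AutoSize
    } else {
        $audit | Export-Csv $BaselinePath -NoTypeInformation
        Write-Host "Baseline written to $BaselinePath"
    }
}

# Re-enabling Secure Boot on a stopped guest. The template shown is for a guest whose
# bootloader is signed under the Microsoft UEFI CA; 'linux-guest' is a hypothetical name.
# Set-VMFirmware -VMName 'linux-guest' -EnableSecureBoot On `
#     -SecureBootTemplate MicrosoftUEFICertificateAuthority
```

The baseline file is only as trustworthy as its access control: keep it where the accounts that can edit VM settings cannot also rewrite it.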

 

