Are there any risks with enabling Secure Boot on Azure Windows Server VMs? (Gen1 and Gen2)

Hamish Patel (Cloud Admin) 20 Reputation points
2024-09-09T00:03:19.4233333+00:00

One of our security guys has told us to enable Secure Boot on our Windows Server VMs. We want to be sure there'll be no issues with our VMs after enabling Secure Boot before we go ahead. Could we please get a few pros/cons on enabling Secure Boot on Azure VMs?

Also noticed that you can't easily enable Secure Boot on Gen1 VMs; it requires PowerShell to convert it to Gen2.


Accepted answer
    Prrudram-MSFT 27,961 Reputation points
    2024-09-09T09:32:53.59+00:00

    Hello @Hamish Patel (Cloud Admin)

    Enabling Secure Boot on your Windows Server VMs can provide additional security by ensuring that only trusted bootloaders, kernels, and drivers are allowed to run. Secure Boot is a feature of trusted launch for generation 2 VMs in Azure.

    Regarding your note about enabling Secure Boot on Gen1 VMs, you are correct that it is not supported on Gen1 VMs in Azure. To enable Secure Boot, you would need to convert the VM to a Gen2 VM using PowerShell. This process involves creating a new Gen2 VM and migrating the data and configuration from the old Gen1 VM to the new Gen2 VM.

    This can be a complex process and may require additional configuration or troubleshooting to ensure that all drivers and software are properly signed and compatible with Secure Boot. Before enabling Secure Boot on your Azure VMs, it is recommended that you test the configuration in a non-production environment to ensure that there are no compatibility issues or unexpected behavior. You should also make sure that you have a backup or a copy of the data, and that you have a plan to recover from any issues that may arise. Here are some pros and cons of enabling Secure Boot on Azure VMs.

    Pros:
    - Provides additional security by ensuring that only trusted bootloaders, kernels, and drivers are allowed to run.
    - Helps protect against malicious and unauthorized changes to the boot chain.
    - Can help meet compliance requirements for secure boot.

    Cons:
    - May cause compatibility issues with some drivers or software that are not signed by a trusted certificate authority.
    - May cause issues with some legacy hardware or firmware that does not support Secure Boot.
    - May require additional configuration or troubleshooting to ensure that all drivers and software are properly signed and compatible with Secure Boot.
    Hope this helps!

    If I have answered your query, please click "Accept as answer" as a token of appreciation
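As an added example (not part of the accepted answer or of any Microsoft script), the audit step a practitioner would run before following the advice above: list which VMs in a resource group are Gen1 (need a Gen2 rebuild first) and which are Gen2 without Secure Boot, then enable Trusted Launch on a chosen Gen2 VM. It assumes the Az.Compute module with an authenticated session; 'rg-placeholder' and 'vm-placeholder' are placeholder names.

```powershell
# Added example: Secure Boot readiness audit for Azure VMs (not the answer's code).
# Assumes Az.Compute is installed and Connect-AzAccount has already been run.
function Get-SecureBootReadiness {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)

    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        # The instance view (-Status) reports the Hyper-V generation as V1 or V2.
        $view = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Status
        $gen = $view.HyperVGeneration
        $secureBoot = ($vm.SecurityProfile.UefiSettings.SecureBootEnabled -eq $true)

        # Gen1 VMs cannot be switched in place; they must be rebuilt as Gen2 first.
        if ($gen -eq 'V1')        { $action = 'Rebuild as Gen2 before enabling Secure Boot' }
        elseif (-not $secureBoot) { $action = 'Gen2: Trusted Launch can be enabled' }
        else                      { $action = 'Secure Boot already enabled' }

        [pscustomobject]@{
            Name         = $vm.Name
            Generation   = $gen
            SecurityType = $vm.SecurityProfile.SecurityType
            SecureBoot   = $secureBoot
            Action       = $action
        }
    }
}

function Enable-SecureBootOnGen2Vm {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $ResourceGroupName,
          [Parameter(Mandatory)] [string] $Name)

    $view = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Status
    if ($view.HyperVGeneration -ne 'V2') {
        throw "$Name is generation $($view.HyperVGeneration); Secure Boot needs a Gen2 VM."
    }
    if ($PSCmdlet.ShouldProcess($Name, 'Deallocate and enable Trusted Launch (Secure Boot + vTPM)')) {
        # The security type can only be changed while the VM is deallocated.
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Force
        $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name
        Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm `
            -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true
        Start-AzVM -ResourceGroupName $ResourceGroupName -Name $Name
    }
}

# Audit first; try the change on a non-production VM before touching production.
Get-SecureBootReadiness -ResourceGroupName 'rg-placeholder' | Format-Table
Enable-SecureBootOnGen2Vm -ResourceGroupName 'rg-placeholder' -Name 'vm-placeholder' -WhatIf
```

Run the enable step without -WhatIf only after the audit shows the VM as Gen2 and after a backup exists, since the VM is deallocated and restarted during the change.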
