This week Microsoft announced the public preview of support to deploy gen2 VMs in Azure. Gen2 VMs have been around since Windows Server 2012 R2 for on-premises Hyper-V deployments. However, there are some serious limitations during the Azure preview. Let’s look at the benefits first.

Why Should I Deploy Gen2 VMs in Azure?

For security purposes. Gen2 VMs will offer the following features in Azure during the preview:

  • Operating System (OS) disks that exceed 2 TB
  • Future support for SecureBoot to block rootkits
  • UEFI-based boot architecture vs. legacy BIOS architecture
  • Future support for Virtual Trusted Platform Module (vTPM)
  • SCSI Disk Controllers (instead of IDE) but only for Premium Storage
  • Support for Accelerated Networking (This isn’t new, it’s just not broken.)

If you’re considering deploying Windows Virtual Desktop in Azure, then SecureBoot in generation 2 VMs should allow you to enable Device Guard and Credential Guard to block credential-theft attacks. I’ll update this post after I deploy credential guard in WVD. (WVD is currently not supported in the gen2 preview. Neither is VBS.)

Why Shouldn’t I Deploy Gen2 VMs in Azure?

Also for security purposes. And budgetary reasons. Let’s start with the primary reason why I’m not converting all of my Azure VMs to generation 2 right now.

  • Not compatible with Azure Site Recovery or Azure Backup. I avoid using Veeam, Zerto, or third-party backups for Azure VMs because the seamless integration of ASR and Azure Backup make automation and orchestration significantly easier.
  • No support for Azure Disk Encryption. That means no BitLocker.
  • Virtualization-Based Security is not supported. (Yet.)
  • Shielded VMs are missing.
  • No VHDX support.
  • Currently only Windows Server 2012 through 2019 is supported.

As far as your budget goes, the preview does not support A or B series VMs. Which means you’ll have to deploy using a more expensive Dsv2/3, Esv3, Fsv2, GS, Ls/v2, or Mv2 series VM.

Deploying Windows Server 2019 Generation 2 in Azure

Deploy Gen2 VMs Using the Azure Portal

To deploy a generation 2 VM in Azure, just navigate to the Azure Marketplace and search for:

windowsserver-gen2preview

Select Windows Server 2019 Datacenter (Gen2) and then proceed to create your VM as normal.


Deploy Gen2 VMs Using PowerShell and the Az Module

If you prefer to use PowerShell to deploy your VMs, our DevSecOps team suggests running something similar to the following using the Az module.

Install-Module Az
Import-Module Az
$VMLocalAdminUser = "SecqurAdmin"
$VMLocalAdminSecurePassword = ConvertTo-SecureString 'Long!Passwords?Are#More*Secure%2019' -AsPlainText -Force
$LocationName = "eastus2"
$ResourceGroupName = "MyResourceGroup"
$ComputerName = "Thor-Gen2"
$VMName = "Thor-Gen2"
$VMSize = "Standard_D4s_v3"

$NetworkName = "Ragnarök"
$NICName = "Thor-Gen2-Nic"
$SubnetName = "ThroneRoom"
$SubnetAddressPrefix = "10.0.0.0/24"
$VnetAddressPrefix = "10.0.0.0/16"

$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $ResourceGroupName -Location $LocationName -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $ResourceGroupName -Location $LocationName -SubnetId $Vnet.Subnets[0].Id

$Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);

$VirtualMachine = New-AzVMConfig -VMName $VMName -VMSize $VMSize
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus 'windowsserver-gen2preview' -Version latest

New-AzVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose

Conclusion

I’m optimistic about using virtualization-based security in Azure, especially for Windows Virtual Desktop. But until there is support for VBS and BitLocker, I won’t be deploying any generation 2 VMs soon. Right now the main reason to deploy a generation 2 VM is for REALLY BIG servers where you need more than 12 TB of data. (Only if you use a tool other than Azure Backup to protect your data.)

Head on over to the official Azure Support page for Gen2 VMs to see the latest updates.

Dan Chemistruck

Recent Posts

Telephone Plans in Microsoft Teams

If you're familiar with Microsoft Teams, you probably know it as a hub for communication…

2 days ago

Responsible AI for Responsible Democracy

Imagine for a moment, as you may have already done at some point, this scenario:…

1 week ago

Using Power BI to Analyze COVID-19

Microsoft's Power BI---short for Business Intelligence---is often used to drive business decisions and strategies through…

2 weeks ago

Microsoft Tools Every Intern Should Know About

Here at Infused Innovations we have a couple new interns, and...well, they've got a lot…

3 weeks ago

How Well Do You Know Your Customers? Gain a 360-Degree Customer View

If you run a business that relies on customer loyalty, you know how important your…

1 month ago

Statement from our CEO: We Stand With Those Calling for Justice, Equality, and True Democracy

The events of the past several days have made us at Infused Innovations question whether…

1 month ago