This week Microsoft announced the public preview of support to deploy gen2 VMs in Azure. Gen2 VMs have been around since Windows Server 2012 R2 for on-premises Hyper-V deployments. However, there are some serious limitations during the Azure preview. Let’s look at the benefits first.
For security purposes. Gen2 VMs will offer the following features in Azure during the preview:
If you’re considering deploying Windows Virtual Desktop in Azure, then SecureBoot in generation 2 VMs should allow you to enable Device Guard and Credential Guard to block credential-theft attacks. I’ll update this post after I deploy credential guard in WVD. (WVD is currently not supported in the gen2 preview. Neither is VBS.)
Also for security purposes. And budgetary reasons. Let’s start with the primary reason why I’m not converting all of my Azure VMs to generation 2 right now.
As far as your budget goes, the preview does not support A or B series VMs. Which means you’ll have to deploy using a more expensive Dsv2/3, Esv3, Fsv2, GS, Ls/v2, or Mv2 series VM.
To deploy a generation 2 VM in Azure, just navigate to the Azure Marketplace and search for:
Select Windows Server 2019 Datacenter (Gen2) and then proceed to create your VM as normal.
If you prefer to use PowerShell to deploy your VMs, our DevSecOps team suggests running something similar to the following using the Az module.
Install-Module Az Import-Module Az $VMLocalAdminUser = "SecqurAdmin" $VMLocalAdminSecurePassword = ConvertTo-SecureString 'Long!Passwords?Are#More*Secure%2019' -AsPlainText -Force $LocationName = "eastus2" $ResourceGroupName = "MyResourceGroup" $ComputerName = "Thor-Gen2" $VMName = "Thor-Gen2" $VMSize = "Standard_D4s_v3" $NetworkName = "Ragnarök" $NICName = "Thor-Gen2-Nic" $SubnetName = "ThroneRoom" $SubnetAddressPrefix = "10.0.0.0/24" $VnetAddressPrefix = "10.0.0.0/16" $SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix $Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $ResourceGroupName -Location $LocationName -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet $NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $ResourceGroupName -Location $LocationName -SubnetId $Vnet.Subnets.Id $Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword); $VirtualMachine = New-AzVMConfig -VMName $VMName -VMSize $VMSize $VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate $VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id $VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus 'windowsserver-gen2preview' -Version latest New-AzVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose
I’m optimistic about using virtualization-based security in Azure, especially for Windows Virtual Desktop. But until there is support for VBS and BitLocker, I won’t be deploying any generation 2 VMs soon. Right now the main reason to deploy a generation 2 VM is for REALLY BIG servers where you need more than 12 TB of data. (Only if you use a tool other than Azure Backup to protect your data.)
Head on over to the official Azure Support page for Gen2 VMs to see the latest updates.
If you run a business that relies on customer loyalty, you know how important your…
The events of the past several days have made us at Infused Innovations question whether…