Site icon Infused Innovations

Guide to Deploy Gen2 VMs in Azure

Guide to Deploy Gen2 VMs in Azure 1

This week Microsoft announced the public preview of support to deploy gen2 VMs in Azure. Gen2 VMs have been around since Windows Server 2012 R2 for on-premises Hyper-V deployments. However, there are some serious limitations during the Azure preview. Let’s look at the benefits first.

Why Should I Deploy Gen2 VMs in Azure?

For security purposes. Gen2 VMs will offer the following features in Azure during the preview:

If you’re considering deploying Windows Virtual Desktop in Azure, then SecureBoot in generation 2 VMs should allow you to enable Device Guard and Credential Guard to block credential-theft attacks. I’ll update this post after I deploy credential guard in WVD. (WVD is currently not supported in the gen2 preview. Neither is VBS.)

Why Shouldn’t I Deploy Gen2 VMs in Azure?

Also for security purposes. And budgetary reasons. Let’s start with the primary reason why I’m not converting all of my Azure VMs to generation 2 right now.

As far as your budget goes, the preview does not support A or B series VMs. Which means you’ll have to deploy using a more expensive Dsv2/3, Esv3, Fsv2, GS, Ls/v2, or Mv2 series VM.

Deploying Windows Server 2019 Generation 2 in Azure

Deploy Gen2 VMs Using the Azure Portal

To deploy a generation 2 VM in Azure, just navigate to the Azure Marketplace and search for:



Select Windows Server 2019 Datacenter (Gen2) and then proceed to create your VM as normal.

Deploy Gen2 VMs Using PowerShell and the Az Module

If you prefer to use PowerShell to deploy your VMs, our DevSecOps team suggests running something similar to the following using the Az module.

Install-Module Az
Import-Module Az
$VMLocalAdminUser = "SecqurAdmin"
$VMLocalAdminSecurePassword = ConvertTo-SecureString 'Long!Passwords?Are#More*Secure%2019' -AsPlainText -Force
$LocationName = "eastus2"
$ResourceGroupName = "MyResourceGroup"
$ComputerName = "Thor-Gen2"
$VMName = "Thor-Gen2"
$VMSize = "Standard_D4s_v3"

$NetworkName = "Ragnarök"
$NICName = "Thor-Gen2-Nic"
$SubnetName = "ThroneRoom"
$SubnetAddressPrefix = ""
$VnetAddressPrefix = ""

$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $ResourceGroupName -Location $LocationName -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $ResourceGroupName -Location $LocationName -SubnetId $Vnet.Subnets[0].Id

$Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);

$VirtualMachine = New-AzVMConfig -VMName $VMName -VMSize $VMSize
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus 'windowsserver-gen2preview' -Version latest

New-AzVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose


I’m optimistic about using virtualization-based security in Azure, especially for Windows Virtual Desktop. But until there is support for VBS and BitLocker, I won’t be deploying any generation 2 VMs soon. Right now the main reason to deploy a generation 2 VM is for REALLY BIG servers where you need more than 12 TB of data. (Only if you use a tool other than Azure Backup to protect your data.)

Head on over to the official Azure Support page for Gen2 VMs to see the latest updates.

Exit mobile version