none
Hyper-V Server 2012 - Does Not Allow for Secure Boot?

    질문

  • Hyper-V Server 2012 (server core) does not appear to support Secure Boot?  Is this true?

    Various webpages imply that Windows Server 2012 (and Windows 8) both support Secure Boot which would imply Secure Boot ought to also work on Hyper-V Server 2012?  (I was unable to locate any definitive answer to that question.)

    I am using an Intel DQ77MK motherboard.  I am able to successfully install Hyper-V Server 2012 using UEFI.  (I confirmed UEFI by opening C:\windows\panther\setupact.log and looking for "Detected boot environment: EFI.")

    But if I setup the motherboard BIOS to enable SecureBoot, prior to re-installing Hyper-V Server 2012, I don't get anything on my screen.  It is unclear if the system hung, but I don't get any error message and am unable to install the OS.  So there seems to be some compatibility problem between enabling Secure Boot and Hyper-V Server 2012?  (In case you're wondering.  I have the latest Intel BIOS installed on my motherboard.)

    In doing some research I came across the Powershell command - Get-SecureBootPolicy

    But when I try and execute that command on Hyper-V Server 2012 I get the following error message -

    The term 'Get-SecureBootPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program.

    I came across the get-module command.  I noticed different results on my Windows 8 PC -

    PS C:\> get-module

    ModuleType Name                                ExportedCommands
    ---------- ----                                ----------------
    Manifest   Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-...
    Binary     SecureBoot                          {Confirm-SecureBootUEFI, Form...

    versus my Hyper-V Server 2012

    PS C:\> get-module

    ModuleType Name                                ExportedCommands
    ---------- ----                                ----------------
    Manifest   Microsoft.PowerShell.Management     {Add-Computer, Add-Content, C...
    Manifest   Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-...

    It looked as though I might need to install something in order to get Get-SecureBootPolicy to run on Hyper-V Server 2012?  I tried running Import-Module SecureBoot but got this error message -

    The specified module 'SecureBoot' was not loaded because no valid module file was found in any module directory.

    So unless a different module name is required there does not appear to be any way for me to install the cmdlet on Hyper-V Server 2012?

    The list of PowerShell 3 Cmdlets, as found here -

    http://social.technet.microsoft.com/wiki/contents/articles/4694.powershell-3-cmdlets.aspx?Sort=MostRecent&PageIndex=1

    looked as though it ought to be possible to perform a UEFI install and then setup the BIOS to enable Secure Boot.  I had trouble getting the system to boot, but after several attempts I finally got it to come up.  But given none of the other cmdlets I tried worked I cannot tell if Secure Boot is really enabled.  I thought that after several failed boot attempts perhaps the BIOS reverted/regressed some configuration that allowed me to boot the system, but which effectively disabled Secure Boot?

    All of which leads me to believe that Hyper-V Server 2012 (server core) does not support Secure Boot?

    Thanks for any insight you can provide.


    Theokrat

    2013년 7월 23일 화요일 오전 5:22

모든 응답

  • After posting this I setup a chat with Intel.  The tech support person referred me to this webpage -

    http://www.intel.com/support/motherboards/desktop/sb/cs-008326.htm

    Intel's public comment is that they don't recommend installing a Server OS on a Desktop motherboard.

    I'm not sure if that is really a factor in my problem or not?  Given the various issues I had with cmdlets it appears to me that Hyper-V Server 2012 does not support Secure Boot at all?  So even if I were to get an Intel Server motherboard (and associated parts) that would not make any difference, i.e., Secure Boot would still not function?


    Theokrat

    2013년 7월 23일 화요일 오전 5:51
  • Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.

    Regards,

    Clarence

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    2013년 7월 24일 수요일 오전 5:53
  • Clarence,

    I've done some additional testing.  I tried installing Hyper-V Server 2012 R2 Preview.  I was able to get a UEFI install to complete, but I have most of the exact same symptoms as before. The get-module cmdlet doesn't give me any response at all, but other cmdlets give the same error messages as before.

    I noticed in this webpage it says with R2 you should be able to perform a SecureBoot of the VM.

    http://www.infoworld.com/slideshow/104337/10-great-new-features-in-windows-server-2012-r2-hyper-v-220067#slide2

    But if I can't even get the base OS into SecureBoot I'm sure that won't work for the VM either.

    I did run across a webpage that mentioned this Intel motherboard has some problems with USB 3.0.

    https://communities.intel.com/thread/38705

    I have had sporadic problems getting the system to boot at all.  I didn't specifically notice whether I had anything plugged into a USB 3.0 port or not.

    But given I have been able to get both Hyper-V Server 2012 and Hyper-V Server 2012 R2 Preview to install and perform a UEFI boot I wouldn't think any possible problems with USB 3.0 would affect whether or not I can get SecureBoot to function?

    I tried installing Windows Server 2012, but I am having trouble even getting the installation to complete.  I'm getting an 0x80070750 error which seems to be a complaint about my installation media?  I've tried several different methods to install and get this error each time.  

    I also have an AMD motherboard that I believe has the option for SecureBoot?  I may try to install on that to see if there are any differences in OS behavior.

    Thanks for your assistance.


    Theokrat


    • 편집됨 Theokrat 2013년 7월 24일 수요일 오후 10:55 Corrected grammar
    2013년 7월 24일 수요일 오후 10:53
  • Clarence,

    I was finally able to get Windows Server 2012 (Standard Edition with GUI) evaluation version installed.

    When I first ran Get-SecureBootPolicy it came back with a message to the effect that SecureBoot was not enabled.  But at least I got a response to the cmdlet (unlike Hyper-V Server 2012).

    I went into the BIOS to double check.  SecureBoot was enabled, but there were four related options that seemed to have something to do with keys.  I checked an option in the BIOS to force defaults for SecureBoot and after a reboot this time I got a response to the command.

    Windows PowerShell
    Copyright (C) 2012 Microsoft Corporation. All rights reserved.

    PS C:\Users\Administrator> Get-SecureBootPolicy

    Publisher                                                                                                       Version
    ---------                                                                                                       -------
    77fa9abd-0359-4d32-bd60-28f4e78f784b                                                                                  1

    The response looks a bit odd, but I assume that must be telling me that SecureBoot is enabled?

    I ran Confirm-SecureBootUEFI and that came back with the result - True

    These results also indicate to me that the Intel DQ77MK motherboard does support SecureBoot and thus it is Hyper-V Server 2012 that is at fault?  Unless I have somehow done something wrong in the installation/configuration of Hyper-V Server 2012, but I don't think I missed anything.

    Thanks again for your assistance.


    Theokrat


    • 편집됨 Theokrat 2013년 7월 25일 목요일 오전 6:05 Added additional info
    2013년 7월 25일 목요일 오전 5:58
  • Clarence,

    I was mistaken.  The AMD motherboard I have does not support Secure Boot.

    So I've tested everything I can and the problem certainly looks to me like it must be that Hyper-V Server 2012 does not actually support Secure Boot.  But I am waiting to hear what you find out.

    Thanks again for your assistance.


    Theokrat

    2013년 7월 25일 목요일 오후 7:50
  • Hi,

    When Secure Boot is activated on a PC, the PC checks each piece of software, including the UEFI drivers (also known as Option ROMs) and the operating system, against databases of known-good signatures maintained in the firmware. If each piece of software is valid, the firmware runs the software and the operating system.

    For more information, please refer to link: http://technet.microsoft.com/en-us/library/hh824987.aspx

    Thanks,

    Kevin Ni


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    2013년 8월 17일 토요일 오후 3:48
  • Kevin,

    I believe you're telling me that something is missing from the Motherboard ROM that would allow it to validate the OS (Hyper-V Server 2012)?  It seems a bit odd that Server 2012 will work, but Hyper-V Server 2012 will not work - using the exact same hardware. Wouldn't both OS be using the same drivers that are validated by Secure Boot?

    In my case I assembled this PC from parts I purchased.  The link you mentioned says, "Before the PC is deployed, the OEM stores the Secure Boot databases onto the PC."  In my case is the OEM considered to be Intel (since they manufactured the motherboard)?  Normally I would think the OEM refers to the company selling the PC, but it doesn't make any sense to me to say that I should be the one installing the Secure Boot database on this PC.  How would it even be possible for me to do that?

    Thanks.


    Theokrat

    2013년 8월 18일 일요일 오후 4:19
  • Clarence,

    Is Kevin Ni the person you were trying to involve?  I wasn't sure if that was going to be my only answer, since it doesn't look like what he's suggesting will get me to a resolution (at least not with my current motherboard), or if I should be looking for something else?

    Thanks.


    Theokrat

    2013년 8월 18일 일요일 오후 4:22