Leveraging Generation 2 virtual machines
A new feature of Hyper-V in the 2012 R2 series is Generation 2 virtual machines. While the traditional virtual machine uses an emulated BIOS, these make use of the newer, more efficient and robust Unified Extensible Firmware Interface (UEFI) model. The greatest benefit of using these virtual machines is quicker boot-up times. They don't offer a great deal more than that and almost nothing in terms of security. A Generation 2 virtual machine doesn't use emulated hardware, so a compromise of vmwp.exe (the worker process that hosts each guest on the parent partition) would theoretically have less impact on a Generation 2 guest. However, the likelihood of such a compromise is so low that this is of little concern.
What the Generation 2 VM does offer in terms of security is Secure Boot. Secure Boot is an agreement between the firmware and the boot image, whether that image is a DVD, a hard drive file, or a PXE image. This is handled by a PKI configuration in which the firmware can recognize the digital signatures presented...
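Because Secure Boot is the one security control a Generation 2 VM adds, the practical check is whether it is actually switched on. The following PowerShell is an added example, not code from the original text or from Microsoft; it uses only the Hyper-V module cmdlets that shipped with Windows Server 2012 R2 (Get-VM, Get-VMFirmware, Set-VMFirmware) and assumes it is run in an elevated session on the Hyper-V host. The function names and the sample VM name "WebFrontEnd01" are my own.

```powershell
# Added example (not from the original text): audit and enforce Secure Boot
# on Generation 2 virtual machines on the local Hyper-V host.
# Assumes: elevated PowerShell on a Windows Server 2012 R2 (or later) Hyper-V host.

Import-Module Hyper-V

function Get-SecureBootAudit {
    # Returns one row per Generation 2 VM with its Secure Boot state.
    # Generation 1 VMs are skipped: they boot from an emulated BIOS and
    # have no firmware object to query.
    Get-VM | Where-Object { $_.Generation -eq 2 } | ForEach-Object {
        $fw = Get-VMFirmware -VM $_
        [PSCustomObject]@{
            Name       = $_.Name
            State      = $_.State
            SecureBoot = $fw.SecureBoot      # 'On' or 'Off'
            Compliant  = ($fw.SecureBoot -eq 'On')
        }
    }
}

function Enable-SecureBootOnVM {
    param([Parameter(Mandatory = $true)][string] $VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) {
        throw "$VMName is a Generation $($vm.Generation) VM; Secure Boot requires Generation 2."
    }
    # Firmware settings can only be changed while the VM is off.
    if ($vm.State -ne 'Off') {
        throw "$VMName must be stopped before its firmware settings can be changed."
    }
    Set-VMFirmware -VM $vm -EnableSecureBoot On
    # Re-read the firmware object so the caller sees the persisted state, not our intent.
    return (Get-VMFirmware -VM $vm).SecureBoot
}

# --- Usage ---
# List every Generation 2 VM that is running without Secure Boot:
Get-SecureBootAudit | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Turn Secure Boot on for one VM (hypothetical VM name; the VM must be stopped first):
# Stop-VM -Name 'WebFrontEnd01'
# Enable-SecureBootOnVM -VMName 'WebFrontEnd01'
```

A VM that reports Compliant = $false is booting whatever image its disk, DVD or PXE server hands it, with no signature check by the firmware; running the audit as a scheduled task and alerting on that column is a simple way to catch a VM that was created or reconfigured with the option turned off. Note that enabling Secure Boot on a guest whose operating system ships an unsigned or unrecognized boot loader will stop it from booting, so test the change on a non-production copy first.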