The Register is reporting that future versions of the Windows Server OS are going to require a TPM 2.0 chip and Secure Boot enabled by default. Secure Boot is quite helpful in validating that a server boots only signed, trusted firmware and OS loader code. It sounds basic and straightforward, but if your VM administrators are not preparing for this change now, a much-overlooked setting in the hypervisor (the virtual firmware type chosen when the VM was created) might backfire and leave you unable to enable Secure Boot or a virtual TPM at all. That scenario would be a disaster if your security team suddenly issued a decree stating that you must enable these settings by some date.

If your VMs are built on Hyper-V, a Generation 1 virtual machine uses legacy BIOS-type firmware, not UEFI. Only Generation 2 VMs boot with UEFI firmware, and only they support Secure Boot and a virtual TPM, which is Hyper-V's emulation of the TPM chip on a physical mainboard.

Use Generation 2 for all new Hyper-V VMs if possible

A Generation 1 VM cannot be switched to Generation 2 in place: the VM has to be recreated with the Gen 2 option and its disk converted to the VHDX format, and because UEFI boots from a GPT disk with an EFI system partition, the guest's MBR-partitioned system disk must be converted as well. I personally would not feel comfortable going through this process with your critical SQL Server VMs, so a migration to a freshly built Gen 2 VM might need to be considered here.
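As an added example (not code from the original post), here is how the Gen 2 choice looks from the Hyper-V host: a new VM created as Generation 2 with Secure Boot and a virtual TPM switched on before any OS is installed, followed by an audit of every VM on the host so you can see which ones are stuck on Generation 1 and can never get these settings without a rebuild. The VM name, disk path, sizes and switch name are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Hyper-V host. Names, paths and sizes below are assumptions.

$vmName  = 'SRV-TEMPLATE-GEN2'                            # assumed VM name
$vhdPath = 'D:\Hyper-V\Disks\SRV-TEMPLATE-GEN2.vhdx'      # assumed path; Gen 2 requires VHDX
$switch  = 'vSwitch-Prod'                                 # assumed virtual switch name

# Generation 2 means UEFI firmware. The generation cannot be changed after creation.
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 80GB -SwitchName $switch | Out-Null

# Secure Boot with the Microsoft Windows certificate template
# (use 'MicrosoftUEFICertificateAuthority' for most Linux guests).
Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

# A vTPM needs a key protector. On a standalone host without a Host Guardian
# Service, a local key protector is enough; guarded/clustered hosts should use HGS.
Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
Enable-VMTPM -VMName $vmName

# Verify what the OS installer will see.
Get-VMFirmware -VMName $vmName | Select-Object VMName, SecureBoot, SecureBootTemplate
Get-VMSecurity -VMName $vmName | Select-Object VMName, TpmEnabled

# Audit: Gen 1 VMs can never get Secure Boot or a vTPM without a rebuild;
# Gen 2 VMs may simply not have the switch flipped yet.
Get-VM | ForEach-Object {
    $fw  = if ($_.Generation -eq 2) { Get-VMFirmware -VM $_ } else { $null }
    $sec = Get-VMSecurity -VM $_
    [pscustomobject]@{
        Name       = $_.Name
        Generation = $_.Generation
        SecureBoot = if ($fw) { $fw.SecureBoot } else { 'N/A (BIOS)' }
        vTPM       = $sec.TpmEnabled
        Action     = if ($_.Generation -eq 1) { 'Rebuild as Gen 2' }
                     elseif ($fw.SecureBoot -ne 'On' -or -not $sec.TpmEnabled) { 'Enable Secure Boot / vTPM' }
                     else { 'Ready' }
    }
} | Sort-Object Generation, Name | Format-Table -AutoSize
```

The audit at the end is the part worth scheduling now: the "Rebuild as Gen 2" rows are the VMs that will need a migration, not a settings change, when the decree arrives.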

The same goes for VMware, where many guest OS types still default to BIOS firmware instead of EFI. This setting cannot be safely changed after the VM's OS is installed: flipping a BIOS VM to EFI leaves the guest unbootable unless you also convert its system disk from MBR to GPT and rebuild the boot loader, and again I don't recommend this for your production servers, so make sure the firmware is set to EFI before the OS is installed. Note also that a virtual TPM on vSphere depends on VM encryption, so a key provider (an external KMS or the vSphere Native Key Provider) has to be configured in vCenter before a vTPM can be added.

VMware Firmware settings should be set prior to OS installation
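The equivalent on the VMware side, as an added example that is not from the original post, uses PowerCLI to set a powered-off template VM to EFI firmware with Secure Boot and add a vTPM before the OS goes on, then lists every VM and template whose firmware is still BIOS. The vCenter address and VM name are assumptions; the vTPM cmdlets need PowerCLI 12 or later and a key provider already configured in vCenter.

```powershell
# Added example, not from the original post. Requires VMware PowerCLI 12+.
# The vCenter name and VM name are assumptions for illustration.

Connect-VIServer -Server 'vcenter.example.com'     # assumed vCenter; prompts for credentials

$vmName = 'SRV-TEMPLATE-EFI'                        # assumed VM name
$vm = Get-VM -Name $vmName

# Firmware must be chosen before the guest OS is installed, and the VM must be off.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName must be powered off; set firmware before installing the guest OS."
}

# Firmware type and the Secure Boot flag live in the VM config spec (ReconfigVM API).
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
$spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$spec.BootOptions.EfiSecureBootEnabled = $true
$vm.ExtensionData.ReconfigVM($spec)

# vTPM requires EFI firmware, hardware version 14 or later, and a key provider
# (external KMS or Native Key Provider) in vCenter because the vTPM state is encrypted.
New-VTpm -VM $vm | Out-Null

# Verify the result on the refreshed object.
$vm = Get-VM -Name $vmName
[pscustomobject]@{
    Name       = $vm.Name
    Firmware   = $vm.ExtensionData.Config.Firmware
    SecureBoot = $vm.ExtensionData.Config.BootOptions.EfiSecureBootEnabled
    vTPM       = [bool](Get-VTpm -VM $vm)
}

# Audit VMs and templates: anything still on 'bios' needs a rebuild, not a setting change.
@(Get-VM) + @(Get-Template) | ForEach-Object {
    $cfg = $_.ExtensionData.Config
    [pscustomobject]@{
        Name       = $_.Name
        HWVersion  = $cfg.Version
        Firmware   = $cfg.Firmware
        SecureBoot = $cfg.BootOptions.EfiSecureBootEnabled
        Action     = if ($cfg.Firmware -ne 'efi') { 'Rebuild with EFI' }
                     elseif (-not $cfg.BootOptions.EfiSecureBootEnabled) { 'Enable Secure Boot' }
                     else { 'Ready' }
    }
} | Sort-Object Firmware, Name | Format-Table -AutoSize
```

Run the audit against your templates first: a template still on BIOS firmware will silently stamp the problem onto every VM deployed from it.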

So, build a new VM template with these settings configured properly, or confirm that the templates you currently use have these values set appropriately. If your security team needs these enabled at some point, or if you determine that your workloads can benefit from these settings, you’re then set to just flip the switch. Otherwise, you’re looking at a new VM deployment and a migration, which is just painful for most systems.