How to Configure Hyper-V Generation 2 Virtual Machines on Windows Server 2019

Hyper-V Generation 2 virtual machines represent a significant architectural advancement over Generation 1 VMs in Windows Server 2019. Generation 2 VMs use a purely UEFI-based firmware, remove legacy virtual hardware devices, and support modern features such as Secure Boot, shielded VMs, and faster boot times. Understanding when to use Generation 2 and how to configure its unique features correctly is essential for building a modern Hyper-V infrastructure.

Generation 1 vs Generation 2 Differences

Generation 1 VMs emulate legacy BIOS and include emulated IDE controllers, legacy network adapters, and an emulated COM port. This makes them compatible with a very wide range of operating systems including older Windows and Linux versions. Generation 2 VMs remove all emulated hardware and use synthetic (virtualised) devices exclusively. They boot via UEFI rather than BIOS, support Secure Boot to prevent boot-level malware, use SCSI for all disk I/O including the boot volume, require modern network adapters rather than legacy ones, and support PXE boot using synthetic adapters.

Generation 2 VMs support 64-bit guests only: Windows Server 2012 and later, 64-bit Windows 8 and later, and select 64-bit Linux distributions including RHEL, CentOS, Debian, Ubuntu, SUSE, and Oracle Linux with the appropriate integration services (built into current kernels). You cannot change the generation of an existing VM; it must be specified at creation time.

Creating a Generation 2 Virtual Machine

When creating a VM through Hyper-V Manager, the New Virtual Machine Wizard prompts you to select generation. In PowerShell, use the -Generation parameter with New-VM.

# Create a Generation 2 VM with 4 GB RAM and a new 60 GB VHDX
New-VM -Name "Gen2WebServer" `
    -Generation 2 `
    -MemoryStartupBytes 4GB `
    -NewVHDPath "D:\VMs\Gen2WebServer\Gen2WebServer.vhdx" `
    -NewVHDSizeBytes 60GB `
    -SwitchName "ExternalSwitch"

# Verify the generation
Get-VM -Name "Gen2WebServer" | Select-Object Name, Generation

After creation, configure processor count and other settings before installing the OS.

Set-VMProcessor -VMName "Gen2WebServer" -Count 4
Set-VMMemory -VMName "Gen2WebServer" -DynamicMemoryEnabled $true -MinimumBytes 1GB -StartupBytes 4GB -MaximumBytes 8GB

Configuring Secure Boot on Generation 2 VMs

Secure Boot is enabled by default on Generation 2 VMs and stops the firmware from loading a bootloader that is not signed by a certificate in the VM's trusted database. Windows guests use the MicrosoftWindows template. Linux guests require the MicrosoftUEFICertificateAuthority template, which trusts the Microsoft UEFI CA that signs the shim bootloaders shipped by the major distributions; for a distribution without a signed shim, Secure Boot must be disabled for the installation, and should only be re-enabled afterwards if the installed bootloader is signed. Firmware settings, including the Secure Boot state and template, can only be changed while the VM is turned off.

# Check current Secure Boot configuration
Get-VMFirmware -VMName "Gen2WebServer" | Select-Object SecureBoot, SecureBootTemplate

# Change template for Windows (default)
Set-VMFirmware -VMName "Gen2WebServer" -SecureBootTemplate "MicrosoftWindows"

# Change template for Linux guests
Set-VMFirmware -VMName "Gen2WebServer" -SecureBootTemplate "MicrosoftUEFICertificateAuthority"

# Disable Secure Boot for legacy Linux installs
Set-VMFirmware -VMName "Gen2WebServer" -EnableSecureBoot Off

Configuring Boot Order on Generation 2 VMs

Generation 2 VMs use UEFI firmware and support multiple boot entries. You can configure the boot order to prioritise the network adapter for PXE deployment or the DVD drive for OS installation. Use Get-VMFirmware to see the current boot order and Set-VMFirmware to modify it (the VM must be turned off). Each entry has a BootType of File (a firmware file entry such as the Windows Boot Manager at \EFI\Microsoft\Boot\bootmgfw.efi), Drive (a hard disk or DVD drive) or Network (a synthetic network adapter), and a Device property referencing the underlying virtual device.

# View current firmware boot order
$Firmware = Get-VMFirmware -VMName "Gen2WebServer"
$Firmware.BootOrder | Select-Object BootType, Device, FirmwarePath

# Set boot order: DVD first, then hard disk, then network.
# Set-VMFirmware accepts the device objects directly, which is more reliable
# than filtering BootOrder entries (both the hard disk and the DVD drive show
# up with BootType "Drive"). The DVD drive must already exist on the VM; it is
# added in the next section.
$DVD = Get-VMDvdDrive -VMName "Gen2WebServer"
$HDD = Get-VMHardDiskDrive -VMName "Gen2WebServer" -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0
$NIC = Get-VMNetworkAdapter -VMName "Gen2WebServer"

Set-VMFirmware -VMName "Gen2WebServer" -BootOrder $DVD, $HDD, $NIC

Adding a DVD Drive for OS Installation

Generation 2 VMs use SCSI-attached DVD drives rather than IDE. Add a DVD drive and attach an ISO image for OS installation.

# Add a DVD drive to SCSI controller 0
Add-VMDvdDrive -VMName "Gen2WebServer" -ControllerNumber 0 -ControllerLocation 1

# Attach the Windows Server 2019 ISO
Set-VMDvdDrive -VMName "Gen2WebServer" -ControllerNumber 0 -ControllerLocation 1 `
    -Path "D:\ISOs\WindowsServer2019.iso"

# Set the DVD as first boot device. Pass the drive object itself: the "File"
# entry in the boot order is the Windows Boot Manager, not the DVD drive.
$DVD = Get-VMDvdDrive -VMName "Gen2WebServer" -ControllerNumber 0 -ControllerLocation 1
Set-VMFirmware -VMName "Gen2WebServer" -FirstBootDevice $DVD
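Once the operating system is installed, the ISO and the DVD-first boot order are an unnecessary boot path into the VM. The following function is an added example, not code from the original article: it ejects any attached ISO, makes the system disk the first boot device, removes the DVD drive and optionally re-enables Secure Boot. It assumes the layout used above (system disk on SCSI 0:0, DVD drive on SCSI 0:1) and that the VM is turned off.

```powershell
# Added example: post-installation cleanup for a Generation 2 VM.
# Assumptions (not from the original article): system disk at SCSI 0:0,
# DVD drive at SCSI 0:1, VM turned off before the call.
function Complete-Gen2Install {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$DvdControllerNumber = 0,
        [int]$DvdControllerLocation = 1,
        [switch]$ReenableSecureBoot
    )

    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' must be turned off before firmware and drive changes (current state: $($vm.State))."
    }

    # Eject any ISO still attached so a reboot cannot land in the installer.
    $dvd = Get-VMDvdDrive -VMName $VMName -ControllerNumber $DvdControllerNumber `
        -ControllerLocation $DvdControllerLocation -ErrorAction SilentlyContinue
    if ($dvd -and $dvd.Path) {
        Set-VMDvdDrive -VMName $VMName -ControllerNumber $DvdControllerNumber `
            -ControllerLocation $DvdControllerLocation -Path $null
    }

    # Put the system disk first in the UEFI boot order.
    $systemDisk = Get-VMHardDiskDrive -VMName $VMName -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0
    if (-not $systemDisk) { throw "No disk found at SCSI 0:0 on '$VMName'." }
    Set-VMFirmware -VMName $VMName -FirstBootDevice $systemDisk

    # Remove the DVD drive entirely; add it back only when another ISO is needed.
    if ($dvd) {
        Remove-VMDvdDrive -VMName $VMName -ControllerNumber $DvdControllerNumber -ControllerLocation $DvdControllerLocation
    }

    # Only safe when the installed bootloader is signed for the configured template.
    if ($ReenableSecureBoot) {
        Set-VMFirmware -VMName $VMName -EnableSecureBoot On
    }

    # Return the resulting boot order so the caller can verify it.
    (Get-VMFirmware -VMName $VMName).BootOrder | Select-Object BootType, Device, FirmwarePath
}

Complete-Gen2Install -VMName "Gen2WebServer" -ReenableSecureBoot
```

Removing the drive rather than just ejecting the ISO means a later `Set-VMDvdDrive` cannot silently reintroduce a boot path; re-adding a drive is an explicit, auditable change.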

Configuring SCSI Storage for Generation 2 VMs

All storage in Generation 2 VMs is attached via SCSI controllers, eliminating the emulated IDE path. Generation 2 VMs support up to four SCSI controllers, each with up to 64 devices, for a total of 256 storage devices per VM. Only the VHDX format is supported; a legacy .vhd file must be converted with Convert-VHD before it can be attached to a Generation 2 VM.

# View existing SCSI controllers
Get-VMScsiController -VMName "Gen2WebServer"

# Add an additional SCSI controller
Add-VMScsiController -VMName "Gen2WebServer"

# Add a new data disk to SCSI controller 1
New-VHD -Path "D:\VMs\Gen2WebServer\Data01.vhdx" -SizeBytes 100GB -Dynamic
Add-VMHardDiskDrive -VMName "Gen2WebServer" -ControllerType SCSI -ControllerNumber 1 -ControllerLocation 0 `
    -Path "D:\VMs\Gen2WebServer\Data01.vhdx"

Virtual Network Adapters on Generation 2 VMs

Generation 2 VMs only support synthetic network adapters — the legacy emulated adapter is not available. The synthetic adapter has significantly better performance than the legacy adapter in Generation 1 VMs. PXE boot is also supported on synthetic adapters in Generation 2 without requiring a legacy adapter.

# Add a second network adapter to a Generation 2 VM
Add-VMNetworkAdapter -VMName "Gen2WebServer" -Name "StorageNetwork" -SwitchName "StorageSwitch"

# List all network adapters
Get-VMNetworkAdapter -VMName "Gen2WebServer" | Select-Object Name, SwitchName, MacAddress

Enabling TPM for Generation 2 VMs

Generation 2 VMs support a virtual Trusted Platform Module (vTPM), which is required for BitLocker disk encryption within the VM and for Windows 11 guest compatibility. The vTPM requires a Key Protector to be configured, which ties the VM to a Host Guardian Service or a local self-signed guardian. With a local guardian the vTPM state is encrypted to that host's guardian certificates, so the VM will only start on hosts that hold the guardian's private keys; use HGS for any VM that must live-migrate or fail over between hosts. Key Protector and TPM changes require the VM to be turned off.

# Create a self-signed guardian for local vTPM (test/lab only)
$Owner = Get-HgsGuardian -Name "LocalOwner" -ErrorAction SilentlyContinue
if (-not $Owner) {
    $Owner = New-HgsGuardian -Name "LocalOwner" -GenerateCertificates
}

# Create a Key Protector for the VM
$KP = New-HgsKeyProtector -Owner $Owner -AllowUntrustedRoot

# Apply the Key Protector to enable vTPM
Set-VMKeyProtector -VMName "Gen2WebServer" -KeyProtector $KP.RawData
Enable-VMTPM -VMName "Gen2WebServer"

# Verify TPM is enabled
Get-VMSecurity -VMName "Gen2WebServer" | Select-Object VMName, TpmEnabled, KsdEnabled

Enabling Shielded VM Features

Generation 2 VMs with Secure Boot and vTPM enabled can be deployed as Shielded VMs, providing protection against malicious or compromised fabric administrators. Shielding encrypts the VM's disks and state, encrypts live migration traffic, blocks console access from the host, and restricts which Hyper-V hosts can run the VM to those that pass Host Guardian Service attestation. The VM must be turned off and hold an HGS-issued Key Protector before the policy can be set.

# Enable Shielding (requires HGS infrastructure)
Set-VMSecurityPolicy -VMName "Gen2WebServer" -Shielded $true

# Check VM security settings
Get-VMSecurity -VMName "Gen2WebServer"
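The Secure Boot, vTPM and shielding settings above are per-VM and easy to drift, for example when someone disables Secure Boot for a Linux install and never turns it back on. The function below is an added example, not code from the original article: it checks every Generation 2 VM on the host against a baseline (Secure Boot on, expected template, vTPM enabled, optionally Shielded, no ISO attached) and returns one object per VM with its findings. The convention of inferring the expected template from the word "Linux" in the VM's Notes field is an assumption made for this example.

```powershell
# Added example: audit Generation 2 VMs on this host for firmware and security drift.
# Assumption (not from the original article): a VM whose Notes field mentions
# "Linux" is expected to use the MicrosoftUEFICertificateAuthority template.
function Get-Gen2SecurityReport {
    param(
        [switch]$RequireShielded
    )

    foreach ($vm in Get-VM | Where-Object { $_.Generation -eq 2 }) {
        $fw  = Get-VMFirmware -VMName $vm.Name
        $sec = Get-VMSecurity -VMName $vm.Name

        $expectedTemplate = if ($vm.Notes -match 'Linux') {
            'MicrosoftUEFICertificateAuthority'
        } else {
            'MicrosoftWindows'
        }

        $findings = @()
        if ($fw.SecureBoot -ne 'On') { $findings += 'SecureBootDisabled' }
        if ($fw.SecureBootTemplate -ne $expectedTemplate) { $findings += "UnexpectedTemplate:$($fw.SecureBootTemplate)" }
        if (-not $sec.TpmEnabled) { $findings += 'TpmDisabled' }
        if ($RequireShielded -and -not $sec.Shielded) { $findings += 'NotShielded' }

        # A DVD drive with media attached is a boot path that should not persist.
        $mounted = Get-VMDvdDrive -VMName $vm.Name | Where-Object { $_.Path }
        if ($mounted) { $findings += 'IsoAttached' }

        [pscustomobject]@{
            VMName             = $vm.Name
            State              = $vm.State
            SecureBoot         = $fw.SecureBoot
            SecureBootTemplate = $fw.SecureBootTemplate
            TpmEnabled         = $sec.TpmEnabled
            Shielded           = $sec.Shielded
            Compliant          = ($findings.Count -eq 0)
            Findings           = ($findings -join ',')
        }
    }
}

# Show only the VMs that deviate from the baseline.
Get-Gen2SecurityReport -RequireShielded |
    Where-Object { -not $_.Compliant } |
    Format-Table VMName, State, SecureBoot, SecureBootTemplate, TpmEnabled, Shielded, Findings -AutoSize
```

Run it from a scheduled task or a configuration-management check; the objects it returns can be exported with Export-Csv or fed to alerting without parsing console output.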

Converting Generation 1 to Generation 2

Hyper-V does not support in-place generation conversion. To migrate a Gen 1 VM to Gen 2, you must create a new Gen 2 VM and migrate the workload. The typical approach involves installing the OS fresh on a Gen 2 VM and migrating application data, or using third-party tools for P2V/V2V conversion that handle the BIOS-to-UEFI transition including MBR-to-GPT disk conversion.

If converting a Windows VM manually, the system disk must use the GPT partition layout before it is attached to a Gen 2 VM, because UEFI firmware cannot boot Windows from an MBR disk. Run MBR2GPT.exe inside the running Gen 1 VM (the /allowFullOS switch permits running it outside Windows PE), then shut the VM down. Take a backup or checkpoint first: once converted, the disk will no longer boot in the Gen 1 VM, since its BIOS firmware cannot boot a GPT system disk. The disk must also be a VHDX file; Gen 2 VMs do not accept .vhd, so convert it with Convert-VHD if necessary.

# Inside the Gen 1 source VM - validate disk can be converted
MBR2GPT.exe /validate /allowFullOS

# Perform the conversion
MBR2GPT.exe /convert /allowFullOS
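Once MBR2GPT has converted the system disk and the Gen 1 VM is shut down, the remaining work is on the host: copy (or convert) the disk and build a Gen 2 VM around it. The function below is an added example, not code from the original article. It assumes the Gen 1 system disk sits at IDE 0:0, that the conversion has already been validated inside the guest, and that the VM and folder names are placeholders.

```powershell
# Added example: create a Generation 2 VM from the GPT-converted system disk of a
# Generation 1 VM. Assumptions (not from the original article): MBR2GPT has already
# run inside the source guest, the source VM is turned off, and its system disk is
# attached at IDE controller 0, location 0.
function New-Gen2FromConvertedDisk {
    param(
        [Parameter(Mandatory)][string]$SourceVMName,
        [Parameter(Mandatory)][string]$NewVMName,
        [Parameter(Mandatory)][string]$TargetFolder,
        [string]$SwitchName,
        [ValidateSet('MicrosoftWindows', 'MicrosoftUEFICertificateAuthority')]
        [string]$SecureBootTemplate = 'MicrosoftWindows'
    )

    $source = Get-VM -Name $SourceVMName
    if ($source.Generation -ne 1) { throw "'$SourceVMName' is not a Generation 1 VM." }
    if ($source.State -ne 'Off')  { throw "Turn off '$SourceVMName' before copying its disk." }

    # Gen 1 VMs boot from IDE controller 0, location 0.
    $sourceDisk = Get-VMHardDiskDrive -VMName $SourceVMName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0
    if (-not $sourceDisk) { throw "No system disk found at IDE 0:0 on '$SourceVMName'." }

    $vhdInfo = Get-VHD -Path $sourceDisk.Path
    if ($vhdInfo.VhdType -eq 'Differencing') {
        throw "Merge the checkpoint chain of '$SourceVMName' before migrating; differencing disks are not handled here."
    }

    New-Item -ItemType Directory -Path $TargetFolder -Force | Out-Null
    $targetDisk = Join-Path $TargetFolder "$NewVMName.vhdx"

    # Gen 2 VMs accept VHDX only. Convert a legacy .vhd; otherwise copy, so the
    # original file is left untouched as a rollback point.
    if ($vhdInfo.VhdFormat -eq 'VHD') {
        Convert-VHD -Path $sourceDisk.Path -DestinationPath $targetDisk -VHDType Dynamic
    } else {
        Copy-Item -Path $sourceDisk.Path -Destination $targetDisk
    }

    # Build the Gen 2 VM around the existing disk instead of a blank one.
    $newVmParams = @{
        Name               = $NewVMName
        Generation         = 2
        MemoryStartupBytes = $source.MemoryStartup
        VHDPath            = $targetDisk
    }
    if ($SwitchName) { $newVmParams.SwitchName = $SwitchName }
    $newVm = New-VM @newVmParams

    Set-VMProcessor -VMName $NewVMName -Count $source.ProcessorCount
    Set-VMFirmware -VMName $NewVMName -EnableSecureBoot On -SecureBootTemplate $SecureBootTemplate

    # Boot straight from the migrated disk, which New-VM attached at SCSI 0:0.
    $bootDisk = Get-VMHardDiskDrive -VMName $NewVMName -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0
    Set-VMFirmware -VMName $NewVMName -FirstBootDevice $bootDisk

    $newVm
}

New-Gen2FromConvertedDisk -SourceVMName "LegacyWebServer" -NewVMName "Gen2WebServer" `
    -TargetFolder "D:\VMs\Gen2WebServer" -SwitchName "ExternalSwitch"
```

Keep the source VM and its original disk until the new VM has booted and been verified; if Windows fails to start, the most common causes are an MBR disk (MBR2GPT was not run or failed) or a Secure Boot template that does not match the guest.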

Conclusion

Hyper-V Generation 2 virtual machines in Windows Server 2019 deliver faster boot times, Secure Boot support, virtual TPM, and higher storage performance through SCSI controllers. New Windows and modern Linux deployments should always use Generation 2. The PowerShell cmdlets for firmware, security, and device configuration provide full programmatic control over all Generation 2-specific features, enabling automated deployment of secure, modern VM workloads.