I am running Windows Server 2012 R2 Essentials as a VM on Hyper-V Server 2012 R2 (server core). In checking MSINFO32 I see "Secure Boot State" is "On" for Essentials, but given my current configuration I believe this should be "Off?"
I setup a new Hyper-V Server 2012 R2 (server core) using an Areca ARC-1224-8i RAID controller. It was unclear to me whether or not the Areca RAID controller would support UEFI or not, but since Secure Boot was desirable I decided to try a UEFI installation. I created two volumes on the RAID controller. C drive of 80 Gb and D drive of the remainder (about 9 Tb). I checked the file C:\Windows\Panther\setupact.log and saw the message which told me this was an EFI installation/boot.
After Hyper-V was installed I then setup Essentials as a VM on the D drive.
When I ran MSINFO32 in both Hyper-V and Essentials and I saw the Secure Boot State was On which was expected (and desired) for both OS levels.
Several days later I started having problems. The system seemed to have crashed and during multiple attempts to reboot the Hyper-V server couldn't seem to detect the RAID controller. If I tried a new Hyper-V installation and loaded the RAID driver the RAID controller was seen, but when Hyper-V itself tried to boot it seemed as though the RAID driver was not being loaded and thus the RAID controller could not be found (and along with it my C boot drive was missing)?
Since I had some suspicion that the RAID controller might not support UEFI I decided to re-install Hyper-V, but this time using the Legacy BIOS. After the installation was completed I again verified the setupact.log and saw BIOS rather than EFI (as expected).
I then re-attached my Essentials VM (which was left untouched on the D drive) and got everything running again.
But now when I check MSINFO32 within Hyper-V it showed Secure Boot State Off (expected given that UEFI was not used). But when checking MSINFO32 within Essentials it showed Secure Boot State On.
I thought one purpose of Secure Boot was to create a chain of trust. Given that Hyper-V can no longer verify this chain (since UEFI is not used) I would have expected any VM running above Hyper-V to be in the same state, i.e., Secure Boot State Off? When the underlying Hyper-V layer changed I would have expected that to change Essentials view of the world? So it looks to me as though this is not being handled correctly?
Thanks for any assistance you can provide.
P.S. In case this makes any difference I am using a motherboard with a TPM and both the C and D drives were encrypted with BitLocker. The C drive used a TPM key and the D drive had a password and was setup to autounlock.
After I re-installed Hyper-V on the C drive I then manually entered the BitLocker password in order to access the Essentials VM on the D drive.
Theokrat