The latest release from Citrix can now work in Microsoft Hyper-V environments where the Secure Boot feature for Generation 2 VMs is enabled.
Citrix XenApp 7.12 support in Secure Boot environments represents a move to further enhanced security at the foundation of the system. With this feature enabled, IT can be more confident that only boot time sanctioned code is running while the operating system loads, and that Citrix XenApp has met the requirements for such a secure environment.
Secure Boot is a foundational requirement for a great catalog of additional security enhancements within Windows Server 2016 Hyper-V. This blog post – the seventh in our “Getting Ready for Windows Server 2016” Blog series – provides a quick overview of these Hyper-V features and our initial guidance on what XenApp/XenDesktop administrators and IT test teams should really start investigating for their Windows Server 2016 Hyper-V based implementations.
With Windows Server 2016 Hyper-V Secure Boot enabled, Gen2 VMs are endowed with a set of platform-level security features not previously available. These features work to block various attack vectors, from authentication and run-time compute to potential VM disk manipulation by bad actors. Employing as many of these Hyper-V enabled features as is reasonable within your particular environment should be seriously considered in virtualization designs as we move forward.
Once Secure Boot has been enabled, only properly signed and certified device drivers can load within the Microsoft Windows environment during boot time. With Citrix XenApp 7.12 all drivers have now completed the required certifications to load within a Secure Boot VM.
The additional security features mentioned in the previous section; vTPM, VM Encryption, BitLocker, Credential Guard, Device Guard Improved Security, and Shielded VMs, are supported only for investigations at this time (such as the case with my explorations of the OS in this series). We are encouraging our partners, customer and prospects to evaluate these features with XenApp and XenDesktop 7.12. Please provide us with feedback through your regular support channels, however critical support for production environments is not yet available for these additional features at this time. Please consider them in a Technical Preview state as part of the 7.12 release.
How it works:
Secure Boot support was originally introduced in Windows 8 and required UEFI 2.3.1 or later support in the underlying computer hardware. Support for Hyper-V Gen2 VMs, UEFI, and Secure Boot of those VMs was first introduced in Microsoft Windows Server 2012 R2 Hyper-V. Neither the Windows Client, Server or Gen2 VMs require a Trusted Platform Module (TPM) to be installed in the base hardware in order for Secure Boot to be enabled.