How to Disable PXE Boot in Hyper-V VMs: A Complete Technical Guide

When working with Hyper-V virtual machines (especially on Windows Server 2012 R2), you might notice that network adapters always appear in the boot order list - even when you don't want PXE boot capability. The Hyper-V Manager interface (Settings > Firmware > Boot Order) only lets you rearrange boot priorities rather than completely removing network boot options.

PXE boot presents several security considerations:

  • Potential exposure to network-based attacks during the boot process
  • Unauthorized OS installations via network boot
  • Increased attack surface for virtual infrastructure

Here are effective methods to prevent PXE boot in Hyper-V VMs:

Method 1: Using PowerShell to Modify VM Settings


# First, get your VM's current settings
$vm = Get-VM -Name "YourVMName"

# Generation 2 VMs: rebuild the UEFI boot order from the hard disk drives only, which drops the
# network adapter entry (Secure Boot is left untouched; it is a separate, useful control)
Set-VMFirmware -VMName $vm.Name -BootOrder (Get-VMHardDiskDrive -VMName $vm.Name)

# Alternative: only move the first hard disk to the front; the network entry stays in the list, just later
Set-VMFirmware -VMName $vm.Name -FirstBootDevice (Get-VMHardDiskDrive -VMName $vm.Name | Select-Object -First 1)

Method 2: Direct Configuration via VM Configuration File

For advanced users, you can edit the VM's configuration XML (located in the Virtual Machines directory) while the VM is powered off; note that hand-editing this file is not supported by Microsoft, so prefer the PowerShell methods where possible. The boot entries are listed in priority order, for example hard disk first and network second:

    1  hdd
    2  network

Method 3: Network Adapter Configuration


# Generation 1 VMs: only the legacy (emulated) adapter can PXE boot, so removing it takes
# the network out of boot considerations entirely; synthetic adapters are unaffected
Get-VMNetworkAdapter -VMName "YourVMName" -IsLegacy | Remove-VMNetworkAdapter

The persistent PXE boot capability stems from Hyper-V's design philosophy:

  • Maintaining flexibility for dynamic provisioning scenarios
  • Supporting common virtualization workflows
  • Backward compatibility with legacy systems

After making changes, verify your configuration:


# Check current boot order (Generation 2 VMs; Generation 1 VMs report theirs via Get-VMBios)
Get-VMFirmware -VMName "YourVMName" | Select-Object -ExpandProperty BootOrder

# Ensure network boot is not in the priority list: this should return nothing
(Get-VMFirmware -VMName "YourVMName").BootOrder | Where-Object { $_.BootType -eq 'NetworkAdapter' }

For Generation 2 VMs, enabling Secure Boot can help mitigate PXE-related risks:


Set-VMFirmware -VMName "YourVMName" -EnableSecureBoot On

This restricts the VM to boot loaders signed by a trusted certificate authority, so unsigned or tampered PXE boot images are rejected; it does not by itself remove the network entry from the boot order.

  • Test changes in a non-production environment first
  • Document your configuration changes for audit purposes
  • Consider network-level controls if VM-level restrictions aren't sufficient

While working with Hyper-V on Windows Server 2012 R2, you might notice virtual machines retain their PXE boot capability even when you've configured other boot priorities. Unlike physical hardware where BIOS/UEFI settings offer clear PXE boot disable options, Hyper-V presents unique challenges.

PXE boot introduces potential security vulnerabilities including:

  • Unauthorized network boot attempts
  • Potential exposure to rogue DHCP servers
  • Information disclosure through boot logs
  • Possible attack vector for network-based exploits

While Hyper-V Manager's UI doesn't provide a direct PXE disable option, these methods work:

Method 1: Using PowerShell to Modify VM Configuration

# Get current VM configuration
$vm = Get-VM -Name "YourVMName"

# Generation 2: keep every existing boot entry except network adapters, preserving their relative order
$keep = (Get-VMFirmware -VM $vm).BootOrder | Where-Object { $_.BootType -ne 'NetworkAdapter' }
if (-not $keep) { throw "No non-network boot device would remain; add a disk first." }
Set-VMFirmware -VM $vm -BootOrder $keep

Method 2: Network Adapter Removal from Boot Order via WMI

$vmName = "YourVMName"
$ns     = "root\virtualization\v2"
$mgmt   = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService
$vm     = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "ElementName='$vmName'"
$vmSettings = $vm.GetRelated("Msvm_VirtualSystemSettingData") |
    Where-Object { $_.VirtualSystemType -eq "Microsoft:Hyper-V:System:Realized" }

# BootSourceOrder holds the Msvm_BootSourceSettingData paths in priority order (Generation 2 only);
# keep everything except network entries (BootSourceType 2 = Network)
$keep = foreach ($path in $vmSettings.BootSourceOrder) {
    if (([wmi]$path).BootSourceType -ne 2) { $path }
}
$vmSettings.BootSourceOrder = [string[]]$keep

# Boot order changes go through the management service, not the settings object itself
$result = $mgmt.ModifySystemSettings($vmSettings.GetText(1))   # 1 = CimDtd20 text format
if ($result.ReturnValue -notin 0, 4096) { throw "ModifySystemSettings failed with $($result.ReturnValue)" }

Method 3: Using SCVMM (System Center Virtual Machine Manager)

If available in your environment:

  1. Open SCVMM console
  2. Right-click the VM and select Properties
  3. Navigate to Hardware Configuration > Network Adapter
  4. Check "This network adapter does not participate in PXE"

The inability to completely remove network boot from the boot order stems from Hyper-V's architecture. The synthetic network adapter emulates physical hardware that inherently supports PXE. Microsoft likely preserved this capability for:

  • Consistency with physical hardware behavior
  • Emergency recovery scenarios
  • Support for network-based deployment systems

Beyond disabling PXE boot, consider these additional measures:

# Example: Configure VM Network Isolation (these limit what a network-booted or compromised VM can do; they do not disable PXE)
Set-VMNetworkAdapter -VMName "YourVMName" -MacAddressSpoofing Off        # VM cannot send frames with a different source MAC
Set-VMNetworkAdapterVlan -VMName "YourVMName" -Access -VlanId 100        # confine the VM to a single access VLAN
Set-VMNetworkAdapter -VMName "YourVMName" -DhcpGuard On -RouterGuard On  # drop DHCP-server and router advertisements sent by the VM

After implementing changes:

# Verify PXE boot status (Generation 2 firmware boot order; Generation 1 VMs report theirs via Get-VMBios)
Get-VMFirmware -VMName "YourVMName" | Select-Object -ExpandProperty BootOrder

# Check network adapter configuration
Get-VMNetworkAdapter -VMName "YourVMName" | Format-List *
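As an added example (not code from the original article), the two functions below turn the verification and removal steps from both halves of this guide into a host-wide audit: they report which VMs can still network-boot, for both generations, and remove that capability on request. The function names are mine; the script assumes the Hyper-V PowerShell module and an administrative session on the host.

```powershell
# Added example, not from the article: audit every VM on the host for a network entry in
# its boot configuration and remove it, covering both generations. Function names are mine;
# assumes the Hyper-V PowerShell module, run as administrator on the host.
function Get-VMNetworkBootStatus {
    param([string]$VMName = "*")
    foreach ($vm in Get-VM -Name $VMName) {
        if ($vm.Generation -eq 2) {
            # UEFI firmware lists network adapters with BootType 'NetworkAdapter'
            $net = (Get-VMFirmware -VM $vm).BootOrder | Where-Object { $_.BootType -eq 'NetworkAdapter' }
            $canBoot = [bool]$net
            $reason  = if ($canBoot) { "network adapter in UEFI boot order" } else { "" }
        } else {
            # BIOS VMs PXE boot only through a legacy (emulated) adapter that is also in the startup order
            $legacy  = Get-VMNetworkAdapter -VM $vm -IsLegacy
            $order   = (Get-VMBios -VM $vm).StartupOrder
            $canBoot = [bool]$legacy -and ($order -contains 'LegacyNetworkAdapter')
            $reason  = if ($canBoot) { "legacy adapter present and in BIOS startup order" } else { "" }
        }
        [pscustomobject]@{ VMName = $vm.Name; Generation = $vm.Generation; NetworkBootable = $canBoot; Reason = $reason }
    }
}

function Disable-VMNetworkBoot {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName)
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') { throw "Power off '$VMName' before changing its boot configuration." }
    if ($vm.Generation -eq 2) {
        # Rebuild the UEFI boot order without network entries; the other devices keep their order
        $keep = @((Get-VMFirmware -VM $vm).BootOrder | Where-Object { $_.BootType -ne 'NetworkAdapter' })
        if ($keep.Count -eq 0) { throw "'$VMName' has no non-network boot device; add a disk first." }
        if ($PSCmdlet.ShouldProcess($VMName, "remove network entries from UEFI boot order")) {
            Set-VMFirmware -VM $vm -BootOrder $keep
        }
    } else {
        # Generation 1: remove the legacy adapter; synthetic adapters cannot PXE boot in BIOS VMs
        if ($PSCmdlet.ShouldProcess($VMName, "remove legacy network adapter")) {
            Get-VMNetworkAdapter -VM $vm -IsLegacy | Remove-VMNetworkAdapter
        }
    }
}

# Usage (constructed): list VMs that can still network-boot, then preview remediation with -WhatIf
Get-VMNetworkBootStatus | Where-Object { $_.NetworkBootable } |
    ForEach-Object { Disable-VMNetworkBoot -VMName $_.VMName -WhatIf }
```

Drop -WhatIf once the preview output matches what you expect; the audit output doubles as the configuration record the guide recommends keeping.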

If you encounter problems:

  • Ensure VM is powered off when making configuration changes
  • Check Hyper-V integration services version
  • Verify you have proper administrative privileges
  • Consider recreating the VM network adapter if issues persist