Enable Trusted launch on existing Azure VMs

Applies to: ✔️ Linux VM ✔️ Windows VM ✔️ Generation 2 VM

Azure Virtual Machines supports enabling Trusted launch on existing Azure Generation 2 VMs by upgrading to Trusted launch security type.

Trusted launch is a way to enable foundational compute security on Azure Generation 2 VMs. Trusted launch protects your Virtual Machines against advanced and persistent attack techniques like boot kits and rootkits by combining infrastructure technologies like Secure Boot, vTPM and Boot Integrity Monitoring on your VM.

Important

• If enabled for Generation 2 VM, Server-side encryption with customer-managed keys (SSE-CMK) should be disabled before executing Trusted launch upgrade. SSE-CMK encryption should be re-enabled after completion of Trusted launch upgrade.
• Support for enabling Trusted launch on existing Azure Generation 1 VMs is currently in private preview. You can gain access to preview using registration link https://aka.ms/Gen1ToTLUpgrade.
• Enabling Trusted launch on existing Azure virtual machine scale sets (VMSS) Uniform & Flex are currently not supported.

Prerequisites

• Azure Generation 2 VM(s) is configured with:
  • Trusted launch supported size family
  • Trusted launch supported OS Image. For custom OS image or disks, the base image should be Trusted launch capable.
• Azure Generation 2 VM(s) is not using features currently not supported with Trusted launch.
• Azure Generation 2 VM(s) should be stopped and deallocated before enabling Trusted launch security type.
• Azure Backup if enabled for VM(s) should be configured with Enhanced Backup Policy. Trusted launch security type cannot be enabled for Generation 2 VM(s) configured with Standard Policy backup protection.
  • Existing Azure VM backup can be migrated from Standard to Enhanced policy using private preview migration feature. Submit on-boarding request to preview using link https://aka.ms/formBackupPolicyMigration.

Best practices

• Enable Trusted launch on a test Generation 2 VM and ensure if any changes are required to meet the prerequisites before enabling Trusted launch on Generation 2 VMs associated with production workloads.
• Create restore point for Azure Generation 2 VM(s) associated with production workloads before enabling Trusted launch security type. You can use the Restore Point to re-create the disks and Generation 2 VM with the previous well-known state.

Enable Trusted launch on existing VM

Note

• After enabling Trusted launch, currently virtual machines cannot be rolled back to security type Standard (Non-Trusted launch configuration).
• vTPM is enabled by default.
• Secure Boot is recommended to be enabled (not enabled by default) if you are not using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.

Portal

This section steps through using the Azure portal to enable Trusted launch on existing Azure Generation 2 VM.

1. Log in to Azure portal
2. Validate virtual machine generation is V2 and Stop VM.

3. On Overview page in VM Properties, Select Standard under Security type. This navigates to Configuration page for VM.

4. Select drop-down Security type under Security type section of Configuration page.

5. Select Trusted launch under drop-down and select check-boxes to enable Secure Boot and vTPM. Click Save after making required changes.

Note

• Generation 2 VMs created using Azure Compute Gallery (ACG), Managed Image, OS Disk cannot be upgraded to Trusted launch using Portal. Please ensure OS Version is supported for Trusted launch and use PowerShell, CLI or ARM template to execute upgrade.

6. Close the Configuration page once the update is successfully complete and validate Security type under VM properties on Overview page.

7. Start the upgraded Trusted launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

CLI

This section steps through using the Azure CLI to enable Trusted launch on existing Azure Generation 2 VM.

Make sure that you've installed the latest Azure CLI and are logged in to an Azure account with az login.

1. Log in to Azure Subscription

az login

az account set --subscription 00000000-0000-0000-0000-000000000000

2. Deallocate VM

az vm deallocate \
    --resource-group myResourceGroup --name myVm

3. Enable Trusted launch by setting --security-type to TrustedLaunch.

az vm update \
    --resource-group myResourceGroup --name myVm \
    --security-type TrustedLaunch \
    --enable-secure-boot true --enable-vtpm true

4. Validate output of previous command. securityProfile configuration is returned with command output.

{
  "securityProfile": {
    "securityType": "TrustedLaunch",
    "uefiSettings": {
      "secureBootEnabled": true,
      "vTpmEnabled": true
    }
  }
}

5. Start the VM.

az vm start \
    --resource-group myResourceGroup --name myVm

6. Start the upgraded Trusted launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

PowerShell

This section steps through using the Azure PowerShell to enable Trusted launch on existing Azure Generation 2 VM.

Make sure that you've installed the latest Azure PowerShell and are logged in to an Azure account with Connect-AzAccount.

1. Log in to Azure Subscription

Connect-AzAccount -SubscriptionId 00000000-0000-0000-0000-000000000000

2. Deallocate VM

Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm

3. Enable Trusted launch by setting --security-type to TrustedLaunch.

Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Update-AzVM -SecurityType TrustedLaunch `
        -EnableSecureBoot $true -EnableVtpm $true

4. Validate securityProfile in updated VM configuration.

# Following command output should be `TrustedLaunch`

(Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Select-Object -Property SecurityProfile `
        -ExpandProperty SecurityProfile).SecurityProfile.SecurityType

# Following command output should return `SecureBoot` and `vTPM` settings
(Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Select-Object -Property SecurityProfile `
        -ExpandProperty SecurityProfile).SecurityProfile.Uefisettings

5. Start the VM.

Start-AzVM -ResourceGroupName myResourceGroup -Name myVm

6. Start the upgraded Trusted launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

Template

This section steps through using an ARM template to enable Trusted launch on existing Azure Generation 2 VM.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

1. Review the template.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vmsToUpgrade": {
            "type": "object",
            "metadata": {
                "description": "Specifies the list of Gen2 virtual machines to be upgraded to Trusted launch."
            }
        },
        "vTpmEnabled": {
            "type": "bool",
            "defaultValue": true,
            "metadata": {
                "description": "Specifies whether vTPM should be enabled on the virtual machine."
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2022-11-01",
            "name": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].vmName]",
            "location": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].location]",
            "properties": {
                "securityProfile": {
                    "uefiSettings": {
                        "secureBootEnabled": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].secureBootEnabled]",
                        "vTpmEnabled": "[parameters('vTpmEnabled')]"
                    },
                    "securityType": "TrustedLaunch"
                }
            },
            "copy": {
                "name": "vmCopy",
                "count": "[length(parameters('vmsToUpgrade').virtualMachines)]"
            }
        }
    ]
}

2. Edit the parameters json file with virtual machines to be updated with TrustedLaunch security type.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vmsToUpgrade": {
            "value": {
                "virtualMachines": [
                    {
                        "vmName": "myVm01",
                        "location": "westus3",
						            "secureBootEnabled": true
                    },
                    {
                        "vmName": "myVm02",
                        "location": "westus3",
						            "secureBootEnabled": true
                    }
                ]
            }
        }
    }
}

Parameter file definition

Property	Description of Property	Example template value
vmName	Name of Azure Generation 2 VM	"myVm"
location	Location of Azure Generation 2 VM	"westus3"
secureBootEnabled	Enable secure boot with Trusted launch security type	true

3. Deallocate all Azure Generation 2 VM(s) to be updated.

Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm01

4. Execute the ARM template deployment.

$resourceGroupName = "myResourceGroup"
$parameterFile = "folderPathToFile\parameters.json"
$templateFile = "folderPathToFile\template.json"

New-AzResourceGroupDeployment `
    -ResourceGroupName $resourceGroupName `
    -TemplateFile $templateFile -TemplateParameterFile $parameterFile

5. Verify that the deployment is successful. Check for the security type and UEFI settings of the VM using Azure portal. Check the Security type section in the Overview page.

6. Start the upgraded Trusted launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

Next steps

(Recommended) Post-Upgrades enable Boot integrity monitoring to monitor the health of the VM using Microsoft Defender for Cloud.

Learn more about Trusted launch and review frequently asked questions