Enable Trusted launch on existing Azure VMs
Applies to: ✔️ Linux VM ✔️ Windows VM ✔️ Generation 2 VM
Trusted launch is a way to enable foundational compute security on Azure Generation 2 VMs. Trusted launch protects your virtual machines against advanced and persistent attack techniques such as bootkits and rootkits by combining infrastructure technologies such as Secure Boot, vTPM, and Boot Integrity Monitoring on your VM.
- If server-side encryption with customer-managed keys (SSE-CMK) is enabled on the Generation 2 VM, disable it before running the Trusted launch upgrade, and re-enable it once the upgrade completes.
- Support for enabling Trusted launch on existing Azure Generation 1 VMs is currently in private preview. You can request access to the preview using the registration link https://aka.ms/Gen1ToTLUpgrade.
- Enabling Trusted launch on existing Azure virtual machine scale sets (VMSS) is currently not supported for either Uniform or Flexible orchestration mode.
- The Azure Generation 2 VM(s) must be configured with:
- The Azure Generation 2 VM(s) must not use features that are currently unsupported with Trusted launch.
- The Azure Generation 2 VM(s) should be stopped and deallocated before the Trusted launch security type is enabled.
- If Azure Backup is enabled for the VM(s), it should be configured with the Enhanced backup policy. The Trusted launch security type cannot be enabled for Generation 2 VM(s) protected by the Standard backup policy.
- An existing Azure VM backup can be migrated from the Standard to the Enhanced policy using the private preview migration feature. Submit an onboarding request for the preview using the link https://aka.ms/formBackupPolicyMigration.
- Enable Trusted launch on a test Generation 2 VM first, and check whether any changes are required to meet the prerequisites before enabling Trusted launch on Generation 2 VMs associated with production workloads.
- Create a restore point for Azure Generation 2 VM(s) associated with production workloads before enabling the Trusted launch security type. You can use the restore point to re-create the disks and the Generation 2 VM in their previous known-good state.
Enable Trusted launch on existing VM
- Currently, after Trusted launch is enabled, a virtual machine cannot be rolled back to the Standard (non-Trusted launch) security type.
- vTPM is enabled by default.
- Enabling Secure Boot is recommended (it is not enabled by default) if you are not using a custom unsigned kernel or unsigned drivers. Secure Boot preserves boot integrity and provides foundational security for the VM.
This section steps through using the Azure portal to enable Trusted launch on an existing Azure Generation 2 VM.
- Log in to the Azure portal.
- Validate that the virtual machine generation is V2 and stop the VM.
- On the Overview page, under VM Properties, select Standard under Security type. This navigates to the Configuration page for the VM.
- Select the Security type drop-down under the Security type section of the Configuration page.
- Select Trusted launch in the drop-down and select the check boxes to enable Secure Boot and vTPM. Click Save after making the required changes.
- Close the Configuration page once the update completes successfully, and validate Security type under VM properties on the Overview page.
- Start the upgraded Trusted launch VM, ensure that it has started successfully, and verify that you are able to log in to the VM using either RDP (for Windows VMs) or SSH (for Linux VMs).
(Recommended) After the upgrade, enable Boot integrity monitoring to monitor the health of the VM using Microsoft Defender for Cloud.
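The same procedure driven from the Azure CLI, as an added example that is not part of the original page or Microsoft's own tooling. It assumes you have already run az login, that RG and VM are placeholder names for a Generation 2 VM that meets the prerequisites above, and that check_eligible is a helper written here rather than an az command.

```shell
#!/bin/sh
# Added example (not from the original page): the portal procedure above driven from the Azure CLI.
# Assumptions: `az login` has been run; RG and VM are placeholder names for a Gen2 VM that meets
# the prerequisites above (no SSE-CMK, no Standard-policy backup, restore point already taken).
set -eu

RG="${RG:-myResourceGroup}"   # placeholder resource group
VM="${VM:-myVm}"              # placeholder VM name

# Helper written for this example (not an az command): decide whether the VM can be upgraded,
# given its Hyper-V generation and current security type. Prints the reason; returns 0 if eligible.
check_eligible() {
  gen="$1"; sectype="$2"
  if [ "$gen" != "V2" ]; then
    echo "not eligible: generation $gen (Generation 1 upgrade is only available in private preview)"
    return 1
  fi
  if [ "$sectype" = "TrustedLaunch" ]; then
    echo "nothing to do: VM is already TrustedLaunch"
    return 1
  fi
  echo "eligible"
  return 0
}

# Full upgrade flow: validate generation, deallocate, switch the security type, start, verify.
upgrade_vm() {
  gen="$(az vm get-instance-view -g "$RG" -n "$VM" --query "instanceView.hyperVGeneration" -o tsv)"
  sectype="$(az vm show -g "$RG" -n "$VM" --query "securityProfile.securityType" -o tsv)"
  # securityType is empty for a Standard (non-Trusted launch) VM, so default it.
  check_eligible "$gen" "${sectype:-Standard}" || return 1
  # The VM must be stopped and deallocated before the security type can change.
  az vm deallocate -g "$RG" -n "$VM"
  # Set Trusted launch and enable both Secure Boot and vTPM in one update.
  az vm update -g "$RG" -n "$VM" \
    --set securityProfile.securityType=TrustedLaunch \
          securityProfile.uefiSettings.secureBootEnabled=true \
          securityProfile.uefiSettings.vTpmEnabled=true
  # Start the VM and confirm the security profile before testing RDP/SSH access.
  az vm start -g "$RG" -n "$VM"
  az vm show -g "$RG" -n "$VM" --query "securityProfile" -o json
}

# Run the upgrade only when explicitly requested, e.g. RUN_UPGRADE=1 sh upgrade.sh
if [ "${RUN_UPGRADE:-0}" = "1" ]; then
  upgrade_vm
fi
```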