Enable Trusted launch on existing Azure VMs

Applies to: ✔️ Linux VM ✔️ Windows VM ✔️ Generation 2 VM

Azure Virtual Machines supports enabling Trusted launch on existing Azure Generation 2 VMs by upgrading to Trusted launch security type.

Trusted launch is a way to enable foundational compute security on Azure Generation 2 VMs. Trusted launch protects your Virtual Machines against advanced and persistent attack techniques like boot kits and rootkits by combining infrastructure technologies like Secure Boot, vTPM and Boot Integrity Monitoring on your VM.


  • Support for enabling Trusted launch on existing Azure Generation 1 VMs is currently in private preview. You can gain access to preview using registration link https://aka.ms/Gen1ToTLUpgrade.
  • Enabling Trusted launch on existing Azure virtual machine scale sets (VMSS) Uniform & Flex are currently not supported.


Best practices

  • Enable Trusted launch on a test Generation 2 VM and ensure if any changes are required to meet the prerequisites before enabling Trusted launch on Generation 2 VMs associated with production workloads.
  • Create restore point for Azure Generation 2 VM(s) associated with production workloads before enabling Trusted launch security type. You can use the Restore Point to re-create the disks and Generation 2 VM with the previous well-known state.

Enable Trusted launch on existing VM


  • After enabling Trusted launch, currently virtual machines cannot be rolled back to security type Standard (Non-Trusted launch configuration).
  • vTPM is enabled by default.
  • Secure Boot is recommended to be enabled (not enabled by default) if you are not using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.

This section steps through using the Azure portal to enable Trusted launch on existing Azure Generation 2 VM.

  1. Log in to Azure portal
  2. Validate virtual machine generation is V2 and Stop VM.

Screenshot of the Gen2 VM to be deallocated.

  1. On Overview page in VM Properties, Select Standard under Security type. This navigates to Configuration page for VM.

Screenshot of the Security type Standard.

  1. Select drop-down Security type under Security type section of Configuration page.

Screenshot of the Security type drop-down.

  1. Select Trusted launch under drop-down and select check-boxes to enable Secure Boot and vTPM. Click Save after making required changes.


Screenshot of the Secure boot and vTPM settings.

  1. Close the Configuration page once the update is successfully complete and validate Security type under VM properties on Overview page.

Screenshot of the Trusted launch upgraded VM.

  1. Start the upgraded Trusted launch VM and ensure that it has started successfully and verify that you are able to log in to the VM using either RDP (for Windows VM) or SSH (for Linux VM).

Next steps

(Recommended) Post-Upgrades enable Boot integrity monitoring to monitor the health of the VM using Microsoft Defender for Cloud.

Learn more about Trusted launch and review frequently asked questions