Deploy a VM with trusted launch enabled
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
Trusted launch is a way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques by combining infrastructure technologies like vTPM and secure boot.
You need to onboard your subscription to Microsoft Defender for Cloud if it isn't already. Microsoft Defender for Cloud has a free tier, which offers very useful insights for various Azure and Hybrid resources. Trusted launch leverages Defender for Cloud to surface multiple recommendations regarding VM health.
Assign Azure policies initiatives to your subscription. These policy initiatives need to be assigned only once per subscription. This will automatically install all required extensions on all supported VMs.
Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs
Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines
Deploy a trusted launch VM
Create a virtual machine with trusted launch enabled. Choose an option below:
Sign in to the Azure portal.
Search for Virtual Machines.
Under Services, select Virtual machines.
In the Virtual machines page, select Add, and then select Virtual machine.
Under Project details, make sure the correct subscription is selected.
Under Resource group, select Create new and type a name for your resource group or select an existing resource group from the dropdown.
Under Instance details, type a name for the virtual machine name and choose a region that supports trusted launch.
For Security type select Trusted launch virtual machines. This will make two more options appear - Secure boot and vTPM. Select the appropriate options for your deployment.
Under Image, select an image from the Recommended Gen 2 images compatible with Trusted launch. For a list, see images that supports trusted launch.
If you don't see the Gen 2 version of the image you want in the drop-down, select See all images and then change the Security type filter to Trusted Launch.
Select a VM size that supports trusted launch. See the list of supported sizes.
Fill in the Administrator account information and then Inbound port rules.
At the bottom of the page, select Review + Create
On the Create a virtual machine page, you can see the details about the VM you are about to deploy. Once validation shows as passed, select Create.
It will take a few minutes for your VM to be deployed.
Deploy a trusted launch VM from an Azure Compute Gallery image
- Sign in to the Azure portal.
- To create an Azure Compute Gallery Image from a VM, open an existing Trusted launch VM and select Capture.
- In the Create an Image page that follows, allow the image to be shared to the gallery as a VM image version. Creation of Managed Images is not supported for Trusted Launch VMs.
- Create a new target Azure Compute Gallery or select an existing gallery.
- Select the Operating system state as either Generalized or Specialized. If you want to create a generalized image, ensure that you generalize the VM to remove machine specific information before selecting this option. If Bitlocker based encryption is enabled on your Trusted launch Windows VM, you may not be able to generalize the same.
- Create a new image definition by providing a name, publisher, offer and SKU details. The Security Type of the image definition should already be set to Trusted launch.
- Provide a version number for the image version.
- Modify replication options if required.
- At the bottom of the Create an Image page, select Review + Create and when validation shows as passed, select Create.
- Once the image version is created, go the image version directly. Alternatively, you can navigate to the required image version through the image definition.
- On the VM image version page, select the + Create VM to land on the Create a virtual machine page.
- In the Create a virtual machine page, under Resource group, select Create new and type a name for your resource group or select an existing resource group from the dropdown.
- Under Instance details, type a name for the virtual machine name and choose a region that supports trusted launch.
- The image and the security type are already populated based on the selected image version. The Secure Boot and vTPM checkboxes are enabled by default.
- Fill in the Administrator account information and then Inbound port rules.
- At the bottom of the page, select Review + Create
- On the Create a virtual machine page, you can see the details about the VM you are about to deploy. Once validation shows as passed, select Create.
In case you want to use either a managed disk or a managed disk snapshot as a source of the image version (instead of a trusted launch VM), then use the following steps
- Sign in to the portal
- Search for VM Image Versions and select Create
- Provide the subscription, resource group, region and image version number
- Select the source as Disks and/or Snapshots
- Select the OS disk as a managed disk or a managed disk snapshot from the dropdown list
- Select a Target Azure Compute Gallery to create and share the image. If no gallery exists, create a new gallery.
- Select the Operating system state as either Generalized or Specialized. If you want to create a generalized image, ensure that you generalize the disk or snapshot to remove machine specific information.
- For the Target VM Image Definition select Create new. In the window that opens, select an image definition name and ensure that the Security type is set to Trusted launch. Provide the publisher, offer and SKU information and select OK.
- The Replication tab can be used to set the replica count and target regions for image replication, if required.
- The Encryption tab can also be used to provide SSE encryption related information, if required.
- Select Create in the Review + create tab to create the image
- Once the image version is successfully created, select the + Create VM to land on the Create a virtual machine page.
- Please follow steps 12 to 17 as mentioned earlier to create a trusted launch VM using this image version
Verify or update your settings
For VMs created with trusted launch enabled, you can view the trusted launch configuration by visiting the Overview page for the VM in the portal. The Properties tab will show the status of Trusted Launch features:
To change the trusted launch configuration, in the left menu, under the Settings section, select Configuration. You can enable or disable Secure Boot and vTPM from the Security type section. Select Save at the top of the page when you are done.
If the VM is running, you will receive a message that the VM will be restarted. Select Yes then wait for the VM to restart for changes to take effect.