Deploy a VM with trusted launch enabled

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

Trusted launch is a way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques by combining infrastructure technologies like vTPM and secure boot.

Prerequisites

  • You need to onboard your subscription to Microsoft Defender for Cloud if it isn't already. Microsoft Defender for Cloud has a free tier, which offers useful insights for various Azure and hybrid resources. Trusted launch uses Defender for Cloud to surface multiple recommendations regarding VM health.

  • Assign Azure Policy initiatives to your subscription. These policy initiatives need to be assigned only once per subscription; they automatically install all required extensions on all supported VMs.

    • Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs.

    • Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines.

  • Allow the AzureAttestation service tag in your NSG outbound rules so that traffic to Microsoft Azure Attestation is permitted. See Virtual network service tags.

  • Make sure that your firewall policies allow access to *.attest.azure.net.

Note

If you are using a Linux image and expect the VM to have kernel drivers that are either unsigned or not signed by the Linux distro vendor, consider turning off secure boot. In the Azure portal, on the ‘Create a virtual machine’ page, with ‘Trusted Launch Virtual Machines’ selected for the ‘Security type’ parameter, click ‘Configure security features’ and clear the ‘Enable secure boot’ checkbox. In the CLI, PowerShell, or an SDK, set the secure boot parameter to false.
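The CLI route the Note refers to, as an added example that is not code from the Azure documentation: a POSIX shell script that creates the AzureAttestation outbound NSG rule from the prerequisites and then creates a Gen2 VM with trusted launch, with the secure boot setting passed as an argument. The resource names, the Ubuntu Gen2 image URN and the VM size are assumptions; substitute your own. `DRY_RUN=1` prints the `az` commands instead of running them, which is how you review the calls before touching a subscription.

```shell
#!/bin/sh
# Added example, not code from the Azure documentation page. Resource names,
# the image URN and the VM size below are assumed placeholders.
set -eu

# DRY_RUN=1 prints each az command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Prerequisite from the page: an NSG outbound rule for the AzureAttestation
# service tag so guest attestation can reach Microsoft Azure Attestation (HTTPS).
allow_attestation_egress() {
  rg=$1; nsg=$2
  run az network nsg rule create \
    --resource-group "$rg" --nsg-name "$nsg" \
    --name AllowAzureAttestationOutbound \
    --direction Outbound --access Allow --priority 100 \
    --protocol Tcp --destination-port-ranges 443 \
    --destination-address-prefixes AzureAttestation
}

# Create a Gen2 VM with trusted launch. The third argument is the secure boot
# setting: pass "false" only for the unsigned-kernel-driver case in the Note.
# vTPM stays enabled so boot integrity monitoring keeps working either way.
create_trusted_launch_vm() {
  rg=$1; name=$2; secure_boot=${3:-true}
  case "$secure_boot" in
    true|false) ;;
    *) echo "secure_boot must be true or false, got '$secure_boot'" >&2; return 2 ;;
  esac
  run az vm create \
    --resource-group "$rg" --name "$name" \
    --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \
    --size Standard_D2s_v3 \
    --security-type TrustedLaunch \
    --enable-secure-boot "$secure_boot" \
    --enable-vtpm true \
    --admin-username azureuser --generate-ssh-keys
}

# Usage (dry run first, then for real):
#   DRY_RUN=1 sh -c '. ./trusted-launch.sh; create_trusted_launch_vm rg-example vm-example false'
#   . ./trusted-launch.sh; allow_attestation_egress rg-example nsg-example
```

The script rejects any secure boot value other than `true`/`false` before calling `az`, so a typo cannot silently produce a VM with the wrong setting; the image must be a Gen2 image compatible with trusted launch, as the Image step below requires.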

Deploy a trusted launch VM

Create a virtual machine with trusted launch enabled. The steps below use the Azure portal:

  1. Sign in to the Azure portal.
  2. Search for Virtual Machines.
  3. Under Services, select Virtual machines.
  4. In the Virtual machines page, select Add, and then select Virtual machine.
  5. Under Project details, make sure the correct subscription is selected.
  6. Under Resource group, select Create new and type a name for your resource group or select an existing resource group from the dropdown.
  7. Under Instance details, type a name for the virtual machine name and choose a region that supports trusted launch.
  8. For Security type, select Trusted launch virtual machines. Three more options appear: Secure boot, vTPM, and Integrity Monitoring. Select the appropriate options for your deployment. To learn more, see Trusted Launch enabled security features. (Screenshot showing the options for Trusted Launch.)
  9. Under Image, select an image from the Recommended Gen 2 images compatible with Trusted launch. For a list, see trusted launch.

    Tip

    If you don't see the Gen 2 version of the image you want in the drop-down, select See all images and then change the Security type filter to Trusted Launch.

  10. Select a VM size that supports trusted launch. See the list of supported sizes.
  11. Fill in the Administrator account information and then Inbound port rules.
  12. At the bottom of the page, select Review + Create.
  13. On the Create a virtual machine page, you can see the details about the VM you are about to deploy. Once validation shows as passed, select Create.

Screenshot of the validation page, showing that the trusted launch options are included.

It will take a few minutes for your VM to be deployed.

Azure trusted launch virtual machines support the creation and sharing of custom images using Azure Compute Gallery. You can create two types of images, based on the security type set on the image definition:

Trusted launch VM supported images

For the following image sources, the security type on the image definition should be set to TrustedLaunchSupported:

  • Gen2 OS Disk VHD
  • Gen2 Managed Image
  • Gen2 Gallery Image Version

No VM Guest State information shall be included in the image source.

The resulting image version can be used to create either Azure Gen2 VMs or Trusted launch VMs.

These images can be shared using Azure Compute Gallery - Direct Shared Gallery and Azure Compute Gallery - Community Gallery.

Note

The OS disk VHD, Managed Image or Gallery Image Version should be created from a Gen2 image that is compatible with Trusted launch VMs.

  1. Sign in to the Azure portal.
  2. Search for and select VM image versions in the search bar.
  3. On the VM image versions page, select Create.
  4. On the Create VM image version page, on the Basics tab:
    1. Select the Azure subscription.
    2. Select an existing resource group or create a new resource group.
    3. Select the Azure region.
    4. Enter an image version number.
    5. For Source, select Storage Blobs (VHD), Managed Image, or another VM Image Version.
    6. If you selected Storage Blobs (VHD), enter an OS disk VHD (without the VM Guest state). Make sure to use a Gen 2 VHD.
    7. If you selected Managed Image, select an existing managed image of a Gen 2 VM.
    8. If you selected VM Image Version, select an existing Gallery Image Version of a Gen2 VM.
    9. For Target Azure compute gallery, select or create a gallery to share the image.
    10. For Operating system state, select either Generalized or Specialized depending on your use case. If you're using a managed image as the source, always select Generalized. If you're using a storage blob (VHD) and want to select Generalized, follow the steps to generalize a Linux VHD or generalize a Windows VHD before you continue. If you're using an existing VM Image Version, select either Generalized or Specialized based on what is used in the source VM image definition.
    11. For Target VM Image Definition, select Create new.
    12. In the Create a VM image definition pane, enter a name for the definition. Make sure the security type is set to Trusted launch supported. Enter publisher, offer, and SKU information. Then, select OK.
  5. On the Replication tab, enter the replica count and target regions for image replication, if required.
  6. On the Encryption tab, enter SSE encryption-related information, if required.
  7. Select Review + Create.
  8. After the configuration is successfully validated, select Create to finish creating the image.
  9. After the image version is created, select Create VM.
  10. In the Create a virtual machine page, under Resource group, select Create new and type a name for your resource group or select an existing resource group from the dropdown.
  11. Under Instance details, type a name for the virtual machine name and choose a region that supports trusted launch.
  12. Select Trusted launch virtual machines as the security type. The Secure Boot and vTPM checkboxes are enabled by default.
  13. Fill in the Administrator account information and then Inbound port rules.
  14. On the validation page, review the details of the VM.
  15. After the validation succeeds, select Create to finish creating the VM.

Trusted launch VM Images

For the following image sources, the security type on the image definition should be set to TrustedLaunch:

  • Trusted launch VM capture
  • Managed OS disk
  • Managed OS disk snapshot

The resulting image version can be used only to create Azure Trusted launch VMs.

  1. Sign in to the Azure portal.
  2. To create an Azure Compute Gallery Image from a VM, open an existing Trusted launch VM and select Capture.
  3. In the Create an Image page that follows, allow the image to be shared to the gallery as a VM image version. Creation of Managed Images is not supported for Trusted Launch VMs.
  4. Create a new target Azure Compute Gallery or select an existing gallery.
  5. Select the Operating system state as either Generalized or Specialized. If you want to create a generalized image, ensure that you generalize the VM to remove machine-specific information before selecting this option. If BitLocker-based encryption is enabled on your Trusted launch Windows VM, you may not be able to generalize it.
  6. Create a new image definition by providing a name, publisher, offer and SKU details. The Security Type of the image definition should already be set to Trusted launch.
  7. Provide a version number for the image version.
  8. Modify replication options if required.
  9. At the bottom of the Create an Image page, select Review + Create and when validation shows as passed, select Create.
  10. Once the image version is created, go to the image version directly. Alternatively, you can navigate to the required image version through the image definition.
  11. On the VM image version page, select the + Create VM to land on the Create a virtual machine page.
  12. In the Create a virtual machine page, under Resource group, select Create new and type a name for your resource group or select an existing resource group from the dropdown.
  13. Under Instance details, type a name for the virtual machine name and choose a region that supports trusted launch.
  14. The image and the security type are already populated based on the selected image version. The Secure Boot and vTPM checkboxes are enabled by default.
  15. Fill in the Administrator account information and then Inbound port rules.
  16. At the bottom of the page, select Review + Create.
  17. On the validation page, review the details of the VM.
  18. After the validation succeeds, select Create to finish creating the VM.

If you want to use either a managed disk or a managed disk snapshot as the source of the image version (instead of a trusted launch VM), use the following steps:

  1. Sign in to the portal.
  2. Search for VM Image Versions and select Create.
  3. Provide the subscription, resource group, region, and image version number.
  4. Select the source as Disks and/or Snapshots.
  5. Select the OS disk as a managed disk or a managed disk snapshot from the dropdown list.
  6. Select a Target Azure Compute Gallery to create and share the image. If no gallery exists, create a new gallery.
  7. Select the Operating system state as either Generalized or Specialized. If you want to create a generalized image, ensure that you generalize the disk or snapshot to remove machine specific information.
  8. For the Target VM Image Definition select Create new. In the window that opens, select an image definition name and ensure that the Security type is set to Trusted launch. Provide the publisher, offer and SKU information and select OK.
  9. The Replication tab can be used to set the replica count and target regions for image replication, if required.
  10. The Encryption tab can also be used to provide SSE encryption related information, if required.
  11. Select Create in the Review + create tab to create the image.
  12. Once the image version is successfully created, select the + Create VM to land on the Create a virtual machine page.
  13. Follow steps 12 to 18 from the previous procedure to create a trusted launch VM using this image version.
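The two gallery workflows above (an image definition with security type TrustedLaunchSupported fed from a Gen2 managed image, and one with security type TrustedLaunch fed from a managed OS disk snapshot) as an added Azure CLI example; this is not code from the Azure documentation. The gallery, definition, publisher/offer/SKU values and the source resource IDs are assumed placeholders. The script only accepts the two security types the page names and the two source kinds whose CLI flags are shown, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the Azure documentation page. Gallery and
# resource names below are assumed placeholders.
set -eu

# DRY_RUN=1 prints each az command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Create a Gen2 image definition whose SecurityType feature is either
#   TrustedLaunchSupported  - source is a Gen2 VHD, managed image or gallery
#                             image version; usable for Gen2 and trusted launch VMs
#   TrustedLaunch           - source comes from a trusted launch VM (capture,
#                             managed OS disk, OS disk snapshot); trusted launch VMs only
create_image_definition() {
  rg=$1; gallery=$2; definition=$3; security_type=$4
  os_type=${5:-Linux}; os_state=${6:-Generalized}
  case "$security_type" in
    TrustedLaunch|TrustedLaunchSupported) ;;
    *) echo "security type must be TrustedLaunch or TrustedLaunchSupported, got '$security_type'" >&2; return 2 ;;
  esac
  run az sig image-definition create \
    --resource-group "$rg" --gallery-name "$gallery" \
    --gallery-image-definition "$definition" \
    --publisher ExamplePublisher --offer ExampleOffer --sku "$definition" \
    --os-type "$os_type" --os-state "$os_state" \
    --hyper-v-generation V2 \
    --features "SecurityType=$security_type"
}

# Create an image version from a managed image or an OS disk snapshot.
# source_kind selects the CLI flag: managed-image -> --managed-image,
# snapshot -> --os-snapshot. source is the resource ID of that object.
create_image_version() {
  rg=$1; gallery=$2; definition=$3; version=$4; source_kind=$5; source=$6
  case "$source_kind" in
    managed-image) source_flag=--managed-image ;;
    snapshot)      source_flag=--os-snapshot ;;
    *) echo "source kind must be managed-image or snapshot, got '$source_kind'" >&2; return 2 ;;
  esac
  run az sig image-version create \
    --resource-group "$rg" --gallery-name "$gallery" \
    --gallery-image-definition "$definition" \
    --gallery-image-version "$version" \
    --replica-count 1 \
    "$source_flag" "$source"
}

# Create a trusted launch VM from the gallery image version (the portal's
# "+ Create VM" step). image_id is the image version's resource ID.
create_vm_from_gallery_image() {
  rg=$1; name=$2; image_id=$3
  run az vm create --resource-group "$rg" --name "$name" \
    --image "$image_id" \
    --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true \
    --admin-username azureuser --generate-ssh-keys
}

# Usage (dry run), with placeholder IDs:
#   DRY_RUN=1 sh -c '. ./gallery.sh
#     create_image_definition rg-example gal-example ubuntu-tl TrustedLaunch
#     create_image_version rg-example gal-example ubuntu-tl 1.0.0 snapshot <snapshot-resource-id>
#     create_vm_from_gallery_image rg-example vm-example <image-version-resource-id>'
```

A VHD source needs the `--os-vhd-uri` form instead and, as the page says, must be a Gen2 VHD without VM guest state; that case is intentionally not wired into the script.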

Verify or update your settings

For VMs created with trusted launch enabled, you can view the trusted launch configuration by visiting the Overview page for the VM in the Azure portal. The Properties tab will show the status of Trusted Launch features:

Screenshot of the Trusted Launch properties of the VM.

To change the trusted launch configuration, in the left menu, under the Settings section, select Configuration. You can enable or disable Secure Boot, vTPM, and Integrity Monitoring from the Security type section. Select Save at the top of the page when you are done.

Screenshot showing check boxes to change the Trusted Launch settings.

If the VM is running, you will receive a message that the VM will be restarted. Select Yes, then wait for the VM to restart for the changes to take effect.
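The same verify-and-update flow from the Azure CLI, as an added example that is not code from the Azure documentation. It reads the VM's `securityProfile` (the fields the portal Properties tab renders), checks that the security type is TrustedLaunch and that secure boot and vTPM are both recorded as enabled, and changes the flags the way the Configuration blade does. Whereas the portal restarts the VM for you, this script deallocates, updates and starts it; that sequence is an assumption of the example, not a step the page states. The sample JSON is constructed to match the shape `az vm show` returns.

```shell
#!/bin/sh
# Added example, not code from the Azure documentation page.
set -eu

# DRY_RUN=1 prints each az command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Print the VM's securityProfile as JSON (what the Properties tab shows).
get_security_profile() {
  rg=$1; name=$2
  run az vm show --resource-group "$rg" --name "$name" \
    --query securityProfile --output json
}

# Read securityProfile JSON on stdin and return 0 only when securityType is
# TrustedLaunch and both uefiSettings flags are true. Each failing check is
# reported on stderr so a drift in one setting is visible. Whitespace is
# stripped first so the checks do not depend on jq or on JSON formatting.
assert_trusted_launch() {
  json=$(tr -d ' \t\r\n')
  status=0
  case "$json" in
    *'"securityType":"TrustedLaunch"'*) ;;
    *) echo "securityType is not TrustedLaunch" >&2; status=1 ;;
  esac
  for field in secureBootEnabled vTpmEnabled; do
    case "$json" in
      *"\"$field\":true"*) ;;
      *) echo "$field is not true" >&2; status=1 ;;
    esac
  done
  return $status
}

# Turn secure boot / vTPM on or off (true|false each), stopping the VM around
# the change. Assumption: the VM is deallocated for the update; the portal
# instead prompts for a restart.
set_trusted_launch_flags() {
  rg=$1; name=$2; secure_boot=$3; vtpm=$4
  run az vm deallocate --resource-group "$rg" --name "$name"
  run az vm update --resource-group "$rg" --name "$name" \
    --enable-secure-boot "$secure_boot" --enable-vtpm "$vtpm"
  run az vm start --resource-group "$rg" --name "$name"
}

# Constructed sample of a securityProfile for a VM with both features enabled.
SAMPLE_PROFILE='{"securityType": "TrustedLaunch", "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}'

# Run the check over the constructed sample (offline demonstration).
demo_check() { printf '%s' "$SAMPLE_PROFILE" | assert_trusted_launch; }

# Live usage: get_security_profile rg-example vm-example | assert_trusted_launch
```

Running the check after every configuration change (or on a schedule) is a cheap way to catch a VM whose secure boot or vTPM was switched off outside the expected change process.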

Next steps

Learn more about trusted launch and Boot integrity monitoring VMs.