Enable Trusted Launch on existing Azure VMs

Applies to: ✔️ Linux VM ✔️ Windows VM ✔️ Generation 2 VM

Azure Virtual Machines supports enabling Azure Trusted Launch on existing Azure Generation 2 virtual machines (VMs) by upgrading to the Trusted Launch security type.

Trusted Launch is a way to enable foundational compute security on Azure Generation 2 VMs VMs and protects against advanced and persistent attack techniques like boot kits and rootkits. It does so by combining infrastructure technologies like Secure Boot, virtual Trusted Platform Module (vTPM), and boot integrity monitoring on your VM.

Important

Support for enabling Trusted Launch on existing Azure Generation 1 VMs is currently in private preview. You can gain access to preview by using the registration form.

Prerequisites

• Azure Generation 2 VM is configured with:
  • Trusted Launch supported size family.
  • Trusted Launch supported operating system (OS) image. For custom OS images or disks, the base image should be Trusted Launch capable.
• Azure Generation 2 VM isn't using features currently not supported with Trusted Launch.
• Azure Generation 2 VMs should be stopped and deallocated before you enable the Trusted Launch security type.
• Azure Backup, if enabled, for VMs should be configured with the Enhanced Backup policy. The Trusted Launch security type can't be enabled for Generation 2 VMs configured with Standard policy backup protection.
  • Existing Azure VM backup can be migrated from the Standard to the Enhanced policy. Follow the steps in Migrate Azure VM backups from Standard to Enhanced policy (preview).

Best practices

• Enable Trusted Launch on a test Generation 2 VM and determine if any changes are required to meet the prerequisites before you enable Trusted Launch on Generation 2 VMs associated with production workloads.
• Create restore points for Azure Generation 2 VMs associated with production workloads before you enable the Trusted Launch security type. You can use the restore points to re-create the disks and Generation 2 VM with the previous well-known state.

Enable Trusted Launch on an existing VM

Note

• After you enable Trusted Launch, currently VMs can't be rolled back to the Standard security type (non-Trusted Launch configuration).
• vTPM is enabled by default.
• We recommend that you enable Secure Boot, if you aren't using custom unsigned kernel or drivers. It's not enabled by default. Secure Boot preserves boot integrity and enables foundational security for VMs.

Portal

Enable Trusted Launch on an existing Azure Generation 2 VM by using the Azure portal.

1. Sign in to the Azure portal.

2. Confirm that the VM generation is V2 and select Stop for the VM.

   

3. On the Overview page in the VM properties, under Security type, select Standard. The Configuration page for the VM opens.

   

4. On the Configuration page, under the Security type section, select the Security type dropdown list.

   

5. Under the dropdown list, select Trusted launch. Select checkboxes to enable Secure Boot and vTPM. After you make the changes, select Save.

   Note

   • Generation 2 VMs created by using Azure Compute Gallery (ACG), Managed image, or an OS disk can't be upgraded to Trusted Launch by using the portal. Ensure that the OS version is supported for Trusted Launch. Use PowerShell, the Azure CLI, or an Azure Resource Manager template (ARM template) to run the upgrade.

   

6. After the update successfully finishes, close the Configuration page. On the Overview page in the VM properties, confirm the Security type settings.

   

7. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either the Remote Desktop Protocol (RDP) for Windows VMs or the Secure Shell Protocol (SSH) for Linux VMs.

CLI

Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using the Azure CLI.

Make sure that you install the latest Azure CLI and are signed in to an Azure account with az login.

1. Sign in to the VM Azure subscription.

   az login
   
   az account set --subscription 00000000-0000-0000-0000-000000000000
   

2. Deallocate the VM.

3. Enable Trusted Launch by setting --security-type to TrustedLaunch.

   az vm deallocate \
       --resource-group myResourceGroup --name myVm
   

4. Validate the output of the previous command. Ensure that the securityProfile configuration is returned with the command output.

   az vm update \
       --resource-group myResourceGroup --name myVm \
       --security-type TrustedLaunch \
       --enable-secure-boot true --enable-vtpm true
   

5. Validate the output of the previous command. Ensure that the securityProfile configuration is returned with the command output.

   {
     "securityProfile": {
       "securityType": "TrustedLaunch",
       "uefiSettings": {
         "secureBootEnabled": true,
         "vTpmEnabled": true
       }
     }
   }
   

6. Start the VM.

   az vm start \
       --resource-group myResourceGroup --name myVm
   

7. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).

PowerShell

Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using Azure PowerShell.

Make sure that you install the latest Azure PowerShell and are signed in to an Azure account with Connect-AzAccount.

1. Sign in to the VM Azure subscription.

   Connect-AzAccount -SubscriptionId 00000000-0000-0000-0000-000000000000
   

2. Deallocate the VM.

   Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm
   

3. Enable Trusted Launch by setting -SecurityType to TrustedLaunch.

   Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
       | Update-AzVM -SecurityType TrustedLaunch `
           -EnableSecureBoot $true -EnableVtpm $true
   

4. Validate securityProfile in the updated VM configuration.

   # Following command output should be `TrustedLaunch`
   
   (Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
       | Select-Object -Property SecurityProfile `
           -ExpandProperty SecurityProfile).SecurityProfile.SecurityType
   
   # Following command output should return `SecureBoot` and `vTPM` settings
   (Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
       | Select-Object -Property SecurityProfile `
           -ExpandProperty SecurityProfile).SecurityProfile.Uefisettings
   
   

5. Start the VM.

   Start-AzVM -ResourceGroupName myResourceGroup -Name myVm
   

6. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).

Template

Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using an ARM template.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

1. Review the template.

   {
       "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
       "contentVersion": "1.0.0.0",
       "parameters": {
           "vmsToUpgrade": {
               "type": "object",
               "metadata": {
                   "description": "Specifies the list of Gen2 virtual machines to be upgraded to Trusted launch."
               }
           },
           "vTpmEnabled": {
               "type": "bool",
               "defaultValue": true,
               "metadata": {
                   "description": "Specifies whether vTPM should be enabled on the virtual machine."
               }
           }
       },
       "resources": [
           {
               "type": "Microsoft.Compute/virtualMachines",
               "apiVersion": "2022-11-01",
               "name": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].vmName]",
               "location": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].location]",
               "properties": {
                   "securityProfile": {
                       "uefiSettings": {
                           "secureBootEnabled": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].secureBootEnabled]",
                           "vTpmEnabled": "[parameters('vTpmEnabled')]"
                       },
                       "securityType": "TrustedLaunch"
                   }
               },
               "copy": {
                   "name": "vmCopy",
                   "count": "[length(parameters('vmsToUpgrade').virtualMachines)]"
               }
           }
       ]
   }
   

2. Edit the parameters JSON file with VMs to be updated with the TrustedLaunch security type.

   {
       "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
       "contentVersion": "1.0.0.0",
       "parameters": {
           "vmsToUpgrade": {
               "value": {
                   "virtualMachines": [
                       {
                           "vmName": "myVm01",
                           "location": "westus3",
                           "secureBootEnabled": true
                       },
                       {
                           "vmName": "myVm02",
                           "location": "westus3",
                           "secureBootEnabled": true
                       }
                   ]
               }
           }
       }
   }
   

   Parameter file definition

   Property	Description of property	Example template value
   vmName	Name of Azure Generation 2 VM.	myVm
   location	Location of Azure Generation 2 VM.	westus3
   secureBootEnabled	Enable Secure Boot with the Trusted Launch security type.	true

3. Deallocate all Azure Generation 2 VMs to be updated.

   Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm01
   

4. Run the ARM template deployment.

   $resourceGroupName = "myResourceGroup"
   $parameterFile = "folderPathToFile\parameters.json"
   $templateFile = "folderPathToFile\template.json"
   
   New-AzResourceGroupDeployment `
       -ResourceGroupName $resourceGroupName `
       -TemplateFile $templateFile -TemplateParameterFile $parameterFile
   

   

   

5. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).

Related content

• After the upgrades, we recommend that you enable boot integrity monitoring to monitor the health of the VM by using Microsoft Defender for Cloud.
• Learn more about Trusted Launch and review frequently asked questions.