Trusted Launch for Azure VMs Just Went GA: What You Need To Know

Trusted Launch is a security option for Generation 2 (Gen2) Azure VMs that hardens the boot path against bootkits, rootkits and other attacks that run before the OS takes control. It combines three features: Secure Boot, a virtual TPM (vTPM), and boot integrity monitoring.

What It Actually Does

Trusted Launch has three components that work together:

Secure Boot makes the VM's UEFI firmware load only boot loaders and OS kernels whose signatures chain to the certificates enrolled in the firmware's trusted database. An unsigned or modified boot component is refused, so a bootkit cannot insert itself before the OS starts.

vTPM (Virtual Trusted Platform Module) is a TPM 2.0-compliant module, provided by the hypervisor rather than by a physical chip, that the guest can use to protect keys, certificates and secrets (BitLocker keys, for example). It also performs measured boot: each stage from firmware through boot loader to OS kernel is hashed into the vTPM's Platform Configuration Registers (PCRs), producing an attestable record of what actually booted.

Boot Integrity Monitoring sends those measurements to Microsoft Azure Attestation through the Guest Attestation extension and surfaces the result in Microsoft Defender for Cloud. If the measured boot chain does not match the expected values, attestation fails and Defender for Cloud raises an alert.

Which VMs Support It

Trusted Launch works with most Gen2 VM sizes, including:

The main requirement is that the VM is created as Gen2, from a Gen2 image, on a size that supports Trusted Launch. You cannot retrofit Trusted Launch onto an existing Gen1 VM.

Check Your Existing VMs

Before planning any changes, see what you're working with:

VMs without securityProfile or with securityType: null are standard VMs. They need to be recreated to get Trusted Launch.
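As an added example (not code from the original post), the following script pulls exactly those fields from az vm list and classifies every VM in the subscription. It assumes the Azure CLI is installed and logged in; the sample rows used to exercise the classifier are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes the Azure CLI is
# installed and logged in to the subscription being audited.
set -euo pipefail

# Columns taken from `az vm list`: name, resource group, security type and the
# two UEFI flags. A standard VM has no securityProfile at all, so its last
# three columns come back empty in TSV output.
QUERY='[].[name, resourceGroup, securityProfile.securityType, securityProfile.uefiSettings.secureBootEnabled, securityProfile.uefiSettings.vTpmEnabled]'

# Classify TSV rows from stdin: one "rg<TAB>name<TAB>status" line per VM.
# Tabs are swapped for '|' first because `read` collapses runs of tab and
# would shift empty columns to the left.
classify_vms() {
  local name rg sectype sb vtpm status
  tr '\t' '|' | while IFS='|' read -r name rg sectype sb vtpm; do
    [ -n "$name" ] || continue
    case "$sectype" in
      TrustedLaunch)
        if [ "$sb" = "True" ] && [ "$vtpm" = "True" ]; then
          status="trusted-launch"
        else
          # Trusted Launch with Secure Boot or vTPM switched off: review it.
          status="trusted-launch-partial"
        fi ;;
      ConfidentialVM) status="confidential-vm" ;;
      "")             status="standard" ;;        # needs recreating
      *)              status="unknown($sectype)" ;;
    esac
    printf '%s\t%s\t%s\n' "$rg" "$name" "$status"
  done
}

# Only the VMs that have to be rebuilt.
standard_vms() {
  classify_vms | awk -F'\t' '$3 == "standard"'
}

# Run against the live subscription when invoked as `./audit.sh run`.
if [ "${1:-}" = "run" ]; then
  az vm list --query "$QUERY" -o tsv | classify_vms | sort
fi
```

Any line ending in standard is a VM that has to be rebuilt; trusted-launch-partial means the VM was created with one of the two UEFI switches off, which is worth correcting in the same pass.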

Deploying a New VM with Trusted Launch

Azure CLI
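An added example of the CLI deployment, not the post's own command: it refuses a Gen1 image before creating anything, creates the VM with both Secure Boot and vTPM enabled, then reads the applied profile back. The image URN Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest, the VM size and the admin user name are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes the Azure CLI is
# installed and logged in. Image URN, size and user name are illustrative.
set -euo pipefail

# Trusted Launch only boots Generation 2 images. Returns 0 for "V2", 1 otherwise,
# so callers can refuse a Gen1 image before paying for a VM that cannot boot.
is_gen2() {
  [ "${1:-}" = "V2" ]
}

# Create a Trusted Launch VM with Secure Boot and vTPM switched on.
# $1 resource group, $2 VM name, $3 image URN (must be a Gen2 image).
create_tl_vm() {
  local rg=$1 vm=$2 image=$3 hv_gen
  hv_gen=$(az vm image show --urn "$image" --query hyperVGeneration -o tsv)
  if ! is_gen2 "$hv_gen"; then
    echo "refusing: $image is hyperVGeneration=$hv_gen, Trusted Launch needs V2" >&2
    return 1
  fi
  az vm create \
    --resource-group "$rg" \
    --name "$vm" \
    --image "$image" \
    --size Standard_D2s_v3 \
    --security-type TrustedLaunch \
    --enable-secure-boot true \
    --enable-vtpm true \
    --admin-username azureuser \
    --generate-ssh-keys
}

# Read back what was actually applied; both flags should print True.
show_tl_settings() {
  az vm show -g "$1" -n "$2" \
    --query '{type:securityProfile.securityType, secureBoot:securityProfile.uefiSettings.secureBootEnabled, vTPM:securityProfile.uefiSettings.vTpmEnabled}' \
    -o table
}

# Usage: ./create-tl-vm.sh <resource-group> <vm-name> <gen2-image-urn>
# e.g.   ./create-tl-vm.sh rg-prod web01 Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest
if [ "$#" -eq 3 ]; then
  create_tl_vm "$1" "$2" "$3"
  show_tl_settings "$1" "$2"
fi
```

The read-back matters: --security-type TrustedLaunch alone does not prove the UEFI switches took effect, and a VM whose securityType is TrustedLaunch but whose secureBootEnabled is False is exactly the half-configured state the audit above flags.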

Bicep

Migration Path for Existing VMs

Since Trusted Launch requires Gen2 VMs and can't be enabled retroactively, migrating existing VMs involves:

  1. Snapshot the current OS and data disks
  2. Create a new Gen2 VM with Trusted Launch enabled
  3. Attach the snapshotted disks (they must be compatible with Gen2)
  4. Verify the VM boots correctly and passes attestation

For VMs built from Gen1 images there is an extra step. A Gen1 disk boots through legacy BIOS from an MBR partition table, while Gen2 boots through UEFI from a GPT disk with an EFI system partition, so conversion means repartitioning the OS disk and reinstalling the boot loader (Windows ships MBR2GPT for this; on Linux it is a manual job), and it isn't always straightforward depending on the OS and boot configuration. Boot the converted disk as a plain Gen2 VM before adding Trusted Launch, so that a boot failure can be traced to the conversion rather than to Secure Boot refusing a component.
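The four migration steps above as one script, added here and not the post's own code. It assumes the Azure CLI is installed and logged in, and that the source VM's OS disk is already Gen2 (it refuses to proceed otherwise); the VM size and the derived snapshot and disk names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes the Azure CLI is
# installed and logged in, and that the source VM's OS disk is already
# Gen2 (UEFI/GPT). VM size and derived names are illustrative.
set -euo pipefail

is_gen2() { [ "${1:-}" = "V2" ]; }
snapshot_name() { printf '%s-osdisk-snap' "$1"; }
new_disk_name() { printf '%s-osdisk' "$1"; }

# Arguments: resource group, source VM, name for the new VM, Linux|Windows.
migrate_vm() {
  local rg=$1 src=$2 dst=$3 os=$4
  local os_disk hv_gen snap disk id i=0 data_ids
  local -a copies=() args

  os_disk=$(az vm show -g "$rg" -n "$src" --query storageProfile.osDisk.managedDisk.id -o tsv)
  # Refuse a Gen1 disk up front: it has no EFI system partition to boot from.
  hv_gen=$(az disk show --ids "$os_disk" --query hyperVGeneration -o tsv)
  if ! is_gen2 "$hv_gen"; then
    echo "refusing: OS disk is hyperVGeneration=${hv_gen:-V1}; convert it to Gen2 first" >&2
    return 1
  fi

  # Step 1: stop the VM so the snapshots are consistent, then snapshot OS and data disks.
  az vm deallocate -g "$rg" -n "$src"
  snap=$(snapshot_name "$src")
  az snapshot create -g "$rg" -n "$snap" --source "$os_disk"
  data_ids=$(az vm show -g "$rg" -n "$src" --query 'storageProfile.dataDisks[].managedDisk.id' -o tsv)
  for id in $data_ids; do
    az snapshot create -g "$rg" -n "${src}-data${i}-snap" --source "$id"
    az disk create -g "$rg" -n "${dst}-data${i}" --source "${src}-data${i}-snap"
    copies+=("${dst}-data${i}")
    i=$((i + 1))
  done

  # Steps 2 and 3: a new OS disk marked Gen2 + Trusted Launch, then the VM that boots it.
  disk=$(new_disk_name "$dst")
  az disk create -g "$rg" -n "$disk" --source "$snap" \
    --hyper-v-generation V2 --security-type TrustedLaunch
  args=(--resource-group "$rg" --name "$dst" --attach-os-disk "$disk" --os-type "$os"
        --size Standard_D2s_v3 --security-type TrustedLaunch
        --enable-secure-boot true --enable-vtpm true)
  if [ "${#copies[@]}" -gt 0 ]; then
    args+=(--attach-data-disks "${copies[@]}")
  fi
  az vm create "${args[@]}"

  # Step 4: confirm the VM is running and the security profile was applied.
  az vm get-instance-view -g "$rg" -n "$dst" \
    --query '{power: instanceView.statuses[?starts_with(code, `PowerState/`)].displayStatus | [0], profile: securityProfile}' \
    -o json
}

# Usage: ./migrate-tl.sh <resource-group> <source-vm> <new-vm-name> <Linux|Windows>
if [ "$#" -eq 4 ]; then
  migrate_vm "$@"
fi
```

The source VM is deallocated, not deleted, so you can fall back to it if the new VM does not boot. Attestation itself (the last part of step 4) needs the Guest Attestation extension, which is covered in the next section.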

Enable Boot Integrity Monitoring

After deploying Trusted Launch VMs, install the Guest Attestation extension to enable boot integrity monitoring in Defender for Cloud:

The extension sends the vTPM measurements to Microsoft Azure Attestation and reports the result to Defender for Cloud, where failed attestations show up as findings you can alert on. The VM needs outbound network access to the attestation service for this to work; if a network security group or firewall blocks it, the extension reports an error, which is not the same thing as a tampered boot, so check connectivity before treating a failure as an incident.
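An added example, not the post's own command, that installs the extension with the right publisher for the guest OS, prints the extension's own status line, and rolls it out to every Trusted Launch VM in a resource group. It assumes the Azure CLI is installed and logged in.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes the Azure CLI is
# installed and logged in.
set -euo pipefail

# The extension publisher differs by guest OS. Prints the publisher, or fails
# for anything else so a typo cannot install the wrong handler.
attestation_publisher() {
  case "${1:-}" in
    Linux|linux)     echo "Microsoft.Azure.Security.LinuxAttestation" ;;
    Windows|windows) echo "Microsoft.Azure.Security.WindowsAttestation" ;;
    *) echo "unsupported OS type: '${1:-}'" >&2; return 1 ;;
  esac
}

# Install the Guest Attestation extension on one VM and print its status.
# $1 resource group, $2 VM name, $3 Linux|Windows
enable_boot_integrity_monitoring() {
  local rg=$1 vm=$2 os=$3 publisher
  publisher=$(attestation_publisher "$os")
  az vm extension set -g "$rg" --vm-name "$vm" \
    --name GuestAttestation --publisher "$publisher" \
    --version 1.0 --enable-auto-upgrade true
  # "Provisioning succeeded" is not the same as "attestation passed": the
  # extension's own status line says whether it could reach the attestation
  # service and what it reported.
  az vm get-instance-view -g "$rg" -n "$vm" \
    --query "instanceView.extensions[?name=='GuestAttestation'].statuses[].[code, displayStatus, message]" \
    -o tsv
}

# Roll out to every Trusted Launch VM in a resource group. Standard VMs are
# skipped on purpose: without a vTPM there is nothing for the extension to read.
rollout() {
  local rg=$1 name os
  az vm list -g "$rg" \
    --query "[?securityProfile.securityType=='TrustedLaunch'].[name, storageProfile.osDisk.osType]" \
    -o tsv |
  while IFS="$(printf '\t')" read -r name os; do
    if [ -n "$name" ]; then
      enable_boot_integrity_monitoring "$rg" "$name" "$os"
    fi
  done
}

# Usage: ./attest.sh <resource-group>            (all Trusted Launch VMs in the group)
#        ./attest.sh <resource-group> <vm> <os>  (one VM)
if [ "$#" -eq 1 ]; then
  rollout "$1"
elif [ "$#" -eq 3 ]; then
  enable_boot_integrity_monitoring "$1" "$2" "$3"
fi
```

The OS type comes from storageProfile.osDisk.osType on the VM itself rather than from a naming convention, so a Windows VM in a "linux" resource group still gets the Windows publisher.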

If you're planning to roll out Trusted Launch across your Azure estate or need help with the Gen1-to-Gen2 migration strategy, our consultants at MADIT work with this regularly. Contact us to discuss your environment.

Daniel Moquist, Cloud Architect & DevOps Expert

August 26, 2023