Deploy a VM with trusted launch enabled (preview)

Trusted launch is a way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques by combining infrastructure technologies like vTPM and secure boot.

Important

Trusted launch is currently in public preview.

This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Deploy using the portal

Create a virtual machine with trusted launch enabled.

  1. Sign in to the Azure portal.

    Note

    The Portal link is unique to trusted launch preview.

  2. Search for Virtual Machines.

  3. Under Services, select Virtual machines.

  4. In the Virtual machines page, select Add, and then select Virtual machine.

  5. Under Project details, make sure the correct subscription is selected.

  6. Under Resource group, select Create new and type a name for your resource group or select an existing resource group from the dropdown.

  7. Under Instance details, type a name for the virtual machine and choose a region that supports trusted launch.

  8. Under Image, select a Gen 2 image that supports trusted launch. Make sure you see the following message: This image supports trusted launch preview. Configure in the Advanced tab.

    Tip

    If you don't see the Gen 2 version of the image you want in the drop-down, select See all images and then change the VM Generation filter to only show Gen 2 images. Find the image in the list, then use the Select drop-down to select the Gen 2 version.

    Screenshot showing the message confirming that this is a gen2 image that supports trusted launch.

  9. Select a VM size that supports trusted launch. See the list of supported sizes.

  10. Fill in the Administrator account information and then Inbound port rules.

  11. Switch over to the Advanced tab by selecting it at the top of the page.

  12. Scroll down to the VM generation section. Make sure Gen 2 is selected.

  13. While still on the Advanced tab, scroll down to Trusted launch, and then select the Trusted launch checkbox. Two more options appear: Secure boot and vTPM. Select the appropriate options for your deployment.

    Screenshot showing the options for trusted launch.

  14. At the bottom of the page, select Review + Create.

  15. On the Create a virtual machine page, you can see the details about the VM you are about to deploy. When you are ready, select Create.

    Screenshot of the validation page, showing the trusted launch options are included.

It will take a few minutes for your VM to be deployed.

Deploy using a template

You can deploy trusted launch VMs using a quickstart template:

Linux:
Deploy To Azure

Windows:
Deploy To Azure

View and update

You can view the trusted launch configuration for an existing VM by visiting the Overview page for the VM in the portal.

To change the trusted launch configuration, in the left menu, select Configuration under the Settings section. You can enable or disable Secure Boot and vTPM from the Trusted Launch section. Select Save at the top of the page when you are done.

Screenshot of how to change the trusted launch configuration.

If the VM is running, you will receive a message that the VM will be restarted to apply the modified trusted launch configuration. Select Yes then wait for the VM to restart for changes to take effect.

Verify secure boot and vTPM

You can validate that secure boot and vTPM are enabled on the virtual machine.

Linux: validate if secure boot is running

SSH to the VM and then run the following command:

mokutil --sb-state

If secure boot is enabled, the command returns:

SecureBoot enabled

Linux: validate if vTPM is enabled

SSH into your VM. Check whether the tpm0 device is present:

ls /dev/tpm0

If vTPM is enabled, the command will return:

/dev/tpm0

If vTPM is disabled, the command will return:

ls: cannot access '/dev/tpm0': No such file or directory
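The two Linux checks above can be combined into one script that prints a summary and exits non-zero when either feature is missing. This is an added example, not part of the Azure article: it wraps the same two checks the article gives (mokutil --sb-state and the presence of /dev/tpm0), reports "unknown" instead of failing when mokutil is not installed, and keeps the output-to-word mapping in separate functions so they can be exercised with constructed text. The script name trusted-launch-check.sh used in the final guard is an assumption.

```shell
#!/bin/sh
# Added example (not from the Azure article): wraps the two Linux checks the
# article gives, "mokutil --sb-state" and the presence of /dev/tpm0, in a
# script that prints a summary and exits non-zero when either is missing.

# Map the text printed by "mokutil --sb-state" to one word. Taking the text
# as a parameter lets the mapping be exercised with constructed output.
sb_state_word() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;   # e.g. no EFI variables
    esac
}

# Run mokutil when it is installed; otherwise report "unknown" rather than
# failing, since some images ship without the package.
live_secure_boot_word() {
    if command -v mokutil >/dev/null 2>&1; then
        sb_state_word "$(mokutil --sb-state 2>&1)"
    else
        echo unknown
    fi
}

# A vTPM appears to the guest as a TPM character device. The path is a
# parameter (default /dev/tpm0, the path the article checks) so a constructed
# path that does not exist can be passed in.
vtpm_word() {
    if [ -c "${1:-/dev/tpm0}" ]; then echo present; else echo absent; fi
}

# Both features must be on for the guest to count as fully trusted launch.
trusted_launch_ok() {
    [ "$1" = enabled ] && [ "$2" = present ]
}

main() {
    sb=$(live_secure_boot_word)
    tpm=$(vtpm_word /dev/tpm0)
    printf 'Secure Boot : %s\nvTPM device : %s\n' "$sb" "$tpm"
    if trusted_launch_ok "$sb" "$tpm"; then
        echo "trusted launch guest checks passed"
    else
        echo "trusted launch guest checks FAILED" >&2
        return 1
    fi
}

# Run the live checks only when executed as a script named
# trusted-launch-check.sh (assumed name), so the file can also be sourced
# for its functions.
case "${0##*/}" in
    trusted-launch-check.sh) main ;;
esac
```

Save it as trusted-launch-check.sh on the VM and run it over SSH; a non-zero exit status is convenient for a configuration-management or monitoring job that should flag VMs where secure boot or vTPM was switched off in the Configuration blade.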

Windows: validate that secure boot is running

Connect to the VM using remote desktop and then run msinfo32.exe.

In the right pane, check that the Secure Boot State is ON.

Enable the Azure Security Center experience

To enable Azure Security Center to display information about your trusted launch VMs, you need to enable several policies. The easiest way to enable the policies is by deploying this Resource Manager template to your subscription.

Select the button below to deploy the policies to your subscription:

Deploy To Azure

The template needs to be deployed only once per subscription. It automatically installs the GuestAttestation and AzureSecurity extensions on all supported VMs. If you get errors, try redeploying the template.

To get vTPM and secure boot recommendations for trusted launch VMs, see Add a custom initiative to your subscription.

Sign things for Secure Boot on Linux

In some cases, you might need to sign things for UEFI Secure Boot. For example, you might need to go through How to sign things for Secure Boot for Ubuntu. In these cases, you need to enter the MOK utility to enroll keys for your VM. To do this, you need to use the Azure Serial Console to access the MOK utility.

  1. Enable Azure Serial Console for Linux. For more information, see Serial Console for Linux.

  2. Log in to the Azure portal.

  3. Search for Virtual machines and select your VM from the list.

  4. In the left menu, under Support + troubleshooting, select Serial console. A page will open to the right, with the serial console.

  5. Log on to the VM using Azure Serial Console. For login, enter the username you used when you created the VM. For example, azureuser. When prompted, enter the password associated with the username.

  6. Once you are logged in, use mokutil to import the public key .der file.

    sudo mokutil --import <path to public key.der>

  7. Reboot the machine from Azure Serial Console by typing sudo reboot. A 10-second countdown begins.

  8. Press the up or down arrow key to interrupt the countdown and wait in UEFI console mode. If the timer is not interrupted, the boot process continues and all of the MOK changes are lost.

  9. Select the appropriate action from the MOK utility menu.

    Screenshot showing the available options on the MOK management menu in the serial console.
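The procedure above starts from an existing public key .der file. The following script is an added example, not from the Azure article or from the Ubuntu signing guide it links: it creates the Machine Owner Key pair that step 6 consumes, refuses to queue anything that is not a DER certificate, runs the same mokutil --import step, and after the reboot confirms with mokutil --test-key that the key really landed in the MOK list. The file names MOK.priv and MOK.der, the script name mok-enroll.sh and the subcommand names are assumptions made here.

```shell
#!/bin/sh
# Added example; not from the Azure article or the Ubuntu signing guide it
# links. Prepares the Machine Owner Key (MOK) for "mokutil --import", checks
# the file before importing it, and verifies enrollment after the reboot.

# 1. Create an RSA key pair: private key in PEM, certificate in DER, which is
#    the format mokutil --import expects. $1 = output directory, $2 = CN.
#    File names MOK.priv / MOK.der are assumptions made here.
make_mok_keypair() {
    dir="$1"; cn="${2:-Azure trusted launch MOK}"
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=$cn/" \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" 2>/dev/null
    # The private key signs kernels and modules; only MOK.der has to be on
    # the VM. Restrict the key anyway in case it is generated in place.
    chmod 600 "$dir/MOK.priv"
}

# 2. Pre-flight check: refuse anything that is not a DER X.509 certificate,
#    so a PEM file or the private key is not queued for enrollment by mistake.
is_der_cert() {
    openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1
}

# 3. Queue the certificate. mokutil prompts for a one-time password that the
#    MOK manager asks for again after the reboot (steps 7 to 9 above).
enroll_request() {
    is_der_cert "$1" || { echo "$1 is not a DER certificate" >&2; return 1; }
    sudo mokutil --import "$1"
}

# 4. After the reboot: "mokutil --test-key" reports whether a certificate is
#    in the enrolled MOK list. The output is mapped to a word so the mapping
#    can be checked with constructed text.
test_key_word() {
    case "$1" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo not-enrolled ;;
        *)                       echo unknown ;;
    esac
}

enrollment_word() {
    test_key_word "$(mokutil --test-key "$1" 2>&1)"
}

# Usage (assumed script name mok-enroll.sh):
#   ./mok-enroll.sh prepare DIR   make the key pair in DIR
#   ./mok-enroll.sh enroll DIR    queue DIR/MOK.der, then sudo reboot and
#                                 finish in the MOK manager via Serial Console
#   ./mok-enroll.sh check DIR     confirm enrollment after the reboot
case "${1:-}" in
    prepare) make_mok_keypair "$2" ;;
    enroll)  enroll_request "$2/MOK.der" ;;
    check)   enrollment_word "$2/MOK.der" ;;
esac
```

Generating the key pair on a workstation rather than on the VM, and copying only MOK.der across, keeps the signing key out of the guest; the check subcommand is the one to run after the MOK manager step, since a countdown that was not interrupted silently discards the pending enrollment.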

Next steps

Learn more about trusted launch and Generation 2 VMs.