Deploy a VM with trusted launch enabled (preview)
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets
Trusted launch is a way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques by combining infrastructure technologies like vTPM and secure boot.
Trusted launch is currently in public preview.
This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
Deploy using the portal
Create a virtual machine with trusted launch enabled.
Sign in to the Azure portal.
The Portal link is unique to trusted launch preview.
Search for Virtual Machines.
Under Services, select Virtual machines.
In the Virtual machines page, select Add, and then select Virtual machine.
Under Project details, make sure the correct subscription is selected.
Under Resource group, select Create new and type a name for your resource group or select an existing resource group from the dropdown.
Under Instance details, type a name for the virtual machine name and choose a region that supports trusted launch.
Under Image, select a Gen 2 image that supports trusted launch. Make sure you see the following message: This image supports trusted launch preview. Configure in the Advanced tab.
If you don't see the Gen 2 version of the image you want in the drop-down, select See all images and then change the VM Generation filter to only show Gen 2 images. Find the image in the list, then use the Select drop-down to select the Gen 2 version.
Select a VM size that supports trusted launch. See the list of supported sizes.
Fill in the Administrator account information and then Inbound port rules.
Switch over to the Advanced tab by selecting it at the top of the page.
Scroll down to the VM generation section. Make sure Gen 2 is selected.
While still on the Advanced tab, scroll down to Trusted launch, and then select the Trusted launch checkbox. This will make two more options appear - Secure boot and vTPM. Select the appropriate options for your deployment.
At the bottom of the page, select Review + Create
On the Create a virtual machine page, you can see the details about the VM you are about to deploy. When you are ready, select Create.
It will take a few minutes for your VM to be deployed.
Deploy using a template
You can deploy trusted launch VMs using a quickstart template:
View and update
You can view the trusted launch configuration for an existing VM by visiting the Overview page for the VM in the portal.
To change the trusted launch configuration, in the left menu, select Configuration under the Settings section. You can enable or disable Secure Boot and vTPM from the Trusted Launch section. Select Save at the top of the page when you are done.
If the VM is running, you will receive a message that the VM will be restarted to apply the modified trusted launch configuration. Select Yes then wait for the VM to restart for changes to take effect.
Verify secure boot and vTPM
You can validate that secure boot and vTPM are enabled on the virtual machine.
Linux: validate if secure boot is running
SSH to the VM and then run the following command:
If secure boot is enable, the command will return:
Linux: validate if vTPM is enabled
SSH into your VM. Check if tpm0 device is present:
If vTPM is enabled, the command will return:
If vTPM is disabled, the command will return:
ls: cannot access '/dev/tpm0': No such file or directory
Windows: validate that secure boot is running
Connect to the VM using remote desktop and then run
In the right pane, check that the Secure Boot State is ON.
Enable the Azure Security Center experience
To enable Azure Security Center to display information about your trusted launch VMs, you need to enable several policies. The easiest way to enable the policies is by deploying this Resource Manager template to your subscription.
Select the button below to deploy the policies to your subscription:
The template needs to be deployed only once per subscription. It automatically installs
AzureSecurity extensions on all supported VMs. If you get errors, try redeploying the template again.
To get vTPM and secure boot recommendations for trusted launch VMs, see Add a custom initiative to your subscription.
Sign things for Secure Boot on Linux
In some cases, you might need to sign things for UEFI Secure Boot. For example, you might need to go through How to sign things for Secure Boot for Ubuntu. In these cases, you need to enter the MOK utility enroll keys for your VM. To do this, you need to use the Azure Serial Console to access the MOK utility.
Enable Azure Serial Console for Linux. For more information, see Serial Console for Linux.
Log in to the Azure portal.
Search for Virtual machines and select your VM from the list.
In the left menu, under Support + troubleshooting, select Serial console. A page will open to the right, with the serial console.
Log on to the VM using Azure Serial Console. For login, enter the username you used when you created the VM. For example, azureuser. When prompted, enter the password associated with the username.
Once you are logged in, use
mokutilto import the public key
sudo mokutil –import <path to public key.der>
Reboot the machine from Azure Serial Console by typing
sudo reboot. A 10 second countdown will begin.
Press up or down key to interrupt the countdown and wait in UEFI console mode. If the timer is not interrupted, the boot process continues and all of the MOK changes are lost.
Select the appropriate action from the MOK utility menu.