
Enable Trusted Launch for Virtual Machines

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-040

Ensure that the Trusted Launch security feature is enabled for Gen 2 virtual machines (VMs) in order to protect against persistent and advanced attacks with configurable capabilities such as Secure Boot and virtual Trusted Platform Module (vTPM).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Protect your Gen 2 Azure virtual machines (VMs) against boot-level threats by enabling Trusted Launch. This security feature combines Secure Boot and vTPM to create a more secure boot process, reducing the risk of:


By enabling the Trusted Launch feature, you can significantly improve the security posture of your Azure virtual machines.

Secure Boot and vTPM are not currently supported by Gen 1 virtual machines.


Audit

To determine if your Azure virtual machines (VMs) are configured to use Trusted Launch, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to examine from the Subscription filter box.

04 From the Type filter box, select Virtual machine, and choose Apply to list only the virtual machines (VMs) deployed for the selected subscription.

05 Click on the name (link) of the virtual machine (VM) instance that you want to examine.

06 Choose Overview from the resource navigation panel and select the Properties tab to view the configuration information available for the selected VM.

07 Under Virtual machine, check the VM generation attribute value to determine the virtual machine generation. If the VM generation value is set to V2, the selected resource is a Gen 2 virtual machine and you can continue the Audit process with the next step.

08 Under Security type, check the Security type attribute value to determine the security level configured for your virtual machine. If the Security type value is not Trusted launch, the Trusted Launch security feature is not enabled for the selected VM. If Security type is set to Trusted launch but the Enable secure boot and/or Enable vTPM settings are Disabled, Trusted Launch is disabled for the selected Azure virtual machine.

09 Repeat steps no. 5 - 8 for each Azure virtual machine (VM) provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) with custom query filters to list the ID of each virtual machine (VM) provisioned in the current subscription:

az vm list
  --query '[*].id'

02 The command output should return the requested virtual machine identifiers (IDs):

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"
]

03 Use the vm show command (Windows/macOS/Linux) to describe the security profile configured for the virtual machine (VM) instance identified by the --ids parameter:

az vm show
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"
  --query '{"securityProfile": securityProfile}'

04 The command output should return the requested configuration information:

{
	"securityProfile": {
		"encryptionAtHost": null,
		"encryptionIdentity": null,
		"proxyAgentSettings": null,
		"securityType": "TrustedLaunch",
		"uefiSettings": {
			"secureBootEnabled": false,
			"vTpmEnabled": false
		}
	}
}

If the vm show command output returns null for the "securityProfile" attribute value, the VM uses the standard security profile, therefore the Trusted Launch security feature is not enabled for the selected VM. If the command output returns TrustedLaunch for the "securityType" attribute value under "securityProfile", as shown in the example above, check the "secureBootEnabled" and "vTpmEnabled" attributes under "uefiSettings" to determine whether the Secure Boot and vTPM settings are enabled. If "secureBootEnabled" and/or "vTpmEnabled" are set to false, the Trusted Launch feature is disabled for the selected Azure virtual machine.

05 Repeat steps no. 3 and 4 for each Azure virtual machine (VM) provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.
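The decision logic from step 04 above, applied to every VM in a subscription at once, as an added example that is not part of the original Conformity page. It assumes the objects returned by az vm list -o json carry the same "securityProfile" structure that az vm show returns; the three sample VM records are constructed for the example.

```python
import json
import sys

# Constructed sample of what `az vm list -o json` returns (assumption: each
# VM object carries a "securityProfile" shaped like the `az vm show` output).
SAMPLE_VM_LIST = json.loads("""
[
  {"name": "cc-prod-app-server", "securityProfile": null},
  {"name": "cc-internal-app-server",
   "securityProfile": {"securityType": "TrustedLaunch",
                       "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": false}}},
  {"name": "cc-web-server",
   "securityProfile": {"securityType": "TrustedLaunch",
                       "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}}
]
""")


def evaluate_trusted_launch(vm: dict) -> tuple:
    """Return (compliant, reason) for one VM object using the rule's checks:
    null profile -> standard security type; securityType must be TrustedLaunch;
    both uefiSettings flags must be true."""
    profile = vm.get("securityProfile")
    if not profile:
        return False, "securityProfile is null: standard security type"
    if profile.get("securityType") != "TrustedLaunch":
        return False, "securityType is %r" % profile.get("securityType")
    uefi = profile.get("uefiSettings") or {}
    disabled = [k for k in ("secureBootEnabled", "vTpmEnabled") if uefi.get(k) is not True]
    if disabled:
        return False, "TrustedLaunch selected but disabled: " + ", ".join(disabled)
    return True, "Trusted Launch with Secure Boot and vTPM enabled"


def audit(vms: list) -> dict:
    """Map each VM name to its (compliant, reason) verdict."""
    return {vm["name"]: evaluate_trusted_launch(vm) for vm in vms}


if __name__ == "__main__":
    # Real data: az vm list -o json | python3 audit_trusted_launch.py
    vms = SAMPLE_VM_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for name, (ok, reason) in audit(vms).items():
        print("%s  %s: %s" % ("PASS" if ok else "FAIL", name, reason))
```

Run it once per subscription (after az account set) to cover the repeat steps; any FAIL line names the VM that needs the remediation below.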

Remediation / Resolution

To enable the Trusted Launch security feature for your Gen 2 Azure virtual machines (VMs), perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine, and choose Apply to list only the virtual machines (VMs) deployed for the selected subscription.

05 Click on the name (link) of the virtual machine (VM) that you want to examine.

06 Select Overview from the resource navigation panel and choose Stop from the top menu to stop the selected VM instance. Select Yes to confirm the VM instance deallocation.

07 Once the instance is stopped, select the Properties tab, and click on the Security type link to access the security settings available for the instance.

08 On the configuration page, select Trusted launch virtual machines from the Security type dropdown list and check both Enable secure boot and Enable vTPM checkboxes. Choose Apply to save the configuration changes. This will enable the Trusted Launch security feature for the selected Gen 2 virtual machine (VM).

09 Select Overview from the resource navigation panel and choose Start from the top menu to start the upgraded VM instance.

10 Repeat steps no. 5 - 9 for each Azure virtual machine (VM) that you want to configure, provisioned in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Use the vm deallocate command (Windows/macOS/Linux) to stop (deallocate) the Gen 2 virtual machine (VM) instance identified by the --ids parameter (the command does not produce an output):

az vm deallocate
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"

02 Run the vm update command (Windows/macOS/Linux) with the ID of the virtual machine (VM) that you want to configure as the identifier parameter, setting --security-type to TrustedLaunch and both --enable-secure-boot and --enable-vtpm to true, to enable the Trusted Launch security feature for the selected VM instance:

az vm update
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"
  --security-type TrustedLaunch
  --enable-secure-boot true
  --enable-vtpm true
  --query '{"securityProfile": securityProfile}'

03 The command output should return the security profile for the upgraded VM instance:

{
	"securityProfile": {
		"encryptionAtHost": null,
		"encryptionIdentity": null,
		"proxyAgentSettings": null,
		"securityType": "TrustedLaunch",
		"uefiSettings": {
			"secureBootEnabled": true,
			"vTpmEnabled": true
		}
	}
}

04 Use the vm start command (Windows/macOS/Linux) to start the virtual machine (VM) instance identified by the --ids parameter (the command does not produce an output):

az vm start
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"

05 Repeat steps no. 1 - 4 for each Azure virtual machine (VM) that you want to configure, provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Publication date May 27, 2024