Enable Trusted Launch for Virtual Machines

Risk Level: Medium (should be achieved)

Rule ID: VirtualMachines-040

Ensure that the Trusted Launch security feature is enabled for Gen 2 virtual machines (VMs) in order to protect against persistent and advanced attacks with configurable capabilities such as Secure Boot and virtual Trusted Platform Module (vTPM).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Protect your Gen 2 Azure virtual machines (VMs) against boot-level threats by enabling Trusted Launch. This security feature combines Secure Boot and vTPM to create a more secure boot process, reducing the risk of:

Malicious code: Bootkits and rootkits can be blocked, safeguarding your VM from these common attacks.
Unauthorized modifications: Early detection of unauthorized changes to the boot process helps prevent system compromise.
Data breaches: Enhanced system integrity strengthens data security on your VMs.

By enabling the Trusted Launch feature, you can significantly improve the security posture of your Azure virtual machines.

Secure Boot and vTPM are not currently supported by the Gen 1 virtual machines.

Audit

To determine if your Azure virtual machines (VMs) are configured to use Trusted Launch, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to examine from the Subscription filter box.

04 From the Type filter box, select Virtual machine, and choose Apply to list only the virtual machines (VMs) deployed for the selected subscription.

05 Click on the name (link) of the virtual machine (VM) instance that you want to examine.

06 Choose Overview from the resource navigation panel and select the Properties tab to view the configuration information available for the selected VM.

07 Under Virtual machine, check the VM generation attribute value to determine the virtual machine generation. If the VM generation value is set to V2, the selected resource is a Gen 2 virtual machine, therefore, you can continue the Audit process with the next step.

08 Under Security type, check the Security type attribute value to determine the security level configured for your virtual machine. If the Security type value is not Trusted launch, the Trusted Launch security feature is not enabled for selected VM. If Security type is set to Trusted launch but Enable secure boot and/or Enable vTPM settings are Disabled, Trusted Launch is disabled for selected Azure virtual machine.

09 Repeat steps no. 5 - 8 for each Azure virtual machine (VM) provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) with custom query filters to list the ID of each virtual machine (VM) provisioned in the current subscription:

az vm list
  --query '[*].id'

02 The command output should return the requested virtual machine identifiers (IDs):

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"
]

03 Use the vm show command (Windows/macOS/Linux) to describe the security profile configured for the virtual machine (VM) instance identified by the --ids parameter:

az vm show
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"
  --query '{"securityProfile": securityProfile}'

04 The command output should return the requested configuration information:

{
	"securityProfile": {
		"encryptionAtHost": null,
		"encryptionIdentity": null,
		"proxyAgentSettings": null,
		"securityType": "TrustedLaunch",
		"uefiSettings": {
			"secureBootEnabled": false,
			"vTpmEnabled": false
		}
	}
}

If the vm show command output returns null for the "securityProfile" attribute value, the security profile used is the standard one, therefore, the Trusted Launch security feature is not enabled for selected VM. If the command output returns TrustedLaunch for the "securityType" attribute value under "securityProfile", as shown in the example above, check the "secureBootEnabled" and "vTpmEnabled" attributes under "uefiSettings" to determine if the Secure Boot and vTPM settings are enabled. If "secureBootEnabled" and/or "vTpmEnabled" are set to false, the Trusted Launch feature is disabled for selected Azure virtual machine.

05 Repeat steps no. 3 and 4 for each Azure virtual machine (VM) provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the Trusted Launch security feature for your Gen 2 Azure virtual machines (VMs), perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine, and choose Apply to list only the virtual machines (VMs) deployed for the selected subscription.

05 Click on the name (link) of the virtual machine (VM) that you want to examine.

06 Select Overview from the resource navigation panel and choose Stop from the top menu to stop the selected VM instance. Select Yes to confirm the VM instance deallocation.

07 Once the instance is stopped, select the Properties tab, and click on the Security type link to access the security settings available for the instance.

08 On the configuration page, select Trusted launch virtual machines from the Security type dropdown list and check both Enable secure boot and Enable vTPM checkboxes. Choose Apply to save the configuration changes. This will enable the Trusted Launch security feature for the selected Gen 2 virtual machine (VM).

09 Select Overview from the resource navigation panel and choose Start from the top menu to start the upgraded VM instance.

10 Repeat steps no. 5 - 9 for each Azure virtual machine (VM) that you want to configure, provisioned in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Use the vm deallocate command (Windows/macOS/Linux) to stop (deallocate) the Gen 2 virtual machine (VM) instance identified by the --ids parameter (the command does not produce an output):

az vm deallocate
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"

02 Run vm update command (Windows/macOS/Linux) with the ID of the virtual machine (VM) that you want to configure as the identifier parameter, to enable the Trusted Launch security feature for the selected VM instance by setting the --security-type parameter to TrustedLaunch, and --enable-secure-boot and --enable-vtpm to true:

az vm update
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"
  --security-type TrustedLaunch
  --enable-secure-boot true
  --enable-vtpm true
  --query '{"securityProfile": securityProfile}'

03 The command output should return the security profile for the upgraded VM instance:

{
	"securityProfile": {
		"encryptionAtHost": null,
		"encryptionIdentity": null,
		"proxyAgentSettings": null,
		"securityType": "TrustedLaunch",
		"uefiSettings": {
			"secureBootEnabled": false,
			"vTpmEnabled": false
		}
	}
  }

04 Use the vm start command (Windows/macOS/Linux) to start the virtual machine (VM) instance identified by the --ids parameter (the command does not produce an output):

az vm start
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-prod-app-server"

05 Repeat steps no. 1 - 4 for each Azure virtual machine (VM) that you want to configure, provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

References

Azure Official Documentation
Trusted launch for Azure virtual machines
Enable Trusted launch on existing Azure VMs
Trusted Launch FAQ

Azure Command Line Interface (CLI) Documentation
az vm list
az vm show
az vm deallocate
az vm update
az vm start

Publication date May 27, 2024

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Trusted Launch for Virtual Machines

Risk Level: Medium

Audit

Using Azure Console

Using Azure CLI

Remediation / Resolution

Using Azure Console

Using Azure CLI

References

Related VirtualMachines rules