Ensure that the Trusted Launch security feature is enabled for Gen 2 virtual machines (VMs) in order to protect against persistent and advanced attacks with configurable capabilities such as Secure Boot and virtual Trusted Platform Module (vTPM).
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Protect your Gen 2 Azure virtual machines (VMs) against boot-level threats by enabling Trusted Launch. This security feature combines Secure Boot and vTPM to create a more secure boot process, reducing the risk of:
- Malicious code: Bootkits and rootkits can be blocked, safeguarding your VM from these common attacks.
- Unauthorized modifications: Early detection of unauthorized changes to the boot process helps prevent system compromise.
- Data breaches: Enhanced system integrity strengthens data security on your VMs.
By enabling the Trusted Launch feature, you can significantly improve the security posture of your Azure virtual machines.
Secure Boot and vTPM are not currently supported for Gen 1 virtual machines, so Trusted Launch can only be enabled on Gen 2 VMs.
Audit
To determine if your Azure virtual machines (VMs) are configured to use Trusted Launch, perform the following operations:
Remediation / Resolution
To enable the Trusted Launch security feature for your Gen 2 Azure virtual machines (VMs), perform the following operations:
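The audit and remediation flow described above, as an added example (not part of the Conformity rule page and not Trend Micro's code): it evaluates the `securityProfile` block of `az vm show` JSON output (a constructed, trimmed sample is embedded) and builds the deallocate / update / start command sequence; the `az vm update` flags `--security-type`, `--enable-secure-boot` and `--enable-vtpm` are assumed from the Azure CLI and should be checked against your CLI version.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample of `az vm show` output, trimmed to the fields this check
# uses. A real VM document carries many more properties.
SAMPLE_VM_SHOW = json.loads("""
{
  "name": "example-vm",
  "resourceGroup": "example-rg",
  "securityProfile": {
    "securityType": "TrustedLaunch",
    "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": false}
  }
}
""")


def trusted_launch_findings(vm: Dict) -> List[str]:
    """Return audit findings for one VM document; an empty list means it passes.
    A missing securityProfile (common on older VMs) is reported as non-compliant."""
    profile = vm.get("securityProfile") or {}
    uefi = profile.get("uefiSettings") or {}
    findings = []
    if profile.get("securityType") != "TrustedLaunch":
        findings.append("securityType is not TrustedLaunch")
    if uefi.get("secureBootEnabled") is not True:
        findings.append("Secure Boot is disabled")
    if uefi.get("vTpmEnabled") is not True:
        findings.append("vTPM is disabled")
    return findings


def remediation_commands(resource_group: str, vm_name: str) -> List[List[str]]:
    """Deallocate, update, start: the VM must be stopped before the security
    profile changes. Only valid for Gen 2 VMs (Gen 1 has no Secure Boot/vTPM)."""
    common = ["--resource-group", resource_group, "--name", vm_name]
    return [
        ["az", "vm", "deallocate", *common],
        ["az", "vm", "update", *common, "--security-type", "TrustedLaunch",
         "--enable-secure-boot", "true", "--enable-vtpm", "true"],  # assumed flags
        ["az", "vm", "start", *common],
    ]


def audit_live_vm(resource_group: str, vm_name: str) -> List[str]:
    """Fetch a real VM with the CLI (needs `az login`); not used by the offline sample."""
    out = subprocess.run(["az", "vm", "show", "-g", resource_group, "-n", vm_name,
                          "-o", "json"], check=True, capture_output=True, text=True).stdout
    return trusted_launch_findings(json.loads(out))


if __name__ == "__main__":
    for finding in trusted_launch_findings(SAMPLE_VM_SHOW):
        print("FAIL:", finding)
    for cmd in remediation_commands("example-rg", "example-vm"):
        print(" ".join(cmd))
```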
References
- Azure Official Documentation
  - Trusted launch for Azure virtual machines
  - Enable Trusted launch on existing Azure VMs
  - Trusted Launch FAQ
- Azure Command Line Interface (CLI) Documentation
  - az vm list
  - az vm show
  - az vm deallocate
  - az vm update
  - az vm start