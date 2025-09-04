Key Takeaways: Microsoft introduces in-place upgrade support for Trusted Launch on Azure VMs and VM Scale Sets.

The upgrade strengthens VM security without rebuilding or redeploying the VM (the VM is deallocated and restarted for the new security type to take effect).

Trusted Launch is now the default for new deployments, with guidance for smooth transitions.

Microsoft has rolled out in-place upgrade support for Trusted Launch on existing Azure Virtual Machines (VMs) and Virtual Machine Scale Sets (VMSS). This capability lets organizations turn on Secure Boot and a virtual TPM (vTPM) on VMs they already run, without redeploying them, migrating data, or following a complex migration procedure; the VM only needs to be deallocated and restarted for the new security type to apply.

What is Trusted Launch in Azure?

Trusted Launch is a security feature in Microsoft Azure that enhances the protection of virtual machines (VMs) by ensuring they start in a secure and verified state. It combines technologies like Secure Boot, virtual Trusted Platform Module (vTPM), and boot integrity monitoring to protect against sophisticated threats such as rootkits and bootkits. Trusted Launch validates the integrity of the VM during startup to help organizations meet compliance standards and maintain a strong security posture without requiring major changes to their existing infrastructure.

Microsoft notes that Trusted Launch in-place upgrade support is generally available for existing Gen1 and Gen2 VMs and for Uniform orchestration mode scale sets. For Flexible orchestration mode scale sets the feature is currently in private preview.

Trusted launch security features

How does the upgrade process work?

The upgrade process to enable Trusted Launch on existing Azure VMs and VM Scale Sets is simple, and it doesn't require customers to rebuild or redeploy the virtual machines; the security type is changed on the existing resource and the VM is restarted. Before starting the upgrade, users must confirm that the VM size and operating system image are supported for Trusted Launch, and, if Azure Backup protects the VM, that it uses an Enhanced backup policy. Azure Site Recovery (ASR) replication must also be disabled for the VM, or the upgrade will not proceed.

Best practices before enabling Trusted Launch

Microsoft recommends that IT admins start by testing the upgrade on non-production virtual machines to identify any potential issues without affecting critical workloads. Moreover, they must review known limitations and rollback steps. For production environments, administrators should create restore points to protect data and configurations.
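The pre-checks and the upgrade steps above, as one Azure PowerShell (Az.Compute) script. This is an added example written for this page; it is not code from the article or from Microsoft's documentation. It covers only the Gen2 (UEFI) path, refuses Gen1 VMs because their OS disk would first need converting to GPT/UEFI, and labels its assumptions: the `-WhatIfOnly` switch is this script's own, the size check assumes the Compute SKU list advertises unsupported sizes with a `TrustedLaunchDisabled` capability set to `True`, and ASR is detected only by a heuristic match on the installed extension publisher name. The Azure Backup policy type is not checked (that needs Az.RecoveryServices and a vault context) and is left to the operator.

```powershell
#Requires -Modules Az.Accounts, Az.Compute
# Added example (not the article's or Microsoft's own code): pre-flight checks, a restore
# point, then the in-place Trusted Launch upgrade of a single Gen2 VM, followed by a
# verification read-back. Assumptions are marked inline.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $VmName,
    [switch] $WhatIfOnly   # assumed switch: run the checks, then stop before changing anything
)

$ErrorActionPreference = 'Stop'

$vm       = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$instance = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status

# 1. Already Trusted Launch? Nothing to do.
if ($vm.SecurityProfile.SecurityType -eq 'TrustedLaunch') {
    Write-Host "$VmName already uses Trusted Launch; nothing to do."
    return
}

# 2. Generation check: this script handles Gen2 (UEFI) VMs only.
if ($instance.HyperVGeneration -ne 'V2') {
    throw "$VmName reports Hyper-V generation '$($instance.HyperVGeneration)'. Gen1 VMs need a GPT/UEFI OS disk conversion before Trusted Launch can be enabled; that path is not covered here."
}

# 3. VM size check. Assumption: the Compute SKU list marks sizes that cannot run
#    Trusted Launch with the capability TrustedLaunchDisabled=True.
$size = $vm.HardwareProfile.VmSize
$sku  = Get-AzComputeResourceSku -Location $vm.Location |
        Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $size }
$tlDisabled = $sku.Capabilities |
        Where-Object { $_.Name -eq 'TrustedLaunchDisabled' -and $_.Value -eq 'True' }
if ($tlDisabled) {
    throw "Size $size does not support Trusted Launch; resize the VM first."
}

# 4. Azure Site Recovery must be disabled. Heuristic (assumption): the ASR mobility
#    agent shows up as a VM extension whose publisher name contains 'SiteRecovery'.
$asr = $vm.Extensions | Where-Object { $_.Publisher -like '*SiteRecovery*' }
if ($asr) {
    throw "Azure Site Recovery appears to be configured for $VmName (extension(s): $($asr.Name -join ', ')). Disable replication before upgrading."
}

# 5. Azure Backup must use an Enhanced policy if the VM is protected. Verifying the
#    policy type needs Az.RecoveryServices and a vault context, so it is left to the operator.
Write-Warning "Confirm that any Azure Backup protection on $VmName uses an Enhanced policy before continuing."

if ($WhatIfOnly) {
    Write-Host 'Pre-flight checks passed; stopping before making changes.'
    return
}

# 6. Restore point first: this is the rollback the article recommends for production VMs.
$rpcName = "$VmName-pre-trustedlaunch"
$rpc = Get-AzRestorePointCollection -ResourceGroupName $ResourceGroup -Name $rpcName -ErrorAction SilentlyContinue
if (-not $rpc) {
    $rpc = New-AzRestorePointCollection -ResourceGroupName $ResourceGroup -Name $rpcName `
               -Location $vm.Location -VmId $vm.Id
}
$rpName = 'rp-' + (Get-Date -Format 'yyyyMMddHHmmss')
New-AzRestorePoint -ResourceGroupName $ResourceGroup -RestorePointCollectionName $rpcName -Name $rpName | Out-Null
Write-Host "Restore point $rpName created in collection $rpcName."

# 7. The security type can only be changed while the VM is deallocated.
Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force | Out-Null

# 8. Switch to Trusted Launch and enable Secure Boot and vTPM in one update.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm `
    -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true | Out-Null

Start-AzVM -ResourceGroupName $ResourceGroup -Name $VmName | Out-Null

# 9. Verify what the platform now reports instead of trusting the update call.
$after = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
[pscustomobject]@{
    VM           = $VmName
    SecurityType = $after.SecurityProfile.SecurityType
    SecureBoot   = $after.SecurityProfile.UefiSettings.SecureBootEnabled
    vTPM         = $after.SecurityProfile.UefiSettings.VTpmEnabled
}
```

Run it first with `-WhatIfOnly` against a non-production VM, as the guidance above suggests; only the final object tells you whether the platform actually applied `TrustedLaunch` with Secure Boot and vTPM on, so treat a `Standard` or `$null` in that output as a failed upgrade rather than a cosmetic difference.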

According to Microsoft, the change of default does not alter existing Azure virtual machines: they keep their current security type until an administrator upgrades them. For new VM and VMSS deployments, however, Trusted Launch is now the default security type unless users explicitly select another one. To avoid failed deployments, users must verify that the VM sizes and operating system images they select are compatible with Trusted Launch.

Overall, Microsoft is reinforcing its commitment to cloud security by making Trusted Launch the default for new Azure VM deployments. This move is aimed at helping customers build more resilient workloads that are better protected against evolving cyber threats.