Microsoft Azure Virtual Desktop Service Adds Trusted Launch Virtual Machines Support


Microsoft has announced that it is bringing Trusted Launch support to the Azure Virtual Desktop service. The company says this new capability aims to protect virtual machines in enterprise environments from advanced and persistent attacks.

Microsoft Azure Virtual Desktop is a cloud-based solution that lets end-users access their desktops and applications from virtually any device. The new Trusted Launch support adds several configurable security features to session host VMs: Secure Boot, a virtual Trusted Platform Module (vTPM), and Virtualization-based security (VBS).

The Secure Boot feature protects the operating system at boot time by blocking bootkits and rootkits that load at the driver, firmware, or OS kernel level. It is designed to ensure that the system can only boot operating systems and drivers that are signed by a trusted party, such as the Original Equipment Manufacturer (OEM).


Virtual Trusted Platform Module (vTPM) and Virtualization-based security protections

In addition to Secure Boot, Trusted Launch brings virtual Trusted Platform Module (vTPM) support to Azure Virtual Desktop. The vTPM allows the guest operating system to generate and store private keys in hardware-style protected storage, which helps to reduce the attack surface.

“Trusted launch provides your VM with its own dedicated TPM instance, running in a secure environment outside the reach of any VM,” the company explained. “Trusted launch uses the vTPM to perform remote attestation by the cloud. This is used for platform health checks and for making trust-based decisions. As a health check, trusted launch can cryptographically certify that your VM booted correctly.”

The Virtualization-Based Security (VBS) feature enhances system security by using the hypervisor to isolate a region of memory from the rest of the operating system. Trusted Launch lets users enable Hypervisor-protected Code Integrity (HVCI), which protects the Windows kernel against malicious exploits and vulnerabilities. The Microsoft Defender for Cloud service integrates with Trusted Launch and periodically detects and alerts users about VM health problems.
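The three protections described above (Secure Boot, vTPM, and VBS/HVCI) can be verified from inside a Windows session host. The following is an added example, not code from Microsoft or the article; it assumes an elevated PowerShell session on a Windows 10/11 or Windows Server guest where the SecureBoot and TrustedPlatformModule modules and the Win32_DeviceGuard WMI class are available, and the `Get-TrustedLaunchGuestStatus` and `Enable-HvciMemoryIntegrity` function names are the example's own.

```powershell
# Added example: audit a session host for the Trusted Launch guest protections.
# Requires an elevated session; Confirm-SecureBootUEFI and Get-Tpm need admin rights.

function Get-TrustedLaunchGuestStatus {
    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines, which is
    # itself a finding because Trusted Launch VMs are Generation 2 (UEFI) only.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # vTPM: present and ready for the guest to use (key storage, BitLocker, attestation).
    $tpm  = Get-Tpm
    $vtpm = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # VBS/HVCI: Win32_DeviceGuard reports VirtualizationBasedSecurityStatus
    # (2 = running) and SecurityServicesRunning (contains 2 when HVCI is running).
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]@{
        SecureBoot  = $secureBoot
        vTPMReady   = $vtpm
        VBSRunning  = $vbsRunning
        HVCIRunning = $hvciRunning
        Compliant   = ($secureBoot -and $vtpm -and $vbsRunning -and $hvciRunning)
    }
}

# HVCI is not switched on merely because VBS is available. The documented manual
# switch is the DeviceGuard scenario registry value; it takes effect after a reboot.
function Enable-HvciMemoryIntegrity {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord
    Write-Output 'HVCI enabled in the registry; reboot the session host to apply it.'
}

$status = Get-TrustedLaunchGuestStatus
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning 'Session host is missing one or more Trusted Launch protections.'
}
```

Run the audit on a host created with the Trusted Launch security type; a host created as a standard Generation 1 VM will report Secure Boot and vTPM as false regardless of guest settings, so remediation there is a redeploy rather than a registry change.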

Microsoft has also acknowledged a couple of limitations. Currently, the feature does not support Azure Site Recovery, Azure Dedicated Host, nested virtualization, or certain other security capabilities. The company added that Trusted Launch in Azure Virtual Desktop currently supports a range of Linux and Windows guest operating systems; the full list is available on Microsoft's support page.