Boot integrity monitoring overview
To help Trusted Launch prevent malicious rootkit attacks on virtual machines, guest attestation through the Azure Attestation (MAA) endpoint is used to monitor the integrity of the boot sequence. This attestation is critical for establishing the validity of a platform's state. If your Azure Trusted Launch virtual machine has Secure Boot and vTPM enabled and the attestation extension installed, Microsoft Defender for Cloud verifies that the status and boot integrity of your VM are set up correctly. To learn more about the MDC integration, see the trusted launch integration with Microsoft Defender for Cloud.
Prerequisites
An active Azure subscription and a Trusted Launch virtual machine
Enable integrity monitoring
Sign in to the Azure portal.
Select the resource (Virtual Machines).
Under Settings, select Configuration. In the Security type panel, select Integrity monitoring.
Save the changes.
Now, on the virtual machine's Overview page, the security type should show integrity monitoring as enabled.
This installs the guest attestation extension, which is listed in the Extensions + applications tab under Settings.
Troubleshooting guide for guest attestation extension installation
Symptoms
The Azure Attestation extension won't work properly when customers set up a network security group or proxy. The failure shows up as an error similar to: Microsoft.Azure.Security.WindowsAttestation.GuestAttestation provisioning failed.
Solutions
In Azure, network security groups (NSGs) are used to filter network traffic between Azure resources. An NSG contains security rules that allow or deny inbound or outbound network traffic for several types of Azure resources. The guest attestation extension must be able to reach the Azure Attestation endpoint. Without access to this endpoint, Trusted Launch can't perform guest attestation, which is what allows Microsoft Defender for Cloud to monitor the integrity of your virtual machines' boot sequence.
To unblock the traffic using an NSG with service tags, add allow rules for Azure Attestation:
- Navigate to the virtual machine for which you want to allow outbound traffic.
- Under Networking in the left-hand sidebar, select the networking settings tab.
- Select Create port rule, then Add outbound port rule.
- To allow Azure Attestation, set the destination to a service tag. A service tag lets the range of IP addresses update automatically, so the allow rule keeps tracking Azure Attestation. Set the destination service tag to AzureAttestation and the action to Allow.
Note
Users can configure their source type, service, destination port ranges, protocol, priority, and name.
This service tag is a global endpoint that unblocks Azure Attestation traffic in any region.
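The same outbound rule, plus a check that it landed and that the guest attestation extension provisioned, written with Az PowerShell as an added example (this is not code from the original documentation). The resource group, VM and NSG names are placeholders, and the rule priority and destination port 443 are assumptions.

```powershell
# Added example, not from the original page. Assumes the Az.Network and
# Az.Compute modules are installed and Connect-AzAccount has already run.
$rg  = 'rg-trusted-launch'   # placeholder resource group
$vm  = 'vm-tl-01'            # placeholder Trusted Launch VM
$nsg = 'nsg-vm-tl-01'        # placeholder NSG attached to the VM's NIC or subnet

# 1. Outbound allow rule with the AzureAttestation service tag as destination
#    (the portal's "Add outbound port rule" step). Priority 100 and TCP/443 are
#    assumptions: the priority only has to beat any broader outbound deny rule.
$group = Get-AzNetworkSecurityGroup -Name $nsg -ResourceGroupName $rg
if (-not ($group.SecurityRules | Where-Object Name -eq 'AllowAzureAttestationOutbound')) {
    $group | Add-AzNetworkSecurityRuleConfig `
        -Name 'AllowAzureAttestationOutbound' `
        -Direction Outbound -Access Allow -Protocol Tcp -Priority 100 `
        -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix 'AzureAttestation' -DestinationPortRange 443 |
        Set-AzNetworkSecurityGroup | Out-Null
}

# 2. Re-read the NSG and confirm an outbound allow rule targets the service tag.
#    Using the tag rather than literal IPs means Azure keeps the ranges current.
$rule = (Get-AzNetworkSecurityGroup -Name $nsg -ResourceGroupName $rg).SecurityRules |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Access -eq 'Allow' -and
                   $_.DestinationAddressPrefix -contains 'AzureAttestation' }
if (-not $rule) { throw "No outbound allow rule for AzureAttestation on $nsg" }

# 3. Check the guest attestation extension's provisioning state. The symptom in
#    the troubleshooting section shows up here as a state other than Succeeded
#    for the Microsoft.Azure.Security.WindowsAttestation publisher (the wildcard
#    also matches the Linux attestation publisher).
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vm |
    Where-Object { $_.Publisher -like 'Microsoft.Azure.Security.*Attestation' }
if (-not $ext) {
    Write-Warning "Guest attestation extension is not installed on $vm; enable integrity monitoring first"
} else {
    "{0} ({1}): {2}" -f $ext.Name, $ext.Publisher, $ext.ProvisioningState
}
```

If the extension still reports a failed state after the rule is in place, re-running the integrity monitoring toggle from the portal reinstalls it once the endpoint is reachable.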
Next steps
Learn more about trusted launch and deploying a trusted virtual machine.