Applies to: ✔️ Linux VM ✔️ Windows VM
Azure Virtual Machines supports enabling Azure Trusted launch on existing Azure Generation 2 virtual machines (VM) by upgrading to the Trusted launch security type.
Trusted launch is a way to enable foundational compute security on Azure Generation 2 VMs and protects against advanced and persistent attack techniques like boot kits and rootkits. It does so by combining infrastructure technologies like Secure Boot, virtual Trusted Platform Module (vTPM), and boot integrity monitoring on your VM.
Prerequisites
Azure VM is configured with:
Best practices
- Enable Trusted launch on a test Generation 2 VM and determine if any changes are required to meet the prerequisites before you enable Trusted launch on Generation 2 VMs associated with production workloads.
- Create restore points for Azure Generation 2 VMs associated with production workloads before you enable the Trusted launch security type. You can use the restore points to re-create the disks and Generation 2 VM with the previous well-known state.
- For Linux VMs, validate Secure Boot compatibility using the SBInfo tool. Refer to Linux Trusted launch secure boot validation for distribution-based SBInfo installation commands.
Enable Trusted launch on an existing VM
The following steps apply to both x64 and Arm64-based Generation 2 VMs when using Trusted launch-capable images.
Note
- These steps apply equally to x64 and Arm64 Gen2 VMs.
- vTPM is enabled by default.
- Secure Boot isn't enabled by default. We strongly recommend that you enable Secure Boot if you aren't using a custom unsigned kernel or unsigned drivers. Secure Boot preserves boot integrity and enables foundational security for VMs.
Enable Trusted launch on an existing Azure Generation 2 VM by using the Azure portal.
Sign in to the Azure portal.
Confirm that the VM generation is V2 and select Stop for the VM.
On the Overview page in the VM properties, under Security type, select Standard. The Configuration page for the VM opens.
On the Configuration page, under the Security type section, select the Security type dropdown list.
Under the dropdown list, select Trusted launch. Select checkboxes to enable Secure Boot and vTPM. After you make the changes, select Save.
After the update successfully finishes, close the Configuration page. On the Overview page in the VM properties, confirm the Security type settings.
Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either the Remote Desktop Protocol (RDP) for Windows VMs or the Secure Shell Protocol (SSH) for Linux VMs.
Follow the steps to enable Trusted launch on an existing Azure Generation 2 VM by using the Azure CLI.
Make sure that you install the latest Azure CLI and are signed in to an Azure account with az login.
Sign in to the VM Azure subscription.
```bash
az cloud set -n AzureChinaCloud
az login
az account set --subscription 00000000-0000-0000-0000-000000000000
```
Deallocate the VM.
```bash
az vm deallocate \
    --resource-group myResourceGroup --name myVm
```
Enable Trusted launch by setting --security-type to TrustedLaunch.
```bash
az vm update \
    --resource-group myResourceGroup --name myVm \
    --security-type TrustedLaunch \
    --enable-secure-boot true --enable-vtpm true
```
Validate the output of the previous command. Ensure that the securityProfile configuration is returned with the command output.
```json
{
  "securityProfile": {
    "securityType": "TrustedLaunch",
    "uefiSettings": {
      "secureBootEnabled": true,
      "vTpmEnabled": true
    }
  }
}
```
Start the VM.
```bash
az vm start \
    --resource-group myResourceGroup --name myVm
```
Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
Follow the steps to enable Trusted launch on an existing Azure Generation 2 VM by using Azure PowerShell.
Make sure that you install the latest Azure PowerShell and are signed in to an Azure account with Connect-AzAccount.
Sign in to the VM Azure subscription.
```powershell
Connect-AzAccount -Environment AzureChinaCloud -SubscriptionId 00000000-0000-0000-0000-000000000000
```
Deallocate the VM.
```powershell
Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm
```
Enable Trusted launch by setting -SecurityType to TrustedLaunch.
```powershell
Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Update-AzVM -SecurityType TrustedLaunch `
        -EnableSecureBoot $true -EnableVtpm $true
```
Validate securityProfile in the updated VM configuration.
```powershell
# Following command output should be `TrustedLaunch`
(Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Select-Object -Property SecurityProfile `
        -ExpandProperty SecurityProfile).SecurityProfile.SecurityType

# Following command output should return `SecureBoot` and `vTPM` settings
(Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Select-Object -Property SecurityProfile `
        -ExpandProperty SecurityProfile).SecurityProfile.Uefisettings
```
Start the VM.
```powershell
Start-AzVM -ResourceGroupName myResourceGroup -Name myVm
```
Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
Follow the steps to enable Trusted launch on an existing Azure Generation 2 VM by using an ARM template.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
Review the template.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmsToUpgrade": {
      "type": "object",
      "metadata": {
        "description": "Specifies the list of Azure virtual machines to be upgraded to Trusted launch."
      }
    },
    "vTpmEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Specifies whether vTPM should be enabled on the virtual machine."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-11-01",
      "name": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].vmName]",
      "location": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].location]",
      "properties": {
        "securityProfile": {
          "uefiSettings": {
            "secureBootEnabled": "[parameters('vmsToUpgrade').virtualMachines[copyIndex()].secureBootEnabled]",
            "vTpmEnabled": "[parameters('vTpmEnabled')]"
          },
          "securityType": "TrustedLaunch"
        }
      },
      "copy": {
        "name": "vmCopy",
        "count": "[length(parameters('vmsToUpgrade').virtualMachines)]"
      }
    }
  ]
}
```
Edit the parameters JSON file with VMs to be updated with the TrustedLaunch security type.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmsToUpgrade": {
      "value": {
        "virtualMachines": [
          {
            "vmName": "myVm01",
            "location": "chinanorth2",
            "secureBootEnabled": true
          },
          {
            "vmName": "myVm02",
            "location": "chinanorth2",
            "secureBootEnabled": true
          }
        ]
      }
    }
  }
}
```
Parameter file definition
| Property | Description of property | Example template value |
| --- | --- | --- |
| vmName | Name of Azure Generation 2 VM. | myVm |
| location | Location of Azure Generation 2 VM. | chinanorth2 |
| secureBootEnabled | Enable Secure Boot with the Trusted launch security type. | true |
Deallocate all Azure Generation 2 VMs to be updated.
```powershell
Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm01
```
Run the ARM template deployment.
```powershell
$resourceGroupName = "myResourceGroup"
$parameterFile = "folderPathToFile\parameters.json"
$templateFile = "folderPathToFile\template.json"
New-AzResourceGroupDeployment `
    -ResourceGroupName $resourceGroupName `
    -TemplateFile $templateFile -TemplateParameterFile $parameterFile
```
Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
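The upgrade procedures above end with a manual check of the `securityProfile` returned by the CLI, PowerShell, or the portal. The following script is an added example (not Microsoft's code and not part of this page) that does the same check across a list of VMs and then builds the `parameters.json` for the ARM template from the VMs that still need upgrading. It consumes the JSON shape that `az vm show` and `az vm list` return for `securityProfile` as documented on this page; the sample list is constructed inline so the script runs offline, and it assumes that a VM that was never upgraded has no `securityProfile` (or a null one), which is labelled as an assumption in the code.

```python
"""Audit securityProfile on Azure Gen2 VMs and build the ARM parameters file.

Added example, not Microsoft's tooling. Input is the JSON array returned by
`az vm list --resource-group <rg>` (or a list of `az vm show` results).
"""
import json

# Constructed sample covering the securityProfile shapes this page shows:
#  - myVm01: plain Gen2 VM with no securityProfile (assumption: never upgraded)
#  - myVm02: Trusted launch with Secure Boot left off
#  - myVm03: Trusted launch with Secure Boot and vTPM on
#  - myVm04: rolled back to Standard (API returns null fields, as on this page)
SAMPLE_VM_LIST = json.loads("""
[
  {"name": "myVm01", "location": "chinanorth2"},
  {"name": "myVm02", "location": "chinanorth2",
   "securityProfile": {"securityType": "TrustedLaunch",
                       "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}}},
  {"name": "myVm03", "location": "chinanorth2",
   "securityProfile": {"securityType": "TrustedLaunch",
                       "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}},
  {"name": "myVm04", "location": "chinanorth2",
   "securityProfile": {"securityType": null, "uefiSettings": null}}
]
""")

PARAMETERS_SCHEMA = (
    "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"
)


def classify(vm):
    """Classify one VM record by its securityProfile.

    Returns 'standard' (no Trusted launch, whether never enabled or rolled back),
    'trustedlaunch-vtpm-off', 'trustedlaunch-secureboot-off', or 'trustedlaunch'.
    """
    profile = vm.get("securityProfile") or {}
    if profile.get("securityType") != "TrustedLaunch":
        return "standard"
    uefi = profile.get("uefiSettings") or {}
    if not uefi.get("vTpmEnabled"):
        return "trustedlaunch-vtpm-off"
    if not uefi.get("secureBootEnabled"):
        return "trustedlaunch-secureboot-off"
    return "trustedlaunch"


def audit(vms):
    """Map VM name -> classification for a whole list."""
    return {vm["name"]: classify(vm) for vm in vms}


def build_upgrade_parameters(vms, secure_boot=True):
    """Build the parameters file for the upgrade template on this page.

    Only VMs classified 'standard' are included. The securityProfile alone
    does not reveal whether such a VM was rolled back earlier, and this page
    states that a rolled-back VM cannot be re-enabled, so prune those by hand.
    """
    pending = [vm for vm in vms if classify(vm) == "standard"]
    return {
        "$schema": PARAMETERS_SCHEMA,
        "contentVersion": "1.0.0.0",
        "parameters": {
            "vmsToUpgrade": {
                "value": {
                    "virtualMachines": [
                        {
                            "vmName": vm["name"],
                            "location": vm["location"],
                            "secureBootEnabled": secure_boot,
                        }
                        for vm in pending
                    ]
                }
            }
        },
    }


if __name__ == "__main__":
    for name, state in audit(SAMPLE_VM_LIST).items():
        print(f"{name}: {state}")
    print(json.dumps(build_upgrade_parameters(SAMPLE_VM_LIST), indent=2))
```

In practice, replace `SAMPLE_VM_LIST` with `json.load()` over the output of `az vm list --resource-group myResourceGroup`, write the returned dictionary to `parameters.json`, and deallocate the listed VMs before running `New-AzResourceGroupDeployment` as described above. A VM reported as `trustedlaunch-secureboot-off` is already on Trusted launch and only needs `--enable-secure-boot true` (or `-EnableSecureBoot $true`), not the template.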
Roll back
To roll back from Trusted launch to the previous Gen2 known-good configuration, set the VM's securityType to Standard.
Important
Rolling back Trusted launch to Gen2 (Non-Trusted launch) configuration is a one-way operation. After you roll back to Gen2 (Non-Trusted launch) configuration, you can't re-enable Trusted launch on the same VM.
Rollback of Trusted launch to Gen2 (Non-Trusted launch) configuration is currently not supported in the Azure portal.
To roll back from Trusted launch to the previous known-good configuration, set securityType to Standard and clear uefiSettings in the securityProfile, as shown below for the sample template used for the Trusted launch upgrade.
Note
Use Microsoft.Compute API version 2025-11-01+ to roll back changes from Trusted launch to Gen2 (Non-Trusted launch) configuration.
```json
"securityProfile": {
  "securityType": "Standard",
  "uefiSettings": "[null()]"
}
```
Follow the steps to disable Trusted launch on an existing Azure Generation 2 VM by using the Azure CLI.
Make sure that you install the latest Azure CLI and are signed in to an Azure account with az login.
Note
Use Azure CLI version 2.86.0 or later to roll back changes from Trusted launch to Gen2 (Non-Trusted launch) configuration.
Sign in to the VM Azure subscription.
```bash
az cloud set -n AzureChinaCloud
az login
az account set --subscription 00000000-0000-0000-0000-000000000000
```
Deallocate the VM.
```bash
az vm deallocate \
    --resource-group myResourceGroup --name myVm
```
Disable Trusted launch by setting --security-type to Standard.
```bash
az vm update \
    --resource-group myResourceGroup --name myVm \
    --security-type Standard
```
Validate the output of the previous command. Ensure that the securityProfile configuration is returned with the command output.
```json
{
  "securityProfile": {
    "securityType": null,
    "uefiSettings": null
  }
}
```
Start the VM.
```bash
az vm start \
    --resource-group myResourceGroup --name myVm
```
To roll back from Trusted launch to the previous known-good configuration with Azure PowerShell, set -SecurityType to Standard as shown.
Note
Use Azure PowerShell version 15.6.1 or later to roll back changes from Trusted launch to Gen2 (Non-Trusted launch) configuration.
Sign in to the VM Azure subscription.
```powershell
Connect-AzAccount -Environment AzureChinaCloud -SubscriptionId 00000000-0000-0000-0000-000000000000
```
Deallocate the VM.
```powershell
Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm
```
Disable Trusted launch by setting -SecurityType to Standard.
```powershell
Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Update-AzVM -SecurityType Standard
```
Validate securityProfile in the updated VM configuration.
```powershell
# Following command output should be `null`
# (resource group and VM name go to their matching parameters)
(Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
    | Select-Object -Property SecurityProfile `
        -ExpandProperty SecurityProfile).SecurityProfile.SecurityType
```
Start the VM.
```powershell
Start-AzVM -ResourceGroupName myResourceGroup -Name myVm
```
Azure Advisor Recommendation
Azure Advisor populates an "Enable Trusted launch foundational excellence, and modern security for Existing Generation 2 VM(s)" operational excellence recommendation for existing Generation 2 VMs to adopt Trusted launch, a higher security posture for Azure VMs at no extra cost to you. Ensure that the Generation 2 VM meets all prerequisites to migrate to Trusted launch, and follow all the best practices, including validation of the OS image and VM size and creating restore points. For the Advisor recommendation to be considered complete, follow the steps outlined in Enable Trusted launch on an existing VM to upgrade the virtual machine's security type and enable Trusted launch.
What if there are Generation 2 VMs that don't meet the prerequisites for Trusted launch?
For a Generation 2 VM that doesn't meet the prerequisites to upgrade to Trusted launch, look at how to fulfill the prerequisites. For example, if the VM uses a size that isn't supported, look for an equivalent size that supports Trusted launch.
Note
Dismiss the recommendation if the Gen2 virtual machine is configured with a VM size family that isn't currently supported with Trusted launch, such as the MSv2-series.
Related content