
Trusted Launch Default – PowerShell & CLI

Introduction

We would like to inform you of the upcoming change to the default security type for new virtual machines (VMs), virtual machine scale sets (VMSS), and OS disk resource deployments in Azure. After the change, deployments will default to a Trusted Launch (TL) compatible OS image and to the Trusted Launch security type. This change is part of our ongoing efforts to improve the foundational security of our cloud computing platform.

 

This change takes effect in Azure PowerShell (PS) and the Azure command-line interface (CLI) with the November 2023 release, and affects all new Azure VM, VMSS and managed OS disk deployments.

 

What is Trusted Launch?

Trusted Launch VMs provide you with foundational compute security by enabling the following capabilities:

  • Secure Boot: protects the OS against rootkits and bootkits.
  • vTPM: serves as a dedicated secure vault for keys and measurements, enabling attestation by measuring the entire boot chain of your VM.
  • Boot Integrity Monitoring: the guest attestation extension enables proactive attestation and monitoring of the boot integrity of your VMs.

Trusted Launch enhances the security posture of a VM through cryptographic verification that ensures the VM boots into a desired secure state, protecting it from attacks that modify operating system processes. This maintains the trust of the guest OS and adds defence-in-depth. It is essential for maintaining compliance with various regulatory requirements, including Azure Security Benchmark, FedRAMP, Cloud Computing SRG (STIG), HIPAA, PCI-DSS, and others.

 

What does this mean for Azure PS & CLI Users?

The Azure PowerShell module and the Azure CLI client tools (including Cloud Shell) will default new VM and VMSS deployments to Trusted Launch. The PS & CLI client tools will not override inputs that you provide explicitly in deployment commands.

 

Existing behavior

Before November 2023, the following commands create new VMs/VMSS without Trusted Launch.

 

PowerShell

# Virtual Machines
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVM -Name MyVm -Credential $vmCred

# Virtual Machine Scale Sets
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME'

To create a VM or VMSS with the TrustedLaunch security type, you need to add the following parameters to the PowerShell commands:

# Virtual Machines
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVM -Name MyVm -Credential $vmCred -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true

# Virtual Machine Scale Sets
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME' -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true

CLI

# Virtual Machines
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204

To create a VM or VMSS with the TrustedLaunch security type, you need to add the following parameters to the CLI commands:

# Virtual Machines
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'TrustedLaunch' --enable-secure-boot true --enable-vtpm true

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'TrustedLaunch' --enable-secure-boot true --enable-vtpm true


New behavior

Starting November 2023, the following commands create new VMs/VMSS with Trusted Launch.

 

PowerShell

# Virtual Machines
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVM -Name MyVm -Credential $vmCred

# Virtual Machine Scale Sets
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME'

To continue deploying VMs/VMSS without Trusted Launch, you need to run the PowerShell commands with the additional parameter -SecurityType Standard, supported from Azure PowerShell version 10.3.0:

# Virtual Machines
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVM -Name MyVm -Credential $vmCred -SecurityType Standard

# Virtual Machine Scale Sets
$adminUsername = "<USER NAME>"
$adminPassword = "<PASSWORD>" | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME' -SecurityType Standard

CLI

# Virtual Machines
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204

To continue deploying VMs/VMSS without Trusted Launch, you need to run the CLI commands with the additional parameter --security-type Standard, supported from Azure CLI version 2.51.0:

# Virtual Machines
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'Standard'

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'Standard'

 

 
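Because the new default only applies where the command did not specify a security type, it is worth checking what your deployments actually produced. The following Python script is an added example, not part of the original post or of any Microsoft tooling: it audits the JSON printed by `az vm list`, reporting for each VM its security type, whether Secure Boot and vTPM are both enabled, and whether its OS image is still one of the Gen1 marketplace URNs that the image aliases listed later on this page resolve to before the change. It assumes the property names securityProfile.securityType, securityProfile.uefiSettings.secureBootEnabled, securityProfile.uefiSettings.vTpmEnabled and storageProfile.imageReference as returned by Azure CLI; the sample VM list is constructed.

```python
import json

# Gen1 URNs (publisher:offer:sku) that the page's image aliases resolve to
# before the change; VMs still on one of these were built from an old alias.
GEN1_ALIAS_URNS = {
    "OpenLogic:CentOS:7.5",
    "Debian:debian-10:10",
    "Kinvolk:flatcar-container-linux-free:stable",
    "RedHat:RHEL:7-LVM",
    "Canonical:UbuntuServer:18.04-LTS",
    "MicrosoftWindowsServer:WindowsServer:2019-Datacenter",
    "MicrosoftWindowsServer:WindowsServer:2016-Datacenter",
}

def image_urn(vm):
    """Marketplace URN of the OS image, or None for ACG, managed-image or resource-ID sources."""
    ref = (vm.get("storageProfile") or {}).get("imageReference") or {}
    if not all(ref.get(k) for k in ("publisher", "offer", "sku")):
        return None
    return f"{ref['publisher']}:{ref['offer']}:{ref['sku']}"

def audit_vm(vm):
    """Summarise one VM object from `az vm list`; securityProfile is absent/null on Standard VMs."""
    sp = vm.get("securityProfile") or {}
    uefi = sp.get("uefiSettings") or {}
    sec_type = sp.get("securityType") or "Standard"
    secure_boot = bool(uefi.get("secureBootEnabled"))
    vtpm = bool(uefi.get("vTpmEnabled"))
    return {
        "name": vm["name"],
        "securityType": sec_type,
        "trustedLaunchComplete": sec_type == "TrustedLaunch" and secure_boot and vtpm,
        "gen1AliasImage": image_urn(vm) in GEN1_ALIAS_URNS,
    }

def audit(vm_list_json):
    """One summary per VM for the JSON text that `az vm list` prints."""
    return [audit_vm(vm) for vm in json.loads(vm_list_json)]

# Constructed sample shaped like `az vm list` output (not captured from Azure).
SAMPLE = json.dumps([
    {"name": "tl-ok", "securityProfile": {"securityType": "TrustedLaunch",
        "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}},
     "storageProfile": {"imageReference": {"publisher": "Canonical", "offer": "UbuntuServer", "sku": "18_04-LTS-gen2"}}},
    {"name": "legacy", "storageProfile": {"imageReference": {"publisher": "OpenLogic", "offer": "CentOS", "sku": "7.5"}}},
    {"name": "tl-partial", "securityProfile": {"securityType": "TrustedLaunch",
        "uefiSettings": {"secureBootEnabled": False, "vTpmEnabled": True}},
     "storageProfile": {"imageReference": {"id": "<MANAGED-IMAGE-RESOURCE-ID>"}}},
])
```

Against a real subscription, save `az vm list -o json > vms.json` and call `audit(open("vms.json").read())`; rows with trustedLaunchComplete false or gen1AliasImage true are the ones to review.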

What do I need to do?

Our goal is to make this transition as seamless for you as possible. However, you need to act before implementation (November 2023) if your VMs/VMSS are deployed using Azure PowerShell or CLI and:

  1. The deployment references a VM size whose Trusted Launch support is still planned, or
  2. Backup for the newly deployed VMs is enabled using the Standard policy, or
  3. The deployment depends on a feature whose Trusted Launch support is still planned.

 

VM size with planned support for Trusted Launch

You need to update the VM size in your VM/VMSS deployment code to a VM size that supports Trusted Launch. Alternatively, target the Standard security type (described above) if the given VM size is a must-have for your application functionality.

 

Refer to the list of VM size families with Trusted Launch support planned for more details.

 

Enabling backup for new VMs

You need to update the policy name to target a policy of type Enhanced Policy. Alternatively, target the Standard security type (described above) if the Standard backup policy is a must-have for your application backup/restore requirements.

 

PowerShell:

Enable backup for Azure VM using PS.

# The policy and protection cmdlets need a vault reference; the vault name here
# is the same one used in the CLI example below.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "myResourceGroup" -Name "myRecoveryServicesVault"
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "EnhancedPolicy" -VaultId $vault.ID
Enable-AzRecoveryServicesBackupProtection `
    -ResourceGroupName "myResourceGroup" `
    -Name "myVM" `
    -Policy $policy `
    -VaultId $vault.ID

CLI

Enable backup for Azure VM using CLI.

az backup protection enable-for-vm \
    --resource-group myResourceGroup \
    --vault-name myRecoveryServicesVault \
    --vm myVM \
    --policy-name EnhancedPolicy


Feature with planned support for Trusted Launch

You need to update the VM/VMSS deployment code to target the Standard security type (described above) if the given feature is a must-have for your application functionality.

 

Refer to the list of features with Trusted Launch support planned for more details.

 

How are the Azure PS & CLI Trusted Launch defaults implemented?

The Azure PowerShell and CLI client tools implement the Trusted Launch default using the following parameters and scenarios.

 

VM/VMSS Parameter – OS Image

The Trusted Launch security configuration is applied to Gen2 OS images.

 

After the change, all image aliases listed below will redirect to the equivalent Gen2, Trusted Launch-capable OS image.

Image Alias        Current Image URN                                      Post Implementation Image URN
CentOS             OpenLogic:CentOS:7.5                                   OpenLogic:CentOS:7_5-gen2
Debian             Debian:debian-10:10                                    Debian:debian-10:10-gen2
Flatcar            Kinvolk:flatcar-container-linux-free:stable            Kinvolk:flatcar-container-linux-free:stable-gen2
RHEL               RedHat:RHEL:7-LVM                                      RedHat:RHEL:7lvm-gen2
UbuntuLTS          Canonical:UbuntuServer:18.04-LTS                       Canonical:UbuntuServer:18_04-LTS-gen2
Win2019Datacenter  MicrosoftWindowsServer:WindowsServer:2019-Datacenter   MicrosoftWindowsServer:WindowsServer:2019-datacenter-gensecond
Win2016Datacenter  MicrosoftWindowsServer:WindowsServer:2016-Datacenter   MicrosoftWindowsServer:WindowsServer:2016-datacenter-gensecond

 

No redirection applies to Azure Compute Gallery OS images, managed images, or Marketplace OS images that you reference by resource ID.

 

Disk CreateOption Parameter – FromImage

The Trusted Launch security configuration is applied if the disk resource being created is of OS type (Windows | Linux) and its CreateOption is FromImage. The source OS image is validated for Trusted Launch support as described under VM/VMSS Parameter – OS Image above.

 

How will my existing VMs be affected?

This change will not impact existing Azure VMs and VMSS already running in your environment.

 

Frequently Asked Questions


I am currently using VM/VMSS without Trusted Launch and would like to start using Trusted Launch for new deployments.

Please update your PowerShell or CLI deployment scripts to specify the “TrustedLaunch” security type (-SecurityType TrustedLaunch in PowerShell, --security-type TrustedLaunch in CLI). Refer to Deploy a VM with Trusted Launch enabled for more details.

 

I am already using VM/VMSS with Trusted Launch.
No action is required, your VM/VMSS deployments will continue with defined Trusted Launch configuration.


I am currently using VM/VMSS without Trusted Launch and would like to continue using the non-Trusted Launch configuration after November 2023.
Please update your PowerShell or CLI deployment scripts to specify the “Standard” security type to maintain the existing behavior of your VM/VMSS. We recommend making this update as soon as possible to avoid any unintended behavior after the change.

 

My VMs/VMSS are deployed using Azure Compute Gallery and I would like to start using Trusted Launch for new deployments.
You need to create a new Gen2 (UEFI) ACG OS image definition with SecurityType TrustedLaunchSupported and use the new image definition with securityType “TrustedLaunch” for new VM/VMSS deployments.

 

My VMs/VMSS are deployed using a managed image and I would like to start using Trusted Launch for new deployments.
For the most current technology, we encourage you to use Azure Compute Gallery. If you have an existing managed image, you can use it as the source to create an Azure Compute Gallery image. For more information, see Create an image definition and image version.

 

Conclusion

We treat the security of our cloud computing platform as a priority, and this change is an important step towards ensuring that Azure VMs provide a more secure environment for your applications and services. We encourage you to take the necessary steps to prepare for this change.


If you have any questions or concerns about this change, please do not hesitate to reach out to our support team for assistance.
