Modern malware is crafted to hide on a virtual machine and has the potential to remain in place for a long time if it's undetected. These persistent malwares such as boot kits and rootkits are so sophisticated that they can run with the same kernel-mode privileges as the operating system they infect. With malware intercepting and modifying operating system processes, information and resources can be easily stolen, undermining trust in information on your virtual machines.
Earlier this year, we introduced Trusted Launch for public preview. Several customers have tried Trusted Launch for a variety of workloads and love the improved security posture of virtual machines. Today, we are excited to announce general availability of Trusted Launch that customers can leverage for their virtual machines to help prevent boot kit and rootkit infections.
Trusted Launch, which is available for all Azure Generation 2 VM hardens your Azure workloads with security features that allow administrators to deploy virtual machines with verified and signed bootloaders, OS kernels, and a boot policy. This is accomplished via Trusted Launch features: secure boot, vTPM, and boot integrity monitoring that protect against boot kits, rootkits, and kernel-level malware.
- Secure Boot protects against the installation of malware-based rootkits and boot kits and only allows signed OSes and drivers to boot.
- Virtual TPM (vTPM) allows customers to protect keys, certificates, and secrets in the virtual machine.
- Measured Boot examines and verifies the authenticity of bootloader’s signature and performs integrity measurement of the entire boot chain.
- Boot integrity monitoring via Microsoft Azure Attestation and Azure Security Center generates integrity alerts, recommendations, and remediations if remote attestation fails.
Trusted Launch is a foundational offering of Azure Confidential Computing (ACC) family. In the spectrum of ACC offerings, Trusted Launch provides a simple and easy way to improve VM security posture and confidentiality with no modification to your workload. To learn how to incorporate the full range of ACC offerings more information can be found on ACC documentation.
Mediterranean Shipping Company (MSC), one of the largest shipping companies in the world, runs its global compute infrastructure on Trusted Launch.
“As UEFI boot kits and rootkits are increasingly becoming the tools for cybersecurity attacks, Azure Trusted Launch VM provides our administrators confidence and ability to securely migrate to Azure while ensuring the integrity of our kernel level components. Azure Trusted Launch comes with comprehensive features of secure boot, measured boot, and remote attestation as well as seamless user experience.” – Aaron Shvarts, CISO, MSC Technology (NA)
Windows 365 CloudPC is a ‘Windows in the Cloud’ service available exclusively in Azure Cloud that allows business and enterprise users a personalized PC in the cloud.
“Trusted Launch has been instrumental for Windows 365 Cloud PC (a new simplified Cloud service to use Windows in the Cloud, on any device) in order to support Windows 11 and Windows 10 upgrades to Windows 11 across all Azure regions we support. Adding more baseline security capabilities for our customer has been one of the reasons why we decided to be one of the first adopters of this service.” – Christiaan Brinkhoff, Principal Program Manager, Windows 365 Engineering
Trusted Launch is available in all Azure public cloud regions with no additional cost and supports the most commonly used operating systems images.
To learn more and get started with Trusted Launch and ACC offerings, visit the following documentation pages:
If you’d like to engage further with the ACC team, please contact us at Azure Confidential PMs.