Security upgrades shouldn’t be complicated. With in-place upgrade for Trusted Launch now available, you can instantly boost the protection of your Azure Virtual Machines and Scale Sets—without downtime or complex migrations. Whether you're running Gen1 (BIOS) or Gen2 (UEFI) resources, this upgrade helps you stay ahead of modern threats by enabling foundational security features like Secure boot with minimal effort.
Introduction
We’re excited to announce that Trusted Launch in-place upgrade support is now available to help you strengthen the security of your Azure virtual machines and scale set resources—without the need for complex migrations or rebuilds.
- Generally available for existing Gen1 & Gen2 virtual machines (VMs), and for Gen1 & Gen2 VM Uniform scale sets
- In private preview for Gen1 & Gen2 VM Flex scale sets
Trusted launch is Microsoft's recommended way to secure the boot chain, from the Unified Extensible Firmware Interface (UEFI) firmware through the bootloader into the kernel (the Trusted Boot sequence on Windows guests). Secure Boot refuses to run unsigned or tampered boot components, so bootkit malware cannot insert itself ahead of the operating system and your workloads start in a verified, uncompromised state. A VM running without Trusted launch leaves exactly that stage of the boot unprotected, which is why this upgrade is essential rather than merely beneficial.
By leveraging in-place upgrade support, you can seamlessly enhance foundational security for your existing virtual machine and scale set resources with Trusted launch at no additional cost, ensuring protection against modern threats and readiness for future compliance needs.
What is Trusted launch?
Trusted Launch is a built-in Azure virtual machine and scale set capability that helps protect your virtual machines from advanced threats—right from the moment they start.
It adds a layer of foundational security to your VMs by enabling:
- Secure Boot: Prevents unauthorized code like rootkits and bootkits from loading during startup.
- vTPM: Acts as a secure vault for encryption keys and boot measurements, enabling attestation of your VM’s integrity.
- Boot Integrity Monitoring: Guest attestation extension continuously checks that your VM boots into a trusted, uncompromised state.
Trusted Launch strengthens a VM's security posture through cryptographic verification of the boot chain: each component is checked before it runs, so the VM reaches the operating system in a known-good state and attacks that tamper with the bootloader, kernel or early operating system processes are blocked or surfaced through attestation. This preserves trust in the guest OS and adds defense in depth. It also helps meet regulatory requirements such as the Azure Security Benchmark, FedRAMP, the Cloud Computing SRG (STIG), HIPAA, PCI-DSS, and others.
It’s a simple yet powerful way to enhance foundational security of your virtual machine and scale set resources—without changing how you deploy or manage your workloads.
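To confirm that the three properties above are actually in effect, the following check can be run inside a Windows guest after the upgrade. It is an added example written for this page, not code from the original post or from Microsoft; it uses only built-in Windows cmdlets (Confirm-SecureBootUEFI, Get-Tpm) and the firmware_type environment variable, and it assumes an elevated session so the TPM can be queried. Linux guests answer the same questions with `mokutil --sb-state` and the presence of /dev/tpm0.

```powershell
# Added example, not part of the original post: verify from inside a Windows guest that the
# Trusted launch properties described above (UEFI firmware, Secure Boot, a TPM 2.0 device)
# are in effect. Built-in cmdlets only; run elevated so Get-Tpm can reach the TPM.
function Test-TrustedLaunchGuestState {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # $env:firmware_type is 'UEFI' on a Gen2 guest and 'Legacy' on a Gen1 (BIOS) guest.
    $firmware = $env:firmware_type

    # Secure Boot state. Confirm-SecureBootUEFI throws on BIOS-booted systems, so a Gen1
    # guest is reported as a finding instead of being mistaken for "Secure Boot off".
    $secureBoot = $false
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI)
        if (-not $secureBoot) { $findings.Add('UEFI firmware, but Secure Boot is disabled') }
    } catch {
        $findings.Add("Secure Boot state unavailable: $($_.Exception.Message)")
    }

    # vTPM: Trusted launch presents a TPM 2.0 to the guest. TpmPresent is the device check;
    # TpmReady means Windows has provisioned it and can seal keys and record boot measurements.
    $tpmPresent = $false
    $tpmReady   = $false
    try {
        $tpm = Get-Tpm
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
        if (-not $tpmPresent)   { $findings.Add('No TPM device visible: vTPM is not enabled') }
        elseif (-not $tpmReady) { $findings.Add('TPM present but not ready: provisioning incomplete') }
    } catch {
        $findings.Add("Get-Tpm failed (run elevated?): $($_.Exception.Message)")
    }

    [pscustomobject]@{
        FirmwareType       = $firmware
        SecureBoot         = $secureBoot
        TpmPresent         = $tpmPresent
        TpmReady           = $tpmReady
        TrustedLaunchState = ($firmware -eq 'UEFI' -and $secureBoot -and $tpmPresent -and $tpmReady)
        Findings           = $findings
    }
}

Test-TrustedLaunchGuestState | Format-List
```

A Gen1 guest fails the firmware check and lands in the Secure Boot catch block; a Gen2 guest that was never switched to Trusted launch typically shows UEFI firmware with Secure Boot off and no TPM. Only the combination of all four properties indicates the boot chain is protected end to end.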
Upgrade security of existing VMs and Scale sets to Trusted launch
The following table summarizes the high-level steps for the Trusted launch upgrade of Gen1 and Gen2 VMs and Scale sets, with a link to the public documentation that contains the detailed steps.
| Resource type | High level steps |
| --- | --- |
| Gen1 virtual machine | Learn more: Upgrade existing Azure Gen1 VMs to Trusted launch |
| Gen2 virtual machine | Learn more: Enable Trusted launch on existing Azure Gen2 VMs |
| Virtual machine scale set | Learn more: Upgrade existing Azure Scale set to Trusted launch |
Conclusion
We treat the security of our cloud platform as a priority, and this change is an important step toward ensuring that Azure VMs provide a more secure environment for your applications and services.
Upgrading your Azure VMs and Scale Sets to Trusted Launch is a simple yet powerful way to strengthen foundational infrastructure security—without disrupting your existing workloads.
With in-place upgrade support now available, you can take advantage of foundational security features like Secure Boot and vTPM to protect against modern threats and meet compliance requirements—all at no additional cost.
Next steps
Whether you're running Gen1 (BIOS) or Gen2 (UEFI) VM resources, don’t wait to secure your infrastructure—upgrade your VMs and Scale-sets to Trusted Launch today. This upgrade can be completed with minimal effort and downtime.
- Upgrade your Gen1 VMs to Trusted Launch using generally available upgrade support with step-by-step guide.
- Upgrade your Gen2 VMs to Trusted Launch using generally available upgrade support with step-by-step guide.
- Upgrade your Gen1 or Gen2 Uniform Scale sets to Trusted launch using generally available upgrade support with step-by-step guide.
- For Gen1 or Gen2 Flex Scale sets, private preview access is now open – sign-up for preview and get early access to Trusted launch upgrade experience for Flex scale sets.
Trusted launch is your first line of defence against bootkit malware, and upgrading ensures your VMs meet modern security and compliance standards. Act now to protect your workloads and make them resilient against future threats.
Frequently Asked Questions
Are all upgrade features generally available?
The following table summarizes the status of each upgrade feature:
| Trusted launch upgrade support for resource type | Status | Learn more |
| --- | --- | --- |
| Gen1 virtual machine | Generally available | Upgrade existing Azure Gen1 VMs to Trusted launch |
| Gen2-only virtual machine | Generally available | Enable Trusted launch on existing Azure Gen2 VMs |
| Scale set (Uniform) | Generally available | Upgrade existing Azure Scale set to Trusted launch |
| Scale set (Flex) | Private preview | Sign-up for preview at Enable Trusted Launch on Existing Flex Scale Sets (PREVIEW) |
What are the pre-requisites to enable Trusted launch?
Before planning an upgrade of an existing VM or Scale set to Trusted launch, ensure that:
- The VM size of the VM or Scale set is supported for Trusted launch. If it is not, change to a supported size before the upgrade.
- The VM or Scale set runs an operating system supported with Trusted launch. For Scale sets, the OS image reference can be changed to a supported version as part of the Trusted launch upgrade.
- The VM or Scale set does not depend on Azure features that are not yet supported with Trusted launch.
- Azure Backup, if enabled for the VM, is configured with the Enhanced Backup policy. Existing Azure VM backups can be migrated from the Standard to the Enhanced policy.
- Azure Site Recovery (ASR) replication, if enabled for the VM, is disabled before the upgrade. Re-enable replication after the Trusted launch upgrade completes.
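The checks above, followed by the in-place switch for a Gen2 VM, as an added example written for this page (not code from the original post or from Microsoft's upgrade guides). It assumes an authenticated Azure PowerShell session with Az.Compute and Az.RecoveryServices loaded; the resource group and VM names are placeholders. Two details are assumptions rather than facts stated on this page: VM sizes that do not support Trusted launch are identified by the `TrustedLaunchDisabled` capability in the compute SKU catalog, and ASR replication is detected heuristically by the presence of an extension published under `Microsoft.Azure.RecoveryServices.*`. The Gen1 path is not scripted here because this page defers it to the Gen1 upgrade guide.

```powershell
# Added example, not from the original post: pre-flight check of the prerequisites listed
# above, then (with -Apply) the in-place Trusted launch enable for a Gen2 VM.
# Placeholder names; requires Connect-AzAccount, Az.Compute and Az.RecoveryServices.
param(
    [string]$ResourceGroupName = 'rg-example',   # placeholder
    [string]$VMName            = 'vm-example',   # placeholder
    [switch]$Apply                               # omit to report only, nothing is changed
)
$ErrorActionPreference = 'Stop'
$problems = [System.Collections.Generic.List[string]]::new()

$vm   = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$view = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Status

if ($vm.SecurityProfile.SecurityType -eq 'TrustedLaunch') {
    Write-Host "$VMName already has SecurityType=TrustedLaunch; nothing to do"
    return
}

# Prerequisite: the in-place switch applies to Gen2 (UEFI) guests only.
if ($view.HyperVGeneration -ne 'V2') {
    $problems.Add("HyperVGeneration=$($view.HyperVGeneration): a Gen1 (BIOS) guest needs the Gen1 upgrade guide, not this in-place switch")
}

# Prerequisite: the VM size must support Trusted launch. Assumption: unsupported sizes carry
# the 'TrustedLaunchDisabled' capability with value 'True' in the compute SKU catalog.
$sku = Get-AzComputeResourceSku -Location $vm.Location |
    Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $vm.HardwareProfile.VmSize }
$flag = $sku.Capabilities | Where-Object Name -eq 'TrustedLaunchDisabled'
if ($flag -and $flag.Value -eq 'True') {
    $problems.Add("Size $($vm.HardwareProfile.VmSize) does not support Trusted launch; resize first")
}

# Prerequisite: Azure Backup, if enabled, must use the Enhanced policy. The status cmdlet only
# reports whether the VM is protected, so the policy type is left as a manual vault check.
$bkp = Get-AzRecoveryServicesBackupStatus -Name $VMName -ResourceGroupName $ResourceGroupName -Type AzureVM
if ($bkp.BackedUp) {
    Write-Warning "VM is protected by vault $($bkp.VaultId): confirm its policy is the Enhanced policy before upgrading"
}

# Prerequisite: ASR replication must be off. Heuristic (assumption): the mobility agent is
# installed as an extension whose publisher starts with Microsoft.Azure.RecoveryServices.
$asr = $vm.Extensions | Where-Object { $_.Publisher -like 'Microsoft.Azure.RecoveryServices*' }
if ($asr) {
    $problems.Add("ASR extension '$($asr.Name)' present: disable replication first, re-enable after the upgrade")
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Prerequisites not met for $VMName"
}
if (-not $Apply) {
    Write-Host "Prerequisite checks passed for $VMName; rerun with -Apply to upgrade"
    return
}

# Best practice from the FAQ: a restore point captures the pre-upgrade disks for roll-back.
$rpcName = "$VMName-rpc"
$rpc = Get-AzRestorePointCollection -ResourceGroupName $ResourceGroupName -Name $rpcName -ErrorAction SilentlyContinue
if (-not $rpc) {
    $rpc = New-AzRestorePointCollection -ResourceGroupName $ResourceGroupName -Name $rpcName -VmId $vm.Id -Location $vm.Location
}
$stamp = Get-Date -Format 'yyyyMMddHHmm'
New-AzRestorePoint -ResourceGroupName $ResourceGroupName -RestorePointCollectionName $rpc.Name -Name "pre-trustedlaunch-$stamp" | Out-Null

# The security type can only change while the VM is deallocated.
Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Force | Out-Null
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true | Out-Null
Start-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName | Out-Null

# Read the profile back rather than trusting the update call succeeded.
$after = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
[pscustomobject]@{
    VM           = $VMName
    SecurityType = $after.SecurityProfile.SecurityType
    SecureBoot   = $after.SecurityProfile.UefiSettings.SecureBootEnabled
    vTPM         = $after.SecurityProfile.UefiSettings.VTpmEnabled
}
```

Run it once without -Apply against a test VM to see which prerequisites fail, fix those (resize, migrate the backup policy, disable ASR), then rerun with -Apply. The final object should show SecurityType TrustedLaunch with both SecureBoot and vTPM True; an in-guest check of Secure Boot and the TPM confirms the guest actually booted with them.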
What are the best practices to consider before upgrade?
We recommend following certain best practices before you execute the upgrade to Trusted launch for VMs and Scale set hosting production workloads:
- Review the step-by-step guide published for Gen1 and Gen2 VM and Scale set including known limitations, issues, roll-back steps.
- Enable Trusted launch on a test VM or Scale set and determine if any changes are required to meet the prerequisites.
- Create restore points for VMs associated with production workloads before you enable the Trusted launch security type. You can use the restore points to re-create the disks and VM with the previous well-known state.
Can I enable Trusted launch without changing OS from Gen1 (BIOS) to Gen2 (UEFI)?
Trusted launch security capabilities (Secure Boot, vTPM) can only be enabled for a Gen2, UEFI-based operating system; they cannot be enabled for a Gen1, BIOS-based operating system. The Gen1 upgrade path therefore brings the VM to a Gen2 (UEFI) configuration as part of enabling Trusted launch, which is why the roll-back options for Gen1 and Gen2 differ.
How will my new or other VMs or Scale set be affected?
The upgrade is executed on specific VM or Scale set resource only. It does not impact new or other existing Azure VMs, Scale set clusters already running in your environment.
Can I roll back Trusted launch upgrade to Gen1 (BIOS) configuration?
For virtual machines, you can roll back a Trusted launch upgrade to a Gen2 VM without Trusted launch. You cannot roll back in place from Trusted launch to a Gen1 VM.
- To restore the Gen1 configuration, restore the entire VM and its disks from the backup or restore point taken before the upgrade.
- For scale sets, you can roll back to the previous known-good configuration, including the Gen1 configuration.