Azure Compute Blog

Increase security for Azure VMs: Trusted launch in-place upgrade support now available!

AjKundnani (Microsoft)
Sep 04, 2025
Security upgrades shouldn’t be complicated. With in-place upgrade for Trusted Launch now available, you can instantly boost the protection of your Azure Virtual Machines and Scale Sets—without downtime or complex migrations. Whether you're running Gen1 (BIOS) or Gen2 (UEFI) resources, this upgrade helps you stay ahead of modern threats by enabling foundational security features like Secure boot with minimal effort.

Introduction

We’re excited to announce that Trusted Launch in-place upgrade support is now available to help you strengthen the security of your Azure virtual machines and scale set resources—without the need for complex migrations or rebuilds.

  • Generally available for existing Gen1 & Gen2 virtual machines (VMs), and for Gen1 & Gen2 VM Uniform scale sets
  • In private preview for Gen1 & Gen2 VM Flex scale sets

Trusted launch is strongly recommended by Microsoft as the secure path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel Trusted Boot sequence. It helps prevent bootkit malware in the boot process, ensuring your workloads start in a verified and uncompromised state. Disabling Trusted launch puts your infrastructure at risk of bootkit infections, making this upgrade not just beneficial—but essential.

By leveraging in-place upgrade support, you can seamlessly enhance foundational security for your existing virtual machine and scale set resources with Trusted launch at no additional cost, ensuring protection against modern threats and readiness for future compliance needs.

What is Trusted launch?

Trusted Launch is a built-in Azure virtual machine and scale set capability that helps protect your virtual machines from advanced threats—right from the moment they start.

It adds a layer of foundational security to your VMs by enabling:

  • Secure Boot: Prevents unauthorized code like rootkits and bootkits from loading during startup.
  • vTPM: Acts as a secure vault for encryption keys and boot measurements, enabling attestation of your VM’s integrity.
  • Boot Integrity Monitoring: Guest attestation extension continuously checks that your VM boots into a trusted, uncompromised state.
(Figure: Trusted launch security features.)

Trusted Launch enhances the security posture of a VM through cryptographic verification and ensures the VM boots to the desired secure state, protecting it from attacks that modify operating system processes. This maintains the trust of the guest OS and adds defense in depth. It is essential for maintaining compliance with various regulatory requirements, including Azure Security Benchmark, FedRAMP, Cloud Computing SRG (STIG), HIPAA, PCI-DSS, and others.

It’s a simple yet powerful way to enhance foundational security of your virtual machine and scale set resources—without changing how you deploy or manage your workloads.

Upgrade security of existing VMs and Scale sets to Trusted launch

The following table summarizes the high-level steps associated with the Trusted launch upgrade of Gen1 and Gen2 VMs and Scale sets, with a link to the public documentation that contains the detailed steps. (The step diagrams from the original table are not reproduced here; each row keeps its documentation link.)

Resource type / High level steps

  • Gen1 virtual machine: [high-level steps diagram]. Learn more: Upgrade existing Azure Gen1 VMs to Trusted launch
  • Gen2 virtual machine: [high-level steps diagram]. Learn more: Enable Trusted launch on existing Azure Gen2 VMs
  • Virtual machine scale set: [high-level steps diagram]. Learn more: Upgrade existing Azure Scale set to Trusted launch

Conclusion

We treat the security of our cloud computing platform as a priority, and this change is an important step towards ensuring that Azure VMs provide a more secure environment for your applications and services.

Upgrading your Azure VMs and Scale Sets to Trusted Launch is a simple yet powerful way to strengthen foundational infrastructure security—without disrupting your existing workloads.

With in-place upgrade support now available, you can take advantage of foundational security features like Secure Boot and vTPM to protect against modern threats and meet compliance requirements—all at no additional cost.

Next steps

Whether you're running Gen1 (BIOS) or Gen2 (UEFI) VM resources, don’t wait to secure your infrastructure—upgrade your VMs and Scale-sets to Trusted Launch today. This upgrade can be completed with minimal effort and downtime.

  • Upgrade your Gen1 VMs to Trusted Launch using the generally available upgrade support and its step-by-step guide.
  • Upgrade your Gen2 VMs to Trusted Launch using the generally available upgrade support and its step-by-step guide.
  • Upgrade your Gen1 or Gen2 Uniform Scale sets to Trusted launch using the generally available upgrade support and its step-by-step guide.
  • For Gen1 or Gen2 Flex Scale sets, private preview access is now open: sign up for the preview to get early access to the Trusted launch upgrade experience for Flex scale sets.

Trusted launch is your first line of defence against bootkit malware, and upgrading ensures your VMs meet modern security and compliance standards. Act now to protect your workloads and make them resilient against future threats.

Frequently Asked Questions

Are all upgrade features generally available?

The following table summarizes the status of each upgrade feature:

Trusted launch upgrade support for resource type / Status / Learn more

  • Gen1 virtual machine: Generally available. Learn more: Upgrade existing Azure Gen1 VMs to Trusted launch
  • Gen2-only virtual machine: Generally available. Learn more: Enable Trusted launch on existing Azure Gen2 VMs
  • Scale set (Uniform): Generally available. Learn more: Upgrade existing Azure Scale set to Trusted launch
  • Scale set (Flex): Private preview. Sign up for the preview at Enable Trusted Launch on Existing Flex Scale Sets (PREVIEW)

What are the pre-requisites to enable Trusted launch?

Before planning the upgrade of an existing VM or Scale set to Trusted launch, ensure that:

What are the best practices to consider before upgrade?

We recommend following certain best practices before you execute the upgrade to Trusted launch for VMs and Scale sets hosting production workloads:

  • Review the step-by-step guide published for Gen1 and Gen2 VMs and Scale sets, including known limitations, issues, and roll-back steps.
  • Enable Trusted launch on a test VM or Scale set and determine whether any changes are required to meet the prerequisites.
  • Create restore points for VMs associated with production workloads before you enable the Trusted launch security type. You can use the restore points to re-create the disks and VM in the previous well-known state.

Can I enable Trusted launch without changing OS from Gen1 (BIOS) to Gen2 (UEFI)?

Trusted launch security capabilities (Secure boot, vTPM) can be enabled only for Gen2 UEFI-based operating systems; they cannot be enabled for a Gen1 BIOS-based operating system.

How will my new or other VMs or Scale set be affected?

The upgrade is executed on the specific VM or Scale set resource only. It does not impact new or other existing Azure VMs or Scale set clusters already running in your environment.

Can I roll back Trusted launch upgrade to Gen1 (BIOS) configuration?

For virtual machines, you can roll back the Trusted launch upgrade to a Gen2 VM without Trusted launch. You cannot roll back in place from Trusted launch to a Gen1 VM.

  • To restore the Gen1 configuration, you need to restore the entire VM and disks from the backup or restore point of the VM taken prior to the upgrade.
  • For scale sets, you can roll back the changes to the previous known good configuration, including the Gen1 configuration.
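The Gen2 upgrade path from the table above, combined with the FAQ's best practices (restore point before, verification after, and the Gen2-without-Trusted-launch roll-back), as an added shell example using the Azure CLI; this is not Microsoft's code or the linked guide's script. It assumes the generic `az vm update --set` property paths for the security profile, treats the `az restore-point` command syntax and the `securityType=Standard` roll-back value as assumptions to check against the linked documentation, and uses constructed resource names and sample `az vm show` output. With `DRY_RUN=1` (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not Microsoft's code: in-place Trusted Launch upgrade of an
# existing Gen2 VM with the Azure CLI, wrapped in the FAQ's best practices
# (restore point first, verification after, roll-back path kept available).
# DRY_RUN=1 (the default) prints each az command instead of executing it.
: "${DRY_RUN:=1}"

run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Best practice: take a restore point before touching the security type, so the
# pre-upgrade state (Gen1 included) can be rebuilt from it. Collection and point
# names are constructed; the az restore-point syntax is an assumption to check
# against the current CLI reference.
tl_create_restore_point() {
  rg=$1; vm=$2; location=$3
  if [ "$DRY_RUN" = "1" ]; then
    vm_id="<vm-resource-id>"                       # placeholder in dry-run mode
  else
    vm_id=$(az vm show --resource-group "$rg" --name "$vm" --query id -o tsv)
  fi
  run_az restore-point collection create --resource-group "$rg" \
    --name "${vm}-rpc" --location "$location" --source-id "$vm_id"
  run_az restore-point create --resource-group "$rg" \
    --collection-name "${vm}-rpc" --name "${vm}-pre-trustedlaunch"
}

# The upgrade itself for a Gen2 (UEFI) VM: the VM must be deallocated, then the
# security profile is switched to TrustedLaunch with Secure Boot and vTPM on.
tl_upgrade_gen2_vm() {
  rg=$1; vm=$2
  run_az vm deallocate --resource-group "$rg" --name "$vm"
  run_az vm update --resource-group "$rg" --name "$vm" \
    --set securityProfile.securityType=TrustedLaunch \
          securityProfile.uefiSettings.secureBootEnabled=true \
          securityProfile.uefiSettings.vTpmEnabled=true
  run_az vm start --resource-group "$rg" --name "$vm"
}

# Roll-back path from the FAQ: back to a Gen2 VM without Trusted Launch
# (securityType=Standard is assumed here). Going back to Gen1 is not an in-place
# operation; that needs the restore point taken above.
tl_rollback_to_gen2_standard() {
  rg=$1; vm=$2
  run_az vm deallocate --resource-group "$rg" --name "$vm"
  run_az vm update --resource-group "$rg" --name "$vm" \
    --set securityProfile.securityType=Standard
  run_az vm start --resource-group "$rg" --name "$vm"
}

# Post-upgrade check on the securityProfile JSON that `az vm show` returns:
# all three settings must be present, or the VM is not actually protected.
tl_profile_is_trusted_launch() {
  profile=$1
  printf '%s' "$profile" | grep -Eq '"securityType": *"TrustedLaunch"' &&
    printf '%s' "$profile" | grep -Eq '"secureBootEnabled": *true' &&
    printf '%s' "$profile" | grep -Eq '"vTpmEnabled": *true'
}

tl_verify_vm() {
  rg=$1; vm=$2
  profile=$(az vm show --resource-group "$rg" --name "$vm" \
    --query securityProfile -o json)
  tl_profile_is_trusted_launch "$profile"
}

# Constructed sample outputs (shape of `az vm show --query securityProfile -o json`).
SAMPLE_PROFILE_TL='{
  "encryptionAtHost": null,
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}'
SAMPLE_PROFILE_NO_VTPM='{
  "securityType": "TrustedLaunch",
  "uefiSettings": { "secureBootEnabled": true, "vTpmEnabled": false }
}'

# Dry-run walkthrough with placeholder names (set DRY_RUN=0 to execute for real).
tl_create_restore_point myResourceGroup myGen2Vm eastus
tl_upgrade_gen2_vm myResourceGroup myGen2Vm
if tl_profile_is_trusted_launch "$SAMPLE_PROFILE_TL"; then
  echo "sample profile: Trusted Launch fully enabled"
fi
```

The verification step is the part worth keeping even if you run the upgrade from the portal: a VM whose security type reads TrustedLaunch but whose vTPM is off will not produce boot measurements for the guest attestation extension, so the check insists on all three settings rather than the security type alone.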
Updated Sep 04, 2025
Version 1.0