Today we are announcing the General Availability of several confidential VM and Trusted Launch security features via AVD Host Pool Provisioning.
What are Confidential VMs?
The Azure DCasv5 and ECasv5-series confidential VMs, built on AMD EPYC processors, provide a hardware-based Trusted Execution Environment (TEE) with attestation capability by leveraging AMD SEV-SNP security features. Azure confidential VMs (CVMs) offer VM memory encryption with integrity protection, which strengthens guest protections by denying the hypervisor and other host management code access to the VM's memory and state. For additional CVM security benefits, please see the CVM documentation.
With this general availability, Windows 11 22H1 is now also supported in CVMs, in addition to the already supported 22H2 and future versions of Windows 11. Confidential OS Disk Encryption is also available for confidential VMs, and Integrity monitoring is available during AVD Host Pool provisioning for both confidential VMs and Trusted Launch VMs.
Trusted Launch (TL) protects against advanced and persistent attack techniques. It allows for secure deployment of VMs with verified boot loaders, OS kernels, and drivers, and it protects keys, certificates, and secrets in VMs. For more information about TL benefits, please see the Trusted Launch documentation.
We are therefore pleased to announce that Trusted Launch is now enabled by default for all Windows images.
How to deploy CVMs in AVD Host Pool Provisioning with these settings
Select Confidential Virtual Machines from the Security Type dropdown in the AVD Host Pool Virtual Machine blade.
Once Security Type is set to Confidential Virtual Machines, you will see the option to select Integrity Monitoring.
Select any CVM-compatible Windows 11 image from the Image dropdown. Scroll to Confidential compute encryption and select it to enable OS Disk Encryption for your CVM.
How Trusted Launch is enabled by default for non-Confidential Virtual Machines with any image
By default, the Security type is automatically set to Trusted Virtual Machines. This is done to meet the mandatory hardware requirements of Windows 11 (UEFI Secure Boot and TPM 2.0, which Trusted Launch provides through Secure Boot and vTPM). For further information about this requirement, please see this reference on Windows 11 requirements.
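The portal steps above for confidential VMs and the Trusted Launch default both map onto the same set of VM properties: the security type, the Secure Boot and vTPM UEFI settings, the OS disk's security encryption type, and the Guest Attestation extension that implements Integrity monitoring. The Bicep fragment below is an added example for deploying a single session host VM with those settings outside the portal; it is not code from the original post or from the AVD host pool provisioning templates. The VM and NIC names, VM sizes, the image SKU, and the choice of platform-managed keys for the OS disk are assumptions, and the AVD agent registration extension that turns the VM into a session host is omitted.

```bicep
// Security type selects the portal's "Confidential Virtual Machines" or "Trusted Virtual Machines".
@allowed(['ConfidentialVM', 'TrustedLaunch'])
param securityType string = 'ConfidentialVM'
param vmName string = 'avd-sh-0'          // hypothetical name
param location string = resourceGroup().location
param nicId string                         // hypothetical: NIC created elsewhere
param adminUsername string
@secure()
param adminPassword string

var isCvm = securityType == 'ConfidentialVM'

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: {
      // Confidential VMs require a SEV-SNP capable series such as DCasv5; sizes are assumptions.
      vmSize: isCvm ? 'Standard_DC4as_v5' : 'Standard_D4as_v5'
    }
    securityProfile: {
      securityType: securityType
      uefiSettings: {
        // Secure Boot and vTPM satisfy the Windows 11 firmware/TPM requirements for both types.
        secureBootEnabled: true
        vTpmEnabled: true
      }
    }
    storageProfile: {
      imageReference: {
        // Assumed Windows 11 22H2 multi-session AVD image; it must be CVM-compatible for ConfidentialVM.
        publisher: 'MicrosoftWindowsDesktop'
        offer: 'windows-11'
        sku: 'win11-22h2-avd'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
          // "Confidential compute encryption" in the portal: OS disk and VM guest state are
          // encrypted with a platform-managed key. Omitted entirely for Trusted Launch VMs.
          securityProfile: isCvm ? {
            securityEncryptionType: 'DiskWithVMGuestState'
          } : null
        }
      }
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        { id: nicId }
      ]
    }
  }
}

// Integrity monitoring: the Guest Attestation extension submits boot measurements from the
// vTPM to Microsoft Azure Attestation. An empty maaEndpoint selects the regional default.
resource attestation 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: vm
  name: 'GuestAttestation'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security.WindowsAttestation'
    type: 'GuestAttestation'
    typeHandlerVersion: '1.0'
    autoUpgradeMinorVersion: true
    settings: {
      AttestationConfig: {
        MaaSettings: {
          maaEndpoint: ''
          maaTenantName: 'GuestAttestation'
        }
      }
    }
  }
}
```

Deploying with securityType set to TrustedLaunch reproduces the default the portal now applies to non-confidential Windows images; switching it to ConfidentialVM adds the SEV-SNP size and the OS disk encryption described in the CVM steps, while the attestation extension is the same in both cases. Attestation failures surface in Microsoft Defender for Cloud as integrity alerts on the VM, which is where the monitoring results from this extension should be reviewed.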