Understanding Secure Boot and Trusted Launch


What is Secure Boot?




Secure Boot is a feature designed to prevent malware and corrupted components from loading when a Win11 device is starting. So, Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Window kernel's Trusted Boot sequence. This is done through signature-enforcement handshakes throughout the entire boot sequence to block malware attacks during this process.

As the PC/Cloud PC begins the boot process, Secure Boot will:

  1. Verify if the firmware is digitally signed (reducing firmware rootkit risks).
  2. Check all code that runs before the OS.
  3. Check the OS bootloader's digital signature. 
    1. Secure Boot is checking whether this signature is trusted by the Secure Boot policy and hasn't been tampered with

Therefore, it is used to ensure that only signed OS and drivers can boot.


What is the chronological flow of the Windows boot sequence?


When you apply power on a Windows device, here are the sequence of steps to effectively boot the device:

  1. Power on self-test (POST): initial diagnostic test performed by PC when it's switched on prior to OS loading.
  2. Find a boot device that contains the OS.
  3. If Secure Boot is enabled:
    1. Verify if the firmware is digitally signed (reducing firmware rootkit risks).
    2. Check all code that runs before the OS.
    3. Check the OS bootloader's digital signature. 
  4. Load the OS into memory and start it up.
  5. UEFI firmware initializes the hardware and starts the bootloader.
  6. Bootloader then loads the kernel into memory and starts it up.
    1. Bootloader's main function is to load the OS into memory and start it up.
    2. Kernel is the core component of the OS that manages system resources and provides services to applications. 
  7. Kernel initializes the drivers and services that are required for the OS to function properly.
  8. The application environments are loaded.


As you can see from the section “What is Secure Boot?”, in the Windows boot sequence flow steps, Secure Boot is enabled right before Step 4.  Without Secure Boot, Windows will automatically load the OS into memory and start it up, without verifying if the firmware or OS bootloader is digitally signed. If Secure Boot is enabled, then Trusted Boot is automatically enabled as well, where it works in conjunction with Secure Boot to help prevent malware and corrupted components from loading.


What is Trusted Launch then? How is that related to Secure Boot?


Trusted Launch is a feature that serves to improve security of Gen2 VMs and protect against advanced & persistent attack techniques. However, Trusted Launch is not just one standalone feature, instead it composed of a collection of several, coordinated infrastructure technologies that can be enabled independently.  Do note that Trusted Launch is an Azure-specific term.


The way Trusted Launch relates to Secure Boot is that Secure Boot is one of the infrastructure technologies that composes it.

Trusted Launch is composed of three main technologies:

  1. Secure Boot
  2. vTPM
    1. This is the virtualized version of the Trusted Platform Module hardware that is compliant with the TPM2.0 specs to run Win11. It serves as a dedicated secure vault for keys and measurements. 
  3. Integrity Monitoring 
    1. This uses Microsoft Defender for Cloud integration to help validate that one's VM is booted in a healthy way. It issues an assessment and indicates to you the status of remote attestation.

How do you enable Secure Boot on W365?


Nothing unique, just assign and provision a Cloud PC!


How do I enable Secure Boot on an existing Cloud PC?


Any new Cloud PC has two default properties: it is a Gen 2 VM and Secure Boot is enabled by default (users cannot opt-out). However, if someone does have an existing Cloud PC but does not have Secure Boot enabled, then the only way for them to get Secure Boot enabled is to re-provision their Cloud PCs


0 Replies