Oct 27 2023 02:49 PM
Secure Boot is a feature designed to prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot establishes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. It does this with signature-enforcement handshakes throughout the entire boot sequence, which block malware attacks during this process.
As the PC/Cloud PC begins the boot process, Secure Boot will:
Therefore, it is used to ensure that only signed OS and drivers can boot.
When you apply power to a Windows device, here is the sequence of steps to effectively boot the device:
As you can see from the section "What is Secure Boot?", in the Windows boot sequence flow steps, Secure Boot is enabled right before Step 4. Without Secure Boot, Windows will automatically load the OS into memory and start it up, without verifying whether the firmware or OS bootloader is digitally signed. If Secure Boot is enabled, then Trusted Boot is automatically enabled as well, and it works in conjunction with Secure Boot to help prevent malware and corrupted components from loading.
Trusted Launch is a feature that serves to improve the security of Gen2 VMs and protect against advanced and persistent attack techniques. However, Trusted Launch is not one standalone feature; instead, it is composed of a collection of several coordinated infrastructure technologies that can be enabled independently. Do note that Trusted Launch is an Azure-specific term.
Trusted Launch relates to Secure Boot in that Secure Boot is one of the infrastructure technologies that compose it.
Trusted Launch is composed of three main technologies:
Nothing unique, just assign and provision a Cloud PC!
Any new Cloud PC has two default properties: it is a Gen 2 VM, and Secure Boot is enabled by default (users cannot opt out). However, if someone has an existing Cloud PC that does not have Secure Boot enabled, the only way to get Secure Boot enabled is to re-provision that Cloud PC.
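
To find out whether an existing Cloud PC falls into the re-provisioning case, you can check its Secure Boot state from an elevated PowerShell session. The script below is an added example, not part of the original post; `Get-SecureBootStatus` is a hypothetical helper name, while `Confirm-SecureBootUEFI` and the registry value it falls back to are built into Windows.

```powershell
# Added example: report the Secure Boot state of the local Windows device or Cloud PC.
# Get-SecureBootStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-SecureBootStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        SecureBoot   = 'Unknown'
        Source       = $null
        Detail       = $null
    }

    try {
        # Returns $true or $false on UEFI firmware; requires an elevated session.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $result.SecureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
        $result.Source     = 'Confirm-SecureBootUEFI'
    }
    catch {
        $result.Detail = $_.Exception.Message
        if ($_.Exception -is [System.PlatformNotSupportedException]) {
            # Thrown on legacy BIOS (non-UEFI) firmware, where Secure Boot does not exist.
            $result.SecureBoot = 'NotSupported'
            $result.Source     = 'Confirm-SecureBootUEFI'
        }
        else {
            # Typically an access-denied error in a non-elevated session:
            # fall back to the state that Windows records in the registry.
            $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
            $state = Get-ItemProperty -Path $key -Name 'UEFISecureBootEnabled' -ErrorAction SilentlyContinue
            if ($null -ne $state) {
                $result.SecureBoot = if ($state.UEFISecureBootEnabled -eq 1) { 'Enabled' } else { 'Disabled' }
                $result.Source     = 'Registry'
            }
        }
    }

    [pscustomobject]$result
}

$status = Get-SecureBootStatus
$status
if ($status.SecureBoot -ne 'Enabled') {
    Write-Warning "Secure Boot is not enabled on $($status.ComputerName); an existing Cloud PC in this state must be re-provisioned."
}
```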