Announcing: Microsoft transforms Licensing with Cloud Security and Confidential Computing
Microsoft is proud to announce the successful migration of its Windows Licensing Service to Azure, leveraging cutting-edge Confidential Computing and Managed Hardware Security Modules (mHSM) technology. This marks a significant breakthrough in the cloud adoption journey for workloads operating in highly secure environments, reshaping the way Microsoft’s licensing services operate securely at scale. But what did it really take to move one of Microsoft’s most security-critical services to the cloud? Read on to uncover how the team enabled the largest cryptographic workload ever run in Azure—built on high-assurance infrastructure designed for secure, high-throughput operations. Migrating highly secure workloads is made possible with the help of Confidential computing and Managed HSM empowering organizations handling highly secure, high-throughput, and confidential workloads to operate with greater confidence, flexibility, and value. Advancing Security and Throughput The Microsoft Windows Key Management Licensing Service (MKMS) is built around the protection and management of high-value cryptographic keys, which are central to its security model. This service processes billions of licensing requests and related cryptographic operations each day, using these keys to ensure that only authorized individuals have access to their Windows operating systems, desktop applications, and games. Through its focus on secure key management, MKMS supports the authenticity of software licenses and the protection of sensitive data, making secure Windows licensing possible on a global scale. With the integration of Confidential Virtual Machines (CVM) and Managed Hardware Security Modules, the service now meets modern high-security requirements by extending this rigorous protection into the cloud environment. This evolution not only reinforces Microsoft's dedication to safeguarding sensitive cryptographic operations but also ensures that customers can trust the reliability and security of their licensing experience. Building Trust by Moving to Azure Transitioning from multiple highly secure on-prem datacenters to strategically selected Azure regions has enabled greater reliability, stronger security, and a seamless customer experience for the service. This migration not only aligns with Microsoft’s Secure Future Initiative and delivers CAPEX savings by eliminating the need for hardware refreshes but also unlocks the benefits of cloud-native solutions powered by Confidential Computing and Azure Key Vault Managed HSM. Migrating MKMS licensing service from on-premises infrastructure to Azure has delivered significant operational benefits. Azure’s elastic cloud resources allow us to scale efficiently, adapting to changing workload demands and supporting future growth while optimizing costs by paying only for the resources we use. Distributing services across multiple geographic regions in Azure has substantially improved our service availability, minimizing downtime and maintaining consistent delivery even during unexpected events. This geographic redundancy ensures our customers experience fewer disruptions. By utilizing Azure’s performance-driven infrastructure, we have reduced upfront hardware investments and ongoing maintenance costs, while still meeting the high throughput, speed, and reliability necessary for large-scale cryptographic operations—achieving results on par with or better than our previous on-premises environment. Enabling Security with Azure Confidential Computing At the heart of this transformation lies Azure Confidential Computing based on 4th generation AMD EPYC™ CPUs with SEV-SNP, which safeguards sensitive data during processing through hardware-based Trusted Execution Environments (TEEs). This technology prevents unauthorized access, including by cloud administrators and datacenter operators, ensuring robust confidentiality for cryptographic operations that are central to the authenticity of software licenses. Azure encrypts data at rest and in transit, while confidential computing further secures data in use. This added layer of protection addressed essential security requirements for migrating secure workloads to Azure, supporting the safety and integrity of customer data. The migration also incorporated Azure Managed HSM to provide enhanced security and tighter control over cryptographic keys. Complemented by Confidential Virtual Machines and securely attested OS images, the service now operates in a trusted and isolated environment, delivering a resilient and scalable cryptographic foundation —crucial for managing high value cryptographic keys required for Windows licensing. Setting a Benchmark for High-Scale Cryptographic Services Microsoft’s Key Management Licensing Service, leveraging Azure Confidential Computing and the specially engineered high-throughput Managed HSM capabilities, delivers advanced performance for securely hosting confidential, high-scale workloads in the cloud. These enhanced MHSM features were designed and built to meet the immense demand of this service, enabling it to support the highest throughput cryptographic workload ever run on Azure to date. MKMS is deployed on Azure using a purpose-built, internally attested secure image to ensure a trusted baseline. The deployment leverages Azure confidential VMs, and managed hardware security modules to protect data: all data at rest and in transit is encrypted, with encryption keys secured by FIPS-validated HSMs. In addition, CVM guarantees our service that all data in-use is encrypted and secure as an additional layer of security. Comprehensive logging and monitoring are enabled across the stack: control-plane operations, host OS events, and network traffic are all recorded and analyzed for auditing and threat detection. This defense-in-depth design layers protection from the hardware and hypervisor up through network firewalls and application-level safeguards, ensuring comprehensive resilience against both volumetric and application-targeted attacks. Summary In summary, migration of Windows Licensing to Azure signifies Microsoft’s commitment to driving innovation and security in the cloud. By leveraging Confidential Computing and Managed HSMs, Microsoft is delivering value to billions of users worldwide while reinforcing the trust placed in its services. This achievement highlights the potential of cloud-native technologies to transform traditional mission-critical systems, offering a glimpse into the future of secure and scalable computing.Announcing: Microsoft moves $25 Billion in credit card transactions to Azure confidential computing
Microsoft is proud to showcase that customers in the financial sector can rely on public Azure to add confidentiality to provide secure and compliant payment solutions that meet or exceed industry standards. Microsoft is committed to hosting 100% of our payment services on Azure, just as we would expect our customers to do. Microsoft’s Commerce Financial Services (CFS) has completed a critical milestone by deploying a level 1 Payment Card Industry Data Security Standard (PCI-DSS) compliant credit card processing and vaulting solution, moving $25 Billion in annual credit card transactions to the public Azure cloud.Private Preview: Introducing DCesv5 and ECesv5-series Confidential VMs with Intel TDX
Featuring 4th Gen Intel® Xeon® Scalable processors, these VMs are backed by an all-new hardware-based Trusted Execution Environment called Intel® Trust Domain Extensions (TDX). Organizations can use these VMs to seamlessly bring confidential workloads to the cloud without any code changes to their applications.Announcing preview for the next generation of Azure Intel® TDX Confidential VMs
Today, we are excited to announce the preview of Azure’s next generation of Confidential Virtual Machines powered by the 5 th Gen Intel® Xeon® processors (code-named Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX). This will help to enable organizations to bring confidential workloads to the cloud without code changes to applications. The supported SKUs include the general-purpose families DCesv6-series and the memory optimized families ECesv6-series. Confidential VMs are designed for tenants with high security and confidentiality requirements, providing a strong, attestable, hardware-enforced boundary. They ensure that your data and applications stay private and encrypted even while in use, keeping your sensitive code and other data encrypted in memory during processing. Improvements Azure’s next generation of confidential VMs will bring improvements and new features compared to our previous generation. These VMs are our first offering to utilize our open-source paravisor, OpenHCL. This innovation allows us to enhance transparency with our customers, reinforcing our commitment to the "trust but verify" model. Additionally, our new confidential VMs support Azure Boost, enabling up to 205k IOPS and 4 GB/s throughput of remote storage along with 54 GBps VM network bandwidth. We are expanding the capabilities of our Intel® TDX powered confidential VMs by incorporating features from our general purpose and other confidential VMs. These enhancements include Guest Attestation support, and support of Intel® Tiber™ Trust Authority for enterprises seeking operator independent attestation. Offerings The DCesv6-series VMs are designed to offer a balance of memory to vCPU ratio, with up to 128 vCPUs, and up to 512 GiB of memory. The ECesv6-series VMs are designed to offer an even higher memory to vCPU ratio, with up to 64 vCPUs, and 512 GiB of memory. Availability The DCesv6-series and ECesv6-series preview is available now in the East US, West US, West US 3 and West Europe regions. Supported OS images include Windows Server 2025, Windows Server 2022, Ubuntu 22.04, and Ubuntu 24.04. Please sign up at aka.ms/acc/v6preview and we will reach out to you.GA: DCasv6 and ECasv6 confidential VMs based on 4th Generation AMD EPYC™ processors
Today, Azure has expanded its confidential computing offerings with the general availability of the DCasv6 and ECasv6 confidential VM series in regions UAE North and Korea Central. These VMs are powered by 4th generation AMD EPYC™ processors and feature advanced Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) technology. These confidential VMs offer: Hardware-rooted attestation Memory encryption in multi-tenant environments Enhanced data confidentiality Protection against cloud operators, administrators, and insider threats You can get started today by creating confidential VMs in the Azure portal as explained here. Highlights: 4th generation AMD EPYC processors with SEV-SNP 25% performance improvement over previous generation Ability to rotate keys online AES-256 memory encryption enabled by default Up to 96 vCPUs and 672 GiB RAM for demanding workloads Streamlined Security Organizations in certain regulated industries and sovereign customers migrating to Microsoft Azure need strict security and compliance across all layers of the stack. With Azure Confidential VMs, organizations can ensure the integrity of the boot sequence and the OS kernel while helping administrators safeguard sensitive data against advanced and persistent threats. The DCasv6 and ECasv6 family of confidential VMs support online key rotation to give organizations the ability to dynamically adapt their defenses to rapidly evolving threats. Additionally, these new VMs include AES-256 memory encryption as a default feature. Customers have the option to use Virtualization-Based Security (VBS) in Windows, which is currently in preview to protect private keys from exfiltration via the Guest OS or applications. With VBS enabled, keys are isolated within a secure process, allowing key operations to be carried out without exposing them outside this environment. Faster Performance In addition to the newly announced security upgrades, the new DCasv6 and ECasv6 family of confidential VMs have demonstrated up to 25% improvement in various benchmarks compared to our previous generation of confidential VMs powered by AMD. Organizations that need to run complex workflows like combining multiple private data sets to perform joint analysis, medical research or Confidential AI services can use these new VMs to accelerate their sensitive workload faster than ever before. "While we began our journey with v5 confidential VMs, now we’re seeing noticeable performance improvements with the new v6 confidential VMs based on 4th Gen AMD EPYC “Genoa” processors. These latest confidential VMs are being rolled out across many Azure regions worldwide, including the UAE. So as v6 becomes available in more regions, we can deploy AMD based confidential computing wherever we need, with the same consistency and higher performance." — Mohammed Retmi, Vice President - Sovereign Public Cloud, at Core42, a G42 company. "KT is leveraging Azure confidential computing to secure sensitive and regulated data from its telco business in the cloud. With new V6 CVM offerings in Korea Central Region, KT extends its use to help Korean customers with enhanced security requirements, including regulated industries, benefit from the highest data protection as well as the fastest performance by the latest AMD SEV-SNP technology through its Secure Public Cloud built with Azure confidential computing." — Woojin Jung, EVP, KT Corporation Kubernetes support Deploy resilient, globally available applications on confidential VMs with our managed Kubernetes experience - Azure Kubernetes Service (AKS). AKS now supports the new DCasv6 and ECasv6 family of confidential VMs, enabling organizations to easily deploy, scale and manage confidential Kubernetes clusters on Azure, streamlining developer workflows and reducing manual tasks with integrated continuous integration and continuous delivery (CI/CD) pipelines. AKS brings integrated monitoring and logging to confidential VM node pools with in-depth performance and health insights, the clusters and containerized applications. Azure Linux 3.0 and Ubuntu 24.04 support are now in preview. AKS integration in this generation of confidential VMs also brings support for Azure Linux 3.0, that contains the most essential packages to be resource efficient and contains a secure, hardened Linux kernel specifically tuned for Azure cloud deployments. Ubuntu 24.04 clusters are also supported in addition to Azure Linux 3.0. Organizations wanting to ease the orchestration issues associated with deploying, scaling and managing hundreds of confidential VM node pools can now choose from either of these two for their node pools. General purpose & Memory-intensive workloads Featuring general purpose optimized memory-to-vCPU ratios and support for up to 96 vCPUs and 384 GiB RAM, the DCasv6-series delivers enterprise-grade performance. The DCasv6-series enables organizations to run sensitive workloads with hardware-based security guarantees, making them ideal for applications processing regulated or confidential data. For more memory demanding workloads that exceed even the capabilities of the DCasv6 series, the new ECasv6-series offer high memory-to-vCPU ratios with increased scalability up to 96 vCPUs and 672 GiB of RAM, nearly doubling the memory capacity of DCasv6. You can get started today by creating confidential VMs in the Azure portal as explained here. Additional Resources: Quickstart: Create confidential VM with Azure portal Quickstart: Create confidential VM with ARM template Azure confidential virtual machines FAQ
Azure confidential ledger is now Generally Available!
I am pleased to announce that Azure confidential ledger is now generally available! Azure confidential ledger is an unstructured, trusted data store for important identifiers of sensitive data that require high integrity. Data records stored on Azure confidential ledger remain immutable (i.e. Write Once, Read Many) and can be cryptographically verified. It offers a simple experience with REST APIs that can be easily integrated into the application architecture.
Announcing Trusted Launch as default in Azure Portal
In the spirit of ‘Secure-by-default’, today, we are announcing Trusted Launch virtual machines as default in Azure Portal. With Trusted Launch as default, the security settings in Portal are pre-set for you and no special attention is required. Any new VM created on Azure Portal will have Trusted Launch capabilities turned on by default.
