Note

Access to this page requires authorization. You can try signing in or .

Access to this page requires authorization. You can try .

Enable Trusted launch on existing Uniform scale set

Applies to: ✔️ Uniform scale set ✔️ Flex scale set ❌ Service fabric

Azure Virtual machine Scale sets supports enabling Trusted launch on existing Uniform Scale sets virtual machine (VM) by upgrading to Trusted launch security type.

Trusted launch enables foundational compute security on Azure Generation 2 virtual machines & scale sets and protects them against advanced and persistent attack techniques like boot kits and rootkits. It does so by combining infrastructure technologies like Secure Boot, vTPM, and Boot Integrity Monitoring on your Scale set.

Limitations

Enabling Trusted launch on existing virtual machine Scale sets with data disks attached requires upgrade mode set to Rolling upgrade with max surge
- To validate if scale set is configured with data disk, navigate to scale set -> Disks under Settings menu -> check under heading Data disks 👁 Screenshot of the scale set with data disks.
Enabling Trusted launch on existing virtual machine Scale sets Flex is currently in preview. Register for preview of enabling Trusted launch on existing Flex scale set preview
Enabling Trusted launch on existing Service fabric clusters and Service fabric managed clusters is currently not supported.

Prerequisites

Scale set isn't dependent on features currently not supported with Trusted launch.
Scale set should be configured with Trusted launch supported size family
Note
- Virtual machine size can be changed along with Trusted launch upgrade. Ensure quota for new VM Size is in-place to avoid upgrade failures. Refer to Check vCPU quotas.
- Change to Virtual machine size re-creates the Virtual machine instance with new size and requires downtime of individual Virtual machine instance. It can be done in a Rolling Upgrade fashion to avoid Scale set downtime.
Scale set should be configured with Trusted launch supported OS Image. For Azure compute gallery OS image, ensure image definition is marked as TrustedLaunchSupported

Important

Changing the OS image of a scale set recreates the OS disks for all VM instances using the new image. This change means any data or custom configurations stored on the current OS disks is lost post upgrade. Ensure back up of any important information before proceeding.

Enable Trusted launch on existing Scale set Uniform

Following steps details how to enable Trusted launch on existing uniform scale set using Azure portal.

(Optional) Scale set Size: Navigate to Size under Availability + scale -> Modify the Scale set size if current size family isn't supported with Trusted launch security configuration -> Click Apply. 👁 Screenshot of the scale set size change.
OS Image: Navigate to Operating system under Settings -> Click on Change image reference. 👁 Screenshot of the scale set OS image change.
Update the OS Image reference to Gen2-Trusted launch supported OS image. Make sure the source Gen2 image has TrustedLaunchSupported security type if using Azure Compute Gallery OS image -> Click Apply. 👁 Screenshot of the OS image change options.
Security type: Click on Standard Security type on Overview page of scale set OR navigate to Configuration under Settings.

👁 Screenshot of the overview page.
Update the security type drop-down on Configuration page from Standard to Trusted launch with Enable secure boot and Enable vTPM checked to enable Trusted Launch security configuration. Click Yes to confirm changes.
Note
- vTPM is enabled by default.
- Secure Boot should be enabled (not enabled by default) if you aren't using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.
👁 Screenshot of the Trusted launch security type drop-down.
Validate the changes on the Overview page of scale set. 👁 Screenshot of the validation on overview page.
(Recommended) Guest Attestation Extension: Add Guest Attestation (GA) extension for Scale set resource, which enables Boot integrity monitoring for Scale set.
Update the VM instances manually if Scale set uniform upgrade mode is set to Manual. 👁 Screenshot of the scale set instance update.

Following steps details using an ARM template to enable Trusted launch on existing uniform scale set.

Make the following modifications to enable Trusted launch using existing ARM template deployment code. For complete template, refer to Quickstart Trusted launch Scale set ARM template.

Important

Trusted launch security type is available with Scale set apiVersion 2020-12-01 or higher. Ensure API version is set correctly before upgrade.

OS Image: Update the OS Image reference to Gen2-Trusted launch supported OS image. Make sure the source Gen2 image has TrustedLaunchSupported security type if using Azure Compute Gallery OS image.

"storageProfile": { 
    "osDisk": { 
         "createOption": "FromImage", 
        "caching": "ReadWrite" 
    }, 
     "imageReference": { 
         "publisher": "MicrosoftWindowsServer", 
         "offer": "WindowsServer", 
         "sku": "2022-datacenter-azure-edition", 
        "version": "latest" 
    } 
}

(Optional) Scale set Size: Modify the Scale set size if current size family isn't supported with Trusted launch security configuration.

 "sku": { 
    "name": "Standard_D2s_v3", 
     "tier": "Standard", 
     "capacity": "[parameters('instanceCount')]" 
 }

Security Profile: Add securityProfile block under virtualMachineProfile to enable Trusted Launch security configuration.

Note

Recommended settings: vTPM: true and secureBoot: true secureBoot should be set to false if you're using any unsigned custom driver or kernel on OS.
```
"securityProfile": { 
    "securityType": "TrustedLaunch", 
    "uefiSettings": { 
      "secureBootEnabled": true, 
      "vTpmEnabled": true
    } 
}
```

(Recommended) Guest Attestation Extension: Add Guest Attestation (GA) extension for Scale set resource, which enables Boot integrity monitoring for Scale set.

Important

Guest attestation extension requires secureBoot and vTPM set to true.

{ 
    "condition": "[and(parameters('vTPM'), parameters('secureBoot'))]", 
    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", 
    "apiVersion": "2022-03-01", 
    "name": "[format('{0}/{1}', parameters('vmssName'), GuestAttestation)]", 
    "location": "[parameters('location')]", 
    "properties": { 
      "publisher": "Microsoft.Azure.Security.WindowsAttestation", 
      "type": "GuestAttestation", 
      "typeHandlerVersion": "1.0", 
      "autoUpgradeMinorVersion": true, 
      "enableAutomaticUpgrade": true, 
      "settings": { 
        "AttestationConfig": { 
          "MaaSettings": { 
            "maaEndpoint": "[substring('emptystring', 0, 0)]", 
            "maaTenantName": "GuestAttestation" 
          } 
        } 
      } 
    }, 
    "dependsOn": [ 
      "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]" 
    ] 
}

Name of extension publisher:

OS Type	Extension publisher name
Windows	Microsoft.Azure.Security.WindowsAttestation
Linux	Microsoft.Azure.Security.LinuxAttestation

Review the changes made to template.

Execute the ARM template deployment.

$resourceGroupName = "myResourceGroup"
$parameterFile = "folderPathToFile\parameters.json"
$templateFile = "folderPathToFile\template.json"

New-AzResourceGroupDeployment `
 -ResourceGroupName $resourceGroupName `
 -TemplateFile $templateFile -TemplateParameterFile $parameterFile

Verify that the deployment is successful. Check for the security type and UEFI settings of the Scale set uniform using Azure portal. Check the Security type section in the Overview page.

👁 Screenshot of the validation on overview page.

Update the VM instances manually if Scale set uniform upgrade mode is set to Manual.

$resourceGroupName = "myResourceGroup"
$vmssName = "VMScaleSet001"
Update-AzVmssInstance -ResourceGroupName $resourceGroupName -VMScaleSetName $vmssName -InstanceId "0"

This section steps through using the Azure CLI to enable Trusted launch on existing Azure Scale set Uniform resource.

Make sure latest version of Azure CLI is installed and logged in to an Azure account with az login.

Note

vTPM is enabled by default.
Secure Boot should be enabled (not enabled by default) if you aren't using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.

az login

az account set --subscription 00000000-0000-0000-0000-000000000000

Enable Trusted launch using command az vmss update by setting --security-type: TrustedLaunch, virtualMachineProfile.storageProfile.imageReference.sku: Gen2-Trusted launch supported OS image, --vm-sku: Gen2-Trusted launch supported VM size.
```
az vmss update --name MyScaleSet `
 --resource-group MyResourceGroup `
 --set virtualMachineProfile.storageProfile.imageReference.sku='2022-datacenter-azure-edition' `
 --security-type TrustedLaunch --enable-secure-boot $true --enable-vtpm $true
```
Note

OS Image SKU used in the az vmss update should be from same OS Image Publisher and Offer.

Validate output of previous command. securityProfile configuration is returned with command output.

{
 "securityProfile": {
 "securityType": "TrustedLaunch",
 "uefiSettings": {
 "secureBootEnabled": true,
 "vTpmEnabled": true
 }
 }
}

Update the VM instances manually if Scale set uniform upgrade mode is set to Manual.

az vmss update-instances --instance-ids 1 --name MyScaleSet --resource-group MyResourceGroup

Start rolling upgrade if Scale set uniform upgrade mode is set to RollingUpgrade.

az vmss rolling-upgrade start --name MyScaleSet --resource-group MyResourceGroup

This section steps through using the Azure PowerShell to enable Trusted launch on existing Azure Virtual machine Scale set Uniform.

Make sure the latest Azure PowerShell is installed and logged in to an Azure account with Connect-AzAccount.

Note

vTPM is enabled by default.
Secure Boot should be enabled (not enabled by default) if you aren't using custom unsigned kernel or drivers. Secure Boot preserves boot integrity and enables foundational security for VM.

Connect-AzAccount -SubscriptionId 00000000-0000-0000-0000-000000000000

Enable Trusted launch using command Update-AzVMSS by setting -SecurityType: TrustedLaunch, ImageReferenceSku: Gen2-Trusted launch supported OS image, -SkuName: Gen2-Trusted launch supported VM size.

$vmss = Get-AzVmss -VMScaleSetName MyVmssName -ResourceGroupName MyResourceGroup

# Enable Trusted Launch
$vmss = Set-AzVmssSecurityProfile -virtualMachineScaleSet $vmss -SecurityType TrustedLaunch

# Enable Trusted Launch settings
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $vmss -EnableVtpm $true -EnableSecureBoot $true

Update-AzVmss -ResourceGroupName $vmss.ResourceGroupName `
 -VMScaleSetName $vmss.Name -VirtualMachineScaleSet $vmss `
 -SecurityType TrustedLaunch -EnableVtpm $true -EnableSecureBoot $true `
 -ImageReferenceSku 2022-datacenter-azure-edition

Note

OS Image SKU used in Update-AzVMSS command should be from same OS Image Publisher and Offer.

Validate securityProfile configuration is returned with Get-AzVMSS command output.

{
 "securityProfile": {
 "securityType": "TrustedLaunch",
 "uefiSettings": {
 "secureBootEnabled": true,
 "vTpmEnabled": true
 }
 }
}

Update the VM instances manually if Scale set uniform upgrade mode is set to Manual.

Update-AzVmssInstance -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyScaleSet" -InstanceId "0"

Start rolling upgrade if Scale set uniform upgrade mode is set to RollingUpgrade.

Start-AzVmssRollingOSUpgrade -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyScaleSet"

Roll back

To roll back changes from Trusted launch to previous known good configuration, you need to set securityType of Scale set to Standard.

OS Image: Navigate to Operating system under Settings. Click on Change image reference. 👁 Screenshot of the scale set OS image change.
Update the OS Image reference to last known good configuration -> Click Apply. 👁 Screenshot of the OS image change options.
Security type: Navigate to Configuration page under Settings -> Update the security type drop-down on Configuration page from Trusted launch to Standard for disabling Trusted Launch security configuration. Click Yes to confirm changes. 👁 Screenshot of the Standard security type drop-down.
Validate the changes on the Overview page of scale set. 👁 Screenshot of the validation of rollback on overview page.
Update the VM instances manually if Scale set uniform upgrade mode is set to Manual. 👁 Screenshot of the scale set instance update.

To roll back changes from Trusted launch to previous known good configuration, set securityProfile to Standard as shown. Optionally, you can also revert other parameter changes - OS image, VM size, and repeat steps 5-8 described with Enable Trusted launch on existing scale set

"securityProfile": {
 "securityType": "Standard",
 "uefiSettings": "[null()]"
}

Note

Required Azure CLI version 2.62.0 or above for roll back of uniform scale set from Trusted launch to Non-Trusted launch configuration.

To roll back changes from Trusted launch to previous known good configuration, set --security-type to Standard as shown. Optionally, you can also revert other parameter changes - OS image, virtual machine size, and repeat steps 2-5 described with Enable Trusted launch on existing scale set

az vmss update --name MyScaleSet `
 --resource-group MyResourceGroup `
 --security-type Standard

To roll back changes from Trusted launch to previous known good configuration, set -SecurityType to Standard as shown. Optionally, you can also revert other parameter changes - OS image, virtual machine size, and repeat steps 2-5 described with Enable Trusted launch on existing scale set

$vmss = Get-AzVmss -VMScaleSetName MyVmssName -ResourceGroupName MyResourceGroup

# roll back Trusted Launch
Set-AzVmssSecurityProfile -virtualMachineScaleSet $vmss -SecurityType Standard

Update-AzVmss -ResourceGroupName $vmss.ResourceGroupName `
 -VMScaleSetName $vmss.Name -VirtualMachineScaleSet $vmss `
 -SecurityType Standard `
 -ImageReferenceSku 2022-datacenter-azure-edition

Next steps

(Recommended) Post-Upgrades enable Boot integrity monitoring to monitor the health of the VM using Microsoft Defender for Cloud.

Learn more about Trusted launch and review frequently asked questions.

Feedback

Was this page helpful?

Additional resources

Last updated on

URL: https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vmss