Trusted launch hardens your Azure virtual machines with security features that allow administrators to deploy virtual machines with verified and signed bootloaders, OS kernels, and a boot policy. This is accomplished through the trusted launch features secure boot, vTPM, and boot integrity monitoring, which together protect against bootkits, rootkits, and kernel-level malware.
- Secure Boot protects against the installation of malware-based rootkits and bootkits by allowing only bootloaders, OS kernels, and drivers signed with trusted certificates to load.
- Virtual TPM (vTPM) is a virtualized TPM 2.0 device that lets customers protect keys, certificates, and secrets inside the virtual machine; it also holds the boot measurements that attestation relies on.
- Measured Boot records a cryptographic measurement of each component in the boot chain, from the bootloader and its signature through the kernel and boot policy, into the vTPM, so the integrity of the whole chain can be checked later.
- Boot integrity monitoring sends those measurements to Microsoft Azure Attestation for remote attestation; if attestation fails, Azure Security Center generates integrity alerts, recommendations, and remediations.
As of this announcement, trusted launch is enabled by default for VMs when deployed through the Azure portal. That default applies to the portal; when you deploy with the CLI, PowerShell, an ARM template, or an SDK, set the security type, Secure Boot, and vTPM explicitly so the VM actually gets trusted launch.
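Because only portal deployments get trusted launch by default, it is worth auditing a fleet for the three settings above. The script below is an added example, not Microsoft's code or part of the original announcement. It assumes the JSON shape that `az vm show` returns (the ARM `Microsoft.Compute/virtualMachines` resource, either with the flattened `securityProfile` the CLI emits or nested under `properties`): `securityProfile.securityType`, `securityProfile.uefiSettings.secureBootEnabled`, and `securityProfile.uefiSettings.vTpmEnabled`. The VM records are constructed sample data; the `az vm create` flags quoted for remediation are real CLI flags.

```python
"""Audit Azure VM resources for trusted launch settings.

Added example; not Microsoft code. Input is the VM JSON produced by
`az vm show` / `az vm list` (or the raw ARM resource). The sample records
at the bottom are constructed for illustration.
"""
from typing import Any

# Flags `az vm create` accepts to request trusted launch explicitly.
REMEDIATION_FLAGS = (
    "--security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true"
)


def security_profile(vm: dict[str, Any]) -> dict[str, Any]:
    """Return the securityProfile block, whether the CLI flattened it or ARM nested it."""
    if "securityProfile" in vm:
        return vm.get("securityProfile") or {}
    return (vm.get("properties") or {}).get("securityProfile") or {}


def audit_vm(vm: dict[str, Any]) -> list[str]:
    """Return findings for one VM; an empty list means it meets the trusted launch baseline."""
    findings: list[str] = []
    profile = security_profile(vm)
    sec_type = profile.get("securityType")
    if sec_type != "TrustedLaunch":
        # No securityProfile at all means a Standard (non trusted launch) VM.
        findings.append(
            f"securityType is {sec_type or 'unset (Standard)'}; expected TrustedLaunch"
        )
        return findings  # uefiSettings only exist for trusted launch VMs
    uefi = profile.get("uefiSettings") or {}
    # Both toggles are independent; a VM can be TrustedLaunch with one of them off.
    if uefi.get("secureBootEnabled") is not True:
        findings.append("Secure Boot is disabled")
    if uefi.get("vTpmEnabled") is not True:
        findings.append("vTPM is disabled (measured boot and attestation unavailable)")
    return findings


def audit_all(vms: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map VM name to its findings."""
    return {vm["name"]: audit_vm(vm) for vm in vms}


# Constructed sample inventory (not real resources).
SAMPLE_VMS: list[dict[str, Any]] = [
    {  # flattened CLI shape, fully configured
        "name": "web-01",
        "securityProfile": {
            "securityType": "TrustedLaunch",
            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True},
        },
    },
    {  # deployed from a template with no securityProfile: Standard VM
        "name": "legacy-db",
        "properties": {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}},
    },
    {  # nested ARM shape, trusted launch but Secure Boot switched off
        "name": "build-agent",
        "properties": {
            "securityProfile": {
                "securityType": "TrustedLaunch",
                "uefiSettings": {"secureBootEnabled": False, "vTpmEnabled": True},
            }
        },
    },
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_VMS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
    print(f"\nTo create a compliant VM: az vm create ... {REMEDIATION_FLAGS}")
```

Feed it real data with `az vm list -d -o json` (or `az vm show` per VM) and pipe the output into `audit_all`. A VM that reports `TrustedLaunch` with vTPM off will still boot, but Measured Boot has nowhere to record measurements, so the attestation-based alerts described above will not fire for it; treat that as a finding, not a warning.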
For more information, read the blog post.