Trusted launch is now enabled by default for VMs deployed through PowerShell and CLI. Trusted launch hardens your Azure virtual machines with security features that let administrators deploy virtual machines with verified and signed bootloaders, OS kernels, and a boot policy. This is accomplished through the trusted launch features (Secure Boot, vTPM, and boot integrity monitoring) that protect against boot kits, rootkits, and kernel-level malware:
- Secure Boot protects against the installation of malware-based rootkits and boot kits and only allows signed OSes and drivers to boot.
- Virtual TPM (vTPM) allows customers to protect keys, certificates, and secrets in the virtual machine.
- Measured Boot examines and verifies the authenticity of the bootloader's signature and performs an integrity measurement of the entire boot chain.
- Boot integrity monitoring via Microsoft Azure Attestation and Azure Security Center generates integrity alerts, recommendations, and remediations if remote attestation fails.
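As an added example (not part of the original announcement), the following Az PowerShell script sets the trusted launch security profile explicitly on a new VM and then audits a resource group so that any VM without TrustedLaunch, Secure Boot and vTPM all enabled is reported. The resource group, location, VM name, image alias and size are placeholders, and it assumes the Az.Compute module is installed and Connect-AzAccount has already been run.

```powershell
# Added example, not from the original page. Assumes Az.Compute is installed
# and Connect-AzAccount has been run. Names below are placeholders.
$rg   = 'rg-trusted-launch-demo'   # placeholder resource group (must exist)
$loc  = 'westeurope'               # placeholder region
$cred = Get-Credential -Message 'Local admin account for the new VM'

# State the security profile explicitly even though new deployments now
# default to TrustedLaunch: scripts copied to older tooling keep the setting.
New-AzVM -ResourceGroupName $rg -Location $loc -Name 'vm-tl-01' `
    -Image 'Win2022AzureEditionCore' `   # placeholder Gen2 image alias
    -Size 'Standard_D2s_v5' `            # placeholder size
    -Credential $cred `
    -SecurityType 'TrustedLaunch' `
    -EnableSecureBoot $true `
    -EnableVtpm $true

# Audit helper: one row per VM with the three settings the announcement
# lists, plus a Compliant flag for quick filtering in reports.
function Test-TrustedLaunch {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        $sp   = $vm.SecurityProfile
        $uefi = $sp.UefiSettings
        [pscustomobject]@{
            Name         = $vm.Name
            SecurityType = $sp.SecurityType
            SecureBoot   = [bool]$uefi.SecureBootEnabled
            vTPM         = [bool]$uefi.VTpmEnabled
            Compliant    = ($sp.SecurityType -eq 'TrustedLaunch' -and
                            [bool]$uefi.SecureBootEnabled -and
                            [bool]$uefi.VTpmEnabled)
        }
    }
}

# List only the VMs that still need attention (Gen1 VMs created before the
# default changed will show an empty SecurityType here).
Test-TrustedLaunch -ResourceGroupName $rg | Where-Object { -not $_.Compliant }
```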
For more information, read the blog post.