Skip to main content

🛡️ Azure Virtual Machine Trusted Launch is not enabled🟢

Logic

Description

Open File

Description

When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can be used to detect the intrusion and alert you.

Rationale

Secure Boot and vTPM work together to protect your VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits. Not enabling Trusted Launch in Azure VM can lead to increased vulnerability to rootkits and boot-level malware, reduced ability to detect and prevent unauthorized changes to the boot process, and a potential compromise of system integrity and data security.

Impact

Secure Boot and vTPM are not currently supported for Azure Generation 1 VMs.

IMPORTANT: Before enabling Secure Boot and vTPM on a Generation 2 VM which does not already have both enabled, it is highly recommended to create a restore point of the VM prior to remediation.

... see more

Remediation

Open File

Remediation

From Azure Portal

  1. Go to Virtual Machines.
  2. For each VM, under Settings, click on Configuration on the left blade.
  3. Under Security Type, select Trusted Launch Virtual Machines.
  4. Make sure Enable Secure Boot & Enable vTPM are checked.
  5. Click on Apply.

Note: Trusted launch on existing virtual machines (VMs) is currently not supported for Azure Generation 1 VMs.

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 CIS Azure v2.1.0 → 💼 7.9 Ensure Trusted Launch is enabled on Virtual Machines - Level 1 (Automated)1no data
💼 CIS Azure v3.0.0 → 💼 8.11 Ensure Trusted Launch is enabled on Virtual Machines (Automated)1no data
💼 Cloudaware Framework → 💼 Threat Protection31no data