Upgrade Azure VMs with Trusted Launch: In-Place Security Enhancement Now Available
AjKundnani introduces the new in-place upgrade support for Trusted Launch in Azure Virtual Machines and Scale Sets, helping administrators strengthen security without complex migrations.
Introduction
Trusted Launch in-place upgrade support is now available for Azure Virtual Machines (VMs) and Scale Sets, enabling organizations to enhance the foundational security of their cloud infrastructure without complex migrations, downtime, or service interruption. This capability is generally available for existing Gen1 (BIOS) and Gen2 (UEFI) VMs and Uniform Scale Sets and in private preview for Flex Scale Sets.
What Is Trusted Launch?
Trusted Launch is an Azure native capability that provides multiple foundational security features to virtual machines and scale sets:
- Secure Boot: Ensures only signed, trusted code runs during system startup, protecting against rootkits and bootkits.
- vTPM (virtual Trusted Platform Module): Acts as a secure vault for encryption keys and boot measurement, supporting attestation of system integrity.
- Boot Integrity Monitoring: Uses guest attestation extensions to continuously verify that VMs boot into an uncompromised state.
Using Trusted Launch adds cryptographic verification to the VM boot process, maintaining the trustworthiness of the guest operating system and supporting regulatory compliance with standards such as Azure Security Benchmark, FedRAMP, HIPAA, and PCI-DSS.
Benefits of In-Place Upgrade Support
- No Downtime or Migration: Instantly enable foundational security features for existing resources—no complex rebuilds required.
- Comprehensive Coverage: Support is available for Gen1 and Gen2 VMs, Uniform Scale Sets, and Flex Scale Sets (in private preview).
- Compliance Readiness: Helps meet industry and regulatory security requirements.
- No Additional Cost: These enhanced security features are offered at no extra charge.
How to Upgrade: Steps & Resources
The upgrade process varies based on your VM or Scale Set type. Find the correct documentation for your scenario:
- Gen1 Virtual Machine: Upgrade existing Azure Gen1 VMs to Trusted Launch
- Gen2 Virtual Machine: Enable Trusted Launch on existing Azure Gen2 VMs
- Virtual Machine Scale Set: Upgrade existing Azure Scale Set to Trusted Launch
- Flex Scale Sets (Private Preview): Sign up for preview
Pre-Requisites
Before upgrading, verify:
- The VM or Scale Set size is supported for Trusted Launch.
- The VM is running a supported operating system.
- The VM does not depend on unsupported Azure features.
- If Azure Backup is used, the VM has been migrated to the Enhanced Backup policy.
- Azure Site Recovery is disabled before the upgrade and re-enabled afterwards if required.
Best Practices
- Review all documentation and known issues for your VM/Scale Set type.
- Test the Trusted Launch upgrade on a non-production resource to check for prerequisite or functionality issues.
- Create restore points for critical VMs before starting the upgrade.
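As an added example (not code from the original post or from the official Azure guides), the following Az PowerShell script walks one existing Gen2 VM through the procedure above: it performs the prerequisite checks that can be made from the control plane, creates a restore point, performs the in-place switch, and then verifies the resulting security profile and installs the guest attestation extension that Boot Integrity Monitoring relies on. The resource group, VM and restore point collection names are assumptions, as are the use of the `TrustedLaunchDisabled` SKU capability for the size check and the `GuestAttestation` extension publisher names; confirm both against the official guide for your guest OS.

```powershell
# Added example (not from the original post): pre-check, restore point, upgrade
# and verify Trusted Launch on one existing Gen2 VM using Az PowerShell
# (Az.Compute and Az.RecoveryServices). Resource names below are assumptions.
param(
    [string]$ResourceGroup          = 'rg-example',            # assumed name
    [string]$VmName                 = 'vm-example',            # assumed name
    [string]$RestorePointCollection = 'rpc-pre-trustedlaunch'  # assumed name
)
$ErrorActionPreference = 'Stop'

# ---- 1. Pre-requisite checks ---------------------------------------------
$vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$view = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status

# Secure Boot and vTPM need a Gen2 (UEFI) VM; Gen1 (BIOS) VMs follow the
# separate Gen1 upgrade guide, so refuse to continue here.
if ($view.HyperVGeneration -ne 'V2') {
    throw "$VmName is Hyper-V generation '$($view.HyperVGeneration)'; use the Gen1 upgrade procedure."
}

# Nothing to do if Trusted Launch is already enabled.
if ($vm.SecurityProfile.SecurityType -eq 'TrustedLaunch') {
    Write-Host "$VmName already uses Trusted Launch."; return
}

# The VM size must support Trusted Launch. The compute SKU capability
# 'TrustedLaunchDisabled' (assumed here) flags sizes that do not.
$size = $vm.HardwareProfile.VmSize
$sku  = Get-AzComputeResourceSku -Location $vm.Location |
        Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $size }
if (-not $sku) { Write-Warning "SKU $size not found in $($vm.Location); check size support manually." }
$tlDisabled = ($sku.Capabilities | Where-Object Name -eq 'TrustedLaunchDisabled').Value
if ($tlDisabled -eq 'True') {
    throw "Size $size does not support Trusted Launch; resize first."
}

# Azure Backup must use an Enhanced policy and Site Recovery must be disabled
# before upgrading; surface the backup state so the operator checks the policy.
$backup = Get-AzRecoveryServicesBackupStatus -Name $VmName -ResourceGroupName $ResourceGroup -Type AzureVM
if ($backup.BackedUp) {
    Write-Warning "$VmName is protected by Azure Backup (vault $($backup.VaultId)); confirm it uses an Enhanced policy."
}
Write-Warning 'If Azure Site Recovery replicates this VM, disable replication before continuing.'

# ---- 2. Restore point: the only way back to the pre-upgrade state --------
$rpc = Get-AzRestorePointCollection -ResourceGroupName $ResourceGroup -Name $RestorePointCollection -ErrorAction SilentlyContinue
if (-not $rpc) {
    $rpc = New-AzRestorePointCollection -ResourceGroupName $ResourceGroup -Name $RestorePointCollection `
               -Location $vm.Location -VmId $vm.Id
}
$rpName = "pre-trustedlaunch-$(Get-Date -Format 'yyyyMMddHHmmss')"
New-AzRestorePoint -ResourceGroupName $ResourceGroup -RestorePointCollectionName $RestorePointCollection -Name $rpName | Out-Null

# ---- 3. Upgrade: deallocate, switch the security type, start -------------
Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force   # deallocates the VM
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm `
    -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true
Start-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# ---- 4. Verify the profile and enable boot integrity monitoring ----------
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$sp = $vm.SecurityProfile
if ($sp.SecurityType -ne 'TrustedLaunch' -or -not $sp.UefiSettings.SecureBootEnabled -or -not $sp.UefiSettings.VTpmEnabled) {
    throw "Verification failed: $($sp | ConvertTo-Json -Compress)"
}

# Guest attestation extension; the publisher depends on the guest OS
# (publisher names assumed here; confirm against the official guide).
$publisher = if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
    'Microsoft.Azure.Security.WindowsAttestation' } else { 'Microsoft.Azure.Security.LinuxAttestation' }
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Location $vm.Location `
    -Name 'GuestAttestation' -Publisher $publisher -ExtensionType 'GuestAttestation' `
    -TypeHandlerVersion '1.0' -EnableAutomaticUpgrade $true | Out-Null
Write-Host "$VmName upgraded: Secure Boot, vTPM and guest attestation enabled."
```

Run it first against a non-production VM, as the best practices above recommend. The restore point is created before the VM is deallocated because, as the Limitations section notes, there is no in-place roll-back from Trusted Launch; the final verification step fails loudly rather than silently leaving a VM that reports `TrustedLaunch` but has Secure Boot or vTPM switched off.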
Limitations
- Secure Boot and vTPM can only be enabled for Gen2 (UEFI) operating systems.
- In-place roll-back from Trusted Launch to Gen1 (BIOS) is not supported. You must restore from backup if full rollback is required.
Compliance & Regulatory Coverage
Trusted Launch helps organizations maintain compliance with standards such as Azure Security Benchmark, FedRAMP, HIPAA, PCI-DSS, and others by ensuring secure configurations and verified boot sequences.
FAQs and Support
- Upgrade support is generally available for Gen1 and Gen2 VMs and Uniform Scale Sets, and in private preview for Flex Scale Sets.
- Upgrades do not affect unrelated VMs or scale set clusters.
- Detailed instructions, limits, and rollback steps are available in the official documentation for each resource type (see links above).
Conclusion
Trusted Launch is a foundational Azure security capability that is now easier to adopt with the in-place upgrade option. Strengthen your cloud infrastructure security, improve compliance, and minimize operational disruption by upgrading your Azure VMs and Scale Sets today.
For further details, step-by-step guides, and known limitations, refer to:
Authored by AjKundnani
This post appeared first on “Microsoft Tech Community”. Read the entire article here