May 29, 2025
Introduction
Today, we are announcing the public preview of the upcoming Trusted Launch as default (TLaD) change, which will affect new deployments of Gen2 Virtual Machines (VMs), Virtual Machine Scale Sets (Scale sets), Azure Compute Gallery (ACG) and OS disk resources in Azure. The change will:
- Set the security type to "TrustedLaunch" by default for new Gen2 VM & Scale set deployments.
- Set the security type to "TrustedLaunchSupported" by default for new Gen2 ACG image definitions.
- Introduce a new disk property named "SupportedSecurityOption", which inherits the security type of the image from which the disk is created.
This change is a major step in, and a result of, our ongoing efforts to improve the foundational security of our cloud computing platform.
The public preview release allows you to validate these changes in your own environment for all new Azure Gen2 VM, Scale set, ACG and disk deployments and to prepare for the upcoming change, whose schedule will be announced soon.
What is Trusted launch?
Trusted Launch VMs provide you with foundational compute security and a robust shield against modern threats by enabling the following capabilities:
- Secure Boot: Protects the OS against rootkits and bootkits.
- vTPM: Serves as a dedicated secure vault for keys and measurements, enabling attestation by measuring the entire boot chain of your VM.
- Boot Integrity Monitoring: The Guest Attestation extension enables proactive attestation and monitoring of the boot integrity of your VMs.
Trusted Launch enhances the security posture of a VM through cryptographic verification and ensures the VM boots to a desired secure state, protecting it from attacks that modify operating system processes. This maintains the trust of the guest OS and adds defence-in-depth. It is essential for maintaining compliance with various regulatory requirements, including Azure Security Benchmark, FedRAMP, Cloud Computing SRG (STIG), HIPAA, PCI-DSS and others.
How do I onboard to the preview?
You can enable the preview feature by registering the feature flag TrustedLaunchByDefaultPreview under the Microsoft.Compute namespace on the given subscription.
Refer to Set up preview features in Azure subscription for the steps to register the required feature flag.
What does this mean for Azure Users?
All new Gen2 VM, Scale set, ACG & disk deployments using any client tool (ARM template, Bicep, Terraform, etc.) will default to Trusted launch after onboarding to the preview. This change will NOT override inputs you provide as part of the deployment code.
VM & scale set deployments
Existing Behaviour
To create a Trusted launch VM & Scale set, you need to add the following securityProfile element to the deployment:
"securityProfile": {
    "securityType": "TrustedLaunch",
    "uefiSettings": {
        "secureBootEnabled": true,
        "vTpmEnabled": true
    }
}
If the securityProfile element is absent from the deployment code, the VM & Scale set will be deployed without Trusted launch enabled.
Example ARM template without securityProfile: vm-windows-admincenter. This deploys a Gen2 VM without enabling Trusted launch.
Example ARM template with securityProfile: vm-simple-windows. This deploys a Trusted launch VM (not via the default, since securityProfile has been explicitly added to the deployment).
New Behaviour
With API version 2021-11-01 or higher AND the subscription onboarded to the preview, the absence of the securityProfile element from the deployment will enable Trusted launch by default on newly deployed VMs & Scale sets if the following conditions are met:
- Source Marketplace OS image supports Trusted launch.
- Source ACG OS image supports and has been validated for Trusted launch. Refer to Azure Compute Gallery deployments for more details on validation.
- Source disk supports Trusted launch. Refer to managed disk deployments for more details.
- VM size supports Trusted launch. Refer to Trusted launch supported VM sizes.
If any of the listed conditions is not met, the deployment will not default to Trusted launch and will still complete successfully, creating a new Gen2 VM & Scale set without Trusted launch.
You can explicitly bypass the default for VM & Scale set deployments by setting Standard as the value of the securityType parameter. Refer to Can I disable Trusted Launch for a new VM deployment for more details.
Azure compute gallery (ACG) deployments
Existing Behaviour
To create a Trusted launch supported Gen2 ACG OS image definition, you need to add the following features element to the deployment:
"features": [
    {
        "name": "SecurityType",
        "value": "TrustedLaunchSupported"
    }
],
"hyperVGeneration": "V2"
If the SecurityType feature is absent from the deployment code, the Azure compute gallery image definition will be deployed without Trusted launch support.
The Trusted launch security type cannot be enabled for a VM & Scale set resource deployed using an image that is not marked as TrustedLaunchSupported.
New Behaviour
With API version 2025-03-03 or above for the Microsoft.Compute/galleries resource, the absence of the SecurityType feature from the deployment (i.e., SecurityType is null or not specified) will enable TrustedLaunchSupported by default on new ACG image definitions.
Additionally, the platform will trigger validation of the OS image to ensure it supports Trusted launch capabilities. The validation takes a minimum of 1 hour, and the results are available as an image version property:
"validationsProfile": {
    "executedValidations": [
        {
            "type": "TrustedLaunch",
            "status": "Succeeded",
            "version": "0.0.2",
            "executionTime": "2024-09-30T20:28:38.0129775+00:00"
        }
    ]
}
Note: Validation of Azure compute gallery images will soon be in preview. You'll need to register the feature flag GalleryImageTrustedLaunchValidation under the Microsoft.Compute namespace AND set the resource tag TrustedLaunchValidation on the Azure compute gallery with the value true.
Any new VM & Scale set created using image versions that have been validated successfully will default to the Trusted launch security type, as described in the VM & Scale set section. You can try out the VM & Scale set default using the ACG experience in preview starting June 2025.
You can explicitly bypass the default for new ACG image definitions by setting Standard as the value of the SecurityType feature under features:
"features": [
    {
        "name": "SecurityType",
        "value": "Standard"
    }
],
"hyperVGeneration": "V2"
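As an added example (not code from this post), a small Python pre-flight audit that applies the API-version and securityProfile/SecurityType rules from the VM & Scale set and Azure compute gallery sections above to the resources in an ARM template, and reports which resources the preview default would touch. It assumes ARM JSON with nested Microsoft.Compute/galleries/images image definitions, compares only the date part of apiVersion, cannot check image or VM-size support offline, and uses a constructed sample template.

```python
import json

VM_DEFAULT_API = "2021-11-01"       # threshold from the post: virtualMachines / virtualMachineScaleSets
GALLERY_DEFAULT_API = "2025-03-03"  # threshold from the post: galleries (image definitions)
VM_TYPES = {"Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets"}
IMAGE_DEF_TYPE = "Microsoft.Compute/galleries/images"

def api_at_least(version, minimum):
    # API versions are ISO dates (optionally "-preview" suffixed); compare the date part only.
    return version[:10] >= minimum[:10]

def assess_vm(res):
    explicit = (res.get("properties", {}).get("securityProfile") or {}).get("securityType")
    new_api = api_at_least(res["apiVersion"], VM_DEFAULT_API)
    if explicit:  # an explicit value always wins; Standard on the new API needs the preview flag
        flag = " (preview requires UseStandardSecurityType flag)" if explicit == "Standard" and new_api else ""
        return f"explicit {explicit}: default does not apply{flag}"
    if new_api:
        return "no securityProfile: defaults to TrustedLaunch if image and VM size support it"
    return "no securityProfile: API below 2021-11-01, stays Gen2 without Trusted launch"

def assess_image_definition(res):
    props = res.get("properties", {})
    if props.get("hyperVGeneration") != "V2":
        return "not a Gen2 image definition: default does not apply"
    for feat in props.get("features", []):
        if feat.get("name") == "SecurityType" and feat.get("value"):
            return f"explicit SecurityType={feat['value']}: default does not apply"
    if api_at_least(res["apiVersion"], GALLERY_DEFAULT_API):
        return "no SecurityType feature: defaults to TrustedLaunchSupported, validation queued"
    return "no SecurityType feature: API below 2025-03-03, not Trusted launch supported"

def audit_template(template_json):
    """Return {resource name: assessment} for every VM, Scale set and image definition."""
    report = {}
    for res in json.loads(template_json).get("resources", []):
        if res.get("type") in VM_TYPES:
            report[res["name"]] = assess_vm(res)
        elif res.get("type") == IMAGE_DEF_TYPE:
            report[res["name"]] = assess_image_definition(res)
    return report

# Constructed sample template; names, API versions and properties are illustrative only.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Compute/virtualMachines", "apiVersion": "2024-03-01",
     "name": "vm-no-profile", "properties": {}},
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "apiVersion": "2024-03-01",
     "name": "vmss-standard", "properties": {"securityProfile": {"securityType": "Standard"}}},
    {"type": "Microsoft.Compute/galleries/images", "apiVersion": "2025-03-03",
     "name": "gallery/imgdef", "properties": {"hyperVGeneration": "V2", "features": []}}]})
```

Run `audit_template(SAMPLE_TEMPLATE)` against your own exported templates to see, before onboarding the subscription, which resources would silently pick up the new default and which already pin a security type.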
Managed disk deployments
Existing Behaviour
To create a Trusted launch managed disk using a Gen2 OS image as the source, you need to add the following securityProfile element to the deployment:
"securityProfile": {
    "securityType": "TrustedLaunch"
}
If securityProfile is absent from the deployment code, the managed disk will be deployed without Trusted launch enabled.
The Trusted launch security type cannot be enabled for a VM resource deployed using a disk without Trusted launch, and vice versa: you can only deploy a Trusted launch VM using a disk with Trusted launch enabled.
New Behaviour
Trusted launch as default for disks, and for VMs created by attaching a disk, is currently not available in the preview. Please check back on this blog post in July 2025 for more details on the new behaviour.
Known limitations
Unable to bypass the Trusted launch default and create a Gen2 (Non-Trusted launch) VM using the Azure portal after registering for the preview.
After registering the subscription for the preview, setting the security type to "Standard" in the Azure portal will still deploy the VM or Scale set as "Trusted launch". This limitation will be addressed prior to the upcoming Trusted launch default change.
To mitigate this limitation, you can un-register the preview feature by removing the feature flag TrustedLaunchByDefaultPreview under the Microsoft.Compute namespace on the given subscription.
Refer to Un-register preview features in Azure subscription for the steps to remove the required feature flag.
Unable to re-size a VM or Scale set to a VM size family that does not support Trusted launch (like M-Series) after defaulting to Trusted launch.
Re-sizing a Trusted launch VM to a VM size family not supported by Trusted launch is not supported. As mitigation, register the feature flag UseStandardSecurityType under the Microsoft.Compute namespace AND roll back the VM from Trusted launch to Gen2-only (Non-Trusted launch) by setting securityType = Standard using the available client tools (except the Azure portal).
What do I need to do?
The goal of the preview is to make the upcoming change in default as seamless for you as possible. Hence, we strongly recommend that you onboard your subscription to the public preview and validate this change against your existing deployments.
You can enable the preview feature by registering the feature flag TrustedLaunchByDefaultPreview under the Microsoft.Compute namespace on the given subscription.
Refer to Set up preview features in Azure subscription for the steps to register the required feature flag.
Conclusion
We take the security of our cloud computing platform as a priority, and this change is an important step towards ensuring that Azure VMs provide a more secure environment for your applications and services. We encourage you to take the necessary steps to prepare for this change.
If you have any feedback, questions or concerns about this upcoming change, please reach out to us at https://aka.ms/TrustedLaunchDefault/Feedback
Our team will actively track your submissions and respond promptly.
Frequently asked questions
When is the upcoming change planned?
We are doing our due diligence before scheduling the change. You will receive communication via service notifications and blog posts prior to implementation of the change.
Will upcoming change impact all my new VM/Scale set deployments?
The upcoming change will be implemented on a new API version for Microsoft.Compute/virtualMachines & Microsoft.Compute/virtualMachineScaleSets and will only default Gen2 (UEFI) OS image based VM/Scale set deployments to Trusted launch, provided that the conditions described earlier in this post for the Trusted launch default are met.
It does not apply to VM & Scale set deployments referencing a Gen1 (BIOS) OS image.
How will my existing VMs be affected?
This change will not impact existing Azure VMs or Scale set clusters already running in your environment.
Do I need to update my automation scripts or deployment templates?
You need to update the API versions for the following resource types to validate the Trusted launch default end-to-end experience as part of the preview:
- Microsoft.Compute/virtualMachines – API version 2021-11-01 or higher.
- Microsoft.Compute/virtualMachineScaleSets – API version 2021-11-01 or higher.
- Microsoft.Compute/galleries – API version 2025-03-03
- Microsoft.Compute/disks – (API version details will be added in July 2025 to same blog post).
I am currently using VM/Scale set without Trusted Launch and would like to start using Trusted Launch for new deployments.
Please update your deployment to specify the "TrustedLaunch" security type. Refer to Deploy a VM with Trusted Launch enabled for more details.
I am already using VM/Scale set with Trusted Launch.
No action is required; your VM/Scale set deployments will continue with the defined Trusted Launch configuration.
I am currently using Gen2 VM/Scale set without Trusted Launch and would like to continue using Non-Trusted Launch configuration after the upcoming change.
Trusted Launch VMs provide you with foundational compute security. We strongly recommend that you don't disable it for new VM or scale set deployments. Please reach out to us at https://aka.ms/TrustedLaunchDefault/Feedback if you still wish to continue without the Trusted launch configuration.
You can bypass the upcoming Trusted launch default behaviour by either:
- continuing to use the existing API versions for deployments, OR
- if you need to use the latest API version for deployments, registering the feature flag UseStandardSecurityType under the Microsoft.Compute namespace during the public preview AND updating your deployment code to specify the "Standard" security type to maintain the existing behaviour of your Gen2 VM/Scale set. We recommend updating the deployment code to specify securityType = Standard prior to the upcoming change, to avoid any unintended behaviour after the change.
"securityProfile": {
    "securityType": "Standard",
    "uefiSettings": "[null()]"
}
Note:
- You need not bypass the Trusted launch default for Gen1 VM/Scale set deployments, as the Trusted launch default only applies to Gen2 OS image based VM & Scale set deployments.
- The feature flag UseStandardSecurityType is required only during the preview. This feature flag will not be required once the upcoming change is generally available.
What could be possible situations where I must bypass Trusted launch defaults for VM/Scale set?
You need to explicitly bypass the Trusted launch default if one of the following scenarios applies to your Gen2 VM/Scale set deployments:
- A Gen2 VM is used to generate "TrustedLaunchSupported", "TrustedLaunchAndConfidentialVMSupported" or "ConfidentialVMSupported" Azure compute gallery images via Azure Image Builder (AIB) or Packer, OR
- A Gen2 VM is used to create managed images*, OR
- A Gen2 Linux VM requires Hibernation enabled.
*Note: The recommendation is to move from managed images to Azure compute gallery.
My VM/Scale set are deployed using Managed Image and would like to start using Trusted Launch for new deployments.
For the most current technology, you are encouraged to use Azure Compute Gallery. If you have an existing managed image, you can use it as a source and create an Azure Compute Gallery image. For more information, see Create an image definition and image version.
Will Azure Site Recovery (ASR) support be generally available for Trusted launch before this change?
Yes, ASR support will be generally available for Trusted launch Windows & Linux VMs before implementation of Trusted launch as default for Gen2 VM/Scale set deployments.
Do I need to update backup properties for new VMs which will default to Trusted launch?
Starting with API version 2025-01-01 for Microsoft.RecoveryServices, Azure Backup supports Trusted Launch VM backup with both the Standard & Enhanced policy, i.e., you need not update the policy name and target policy for backup of new Gen2 VM/Scale set deployments.
You need to update the policy name and target policy to type Enhanced Policy if updating the API version for Microsoft.RecoveryServices is not feasible.
Does using Trusted launch VMs increase my cost?
Trusted Launch VMs provide you with foundational compute security at no extra cost to VM billing.
Trusted launch VM backup may result in higher storage costs, because backup of Trusted launch VMs using the Standard policy uses Managed Disk snapshots for storage instead of Blob snapshots. For more details, refer to our Azure pricing page.
Preview feedback
Please reach out to us with any feedback, queries or concerns regarding this upcoming change at https://aka.ms/TrustedLaunchDefault/Feedback
Our team will actively track your submissions and respond promptly.