News

Azure Virtual Desktop Service Gets Trusted Launch Protections

• By Kurt Mackie
• 01/07/2022

Microsoft on Friday announced Azure Virtual Desktop support for virtual machines with "Trusted Launch" protections.

Trusted Launch support for Azure virtual machines actually reached the "general availability" (commercial-release) stage on Nov. 2, but Microsoft is now "officially" announcing Trusted Launch support for its Azure Virtual Desktop service. The Azure Virtual Desktop service (formerly known as "Windows Virtual Desktop") is Microsoft's virtual desktop infrastructure service that lets organizations access apps and desktops remotely from Microsoft's servers.

Trusted Launch Protections
Trusted Launch is Microsoft's phrase for technologies that add protections at the operating system boot-up level to block malware, known as bootkits. Also blocked are firmware, driver and kernel rootkits that may be present.

Specifically, Trusted Launch users get virtual Trusted Platform Module (vTPM) and Secure Boot assurances, plus Virtualization-Based Security protections.

Secure Boot establishes a "root of trust" for software on virtual machines and "works to ensure that only signed operating systems and drivers can boot," per Microsoft's "Trusted Launch for Azure Virtual Machines" document.

The vTPM element in Trusted Launch was described as being compliant with the TPM 2.0 chip specification. It keeps security keys separate from the virtual machine. A cloud-based service is used to attest the boot chain, Microsoft's document explained:

Trusted launch uses the vTPM to perform remote attestation by the cloud. This is used for platform health checks and for making trust-based decisions. As a health check, trusted launch can cryptographically certify that your VM booted correctly.

The third prong of Trusted Launch is Virtualization-Based Security, which creates a "secure and isolated region of memory" to run security solutions. It enables the Hypervisor Code Integrity security solution, which is used to protect the Windows kernel against code injection and the running of unsigned files. It also enables Windows Defender Credential Guard, which "isolates and protects secrets so that only privileged system software can access them," the document explained.

Trusted Launch Limitations
Trusted Launch for Azure Virtual Desktop includes support for Windows systems and multiple Linux systems. However, one big catch for current users of the Azure Virtual Desktop service is that Trusted Launch use depends on also using Generation-2 Azure virtual machines. Moreover, these virtual machines need to be newly created to be afforded Trusted Launch protections.

Here's Microsoft's caveat to that effect, per the document:

Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it.

The document also listed a few other limitations for Trusted Launch. It requires using certain Azure virtual machine sizes. It also doesn't currently work with the Azure Site Recovery service. You can't use nested virtualization with it. Azure Dedicated Host isn't supported, and more.

Microsoft also is touting the use of the Microsoft Defender for Cloud service with Trusted Launch, as those users get alerts when issues protected by Trusted Launch arise. However, Microsoft noted that these "alerts are only available in the Standard Tier of Azure Defender for Cloud."

Microsoft Defender for Cloud is a newly renamed product. It's a combination of the Azure Security Center and Azure Defender products.