Introduction to Trusted launch for Azure Arc VMs on Azure Local, version 23H2
Applies to: Azure Local, version 23H2
This article introduces Trusted launch for Azure Arc virtual machines (VMs) on Azure Local, version 23H2. You can create a Trusted launch Arc VM by using the Azure portal or the Azure Command-Line Interface (CLI).
Introduction
Trusted launch for Azure Arc VMs supports Secure Boot, a virtual Trusted Platform Module (vTPM), and vTPM state transfer when a VM migrates or fails over within a cluster.
Trusted launch is a security type that you specify when creating an Arc VM on Azure Local; it can't be added to an existing VM after the fact without recreating it as a Trusted launch VM. For more information, see Trusted launch for Azure Arc VMs on Azure Local.
Capabilities and benefits
| Capability | Benefit |
|---|---|
| Secure Boot | Helps reduce the risk of boot-level malware (bootkits and rootkits) by verifying that each boot component is signed by a trusted publisher before it runs. |
| vTPM | A virtualized TPM 2.0 that gives the guest a dedicated vault for keys, certificates, and secrets (for example, the keys that BitLocker seals to the TPM). |
| vTPM state transfer | Preserves the vTPM state, and therefore the keys and secrets sealed to it, when the VM migrates or fails over within a cluster. |
| Virtualization-based security (VBS) | The guest OS can use VBS to create isolated regions of memory that the rest of the guest, including its kernel, can't read; Windows features such as Credential Guard and hypervisor-protected code integrity (HVCI) rely on this. |
Note
Guest boot integrity verification (attestation of the VM's measured boot) is not available for Trusted launch Arc VMs on Azure Local. Secure Boot still enforces signature checks inside the VM, but there is no external report of what actually booted.
Guidance
IgvmAgent is a component installed on every node in the Azure Local system. It provides the host-side support for isolated VMs, including Trusted launch Arc VMs.
As part of Trusted launch Arc VM creation, Hyper-V creates VM files on disk to store the VM state; the vTPM state is part of that data. By default, access to those VM files is restricted to host server administrators. Host administrators must ensure that the location where those VM files are stored always remains appropriately access-restricted, because anyone who can read them can read the secrets the vTPM protects.
VM live migration network traffic is not encrypted, so VM memory and vTPM state travel across the migration network in the clear. We strongly recommend that you enable a network-layer encryption technology such as IPsec on the live migration network to protect that traffic.
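The capabilities table and the three guidance points above can all be checked from the host. The following PowerShell script is an added example written for this article, not code from the product or its documentation. It assumes an elevated session on the Azure Local node that currently owns the VM, uses only built-in Hyper-V, file-system and NetSecurity cmdlets, and treats the VM name as a placeholder. The IPsec coverage check is a heuristic (it matches enabled rules that require security in both directions against the configured migration subnets by exact string) rather than a full policy evaluation, and the principal allowlist for the VM file ACLs flags unknown identities for review rather than declaring them wrong.

```powershell
# Added example (not from the original article): audit a Trusted launch Arc VM and its
# host against the guidance in this article. Run elevated on the node that owns the VM.
# The VM name is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $VMName
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Trusted launch settings on the VM itself: generation 2, Secure Boot on, vTPM enabled,
#    and the guest has not opted out of virtualization-based security.
$vm       = Get-VM -Name $VMName -ErrorAction Stop
$firmware = Get-VMFirmware -VMName $VMName
$security = Get-VMSecurity -VMName $VMName

if ($vm.Generation -ne 2)          { $findings.Add("VM is generation $($vm.Generation); Trusted launch requires a generation 2 VM.") }
if ($firmware.SecureBoot -ne 'On') { $findings.Add("Secure Boot is $($firmware.SecureBoot).") }
if (-not $security.TpmEnabled)     { $findings.Add("vTPM is not enabled.") }
if ($security.VirtualizationBasedSecurityOptOut) { $findings.Add("Guest has opted out of virtualization-based security.") }

# 2. VM state files: only SYSTEM, host administrators and the Hyper-V virtual machine
#    identities are expected to have access. Any other principal is reported for review.
$allowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT VIRTUAL MACHINE\Virtual Machines',   # well-known group S-1-5-83-0
    "NT VIRTUAL MACHINE\$($vm.Id)"           # per-VM identity (string compare is case-insensitive)
)
$paths = @($vm.ConfigurationLocation, $vm.SnapshotFileLocation, $vm.SmartPagingFilePath) |
    Sort-Object -Unique
foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) { continue }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $who -notin $allowed) {
            $findings.Add("$path grants $($ace.FileSystemRights) to '$who'; confirm this principal needs access.")
        }
    }
}

# 3. Live migration: report the authentication type and the migration networks in use,
#    then look for an enabled IPsec rule that requires security on those networks.
$hyperVHost = Get-VMHost
if ($hyperVHost.VirtualMachineMigrationEnabled) {
    if ($hyperVHost.VirtualMachineMigrationAuthenticationType -ne 'Kerberos') {
        $findings.Add("Live migration authentication is $($hyperVHost.VirtualMachineMigrationAuthenticationType); Kerberos is preferred over CredSSP.")
    }
    $subnets = @()
    if (-not $hyperVHost.UseAnyNetworkForMigration) {
        $subnets = @(Get-VMMigrationNetwork | Select-Object -ExpandProperty Subnet)
    }
    # Heuristic: a rule counts as covering the migration path if it is enabled, requires
    # security inbound and outbound, and its remote address filter is 'Any' or names one of
    # the migration subnets exactly as Get-VMMigrationNetwork reports it.
    $covered = $false
    foreach ($rule in @(Get-NetIPsecRule -ErrorAction SilentlyContinue)) {
        if ($rule.Enabled -ne 'True') { continue }
        if ($rule.InboundSecurity -ne 'Require' -or $rule.OutboundSecurity -ne 'Require') { continue }
        $remote = @($rule | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress)
        if ($remote -contains 'Any' -or ($subnets | Where-Object { $remote -contains $_ })) {
            $covered = $true
            break
        }
    }
    if (-not $covered) {
        $where = if ($subnets.Count) { $subnets -join ', ' } else { 'any network (no dedicated migration network configured)' }
        $findings.Add("No enabled IPsec rule requiring security was found for live migration over $where; VM memory and vTPM state would cross the network unencrypted.")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No findings for $VMName."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Save the script and run it as `.\Test-TrustedLaunchVm.ps1 -VMName <vm-name>` (the file name is arbitrary). It only reports; it doesn't change ACLs, migration settings or IPsec policy, and a clean run means the checks it knows about passed, not that the IPsec policy is correct end to end.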
Guest operating system images
The following VM guest OS images from Azure Marketplace are supported. You can create the VM image by using the Azure portal or Azure CLI, referencing the publisher, offer, SKU, and version listed here.
For more information, see Create Azure Local VM image using Azure Marketplace.
| Name | Publisher | Offer | SKU | Version number |
|---|---|---|---|---|
| Windows 11 Enterprise multi-session, version 22H2 - Gen2 | microsoftwindowsdesktop | windows-11 | win11-22h2-avd | 22621.2428.231001 |
| Windows 11 Enterprise multi-session, version 22H2 + Microsoft 365 Apps (preview) - Gen2 | microsoftwindowsdesktop | windows11preview | win11-22h2-avd-m365 | 22621.382.220810 |
| Windows 11 Enterprise multi-session, version 21H2 - Gen2 | microsoftwindowsdesktop | windows-11 | win11-21h2-avd | 22000.2538.231001 |
| Windows 11 Enterprise multi-session, version 21H2 + Microsoft 365 Apps - Gen2 | microsoftwindowsdesktop | office-365 | win10-21h2-avd-m365-g2 | 19044.3570.231010 |
Note
VM guest images obtained outside Azure Marketplace are not supported for Trusted launch Arc VMs.