Microsoft has removed a major barrier to Linux and Windows server security in Azure by enabling in-place upgrades to Trusted Launch for existing Generation 2 virtual machines. The change, which arrived as a quiet but significant update to Azure’s documentation and platform capabilities, means organizations can now add Secure Boot, virtual TPM 2.0, and boot integrity monitoring to their VMs without redeploying workloads or rebuilding images.
The in-place upgrade path is generally available for Gen2 VMs and Uniform virtual machine scale sets, with preview support for Gen1-to-Gen2 conversions and Flex scale sets. It’s a pragmatic move that acknowledges the reality of production environments: few teams can afford the downtime or engineering effort of a lift-and-shift migration just to turn on a security feature. By reducing the friction to a stop-deallocate-update-start cycle—or a rolling upgrade for scale sets—Microsoft makes Trusted Launch adoptable at scale.
Trusted Launch 101: The Three Pillars
Trusted Launch is Azure’s platform-level suite of boot protections that together create a cryptographic root of trust for virtual machines. It’s designed to thwart bootkits, rootkits, and other low-level persistence techniques by ensuring only signed, approved code executes during startup. The service is built on three integrated components:
- Secure Boot – cryptographically verifies the bootloader, OS kernel, and signed drivers, blocking unauthorized code at boot time.
- vTPM (virtual TPM 2.0) – a secure key store and measured-boot artifact repository that enables both in-guest and remote attestation workflows.
- Boot Integrity Monitoring – continuous checks, typically surfaced through Microsoft Defender for Cloud, that alert when measured boot values deviate from expected baselines.
These controls raise the bar against kernel-level persistence and advanced firmware attacks, and they feed directly into Defender for Cloud, allowing centralized security tools to detect and flag integrity anomalies. Microsoft maps these protections to Azure Security Benchmark recommendations and related compliance frameworks, making Trusted Launch a foundational element of a secure cloud posture.
The Rollout Map: GA vs. Preview
Microsoft’s update isn’t a single toggle—it’s a set of capabilities with varying maturity levels that any adoption plan must account for:
- Gen2 VMs (GA): Enabling Trusted Launch on existing Generation 2 VMs is fully supported via the Azure portal, PowerShell, and CLI. This covers the majority of modern VM deployments. The process requires stopping and deallocating the VM, updating the security type, and restarting.
- Uniform scale sets (GA): Upgrades for Uniform orchestration mode scale sets are documented, with guidance on using rolling upgrades and surge settings to minimize downtime.
- Gen1-to-Gen2 upgrade (preview): Converting a Gen1 VM to Gen2 and then enabling Trusted Launch is available as a preview, with explicit prerequisites and irreversible steps, including MBR-to-GPT disk conversion and EFI partition creation.
- Flex scale sets (preview): Support for Flexible orchestration scale sets is in preview and requires registration; behavior may differ from Uniform scale sets.
This graduated rollout means most organizations can immediately begin securing their Gen2 estate, while older Gen1 workloads and more complex scale-set configurations require additional validation and planning.
How to Upgrade: A Pragmatic Roadmap
Based on Microsoft’s guidance and real-world enterprise practices, a typical adoption journey follows five stages:
- Inventory and eligibility check: Identify candidate VMs by generation, size family, OS version, attached data disks, and backup policy. Azure Advisor and Defender for Cloud can surface upgrade recommendations.
- Pilot on non-production Gen2 VMs: Pick a small ring of Gen2 VMs and Uniform scale sets. Test driver compatibility (especially GPU and third-party kernel modules), application behavior, and backup/restore processes. Run Defender for Cloud Guest Attestation checks post-upgrade to verify boot integrity telemetry.
- Prepare backups and restore points: Before any upgrade, create full backups or platform restore points. For Gen1 conversions, the disk layout changes are irreversible; Microsoft warns that rolling back requires restoring from pre-upgrade backups. Always validate recovery on a test VM.
- Apply changes with low-downtime patterns: For single VMs, stop/deallocate, update
securityTypetoTrustedLaunch, enable Secure Boot and vTPM as desired, then start. For scale sets, use rolling upgrades with controlled surge. Example PowerShell sequence (conceptual):
-Stop-AzVM -ResourceGroupName "RG" -Name "VM"
- Update the VM’s security profile toTrustedLaunch
-Start-AzVM -ResourceGroupName "RG" -Name "VM" - Validate and monitor post-upgrade: Confirm vTPM and Secure Boot are enabled, verify sign-in, check Defender for Cloud alerts and the Guest Attestation extension, and run application-level smoke tests.
Why This Matters: Security and Compliance Wins
The in-place upgrade delivers four concrete benefits that make Trusted Launch a high-priority task:
- Lower friction security uplift. Converting Gen2 VMs without redeploying images eliminates the classic “security vs. uptime” tradeoff. Teams can raise the security baseline during routine maintenance windows.
- No extra cost. Microsoft documents that Trusted Launch adds no additional VM pricing, removing a common financial objection. The only investment is the operational effort of the upgrade.
- Defender for Cloud integration. Automated recommendations, attestation telemetry, and continuous boot integrity monitoring turn Trusted Launch into a measurable, auditable security improvement that plugs directly into compliance tooling.
- Compliance alignment. Trusted Launch helps satisfy technical controls referenced by Azure Security Benchmark, Azure CIS, FedRAMP, HIPAA, and other frameworks. While it doesn’t guarantee certification, it materially supports measured-boot and key-protection requirements.
The Fine Print: Risks and Gotchas
Despite its promise, Trusted Launch isn’t a zero-risk toggle. Several operational pitfalls demand attention:
- Gen1→Gen2 irreversibility. The conversion involves disk layout changes that cannot be undone. A rollback requires full restoration from a pre-upgrade backup; there’s no “undo” button.
- Driver and OS compatibility. Secure Boot blocks unsigned kernel drivers. Many third-party kernel modules and older GPU drivers (particularly on Linux) may require Secure Boot to be disabled during installation or handled via signed shim bootloaders. Validate all drivers in the pilot.
- Scale set upgrade constraints. Instances with data disks require specific upgrade modes (rolling upgrade with surge) and may need instance recreation for size changes. Flex scale sets are still in preview—don’t assume parity with Uniform behavior.
- Unexpected boot failures after unrelated updates. Recent real-world incidents have shown that interactions between OS patches, Virtualization-Based Security (VBS), and Trusted Launch can cause boot issues. For example, a 2025 Windows security update triggered VM boot failures when VBS was enabled but Trusted Launch was disabled, forcing Microsoft to issue an emergency fix. Validate update/patch cycles in your pilot ring.
- Managed image limitations. Some custom managed images and Azure Compute Gallery configurations may not be eligible for portal-based upgrades, requiring scripted or template-based approaches.
Treat Trusted Launch adoption as a platform change program: plan for rollback, test patches and drivers, and include security telemetry validation in deployment checklists.
A Pre-Flight Checklist for Production Upgrades
Before touching production workloads, run through this checklist:
- Inventory: OS build, VM generation (Gen1/Gen2), size family, attached data disks, boot configuration, backup policy.
- Backup/Restore: Create full VM backups or platform restore points; test restoration on a sample VM in a separate resource group.
- Pilot: Select representative Windows Server, Linux, and GPU workloads for compatibility testing.
- Drivers & Agents: Validate endpoint detection and response (EDR) agents, backup agents, and kernel drivers for Secure Boot compatibility.
- Scale set planning: For Uniform scale sets, configure rolling upgrade with controlled surge; for Flex scale sets, register for preview only if you intend to test.
- Automation: Prepare PowerShell, CLI, ARM, or Bicep templates for batch upgrades and logging.
- Monitoring: Ensure Defender for Cloud and Azure Monitor have guest attestation and boot integrity telemetry configured post-upgrade.
- Timeline: Schedule upgrades during maintenance windows, staged in rings (pilot → early adopter → broad rollout).
What’s Next for Trusted Launch
Keep an eye on three moving parts:
- Default for new Gen2 deployments is moving through public preview. Teams using infrastructure-as-code should validate CI/CD scripts to explicitly set
securityProfilefields if they need to preserve non-Trusted behavior for backward compatibility. - Flex scale set support remains in preview; enterprises relying on flexible orchestration should monitor preview updates and breaking-change advisories.
- Patching interactions will continue to be a variable. Monitor Azure and Windows update advisories for kernel and hypervisor patches that could affect Secure Boot, VBS, and boot integrity monitoring.
Final Verdict: Who Should Move Now
For organizations running Gen2 Azure VMs and Uniform scale sets, Trusted Launch is an immediate, high-value security upgrade with minimal friction. Pilot quickly, validate, and roll out in waves. The lack of additional cost makes the decision largely operational rather than financial.
If you operate older Gen1 workloads, custom managed images, or unsigned kernel-mode drivers, don’t rush. The Gen1-to-Gen2 conversion is invasive and irreversible; the Flex scale set path is still in preview. Plan a deliberate remediation program with thorough testing and robust backup strategies.
Microsoft’s in-place Trusted Launch upgrade doesn’t just enable stronger boot security—it reflects a maturing cloud security paradigm where foundational protections can be layered onto existing footprints without disruptive migrations. For cloud and security teams, the path forward is clear: inventory your Gen2 VMs today, run a fast pilot with Defender for Cloud attestation checks, and systematically raise the security baseline of your Azure estate.