News

Azure Virtual Desktop Now Supports Trusted Launch Virtual Machines

• By David Ramel
• 01/11/2022

Microsoft's cloud-based virtual desktop infrastructure (VDI) offering, Azure Virtual Desktop, now supports Trust Launch virtual machines (VMs).

The two-year-old Azure Virtual Desktop, which used to be called Windows Virtual Desktop, enables a secure remote desktop experience from virtually anywhere, the company says. It's primarily aimed at enterprises rather than personal users, debuting just in time for the huge COVID-19-driven work-from-home push.

Trusted Launch, meanwhile, appeared as a preview offering during the Build 2021 conference, covered for Virtualization & Cloud Review by Paul Schnackenburg, who said it will "stop boot and root kits on your VMs in Azure -- it relies on a virtual TPM chip and integrates with Azure Security Center and Azure Defender."

According to documentation: "Azure offers trusted launch as a seamless way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats."

Generation 2 VMs, meanwhile, "support key features that aren't supported in generation 1 VMs. These features include increased memory, Intel Software Guard Extensions (Intel SGX), and virtualized persistent memory (vPMEM). Generation 2 VMs running on-premises, have some features that aren't supported in Azure yet. For more information, see the Features and capabilities section."

In announcing the new support, Microsoft said deploying Trusted Launch virtual machines in an Azure Virtual Desktop environment helps organizations improve the security posture of VMs, protecting against advanced and persistent attack techniques. This capability assumes even more importance as many in the industry have been sounding a death knell for virtual private networks (VPNs) because of security considerations.

Microsoft listed these benefits of the new support:

• Protect against the installation of malware-based rootkits and boot kits with Secure Boot.
• Provide your VM with its own dedicated Trusted Platform Module instance with a vTPM.
• Protect Windows kernel-mode processes against injection and execution of malicious or unverified code with Hypervisor Code Integrity.
• Isolate and protect secrets so that only privileged system software can access them with Windows Defender Credential Guard.
• Ability to perform feature updates when using Windows 11 Enterprise or Windows 11 Enterprise multi-session.

With the new support, users will now see a Trusted launch VM option under Security type when adding VMs in the host pool UI:

and after it's selected users will also have the option to enable secure boot and vTPM: