Fully Upgrading Azure VMs to Trusted Launch
Azure • Security • How-To
I had a client call me needing to upgrade all their supported virtual machines from Gen 1 (think BIOS/MBR) to Gen 2 with Trusted Launch (think UEFI plus a virtual TPM). All their servers are supported and reasonably up to date (Server 2022+), and he wanted them hardened. I also updated their Bicep templates to reflect these changes.
TL;DR: Enable Trusted Launch to harden the earliest stages of VM startup. For Gen1, convert the OS disk to GPT and add an EFI system partition first, while the guest is still running; then deallocate, switch the security type, enable Secure Boot + vTPM, start, validate, and re-enable ASR/Backup.
- Confirm size + OS support and take a recovery point
- (Gen1) Convert MBR → GPT and add EFI
- Deallocate, toggle Trusted Launch, enable Secure Boot & vTPM
- Start, test access, re-protect with ASR/Backup
What is Trusted Launch (and why you want it)
Trusted Launch adds Secure Boot (the firmware only loads signed boot components), a virtual TPM (measured boot, so the boot chain can be attested), and boot integrity monitoring surfaced through Microsoft Defender for Cloud. A rootkit or bootkit now has to get past signature checks and measurements before the OS is even awake enough to fight back. It's foundational security that doesn't demand an application redesign.
Cloudy thought: if you’re already patching, scanning, and segmenting, boot security is the missing leg on the stool.
So… what do I need?
- Support matrix: Make sure your VM size and image support Trusted Launch.
- Backups: Take a fresh recovery point (snapshot or backup) before you touch anything. Azure Backup protects Trusted Launch VMs only under the Enhanced policy, so move the VM off a Standard policy if it is still on one.
- ASR: If Azure Site Recovery is enabled, plan to disable it pre-upgrade and re-enable post-validation.
- (Gen1 only) Disk layout: Convert the OS disk from MBR to GPT and add an EFI system partition. Windows ships MBR2GPT.exe for this (run it from the booted OS with /allowFullOS); on Linux, verify the disk is GPT with an ESP before you switch.
- Encryption: Suspend BitLocker/guest encryption if needed; resume after validation.
- Change window: You’ll deallocate and restart the VM—plan a small outage.
- Rollback reality: The Gen1 → UEFI/GPT conversion is one-way. Your rollback is the recovery point you took, not a toggle in the portal.
Upgrade paths
PowerShell
Connect-AzAccount -Subscription <your-subscription-id>
# (Gen1 only) Inside the RUNNING guest, before you deallocate:
# convert the OS disk MBR → GPT and add an EFI system partition.
# Windows: mbr2gpt /validate /disk:0 /allowFullOS   then   mbr2gpt /convert /disk:0 /allowFullOS
# Deallocate before we change security settings (Stop-AzVM deallocates unless -StayProvisioned is given)
Stop-AzVM -ResourceGroupName <rg> -Name <vmName> -Force
# Update the security profile. Update-AzVM takes the Trusted Launch settings directly, which also
# avoids writing into $vm.SecurityProfile when a Gen1/Standard VM has no profile object yet.
$vm = Get-AzVM -ResourceGroupName <rg> -Name <vmName>
Update-AzVM -ResourceGroupName <rg> -VM $vm -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true
# Power back on
Start-AzVM -ResourceGroupName <rg> -Name <vmName>
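The PowerShell path above as one script, with the checklist's preflight items folded in so the switch refuses to run on an unsupported size or an unconverted Gen1 disk. This is an added example written for this post, not the client's script and not Microsoft's upgrade tooling. It assumes Az.Accounts and Az.Compute are installed and you already ran Connect-AzAccount, that the VM uses a managed OS disk, and that sizes which cannot host Trusted Launch expose the SKU capability TrustedLaunchDisabled=True (the capability name is my assumption about the SKU API). The $rg, $vmName and -ConvertGen1Disk names are this example's own; the Gen1 branch drives MBR2GPT through Run Command and covers Windows guests only.

```powershell
# Added example for this post (not the client's or Microsoft's script): upgrade one VM to
# Trusted Launch with preflight checks. Needs Az.Accounts + Az.Compute and an existing
# Connect-AzAccount session. $rg / $vmName are placeholders you supply.
param(
    [Parameter(Mandatory)][string]$rg,
    [Parameter(Mandatory)][string]$vmName,
    [switch]$ConvertGen1Disk   # run MBR2GPT inside a Windows Gen1 guest via Run Command first
)
$ErrorActionPreference = 'Stop'

$vm   = Get-AzVM -ResourceGroupName $rg -Name $vmName
$disk = Get-AzDisk -ResourceGroupName $rg -DiskName $vm.StorageProfile.OsDisk.Name

if ($vm.SecurityProfile -and $vm.SecurityProfile.SecurityType -eq 'TrustedLaunch') {
    Write-Host "$vmName is already Trusted Launch; nothing to do."
    return
}

# 1. Size support. Assumption: unsupported sizes carry the SKU capability TrustedLaunchDisabled=True.
$sku = Get-AzComputeResourceSku -Location $vm.Location |
    Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $vm.HardwareProfile.VmSize }
$blocked = $sku.Capabilities | Where-Object { $_.Name -eq 'TrustedLaunchDisabled' -and $_.Value -eq 'True' }
if ($blocked) { throw "Size $($vm.HardwareProfile.VmSize) cannot host Trusted Launch; resize first." }

# 2. Generation. A V1 OS disk means a Gen1 VM: the guest must be GPT + EFI before the switch.
if ($disk.HyperVGeneration -eq 'V1') {
    if (-not $ConvertGen1Disk) {
        throw "Gen1 VM: convert the OS disk with MBR2GPT first, or re-run with -ConvertGen1Disk."
    }
    if ($disk.OsType -ne 'Windows') {
        throw "Automated conversion here covers Windows guests only; convert Linux disks by hand."
    }
    $power = (Get-AzVM -ResourceGroupName $rg -Name $vmName -Status).Statuses |
        Where-Object { $_.Code -like 'PowerState/*' }
    if ($power.Code -ne 'PowerState/running') {
        throw "The guest must be running for MBR2GPT; start it and re-run."
    }
    # /allowFullOS is required when MBR2GPT runs from the booted OS instead of WinPE.
    # Do not reboot between /convert and the security-type switch: BIOS will not boot a GPT disk.
    $guestScript = @'
mbr2gpt /validate /disk:0 /allowFullOS
if ($LASTEXITCODE -ne 0) { throw "MBR2GPT validation failed ($LASTEXITCODE)" }
mbr2gpt /convert /disk:0 /allowFullOS
if ($LASTEXITCODE -ne 0) { throw "MBR2GPT conversion failed ($LASTEXITCODE)" }
'@
    $run = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
        -CommandId 'RunPowerShellScript' -ScriptString $guestScript
    $run.Value | ForEach-Object { if ($_.Message) { Write-Host $_.Message } }
    $stderr = ($run.Value | Where-Object { $_.Code -like '*StdErr*' }).Message
    if ($stderr) { throw "Guest reported an error during MBR2GPT; do not continue:`n$stderr" }
}

# 3. Things the API cannot check for you: a fresh recovery point, ASR disabled, BitLocker suspended.
Write-Warning "Confirm a recovery point exists and ASR/BitLocker are suspended before continuing."

# 4. Deallocate (Stop-AzVM deallocates unless -StayProvisioned is given), switch, start.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -SecurityType TrustedLaunch `
    -EnableSecureBoot $true -EnableVtpm $true | Out-Null
Start-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null

# 5. Validate from the control plane before handing the box back to ASR/Backup.
$vm   = Get-AzVM -ResourceGroupName $rg -Name $vmName
$uefi = $vm.SecurityProfile.UefiSettings
if ($vm.SecurityProfile.SecurityType -ne 'TrustedLaunch' -or -not $uefi.SecureBootEnabled -or -not $uefi.VTpmEnabled) {
    throw "Security profile not applied as expected: $($vm.SecurityProfile | ConvertTo-Json -Depth 3)"
}
Write-Host "$vmName is now Trusted Launch (SecureBoot=$($uefi.SecureBootEnabled), vTPM=$($uefi.VTpmEnabled))."
```

Run it once without -ConvertGen1Disk on a Gen1 VM and it stops at step 2, which is the point: the size and generation checks fail loudly before anything is deallocated, and the MBR2GPT step only happens when you ask for it explicitly. Wrap the script in a foreach over Get-AzVM output to walk an entire resource group.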
Azure CLI
az login
# (Gen1) Convert MBR → GPT + add EFI inside the guest while it is still running, then:
az vm deallocate --resource-group <rg> --name <vmName>
az vm update \
  --resource-group <rg> --name <vmName> \
  --security-type TrustedLaunch \
  --enable-secure-boot true \
  --enable-vtpm true
az vm start --resource-group <rg> --name <vmName>
Azure Portal (fastest for Gen2)
- Deallocate the VM
- Configuration → Security type: choose Trusted launch
- Enable Secure Boot and vTPM
- Save and start
ARM/Bicep (great for Scale Sets and repeatability)
The fragment below is ARM JSON; the Bicep form uses the same three properties under securityProfile of the VM or scale set resource. Either way the imageReference must be a Gen2 SKU, because Trusted Launch only deploys from Gen2 images.
"securityProfile": {
"securityType": "TrustedLaunch",
"uefiSettings": {
"secureBootEnabled": true,
"vTpmEnabled": true
}
}
Validate & post-steps
- RDP/SSH works, apps start cleanly.
- VM shows securityProfile.securityType=TrustedLaunch, secureBootEnabled=true, vTpmEnabled=true.
- Re-enable ASR and ensure Backup protection is healthy (Enhanced policy).
- Resume BitLocker/guest encryption as appropriate.
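The control-plane flags say what Azure configured; the guest says what actually booted. Here is an added example (not from the original post) to run elevated inside an upgraded Windows guest. It assumes Windows Server 2019+ with the in-box Storage, SecureBoot, TrustedPlatformModule and BitLocker modules; the function name Test-TrustedLaunchGuest is this example's own.

```powershell
# Added example, not part of the original post. Run elevated inside the upgraded Windows guest.
# Confirms what the portal cannot: the OS really booted via UEFI with Secure Boot and a vTPM.
function Test-TrustedLaunchGuest {
    [CmdletBinding()]
    param()
    $r = [ordered]@{}

    # How this OS instance was booted: 'UEFI' after the switch, 'Legacy' on a Gen1/BIOS VM.
    $r.FirmwareType = $env:firmware_type

    # OS disk must be GPT and carry an EFI System Partition (GPT type GUID c12a7328-...).
    $sysLetter = $env:SystemDrive.TrimEnd(':')
    $osDisk = Get-Partition -DriveLetter $sysLetter | Get-Disk
    $r.PartitionStyle  = $osDisk.PartitionStyle
    $r.HasEfiPartition = [bool](Get-Partition -DiskNumber $osDisk.Number |
        Where-Object { $_.GptType -eq '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' })

    # Secure Boot as reported by firmware. The cmdlet throws on legacy BIOS, so treat that as off.
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = $false }

    # vTPM presence and readiness.
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady

    # BitLocker: if protection was suspended for the change window, this is where you notice it is still off.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($bl) { $r.BitLockerProtection = $bl.ProtectionStatus }

    $r.Healthy = ($r.FirmwareType -eq 'UEFI') -and ($r.PartitionStyle -eq 'GPT') -and
                 $r.HasEfiPartition -and $r.SecureBoot -and $r.TpmPresent
    [pscustomobject]$r
}

$state = Test-TrustedLaunchGuest
$state | Format-List
if (-not $state.Healthy) {
    Write-Error "Guest is not running as a Trusted Launch VM; check the fields above."
} elseif ($state.BitLockerProtection -eq 'Off') {
    Write-Warning "BitLocker protection is still suspended; resume it (Resume-BitLocker -MountPoint $env:SystemDrive)."
}
```

A Gen1 VM run through this before the switch reports FirmwareType=Legacy and SecureBoot=False, which is a handy before/after pair to attach to the change ticket.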
Pro-tip: Capture a new image/SIG version with Trusted Launch baked in so future deployments start secure.
Troubleshooting quick hits
- Boot failure after MBR→GPT: Confirm EFI system partition exists and UEFI boot entry is present.
- Can’t toggle in Portal: Deallocate first; verify size/image support; check policy/locks.
- ASR/Backup gripes: Re-protect after upgrade; Enhanced policy for Backup.
- Linux + Secure Boot: Ensure the distro's shim and kernel are signed for UEFI Secure Boot; unsigned third-party kernel modules will refuse to load once Secure Boot is on.
May your clouds stay fluffy and secure. If this helped, share it with your team—your future self will thank you.