This check evaluates Azure VMs for Trusted Launch with both Secure Boot and vTPM enabled.
It flags VMs whose security type is not TrustedLaunch, or whose secureBootEnabled and vTpmEnabled settings are not both true.
Risk
Missing Trusted Launch weakens boot-chain integrity. Attackers can persist via bootkits/rootkits, bypass OS controls, steal secrets, and tamper with drivers. Loss of attestation reduces detection, risking integrity, confidentiality, and availability through stealthy, hard-to-remediate compromises.
prowler azure --checks vm_trusted_launch_enabled
Recommendation
Adopt defense in depth: enable Trusted Launch with Secure Boot and vTPM on Gen2 VMs. Standardize on images with signed boot components and use supported sizes/OS. Enforce least privilege for administrators and enable attestation monitoring to prevent and detect boot-level tampering.
Remediation
az vm update --resource-group <RESOURCE_GROUP> --name <VM_NAME> --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true
- In Azure Portal, open the VM and click Stop to deallocate it
- Go to Settings > Configuration
- Under Security type, select Trusted launch
- Check Secure Boot and vTPM
- Click Save
- Start the VM from the Overview page
Source Code
Resource Type
microsoft.compute/virtualmachines