# VMSS Secure Boot is not enabled

Security · Virtual Machine Scale Set · Rule · 2026_06 · Important

Operating systems or drivers may be maliciously modified or injected if an actor gains access to VM/OS storage or build media.
## Description

Azure Virtual Machine Scale Sets (VMSS) are able to run a wide range of operating systems, including many distributions of Windows and Linux. A malicious actor may attempt to tamper with or inject operating system and driver components to gain access to resources and persist between reboots.

When a VMSS instance is started, Azure is able to verify that:

- The operating system and drivers originate from a trusted source.
- These components are in their original, unaltered state.

Azure performs this verification using the Secure Boot and Trusted Launch features. These features verify the cryptographic signatures of early boot components before they start.
Secure Boot and Trusted Launch are on by default for many configurations. However, if you are running an older configuration these features may need to be enabled.
## Recommendation

Consider enabling Trusted Launch or Confidential VM with Secure Boot for virtual machine scale sets to protect against boot-level attacks.
## Examples

### Configure with Bicep

To deploy virtual machine scale sets that pass this rule:

- Set the `properties.virtualMachineProfile.securityProfile.securityType` property to `TrustedLaunch` or `ConfidentialVM`.
- Set the `properties.virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled` property to `true`.
For example:
```bicep
resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-03-01' = {
  name: name
  location: location
  properties: {
    virtualMachineProfile: {
      securityProfile: {
        securityType: 'TrustedLaunch'
        uefiSettings: {
          secureBootEnabled: true
          vTpmEnabled: true
        }
      }
    }
  }
}
```
### Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
### Configure with Azure template

To deploy virtual machine scale sets that pass this rule:

- Set the `properties.virtualMachineProfile.securityProfile.securityType` property to `TrustedLaunch` or `ConfidentialVM`.
- Set the `properties.virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled` property to `true`.
For example:
```json
{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "virtualMachineProfile": {
      "securityProfile": {
        "securityType": "TrustedLaunch",
        "uefiSettings": {
          "secureBootEnabled": true,
          "vTpmEnabled": true
        }
      }
    }
  }
}
```
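As an added example (not part of PSRule or the original page), the following Python check applies the two conditions above to every VMSS resource in an ARM template, so a template can be screened before deployment. The sample template and its resource names are constructed for illustration.

```python
"""Evaluate VMSS resources in an ARM template for the Secure Boot rule."""
import json

# securityType values the rule accepts (Standard, or no securityProfile at all, fails).
ALLOWED_SECURITY_TYPES = {"TrustedLaunch", "ConfidentialVM"}
VMSS_TYPE = "Microsoft.Compute/virtualMachineScaleSets"


def vmss_secure_boot_enabled(resource: dict) -> bool:
    """Return True only if securityType is Trusted Launch / Confidential VM
    AND uefiSettings.secureBootEnabled is literally true."""
    if resource.get("type") != VMSS_TYPE:
        raise ValueError("not a VMSS resource")
    profile = (resource.get("properties", {})
               .get("virtualMachineProfile", {})
               .get("securityProfile", {}))
    if profile.get("securityType") not in ALLOWED_SECURITY_TYPES:
        return False
    return profile.get("uefiSettings", {}).get("secureBootEnabled") is True


def evaluate_template(template: dict) -> dict:
    """Map each VMSS resource name in the template to its pass/fail result."""
    return {res["name"]: vmss_secure_boot_enabled(res)
            for res in template.get("resources", [])
            if res.get("type") == VMSS_TYPE}


# Constructed sample: one compliant scale set, one left at the default security
# type, and one with Trusted Launch but Secure Boot switched off.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "apiVersion": "2024-03-01",
     "name": "vmss-pass",
     "properties": {"virtualMachineProfile": {"securityProfile": {
        "securityType": "TrustedLaunch",
        "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}}}},
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "apiVersion": "2024-03-01",
     "name": "vmss-standard",
     "properties": {"virtualMachineProfile": {}}},
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "apiVersion": "2024-03-01",
     "name": "vmss-no-secureboot",
     "properties": {"virtualMachineProfile": {"securityProfile": {
        "securityType": "TrustedLaunch",
        "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}}}}}
  ]
}
""")

if __name__ == "__main__":
    for name, ok in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'Pass' if ok else 'Fail'}")
```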
## Notes

Currently there are a few limitations (see the documentation for up-to-date details), including:

- A supported VMSS SKU and operating system is required.
- Secure Boot and Trusted Launch are only supported on Generation 2 VM images.
- Upgrading an existing VMSS is not generally available in all configurations.
- The following VM features aren't supported with Trusted Launch:
  - Managed Image (use an image from an Azure Compute Gallery instead).
  - Linux VM Hibernation.
## Links
- SE:08 Hardening resources
- Security: Level 2
- Trusted Launch for Azure virtual machines
- Enable Trusted launch on existing Uniform scale set
- Azure deployment reference