Azure – You can now enable Trusted Launch on Azure Virtual Machines (preview)

As you know, recent physical devices ship with firmware-level security features that protect the operating system's boot chain, such as a TPM chip and Secure Boot.

Unfortunately, until now these features were not available when running virtual machines on Azure.

Good news: it is now possible to turn on these security features on Azure virtual machines. The capability is called Trusted Launch and is currently in preview.

To turn these features on, you need to deploy a Generation 2 (Gen 2) Azure virtual machine; Trusted Launch is not offered for Gen 1 VMs.

The list below details the supported virtual machine SKUs and operating systems across all public regions:

  • Virtual Machine Type (SKU)
    • B-series
    • Dav4-series
    • Dasv4-series
    • DCsv2-series
    • Dv4-series
    • Dsv4-series
    • Dsv3-series
    • Dsv2-series
    • Ddv4-series
    • Ddsv4-series
    • Fsv2-series
    • Eav4-series
    • Easv4-series
    • Ev4-series
    • Esv4-series
    • Esv3-series
    • Edv4-series
    • Edsv4-series
    • Lsv2-series
  • Operating System
    • Red Hat Enterprise Linux 8.3
    • SUSE 15 SP2
    • Ubuntu 20.04 LTS
    • Ubuntu 18.04 LTS
    • Debian 11
    • CentOS 8.4
    • Oracle Linux 8.3
    • Windows Server 2019
    • Windows Server 2016
    • Windows 11 Pro
    • Windows 11 Enterprise
    • Windows 11 Enterprise multi-session
    • Windows 10 Pro
    • Windows 10 Enterprise
    • Windows 10 Enterprise multi-session

Please note that there are additional limitations, at least during the preview. The following services and features are not supported with Trusted Launch virtual machines while the feature is in preview:

  • Backup – this option will not be available during the VM creation process
  • Azure Site Recovery – this option will not be available during the VM creation process
  • Shared Image Gallery
  • Ephemeral OS disk
  • Shared disk
  • Managed image
  • Azure Dedicated Host

When creating the virtual machine, select Trusted launch virtual machines as the Security type. Once selected, two further options become available for configuration: Secure boot (disabled by default) and vTPM (enabled by default). Note that the default gives you a vTPM for measured boot and attestation but no enforcement of bootloader signatures; if you want the boot chain verified rather than only measured, enable Secure boot explicitly.

If you have selected an unsupported VM series or operating system, the portal will notify you.

You can update the configuration (Secure Boot and/or vTPM) after the virtual machine has been created from the Configuration blade of the virtual machine.
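Both steps above (enabling the options at creation time and changing them afterwards) can also be scripted with the Azure CLI, and the result can be verified from inside the guest. The bash script below is an added example, not code from the original post or from Microsoft. The resource group, VM name, image URN and size are placeholders, and the in-guest checks assume a Linux guest where UEFI variables are exposed through efivarfs and the vTPM appears as /dev/tpm0.

```shell
#!/usr/bin/env bash
# Added example: Trusted Launch via Azure CLI plus in-guest verification.
# Not the original post's code. Names, image URN and size are placeholders.
set -eu

# Step 1 (creation): CLI equivalents of the portal options. The portal leaves
# Secure Boot disabled by default, so it is switched on explicitly here. The
# image must be a Gen2 image and the size one of the supported series.
trusted_launch_create_cmd() {
  local rg="$1" name="$2" image="$3" size="$4"
  printf '%s' "az vm create --resource-group $rg --name $name --image $image --size $size --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true"
}

# Step 2 (after creation): toggle the same two settings on an existing
# Trusted Launch VM, matching the Configuration blade in the portal.
trusted_launch_update_cmd() {
  local rg="$1" name="$2" secure_boot="$3" vtpm="$4"
  printf '%s' "az vm update --resource-group $rg --name $name --enable-secure-boot $secure_boot --enable-vtpm $vtpm"
}

# Verification inside a Linux guest. efivarfs exposes each UEFI variable as
# 4 bytes of attribute flags followed by the variable data; for SecureBoot the
# data is a single byte, 1 when Secure Boot is enforced. The path is a
# parameter so the check can also be run against a constructed sample file.
secure_boot_state() {
  local efivar="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  if [ ! -r "$efivar" ]; then
    echo "unavailable"   # no UEFI/efivarfs at all, e.g. a Gen1 VM
    return 0
  fi
  local byte
  byte=$(od -An -tu1 -j4 -N1 "$efivar" | tr -d ' \n')
  if [ "$byte" = "1" ]; then
    echo "enabled"
  else
    echo "disabled"
  fi
}

# The vTPM shows up in the guest as a TPM character device.
vtpm_state() {
  local dev="${1:-/dev/tpm0}"
  if [ -e "$dev" ]; then echo "present"; else echo "absent"; fi
}

# Run the in-guest checks when invoked with --check (not when sourced).
if [ "${1:-}" = "--check" ]; then
  echo "Secure Boot: $(secure_boot_state)"
  echo "vTPM:        $(vtpm_state)"
fi
```

After `az login`, run the generated command with `eval "$(trusted_launch_create_cmd <rg> <vm> <gen2-image-urn> <size>)"`, or print it first to review the flags. Copy the script into the guest and run it with `--check` to confirm that the settings chosen in the portal actually took effect; a Gen 1 VM reports Secure Boot as "unavailable" because it has no UEFI firmware at all.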

A migration path to enable Trusted launch on existing virtual machines will be provided when the feature reaches general availability; during the preview, the option can only be selected when the virtual machine is created.