Microsoft has revealed that its Azure IaaS platform now offers a free virtual trusted platform module.
Dubbed “Azure Trusted Launch for virtual machines” and launched as a preview on March 8th, Microsoft’s CTO for Azure Mark Russinovich said the new offering “allows administrators to deploy virtual machines with verified and signed bootloaders, OS kernels, and a boot policy that leverages the Trusted Launch Virtual Trusted Platform Module (vTPM) to measure and attest to whether the boot was compromised.”
All of which is pretty familiar stuff on-prem, as TPM has been around for over a decade and is just about standard issue on modern servers. Google brought virtual TPM to its cloud in mid-2018 and made it the default server configuration in April 2020.
Microsoft introduced it to make life hard for bootkits, rootkits, and other nasties that try to compromise a server during its boot process rather than having a crack at the running operating system.
For now, only freshly-created VMs can use Trusted Launch. Microsoft’s product documentation says it is targeting general availability of the service to make it applicable to existing VMs.
If the service detects suspicious activity during boot, users will see a medium-severity alert in the standard tier of Azure Security Center.
The service is not for everyone: the HBv3, Lsv2-series, M-series, Mv2-series, NDv4-series and NVv4-series VMs can’t put it to work. You’ll also need to be running one of RHEL 8.3, SUSE 15 SP2, Ubuntu 20.04 or 18.04 LTS, Windows Server 2019 or 2016, or Windows 10 Pro or Enterprise to take advantage of the new security feature.
The Register fancies that the inclusion of the desktop OSes will make it more practical to use BitLocker in virtual desktops. ®