Azure Virtual Desktop Service gets reliable launch protections –


Azure Virtual Desktop Service gets reliable launch protections

Microsoft on Friday announced Azure Virtual Desktop support for virtual machines with “Trusted Launch” protections.

Trusted Launch support for Azure virtual machines has reached “general availability” (retail version) November 2, but Microsoft is now “officially” announcing support for Trusted Launch for its Azure Virtual Desktop service. The Azure Virtual Desktop service (formerly known as “Windows Virtual Desktop”) is Microsoft’s virtual desktop infrastructure service that enables organizations to remotely access applications and desktops from Microsoft’s servers.

Reliable launch guards
Trusted Launch is Microsoft’s term for technologies that add boot-level protections to the operating system to block malware, called bootkits. Firmware, driver, and kernel rootkits that may be present are also blocked.

Specifically, Trusted Launch users benefit from Virtual Trusted Platform Module (vTPM) and Secure Boot assurances, as well as virtualization-based security protections.

Secure Boot establishes a “root of trust” for software on virtual machines and “works to ensure that only operating systems and signed drivers can boot,” according to Microsoft “Trusted Launch for Azure Virtual Machines” document.

The vTPM element in Trusted Launch has been described as conforming to the TPM 2.0 chip specification. It keeps the security keys separate from the virtual machine. A cloud-based service is used to certify the boot chain, the Microsoft document explains:

Secure launch uses vTPM to perform remote cloud attestation. This is used for platform health checks and for making decisions based on trust. As a health check, Trusted Launch can cryptographically certify that your virtual machine has started correctly.

The third component of Trusted Launch is virtualization-based security, which creates a “secure and isolated region of memory” to run security solutions. It enables the Hypervisor Code Integrity security solution, which is used to protect the Windows kernel against code injection and the execution of unsigned files. It also enables Windows Defender Credential Guard, which “isolates and protects secrets so that only privileged system software can access them,” the document explains.

Trusted Launch Limitations
Trusted Launch for Azure Virtual Desktop includes support for Windows systems and multiple Linux systems. However, a big problem for current users of the Azure Virtual Desktop service is that using Trusted Launch is also dependent on usage. Generation 2 Azure virtual machines. In addition, these virtual machines must be newly created to benefit from Trusted Launch protections.

Here is Microsoft’s warning to this effect, according to the document:

Safe launch requires the creation of new virtual machines. You cannot enable Secure Launch on existing virtual machines that were originally created without it.

The document also listed some other limitations for Trusted Launch. This requires the use of certain sizes of Azure VMs. It also does not currently work with the Azure Site Recovery service. You cannot use nested virtualization with. Azure Dedicated Host is not supported, and more.

Microsoft is also touting the use of the Microsoft Defender for Cloud service with Trusted Launch, as these users receive alerts when Trusted Launch-protected issues arise. However, Microsoft noted that these “alerts are only available in the Standard level Azure Defender for the Cloud. ”

Microsoft Defender for Cloud is a recently renamed product. It is a combination of Azure Security Center and Azure Defender products.

About the Author

Kurt Mackie is Senior News Producer for 1105 Media’s Converge360 Group.

About Jon Moses

Check Also

Intel promises “substantial contributions” to the growth of RISC-V • The Register

Analysis Here’s something that would have seemed odd just a few years ago: to help …