Azure Site Recovery Now Supports Trusted Launch VMs – Here’s What You Need to Know

Introduction

As organizations strive to enhance their cloud security posture, Trusted Launch for Azure virtual machines (VMs) has become an essential part of their virtual infrastructure. Trusted Launch protects against rootkits, bootkits, and other sophisticated malware by enabling Secure Boot, vTPM (virtual Trusted Platform Module), and measured boot for Gen2 VMs. Until recently, however, customers faced a significant limitation: Trusted Launch VMs were not compatible with Azure Site Recovery (ASR), Microsoft's built-in disaster recovery solution.

That limitation is now a thing of the past.

With recent platform updates, Microsoft has announced general availability of Azure Site Recovery support for Trusted Launch VMs. Organizations can now both harden their virtual machines and cover them with a robust business continuity plan. Let's break down what this means, how it works, and what you need to consider.

What is Trusted Launch?

Trusted Launch is a security enhancement for Gen2 Azure VMs that adds multiple hardware-based protections during the boot process, ensuring that the VM starts in a known secure state. It includes:

  • Secure Boot: Prevents unauthorized firmware and software from loading during the boot process.
  • vTPM (virtual Trusted Platform Module): Provides an isolated store for cryptographic keys and boot measurements, and supports disk volume encryption.
  • Measured Boot: Logs a measurement of every boot component, allowing you to detect tampering with the boot chain.

Together, these features help harden your VMs against kernel-level malware and other boot-time attacks.

Azure Site Recovery + Trusted Launch: A Big Step Forward

Previously, when customers tried to enable ASR on Trusted Launch VMs, they encountered errors and compatibility roadblocks. This was a major challenge for enterprises wanting both high security and high availability.

As of now, Azure Site Recovery fully supports replication, failover, and failback for both Windows and Linux Trusted Launch VMs under specific conditions. This means you can now enjoy the benefits of advanced security features without sacrificing disaster recovery capabilities.

Supported Scenarios and Requirements

Supported VM Types

  1. Windows Trusted Launch VMs
    • Fully supported across all Azure regions where ASR is available.
    • Works with Secure Boot and vTPM enabled.
    • Compatible with shared disk configurations and private endpoint vaults.
  2. Linux Trusted Launch VMs
    • Supported only for VMs created on or after April 1, 2024.
    • Requires Gen2 Linux images configured for Secure Boot and vTPM.
    • Supported distributions include:
      • Ubuntu: 18.04, 20.04, 22.04, 24.04
      • RHEL: 8.3 through 9.5
      • SUSE Linux Enterprise Server (SLES): 15 SP3 to SP6
      • AlmaLinux: 8.10 to 9.5
      • Debian: 12
    • SUSE kernels must be version 5.3.18 or later.
    • Shared disks are currently not supported on Linux TL VMs.

Key Considerations Before You Enable Replication

  1. VM Generation: Your VM must be a Gen2 VM, as Trusted Launch is only available for Gen2.
  2. OS Disk Type: Managed OS disks are required.
  3. vTPM and Secure Boot must be explicitly enabled on the VM for it to be considered “Trusted.”
  4. Linux VM Date Check: Only Linux VMs created on or after April 1, 2024 are eligible for ASR with Trusted Launch.
  5. Boot Integrity Monitoring is not replicated. After failover, you must manually re-enable this setting on the target VM.
  6. Pre-Migration Conversion: If you’re converting an existing non-TL VM to Trusted Launch, you must disable replication, perform the conversion, then re-enable ASR.
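As an added example (not from the original post and not Microsoft tooling), the Python below turns the checklist above into a pre-flight check over the JSON that `az vm show` returns, together with the instance view's hyperVGeneration value; the field names it reads (securityProfile.uefiSettings, storageProfile.osDisk.managedDisk, timeCreated, and the Guest Attestation extension's publisher/type used for Boot Integrity Monitoring) are assumptions to verify against your own output. The second function covers item 5: confirming Boot Integrity Monitoring is present on the failed-over VM.

```python
from datetime import datetime, timezone

# Cut-off from the post: Linux Trusted Launch VMs must be created on or after this date.
LINUX_CUTOFF = datetime(2024, 4, 1, tzinfo=timezone.utc)

def asr_trusted_launch_findings(vm, hyperv_generation):
    """Return blocking findings (empty list = eligible) for ASR on a Trusted Launch VM.
    vm: parsed `az vm show` JSON; hyperv_generation: instanceView.hyperVGeneration
    ("V1"/"V2"). Field names are assumed from the Compute API, not quoted from the post."""
    sec = vm.get("securityProfile") or {}
    uefi = sec.get("uefiSettings") or {}
    os_disk = (vm.get("storageProfile") or {}).get("osDisk") or {}
    checks = [
        (hyperv_generation == "V2", "VM is not Gen2 (Trusted Launch requires Gen2)"),
        (sec.get("securityType") == "TrustedLaunch", "securityType is not TrustedLaunch"),
        (uefi.get("secureBootEnabled") is True, "Secure Boot is not enabled"),
        (uefi.get("vTpmEnabled") is True, "vTPM is not enabled"),
        (bool(os_disk.get("managedDisk")), "OS disk is not a managed disk"),
    ]
    findings = [msg for ok, msg in checks if not ok]
    if os_disk.get("osType") == "Linux":
        created = datetime.fromisoformat(vm["timeCreated"].replace("Z", "+00:00"))
        if created < LINUX_CUTOFF:
            findings.append("Linux VM created before April 1, 2024")
    return findings

def boot_integrity_monitoring_present(vm):
    """True if a Guest Attestation extension is attached (publisher/type names assumed).
    The post says this setting is not replicated, so run it against the failed-over VM."""
    return any(ext.get("typePropertiesType") == "GuestAttestation"
               and str(ext.get("publisher", "")).startswith("Microsoft.Azure.Security.")
               for ext in vm.get("resources", []))

# Constructed samples (not real VMs): a compliant Windows TL VM, and a Linux VM that
# has vTPM disabled and predates the cut-off.
WINDOWS_VM = {
    "securityProfile": {"securityType": "TrustedLaunch",
                        "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}},
    "storageProfile": {"osDisk": {"osType": "Windows", "managedDisk": {"id": "placeholder-disk-id"}}},
    "timeCreated": "2023-11-02T10:00:00Z",
    "resources": [{"publisher": "Microsoft.Azure.Security.WindowsAttestation", "typePropertiesType": "GuestAttestation"}],
}
LINUX_VM = {
    "securityProfile": {"securityType": "TrustedLaunch",
                        "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": False}},
    "storageProfile": {"osDisk": {"osType": "Linux", "managedDisk": {"id": "placeholder-disk-id"}}},
    "timeCreated": "2024-03-15T08:30:00Z", "resources": [],
}
```

Feed it the output of `az vm show --output json` and the hyperVGeneration from `az vm get-instance-view`; any non-empty list is a blocker to fix before enabling replication.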

How ASR Works with Trusted Launch

Step-by-Step Workflow:

  1. Enable Trusted Launch: This can be done during VM creation or by converting existing Gen2 VMs. Secure Boot and vTPM should be enabled.
  2. Enable Replication via ASR:
    • Navigate to Azure Site Recovery and select the Trusted Launch VM.
    • Configure the replication settings, such as target region, replication policy, and storage.
  3. Monitor Health: The ASR dashboard reports replication health and recovery point objective (RPO) status.
  4. Test Failover:
    • You can conduct test failovers to ensure everything operates smoothly in a DR event.
    • Post-failover, re-enable Boot Integrity Monitoring to restore full Trusted Launch protections.
  5. Failback:
    • When the primary region is restored, failback works like any other VM scenario, maintaining disk consistency and ASR history.

Migration Scenarios

You can convert existing Gen2 VMs (non-Trusted) into Trusted Launch VMs, but you need to:

  • Deactivate ASR replication temporarily.
  • Perform the conversion (enable Secure Boot and vTPM).
  • Resume or re-enable ASR replication.

This is necessary because changing the VM configuration, especially its hardware and security profile, while replication is active can break the dependencies ASR has on that configuration.

Limitations and Known Issues

Feature/Scenario                          | Support Level
------------------------------------------|------------------------------------
Azure-to-Azure replication                | ✅ Supported
On-premises-to-Azure replication          | ❌ Not supported yet
Shared Disks on Linux TL VMs              | ❌ Not supported
Private endpoint vaults                   | ✅ Windows only
Boot Integrity Monitoring                 | ❌ Must be re-enabled post-failover
Trusted Launch VMs (pre-April 2024)       | ❌ Not supported for Linux

Conclusion

This update is a game changer for customers who want maximum security and business continuity in their Azure environments. Azure Site Recovery’s support for Trusted Launch VMs eliminates a long-standing gap in Microsoft’s security and disaster recovery stack.

Now, enterprises can confidently protect their mission-critical workloads using Secure Boot, vTPM, and measured boot, all while ensuring cross-region failover capabilities through ASR.

If you’re currently using Trusted Launch VMs, make sure your VMs meet the eligibility criteria and start configuring replication with ASR today. And if you’re not yet on Trusted Launch, now is the perfect time to modernize your virtual infrastructure for both security and resilience.

P.S. Modern AI tool has been used for creating some of the content. Technical validation and proofing are done by the author.
