Merge pull request #281750 from AjKundnani/main

v-shils · web-flow · commit 5346307885f7 · 2024-07-24T11:59:58.000-07:00
Updated content per requirement
diff --git a/articles/virtual-machines/trusted-launch-existing-vm.md b/articles/virtual-machines/trusted-launch-existing-vm.md
@@ -1,6 +1,6 @@
 ---
-title: Enable Trusted Launch on existing VMs
-description: Learn how to enable Trusted Launch on existing Azure virtual machines (VMs).
+title: Enable Trusted launch on existing VMs
+description: Learn how to enable Trusted launch on existing Azure virtual machines (VMs).
 author: AjKundnani
 ms.author: ajkundna
 ms.reviewer: cynthn
@@ -11,42 +11,43 @@ ms.date: 08/13/2023
 ms.custom: template-how-to, devx-track-azurepowershell
 ---
 
-# Enable Trusted Launch on existing Azure VMs
+# Enable Trusted launch on existing Azure VMs
 
 **Applies to:** :heavy_check_mark: Linux VM :heavy_check_mark: Windows VM :heavy_check_mark: Generation 2 VM
 
-Azure Virtual Machines supports enabling Azure Trusted Launch on existing [Azure Generation 2](generation-2.md) virtual machines (VMs) by upgrading to the [Trusted Launch](trusted-launch.md) security type.
+Azure Virtual Machines supports enabling Azure Trusted launch on existing [Azure Generation 2](generation-2.md) virtual machines (VMs) by upgrading to the [Trusted launch](trusted-launch.md) security type.
 
-[Trusted Launch](trusted-launch.md) is a way to enable foundational compute security on [Azure Generation 2 VMs](generation-2.md) VMs and protects against advanced and persistent attack techniques like boot kits and rootkits. It does so by combining infrastructure technologies like Secure Boot, virtual Trusted Platform Module (vTPM), and boot integrity monitoring on your VM.
+[Trusted launch](trusted-launch.md) is a way to enable foundational compute security on [Azure Generation 2 VMs](generation-2.md) VMs and protects against advanced and persistent attack techniques like boot kits and rootkits. It does so by combining infrastructure technologies like Secure Boot, virtual Trusted Platform Module (vTPM), and boot integrity monitoring on your VM.
 
 > [!IMPORTANT]
-> Support for *enabling Trusted Launch on existing Azure Generation 1 VMs* is currently in private preview. You can gain access to preview by using the [registration form](https://aka.ms/Gen1ToTLUpgrade).
+> Support for *enabling Trusted launch on existing Azure Generation 1 VMs* is currently in private preview. You can gain access to preview by using the [registration form](https://aka.ms/Gen1ToTLUpgrade).
 
 ## Prerequisites
 
 - Azure Generation 2 VM is configured with:
-  - [Trusted Launch supported size family](trusted-launch.md#virtual-machines-sizes).
-  - [Trusted Launch supported operating system (OS) image](trusted-launch.md#operating-systems-supported). For custom OS images or disks, the base image should be *Trusted Launch capable*.
-- Azure Generation 2 VM isn't using [features currently not supported with Trusted Launch](trusted-launch.md#unsupported-features).
-- Azure Generation 2 VMs should be *stopped and deallocated* before you enable the Trusted Launch security type.
-- Azure Backup, if enabled, for VMs should be configured with the [Enhanced Backup policy](../backup/backup-azure-vms-enhanced-policy.md). The Trusted Launch security type can't be enabled for Generation 2 VMs configured with *Standard policy* backup protection.
+  - [Trusted launch supported size family](trusted-launch.md#virtual-machines-sizes).
+  - [Trusted launch supported operating system (OS) image](trusted-launch.md#operating-systems-supported). For custom OS images or disks, the base image should be *Trusted launch capable*.
+- Azure Generation 2 VM isn't using [features currently not supported with Trusted launch](trusted-launch.md#unsupported-features).
+- Azure Generation 2 VMs should be *stopped and deallocated* before you enable the Trusted launch security type.
+- Azure Backup, if enabled, for VMs should be configured with the [Enhanced Backup policy](../backup/backup-azure-vms-enhanced-policy.md). The Trusted launch security type can't be enabled for Generation 2 VMs configured with *Standard policy* backup protection.
   - Existing Azure VM backup can be migrated from the *Standard* to the *Enhanced* policy. Follow the steps in [Migrate Azure VM backups from Standard to Enhanced policy (preview)](../backup/backup-azure-vm-migrate-enhanced-policy.md).
 
 ## Best practices
-- Enable Trusted Launch on a test Generation 2 VM and determine if any changes are required to meet the prerequisites before you enable Trusted Launch on Generation 2 VMs associated with production workloads.
-- [Create restore points](create-restore-points.md) for Azure Generation 2 VMs associated with production workloads before you enable the Trusted Launch security type. You can use the restore points to re-create the disks and Generation 2 VM with the previous well-known state.
 
-## Enable Trusted Launch on an existing VM
+- Enable Trusted launch on a test Generation 2 VM and determine if any changes are required to meet the prerequisites before you enable Trusted launch on Generation 2 VMs associated with production workloads.
+- [Create restore points](create-restore-points.md) for Azure Generation 2 VMs associated with production workloads before you enable the Trusted launch security type. You can use the restore points to re-create the disks and Generation 2 VM with the previous well-known state.
+
+## Enable Trusted launch on an existing VM
 
 > [!NOTE]
 >
-> - After you enable Trusted Launch, currently VMs can't be rolled back to the Standard security type (non-Trusted Launch configuration).
+> - After you enable Trusted launch, currently VMs can't be rolled back to the Standard security type (non-Trusted launch configuration).
 > - vTPM is enabled by default.
 > - We recommend that you enable Secure Boot, if you aren't using custom unsigned kernel or drivers. It's not enabled by default. Secure Boot preserves boot integrity and enables foundational security for VMs.
 
 ### [Portal](#tab/portal)
 
-Enable Trusted Launch on an existing Azure Generation 2 VM by using the Azure portal.
+Enable Trusted launch on an existing Azure Generation 2 VM by using the Azure portal.
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. Confirm that the VM generation is **V2** and select **Stop** for the VM.
@@ -65,19 +66,19 @@ Enable Trusted Launch on an existing Azure Generation 2 VM by using the Azure po
 
     > [!NOTE]
     >
-    > - Generation 2 VMs created by using [Azure Compute Gallery (ACG)](azure-compute-gallery.md), [Managed image](capture-image-resource.yml), or an [OS disk](./scripts/create-vm-from-managed-os-disks.md) can't be upgraded to Trusted Launch by using the portal. Ensure that the [OS version is supported for Trusted Launch](trusted-launch.md#operating-systems-supported). Use PowerShell, the Azure CLI, or an Azure Resource Manager template (ARM template) to run the upgrade.
+    > - Generation 2 VMs created by using [Azure Compute Gallery (ACG)](azure-compute-gallery.md), [Managed image](capture-image-resource.yml), or an [OS disk](./scripts/create-vm-from-managed-os-disks.md) can't be upgraded to Trusted launch by using the portal. Ensure that the [OS version is supported for Trusted launch](trusted-launch.md#operating-systems-supported). Use PowerShell, the Azure CLI, or an Azure Resource Manager template (ARM template) to run the upgrade.
 
     :::image type="content" source="./media/trusted-launch/05-generation-2-to-trusted-launch-select-uefi-settings.png" alt-text="Screenshot that shows the Secure Boot and vTPM settings.":::
 
 1. After the update successfully finishes, close the **Configuration** page. On the **Overview** page in the VM properties, confirm the **Security type** settings.
 
-    :::image type="content" source="./media/trusted-launch/06-generation-2-to-trusted-launch-validate-uefi.png" alt-text="Screenshot that shows the Trusted Launch upgraded VM.":::
+    :::image type="content" source="./media/trusted-launch/06-generation-2-to-trusted-launch-validate-uefi.png" alt-text="Screenshot that shows the Trusted launch upgraded VM.":::
 
-1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either the Remote Desktop Protocol (RDP) for Windows VMs or the Secure Shell Protocol (SSH) for Linux VMs.
+1. Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either the Remote Desktop Protocol (RDP) for Windows VMs or the Secure Shell Protocol (SSH) for Linux VMs.
 
 ### [CLI](#tab/cli)
 
-Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using the Azure CLI.
+Follow the steps to enable Trusted launch on an existing Azure Generation 2 VM by using the Azure CLI.
 
 Make sure that you install the latest [Azure CLI](/cli/azure/install-az-cli2) and are signed in to an Azure account with [az login](/cli/azure/reference-index).
 
@@ -89,16 +90,16 @@ Make sure that you install the latest [Azure CLI](/cli/azure/install-az-cli2) an
     az account set --subscription 00000000-0000-0000-0000-000000000000
     ```
 
-1. Deallocate the VM.
+2. Deallocate the VM.
 
-1. Enable Trusted Launch by setting `--security-type` to `TrustedLaunch`.
+3. Enable Trusted launch by setting `--security-type` to `TrustedLaunch`.
 
     ```azurecli-interactive
     az vm deallocate \
         --resource-group myResourceGroup --name myVm
     ```
 
-1. Validate the output of the previous command. Ensure that the `securityProfile` configuration is returned with the command output.
+4. Validate the output of the previous command. Ensure that the `securityProfile` configuration is returned with the command output.
 
     ```azurecli-interactive
     az vm update \
@@ -107,7 +108,7 @@ Make sure that you install the latest [Azure CLI](/cli/azure/install-az-cli2) an
         --enable-secure-boot true --enable-vtpm true
     ```
 
-1. Validate the output of the previous command. Ensure that the `securityProfile` configuration is returned with the command output.
+5. Validate the output of the previous command. Ensure that the `securityProfile` configuration is returned with the command output.
 
     ```json
     {
@@ -121,18 +122,18 @@ Make sure that you install the latest [Azure CLI](/cli/azure/install-az-cli2) an
     }
     ```
 
-1. Start the VM.
+6. Start the VM.
 
     ```azurecli-interactive
     az vm start \
         --resource-group myResourceGroup --name myVm
     ```
 
-1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
+7. Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
 
 ### [PowerShell](#tab/powershell)
 
-Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using Azure PowerShell.
+Follow the steps to enable Trusted launch on an existing Azure Generation 2 VM by using Azure PowerShell.
 
 Make sure that you install the latest [Azure PowerShell](/powershell/azure/install-azps-windows) and are signed in to an Azure account with [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount).
 
@@ -142,21 +143,21 @@ Make sure that you install the latest [Azure PowerShell](/powershell/azure/insta
     Connect-AzAccount -SubscriptionId 00000000-0000-0000-0000-000000000000
     ```
 
-1. Deallocate the VM.
+2. Deallocate the VM.
 
     ```azurepowershell-interactive
     Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm
     ```
 
-1. Enable Trusted Launch by setting `-SecurityType` to `TrustedLaunch`.
+3. Enable Trusted launch by setting `-SecurityType` to `TrustedLaunch`.
 
     ```azurepowershell-interactive
     Get-AzVM -ResourceGroupName myResourceGroup -VMName myVm `
         | Update-AzVM -SecurityType TrustedLaunch `
             -EnableSecureBoot $true -EnableVtpm $true
     ```
 
-1. Validate `securityProfile` in the updated VM configuration.
+4. Validate `securityProfile` in the updated VM configuration.
 
     ```azurepowershell-interactive
     # Following command output should be `TrustedLaunch`
@@ -172,20 +173,17 @@ Make sure that you install the latest [Azure PowerShell](/powershell/azure/insta
     
     ```
 
-1. Start the VM.
+5. Start the VM.
 
     ```azurepowershell-interactive
     Start-AzVM -ResourceGroupName myResourceGroup -Name myVm
     ```
 
-1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
-
->[!NOTE]
-> Make sure to change the `-SecurityType` to `TrustedLaunch`, for all deployment scripts this will ensure when virtual machines are provisioned, they will be automatically Trusted Launch. 
+6. Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
 
 ### [Template](#tab/template)
 
-Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using an ARM template.
+Follow the steps to enable Trusted launch on an existing Azure Generation 2 VM by using an ARM template.
 
 [!INCLUDE [About Azure Resource Manager](~/reusable-content/ce-skilling/azure/includes/resource-manager-quickstart-introduction.md)]
 
@@ -234,7 +232,7 @@ Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM b
     }
     ```
 
-1. Edit the `parameters` JSON file with VMs to be updated with the `TrustedLaunch` security type.
+2. Edit the `parameters` JSON file with VMs to be updated with the `TrustedLaunch` security type.
 
     ```json
     {
@@ -267,15 +265,15 @@ Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM b
     -|-|-
     vmName    |    Name of Azure Generation 2 VM.    |    `myVm`
     location    |    Location of Azure Generation 2 VM.    |    `westus3`
-    secureBootEnabled    |    Enable Secure Boot with the Trusted Launch security type.    |    `true`
+    secureBootEnabled    |    Enable Secure Boot with the Trusted launch security type.    |    `true`
 
-1. Deallocate all Azure Generation 2 VMs to be updated.
+3. Deallocate all Azure Generation 2 VMs to be updated.
 
     ```azurepowershell-interactive
     Stop-AzVM -ResourceGroupName myResourceGroup -Name myVm01
     ```
 
-1. Run the ARM template deployment.
+4. Run the ARM template deployment.
 
     ```azurepowershell-interactive
     $resourceGroupName = "myResourceGroup"
@@ -287,28 +285,28 @@ Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM b
         -TemplateFile $templateFile -TemplateParameterFile $parameterFile
     ```
 
-   :::image type="content" source="./media/trusted-launch/generation-2-trusted-launch-settings.png" alt-text="Screenshot that shows the Trusted Launch properties of the VM.":::
+   :::image type="content" source="./media/trusted-launch/generation-2-trusted-launch-settings.png" alt-text="Screenshot that shows the Trusted launch properties of the VM.":::
 
-    :::image type="content" source="./media/trusted-launch/generation-2-trusted-launch-settings.png" alt-text="Screenshot that shows the Trusted Launch properties of the VM.":::
+    :::image type="content" source="./media/trusted-launch/generation-2-trusted-launch-settings.png" alt-text="Screenshot that shows the Trusted launch properties of the VM.":::
 
-1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
+5. Start the upgraded Trusted launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).
 
 ---
 
 ## Azure Advisor Recommendation
 
-Azure Advisor populates an **Enable Trusted Launch Compatible Images and VM Sizes for Existing Generation 2 VMs** operational excellence recommendation for existing Generation 2 VMs to adopt [Trusted Launch](trusted-launch.md), a higher security posture for Azure VMs at no additional cost to you. Ensure Generation 2 VM has all prerequisites to migrate to Trusted Launch, follow all the best practices including validation of OS image, VM Size, and creating restore points. For the Advisor recommendation to be considered complete, follow the steps outlined in the [**Enable Trusted Launch on an existing VM**](trusted-launch-existing-vm.md) to upgrade the virtual machines security type and enable Trusted Launch. 
+Azure Advisor populates an **Enable Trusted launch foundational excellence, and modern security for Existing Generation 2 VM(s)** operational excellence recommendation for existing Generation 2 VMs to adopt [Trusted launch](trusted-launch.md), a higher security posture for Azure VMs at no additional cost to you. Ensure Generation 2 VM has all prerequisites to migrate to Trusted launch, follow all the best practices including validation of OS image, VM Size, and creating restore points. For the Advisor recommendation to be considered complete, follow the steps outlined in the [**Enable Trusted launch on an existing VM**](trusted-launch-existing-vm.md#enable-trusted-launch-on-an-existing-vm) to upgrade the virtual machines security type and enable Trusted launch.
 
-### What if there is Generation 2 VMs, that doesn't fit the prerequistes for Trusted Launch ? 
+**What if there is Generation 2 VMs, that doesn't fit the prerequisites for Trusted launch?**
 
-For a Generation 2 VM, that has not met the prerequistes to upgrade to Trusted Launch, look how to fulfill the prerequistes. 
-1. If using an OS image not supported, upgrade to Trusted Launch|Gen2 image, most Windows OS support Trusted Launch except Windows 2012 Datacenter offerings. In the case of Linux OS, upgrade to the newest SKU offered by the image distribution. 
-2. If using a virtual machine size not supported, please look for an [equivalant Trusted Launch supported size](/sizes/resize-vm.md) that supports Trusted Launch.
+For a Generation 2 VM, that has not met the [prerequisites](#prerequisites) to upgrade to Trusted launch, look how to fulfill the prerequisites. For example, If using a virtual machine size not supported, please look for an [equivalent Trusted launch supported size](trusted-launch.md#virtual-machines-sizes) that supports Trusted launch.
 
 > [!NOTE]
-> For M-series and ARM64 virtual machine users, please dismiss the recommendation for all resources. 
+>
+> Please dismiss the recommendation if Gen2 virtual machine is configured with VM size families which are currently not supported with Trusted launch like MSv2-series.
 
 ## Related content
 
+- Enable Trusted launch for new virtual machine deployments. For more details, see [Deploy Trusted launch virtual machines](trusted-launch-portal.md)
 - After the upgrades, we recommend that you enable [boot integrity monitoring](trusted-launch.md#microsoft-defender-for-cloud-integration) to monitor the health of the VM by using Microsoft Defender for Cloud.
-- Learn more about [Trusted Launch](trusted-launch.md) and review [frequently asked questions](trusted-launch-faq.md).
+- Learn more about [Trusted launch](trusted-launch.md) and review [frequently asked questions](trusted-launch-faq.md).
