Commit ea9a370

Merge pull request #274938 from Howie425/patch-14
Update trusted-launch-portal.md
2 parents a51bbeb + fe1983e commit ea9a370

1 file changed

+38
-31
lines changed


articles/virtual-machines/trusted-launch-portal.md

Lines changed: 38 additions & 31 deletions
@@ -1,39 +1,39 @@
11
---
22
title: Deploy a trusted launch VM
33
description: Deploy a VM that uses trusted launch.
4-
author: lakmeedee
4+
author: Howie425
55
ms.author: howieasmerom
66
ms.reviewer: jushiman
77
ms.service: virtual-machines
88
ms.subservice: trusted-launch
99
ms.topic: how-to
10-
ms.date: 11/06/2023
10+
ms.date: 05/21/2024
1111
ms.custom: template-how-to, devx-track-azurecli, devx-track-azurepowershell
1212
---
1313

14-
# Deploy a VM with trusted launch enabled
14+
# Deploy a Virtual Machine with Trusted Launch Enabled
1515

16-
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets
16+
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets.
1717

1818
[Trusted launch](trusted-launch.md) is a way to improve the security of [generation 2](generation-2.md) VMs. Trusted launch protects against advanced and persistent attack techniques by combining infrastructure technologies like vTPM and secure boot.
1919

2020
## Prerequisites
2121

22-
- You need to [onboard your subscription to Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/?&ef_id=CjwKCAjwwsmLBhACEiwANq-tXHeKhV--teH6kIijnBTmP-PgktfvGr5zW9TAx00SR7xsGUc3sTj5sBoCkEoQAvD_BwE:G:s&OCID=AID2200277_SEM_CjwKCAjwwsmLBhACEiwANq-tXHeKhV--teH6kIijnBTmP-PgktfvGr5zW9TAx00SR7xsGUc3sTj5sBoCkEoQAvD_BwE:G:s&gclid=CjwKCAjwwsmLBhACEiwANq-tXHeKhV--teH6kIijnBTmP-PgktfvGr5zW9TAx00SR7xsGUc3sTj5sBoCkEoQAvD_BwE#overview) if it isn't already. Microsoft Defender for Cloud has a free tier, which offers very useful insights for various Azure and Hybrid resources. Trusted launch leverages Defender for Cloud to surface multiple recommendations regarding VM health.
22+
- It's recommended to [onboard your subscription to Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/?&ef_id=CjwKCAjwwsmLBhACEiwANq-tXHeKhV--teH6kIijnBTmP-PgktfvGr5zW9TAx00SR7xsGUc3sTj5sBoCkEoQAvD_BwE:G:s&OCID=AID2200277_SEM_CjwKCAjwwsmLBhACEiwANq-tXHeKhV--teH6kIijnBTmP-PgktfvGr5zW9TAx00SR7xsGUc3sTj5sBoCkEoQAvD_BwE:G:s&gclid=CjwKCAjwwsmLBhACEiwANq-tXHeKhV--teH6kIijnBTmP-PgktfvGr5zW9TAx00SR7xsGUc3sTj5sBoCkEoQAvD_BwE#overview) if it isn't already. Microsoft Defender for Cloud has a free tier, which offers useful insights for various Azure and Hybrid resources. With the absence of MDC, Trusted Launch virtual machine users can't monitor [boot integrity](boot-integrity-monitoring-overview.md) of VM.
2323

24-
- Assign Azure policies initiatives to your subscription. These policy initiatives need to be assigned only once per subscription. This will automatically install all required extensions on all supported VMs.
24+
- Assign Azure policies initiatives to your subscription. These policy initiatives need to be assigned only once per subscription. Policy will help deploy, audit for Trusted Launch Virtual Machines while automatically installing all required extensions on all supported VMs.
25+
- Configure Trusted Launch Virtual Machines [Built In Policy Initiative](trusted-launch-portal.md#trusted-launch-built-in-policies)
2526
- Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs.
26-
2727
- Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines.
2828

29-
- Allow service tag **AzureAttestation** in NSG Outbound rules to allow traffic for Microsoft Azure Attestation. Refer to [Virtual network service tags](../virtual-network/service-tags-overview.md).
29+
- Allow service tag **AzureAttestation** in Network Security Group outbound rules to allow traffic for Microsoft Azure Attestation. Refer to [Virtual network service tags](../virtual-network/service-tags-overview.md).
3030

3131
- Make sure that the firewall policies are allowing access to `*.attest.azure.net`.
3232

3333
> [!NOTE]
3434
> If you are using a Linux image and anticipate the VM may have kernel drivers either unsigned or not signed by the Linux distro vendor, then you may want to consider turning off secure boot. In the Azure portal, in the ‘Create a virtual machine’ page for ‘Security type’ parameter with ‘Trusted Launch Virtual Machines’ selected, click on ‘Configure security features’ and uncheck the ‘Enable secure boot’ checkbox. In CLI, PowerShell, or SDK, set secure boot parameter to false.
3535
36-
## Deploy a trusted launch VM
36+
## Deploy a Trusted Launch VM
3737

3838
Create a virtual machine with trusted launch enabled. Choose an option below:
3939

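Review bot: the new Defender for Cloud sentence on line 22 needs tightening: "With the absence of MDC, Trusted Launch virtual machine users can't monitor [boot integrity] of VM" should read "Without Microsoft Defender for Cloud, you can't monitor the [boot integrity] of Trusted Launch VMs", spelling out the abbreviation since MDC is not introduced anywhere earlier. Because the requirement is being softened from "You need to" to "It's recommended to", this consequence is what justifies keeping the bullet under Prerequisites, so state it plainly. Line 24 has the same problem: "Policy will help deploy, audit for Trusted Launch Virtual Machines while automatically installing" reads better as "Policy helps you deploy and audit Trusted Launch VMs and automatically installs all required extensions on supported VMs." The new bullet on line 25 is also missing its terminal period, and the retitled heading "Deploy a Virtual Machine with Trusted Launch Enabled" (line 14) switches to title case while every other heading in the file uses sentence case.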
@@ -46,7 +46,7 @@ Create a virtual machine with trusted launch enabled. Choose an option below:
4646
1. Under **Project details**, make sure the correct subscription is selected.
4747
1. Under **Resource group**, select **Create new** and type a name for your resource group or select an existing resource group from the dropdown.
4848
1. Under **Instance details**, type a name for the virtual machine name and choose a region that supports [trusted launch](trusted-launch.md#additional-information).
49-
1. For **Security type** select **Trusted launch virtual machines**. This will make three more options appear - **Secure boot**, **vTPM**, and **Integrity Monitoring** . Select the appropriate options for your deployment. To learn more about [Trusted Launch Enabled Security Features](trusted-launch.md#microsoft-defender-for-cloud-integration).
49+
1. For **Security type** select **Trusted launch virtual machines**. This makes three more options appear - **Secure boot**, **vTPM**, and **Integrity Monitoring** . Select the appropriate options for your deployment. To learn more about [Trusted Launch Enabled Security Features](trusted-launch.md#microsoft-defender-for-cloud-integration).
5050
:::image type="content" source="./media/trusted-launch/tvm-popup.png" alt-text="Screenshot showing the options for Trusted Launch.":::
5151
1. Under **Image**, select an image from the **Recommended Gen 2 images compatible with Trusted launch**. For a list, see [trusted launch](trusted-launch.md#virtual-machines-sizes).
5252
> [!TIP]
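Review bot: while touching line 49, fix the stray space in "**Integrity Monitoring** ." and the dangling fragment "To learn more about [Trusted Launch Enabled Security Features](...)", which has no main verb; "For more information, see [Trusted Launch Enabled Security Features](...)." would do.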
@@ -58,11 +58,11 @@ Create a virtual machine with trusted launch enabled. Choose an option below:
5858

5959
:::image type="content" source="./media/trusted-launch/tvm-complete.png" alt-text="Sceenshot of the validation page, showing the trusted launch options are included.":::
6060

61-
It will take a few minutes for your VM to be deployed.
61+
It takes a few minutes for your VM to be deployed.
6262

6363
### [CLI](#tab/cli)
6464

65-
Make sure you are running the latest version of Azure CLI
65+
Make sure you're running the latest version of Azure CLI.
6666

6767
Sign in to Azure using `az login`.
6868

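Review bot: line 59 in the unchanged context still carries the typo "Sceenshot" in the image alt text; since this hunk edits the adjacent line, fix it here as "Screenshot".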
@@ -86,7 +86,7 @@ az vm create \
8686
--enable-vtpm true
8787
```
8888

89-
For existing VMs, you can enable or disable secure boot and vTPM settings. Updating the virtual machine with secure boot and vTPM settings will trigger auto-reboot.
89+
For existing VMs, you can enable or disable secure boot and vTPM settings. Updating the virtual machine with secure boot and vTPM settings trigger auto-reboot.
9090

9191
```azurecli-interactive
9292
az vm update \
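Review bot: the rewritten line 89 has a subject-verb mismatch, "Updating the virtual machine with secure boot and vTPM settings trigger auto-reboot"; the subject is "Updating", so it should be "triggers an automatic reboot". This is the operationally important sentence in the section (changing Secure Boot or vTPM restarts the VM), so it should read cleanly.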
@@ -179,7 +179,7 @@ No VM Guest State information shall be included in the image source.
179179

180180
The resulting image version can be used to create either Azure Gen2 VMs or Trusted launch VMs.
181181

182-
These images can be shared using [Azure Compute Gallery - Direct Shared Gallery](../virtual-machines/azure-compute-gallery.md#shared-directly-to-a-tenant-or-subscription) and [Azure Compute Gallery - Community Gallery](../virtual-machines/azure-compute-gallery.md#community-gallery)
182+
These images can be shared using [Azure Compute Gallery - Direct Shared Gallery](../virtual-machines/azure-compute-gallery.md#shared-directly-to-a-tenant-or-subscription) and [Azure Compute Gallery - Community Gallery](../virtual-machines/azure-compute-gallery.md#community-gallery).
183183

184184
> [!NOTE]
185185
> The OS disk VHD, Managed Image or Gallery Image Version should be created from a [Gen2 image that is compatible with Trusted launch VMs](trusted-launch.md#virtual-machines-sizes).
@@ -202,8 +202,8 @@ These images can be shared using [Azure Compute Gallery - Direct Shared Gallery]
202202
1. For **Operating system state**, select either **Generalized** or **Specialized** depending on your use case. If you're using a managed image as the source, always select **Generalized**. If you're using a storage blob (VHD) and want to select **Generalized**, follow the steps to [generalize a Linux VHD](../virtual-machines/linux/create-upload-generic.md) or [generalize a Windows VHD](../virtual-machines/windows/upload-generalized-managed.md) before you continue. If you're using an existing VM Image Version, select either **Generalized** or **Specialized** based on what is used in the source VM image definition.
203203
1. For **Target VM Image Definition**, select **Create new**.
204204
1. In the **Create a VM image definition** pane, enter a name for the definition. Make sure the security type is set to **Trustedlaunch Supported**. Enter publisher, offer, and SKU information. Then, select **Ok**.
205-
1. On the **Replication** tab, enter the replica count and target regions for image replication, if required.
206-
1. On the **Encryption** tab, enter SSE encryption-related information, if required.
205+
1. On the **Replication** tab, enter the replica count and target regions for image replication, if necessary.
206+
1. On the **Encryption** tab, enter SSE encryption-related information, if necessary.
207207
1. Select **Review + Create**.
208208
1. After the configuration is successfully validated, select **Create** to finish creating the image.
209209
1. After the image version is created, select **Create VM**.
@@ -217,15 +217,15 @@ These images can be shared using [Azure Compute Gallery - Direct Shared Gallery]
217217

218218
#### [CLI](#tab/cli3)
219219

220-
Make sure you are running the latest version of Azure CLI
220+
Make sure you're running the latest version of Azure CLI.
221221

222222
Sign in to Azure using `az login`.
223223

224224
```azurecli-interactive
225225
az login
226226
```
227227

228-
Create an image definition with `TrustedLaunchSupported` security type
228+
Create an image definition with `TrustedLaunchSupported` security type.
229229

230230
```azurecli-interactive
231231
az sig image-definition create --resource-group MyResourceGroup --location eastus \
@@ -236,7 +236,7 @@ az sig image-definition create --resource-group MyResourceGroup --location eastu
236236
--features SecurityType=TrustedLaunchSupported
237237
```
238238

239-
Use an OS disk VHD to create an image version. Ensure that the Linux VHD was generalized before uploading to an Azure storage account blob using steps outlined [here](../virtual-machines/linux/create-upload-generic.md)
239+
Use an OS disk VHD to create an image version. Ensure that the Linux VHD was generalized before uploading to an Azure storage account blob using steps outlined [here](../virtual-machines/linux/create-upload-generic.md).
240240

241241
```azurecli-interactive
242242
az sig image-version create --resource-group MyResourceGroup \
@@ -246,7 +246,7 @@ az sig image-version create --resource-group MyResourceGroup \
246246
--os-vhd-uri https://mystorageaccount.blob.core.windows.net/container/path_to_vhd_file
247247
```
248248

249-
Create a Trusted launch VM from the above image version
249+
Create a Trusted launch VM from the above image version.
250250

251251
```azurecli-interactive
252252
adminUsername=linuxvm
@@ -263,7 +263,7 @@ az vm create --resource-group MyResourceGroup \
263263

264264
#### [PowerShell](#tab/powershell3)
265265

266-
Create an image definition with `TrustedLaunchSupported` security type
266+
Create an image definition with `TrustedLaunchSupported` security type.
267267

268268
```azurepowershell-interactive
269269
$rgName = "MyResourceGroup"
@@ -279,7 +279,7 @@ $features = @($SecurityType)
279279
New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $galleryImageDefinitionName -Location $location -Publisher $publisherName -Offer $offerName -Sku $skuName -HyperVGeneration "V2" -OsState "Generalized" -OsType "Windows" -Description $description -Feature $features
280280
```
281281

282-
To create an image version, we can use an existing Gen2 Gallery Image Version which was generalized during creation.
282+
To create an image version, we can use an existing Gen2 Gallery Image Version, which was generalized during creation.
283283

284284
```azurepowershell-interactive
285285
$rgName = "MyResourceGroup"
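Review bot: the comma added on line 282 turns "which was generalized during creation" into a nonrestrictive aside, implying any existing Gen2 Gallery Image Version will do. The intent is that the source version must be one that was generalized, so the restrictive form without the comma ("an existing Gen2 Gallery Image Version that was generalized during creation") keeps the requirement intact.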
@@ -371,12 +371,12 @@ The resulting image version can be used only to create Azure Trusted launch VMs.
371371

372372
1. Sign in to the Azure [portal](https://portal.azure.com).
373373
2. To create an Azure Compute Gallery Image from a VM, open an existing Trusted launch VM and select **Capture**.
374-
3. In the Create an Image page that follows, allow the image to be shared to the gallery as a VM image version. Creation of Managed Images is not supported for Trusted Launch VMs.
374+
3. In the Create an Image page that follows, allow the image to be shared to the gallery as a VM image version. Creation of Managed Images isn't supported for Trusted Launch VMs.
375375
4. Create a new target Azure Compute Gallery or select an existing gallery.
376376
5. Select the **Operating system state** as either **Generalized** or **Specialized**. If you want to create a generalized image, ensure that you [generalize the VM to remove machine specific information](generalize.yml) before selecting this option. If Bitlocker based encryption is enabled on your Trusted launch Windows VM, you may not be able to generalize the same.
377-
6. Create a new image definition by providing a name, publisher, offer and SKU details. The **Security Type** of the image definition should already be set to **Trusted launch**.
377+
6. Create a new image definition by providing a name, publisher, offer, and SKU details. The **Security Type** of the image definition should already be set to **Trusted launch**.
378378
7. Provide a version number for the image version.
379-
8. Modify replication options if required.
379+
8. Modify replication options if necessary.
380380
9. At the bottom of the **Create an Image** page, select **Review + Create** and when validation shows as passed, select **Create**.
381381
10. Once the image version is created, go the image version directly. Alternatively, you can navigate to the required image version through the image definition.
382382
11. On the **VM image version** page, select the **+ Create VM** to land on the Create a virtual machine page.
@@ -388,11 +388,11 @@ The resulting image version can be used only to create Azure Trusted launch VMs.
388388
1. On the validation page, review the details of the VM.
389389
1. After the validation succeeds, select **Create** to finish creating the VM.
390390

391-
In case you want to use either a managed disk or a managed disk snapshot as a source of the image version (instead of a trusted launch VM), then use the following steps
391+
In case you want to use either a managed disk or a managed disk snapshot as a source of the image version (instead of a trusted launch VM), then use the following steps.
392392

393393
1. Sign in to the [portal](https://portal.azure.com)
394394
2. Search for **VM Image Versions** and select **Create**
395-
3. Provide the subscription, resource group, region and image version number
395+
3. Provide the subscription, resource group, region, and image version number
396396
4. Select the source as **Disks and/or Snapshots**
397397
5. Select the OS disk as a managed disk or a managed disk snapshot from the dropdown list
398398
6. Select a **Target Azure Compute Gallery** to create and share the image. If no gallery exists, create a new gallery.
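Review bot: line 391 now ends with a period before a numbered list; a colon ("use the following steps:") is the convention used elsewhere in this file (for example "Choose an option below:"). The list items on lines 393 to 397 also lack terminal punctuation while line 398 onward has it; pick one style for the whole list.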
@@ -407,7 +407,7 @@ In case you want to use either a managed disk or a managed disk snapshot as a so
407407

408408
#### [CLI](#tab/cli2)
409409

410-
Make sure you are running the latest version of Azure CLI
410+
Make sure you're running the latest version of Azure CLI.
411411

412412
Sign in to Azure using `az login`.
413413

@@ -548,19 +548,26 @@ New-AzVM `
548548
-VM $vm
549549
```
550550
---
551+
## Trusted Launch Built-In Policies
552+
553+
To help end-users adopt Trusted Launch, there is Azure policies available to help resource owners adopt Trusted Launch. The main objbective being to help convert Generation 1 and 2 Virtual Machines that are Trusted Launch capable. **Virtual Machine should have Trusted Launch enabled** single policy checks if the virtual machine, currently enabled with Trusted Launch security configurations. **Disks and OS Supported for Trusted Launch** checks if previously created virtual machines has the [capable Generation 2 operating system and virtual machine size](trusted-launch.md#virtual-machines-sizes) to deploy a Trusted Launch virtual machines. These two policies come together to make the Trusted Launch policy initative, enabling you to group several related policy definitions to simplify assignments and management resources to include Trusted Launch configuration.
551554

555+
To learn more, and start deploying the [Trusted Launch built-in policies](../governance/policy/samples/built-in-policies.md#trusted-launch).
556+
557+
---
552558
## Verify or update your settings
553559

554560
For VMs created with trusted launch enabled, you can view the trusted launch configuration by visiting the **Overview** page for the VM in the Azure portal. The **Properties** tab will show the status of Trusted Launch features:
555561

556562
:::image type="content" source="./media/trusted-launch/security-type-enabled.png" alt-text="Screenshot of the Trusted Launch properties of the VM.":::
557563

558-
To change the trusted launch configuration, in the left menu, under the **Settings** section, select **Configuration**. You can enable or disable Secure Boot, vTPM, and Integrity Monitoring from the **Security type** section. Select **Save** at the top of the page when you are done.
564+
To change the trusted launch configuration, in the left menu, under the **Settings** section, select **Configuration**. You can enable or disable Secure Boot, vTPM, and Integrity Monitoring from the **Security type** section. Select **Save** at the top of the page when you're done.
559565

560566
:::image type="content" source="./media/trusted-launch/verify-integrity-boot-on.png" alt-text="Screenshot showing check boxes to change the Trusted Launch settings.":::
561567

562-
If the VM is running, you will receive a message that the VM will be restarted. Select **Yes** then wait for the VM to restart for changes to take effect.
568+
If the VM is running, you receive a message that the VM will be restarted. Select **Yes** then wait for the VM to restart for changes to take effect.
563569

564570
## Next steps
565571

566-
Learn more about [trusted launch](trusted-launch.md) and [Boot integrity monitoring](boot-integrity-monitoring-overview.md) VMs.
572+
Learn more about [trusted launch](trusted-launch.md) and [boot integrity monitoring](boot-integrity-monitoring-overview.md) VMs.
573+

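Review bot: the new "Trusted Launch Built-In Policies" section needs a copy-edit pass before merge. On line 553, "there is Azure policies available" should be "there are Azure Policy definitions available"; "objbective" and "initative" are misspelled; "checks if the virtual machine, currently enabled with Trusted Launch security configurations" is missing its verb (suggest "checks whether the virtual machine is currently configured with Trusted Launch security settings"); "previously created virtual machines has the" should be "have the"; and "to deploy a Trusted Launch virtual machines" mixes singular and plural. Line 555 is a fragment with no main clause ("To learn more, and start deploying the [...]"); "To learn more and start deploying, see the [Trusted Launch built-in policies](...)." fixes it. The heading on line 551 uses title case where the rest of the file uses sentence case. Finally, the two bold policy names should be checked against the display names on the linked built-in policies page so readers can find them in the portal.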