Skip to main content
Back to the Azure Footguns Database
SecurityLowCommonAZF-0078

A VM without Trusted Launch has no Secure Boot or vTPM — rootkits load below your EDR

Trusted Launch brings Secure Boot and vTPM to Azure VMs at no extra cost, but plenty of deployment paths still create Standard VMs where the entire boot chain runs unverified.

Footgun ID
AZF-0078 (Azure Footgun No. 78)
Azure service
Azure Virtual Machines
Resource type
Microsoft.Compute/virtualMachines
Updated
July 9, 2026

What it is

A virtual machine whose securityProfile.securityType is not TrustedLaunch (or ConfidentialVM). Trusted Launch gives a Gen2 VM Secure Boot and a virtual TPM, so the firmware and bootloader are cryptographically verified before the OS starts. Without it, nothing checks what runs first on the machine — a bootkit or firmware-level rootkit loads before the OS, which means before every security agent installed on the OS.

Impact (security)
Boot-level malware loads before the OS and its security agents — nothing running inside the VM can see or stop it
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Trusted Launch is a deployment-time setting, and for years the default was off. The Azure portal now defaults new Gen2 VMs to Trusted Launch, but older ARM templates, Terraform modules, golden images, and scripted creation paths that predate the change keep producing Standard VMs every time they run. Fleets built before the default flipped simply never had it.

There's also a real constraint that keeps the gap open: Gen1 VMs can't use Trusted Launch at all, and a VM built without it historically stayed that way. Azure now supports enabling Trusted Launch on existing Gen2 VMs (deallocate, update the security profile, restart), but that's a deliberate migration someone has to plan, so it rarely happens on its own.

What it costs / blast radius

Trusted Launch adds no cost to the VM price, so this is a free control that's simply not switched on. The blast radius is the class of attack it blocks: bootkits and rootkits that persist below the operating system. Malware in the boot chain survives OS reinstalls, hides from EDR and antivirus (which only start after it does), and undermines every attestation you'd want to make about the machine's integrity. Secure Boot refuses unsigned boot components; vTPM enables measured boot and remote attestation. Without them, "the VM is clean" is a statement of hope. (Authored assessment of Azure behavior.)

See it

Footgun: no securityProfile — Secure Boot and vTPM are off
resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
  name: 'app-vm-01'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D4s_v5' }
    // ...osProfile and networkProfile omitted for brevity
    // no securityProfile: boots as a Standard VM,
    // nothing verifies the firmware or bootloader
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: 'ubuntu-24_04-lts'
        sku: 'server'          // Gen2 image
        version: 'latest'
      }
    }
  }
}
Fix: TrustedLaunch with Secure Boot and vTPM (requires a Gen2 image)
resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
  name: 'app-vm-01'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D4s_v5' }
    // ...osProfile and networkProfile omitted for brevity
    securityProfile: {
      securityType: 'TrustedLaunch'
      uefiSettings: {
        secureBootEnabled: true
        vTpmEnabled: true
      }
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: 'ubuntu-24_04-lts'
        sku: 'server'
        version: 'latest'
      }
    }
  }
}

How StratoLens helps

StratoLens flags every VM running without Trusted Launch, automatically and continuously, across all your subscriptions — inside your own tenant. Instead of auditing templates one repo at a time, you get the live list of machines still booting unverified, so the free fix actually gets applied.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.