What it is
A virtual machine whose securityProfile.securityType is not TrustedLaunch (or ConfidentialVM). Trusted Launch gives a Gen2 VM Secure Boot and a virtual TPM, so the firmware and bootloader are cryptographically verified before the OS starts. Without it, nothing checks what runs first on the machine — a bootkit or firmware-level rootkit loads before the OS, which means before every security agent installed on the OS.
Why it happens
Trusted Launch is a deployment-time setting, and for years the default was off. The Azure portal now defaults new Gen2 VMs to Trusted Launch, but older ARM templates, Terraform modules, golden images, and scripted creation paths that predate the change keep producing Standard VMs every time they run. Fleets built before the default flipped simply never had it.
There's also a real constraint that keeps the gap open: Gen1 VMs can't use Trusted Launch at all, and a VM built without it historically stayed that way. Azure now supports enabling Trusted Launch on existing Gen2 VMs (deallocate, update the security profile, restart), but that's a deliberate migration someone has to plan, so it rarely happens on its own.
What it costs / blast radius
Trusted Launch adds no cost to the VM price, so this is a free control that's simply not switched on. The blast radius is the class of attack it blocks: bootkits and rootkits that persist below the operating system. Malware in the boot chain survives OS reinstalls, hides from EDR and antivirus (which only start after it does), and undermines every attestation you'd want to make about the machine's integrity. Secure Boot refuses unsigned boot components; vTPM enables measured boot and remote attestation. Without them, "the VM is clean" is a statement of hope. (Authored assessment of Azure behavior.)
See it
resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
name: 'app-vm-01'
location: location
properties: {
hardwareProfile: { vmSize: 'Standard_D4s_v5' }
// ...osProfile and networkProfile omitted for brevity
// no securityProfile: boots as a Standard VM,
// nothing verifies the firmware or bootloader
storageProfile: {
imageReference: {
publisher: 'Canonical'
offer: 'ubuntu-24_04-lts'
sku: 'server' // Gen2 image
version: 'latest'
}
}
}
}resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
name: 'app-vm-01'
location: location
properties: {
hardwareProfile: { vmSize: 'Standard_D4s_v5' }
// ...osProfile and networkProfile omitted for brevity
securityProfile: {
securityType: 'TrustedLaunch'
uefiSettings: {
secureBootEnabled: true
vTpmEnabled: true
}
}
storageProfile: {
imageReference: {
publisher: 'Canonical'
offer: 'ubuntu-24_04-lts'
sku: 'server'
version: 'latest'
}
}
}
}How StratoLens helps
StratoLens flags every VM running without Trusted Launch, automatically and continuously, across all your subscriptions — inside your own tenant. Instead of auditing templates one repo at a time, you get the live list of machines still booting unverified, so the free fix actually gets applied.