Azure Trusted Launch is a security feature for Azure Generation 2 VMs that enables Secure Boot, a virtual Trusted Platform Module (vTPM), and Measured Boot to protect VMs against advanced threats. Starting with Parallels RAS 21.2, Trusted Launch VM types are supported as base templates for both the Azure and Azure Virtual Desktop (AVD) providers.
In Parallels RAS versions prior to 21.2, using a VM with Trusted Launch as a template base caused provisioning failures. Upgrading to RAS 21.2 or later resolves this.
Supported Trusted Launch features
When creating a Trusted Launch template in Parallels RAS 21.2, the following feature configuration is supported:
| Trusted Launch Feature | Support in RAS 21.2 |
|---|---|
| Secure Boot | Supported - can be enabled |
| vTPM (virtual Trusted Platform Module) | Supported - can be enabled |
| Integrity Monitoring | Not supported - must be disabled on the template VM |
How to create a Trusted Launch template
- In the RAS Console, expand the Farm node in the left pane and navigate to your Azure or AVD provider.
- Right-click the Templates node (or use the Add button in the toolbar) to open the template creation wizard.
- When selecting the base VM, choose an Azure Generation 2 VM that has its security type set to Trusted Launch.
- On the security configuration step, verify the following:
- Security type: Trusted Launch (inherited from the source VM - this cannot be changed)
- Secure Boot: Enabled
- vTPM: Enabled
- Integrity Monitoring: Disabled
- Complete the remaining wizard steps and click Finish. Parallels RAS uses Azure VM Images to create the template - this process may take several minutes, which is normal for Trusted Launch templates.
- Once the template is created, verify it appears in the Templates list and that VMs provisioned from it have the Trusted Launch security type in the Azure portal.
Note: The security type of a template is fixed at creation time and cannot be changed afterward. To switch between standard and Trusted Launch, create a new template from a VM of the desired security type.
Maintenance mode
Trusted Launch templates support entering and leaving maintenance mode in the same way as standard templates. When you exit maintenance mode, Parallels RAS creates a new image version in the Azure Compute Gallery automatically.
- In the RAS Console, right-click the template and select Enable Maintenance Mode. A maintenance clone is created from the template image.
- Connect to the maintenance VM and apply the required updates or changes.
- Once finished, right-click the template and select Disable Maintenance Mode. RAS creates a new image version from the updated VM and adds it to the gallery. Sessions using the previous image version are not interrupted until they reconnect.
Was this article helpful?
Tell us how we can improve it.