|
| 1 | +--- |
| 2 | +title: Migrate Generation 2 Virtual Machines to Azure Trusted Launch Virtual Machines with Azure Migrate |
| 3 | +description: Use Azure Migrate to migrate on premises Generation 2 Virtual Machines to Azure Trusted Launch Virtual Machines |
| 4 | +author: dhananjayanr |
| 5 | +ms.author: dhananjayanr |
| 6 | +ms.topic: how-to |
| 7 | +ms.service: azure-migrate |
| 8 | +ms.reviewer: v-uhabiba |
| 9 | +ms.date: 03/16/2026 |
| 10 | +ms.custom: engagement-fy26 |
| 11 | +# Customer intent: "As an IT administrator, I want to migrate servers to Azure Trusted Launch Virtual Machines so that I can ensure enhanced security for my Virtual Machines." |
| 12 | +--- |
| 13 | + |
| 14 | +# Migrate generation 2 virtual machines to Azure trusted launch virtual machines using Azure Migrate |
| 15 | + |
| 16 | +Azure Migrate now supports migrating Generation 2 virtual machines to Azure Virtual Machines with Trusted Launch. Trusted Launch uses UEFI-based Secure Boot and a virtual Trusted Platform Module (vTPM) to establish a trusted boot chain. This helps ensure that only approved and signed components are loaded during startup, reducing the risk of bootkits, rootkits, and other low-level malware. |
| 17 | + |
| 18 | +Trusted Launch is the default security type for supported Generation 2 Virtual Machines and virtual machine scale sets in Azure, where available. [Learn more](/azure/virtual-machines/trusted-launch) about Trusted Launch Virtual Machines. |
| 19 | + |
| 20 | +## Supported operating systems |
| 21 | +Azure Migrate supports all Operating systems that are supported for Trusted Launch in Azure. For more information, See [Azure supported OS list and Virtual Machine sizes](/azure/virtual-machines/trusted-launch#operating-systems-supported). |
| 22 | + |
| 23 | +>[!Note] |
| 24 | +>Trusted Launch is a security feature for Generation 2 Virtual Machines. Generation 1 Virtual Machines use BIOS and MBR, and they do not support Secure Boot or vTPM by design. As a result, Generation 1 Virtual Machines cannot use Trusted Launch and Azure migrate does not support migrating Gen 1 Virtual Machines to Trusted Launch virtual Machines |
| 25 | +
|
| 26 | +## Secure boot |
| 27 | +At the root of Trusted Launch is Secure Boot. Secure Boot is implemented in platform firmware and protects virtual machines from malware such as bootkits and rootkits. Secure Boot ensures that only signed operating systems and drivers can start. It establishes a trusted boot chain for the virtual machine. When Secure Boot is enabled, all operating system boot components—including the boot loader, kernel, and kernel drivers—must be signed by trusted publishers. Both Windows and supported Linux distributions support Secure Boot. If Secure Boot can't verify a trusted signature, the virtual machine fails to boot. |
| 28 | + |
| 29 | +>[!Note] |
| 30 | +>Secure Boot is configured as part of the Trusted Launch settings on the target Virtual Machine and isn’t inherited from the source Virtual Machine. Even if Secure Boot was enabled on the source Virtual Machine, it isn’t automatically enabled on the migrated Trusted Launch Virtual Machine. You must explicitly enable Secure Boot in the Trusted Launch configuration during migration. |
| 31 | +
|
| 32 | +## How to migrate to trusted launch virtual machines using Azure Migrate |
| 33 | +This guide explains how to migrate your workloads to Trusted Launch Virtual Machines using Azure Migrate. For more information, See [How to migrate to trusted launch virtual machines using Azure Migrate](tutorial-migrate-vmware.md). |
| 34 | + |
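Review bot: The "How to migrate" section at lines 32-33 says "This guide explains how to migrate" but gives no steps, only a link whose text repeats this section's own heading while its target is tutorial-migrate-vmware.md. The note at line 30 says Secure Boot is not inherited from the source VM and must be explicitly enabled in the Trusted Launch configuration during migration, so this section should name the step where that setting is made, or at least use link text that identifies the linked VMware tutorial. Otherwise a reader can follow the link and complete a migration with Secure Boot left off. The intro at line 16 also names vTPM as part of Trusted Launch, but the page never says whether vTPM is likewise not carried over from the source. Smaller points: the note at line 24 has no closing period and mixes "Azure migrate" and "virtual Machines" casing, and lines 21 and 33 have a mid-sentence "See" (line 21 also has "all Operating systems").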