Create a Secure Workstation Image with Trusted launch enabled in Azure

We now has support for Trusted Launch VM´s in Azure. It is easy to build Azure VM´s with trusted launch from Microsoft provided gallery images. But sometimes you also want your own image with your own customizations. This guide will show you how to create a customized gallery image with trusted launch enabled. I will also deploy optimizations and security baselines to achieve a secure Workstation image.

Create the VM Template

1. Open Azure Portal
2. Create a new Virtual Machine

3. Make sure you select Trusted Launch and select a Gen2 gallery image

4. Customize disk, network etc. with your preferences
5. Make sure Trusted Launch, Secure boot and vTPM is enabled on a Gen2 image and create the VM

6. Wait for deployment to finish successfully

Customize VM Template

1. Open VM Overview by selecting Go to resource
2. Connect to the VM with RDP connection.

3. Download the RDP file and open it up to connect.
4. Start by open Settings / Windows Update and install all available updates

5. Reboot if needed
6. After reboot start Customizing your VM

You can for example run:

• Virtual Desktop Optimization Tool – to optimize performance
• Windows 11 Security Baseline – to secure Windows
• Microsoft Edge v98 Security Baseline – to secure Edge

Virtual Desktop Optimization Tool

Virtual Desktop Optimization Tool is a fantastic tool to optimize performance for a virtual machine. Often used in Azure VM´s and Azure Virtual Desktop images. Read more here

1. Create a folder (ex. “D:\Optimize”).
2. Download the files for Virtual Desktop Optimization Tool.
3. Unblock the downloaded .zip file, either manually using File -> Properties, or using PowerShell: Unblock-File
4. Extract the VDOT download to the folder previously created (ex. “D:\Optimize).
5. Edit the file appxpackages.json in Virtual Desktop Optimization Tool. This file configures apps to be removed during optimization.
6. Replace “UnChanged” with “Disabled” for all apps not needed.

7. Start PowerShell elevated.
8. In PowerShell, change directory to the scripts folder (ex. D:\Optimize).
9. Run the following PowerShell command:

.\Windows_VDOT.ps1 -WindowsVersion 2009 -Optimizations Edge,All -AcceptEULA

Microsoft Edge v98 Security Baseline

1. Create a folder (ex. “D:\SecureEdge”).
2. Download the files for Microsoft Edge v98 Security Baseline
3. Unblock the downloaded .zip file, either manually using File -> Properties, or using PowerShell: Unblock-File
4. Extract the files to the folder previously created (ex. “D:\SecureEdge).
5. Copy the file d:\optimize\LGPO\LGPO.exe to folder d:\SecureEdge\scripts\tools
6. Start PowerShell elevated.
7. In PowerShell, change directory to the scripts folder (ex. D:\SecureEdge\Scripts).
8. Run the following PowerShell command:

.\Baseline-LocalInstall.ps1

Windows 11 Security Baseline

1. Create a folder (ex. “D:\SecureWindows”).
2. Download the files for Windows 11 Security Baseline
3. Unblock the downloaded .zip file, either manually using File -> Properties, or using PowerShell: Unblock-File
4. Extract the files to the folder previously created (ex. “D:\SecureWindows).
5. Copy the file d:\optimize\LGPO\LGPO.exe to folder d:\SecureWindows\scripts\tools
6. Start PowerShell elevated.
7. In PowerShell, change directory to the scripts folder (ex. D:\SecureWindows\Scripts).
8. Run the following PowerShell command:

.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined

9. Now you will lose access to the VM with RDP. The Security Baseline enable a firewall setting that makes RDP blocked on an Azure VM.
10. Open Azure Portal
11. Open the VM Template created above
12. Select Run Command under Operations
13. Select RunPowerShellScript

14. Copy the below code into the PowerShell Script pane and click Run button

$firewall = "
; ----------------------------------------------------------------------
; PARSING Computer POLICY

Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
AllowLocalIPsecPolicyMerge
DELETE

Computer
Software\Policies\Microsoft\WindowsFirewall\PublicProfile
AllowLocalPolicyMerge
DELETE

; PARSING COMPLETED.
; ----------------------------------------------------------------------"
$firewall | out-file d:\firewall.txt
D:\SecureWs\Windows11-Security-Baseline-FINAL\Scripts\Tools\lgpo.exe /t d:\firewall.txt

Sysprep

To prepare the image for deployment, we need to remove all ID´s tied to the VM. This is called to generalize the windows installation.

1. In the VM Template machine
2. Start PowerShell elevated.
3. In PowerShell, change directory to c:\windows\system32\sysprep
4. Run the following PowerShell command:

.\sysprep.exe /generalize /oobe /shutdown

Capture the VM Template

1. Open Azure Portal
2. Open Overview for the VM Template created above
3. Select Capture

4. Enter Project details and select Automatically delete this virtual machine after creating the image

5. Enter Gallery details.
6. Create a new Gallery if none exist
7. Select Generalized

8. Create a new Target VM Image Definition with preferred settings

9. Enter a Version for the image

10. Review and create the image

Deploy VM based on your custom gallery image

1. Open Azure Portal
2. Create a new Virtual Machine

3. Make sure you select Trusted Launch and click see all images

4. Navigate to Shared Images
5. Select your Custom Image created above

6. Note that the Trusted Launch is selected and grayed out,

7. Customize disk, network etc. with your preferences
8. Make sure Trusted Launch, Secure boot and vTPM is enabled on a Gen2 image and create the VM

9. Wait for deployment to finish successfully

The Secure Workstation is created and Trusted Launch, Secure Boot and vTPM is enabled.

About The Author