Trusted Launch: Pros vs Cons

Is anyone currently using Trusted Launch for their AVD Hosts?
It seems like something we would always want turned on, but where we haven't used it before, we want to make sure we're testing it appropriately (i.e. not trying to make a spoon work like a shovel).

Have you used only the vanilla Azure Gallery images or are you successfully using custom images?
Are there any issues or gotchas (i.e. Mac client users get an error message) we need to be concerned about?
Any end-user experience items we need to let our clients know about?


Comments (6 comments)

Travis Lamming

I would like to know as well, I'm in the same position as you, it would be nice to know if it's worth it and what the drawbacks are, if any.

Stefan Georgiev

Benefits: increased security and, if required, meets compliance requirements (when coming from on-premises)

Drawbacks: small performance impact on boot, gen2 requirements

In AVD we should use trusted launch (TL): mission-critical apps and/or highly confidential data, and/or healthcare, financial verticals

DStephenson

Thanks, Stefan!

Tony Cai

Microsoft has just made this a default. We will be following suit.

DStephenson

That's excellent news, Tony Cai!
Will Nerdio have a way to "convert" our desktop images to Trusted Launch images or will we need to recreate them from scratch?

Peter Yasuda

Hi DStephenson, here's something I just encountered: Our host pool has Trusted Launch enabled, with Secure Boot and vTPM. I built a new image from an Azure Marketplace Gen 2 image (one of the Win 11 23H2 images), but did not enable Trusted Launch. When I tried to re-image, I got this error:

Trusted Launch is enabled in the Host Pool properties, but the selected image is Gen 1 and doesn't support Trusted Launch. Please choose a Gen 2 image or disable Trusted Launch on the Host Pool properties.

The Nerdio documentation lists a "Create image VM as Gen2" option that is no longer there, so it looks like that is now determined by selecting "Use Trusted Launch" or not.

https://nmmhelp.getnerdio.com/hc/en-us/articles/26125609362573-Overview-of-Desktop-Images#Add2

We set up a new host pool in January this year, and the Nerdio deployment engineer said not to enable Trusted Launch because it could create problems, so I don't know how that goes with Tony's comment. If you select a Gen2 image when creating a new Desktop Image, "Use Trusted Launch" is enabled, so maybe that's what he meant.

Anyway, now I have to rebuild the image.

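A pre-flight check for the mismatch described in the comment above (host pool with Trusted Launch, image that is not Gen 2), added here as an example and not code from the thread or from Nerdio. It assumes the Az.Compute PowerShell module, an existing Connect-AzAccount session, and placeholder names for the resource group, session host and Marketplace image.

```powershell
# Added example, not code from the thread or from Nerdio. Assumes the Az.Compute
# module and an existing Connect-AzAccount session; all names below are placeholders.
function Test-TrustedLaunchReadiness {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VmName,
        [string] $Location  = 'eastus',
        [string] $Publisher = 'MicrosoftWindowsDesktop',
        [string] $Offer     = 'windows-11',
        [string] $Sku       = 'win11-23h2-avd'
    )

    # 1. Image side: Trusted Launch needs a Gen 2 (HyperVGeneration = V2) image.
    $latest = Get-AzVMImage -Location $Location -PublisherName $Publisher -Offer $Offer -Skus $Sku |
              Sort-Object { [version] $_.Version } -Descending | Select-Object -First 1
    $image  = Get-AzVMImage -Location $Location -PublisherName $Publisher -Offer $Offer `
                            -Skus $Sku -Version $latest.Version
    $isGen2 = $image.HyperVGeneration -eq 'V2'

    # 2. Host side: SecurityType, Secure Boot and vTPM live in the VM's SecurityProfile.
    $prof = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName).SecurityProfile
    $tl   = $prof.SecurityType -eq 'TrustedLaunch'
    $sb   = [bool] $prof.UefiSettings.SecureBootEnabled
    $vtpm = [bool] $prof.UefiSettings.VTpmEnabled

    # 3. The same condition the re-image error reports, evaluated before re-imaging.
    $note = if ($tl -and -not $isGen2) {
        'Host has Trusted Launch but image is Gen 1: pick a Gen 2 image or disable Trusted Launch'
    } elseif ($tl -and -not ($sb -and $vtpm)) {
        'Trusted Launch is on but Secure Boot and vTPM are not both enabled; review the host'
    } else { 'OK' }

    [pscustomobject]@{
        Image             = "$Publisher/$Offer/$Sku/$($latest.Version)"
        ImageGeneration   = $image.HyperVGeneration
        HostTrustedLaunch = $tl
        SecureBoot        = $sb
        vTPM              = $vtpm
        Ready             = (-not $tl) -or $isGen2
        Note              = $note
    }
}

Test-TrustedLaunchReadiness -ResourceGroupName 'rg-avd' -VmName 'avd-host-0' | Format-List
```

For a custom image in an Azure Compute Gallery, the same two facts come from Get-AzGalleryImageDefinition (its HyperVGeneration property and the SecurityType entry in Features) rather than from Get-AzVMImage.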
