
[RULE] VMSS should use secure boot #3730

@BernieWhite

Description


Existing rule

No response

Suggested rule

Virtual machine scale sets (Microsoft.Compute/virtualMachineScaleSets) should use secure boot by setting the property properties.virtualMachineProfile.securityProfile.securityType = TrustedLaunch and properties.virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled = true.

At the root of Trusted Launch is Secure Boot for your VM. Secure Boot, which is implemented in platform firmware, protects against the installation of malware-based rootkits and boot kits. Secure Boot works to ensure that only signed operating systems and drivers can boot. It establishes a "root of trust" for the software stack on your VM.

With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) require trusted publishers signing. Both Windows and select Linux distributions support Secure Boot. If Secure Boot fails to authenticate that the image is signed with a trusted publisher, the VM fails to boot.

Pillar

Security

Additional context

Setting the security type to ConfidentialVM is also acceptable.
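The following is an added example, not code from the issue or from PSRule for Azure, showing how the suggested rule (including the ConfidentialVM allowance above) can be evaluated against the resources of an ARM template. The template fragment is constructed for illustration; resource names are invented. The check assumes that a scale set with no securityType is treated as Standard, that a TrustedLaunch or ConfidentialVM scale set without uefiSettings.secureBootEnabled = true is still reported (secure boot must be set explicitly), and that the securityType values are compared exactly as ARM spells them.

```python
"""Evaluate ARM template resources against the VMSS secure boot rule (added example)."""
from typing import Any, Optional

# ARM resource types are case-insensitive, so compare lowercased.
VMSS_TYPE = "microsoft.compute/virtualmachinescalesets"
# Assumption from the issue text: TrustedLaunch is required, ConfidentialVM is also acceptable.
ACCEPTED_SECURITY_TYPES = {"TrustedLaunch", "ConfidentialVM"}


def get_path(obj: Any, *keys: str) -> Any:
    """Walk nested dicts along keys; return None as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def vmss_secure_boot_finding(resource: dict) -> Optional[str]:
    """Return None when the scale set satisfies the rule, otherwise the reason it fails."""
    profile = get_path(resource, "properties", "virtualMachineProfile", "securityProfile")
    security_type = get_path(profile, "securityType")
    if security_type is None:
        # Assumption: an unset securityType behaves as Standard, which has no secure boot.
        return "securityProfile.securityType is not set (defaults to Standard)"
    if security_type not in ACCEPTED_SECURITY_TYPES:
        return f"securityType is {security_type!r}; expected TrustedLaunch or ConfidentialVM"
    # Require the explicit setting the rule asks for; a missing value is reported too.
    if get_path(profile, "uefiSettings", "secureBootEnabled") is not True:
        return "uefiSettings.secureBootEnabled is not set to true"
    return None


def evaluate_template(template: dict) -> dict:
    """Map each VMSS resource name to its finding; None means the resource is compliant."""
    results = {}
    for resource in template.get("resources", []):
        if str(resource.get("type", "")).lower() != VMSS_TYPE:
            continue  # only scale sets are in scope for this rule
        results[resource["name"]] = vmss_secure_boot_finding(resource)
    return results


def _vmss(name: str, security_profile: Optional[dict]) -> dict:
    """Build a minimal constructed VMSS resource for the sample template."""
    vm_profile = {} if security_profile is None else {"securityProfile": security_profile}
    return {
        "type": "Microsoft.Compute/virtualMachineScaleSets",
        "name": name,
        "properties": {"virtualMachineProfile": vm_profile},
    }


# Constructed sample template (not from the issue) covering the cases the rule must handle.
SAMPLE_TEMPLATE = {
    "resources": [
        _vmss("vmss-no-profile", None),
        _vmss("vmss-standard", {"securityType": "Standard"}),
        _vmss("vmss-trusted-no-uefi", {"securityType": "TrustedLaunch"}),
        _vmss("vmss-trusted", {
            "securityType": "TrustedLaunch",
            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True},
        }),
        _vmss("vmss-cvm", {
            "securityType": "ConfidentialVM",
            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True},
        }),
        # A plain VM is out of scope and must not appear in the results.
        {"type": "Microsoft.Compute/virtualMachines", "name": "vm-plain", "properties": {}},
    ]
}


if __name__ == "__main__":
    for name, finding in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'pass' if finding is None else 'FAIL - ' + finding}")
```

Running the script prints one line per scale set; only vmss-trusted and vmss-cvm pass, and the three failing resources each carry the specific property that is missing or wrong, which is the detail a rule result should surface to the template author.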
