Citrix Virtual Apps and Desktops

Secure boot

Secure boot is designed to ensure that only trusted software is used to boot the system. The firmware has a database of trusted certificates and verifies that the image it loads is signed by one of the trusted certificates. If that image loads further images, those images must also be verified in the same way. vTPM is a virtualized software instance of a traditional physical TPM module. The vTPM enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).

See the following for more information on supported cloud services:

Secure boot in AWS

In AWS environments, you can select a master image (AMI) with NitroTPM and/or UEFI secure boot enabled. Accordingly, the provisioned VMs in the catalog are also enabled with NitroTPM and/or UEFI secure boot. This implementation ensures that the VMs are secured and trusted. For more information on NitroTPM and UEFI Secure Boot, see the Amazon documentation. For creating a catalog enabled with NitroTPM and UEFI secure boot, see Enable NitroTPM and UEFI secure boot for VM instances.

Secure boot in Google Cloud Platform

You can provision shielded virtual machines on GCP. A shielded virtual machine is hardened using a set of security controls that provide verifiable integrity of your Compute Engine instances, using advanced platform security capabilities like secure boot, a virtual trusted platform module, UEFI firmware, and integrity monitoring.

For more information on using PowerShell to create a catalog with shielded VM, see Using PowerShell to create a catalog with shielded VM.

Note:

If you install Windows 11 on the master image, then you must enable vTPM during the master image creation process. Also, you must enable vTPM on the machine profile source (VM or instance template). For information on creating Windows 11 VMs on the sole-tenant node, see Create Windows 11 VMs on the sole-tenant node.

Secure boot in Microsoft Azure

In Azure environments, you can create machine catalogs enabled with Trusted launch. Azure offers trusted launch as a seamless way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques. At the root of trusted launch is secure boot for your VM. Trusted launch also uses the vTPM to perform remote attestation by the cloud. This is used for platform health checks and for making trust-based decisions. You can individually enable secure boot and vTPM. For more information on creating a machine catalog with Trusted launch, see Machine catalogs with Trusted launch.

Secure boot in VMware

MCS supports creating a machine catalog using a vTPM-attached VMware template as the source for the machine profile input. If Windows 11 is installed on the master image, vTPM must be enabled on the master image. Therefore, the VMware template that is the machine profile source must have vTPM attached. For more information, see Create a machine catalog using a machine profile.
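Because every section above comes down to the same rule (the master image or machine profile source must already have UEFI Secure Boot and, for Windows 11, a vTPM), a pre-flight check run inside the master image before the catalog is created saves a failed provisioning round. The following script is an added example, not Citrix code; it uses only the Windows built-in SecureBoot and TrustedPlatformModule cmdlets, so it gives the same answer whether the image sits on AWS (NitroTPM), GCP (Shielded VM), Azure (Trusted launch) or VMware (vTPM), and it must be run from an elevated session.

```powershell
# Added example (not from Citrix): verify inside the guest that the master image
# boots with UEFI Secure Boot and exposes a ready (v)TPM before using it for MCS.
function Test-MasterImageSecureBoot {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Firmware        = 'Unknown'
        SecureBoot      = $false
        TpmPresent      = $false
        TpmReady        = $false
        OsCaption       = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        Windows11       = $false
        ReadyForCatalog = $false
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS (generation 1) machines,
    # which can never meet the Secure Boot requirement.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
        $result.Firmware   = 'UEFI'
    } catch {
        $result.Firmware = 'BIOS'
    }

    # Get-Tpm reports whether a TPM (physical or virtual) is exposed to the guest.
    # A vTPM that is attached but not provisioned shows TpmPresent=True, TpmReady=False.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # No TPM driver or module available: leave both flags at $false.
    }

    # The page requires vTPM on every Windows 11 master image; other OS versions
    # may enable Secure Boot without a TPM, so the TPM check is conditional.
    $result.Windows11 = $result.OsCaption -match 'Windows 11'
    $tpmOk = if ($result.Windows11) { $result.TpmPresent -and $result.TpmReady } else { $true }
    $result.ReadyForCatalog = ($result.Firmware -eq 'UEFI') -and $result.SecureBoot -and $tpmOk

    return [pscustomobject]$result
}

$check = Test-MasterImageSecureBoot
$check | Format-List
if (-not $check.ReadyForCatalog) { exit 1 }
```

A non-zero exit makes the check usable as a gate in the image build pipeline, so a template that lost its vTPM or had Secure Boot switched off is caught before the catalog is provisioned.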
