I have a legacy virtual machine scale set which was not created with Encryption at Host and with Trusted Launch.
First, you’ll need to rebuild any VM image you have so that it supports Trusted Launch: it has to be a Generation 2 image, and its gallery image definition needs the SecurityType feature set to TrustedLaunch (or TrustedLaunchSupported), otherwise the scale set can’t turn Secure Boot and vTPM on for it. I use the Azure Compute Gallery (or whatever it’s called nowadays).
Thankfully, with the right ‘az’ CLI commands you can migrate the existing scale set in place rather than recreating it. Encryption at host also needs the Microsoft.Compute/EncryptionAtHost feature registered on the subscription first (a one-off feature registration). With that done, the two model updates are, specifically:
az vmss update -n my-scale-set -g my-resource-group --set virtualMachineProfile.securityProfile.encryptionAtHost=true
and
az vmss update -n my-scale-set -g my-resource-group --set virtualMachineProfile.storageProfile.imageReference.id="/subscriptions/xxxxxxx/resourceGroups/my-resource-group/providers/Microsoft.Compute/galleries/my-image-gallery/images/ImageWithTrustedLaunch/versions/202504.23.17" --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true
Changing the model does nothing to the instances that are already running, so now you just need to bring them up to the latest model (an instance upgrade, or an Automatic/Rolling upgrade policy). Because the image reference changed, expect them to be reimaged from the new gallery image in the process, so anything not baked into the image is gone. After that the temp disk and disk caches are encrypted on the host, each instance boots with Secure Boot and a vTPM, and you’ll be (perhaps) slightly more “secure”.
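A quick way to confirm the migration actually landed, as an added example that is not part of the original post or any Azure tooling: feed this script the JSON from `az vmss show -n my-scale-set -g my-resource-group -o json` and `az vmss list-instances -n my-scale-set -g my-resource-group -o json`. It checks the scale-set model for encryption at host, the TrustedLaunch security type, Secure Boot and vTPM, and the gallery image reference, then lists the instances that have not yet picked up the new model. The field names are the ones `az vmss show` / `az vmss list-instances` return; the two sample documents and the instance list are constructed here for illustration (the subscription ID is a placeholder), and the `/galleries/` image check is an assumption tied to this post’s use of a Compute Gallery image.

```python
import json

# Constructed sample of `az vmss show ... -o json`, trimmed to the fields the check
# reads. The "before" and "after" shapes are made up for illustration, not captured
# from a real subscription.
LEGACY_VMSS = json.loads("""
{
  "name": "my-scale-set",
  "virtualMachineProfile": {
    "storageProfile": {
      "imageReference": {
        "publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
        "sku": "22_04-lts", "version": "latest"
      }
    },
    "securityProfile": null
  }
}
""")

MIGRATED_VMSS = json.loads("""
{
  "name": "my-scale-set",
  "virtualMachineProfile": {
    "storageProfile": {
      "imageReference": {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Compute/galleries/my-image-gallery/images/ImageWithTrustedLaunch/versions/202504.23.17"
      }
    },
    "securityProfile": {
      "encryptionAtHost": true,
      "securityType": "TrustedLaunch",
      "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}
    }
  }
}
""")

# Constructed sample of `az vmss list-instances ... -o json`, trimmed likewise.
INSTANCES = json.loads("""
[
  {"instanceId": "0", "latestModelApplied": true},
  {"instanceId": "1", "latestModelApplied": false},
  {"instanceId": "3", "latestModelApplied": false}
]
""")


def audit_vmss_model(vmss: dict) -> list[str]:
    """Return a list of findings; an empty list means the scale-set model has everything."""
    findings = []
    profile = vmss.get("virtualMachineProfile") or {}
    sec = profile.get("securityProfile") or {}          # null on a legacy scale set
    uefi = sec.get("uefiSettings") or {}
    image = (profile.get("storageProfile") or {}).get("imageReference") or {}

    if sec.get("encryptionAtHost") is not True:
        findings.append("encryptionAtHost is not enabled")
    if sec.get("securityType") != "TrustedLaunch":
        findings.append(f"securityType is {sec.get('securityType')!r}, expected 'TrustedLaunch'")
    if uefi.get("secureBootEnabled") is not True:
        findings.append("Secure Boot is not enabled")
    if uefi.get("vTpmEnabled") is not True:
        findings.append("vTPM is not enabled")
    # Assumption: the migration points the scale set at a Compute Gallery image.
    if "/galleries/" not in (image.get("id") or ""):
        findings.append("imageReference is not the Compute Gallery image the migration expects")
    return findings


def instances_behind_model(instances: list[dict]) -> list[str]:
    """Instance IDs still on the old model; the new settings are not real until these are upgraded."""
    return [i["instanceId"] for i in instances if not i.get("latestModelApplied")]


if __name__ == "__main__":
    for label, vmss in (("legacy", LEGACY_VMSS), ("migrated", MIGRATED_VMSS)):
        print(f"{label}: " + (" / ".join(audit_vmss_model(vmss)) or "model OK"))
    behind = instances_behind_model(INSTANCES)
    if behind:
        print("instances still on the old model:", ", ".join(behind))
        print("  az vmss update-instances -n my-scale-set -g my-resource-group --instance-ids "
              + " ".join(behind))
```

The instance check matters more than it looks: `az vmss update` only edits the model, and an instance keeps booting without Secure Boot, vTPM or host encryption until it is upgraded, so run the audit again after the upgrade rather than after the update.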