Set-AzDiskSecurityProfile

Module:: Az.Compute Module

Set SecurityProfile on managed disk

Syntax

Default (Default)

Set-AzDiskSecurityProfile
    [-Disk] <PSDisk>
    -SecurityType <String>
    [-SecureVMDiskEncryptionSet <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

Set the SecurityProfile on managed disks.

Examples

Example 1

$diskconfig = New-AzDiskConfig -DiskSizeGB 10 -AccountType PremiumLRS -OsType Windows -CreateOption FromImage;
$image = '/subscriptions/0000000-0000-0000-0000-000000000000/resourceGroups/ResourceGroup01/providers/Microsoft.Compute/images/TestImage123';
$diskconfig = Set-AzDiskImageReference -Disk $diskconfig -Id $image -Lun 0;
$diskconfig = Set-AzDiskSecurityProfile -Disk $diskconfig -SecurityType "TrustedLaunch";
$disk = New-AzDisk -ResourceGroupName 'ResourceGroup01' -DiskName 'Disk01' -Disk $diskconfig;
# $disk.Properties.SecurityProfile.SecurityType == "TrustedLaunch";

Customers can set the SecurityType of managed Disks.

Example 2: Create a Disk with a Disk Encryption Set with the encryption type of ConfidentialVM_DiskEncryptedWithCustomerKey

$Location = "northeurope";
$KeyVaultName = "val" + $rgname;
$KeyName = "key" + $rgname;
$DesName= "des" + $rgname;
$KeySize = 3072;

$SecurePassword = ConvertTo-SecureString -String "****" -AsPlainText -Force;
$User = "Username";
$Cred = New-Object System.Management.Automation.PSCredential ($User, $SecurePassword);

New-AzKeyVault -Name $KeyVaultName -Location $Location -ResourceGroupName $ResourceGroupName -Sku Premium -EnablePurgeProtection -EnabledForDiskEncryption;

# Add Key vault Key
Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyName -Size $KeySize -KeyOps wrapKey,unwrapKey -KeyType RSA -Destination HSM -Exportable -UseDefaultCVMPolicy;

# Capture Keyvault and key details
$KeyVaultId = (Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName).ResourceId;
$KeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -KeyName $KeyName).Key.Kid;

# Create new DES Config and DES
$diskEncryptionType = "ConfidentialVmEncryptedWithCustomerKey";
$desConfig = New-AzDiskEncryptionSetConfig -Location $Location -SourceVaultId $keyvaultId -KeyUrl $keyUrl -IdentityType SystemAssigned -EncryptionType $diskEncryptionType;
New-AzDiskEncryptionSet -ResourceGroupName $ResourceGroupName -Name $DesName -DiskEncryptionSet $desConfig;
$diskencset = Get-AzDiskEncryptionSet -ResourceGroupName $ResourceGroupName -Name $desName;

# Assign DES Access Policy to key vault
$desIdentity = (Get-AzDiskEncryptionSet -Name $DesName -ResourceGroupName $ResourceGroupName).Identity.PrincipalId;
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -ObjectId $desIdentity -PermissionsToKeys wrapKey,unwrapKey,get -BypassObjectIdValidation;

$diskSecurityType = "ConfidentialVM_DiskEncryptedWithCustomerKey";
$diskName = "diskname";
$diskconfig = New-AzDiskConfig -AccountType Premium_LRS -OsType Windows -CreateOption FromImage -Location $Location;
$diskconfig = Set-AzDiskImageReference -Disk $diskconfig -Id "/Subscriptions/e37510d7-33b6-4676-886f-ee75bcc01871/Providers/Microsoft.Compute/Locations/northeurope/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/windows-cvm/Skus/2019-datacenter-cvm/Versions/latest";
$diskconfig = Set-AzDiskSecurityProfile -Disk $diskconfig -SecurityType $diskSecurityType -SecureVMDiskEncryptionSet $diskencset.id;
New-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $diskName -Disk $diskconfig;
$disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $diskName;
# Verify the SecurityType value.
# $disk.Properties.SecurityProfile.SecurityType returns "ConfidentialVM";

Example 3: Set the SecurityType to Standard to avoid TrustedLaunch defaulting.

$rgname = <Resource Group Name>;
$loc = <Azure Region>;
New-AzResourceGroup -Name $rgname -Location $loc -Force;
$securityTypeStnd = "Standard";

# Standard SecurityType
$diskconfig = New-AzDiskConfig -Location $loc -DiskSizeGB 1 -AccountType "Premium_LRS" -OsType "Windows" -CreateOption "Empty" -HyperVGeneration "V1";
$diskname = "diskstnd" + $rgname;
$diskconfig = Set-AzDiskSecurityProfile -Disk $diskconfig -SecurityType $securityTypeStnd;
$diskPr = New-AzDisk -ResourceGroupName $rgname -DiskName $diskname -Disk $diskconfig;
$disk = Get-AzDisk -ResourceGroupName $rgname -DiskName $diskname;
# Verify $disk.SecurityProfile is null;

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	cf

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:	IAzureContextContainer
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Disk

Disk Security Profile

Parameter properties

Type:	PSDisk
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	DiskSecurityProfile

Parameter sets

(All)

Position:	0
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	True
Value from remaining arguments:	False

-SecureVMDiskEncryptionSet

ResourceId of the disk encryption set to use for enabling encryption at rest.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-SecurityType

Security Type of Disk

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	True
Value from remaining arguments:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	wi

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Share via

Set-AzDiskSecurityProfile

Syntax

Default (Default)

Description

Examples

Example 1

Example 2: Create a Disk with a Disk Encryption Set with the encryption type of ConfidentialVM_DiskEncryptedWithCustomerKey

Example 3: Set the SecurityType to Standard to avoid TrustedLaunch defaulting.

Parameters

-Confirm

Parameter properties

Parameter sets

-DefaultProfile

Parameter properties

Parameter sets

-Disk

Parameter properties

Parameter sets

-SecureVMDiskEncryptionSet

Parameter properties

Parameter sets

-SecurityType

Parameter properties

Parameter sets

-WhatIf

Parameter properties

Parameter sets

CommonParameters

Inputs

PSDisk

String

Outputs

PSDisk

Feedback