Set-AzVmssSecurityProfile
This cmdlet sets the SecurityType enum (for example TrustedLaunch or ConfidentialVM) on the virtual machine profile of a virtual machine scale set.
Syntax
Set-AzVmssSecurityProfile
[-VirtualMachineScaleSet] <PSVirtualMachineScaleSet>
[[-SecurityType] <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Description
Sets the security type of the virtual machine scale set. The value applies to the scale set's virtual machine profile, so every instance created from it inherits the setting.
Examples
Example 1
$VMSS = Get-AzVmss -ResourceGroupName "ResourceGroup11" -VMScaleSetName "ContosoVM07"
$VMSS = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $VMSS -SecurityType "TrustedLaunch"
The first command gets the virtual machine scale set named ContosoVM07 by using Get-AzVmss. The command stores it in the $VMSS variable. The second command sets the SecurityType enum to "TrustedLaunch".
Example 2: Create a Confidential Vmss resource with encryption type VMGuestStateOnly.
# Common Variables
$rgname = <Resource Group Name>
$loc = "northeurope"
New-AzResourceGroup -Name $rgname -Location $loc -Force
$vmssSize = "Standard_DC2as_v5"
$PublisherName = "MicrosoftWindowsServer"
$Offer = "WindowsServer"
$SKU = '2022-datacenter-smalldisk-g2'
$version = "latest"
$securityType = "ConfidentialVM"
$securityEncryptionType = "VMGuestStateOnly"
$secureboot = $true
$vtpm = $true
# NRP
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix "10.0.0.0/24"
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$vnet = Get-AzVirtualNetwork -Name ('vnet' + $rgname) -ResourceGroupName $rgname
$subnetId = $vnet.Subnets[0].Id
# New VMSS Parameters
$vmssName = 'vmss' + $rgname
$adminUsername = <User Name>
$adminPassword = ConvertTo-SecureString -String "****" -AsPlainText -Force   # "****" is a placeholder; prompt with Read-Host -AsSecureString rather than embedding a literal password
$imgRef = New-Object -TypeName 'Microsoft.Azure.Commands.Compute.Models.PSVirtualMachineImage'
$imgRef.PublisherName = $PublisherName
$imgRef.Offer = $Offer
$imgRef.Skus = $SKU
$imgRef.Version = $version
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$computerNamePrefix = <Name Prefix>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' `
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssOsProfile -ComputerNamePrefix $computerNamePrefix -AdminUsername $adminUsername -AdminPassword $adminPassword `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType `
-ImageReferenceOffer $imgRef.Offer -ImageReferenceSku $imgRef.Skus -ImageReferenceVersion $imgRef.Version `
-ImageReferencePublisher $imgRef.PublisherName
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $securityType
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $vmss -EnableVtpm $vtpm -EnableSecureBoot $secureboot
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName
# SecurityType value can be seen at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType
Example 3: Create a Confidential Vmss resource with encryption type DiskWithVMGuestState and Image reference Disk Encryption set to EncryptedWithPmk.
# Common variables
$rgname = <Resource Group Name>
$loc = "northeurope"
New-AzResourceGroup -ResourceGroupName $rgName -Location $loc -Force
$secureBoot = $true
$vtpm = $true
$vmssName = "vmss" + $rgname
# VM variables
$vmName = <VM Name>
$vmSize = "Standard_DC2as_v5"
$vmssSize = "Standard_DC2as_v5"
$securePassword = ConvertTo-SecureString -String "****" -AsPlainText -Force   # "****" is a placeholder; prompt with Read-Host -AsSecureString rather than embedding a literal password
$username = <User Name>
$vmCred = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
$imagePublisher = "MicrosoftWindowsServer"
$imageOffer = "windowsserver"
$imageSku = "2022-datacenter-smalldisk-g2"
$imageVersion = "latest"
$osDiskSecurityType = "DiskwithVMGuestState"
$vmSecurityType = "ConfidentialVM"
# Network variables
$NetworkName = [system.string]::concat($vmName, '-vnet')
$NICName = [system.string]::concat($vmName, '-nic')
$SubnetName = [system.string]::concat($vmName, '-subnet')
$SubnetAddressPrefix = "10.0.0.0/24"
$VnetAddressPrefix = "10.0.0.0/16"
# Setup Network
$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $rgName `
-Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $rgName `
-Location $loc -SubnetId $Vnet.Subnets[0].Id
# Setup CVM
$virtualMachine = New-AzVMConfig -VMName $vmName -VMSize $vmSize
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $vmName `
-Credential $vmCred -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $imagePublisher `
-Offer $imageOffer -Skus $imageSku -Version $imageVersion
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -StorageAccountType "StandardSSD_LRS" `
-CreateOption "FromImage" -SecurityEncryptionType $osDiskSecurityType
$VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType
$VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true
New-AzVM -ResourceGroupName $rgName -Location $loc -VM $VirtualMachine
$cvm = Get-AzVM -VMName $vmName -ResourceGroupName $rgName
# Image Gallery variables
$galleryName = "rg" + $rgname
$definitionName = "def"+$rgname
$publisherName = "cvm01"
$versionName = "1.0.0"
# Platform Managed Key encryption
$cvmEncryptionType = "EncryptedWithPmk"
$replicaCount = 1
$storageAccountType = "Standard_LRS"
$osState = "Specialized"
$osType = "Windows"
$sourceImageId = $cvm.Id
# Setup Image Gallery
New-AzGallery -ResourceGroupName $rgName -Name $galleryName -location $loc
$imagePublisher = "MicrosoftWindowsServer"
$imageOffer = "windowsserver"
$imageSku = "2022-datacenter-smalldisk-g2"
$vmSecurityType = "ConfidentialVM"
# Setup Image Definition
$SecurityTypeTable = @{Name='SecurityType';Value='ConfidentialVM'}
$features = @($SecurityTypeTable)
New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $definitionName `
-Feature $features -Publisher $imagePublisher -Offer $imageOffer -Sku $imageSku -location $loc `
-OsState $osState -OsType $osType -HyperVGeneration 'V2'
$galDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName
# Setup Image Version
$cvmOsDiskEncryption = @{CVMEncryptionType=$cvmEncryptionType}
$cvmEncryption = @{OSDiskImage = $cvmOsDiskEncryption}
$region = @{Name = $loc; ReplicaCount = $replicaCount; StorageAccountType = $storageAccountType; Encryption = $cvmEncryption}
$targetRegions = @($region)
# Pause the script to ensure the referenced VM is in the Succeeded state. The time needed can vary; this is just a precaution.
Start-Sleep -Seconds 360
New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $definitionName `
-Name $versionName -Location $loc -SourceImageId $sourceImageId -ReplicaCount $replicaCount `
-StorageAccountType $storageAccountType -TargetRegion $targetRegions
$galVersion = Get-AzGalleryImageVersion -ResourceGroupName $rgname -GalleryName $galleryName -GalleryImageDefinitionName $definitionName
# NRP for vmss setup. This is not required if you want to reuse the previous NRP setup.
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix $SubnetAddressPrefix
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $subnet
$subnetId = $vnet.Subnets[0].Id
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId
# Vmss setup
$securityEncryptionType = "DiskWithVMGuestState"
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' -ImageReferenceId $galDefinition.Id `
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $vmSecurityType
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $vmss -EnableVtpm $vtpm -EnableSecureBoot $secureboot
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName
# Verify the Vmss SecurityType at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType
$vmssvms = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName
$vmssvm = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName -InstanceId $vmssvms[0].InstanceId
# Verify the SecurityEncryptionType at $vmssvm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType
Example 4: Create a Confidential Vmss resource with encryption type DiskWithVMGuestState and Image reference Disk Encryption set to EncryptedWithCmk.
# Common Variables
$rgname = <Resource Group Name>;
$loc = "northeurope";
New-AzResourceGroup -ResourceGroupName $rgName -Location $loc -Force;
$secureBoot = $true;
$vtpm = $true;
$vmssName = "vmss" + $rgname;
# VM variables
$vmName = "v" + $rgname;
$vmSize = "Standard_DC2as_v5";
$vmssSize = "Standard_DC2as_v5";
$securePassword = ConvertTo-SecureString -String "****" -AsPlainText -Force;   # "****" is a placeholder; prompt with Read-Host -AsSecureString rather than embedding a literal password
$username = <Username>;
$vmCred = New-Object System.Management.Automation.PSCredential ($username, $securePassword);
$imagePublisher = "MicrosoftWindowsServer";
$imageOffer = "windowsserver";
$imageSku = "2022-datacenter-smalldisk-g2";
$imageVersion = "latest";
$osDiskSecurityType = "DiskwithVMGuestState";
$vmSecurityType = "ConfidentialVM";
$deployCMK = $true;
$storageType = "StandardSSD_LRS";
# Network variables
$NetworkName = $vmname + "-vnet";
$NICName = $vmName + "-nic";
$SubnetName = $vmName + "-subnet";
$SubnetAddressPrefix = "10.0.0.0/24";
$VnetAddressPrefix = "10.0.0.0/16";
# Key Vault setup
$keyVaultName = "kv" + $rgname;
$keyName = "k" + $rgname;
$desName = "des" + $rgname;
$cvmAgent = Get-AzADServicePrincipal -ApplicationId "00001111-aaaa-2222-bbbb-3333cccc4444";
$kv = New-AzKeyVault -Name $keyVaultName -ResourceGroupName $rgName -Location $loc -Sku "Premium" -EnablePurgeProtection -SoftDeleteRetentionInDays 7;
Set-AzKeyVaultAccessPolicy -ObjectId $cvmAgent.Id -VaultName $keyVaultName -ResourceGroupName $rgName -PermissionsToKeys "get","release";
Start-BitsTransfer -Source https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/skr-policy.json -Destination ".\skr-policy.json";
$desKey = Add-AzKeyVaultKey -Name $keyName -VaultName $keyVaultName -KeyOps "wrapKey","unwrapKey" -KeyType "RSA-HSM" -Size 3072 `
-Exportable -ReleasePolicyPath ".\skr-policy.json" -Destination "HSM";
$desConfig = New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $desKey.Id -SourceVaultId $kv.ResourceId -IdentityType "SystemAssigned" `
-EncryptionType "ConfidentialVmEncryptedWithCustomerKey";
$des = New-AzDiskEncryptionSet -DiskEncryptionSet $desConfig -DiskEncryptionSetName $desName -ResourceGroupName $rgName;
$desIdentity = Get-AzADServicePrincipal -ObjectId $des.Identity.PrincipalId -ErrorAction 'SilentlyContinue';
Set-AzKeyVaultAccessPolicy -ObjectId $des.Identity.PrincipalId -ResourceGroupName $rgName -VaultName $keyVaultName -PermissionsToKeys "wrapKey","unwrapKey","get";
$des = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $desName;
# Setup Network
$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix;
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $rgName `
-Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $rgName `
-Location $loc -SubnetId $Vnet.Subnets[0].Id;
# Setup Confidential VM
$virtualMachine = New-AzVMConfig -VMName $vmName -VMSize $vmSize;
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $vmName `
-Credential $vmCred -ProvisionVMAgent -EnableAutoUpdate;
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id;
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $imagePublisher `
-Offer $imageOffer -Skus $imageSku -Version $imageVersion;
$paramSetAzVmOsDisk = @{
VM = $virtualMachine
StorageAccountType = $storageType
CreateOption = "FromImage"
SecurityEncryptionType = $osDiskSecurityType
ErrorAction = 'Stop'
SecureVMDiskEncryptionSet = $des.Id
};
$VirtualMachine = Set-AzVMOSDisk @paramSetAzVmOsDisk;
$VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType;
$VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true;
# Create CVM to be used as Image reference
New-AzVM -ResourceGroupName $rgName -Location $loc -VM $VirtualMachine;
$cvm = Get-AzVM -VMName $vmName -ResourceGroupName $rgName;
# Image Gallery variables
$galleryName = "gal" + $rgname;
$definitionName = "def"+$rgname;
$publisherName = <Publisher Name>;
$versionName = "1.0.0";
# Customer Managed Key encryption
$cvmEncryptionType = "EncryptedWithCmk"
$replicaCount = 1;
$storageAccountType = "Standard_LRS";
$osState = "Specialized";
$osType = "Windows";
$sourceImageId = $cvm.Id;
# Setup Image Gallery
New-AzGallery -ResourceGroupName $rgName -Name $galleryName -location $loc;
# Setup Image Definition
$SecurityTypeTable = @{Name='SecurityType';Value='ConfidentialVM'};
$features = @($SecurityTypeTable);
New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $definitionName `
-Feature $features -Publisher $imagePublisher -Offer $imageOffer -Sku $imageSku -location $loc `
-OsState $osState -OsType $osType -HyperVGeneration 'V2';
$galDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName;
# Setup Image Version
$cvmOsDiskEncryption = @{CVMEncryptionType=$cvmEncryptionType; };
$cvmOsDiskEncryption.Add('CVMDiskEncryptionSetID', $des.Id);
$cvmEncryption = @{OSDiskImage = $cvmOsDiskEncryption};
$region = @{Name = $loc; ReplicaCount = $replicaCount; StorageAccountType = $storageAccountType; Encryption = $cvmEncryption};
$targetRegions = @($region);
# Pause the script to ensure the referenced VM is in the Succeeded state. The time needed can vary; this is just a precaution.
Start-Sleep -Seconds 360;
New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $definitionName `
-Name $versionName -Location $loc -SourceImageId $sourceImageId -ReplicaCount $replicaCount `
-StorageAccountType $storageAccountType -TargetRegion $targetRegions;
$galVersion = Get-AzGalleryImageVersion -ResourceGroupName $rgname -GalleryName $galleryName -GalleryImageDefinitionName $definitionName;
$securityEncryptionType = "DiskWithVMGuestState";
# NRP Vmss setup
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet2' + $rgname) -AddressPrefix $SubnetAddressPrefix;
$vnet = New-AzVirtualNetwork -Force -Name ('vnet2' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $subnet;
$vnet = Get-AzVirtualNetwork -Name ('vnet2' + $rgname) -ResourceGroupName $rgname;
$subnetId = $vnet.Subnets[0].Id;
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId;
# Vmss setup
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' -ImageReferenceId $galDefinition.Id `
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType -SecureVMDiskEncryptionSet $des.Id;
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $vmSecurityType;
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $vmss -EnableVtpm $vtpm -EnableSecureBoot $secureboot;
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss;
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName;
# Verify Vmss SecurityType at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType;
$vmssvms = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName;
$vmssvm = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName -InstanceId $vmssvms[0].InstanceId;
# Verify the SecurityEncryptionType at $vmssvm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType
# Verify that the Gallery Version encryption at $galVersion.PublishingProfile.TargetRegions.Encryption.OSDiskImage.SecurityProfile.ConfidentialVMEncryptionType matches $cvmEncryptionType
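The Validate comments in Examples 2 through 4 say where to look by hand. The following added helper (not part of this cmdlet's documentation or of Az.Compute) performs those checks for every instance and returns the findings as an object. It assumes the Az.Compute property paths shown in the examples, plus UefiSettings.SecureBootEnabled and UefiSettings.VTpmEnabled on the security profile and DiskEncryptionSet.Id on the OS disk security profile; Test-ConfidentialVmssPosture is a hypothetical name.

```powershell
# Added posture check for a Confidential VM scale set (hypothetical helper, not part of Az.Compute).
# Assumed object shapes, taken from the examples above:
#   $Vmss.VirtualMachineProfile.SecurityProfile.SecurityType / .UefiSettings.{SecureBootEnabled,VTpmEnabled}
#   $instance.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.{SecurityEncryptionType,DiskEncryptionSet.Id}
function Test-ConfidentialVmssPosture {
    param(
        [Parameter(Mandatory)] $Vmss,                     # output of Get-AzVmss
        [Parameter(Mandatory)] [object[]] $Instances,     # output of Get-AzVmssVM -InstanceId, one per instance
        [string] $ExpectedSecurityType   = 'ConfidentialVM',
        [string] $ExpectedEncryptionType = 'DiskWithVMGuestState',
        [string] $ExpectedDiskEncryptionSetId             # pass $des.Id when the CMK path of Example 4 was used
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # String comparison with -ne is case-insensitive, so "DiskwithVMGuestState" and "DiskWithVMGuestState" match.
    $profile = $Vmss.VirtualMachineProfile.SecurityProfile
    if ($profile.SecurityType -ne $ExpectedSecurityType) {
        $findings.Add("SecurityType is '$($profile.SecurityType)', expected '$ExpectedSecurityType'")
    }
    # Both ConfidentialVM and TrustedLaunch rely on the UEFI settings applied by Set-AzVmssUefi.
    if (-not $profile.UefiSettings.SecureBootEnabled) { $findings.Add('Secure Boot is not enabled') }
    if (-not $profile.UefiSettings.VTpmEnabled)       { $findings.Add('vTPM is not enabled') }

    foreach ($vm in $Instances) {
        $disk = $vm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile
        if ($disk.SecurityEncryptionType -ne $ExpectedEncryptionType) {
            $findings.Add("Instance $($vm.InstanceId): SecurityEncryptionType is '$($disk.SecurityEncryptionType)', expected '$ExpectedEncryptionType'")
        }
        # Only checked when a customer-managed key was expected; with VMGuestStateOnly no DES is involved.
        if ($ExpectedDiskEncryptionSetId -and $disk.DiskEncryptionSet.Id -ne $ExpectedDiskEncryptionSetId) {
            $findings.Add("Instance $($vm.InstanceId): OS disk is not bound to the expected disk encryption set")
        }
    }

    [pscustomobject]@{
        Name      = $Vmss.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Usage against the scale set created in Example 3 or 4 (variables taken from those examples).
# The list view of Get-AzVmssVM omits disk details, so each instance is fetched again by InstanceId.
$vmssGet   = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName
$instances = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName |
    ForEach-Object { Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName -InstanceId $_.InstanceId }
Test-ConfidentialVmssPosture -Vmss $vmssGet -Instances $instances -ExpectedDiskEncryptionSetId $des.Id
```

Omit -ExpectedDiskEncryptionSetId for Example 3 (platform-managed key), and pass -ExpectedSecurityType 'TrustedLaunch' -ExpectedEncryptionType '' to check a scale set configured as in Example 1.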
Parameters
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: IAzureContextContainer
Aliases: AzContext, AzureRmContext, AzureCredential
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SecurityType
The SecurityType to apply to the virtual machine profile of the scale set, for example TrustedLaunch or ConfidentialVM.
Type: String
Position: 1
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-VirtualMachineScaleSet
The virtual machine scale set profile.
Type: PSVirtualMachineScaleSet
Position: 0
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
Inputs
Outputs