@@ -127,36 +127,45 @@ This example sets the disk encryption settings on a virtual machine operating sy
127127
128128### Example 5: Create a ConfidentialVM virtual machine with VM OS Disk encryption of DiskWithVMGuestState, and Disk Encryption Set encryption of ConfidentialVmEncryptedWithCustomerKey.
129129``` powershell
130- # Create Resource Group
131- $Location = 'northeurope';
132- New-AzResourceGroup -Name $ResourceGroupName -Location $Location;
133-
130+ $keyVaultName="your keyvault name"
131+ $keyName="your key name"
134132$vmSize = "Standard_DC2as_v5";
135133$identityType = "SystemAssigned";
136134$secureEncryptGuestState = "DiskWithVMGuestState";
137135$vmSecurityType = "ConfidentialVM";
138- $securePassword = ConvertTo-SecureString -String "****" -AsPlainText -Force;
136+ $user = "your user name";
137+ $desName = "your disk encryption set name";
138+ $vmname = "your vm name";
139+ $computerName = "your computer name";
140+ $ResourceGroupName = 'your resource group name'
141+ $Location = 'northeurope'
142+
143+ # Create Resource Group
144+ New-AzResourceGroup -Name $ResourceGroupName -Location $Location -force;
145+
146+ #create a credential object
147+ $securePassword = ConvertTo-SecureString -String "Password to your virtual machine here" -AsPlainText -Force;
139148$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
140149
141150# Create Key Vault
142- New-AzKeyVault -Name $keyVaultName -Location $Location -ResourceGroupName $ResourceGroupName -Sku Premium -EnablePurgeProtection -EnabledForDiskEncryption ;
151+ New-AzKeyVault -Name $keyVaultName -Location $Location -ResourceGroupName $ResourceGroupName -Sku Premium -EnabledForDiskEncryption -DisableRbacAuthorization -SoftDeleteRetentionInDays 10 -EnablePurgeProtection ;
143152
144- $cvmAgent = Get-AzADServicePrincipal -ApplicationId '00001111-aaaa-2222-bbbb-3333cccc4444';
153+ $cvmAgent = Get-AzADServicePrincipal -ApplicationId 'bf7b6499-ff71-4aa2-97a4-f372087be7f0'; #AppID of CVM Agent, this is a constant value but locate the SP ID for your tenant
145154Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $ResourceGroupName -ObjectId $cvmAgent.id -PermissionsToKeys get,release;
146155
147156# Add Key vault Key
148157$KeyName = "keyname";
149158$KeySize = 3072;
150159
151- Add-AzKeyVaultKey -VaultName $kvname -Name $KeyName -Size $KeySize -KeyOps wrapKey,unwrapKey -KeyType RSA -Destination HSM -Exportable -UseDefaultCVMPolicy;
160+ Add-AzKeyVaultKey -VaultName $keyVaultName -Name $KeyName -Size $KeySize -KeyOps wrapKey,unwrapKey -KeyType RSA -Destination HSM -Exportable -UseDefaultCVMPolicy;
152161
153162# Capture Key Vault and Key details
154163$encryptionKeyVaultId = (Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $ResourceGroupName).ResourceId;
155164$encryptionKeyURL = (Get-AzKeyVaultKey -VaultName $keyVaultName -KeyName $keyName).Key.Kid;
156165
157166# Create new DES Config and Disk Encryption Set
158167$diskEncryptionType = "ConfidentialVmEncryptedWithCustomerKey";
159- $desConfig = New-AzDiskEncryptionSetConfig -Location $loc -SourceVaultId $encryptionKeyVaultId -KeyUrl $encryptionKeyURL -IdentityType SystemAssigned -EncryptionType $diskEncryptionType;
168+ $desConfig = New-AzDiskEncryptionSetConfig -Location $Location -SourceVaultId $encryptionKeyVaultId -KeyUrl $encryptionKeyURL -IdentityType SystemAssigned -EncryptionType $diskEncryptionType;
160169New-AzDiskEncryptionSet -ResourceGroupName $ResourceGroupName -Name $desName -DiskEncryptionSet $desConfig;
161170
162171$diskencset = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $desName;
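Review bot: The new placeholder `$keyName="your key name"` at the top of the example is dead code, because PowerShell variable names are case-insensitive and the unchanged `$KeyName = "keyname";` further down the same hunk overwrites it before `Add-AzKeyVaultKey` and `Get-AzKeyVaultKey` run, so the key is created under the literal name "keyname" rather than the value the reader filled in. Keep a single assignment, e.g. leave `$keyName = "your key name"` in the placeholder block and remove `$KeyName = "keyname";`. The hunk's last line, `$diskencset = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $desName;`, still uses `$rgname`, which the new placeholder block does not define (every other call was migrated to `$ResourceGroupName`), so unless it is set outside the hunk the script fails here; change it to `-ResourceGroupName $ResourceGroupName`. Since the example is meant to be pasted and run, consider `$securePassword = Read-Host -Prompt 'VM password' -AsSecureString` in place of the inline `ConvertTo-SecureString -String "..." -AsPlainText -Force`, so the credential never ends up in the saved script or shell history.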
@@ -171,25 +180,27 @@ $VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -Computer
171180$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'windowsserver' -Skus '2022-datacenter-smalldisk-g2' -Version "latest";
172181
173182$subnet = New-AzVirtualNetworkSubnetConfig -Name ($subnetPrefix + $ResourceGroupName) -AddressPrefix "10.0.0.0/24";
174- $vnet = New-AzVirtualNetwork -Force -Name ($vnetPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
183+ $vnet = New-AzVirtualNetwork -Force -Name ($vnetPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $Location -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
175184$vnet = Get-AzVirtualNetwork -Name ($vnetPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName;
176185$subnetId = $vnet.Subnets[0].Id;
177- $pubip = New-AzPublicIpAddress -Force -Name ($pubIpPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $loc -AllocationMethod Dynamic -DomainNameLabel $domainNameLabel2;
186+ $pubip = New-AzPublicIpAddress -Force -Name ($pubIpPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $Location -AllocationMethod Static -DomainNameLabel $domainNameLabel2;
178187$pubip = Get-AzPublicIpAddress -Name ($pubIpPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName;
179188$pubipId = $pubip.Id;
180- $nic = New-AzNetworkInterface -Force -Name ($nicPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $loc -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
189+
190+
191+ $nic = New-AzNetworkInterface -Force -Name ($nicPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $Location -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
181192$nic = Get-AzNetworkInterface -Name ($nicPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName;
182193$nicId = $nic.Id;
183194
184195$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $nicId;
185196
186197# Set VM SecurityType and connect to DES
187198$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -StorageAccountType "StandardSSD_LRS" -CreateOption "FromImage" -SecurityEncryptionType $secureEncryptGuestState -SecureVMDiskEncryptionSet $diskencset.Id;
188- $VirtualMachine = Set-AzVmSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType;
189- $VirtualMachine = Set-AzVmUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true;
199+ $VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType;
200+ $VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true;
190201
191- New-AzVM -ResourceGroupName $ResourceGroupName -Location $loc -Vm $VirtualMachine;
192- $vm = Get-AzVm -ResourceGroupName $ResourceGroupName -Name $vmname;
202+ New-AzVM -ResourceGroupName $ResourceGroupName -Location $Location -Vm $VirtualMachine;
203+ $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vmname;
193204
194205# Verify the SecurityEncryptionType value on the disk.
195206# $vm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType == 'DiskWithVMGuestState';