How to enable vtpm for a confidential VM using the cli

cloud D 40 Reputation points
2025-04-21T04:28:32.1666667+00:00

I am trying to create an Azure Confidential VM using the cli.
I already created a

Public IP address

Network security group

Network Interface

Disk

Network security group

and I would like to create the VM. I ran

az vm create \
 --name azure-temp \
 --resource-group resource_group \
 --size Standard_DC2ads_v5 \
 --availability-set "" \
 --security-type ConfidentialVM \
 --os-disk-security-encryption-type VMGuestStateOnly \
 --attach-os-disk azure-temp_OsDisk_1_38c7bcf90d4f4509965907685112e8b1 \
 --os-type Linux \
 --ssh-key-name azure \
 --nics azure-temp535 \
 --custom-data cloud-init.yaml

but I'm getting the error:

Confidential VM or Virtual Machine Scale Set VM with 'managedDisk.securityProfile.securityEncryptionType' set as VMGuestStateOnly should have securityProfile.uefiSettings.vtpmEnabled set to true.

I can't figure out how to enable vtpm. How can that be done?

Azure Virtual Machines

1 answer
  1. Chakaravarthi Rangarajan Bhargavi 1,030 Reputation points MVP
    2025-04-21T04:47:15.44+00:00

    Hi cloud D,

    Welcome to the Microsoft Q&A forum and thank you for your question.

    You're attempting to create a Confidential VM using the Azure CLI with the following configuration:

    VM Size: Standard_DC2ads_v5 (Confidential Compute SKU)

    Security Type: ConfidentialVM

    OS Disk Security Encryption: VMGuestStateOnly

    However, you're encountering the following error:

    "Confidential VM or Virtual Machine Scale Set VM with 'managedDisk.securityProfile.securityEncryptionType' set as VMGuestStateOnly should have securityProfile.uefiSettings.vtpmEnabled set to true."

    Root Cause

    When using:

    --security-type ConfidentialVM 
    --os-disk-security-encryption-type VMGuestStateOnly
    

    Azure requires that UEFI settings be explicitly enabled, particularly:

    vtpmEnabled = true

    (Optionally) secureBootEnabled = true

    Note: As of now, the az vm create command does not expose CLI flags to configure UEFI settings like vTPM during VM creation.

    Solution:

    To resolve this, you must first create the VM and then patch it afterward using the az vm update command to enable vTPM.

    Step-by-Step CLI Instructions

    Step 1: Create the VM

    az vm create \
      --name azure-temp \
      --resource-group resource_group \
      --size Standard_DC2ads_v5 \
      --security-type ConfidentialVM \
      --os-disk-security-encryption-type VMGuestStateOnly \
      --os-type Linux \
      --ssh-key-name azure \
      --nics azure-temp535 \
      --custom-data cloud-init.yaml
    

    Step 2: Enable vTPM and Secure Boot

    az vm update \
      --name azure-temp \
      --resource-group resource_group \
      --set securityProfile.uefiSettings.vtpmEnabled=true \
            securityProfile.uefiSettings.secureBootEnabled=true
    

    This updates the VM’s UEFI settings to fulfill the compliance required for VMGuestStateOnly encryption under Confidential Compute.

    Verify Configuration:

    az vm show \
      --name azure-temp \
      --resource-group resource_group \
      --query "securityProfile.uefiSettings"
    

    Expected output:

    {
      "secureBootEnabled": true,
      "vtpmEnabled": true
    }
    

    References

    Confidential VM CLI Reference – Azure REST API

    UEFI Settings and vTPM Requirements

    Confidential Compute + Semantic Search Overview

    Let me know if you'd like help scripting this flow or integrating it into an automated deployment pipeline — happy to help!

    Regards,
    Chakravarthi Rangarajan Bhargavi

    - If this answer helped, please click 'Yes' and accept the answer to help others in the community. Thank you! 😊

    0 comments No comments
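As an added example, not code from the question or the answer above: the Azure CLI does accept `--enable-vtpm` and `--enable-secure-boot` on `az vm create`, so the `securityProfile.uefiSettings` values the error message asks for can be supplied in the same request that sets `VMGuestStateOnly`, with no create-then-update round trip. The script uses the resource names from the question as placeholders, leaves out the SSH-key and cloud-init flags (add whatever your deployment needs), and adds a small check function that reads the `az vm show --query securityProfile` JSON and only succeeds when the VM is a ConfidentialVM with both vTPM and Secure Boot on. The check is a constructed helper built on grep so it runs without jq; set RUN_CVM=1 to run the whole flow against Azure, otherwise the script only defines the functions.

```sh
#!/bin/sh
# Added example, not code from the original question or answer: request vTPM and
# Secure Boot in the same `az vm create` call that sets VMGuestStateOnly, then verify.
# Resource names are the placeholders used in the question; RUN_CVM=1 executes
# against Azure, otherwise only the functions are defined.
set -eu

RG="${RG:-resource_group}"
VM="${VM:-azure-temp}"
NIC="${NIC:-azure-temp535}"
OS_DISK="${OS_DISK:-azure-temp_OsDisk_1_38c7bcf90d4f4509965907685112e8b1}"

# VMGuestStateOnly encrypts the guest state (including the vTPM state) and so
# requires vtpmEnabled=true; --enable-vtpm / --enable-secure-boot populate
# securityProfile.uefiSettings at creation time instead of in a later az vm update.
# SSH-key and cloud-init flags from the question are left out; add what you need.
create_cvm() {
  az vm create \
    --name "$VM" \
    --resource-group "$RG" \
    --size Standard_DC2ads_v5 \
    --security-type ConfidentialVM \
    --os-disk-security-encryption-type VMGuestStateOnly \
    --enable-vtpm true \
    --enable-secure-boot true \
    --attach-os-disk "$OS_DISK" \
    --os-type Linux \
    --nics "$NIC"
}

# Print the VM's security profile as JSON (securityType plus uefiSettings).
show_security_profile() {
  az vm show --name "$VM" --resource-group "$RG" --query securityProfile -o json
}

# Read that JSON on stdin and return 0 only when securityType is ConfidentialVM and
# both vtpmEnabled and secureBootEnabled are true. Matches az's pretty-printed
# "key": value layout with grep so it needs no jq; anything else fails closed.
check_security_profile() {
  json=$(cat)
  printf '%s\n' "$json" | grep -Eq '"securityType":[[:space:]]*"ConfidentialVM"' || return 1
  printf '%s\n' "$json" | grep -Eq '"vtpmEnabled":[[:space:]]*true' || return 1
  printf '%s\n' "$json" | grep -Eq '"secureBootEnabled":[[:space:]]*true' || return 1
}

if [ "${RUN_CVM:-0}" = 1 ]; then
  create_cvm
  if show_security_profile | check_security_profile; then
    echo "vTPM and Secure Boot are enabled on $VM"
  else
    echo "security profile on $VM does not match the expected settings" >&2
    exit 1
  fi
fi
```

Run it after `az login` with `RUN_CVM=1 RG=<your-group> sh create-cvm.sh`; `check_security_profile` can also be fed the output of the `az vm show` command from the answer to confirm that a post-creation `az vm update` actually took effect, since it fails closed on any profile where either setting is missing or false.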
