Set-AzVMOSDisk

Sets the operating system disk properties on a virtual machine.

Syntax

Set-AzVMOSDisk
   [-VM] <PSVirtualMachine>
   [[-Name] <String>]
   [[-VhdUri] <String>]
   [[-Caching] <CachingTypes>]
   [[-SourceImageUri] <String>]
   [[-CreateOption] <String>]
   [-DiskSizeInGB <Int32>]
   [-ManagedDiskId <String>]
   [-StorageAccountType <String>]
   [-DiskEncryptionSetId <String>]
   [-WriteAccelerator]
   [-DiffDiskSetting <String>]
   [-DiffDiskPlacement <String>]
   [-DeleteOption <String>]
   [-SecurityEncryptionType <String>]
   [-SecureVMDiskEncryptionSet <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Set-AzVMOSDisk
   [-VM] <PSVirtualMachine>
   [[-Name] <String>]
   [[-VhdUri] <String>]
   [[-Caching] <CachingTypes>]
   [[-SourceImageUri] <String>]
   [[-CreateOption] <String>]
   [-Windows]
   [-DiskSizeInGB <Int32>]
   [-ManagedDiskId <String>]
   [-StorageAccountType <String>]
   [-DiskEncryptionSetId <String>]
   [-WriteAccelerator]
   [-DiffDiskSetting <String>]
   [-DiffDiskPlacement <String>]
   [-DeleteOption <String>]
   [-SecurityEncryptionType <String>]
   [-SecureVMDiskEncryptionSet <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Set-AzVMOSDisk
   [-VM] <PSVirtualMachine>
   [[-Name] <String>]
   [[-VhdUri] <String>]
   [[-Caching] <CachingTypes>]
   [[-SourceImageUri] <String>]
   [[-CreateOption] <String>]
   [-Windows]
   [-DiskEncryptionKeyUrl] <String>
   [-DiskEncryptionKeyVaultId] <String>
   [[-KeyEncryptionKeyUrl] <String>]
   [[-KeyEncryptionKeyVaultId] <String>]
   [-DiskSizeInGB <Int32>]
   [-ManagedDiskId <String>]
   [-StorageAccountType <String>]
   [-DiskEncryptionSetId <String>]
   [-WriteAccelerator]
   [-DiffDiskSetting <String>]
   [-DiffDiskPlacement <String>]
   [-DeleteOption <String>]
   [-SecurityEncryptionType <String>]
   [-SecureVMDiskEncryptionSet <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Set-AzVMOSDisk
   [-VM] <PSVirtualMachine>
   [[-Name] <String>]
   [[-VhdUri] <String>]
   [[-Caching] <CachingTypes>]
   [[-SourceImageUri] <String>]
   [[-CreateOption] <String>]
   [-Linux]
   [-DiskSizeInGB <Int32>]
   [-ManagedDiskId <String>]
   [-StorageAccountType <String>]
   [-DiskEncryptionSetId <String>]
   [-WriteAccelerator]
   [-DiffDiskSetting <String>]
   [-DiffDiskPlacement <String>]
   [-DeleteOption <String>]
   [-SecurityEncryptionType <String>]
   [-SecureVMDiskEncryptionSet <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Set-AzVMOSDisk
   [-VM] <PSVirtualMachine>
   [[-Name] <String>]
   [[-VhdUri] <String>]
   [[-Caching] <CachingTypes>]
   [[-SourceImageUri] <String>]
   [[-CreateOption] <String>]
   [-Linux]
   [-DiskEncryptionKeyUrl] <String>
   [-DiskEncryptionKeyVaultId] <String>
   [[-KeyEncryptionKeyUrl] <String>]
   [[-KeyEncryptionKeyVaultId] <String>]
   [-DiskSizeInGB <Int32>]
   [-ManagedDiskId <String>]
   [-StorageAccountType <String>]
   [-DiskEncryptionSetId <String>]
   [-WriteAccelerator]
   [-DiffDiskSetting <String>]
   [-DiffDiskPlacement <String>]
   [-DeleteOption <String>]
   [-SecurityEncryptionType <String>]
   [-SecureVMDiskEncryptionSet <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

The Set-AzVMOSDisk cmdlet sets the operating system disk properties on a virtual machine.

Examples

Example 1: Set properties on a virtual machine from platform image

$AvailabilitySet = Get-AzAvailabilitySet -ResourceGroupName "ResourceGroup11" -Name "AvailabilitySet13" 
$VirtualMachine = New-AzVMConfig -VMName "VirtualMachine17" -VMSize "Standard_A1" -AvailabilitySetID $AvailabilitySet.Id 
Set-AzVMOSDisk -VM $VirtualMachine -Name "OsDisk12" -VhdUri "os.vhd" -Caching ReadWrite
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Linux -ComputerName "MainComputer" -Credential (Get-Credential) 
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName "Canonical" -Offer "UbuntuServer" -Skus "15.10" -Version "latest"
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -Name "osDisk.vhd" -VhdUri "https://mystorageaccount.blob.core.windows.net/disks/" -CreateOption FromImage
New-AzVM -VM $VirtualMachine -ResourceGroupName "ResourceGroup11"

The first command gets the availability set named AvailabilitySet13 in the resource group named ResourceGroup11, and then stores that object in the $AvailabilitySet variable. The second command creates a virtual machine object, and then stores it in the $VirtualMachine variable. The command assigns a name and size to the virtual machine. The virtual machine belongs to the availability set stored in $AvailabilitySet. The final command sets the properties on the virtual machine in $VirtualMachine.

Example 2: Sets properties on a virtual machine from generalized user image

$AvailabilitySet = Get-AzAvailabilitySet -ResourceGroupName "ResourceGroup11" -Name "AvailabilitySet13" 
$VirtualMachine = New-AzVMConfig -VMName "VirtualMachine17" -VMSize "Standard_A1"
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Linux -ComputerName "MainComputer" -Credential (Get-Credential)
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -Name "osDisk.vhd" -SourceImageUri "https://mystorageaccount.blob.core.windows.net/vhds/myOSImage.vhd" -VhdUri "https://mystorageaccount.blob.core.windows.net/disks/" -CreateOption fromImage -Linux
New-AzVM -VM $VirtualMachine -ResourceGroupName "ResourceGroup11"

The first command gets the availability set named AvailabilitySet13 in the resource group named ResourceGroup11 and stores that object in the $AvailabilitySet variable. The second command creates a virtual machine object and stores it in the $VirtualMachine variable. The command assigns a name and size to the virtual machine. The virtual machine belongs to the availability set stored in $AvailabilitySet. The final command sets the properties on the virtual machine in $VirtualMachine.

Example 3: Sets properties on a virtual machine from specialized user image

$AvailabilitySet = Get-AzAvailabilitySet -ResourceGroupName "ResourceGroup11" -Name "AvailabilitySet13" 
$VirtualMachine = New-AzVMConfig -VMName "VirtualMachine17" -VMSize "Standard_A1"
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -Name "osDisk.vhd" -VhdUri "https://mystorageaccount.blob.core.windows.net/disks/" -CreateOption Attach -Linux
New-AzVM -VM $VirtualMachine -ResourceGroupName "ResourceGroup11"

The first command gets the availability set named AvailabilitySet13 in the resource group named ResourceGroup11 and stores that object in the $AvailabilitySet variable. The second command creates a virtual machine object and stores it in the $VirtualMachine variable. The command assigns a name and size to the virtual machine. The virtual machine belongs to the availability set stored in $AvailabilitySet. The final command sets the properties on the virtual machine in $VirtualMachine.

Example 4: Set the disk encryption settings on a virtual machine operating system disk

$VirtualMachine = New-AzVMConfig -VMName "VirtualMachine17" -VMSize "Standard_A1"
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -Name "OsDisk12" -VhdUri "os.vhd" -Caching ReadWrite -Windows -CreateOption "Attach" -DiskEncryptionKeyUrl "https://mytestvault.vault.azure.net/secrets/Test1/514ceb769c984379a7e0230bddaaaaaa" -DiskEncryptionKeyVaultId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mytestvault"
New-AzVM -VM $VirtualMachine -ResourceGroupName " ResourceGroup11"

This example sets the disk encryption settings on a virtual machine operating system disk.

Example 5: Create a ConfidentialVM virtual machine with VM OS Disk encryption of DiskWithVMGuestState, and Disk Encryption Set encryption of ConfidentialVmEncryptedWithCustomerKey.

$keyVaultName="your keyvault name"
$keyName="your key name"
$vmSize = "Standard_DC2as_v5";        
$identityType = "SystemAssigned";
$secureEncryptGuestState = "DiskWithVMGuestState";
$vmSecurityType = "ConfidentialVM";
$user = "your user name";
$desName = "your disk encryption set name";
$vmname = "your vm name";
$computerName = "your computer name"; 
$ResourceGroupName = 'your resource group name'
$Location = 'northeurope'

# Create Resource Group
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -force;

#create a credential object
$securePassword = ConvertTo-SecureString -String "Password to your virtual machine here" -AsPlainText -Force; 
$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);

# Create Key Vault
New-AzKeyVault -Name $keyVaultName -Location $Location -ResourceGroupName $ResourceGroupName -Sku Premium -EnabledForDiskEncryption -DisableRbacAuthorization -SoftDeleteRetentionInDays 10 -EnablePurgeProtection;

$cvmAgent = Get-AzADServicePrincipal -ApplicationId 'bf7b6499-ff71-4aa2-97a4-f372087be7f0'; #AppID of CVM Agent, this is a constant value but locate the SP ID for your tenant
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $ResourceGroupName -ObjectId $cvmAgent.id -PermissionsToKeys get,release;

# Add Key vault Key
$KeyName = "keyname";
$KeySize = 3072;

Add-AzKeyVaultKey -VaultName $keyVaultName -Name $KeyName -Size $KeySize -KeyOps wrapKey,unwrapKey -KeyType RSA -Destination HSM -Exportable -UseDefaultCVMPolicy;
        
# Capture Key Vault and Key details
$encryptionKeyVaultId = (Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $ResourceGroupName).ResourceId;
$encryptionKeyURL = (Get-AzKeyVaultKey -VaultName $keyVaultName -KeyName $keyName).Key.Kid;

# Create new DES Config and Disk Encryption Set
$diskEncryptionType = "ConfidentialVmEncryptedWithCustomerKey";
$desConfig = New-AzDiskEncryptionSetConfig -Location $Location -SourceVaultId $encryptionKeyVaultId -KeyUrl $encryptionKeyURL -IdentityType SystemAssigned -EncryptionType $diskEncryptionType;
New-AzDiskEncryptionSet -ResourceGroupName $ResourceGroupName -Name $desName -DiskEncryptionSet $desConfig;
        
$diskencset = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $desName;
        
# Assign DES Access Policy to key vault
$desIdentity = (Get-AzDiskEncryptionSet -Name $desName -ResourceGroupName $ResourceGroupName).Identity.PrincipalId;
        
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $ResourceGroupName -ObjectId $desIdentity -PermissionsToKeys wrapKey,unwrapKey,get -BypassObjectIdValidation;
        
$VirtualMachine = New-AzVMConfig -VMName $VMName -VMSize $vmSize;
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $computerName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate;
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'windowsserver' -Skus '2022-datacenter-smalldisk-g2' -Version "latest";
        
$subnet = New-AzVirtualNetworkSubnetConfig -Name ($subnetPrefix + $ResourceGroupName) -AddressPrefix "10.0.0.0/24";
$vnet = New-AzVirtualNetwork -Force -Name ($vnetPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $Location -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
$vnet = Get-AzVirtualNetwork -Name ($vnetPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName;
$subnetId = $vnet.Subnets[0].Id;
$pubip = New-AzPublicIpAddress -Force -Name ($pubIpPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $Location -AllocationMethod Static -DomainNameLabel $domainNameLabel2;
$pubip = Get-AzPublicIpAddress -Name ($pubIpPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName;
$pubipId = $pubip.Id;


$nic = New-AzNetworkInterface -Force -Name ($nicPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName -Location $Location -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
$nic = Get-AzNetworkInterface -Name ($nicPrefix + $ResourceGroupName) -ResourceGroupName $ResourceGroupName;
$nicId = $nic.Id;

$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $nicId;

# Set VM SecurityType and connect to DES
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -StorageAccountType "StandardSSD_LRS" -CreateOption "FromImage" -SecurityEncryptionType $secureEncryptGuestState -SecureVMDiskEncryptionSet $diskencset.Id;
$VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType;
$VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true;

New-AzVM -ResourceGroupName $ResourceGroupName -Location $Location -Vm $VirtualMachine;
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vmname;

# Verify the SecurityEncryptionType value on the disk.
# $vm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType == 'DiskWithVMGuestState';

Parameters

-Caching

Specifies the caching mode of the operating system disk. Valid values are:

  • ReadOnly
  • ReadWrite The default value is ReadWrite. Changing the caching value causes the virtual machine to restart. This setting affects the performance of the disk.
Type:Nullable<T>[CachingTypes]
Accepted values:None, ReadOnly, ReadWrite
Position:3
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CreateOption

Specifies whether this cmdlet creates a disk in the virtual machine from a platform or user image, or attaches an existing disk. Valid values are:

  • Attach. Specify this option to create a virtual machine from a specialized disk. When you specify this option, do not specify the SourceImageUri parameter. Instead, use the Set-AzVMSourceImage cmdlet. You must also use the use the Windows or Linux parameters to tell the azure platform the type of the operating system on the VHD. The VhdUri parameter is enough to tell the azure platform the location of the disk to attach.
  • FromImage. Specify this option to create a virtual machine from a platform image or a generalized user image. In the case of a generalized user image, you also need to specify the SourceImageUri parameter and either the Windows or Linux parameters to tell the Azure platform the location and type of the operating system disk VHD instead of using the Set-AzVMSourceImage cmdlet. In the case of a platform image, the VhdUri parameter is sufficient.
  • Empty.
Type:String
Position:5
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DeleteOption

Specifies OS Disk delete option after VM deletion. Options are Detach, Delete

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DiffDiskPlacement

Specifies the ephemeral disk placement for operating system disk. This property can be used by user in the request to choose the location i.e. cache disk or resource disk space for Ephemeral OS disk provisioning. For more information on Ephemeral OS disk size requirements, please refer Ephemeral OS disk size requirements for Windows VM at https://learn.microsoft.com/azure/virtual-machines/windows/ephemeral-os-disks#size-requirements and Linux VM at https://learn.microsoft.com/azure/virtual-machines/linux/ephemeral-os-disks#size-requirements. This parameter can only be used if the parameter DiffDiskSetting is set to 'Local'.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DiffDiskSetting

Specifies the differencing disk settings for operating system disk.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DiskEncryptionKeyUrl

Specifies the location of the disk encryption key.

Type:String
Position:7
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-DiskEncryptionKeyVaultId

Specifies the resource ID of the Key Vault containing the disk encryption key.

Type:String
Position:8
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-DiskEncryptionSetId

Specifies the resource Id of customer managed disk encryption set. This can only be specified for managed disk.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DiskSizeInGB

Specifies the size, in GB, of the operating system disk.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-KeyEncryptionKeyUrl

Specifies the location of the key encryption key.

Type:String
Position:9
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-KeyEncryptionKeyVaultId

Specifies the resource ID of the Key Vault containing the key encryption key.

Type:String
Position:10
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Linux

Indicates that the operating system on the user image is Linux. Specify this parameter for user image based virtual machine deployment.

Type:SwitchParameter
Position:6
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ManagedDiskId

Specifies the ID of a managed disk.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Name

Specifies the name of the operating system disk.

Type:String
Aliases:OSDiskName, DiskName
Position:1
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SecureVMDiskEncryptionSet

ARM Resource ID for Disk Encryption Set. Allows customer to provide ARM ID for Disk Encryption Set created with ConfidentialVmEncryptedWithCustomerKey encryption type. This will allow customer to use Customer Managed Key (CMK) encryption with Confidential VM. Parameter SecurityEncryptionType value should be DiskwithVMGuestState.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-SecurityEncryptionType

Sets the SecurityEncryptionType value on the managed disk of the VM. possible values include: TrustedLaunch, ConfidentialVM_DiskEncryptedWithCustomerKey, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-SourceImageUri

Specifies the URI of the VHD for user image scenarios.

Type:String
Aliases:SourceImage
Position:4
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-StorageAccountType

Specifies the storage account type of managed disk.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-VhdUri

Specifies the Uniform Resource Identifier (URI) of a virtual hard disk (VHD). For an image based virtual machine, this parameter specifies the VHD file to create when a platform image or user image is specified. This is the location from which the image binary large object (BLOB) is copied to start the virtual machine. For a disk based virtual machine boot scenario, this parameter specifies the VHD file that the virtual machine uses directly for starting up.

Type:String
Aliases:OSDiskVhdUri, DiskVhdUri
Position:2
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-VM

Specifies the local virtual machine object on which to set operating system disk properties. To obtain a virtual machine object, use the Get-AzVM cmdlet.

Type:PSVirtualMachine
Aliases:VMProfile
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Windows

Indicates that the operating system on the user image is Windows.

Type:SwitchParameter
Position:6
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WriteAccelerator

Specifies whether WriteAccelerator should be enabled or disabled on the OS disk.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSVirtualMachine

String

Outputs

PSVirtualMachine