Related command
Resource Provider
Microsoft.Compute/virtualMachines
Description of Feature or Work Requested
Gen2+TLVM as default (Preferred)
As part of making the compute layer secure for customers to deploy workloads, the request is to make Trusted Launch (GA date: November 2021) the default deployment option in CLI. The following changes will need to be made for the same:
Scenario 1 - User creates VM from existing disk using `az vm create --attach-os-disk`

Present Behavior:
- New VM with existing managed disk: User runs command `az vm create -g MyResourceGroup -n MyVm --attach-os-disk MyOsDisk --os-type linux --size VMSize`. The VM is created with the specified configuration. If the `--size` parameter is not specified, CLI deploys the VM with size Standard_DS1_v2.

Updated Behavior post change:
- Updated default parameters and sequence: User runs command `az vm create -g MyResourceGroup -n MyVm --attach-os-disk MyOsDisk --os-type linux --size VMSize`. CLI should check the capabilities available for the VM size using the Resource SKU List API and the managed disk configuration using `az disk show`. If the `--size` parameter is not specified, CLI deploys the VM with size Standard_DS1_v2.
- Conditions:
  - If the VM size and the managed disk both support HyperVGeneration = V2 and SecurityType = TrustedLaunch, the following parameters are set by default:
    - `--enable-secure-boot` with value false
    - `--enable-vtpm` with value true
    - `--security-type` with value TrustedLaunch
    - `--disable-integrity-monitoring`
  - If the VM size and the managed disk passed by the user both support HyperVGeneration = V2 but one or both of them do not support SecurityType = TrustedLaunch, the VM is deployed as a Generation 2 VM without turning on the Trusted Launch related parameters mentioned above.
  - If the VM size passed by the user does not support Generation 2 but the managed disk provided has property HyperVGeneration = V2, the API will throw an error. If a check can be added in CLI, that would be ideal.
  - If the VM size or the managed disk passed by the user does not support Trusted Launch but the user passes any of the below parameters explicitly, the API will throw an error; if a check can be added in CLI, that would be ideal:
    - `--enable-secure-boot` with value true
    - `--enable-vtpm` with value true
    - `--security-type` with value TrustedLaunch
  - Catch all: the VM will get deployed as a Generation 1 VM. Deploy the VM with the user-passed configuration, and the following notification message should be printed for the user:
    Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Notification message, if it needs to be provided to end users prior to making the change: Starting xx/xx/xxxx, the `az vm create` command will deploy Trusted Launch VMs by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch
Scenario 2 - User creates VM from existing shared image (Azure Compute Gallery) or managed image using `az vm create --image`

Present Behavior:
- New VM with existing image in Azure Compute Gallery: User runs command `az vm create -g MyResourceGroup -n MyVm --image MyImage --size VMSize`. The VM is created with the specified configuration. If the `--size` parameter is not specified, CLI deploys the VM with size Standard_DS1_v2.

Updated Behavior post change:
- Updated default parameters and sequence: User runs command `az vm create -g MyResourceGroup -n MyVm --image MyImage --size VMSize`. CLI should check the capabilities available for the VM size using the Resource SKU List API and the image configuration using `az sig image-version show` for a Shared Image or `az image show` for a managed image. If the `--size` parameter is not specified, CLI deploys the VM with size Standard_DS1_v2.
- Conditions:
  - If the VM size and the image both support HyperVGeneration = V2 and SecurityType = TrustedLaunch or TrustedLaunchSupported, the following parameters are set by default:
    - `--enable-secure-boot` with value false
    - `--enable-vtpm` with value true
    - `--security-type` with value TrustedLaunch
    - `--disable-integrity-monitoring`
  - If the VM size and the image passed by the user both support HyperVGeneration = V2 but one or both of them do not support SecurityType = TrustedLaunch or TrustedLaunchSupported, the VM is deployed as a Generation 2 VM without turning on the Trusted Launch related parameters mentioned above.
  - If the VM size passed by the user does not support Generation 2 but the image provided has property HyperVGeneration = V2, the API will throw an error. If a check can be added in CLI, that would be ideal.
  - If the VM size or the image passed by the user does not support Trusted Launch but the user passes any of the below parameters explicitly, the API will throw an error; if a check can be added in CLI, that would be ideal:
    - `--enable-secure-boot` with value true
    - `--enable-vtpm` with value true
    - `--security-type` with value TrustedLaunch
  - Catch all: the VM will get deployed as a Generation 1 VM. Deploy the VM with the user-passed configuration, and the following notification message should be printed for the user:
    Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Notification message, if it needs to be provided to end users prior to making the change: Starting xx/xx/xxxx, the `az vm create` command will deploy Trusted Launch VMs by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch
Scenario 3 - User creates VMSS from existing shared image (Azure Compute Gallery) or managed image using `az vmss create --image`

Present Behavior:
- New VMSS with existing image in Azure Compute Gallery: User runs command `az vmss create -g MyResourceGroup -n MyVmss --image /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/galleries/myGallery/images/myImage`. The VM is created with the specified configuration. If the `--size` parameter is not specified, CLI deploys the VM with size Standard_DS1_v2.

Updated Behavior post change:
- Updated default parameters and sequence: User runs command `az vmss create -g MyResourceGroup -n MyVmss --image /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/galleries/myGallery/images/myImage`. CLI should check the capabilities available for the VM size using the Resource SKU List API and the image configuration using `az sig image-version show` for a Shared Image or `az image show` for a managed image. If the `--size` parameter is not specified, CLI deploys the VM with size Standard_DS1_v2.
- Conditions:
  - If the VM size and the image both support HyperVGeneration = V2 and SecurityType = TrustedLaunch or TrustedLaunchSupported, the following parameters are set by default:
    - `--enable-secure-boot` with value false
    - `--enable-vtpm` with value true
    - `--security-type` with value TrustedLaunch
    - `--disable-integrity-monitoring`
  - If the VM size and the image passed by the user both support HyperVGeneration = V2 but one or both of them do not support SecurityType = TrustedLaunch or TrustedLaunchSupported, the VMSS is deployed as a Generation 2 VM without turning on the Trusted Launch related parameters mentioned above.
  - If the VM size passed by the user does not support Generation 2 but the image provided has property HyperVGeneration = V2, the API will throw an error. If a check can be added in CLI, that would be ideal.
  - If the VM size or the image passed by the user does not support Trusted Launch but the user passes any of the below parameters explicitly, the API will throw an error; if a check can be added in CLI, that would be ideal:
    - `--enable-secure-boot` with value true
    - `--enable-vtpm` with value true
    - `--security-type` with value TrustedLaunch
  - Catch all: the VMSS will get deployed as a Generation 1 VM. Deploy the VMSS with the user-passed configuration, and the following notification message should be printed for the user:
    Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Notification message, if it needs to be provided to end users prior to making the change: Starting xx/xx/xxxx, the `az vmss create` command will deploy Trusted Launch VMs by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch
VM Size and Image capabilities API Checks:
- VM size / SKU capability to support Gen2 or Trusted Launch VMs can be queried using the Resource SKU List API.
- For Gen2, refer to property HyperVGeneration with supported value of V2.
- For Trusted Launch VMs, refer to property TrustedLaunchSupportDisabled set to true for sizes which support Gen2 but not Trusted Launch.
NOTE: Please review the Trusted Launch VM Limitations to assess any impact for CLI users.
Gen2 as default (Failback alternative)
If Gen2+TLVM-as-default cannot be implemented, we request to make Generation 2 VM (GA date: 2019) the failback alternative default deployment option in CLI. The following changes will need to be made for the same:
- Scenarios 1, 2 & 3 will remain similar except for the first condition: If the VM size passed by the user with parameter `--size` supports HyperVGeneration = V2 and SecurityType = TrustedLaunch or TrustedLaunchSupported, OR the user does not specify a VM size, i.e., the default size Standard_DS1_v2 is used, the VM is deployed as a Generation 2 VM without turning on the Trusted Launch related parameters mentioned above.
Notification message, if it needs to be provided to end users prior to making the change: Starting xx/xx/xxxx, the `az vm create` command will deploy Generation 2 VMs by default. To know more about Azure Generation 2 VMs, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2
NOTE: Generation 2 VMs have full feature parity with the existing Generation 1 VMs used by the majority of customers.
Minimum API Version Required
2021-11-01
Swagger PR link
Compute Swagger 2021-11-01
Request Example
Target Date
2022-10-10
Additional context
- Target date for implementing the notification for users is to match the Ignite event scheduled for 2022-10-12.
- My understanding is that before the change is implemented, users will need to be provided with the notification; hence the target date for implementation of the changes is the Build event 2023 (May 2023).
- Multiple Trusted Launch VM limitations will tentatively be addressed before the actual implementation date of May 2023.
- VM size / SKU capability to support Gen2 or Trusted Launch VMs can be queried using the Resource SKU List API.
- For Gen2, refer to property HyperVGeneration with supported value of V2.
- For Trusted Launch VMs, refer to property TrustedLaunchSupportDisabled set to true for sizes which support Gen2 but not Trusted Launch.
- TLVM-as-default implementation in the Azure Portal is planned for December 2022.
Related closely to request #23450
@zhoxing-ms for awareness
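As an added example (not Azure CLI's own code and not part of this issue), the capability check and the default-selection conditions from Scenarios 1-3 written as one pure Python decision function. Input shapes are modelled on the Resource SKU List API (`az vm list-skus`) and on the normalised output of `az disk show` / `az sig image-version show` / `az image show`; the SKU and disk records are constructed for this example. The issue text names the capabilities HyperVGeneration and TrustedLaunchSupportDisabled, while the live API exposes them as HyperVGenerations (e.g. "V1,V2") and TrustedLaunchDisabled, so the helper accepts both spellings; the exact names should be confirmed against the API before relying on them.

```python
"""Decision logic for the Gen2 + Trusted Launch default (illustrative, not azure-cli code)."""
from dataclasses import dataclass, field
from typing import Optional

TL_DOCS = "https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch"
TL_NOTICE = ("Consider upgrading security for your workloads using Azure Trusted Launch VMs. "
             f"To know more about Trusted Launch, please visit {TL_DOCS}")

# Parameters the CLI would set when both the size and the OS source support Trusted Launch.
TRUSTED_LAUNCH_DEFAULTS = {
    "security_type": "TrustedLaunch",
    "enable_secure_boot": False,
    "enable_vtpm": True,
    "disable_integrity_monitoring": True,
}


def sku_capabilities(sku: dict) -> dict:
    """Flatten a Resource SKU 'capabilities' list into a lower-cased name -> value map."""
    return {c["name"].lower(): str(c["value"]) for c in sku.get("capabilities", [])}


def size_supports_gen2(sku: dict) -> bool:
    caps = sku_capabilities(sku)
    # API name is HyperVGenerations; the issue text says HyperVGeneration. Accept both.
    gens = caps.get("hypervgenerations") or caps.get("hypervgeneration") or ""
    return "v2" in (g.strip().lower() for g in gens.split(","))


def size_supports_trusted_launch(sku: dict) -> bool:
    """Gen2-capable and not flagged as Trusted Launch disabled (both spellings accepted)."""
    caps = sku_capabilities(sku)
    disabled = caps.get("trustedlaunchdisabled") or caps.get("trustedlaunchsupportdisabled") or "false"
    return size_supports_gen2(sku) and disabled.lower() != "true"


@dataclass
class OsSource:
    """Normalised view of the OS disk or image the VM boots from."""
    hyperv_generation: str               # "V1" or "V2"
    security_type: Optional[str] = None  # "TrustedLaunch", "TrustedLaunchSupported" or None

    @property
    def is_gen2(self) -> bool:
        return self.hyperv_generation.upper() == "V2"

    @property
    def supports_trusted_launch(self) -> bool:
        return self.is_gen2 and self.security_type in ("TrustedLaunch", "TrustedLaunchSupported")


@dataclass
class Decision:
    generation: str                   # "V1" or "V2"
    params: dict = field(default_factory=dict)
    notice: Optional[str] = None      # printed on the catch-all Generation 1 path


def resolve_security_defaults(sku: dict, source: OsSource, explicit: Optional[dict] = None) -> Decision:
    """Apply the Scenario 1-3 conditions in order. Raises ValueError in the two cases where the
    issue says the API would fail, so the CLI can reject the request before calling it."""
    explicit = dict(explicit or {})
    size_gen2 = size_supports_gen2(sku)
    size_tl = size_supports_trusted_launch(sku)

    # A Generation 1-only size cannot boot a HyperVGeneration V2 disk or image.
    if source.is_gen2 and not size_gen2:
        raise ValueError(f"VM size {sku['name']} does not support Generation 2 but the OS source is V2")

    # Explicit Trusted Launch flags on a size or source that cannot honour them.
    asked_for_tl = (explicit.get("security_type") == "TrustedLaunch"
                    or explicit.get("enable_secure_boot") is True
                    or explicit.get("enable_vtpm") is True)
    if asked_for_tl and not (size_tl and source.supports_trusted_launch):
        raise ValueError("Trusted Launch parameters passed but the VM size or OS source does not support it")

    if size_tl and source.supports_trusted_launch:
        return Decision("V2", {**TRUSTED_LAUNCH_DEFAULTS, **explicit})  # user values override defaults
    if size_gen2 and source.is_gen2:
        return Decision("V2", explicit)  # Gen2, no Trusted Launch parameters
    return Decision("V1", explicit, notice=TL_NOTICE)  # catch all


# Constructed sample records (shape only; not live API output).
SKU_GEN2_TL = {"name": "Standard_DS1_v2",
               "capabilities": [{"name": "HyperVGenerations", "value": "V1,V2"}]}
SKU_GEN2_NO_TL = {"name": "Standard_Example_Gen2NoTL",
                  "capabilities": [{"name": "HyperVGenerations", "value": "V1,V2"},
                                   {"name": "TrustedLaunchDisabled", "value": "True"}]}
SKU_GEN1 = {"name": "Standard_Example_Gen1",
            "capabilities": [{"name": "HyperVGenerations", "value": "V1"}]}

if __name__ == "__main__":
    d = resolve_security_defaults(SKU_GEN2_TL, OsSource("V2", "TrustedLaunchSupported"))
    print(d.generation, d.params)
    d = resolve_security_defaults(SKU_GEN1, OsSource("V1"))
    print(d.generation, d.notice)
```

The two ValueError paths are the "if a check can be added in CLI" items from the scenarios; raising before the deployment call gives the user a clear message instead of an API error after resource creation has started.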
@PARADISSEEKR @zhoxing-ms If we can remove the block highlighted below: we do not want to confuse users between Gen2 and Trusted Launch.
All notification messages should be consistent: Starting Build 2023 event, "az vm/vmss create" command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

@PARADISSEEKR @zhoxing-ms - For the scenario "User creates VM from existing shared image (Azure Compute Gallery) or managed image using az vm create --image", the notification message is not generated when submitting a resource ID for an ACG image version:

Hi @AjKundnani, could you please help review this PR? Thanks!
@yanzhudd At a cursory review it looks OK to me; I can confirm more confidently after validating with the bug bash.