More examples for TrustedLaunch functionality in VM and VMSS creation (#23412)

Sandido · web-flow · commit ab52aa49c6ae · 2023-11-19T19:31:36.000+08:00
* Update New-AzVM.md

* Update New-AzVmss.md

* Update ChangeLog.md

* Update New-AzVmss.md

* Update New-AzVmss.md

* Update New-AzVmss.md

* Update New-AzVM.md

* Update New-AzVM.md

* Update New-AzVM.md

* Update New-AzVmss.md

* Update New-AzVmss.md

* Update New-AzVmss.md
diff --git a/src/Compute/Compute/ChangeLog.md b/src/Compute/Compute/ChangeLog.md
@@ -20,6 +20,7 @@
 
 -->
 ## Upcoming Release
+* Added new examples in `New-AzVM` and `New-AzVmss` for TrustedLaunch default usage.
 
 ## Version 7.0.0
 * Added update functionality in `Update-AzVmss` for parameters `SecurityType`, `EnableSecureBoot`, and `EnableVtpm` for the parameter set with the Put operation.
diff --git a/src/Compute/Compute/help/New-AzVM.md b/src/Compute/Compute/help/New-AzVM.md
@@ -295,7 +295,7 @@ New-AzResourceGroup -Name $rgname -Location $loc -Force;
 $domainNameLabel1 = 'd1' + $rgname;
 $vmsize = 'Standard_D4s_v3';
 $vmname1 = 'v' + $rgname;
-$imageName = "Win2016DataCenterGenSecond";
+$imageName = "Win2022AzureEdition";
 $disable = $false;
 $enable = $true;
 $securityType = "TrustedLaunch";
@@ -313,16 +313,69 @@ $vm1 = Get-AzVM -ResourceGroupName $rgname -Name $vmname1;
 #$vm1.SecurityProfile.SecurityType "TrustedLaunch";
 #$vm1.SecurityProfile.UefiSettings.VTpmEnabled $true;
 #$vm1.SecurityProfile.UefiSettings.SecureBootEnabled $true;
+```
+This example Creates a new VM with the TrustedLaunch Security Type and sets flags EnableSecureBoot and EnableVtpm as True by default. A Trusted Launch VM requires a Gen2 image. Please check [the Trusted Launch feature page](aka.ms/trustedlaunch) for more information.
 
-# Verify the GuestAttestation extension is installed.
-$vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname1;
-$extDefaultName = "GuestAttestation";
-$vmExt = Get-AzVMExtension -ResourceGroupName $rgname -VMName $vmname1 -Name $extDefaultName;
-# verify $vmExt.Name is "GuestAttestation";
+### Example 9: Create a VM with Trusted Launch turned on by defualt using New-AzVMConfig.
+```powershell
+$rgname = "<Resource Group Name>";
+$loc = "<Azure Region>";
+$vmname = 'vm' + $rgname;
+$domainNameLabel = "d1" + $rgname;
+$vnetname = "vn" + $rgname;
+$vnetAddress = "10.0.0.0/16";
+$subnetname = "slb" + $rgname;
+$subnetAddress = "10.0.2.0/24";
+$OSDiskName = $vmname + "-osdisk";
+$NICName = $vmname+ "-nic";
+$NSGName = $vmname + "-NSG";
+$OSDiskSizeinGB = 128;
+$VMSize = "Standard_DS2_v2";
+$PublisherName = "MicrosoftWindowsServer";
+$Offer = "WindowsServer";
+$SKU = "2022-datacenter-azure-edition";
+$version = "latest";
+$password = "<Password>";
+$securePassword = $password | ConvertTo-SecureString -AsPlainText -Force;  
+$user = <Username>;
+$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
+# Network setup
+$frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname -AddressPrefix $subnetAddress;
+$vnet = New-AzVirtualNetwork -Name $vnetname -ResourceGroupName $rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet;
+$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP  -Protocol Tcp  -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow;
+$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName  -SecurityRules $nsgRuleRDP;
+$nic = New-AzNetworkInterface -Name $NICName -ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking;
+# VM
+$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $VMSize;
+Set-AzVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmName -Credential $cred;
+Set-AzVMSourceImage -VM $vmConfig -PublisherName $PublisherName -Offer $Offer -Skus $SKU -Version $version ;
+Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id;
+New-AzVM -ResourceGroupName $rgname -Location $loc -VM $vmConfig;
+$vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname;
+# Verify $vm.SecurityProfile.SecurityType is TrustedLaunch
+# Verify $vm.SecurityProfile.UefiSettings.SecureBootEnabled is true.
+# Verify $vm.SecurityProfile.UefiSettings.VTpmEnabled is true. 
+```
+This example shows how to create a VM with a valid Gen2 image, allowing the VM to default to TrustedLaunch which requires Gen2 images. Please check [the Trusted Launch feature page](aka.ms/trustedlaunch) for more information.
+
+### Example 10: Creates a VM with TrustedLaunch turned on by default.
+```powershell
+$rgname = "<Resource Group Name>";
+$loc = "<Azure Region>";
+$vmname = 'vm' + $rgname;
+$domainNameLabel = "d1" + $rgname;
+$password = "<Password>";
+$securePassword = $password | ConvertTo-SecureString -AsPlainText -Force;  
+$user = <Username>;
+$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
+# Create VM
+$vm = New-AzVM -ResourceGroupName $rgname -Name $vmname -Credential $cred -DomainNameLabel $domainNameLabel; 
+$vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname;
+# Verify $vm.SecurityProfile.SecurityType is TrustedLaunch.
+# Verify the $vm.StorageProfile.ImageReference.Sku has defaulted to "2022-datacenter-azure-edition", a Gen2 image.
 ```
+This example shows how the simple cmdlet call with minimal parameters will result in a TrustedLaunch enabled VM with a Gen2 image. Please check [the Trusted Launch feature page](aka.ms/trustedlaunch) for more information.
 
-This example Creates a new VM with the TrustedLaunch Security Type and sets flags EnableSecureBoot and EnableVtpm as True by default. 
-It also checks that the GuestAttestation extension is installed by default when using TrustedLaunch and the EnableSecureBoot and EnableVtpm are True.
 
 ## PARAMETERS
 
@@ -686,7 +739,7 @@ Accept wildcard characters: False
 ```
 
 ### -Image
-The friendly image name upon which the VM will be built. The available aliases are: Win2022AzureEditionCore, Win2019Datacenter, Win2016Datacenter, Win2012R2Datacenter, Win2012Datacenter, Ubuntu2204, CentOS85Gen2, Debian11, OpenSuseLeap154Gen2, RHELRaw8LVMGen2, SuseSles15SP3, FlatcarLinuxFreeGen2.
+The friendly image name upon which the VM will be built. The available aliases are: Win2022AzureEdition, Win2022AzureEditionCore, Win2019Datacenter, Win2016Datacenter, Win2012R2Datacenter, Win2012Datacenter, Ubuntu2204, CentOS85Gen2, Debian11, OpenSuseLeap154Gen2, RHELRaw8LVMGen2, SuseSles15SP3, FlatcarLinuxFreeGen2.
 
 ```yaml
 Type: System.String
diff --git a/src/Compute/Compute/help/New-AzVmss.md b/src/Compute/Compute/help/New-AzVmss.md
@@ -9,7 +9,7 @@ schema: 2.0.0
 # New-AzVmss
 
 ## SYNOPSIS
-Creates a VMSS.
+Creates a virtual machine scale set.
 
 ## SYNTAX
 
@@ -209,14 +209,13 @@ Create a VMSS with a UserData value
 
 ### Example 4: Create a Vmss with the security type TrustedLaunch
 ```powershell
-$rgname = "rganme";
+$rgname = "rgname";
 $loc = "eastus";
 
 # VMSS Profile & Hardware requirements for the TrustedLaunch default behavior.
 $vmssSize = 'Standard_D4s_v3';
 $vmssName1 = 'vmss1' + $rgname;
-$vmssName2 = 'vmss2' + $rgname;
-$imageName = "Win2016DataCenterGenSecond";
+$imageName = "Win2022AzureEdition";
 $adminUsername = "<Username>";
 $adminPassword = "<Password>" | ConvertTo-SecureString -AsPlainText -Force;
 $vmCred = New-Object System.Management.Automation.PSCredential ($adminUsername, $adminPassword);
@@ -228,7 +227,7 @@ $result = New-AzVmss -Credential $vmCred -VMScaleSetName $vmssName1 -ImageName $
 # $result.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled;
 ```
 
-This example Creates a new VMSS with the new Security Type 'TrustedLaunch' and the necessary UEFISettings values,
+This example Creates a new VMSS with the new Security Type 'TrustedLaunch' and the necessary UEFISettings values, VTpmEnabled and SecureBootEnalbed are true. Please check [the Trusted Launch feature page](aka.ms/trustedlaunch) for more information.
 
 ### Example 5: Create a Vmss in Orchestration Mode: Flexible by default
 ```powershell
@@ -237,11 +236,49 @@ $vmssConfig = New-AzVmssConfig -Location EastUs2 -UpgradePolicyMode Manual -Sing
 
 # VMSS Creation 
 New-AzVmss -ResourceGroupName TestRg -VMScaleSetName myVMSS -VirtualMachineScaleSet $vmssConfig
-
 ```
-
 This example Creates a new VMSS and it will default to OrchestrationMode Flexible. 
 
+### Example 6: Create a new VMSS with TrustedLaunch turned on by default. 
+```powershell
+$rgname = "<Resource Group>";
+$loc = "<Azure Region>";
+New-AzResourceGroup -Name $rgname -Location $loc -Force;
+
+$vmssName = 'vmss' + $rgname;
+$vmssSize = 'Standard_D4s_v3';
+$imageName = "Win2022AzureEdition";
+$publisherName = "MicrosoftWindowsServer";
+$offer = "WindowsServer";
+$sku = "2022-Datacenter-Azure-Edition";
+$adminUsername = "<Username>";
+$password = "<Password>";
+
+# NRP
+$vnetworkName = 'vnet' + $rgname;
+$subnetName = 'subnet' + $rgname;
+$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix "10.0.0.0/24";
+$vnet = New-AzVirtualNetwork -Name $vnetworkName -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
+$vnet = Get-AzVirtualNetwork -Name $vnetworkName -ResourceGroupName $rgname;
+$subnetId = $vnet.Subnets[0].Id;
+
+$ipCfg = New-AzVmssIpConfig -Name 'test' -SubnetId $subnetId;
+
+$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' `
+    | Add-AzVmssNetworkInterfaceConfiguration -Name 'test' -Primary $true -IPConfiguration $ipCfg `
+    | Set-AzVmssOsProfile -ComputerNamePrefix 'test' -AdminUsername $adminUsername -AdminPassword $password;
+    
+# Create TL Vmss
+$result = New-AzVmss -ResourceGroupName $rgname -VMScaleSetName $vmssName -VirtualMachineScaleSet $vmss;
+$vmssGet = Get-AzVmss -ResourceGroupName $rgname -VMScaleSetName $vmssName;
+
+# Verify $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType is TrustedLaunch.
+# Verify $vmssGet.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled is True.
+# Verify $vmssGet.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled is True.
+# Verify $vmssGet.VirtualMachineProfile.StorageProfile.ImageReference.Sku is 2022-Datacenter-Azure-Edition.
+```
+The virtual machine scale set above has Trusted Launch enabled by default. Please check [the Trusted Launch feature page](aka.ms/trustedlaunch) for more information.
+
 ## PARAMETERS
 
 ### -AllocationMethod
@@ -527,7 +564,7 @@ Accept wildcard characters: False
 ```
 
 ### -ImageName
-The alias of the image for VMs in this Scale Set. If no value is provided, the "Windows Server 2016 DataCenter" image will be used. The available aliases are: Win2022AzureEditionCore, Win2019Datacenter, Win2016Datacenter, Win2012R2Datacenter, Win2012Datacenter, UbuntuLTS, Ubuntu2204, CentOS85Gen2, Debian11, OpenSuseLeap154Gen2, RHELRaw8LVMGen2, SuseSles15SP3, FlatcarLinuxFreeGen2.
+The alias of the image for VMs in this Scale Set. If no value is provided, the "Windows Server 2016 DataCenter" image will be used. The available aliases are: Win2022AzureEdition, Win2022AzureEditionCore, Win2019Datacenter, Win2016Datacenter, Win2012R2Datacenter, Win2012Datacenter, UbuntuLTS, Ubuntu2204, CentOS85Gen2, Debian11, OpenSuseLeap154Gen2, RHELRaw8LVMGen2, SuseSles15SP3, FlatcarLinuxFreeGen2.
 
 ```yaml
 Type: System.String
