1. Set your Azure subscription. Replace `<subscription-id>` with your subscription identifier. Make sure to use a subscription that meets the [prerequisites](#prerequisites).
1. Set the variables for your confidential VM. Provide the deployment name (`$deployName`), the resource group (`$resourceGroup`), the VM name (`$vmName`), and the Azure region (`$region`). Replace the sample values with your own information.
> [!NOTE]
> Confidential VMs are not available in all locations. For currently supported locations, see [which VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines).
### Define custom parameter file

When you create a confidential VM through the Azure Command-Line Interface (Azure CLI), you need to define a custom parameter file. To create a custom JSON parameter file:

1. Sign in to your Azure account through the Azure CLI.
1. Create a JSON parameter file. For example, `azuredeploy.parameters.json`.
1. Depending on the OS image you're using, copy either the [example Windows parameter file](#example-windows-parameter-file) or the [example Linux parameter file](#example-linux-parameter-file) into your parameter file.
1. Edit the JSON code in the parameter file as needed. For example, update the OS image name (`osImageName`) or the administrator username (`adminUsername`).
1. Configure your security type setting (`securityType`). Choose `VMGuestStateOnly` for no OS disk confidential encryption. Or, choose `DiskWithVMGuestState` for OS disk confidential encryption with a platform-managed key. For Intel TDX SKUs and Linux-based images only, customers may choose the `NonPersistedTPM` security type to deploy with an ephemeral vTPM. For the `NonPersistedTPM` security type use the minimum `"apiVersion": "2023-09-01"` under `Microsoft.Compute/virtualMachines` in the template file.
1. Save your parameter file.

#### Example Windows parameter file

Use this example to create a custom parameter file for a Windows-based confidential VM.
1. Grant the confidential VM service principal `Confidential VM Orchestrator` to the tenant.
    For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role. [Install Microsoft Graph SDK](/powershell/microsoftgraph/installation) to execute the commands below.
1. Deploy your confidential VM using a confidential VM ARM template for Intel TDX and a [deployment parameter file](#example-windows-parameter-file) (for example, `azuredeploy.parameters.win2022.json`) with the customer-managed key.
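
A pre-deployment check for the `securityType` rules given in the parameter file steps, written as an added example that is not part of the original article or Microsoft's tooling. The function name and the `is_tdx_sku` / `is_linux_image` flags are assumptions supplied by the caller, because the page does not say how the template names the VM size or image; the sample JSON is constructed.

```python
import json
import re

ALLOWED = {"VMGuestStateOnly", "DiskWithVMGuestState", "NonPersistedTPM"}
MIN_API = "2023-09-01"  # minimum apiVersion the page gives for NonPersistedTPM
VM_TYPE = "Microsoft.Compute/virtualMachines"

def check_security_type(params, template, is_tdx_sku, is_linux_image):
    """Return a list of findings; an empty list means the settings are consistent."""
    sec = params.get("parameters", {}).get("securityType", {}).get("value")
    if sec not in ALLOWED:
        return [f"error: securityType {sec!r} is not one of {sorted(ALLOWED)}"]
    if sec == "VMGuestStateOnly":
        return ["warning: VMGuestStateOnly deploys without OS disk confidential encryption"]
    if sec == "DiskWithVMGuestState":
        return []
    findings = []
    # NonPersistedTPM: Intel TDX SKUs and Linux-based images only.
    if not is_tdx_sku:
        findings.append("error: NonPersistedTPM requires an Intel TDX SKU")
    if not is_linux_image:
        findings.append("error: NonPersistedTPM requires a Linux-based image")
    vms = [r for r in template.get("resources", []) if r.get("type") == VM_TYPE]
    if not vms:
        findings.append(f"error: no {VM_TYPE} resource found in the template")
    for vm in vms:
        api = str(vm.get("apiVersion", ""))
        if not re.match(r"\d{4}-\d{2}-\d{2}", api):
            # e.g. a template expression; it cannot be compared without evaluating it
            findings.append(f"error: cannot evaluate apiVersion {api!r}")
        elif api[:10] < MIN_API:  # ISO dates order correctly as strings
            findings.append(f"error: apiVersion {api} is older than {MIN_API}")
    return findings

# Constructed sample input: a trimmed parameter file and template, not real deployment files.
SAMPLE_PARAMS = json.loads('{"parameters": {"securityType": {"value": "NonPersistedTPM"}}}')
SAMPLE_TEMPLATE = json.loads(
    '{"resources": [{"type": "Microsoft.Compute/virtualMachines", "apiVersion": "2023-03-01"}]}'
)

if __name__ == "__main__":
    for finding in check_security_type(SAMPLE_PARAMS, SAMPLE_TEMPLATE,
                                       is_tdx_sku=True, is_linux_image=False):
        print(finding)
```

The check only reads top-level `resources`; a VM declared inside a nested deployment is reported as not found.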