Azure · audreyttt · Sep 19, 2025 · Sep 19, 2025 · Sep 24, 2025 · Sep 26, 2025
@@ -213,5 +213,11 @@ public void TestDiskSnapshotInstantAccess()
             TestRunner.RunTestScript("Test-DiskSnapshotInstantAccess");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.LiveOnly)]
+        public void TestDiskSupportedSecurityOption()
+        {
+            TestRunner.RunTestScript("Test-SupportedSecurityOption");
+        }
     }
 }
@@ -1951,3 +1951,35 @@ function Test-DiskSnapshotInstantAccess
         Clean-ResourceGroup $rgname;
     }
 }
+
+<#
+.SYNOPSIS
+Test SupportedSecurityOption Parameter during creation and update of disk
+#>
+function Test-SupportedSecurityOption 
+{
+	$rgname = Get-ComputeTestResourceName;
+	$loc = "eastus2euap";
+
+    try{
+    	New-AzResourceGroup -Name $rgname -Location $loc -Force;
+
+        $diskConfig = New-AzDiskConfig -Location $loc -SkuName 'PremiumV2_LRS' -DiskSizeGB 2 -CreateOption Empty -SupportedSecurityOption 'TrustedLaunchSupported';
+		$diskname = "disk" + $rgname;
+		New-AzDisk -ResourceGroupName $rgname -DiskName $diskname -Disk $diskConfig;
+        $disk = Get-AzDisk -ResourceGroupName $rgname -DiskName $diskname;
+
+        Assert-NotNull $disk.SupportedCapabilities;
+        Assert-AreEqual "TrustedLaunchSupported" $disk.SupportedCapabilities.SupportedSecurityOption;
+
+        $updateconfig = New-AzDiskUpdateConfig -SupportedSecurityOption "TrustedLaunchAndConfidentialVMSupported";
+        $disk = Update-AzDisk -ResourceGroupName $rgname -DiskName $diskname -DiskUpdate $updateconfig;
+        Assert-AreEqual "TrustedLaunchAndConfidentialVMSupported" $disk.SupportedCapabilities.SupportedSecurityOption;
+    }
+
+    finally
+    {
+    	# Cleanup
+		Clean-ResourceGroup $rgname
+    }
+}
@@ -21,6 +21,7 @@
 -->
 ## Upcoming Release
 * Added `-Redeploy` switch parameter for `Update-AzHost` cmdlet to enable dedicated host redeployment.
+* Added `-SupportedSecurityOption` parameter to `New-AzDiskConfig` cmdlet.
 
 ## Version 10.4.0
 * Added `-InstantAccessDurationMinutes` parameter to New-AzSnapshotConfig.

@@ -28,7 +28,6 @@
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Management.Compute.Models;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
-using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
 
 namespace Microsoft.Azure.Commands.Compute.Automation
 {
@@ -266,6 +265,13 @@ public partial class NewAzureRmDiskConfigCommand : Microsoft.Azure.Commands.Reso
             HelpMessage = "If createOption is ImportSecure, this is the URI of a blob to be imported into VM guest state.")]
         public string SecurityDataUri { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Refers to the security capability of the disk supported to create a Trusted launch or Confidential VM.")]
+        [PSArgumentCompleter("TrustedLaunchSupported", "TrustedLaunchAndConfidentialVMSupported")]
+        public string SupportedSecurityOption { get; set; }
+
         protected override void ProcessRecord()
         {
             if (ShouldProcess("Disk", "New"))
@@ -492,6 +498,15 @@ private void Run()
                 vSupportedCapabilities.Architecture = this.Architecture;
             }
 
+            if (this.IsParameterBound(c => c.SupportedSecurityOption))
+            {
+                if (vSupportedCapabilities == null)
+                {
+                    vSupportedCapabilities = new SupportedCapabilities();
+                }
+                vSupportedCapabilities.SupportedSecurityOption = this.SupportedSecurityOption;
+            }
+
             var vDisk = new PSDisk
             {
                 Zones = this.IsParameterBound(c => c.Zone) ? this.Zone : null,

@@ -179,6 +179,12 @@ public partial class NewAzureRmDiskUpdateConfigCommand : Microsoft.Azure.Command
         [PSArgumentCompleter("X64", "Arm64")]
         public string Architecture { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Refers to the security capability of the disk supported to create a Trusted launch or Confidential VM.")]
+        [PSArgumentCompleter("TrustedLaunchSupported", "TrustedLaunchAndConfidentialVMSupported")]
+        public string SupportedSecurityOption { get; set; }
 
         protected override void ProcessRecord()
         {
@@ -301,6 +307,15 @@ private void Run()
                 vSupportedCapabilities.Architecture = this.Architecture;
             }
 
+            if (this.IsParameterBound(c => c.SupportedSecurityOption))
+            {
+                if (vSupportedCapabilities == null)
+                {
+                    vSupportedCapabilities = new SupportedCapabilities();
+                }
+                vSupportedCapabilities.SupportedSecurityOption = this.SupportedSecurityOption;
+            }
+
             var vDiskUpdate = new PSDiskUpdate
             {
                 OsType = this.IsParameterBound(c => c.OsType) ? this.OsType : (OperatingSystemTypes?)null,

@@ -26,7 +26,7 @@ New-AzDiskConfig [[-SkuName] <String>] [-Tier <String>] [-LogicalSectorSize <Int
  [-NetworkAccessPolicy <String>] [-BurstingEnabled <Boolean>] [-PublicNetworkAccess <String>]
  [-AcceleratedNetwork <Boolean>] [-DataAccessAuthMode <String>] [-Architecture <String>]
  [-PerformancePlus <Boolean>] [-OptimizedForFrequentAttach <Boolean>] [-SecurityMetadataUri <String>]
- [-SecurityDataUri <String>] [-DefaultProfile <IAzureContextContainer>]
+ [-SecurityDataUri <String>] [-SupportedSecurityOption <String>] [-DefaultProfile <IAzureContextContainer>]
  [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -93,6 +93,17 @@ New-AzDisk -ResourceGroupName 'ResourceGroup01' -DiskName 'Disk01' -Disk $diskCo
 
 Create a disk with OptimizedForFrequentAttach as true, to improves reliability and performance of the data disks that will be frequently (more than 5 times a day) detached from one virtual machine and attached to another.
 
+### Example 5
+```powershell
+$accountType = <Account Type>
+$sourceUri = <Source URI of the blob>
+$storageAccountId = <Storage Account ID>
+$diskConfig = New-AzDiskConfig -AccountType $accountType -CreateOption Import -SourceUri $sourceUri -StorageAccountId $storageAccountId -SupportedSecurityOption 'TrustedLaunchSupported'
+New-AzDisk -ResourceGroupName 'ResourceGroup01' -DiskName 'Disk01' -Disk $diskConfig
+```
+
+Creation of managed disk using CreateOption of Import, with SupportedSecurityOption as TrustedLaunchSupported
+
 ## PARAMETERS
 
 ### -AcceleratedNetwork
@@ -644,6 +655,22 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
+### -SupportedSecurityOption
+Refers to the security capability of the disk supported to create a Trusted launch or Confidential VM.
+Possible values include: 'TrustedLaunchSupported', 'TrustedLaunchAndConfidentialVMSupported'
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
 ### -SupportsHibernation
 Customers can set the SupportsHibernation flag on the Disk.