1.0 Introduction
This article describes the procedure for completing the attestation workflow for an Azure Confidential Virtual Machine (CVM) using Fortanix Confidential Computing Manager (CCM) in Windows-based environments.
After configuring the application and build in Fortanix CCM and registering the required Platform Configuration Register (PCR) values, the Azure CVM must run the Fortanix Attestation Client for Windows to establish trust and register itself as an approved compute instance.
2.0 Prerequisites
Before proceeding, ensure the following:
Ensure to download the Fortanix Azure CVM Attestation Client binary from here.
The Azure CVM has been deployed and is accessible.
A Fortanix CCM application and its associated build have been created and approved.
PCR values collected from the Azure CVM environment have been mapped to the build in Fortanix CCM. For more information on VM creation and PCR extraction, refer to Azure Confidential VM Setup - Windows.
Network access exists between the Azure CVM and Fortanix CCM endpoint.
You have access to the following configuration values:
Fortanix CCM tenant URL
Join token
NOTE
Attestation cannot proceed if the application build has not been approved in Fortanix CCM.
3.0 Configure Execution Permissions
The Fortanix Azure CVM Attestation Client for Windows must be executed from an elevated PowerShell session because it requires administrative privileges to access the TPM and write attestation artifacts.
Perform the following steps:
On the Azure Windows CVM, open PowerShell as an Administrator.
If you are using a Windows Server version with a graphical user interface (GUI), right-click Windows PowerShell and select Run as administrator.
NOTE
Run the following command to verify that the current session has administrative privileges:
(New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent() )).IsInRole( [Security.Principal.WindowsBuiltInRole]::Administrator )Output:
If the command returns True, the PowerShell session has Administrator privileges.
If the command returns False, you are not running as an administrator. To gain administrator access, close this PowerShell window and reopen it using “Run as Administrator”.
4.0 Configure Environment Variables
The Fortanix Attestation Client uses the following environment variables to determine where to write output and how to connect to the Fortanix CCM service:
NOTE
The
JOIN_TOKENis mandatory. Without it, the node will not register with Fortanix CCM. TheFORTANIX_CLIENT_OUTPUT_DIRis also required, as there is no default output location for the generated files.
Environment Variable | Default Value | Description |
|---|---|---|
| unset | Client writes |
|
| Set to |
| https://ccm.fortanix.com | Fortanix CCM service endpoint for attestation request.
|
| unset | Must be set to the join token generated in Fortanix CCM. |
In your PowerShell session, run the following commands to configure the environment variables:
$env:FORTANIX_CLIENT_OUTPUT_DIR="<Desired output directory for key and certificate>"
$env:JOIN_TOKEN="<JOIN TOKEN VALUE>" Where,
<JOIN TOKEN VALUE>: The join token you generated from Fortanix CCM.<Desired output directory for key and certificate>: The desired output directory path where the Fortanix Attestation Client will save the key and certificate file.
Optionally, configure logging and a custom Fortanix CCM endpoint:
$env:RUST_LOG="<log_level>"
$env:MANAGER_ENDPOINT="<URL of CCM instance>" Where,
<log_level>: Sets the logging verbosity, such asDEBUG,ERROR,WARN,INFO,TRACE, orOFF.<URL of CCM instance>: The Fortanix CCM endpoint. For example, https:/ccm.fortanix.com.
5.0 Generate a Join Token
Perform the following steps to generate a join token in Fortanix CCM:
Log in to Fortanix Armor Platform. For more information, Getting Started with Fortanix Armor.
Navigate to the Fortanix CCM user interface (UI). For more information, refer to Fortanix Armor Solutions.
In the CCM user interface (UI) left navigation panel, click Infrastructure → COMPUTE NODES → Azure SEV Containers, and then click ADD NODE.
.png?sv=2026-02-06&spr=https&st=2026-07-17T07%3A09%3A39Z&se=2026-07-17T07%3A23%3A39Z&sr=c&sp=r&sig=ywBvSavMgyXLr8cLR8QF2CNYc97Tv9sjSECYz%2Bz0C2Y%3D)
Figure 1: Add node
In the Enroll Compute Node window, click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.
6.0 Run the Attestation Client
After configuring the environment variables, run the Fortanix Attestation Client for Windows to perform attestation.
Perform the following steps in a PowerShell session with administrative privileges:
Run the following command to install the CVM Attestation Client:
.\CVMAttestationClientSetup.exe /quiet /norestart /log "C:\Users\<user>\install.log"Navigate to the
C:\Program Files\Fortanix\CVMAttestationClientdirectory.Run the following command to execute the client:
.\ccm_attestation_client_azurecvm.exeIf the client runs successfully:
No error messages are displayed in the console.
The directory specified in
FORTANIX_CLIENT_OUTPUT_DIRcontains two files:key.pem- The private key generated during attestation.cert.pem- The certificate generated during attestation.
The attestation process begins automatically. During this time, the client collects platform evidence, verifies signatures, and submits measurements to Fortanix CCM. The process may take several minutes, depending on the compute environment and network conditions.

Figure 2: Evidence and certificate are fetched
7.0 Verify Attestation Status in Fortanix CCM
After the attestation client has completed execution, verify the attestation result in Fortanix CCM by confirming that the attestation certificate is available for download.
Perform the following steps to download the certificate:
Navigate to the Fortanix CCM UI. For more information, refer to Fortanix Armor Solutions.
Navigate to Applications and select the Azure CVM application, then go to its detailed view and navigate to CERTIFICATES tab.
Click DOWNLOAD CERTIFICATE to verify its validity.
Attestation is considered successful when the attestation certificate appears and is available for download. This confirms that the hardware measurements match the PCR values configured for the build in Fortanix CCM.