diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf
index 3adaae391..4985e4898 100644
--- a/core/terraform/resource_processor/vmss_porter/main.tf
+++ b/core/terraform/resource_processor/vmss_porter/main.tf
@@ -82,6 +82,8 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
 encryption_at_host_enabled = false
 upgrade_mode = "Automatic"
 tags = local.tre_core_tags
+ secure_boot_enabled = true
+ vtpm_enabled = true
 
 extension {
 auto_upgrade_minor_version = true
diff --git a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
index e89ff0520..2d9a2047b 100644
--- a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
+++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
@@ -36,6 +36,8 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
 admin_username = "adminuser"
 admin_password = random_password.password.result
 tags = local.tre_shared_service_tags
+ secure_boot_enabled = true
+ vtpm_enabled = true
 
 source_image_reference {
 publisher = "MicrosoftWindowsDesktop"
@@ -51,7 +53,10 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
 disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.jumpbox_disk_encryption[0].id : null
 }
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "jumpbox_disk_encryption" {
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
index 7d3de0703..8bd6d3ff6 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
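Review bot: The two attributes added to the `vm_linux` scale set have no matching `lifecycle { ignore_changes = [...] }`, unlike the jumpbox and nexus hunks in this same commit whose comment calls a change to `secure_boot_enabled`/`vtpm_enabled` destructive, so an existing deployment will plan a replacement of the resource processor VMSS; if that is intended, say so at the attributes, e.g. `# Trusted Launch (Secure Boot + vTPM). Changing these on an existing VMSS forces replacement; acceptable only because the resource processor keeps no state on its instances.` — confirm that statelessness claim before committing it. Secure Boot and vTPM also require a Trusted-Launch-capable (Gen2) `source_image_reference` and a supported VM size, both of which lie outside this hunk, so I cannot verify them here; the same two attributes are added in the jumpbox (`admin-jumpbox.tf`) and nexus (`vm.tf`) hunks and the image requirement applies there too. Note that `encryption_at_host_enabled = false` on the line above is unaffected by Trusted Launch: vTPM gives measured boot, not data-at-rest protection. The `vm_linux` resource starts and ends outside the hunk.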
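Review bot: Adding `secure_boot_enabled` and `vtpm_enabled` to `ignore_changes` on the jumpbox means an already-deployed VM keeps whatever security type it was created with, and `terraform plan` will never report that gap, so the declared posture and the actual posture can silently differ. The new comment should state that consequence plainly rather than only pointing at the provider issue, e.g. `# Existing VMs keep their current security type: Terraform will neither report nor fix that drift, so Trusted Launch applies only to VMs created (or recreated) after this change.` Detecting the drift then has to happen outside Terraform, for instance an inventory or policy check on the VM's `securityProfile.securityType`. The same change and comment appear in the nexus `vm.tf` hunk that follows, and the trailing empty `#` comment line in both can be dropped. The `jumpbox` resource starts outside the hunk.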
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -103,10 +103,15 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 admin_username = "adminuser"
 admin_password = random_password.nexus_vm_password.result
 tags = local.tre_shared_service_tags
+ secure_boot_enabled = true
+ vtpm_enabled = true
 
 custom_data = data.template_cloudinit_config.nexus_config.rendered
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 
 source_image_reference {
 publisher = "Canonical"