Update according to review comments

internal/services/batch/batch_pool.go

@@ -411,6 +411,31 @@ func flattenBatchPoolIdentityReferenceToIdentityID(ref *pool.ComputeNodeIdentity
 	return ""
 }
 
+func flattenBatchPoolSecurityProfile(configProfile *pool.SecurityProfile) []interface{} {
+	securityProfile := make([]interface{}, 0)
+	securityConfig := make(map[string]interface{})
+
+	if configProfile.EncryptionAtHost != nil {
+		securityConfig["host_encryption_enabled"] = *configProfile.EncryptionAtHost
+	}
+
+	if configProfile.SecurityType != nil {
+		securityConfig["security_type"] = string(*configProfile.SecurityType)
+	}
+
+	if configProfile.UefiSettings != nil {
+		if configProfile.UefiSettings.SecureBootEnabled != nil {
+			securityConfig["secure_boot_enabled"] = pointer.ToBool(configProfile.UefiSettings.SecureBootEnabled)
+		}
+		if configProfile.UefiSettings.VTpmEnabled != nil {
+			securityConfig["vtpm_enabled"] = pointer.ToBool(configProfile.UefiSettings.VTpmEnabled)
+		}
+	}
+
+	securityProfile = append(securityProfile, securityConfig)
+	return securityProfile
+}
+
 func flattenBatchPoolUserAccount(d *pluginsdk.ResourceData, account *pool.UserAccount) map[string]interface{} {
 	userAccount := make(map[string]interface{})
 	userAccount["name"] = account.Name

internal/services/batch/batch_pool_resource.go

@@ -727,6 +727,7 @@ func resourceBatchPool() *pluginsdk.Resource {
 			"security_profile": {
 				Type:     pluginsdk.TypeList,
 				Optional: true,
+				ForceNew: true,
 				MaxItems: 1,
 				Elem: &pluginsdk.Resource{
 					Schema: map[string]*pluginsdk.Schema{
@@ -1275,25 +1276,17 @@ func resourceBatchPoolRead(d *pluginsdk.ResourceData, meta interface{}) error {
 						nodePlacementConfiguration = append(nodePlacementConfiguration, nodePlacementConfig)
 						d.Set("node_placement", nodePlacementConfiguration)
 					}
+
 					osDiskPlacement := ""
 					if config.OsDisk != nil && config.OsDisk.EphemeralOSDiskSettings != nil && config.OsDisk.EphemeralOSDiskSettings.Placement != nil {
 						osDiskPlacement = string(*config.OsDisk.EphemeralOSDiskSettings.Placement)
 					}
 					d.Set("os_disk_placement", osDiskPlacement)
+
 					if config.SecurityProfile != nil {
-						securityProfile := make([]interface{}, 0)
-						securityConfig := make(map[string]interface{})
-						securityConfig["host_encryption_enabled"] = pointer.ToBool(config.SecurityProfile.EncryptionAtHost)
-						if config.SecurityProfile.SecurityType != nil {
-							securityConfig["security_type"] = string(*config.SecurityProfile.SecurityType)
-						}
-						if config.SecurityProfile.UefiSettings != nil {
-							securityConfig["secure_boot_enabled"] = pointer.ToBool(config.SecurityProfile.UefiSettings.SecureBootEnabled)
-							securityConfig["vtpm_enabled"] = pointer.ToBool(config.SecurityProfile.UefiSettings.VTpmEnabled)
-						}
-						securityProfile = append(securityProfile, securityConfig)
-						d.Set("security_profile", securityProfile)
+						d.Set("security_profile", flattenBatchPoolSecurityProfile(config.SecurityProfile))
 					}
+
 					if config.WindowsConfiguration != nil {
 						windowsConfig := []interface{}{
 							map[string]interface{}{

website/docs/r/batch_pool.html.markdown

@@ -507,13 +507,15 @@ A `task_scheduling_policy` block supports the following:
 ---
 A `security_profile` block supports the following:
 
-* `host_encryption_enabled` - (Optional) Whether to enable host encryption for the Virtual Machine or Virtual Machine Scale Set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. Possible values are `true` and `false`.
+* `host_encryption_enabled` - (Optional) Whether to enable host encryption for the Virtual Machine or Virtual Machine Scale Set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. Possible values are `true` and `false`. Changing this forces a new resource to be created.
 
-* `security_type` - (Optional) The security type of the Virtual Machine. Possible values are `confidentialVM` and `trustedLaunch`.
+* `security_type` - (Optional) The security type of the Virtual Machine. Possible values are `confidentialVM` and `trustedLaunch`. Changing this forces a new resource to be created.
 
-* `secure_boot_enabled` - (Optional) Whether to enable secure boot for the Virtual Machine or Virtual Machine Scale Set. Possible values are `true` and `false`.
+* `secure_boot_enabled` - (Optional) Whether to enable secure boot for the Virtual Machine or Virtual Machine Scale Set. Possible values are `true` and `false`. Changing this forces a new resource to be created.
 
-* `vtpm_enabled` - (Optional) Whether to enable virtual trusted platform module (vTPM) for the Virtual Machine or Virtual Machine Scale Set. Possible values are `true` and `false`.
+* `vtpm_enabled` - (Optional) Whether to enable virtual trusted platform module (vTPM) for the Virtual Machine or Virtual Machine Scale Set. Possible values are `true` and `false`. Changing this forces a new resource to be created.
+
+~> **NOTE:** `security_profile` block can only be specified during creation and does not support updates.
 
 ~> **NOTE:** `security_type` must be specified to set UEFI related properties including `secure_boot_enabled` and `vtpm_enabled`.