diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
index cfd63c488b..0971c6c4b9 100644
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@@ -20,6 +20,11 @@ image = "@IMAGEPATH@"
 # from memory encryption to both memory and CPU-state encryption and integrity.
 # The Kata Containers runtime dynamically detects the available feature set and
 # aims at enabling the largest possible one.
+#
+# Known limitations:
+# * Does not work by design:
+#   - CPU Hotplug 
+#
 # Default false
 # confidential_guest = true
 
diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in
index 59753db5d6..a603d7607a 100644
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@@ -21,6 +21,11 @@ machine_type = "@MACHINETYPE@"
 # from memory encryption to both memory and CPU-state encryption and integrity.
 # The Kata Containers runtime dynamically detects the available feature set and
 # aims at enabling the largest possible one.
+#
+# Known limitations:
+# * Does not work by design:
+#   - CPU Hotplug 
+#
 # Default false
 # confidential_guest = true
 
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index 713280be72..26f33f5d6b 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -564,6 +564,11 @@ func (conf *HypervisorConfig) Valid() error {
 		conf.DefaultMaxVCPUs = defaultMaxVCPUs
 	}
 
+	if conf.ConfidentialGuest && conf.NumVCPUs != conf.DefaultMaxVCPUs {
+		hvLogger.Warnf("Confidential guests do not support hotplugging of vCPUs. Setting DefaultMaxVCPUs to NumVCPUs (%d)", conf.NumVCPUs)
+		conf.DefaultMaxVCPUs = conf.NumVCPUs
+	}
+
 	if conf.Msize9p == 0 && conf.SharedFS != config.VirtioFS {
 		conf.Msize9p = defaultMsize9p
 	}