diff --git a/qubes/api/admin.py b/qubes/api/admin.py
index 753a32ea..9004ef3a 100644
--- a/qubes/api/admin.py
+++ b/qubes/api/admin.py
@@ -992,12 +992,15 @@ class QubesAdminAPI(qubes.api.AbstractQubesAPI):
 
         # if argument is given, it needs to be a valid template, and only
         # when given VM class do need a template
-        if hasattr(vm_class, 'template'):
-            if self.arg:
-                self.enforce(self.arg in self.app.domains)
+        if self.arg:
+            if hasattr(vm_class, 'template'):
+                if self.arg not in self.app.domains:
+                    raise qubes.api.PermissionDenied(
+                        'Template {} does not exist'.format(self.arg))
                 kwargs['template'] = self.app.domains[self.arg]
-        else:
-            self.enforce(not self.arg)
+            else:
+                raise qubes.exc.QubesValueError(
+                    '{} cannot be based on template'.format(vm_type))
 
         for untrusted_param in untrusted_payload.decode('ascii',
                 errors='strict').split(' '):
diff --git a/qubes/tests/api_admin.py b/qubes/tests/api_admin.py
index be19fa81..a1b25981 100644
--- a/qubes/tests/api_admin.py
+++ b/qubes/tests/api_admin.py
@@ -1168,7 +1168,7 @@ class TC_00_VMs(AdminAPITestCase):
     @unittest.mock.patch('qubes.storage.Storage.create')
     def test_331_vm_create_standalone_spurious_template(self, storage_mock):
         storage_mock.side_effect = self.dummy_coro
-        with self.assertRaises(qubes.api.PermissionDenied):
+        with self.assertRaises(qubes.exc.QubesValueError):
             self.call_mgmt_func(b'admin.vm.Create.StandaloneVM',
                 b'dom0', b'test-template', b'name=test-vm2 label=red')