Getting Error : creation of OS disk only with SecurityType as TrustedLaunch

Aditya Mohapatra 40 Reputation points
2024-07-24T09:37:13.4233333+00:00

I am getting error -
New-AzDisk : The provided gallery image: /subscriptions/44328f0f-3fad-40a5-ae95-390f5b1a0d8c/resourceGroups/co-np-eastus-Spectrum-OSImages-rg/providers/Microsoft.Compute/galleries/co_np_eastus_spectrum_os_images/images/Ubuntu_22.04_Baseline_Hardened/versions/0.0.1 supports creation of OS disk only with SecurityType as TrustedLaunch.
ErrorCode: BadRequest
ErrorMessage: The provided gallery image: /subscriptions/44328f0f-3fad-40a5-ae95-390f5b1a0d8c/resourceGroups/co-np-eastus-Spectrum-OSImages-rg/providers/Microsoft.Compute/galleries/co_np_eastus_spectrum_os_images/images/Ubuntu_22.04_Baseline_Hardened/versions/0.0.1 supports creation of OS disk only with SecurityType as TrustedLaunch.
ErrorTarget:
StatusCode: 400
ReasonPhrase: Bad Request
OperationID : 76746fcd-3c1a-4c73-93c3-68ab6369f571
At C:\azagent_work\1\s\Export-AzureComputeGalleryImageVersion.ps1:51 char:13
+ $Disk = New-AzDisk `
+ CategoryInfo : CloseError: (:) [New-AzDisk], ComputeCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Automation.NewAzureRmDisk

I am running this script in the agent VM. I have checked the agent VM security type, and it's already Trusted Launch, so I am not able to find why I am getting this error.

I get it while running this script in an Azure DevOps Pipeline:

param(
    $ComputeGalleryName,
    $ComputeGalleryResourceGroupName,
    $ImageDefinitionName,
    $ImageVersionName
)

$ErrorActionPreference = 'Stop'

$DiskPrefix = "disk-$($ImageDefinitionName)-"
$Location = (Get-AzResourceGroup -Name $ComputeGalleryResourceGroupName).Location

# Gets the Image Version ID
$ImageVersion = Get-AzGalleryImageVersion `
    -GalleryImageDefinitionName $ImageDefinitionName `
    -GalleryName $ComputeGalleryName `
    -ResourceGroupName $ComputeGalleryResourceGroupName `
    -Name $ImageVersionName

# Gets the OS Type
$OsType = (Get-AzGalleryImageDefinition `
    -GalleryImageDefinitionName $ImageDefinitionName `
    -GalleryName $ComputeGalleryName `
    -ResourceGroupName $ComputeGalleryResourceGroupName).OsType

$ImageDisksCount = $ImageVersion.StorageProfile.OsDiskImage.Count + $ImageVersion.StorageProfile.DataDiskImages.Count
Write-Output "Image Disks Count: $($ImageDisksCount)"

for($i = 0; $i -lt $ImageDisksCount; $i++)
{    
    $GalleryImageReference = if($i -eq 0)
    {
        @{Id = $ImageVersion.Id}
    }
    else{
        @{Id = $ImageVersion.Id; Lun = $($i - 1)}
    }

    # Creates a Disk Configuration for a Managed Disk using the Image Version in the Compute Gallery
    $DiskConfig = New-AzDiskConfig `
        -Location $Location `
        -CreateOption FromImage `
        -GalleryImageReference $GalleryImageReference `
        -OsType $OsType

    # Creates a Managed Disk using the Image Version in the Compute Gallery
    $Disk = New-AzDisk `
        -Disk $DiskConfig `
        -ResourceGroupName $ComputeGalleryResourceGroupName `
        -DiskName ($DiskPrefix + $i.ToString())
    
    Write-Output "Disk: $($Disk)"

    # Creates a URI with a SAS Token to download the VHD of the Managed Disk
    $DiskAccess = Grant-AzDiskAccess `
        -ResourceGroupName $Disk.ResourceGroupName `
        -DiskName $Disk.Name `
        -Access 'Read' `
        -DurationInSecond 14400

    # Downloads the VHD using 10 concurrent network calls and validates the MD5 hash
    Get-AzStorageBlobContent `
        -AbsoluteUri $DiskAccess.AccessSAS `
        -Destination "f:\Temp\$($Disk.Name).vhd"

    # Revokes the SAS Token to download the VHD
    Revoke-AzDiskAccess `
        -ResourceGroupName $Disk.ResourceGroupName `
        -DiskName $Disk.Name

    # Deletes the Managed Disk
    Remove-AzDisk `
        -ResourceGroupName $Disk.ResourceGroupName `
        -DiskName $Disk.Name `
        -Force
}

Accepted answer
  1. TP 97,996 Reputation points
    2024-07-30T07:49:56.47+00:00

    Hi Aditya,

    Please add the command below after the $DiskConfig = New-AzDiskConfig -Location $Location -CreateOption FromImage -GalleryImageReference $GalleryImageReference -OsType $OsType line and then test:

    $DiskConfig = Set-AzDiskSecurityProfile -Disk $DiskConfig -SecurityType "TrustedLaunch"
    
    

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP
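
The accepted fix applied to the OS-disk step of the question's script, as an added example that is not part of either post: it reads the image definition's `SecurityType` feature and sets the disk security profile only when the image requires Trusted Launch, so the same script still works for images without that requirement. Handling only the value `TrustedLaunch` (the one named in the error) and only the OS disk are assumptions of this example.

```powershell
param(
    $ComputeGalleryName,
    $ComputeGalleryResourceGroupName,
    $ImageDefinitionName,
    $ImageVersionName
)

$ErrorActionPreference = 'Stop'

$Location = (Get-AzResourceGroup -Name $ComputeGalleryResourceGroupName).Location

$ImageDefinition = Get-AzGalleryImageDefinition `
    -GalleryImageDefinitionName $ImageDefinitionName `
    -GalleryName $ComputeGalleryName `
    -ResourceGroupName $ComputeGalleryResourceGroupName

$ImageVersion = Get-AzGalleryImageVersion `
    -GalleryImageDefinitionName $ImageDefinitionName `
    -GalleryName $ComputeGalleryName `
    -ResourceGroupName $ComputeGalleryResourceGroupName `
    -Name $ImageVersionName

# The security type is a property of the image definition (a feature named
# SecurityType), not of the VM the script happens to run on.
$ImageSecurityType = ($ImageDefinition.Features |
    Where-Object { $_.Name -eq 'SecurityType' }).Value
Write-Output "Image SecurityType feature: $ImageSecurityType"

# OS disk only: no Lun in the gallery image reference.
$DiskConfig = New-AzDiskConfig `
    -Location $Location `
    -CreateOption FromImage `
    -GalleryImageReference @{ Id = $ImageVersion.Id } `
    -OsType $ImageDefinition.OsType

# Assumption: only the value from the error message is handled here;
# any other feature value leaves the disk config unchanged.
if ($ImageSecurityType -eq 'TrustedLaunch') {
    $DiskConfig = Set-AzDiskSecurityProfile -Disk $DiskConfig -SecurityType 'TrustedLaunch'
}

$Disk = New-AzDisk `
    -Disk $DiskConfig `
    -ResourceGroupName $ComputeGalleryResourceGroupName `
    -DiskName "disk-$($ImageDefinitionName)-0"

Write-Output "Created $($Disk.Name) with SecurityType: $($Disk.SecurityProfile.SecurityType)"
```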


1 additional answer

  1. Sumarigo-MSFT 46,446 Reputation points Microsoft Employee
    2024-07-24T14:32:04+00:00

    @Aditya Mohapatra Apologies for the delay in responding here.

    For specialized assistance on an Azure DevOps/Azure Boards question, kindly re-post your question on Developer Community to receive insights from the targeted SMEs/audience.

    However, let me share some insights on this issue.

    It looks like you're encountering an issue with the New-AzDisk command in your Azure DevOps Pipeline. The error message indicates that the provided gallery image supports the creation of OS disks only with the SecurityType set to TrustedLaunch. Here are a few steps you can take to troubleshoot and resolve this issue:

    Verify Security Type: Ensure that the security type of the agent VM is indeed set to TrustedLaunch. You mentioned that you have already checked this, but it might be worth double-checking.

    Check Image Compatibility: Make sure that the gallery image you are using is compatible with the TrustedLaunch security type. The error message suggests that the image supports only TrustedLaunch, so ensure that your configuration aligns with this requirement.

    Update Script: Ensure that your script explicitly sets the SecurityType to TrustedLaunch when creating the disk. You can do this by adding the appropriate parameter to the New-AzDisk command.

    Review Documentation: Refer to the Azure documentation on Trusted Launch for more details on how to configure and troubleshoot Trusted Launch VM.

    Please let us know if you have any further queries. I'm happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

