Azure marketplace application offer using trusted launch VM image offer

Peter Morrow 91 Reputation points
2022-08-04T13:05:20.637+00:00

Hello,

I have a VM image offer currently in private preview which supports trusted launch, i.e. when I deploy a VM using that image I can use the vTPM. Note that the offer required me to use a SAS URI when specifying the image to use instead of a compute gallery link (I've been testing trusted launch with our VM image using compute galleries up to this point).

In my Azure application offer I enable the trusted launch feature as follows (trimmed the ARM template a bit):

        "properties": {
            "hardwareProfile": {
                "vmSize": "[parameters('vmSize')]"
            },
            "securityProfile": {
                "securityType": "TrustedLaunch",
                "uefiSettings": {
                    "secureBootEnabled": false,
                    "vTpmEnabled": true
                }
            }
        }

However when I come to deploy my Azure application offer I get this error:

"message": "Use of TrustedLaunch setting is not supported for the provided image."

This is not the case: the VM image definition was created with the following feature settings:

        {
            "name": "SecurityType",
            "value": "TrustedLaunch"
        }

Further to that, when I manually deploy the VM image using an Azure template specification, the deployment works and I get a VM using our custom image with a vTPM.

Can anyone help me understand why I cannot deploy my offer in the way I want to? I suspect the issue is due to the use of a SAS URL rather than an Azure compute gallery based image; however, I was advised by support to use a SAS URL, as using a compute gallery based image caused our submission to hang.

Thanks,
Peter.


Accepted answer
    kobulloc-MSFT 23,341 Reputation points Microsoft Employee
    2022-08-15T19:53:17.987+00:00

    Hello, @Peter Morrow !

    I'm going to do my best to consolidate our conversation here to help with readability and I've added some more information below.

    Edit: It appears that not all Virtual Machine products currently support trusted launch; however, additional support is planned for the future.

    How do I publish a virtual machine offer in the marketplace with trusted launch?
    First, let's review some terminology:

    • Private plan: A private plan within a VM offer is available to only a private audience (configured by the publisher). This private audience is configured on the "Pricing and Availability page" and specified via subscription IDs and/or tenant IDs.
    • Hidden plan: A hidden plan is not visible in the Azure Marketplace and is only visible via Azure CLI/ARM/etc. To hide a plan or plans, enable the checkbox at the bottom of the Technical Configuration page for each plan. If all plans in a VM offer are hidden, then the entire offer will be hidden from the Azure Marketplace (and only visible and deployable via Azure CLI/ARM/etc.).
    • Private offer: A private offer would be very different from the plans above.

    Then let's look at some general properties of trusted launch:

    • Only available for some Virtual Machine products: Trusted launch security type is only available for some Virtual Machine products. This option is not yet available for all Virtual Machine products; however, there are plans for additional support in the future.
    • Enabled on Technical Configuration page: Trusted launch can be enabled on the “Technical Configuration” page for the respective plan. Once enabled, save the page and publish the offer again.
    • The security type can be increased, but not decreased: A publisher can publish the offer with “None” as the Security type and later come back and set it to “Trusted launch”, but not the other way around.
    • Compute gallery or SAS URI should have no impact: Uploading using Azure compute gallery vs. SAS URI should not affect trusted launch. This security type just needs to be enabled on the "Technical Configuration" page, as noted in the second bullet point.

    Additional notes:

    • With hidden plans (see terminology), VMs won't deploy correctly from the portal. You'll need to create a link similar to this and add the subscription in the hidden plan so that it allows trusted launch VM creation: https://portal.azure.com/#create/<graphiant-image-name>
    • For Bicep/ARM deployments, make sure you are using an up to date version of the API (securityType was added in December of 2020)

    Looking at your setup:

    • You've created a virtual machine offer (which is in private preview)
    • You switched to using a compute gallery image when submitting the VM offer (which had mixed results but ultimately worked)
    • You've been using a template spec with the ARM snippet from the original question above
    • The offer supports trusted launch
    • A SAS URI was required when specifying the image
    • You've verified that your offer can be manually deployed to use vTPM
    • Deploying the offer results in the error "Use of TrustedLaunch setting is not supported for the provided image."

    Resulting deployment from the template spec, as viewed from the portal:

    [image: 231203-image.png]

    Deployment options for the same image via the marketplace:

    [image: 231120-image.png]

    Troubleshooting:
    Whether the image is associated with a private plan or a hidden plan should not matter. The only things that should matter are that:

    • The image being deployed is associated with a private plan.
    • The user deploying the image is part of the configured private audience, which is found on the “Availability” page in Partner Center.

    Let me know where that leaves us and we can explore this further.
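A static pre-flight check for the points the answer lists (securityType set, apiVersion recent enough, vTPM enabled, an image reference present), as an added example that is not code from the question, the answer or Azure. It assumes plain ARM JSON loaded as a dict and takes 2020-12-01 as the minimum apiVersion from the answer's note; the sample template and its image id are constructed placeholders.

```python
"""Pre-flight check of ARM VM resources for trusted launch (added example, not
code from the question, the answer or Azure). Assumes plain ARM JSON as a dict;
following the answer's note that securityType was added in December 2020, it
treats apiVersion 2020-12-01 as the minimum. The sample template is constructed."""
import json

MIN_API_VERSION = "2020-12-01"  # assumption derived from the answer's note

def api_version_ok(api_version: str) -> bool:
    """ARM apiVersions are dates, optionally with a -preview suffix."""
    return api_version.split("-preview")[0] >= MIN_API_VERSION

def check_trusted_launch(template: dict) -> list:
    """Return (resource name, problem) pairs; an empty list means nothing was found."""
    problems = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Compute/virtualMachines":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        sec = props.get("securityProfile", {})
        if sec.get("securityType") != "TrustedLaunch":
            problems.append((name, "securityType is not TrustedLaunch"))
            continue  # the remaining checks only apply to trusted launch VMs
        api = res.get("apiVersion", "")
        if not api_version_ok(api):
            problems.append((name, f"apiVersion {api} predates {MIN_API_VERSION}"))
        if not sec.get("uefiSettings", {}).get("vTpmEnabled", False):
            problems.append((name, "vTpmEnabled is not true"))
        image = props.get("storageProfile", {}).get("imageReference", {})
        if "id" not in image and not {"publisher", "offer", "sku"} <= set(image):
            problems.append((name, "imageReference has neither a gallery id nor publisher/offer/sku"))
    return problems

# Constructed sample: vm-old-api uses a pre-2020-12-01 apiVersion, vm-ok passes.
_VM = """{"type": "Microsoft.Compute/virtualMachines", "apiVersion": "%s", "name": "%s",
  "properties": {"securityProfile": {"securityType": "TrustedLaunch",
    "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}},
  "storageProfile": {"imageReference": {"id": "/subscriptions/<placeholder>/gallery-image"}}}}"""
SAMPLE_TEMPLATE = json.loads('{"resources": [%s, %s]}'
                             % (_VM % ("2020-06-01", "vm-old-api"), _VM % ("2022-03-01", "vm-ok")))

if __name__ == "__main__":
    for name, problem in check_trusted_launch(SAMPLE_TEMPLATE):
        print(f"{name}: {problem}")
```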


1 additional answer

    Peter Morrow 91 Reputation points
    2022-08-09T08:11:08.96+00:00

    Hi @kobulloc-MSFT !

    Thanks for taking the time to reply. Let me make a few clarifications & updates, though you are pretty much spot on.

    1) I switched to using a compute gallery image when submitting the VM offer; this worked this time (unsure why it failed on the previous attempts). The issue with trusted launch still persists though.

    2) Up until this point (prior to attempting to move to the marketplace) I've been using a template spec with the ARM snippet posted in the original post. When deploying a VM using my template spec, the vTPM is available after logging in and I see this on the portal after the VM deploys:

    [image: 229414-image.png]

    So this is all good so far.

    3) When I deploy the same image via the marketplace private VM offer (without the Azure application offer, just straight up deploying the VM) I am presented with security options; however, trusted launch is still not available, so the only way I can make trusted launch work so far, it seems, is via an ARM template/template spec:

    [image: 229459-image.png]

    So it seems maybe this is something to do with the VM offer rather than the application offer.

    Hope this additional information is useful!

    Peter.