Hello, @Peter Morrow!
I'm going to do my best to consolidate our conversation here to help with readability and I've added some more information below.
Edit: It appears that not all Virtual Machine products currently support trusted launch; however, additional support is planned for the future.
How do I publish a virtual machine offer in the marketplace with trusted launch?
First, let's review some terminology:
- Private plan: A private plan within a VM offer is available to only a private audience (configured by the publisher). This private audience is configured on the "Pricing and Availability page" and specified via subscription IDs and/or tenant IDs.
- Hidden plan: A hidden plan is not visible in the Azure Marketplace and is only visible via Azure CLI/ARM/etc. To hide a plan or plans, enable the checkbox at the bottom of the Technical Configuration page for each plan. If all plans in a VM offer are hidden, then the entire offer will be hidden from the Azure Marketplace (and only visible and deployable via Azure CLI/ARM/etc.).
- Private offer: A private offer would be very different from the plans above.
Then let's look at some general properties of trusted launch:
- Only available for some Virtual Machine products: Trusted launch security type is only available for some Virtual Machine products. This option is not yet available for all Virtual Machine products; however, there are plans for additional support in the future.
- Enabled on Technical Configuration page: Trusted launch can be enabled on the “Technical Configuration” page for the respective plan. Once enabled, save the page and publish the offer again.
- The security type can be increased, but not decreased: A publisher can publish the offer with “None” as the Security type and later come back and set it to “Trusted launch” but not the other way around.
- Compute gallery or SAS URI should have no impact: Uploading using Azure compute gallery vs. SAS URI should not affect trusted launch. This security type just needs to be enabled on the "Technical Configuration" page as noted in the second bullet point.
Additional notes:
- With hidden plans (see terminology), VMs won't deploy correctly from the portal. You'll need to create a link similar to this and add the subscription in the hidden plan so that it allows trusted launch VM creation:
https://portal.azure.com/#create/<graphiant-image-name>
- For Bicep/ARM deployments, make sure you are using an up-to-date version of the API (securityType was added in December of 2020)
Looking at your setup:
- You've created a virtual machine offer (which is in private preview)
- You switched to using a compute gallery image when submitting the VM offer (which had mixed results but ultimately worked)
- You've been using a template spec with the ARM snippet from the original question above
- The offer supports trusted launch
- A SAS URI was required when specifying the image
- You've verified that your offer can be manually deployed to use vTPM
- Deploying the offer results in the error "Use of TrustedLaunch setting is not supported for the provided image."
Resulting deployment from the template spec, as viewed from the portal:
Deployment options for the same image via the marketplace:
Troubleshooting:
Whether the image is associated with a private plan or a hidden plan should not matter. The only things that should matter are that:
- The image being deployed is associated to a private plan.
- The user deploying the image is part of the configured private audience which is found on the “Availability” page in Partner Center.
Let me know where that leaves us and we can explore this further.
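To make the "up-to-date API version" and securityType points above concrete, here is an added Bicep example that is not part of the answer above and not the offer's own template. It deploys a marketplace image with trusted launch enabled, using Microsoft.Compute API version 2020-12-01 (the version in which securityType was introduced; any newer version also works). The publisher, offer, plan IDs and the nicId parameter are placeholders; substitute the values from your Partner Center plan and an existing network interface.

```bicep
// Added example (not from the original answer): minimal Bicep deployment of a
// marketplace VM with trusted launch. All image/plan values are placeholders.
param location string = resourceGroup().location
param vmName string = 'tl-vm-example'
param adminUsername string
@secure()
param adminPassword string
// Resource ID of an existing NIC (assumed to be created elsewhere).
param nicId string

// Placeholder marketplace identifiers; replace with the values from Partner Center.
var imagePublisher = '<publisher-id>'
var imageOffer = '<offer-id>'
var imageSku = '<plan-id>'

// API version 2020-12-01 or newer is required for securityProfile.securityType.
resource vm 'Microsoft.Compute/virtualMachines@2020-12-01' = {
  name: vmName
  location: location
  // Marketplace images need a plan block that matches the imageReference below.
  plan: {
    publisher: imagePublisher
    product: imageOffer
    name: imageSku
  }
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v3'
    }
    // Trusted launch: Secure Boot plus a virtual TPM. The plan must have trusted
    // launch enabled on its Technical Configuration page or deployment is rejected.
    securityProfile: {
      securityType: 'TrustedLaunch'
      uefiSettings: {
        secureBootEnabled: true
        vTpmEnabled: true
      }
    }
    storageProfile: {
      imageReference: {
        publisher: imagePublisher
        offer: imageOffer
        sku: imageSku
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nicId
        }
      ]
    }
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep` from a subscription that is in the plan's private audience. If the template is saved as a template spec, the same securityProfile block applies; the "Use of TrustedLaunch setting is not supported for the provided image" error indicates the image referenced by plan/imageReference does not have trusted launch enabled on the plan, not a problem with the template syntax.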