Source image is not set for trusted boot. How would I set it?

[isotonicuk]

Hi 

I'm new to Bicep and IaC in general and I am learning it by deploying a mini environment in my lab. I am using the same code base as defined here: https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/#azure-compute-gallery but I have made some alterations to it as I am trying to create a gen2 Trusted Launch VM to be used instead of a standard SecurityType defined in this blog. 

I create my initial image version of Windows 11 using Securitytype trusted launch. This was just a standard Microsoft gallery image, which I then sysprep and generalise. That all seem to well and my base image has the security Type that I want. Defined in my BICEP file under

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  // Security profile properties...
  securityProfile: {
    uefiSettings: {
      secureBootEnabled: true
      vTpmEnabled: true
    }
    securityType: 'TrustedLaunch'
  }
  diagnosticsProfile: {
    bootDiagnostics: {
      enabled: true
    }
  }
}

When I come to run the main.bicep file alongside the parameters which then pulls the various modules depending on where it is in the build it goes through the process of deploying the gallery image but fails with the error:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure, Target: /subscriptions//resourceGroups/uks-rb81-vdi-avd-hpl-priv-001-01/providers/Microsoft.Compute/galleries/uksbldglbssvgal01/images/uks-img-Windows-desktop-11-gen2-22h2-priv-tl-001/versions/2023.09.26) The source 'subscriptions//resourceGroups/rg-Win11-template/providers/Microsoft.Compute/virtualMachines/i4xsd3rrtnobm-vm' has security type 'TrustedLaunch' and cannot be used as a source for an image definition with SecurityType feature set to 'None'. (Code: Conflict)

I am really confused where I need to set this, I thought it would be under the bicep file deploy-shared-image-gallery.bicep but then when I declare the params and resource as 

//Create VM with Security type
resource virtualMachine 'Microsoft.Compute/virtualMachines@2023-07-01' = {
  name: imageDefinitionName
  location: location
  securityType: 'TrustedLaunch'
}

It just says The property "securityType" is not allowed on objects of type "Microsoft.Compute/virtualMachines". Permissible properties include "asserts", "dependsOn", "extendedLocation", "identity", "plan", "properties", "tags", "zones". If this is an inaccuracy in the documentation, please report it to the Bicep Team.

Could it be an expression that I need to define:? Param and var value?

Any help on this would be most appreciated.

Thanks

[GABRIELNGBTUC]

The security type needs to be set inside the properties in the securityProfile property

If you are confused on where to put properties, you can always check the bicep documentation or the REST API documentation as those contains examples and explanations of valid properties.

For example, in the REST documentation:

PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2023-07-01

{
  "location": "westus",
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_D2s_v3"
    },
    "securityProfile": {
      "uefiSettings": {
        "secureBootEnabled": true,
        "vTpmEnabled": true
      },
      "securityType": "TrustedLaunch"
    },
    "storageProfile": {
      "imageReference": {
        "sku": "windows10-tvm",
        "publisher": "MicrosoftWindowsServer",
        "version": "18363.592.2001092016",
        "offer": "windowsserver-gen2preview-preview"
      },
      "osDisk": {
        "caching": "ReadOnly",
        "managedDisk": {
          "storageAccountType": "StandardSSD_LRS"
        },
        "createOption": "FromImage",
        "name": "myVMosdisk"
      }
    },
    "osProfile": {
      "adminUsername": "{your-username}",
      "computerName": "myVM",
      "adminPassword": "{your-password}"
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
          "properties": {
            "primary": true
          }
        }
      ]
    }
  }
}

You have a workable example in JSON format of how to enable TPM in your VM.

[jeskew]

Make sure that the source image you've selected supports trusted launch. The error message you report (The source 'subscriptions//resourceGroups/rg-Win11-template/providers/Microsoft.Compute/virtualMachines/i4xsd3rrtnobm-vm' has security type 'TrustedLaunch' and cannot be used as a source for an image definition with SecurityType feature set to 'None'.) indicates that the source image you're trying to deploy is not compatible with trusted launch.

If you believe you are getting this message in error, please open a support case with Azure Compute.

[isotonicuk]

Thanks both, the image does support trusted Launch, I have checked that. Its a B2ms SKU.

Looking at the example shared by @GABRIELNGBTUC I think the issue I am having is more around placement of where that code needs to be in....Sorry still learning the concepts so will give that a try and respond back on how I get on.

Thanks

[isotonicuk]

Thought I would add, managed to resolve in the end. I needed to add features into the deploy-shared-image-gallery.bicep file

features: [
{
name: 'SecurityType'
value: 'TrustedLaunch'
}
]

at the point when it creates the resource galleryDefinition after it declares the hyperVGeneration. What I found is its not well documented at the moment.