Create a virtual machine using an approved base

This article describes how to use Azure to create a virtual machine (VM) containing a pre-configured, endorsed operating system. If this isn't compatible with your solution, it's possible to create and configure an on-premises VM using an approved operating system.


Note

Before you start this procedure, review the technical requirements for Azure VM offers, including virtual hard disk (VHD) requirements.

Select an approved base image

Select one of the following Windows or Linux images as your base.

Windows

Linux

Azure offers a range of approved Linux distributions. For a current list, see Linux distributions endorsed by Azure.

Create VM on the Azure portal

  1. Sign in to the Azure portal.
  2. Select Virtual machines.
  3. Select + Create and + Virtual machine from the drop-down menu to open the Create a virtual machine screen.
  4. Select the image from the dropdown list or select See all images to search or browse all available virtual machine images. You can also configure the VM generation of your image depending on the image you select.
  5. Select the size of the VM to deploy.
  6. Provide the other required details to create the VM.
  7. Select Review + create to review your choices. When the Validation passed message appears, select Create.

Azure begins provisioning the VM you specified. Track its progress by selecting Virtual machines in the left menu. When provisioning finishes, the VM's status changes to Running.

Configure the VM

This section describes how to size, update, and generalize an Azure VM. These steps are necessary to prepare your VM to be deployed on Azure Marketplace.

Connect to your VM

Refer to the following documentation to connect to your Windows or Linux VM.

Install the most current updates

The base image must contain all updates available as of its publication date. Before publishing, make sure you have applied the latest security and maintenance patches to the OS and to every installed service.

  • For Windows Server, run the Check for Updates command.
  • For Linux distributions, updates are commonly downloaded and installed through a command-line tool or a graphical utility. For example, Ubuntu Linux provides the apt-get command and the Update Manager tool for updating the OS.

Perform additional security checks

Maintain a high level of security for your solution images in Azure Marketplace. For a checklist of security configurations and procedures, see Security recommendations for Azure Marketplace images.

Customize your VM image

Now, install the necessary software and make any custom configuration changes on your VM for your solution to work properly, including any scheduled tasks that need to run after deployment. Consider the following when making your custom changes:

  • If it is a scheduled run-once task, the task should delete itself after it successfully completes.
  • Configurations should not rely on drives other than C or D, because only these two drives are always guaranteed to exist (drive C is the operating system disk and drive D is the temporary local disk).
  • Make any technical configuration changes necessary for your solution. Later, you will flag the configurations you make on your VM in the Properties section of the Technical Configuration page in Partner Center. This will show your customers which scenarios are supported based on the configuration changes you make now. Select from the following technical configuration properties during publishing:
    • Supports backup
    • Supports accelerated networking
    • Supports cloud-init configuration
    • Supports extensions
    • Is a network virtual appliance
    • Remote desktop or SSH disabled
    • Requires custom ARM template

For more information about Linux customizations, see Virtual machine extensions and features for Linux.

Generalize the image

All images in Azure Marketplace must be reusable in a generic fashion. To achieve this, the operating system VHD must be generalized, an operation that removes all instance-specific identifiers and software drivers from a VM.

For Windows

Windows OS disks are generalized with the sysprep tool. If you later update or reconfigure the OS, you must run sysprep again.

Warning

After you run sysprep, keep the VM turned off until it is deployed, because updates might otherwise run automatically and make instance-specific changes to the operating system or installed services. For more information about running sysprep, see Generalize a Windows VM.

Note

If Microsoft Defender for Cloud (formerly Azure Defender) is enabled on the subscription where you create the VM to be captured, disable it on the subscription or on the VM itself unless you want every VM created from this image to be enrolled in the Defender for Endpoint portal. If you leave it enabled, any VM created from the image is enrolled, even when it is deployed to a different tenant that does not use Microsoft Defender for Cloud.

For Linux

  1. Remove the Azure Linux agent.

    1. Connect to your Linux VM using an SSH client.
    2. In the SSH session, run: sudo waagent -deprovision+user
    3. Type Y to continue (add the -force parameter to the command to skip the confirmation step).
    4. After the command completes, enter exit to close the SSH session.
  2. If Microsoft Defender for Endpoint (MDE) is installed on your image, uninstall MDE by running the following commands depending on the OS of your image:

    • RHEL, CentOS, and Oracle: sudo yum remove mdatp

    • SLES and variants: sudo zypper remove mdatp

    • Ubuntu and Debian: sudo apt-get purge mdatp

    • Mariner: sudo dnf remove mdatp

  3. Stop the virtual machine.

    1. In the Azure portal, select your resource group (RG) and deallocate the VM.
    2. Your VM is now generalized, and you can create a new VM from this VM's disk.

Capture image

Note

The Azure subscription that contains the Azure Compute Gallery must be in the same tenant as the publisher account in order to publish, and the publisher account must have at least Contributor access to that subscription.

Once your VM is ready, capture it into an Azure Compute Gallery (formerly known as Shared Image Gallery). Follow these steps:

  1. On the Azure portal, go to your Virtual Machine's page.
  2. Select Capture.
  3. Under Share image to Azure Compute Gallery select Yes, share it to a gallery as an image version.
  4. Under Operating system state select Generalized.
  5. Select a Target image gallery or Create New.
  6. Select a Target image definition or Create New.
  7. Provide a Version number for the image.
  8. Select Review + create to review your choices.
  9. Once the validation is passed, select Create.
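The same capture done with Azure PowerShell, as an added example that is not part of the original article. It assumes Connect-AzAccount and Set-AzContext have already been run against the subscription that holds both the VM and the gallery (the script further assumes they share one resource group), that the image definition already exists, and that the in-guest generalization step (sysprep or waagent -deprovision+user) has already been performed; every parameter value is a placeholder. Before marking the VM generalized it checks two things the portal wizard also enforces: that the VM is deallocated and that the target image definition's OS state is Generalized.

```powershell
# Added example, not code from the original article.
# Usage: .\Capture-GalleryImage.ps1 -ResourceGroup rg-publish -VmName vm-base `
#            -GalleryName gal_publish -ImageDefinition linux-base -Version 1.0.0
# Assumes: Az.Compute is installed, Connect-AzAccount/Set-AzContext done,
# VM and gallery in the same resource group, image definition already created.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $VmName,
    [Parameter(Mandatory)] [string] $GalleryName,
    [Parameter(Mandatory)] [string] $ImageDefinition,
    [Parameter(Mandatory)] [string] $Version        # semantic version, e.g. 1.0.0
)
$ErrorActionPreference = 'Stop'

# 1. The VM must be deallocated in Azure, not merely shut down inside the guest.
$power = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status).Statuses |
    Where-Object Code -like 'PowerState/*' |
    Select-Object -ExpandProperty Code
if ($power -ne 'PowerState/deallocated') {
    Write-Host "VM is '$power'; deallocating before capture"
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force | Out-Null
}

# 2. The target image definition must be Generalized, otherwise the capture is rejected.
$def = Get-AzGalleryImageDefinition -ResourceGroupName $ResourceGroup `
    -GalleryName $GalleryName -Name $ImageDefinition
if ($def.OsState -ne 'Generalized') {
    throw "Image definition '$ImageDefinition' has OsState '$($def.OsState)'; Marketplace images must be Generalized."
}

# 3. Tell Azure the OS disk is generalized. This is irreversible: the VM can no
#    longer be started, so do it only after sysprep / waagent -deprovision+user ran.
Set-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Generalized | Out-Null

# 4. Create the image version directly from the generalized VM.
$vm  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$ver = New-AzGalleryImageVersion -ResourceGroupName $ResourceGroup -GalleryName $GalleryName `
    -GalleryImageDefinitionName $ImageDefinition -Name $Version `
    -Location $vm.Location -SourceImageId $vm.Id
Write-Host "Created $($ver.Id) (ProvisioningState: $($ver.ProvisioningState))"
```

The OsState check matters because the image definition, not the version, fixes whether images under it are generalized or specialized; a Generalized VM captured into a Specialized definition fails at publish time, long after the VM itself has been made unbootable by step 3.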

Publishing your virtual machine images to Azure Marketplace from your Azure Compute Gallery requires you to set permissions so that Partner Center can acquire the images hosted in your gallery.

Important

Microsoft is transitioning the process for acquiring images from your Compute Gallery to a more secure process. To continue updating your virtual machine offers, ensure the following Microsoft apps are granted access by following these steps. The steps must be performed once for each Compute Gallery used to publish to Azure Marketplace.

Prerequisites

To grant Partner Center permission, ensure the following prerequisites are met:

  1. Your Azure Compute Gallery must be in the same Microsoft Entra tenant that is linked to your Partner Center account.
  2. You must be an Owner of the subscription that contains the Compute Gallery.

Tip

It is recommended you use a dedicated Compute Gallery for the purposes of publishing to Partner Center and that you only grant permission to this dedicated gallery. You do not need to grant permissions at subscription level.

Step 1: Provision the Service Principals

You first need to provision service principals in your tenant, which is done by registering the Microsoft Partner Center Resource Provider (RP) in your Azure subscription. A service principal is an identity that is later granted access to your Compute Gallery so that Partner Center can acquire your images. Registering the RP creates the principals but does not by itself grant them any access.

PowerShell
# Connect to your Azure account
Connect-AzAccount

# Set the subscription to use in the current session. Use the subscription that contains your Azure Compute Gallery.
Set-AzContext -Subscription <SubscriptionId>

# Register the Microsoft Partner Center Resource Provider (RP). This creates the Service Principals in your tenant. 
Register-AzResourceProvider -ProviderNamespace Microsoft.PartnerCenterIngestion

# Confirm that the resource provider registered successfully (RegistrationState should be Registered).
Get-AzResourceProvider -ProviderNamespace Microsoft.PartnerCenterIngestion

Azure CLI
# Connect to your Azure account
az login

# Set the subscription to use in the current session. Use the subscription that contains your Azure Compute Gallery.
az account set --subscription <subscriptionId>

# Register the Microsoft Partner Center Resource Provider (RP). This creates the service principals in your tenant.
az provider register --namespace Microsoft.PartnerCenterIngestion

# Confirm that the resource provider registered successfully (registrationState should be Registered).
az provider show --namespace Microsoft.PartnerCenterIngestion

Once the service principals are provisioned, they must be granted explicit permissions to read images from a specific Compute Gallery. Partner Center is in the process of transitioning to a more secure process for acquiring your images. During this transition, we ask that you temporarily grant access to two Microsoft applications so that you can continue updating your Virtual Machine offers.

PowerShell
# Get the Resource Id of your Azure Compute Gallery. The result is the <gallery-id>.
Get-AzGallery -ResourceGroupName <resource-group> -GalleryName <gallery-name>

# Get the service principal object Id for the first Microsoft application. The result is the <sp-id1>.
Get-AzADServicePrincipal -SearchString "Microsoft Partner Center Resource Provider"

# Create a role assignment to the first Microsoft application.
New-AzRoleAssignment -ObjectId <sp-id1> -RoleDefinitionId cf7c76d2-98a3-4358-a134-615aa78bf44d -Scope <gallery-id>

# Get the service principal for the second Microsoft application. The result is the <sp-id2>.
Get-AzADServicePrincipal -SearchString "Compute Image Registry"

# Create a role assignment to the second Microsoft application.
New-AzRoleAssignment -ObjectId <sp-id2> -RoleDefinitionId cf7c76d2-98a3-4358-a134-615aa78bf44d -Scope <gallery-id>

Azure CLI
# Get the Resource Id of your Azure Compute Gallery. The result is the <gallery-id>.
az sig show --resource-group <resource-group> --gallery-name <gallery-name>

# Get the service principal object Id for the first Microsoft application. The result is the <sp-id1>.
az ad sp list --display-name "Microsoft Partner Center Resource Provider" --query '[].id'

# Create a role assignment to the first Microsoft application.
az role assignment create --assignee-object-id <sp-id1> --assignee-principal-type ServicePrincipal --role cf7c76d2-98a3-4358-a134-615aa78bf44d --scope <gallery-id>

# Get the service principal for the second Microsoft application. The result is the <sp-id2>.
az ad sp list --display-name "Compute Image Registry" --query '[].id'

# Create a role assignment to the second Microsoft application.
az role assignment create --assignee-object-id <sp-id2> --assignee-principal-type ServicePrincipal --role cf7c76d2-98a3-4358-a134-615aa78bf44d --scope <gallery-id>

Azure portal
  1. Sign in to the Azure portal.

  2. Navigate to your Azure Compute Gallery that contains your Virtual Machine image.

  3. Navigate to the Access control tab within your Azure Compute Gallery.

  4. Select Add > Add role assignment.

  5. Select the role Compute Gallery Image Reader and click Next.

  6. Select to assign access to User, group or service principal.

  7. Click + Select members and search for and select the service principals “Microsoft Partner Center Resource Provider” and “Compute Image Registry”. Click Next.

  8. Click Review + Assign.
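The registration in Step 1 and the role assignment above, combined into one idempotent Azure PowerShell script with the check the Tip recommends, as an added example that is not part of the original article. It assumes the Az.Accounts, Az.Resources and Az.Compute modules are installed, Connect-AzAccount has been run by a subscription Owner, and the parameter values are placeholders for your own subscription, resource group and dedicated publishing gallery. After granting Compute Gallery Image Reader at gallery scope (only when it is not already present), it lists every other role assignment the two Microsoft service principals hold in the subscription, so that a grant made at subscription or resource-group level is surfaced for review.

```powershell
# Added example, not code from the original article.
# Usage: .\Grant-GalleryReader.ps1 -SubscriptionId <guid> -ResourceGroup rg-publish -GalleryName gal_publish
# Assumes: Az.Accounts, Az.Resources, Az.Compute installed; Connect-AzAccount already run as an Owner.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $GalleryName
)
$ErrorActionPreference = 'Stop'
Set-AzContext -Subscription $SubscriptionId | Out-Null

# 1. Register the RP and poll until registration completes; the call is asynchronous.
$ns = 'Microsoft.PartnerCenterIngestion'
Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
$attempts = 0
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    $attempts++
} until ($state -eq 'Registered' -or $attempts -ge 30)
if ($state -ne 'Registered') { throw "$ns is still '$state' after $($attempts * 10) seconds" }

# 2. Resolve the dedicated publishing gallery and the two Microsoft service principals.
$gallery  = Get-AzGallery -ResourceGroupName $ResourceGroup -Name $GalleryName
$roleName = 'Compute Gallery Image Reader'   # role definition ID cf7c76d2-98a3-4358-a134-615aa78bf44d
$principals = foreach ($name in 'Microsoft Partner Center Resource Provider', 'Compute Image Registry') {
    $sp = Get-AzADServicePrincipal -DisplayName $name
    if (-not $sp) { throw "Service principal '$name' not found in this tenant; did Step 1 succeed?" }
    if (@($sp).Count -gt 1) { throw "Several service principals are named '$name'; select the Microsoft-owned one by AppId instead." }
    $sp
}

# 3. Grant the role at gallery scope only, skipping principals that already have it.
foreach ($sp in $principals) {
    # -Scope also returns assignments inherited from parent scopes, so filter to the exact gallery.
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $gallery.Id -RoleDefinitionName $roleName |
        Where-Object { $_.Scope -eq $gallery.Id }
    if ($existing) {
        Write-Host "OK: '$($sp.DisplayName)' already has '$roleName' on $($gallery.Name)"
    } else {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $gallery.Id | Out-Null
        Write-Host "Granted '$roleName' on $($gallery.Name) to '$($sp.DisplayName)'"
    }
}

# 4. Audit: anything these principals hold outside the publishing gallery (subscription,
#    resource group, another gallery) is broader than needed and should be reviewed.
$findings = foreach ($sp in $principals) {
    Get-AzRoleAssignment -ObjectId $sp.Id |
        Where-Object { $_.Scope -ne $gallery.Id } |
        ForEach-Object {
            [pscustomobject]@{ Principal = $sp.DisplayName; Role = $_.RoleDefinitionName; Scope = $_.Scope }
        }
}
if ($findings) {
    Write-Warning "Role assignments outside $($gallery.Id); remove unneeded ones with Remove-AzRoleAssignment:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: both principals are scoped to $($gallery.Id) only"
}
```

Step 4 is the part worth keeping around: rerun it after any change to the subscription's RBAC, because an Owner granting the role at subscription scope "to be safe" gives these principals read access to every gallery and image in the subscription, not just the one you publish from.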

  • Recommended next step: Test your VM image to ensure it meets Azure Marketplace publishing requirements. This is optional.
  • If you don't want to test your VM image, sign in to Partner Center to publish your image.
  • If you encountered difficulty creating your new Azure-based VHD, see VM FAQ for Azure Marketplace.