Solution

Use the Citrix PowerShell SDK to create a Machine Catalog that supports:

- Azure Trusted Launch
- Persistent VDI (Personal Desktops)
- Machine Creation Services (MCS)
- Azure-based image with Secure Boot and vTPM enabled


A sample script is provided below to use to deploy a Trusted Launch catalog:

- Update the variables (catalog name, hosting unit, resource paths, OU, domain, image, service offering, and network) to match your environment.

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Azure Trusted Launch adds security features (vTPM, Secure Boot, Integrity Monitoring) that require updated provisioning logic within Citrix Machine Creation Services (MCS).
Support for Trusted Launch was added in:

- Citrix Virtual Apps and Desktops (CVAD) 2206 and later
- CVAD 2203 LTSR, but only when the catalog is created through the Citrix SDK, not Studio

If creating a catalog using an earlier version of Studio or using an incorrect provisioning scheme, MCS cannot correctly validate the image security type, resulting in the error.

Cannot Create Catalog from Azure VM with Trusted Launch Enabled

When creating a Machine Catalog using an Azure Trusted Launch–enabled image, Studio may fail with the following:
“CreateTerminatingError in operation PreparingMasterImage: Security type of VM is not compatible with the security type of attached OS Disk.”

This occurs when the catalog workflow does not correctly recognize Trusted Launch security parameters (vTPM, Secure Boot) included with the Azure image.

Reference:

https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm?tabs=portal#enable-trusted-launch-on-existing-vm

https://stage-docs.citrix.com/en-us/citrix-daas/install-configure/machine-catalogs-create/create-machine-catalog-citrix-azure#machine-catalogs-with-trusted-launch  
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/2311/install-configure/machine-catalogs-create/create-machine-catalog-citrix-azure#machine-catalogs-with-trusted-launch