Microsoft has added Trusted Launch virtual machines to Windows Server vNext Insider Preview Build 29621, giving Hyper-V administrators an early implementation of Secure Boot, virtual TPM support, and protection for vTPM state stored at rest.
Per Microsoft’s July 13 Windows Server Insider announcement, the feature is available only when creating new Generation 2 VMs and is managed through PowerShell. It is a preview feature, not a drop-in upgrade for existing production virtual-machine fleets.
Trusted Launch combines two familiar Hyper-V protections. Secure Boot verifies the VM’s boot chain before the guest OS loads, while a virtual Trusted Platform Module provides a hardware-backed-style root of trust for guest features such as BitLocker, Windows Hello for Business, and measured boot.
The important addition is guest-state protection: Windows Server protects the vTPM’s persisted state at rest. Microsoft’s setup guidance demonstrates this by stopping the host’s IGVmAgent service and restarting the VM; a Trusted Launch VM with guest-state protection will not start while that service is unavailable.
Administrators must enable the
Boot integrity verification is also still absent. Microsoft describes that capability as part of the Trusted Launch direction, but Build 29621 does not yet offer an attestation-based check of the VM boot path against a trusted baseline.
Microsoft says upgrades from vNext preview builds older than 29531 are unsupported and recommends a clean installation of build 29531 or later before moving to newer flights. The company also reiterates that Insider software is pre-release, unsupported for production use, and expires September 15, 2026.
For now, Hyper-V shops should test Trusted Launch only on standalone Generation 2 lab VMs and wait for migration, cluster, Replica, and Windows Admin Center support before considering wider deployment.
Per Microsoft’s July 13 Windows Server Insider announcement, the feature is available only when creating new Generation 2 VMs and is managed through PowerShell. It is a preview feature, not a drop-in upgrade for existing production virtual-machine fleets.
Secure Boot and vTPM, bundled for new VMs
Trusted Launch combines two familiar Hyper-V protections. Secure Boot verifies the VM’s boot chain before the guest OS loads, while a virtual Trusted Platform Module provides a hardware-backed-style root of trust for guest features such as BitLocker, Windows Hello for Business, and measured boot.The important addition is guest-state protection: Windows Server protects the vTPM’s persisted state at rest. Microsoft’s setup guidance demonstrates this by stopping the host’s IGVmAgent service and restarting the VM; a Trusted Launch VM with guest-state protection will not start while that service is unavailable.
Administrators must enable the
IsolatedGuestVm optional feature and configure the required host settings before creating a VM with the GuestStateIsolationType set to TrustedLaunch. Microsoft’s instructions also require the Hyper-V role and an external virtual switch where needed.Not ready for clustered workloads
The preview’s limitations are substantial. Microsoft explicitly lists the following as unsupported in Build 29621:- Moving Trusted Launch VMs to another server
- Failover clustering
- Hyper-V Replica
- Boot integrity verification
- Windows Admin Center management
Boot integrity verification is also still absent. Microsoft describes that capability as part of the Trusted Launch direction, but Build 29621 does not yet offer an attestation-based check of the VM boot path against a trusted baseline.
A security preview, with a clean-install caveat
Build 29621 is a Windows Server vNext LTSC preview, despite retaining Windows Server 2025 branding in parts of the interface. It is available in Desktop Experience and Server Core forms for Standard and Datacenter, with Azure Edition offered for VM evaluation.Microsoft says upgrades from vNext preview builds older than 29531 are unsupported and recommends a clean installation of build 29531 or later before moving to newer flights. The company also reiterates that Insider software is pre-release, unsupported for production use, and expires September 15, 2026.
For now, Hyper-V shops should test Trusted Launch only on standalone Generation 2 lab VMs and wait for migration, cluster, Replica, and Windows Admin Center support before considering wider deployment.
References
- Primary source: Windows Report
Published: 2026-07-15T12:01:33+00:00
Windows Server Insiders Get Trusted Launch for Hyper-V VMs
Microsoft releases Windows Server Insider Build 29621 with Trusted Launch, Secure Boot, and protected vTPM support for Hyper-V.
windowsreport.com
- Official source: techcommunity.microsoft.com
- Official source: blogs.windows.com
- Related coverage: neowin.net
Microsoft announces Trusted Launch for virtual machines in Windows Server Insider Preview - Neowin
A major security upgrade has arrived for Windows Server Insider VMs, but some expected Trusted Launch features are still missing.www.neowin.net
- Official source: support.microsoft.com
Secure Boot update from 2011 to 2023 certificates: Trusted Launch VMs (TVM) and Confidential VMs (CVM) | Microsoft Support
Secure Boot update from 2011 to 2023 certificates: Trusted Launch VMs (TVM) and Confidential VMs (CVM)support.microsoft.com - Related coverage: betawiki.net