Microsoft has seeded Windows Server vNext Insider Preview build 29621 to testers, still carrying the Windows Server 2025 branding and delivering a long-awaited feature: Trusted Launch for Generation 2 Hyper-V virtual machines. The July 13 release—available in Desktop Experience and Server Core for Standard, Datacenter, and Datacenter Azure Edition—also advances preview work on Quick Machine Recovery, ReFS boot volumes, and NVMe-over-Fabrics, but the showpiece is the ability to spin up VMs with Secure Boot and a virtual TPM whose state is encrypted at rest. The catch? Those VMs can’t be moved, clustered, replicated, or fully verified yet, which makes build 29621 a lab-exercise build rather than production material.
Concrete changes in this flight
Trusted Launch for Hyper-V VMs is the genuinely new capability. Microsoft is enabling admins to create Generation 2 VMs that boot with Secure Boot, back a virtual TPM, and protect that vTPM’s state while the VM is off. Because Hyper-V stores vTPM data alongside the VM bundle, the “at rest” protection means the blob is encrypted so that an attacker with access to the storage volume can’t extract secrets.
Management is PowerShell-only today. An administrator must first enable the Hyper-V role, add the IsolatedGuestVm optional feature, and set a registry key for the isolated guest VM agent before the cmdlets appear. Microsoft is not yet documenting the full set of cmdlets publicly, but the build does ship the plumbing to create and start a Trusted Launch VM. What the build does not ship is anywhere near the full production experience. Microsoft’s advisory lists an eye-opening set of gaps: no live migration, no quick migration, no support for failover clusters, no Hyper-V Replica, no integration with Windows Admin Center, and no boot-integrity attestation. In plain terms, if you build a Trusted Launch VM on one host, you can’t move it to another or protect it with high-availability clustering—deal-breakers for almost any enterprise virtualization shop. These restrictions clearly mark the feature as early validation code.
Quick Machine Recovery (QMR) is another capability that Insiders can now test on server. QMR uses the Windows Recovery Environment to phone home for cloud-delivered remediation when a boot-critical failure prevents Windows Server from starting. The aim is to reduce manual intervention during widespread boot failures—think a bad driver or update that lands many servers in a reboot loop. Microsoft plans to add a Group Policy control to enable or disable the feature in a future build, but for now it is on by default when the mechanism detects the right error conditions in a test environment.
Storage previews continue along two tracks. NVMe-over-Fabrics support now includes both NVMe/TCP, which runs over ordinary Ethernet, and NVMe/RDMA for RDMA adapters that offer lower latency. Microsoft describes the in-box initiator as an early-evaluation feature; admins should expect to validate target compatibility and operational tooling themselves, as the driver stack is still maturing. The second track is ReFS boot, already detailed in new Microsoft Learn documentation. Windows Server 2025 can now boot from a Resilient File System volume, which eliminates the old split between a boot NTFS volume and data ReFS volumes on storage-dedicated hosts. Because ReFS doesn’t support volume shrink, Setup needs an explicitly created NTFS Windows RE partition. Build 29621 automatically creates a minimum 2 GB recovery partition on ReFS boot systems; if that partition is deleted and the boot volume extended into its space, Microsoft warns that recovery requires a clean installation. That’s a gotcha that storage admins will need to design around from the start.
A critical TLS bug and upgrade hurdles
The release ships with a severity-worthy known issue. A race condition in hybrid key exchange can crash LSASS—the process responsible for authentication—when a TLS server negotiates certain hybrid groups. The affected groups are X25519_MLKEM768, SecP256r1_MLKEM768, and SecP384r1_MLKEM1024. Microsoft’s workaround, until a fix lands, is to disable those groups through TLS cmdlets or Group Policy. For any server exposed to internet-facing TLS, that is a stop-everything-and-check note.
Upgrade rules have also tightened. If you’re on a Server vNext preview build older than 29531, in-place upgrade to 29621 is blocked. You must clean-install 29531 or a later build first. Additionally, Server Core users who upgrade from build 29574 may hit an AppCompat Feature on Demand installation failure—Microsoft offers no automatic mitigation, so a fresh installation is the safest path. Build 29621 itself expires September 15, 2026, underscoring its role as transient test code.
What this means for you
- For Hyper-V admins: You can now build a hardened Gen2 VM that meets Trusted Launch criteria, but you’ll do it with PowerShell and you’ll keep that VM pinned to one host. Use this build to understand the provisioning flow, script the commands, and begin thinking about how Trusted Launch would fit into your security architecture—but do not plan any production rollout around this code. The absence of mobility and clustering means it’s unsuitable for even realistic staging environments unless you willingly accept single-point-of-failure VMs.
- For IT security architects: Trusted Launch on Hyper-V is Microsoft’s answer to the same concept on Azure, bringing the protections of Secure Boot, vTPM, and ciphered vTPM state to on-premises workloads. The current limitations are severe, but they reflect the complexity of meshing a TPM-based trust model with live migration and replication. Expect the gaps to close gradually over subsequent previews; in the meantime, the build is valuable for developing your own security requirements and giving feedback to Microsoft.
- For storage administrators: ReFS boot is the big draw. If you run dedicated storage hosts that already use ReFS for data volumes, the ability to boot from ReFS simplifies the OS layout and removes NTFS from the equation. The documentation provides a complete unattend.xml and DiskPart script to partition correctly the first time. Pay special attention to the recovery partition size and placement—since ReFS can’t shrink, you cannot fix a mis-sized partition later. Also validate that your backup, antivirus, and monitoring agents work on a ReFS OS volume; many tools assume NTFS and may misbehave.
- For server operators testing QMR: This feature could change how you respond to mass boot failures. Test it in a lab by inducing a boot-critical failure and watch whether WinRE retrieves a fix automatically. Knowing the behavior before a real incident hits will pay off.
- For everyone: The TLS LSASS crash is real. If you’re testing this build in any capacity where a TLS service is active, check whether your server negotiates the affected hybrid groups. The workaround is straightforward, but LSASS crashing means authentication stops, so don’t leave that unaddressed.
How we got here
Windows Server 2025, despite the name, has been in public preview under the “vNext” label for over a year. Microsoft’s strategy has been to ship LTSC-eligible builds early so that enterprise customers can validate hardware, drivers, and workloads long before the formal general-availability date. Along the way, the company has used the Insider program to introduce foundational security and storage features incrementally—Trusted Launch is the latest example.
Trusted Launch itself isn’t new as a concept. Azure has supported it for virtual machines for several releases, rooted in the Trusted Computing Group’s specifications for Secure Boot and virtual TPM. Bringing that to Hyper-V closes a gap for organizations that want consistent security posture whether a VM runs on-premises or in the cloud. Microsoft also has a broader Secure Future Initiative that emphasizes hardware-rooted security; Trusted Launch for Hyper-V is a brick in that wall.
ReFS boot has been an ask from storage-intensive customers for years. Server operating systems have lagged behind client Windows, which has supported ReFS boot in certain Insider configurations. Getting it into a server LTSC preview signals that Microsoft believes ReFS is mature enough to host the OS itself, not just data, for specialized use cases. The NVMe-oF initiator, meanwhile, is part of the industry trend toward disaggregated storage, where compute talks directly to remote NVMe drives over a fabric. Including both TCP and RDMA transports in-box reduces dependency on third-party initiators.
What to do now
Download build 29621 from the Windows Server Insider site and spin up a dedicated lab host—do not upgrade a server you rely on. If you want to test Trusted Launch, the high-level steps are:
- Install the Hyper-V role and the IsolatedGuestVm optional feature.
- Set the required registry key (Microsoft hasn’t published the exact key publicly in the announcement, but it’s referenced in the IsolatedGuestVm documentation for Hyper-V; look for the isolated guest VM agent setting).
- Use the PowerShell cmdlets that appear after the feature is enabled to create a Generation 2 VM with Trusted Launch.
- Start the VM and verify that Secure Boot is active and the vTPM is present (inside the guest, check tpm.msc).
- Experiment within the limitations: power off, move the VM folder manually, observe that the vTPM doesn’t unlock.
For ReFS boot, follow the step-by-step guide on Microsoft Learn, which covers creating an unattend.xml with a ReFS OS partition and an NTFS recovery partition. Alternatively, use the DiskPart script to pre-partition the disk. After installation, register WinRE and confirm the OS volume is reported as ReFS.
For NVMe-oF, identify a suitable target that speaks NVMe/TCP or NVMe/RDMA, connect the initiator, and run validation workloads. Keep in mind this is an early evaluation feature—don’t expect polished performance or tooling.
If you encounter the TLS LSASS crash, immediately apply the workaround by disabling the three hybrid key-exchange groups through the TLS cmdlets or via Group Policy under the SSL Configuration settings. Monitor Microsoft’s Insider blog for a fix.
Outlook
The Trusted Launch restrictions are the clearest signal that Windows Server 2025 still has a way to go before it’s ready for broad production deployment. Microsoft typically lifts such limitations in successive previews as the hypervisor and storage stack gain the necessary support. For admins, the next preview build that adds cluster awareness or live migration for Trusted Launch VMs will be the one that turns lab curiosity into enterprise evaluation. Until then, build 29621 is a well-stocked sandbox for storage and security tinkering.