feat(windows): add WS2025 Gen2 Trusted Launch VHD build #8768
Merged
Pull request overview
Adds a new Windows VHD build SKU (2025-gen2-tl) to produce a WS2025 Gen2 image whose SIG image definition is stamped as Trusted Launch, and extends the existing Trusted Launch handling to Windows for test VM creation and SIG→disk conversion.
Changes:
- Add `2025-gen2-tl` to Windows settings (JSON + CUE schema).
- Introduce a new Windows VHD pipeline stage for WS2025 Gen2 Trusted Launch and thread `ENABLE_TRUSTED_LAUNCH` through the Windows template chain.
- Extend Trusted Launch guards to Windows in `run-test.sh` and `convert-sig-to-classic-storage-account-blob.sh`.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| vhdbuilder/packer/windows/windows_settings.json | Adds 2025-gen2-tl SKU definition mirroring 2025-gen2. |
| schemas/windows_settings.cue | Allows 2025-gen2-tl as a valid Windows base version key. |
| .pipelines/templates/.build-and-test-windows-vhds-template.yaml | Adds build stage wiring for the new 2025-gen2-tl SKU. |
| .pipelines/templates/.build-and-test-windows-vhd-template.yaml | Threads enableTrustedLaunch into the Windows builder template. |
| .pipelines/templates/.builder-release-template-windows.yaml | Adds enableTrustedLaunch parameter and exports ENABLE_TRUSTED_LAUNCH to build/test/convert steps. |
| .pipelines/.vsts-vhd-builder-release-windows.yaml | Enables the new Trusted Launch stage in release builds by default. |
| .pipelines/.vsts-vhd-builder-pr-windows.yaml | Keeps the new Trusted Launch stage disabled for PR builds by default. |
| vhdbuilder/packer/test/run-test.sh | Extends Trusted Launch VM-create flags to Windows test VMs. |
| vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh | Extends Trusted Launch securityProfile disk creation to Windows. |
timmy-wright left a comment
Core of changes looks good - I wrote some nitpicky comments. It'll need an e2e test. Base that on the ws2025-gen2 e2e test.
r2k1 approved these changes on Jun 25, 2026
r2k1 reviewed on Jun 25, 2026
Add a new `2025-gen2-tl` Windows SKU that builds a WS2025 Gen2 VHD whose SIG image definition is stamped with SecurityType=TrustedLaunch, so AKS Windows node pools can run on a Trusted Launch image. The VHD content is identical to `2025-gen2` (same base image, components, CSE). The only difference is the image definition carries the TrustedLaunch feature, driven by ENABLE_TRUSTED_LAUNCH=True threaded through the Windows template chain into produce-packer-settings (which is already OS-agnostic).

- windows_settings.json / windows_settings.cue: new `2025-gen2-tl` entry, reusing the existing TL-capable base SKU 2025-datacenter-core-smalldisk-g2
- windows VHD templates: new build2025gen2tl stage + enableTrustedLaunch param threaded to ENABLE_TRUSTED_LAUNCH in the buildVhd / run-test / convert-sig env blocks
- run-test.sh / convert-sig-to-classic-storage-account-blob.sh: extend the Trusted Launch guard to Windows so the cache-test VM boots with --security-type TrustedLaunch (this also makes it the Secure Boot ground-truth check) and the production disk is created with the TrustedLaunch security profile

PR build defaults off; release build defaults on.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…unch Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Match the repo convention (same as dryrun): declare enableTrustedLaunch as a boolean in every Windows template. ADO stringifies it to True/False for the ENABLE_TRUSTED_LAUNCH env var, which the shell scripts compare against "True" exactly like they already do for DRY_RUN. Removes the boolean/string declaration mismatch. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add VHDWindows2025Gen2TL and Test_Windows2025Gen2TrustedLaunch, mirroring Test_Windows2025Gen2 plus addTrustedLaunchToVMSS (Secure Boot + vTPM), so the AgentBaker e2e runs against the freshly built Trusted Launch VHD. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Drop the OS_TYPE check in the run-test / convert-sig guards; gating on ENABLE_TRUSTED_LAUNCH alone is sufficient (per review).
- Remove the default from the release template enableTrustedLaunch param; the caller always sets it explicitly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Windows 2025 Gen2 Trusted Launch e2e VHD reused the non-TL distro AKSWindows2025Gen2, so it resolved the non-TL image definition instead of the Trusted Launch one. Add a dedicated AKSWindows2025Gen2TL distro (image definition windows-2025-gen2-tl), mirroring the Linux TL pattern (AKSACLGen2FIPSTL), and point VHDWindows2025Gen2TL at it so the e2e tests the actual Trusted Launch image. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…uard

- sig_config_test: assert ResourceGroup/Gallery/Definition/Version for the new AKSWindows2025Gen2TL entry, not just the map length, to catch miswiring of the image definition.
- convert-sig: gate on ENABLE_TRUSTED_LAUNCH case-insensitively to match run-test.sh and avoid value-shape issues.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
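The guard that the commits above describe (ADO stringifies the boolean `enableTrustedLaunch` parameter to `True`/`False`, and the shell scripts gate the VM-create and disk-create calls on `ENABLE_TRUSTED_LAUNCH` case-insensitively) is shown here as an added bash example; it is not the repository's `run-test.sh` or `convert-sig-to-classic-storage-account-blob.sh`. The function names, the default-to-disabled handling of unrecognised values, and the exact `az` flag strings beyond `--security-type TrustedLaunch` are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the repository's own scripts. Models the
# ENABLE_TRUSTED_LAUNCH guard: the pipeline exports the stringified boolean
# ("True"/"False"), so the comparison must accept that spelling, and a
# case-insensitive match also tolerates "true"/"TRUE" from a hand-run shell.
set -eu

# Returns 0 when the value means "enabled", 1 otherwise. Anything that is not
# a recognised true spelling (including empty/unset) is treated as disabled,
# so a missing or misspelt variable never silently stamps a Trusted Launch
# profile onto an artifact. (Behaviour for unrecognised values is assumed.)
trusted_launch_enabled() {
    value=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
    [ "$value" = "true" ]
}

# Extra flags for the az CLI call that creates the cache-test VM. With Trusted
# Launch on, the VM boots with Secure Boot and vTPM, which is what makes the
# boot test a Secure Boot ground-truth check. Flag strings are assumptions.
vm_security_flags() {
    if trusted_launch_enabled "$1"; then
        printf '%s' "--security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true"
    else
        printf '%s' ""
    fi
}

# Same decision for the production disk created from the SIG image version.
disk_security_flags() {
    if trusted_launch_enabled "$1"; then
        printf '%s' "--security-type TrustedLaunch"
    else
        printf '%s' ""
    fi
}

# Self-check over constructed inputs: returns 0 only if every spelling the
# pipeline or a developer might produce is classified as intended.
check_guard() {
    for v in True true TRUE; do
        trusted_launch_enabled "$v" || return 1
    done
    for v in False false "" yes 1; do
        trusted_launch_enabled "$v" && return 1
    done
    return 0
}

# Usage in a pipeline step (illustrative): the env block exports
# ENABLE_TRUSTED_LAUNCH and the script expands the flag string into the call,
# e.g.  az vm create ... $(vm_security_flags "${ENABLE_TRUSTED_LAUNCH:-}")
```

The guard intentionally treats anything other than a true spelling as disabled rather than failing the build, which mirrors how the scripts already handle `DRY_RUN`; if a stricter posture is wanted, `trusted_launch_enabled` is the one place to reject unexpected values.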
What this PR does / why we need it:

Add a new `2025-gen2-tl` Windows SKU that builds a WS2025 Gen2 VHD whose SIG image definition is stamped with SecurityType=TrustedLaunch, so AKS Windows node pools can run on a Trusted Launch image. The VHD content is identical to `2025-gen2` (same base image, components, CSE). The only difference is the image definition carries the TrustedLaunch feature, driven by ENABLE_TRUSTED_LAUNCH=True threaded through the Windows template chain into produce-packer-settings (which is already OS-agnostic).

- windows_settings.json / windows_settings.cue: new `2025-gen2-tl` entry, reusing the existing TL-capable base SKU 2025-datacenter-core-smalldisk-g2

PR build defaults off; release build defaults on.

Which issue(s) this PR fixes:

Fixes #