Windows Server News and Best Practices articles

Opt-In Windows Server 2025 Feature Update from the WS 2022 and WS 2019 Settings Dialog

Rob-Hindman — Wed, 29 Apr 2026 18:24:14 GMT

This capability allows customers who want to in-place upgrade their servers to Windows Server 2025 to upgrade using the Windows Update service, and without the need for Windows Server 2025 physical media. On the Windows Server team, we aim for 100% application compatibility, and we are confident that most applications and services will continue to work well after the in-place upgrade to Windows Server 2025.

We recognize that in-place upgrade will not be used by all organizations for all of their servers – some organizations will prefer to perform a clean install, I.E., reformatting the system drive, installing Windows Server 2025, and then re-installing applications and services. Other organizations embrace in-place upgrade because it’s quick and they can avoid re-installing applications and services. Some organizations will use a combination of clean install and in-place upgrade approaches, depending on the role of each server.

Planning For the Upgrade

Plan on a gradual roll-out of Windows Server 2025 across your server estate, starting with the least critical servers. We encourage customers to verify upgrade to Windows Server 2025 in a test environment to gain experience with the upgrade process, before upgrading production servers. The time needed to upgrade each server will depend on the performance of the server, the number of applications running on the server, and the number of users on the server. Backup / snapshot and upgrading to Windows Server 2025 usually takes two hours per server.

Check with your system administrator – server upgrades should be carefully coordinated to avoid downtime and workload outages – a maintenance window may need to be scheduled.
Check that Group Policy configuration is correct – in some cases Windows Updates can be installed by non-administrative users. To learn more about blocking users from scanning and applying Windows Updates, see Step 4 - Configure Group Policy Settings for Automatic Updates | Microsoft Learn. Note that some organizations will create a special upgrade OU for their server upgrade process. Customized GPOs can also be used to schedule and manage server updates, to implement a rolling upgrade of servers and managing maintenance windows.
Check if you need to purchase a product key for Windows Server 2025. Windows Server 2019 and Windows Server 2022 volume license customers with active Software Assurance do not need to purchase a product key for Windows Server 2025. However, customers who are using the Retail or OEM licensed versions of Windows Server 2019 and Windows Server 2022 will have to purchase a Windows Server 2025 product key.
Check and validate successful activation with your organization’s KMS for Windows Server activation, to validate that it has been loaded with a valid Windows Server 2025 key. After upgrading to Windows Server 2025, each server will need to be activated using a valid activation method: KMS, Active Directory‑based Activation, or MAK using slgmr or VAMT tools.
Check that you are not using in-place upgrade on a domain controller. We recommend a clean install of Windows Server 2025 for domain controllers, first joining at the Windows Server 2016 domain and forest functional levels, and then upgrading the domain and forest functional levels after all the domain controllers are running Windows Server 2025. See this guidance for the steps to upgrade domain controllers: Upgrade domain controllers to a newer version of Windows Server | Microsoft Learn.
Check that you are not using in-place upgrade on a failover cluster node in isolation – we recommend following the failover clustering upgrade guidance for upgrading failover cluster nodes: Upgrade the OS of a Windows Server failover cluster by performing a cluster OS rolling upgrade | Microsoft Learn.
Check that each server has at least 30-40 GB of free space on the System Disk – low amounts of free space can cause the upgrade process to fail, and is the leading cause of In-place Upgrade failures.
Check pricing, best practices, license terms, and privacy policy: Windows Server pricing guide: Windows Server 2025 Licensing & Pricing | Microsoft. Server Upgrade planning guidance: Plan Your Windows Server Upgrade Path | Microsoft Learn. Windows Server licensing terms are here: Useterms. Microsoft’s privacy policy: Microsoft Privacy Statement – Microsoft privacy
Check online documentation for in-place upgrade for further details: Upgrade Windows Server in Place | Microsoft Learn.
Opt-In Windows Server 2025 Feature Update from the Windows Server 2022 and Windows Server 2019 Settings Dialog should work for any system, physical or virtual – if it can connect to Windows Update, and if the system meets the prerequisites.

Steps for Installing the Windows Server 2025 Feature Update on Windows Server 2019 or Windows Server 2022 Desktop Experience

Install the 2026-03 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5078766) or later for Windows Server 2022.

Install 2026-03 Cumulative Update for Microsoft server operating system for x64-based Systems (KB5078752) or later for Windows Server 2019.

Note that it may be necessary to reboot the server after installing Quality and Security Updates.

2. Backup / snapshot the server, and if time permits, perform a restore test on a separate server.

3. Stop applications and services running on the server.

4. Add the opt-in registry key to the server using PowerShell or using the Registry Editor:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate"

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1

Note that adding these values can also be automated using Group Policy Objects (GPO), see: Configure Windows Update client policies via Group Policy | Microsoft Learn.

5. The Windows Server 2025 Feature Update will be offered in the Settings Dialog, in the Windows Update section, select Download and Install.

6. Read the Important Information pop-up dialog, press Accept and install:

7. The Windows Server 2025 Feature Update will download and install (in-place upgrade on the server) and will prompt for Reboot.

See Post-Feature Update (Post In-place Upgrade) section below

Steps for Installing the Windows Server 2025 Feature Update on Windows Server 2022 Server Core using SCONFIG

Organizations using Windows Server 2022 Server Core can also get the Windows Server 2025 Feature Update using SCONFIG.
Install the 2026-03 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5078766) or later for Windows Server 2022.

SCONFIG Option 6, 1 will scan for applicable Quality Updates and Security Updates.

Note that it may be necessary to reboot the server after installing Quality and Security Updates.

3. Backup / snapshot the server, and if time permits, perform a restore test on a separate server.

4. Stop applications and services running on the server.

5. Add the opt-in registry key to the server using PowerShell or using the Registry Editor:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate"

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1

Note that adding these values can also be automated using Group Policy Objects (GPO), see: Configure Windows Update client policies via Group Policy | Microsoft Learn.

6. The Windows Server 2025 Feature Update will be offered in SCONFIG, select option 6 (Install updates):

7. Select option 3 (Feature updates):

8. The Windows Server 2025 feature update will be offered if prerequisite requirements are met. Select Y to download and install the Windows Server 2025 Feature Update:

9. The Windows Server 2025 Feature Update will download and install (in-place upgrade on the server) and will Reboot.

Post-Feature Update (Post In-place Upgrade)

After installation and reboot, check that the applications and services are running correctly. If there are any issues, restore the server from backup / snapshot.
Activate the server using one of the following activation methods: KMS, Active Directory‑based Activation, or MAK using slgmr or VAMT tools.
Check Telemetry settings and any Loopback Adapter settings.
After the server is confirmed to be working, the Windows.old directory can be deleted to free up space on the system drive.
Check Windows Update for additional updates.
Evaluate if Secured-core settings and UEFI Secure boot certificates should be updated. See What is Secured-core server for Windows Server | Microsoft Learn and Secure boot | Microsoft Learn.

Troubleshooting

If there are any issues during the upgrade to Windows Server 2025, use these steps to identify the issue:

Examine the setup log file: C:\Windows\Panther\setupact.log and error log file: C:\Windows\Panther\setuperr.log
The SetupDiag tool can be downloaded for analysis of these files: SetupDiag | Microsoft Learn
Contact customer support who may request that you compress and send them the contents of the C:\Windows\Panther directory.

Send Us Your Feedback

We value your feedback and would love to hear your opinions about this capability (WS 2025 Feature Update from the WS 2019 and WS 2022 Settings Dialog with Opt-In) and any other thoughts you have on Windows Server upgrades. Did it work well for you? What improvements would you like to see in future releases?? Please write to us at this email address: WindowsServerUpdateFeedback@microsoft.com

-Windows Server Update Team.

Introducing the Windows NVMe-oF Initiator Preview in Windows Server Insiders Builds

Yash_Shekar — Fri, 13 Mar 2026 17:34:12 GMT

What Is NVMe-over-Fabrics?

NVMe-over-Fabrics (NVMe-oF) extends the NVMe protocol—originally designed for local PCIe-attached SSDs—across a network fabric. Instead of using legacy SCSI-based protocols such as iSCSI or Fibre Channel, NVMe-oF allows a host to communicate directly with remote NVMe controllers using the same NVMe command set used for local devices. In this Insider build, Windows Server supports:

NVMe-oF over TCP (NVMe/TCP), allowing NVMe-oF to run over standard Ethernet networks without specialized hardware.
NVMe-oF over RDMA (NVMe/RDMA), enabling low-latency, high-throughput NVMe access over RDMA-capable networks (for example, RoCE or iWARP) using supported RDMA NICs.

Why NVMe-oF on Windows Server?

For Windows Server deployments, NVMe-oF builds on the same principles as Native NVMe support: helping you reduce protocol overhead, improve scalability, and better align your storage stack with modern hardware. For Windows Server customers, NVMe-oF offers:

Lower overhead networked storage access — NVMe-oF has less protocol overhead than iSCSI, helping extract the performance of modern NVMe devices while preserving the parallelism and efficiency of NVMe.
Flexible infrastructure choices — NVMe-oF supports both TCP and RDMA transports, allowing customers to choose between standard Ethernet-based deployments or low-latency RDMA-capable networks based on their infrastructure and performance goals.
A forward-looking storage foundation — NVMe-oF is designed to scale across multiple controllers, namespaces, and queues, making it a strong foundation for future disaggregated and software-defined storage architectures.

This Insider release represents the first step in bringing NVMe-oF capabilities natively to Windows Server.

What’s Included in This Insider Release

In this Windows Server Insider build, you can evaluate the following NVMe-oF capabilities:

An inbox NVMe-oF initiator with NVMe/TCP and NVMe/RDMA support
A new command-line utility, nvmeofutil.exe, for configuration and management
Manual configuration of discovery and I/O connections
Automatic exposure of NVMe namespaces as Windows disks once connected

Note: PowerShell cmdlets are not available yet. All configuration is performed using nvmeofutil.exe.

Getting Started with nvmeofutil.exe

To start evaluating NVMe-oF in this build, you’ll use nvmeofutil.exe, the command-line utility included with supported Windows Server Insider builds.

1. Install the Latest Windows Server Insiders Build

Ensure you are running a Windows Server Insiders build that includes:

The inbox NVMe-oF initiator with NVMe/TCP and NVMe/RDMA support
The nvmeofutil.exe utility

2. Open an Elevated Command Prompt

All NVMe-oF commands must be run from an administrator command prompt.

3. List Available NVMe-oF Initiator Adapters

nvmeofutil.exe list -t ia

This command displays the available NVMe-oF initiator adapters on the system.

4. Enumerate Host Gateways

nvmeofutil.exe list -t hg -ia <AdapterNumber>

Host gateways represent transport-specific endpoints, such as NVMe/TCP over IPv4.

5. Configure an I/O Subsystem Port

Tip: You’ll need three values from your target configuration: the Subsystem NQN, the target IP/DNS, and the TCP port. If you haven’t set up a target yet, see the Target Setup section below for a quick Linux-based configuration and where to find these values.

nvmeofutil.exe add -t sp -ia <Adapter> -hg <HostGateway> -dy true -pi <PortNumber> -nq <SubsystemNQN> -ta <TargetAddress> -ts <ServiceId>

This defines the connection parameters to the remote NVMe-oF target.

6. Connect and Use the Namespace

nvmeofutil.exe connect -ia <Adapter> -sp <SubsystemPort>

Once connected, the NVMe namespace appears as a disk in Windows and can be partitioned and formatted using standard Windows tools.

Target Setup (Recommendations for Early Evaluation)

If you plan to evaluate NVMe-oF with an existing storage array, check with your SAN vendor to confirm support and get configuration guidance. Where possible, we also encourage you to validate interoperability using your production storage platform. For early evaluation and lab testing, the simplest and most interoperable option is to use a Linux-based NVMe-oF target, as described below.

To evaluate the inbox Windows NVMe-oF initiator in this Insider release, you’ll need an NVMe-oF target that can export a block device as an NVMe namespace over TCP.

Recommended: Linux kernel NVMe-oF target (nvmet) over TCP

For early testing, the simplest and most interoperable option is the Linux kernel NVMe target (“nvmet”). It’s straightforward to stand up in a lab and is widely used for basic NVMe-oF interoperability validation.

Lab note: The example below uses “allow any host” to reduce friction during evaluation. In production environments, you should restrict access to specific host NQNs instead.

What You’ll Need

A Linux system (physical or VM)
A block device to export (an NVMe SSD, SATA SSD, a virtual disk, etc.)
IP connectivity to your Windows Server Insider machine
A TCP port opened between initiator and target (you’ll choose a port below)

VMs are fine for functional evaluation. For performance testing, you’ll want to move to physical hosts and realistic networking later.

Option A — Configure nvmet Directly via configfs (Minimal, Copy/Paste Friendly)

On the Linux target, run the following as root (or with sudo). This configures one NVMe-oF subsystem exporting one namespace over NVMe/TCP.

1) Load kernel modules and mount configfs

sudo modprobe nvmet sudo modprobe nvmet-tcp # Required for nvmet configuration sudo mount -t configfs none /sys/kernel/config

2) Create a subsystem (choose an NQN) and allow host access

Pick a subsystem name/NQN. Use a proper NQN format to avoid collisions on shared networks (example shown).

SUBSYS="nqn.2026-02.com.contoso:win-nvmeof-test" sudo mkdir -p /sys/kernel/config/nvmet/subsystems/$SUBSYS # Lab-only: allow any host to connect echo 1 | sudo tee /sys/kernel/config/nvmet/subsystems/$SUBSYS/attr_allow_any_host > /dev/null

3) Add a namespace (export a local block device)

Choose a block device on the target (example: /dev/nvme0n1). Be careful: you are exporting the raw block device.

DEV="/dev/nvme0n1" # <-- replace with your device (e.g., /dev/sdb) sudo mkdir -p /sys/kernel/config/nvmet/subsystems/$SUBSYS/namespaces/1 echo -n $DEV | sudo tee /sys/kernel/config/nvmet/subsystems/$SUBSYS/namespaces/1/device_path > /dev/null echo 1 | sudo tee /sys/kernel/config/nvmet/subsystems/$SUBSYS/namespaces/1/enable > /dev/null

4) Create a TCP port (listener) and bind the subsystem

Choose:

TRADDR = the Linux target’s IP address on the test network
TRSVCID = the TCP port (commonly 4420, but you can use any free TCP port)

PORTID=1 TRADDR="192.168.1.92" # <-- replace with target IP TRSVCID="4420" # <-- TCP port sudo mkdir -p /sys/kernel/config/nvmet/ports/$PORTID echo -n $TRADDR | sudo tee /sys/kernel/config/nvmet/ports/$PORTID/addr_traddr > /dev/null echo -n tcp | sudo tee /sys/kernel/config/nvmet/ports/$PORTID/addr_trtype > /dev/null echo -n $TRSVCID | sudo tee /sys/kernel/config/nvmet/ports/$PORTID/addr_trsvcid > /dev/null echo -n ipv4 | sudo tee /sys/kernel/config/nvmet/ports/$PORTID/addr_adrfam > /dev/null # Bind subsystem to port sudo ln -s /sys/kernel/config/nvmet/subsystems/$SUBSYS \ /sys/kernel/config/nvmet/ports/$PORTID/subsystems/$SUBSYS

5) Quick validation (optional, from any Linux host with nvme-cli)

If you have a Linux host handy, nvme discover will confirm the target is advertising the subsystem and will show the subnqn value you’ll use from Windows.

sudo nvme discover -t tcp -a 192.168.1.92 -s 4420

Mapping the Target Values to Your Windows nvmeofutil.exe Steps

In your Windows steps, you already define the key connection parameters in the Subsystem Port add/connect flow. Use these mappings:

SubsystemNQN (-nq) → the subsystem name/NQN you created (example: nqn.2026-02.com.contoso:win-nvmeof-test)
TargetAddress (-ta) → the Linux target IP address (example: 192.168.1.92)
ServiceId (-ts) → the TCP port you used (example: 4420)

Option B — If You Prefer a Tool-Based Setup: nvmetcli

If you’d rather not manipulate configfs directly, nvmetcli provides an interactive shell and can save/restore configurations from JSON (useful for repeating the setup across reboots in a lab). At a high level, nvmetcli can:

Create subsystems and namespaces
Configure ports (including TCP)
Manage allowed hosts (or allow any host in controlled environments)
Save/restore configs (for example, /etc/nvmet/config.json)

Optional (Advanced): SPDK NVMe-oF Target

If you already use SPDK or want to explore higher-performance user-space targets, SPDK’s NVMe-oF target supports TCP and RDMA and is configured via JSON-RPC. For early evaluation, the Linux kernel target above is usually the quickest path.

Known Limitations

As you evaluate this early Insider release, keep the following limitations in mind:

Configuration is CLI-only (no GUI or PowerShell cmdlets yet)
No multipathing
Limited recovery behavior in some network failure scenarios

These areas are under active development.

Try It and Share Feedback

We encourage you to try NVMe-oF in your lab or test environment and share your experience on Windows Server Insiders Discussions so the engineering team can review public feedback in one place.

For private feedback or questions that can’t be shared publicly, you can also reach us at nvmeofpreview@microsoft.com.

We look forward to your feedback as we take the next steps in modernizing remote storage on Windows Server.

—
Yash Shekar (and the Windows Server team)

Save the date: Windows Server Summit – May 11-13, 2026

JenniferYuan — Wed, 11 Mar 2026 16:00:00 GMT

Windows Server Summit 2026 builds on the strong momentum of last year's event—where you told us you want less marketing and more practical, engineering‑led guidance. If you're responsible for keeping Windows Server environments secure, resilient, and up to date, this year's summit is designed with you in mind.

What you'll learn

Windows Server Summit 2026 returns with a deeper, more forward‑looking agenda focused on real-world operations, security, and hybrid scenarios. Across three days of expert‑led sessions, Microsoft engineers and product leaders will share scenario‑based deep dives, architecture guidance, and actionable takeaways you can apply immediately.

The content is organized around three core pillars:

What's new in Windows Server – Get a practical walkthrough of recent innovations and updates in Windows Server 2025, including hotpatch updates, management improvements, security enhancements, and what's coming next. Find out what's changed, why it matters, and how to operationalize it in production environments.
Windows Server + Azure: Better together – Explore real hybrid and multicloud scenarios enabled by Azure Arc, with guidance that goes beyond theory. Learn how to extend management, security, and governance across on‑premises and cloud infrastructure—and get clear, experience‑based advice for planning migrations and modernization paths that fit your organization's technical and business needs.
Hands‑on technical depth and operational excellence - Expect best practices, operational insights, and hard‑earned lessons from the field—covering topics like security hardening, resiliency, lifecycle management, and keeping environments compliant and current.

The 2026 Summit will also serve as an early engagement moment for Windows Server v.Next, giving you visibility into Microsoft's direction and upcoming investments. Just as importantly, it provides a dedicated forum to share feedback directly with the product team, continuing the Summit's role as a trusted, two‑way conversation between Microsoft engineering and the Windows Server community.

Add it to your calendar

Visit the Windows Server Summit 2026 event page today to save the dates. Follow the event and you'll be notified when roll out the full, day‑by‑day agenda later this month.

Designed for enterprise IT professionals, architects, and technical decision‑makers, Windows Server Summit 2026 delivers actionable, scenario‑driven content to help you secure, modernize, and extend your Windows Server environments—on‑premises, in Azure, and across hybrid infrastructure. We hope to see you there!

Announcing ReFS Boot for Windows Server Insiders

Christina_Curlette — Fri, 27 Feb 2026 01:07:26 GMT

We’re excited to announce that Resilient File System (ReFS) boot support is now available for Windows Server Insiders in Insider Preview builds. For the first time, you can install and boot Windows Server on an ReFS-formatted boot volume directly through the setup UI. With ReFS boot, you can finally bring modern resilience, scalability, and performance to your server’s most critical volume — the OS boot volume.

Why ReFS Boot?

Modern workloads demand more from the boot volume than NTFS can provide. ReFS was designed from the ground up to protect data integrity at scale. By enabling ReFS for the OS boot volume we ensure that even the most critical system data benefits from advanced resilience, future-proof scalability, and improved performance.

In short, ReFS boot means a more robust server right from startup with several benefits:

Resilient OS disk: ReFS improves boot‑volume reliability by detecting corruption early and handling many file‑system issues online without requiring chkdsk. Its integrity‑first, copy‑on‑write design reduces the risk of crash‑induced corruption to help keep your system running smoothly.
Massive scalability: ReFS supports volumes up to 35 petabytes (35,000 TB) — vastly beyond NTFS’s typical limit of 256 TB. That means your boot volume can grow with future hardware, eliminating capacity ceilings.
Performance optimizations: ReFS uses block cloning and sparse provisioning to accelerate I/O‑heavy scenarios — enabling dramatically faster creation or expansion of large fixed‑size VHD(X) files and speeding up large file copy operations by copying data via metadata references rather than full data movement.

Maximum Boot Volume Size: NTFS vs. ReFS

Resiliency Enhancements with ReFS Boot

Feature	ReFS Boot Volume	NTFS Boot Volume
Metadata checksums	✅ Yes	❌ No
Integrity streams (optional)	✅ Yes	❌ No
Proactive error detection (scrubber)	✅ Yes	❌ No
Online integrity (no chkdsk)	✅ Yes	❌ No

Check out Microsoft Learn for more information on ReFS resiliency enhancements.

Performance Enhancements with ReFS Boot

Operation	ReFS Boot Volume	NTFS Boot Volume
Fixed-size VHD creation	Seconds	Minutes
Large file copy operations	Milliseconds-seconds (independent of file size)	Seconds-minutes (linear with file size)
Sparse provisioning	✅	❌

Check out Microsoft Learn for more information on ReFS performance enhancements.

Getting Started with ReFS Boot

Ready to try it out? Here’s how to get started with ReFS boot on Windows Server Insider Preview:

1. Update to the latest Insider build: Ensure you’re running the most recent Windows Server vNext Insider Preview (Join Windows Server Insiders if you haven’t already). Builds from 2/11/26 or later (minimum build number 29531.1000.260206-1841) include ReFS boot in setup.

2. Choose ReFS during setup: When installing Windows Server, format the system (C:) partition as ReFS in the installation UI.
Note: ReFS boot requires UEFI firmware and does not support legacy BIOS boot; as a result, ReFS boot is not supported on Generation 1 VMs.

Screenshot of the Windows Server Setup UI showing ReFS as a File System format option.

3. Complete installation & verify: Finish the Windows Server installation as usual. Once it boots, confirm that your C: drive is using ReFS (for example, by running fsutil fsinfo volumeInfo C: or checking the drive properties). That’s it – your server is now running with an ReFS boot volume.

Screenshot of PowerShell output showing the C: drive formatted as ReFS.

A step-by-step demo video showing how to install Windows Server on an ReFS-formatted boot volume, including UEFI setup, disk formatting, and post-install verification. If the player doesn’t load, open the video in a new window: Open video.

Call to Action

In summary, ReFS boot brings future-proof resiliency, scalability, and performance improvements to the Windows Server boot volume — reducing downtime, removing scalability limits, and accelerating large storage operations from day one.

We encourage you to try ReFS boot on your servers and experience the difference for yourself. As always, we value your feedback. Please share your feedback and questions on the Windows Server Insiders Forum.

—

Christina Curlette (and the Windows Server team)

Windows Server 2025 Remote Desktop Session Host Capacity Planning Whitepaper

WSNewsAdmin — Thu, 26 Feb 2026 16:00:25 GMT

The Remote Desktop Session Host (RDSH) is a role service available on Windows Server 2025, which allows multiple users to access desktops and applications hosted on a single machine simultaneously. This document serves as a guide for capacity planning of Remote Desktop Session Host servers running Windows Server 2025.

In a server-based computing environment, all applications execution and data processing occur on the server. Consequently, the server is one of the systems most likely to experience resource depletion during peak loads, which can lead to disruptions throughout the deployment. A multi-session computing environment experiences significantly higher peak loads compared to single-session environments. An RDSH server with a specific hardware capacity has a maximum workload limit that it can support before its resources are exhausted.

RDSH server customers need to estimate the required hardware type and quantity for their user base. The process of doing this type of evaluation is referred to as capacity planning. Multi session capacity planning is dependent upon the specific application usage pattern of the user base. Based on the user scenario, an estimation can be made about the hardware required to support the targeted user capacity.

This white paper presents guidelines and a general methodology for assessing a server’s capacity using a sample user scenario. It outlines the methodology employed for capacity planning using Microsoft's internal tools. It includes various test cases and provides an analysis of the results. The document also provides guidance on the hardware and other parameters that can have a significant impact on the number of users a server can support effectively.

You can read the rest of the whitepaper by downloading here.

Windows Server Secure Boot playbook for certificates expiring in 2026

RoySasabe — Mon, 23 Feb 2026 17:45:00 GMT

This guidance describes the tools and options available to help organizations update Secure Boot certificates on Windows Server before the certificates begin expiring in June 2026.

Note: This guidance does not apply to Azure Local hosts, Windows PCs or Generation 1 Hyper-V VMs. For Azure Local information, see Security updates for Azure Local. For IT-managed Windows PC information, see the Secure Boot Playbook for Windows client. Generation 1 Hyper-V VMs do not support Secure Boot.

On Windows Server, Secure Boot is a long‑standing security capability that works in conjunction with the Unified Extensible Firmware Interface (UEFI). It uses cryptographic trust anchors, referred to as certificate authorities (CAs), to confirm that firmware and boot components are trusted before they are allowed to run. This validation helps reduce the risk of malware executing early in the server startup process.

Like other cryptographic assets, Secure Boot certificates are issued with defined lifetimes. Refreshing these certificates periodically helps maintain alignment with current security requirements. For this reason, organizations will need to ensure the 2023 Secure Boot CAs are present on applicable Windows Server systems before the older 2011 CAs begin expiring in June 2026. Systems on the 2011 CAs after June 2026 are at risk of running on degraded security posture.

Windows Server 2025 certified server platforms already include the 2023 certificates in firmware. For servers that do not, IT administrators must manually update the certificates, because Windows Server does not receive them automatically. Unlike Windows PCs, which receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR) as part of the monthly update process, Windows Server requires manual action.

Get started today

Below, you can find the checklist with the recommended approach for proactively updating Secure Boot certificates on Windows Server. It outlines key preparation, deployment, and monitoring considerations to help you manage certificate updates across your device fleet.

Step 1: Inventory and prepare your environment
Step 2: Monitor and check your devices for Secure Boot status
Step 3: Apply any needed OEM firmware updates before updating certificates
Step 4: Plan and pilot Secure Boot certificate deployments
Step 5: Troubleshoot if needed

Step 1: Inventory and prepare your environment

Servers in your organization require IT administrators to validate and manually roll out the secure boot certificate updates. As the first step, we recommend conducting an inventory.

Inventory

First, verify if the servers in your organization are Secure Boot enabled. You should also check the status of the Secure Boot certificates with sample inventory PowerShell commands or by checking the value of the UEFICA2023Status registry key. Your ultimate goal for this value is to be "updated” for all applicable servers you manage.

Out of the devices that show up as not updated, build a small, representative sample to validate that the certificates update properly. We recommend that you start with servers hosting less impactful workloads. Then follow the rest of the steps outlined in this post to pilot the certificate updates and confirm that deployment is successful.

Prepare target devices

There are two options available today for managing Secure Boot certificate updates for servers. You can use registry keys or Group Policy. To plan and prepare devices for Secure Boot certificate deployment, the best practice is to start small and verify success. Then, deploy the certificates to the server instances of the same type that have been validated for the update. See Step 4 when you're ready to deploy these updates.

Important: All Secure Boot registry keys are located under these two paths:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

See Registry key updates for Secure Boot: Windows devices with IT-managed updates for more details.

Group Policy settings are available by navigating to: Computer Configuration > Administrative Templates > Windows Components > Secure Boot. To get the updates that include the Group Policy for deploying Secure Boot certificate updates, download the latest Administrative Templates (.admx) for Windows Server.

Step 2: Monitor and check your devices for Secure Boot status

If you have multiple servers to manage, here are the ways to keep track of the device status. If you have a mix of new and old servers in your organization, the newer servers such as those certified by Microsoft for Windows Server 2025 may not need an update. You can use registry keys or Windows Event Log events to identify which devices already have new certificates and which ones need attention.

Deployment progress

The text value of the UEFICA2023Status registry key will indicate if your certificate deployment status is not started, in progress, or updated. The value will change progressively until all new certificates and the new boot manager have been deployed successfully.

Successful deployment

Check the Windows System Event Log events for Event ID 1808. This informational event indicates that the device has the required new Secure Boot certificates applied to the device's firmware.
Check the UEFICA2023Error registry key for issues. This key is created only when there’s an error.
Check that the text value of the UEFICA2023Status registry key reads as "Updated."

Errors during deployment

Check the Windows System Event Log for Event ID 1801. This event indicates that some or all of the updated certificates and 2023 signed boot manager have not been applied to the device
Check if the UEFICA2023Error registry key exists. If you find this key, it means there was an error in certificate deployment. Look for more details at Secure Boot DB and DBX variable update events.

Step 3: Apply any needed OEM firmware updates before updating certificates

The best practice is to always check and apply needed firmware updates before updating certificates. Updated firmware can help prevent compatibility problems and help ensure new Secure Boot certificates are accepted.

Microsoft is partnering with OEMs to provide platform specific information to prepare your environment before the update. Expect the list to grow as we have more partners ready to provide more information.

Note: A firmware update may be necessary if there are known issues with the firmware handling Secure Boot certificate updates. Some firmware updates also set new Secure Boot defaults to include the updated certificates.

If the firmware already handles the certificate updates correctly, a firmware update is not required. Support for firmware updates on older products is determined by the OEM.

If an OEM has ended firmware support for a specific system, firmware updates may no longer be available. For questions regarding Secure boot update support, IT administrators should consult the system manufacturer (OEM) directly.

Step 4: Plan and pilot Secure Boot certificate deployments

Once you identify the servers that need to be updated, choose to do this through registry keys or Group Policy. Pilot your desired method first on a small representative set of devices to gain confidence.

In a typical enterprise deployment, Secure Boot certificates are generally applied within approximately 12 hours after the setting is applied to a device. If Windows detects that one of the updates cannot be applied without a reboot, Event 1800 is logged. In most cases, the reboot requirement is due to the Boot Manager. When a reboot is required, you can wait for the next scheduled restart or perform an unplanned reboot to complete the process. See How updates are deployed for more details. For testing scenarios, you can accelerate the experience by following the steps outlined in Device Testing Using Registry Keys.

Important: Avoid mixing deployment methods on the same device. For additional technical recommendations to help you plan and deploy your Secure Boot updates, see Deployment strategies.

Option 1: Deploy certificates with registry keys

Find the AvailableUpdates registry key located under this registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot.

Set its value to 0x5944 to deploy all needed certificates and update to the Windows UEFI CA 2023 signed boot manager. This key corresponds to the Group Policy setting Enable Secure Boot certificate deployment. For details, see Registry key updates for Secure Boot: Windows devices with IT-managed updates.

Option 2: Deploy certificates using Group Policy

Group Policy settings are available by navigating to:
Computer Configuration > Administrative Templates > Windows Components > Secure Boot.

To apply Secure Boot updates to devices using Group Policy, set the Enable Secure Boot certificate deployment policy to Enabled. This lets Windows automatically begin the certificate deployment process. This setting corresponds to the registry key AvailableUpdates.

Be sure to get the latest version of the .admx for Windows Server. For more details, see Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates.

Option 3: Deploy certificates via Windows Configuration System (WinCS)

New command-line tools are now available for domain-joined Windows Server instances running on Windows Server 2022. These include both a traditional executable and a PowerShell module to query and apply Secure Boot configurations locally to a device. For step-by-step guidance, see Windows Configuration System (WinCS) APIs for Secure Boot .

Deploy the Secure Boot updates via WinCS:

Feature name: Feature_AllKeysAndBootMgrByWinCS
WinCS key value: F33E0C8E002
Secure Boot configuration state: Enabled

Option 4: Start a new VM using the latest version

If your Windows Server instance is running on a virtualization platform and can be migrated to the latest versions of Virtual Machines, starting new in the latest VM versions can be your best option. Reach out to your virtualization platform provider for VM versions that natively support the Secure boot 2023 certificates.

Step 5. Troubleshoot and remediate common issues

You can also use registry keys and Windows Event Log events to identify and resolve common issues:

The UEFICA2023Error registry key doesn't exist if there are no errors. If it exists with a value other than 0, check your remediation recommendations in Secure Boot DB and DBX variable update events.
The AvailableUpdates registry key on a device is set to 0x4104. If it doesn't clear the 0x0004 bit even after multiple restarts, the device doesn't progress past deploying the new Key Exchange Key (KEK) certificate. You will likely see an Event ID 1803 which says “A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.” If you encounter this error, check with your device manufacturer or virtual platform provider to confirm their support policy.
If Event Viewer Windows Logs for System registers an Event ID 1795, it means that there was an error when Windows attempted to hand off the certificates to firmware. Check with your device manufacturer or platform provider to see if there is a firmware update available for the device to resolve this issue.

Learn more

You can start preparing, monitoring, deploying, and troubleshooting Secure Boot certificates today, in advance of the June 2026 expiration date. To manage Secure Boot certificate updates on Windows client, see Secure Boot playbook for certificates expiring in 2026.

For the latest information, bookmark https://aka.ms/GetSecureBoot as your landing page for resources to help you with Windows Secure Boot certificate updates.

Announcing Native NVMe in Windows Server 2025: Ushering in a New Era of Storage Performance

Yash_Shekar — Mon, 05 Jan 2026 19:49:43 GMT

We’re thrilled to announce the arrival of Native NVMe support in Windows Server 2025—a leap forward in storage innovation that will redefine what’s possible for your most demanding workloads. Modern NVMe (Non-Volatile Memory Express) SSDs now operate more efficiently with Windows Server. This improvement comes from a redesigned Windows storage stack that no longer treats all storage devices as SCSI (Small Computer System Interface) devices—a method traditionally used for older, slower drives. By eliminating the need to convert NVMe commands into SCSI commands, Windows Server reduces processing overhead and latency. Additionally, the whole I/O processing workflow is redesigned for extreme performance. This release is the result of close collaboration between our engineering teams and hardware partners, and it serves as a cornerstone in modernizing our storage stack.

Native NVMe is now generally available (GA) with an opt-in model (disabled by default as of October’s latest cumulative update for WS2025). Switch onto Native NVMe as soon as possible or you are leaving performance gains on the table! Stay tuned for more updates from our team as we transition to a dramatically faster, more efficient storage future.

Why Native NVMe and why now?

Modern NVMe devices—like PCIe Gen5 enterprise SSDs capable of 3.3 million IOPS, or HBAs delivering over 10 million IOPS on a single disk—are pushing the boundaries of what storage can do. SCSI-based I/O processing can’t keep up because it uses a single-queue model, originally designed for rotational disks, where protocols like SATA support just one queue with up to 32 commands. In contrast, NVMe was designed from the ground up for flash storage and supports up to 64,000 queues, with each queue capable of handling up to 64,000 commands simultaneously.

With Native NVMe in Windows Server 2025, the storage stack is purpose-built for modern hardware—eliminating translation layers and legacy constraints. Here’s what that means for you:

Massive IOPS Gains: Direct, multi-queue access to NVMe devices means you can finally reach the true limits of your hardware.
Lower Latency: Traditional SCSI-based stacks rely on shared locks and synchronization mechanisms in the kernel I/O path to manage resources. Native NVMe enables streamlined, lock-free I/O paths that slash round-trip times for every operation.
CPU Efficiency: A leaner, optimized stack frees up compute for your workloads instead of storage overhead.
Future-Ready Features: Native support for advanced NVMe capabilities like multi-queue and direct submission ensures you’re ready for next-gen storage innovation.

Performance Data

Graph showing IOPS gains on WS2025 (with Native NVMe) compared to WS2022 on 1, 8, and 16-threaded 4K random read tests using an NTFS-formatted volume.Graph showing reduction in CPU cycles per I/O on WS2025 (with Native NVMe) compared to WS2022 on 8 and 16-threaded 4K random read tests using an NTFS-formatted volume.

Using DiskSpd.exe, basic performance testing shows that with Native NVMe enabled, WS2025 systems can deliver up to ~80% more IOPS and a ~45% savings in CPU cycles per I/O on 4K random read workloads on NTFS volumes when compared to WS2022. This test ran on a host with Intel Dual Socket CPU (208 logical processors, 128GB RAM) and a Solidigm SB5PH27X038T 3.5TB NVMe device. The test can be recreated by running "diskspd.exe -b4k -r -Su -t8 -L -o32 -W10 -d30 testfile1.dat > output.dat" and modifying the parameters as desired. Results may vary.

Top Use Cases: Where You’ll See the Difference

Try Native NVMe on servers running your enterprise applications. These gains are not just for synthetic benchmarks—they translate directly to faster database transactions, quicker VM operations, and more responsive file and analytics workloads.

SQL Server and OLTP: Shorter transaction times, higher IOPS, and lower tail latency under mixed read/write workloads.
Hyper‑V and virtualization: Faster VM boot, checkpoint operations, and live migration with reduced storage contention.
High‑performance file servers: Faster large‑file reads/writes and quicker metadata operations (copy, backup, restore).
AI/ML and analytics: Low‑latency access to large datasets and faster ETL, shuffle, and cache/scratch I/O.

How to Get Started

Check your hardware: Ensure you have NVMe-capable devices that are currently using the Windows NVMe driver (StorNVMe.sys). Note that some NVMe device vendors provide their own drivers, so unless using the in-box Windows NVMe driver, you will not notice any differences.
Enable Native NVMe: After applying the 2510-B Latest Cumulative Update (or most recent), add the registry key with the following PowerShell command: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides /v 1176759950 /t REG_DWORD /d 1 /fAlternatively, use this Group Policy MSI to add the policy that controls the feature then run the local Group Policy Editor to enable the policy (found under Local Computer Policy > Computer Configuration > Administrative Templates > KB5066835 251014_21251 Feature Preview > Windows 11, version 24H2, 25H2). Once Native NVMe is enabled, open Device Manager and ensure that all attached NVMe devices are displayed under the “Storage disks” section. Screenshot of Device Manager where NVMe devices show up under the Storage disks section.
Monitor and Validate: Use Performance Monitor and Windows Admin Center to see the gains for yourself. Or try DiskSpd.exe yourself to measure microbenchmarks in your own environment! A quick way to measure IOPS in Performance Monitor is to set up a histogram chart and add a counter for Physical Disk>Disk Transfers/sec (where the selected instance is a drive that corresponds to one of your attached NVMe devices) then run a synthetic workload with DiskSpd. Compare the numbers before and after enabling Native NVMe to see the realized difference in your real environment!

Screenshot of Performance Monitor, showing how to add a counter for Disk Transfers/sec to measure IOPS of an NVMe drive.Screenshot of higher IOPS when running Native NVMe stack on Windows Server 2025.

Join the Storage Revolution

This is more than just a feature—it’s a new foundation for Windows Server storage, built for the future. We can’t wait for you to experience the difference.

Share your feedback, ask questions, and join the conversation. Let’s build the future of high-performance Windows Server storage together. Send us your feedback or questions at nativenvme@microsoft.com!

—
Yash Shekar (and the Windows Server team)

Microsoft Foundry on Windows Server

Priya_Satheesh — Wed, 19 Nov 2025 00:40:15 GMT

As organizations embrace AI, new opportunities exist for Windows Server customers who want to leverage on-premises AI. While Azure remains the best place for cutting edge models and AI inference hardware accelerators, certain industries - such as healthcare, finance, manufacturing, and retail - require on-premises AI to improve and accelerate existing business workflows.

Microsoft Foundry on Windows helps harness the power of AI on existing server deployments. Microsoft Foundry on Windows includes Foundry Local and Windows ML that enable server customers to build local AI experiences and real-time inferencing.

Leveraging AI on your own infrastructure gives control over data residency, compliance, and latency.

This blog details how Microsoft Foundry on Windows brings local AI capabilities to Windows Server deployments. It explores why Foundry Local and Windows ML are a strong fit for on-premises AI, highlighting technical considerations, and showing how customers can easily build generative AI applications with Foundry Local catalog, or proprietary models of any type via Windows ML

Windows Server as local AI platform

Windows Server 2025 reached GA last year and introduced significant enhancements—including advanced storage capabilities, GPU partitioning (GPU-P), and Discrete Device Assignment (DDA) for assigning GPU resources to virtual machines, and massive Hyper V scalability with support for up to 2,048 vCPUs per Gen 2 VM. These capabilities combine to make Windows Server 2025 ideal for AI-intensive workloads. Built to power mission critical environments where compliance and continuity are non-negotiable, Windows Server offers a robust, enterprise grade infrastructure that enables AI inferencing on premises without leaving your datacenter.

Scenarios for On-Premises AI

Although many organizations are investing in AI on Azure to leverage the latest innovations, we understand there are several situations where on-premises AI capabilities are required. Below are a few examples of such scenarios.

Healthcare

Meet regulatory requirements. Maintain Protected Health Information (PHI) and clinical records within your on-premises perimeter to meet compliance requirements—while enabling AI-powered insights locally.

Finance

Act on insights instantly. Process financial reports and transaction logs near the source to reduce latency and avoid round trips to external endpoints, ensuring speed and confidentiality.

Manufacturing

Operate in disconnected environments. Run AI workflows in air-gapped or intermittently connected plants to support predictive maintenance and quality control without relying on cloud connectivity.

Retail offices

Operate in latency-sensitive environments. Run AI models for basic inferencing to improve point-of-sale efficiency and deliver personalized experiences.

Technical Snapshot

Microsoft Foundry on Windows supports a two-pronged approach to make Windows Server platform AI-ready:

Windows ML enables application service owners to introduce AI workflows or inferencing within existing server applications. It automatically identifies available processors (CPU or GPU) based on server hardware, downloads optimal execution providers (EPs) and allows the application to use AI models locally. Windows ML supports ONNX Runtime under the hood, ensuring compatibility with popular frameworks and optimized execution providers.

Foundry Local enables seamless discovery, download, and orchestration of AI models directly on Windows Servers, including support for hardware acceleration on servers with GPUs. It also streamlines deployment of foundational models on virtual machines with GPU-P partitioning, ensuring hardware isolation and optimized resource sharing for compliance sensitive environments.

The foundry model catalog will continue to evolve with more models and APIs, like embedding models support.

Simple steps to get started!

Onboard Foundry Local on your existing server infrastructure: Install Foundry Local on Windows Server 2025
Identify a practical use case for AI inferencing: Start with a simple scenario—such as summarizing reports or translating content to native language.
Pilot with existing prebuilt models in the catalog for rapid results. Validate performance and compatibility with your hardware.
Integrate with existing workflow: Connect inference endpoints to your current applications or automation pipelines. Keep data local while enhancing processes with AI insights. Foundry Local provides an SDK, Command Line Interface (CLI), and a REST API for ease of use and integration into existing workflows and applications.
Measure performance: Track latency, throughput, and resource utilization to optimize deployment. Use these insights to fine-tune and iterate.

Deep dive: Unlock the power of BYOM + Windows ML on Windows Server

Bring Your Own Model (BYOM): This gives organizations the freedom to choose custom AI models tailored to their domain and business needs. For instance, a manufacturing company might bring a predictive maintenance model trained on its own sensor data to anticipate equipment failures and reduce downtime.

Windows ML allows use of proprietary models to run seamlessly on Windows Server. Windows ML automatically discovers, downloads and registers the latest version of all compatible execution providers (EP). Tools like AI Toolkit Extension for VS Code can be used for model optimization and quantization to prepare models for efficient local execution.

In summary, with BYOM and Windows ML on server customers can deploy custom AI models to provide inferencing solutions locally to existing business workloads.

Resources:

Code samples to get started with Foundry Local on Server

Foundry Local Guide

Windows ML Overview

For questions or feedback, reach out to foundrylocal-server@microsoft.com

Introducing Windows Admin Center: Virtualization Mode (vMode)

WSNewsAdmin — Tue, 18 Nov 2025 18:52:09 GMT

Now in Public Preview

Windows Admin Center has long been a favorite tool for IT pros, trusted to manage millions of Windows Servers around the world. Over the years, Windows Admin Center’s browser-based console has made every day server administration easier and more accessible. Now, responding directly to your feedback and evolving needs, we are introducing a new Virtualization Mode (vMode) in the latest Windows Admin Center Public Preview. vMode is a purpose-built experience to help you easily manage on-premises Windows Server Hyper-V virtualization at scale – across multiple hosts and clusters – while effortlessly bridging your environment with Azure Arc for a true hybrid cloud experience.

In this blog post, we’ll explore what Virtualization Mode is all about, why it was created, and how it empowers IT administrators to oversee their entire virtualization estate with greater simplicity. We’ll highlight the capabilities of vMode, discuss how it connects your Hyper-V infrastructure to Azure for hybrid adaptability, share why this update is such a big deal for Windows Server customers, and provide our roadmap for what comes next.

Why a new virtualization mode? Listening to you and adapting to change

Windows Admin Center has been immensely popular since its launch, with an extensible server-oriented design that provides IT professionals with the right tools and insights to manage all their Windows Servers from Active Directory controllers to virtualization hosts and everything in between. This server-oriented design (now called Administration Mode) understands each server’s individual configuration providing optimal insights and tools - perfect for general administration. After carefully considering your feedback, we found that those managing more complex Hyper-V environments needed a specialized console to oversee and manage their on-premises virtualization setups—one capable of handling multiple hosts, clusters, and sophisticated storage and network configurations.

We heard your feedback loud and clear. The result is Windows Admin Center: Virtualization Mode, or vMode. It’s a new approach dedicated to virtualization management, designed as a direct response to your needs. With vMode enabled, Windows Admin Center transforms into a central console for your Hyper-V hosts, clusters, VMs, storage, and virtual networks – all in one place. And it does so while maintaining Windows Admin Center’s hallmark simplicity, leveraging Azure Arc to enable an adaptive cloud approach.

Meet vMode public preview: purpose built management for Hyper-V

When you setup Windows Admin Center Public Preview, you’ll have two separate installation options: the traditional Administrator mode (aMode) or the new Virtualization mode (vMode). At its core, Virtualization Mode (vMode) is about centralizing and streamlining Hyper-V management. Instead of connecting to each server or cluster individually, you can now deploy Windows Admin Center as a stateful appliance and manage your Hyper-V virtualization fabric from a single dashboard. Here are some of the key capabilities and design features that make vMode a game-changer:

Scalable, multi-host management: vMode has been designed for large environments, allowing a single Windows Admin Center system to manage up to hundreds of Hyper-V hosts or tens of thousands of virtual machines. You can onboard both standalone servers and multiple clusters, viewing all VMs and hosts in one unified console without switching between tabs or sessions.

Unified inventory and dashboard: The Virtual Machines tool in vMode offers a single view of all VMs, displaying their status, host, OS, and resource use. Use global search to quickly locate any VM, host, cluster, or storage object by name. The dashboard highlights key stats like active VMs, cluster health, and CPU/memory usage for an instant overview.

Appliance-style deployment: vMode is designed for easy, “appliance-like” setup. Simply install Windows Admin Center on your management server (such as Windows Server 2022/2025), enable Virtualization Mode, and finish deployment in under 10 minutes. The system automatically sets up a lightweight PostgreSQL database to track VM/host inventory and status, so admins don’t need to manage it manually—it’s included with the WAC gateway service. This creates a central Windows Admin Center instance accessible by your entire team.

Bulk actions and simplified workflows: vMode lets you manage multiple resources efficiently with bulk operations and streamlined workflows. The Windows Admin Center UI supports live migrations between cluster nodes, and new wizards help with tasks like importing VMs or replicating VMs between hosts or clusters easily.

Virtualization-focused UI & tools: In vMode, Windows Admin Center displays only virtualization-related tools, such as VM management, virtual networks, Hyper-V settings, and Storage Spaces Direct. This streamlined interface helps admins focus efficiently. Hosts can be organized into logical groups, simplifying navigation as your environment expands.

Performance and responsiveness: Managing thousands of VMs could be overwhelming, but vMode brings significant performance optimizations to make it snappy. The Windows Admin Center team reworked how data is loaded: the VM list and host statuses populate quickly and are quickly retrieved from the database maintaining persistent state.

To sum up, with vMode, you get a unified view, bulk management powers, and a UI tuned to virtualization needs – all without losing the simplicity that made Windows Admin Center popular.

Hybrid-Ready: Azure Arc integration for adaptive cloud management

A huge advantage of Windows Admin Center has always been its ability to integrate on-premises environments with Azure services (the “hybrid” aspect). The new Virtualization Mode will double down on this by making Azure Arc integration easier and more powerful than ever for your virtualized apps.

What is Azure Arc? In brief, Azure Arc is a Microsoft solution that links your on-premises or other-cloud resources to Azure, treating them as “first-class” Azure resources for management purposes. For servers, Arc enables high-value cloud-native tools like Azure Monitor, Azure Update Management, Azure Security Center (Defender for Cloud), and more, even for machines running outside Azure. It’s a key to building a hybrid cloud where you can centrally manage resources across on-prem and Azure in a unified way.

In the context of vMode, Azure Arc integration means you can “Arc-enable” your Hyper-V VMs running on them with a few clicks – and then leverage Azure to extend your management capabilities:

Unified cloud management (adaptive cloud): After connecting on-prem assets via Arc, they're visible in the Azure Portal, allowing you to manage Arc-connected servers with Azure services while retaining local management through WAC. You can use Azure Monitor for centralized VM alerts or Azure Policy to enforce security configurations. Windows Admin Center vMode gives you control over VM settings and migrations. This hybrid approach lets you maintain critical workloads on-premises and use Azure for backup, monitoring, and governance, with vMode streamlining the process.

Real world example: Suppose you're running a Hyper-V cluster with various business apps. With WAC vMode, you can easily organize and monitor your VMs. By enabling Arc through Windows Admin Center, you get Azure Backup for cloud-based VM protection and use Azure Update Manager to automate Windows Updates from the Azure Portal. Your VMs still run locally on Hyper-V, but management becomes streamlined across both on-prem and Azure environments.

In summary, Azure Arc integration in vMode turns your on-prem Hyper-V deployment into a hybrid cloud solution.

No additional cost, no additional complexity

Windows Admin Center (including vMode) is included at no additional charge with Windows Server Datacenter or standard licenses. There’s no additional license or SKU needed for Windows Admin Center or vMode. Unlike many other virtualization management tools that charge extra fees, Microsoft offers these features at no added cost, making Hyper-V with Windows Admin Center a highly cost-effective solution. The inclusion of advanced features like vMode in a free tool helps lower total cost of ownership.

Windows Admin Center vMode public preview was developed with community input, incorporating user and partner feedback as well as Insider previews. We will continue to update Virtualization Mode, available through Windows Admin Center’s extension feed or versioned releases. A new VM conversion extension is already in Public Preview, enabling VMware-to-Hyper-V migration directly from Windows Admin Center. The modular design of Windows Admin Center allows additional extensions to integrate with vMode over time.

Empowering your hybrid virtualization journey

The introduction of Virtualization Mode in Windows Admin Center streamlines Windows Server management by enabling small IT teams to centrally manage Hyper-V resources (such as hosts, VMs, SDN, and S2D) with ease. This feature also supports Azure integration, allowing organizations to adopt a hybrid approach efficiently. With this public preview, we recommend you take vMode for a test drive and let us know what you think. We have more features in the pipeline for Public Preview 2 including:

Virtual Machine Templates

Hyper-V Replica

Azure Arc Integration

Public Preview 2 is scheduled for Q1 of 2026 with more to come so stay tuned for upcoming information and updates!

Ultimately, Windows Admin Center’s Virtualization Mode is about making day-to-day virtualization ops more efficient, helping you consolidate management tasks, and position your environment for the future by connecting it with Azure.

Learn more & get started: Windows Admin Center with vMode is now in Public Preview. Download it here: https://aka.ms/WACDownloadvMode. To share feedback or suggestions, click the question mark in the top right corner of Windows Admin Center and select “Give us feedback.” The WAC dev team actively monitors feedback channels. Please note: This preview is for evaluation only and isn’t supported in production environments.

Windows Admin Center’s new Virtualization Mode is more than just a feature update; it’s an evolution driven by the community of IT professionals. Windows Admin Center vMode simplifies on-premises virtualization management and integrates it with the cloud, on your terms. Give it a try and experience how managing Hyper-V can become as modern and streamlined as the rest of your IT environment.

Happy virtualizing with Windows Admin Center vMode!

-Jeff Woolsey and the Windows Server Team

Upgrading to Windows Server 2025 from Windows Server 2012 R2, 2016, 2019, or 2022 using Media (ISO)

Rob-Hindman — Tue, 23 Sep 2025 23:22:03 GMT

About media-based upgrade to Windows Server 2025

With N-4 media based upgrades, you can upgrade your organization’s physical devices and virtual machines directly from Windows Server 2012R2, Windows Server 2016, Windows Server 2019, or Windows Server 2022 to Windows Server 2025 in one hop using the Windows Server 2025 media. Running Windows Server 2025 setup enables customers to either upgrade or clean install Windows Server 2025. This process takes under an hour per server, depending on the capabilities of the server and the applications installed on it.

(BTW, “Upgrade” has several synonyms: In-place Upgrade and Feature Update – they all refer to the same process which is described here.)

Upgrading Physical or Virtual

Before diving into the details of upgrading to Windows Server 2025, it's helpful to consider several key factors such as whether you're upgrading a physical server or a virtual machine. Let's begin with virtual machines: If your server is running Hyper-V, in-place upgrades are straightforward since the process will automatically update Hyper-V drivers with the new operating system. For those using non-Microsoft virtualization platforms, it is crucial to update guest drivers from that platform before starting the upgrade to Windows Server 2025. Outdated virtualization drivers are a common reason for support requests, so updating them in advance can help you avoid potential issues.

The second scenario involves upgrading physical servers, which can be a bit more complicated. If your server runs Windows Server 2012 R2, it was probably purchased around 2010 or 2011—meaning it's now about 15 years old. While the CPU and motherboard might still work, it's essential to check every component, including network adapters, host bus adapters, storage controllers, and any devices installed in the PCIe slots. Make sure all add-in cards are compatible with Windows Server 2025 and that drivers are available. If you find some components aren't compatible, this could be a good opportunity to move workloads to the cloud, invest in new hardware, or consider virtualizing these workloads to simplify future upgrades.

Planning for the upgrade

Carefully planning the upgrade process will minimize downtime:

Check that your hardware and application vendors support Windows Server 2025 – we’ve worked with a very broad range of hardware and application vendors to ensure support and compatibility.
Checkpoints and Backups - Whenever you're performing an operating system upgrade, it's a good idea to make sure you've got a physical backup or a VM checkpoint just in case of unforeseen issues. If you're using a VM it's easy, take a snapshot of your existing virtual machine so that you can revert in the case that you need to if you're doing a physical server of course make sure you have a backup as well. the upgrade is not 100% perfect and can fail, so a backup is strongly recommended – as is a backup restore test.
Backup storage – backups should be stored on a different device or a remote location – not on the device that is being upgraded to Windows Server 2025.
Test the upgrade process on a test device in your environment to gain experience with the process.
Schedule a maintenance Window for your customers / users and inform them that their data and applications will be offline.

o Although the average time to upgrade a server is typically an hour, the process may take several hours – so set expectations appropriately.

Plan to stop all applications on the server before backing up the server and applications.

Windows Server running Active Directory Domain Services

In place upgrades for Windows Server 2025 can be used for any Windows Server role except for Active Directory. Remember: domain controllers are special. Active Directory is a multi-master directory service which means that changes to the directory data can be made on any domain controller within the domain and those changes are then replicated to other domain controllers to ensure that there's no single point of failure while providing redundancy and high availability. Because Active Directory is a multi-master service, the process for upgrading domain controllers is the same as it has been for decades.

Step 1: Setup new domain controller running Windows Server 2025
Step 2: Synchronize new domain controllers with existing domain controllers
Step 3: Turn off old domain controllers
Step 4: Raise the Forest Functional Level and Domain Functional Level

You can find detailed documentation for upgrading domain controllers here.

Do I need to purchase a Windows Server 2025 product key?

Volume License customers with Software Assurance have upgrade rights and should be able to upgrade to Windows Server 2025 and activate when their KMS is configured. Either a Window Server 2025 product key or a correctly configured Key Management Server (KMS) is needed to Activate Windows Server 2025 devices. Customer Support Services require devices to be activated to receive product support.

Windows Server Upgrade Walk-through

When you have completed the preparation steps above, and you’re ready to upgrade a Windows Server device, the steps are relatively easy:

First, check that you are running Windows Server 2012 R2, 2016, 2019, or 2022 by running winver:

Run Windows Server 2025 setup from the ISO or extracted ISO media:

By default, setup will start by attempting to download updates to the setup process to ensure a smoother upgrade experience:

You will be prompted for the version of Windows Server that you’d like to upgrade to – in this case, Windows Server 2025 Datacenter (Desktop Experience) has been selected:

Next, you will be asked to agree to the license terms:

To upgrade the server, select the “Keep files, settings, and apps” radio button and press Next:

Setup will fetch any available updates for the upgrade process…

After setup have downloaded updates for the upgrade process, it will check that you want to upgrade your server to Windows Server 2025 – select Install:

Setup will attempt to upgrade your server to Windows Server 2025 and migrate your applications, settings, and user profiles. When completed, the server will restart:

Note that the restart will take several minutes to complete the final phases of upgrade. When the server restarts, you will be asked if you want to Include Optional or just Required only telemetry data back to Microsoft. Microsoft uses this data to improve Windows Server. Select the option that you prefer and press Accept:

When Windows Server 2025 starts with the Desktop Experience or ServerCore, you can check the version using winver:

Check for updates using the Settings Dialog | Windows Update (or WSUS or Update Management Software) – to download and install the Latest Cumulative Updates (LCU) packages. Install the LCUs and Restart:

After all LCUs have been installed and the server has been rebooted, verify that applications start correctly and all components and devices are working as expected.
If the upgrade to Windows Server does not succeed:
- You can troubleshoot upgrade issues by examining the setup logs which are in the C:\Windows\Panther directory. There is a setup log parsing utility called SetupDiag that can be downloaded here: SetupDiag | Microsoft Learn.
- Restore the previous version of Windows Server from the backup media.

We hope you enjoy using Windows Server 2025 and have found the Upgrade process to be easy!

Introducing the VM Conversion tool in Windows Admin Center – Public Preview

Priya_Satheesh — Mon, 25 Aug 2025 18:49:22 GMT

As organizations update their infrastructure, a growing number are seeking adaptable, Microsoft-supported solutions that address current requirements while laying the path for future cloud and AI adoption. Azure provides an agile, scalable, cost-effective platform for infrastructure and innovation. Whether by modernizing to cloud technologies like Windows or Linux VMs, containers, Azure VMware Solution or PaaS services, Azure offers a world-class cloud experience. However, we recognize that some organizations must retain workloads on-premises due to data compliance, governance, or other regulatory requirements. For customers wanting to adopt Windows Server and Hyper-V for this use case, we are excited to provide a new option within Windows Admin Center, the VM Conversion tool, in public preview now.

This agentless, cost-free tool streamlines the conversion of virtual machines from VMware to Windows Server with Hyper-V, providing customers flexibility with their on-premises virtualization environments while enabling a seamless transition path to Azure when desired. With minimal infrastructure requirements, the tool is particularly beneficial for small and medium-sized organizations. Additionally, with minimal setup time you can download the new VM Conversion tool extension in Windows Admin Center and begin converting virtual machines in under five minutes.

 Figure 1- VM Conversion tool in Windows Admin Center 

 🔑Key Features :

Agentless, appliance-free discovery
After establishing a connection to the virtualization environment, the tool conducts discovery of all virtual machines without requiring agents or appliances and does so in a non-intrusive manner.

Minimal downtime
The VM Conversion tool enables initial data replication while the source virtual machine remains operational, thereby preventing any interruptions to ongoing applications. After completing this initial replication, on user consent, the source VM is powered down so a subsequent replication pass can capture any data changes made during the first phase. This two-step process ensures that the cutover time from the source to the target VM is minimized.

Group servers
You can select and migrate up to 10 virtual machines at a time. This reduces manual effort and accelerates the transition to Windows Server.

Boot configuration
The tool automatically maps BIOS-based virtual machines to Generation 1 and UEFI-based machines to Generation 2, preserving boot configurations and ensuring compatibility.

OS agnostic
The tool supports conversion of both Linux and Windows guest OS VMs to Windows Server host.

Multi-disk VM support
Virtual machines that use several virtual hard disks—common in production environments—are fully supported. The operating system, data, and application disks all migrated together, so manual setup is not needed.

⚙️How It Works 

To ensure a smooth and reliable transition, the tool performs a comprehensive set of built-in prechecks. These checks validate critical VM attributes such as disk types, boot configuration (BIOS or UEFI), destination disk, memory requirements, and several more. By identifying potential issues early, administrators can proactively address them—minimizing the risk of migration failures and reducing downtime during the final cutover.

The VM Conversion tool uses change block tracking (CBT) to efficiently replicate data from one virtual disk format to another. During the initial seeding phase, a full copy of the virtual machine is created while it remains online. This minimizes downtime and ensures data integrity. Before the final cutover, a delta replication captures all changes made since the initial copy, ensuring the destination VM is fully up-to-date post conversion to Hyper-V hosts.

🚀Ready to Take the Next Step?

The VM Conversion tool is available now in the public feed of Windows Admin Center. You can install it directly from the Extensions settings in Windows Admin Center. To get started, ensure you're running the Windows Admin Center v2 GA release.

📘 For detailed setup instructions and prerequisites, refer to the Public Preview Documentation.

📍 Summary  

 The VM Conversion tool offers a simple, supported path for organizations to streamline VM conversion to Hyper-V virtualization environments. With no added cost and minimal setup, it empowers customers to streamline VM migration and prepare for the cloud at their own pace. Support for Azure Arc-enabled servers is also planned for future releases, further enhancing hybrid management capabilities.

We’re continuously evolving the VM Conversion tool based on user feedback. Please continue to share your feedback here and help us prioritize our efforts for future releases.

Happy converting!

Hotpatching for Azure Arc–Connected Servers: General Availability and Subscription Details

Janine-Patrick — Wed, 16 Jul 2025 22:24:47 GMT

Effective July 16, 2025, Hotpatching for Windows Server 2025 on Azure Arc–connected machines will be generally available (GA) and transition to a paid subscription model. This post provides technical details on the service, the value of hotpatching for on-premises servers, and important enrollment information for customers.

What Is hotpatching?

Hotpatching enables you to install OS security updates on Windows Server without requiring a reboot. This technology, previously exclusive to Windows Server Datacenter: Azure Edition, is now available for on-premises and hybrid environments through Azure Arc. Hotpatching has been in public preview at no cost, but as of July 16, 2025, a monthly subscription fee of $1.50 USD per CPU core will apply.

Why hotpatching for on-premises servers?

Minimize downtime: Apply critical security updates without interrupting workloads or requiring planned maintenance windows.
Improve security posture: Reduce the window of vulnerability by deploying patches as soon as they are available.
Operational efficiency: Eliminate the need for frequent reboots, simplifying patch management for IT teams.
Consistent experience: Use the same hotpatching process across Azure, on-premises, and hybrid environments with Azure Arc.

Enrollment and billing

To receive hotpatches on Windows Servers outside of Azure, customers must enroll their servers. The servers must be on the latest cumulative update released during a baseline month (January, April, July and October) by Microsoft on the second Tuesday of the month. Only enrolled servers will continue to receive hotpatches and be billed accordingly.

Preview customers: If already enrolled during the preview period, then no action is needed to continue to receive hotpatches. If you enrolled in hotpatching during the Preview and do not wish to be billed after GA, you must disenroll your servers before July 16, 2025, to avoid charges.
New customers: Enroll your eligible Windows Server 2025 machines via Azure Arc to activate hotpatching and start receiving updates.

How to enroll in hotpatching

To begin receiving hotpatches for your Azure Arc–connected Windows Server 2025 machines, follow these steps:

Prerequisites

Ensure your machine is connected to Azure Arc.
Ensure Virtualization Based Security (VBS) is enabled and running.
Confirm that the latest cumulative update from a baseline month (January, April, July, or October) is installed. Hotpatching is only offered if this requirement is met.

Enrollment via Azure Portal

Connect your server to Azure Arc.
Navigate to the Windows Server resource in the Azure Arc portal.
Click on the Hotpatch blade
Check the box “I want to license this Windows Server to receive monthly hotpatches” and click on confirm under the hotpatch blade.

Note: Enrollment operation takes a few minutes, so you may need to manually refresh the Azure portal to see the updated status.

How to disenroll from hotpatching

If you no longer wish to receive hotpatches or want to avoid billing after the preview period ending on July 16, 2025, you must disenroll from hotpatching service on Azure Arc portal.

Disenrollment via Azure portal

Go to the Azure Arc–connected server in the Azure Arc portal.
Open the hotpatch blade.
Uncheck the box “I want to license this Windows Server to receive monthly hotpatches” and click on confirm.

Important: Disenroll before disconnecting the machine from Azure Arc. If you disconnect first, billing may continue for up to 30 days after the last connection. See this blog post for additional details.

Disenrollment via API

Set subscriptionStatus to "Disable" in the license profile payload.
This action is synchronous and should reflect immediately, though portal refresh may still be required.

Learn more

If you’re interested in learning more, check out our April blog post and the on-demand session on Hotpatching and Update Management from our recent Windows Server Summit virtual event.

Removal of DES in Kerberos for Windows Server and Client

Anushka_Khare — Fri, 28 Feb 2025 01:02:17 GMT

To enhance security and protect against cyber threats, the Data Encryption Standard (DES) encryption algorithm will be intentionally removed from Kerberos after Windows Server 2025 and Windows 11, version 24H2 computers install Windows Updates released on or after September 9, 2025. While DES encryption in Kerberos is an optional component that isn’t installed by default, it’s important to detect and disable your DES use now to avoid potential disruption later this year. Currently, Kerberos supports stronger encryption ciphers such as AES that should be used instead of DES. Deprecating outdated, less-secure technologies is in-line with Microsoft's Secure Future Initiative (SFI) commitments.

DES removal

As methods to bypass and break cryptographic ciphers continue to evolve, it is important for administrators to decommission older encryption ciphers. This transition to disable DES in Kerberos on Windows devices will occurs in phases.

Compatibility Mode: DES in Kerberos is disabled by default on all Client and Server versions of Windows released on and after Windows 7 and Windows Server 2008 R2. If DES is required in Kerberos, administrators can manually configure the DES cipher on supported operating systems with the exception of Windows 11 24H2 and Windows Server 2025 devices that have installed updates released on and after September 9, 2025.

DES in Kerberos Disabled Mode: Once DES in Kerberos is removed, it will no longer be supported as an encryption cipher in any function of Kerberos in Windows Server 2025 and later and Windows 11, version 24H2 and later. Legacy scenarios using DES on those two operating system versions will stop working until Kerberos-related application and network security configuration changes are made by IT administrators, so a safer cipher can be used.

DES will not be removed from earlier Windows versions.

By adopting stronger encryption methods, such as the Advanced Encryption Standard (AES) algorithm, you can significantly improve your organization’s security posture and enable compliance with modern encryption standards such as the Federal Information Processing Standards (FIPS).

A brief history of DES

The DES symmetric-key encryption algorithm is a block cipher algorithm that encrypts and decrypts messages using a 56-bit key. It was established in 1977 as the first standard encryption algorithm for business use in the United States. DES was added to Kerberos in RFC1510 (1993) and was present in the first Windows Kerberos implementation in Windows 2000, but it was only used for third-party compatibility. Windows machines defaulted to using RC4 in all Windows-to-Windows transactions. As of Windows 7 and Windows Server 2008 R2, DES was disabled by default but remained available as an optional component when manually enabled by an administrator. It was deprecated in the Kerberos standard by RFC6649 in calendar year 2012.

Over the years, an increase in computational power has led to DES becoming increasingly vulnerable to brute force attacks and known-plaintext attacks. In summary, DES encryption has known vulnerabilities when used within the Kerberos protocol.

Note: Windows has never natively used DES for Kerberos. The only major use of DES for Kerberos in Windows that Microsoft is aware of is for older versions of Java. While DES is never used by default for authentication between Windows machines, it might still be used by third-party clients and servers.

Recommendations and next steps

Does your organization use versions of Windows Server and Windows client earlier than Windows Server 2025 and Windows 11, version 24H2? If so, we advise you detect any DES in Kerberos use within your network, identify apps that are using DES, and reconfigure them to use a stronger cipher. Ultimately, you’ll need to disable DES before taking the September 2025 Windows security update. Microsoft also recommends identifying apps and callers negotiating DES and upgrading to a more secure encryption cipher.

How to detect DES usage

Important: Before proceeding with detection, install the Windows Server 2025 updates released in or after January 2025 prior to September 9, 2025, to ensure that the script functions as expected.

To detect DES usage, please use the tools and guide to detect DES usage found here. If DES usage is detected or if you are unsure if accounts use DES in Kerberos, then you should continue to detect the events described below. Identify DES usage via Kerberos Key Distribution Service (KDCSVC) Event IDs 4768 and 4769 in the security event log on a DC. KSDSVC Event ID 4768 is logged every time a Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). KDCSVC Event ID 4769 is generated every time a Kerberos service ticket is requested. These events are shown below.

KDCSVC Event ID 4768

Event log	Security
Event type	Audit
Event source	KDCSVC
Event ID	4768
Event text	More information about event text can be found here

KDCSVC Event ID 4769

Event log	Security
Event type	Audit
Event source	KDCSVC
Event ID	4769
Event text	More information about the event text can be found here

These Event IDs should be visible in the security event logs and do not require additional configuration.

The PowerShell scripts linked above scan the security event log for KDCSVC Event IDs 4768 and 4769 for use of specified ticket, session, and account key types. Make sure that remote event logging is enabled to allow the PowerShell scripts to aggregate data across multiple Kerberos DCs. Review further guidance on how to enable Kerberos event logging.

You can further narrow down the query by specifying a time frame to search for the events. This may be necessary if the event logs are excessively large. Use the PowerShell scripts from GitHub to detect the use of specific ciphers by particular accounts, either on the local machine or across all Kerberos DCs.

How to disable DES in Kerberos

If your environment is currently using software with DES encryption, the next step is to disable DES. Use the following steps to verify that there are no DES-enabled accounts:

Use your event log audit trail to generate a comprehensive inventory of accounts advertising support for DES encryption types. Examine these computers and devices. It’s unlikely that they are running Windows.

2. Navigate to Active Directory > Users and Computers policy. Under account options, make sure the “Use only Kerberos DES encryption types for this account” box is unchecked. The following setting corresponds to USE_DES_KEY_ONLY 0x200000 bit in the UserAccountControl field in Active Directory

Screenshot of account options in Active Directory Users and Computers policy.

3. If the computers are running Windows, examine them for the presence of non-Microsoft software and applications. This third-party software may be the source of DES usage. Tools such as Network Monitor, Process Monitor, and process auditing can help identify which process is using DES.

4. Once identified, navigate to the Group Policy “Network security: Configure encryption types allowed for Kerberos” located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Screenshot of the dialog box for “Network security: Configure encryption types allowed for Kerberos,” focused on the Local Security Settings tab.

Ensure the boxes next to DES_CBC_MD5 and DES_CBC_CRC are unchecked. Then update the encryption method for the service account to AES by checking the boxes next to AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future Encryption Types.

Important: If the account was created in a DC running Windows Server 2003 or older, change the account’s password to ensure that the account is AES-capable. Microsoft advises you to test any new settings that disable DES before applying them in your environments, use safe deployment practices, and prepare a rollback plan. Gradually replace DES with AES, ensuring all domain trusts are updated to support AES. Consider keeping AES and DES enabled during the transition phase if necessary.

Note: For computers running non-Windows operating systems or appliance devices, review the local Kerberos client configurations or contact the respective vendors for guidance.

Stay secure

Removing nonsecure cryptographic algorithms will help you improve your security posture and make your organization less susceptible to Kerberos attacks. We recommend upgrading to Windows Server 2025 and to Windows 11, version 24H2 if you haven’t already. This will help your organization use more secure encryption methods such as AES and ensure that vulnerable ciphers such as DES are disabled. To prepare for removal of DES in Kerberos through the Windows security update in September 2025, please identify any DES usage within your network and disable it through Group Policy.

At Microsoft, we truly believe that security is a team sport. By partnering with original equipment manufacturers (OEMs), app developers, and other partners in the ecosystem, and by helping you better protect your organization, we are continuing to help make Windows more secure by design and more secure by default. The Windows Security Book is available to help you learn more about what makes it easy to stay secure with Windows 11.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters, and follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

PPTP and L2TP deprecation: A new era of secure connectivity

Farhan_Ali — Tue, 08 Oct 2024 16:17:40 GMT

As technology advances, so must our security protocols. As part of our ongoing commitment to provide the highest level of security and performance, we are deprecating the PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) protocols from future Windows Server versions. While these protocols have served us well over the years and will still be available to users, it is time to transition to more secure and efficient alternatives: SSTP and IKEv2.

In this post, let’s walk through deprecation considerations, reasons, and recommendations to ensure you benefit from the best security options.

What deprecation means for PPTP and L2TP?

Deprecation is not removal. Deprecation refers to the stage in the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases. Features and functionalities are added or occasionally removed from new releases of a product. If they’re removed, that’s typically because we’ve added a better option. Deprecated features continue to work and are fully supported until they are officially removed. We’re certain that you already have product lifecycles incorporated into your management strategy. Even so, the deprecation notification can span a few months or years to help you make the necessary transition. After removal, the feature or capability will no longer work.

PPTP and L2TP have been reliable workhorses in the world of VPN technology. However, with the increasing sophistication of cyber threats, these protocols have become less effective in providing the robust security necessary to protect our data. Their vulnerabilities have been well-documented, and they are no longer sufficient to meet the current security standards.

Transitioning to SSTP and IKEv2

To ensure you continue to benefit from the best available security, we recommend transitioning to Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2). These protocols offer enhanced security features, faster connection speeds, and improved reliability.

Benefits of SSTP

Strong encryption: SSTP uses SSL/TLS encryption, providing a secure communication channel.
Firewall traversal: SSTP can easily pass through most firewalls and proxy servers, ensuring seamless connectivity.
Ease of use: With native support in Windows, SSTP is simple to configure and deploy.

Benefits of IKEv2

High security: IKEv2 supports strong encryption algorithms and robust authentication methods.
Mobility and multihoming: IKEv2 is particularly effective for mobile users, maintaining VPN connections during network changes.
Improved performance: With faster establishment of tunnels and lower latency, IKEv2 offers superior performance compared to legacy protocols.

Steps to transition to SSTP and IKEv2

Note that PPTP and L2TP will still remain available if you want to make outgoing VPN connections based on these protocols. This is true for future Servers and Client SKU releases. However, what is being changed is that Windows RRAS Server (VPN Server) will not accept any incoming VPN connections based on these protocols.

As a result, please refer to the detailed set of instructions here for a step-by-step guide on transitioning to SSTP/IKEv2: How to install and configure Remote Access (RAS) as a VPN server.

Conclusion

The deprecation of PPTP and L2TP is a necessary step in maintaining the highest security standards. By transitioning to SSTP and IKEv2, you are ensuring that your network communications remain secure, efficient, and reliable. We are here to support you through this transition. Reach out to our support team if you have any questions or need further assistance.

Now in preview: Hotpatch for Windows Server 2025

Hari_Pulapaka — Fri, 20 Sep 2024 18:48:33 GMT

You asked and we delivered: Standard and Datacenter edition server hotpatching - security updates without reboots - is ready for your evaluation in Windows Server 2025 Azure Arc-enabled Hotpatch public preview. This feature will be a game changer; simpler change control, shorter patch windows, easier orchestration… and you may finally get to see your family on the weekends.

Hotpatches

Hotpatches are OS security updates that don’t require a reboot. It works by patching the in-memory code of running processes without the need to restart the process. This gives you benefits like:

Lower workload impact with fewer reboots. Instead of 12 mandatory reboots a year on “Patch Tuesday”, you’ll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month).
Fewer binaries mean updates download and install faster while consuming fewer disk and CPU resources.
Easier patch orchestration and change control.
Integrated with the optional Azure Update Manager.

Hotpatch has been available for a few years in Windows Server 2022 Datacenter: Azure Edition, this is tried and true technology. The real change is how and where you get those security updates. Hotpatching will be available as an option through the power of Azure Arc. Azure Arc enables management and allows the Windows Server internal licensing service for Hotpatch to run so that Hotpatch updates are delivered to customers.

Trying it out

Thanks to Azure Arc, enabling hotpatches for your Windows Server 2025 Datacenter and Standard edition evaluation machines takes only a few clicks. Simply enroll through the built in Azure Arc agent setup included in Windows Server 2025 evaluation, enable the hotpatch preview, and you’re in business.

Changing the game

Hotpatching has been around for years in Windows Server 2022 Azure Edition, but always required running a VM in Azure or on Azure Stack HCI. When Windows Server 2025 becomes generally available, you will be able to run the edition you want, where you want - whether on-prem, in Azure, or elsewhere. You'll have an option to hotpatch Windows Server 2025 physical servers or virtual machines, and those VMs can run on Hyper-V, VMware, or anywhere else that supports Microsoft’s protection-focused Virtualization Based Security standard.

We think Windows Server 2025 hotpatching will change the game for organizations. Start your evaluation today!

How to preview: Azure Arc-connected Hotpatching for Windows Server 2025

VishalBajaj — Tue, 19 Nov 2024 06:37:15 GMT

As you may recall we had recently announced a public preview of Hotpatching on Windows Server 2025 VMs in Azure. With this latest preview we are moving towards fulfilling a top request by customers who want this capability for their on-premise machines. You will be able to benefit from the reduced reboots of your Windows Server 2025 machines with this optional Hotpatching capability. This capability was earlier limited to Windows Server 2022 Azure Edition VMs in Azure. The preview provides an opportunity for you to try this new capability to see how it will work in the upcoming Windows Server 2025 and provide feedback.

What is Hotpatching?

Hotpatching is a way to install OS security updates on machines without the need of a reboot after installation. It works by patching the in-memory code of running processes without the need to restart the process. We first shipped this feature in Windows Server 2022 Azure Edition.

Better protection, as the Hotpatch update packages are scoped to Windows security updates that install faster without rebooting.
Reduces the time exposed to security risks and change windows, and easier patch orchestration with Azure Update Manager.
Fewer binaries mean updates download and install faster, consume fewer disk and CPU resources.
Lower workload impact with fewer reboots.

What is part of the preview?

With this preview you can connect your Windows Server 2025 Datacenter Evaluation edition machines to Azure Arc and subscribe to Hotpatching. See the steps below.

Connect to Azure Arc your Windows Server 2025 Datacenter Evaluation machines
Subscribe/ unsubscribe Hotpatching service via the Azure Arc portal
Manage deployment of Hotpatch updates natively on Azure via Azure Update Manager.

Getting Started

To get started follow the steps below. For any feedback or questions contact us on hotpatchfeedback@microsoft.com

Create a VM using Windows Server 2025 Datacenter from the Microsoft Evaluation Center

Download the Windows Server 2025 ISO image from the Microsoft Evaluation Center. Note: You may have to fill in a form and provide your email address.
On Hyper-V, or other platform, create a Gen 2 VM and use the option to create the VM using the ISO.
For installation media, point to the ISO downloaded from Evaluation Center.

For detailed steps, see Create a virtual machine in Hyper-V and Create a virtual machine with Hyper-V on Windows 11

If you are using Omnissa as your virtualization platform, on the Select a guest OS page, select Enable Windows Virtualization-Based Security. For more details, click here.

Enable Virtualization-based security (VBS)

Run the command below in an elevated command prompt. You will need to restart after modifying the registry setting.

Reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To check if VBS is running post reboot, open System Information on your machine.You should see this:

If you are using Omnissa and VBS is still not running, follow the steps outlined in this documentation.

Install the July 2024 monthly security update(KB5040435)

Download and install the July 2024 security update or use Azure Update Manager. This is needed for you to observe that September 2024 security update will not require a restart.

Connect the VM to Azure Arc

For step-by-step instructions on how connect your virtual machine to Azure Arc, see Quickstart - Connect hybrid machine with Azure Arc-enabled servers. You will need to run the PowerShell script from the Azure Arc portal on your machine.

Enabling hotpatching

To enable Hotpatching, in the Azure Portal, select Azure Arc from the Azure services tiles, then select Machines.

You will see the Azure Arc connected machine you set up earlier displayed in the list:

Selecting that machine will take you to the server management page. You will see Hotpatch (preview) card towards the bottom.

Select the tile to activate a pop-out that will allow you to select Hotpatching. Tick the box and select Confirm. Behind the scenes the Azure Arc connected server will be configured to receive Hotpatches.

It takes about 10 minutes for the operation to complete. If you refresh the page while the operation is going,the Hotpatch tile will show a status of Pending. After enrollment is complete, the Hotpatch tile will show that the service is Enabled.

Note: If the Status is stuck on Pending, the Azure Arc agent has likely not yet been updated. To update Arc Agent, run the below command in PowerShell on the machine:

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072; Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$env:TEMP\install_windows_azcmagent.ps1"; & "$env:TEMP\install_windows_azcmagent.ps1";

The Azure Arc attached machine is now ready to receive Hotpatches!

Scan and install the September 2024 Hotpatch

After completing the steps above, when you perform a Windows Update Scan, you will be offered a Hotpatch [see image below]. If you notice that you are not offered a Hotpatch, please pause the update and send us the update logs. To get update logs, run this command in PowerShell:

Get-WindowsUpdateLog

When the Hotpatch update for September has successfully completed, without requiring the machine to restart, you will see this in the Windows Update history

You can also use the Server Configuration tool (SConfig) to download and install the Hotpatch update if you are offered other updates that you are not interested in installing.

Scan and install the September 2024 Hotpatch using Azure Update Manager

Using Azure Update Manager, you can identify all machines that are eligible for hotpatch updates, and plan installation of those updates on a schedule. For hotpatch updates being non-intrusive on availability, you can create faster schedules and update your services immediately after release, with less planning to maintain reliability of your machines at scale.

Here’s how to manage hotpatch updates using Azure Update Manager:

Verify that the Hotpatch subscription is available or has already been enabled from the Updates tab of your Arc Server:

Select change next to Hotpatch to cancel or enable the Hotpatch subscription on demand.
Scan and view the September 2024 security update offered to the machine by performing an assessment:
Choose to include the September 2024 security update and when to install it on your
Arc server by creating a user-defined schedule or a one-time update. You can install it immediately after it is available, allowing your machine to get secure faster.
Verify whether the 9B update has been installed and the reboot status of the
machine by viewing history

By following the steps in this post, you have a streamlined way to plan for the installation of Hotpatches on your Arc machines.

Hotpatch preview: frequently asked questions

Are there any prerequisites for subscribing to Hotpatching?
There are some prerequisites:

Windows Server 2025 Datacenter evaluation
Virtualization Based Security should be enabled and running on your machine
July Security update installed
Machines should be Azure Arc connected

Hotpatching is now available in preview on Windows Server 2025 Evaluation VMs in Azure

VishalBajaj — Wed, 31 Jul 2024 16:00:00 GMT

We’re excited to announce the preview of Hotpatch on Windows Server 2025 Evaluation VMs running in Azure. This preview provides the same great experience of Hotpatching as on Windows Server 2022 Azure Edition. Hotpatching in Azure is only supported on Azure Edition SKUs. Evaluation version is made available for you to validate the capability and ensure readiness. When this is made generally available Azure Edition will be the only supported SKU in Azure for Hotpatching.

Get started today by creating a VM in the preview offer.

Hotpatches are monthly Windows OS security updates that update in-memory processes without requiring server reboots. For information on how Hotpatches work, read this. If you’re already familiar with this feature that was first released three years ago, here are the steps to start previewing:

Steps to create a preview VM

Step	Instructions
Create VM using Windows Server 2025 Preview image published to Azure Marketplace	Create VM using the “Windows Server 2025 Preview” image from Microsoft Server Operating Systems Preview - Microsoft Azure Image has Hotpatch enabled by default.
Verify Virtualization Based Security is running	Ensure VBS is running by going to System Info
Hotpatching enablement	Image has Hotpatching enabled by default, unless it was disabled at provision time.

Hotpatch Preview FAQ

Do I have to sign up or fill in a form to participate?

No forms to fill. This is a public preview and open to all Azure IaaS users.

What to expect from the preview?

After you create a VM using the preview image, the VM will be offered upon release August and September security updates. These OS updates will not require your machines to reboot.

What is expected from users participating in this preview?

Report any errors you see and optionally provide feedback by sending us an email.

Will we be able to run this in production?

The VMs created during preview can only be used for testing and validation purposes. Production workloads should not be run on them.

What happens post public preview?

When the capability launches, Hotpatching will no longer be supported on these preview images. At GA Hotpatching will only be supported on Windows Server 2025 Azure Edition SKUs besides the current Windows Server 2022 Azure Edition.

Why does my Hotpatch status show as “Pending Evaluation” or “Unknown”?

After VM creation, the Azure Portal may show “pending evaluation” or “unknown” status for few days. Once an assessment is completed on the VM, the status will update to reflect the Hotpatch update compatibility.

Useful links:

Hotpatch for Windows Server Azure Edition | Microsoft Learn

What’s New in Windows Server v.Next (microsoft.com)

Hotpatching is now available for Windows Server VMs on Azure with Desktop Experience! - Microsoft Community Hub

Windows Server 2025 Secured-core Server

RoySasabe — Tue, 30 Jul 2024 16:00:00 GMT

The server threat landscape is constantly evolving with cybercriminals becoming more ambitious and sophisticated in their attacks, and the damage is becoming more costly to those targeted. In April 2022, the ransomware group Conti carried out two massive ransomware attacks that breached the Costa Rican government and affected nearly 30 different ministries and different essential services within the country. This attack was so disruptive that the President of Costa Rica had to declare a state of National Emergency, the first ever such instance in response to a cyberattack. In different incidents, Shields Health Care Group had a data breach where nearly 2 million patient records were stolen by attackers, and Medibank Private Ltd., one of the largest health insurance providers in Australia had data pertaining to 9.7 million customers stolen. In the latter case, the attackers threatened to release the customer data on the dark web unless a ransom was paid.

Servers are the backbone of modern businesses, and they store and process vast amounts of sensitive data. As a result, server security is critical to protect against cyberattacks that can cause financial losses, reputational damage, and legal liabilities. In 2021, Microsoft announced the launch of Secured-core servers in partnership with our silicon partners and original equipment manufacturers (OEMs). These servers offer some of the most advanced hardware-based security capabilities that make it harder for adversaries to carry out cyberattacks. In this post, we will provide an example of how the upcoming Windows Server 2025 Secured-core servers seamlessly integrate with the broader suite of Microsoft's security offerings to not just identify but also help block real world attacks.

Bring Your Own Vulnerable Drivers (BYOVD) attack technique

There is an entire class of attacks that rely on an attack technique known as "Bring Your Own Vulnerable Driver" (BYOVD). In these attacks, a malicious adversary with administrative privileges installs a legitimately signed driver with a vulnerability in it on the target system. These drivers have direct access to the internals of the operating system. This vulnerability is then exploited to provide the attacker with the highest level of privileges on the system, which is then used to disable security processes running on the system. We'll now take a couple of vulnerable drivers that have been used in attacks in the past.

kprocesshacker.sys

Process Hacker is a free and open-source malware analysis tool that is used for debugging, malware detection and system monitoring. Process Hacker was used by a ransomware known as DoppelPaymer, which had several high-profile targets such as Foxconn, Kia and Boyce Technologies. DoppelPaymer hijacks ProcessHacker to terminate a list of processes such as those responsible for security, e-mail server, backup and database software to impair defenses. It drops the ProcessHacker executable, its driver and a malicious stager DLL into a subdirectory of %APPDATA%. The driver, known as kprocesshacker.sys, allows it to communicate with the kernel and is used to load the stager DLL via DLL Search Order Hijacking and subsequently, upon receiving a trigger, terminate processes running in the kernel.

asWarPot.sys

AvosLocker is a ransomware group that has targeted victims across multiple critical infrastructure sectors in the United States such as financial services and government facilities sectors. Certain samples of the AvosLocker Ransomware used a legitimate but vulnerable Avast Anti-Rootkit driver known as asWarPot.sys to disable endpoint protection agents and security features on the targeted systems.

Secured-core servers and Microsoft Defender for Cloud in action to help protect against modern threats

Configuring your on-premises servers for hybrid cloud security is made simple with Windows Server 2025. Using the Azure Arc installer wizard included in Windows Server 2025, then onboarding with Microsoft Defender for Cloud will add cloud-based protections to Secured-core servers such as continuous assessment, built-in benchmarks, security recommendations, threat protection capabilities and remediation guidance in case threats have been detected. Here we will discuss how each layer of security works to help protect against threats.

Defense against kprocesshacker.sys using Secured-core servers

Secured-core servers offer a hardware-based security feature known as Hypervisor-protected code integrity (HVCI). HVCI uses Virtualization-based Security (VBS) to run kernel mode code integrity inside a secure, isolated environment instead of the main Windows kernel. HVCI contains a code integrity security policy that contains a list of vulnerable drivers that are not allowed to load on the system. As a result, when kprocesshacker.sys tries to load on the system, it is blocked from loading by HVCI, and an analysis of the event logs in the Windows Admin Center shows that the code integrity policy prevented the driver from loading, as this driver was present in the blocklist. This demonstrates how properly configured Secured-core servers can proactively help detect and block threats present on the system.

This can also be viewed in the "Advanced hunting" tab within the Microsoft Defender portal, which allows users to explore up to 30 days of events to locate potential threats.

Defense against asWarPot.sys using Microsoft Defender for Cloud

Microsoft Defender for Cloud constantly keeps monitoring your workloads and clusters for active threats on your servers. When the asWarPot.sys on the system, Defender for Cloud blocks the action from taking place. At the same time, based on the communication preferences set forth by the IT admins, an alert is fired indicating that some suspicious activity was taking place in their environments, and that a threat was detected and blocked.

IT admins can log into the Azure Portal and view the security alerts that fired in their server environment, and drill deeper into the specifics of the malware that tried to execute on their systems.

Security response teams within enterprises might be interested in understanding the exact attack chain associated with the malware to set guardrails to prevent similar attacks in the future. When your servers have been onboarded with Defender for Cloud, a Microsoft Defender for Endpoint agent is also installed. The presence of the Defender for Endpoint agents on these machines allows security response teams to dig deeper into the sequence of events that took place leading up to when the malicious event occurred.

Admins can go the Microsoft Defender portal to view the details associated with the attack, and drill down into exactly what events led to the malicious asWarPot.sys driver attempting to load on the system.

Protect your on-premises workload with Secured-core servers

At the end of the day, your workload is only as secure as the foundation it is built on, and Secured-core servers provide a strong and secure foundation to help protect your on-prem infrastructure. It seamlessly integrates with the broader suite of security offerings such as Defender for Cloud to offer even more powerful capabilities such as threat detection, alerting and remediation capabilities.

Since its launch in 2021, we have observed a consistent rise in the adoption of Secured-core servers. In 2022, we have established Secured-core as a prerequisite for all new Azure Stack HCI, version 22H2 solutions built on Gen 3 or newer server-grade silicon platforms. We are also excited to announce that leading manufacturers such as Dell Technologies, HPE, and Lenovo have committed to supporting Secured-core server across all their products based on Gen 3 or newer server-grade silicon platforms for Windows Server 2022 and Windows Server 2025.

Visit the Windows Server catalog or Azure Stack HCI catalog to find out the latest servers and solutions from the breadth of industry leading partners supporting Secured-core server.

Additional resources

Happening now: Windows Server Summit!

Janine-Patrick — Tue, 26 Mar 2024 14:54:14 GMT

Windows Server Summit sponsored by Intel is happening now -- starting at 8 am Pacific Time today and going through Thursday afternoon. You can check out the schedule directly and join the sessions here. However, if you want to get a post event email with links to some of the presentations and other resources, you'll also want to complete this registration form.

The Future of Windows Server Hyper-V is Bright!

Jeff-Woolsey — Mon, 04 Mar 2024 15:07:54 GMT

Greetings folks!
There have been several recent changes in the virtualization market, so this month, I wanted to take a moment to respond to the flood of questions we are receiving about Hyper-V futures, Windows Server 2025, and more. I surmise this blog will garner questions in the comments section, so I plan to answer those questions in the next blog. Let’s get started beginning with Hyper-V itself.

Hyper-V is Microsoft's hardware virtualization product. It lets you create and run a software version of a computer, called a virtual machine (VM). Each virtual machine acts like a complete computer, running an operating system and programs. When you need computing resources, virtual machines give you more flexibility, help save time and money, and are a more efficient way to use hardware than just running one operating system on physical hardware. This quick description is just the beginning of what Hyper-V delivers…

Hyper-V is a strategic technology at Microsoft.

Please reread that last sentence. When I say strategic technology, I say this because Hyper-V is used throughout Microsoft in:

If you are using Windows Server, you already have Hyper-V. There is no additional charge, it’s built-in, just like it has been for over 15 years. The difference between Hyper-V in Windows Server Standard and Datacenter is the number of Windows Server guest OS instances that are included:

With Windows Server Standard, you are licensed to run two instances of Windows Server guests OS environments.
With Windows Server Datacenter, you are licensed to run unlimited copies of Windows Server guest OS environments.
If you are running Linux as a guest OS, just make sure you are licensed by your distributor, and you can run as many Linux guests as you’d like run on either Windows Server Standard or Datacenter.

In terms of Linux guest OS support, Hyper-V supports Red Hat Enterprise Linux, CentOS, Debian, Oracle Linux, SUSE, and Ubuntu. Linux integration services are included in the Linux kernel and updated for new releases. Hyper-V also supports FreeBSD with FreeBSD Integration Services built into FreeBSD 10.0 and later.

The unlimited use rights of Windows Server Datacenter coupled with the complete package of Hyper-V, Software-defined storage (Storage Spaces Direct) and Software-defined networking (SDN) deliver the best bang for your buck, making it extremely popular. Considering the power and scale of modern compute and storage (Local, SAN, File, Hyperconverged), Windows Server Datacenter is great for virtualization hosts.

Hyper-V is used for more than just virtualization

Hyper-V is used for platform security. Virtualization-based security, or VBS, uses hardware virtualization and the hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Windows uses this isolated environment to host several security solutions, providing them with increased protection from vulnerabilities and preventing the use of malicious exploits which attempt to defeat protections. VBS enforces restrictions to protect vital system and operating system resources, or to protect security assets such as authenticated user credentials.

Hyper-V is used for containers. Hyper-V isolation for containers offers enhanced security and broader compatibility between host and container versions. With Hyper-V isolation, multiple container instances run concurrently on a host; however, each container runs inside of a highly optimized virtual machine and effectively gets its own kernel. The presence of the virtual machine provides hardware-level isolation between each container as well as the container host.

Hyper-V in Azure

Below is a screen shot of a virtual machine in Azure. Take a close look. This single VM supports up to 1,792 Virtual Processors and 29.7 Terabytes of RAM. I apologize that this VM only has 29.7 Terabytes of RAM (we support up to 48 TB of RAM), but those machines are busy running some of the largest workloads on the planet.

Because Hyper-V is used throughout Microsoft and in Azure, you reap the benefits of innovation we deliver in Azure that percolates through the other products. For example, today in Azure we have a wide range of VM offerings from small to gargantuan with a wide range of CPU, memory, networking, storage options and GPUs. Azure VMs with GPUs are available with single or fractional GPUs and designed for compute intensive, graphics intensive and visualization workloads from Virtual Desktops to AI. To enable these VM offerings in Azure with GPUs required changes to Hyper-V. Guess what is coming in Windows Server 2025?

Windows Server 2025 is introducing GPU partitioning (GPU-P) to enable scenarios on-premises or at the edge. You will be able to partition GPUs and assign them to VMs while retaining high availability and live migration. GPU-P is so flexible that you can live migrate VMs with partitioned GPUs between two standalone servers. No cluster required and great for test/dev!

Windows Server 2025 is introducing Workgroup Clusters

Speaking of no cluster required, we are making significant changes to make Hyper-V deployments at the edge easier. One thing we are hearing from you is that due to the power of modern servers, it is easier than ever to deploy small footprints at the edge. Today, you can purchase two and three node clusters that are small enough to fit in the overhead compartment of an airplane. Up to Windows Server 2022, deploying a cluster requires Active Directory. While this is not an issue in the datacenter, this adds complexity at the edge. With Windows Server 2025, we are introducing the ability to deploy “Workgroup Clusters.” Workgroup clusters do not require AD and are a certificate-based solution!

Windows Server 2025 is chock full of innovation, and GPU-P and workgroup clusters are just the beginning. If you would like to learn more about Windows Server 2025 with demos, check out this Ignite Session, “What’s New In Windows Server vNext (2025).”

Windows Server 2025 Insider Preview: Now with Flighting!

If you want to start evaluating Windows Server 2025, there is no better time than right now and we’re making it easier than ever with Windows Server flighting! If you have a recent Windows Server insider build installed, you can now go to Windows Update in Settings, and check for updates. This will provide an update to a newer build, as a Feature update (also known as “in place OS upgrade”). That’s it! The process is easy and has proven well for hundreds of thousands of Windows 10 and Windows 11 insiders over the years.

Windows Server 2025 Hyper-V

As I stated earlier, Hyper-V is a strategic technology at Microsoft used throughout our products. Since the first release of Hyper-V in Windows Server 2008, we never stopped innovating Hyper-V and there are no plans to stop. In the next blog, I will be answering your questions, and we will see where that takes us!

One more thing: Windows Server Engineering Summit 2024

I’m pleased to announce the Windows Server Engineering Summit 2024. This year, we bring you three days of demos, technical sessions, and Q&A, led by Microsoft engineers, guest experts from Intel, and our MVP community. RSVP now to learn:

What’s coming next in Windows Server 2025
Get best practices for security and identity
Tips for cloud migration and hybrid cloud management
Cover new technologies and capabilities
Hybrid cloud with Azure Arc
Security and hardening, (everyone's favorite)
Migration, and much more

We'll also offer live Q&A during all the sessions so watch, learn, and post your questions early and often!

Cheers,

Jeff Woolsey

Microsoft