Windows Server 2025

The document is an introduction to Windows Server 2025, detailing its new features and enhancements aimed at improving performance, security, and hybrid cloud integration. It provides guidance for IT professionals on installation methods, software management with Winget, and the integration of Azure Arc, among other topics. The book also covers critical updates in Active Directory, Hyper-V, and security features, ensuring readers are well-equipped to maximize their server deployments.


Edition 2025

© 2025 4sysops

All rights reserved.

No portion of this book may be reproduced in any form without permission from the publisher,
except as permitted by U.S. copyright law.

Every effort has been made to ensure that the content provided in this book is accurate and
helpful for our readers at publishing time.

However, this is not an exhaustive treatment of the subjects.

No liability is assumed for losses or damages due to the information provided. You are
responsible for your own choices, actions, and results.

About the authors

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and
as a tech consultant. Today he runs the German publication WindowsPro.de.

Markus Elsberger

Markus has been working as a teacher in IT training for more than 17 years. He studied electrical engineering and
information technology at the Technical University of Munich and runs the German-language blog IT-Learner.de.

Surender Kumar

Surender Kumar has over 15 years of experience in server and network administration. His fields of interest are Windows
Servers, Active Directory, PowerShell, Web Servers, Networking, Linux, Virtualization, Docker, and Kubernetes. He loves
writing for his blog

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT
management and system administration.

Table of Contents

Introduction to Windows Server 2025

Download the Windows Server 2025 ISO for Intel (x64) and ARM (ARM64)

Windows Server 2025 upgrade: Feature update versus clean install

Use Winget on Windows Server 2025 to install, update, and uninstall apps

Install Azure Arc on Windows Server 2025

Enable Windows Server 2025 Hotpatching

Windows Server 2025 Routing and Remote Access Services (RRAS)

Windows Server 2025 Network ATC: Automatically configure networks in a cluster using intents

New storage features in Windows Server 2025: NVMe-OF initiator, update for S2D, deduplication for ReFS

Windows Server 2025: New security features for file services (SMB, NTLM)

Windows Server 2025 supports SMB over QUIC in all editions

Change SMB ports in Windows 11 and Server 2025

Enable Credential Guard on Windows Server 2025

OSConfig: Manage security settings in Windows Server 2025 and revert configuration drift

Delegated Managed Service Accounts in Windows Server 2025

Windows Server 2025 Hyper-V: GPU partitioning, deduplication for VHDs, AD-less live migration

Build a Windows Server 2025 S2D cluster lab with Hyper-V and PowerShell

Active Directory in Windows Server 2025: New functional level, updated database, security improvements

Install Windows Server 2025 domain controller, raise AD functional level, enable 32K database

Windows Server 2025 pricing and licensing options

Conclusion

Introduction to Windows Server 2025
By Michael Pietroforte

At the end of the 4sysops article introducing this eBook, you will find a special ChatGPT chatbot that has access to the
entire eBook and additional Server 2025 resources for context. Since 4sysops AI only uses information from reliable
sources, it’s the top choice for exploring Windows Server 2025. If you have questions about the latest changes in Server
2025, you can use 4sysops AI to search in Google or Tavily. Windows Server 2025 AI is available only to logged-in 4sysops
members. The guest chatbot doesn’t have access to the book’s context. Membership is free, and you can register here.

Windows Server 2025 marks a significant leap in Microsoft’s server technology, bringing forward a host of new features
aimed at enhancing performance, security, and hybrid cloud integration. This eBook guides IT professionals, offering a
detailed exploration of the operating system’s advancements and providing practical knowledge for deployment,
management, and optimization.

The journey begins with a detailed look at obtaining the ISO files for Windows Server 2025. Readers will learn about the
expanded support for ARM64 architectures, reflecting Microsoft’s commitment to diverse hardware platforms. This chapter
also touches on new download sources and methodologies, enabling efficient access to the system.

Understanding the differences between a feature update and a clean install is critical to upgrading to Windows Server
2025. The chapter discusses the pros and cons of both approaches and offers insights into the scenarios best suited for
each. With this information, administrators can confidently decide how to transition their existing environments to the latest
server version.

Winget’s integration into Windows Server 2025 revolutionizes software management by enabling streamlined, automated
application deployment and updates directly from the command line. Its support for centralized, secure repositories
reduces the risks associated with manual installations, while its scripting capabilities allow administrators to standardize
software management across multiple servers. By simplifying tasks like bulk updates and silent installations, Winget
enhances operational efficiency and ensures consistency in enterprise environments.

Hybrid cloud management takes center stage with the integration of Azure Arc. This feature empowers administrators to
manage on-premises, multi-cloud, and edge resources from a single, unified platform. By detailing the setup and
capabilities of Azure Arc, this chapter underscores its role in bridging traditional and cloud-native environments.

Minimizing downtime has always been a priority in server management, and Windows Server 2025 addresses this with its
Hotpatching capability. This innovative feature allows critical updates to be applied without rebooting, providing
uninterrupted service and enhanced security. The chapter explores the technical aspects of Hotpatching and demonstrates
its implementation in various scenarios.

Secure remote connectivity receives a substantial upgrade through the Routing and Remote Access Services (RRAS).
Supporting modern VPN protocols like SSTP and IKEv2, this feature ensures encrypted communication and reliable
routing for hybrid workforces. The chapter provides a comprehensive guide to configuring and optimizing RRAS for secure
network access.

Cluster networking is simplified with the introduction of Network ATC (Automatic Traffic Configuration). This automation tool
reduces manual configuration errors by applying Microsoft’s recommended best practices for cluster networks. The chapter
explains how administrators can leverage Network ATC to streamline management across complex environments.

Windows Server 2025 features notable storage enhancements, including full NVMe-OF (Non-Volatile Memory Express
over Fabrics) support and significant Storage Spaces Direct (S2D) updates. Thin provisioning, improved deduplication for
ReFS drives, and automatic repair processes are just a few of the features that boost efficiency and reduce resource
consumption. The chapter delves into these storage innovations, highlighting their impact on virtualized and physical
environments.

File services also receive substantial security upgrades, with the introduction of SMB over QUIC as a default feature in all
editions. This protocol combines enhanced performance with mandatory encryption, enabling secure file access even over
untrusted networks. The chapter examines how these advancements bolster file services’ resilience and protect against
emerging threats.

Credential protection takes a significant step forward with the integration of Credential Guard, which isolates sensitive
information using Virtualization-Based Security (VBS). Credential Guard ensures a more secure operating environment by
preventing credential theft and common attack vectors like Pass-the-Hash. Readers will learn how to enable, verify, and
troubleshoot this essential feature.

OSConfig in Windows Server 2025 streamlines security by detecting and correcting configuration drift, ensuring
compliance with Microsoft’s baselines. Managed via PowerShell, Windows Admin Center, or Azure Policy, it offers flexible
control for standalone and hybrid servers, making secure configurations easier to implement and maintain.

Hyper-V continues to evolve with notable improvements, including GPU partitioning for optimized resource use,
deduplication for virtual hard drives, and the ability to perform live migrations without Active Directory dependencies. The
chapter provides practical insights into leveraging these capabilities for enhanced virtualization performance.

Active Directory undergoes meaningful updates in Windows Server 2025, with a new functional level that improves
database performance and strengthens security. This book explores the enhancements and their implications for domain
management, particularly in high-security environments. It also guides readers through installing domain controllers, raising
functional levels, and managing updated Active Directory databases.

Finally, the book addresses the pricing and licensing options available for Windows Server 2025. This chapter ensures
readers understand the cost structures and can choose the edition that best aligns with their organization’s needs.

This book highlights Windows Server 2025’s new features and capabilities in each chapter, providing readers with the tools
and knowledge to maximize their server deployments. Whether adopting it for hybrid cloud scenarios, security
enhancements, or improved infrastructure management, this guide ensures you’re prepared to unlock its full potential.

Download the Windows Server 2025 ISO for Intel (x64) and ARM (ARM64)
By Michael Pietroforte

Windows Server 2025 is now generally available, and you can download the ISO and VHD files for Intel-based systems.
Since Microsoft hasn’t yet provided an ARM ISO for Windows Server 2025, you can download it from uupdump.net. To test
the GA release, avoid downloading it from the Windows Insider Program page.

Windows Server 2025 introduces new features, particularly in these areas:

Network ATC
Active Directory
Delegated Managed Service Accounts
Security
Storage
SMB over QUIC
Hyper-V

To familiarize yourself with the system, download the ISO or VHD of the Windows Server 2025 evaluation version, which
will function for 180 days.

Download from the Microsoft Evaluation Center


The simplest way, without dealing with Microsoft’s Insider login hassles (see below), is to download Windows Server 2025
from the Microsoft Evaluation Center, as no account is required. The ISOs are currently offered in English, Chinese,
French, German, Italian, Spanish, and even Russian. The VHD is available only in English.

Download Windows Server 2025 from the Microsoft Evaluation Center

Before downloading, be aware that Microsoft will harvest some of your personal data. To avoid this, you can download from
the Windows Insider page. Downloading the Azure and Containers edition also requires being a “Windows Insider.”

Download from the Windows Insider website


The build number of the GA release is 26100.1742. Windows Server uses a versioning system in which the first part of the
build number (e.g., 26100) typically indicates the major version or release iteration. The second part (e.g., .1742) often
represents minor updates, patches, or revisions to that specific build.

As of this writing, the Insider Program page provides Windows Server vNext build 26311, which is not a stable release for
production use.

In theory, to become an “insider,” you only have to sign in with a Microsoft account and then click on Register on the
Windows Insider website.

For this article, I decided to create a new account, and I must admit that I wasn’t smart enough for the task because I failed
miserably.

After entering my account name and password, Microsoft offered me the option to create a passkey. When I clicked Skip
now, the page simply reloaded. Creating a passkey didn’t work either. After scanning the QR code with my iPhone, a
window appeared asking me to save a passkey. However, the webpage reloaded again with an error message. It seems
like “Windows Insiders” might not be intended to work on a Mac. It’s frustrating that Microsoft can’t implement a passkey
feature for Macs, which any service provider supporting passkeys can easily do.

I apologize for bothering you, but I need to express my frustration. If you had better luck registering for a new account for
the Windows Insider Program on a Mac, please share your experience in the comments below.

I eventually signed in with my old Microsoft MVP account, which was still registered as “insider.”

Download Windows Server 2025 from the Windows Insider Program

Aside from having access to the latest build, the benefit of downloading from the Windows Insider page is the availability of
more languages and editions.

Windows Server 2025 is designed for deployment across various environments, including on-premises and cloud
platforms. In contrast, the Azure Edition, based on the Datacenter Edition, is optimized explicitly for Azure and Azure Stack
HCI environments. The Annual Channel for Containers is a specialized edition of Windows Server designed to enhance
containerization capabilities.

Download for ARM (ARM64)


To install Windows Server 2025 on an M-chip Mac using Parallels or VMware Workstation, you’ll need the ARM version of
the Windows Server 2025 ISO.

As of November 4, 2024, Microsoft has not released an ARM64 ISO for Windows Server 2025. Discussions within the
Windows Server Insider community indicate that while there is interest in an ARM64 version, Microsoft has not announced
any plans to release such a version in the near future.

However, you can download an ARM version of Windows Server 2025 on uupdump.net. UUP dump is a community-driven
platform that allows users to download Unified Update Platform (UUP) files directly from Microsoft’s Windows Update
servers. These UUP files can be used to create custom ISO images for various Windows builds, including Insider releases
and stable releases.

It’s important to note that while UUP dump facilitates access to these files, it is not affiliated with Microsoft. Therefore, you
should proceed with caution and remain mindful of the risks.

After downloading the Windows Server 2025 ISO, you can mount the ISO using virtualization tools like Hyper-V, VMware
Workstation, or Parallels Desktop. If you’d prefer to test Windows Server 2025 on a physical machine, you can create
installation media using a tool like BalenaEtcher.

If you’ve tried Windows Server 2025, please share your experience in the comments below.

Windows Server 2025 upgrade: Feature update versus clean install
By Wolfgang Sommergut

Microsoft provides two primary options for migrating to Windows Server 2025: performing a clean install (fresh install, wipe
and load) or a feature update (in-place upgrade). Although the upgrade is quicker and less complicated, it is irreversible
and comes with a risk of failure. Windows Server 2025 adopts the same upgrade strategy as Windows 11, with Microsoft’s
recommended method being an in-place update. Terms like feature update, upgrade, and in-place update are used
interchangeably.

It’s crucial to remember that when managing updates via WSUS, you must select the Upgrade classification to receive
feature updates.

Clean install vs. feature update


Microsoft remains neutral regarding the methods for Windows Server, instead emphasizing the advantages and
disadvantages of each. For instance, a clean OS install is more automation-friendly but requires reinstalling and
configuring applications, libraries, and frameworks.

While a feature update could preserve this work, it carries a higher risk of failure. Microsoft indicates that up to 4% of in-
place updates fail, emphasizing the importance of completing a full backup beforehand.

Microsoft highlights the limitations and potential risks of in-place updates.

Notably, a full system backup is crucial if you need to revert to an earlier version, as Windows Server 2025 does not
support uninstalling feature updates, unlike Windows 11.

Update sources
Users can receive feature updates from familiar sources, including the Setup ISO, Windows Update (for Business), and
WSUS. If you opt for WSUS, ensure you subscribe to Microsoft Server Operating System 24H2 under Products and
Classifications. This follows the same naming convention as Windows Server 2022.

However, at the Windows Server Summit, Windows Server 2025 was listed as an option instead of Microsoft Server
Operating System 24H2. It remains unclear if Microsoft will adjust the naming convention in WSUS.

Updates for Windows Server 2025 will likely be accessible through the Microsoft Server Operating System 24H2 option

Upgrades through Windows Update can be controlled using Group Policy. After an update is approved for a particular
server, it will appear in the Settings app under Windows Update. For Server Core, upgrades can be started using the
sconfig utility.

The Settings app in Windows Update shows the feature update for Windows Server 2025.

A clean install, on the other hand, requires the use of installation media. This process can be automated by executing
setup.exe with an answer file, and a product key might be required depending on the license type.

Upgrade prerequisites
A fresh OS install only requires compatible hardware, but in-place upgrades have limitations based on the current server
version. Microsoft supports in-place upgrades via N-4 media-based feature updates, meaning you can upgrade directly to
Windows Server 2025 from the last four OS versions. The oldest version that is supported for an upgrade is Windows
Server 2012 R2.

Windows Server 2025, unlike Server 2022, supports an upgrade from version 2012 R2

Considering server roles


Microsoft advises choosing the upgrade method that aligns with the specific use case without going into excessive detail. A
critical factor in this decision is the roles and features the server is running.

A best practice is to avoid in-place upgrades on a Domain Controller (DC). Instead, it’s advisable to set up a new DC,
transfer the FSMO roles to it, and then demote the old DC.

Conversely, file servers, web servers, or DHCP servers are ideal candidates for feature updates. A reliable method for
migrating the service to another server exists for DHCP servers.
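The prerequisites and role considerations above can be turned into a pre-upgrade check. The following PowerShell script is an added example and not part of the original chapter; it assumes the build-to-release mapping for the N-4 source versions (2012 R2 = 9600, 2016 = 14393, 2019 = 17763, 2022 = 20348) and flags domain controllers, which the chapter advises against upgrading in place.

```powershell
# Added example (not from the original article): readiness check before an
# in-place upgrade to Windows Server 2025. Rules applied: the source OS must be
# one of the last four releases, domain controllers should be replaced rather
# than upgraded, and a full backup is mandatory because Server 2025 cannot
# uninstall a feature update. The build-number table is an assumption.

function Test-InPlaceUpgradeReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [version]$ver = $os.Version

    # Build numbers of the releases supported as N-4 in-place upgrade sources.
    $supportedSources = @{
        9600  = 'Windows Server 2012 R2'
        14393 = 'Windows Server 2016'
        17763 = 'Windows Server 2019'
        20348 = 'Windows Server 2022'
    }
    $sourceName = $supportedSources[$ver.Build]
    if (-not $sourceName) { $sourceName = 'unsupported' }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDomainController = $cs.DomainRole -in 4, 5

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($sourceName -eq 'unsupported') {
        $findings.Add("Build $($ver.Build) is not a supported in-place upgrade source.")
    }
    if ($ver.Build -eq 26100) {
        $findings.Add('This server already runs Windows Server 2025.')
    }
    if ($isDomainController) {
        $findings.Add('Domain controller: deploy a new DC, transfer FSMO roles, then demote this one.')
    }
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server.
    if ($os.ProductType -eq 1) {
        $findings.Add('This is a client OS, not Windows Server.')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CurrentVersion   = $ver.ToString()
        SourceRelease    = $sourceName
        DomainController = $isDomainController
        Ready            = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

$report = Test-InPlaceUpgradeReadiness
$report | Format-List
if ($report.Ready) {
    Write-Host 'Take a full system backup before starting: feature updates cannot be uninstalled on Server 2025.'
}
```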

Summary
Microsoft provides two options for upgrading to Windows Server 2025: an in-place upgrade or a fresh installation. The in-
place upgrade preserves apps and libraries, speeding up the process. However, Microsoft acknowledges that up to 4
percent of these upgrades may fail.

Feature updates may be obtained from the setup ISO, Windows Update, or WSUS. Clean installs take more time since
applications, libraries, and frameworks need reconfiguration. However, a clean install can be automated and typically
results in more stable systems.

The choice between these methods largely depends on the server’s roles and responsibilities.

Use Winget on Windows Server 2025 to install, update, and uninstall apps
By Markus Elsberger

The Windows Package Manager Winget is now included in Windows Server 2025. In this guide, I will demonstrate how to
use Winget to search for, install, update, and uninstall apps on Windows Server 2025.

What is Winget?
Winget is a tool developed by Microsoft for package management on Windows. It was designed to simplify and automate
software installation and management.

With the new Windows Server 2025, this package manager is now pre-installed. Winget lets you download, install, update,
or uninstall programs from a central repository database. If you are familiar with Linux, this should be familiar since most
Linux distributions include a package manager.

Using Winget, you can quickly and easily install programs as all required installation files can be fetched and processed
directly from the command line. Additionally, Winget allows you to control installations through custom parameters and
scripts, which is particularly useful for automating tasks.

Prerequisites
Winget is already pre-installed on the new Windows Server 2025. All you need to do is open a terminal with administrative
rights. For software installation, you naturally need an active internet connection.

To install Winget on an older server, such as Server 2022, you can download the winget-cli from GitHub.

Checking if Winget is installed


To check if Winget is already available on your system, open PowerShell or Command Prompt and enter the following
command.

winget --version

Displaying the Winget version

Install apps
After Winget is installed, you can search for and install programs. Entering winget will show you all possible commands
and parameters.

Displaying Winget help

Searching for apps


To check if a specific app is available, you can use the search parameter of winget, followed by the name of the desired
program.

For example, you can search for the program vscode, known as Visual Studio Code, with this command:

winget search vscode

Winget then displays a list of programs containing the search term vscode. The list also includes the ID and name you can
use for installation.

Searching apps with Winget

Installing an app
To install a program, you need the ID of the program that appears in the search list. Once you find the ID, you can install
the program. For instance, you can install Visual Studio Code with this command:

winget install --id Microsoft.VisualStudioCode

Winget will begin downloading and installing the software.

Installing VS Code with Winget

Installation without user interaction


To automate installation with winget, you can use the --silent parameter, appended to the above installation command:

winget install --id Microsoft.VisualStudioCode --silent

Updating installed apps


With Winget, you can also update programs. To see which apps can be updated, enter this command:

winget upgrade

Updating apps with Winget

Use this command to update an individual program:

winget upgrade --id Microsoft.WindowsTerminal

To update all installed apps, this is the command you need:

winget upgrade --all

Uninstalling programs
Similar to installation, you can uninstall programs with Winget:

winget uninstall --id Microsoft.VisualStudioCode
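The search, install, and upgrade commands above can be combined into a baseline script that standardizes a set of packages across servers without prompts. This PowerShell script is an added example, not from the original chapter; the package IDs in the baseline are assumed placeholders, and the script pins the official winget source and exact ID matching so a fuzzy search cannot pull in a differently named package.

```powershell
# Added example (not from the original article): install a baseline set of
# apps silently from the official 'winget' source and then apply pending
# updates. The package IDs are assumed examples; replace them with your own.
$Baseline = @(
    'Microsoft.VisualStudioCode',
    'Microsoft.WindowsTerminal'
)

function Test-WingetPackage {
    param([Parameter(Mandatory)][string]$Id)
    # 'winget list' prints the package row only when it is installed; the
    # exact ID is searched in the output rather than relying on the exit code.
    $out = winget list --id $Id --exact --accept-source-agreements 2>$null
    return [bool]($out | Select-String -SimpleMatch $Id)
}

foreach ($id in $Baseline) {
    if (Test-WingetPackage -Id $id) {
        Write-Host "[skip]    $id is already installed"
        continue
    }
    Write-Host "[install] $id"
    # --exact and --source winget prevent a partial match from installing an
    # unrelated package; the agreement switches make the run non-interactive.
    winget install --id $id --exact --source winget --silent `
        --accept-package-agreements --accept-source-agreements
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "winget install $id failed with exit code $LASTEXITCODE"
    }
}

# List pending updates for the log, then apply all of them silently.
winget upgrade --accept-source-agreements
winget upgrade --all --silent --accept-package-agreements --accept-source-agreements
```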

Benefits of using Winget


1. Time Savings: Install, update, or uninstall apps in seconds.
2. Automation: Integrate Winget into scripts and automation processes.
3. Centralized Management: Install all packages from a secure and verified source.
4. Easy Updates: Update all installed programs with a single command.

Conclusion
Winget on Windows Server 2025 is a powerful tool that makes software management more efficient. Utilizing concise
installation and flexible program management through the command line saves time and enables the automation of
installation and maintenance processes.

Install Azure Arc on Windows Server 2025
By Markus Elsberger

Azure Arc is a management platform that enables centralized control of on-premises, multi-cloud, and edge resources
through the Azure Portal. In Windows Server 2025, features such as Hotpatching—which allows for applying security
updates without requiring a system reboot—require integration with Azure Arc. To install Azure Arc on Windows Server
2025, use a PowerShell script or launch the Azure Arc setup wizard on your server.

What is Azure Arc?


Azure Arc is a management platform that allows you to centrally manage servers, Kubernetes clusters, databases, and
other resources through the Azure Portal, whether on-premises, in the cloud, or with different providers.

Think of Azure Arc as a bridge: it brings Azure services to your local resources while enabling you to control everything
from a single location.

Azure Arc and Windows Server


When paired with Azure Arc, Windows Server offers several features:

Seamless integration: Windows servers can now be integrated into Azure Arc more easily. An improved user interface
and optimized tools make the process intuitive.

Automated updates: With Azure Arc, you can centrally manage updates for your Windows servers—even across multiple
locations simultaneously.

Enhanced security features: Security policies can be centrally defined and applied to your Windows Server. This
simplifies compliance and minimizes threats.

Hybrid capabilities: The server supports new hybrid features, such as direct use of Azure Backup and Azure security
functions.

Requirements for Azure Arc


To use Azure Arc with Windows Server, the following requirements must be met:

An Azure subscription
The Azure Arc agent must be installed on Windows Server
Network access to the internet or a connection to Azure via a proxy

Install the Azure Arc agent


You must install the Azure Arc agent to connect your Windows Server to Azure Arc. You can either create an Azure
installation script or use the Azure Arc setup wizard available on Windows Server.

Option 1: Create an Azure script


If your server is not yet connected to Azure Arc, follow these steps:

In the Azure Portal, navigate to Azure Arc > Machines.

Click Add a machine.

Adding machines to Azure Arc

Under Add a single server, open the Generate script.

Generating the setup script

Enter your data: subscription, resource group, region, operating system, connectivity method.

Finally, click Download and run the script.

Download setup script

Open a PowerShell console on your server and run the script.

After running the script, your server will be registered with Azure Arc. You can verify that your Windows Server is now
connected with the Azure Arc icon in the taskbar and the Azure Portal.

Viewing the Azure Arc connection in Server Manager

Option 2: Azure Arc setup

To initiate Azure Arc Setup on Windows Server 2025, click the Azure Arc system tray icon and select Launch Azure Arc
Setup, or access it via the Server Manager under the Azure Arc Management section. This launches a wizard that
guides you through the installation. In the wizard, you must provide your data (subscription, resource group, region,
operating system, connectivity).

Managing Windows Server 2025 via Azure Arc

After connecting your server to Azure Arc, you can manage Windows Server 2025 directly in the Azure Portal. You will have
access to features such as:

Monitoring: Keep track of your server’s status.

Update management: Centrally install updates.

Security policies: Implement compliance standards, such as Azure Policy.

The portal also provides an overview of the current actions needed for the server.

Conclusion
Azure Arc streamlines Windows Server management, enhancing control over hybrid environments and enabling Azure
services. This integration allows on-premises or multi-cloud Windows Servers to utilize Azure services such as Azure
Policy, Azure Monitor, and Azure Security Center. For more information, visit the Azure Arc Portal.

Enable Windows Server 2025 Hotpatching
By Markus Elsberger

Hotpatching in Windows Server 2025 allows admins to apply critical updates without restarting the system. Hotpatching is
available in the Standard and Datacenter editions of Windows Server 2025. It can be used in on-premises environments,
the Azure cloud, or virtual servers with VMware or Hyper-V, provided that Virtualization-Based Security (VBS) is supported.

What is Hotpatching?
Hotpatching updates the in-memory code of running processes, enabling the application of security updates without
requiring a restart. Unlike traditional updates, which necessitate restarts because files cannot be replaced while in use,
Hotpatching allows system updates while avoiding restarts.

Notification from Windows Update indicating that Hotpatching has been applied

Windows Server 2025 Hotpatching only updates security-relevant components. Hotpatch update packages are smaller,
reducing installation times and conserving CPU and storage resources.

Hotpatching offers these advantages:

Minimal downtime: Servers remain operational as no restarts are necessary.

Improved security: Security updates can be applied immediately without waiting for maintenance windows.

Reduced planning time: It simplifies the planning and execution of maintenance tasks.

Hotpatching requirements
The Hotpatching feature is dependent on the following requirements:

Supported editions: Standard or Datacenter editions of Windows Server 2025

Stable internet connection: Essential for accessing Microsoft update servers

Azure Arc integration: Connection to Azure Arc to manage Hotpatch updates

Virtualization-Based Security (VBS): System support for VBS

VBS uses hardware virtualization to create an isolated environment that protects critical system processes and sensitive
data from unauthorized access or malware.

Enable Hotpatching on Windows Server 2025


Connect to Azure Arc

If your server is not yet connected to Azure Arc, follow these steps:

1. Open Azure Portal: Log in to the Azure portal.
2. Add Azure Arc for Servers: Navigate to Azure Arc > Servers > + Add.
3. Download the installation script: Download the script to connect the server to Azure. Alternatively, use the setup
assistant in Windows Server 2025 to connect directly.
4. Run the script: Execute the script on your server to register it with Azure Arc.
5. Test the connection: Verify that your server is visible in the portal under Azure Arc.

Connecting to Azure Arc

Enable Hotpatching

Configure Azure Update Manager

1. Navigate to Overview
2. Select your server

Enable Hotpatching (Preview)

1. Ensure your server has the necessary license.
2. Save the configuration.

Enabling Hotpatching in Azure Arc

Troubleshoot Hotpatching activation


Possible issues include the server not being connected to Azure Arc or VBS not being active. In the first case, ensure an
active internet connection and that your Azure account credentials are available.

VBS is supposed to be enabled by default on Windows Server 2025, but this might not always be the case. You can use
the systeminfo command to verify if VBS is active.

Verifying that VBS is enabled for Hotpatching in Windows Server 2025

If VBS is not active, you can turn it on with this Group Policy setting:

Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security
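Instead of scanning systeminfo output, the VBS state can be read from the Win32_DeviceGuard CIM class. The following PowerShell script is an added example, not part of the original chapter; it reports whether VBS is running and, if not, writes the registry values that the Group Policy setting above sets, which is the assumed route for a standalone server that is not managed by Group Policy.

```powershell
# Added example (not from the original article): check whether VBS is running
# before enabling Hotpatching, and enable it locally if it is not. The
# registry values mirror the "Turn On Virtualization Based Security" policy;
# a restart is required before the change takes effect.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
    # running, 2 = running.
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    # AvailableSecurityProperties: 2 = Secure Boot is available on this platform.
    [pscustomobject]@{
        VbsStatus          = $vbs
        CredentialGuard    = [bool]($dg.SecurityServicesRunning -contains 1)
        MemoryIntegrity    = [bool]($dg.SecurityServicesRunning -contains 2)
        SecureBootAvailable = [bool]($dg.AvailableSecurityProperties -contains 2)
    }
}

function Enable-VbsLocal {
    # Same values the Group Policy setting writes, applied directly to the
    # DeviceGuard key for servers that do not receive the policy.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection
    Set-ItemProperty -Path $key -Name RequirePlatformSecurityFeatures -Type DWord -Value 1
    Write-Host 'VBS enabled in the registry; restart the server to activate it.'
}

$status = Get-VbsStatus
$status | Format-List
if ($status.VbsStatus -ne 'Running') {
    Write-Warning 'VBS is not running; Hotpatching cannot be enabled on this server yet.'
    Enable-VbsLocal
}
```

Run the check again after the restart; Hotpatching can only be enabled once VbsStatus reports Running.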

Enabling Virtualization-Based Security (VBS) with Group Policy

Verify Hotpatch updates


In Windows Update, you can confirm that Hotpatching is working:

Settings > Windows Update > Update History

Look for updates labeled Hotpatch.

Locating hotpatches in Windows Update
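As an added example (not code from the original article), the following script checks the Hotpatch prerequisites and the troubleshooting points listed above on the local server and then lists installed hotpatches from the update history. It assumes the Azure Connected Machine agent runs as the himds service and that azcmagent show prints an "Agent Status" line; the regular expressions and the update-endpoint check are constructed for this example.

```powershell
# Added example (not from the original article): pre-flight check for the Hotpatch
# prerequisites, run locally on a Windows Server 2025 host.
# Assumptions: the Azure Connected Machine agent installs the 'himds' service and puts
# azcmagent.exe on the PATH; VBS state is read from the DeviceGuard WMI class.

function Test-HotpatchPrerequisites {
    [CmdletBinding()]
    param()

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $result = [ordered]@{}

    # 1. Edition: Hotpatching requires Standard or Datacenter of Windows Server 2025.
    $result.Edition   = $os.Caption
    $result.EditionOk = ($os.Caption -match 'Windows Server 2025 (Standard|Datacenter)')

    # 2. Virtualization-Based Security: 2 = running, 1 = enabled but not running, 0 = off.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $result.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        2       { 'Running' }
        1       { 'Enabled, not running' }
        default { 'Not enabled' }
    }
    $result.VbsOk = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # 3. Azure Arc: the Connected Machine agent runs as the 'himds' service.
    $himds = Get-Service -Name himds -ErrorAction SilentlyContinue
    $result.ArcAgentRunning = ($null -ne $himds -and $himds.Status -eq 'Running')
    if (Get-Command azcmagent.exe -ErrorAction SilentlyContinue) {
        # 'azcmagent show' prints the agent state; the pattern below is an assumption about its output.
        $show = & azcmagent.exe show 2>$null
        $result.ArcConnected = [bool]($show | Where-Object { $_ -match 'Agent Status\s*:\s*Connected' })
    } else {
        $result.ArcConnected = $false
    }

    # 4. Internet reachability to Microsoft Update over HTTPS (constructed check).
    $result.UpdateEndpointReachable = Test-NetConnection -ComputerName 'windowsupdate.microsoft.com' `
        -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]$result
}

function Get-InstalledHotpatches {
    # Hotpatches appear in the update history like any other update; the UI labels them "Hotpatch".
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -match 'Hotpatch' } |
        Select-Object Date, Title, ResultCode
}

$check = Test-HotpatchPrerequisites
$check | Format-List
if (-not $check.VbsOk) {
    Write-Warning ('VBS is not running. Enable it via Group Policy: Computer Configuration > ' +
        'Administrative Templates > System > Device Guard > Turn On Virtualization Based Security, then reboot.')
}
Get-InstalledHotpatches | Format-Table -AutoSize
```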

Hotpatch update strategy


At the beginning of each calendar quarter—January, April, July, and October—your servers receive a comprehensive
monthly security update. This standard update includes the latest security fixes, new features, and enhancements and is
completed with a restart.

In the following two months, so-called Hotpatch updates are provided. These contain only security updates, which can be
installed without a restart, ensuring your servers remain protected.

At the start of the next quarter, the cycle begins anew.

With this optimized update strategy, the required restarts are decreased from twelve to four annually, complemented by
eight scheduled Hotpatch updates yearly.

Conclusion
Hotpatching in Windows Server 2025 streamlines the update process, making it faster, safer, and more user-friendly. This
means reduced maintenance effort and enhanced security for administrators and IT professionals. In critical environments
where downtime leads to considerable disruptions, Hotpatching offers substantial improvement.

Windows Server 2025 Routing and Remote Access Services (RRAS)
By Markus Elsberger

Routing and Remote Access Service (RRAS) provides secure remote connectivity and network management on Windows
Server. With support for modern VPN protocols like SSTP and IKEv2, RRAS ensures encrypted connections, reliable
routing, and seamless access to internal resources, making it ideal for hybrid and remote work environments. This guide
covers the latest updates in Windows Server 2025, including changes to VPN protocol support and step-by-step
instructions for configuration and optimization.

What is Routing and Remote Access Services (RRAS)?


Routing and Remote Access Service (RRAS) is a feature in Microsoft Windows Server that allows organizations to set up secure
remote access to their networks. This feature enables users to connect to the organization’s network from remote locations
through the internet or private networks. RRAS offers various services, including:

Virtual Private Network (VPN): Supports secure encrypted remote connections through protocols such as SSTP,
IKEv2, and the older L2TP.
Routing Services: Functions as a router to relay data across network segments.
Dial-Up Networking: Enables remote connections via telephone lines.
Network Address Translation (NAT): Allows private IP addresses to connect to the internet through a shared
public IP.
Firewall and IP Filtering: Provides fundamental security measures for network traffic.

RRAS is widely used for hybrid work settings, allowing employees to securely access internal resources. It can be
configured using Windows Server Manager or PowerShell.

Changes in Windows Server 2025


New installations of Routing and Remote Access Services (RRAS) on Windows Server 2025 no longer accept VPN
connections via PPTP and L2TP protocols by default. Nevertheless, you can enable these protocols if required.
Connections using SSTP and IKEv2 remain unaffected and function as before.

Remote Access VPN Port PPTP, L2TP on Server 2022

Current settings keep their original functionality. For example, if you’re operating Windows Server 2022 with PPTP and
L2TP connections activated and you carry out an in-place upgrade to Windows Server 2025, those connections will still
function as before. This update does not affect Windows client operating systems.

Remote Access VPN Port PPTP, L2TP on Server 2025

Enable VPN on Windows Server 2025
Prerequisites
To configure the Routing and Remote Access protocols, make sure you have these prerequisites:

Windows Server 2025 with the DirectAccess and VPN (RAS) role service installed and configured.
Membership in the Administrators group or similar permissions. For RAS servers connected to the domain, an
account with administrative rights on the server is required.

About the VPN protocols

Routing and Remote Access Services (RRAS) enables remote users and site-to-site links via virtual private networks
(VPN) or dial-up connections.

RRAS supports various VPN protocols such as PPTP, L2TP, SSTP, and IKEv2. In the past, authorized clients could
connect using any enabled protocol. However, with Windows Server 2025, there’s a significant change: new RRAS
installations will not accept PPTP and L2TP connections by default.

This modification applies solely to new installations. Upgrading from Windows Server 2022 to 2025 will not disrupt existing
PPTP and L2TP configurations. This alteration does not affect Windows client operating systems. While IKEv2 is an option,
you may also opt for SSTP. However, I recommend against using L2TP or PPTP due to their insufficient security features.

Install VPN on Windows Server 2025

Install RRAS

1. Open Server Manager > Click Add Roles and Features.
2. Select Remote Access > Choose Routing and Remote Access Services (RRAS).
3. Complete the installation and restart if required.

Install Remote Access

Installing DirectAccess and VPN (RAS)

Configure RRAS

1. Open RRAS Management Console (rrasmgmt.msc).
2. Right-click the server name > Select Configure and Enable Routing and Remote Access.
3. Choose VPN Access and NAT or just VPN Access.
4. Follow the wizard to specify network interfaces and address assignments.

Enable Remote Access (Dialup VPN)

Configure VPN Protocols

1. SSTP and IKEv2 are supported on Windows Server 2025.
2. Make sure that the firewall allows access to ports such as 443 for SSTP and 500/4500 for IKEv2.

Enable user VPN Access

1. Open Active Directory Users and Computers.
2. Edit user properties > Go to the Dial-In tab > Select Allow access under Network Access Permission.

Test the connection

1. On a client device, set up a VPN connection by using the public IP address or domain name of the server.
2. Select the VPN type (e.g., SSTP, IKEv2) along with your credentials.
3. Connect and verify access to the internal network.

Tip: Always ensure strong authentication for the VPN and regularly monitor its usage.
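The installation, protocol, firewall and user-access steps above, scripted end to end as an added example (not code from the original article): only SSTP and IKEv2 are offered, authentication is restricted to EAP, and the legacy PPTP/L2TP ports are set to zero so that a server upgraded from 2022 behaves like a fresh 2025 install. It assumes an elevated session on a domain-joined Windows Server 2025 with the ActiveDirectory module, a placeholder certificate thumbprint and sample user, and that the Get-/Set-VpnServerConfiguration port properties are named as shown.

```powershell
# Added example (not from the original article): script the RRAS VPN setup so that only
# SSTP and IKEv2 are offered, with EAP-only authentication and matching firewall rules.
# Assumptions: elevated, domain-joined Windows Server 2025; ActiveDirectory module present;
# thumbprint and user name are placeholders; *VpnServerConfiguration port property names assumed.

$SstpCertThumbprint = '<thumbprint-of-server-authentication-certificate>'   # placeholder
$VpnUserSam         = 'jdoe'                                                 # constructed sample user

# 1. Install RRAS (Server Manager: Remote Access > DirectAccess and VPN (RAS)).
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null

# 2. Enable plain VPN access; clients get addresses from DHCP unless a static pool is set later.
if ((Get-RemoteAccess).VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn -PassThru | Out-Null
}

# 3. Bind the SSTP listener to the server certificate (must chain to a CA the clients trust).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $SstpCertThumbprint
if (-not $cert) { throw "Certificate $SstpCertThumbprint not found in Cert:\LocalMachine\My" }
Set-RemoteAccess -SslCertificate $cert

# 4. Strong authentication: accept EAP only, which rules out PAP/CHAP/MS-CHAPv2 password exchanges.
Set-VpnAuthProtocol -UserAuthProtocolAccepted 'EAP' -PassThru | Out-Null

# 5. Keep the legacy tunnels off even on a server upgraded from 2022, where PPTP/L2TP survive
#    the in-place upgrade (GRE ports carry PPTP, L2TP ports carry L2TP).
Set-VpnServerConfiguration -GrePorts 0 -L2tpPorts 0 -PassThru | Out-Null

# 6. Firewall: SSTP uses TCP 443; IKEv2 uses UDP 500 and UDP 4500 (IPsec NAT traversal).
$rules = @(
    @{ DisplayName = 'RRAS SSTP (TCP 443)';   Protocol = 'TCP'; LocalPort = 443  }
    @{ DisplayName = 'RRAS IKEv2 (UDP 500)';  Protocol = 'UDP'; LocalPort = 500  }
    @{ DisplayName = 'RRAS IKEv2 (UDP 4500)'; Protocol = 'UDP'; LocalPort = 4500 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @r -Direction Inbound -Action Allow -Profile Any | Out-Null
    }
}

# 7. Grant dial-in permission (ADUC > user > Dial-In tab > Allow access).
Set-ADUser -Identity $VpnUserSam -Replace @{ msNPAllowDialin = $true }

# 8. Verification: role state, bound certificate, accepted auth protocols and offered tunnel ports.
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted
Get-VpnServerConfiguration | Select-Object SstpPorts, Ikev2Ports, L2tpPorts, GrePorts
```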

Conclusion
Windows Server 2025 improves VPN functionality by enhancing security and performance. It supports modern protocols
such as SSTP and IKEv2, while phasing out outdated ones like PPTP. With features including encryption, user access
control, and easy integration with Active Directory, it offers a strong solution for secure remote access. By utilizing these
features, organizations can guarantee reliable connectivity for remote users, addressing the needs of hybrid and remote
work settings. Effective configuration and management are crucial for optimizing security and efficiency.

Windows Server 2025 Network ATC: Automatically configure networks in a
cluster using intents
By Wolfgang Sommergut

Setting up management, compute, and storage networks in a Windows cluster can be challenging and error-prone.
Network ATC automates this process. Available in Azure Stack HCI since version 21H2, it is now integrated into Windows
Server 2025.

Windows clusters have fairly strict networking requirements. The nodes should be mostly identical servers, ideally using
the same network adapters for each traffic type.

NICs on each server should be consistently named for optimal administration, ensuring storage connection adapters share
the same designation across all servers. This consistency streamlines management.

Common tasks when setting up networks


When multiple traffic types use the same adapters, assigning distinct VLANs for each is typical. QoS settings can then be
applied to limit the maximum bandwidth for each VLAN.

Conversely, when multiple adapters are available for specific traffic types, you can combine them using NIC teaming or
Switch-Embedded Teaming (SET). This allows multiple traffic types to flow over a single NIC team, with QoS handling their
respective bandwidth allocations.

Configuring networking in a cluster usually involves creating multiple virtual switches and assigning them to the physical
NICs.

Microsoft’s (incomplete) checklist for network configuration in a Windows cluster

It’s evident that the effort needed for these tasks increases as the number of cluster nodes grows.

This extends to maintenance and detecting deviations from the original configuration. Network ATC handles this by
rectifying manual alterations to individual node networks.

Automation using Network ATC


Network ATC aims to free administrators from manually configuring cluster networks. It automatically implements
Microsoft’s recommended best practices while allowing specific settings to be customized through overrides when
necessary.

For reference on Microsoft’s recommended settings, the default values for storage VLANs are available in the
documentation.

Install Network ATC


Network ATC, available in Windows Server 2025, can be installed through Server Manager or PowerShell, similar to other
features.

Installing Network ATC via the Server Manager wizard

Alternatively, you can install it using PowerShell with the following command:

Install-WindowsFeature -Name NetworkATC -IncludeManagementTools

Both Windows Admin Center (WAC), which provides a dedicated extension, and PowerShell can be used to manage
Network ATC. Since PowerShell allows relatively straightforward management, the notoriously slow WAC, often plagued by
remote management issues, doesn’t offer a significant advantage in this case.

Preparations
Ensure that NICs with the same function across all nodes are assigned identical names before proceeding.

Furthermore, ensure that each adapter displays an Up status. You can check this using PowerShell by executing the
following command on one of the cluster nodes:

Get-NetAdapter -CimSession (Get-ClusterNode).Name

Displaying NIC names and status in the cluster with PowerShell

Configuration using intents


Network configuration is controlled through intents, specifying the desired purpose for each network. Each physical NIC
can be assigned to only one intent.

To display existing intents, use this command:

Get-NetIntent | select IntentName, IntentType, NetAdapterNameCsv

At first, the list will be empty, enabling you to define your intents. You can create new ones using the Add-NetIntent cmdlet.
For instance, to set up the management network, execute the following command on one of the cluster nodes:

Add-NetIntent -Name Mgmt -Management -AdapterName NIC1

Configuring the management network using PowerShell

In this simple example, the NIC1 adapter would be configured for cluster management on all nodes. The process may take
a while, and you can track its progress with the following command:

Get-NetIntentStatus -Name Mgmt

You can also assign two NICs for this task, and Network ATC will automatically set up NIC teaming.

Add-NetIntent -Name Mgmt -Management -AdapterName NIC1, NIC2

An alternative converged configuration might integrate both management and compute traffic across two NICs:

Add-NetIntent -Name CompMgmt -Management -Compute -AdapterName NIC1, NIC2

If sufficient network adapters are available for optimal performance, you can assign a dedicated NIC or NIC team to each
traffic type.

A storage intent automatically assigns IP addresses to the designated adapters and ensures they are not already in use on
the network. Below is a straightforward example of creating a storage intent:

Add-NetIntent -Name Storage -Storage -AdapterName NIC2

Customize intent with override


In a lab environment where cluster nodes run on VMs, attempting to create a storage intent may fail with the error
RdmaNotOperational. This occurs because virtual NICs lack RDMA support.

The Storage Intent will fail if the NICs lack RDMA support, as RDMA is required by default

You can bypass this requirement by using an override. It would look like this:

$override = New-NetIntentAdapterPropertyOverrides
$override.NetworkDirect = 0
Add-NetIntent -Name Storage -Storage -AdapterName NIC2 -AdapterPropertyOverrides $override

Adding a storage intent on an adapter or enabling RDMA support

In addition to adapter property overrides, the PowerShell module provides several cmdlets for customizing other settings,
such as for switches or storage. You can list these cmdlets with the following command:

Get-Command -Noun NetIntent*Over* -Module NetworkATC

Invoking these cmdlets displays a list of modifiable properties. For example, the New-NetIntentSiteOverrides cmdlet lets
you configure VLANs for storage and management networks.

Cmdlets for defining overrides

To limit the bandwidth for SMB traffic to 25 percent, you would configure an override like this:

$QosOverride = New-NetIntentQosPolicyOverrides
$QosOverride.BandwidthPercentage_SMB = 25

If the intent has already been created without the override, you can apply the override later using the following command:

Set-NetIntent -Name ComputeStorage -QosPolicyOverrides $QosOverride
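The preparation check, the intent definitions and the overrides from the sections above, combined into one script as an added example (not code from the original article or from Microsoft). NIC names, the 25 percent SMB share and the lab-VM RDMA override are constructed; it also assumes that Get-NetIntentStatus reports "Success" in ConfigurationStatus once a node is provisioned and "Failed" on error.

```powershell
# Added example (not from the original article): pre-flight NIC check, a converged
# management/compute intent and a storage intent with overrides, run on one cluster node.
# Assumptions: NIC1..NIC4 names, the QoS and RDMA overrides, and the ConfigurationStatus
# values 'Success'/'Failed' are constructed/assumed for this example.

# 1. Every node must expose the same adapter names, all in status Up.
function Test-ClusterNicConsistency {
    param([string[]]$AdapterName)
    $nodes    = (Get-ClusterNode).Name
    $adapters = Get-NetAdapter -CimSession $nodes
    $ok = $true
    foreach ($name in $AdapterName) {
        $found   = $adapters | Where-Object Name -eq $name
        $missing = $nodes | Where-Object { $_ -notin $found.PSComputerName }
        $down    = $found | Where-Object Status -ne 'Up'
        if ($missing) { Write-Warning "$name missing on: $($missing -join ', ')"; $ok = $false }
        if ($down)    { Write-Warning "$name not Up on: $($down.PSComputerName -join ', ')"; $ok = $false }
    }
    return $ok
}

# 2. Poll until Network ATC reports the intent as provisioned on every node.
function Wait-NetIntent {
    param([string]$Name, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Get-NetIntentStatus -Name $Name
        if ($status -and -not ($status | Where-Object ConfigurationStatus -ne 'Success')) { return $status }
        if ($status | Where-Object ConfigurationStatus -eq 'Failed') {
            throw "Intent $Name failed:`n$($status | Out-String)"
        }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Intent $Name not provisioned within $TimeoutMinutes minutes"
}

if (-not (Test-ClusterNicConsistency -AdapterName 'NIC1', 'NIC2', 'NIC3', 'NIC4')) {
    throw 'Fix adapter naming/status on all nodes before creating intents.'
}

# 3. Converged management + compute on a SET team of NIC1/NIC2, SMB bandwidth capped at 25 %.
$qos = New-NetIntentQosPolicyOverrides
$qos.BandwidthPercentage_SMB = 25
Add-NetIntent -Name CompMgmt -Management -Compute -AdapterName NIC1, NIC2 -QosPolicyOverrides $qos
Wait-NetIntent -Name CompMgmt | Format-Table Host, ConfigurationStatus

# 4. Dedicated storage intent on NIC3/NIC4. In a lab on VMs the adapters have no RDMA, so
#    NetworkDirect is switched off via an adapter property override (production: leave RDMA on).
$adapterOverride = New-NetIntentAdapterPropertyOverrides
$adapterOverride.NetworkDirect = 0
Add-NetIntent -Name Storage -Storage -AdapterName NIC3, NIC4 -AdapterPropertyOverrides $adapterOverride
Wait-NetIntent -Name Storage | Format-Table Host, ConfigurationStatus

# 5. Review: every physical NIC belongs to exactly one intent.
Get-NetIntent | Select-Object IntentName, IntentType, NetAdapterNameCsv
```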

Remove intents
Modifying existing intents is limited to applying overrides. Other changes require removing the intent and creating a new
one.

The Remove-NetIntent cmdlet is used for this task. However, it only deletes the intent and does not revert the network
configuration changes it applies. As a result, you must manually clean up associated settings, such as switches or NetQoS
configurations.

Summary
Windows Server 2025 introduces Network ATC, a feature first seen in Azure Stack HCI, which significantly streamlines and
accelerates network configuration in clusters. It also tracks manual setting changes and automatically restores them to
maintain consistency.

Network ATC operates on the concept of intents—predefined configurations for managing storage, compute, and network
resources. These intents align with Microsoft’s best practices and automate tasks like NIC teaming and vSwitch setup.

You can use overrides to apply custom configurations that are different from the ATC defaults. Microsoft offers two main
tools for managing Network ATC: Windows Admin Center (WAC) and PowerShell.

New storage features in Windows Server 2025: NVMe-OF initiator, update for
S2D, deduplication for ReFS
By Wolfgang Sommergut

Although the most notable updates in Windows Server 2025 center on Active Directory, Hyper-V, and SMB, the upcoming
OS release also introduces substantial improvements to the storage subsystem. These features include improved NVMe
support, an updated Storage Spaces Direct (S2D), and enhanced deduplication for ReFS.

As most Windows servers are not installed on bare metal, storage choices primarily impact Hyper-V hosts. These individual
servers can store virtual machines (VMs) on local storage, NAS, or SAN.

Hyper-V clusters can pool local storage from nodes with Storage Spaces Direct (S2D) to create volumes on software-
defined storage. Windows Server 2025 maintains the 16-node limit for S2D clusters.

As an alternative to a hyper-converged architecture, you can set up a separate storage tier using a Scale-out File Server
(SoFS). This approach allows compute and storage resources to be scaled independently. Additionally, you can reduce
licensing costs since the Standard Edition is adequate for running a SoFS, while S2D nodes require the Windows Server
Datacenter Edition.

Storage options for Hyper-V clusters

Full support for NVMe


A Hyper-V cluster can connect to SANs using iSCSI, Fibre Channel, and, starting with Windows Server 2025, the
integrated initiator for NVMe over Fabrics (NVMe-OF). The initiator is initially limited to TCP; future updates will add RDMA
support for workloads that need lower latency.

Microsoft promises significantly higher performance on NVMe storage, with up to 90% more IOPS. This improvement is
expected to come with lower CPU utilization, freeing up more compute power for VMs.

Storage Spaces Direct


A key innovation in Storage Spaces Direct (S2D) is its support for thin provisioning, which enables overcommitting physical
storage and consuming space only when data is written. Existing fixed volumes can be converted to thin provisioning.

Thin volumes can be set as the default for a storage pool, or admins can choose the preferred type when creating new
volumes.

Thin or fixed volumes can be set as the default for storage pools, or you can select the type when creating them

Windows Server 2025 enhances S2D for drive repair and resynchronization. When a faulty disk is replaced, S2D
automatically restores data to the new disk, leveraging redundant storage in the pool.

Synchronization is also required when an offline node is brought back online.

Resource allocation to S2D sync and repair can be prioritized in five levels

Admins can prioritize S2D operations over workloads or prioritize VMs, delaying S2D synchronization. Windows Server
2025 offers five levels for allocating resources between these tasks.

Deduplication and compression for ReFS


Since Windows Server 2016, the Resilient File System (ReFS) has supported data deduplication, but this feature was
restricted to cold data, such as shared drives on a file server.

Windows Server 2025 explicitly supports deduplication for ReFS drives storing virtual machines. In Azure Stack HCI 24H2,
this includes Azure Virtual Desktop images. With VHD(X), the potential savings are substantial due to high redundancy.

Deduplication and compression for ReFS can be controlled via the Windows Admin Center

Deduplication and compression for the Resilient File System (ReFS) can be managed through the Windows Admin Center
or PowerShell. PowerShell now offers two distinct algorithms optimized for either higher compression ratios or greater
speed.

Summary
Windows Server 2025 brings numerous enhancements to the storage subsystem, including enhanced NVMe support with
an integrated NVMe-OF initiator, promising significantly improved performance for these storage media.

Thin provisioning support in S2D, a crucial feature also found in competitor platforms like VMware and Nutanix, allows for
dynamic utilization and overcommitting of physical storage space.

ReFS’s advanced deduplication capabilities can manage frequently changing data, making it especially advantageous for
virtual disks, where the potential for savings is significant.

Windows Server 2025: New security features for file services (SMB, NTLM)
By Wolfgang Sommergut

The announced support for SMB over QUIC in all editions of Windows Server 2025 marks a significant advancement for
the file services role. In addition, the upcoming LTSC server release brings several new mechanisms designed to enhance
the security of traditional SMB over TCP or RDMA.

One key advantage of SMB over QUIC lies in its superior performance when accessing file shares. However, it also
enhances the security of file services by acting as an SMB VPN for users working remotely. The SMB traffic, including
authentication, is routed through a TLS 1.3-encrypted tunnel.

Despite Microsoft’s assertion that SMB over QUIC is the future, traditional transport mechanisms will continue to exist.
Windows Server introduces several features to enhance their security as well.

Block NTLM authentication for SMB connections


By default, clients and servers negotiate the authentication protocol using SPNEGO. Typically, Kerberos is utilized for
connections between domain-joined machines.

However, NTLM authentication occurs in specific situations, such as when:

the client establishes a connection via an IP address;
the Kerberos CIFS Service Principal Name for the SMB server is missing in the Active Directory;
a local user account is used to log on to the SMB server.

In the medium to long term, Kerberos extensions will eliminate this necessity for NTLM authentication. In the meantime,
Microsoft provides the option to block NTLM for SMB. However, connections will fail if NTLM must be used due to the
previously mentioned reasons.

Blocking via Group Policy

For this purpose, Windows 11 and Server 2025 introduce a Group Policy named Block NTLM (LM, NTLM, NTLMv2). It is
available specifically for the SMB client and can be found under Computer Configuration > Policies > Administrative
Templates > Network > Lanman Workstation.

Group Policy settings for blocking SMB authentication using NTLM

If individual servers rely on NTLM authentication, you can define exceptions for them. The group policy Block NTLM Server
Exception List serves this purpose.

Restrict NTLM authentication using PowerShell

In addition, it is possible to disable NTLM with PowerShell for all or specific SMB servers:

Set-SmbClientConfiguration -BlockNTLM $true

This command globally changes the configuration of the SMB client. To narrow the scope to a specific connection, use the
following:

New-SmbMapping -RemotePath \\server\share -BlockNTLM $true

The current status of this property can then be queried with

Get-SmbClientConfiguration | select BlockNTLM

and

Get-SmbMapping | select BlockNTLM

Even the old net use command now has a /blockntlm switch.

Limit the number of NTLM login attempts


If hackers manage to guess usernames or extract them from the Active Directory, they can send NTLM login attempts to an
SMB server at very short intervals.

Typically, dictionaries or lists of compromised passwords are used in attempts to guess the passwords of the targeted
accounts. In automated attacks, where several hundred login attempts per second are possible, there is a high chance of
successful authentication in a short period.

Until now, companies have been able to protect themselves against this by locking accounts after a certain number of
failed login attempts. However, this feature can be exploited for denial-of-service attacks.

Intervals between logins


Windows Server 2025 introduces an alternative protection mechanism against abusive SMB NTLM authentications. The
SMB NTLM Authentication Rate Limiter defines intervals that must elapse between two login attempts. This can be used,
for example, when blocking SMB NTLM is not an option.

This feature slows down automated attacks, significantly extending the time to hack a password.

Configuration via Group Policy

The Enable Authentication Rate Limiter policy can reduce the number of login attempts within a specific interval. This
setting is found under LanMan Server.

Throttle logon attempts and brute force attacks via Group Policy.

However, the Group Policy does not allow the configuration of intervals between invalid login attempts; this can only be
done with PowerShell.

Administration via PowerShell

To query the current setting in PowerShell, use the following command:

Get-SmbServerConfiguration | select InvalidAuthenticationDelayTimeInMs

Configuring the SMB NTLM authentication rate limiter with PowerShell.

To set the interval between two login attempts, run this command:

Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs <milliseconds>

Enforce specific SMB versions


By default, SMB clients and servers negotiate the highest protocol version supported by both sides. With two new Group
Policy settings, administrators can now set a minimum and maximum version of SMB.

This means that you can block older and less secure versions. The lowest available version is 2.0.2. For example, if an
organization sets the policy to the latest version, 3.1.1, all previous versions are no longer allowed.

The Group Policy for setting a minimum and maximum SMB version exists for both the client (outgoing connection) and the
server (incoming connection). It can be found under Computer Configuration > Policies > Administrative Templates >
Network > LanMan Workstation or LanMan Server.

Selecting the minimum and maximum SMB versions using Group Policy settings

Microsoft also allows configuration through PowerShell. The cmdlets

Set-SmbClientConfiguration
Set-SmbServerConfiguration

support new parameters for this purpose: Smb2DialectMin and Smb2DialectMax. As with the Group Policy setting,
SMB202 to SMB311 can be used as values.

The current settings can be queried via Get-SmbClientConfiguration and Get-SmbServerConfiguration.

Query settings for minimum and maximum SMB versions.

As the above screenshot shows, all SMB versions are allowed by default.

SMB signing enabled by default
Previously, only connections to a domain controller required SMB signatures. Microsoft will enable SMB signing by default
for both the client and the server.

The decision was delayed due to potential compatibility issues with older systems. Administrators should, therefore,
prepare for this upcoming change.

The following PowerShell commands can be used to query the current client and server settings for SMB signing:

Get-SmbClientConfiguration | Format-List RequireSecuritySignature
Get-SmbServerConfiguration | Format-List RequireSecuritySignature

Until now, SMB signing has been disabled by default.

Disable SMB signing


If a legacy system does not support SMB signing, it can be disabled for outgoing client connections using the following
PowerShell command in an elevated PowerShell session:

Set-SmbClientConfiguration -RequireSecuritySignature $false

To disable the SMB signature request on the server, use the following PowerShell command:

Set-SmbServerConfiguration -RequireSecuritySignature $false

There are also Group Policy settings for this task, named Microsoft network client: Digitally sign communications and
Microsoft network server: Digitally sign communications. Each exists with the options "always" and "if the other party agrees."

They can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies >
Security Options.

The default SMB signing can be deactivated via Group Policies
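The NTLM block, the authentication rate limiter, the dialect floor and SMB signing discussed in the sections above, audited and applied as one baseline in an added example (not code from the original article). It assumes an elevated session on Windows 11 24H2 or Server 2025 (older builds lack the BlockNTLM, Smb2DialectMin/Max and InvalidAuthenticationDelayTimeInMs settings); the 5000 ms delay, the SMB 3.1.1 floor and the legacy file server path are constructed values, not Microsoft defaults.

```powershell
# Added example (not from the original article): audit the SMB client/server settings
# against a hardening baseline and optionally apply it.
# Assumptions: elevated session on Windows 11 24H2 / Server 2025; baseline values are
# constructed for this example (5000 ms delay, SMB311 floor), not Microsoft defaults.

$Baseline = @{
    Client = @{
        BlockNTLM                = $true      # reject NTLM for outgoing SMB connections
        RequireSecuritySignature = $true      # signing on, as in the new default
        Smb2DialectMin           = 'SMB311'   # refuse anything older than SMB 3.1.1 (breaks legacy servers)
        Smb2DialectMax           = 'SMB311'
    }
    Server = @{
        RequireSecuritySignature           = $true
        Smb2DialectMin                     = 'SMB311'
        Smb2DialectMax                     = 'SMB311'
        InvalidAuthenticationDelayTimeInMs = 5000   # NTLM rate limiter: 5 s between failed attempts
    }
}

function Get-SmbHardeningReport {
    # One row per setting: current value, expected value and a Compliant flag.
    $current = @{
        Client = Get-SmbClientConfiguration
        Server = Get-SmbServerConfiguration
    }
    foreach ($side in 'Client', 'Server') {
        foreach ($setting in $Baseline[$side].Keys) {
            $actual = $current[$side].$setting
            [pscustomobject]@{
                Side      = $side
                Setting   = $setting
                Current   = $actual
                Expected  = $Baseline[$side][$setting]
                Compliant = ("$actual" -eq "$($Baseline[$side][$setting])")
            }
        }
    }
}

function Set-SmbHardeningBaseline {
    # Applies only the settings that deviate; -WhatIf shows what would change without touching anything.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in (Get-SmbHardeningReport | Where-Object { -not $_.Compliant })) {
        $params = @{ Force = $true }
        $params[$row.Setting] = $row.Expected
        if ($PSCmdlet.ShouldProcess("$($row.Side) $($row.Setting)", "set to $($row.Expected)")) {
            if ($row.Side -eq 'Client') { Set-SmbClientConfiguration @params }
            else                        { Set-SmbServerConfiguration @params }
        }
    }
}

# Before enforcing BlockNTLM globally, find servers that still rely on NTLM: a per-mapping test
# fails fast and tells you which hosts belong on the 'Block NTLM Server Exception List' policy.
function Test-SmbShareWithoutNtlm {
    param([Parameter(Mandatory)][string]$RemotePath)
    try {
        New-SmbMapping -RemotePath $RemotePath -BlockNTLM $true -ErrorAction Stop | Out-Null
        Remove-SmbMapping -RemotePath $RemotePath -Force
        $true
    } catch {
        Write-Warning "$RemotePath needs NTLM (or is unreachable): $($_.Exception.Message)"
        $false
    }
}

Get-SmbHardeningReport | Format-Table -AutoSize
Set-SmbHardeningBaseline -WhatIf
Test-SmbShareWithoutNtlm -RemotePath '\\legacyfs.contoso.com\data'   # constructed path
```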

Firewall rules activated by default


Previously, when installing the file services role, it not only automatically activated firewall rules for SMB or the spooler
service but also opened the NetBIOS ports. In Windows Server 2025, this is no longer the case. However, the
corresponding rules still exist, allowing them to be activated if needed.

In Windows Server 2025, installing the file server role no longer opens the NetBIOS ports in the firewall

Summary
The most significant enhancement for file services in Windows Server 2025 is undoubtedly the support for SMB over QUIC
in all editions. This not only improves performance but also enhances security.

In addition, the new OS introduces several improvements to secure SMB across all transport mechanisms. This includes,
notably, the restriction of NTLM authentication at the SMB level, which can either be blocked entirely or delayed by a
specific interval after failed attempts.

Furthermore, users can avoid older versions of SMB by specifying a minimum version through Group Policy settings or
PowerShell. Finally, the default SMB signing and leaving the NetBIOS ports closed in the firewall enhance the security of
file services.

Windows Server 2025 supports SMB over QUIC in all editions
By Wolfgang Sommergut

One of the main new features of Windows Server 2022 is SMB over QUIC. QUIC serves as an alternative to TCP and
RDMA, providing a secure connection to a file server over untrusted networks. This protocol is based on UDP and TLS 1.3,
enhancing the security and performance of file shares. Windows Server 2025 will include it in all editions, along with the
new QUIC Client Access Control. QUIC has been exclusive to the Azure Edition until now.

A major advantage of QUIC is its mandatory certificate-based encryption. SMB over QUIC is like an SMB VPN for users
working remotely. The server certificate creates a TLS 1.3 encrypted tunnel via UDP port 443. SMB traffic, including
authentication, is not exposed to the underlying network.

Transport options for Server Message Block SMB

Within the QUIC tunnel, SMB behaves as usual from the user’s point of view, and features such as multi-channel and
compression are still available.

SMB over QUIC as the preferred protocol in the future


Due to these characteristics, Microsoft has positioned SMB over QUIC as a feature for edge servers, i.e., file servers
running in the cloud or DMZ accessible over the internet. This was the reason for restricting QUIC support to the Azure
Edition, which runs in the Microsoft Cloud or on-premises on Azure Stack HCI.

The announcement of SMB over QUIC for Windows Server 2025 aligns with the overall repositioning of the feature as a
secure alternative to SMB over TCP. It hardens file servers even for internal use, and protects NTLM credentials against
leakage. As a result, QUIC will become the preferred transport mechanism for SMB.

QUIC Client Access Control


Compared to the implementation in Windows Server 2022, there is a new feature that allows restricting access to file
servers via QUIC to certain clients. Currently, a server accepts all clients whose certificate chains up to the same root
certificate as the one used for QUIC on the server.

The new restriction is also based on certificates. Admins add the thumbprints of client certificates to a list of trusted devices
on the server. When a computer connects to the server, it can decide, based on the transmitted certificate information,
whether the client is authorized for access.

In large environments, maintaining the thumbprints of all client certificates on the server could be tedious. Therefore, QUIC
Client Access Control also supports SAN certificates, which can include the names of multiple hosts.

Activating SMB over QUIC


The Windows Server Insider Preview Build 25997 includes SMB over QUIC for all editions, including Standard and
Datacenter. By default, the feature is disabled and must be enabled by the server admin. Clients cannot enforce the use of
the protocol.

The tools for activating SMB over QUIC remain the Windows Admin Center (WAC) and PowerShell. The current version of
WAC is still limited to the Azure Edition for this task and denies QUIC configuration for other OS editions.

Enabling SMB over QUIC in the Windows Admin Center

In PowerShell, the cmdlets responsible for this task are New-SmbServerCertificateMapping and
Set-SmbServerConfiguration (see also: How to use SMB over QUIC in Windows Server 2022).

Checking the status of SMB over QUIC in PowerShell
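Enabling SMB over QUIC on a Standard or Datacenter server with the two cmdlets named above, and restricting it to known client certificates as described under QUIC Client Access Control, as an added example (not code from the original article). The server name and hashes are placeholders; the client access control cmdlets (Grant-/Get-SmbClientAccessToServer) and the -RequireClientAuthentication parameter are assumed from the Windows Server 2025 documentation and should be checked against your build.

```powershell
# Added example (not from the original article): enable SMB over QUIC with PowerShell
# (the path WAC still refuses for non-Azure editions) and limit it to known client certs.
# Assumptions: fs1.contoso.com and the hashes are placeholders; Grant-/Get-SmbClientAccessToServer
# and -RequireClientAuthentication are assumed from the Server 2025 docs.

$ServerName       = 'fs1.contoso.com'                      # name clients use; must be in the cert's SAN
$ServerThumbprint = '<server-certificate-thumbprint>'      # placeholder
$ClientCertSha256 = '<sha256-hash-of-client-certificate>'  # placeholder

function Enable-SmbOverQuic {
    param([string]$Name, [string]$Thumbprint)
    # The certificate needs the Server Authentication EKU and a chain the clients trust.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not ($cert.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication')) {
        throw 'Certificate lacks the Server Authentication EKU'
    }
    # Map the name clients will use to the certificate, requiring a client certificate as well.
    New-SmbServerCertificateMapping -Name $Name -Thumbprint $Thumbprint -StoreName My `
        -RequireClientAuthentication $true
    # Turn the QUIC listener on; it is disabled by default on all editions.
    Set-SmbServerConfiguration -EnableSMBQUIC $true -Force
    # Named pipes over QUIC are rarely needed from outside; keep them off.
    Set-SmbServerConfiguration -RestrictNamedPipeAccessViaQuic $true -Force
    Get-SmbServerCertificateMapping
}

function Grant-QuicClient {
    param([string]$Name, [string]$Sha256)
    # Only clients presenting a certificate with this SHA-256 hash may connect over QUIC.
    Grant-SmbClientAccessToServer -Name $Name -IdentifierType SHA256 -Identifier $Sha256
    Get-SmbClientAccessToServer -Name $Name
}

Enable-SmbOverQuic -Name $ServerName -Thumbprint $ServerThumbprint
Grant-QuicClient   -Name $ServerName -Sha256 $ClientCertSha256

# Status check, as in the screenshot above: is the QUIC listener on and which names are mapped?
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC, RestrictNamedPipeAccessViaQuic
Get-SmbServerCertificateMapping | Select-Object Name, Thumbprint, StoreName
```

From a Windows 11 client, New-SmbMapping -RemotePath "\\fs1.contoso.com\share" -TransportType QUIC forces the QUIC transport for a test connection.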

Summary
Microsoft initially positioned SMB over QUIC, introduced with Windows Server 2022, exclusively for accessing file servers
via the internet. It was therefore only available in the Azure Edition. However, the enhanced security of the QUIC protocol
also benefits purely on-prem environments.

For this reason, all editions of Windows Server 2025 support the QUIC tunnel for SMB. The company hinted that this will
be the preferred transport for SMB in the future.

In addition to making SMB over QUIC available in all Windows Server 2025 editions, Microsoft ships it with Client Access
Control, which allows access to a file server to be restricted to specific devices.

Change SMB ports in Windows 11 and Server 2025
By Wolfgang Sommergut

Windows 11 24H2 and Server 2025 improve the SMB protocol with a strong focus on security. One key feature is the ability
to use ports other than TCP 445, which offers enhanced security and flexibility. However, on the server side this capability is
restricted to the QUIC transport.

For decades, Windows SMB has been restricted to TCP port 445, preventing the use of other ports. However, this has
changed with the latest operating system versions. Utilizing an alternative port enhances protection against opportunistic
scans and strengthens security alongside measures like SMB traffic signing and encryption.

This modification also offers network administrators enhanced flexibility, especially when SMB traffic traverses a firewall or
load balancer.

Configure alternative ports for SMB client


On the client side, you can define an alternative port for each transport mechanism: TCP, RDMA, and QUIC. The default
ports for TCP and RDMA are TCP 445 (though RDMA doesn’t need it for actual data transfer), while SMB over QUIC uses
UDP port 443.

You can modify the default port using PowerShell, net.exe, or Group Policy.

PowerShell

Microsoft has upgraded the New-SmbMapping cmdlet in PowerShell by adding the parameters TcpPort, RdmaPort, and
QuicPort. You can specify a port number between 0 and 65536.

An example command for mapping a network drive would look like this:

New-SmbMapping -LocalPath J -RemotePath \\filer.contoso.com\ppt -TcpPort 487

In this example, the network share ppt on filer.contoso.com is mapped to the local drive J, and the SMB connection will use
TCP port 487.

Setting an alternative TCP port for SMB using PowerShell.

Using net.exe

The equivalent command using net.exe is as follows:

NET USE J: \\filer.contoso.com\ppt /TCPPORT:487

Either way, you can substitute TcpPort with RdmaPort or QuicPort to set up SMB over these protocols using an alternative
port.

Configuration via GPO


A new Group Policy setting has been introduced to centralize the management of the SMB port. It is located under
Computer Configuration => Policies => Administrative Templates => Network => LanMan Workstation and is labeled
Alternative Port Mappings.

Enabling this policy allows you to input the mappings, including the new port, in Alternative Port Registry Mappings. For the
example provided, you would enter:

filer.contoso.com:tcp:487

Each entry includes a server name, transport type, and port number, separated by colons. Unlike the New-SmbMapping
and net.exe commands, specifying the share name is not required here.

Configuring port 487 for TCP on the SMB client.

It is crucial to verify that the SMB server is actively listening on the port you select, regardless of which one you choose.
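As an added example (not code from the article), the following PowerShell function ties the client-side steps together: it probes whether the server actually listens on the chosen TCP port, maps the share with the new TcpPort parameter, confirms the established session, and prints the equivalent line for the Alternative Port Registry Mappings policy. The server name, share and port are the article's sample values; the function name is my own.

```powershell
# Added example, not part of the original article. Function name is hypothetical.
# Maps a share over a non-default SMB TCP port after checking that the server
# really listens there, which the article stresses as an essential precondition.

function Connect-SmbShareOnAlternativePort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,        # e.g. filer.contoso.com
        [Parameter(Mandatory)] [string] $Share,         # e.g. ppt
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]$')] [string] $DriveLetter,
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $TcpPort
    )

    # 1. Reachability: an SMB server that is not listening on the chosen port makes
    #    the mapping fail with a generic network error, so probe the port first.
    $probe = Test-NetConnection -ComputerName $Server -Port $TcpPort -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "Nothing is listening on ${Server}:${TcpPort}. Fix the server-side port configuration first."
    }

    # 2. Map the share. -TcpPort is the new parameter described in the article;
    #    -RdmaPort and -QuicPort work the same way for the other transports.
    $remote = "\\$Server\$Share"
    New-SmbMapping -LocalPath "${DriveLetter}:" -RemotePath $remote -TcpPort $TcpPort | Out-Null

    # 3. Confirm that the SMB session really runs over the alternative port and not 445.
    $session = Get-NetTCPConnection -State Established -RemotePort $TcpPort -ErrorAction SilentlyContinue |
               Where-Object { $_.RemoteAddress -eq $probe.RemoteAddress.IPAddressToString }
    if (-not $session) {
        Write-Warning "Mapping created, but no established TCP session to port $TcpPort was found."
    }

    # 4. The same mapping expressed as an entry for the 'Alternative Port Registry
    #    Mappings' policy value: server:transport:port, no share name required.
    [pscustomobject]@{
        Mapping     = "${DriveLetter}: -> $remote"
        TcpPort     = $TcpPort
        Established = [bool]$session
        GpoEntry    = "${Server}:tcp:${TcpPort}"
    }
}

# The article's sample values: share ppt on filer.contoso.com mapped to J: over TCP 487.
Connect-SmbShareOnAlternativePort -Server 'filer.contoso.com' -Share 'ppt' -DriveLetter 'J' -TcpPort 487
```

Note that the mapping will still fail if the Enable Alternative Ports policy described further down has been set to Disabled on the client.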

Alternative port on the server


In this context, “server” applies to any Windows machine acting as an SMB server, not just Windows Server but also
Windows 11. Microsoft offers PowerShell as the only option to configure a non-standard port. The relevant cmdlets are:

Get-SmbServerAlternativePort
New-SmbServerAlternativePort
Remove-SmbServerAlternativePort
Set-SmbServerAlternativePort

The first cmdlet displays the current active port configuration, while the second cmdlet assigns an alternative port to SMB.

New-SmbServerAlternativePort -TransportType QUIC -Port 1111

Currently, the TransportType parameter exclusively supports QUIC, meaning TCP and RDMA cannot be assigned different
ports on the server side.

Microsoft likely prioritized SMB over QUIC because it allows direct use over the Internet, often making it necessary to open
various firewall ports. On the other hand, SMB over TCP is usually accessed through a VPN for security reasons.

Although changing the port for all three protocols on the client side is possible, the server only offers the option to adjust
the QUIC port. This combination may not seem practical, but it has advantages beyond Windows environments.

Samba, for instance, allows setting an alternative port by adding an entry in the smb.conf file, as shown below:

[global]
smb ports = 1445

Selecting a different TCP port on the client can be advantageous if the SMB server is behind a load balancer that may not
manage SMB traffic on port 445.

Prevent port changes


Administrators can use a Group Policy to restrict users from altering the port when mapping a network drive, as this could
disrupt the connection.

This policy, Enable Alternative Ports, is located under Computer Configuration => Policies => Administrative Templates =>
Network => LanMan Workstation.

The configuration of alternative ports on the SMB client can be restricted through Group Policy

This setting must be disabled to prevent the use of alternative ports. If left unconfigured or enabled, the option remains
available.

Conclusion
Microsoft upgraded the SMB protocol in Windows Server 2025 with various enhancements, such as allowing the
configuration of an alternative communication port, eliminating the strict dependency on TCP 445.

The client side allows adjusting the port for all transports, whereas the server only allows configuring an alternative QUIC
port. Consequently, the enhanced flexibility on the client side proves most advantageous when dealing with third-party
products, such as a Samba server.

Enable Credential Guard on Windows Server 2025
By Markus Elsberger

Credential Guard in Windows Server 2025 enhances security by isolating credentials using Virtualization-Based Security
(VBS). To enable Credential Guard with PowerShell or Group Policy, ensure your systems meet the hardware and firmware
requirements. After enabling Credential Guard, you can use PowerShell to verify its activation.

What is Credential Guard?


Credential Guard is a security feature in Windows Server 2025 designed to protect credentials like Kerberos Ticket-
Granting Tickets (TGTs) and NTLM hashes. It uses Virtualization-Based Security (VBS) to isolate sensitive data in a
protected environment, separate from the rest of the operating system. This makes it harder for attackers to extract
credentials from memory, even with administrative rights. Credential Guard prevents attacks like Pass-the-Hash and
Pass-the-Ticket.

On Windows Server 2025, Credential Guard offers several security advantages, including:

Hardware security
Technologies like NTLM, Kerberos, and the Credential Manager protect credentials using modern security features like
Secure Boot and virtualization.

Virtualization-Based Security (VBS)


VBS processes NTLM and Kerberos data, along with other sensitive information, in a protected, isolated environment
independent of the main operating system, keeping this data secure even if the OS is compromised.

Protection against targeted attacks

VBS makes it difficult for attackers to steal credentials. Malware with administrative privileges cannot extract VBS-protected
data, blocking many tools used in persistent attacks.

Requirements
Credential Guard is generally enabled by default in Windows Server 2025 and Windows 11 22H2, but specific conditions
must be met to utilize it:

Hardware requirements

A processor with virtualization extensions and Second Level Address Translation (SLAT) is required.
TPM 1.2 and 2.0 (Trusted Platform Module) are recommended but not mandatory.

Firmware requirements
Enable UEFI firmware without Compatibility Support Module (CSM).
Activate Secure Boot to ensure the boot chain’s integrity.

Software requirements
Enable Hyper-V in Windows Features because Credential Guard relies on VBS.

License requirements

Fulfill the licensing requirements for Windows Server 2025.

Network Requirements

The device should join a domain but not be a domain controller, as Credential Guard is not recommended on
domain controllers.

Enable Credential Guard
Generally, Credential Guard is enabled by default on Windows Server 2025. Read the following section to verify whether
Credential Guard is activated on your systems. If not, follow these steps to enable Credential Guard:

Enable Hyper-V hypervisor

Run PowerShell as administrator and execute this command to enable the Hyper-V hypervisor:

Enable-WindowsOptionalFeature -Online -FeatureName HypervisorPlatform

This ensures the virtual infrastructure required by Credential Guard is available.

Enable Virtualization-Based Security (VBS)


Virtualization-based security (VBS) in Windows Server 2025 leverages hardware virtualization to create isolated memory
regions, enhancing protection against sophisticated threats by securely isolating sensitive data and processes from the
main operating system. Execute the following PowerShell command to enable VBS:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1

Require Secure Boot

Secure Boot is a security feature that ensures a device boots only with software trusted by the manufacturer, protecting
against unauthorized code execution during startup.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -Value 1

Enable Credential Guard

The next command sets the LsaCfgFlags registry value to 2, enabling Credential Guard without persisting the configuration
to UEFI firmware, allowing for easier modification or disabling of the feature.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 2

Restart Server
Restart the server to apply changes.

Restart-Computer

Verify Credential Guard activation


Use PowerShell to verify if Credential Guard is enabled on a single server. To confirm the feature is active in your Active
Directory domain, use Group Policy.

Check with PowerShell:


Open PowerShell as administrator and run this command:

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

When Credential Guard is active, the SecurityServicesRunning value should be 1.
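The one-liner above only shows the raw service codes. As an added example (not from the article), the following function reads the same Win32_DeviceGuard class and reports whether Credential Guard is merely configured or actually running, together with the LsaCfgFlags value set earlier and the platform properties the firmware exposes. The function name is my own.

```powershell
# Added example, not part of the original article; function name is hypothetical.
# Turns the numeric codes of Win32_DeviceGuard into a readable status and separates
# "configured" (registry set, reboot pending or prerequisite missing) from "running".

function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Security service codes used by this class: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $cgConfigured = [int[]]$dg.SecurityServicesConfigured -contains 1
    $cgRunning    = [int[]]$dg.SecurityServicesRunning    -contains 1

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Platform properties reported by the firmware: 1 = base virtualization support (SLAT),
    # 2 = Secure Boot. Both are prerequisites listed in the article.
    $props = [int[]]$dg.AvailableSecurityProperties

    # The registry value the article sets: 2 = Credential Guard enabled without UEFI lock
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # "ConfiguredButNotRunning" is the state to investigate: either the reboot has not
    # happened yet, or a hardware/firmware prerequisite (SLAT, UEFI, Secure Boot) is missing.
    $verdict = if ($cgRunning) { 'Active' } elseif ($cgConfigured) { 'ConfiguredButNotRunning' } else { 'NotConfigured' }

    [pscustomobject]@{
        CredentialGuard  = $verdict
        VbsStatus        = $vbs
        LsaCfgFlags      = $lsaCfg
        VirtualizationOk = $props -contains 1
        SecureBootOk     = $props -contains 2
        ServicesRunning  = ([int[]]$dg.SecurityServicesRunning) -join ','
    }
}

Get-CredentialGuardStatus | Format-List
```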

Check if Credential Guard is enabled with PowerShell

Check in Group Policy:


Open the Group Policy Editor and navigate to this location:

Computer Configuration > Administrative Templates > System > Device Guard

Enable Virtualization-Based Security should be set to Enabled.

Verify if Credential Guard is enabled in Group Policy

Key considerations
Application compatibility
Enabling Credential Guard may affect applications relying on specific authentication methods like NTLMv1 or Unsecure
Kerberos Delegation. Test applications for compatibility before deploying Credential Guard in production.

Domain Controllers
Credential Guard on domain controllers provides no additional security benefits and may cause compatibility issues.

TPM clearing

Clearing TPM deletes protected data for all VBS functions, including Credential Guard. Be cautious with TPM operations.

Refer to Microsoft’s documentation for detailed information and additional configuration options.

Conclusion
Credential Guard in Windows Server 2025 enhances security by isolating sensitive credentials using Virtualization-Based
Security (VBS), mitigating threats like Pass-the-Hash and Pass-the-Ticket attacks. To ensure its effective deployment, it’s
crucial to meet specific hardware, firmware, software, licensing, and network prerequisites and verify its activation post-
implementation. Administrators should also assess application compatibility and be aware of considerations related to
domain controllers and TPM operations to maintain a secure and functional environment.

OSConfig: Manage security settings in Windows Server 2025 and revert
configuration drift
By Wolfgang Sommergut

OSConfig, a new feature in Windows Server 2025, allows you to configure Microsoft’s recommended security settings.
These settings largely align with the security baselines. Management options include PowerShell, the Windows Admin
Center, and Azure Policy. OSConfig can automatically detect and correct configuration drifts, ensuring compliance.

Traditionally, Microsoft has provided its recommended security settings as GPO backups, which administrators can import
selectively or entirely into their environments.

The security baseline includes templates for various roles and features, such as member servers, domain controllers,
Defender Antivirus, and Credential Guard. However, as of two months after the release of Windows Server 2025, this
baseline is not yet included in the Security Compliance Toolkit.

GPO templates in the security baseline for various Windows Server 2022 roles and features

OSConfig in Windows Server 2025 largely follows the concept of Microsoft’s security baselines but is not built on Group
Policy. Instead, it leverages a PowerShell interface for local management, along with a dedicated service that continuously
monitors and corrects deviations from the desired configurations.

Installing the OSConfig module


The PowerShell module for OSConfig is not bundled with the operating system and needs to be installed separately:

Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

After installation, you can view the commands available in the module by running the following:

Get-Command -Module Microsoft.OSConfig

This will display a list of 8 functions and 3 aliases. Four of these functions are dedicated to configuring drift control. They
allow you to view or change the interval for checks, as well as enable or disable the service.

Installing the Microsoft.OSConfig module and displaying its commands.

One function is specifically designed to display metadata for a template, referred to as a scenario. The actual management
of security settings is handled by three functions with the noun OSConfigDesiredConfiguration (Get / Set / Remove).

Listing available scenarios


To identify the available templates for security settings in OSConfig, use the following command:

Get-OSConfigMetadata | Format-Table Name, Description -Wrap

Display available scenarios for OSConfig

In addition to the templates familiar from the security baseline, such as those for member servers and domain controllers,
OSConfig also includes scenarios for AppControl, Secured Core, and workgroup servers. Workgroup servers are likely the
primary target for OSConfig, as AD domains already offer centralized management via Group Policy.

Applying settings from a baseline
Administrators typically customize the settings with traditional GPOs from the security baseline before applying them to
target computers. In OSConfig, the process often works the other way around: you activate a scenario with all its default
settings and then exclude specific configurations as necessary.

Adjustments are often required, as strict security configurations may cause compatibility issues with certain applications or
systems.

To view the settings and their default values for a specific template, you can run the following command:

Get-OSConfigDesiredConfiguration -Scenario Defender\Antivirus |
  select name, Description, @{n="Reason"; e={$_.Compliance.Reason}},
  @{n="Status"; e={$_.Compliance.Status}} | Format-List

Display Defender Antivirus settings and their recommended values.

As shown in the output, Get-OSConfigDesiredConfiguration is primarily used to check the desired configuration status and
highlight any deviations. Our example shows the settings for Defender Antivirus, all of which are marked as NotCompliant
because the corresponding baseline has not yet been activated.

To resolve this, use Set-OSConfigDesiredConfiguration, as demonstrated below for Defender Antivirus:

Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default

The Default switch ensures that all settings from the template are applied. Alternatively, you can specify Setting to
configure individual settings. One of these two parameters is required.

To modify a specific setting, follow this pattern:

Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus `
  -Setting SubmitSamplesConsent -Value 0

Enable all settings for Defender Antivirus, modify SubmitSamplesConsent, and display the setting’s
status

To remove a specific setting rather than just modify it, use the following command:

Remove-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Setting SubmitSamplesConsent

Delete setting SubmitSamplesConsent for Defender Antivirus.

Omitting the Setting parameter removes the entire Defender Antivirus baseline from the desired configuration:

Remove-OSConfigDesiredConfiguration -Scenario Defender\Antivirus

However, keep the following restrictions in mind when modifying or deleting settings:

Applying or removing a baseline requires a server reboot for the changes to take effect;
Customizing individual settings often also necessitates a restart;
Deleting a baseline does not always restore the previous configuration state.
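Because applying a baseline and excluding individual settings both change the compliance picture, it helps to have a single report of what still deviates. The following function is an added example (not the module's own code, function name is my own): it assumes the Microsoft.OSConfig module is installed and that Compliance.Status reads 'Compliant' for settings that match the baseline, the opposite of the NotCompliant value shown above.

```powershell
# Added example, not part of the original article; function name is hypothetical.
# Assumes Microsoft.OSConfig is installed (Install-Module, as shown above) and that
# Compliance.Status is 'Compliant' when a setting matches the baseline (assumption).
# Summarises a scenario's state and lists the settings that deviate, optionally
# tolerating settings you customised on purpose (e.g. SubmitSamplesConsent).

function Get-OSConfigComplianceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Scenario,   # e.g. Defender\Antivirus
        [string[]] $Exclude = @()                     # settings intentionally left non-compliant
    )

    $settings = Get-OSConfigDesiredConfiguration -Scenario $Scenario

    $drift = foreach ($s in $settings) {
        if ($s.Compliance.Status -eq 'Compliant') { continue }
        [pscustomobject]@{
            Setting  = $s.Name
            Status   = $s.Compliance.Status
            Reason   = $s.Compliance.Reason
            Excluded = $Exclude -contains $s.Name
        }
    }

    [pscustomobject]@{
        Scenario     = $Scenario
        Total        = @($settings).Count
        NonCompliant = @($drift | Where-Object { -not $_.Excluded }).Count
        Excluded     = @($drift | Where-Object { $_.Excluded }).Count
        Details      = $drift
    }
}

# Report for the article's example scenario, tolerating the one setting it customises.
$report = Get-OSConfigComplianceReport -Scenario 'Defender\Antivirus' -Exclude 'SubmitSamplesConsent'
$report | Format-List Scenario, Total, NonCompliant, Excluded
$report.Details | Format-Table Setting, Status, Reason -AutoSize
```

Run the report once before Set-OSConfigDesiredConfiguration -Default, once after the required reboot, and again after any Remove call, since removing a baseline does not always restore the previous state.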

Managing OSConfig via Admin Center and Azure Policy


In addition to PowerShell, OSConfig can be managed using the Windows Admin Center (WAC) or Azure Policy. Managing
OSConfig via Azure Policy requires that Windows Server 2025 be connected to the Microsoft Cloud via Azure Arc.

WAC 2410 features a preview of the Security Extension, which allows OSConfig settings to be managed through the
Security Baseline tab. Notably, this approach does not require installing the OSConfig PowerShell module on the target
system.

Managing OSConfig with Windows Admin Center.

Summary
With OSConfig, Microsoft integrates security baselines directly into the operating system. The configuration tools available
for OSConfig include PowerShell, Windows Admin Center, and Azure Policy. Additionally, OSConfig features a service that
automatically identifies and corrects deviations from desired configurations.

Essentially, OSConfig serves the same purpose as Group Policy and traditional security baselines. While GPOs enable
centralized management of servers within a Windows domain, OSConfig is primarily designed to manage individual
machines. As such, it is particularly suitable for workgroups and cloud servers.

Delegated Managed Service Accounts in Windows Server 2025
By Surender Kumar

Windows Server 2025 introduces the delegated Managed Service Account (dMSA) feature to address security concerns of
regular service accounts. This blog post provides an overview of dMSA, explaining its functionality and offering guidance
on its setup.

Types of Service Accounts


Before delving into the subject, let’s explore various types of service accounts to ensure clarity for individuals new to
Windows administration.

Regular service accounts

A Windows service account (SA) is a user account used by Windows services to interact with the operating system and
network resources. These accounts provide the necessary permissions and security context for services to run and
perform their intended functions without requiring direct user interaction.

Regular service accounts have several problems:

They require manual password management.
Admins often set never-expiring passwords for management ease, which is a significant security risk.
When you change the password for a service account, the service that depends on this account may cease to
function unless you update the service with the new password.
Service accounts are vulnerable to credential harvesting attacks, like Kerberoasting. In Kerberoasting, the attacker
requests a Ticket Granting Service (TGS) ticket from the Key Distribution Center (KDC). The attacker can then
attempt to crack the session key within the TGS ticket offline or impersonate the service account to access other
network resources.

Managed service accounts

A managed service account (MSA), also known as a standalone managed service account (sMSA), is an Active Directory
(AD) managed account created to run a service on a specific server. It helps reduce administrative overhead by providing
automatic password management. However, the inability to share MSAs across multiple servers may still challenge
administrators. That’s where group-managed service accounts (gMSA) come in.

Group-managed service accounts

A group Managed Service Account (gMSA) is an Active Directory (AD) managed account that extends the functionality of
MSAs to multiple servers. This makes it ideal for load-balanced or clustered environments where a service might need to
failover or be distributed across several servers.

MSAs and gMSAs are more secure than conventional service accounts but are not entirely immune to credential
harvesting attacks.

Delegated Managed Service Accounts


Delegated Managed Service Accounts (dMSAs) assist organizations in transitioning from regular service accounts to more
secure gMSA-style accounts. A dMSA possesses the following key features:

1. It supports multiple servers.
2. It supports automatic password management.
3. The keys are bound to the machine identity and secured with Credential Guard to offer robust protection against
credential harvesting attacks.
4. The keys are retrieved via Kerberos only. The passwords are never passed to the client and are never stored locally
where the dMSA is used.
5. It helps admins migrate from regular service accounts, which are considered unsafe.
6. No changes are required to the target service that uses a regular service account because the domain controllers
handle everything.

Migrating to delegated Managed Service Accounts (dMSA)
This is the process of migrating a regular service account to a delegated Managed Service Account (dMSA):

1. Credential Guard is configured to protect the machine identities in your domain.
2. The administrator creates a dMSA to supersede a regular service account.
3. The administrator starts the service account migration.
4. The service account attempts to refresh the Ticket Granting Ticket (TGT). The request is redirected to the Local
Security Authority (LSA), which helps map the service account to the dMSA.
5. The machine identity is added to the dMSA’s PrincipalsAllowedToRetrieveManagedPassword attribute, and the
dMSA inherits all the access rights and permissions that the previous service account had.
6. The administrator completes the migration, which disables the original service account.
7. The target service continues to work using the dMSA.

Prerequisites for this guide


You must have domain admin rights.
Only Windows Server 2025 (Preview) allows for creating the dMSA at this time.
There must be at least one Windows Server 2025 domain controller in your Active Directory.
On the client devices, you must enable the following Group Policy setting: Computer Configuration\Administrative
Templates\System\Kerberos\Enable Delegated Managed Service Account logons

Enable Delegated Managed Service Account logons group policy setting

This setting is only available for Windows 11 24H2 (Preview) and Windows Server 2025 (Preview). Other Windows
versions do not support dMSA logons at this time.

Enable Kerberos logging [optional]
I had a domain controller and a web server running Windows Server 2025 for my test. The steps described below were
executed on the web server.

To enable Kerberos logging, open Event Viewer, expand Applications and Services, navigate to
Microsoft\Windows\Security-Kerberos, right-click on Operational, and choose Enable Log.

Enable Kerberos logs in the Event Viewer

This step is optional but helps understand what’s happening as you configure a dMSA.

Set up a delegated Managed Service Account (dMSA)


The SFTP service on the web server currently uses the ssh.service service account, which is a regular AD user. I created a
new dMSA and superseded the service account for demonstration purposes.

Launch an elevated PowerShell terminal and install the Remote Server Administration Tools (RSAT) tools for Active
Directory with this command.

Install-WindowsFeature -Name RSAT-AD-Tools

If this is your first time using a Managed Service Account, your domain may have no Key Distribution Service (KDS) root
key. Domain controllers need a root key to start generating managed service account passwords. You can use the Get-
KdsRootKey command to check if the key exists. If it returns nothing, run this command to create a new root key.

Add-KdsRootKey -EffectiveImmediately

Please note that the newly created root key takes up to 10 hours to become active. This gives sufficient time to replicate
the key in large environments. However, if you’re operating in a test lab, you can use the following command to create a
key that starts working immediately.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

You can create a delegated Managed Service Account (dMSA) with the following command.

New-ADServiceAccount -Name <dMSA-Name> -DNSHostName <dMSA-FQDN> -CreateDelegatedServiceAccount -KerberosEncryptionType AES256

Create a delegated Managed Service Account (dMSA) on Windows Server 2025

You can use the New-ADServiceAccount cmdlet to create various types of managed service accounts. However, the
CreateDelegatedServiceAccount switch parameter indicates we are creating a delegated Managed Service Account
(dMSA). The command does not return any output, so if you don’t see an error, it usually means a success.

Next, you can use the following command to view dMSA attributes.

Get-ADServiceAccount -Identity <dMSA-Name> -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-DelegatedMSAState

The screenshot above shows that the PrincipalsAllowedToRetrieveManagedPassword attribute is currently empty but will
populate automatically during the dMSA migration. The msDS-DelegatedMSAState attribute value is initially 0, indicating
that it is in an unlinked state (the MSA is not currently associated with or delegated to any specific service or computer).

Now, start the service account migration and view the dMSA attributes again.

Start-ADServiceAccountMigration -Identity <dMSA-Name> -SupersededAccount "<Superseded-Service-Distinguished-Name>" -Server <Server-2025-DC>

The -Identity parameter specifies the dMSA name, the -SupersededAccount parameter specifies the distinguished name of
the service account, and the optional -Server parameter can be used to specify a dMSA-capable (Windows Server 2025)
domain controller.

You can explore the dMSA attributes using AD Explorer. Navigate to the Managed Service Accounts container and select
the dMSA you created. You will notice that the msDS-DelegatedMSAState attribute value has now changed to 1, indicating
that the account migration has started.

Explore delegated Managed Service Account (dMSA) attributes using AD Explorer

Also, the msDS-ManagedAccountPrecededByLink points to the service account (ssh.service in our case). Similarly,
inspecting the service account attributes will reveal that the msDS-SupersededManagedAccountLink and msDS-
ManagedAccountPrecededByLinkBL attributes now point to the newly created dMSA.

Now, restart the target service so that the PrincipalsAllowedToRetrieveManagedPassword attribute can pick up the
machine identity of the server where the service runs. When the service starts again, you will notice that the web server
has been added to the attribute automatically, as shown in the screenshot below.

Start the service account migration

If you have made a mistake (e.g., specified the wrong account name), you can undo the migration with this command.

Undo-ADServiceAccountMigration -Identity <dMSA-Name> -SupersededAccount <Superseded-Service-Distinguished-Name>

Similarly, to revert the service account to an unlinked state, use the following command:

Reset-ADServiceAccountMigration -Identity <dMSA-Name> -SupersededAccount <Superseded-Service-Distinguished-Name>

If the service account is used on multiple computers, allow a few days for the
PrincipalsAllowedToRetrieveManagedPassword attribute to identify all servers where the service account is in use. To
complete the migration, use this command.

Complete-ADServiceAccountMigration -Identity <dMSA-Name> -SupersededAccount <Superseded-Service-Distinguished-Name>

Once the migration is complete, dMSA disables the regular service account while the target service, in our case, sshd,
continues functioning. There will be no service disruption, and you don’t need to change the target service.

Complete the dMSA migration and restart the service

Microsoft recommends retaining the original service account in Active Directory even after it has been disabled during
dMSA migration as a precaution.

The Kerberos events in the Event Viewer show Event ID 307 to indicate the dMSA migration has started and Event ID 308
to indicate the machine has been added to the PrincipalsAllowedToRetrieveManagedPassword attribute.

View Kerberos logs in the Event Viewer

When the service restarted, Event ID 309 was logged, which indicates that the Kerberos client fetched dMSA keys from the
domain controller.

Conclusion
Delegated Managed Service Accounts (dMSAs) enhance security by leveraging machine identities and Credential Guard.
Remember, dMSAs are meant to supersede regular service accounts, and you cannot use them to migrate Managed
Service Accounts (MSAs) and group Managed Service Accounts (gMSAs). Furthermore, thoroughly test dMSAs in a lab
before deploying them in your production environment. This new feature may evolve before Windows Server 2025 is
generally available.

Windows Server 2025 Hyper-V: GPU partitioning, deduplication for VHDs,
AD-less live migration
By Wolfgang Sommergut

The upcoming LTSC release of Windows Server introduces several enhancements to Hyper-V and new storage functions,
which primarily benefit the operation of virtual machines. This includes GPU virtualization, a new deduplication feature for
ReFS, and live migration of VMs on clusters that are not members of an AD domain.

As hypervisors have matured, there haven’t been too many innovations for them in recent years. The last two versions of
Windows Server showed hardly any progress in this area. However, Microsoft is now addressing some overdue
improvements.

Share GPU between VMs


With the increasing significance of graphics processors, particularly due to their central role for AI applications, the existing
support for GPUs in Hyper-V is no longer sufficient. Up until now, it has been limited to passing a GPU through to a virtual
machine using Direct Device Assignment (DDA), making it exclusively available to that particular VM.

Considering their high performance and costs, such utilization of modern graphics processors is inefficient. Therefore,
Windows Server 2025 will allow the partitioning of GPUs, enabling them to be shared among multiple VMs.

Partitioning GPUs across multiple virtual machines

In addition to improving resource utilization, this GPU virtualization also supports live migration, both within a cluster and
between standalone hosts. The previous concept of directly assigning physical hardware to a VM blocked the uninterrupted
transfer of a VM to another host.

The same applies to the high availability of VMs, which is now supported when utilizing GPU partitions.

The prerequisites for the new feature are support for single-root input/output virtualization (SR-IOV), AMD Milan or Intel
Sapphire Rapids processors, and Nvidia GPUs A2, A10, A16 and A40. Windows 10/11, Windows Server 2019/2022, and
Linux Ubuntu 18.04/20.04 LTS can be used as guests.

Pooling of graphics processors


In addition to GPU partitioning, Windows Server 2025 also supports the opposite process, i.e., combining multiple graphics
processors into one virtual GPU. This pooling is designed exclusively for failover, with no support for live migration, as it
relies on DDA.

GPU pooling for VM failover

Administrators need to create a pool with the same name on each cluster node and assign the VMs to this pool. If a node
fails, the cluster will launch the VM on another server and connect it to the corresponding pool.

Live migration in workgroup clusters


Windows Server 2025 introduces another innovation regarding live migration. Since version 2016, the operating system
allows the setup of a cluster in a workgroup. Such a configuration is primarily suitable for smaller deployments, such as
remote offices, where organizations want to keep the infrastructure as simple as possible.

A cluster that is not a member of an Active Directory domain traditionally does not support all workloads; for the Hyper-V
role, it only offers quick migration. This changes with Server 2025, which introduces certificate-based live migration on
AD-less clusters.

Mixed CPUs in clusters


There is also an update to Dynamic Processor Compatibility. It allows computers with processors of different generations
from the same manufacturer to be grouped into a cluster. In this case, Windows exposes only the lowest common
denominator of the CPUs' features to the VMs.

Dynamic Processor Compatibility allows using different Xeon CPUs in a cluster.

In the 2025 version, it is now possible to mix Intel Xeon processors from the third and fourth generations within a cluster.

Gen2 VMs as the default


Another change will make second-generation VMs the default. Currently, when creating a VM using the Hyper-V Manager
or the Windows Admin Center, the default is still Gen1.

Gen2 not only provides higher scalability but also supports features such as Secure Boot, TPM, and UEFI.

Storage improvements for Hyper-V


The upcoming version of Windows Server introduces a series of enhancements in storage functions, particularly benefiting
virtualized workloads.

These include the improved performance of NVMe thanks to a new native driver. According to the manufacturer, this will
increase the maximum number of IOPS by up to 90 percent compared to Server 2022. Additionally, the new operating
system will include an NVMe over Fabric Initiator for connecting to SANs.

ReFS will receive a new dedup function which, unlike the current implementation, is not limited to cold storage. Cold data is
the kind that typically resides on file servers and rarely changes. The new ReFS dedup is also suitable for hot data such as
virtual drives, promising storage space savings of up to 90 percent for VHD(X) and ISO files.

Summary
After a period of relatively slow innovation, Hyper-V in Windows Server 2025 receives several interesting updates. Among
these is GPU virtualization, a capability VMware has offered for some time and one that is particularly important for AI applications.

The OS supports both the partitioning and pooling of GPUs. The latter is intended solely for failover, whereas partitioning
also allows for live migration of VMs assigned a vGPU.

A noteworthy addition is the support for live migration in a cluster that is not joined to AD. The Dynamic Processor Compatibility
feature enables the coexistence of third- and fourth-generation Xeon CPUs in a cluster.

Virtualized workloads benefit not only from improvements in Hyper-V but also in the storage subsystem. These include, in
particular, the acceleration of NVMe storage and the new dedup feature for ReFS.

Build a Windows Server 2025 S2D cluster lab with Hyper-V and PowerShell
By Wolfgang Sommergut

To explore Storage Spaces Direct (S2D) in Windows Server 2025, you can set up a lab environment using virtual machines
with Hyper-V and PowerShell.

A hyper-converged infrastructure (HCI) intended for production imposes stringent requirements on the hardware used. For
specific components, mere certification for Windows Server is insufficient; they must also comply with the Software-Defined
Data Center (SDDC) standards.

Although most lab environments fall short of these specifications, it remains feasible to configure an HCI using virtual
machines. These VMs will act as the nodes of the S2D cluster, operating both a nested Hyper-V environment and S2D,
which provides the software-defined storage.

Windows Server 2025 introduces several exciting enhancements to this storage feature, including support for thin
provisioning and accelerated disk resynchronization.

Workflow for setting up an S2D lab


The fundamental steps for establishing a virtual S2D cluster are as follows:

Create a VM with the required specifications
Install Windows Server 2025 as the guest OS
Add the necessary server roles
Clone the VM to create a total of three nodes
Join the cluster nodes to the domain
Configure the networks using Network ATC
Validate the cluster and form the cluster
Activate Storage Spaces Direct

Creating the VM for the first cluster node


The virtual machines for the S2D nodes should at least have the following specifications:

4 CPU cores
8 GB RAM
1 disk for the operating system
4 additional disks, each with at least 30 GB, for S2D
2 network adapters (for example, one external for management and one private for compute and storage)

This process can be automated with a PowerShell script, as shown in the example using Azure Stack HCI.

If you choose to use Hyper-V Manager for this task, ensure that the VMs and virtual NICs are named according to a
specific schema (e.g., ws2025-node1, ws2025-node2 for VMs and NIC01, NIC02 for network adapters).

Because Hyper-V will run within the VMs, you must enable MAC address spoofing on their virtual NICs.

MAC address spoofing is required for nested virtualization

Additionally, you must enable Nested Virtualization, which can only be done through PowerShell with the following
command:

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $True

Installing the guest OS


In the newly created VM, install Windows Server 2025. For S2D, you will need the Data Center Edition.

Adding roles and features

Once the initial setup is complete, you can add the required server roles. This can be accomplished through the GUI using
Server Manager, but using PowerShell is faster.

Install-WindowsFeature -Name "Hyper-V", "Failover-Clustering", "RSAT-Clustering-PowerShell", "Hyper-V-PowerShell", "FS-FileServer", "NetworkATC" -IncludeManagementTools

The File Server role is necessary for providing file shares on S2D volumes, whereas Network ATC is a new feature in
Windows Server 2025 that automates network configuration.

In this scenario, you can omit the typically required Data Center Bridging, as the virtual NICs are generally not RDMA-
capable unless physical NICs are assigned to the VM via SR-IOV.

Disable IPv6

To avoid issues during the domain join process, it’s advisable to disable IPv6. You can do this for all network adapters
within the guest OS using the following command:

Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true |
    Disable-NetAdapterBinding -ComponentID "ms_tcpip6"

Clone VM
The simplest method is to clone the initial node to streamline the process of creating and installing the guest operating
system for the rest of the virtual machines. Since Hyper-V doesn’t have a dedicated feature for this, you can export the
virtual machine and then import it again.

Exporting the VM for cloning in Hyper-V Manager

Hyper-V Manager allows you to export the VM, but it’s significantly faster to accomplish this through PowerShell with
Export-VM and Import-VM.
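The following PowerShell script is an added example, not code from the original article: it provisions the first node on the Hyper-V host with the specification listed above (4 cores, 8 GB, OS disk, four 30 GB S2D disks, two NICs, MAC spoofing, nested virtualization) and then clones it with Export-VM/Import-VM. The lab folder, ISO path and virtual switch names are assumptions for your environment.

```powershell
# Added example (not from the original article). Run on the Hyper-V host as administrator.
# Assumed placeholders: lab folder, installation ISO and the two virtual switch names.
$LabRoot    = 'D:\S2DLab'                       # placeholder
$IsoPath    = 'D:\ISO\WindowsServer2025.iso'    # placeholder
$MgmtSwitch = 'External'                        # assumed external switch (management)
$StorSwitch = 'Private'                         # assumed private switch (compute/storage)

function New-S2DNodeVM {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int]   $Cores      = 4,
        [int64] $MemoryGB   = 8,
        [int]   $DataDisks  = 4,
        [int64] $DataDiskGB = 30
    )
    $vmPath = Join-Path $LabRoot $Name
    New-Item -ItemType Directory -Path $vmPath -Force | Out-Null

    # Gen2 VM with the OS disk; the article recommends Gen2 for UEFI, Secure Boot and TPM
    $vm = New-VM -Name $Name -Generation 2 -MemoryStartupBytes ($MemoryGB * 1GB) `
                 -Path $LabRoot -NewVHDPath (Join-Path $vmPath "$Name-OS.vhdx") `
                 -NewVHDSizeBytes 60GB -SwitchName $MgmtSwitch

    # Nested Hyper-V needs static memory and the virtualization extensions exposed to the guest
    Set-VM -VM $vm -ProcessorCount $Cores -StaticMemory -AutomaticCheckpointsEnabled $false
    Set-VMProcessor -VM $vm -ExposeVirtualizationExtensions $true

    # Two NICs named per the schema (NIC01 = management, NIC02 = compute/storage);
    # MAC address spoofing lets the nested Hyper-V switch forward its guests' traffic
    Get-VMNetworkAdapter -VM $vm | Rename-VMNetworkAdapter -NewName 'NIC01'
    Add-VMNetworkAdapter -VM $vm -Name 'NIC02' -SwitchName $StorSwitch
    Get-VMNetworkAdapter -VM $vm | Set-VMNetworkAdapter -MacAddressSpoofing On

    # Data disks that Storage Spaces Direct will claim later inside the guest
    for ($i = 1; $i -le $DataDisks; $i++) {
        $vhd = Join-Path $vmPath ("{0}-S2D{1:D2}.vhdx" -f $Name, $i)
        New-VHD -Path $vhd -SizeBytes ($DataDiskGB * 1GB) -Dynamic | Out-Null
        Add-VMHardDiskDrive -VM $vm -Path $vhd
    }

    # Attach the installation media and boot from it first
    Add-VMDvdDrive -VM $vm -Path $IsoPath
    Set-VMFirmware -VM $vm -FirstBootDevice (Get-VMDvdDrive -VM $vm)
    return $vm
}

function Copy-S2DNodeVM {
    param(
        [Parameter(Mandatory)] [string] $SourceName,
        [Parameter(Mandatory)] [string] $NewName
    )
    $exportDir = Join-Path $LabRoot 'Export'
    # Export the installed template node once (it must be shut down); reuse the export for further clones
    if (-not (Test-Path (Join-Path $exportDir $SourceName))) {
        Stop-VM -Name $SourceName -Force -ErrorAction SilentlyContinue
        Export-VM -Name $SourceName -Path $exportDir
    }
    $vmcx = Get-ChildItem -Path (Join-Path $exportDir "$SourceName\Virtual Machines") -Filter *.vmcx |
            Select-Object -First 1
    # Import as a copy with a new VM ID so the clone can coexist with the template on this host
    $clone = Import-VM -Path $vmcx.FullName -Copy -GenerateNewId `
                 -VirtualMachinePath (Join-Path $LabRoot $NewName) `
                 -VhdDestinationPath (Join-Path $LabRoot $NewName)
    Rename-VM -VM $clone -NewName $NewName
    return Get-VM -Name $NewName
}

# Usage: create and start node1, install the guest OS and roles inside it, shut it down, then clone.
New-S2DNodeVM -Name 'ws2025-node1' | Start-VM
# 'ws2025-node2', 'ws2025-node3' | ForEach-Object { Copy-S2DNodeVM -SourceName 'ws2025-node1' -NewName $_ }
```

The clones keep the template's hostname, so rename them during the domain join with Add-Computer -NewName as described in the next section.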

Domain join the cluster nodes


The future cluster nodes should only join the AD domain after cloning. Joining the domain in the first VM before cloning can
lead to issues when renaming hostnames, as this would also change the associated AD object.

Microsoft provides several methods for domain joining, with PowerShell being strongly recommended in this case. If you
need to assign a new hostname (which will be required for Node2 and Node3), the following command can be used:

Add-Computer -Credential contoso\admin -DomainName contoso.com `
    -NewName ws2025-node3 -Restart

You can omit the NewName parameter if renaming is not required.

Configure networks
The next step is to set up the networks for different traffic types: management, compute, and storage. This task can be
significantly simplified in Windows Server 2025 with Network ATC, eliminating the need for manual configuration.

To automatically aggregate the adapters NIC1 and NIC2 and direct traffic for management and compute through them, you
can use the following command:

Add-NetIntent -Name CompMgmt -Management -Compute -AdapterName NIC1, NIC2

To configure the storage network, this is the command you need:

Add-NetIntent -Name Storage -Storage -AdapterName NIC3

Create clusters
Before linking the three virtual servers into a cluster, it is crucial to ensure that they fulfill all prerequisites. Although the Failover
Cluster Manager GUI allows you to perform this validation, PowerShell offers a convenient alternative.

Test-Cluster -Node ws2025-node1.contoso.de, ws2025-node2.contoso.de, ws2025-node3.contoso.de `
    -Include "Storage Spaces Direct", "Inventory", "Network", "System Configuration"

The Test-Cluster cmdlet creates a comprehensive report in HTML format, located at the path provided in the output. While
the test often generates multiple warnings, you can continue with the cluster setup if no errors are detected.

Result of the cluster validation in HTML format

New-Cluster -Name S2DCluster -Node WS2025-Node1, WS2025-Node2, WS2025-Node3

In this example, the cluster is named S2DCluster.

Activate Storage Spaces Direct


Next, you can enable the S2D feature using PowerShell:

Enable-ClusterS2D

Enable Storage Spaces Direct (S2D) with PowerShell

In the screenshot above, the feature displays a warning regarding the absence of cache storage. In a production setting,
allocating extra high-performance drives specifically for this task is common.

To disable caching, use the following command:

Set-ClusterS2D -CacheState Disabled

Summary
To evaluate an HCI with Hyper-V and S2D, you can configure the entire setup using virtual machines. To streamline the
process and avoid repeated installations and configurations of the guest OS, it’s recommended to fully configure one node
and then clone it.

Setting up the first node involves creating a VM with the necessary specifications, enabling Nested Virtualization, and
installing the guest OS with all required roles and features.

After cloning the VM, each node can join an Active Directory (AD) domain. Subsequently, you can configure the networks
using the new Network ATC and form the cluster after successful validation.

Finally, activate Storage Spaces Direct and disable caching as necessary based on the warning received.

Active Directory in Windows Server 2025: New functional level, updated
database, security improvements
By Wolfgang Sommergut

Windows Server vNext introduces several interesting enhancements for Active Directory Domain Services (AD DS) and AD
LDS in build 25951. These include a new functional level for domains and forests, an increase in database page size to
32K, a schema update, and several security improvements.

AD DS has not received any significant updates since Windows Server 2016, and the functional level didn't increase in
Server 2019/2022. However, this will change with the next release of the operating system in the Long Term Servicing
Channel (LTSC), expected to be called Windows Server 2025 if Microsoft follows its previous update cycles.

New functional level


Elevating the functional level for domains or forests is typically done to take advantage of new features offered by the
respective server version. The vNext update for AD DS and Active Directory Lightweight Directory Services (AD LDS) carries an internal
version number of 10, whereas Server 2016 was at version 7.

With the next LTSC version of Windows Server, Active Directory will receive a new functional level

Microsoft is thus skipping versions 8 and 9, which normally would have been given to Server 2019 and 2022, both of which
are stuck at the 2016 level. According to the announcement, there are no plans to retroactively assign these unused
versions to the two older servers.

For newly created AD forests under Server vNext, the minimum functional level must be set to Server 2016. If you wish to
promote a Server 2025 to a domain controller in an existing domain, that domain must also be at least at the 2016
functional level.

More powerful database
The primary reason for upgrading an AD forest to the new functional level 10 is to benefit from the enhanced database
engine. Since the introduction of AD in Windows Server 2000, it has used an 8K page size, resulting in various limitations,
such as individual objects not being able to exceed 8K in size.

The revised Jet Blue extends the page size to 32K, allowing the maximum size of objects to reach this value. Multi-value
attributes can then accommodate up to 3200 values.

New domain controllers are installed with a 32K page size and use 64-bit long value IDs. For compatibility with existing
environments, they also support an 8K page mode.

When upgrading existing DCs to Server vNext, they continue to use the previous database format with an 8K page size.
The global transition to 32K occurs at the forest level by raising the functional level, assuming that all DCs have a 32K-
capable database and the feature is additionally enabled.

The new release also expands the Active Directory Schema with two new LDF files. The equivalent schema update for AD
LDS is contained in the file MS-ADAM-Upgrade3.ldf.

NUMA support
The new NUMA (Non-Uniform Memory Access) support benefits scalability and performance. Previously, AD DS could only
utilize CPUs in group 0, but now they have access to all processor groups.

However, this improvement isn’t exclusive to Server vNext since it was also delivered with the cumulative update for
August 2022 to Windows Server 2022.

New performance counters


Microsoft has introduced several new counters for tracking the performance of various AD operations. These cover the
following functions:

Local Security Authority (LSA) Lookups
DC Locator
LDAP Client

New Indicator for LDAP client performance

Priority of replication partners


The system automatically calculates the priority for data replication between different DCs. However, with Server vNext,
administrators now have the ability to increase the priority for specific replication partners.

This provides greater flexibility in replication for specific scenarios.

New algorithm for locating DC


Microsoft has disabled WINS and Mailslots as methods by which members of the domain can locate a DC. The new
discovery algorithm allows DCs to be found based on NetBIOS names without relying on these outdated protocols.

Security enhancements
The next version of Active Directory introduces several security enhancements, some of which have become necessary
due to past issues.

This includes changes to Kerberos support for the RC4 algorithm, which Microsoft had advised against using,
especially after the discovery of CVE-2022-37966. RC4 is now on the list of ciphers that should not be used.

LDAP communication now supports TLS 1.3 for LDAP over TLS. In addition, LDAP sealing is automatically enabled after
SASL authentication.

If LDAP Channel Binding is enforced through a stricter policy, errors can occur, especially on older devices. Two new
events (3074 and 3075) are designed to help detect such issues. This option is now also available in Windows Server
2022.

Password change methods
The current SAM-RPC method for changing passwords uses AES encryption and is accepted as the new default. However,
Microsoft will block several older SAM-RPCs in the future.

For members of the Protected Users group and for local accounts of domain computers, the SAM-RPC interface will be
blocked by default. This can be changed via group policy if required.

Conclusion
After two releases of Windows Server without any significant innovation for AD DS, Active Directory is once again
receiving major enhancements. These include a database upgrade to address long-standing limitations, reflected in a new
functional level for forests and domains.

Additional improvements in security, replication management, and long-awaited NUMA support further enhance the
capabilities of Active Directory.

Install Windows Server 2025 domain controller, raise AD functional level,
enable 32K database
By Wolfgang Sommergut

Windows Server 2025 introduces significant improvements for Active Directory, including increased scalability thanks to the
Jet database’s 32K pages. New Server 2025 forests can immediately leverage this feature, whereas existing domains must
be raised to the new functional level before you can enable the 32K database.

The 32K-page database format enhances scalability with 64-bit Long Value IDs (LIDs), enabling multi-value attributes to
hold approximately 3,200 values. However, switching to this format does increase storage consumption.

Integration with legacy domain controllers


A domain controller installed on Windows Server 2025 uses the upgraded database, which also supports an 8K-page
simulation mode. This allows a Server 2025-based DC to be integrated into an Active Directory with domain controllers
running previous versions of Windows Server.

To utilize 32K pages, it’s necessary to raise the domain and forest functional levels to Windows Server 2025. This
irreversible process makes a rollback to the 8K page database impossible.

Install new Windows Server 2025 forest


Installing a Windows Server 2025 Active Directory forest resembles the setup process of previous versions. First, install the
domain services:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Next, set up the new forest. Start by saving the password for the DSRM administrator as a secure string:

$DSRM = Read-Host -AsSecureString -Prompt "Enter DSRM password"

You will then use this password for configuring the forest:

Install-ADDSForest -DomainName "contoso.com" -DomainNetbiosName "contoso" `
    -ForestMode "Win2025" -DomainMode "Win2025" -InstallDNS `
    -SafeModeAdministratorPassword $DSRM

Creating a new forest with PowerShell on Windows Server 2025

After the mandatory reboot, you can verify the operation’s success using the following PowerShell commands:

Get-ADDomain
Get-ADForest

Viewing the properties of the new forest and the new domain with PowerShell

These commands should confirm that the forest and the first domain have been raised to the functional level of Windows
Server 2025.

Enable 32k database page size


The 32K-page database is an optional AD feature that can be enabled using the following PowerShell script:

$params = @{
    Identity = 'Database 32k pages feature'
    Scope    = 'ForestOrConfigurationSet'
    Target   = 'contoso.com'
}
Enable-ADOptionalFeature @params

This script uses splatting, but you could also pass the parameters directly to the cmdlet if preferred.

You can verify the success of the operation with the following command:

Get-ADOptionalFeature -Filter {Name -eq "Database 32k pages feature"}

If the EnabledScopes property is empty, then the optional feature is inactive.

Enable AD feature for the use of 32K database pages and check the success of the action

Raise domain and forest functional level


If you are running Active Directory on Windows Server 2016, 2019, or 2022, all domain controllers must be upgraded to
Windows Server 2025 before the database can be expanded to 32K pages.

It is important to note that the database will still use 8K pages after an in-place server upgrade, so this approach does not
overcome the limitation and should be avoided.

Instead, install new Windows Server 2025 domain controllers and replicate the data with the existing Active Directory.
These new DCs will temporarily operate in 8K simulation mode in a mixed environment.

Once all DCs are running Windows Server 2025, raise the forest and domain functional levels as follows:

Get-ADForest | Set-ADForestMode -ForestMode Windows2025Forest
Get-ADDomain | Set-ADDomainMode -DomainMode Windows2025Domain

Verify requirements for 32K migration


Before migrating the database to 32K pages, identify the DCs holding the FSMO roles and the global catalog. Ensure
backups are created for these DCs to safeguard against data loss during the transition.

To determine whether the database supports 32K pages, run the following command on your domain controllers:

Get-ADObject -LDAPFilter "(ObjectClass=nTDSDSA)" `
    -SearchBase "CN=Configuration,DC=contoso,DC=com" -Properties msDS-JetDBPageSize |
    Format-List distinguishedName, msDS-JetDBPageSize

If the result shows 32768, the database meets the requirements for 32K pages. An empty output indicates that the
database is still limited to 8K pages.

Query the possible page size in the Jet database.

Finally, enable the optional AD feature for 32K pages following the process described earlier for a new forest. Once this
action is performed on a domain controller, the new setting is replicated across the AD.

Conclusion
The Jet database with 32K pages is one of the key innovations for Active Directory in Windows Server 2025. However, the
feature is only available out of the box when creating a new forest at the new AD functional level.

All domain controllers must first be upgraded to Windows Server 2025 in existing environments. Avoid in-place upgrades,
as they will retain the database at 8K pages.

Before enabling the enhanced database, the forest and domain functional levels must be raised to Windows Server 2025.
To migrate to the 32K database, you then only have to execute the Enable-ADOptionalFeature cmdlet.

Windows Server 2025 pricing and licensing options
By Wolfgang Sommergut

Windows Server 2025 introduces new pricing and licensing options, with notable updates to the Standard and Datacenter
editions. License fees have increased by 10 to 20 percent.

Microsoft has quietly launched Windows Server 2025 Build 26100.1742 as a General Availability (GA) release. As usual,
this latest version in the Long Term Servicing Channel (LTSC) will receive 10 years of support. Mainstream support will
continue until October 9, 2029, with extended support concluding on October 10, 2034.

Windows Server 2025 comes in two primary editions: Standard and Datacenter. The Essentials edition is still offered but
exclusively via OEM channels. A new pay-as-you-go pricing model has also been introduced, with billing based on usage
through Azure.

Two main editions


The primary difference between the Standard and Datacenter editions lies in their virtualization rights. While Datacenter
Edition allows users to run unlimited virtual instances of Windows Server (Virtual Operating System Environment, VOSE),
the Standard Edition is limited to two VOSEs.

The Datacenter Edition allows unlimited VOSEs with Windows Server 2025

Technical differences also exist. For example, the Standard Edition omits Storage Spaces Direct, which provides software-
defined storage for hyper-converged systems. It also excludes the Network Controller and Host Guardian Service.
Moreover, Storage Replica in the Standard Edition is restricted to up to 2 TB volumes.

The Azure Edition, built on the Datacenter Edition, has some restrictions. It is limited to use on Azure or Azure Stack HCI
and lacks virtualization rights for running Windows Server in virtual machines.

It also does not include the functionality of a KMS server for automatic Windows activation nor the features required to
operate as a container host. A comprehensive comparison of the three editions is available on Microsoft’s website.

Limited Essentials edition
The Essentials edition now serves mainly as a licensing and installation option, since Microsoft eliminated all exclusive
features and associated roles with Server 2019. It is designed for smaller environments, supporting up to 25 users and 50
connected devices, and does not require Client Access Licenses (CALs). The Essentials edition is exclusively available
through OEMs.

It also allows running a single OS instance in a VM, but the host system must be restricted to virtualization in this scenario.
There are further hardware limitations. An Essentials server can only have one processor with a maximum of 10 CPU
cores and up to 128GB of RAM.

Remote Desktop Services have never been fully supported with all roles on an Essentials server, but the updated usage
terms now explicitly exclude its use as a terminal server. The 2025 version’s terms of use also ban the deployment of
Rights Management Services (RMS).

Licensing options
Microsoft has long provided core-based licensing for perpetual licenses across multiple generations of its operating
system, mandating a minimum of 16 cores to be licensed per server. If a server exceeds 16 cores, additional licenses must
be acquired in increments of 2, 4, or 16 cores.

The introduction of separate pricing for individual functionalities is a new feature. This now includes hotpatching, also
available in on-premises versions of Windows Server 2025. However, utilizing this technology requires servers to be
connected to Azure Arc and necessitates Software Assurance.

As of now, Microsoft’s website does not provide pricing details for hotpatching, although the company has previously
suggested that a separate subscription might be necessary.

Pay-as-you-go licensing
The consumption-based licensing model is designed for Standard edition users without unlimited virtualization rights who
require temporary extra capacity. It enables them to run additional VMs using Windows Server 2025.

To use this model, servers need to be connected to Microsoft’s cloud through Azure Arc. The licensing and pricing structure
is identical to running Windows Server in an Azure VM.

The prices for both the Standard and Datacenter editions are the same, and no CALs are needed. However, if the VM
functions as a terminal server, RDS CALs must be acquired.

For the pay-as-you-go option to be used, the Windows Server must remain unactivated with any other license, and this
feature is exclusively available in the retail version of the operating system.

Windows Server 2025 setup allows users to enter a product key or select pay-as-you-go licensing

Switching between consumption-based and traditional licensing is simple; to end pay-as-you-go, users simply enter a
product key for a perpetual license.

When a VM is shut down or permanently deleted without disabling pay-as-you-go, billing may still continue, potentially
resulting in unexpected charges. This can be controlled via the Azure Portal, PowerShell, or by removing the device from
Azure Arc.

Licensing at the VM level


Since Q4 2022, vCore licensing has enabled users to acquire Windows Server licenses for specific VMs, regardless of the
underlying physical hardware. At least eight virtual processor cores must be licensed per VM.

Pricing hikes
Microsoft did not reveal pricing during the announcement of Windows Server 2025. However, recommended prices for the
two main editions can be found on the manufacturer’s website.

According to these listings, the Datacenter Edition is priced at $6,771, whereas the Standard Edition costs $1,176. Both
prices cover the base setup with 16 cores.

The prices across various resellers indicate the following increases:

Windows Server 2025 Essentials: 15 percent
Windows Server 2025 Standard, Datacenter and CALs: 10 percent
Windows Server 2025 RDS CALs: 20 percent

This trend extends beyond Windows Server 2025 and is also apparent in other products. A recent example is System
Center 2025, launched alongside Server 2025, which also saw a 10 percent price hike.

Conclusion
By Michael Pietroforte

Windows Server 2025 equips IT professionals with the tools and knowledge to build secure and modern server
environments. By exploring its new security, storage, networking, and hybrid cloud integration features, readers are well-
prepared to harness the system’s full potential. As the technological landscape continues to evolve, this guide serves as a
foundation for mastering the capabilities of Windows Server 2025 while encouraging further learning and application.

This book will be updated as new articles about Windows Server 2025 are published on 4sysops, ensuring it remains a
current and comprehensive resource for professionals.

Exclusively for members, 4sysops offers an AI-powered chatbot tailored to Windows Server 2025 for ongoing support.
4sysops AI leverages reliable sources, including this eBook, to provide accurate answers. 4sysops AI also integrates
Google and Tavily search to explore the latest Server 2025 topics. Membership is free, grants full access to all AI features,
and allows you to read 4sysops articles without advertisements.

Join the 4sysops IT community now!
