Updates | Microsoft Windows Server Blog
http://approjects.co.za/?big=en-us/windows-server/blog/content-type/updates/
Your Guide to the Latest Windows Server Product Information
Wed, 25 Feb 2026 21:20:22 +0000

Prepare your servers for Secure Boot certificate updates
http://approjects.co.za/?big=en-us/windows-server/blog/2026/02/23/prepare-your-servers-for-secure-boot-certificate-updates/
Mon, 23 Feb 2026 18:00:00 +0000

Secure Boot has long been a foundational security pillar for Windows client devices and Windows Server systems running on physical hardware and virtual environments. The original Secure Boot certificates introduced in 2011 are approaching the end of their planned lifecycle, with expirations beginning in late June 2026. These certificates must be updated before their expiration to maintain a strong security posture.

Coordinated industry effort across the server ecosystem

Microsoft has worked closely with server ecosystem partners to make this transition as smooth as possible:

  • Many newer server hardware and virtual machine versions built since 2024, and almost all released in 2025, are already preconfigured with the 2023 Secure Boot certificates.
  • Device manufacturer and firmware partners have collaborated with Microsoft to provide supported upgrade paths for existing deployments that currently use 2011 certificates.
  • Microsoft and OEMs are working together to provide holistic guidance and help customers plan and execute the update safely across diverse environments.

This coordinated effort is designed to minimize operational risk while helping to preserve the high security standards expected of modern server platforms.

Please see the Windows Blog post, “Refreshing the root of trust: industry collaboration on Secure Boot certificate updates”, to understand how Microsoft collaborated with device manufacturers and firmware partners to support an efficient and safe deployment.

Because Windows Server instances do not receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR)—unlike Windows PCs—IT administrators must take action on servers that are in scope. As part of standard maintenance, administrators should first ensure their servers are fully up to date by installing the latest cumulative updates. They must then manually initiate the Secure Boot certificate update on Windows Server systems that have Secure Boot enabled and did not ship from the manufacturer with the 2023 Secure Boot certificates or have not otherwise been updated to include them.

Call to action for Windows Server administrators

Review the available methods to update Secure Boot certificates on Windows Server and plan your environment refresh well before the June 2026 expiration. Start by reviewing the official step‑by‑step guidance designed specifically for IT professionals managing server environments, which can be found here.

Microsoft has also hosted Secure Boot Ask Microsoft Anything (AMA) sessions in December 2025 and February 2026, providing deep technical context and direct answers to common questions around certificate expiration and updates. If you missed these sessions, recordings are available on demand.

If you have questions, you can join our upcoming Secure Boot AMAs in March and April and follow Windows Events on the Microsoft Tech Community to be apprised of future events. The next event is the “Secure Boot certificate updates explained – Microsoft Technical Takeoff”.

For ongoing updates, resources, and centralized guidance, bookmark the Windows Secure Boot certificate updates page. This page serves as your one‑stop resource to help understand, prepare, plan, and execute Secure Boot certificate updates on your Windows Server environment.

Microsoft’s guidance to help mitigate critical threats to Active Directory Domain Services in 2025
http://approjects.co.za/?big=en-us/windows-server/blog/2025/12/09/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025/
Tue, 09 Dec 2025 16:00:00 +0000

Active Directory Domain Services (AD DS) remains central to enterprise identity, powering authentication and authorization across hybrid environments. As organizations modernize, AD DS continues to be a frequent focus for cyberattacks. This summary outlines six critical threats and provides actionable steps to help detect and reduce risk.

1. Unpatched vulnerabilities

Unpatched vulnerabilities are known security flaws in software that have not been remediated. Like any critical infrastructure, Active Directory Domain Services relies on the security of the system on which it runs. When vulnerabilities exist in the operating system or supporting components, attackers may exploit those gaps to gain initial access or escalate privileges.

According to the 2025 Verizon DBIR, exploitation of known vulnerabilities accounts for roughly 20% of breaches and is up around 34% year over year. These attacks don’t target AD DS because it’s weak—they target environments that fail to apply available fixes. Timely patching is essential to protect against attackers who take advantage of systems left unpatched.

Detection:

Recommendations:

Once attackers gain an initial foothold—often through unpatched systems—they look for ways to move laterally and escalate privileges. One common technique is the authentication relay attack.

2. Authentication relay attacks

Authentication relay attacks (a form of man-in-the-middle) allow adversaries to impersonate users by forwarding legitimate login requests, often exploiting NTLM and sometimes Kerberos. These attacks exploit legitimate authentication flows, enabling lateral movement, data theft, and full domain compromise.

Detection:

Recommendations:

After establishing a presence, attackers often pivot to techniques that target service accounts, which contain service tickets. Kerberoasting is a prime example, leveraging legitimate Kerberos functionality to extract and crack service tickets.

3. Kerberoasting

Kerberoasting targets service accounts by requesting Kerberos service tickets and performing offline brute-force attacks to recover passwords. Because the attack uses legitimate Kerberos functionality, it often goes undetected. And since many service accounts use weak or non-expiring passwords, they are especially vulnerable. The attack does not require elevated privileges to initiate and leaves minimal traces in logs. If successful, it can serve as a stepping stone to full domain compromise.

Detection:

For more information on how to detect Kerberoasting, see Microsoft Security Blog – Kerberoasting.

Recommendations:

  • Migrate service accounts to Group Managed Service Accounts (gMSA).
  • Disable RC4 encryption for Kerberos. Starting with Windows Server 2025, RC4 will be disabled by default.
  • Regularly audit and remove unused SPNs.
  • Enforce security baselines for Windows Server 2025.

The success of Kerberoasting and similar attacks is amplified when accounts are over-permissioned or misconfigured. Excessive privileges can create shortcuts for attackers to escalate access and compromise critical assets.

4. Excessive privileges & account misconfigurations

Excessive privileges and misconfigurations occur when accounts have more permissions than necessary, often due to legacy setups or poor access control. Overprivileged accounts are prime targets for attackers. If compromised, they can be used to disable security tools, access sensitive data, or take control of the domain. These risks are amplified in hybrid environments where on-prem and cloud permissions intersect. A single misconfigured account can serve as a bridge between environments, expanding the blast radius of an attack.

Detection:

  • Defender for Identity flags risky settings and maps lateral movement paths.
  • Use Active Directory Administrative Center to review group memberships and delegated permissions.

Recommendations:

Beyond misconfigurations, legacy features like unconstrained delegation introduce additional risk. If left in place, they can allow attackers to impersonate users and access sensitive resources without detection.

5. Unconstrained delegation

Unconstrained delegation is a legacy Kerberos feature that lets services impersonate any user, posing serious risks if compromised. When it is enabled, a user’s TGT is stored in memory and reused. Because the TGT is valid across the domain, attackers who compromise the service can extract TGTs to impersonate users, including domain admins, and access any Kerberos-protected service.

Detection:

  • Use PowerShell to find systems with unconstrained delegation.
  • Defender for Identity identifies risky configurations.

Recommendations:

  • Deploy Credential Guard on endpoints.
  • Add high-risk accounts to the “Protected Users” group.
  • Mark privileged accounts as “sensitive and cannot be delegated.”
  • Remove support for unconstrained delegation.

Once attackers achieve high privilege, they often seek persistence. Golden Ticket attacks represent the ultimate escalation—granting attackers the ability to forge Kerberos tickets and maintain control indefinitely.

6. Golden Ticket attack

Golden Ticket attacks use a stolen KRBTGT account key to forge Kerberos tickets, granting unrestricted domain access. If this key is compromised, the environment is already seriously breached. Prevention centers on blocking key theft and quickly detecting forged tickets.

This attack is especially dangerous because it bypasses standard authentication and enables persistent, stealthy domain access. Attackers often pair it with methods like DCSync or credential dumping to steal the KRBTGT hash.

Detection:

  • Defender for Identity provides real-time alerts for Golden Ticket usage, DCSync/DCShadow attacks, and unusual Kerberos activity.
  • Enable Kerberos audit logging on all domain controllers.

Recommendations:

Upgrade your cybersecurity with Microsoft

Active Directory Domain Services is central to enterprise identity and access management, making it a frequent focus for cyberattacks. Proactive detection and remediation are essential to reduce risk. If you suspect a compromise, rapid containment is critical. Microsoft Incident Response can help before, during, and after a cybersecurity incident. To learn more, visit Upgrade proactive and Reactive defenses with Microsoft Incident Response.

By applying the detection methods and remediation steps outlined above, organizations can significantly reduce their attack surface. Microsoft’s security tools—Defender for Identity, Defender Vulnerability Management, Sentinel, and Privileged Identity Management—provide the analytics and controls needed to help stay ahead of evolving threats.

Beyond RC4 for Windows authentication
http://approjects.co.za/?big=en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication/
Wed, 03 Dec 2025 17:00:00 +0000

As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever. The deprecation of RC4 (Rivest Cipher 4) encryption in Kerberos is a shift toward modern, resilient security standards. RC4, once a staple for compatibility, is susceptible to attacks like Kerberoasting that can be used to steal credentials and compromise networks. It is crucial to discontinue using RC4.

By mid-2026, we will be updating the domain controller default assumed supported encryption types. The assumed supported encryption types are applied to service accounts that do not have an explicit configuration defined. Secure Windows authentication does not require RC4; AES-SHA1 can be used across all supported Windows versions since it was introduced in Windows Server 2008. If existing RC4 use is not addressed before the default change is applied, authentication relying on the legacy algorithm will no longer function. This blog post helps IT professionals transition to AES-SHA1 encryption by offering steps to detect and address remaining RC4 usage.

For additional details on our Windows Update rollout strategy, check out this page on how to manage Kerberos KDC usage of RC4.

Detect RC4 usage with new tools

Aside from the Windows Update rollout of changes to domain controller default assumed supported encryption types, RC4 should be completely disabled in domain environments to maximize security. Legacy applications or interoperability with non-Windows devices may still necessitate the use of RC4, and such dependencies will need to be identified and addressed.

To support the identification of RC4 usage, we have enhanced existing information within the Security Event Log and developed new PowerShell auditing scripts. These enhancements are available in Windows Server versions 2019, 2022, and 2025.

New fields within existing Kerberos Events

The Security Event Log on Key Distribution Centers (KDC) logs when a client requests a ticket during authentication and when they request access to a specific service within the domain:

  • 4768: A Kerberos authentication ticket (TGT) was requested
  • 4769: A Kerberos service ticket was requested

New fields have been added to these events to capture all of the encryption algorithms supported by an account and to log the specific algorithm that was used during a ticket request. Using this information, you can now better identify:

  • Authentication client devices that only support RC4
  • Authentication target devices that only support RC4
  • Accounts that don’t have AES-SHA1 keys provisioned, specifically for AES128-CTS-HMAC-SHA1-96 (AES128-SHA96) and AES256-CTS-HMAC-SHA1-96 (AES256-SHA96)

The first important new field is called msds-SupportedEncryptionTypes. This field specifies the encryption algorithms that an account supports and is provided for both the client machine and the target service in a request. By default, this field should include both AES-SHA1 and RC4. If it does not include AES-SHA1, that indicates an account that we would expect to use RC4, which would need to be remediated.

The next new field, Available Keys, provides information on the encryption keys that have been created for an account in Active Directory. For most accounts in Windows, this should include RC4 and AES-SHA1 already. If this field contains RC4 but not AES-SHA1, it indicates an account that is not ready to use AES-SHA1 and that would need to be addressed.

The last important new field is the Session Encryption Type. This field contains the encryption algorithm that was used for a specific Kerberos request. Most events will indicate AES-SHA1 was used because that is the default behavior for Windows devices and accounts today. Filtering this event for RC4 will help identify potential problematic accounts and configurations.

New PowerShell scripts

Instead of manually reviewing the Security Event log on your domain controllers to find problematic RC4 usage via events 4768 and 4769, let’s introduce two new PowerShell scripts that are available to you on the Microsoft Kerberos-Crypto GitHub repository.

List-AccountKeys.ps1

Use this PowerShell script to query the Security Event Log for the new Available Keys field. The script enumerates the keys that are available for the accounts it finds from the event logs, as well as the following information:

  • The time at which an event happened
  • The account name
  • The account type
  • The account keys

PS C:\tools> .\List-AccountKeys.ps1

Time                  Name         Type    Keys
----                  ----         ----    ----
1/21/2025 2:00:10 PM  LD1$         Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 2:00:10 PM  AdminUser    User    {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 6:50:34 PM  LD1$         Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 6:50:34 PM  AdminUser    User    {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}
1/21/2025 6:50:34 PM  LD1$         Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}

In this case, the results show that there are AES128-SHA96 and AES256-SHA96 keys available for the accounts found in the logs, meaning these accounts will continue to work if RC4 is disabled.

Get-KerbEncryptionUsage.ps1

Use this PowerShell script to query the same events to see which encryption types Kerberos used within your environment. In this example, the requests used AES256-SHA96, which is a part of AES-SHA1.

PS C:\tools> .\Get-KerbEncryptionUsage.ps1

Time       : 1/21/2025 2:00:10 PM
Requestor  : ::1
Source     : AdminUser@CONTOSO.COM
Target     : LD1$
Type       : TGS
Ticket     : AES256-SHA96
SessionKey : AES256-SHA96

Time       : 1/21/2025 2:00:10 PM
Requestor  : 192.168.1.1
Source     : AdminUser
Target     : krbtgt
Type       : AS
Ticket     : AES256-SHA96
SessionKey : AES256-SHA96

With this script, you can try out additional filtering options on specific encryption algorithms. For example, use the RC4 filter to specifically find requests that used RC4:

PS C:\tools> .\Get-KerbEncryptionUsage.ps1 -Encryption RC4

You can also use security information and event management (SIEM) solutions, like Microsoft Sentinel, or built-in Windows event forwarding as described in So, you think you’re ready for enforcing AES for Kerberos? to query these logs.

Recommendations on RC4 usage scenarios

You’ve used the scripts and identified RC4 usage. Now what should you do?

Here are some common scenarios and recommended solutions. For deeper dives, see our official Detect and remediate RC4 usage in Kerberos documentation.

A user account only has RC4 keys

You used the List-AccountKeys.ps1 script and have identified a user or machine account that only has RC4 in the list of keys. To prepare this account to use AES-SHA1 instead of RC4, reset the account password. Resetting the password will automatically create AES128-SHA96 and AES256-SHA96 keys in Active Directory for the account.

A user account doesn’t show support for AES-SHA1

You queried the Security log and found an account where the msds-SupportedEncryptionTypes field does not include the AES-SHA1 encryption types. There are multiple reasons why this may be the case and the most common scenarios are outlined below:

Scenario 1: The source or target account for a request might not have AES128-SHA96 and AES256-SHA96 correctly configured in its supported encryption types. If this is the case, here’s how you can view the policy:

  • You can use Active Directory Users and Computers (ADUC) with Advanced Features enabled (under View > Advanced features). Review the msDS-SupportedEncryptionTypes attribute for an account to confirm the configuration. Find the account of interest in ADUC and right-click the account name. Select Properties and, in the newly opened window, select the Attribute Editor tab. In the list of attributes, find msDS-SupportedEncryptionTypes to confirm the configuration of the account. If needed, configure the account to include AES128-SHA96 and AES256-SHA96 using Group Policy.
  • You can also use PowerShell. Use the following Get-ADObject command. Note: The output for msds-SupportedEncryptionTypes will be in decimal format.

PS C:\> Get-ADObject -Filter "Name -eq 'LM1' -and (ObjectClass -eq 'Computer' -or ObjectClass -eq 'User')" -Properties "msds-SupportedEncryptionTypes"

DistinguishedName             : CN=LM1,CN=Computers,DC=contoso,DC=com
msds-SupportedEncryptionTypes : 28
Name                          : LM1
ObjectClass                   : computer
ObjectGUID                    : 3a4c6bc4-1a44-4f1f-b74a-02ec4a931947

To interpret the values and to determine the best configuration for your environment, check out Active Directory Hardening Series – Part 4 – Enforcing AES for Kerberos and Decrypting the Selection of Supported Kerberos Encryption Types.

After setting the right combination for your environment, restart the device, and it will update its msds-SupportedEncryptionTypes attribute in the Active Directory database.

Scenario 2: The source or the target machine might not have the msds-SupportedEncryptionTypes defined in AD and is falling back to the default supported encryption types.

You’ll need to have a more holistic understanding of your environment. Do you know what happens to devices that don’t have a value defined for msds-SupportedEncryptionTypes, or that have the value set to 0? Normally, these devices will automatically receive the value of DefaultDomainSupportedEncTypes. Depending on your individual risk tolerance, consider using one of the following methods to address this scenario:

  • Define the specific msds-SupportedEncryptionTypes value in the account properties to ensure it isn’t falling back to the DefaultDomainSupportedEncTypes.
  • Set the DefaultDomainSupportedEncTypes to include AES128-SHA1 and AES256-SHA1. Note: This will change the behavior of all accounts that don’t have a value for msds-SupportedEncryptionTypes.

The device doesn’t support AES128-SHA96 or AES256-SHA96

The last version of Windows devices that did not support AES128-SHA96 and AES256-SHA96 was Windows Server 2003. We strongly recommend that you migrate to a supported version of Windows as soon as possible.

If you have a third-party device that does not support AES128-SHA1 and AES256-SHA1, we want to hear from you! Please reach out to stillneedrc4@microsoft.com telling us:

  • What is this device?
  • How does it fit into your workflow?
  • What is your timeline for upgrading this device?

Using WAC for configuring allowed encryption types

Microsoft provides a security baseline for Windows Server 2025 to set and audit recommended security configurations. This baseline includes disabling RC4 as an allowed encryption type for Kerberos. You can apply security baselines or view compliance using PowerShell or using the Windows Admin Center.

In Windows Admin Center, you can access the security baseline compliance report by connecting to the server you’ve configured using OSConfig and selecting the Security Baseline tab of the Security blade. In the Security Baselines tab, you can filter for the policy “Network Security: Configure encryption types allowed for Kerberos” to see your current compliance state for allowed encryption types. The compliant values for this policy in the baseline that do not allow RC4 are:

  • 2147483624: AES128-SHA96 + Future Encryption types
  • 2147483632: AES256-SHA96 + Future Encryption types
  • 2147483640: AES128-SHA96 + AES256-SHA96 + Future Encryption types
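
Both the decimal msds-SupportedEncryptionTypes value returned by Get-ADObject (28 in the output earlier) and the baseline policy values listed above are bitmasks. The following is an added example, not code from the post or from the Kerberos-Crypto repository: the helper name ConvertFrom-KerbEncTypeMask is hypothetical, the low five bit positions are the standard Kerberos encryption-type flags, and the "Future encryption types" mask is derived from the values listed above.

```powershell
# Added example: decode a Kerberos supported-encryption-types bitmask.
# ConvertFrom-KerbEncTypeMask is a hypothetical helper name (assumption).
# Names follow the post (RC4, AES128-SHA96, AES256-SHA96).
$EtypeFlags = @(
    [pscustomobject]@{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    [pscustomobject]@{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    [pscustomobject]@{ Bit = 0x04; Name = 'RC4' }
    [pscustomobject]@{ Bit = 0x08; Name = 'AES128-SHA96' }
    [pscustomobject]@{ Bit = 0x10; Name = 'AES256-SHA96' }
)

# "Future encryption types" covers every bit from 0x20 upward:
# 2147483624 - 8 (AES128-SHA96) = 2147483616 = 0x7FFFFFE0.
$FutureMask = 0x7FFFFFE0

function ConvertFrom-KerbEncTypeMask {
    param(
        [Parameter(ValueFromPipeline)]
        [AllowNull()]
        $Value
    )
    process {
        # A missing attribute is treated like 0 (not configured).
        $mask = if ($null -eq $Value) { [long]0 } else { [long]$Value }

        # Collect the names of the known low bits that are set.
        $names = @(foreach ($f in $EtypeFlags) {
            if ($mask -band $f.Bit) { $f.Name }
        })

        # Everything above the five known bits.
        $rest = $mask -band (-bnot 0x1F)
        if ($rest -eq $FutureMask) {
            $names += 'Future encryption types'
        } elseif ($rest -ne 0) {
            $names += ('other bits 0x{0:X}' -f $rest)
        }

        $hasAes  = [bool]($mask -band 0x18)   # AES128-SHA96 or AES256-SHA96
        $hasWeak = [bool]($mask -band 0x07)   # RC4 or either DES type

        $assessment = if ($mask -eq 0) {
            'Not set: falls back to DefaultDomainSupportedEncTypes'
        } elseif ($hasWeak -and -not $hasAes) {
            'No AES-SHA1: remediate'
        } elseif ($hasWeak) {
            'AES-SHA1 present, RC4/DES still allowed'
        } elseif ($hasAes) {
            'AES-SHA1 only'
        } else {
            'No known encryption type set'
        }

        [pscustomobject]@{
            Value      = $mask
            Hex        = '0x{0:X}' -f $mask
            Types      = $names -join ', '
            RC4Allowed = [bool]($mask -band 0x04)
            Assessment = $assessment
        }
    }
}

# 28 is the Get-ADObject output shown in the post; the three large values are
# the baseline-compliant settings listed above. 4 (RC4 only) and 0 (not
# configured) are constructed samples.
28, 2147483624, 2147483632, 2147483640, 4, 0 |
    ConvertFrom-KerbEncTypeMask |
    Format-Table Value, Hex, Types, RC4Allowed, Assessment -AutoSize -Wrap
```

The same function can be fed the msds-SupportedEncryptionTypes property of objects returned by Get-ADObject to triage accounts in bulk.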

This is an example of the audit report indicating a device with a compliant setting:

This is an example of audit showing devices configured with a setting that is different from the previous compliant values:

Using stronger ciphers

In the current security landscape, RC4 isn’t required to ensure secure Windows authentication. You can use stronger ciphers, like AES-SHA1, for authentication among all supported versions of Windows. We hope that these detection and mitigation tools help you and your organization in your hardening efforts. Please check out our official Detect and remediate RC4 usage in Kerberos documentation for more details and scenarios.

How Hotpatching on Windows Server is changing the game for Xbox
http://approjects.co.za/?big=en-us/windows-server/blog/2024/01/23/how-hotpatching-on-windows-server-is-changing-the-game-for-xbox/
Tue, 23 Jan 2024 17:00:00 +0000

Learn how Microsoft has been using Hotpatch with Windows Server 2022 Azure Edition to substantially reduce downtime for SQL Server databases.

Explore how Xbox drives efficiency using Windows Server and SQL Server on Azure

Would you like to avoid spending your weekends patching servers? The new Hotpatch feature in Windows Server 2022 Datacenter: Azure Edition addresses this pain point—it can reduce many IT teams’ headaches including reboot failures and coordinating multitier workloads. It increases productivity and end-user uptime and can reduce the vulnerability window that would result if an update is delayed.

To demonstrate how Hotpatching works, we’ve brought in an example from our very own Xbox team. In this article you’ll learn how Microsoft has been using Hotpatch with Windows Server 2022 Azure Edition to substantially reduce downtime for SQL Server databases running on Windows Server Azure virtual machines on an important set of backend services for the Xbox network.

What is Hotpatch?

Hotpatch for Windows Server 2022 Datacenter: Azure Edition allows you to apply every month’s “patch Tuesday” security updates, but does not require the server operating system to restart two out of three months.

While Hotpatch has been available on the Server Core option of Windows Server 2022 Azure Edition for some time, it has just become available in summer 2023 for the more widely used Desktop Experience option. You can see a demo of it in this on-demand session from Ignite.

Here’s what’s great about it:

  • Higher availability and fewer restarts.
  • Faster deployment of updates because the packages are smaller, install faster, and have easier patch orchestration using Azure Update Management.
  • Better protection because the Hotpatch update packages are scoped to Windows security updates that install faster without restarting.

When you enable Hotpatch, a baseline Cumulative Update is applied to the server. This update does require a reboot. After this point, your team can update easily, with fewer restarts, which can greatly reduce any vulnerability window. Check out this release documentation for details on the Hotpatch calendar.

How the Xbox network team uses Hotpatch

The Xbox network relies on several critical backend services hosted in SQL Server databases running on Windows Server Azure virtual machines. There are 18 different services hosted in this manner, with some services handled by two SQL Servers and others up to 120 SQL Servers. Some of these workloads have been in production for 15 years.

Of course, when you’re running backend services for a group of passionate gamers like Xbox network customers, it’s imperative to patch and restore services with as little downtime as possible.

Approximately 1,000 servers hosting these services started their journey on physical hardware when the services were first deployed, and more than 15 years later, through a process of rolling upgrades and migration, are now running in Azure hosted as infrastructure as a service (IaaS) Virtual Machines (VMs). According to senior service engineer Tim Dreyling, the team has found it “magnitudes easier to manage Windows Server on Azure VMs, over relying on data center support to address ‘machine’ issues.”

After migrating the backend Xbox network services from the earlier version of Windows Server 2022 Azure Edition to the version that supported Hotpatch, the team that supported these specific backend services went from an update cycle every month that could take weeks of careful orchestration to being able to apply Hotpatch updates across a fleet of nearly 1,000 servers in less than 48 hours two months out of every three.

“As a database administrator (DBA) this is the biggest thing to increase our service reliability and uptime since SQL Server Availability Groups were introduced with SQL Server 2012,” says Tim.

Hotpatch with Windows Server 2022 Datacenter Azure Edition isn’t just used with SQL Server with Xbox network backend services, but is also used on IaaS VMs running Active Directory DS Domain Controllers and VMs hosting web services roles.

While your services might not have the complexity and scale of the Xbox network, we think you’ll quickly see the Hotpatch advantage of minimizing reboot downtimes while ensuring the services you host are reliable, protected, and available.

Hotpatch is currently available on Azure Edition (see below for details), but the team has more innovations in the works, and many ways to access cloud innovation in your hybrid cloud environment by connecting your servers to Azure Arc.

In case you weren’t able to join us at Ignite, you can watch two Windows Server-focused sessions on-demand. These talks cover Hotpatching and the Xbox example discussed above, along with a number of new and upcoming features for our Windows Server and SQL Server customers:

  1. Do More with Windows Server and SQL Server on Azure—Bob Ward, Principal Architect in the Azure Data team, and Jeff Woolsey Principal PM Manager in Windows Server, do a quick-fire session with descriptions of the latest innovations across these technologies.
  2. What’s New in Windows Server v.Next—Elden Christensen, Principal Group PM Manager, joins Jeff Woolsey to explain and demo the features that our engineering team is working on for the next Windows Server.

If you’re interested in being hands-on and trying what’s coming next for Windows Server, you can get early access to the latest features in the works by joining the Windows Insider program.

Learn more about Windows Server and Hotpatch

Secure Windows Server 2012/R2 workloads with options from Azure
http://approjects.co.za/?big=en-us/windows-server/blog/2023/10/10/secure-windows-server-2012-r2-workloads-with-options-from-azure/
Tue, 10 Oct 2023 16:00:00 +0000

October 10th, 2023 marks the end of support date for Windows Server 2012/R2 and we want to outline options for customers to stay protected and compliant.

We are grateful for the trust our customers have placed in Windows Server 2012/R2 as a part of their organizations for the past decade. With this release of Windows Server having launched 10 years ago, it reaches end of support on October 10th, 2023, per our 10-year lifecycle policy. After this date, no more security patches will be released for Windows Server 2012 and 2012 R2. To stay protected and compliant, we wanted to outline three options for customers from Azure.

Modernize with PaaS or upgrade to a newer version in Azure

Modernization provides organizations with a more future-proof solution by using a cloud-first approach or updating to a newer version. One modernization option is moving to platform-as-a-service (PaaS) solutions such as Azure SQL Managed Instance or Azure App Service. By modernizing workloads to a PaaS solution, customers can fully offload management and patching tasks in the cloud. This helps teams stay up-to-date, avoid future end-of-support dates, and focus on delivering innovative apps and experiences for their businesses.

Alternatively, customers can migrate and upgrade their Windows Server 2012/R2 with Azure Migrate, our free tool for discovery, assessment, and migration of workloads to Azure. With this feature, organizations can now elect to move their legacy applications and databases to a fully supported, compatible, and compliant operating system. This includes our latest release in Windows Server 2022, which provides organizations with advanced multi-layer security, hybrid capabilities with Azure, and a flexible platform to modernize applications. Learn more about this feature of Azure Migrate.

Migrate to Azure for free Extended Security Updates

If organizations are not able to modernize Windows Server 2012/R2 in time, they can use Extended Security Updates (ESUs), which provide security patches for up to three years past the end of support date.

When organizations migrate end-of-support workloads to Azure, they get free Extended Security Updates. This includes options such as Azure Virtual Machines, Azure Dedicated Host, Azure VMware Solution, and Azure Stack HCI. Combining this with Azure Hybrid Benefit and consumption models such as reserved instances or savings plan for compute allows even more savings in Azure for Windows Server and SQL Server.  

Organizations can get in-depth resources to help them start their cloud journey on Azure with Azure Migrate and Modernize & Azure Innovate—our new offerings that provide end-to-end support from migration and modernization to infusing the latest innovation in analytics and AI. 

Stay protected in hybrid and multicloud environments with ESUs enabled by Azure Arc

Organizations that aren’t able to modernize or migrate prior to the Windows Server 2012/R2 end of support date this October can protect their hybrid and multicloud workloads with ESUs enabled by Azure Arc. Here are the key benefits:

  • Monthly pay-as-you-go: Activate and enroll from Azure to pay for security updates on a monthly basis, giving organizations more flexibility to migrate and modernize to Azure on their terms.  
  • Seamless delivery: The enrollment of Extended Security Updates on Azure Arc-enabled machines does not require the acquisition or activation of keys. Moreover, customers have the flexibility to use Azure Update Manager or another patching solution of their choice to receive the actual patches.
  • Organize and inventory your assets: Gain visibility and reporting across servers spanning your hybrid, multicloud, and edge infrastructure. 
  • Security and compliance: Extend Azure security and governance services such as Microsoft Defender for Cloud and Microsoft Sentinel to further secure your infrastructure from cloud to edge and stay compliant with supported software. ESUs enabled by Azure Arc also give free access to Azure Update Manager, Machine Configuration, and Change Tracking and Inventory for further automation and easier delivery of patches.

Connect to Azure Arc today to get started with ESUs enabled by Azure Arc or learn more here.

Prepare for other end of support dates

As organizations continually modernize their estate, there are several other end of support dates to keep in mind for Windows Server and SQL Server customers:

  • Prepare for SQL Server 2014 end of support. Many Windows Server customers often run SQL Server for their databases, which also has some end of support dates to be aware of. SQL Server 2012 reached end of support on July 12th, 2022, and the upcoming end of support deadline is for SQL Server 2014, which reaches end of support on July 9th, 2024. Organizations have the same three options outlined above to protect SQL Server 2014 workloads.

See the lifecycle of products supported with Extended Security Updates here.

Start modernizing for end of support

Here are a few key resources to learn more so you can be prepared for current and future end of support scenarios: 

4 best-practices to keep your Windows Server estate secure and optimized https://azure.microsoft.com/blog/4-bestpractices-to-keep-your-windows-server-estate-secure-and-optimized Wed, 08 Mar 2023 17:00:00 +0000 Microsoft Windows Server customers often share with us the challenges of navigating rapid changes. Here are four best practices to keep Windows Server secure and up-to-date.

The post 4 best-practices to keep your Windows Server estate secure and optimized appeared first on Microsoft Windows Server Blog.

Maximize your Windows Server investments with new benefits and more flexibility http://approjects.co.za/?big=en-us/windows-server/blog/2022/10/12/maximize-your-windows-server-investments-with-new-benefits-and-more-flexibility/ Wed, 12 Oct 2022 16:00:00 +0000 Customers like you, with businesses of all sizes, have trusted Windows Server as the platform to run your mission-critical workloads for over 30 years.

The post Maximize your Windows Server investments with new benefits and more flexibility appeared first on Microsoft Windows Server Blog.

Customers like you, with businesses of all sizes, have trusted Windows Server as the platform to run your mission-critical workloads for over 30 years. Through challenging economic conditions and constantly shifting business needs, you’ve been able to adapt and innovate with support from a resilient infrastructure. We are committed to supporting you in the next steps to modernize by introducing new benefits that add more value and flexibility to maximize your Windows Server investments while achieving cost savings and efficiency.

Azure Hybrid Benefit expansion

As customers are increasing cloud adoption to run virtual machine (VM)–based and containerized applications, they also need to keep some workloads on-premises. At Microsoft, we are committed to meeting customers where they are. Azure Hybrid Benefit is a program that enables customers to reduce the costs of running workloads in the cloud. At Microsoft Ignite, we’re introducing new additions to Azure Hybrid Benefit to bring the value of Azure to where customers are.

As part of our updates, customers with Windows Server Software Assurance or a Cloud Solution Provider subscription will be able to use Azure Kubernetes Service (AKS) on Windows Server and Azure Stack HCI in their own datacenters or edge infrastructure at no additional cost. This will enable customers to containerize their applications and deploy them on Azure or on-premises consistently by maximizing business value with a managed Kubernetes service in their own environments.

For customers looking to modernize their environment, we are also introducing a new benefit for Windows Server Datacenter Software Assurance customers to use Azure Stack HCI at no additional cost.¹ With this, customers can modernize their existing datacenter and edge infrastructure to run their VM and container-based workloads on modern infrastructure with industry-leading price performance and built-in connectivity to Azure. Learn more about Azure Hybrid Benefit for AKS and Azure Stack HCI.

More flexibility to run Windows Server

On October 1, 2022, we implemented several updates to outsourcing and hosting terms for customers and partners globally. Among these is the Flexible Virtualization Benefit, which allows customers with Software Assurance or subscription licenses to run their own licensed software, including Windows Server, on other cloud providers’ infrastructure—dedicated or multitenant.² Additionally, customers can also license Windows Server on a VM basis.

Windows Server customers have been increasingly leveraging Windows containers to modernize their applications. However, we heard from a few of our customers and application vendors that needed the ability to distribute a complete containerized application directly to their end users. Starting today, customers will be able to redistribute Windows Container base images beyond their organization in accordance with the updated End-User Agreement License. Now, customers and application vendors across segments like medical, financial, manufacturing, or other air-gapped environments can more easily use Windows containers to modernize their applications. Learn more about the upcoming changes in our tech community blog.

Modernize for end of support

With all the added benefits and flexibility mentioned above, there is no better time to modernize than now. This is especially true if you are running Windows Server 2012/R2, which is reaching end of support next year on October 10, 2023. We have several options to keep your Windows Server 2012/R2 workloads protected:

  • Migrate to Azure and run securely with up to three years of free Extended Security Updates. This includes all Azure destinations such as Azure Virtual Machines, Azure Dedicated Host, Azure VMware Solution, and the Azure Stack portfolio.
  • Upgrade to Windows Server 2022 to get the latest innovation in security and application modernization.
  • Deploy extended security updates on-premises. Customers that cannot meet the end of support deadline and have Software Assurance or subscription licenses under an enterprise agreement enrollment, and cannot migrate their Windows Server to Azure, will have the option to buy Extended Security Updates.

Start migrating and modernizing your Windows Server workloads

No matter where you are in your migration and modernization journey, we are committed to supporting you at every step. Here are some resources to get started today:  


¹ Currently only available for Windows Server Datacenter licenses with Software Assurance purchased through Enterprise Agreements. Customers can only use Windows Server or Azure Stack HCI. Customers will have 180 days of concurrent use rights to move to Azure Stack HCI.

² Note that these changes exclude what we term Listed Providers: Alibaba, Amazon Web Services, Google, and Microsoft. Customers that want to use a Listed Provider for outsourcing can acquire licenses directly from the Listed Provider.

³ Note: In alignment with the servicing model for Windows 7 and Windows 8.1 (link to blog), the Windows Server 2012 and 2012 R2 ESU program will only include Monthly Rollup packages; Security Only update packages will not be provided.

Windows Admin Center for Azure Virtual Machines is now generally available http://approjects.co.za/?big=en-us/windows-server/blog/2022/10/12/windows-admin-center-for-azure-virtual-machines-is-now-generally-available/ Wed, 12 Oct 2022 15:00:00 +0000 Today, we are extending capabilities in your cloud infrastructure with the general availability of Windows Admin Center for Azure Virtual Machines.

The post Windows Admin Center for Azure Virtual Machines is now generally available appeared first on Microsoft Windows Server Blog.

For decades, companies of every size have trusted Windows Server to run their mission and business-critical workloads. As more customers use the cloud for innovation and digital transformation, customers are increasingly migrating their workloads to Azure—as the best destination for Windows Server. Whether customers are migrating as is, or modernizing applications, Azure provides more than 200 unique services and capabilities for Windows Server. We’re excited to announce one more capability today.

Ever since its release in 2018, Windows Admin Center has become the solution for managing Windows Server infrastructure running on-premises. It has grown to provide dozens of experiences that make remote investigation and remediation of your servers as easy as possible. Today, we are extending the same tooling to your cloud infrastructure with the general availability of Windows Admin Center for Azure Virtual Machines. Let’s dive into the new features.

GIF of the Azure Virtual Machine’s screen in the Azure Portal where customer navigates through Windows Admin Center blade.

Why use Windows Admin Center in Azure

Simplicity and convenience

Windows Admin Center in Azure unlocks incredible capabilities for the Azure portal by providing you with an interface to manage your Windows Server Virtual Machines. By default, the Azure portal provides a singular view for virtual machine management and the essential elements to manage your infrastructure. With the addition of Windows Admin Center, we have supplemented this great experience with additional capabilities such as an enhanced view of virtual machine usage, performance monitoring, viewing of events, and much more. We expect this to reduce the need for you to remote desktop into your virtual machine for administration, simplifying your experience as you deploy and maintain virtual machines with or without a graphical user interface (GUI).

Secure, passwordless authentication

Unlike Windows Admin Center on-premises, Windows Admin Center in Azure features single sign-on using Azure Active Directory (Azure AD) authentication to bring you an end-to-end identity experience in the Azure portal. Regardless of whether your virtual machine is on-premises Active Directory joined, Azure AD joined, or not joined to any domain, Windows Admin Center and Azure AD provide a single sign-on experience. Just add your Azure AD identity to the Windows Admin Center Administrator Login Azure role-based access control (RBAC) role and get access to the full suite of management capabilities that we provide in the Azure Portal. Read more about how this exciting capability reduces the reliance on local administrator accounts when managing Windows Server machines in Azure.

Performant

Users expect a fast, reliable, and personalized experience when managing their infrastructure. Windows Admin Center in Azure leverages cloud-native services such as Azure Front Door, a content delivery network (CDN) that rapidly delivers content and brings you an unmatched server management performance in the Azure Portal. Compared to Windows Admin Center on-premises, the Azure experience is about two and a half times faster, by delivering its static content from the cloud, while keeping your server’s data secure within your network.

Get started with Windows Admin Center

Windows Admin Center in Azure is available to all Windows Server customers on Azure running Windows Server 2016 or higher in the public cloud. Create a new virtual machine today or deploy Windows Admin Center on your existing infrastructure. You can begin managing your virtual machines in Azure using Windows Admin Center by navigating to the Windows Admin Center blade under Settings in the Virtual Machine Azure portal UI.

Windows Admin Center in Azure is also available in preview for managing Windows Server Azure Arc–enabled servers and Azure Stack HCI clusters.

Follow us at Microsoft Ignite and stay tuned for more exciting capabilities coming soon to Windows Admin Center in Azure.

System Center 2022 is now generally available http://approjects.co.za/?big=en-us/windows-server/blog/2022/04/01/system-center-2022-is-now-generally-available/ Fri, 01 Apr 2022 15:00:00 +0000 We are excited to announce the general availability of System Center 2022. We are continuing to bring new capabilities for best-in-class datacenter management.

The post System Center 2022 is now generally available appeared first on Microsoft Windows Server Blog.

Datacenters are a core part of any IT infrastructure for businesses that run mission-critical workloads. However, with components across compute, networking, and storage, as well as the advancement in cloud technologies, the management of your datacenter environment can quickly become complex. Ever since its release in 2008, Microsoft System Center has been the solution that simplifies datacenter management across your IT environments.

Today, we are excited to announce the general availability of System Center 2022, which includes System Center Operations Manager (SCOM), Virtual Machine Manager (VMM), System Center Orchestrator (SCORCH), Service Manager (SM), and Data Protection Manager (DPM). With this release, we are continuing to bring new capabilities for best-in-class datacenter management across diverse IT environments that could be comprised of Windows Server, Azure Stack HCI, or VMware deployments. We have been energized to hear of organizations such as Olympia, Schaeffler, and Entain who have validated the capabilities of System Center 2022 during the preview. Now, let us dive into what is new with System Center 2022.

Why upgrade to System Center 2022

Best-in-class datacenter management

Your IT environments are ever-evolving to have applications running on a diverse set of hardware. Your workforce is spread across multiple locations and remote management is the new normal. System Center 2022 focuses on simplifying collaboration and providing consistent control for all your environments.

Enhanced access control capabilities in SCOM facilitate simpler management of permissions on the monitoring data and alert actions. This is a critical piece toward adoption of DevOps practices, empowering users with the right level of control. The integration with Microsoft Teams and management of alert closures reduce the cycle time between the application owners and the SCOM administrator. Developers can get notified about alerts for their applications on the Teams channels.

Additionally, to meet the needs of growing environments, you can now assign both IPv4 and IPv6 IP addresses to the software-defined networking (SDN) deployments with VMM. Performance and technology optimizations to the data protection manager mean you get more control and speed on the backups and restores.

Overall, this release gives you more control in managing the environment and working with the DevOps teams.

Flexible infrastructure platform

Datacenters are becoming more heterogeneous, with multiple host platforms and hypervisors, Windows/Linux, VMware, and Hyper-Converged Infrastructure (HCI). System Center 2022 enables the unification of management practices for the datacenter, irrespective of the platform in use.

System Center 2022 is the best toolset to manage your Windows Server 2022 and SQL Server infrastructure. This includes using Windows Server 2022 for the management infrastructure and managing the Windows Server 2022 based environment. In addition to a comprehensive management experience for Windows Server 2022 workloads, this release of System Center adds support for managing Azure Stack HCI 21H2, VMware 7.0 hosts, and the latest Linux distros. You can create, configure, and register HCI 21H2 clusters, control virtual machines on the HCI clusters, set up SDN controllers, and manage storage pools from VMM. There are new management packs in SCOM for monitoring the Azure Stack HCI clusters. To protect the virtual machines on Stack HCI clusters, Microsoft Azure Backup Server can now be used.

Hybrid management with Azure

Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.

We will be bringing hybrid capabilities with System Center 2022 to standardize management and governance across on-premises and cloud environments while reusing your existing investments in System Center.

Stay tuned for more on these exciting capabilities!

Get started with System Center 2022

Get the most out of Windows Server with these 5 best practices http://approjects.co.za/?big=en-us/windows-server/blog/2022/03/01/get-the-most-out-of-windows-server-with-these-5-best-practices/ Tue, 01 Mar 2022 16:00:00 +0000 We’ve invested in Windows Server for nearly 30 years, and we continue to find new ways to empower businesses who trust Windows Server as the operating system for their workloads. Over this time, we understand that business requirements have become more complex and demanding.

The post Get the most out of Windows Server with these 5 best practices appeared first on Microsoft Windows Server Blog.

We’ve invested in Windows Server for nearly 30 years, and we continue to find new ways to empower businesses who trust Windows Server as the operating system for their workloads. Over this time, we understand that business requirements have become more complex and demanding. Thus, we are energized when we hear how customers continue to trust Windows Server to navigate these ever-evolving requirements and run business and mission-critical workloads.

We want to continue to invest in your organizations’ success and enable you to get the most out of Windows Server by keeping you informed of the latest product announcements, news, and overall best practices. Here are the top five to-do’s for you to make the most out of Windows Server:

1. Patch and install security updates without rebooting with Hotpatch

Hotpatch is now generally available. As part of Azure Automanage for Windows Server, this capability allows you to keep your Windows Server virtual machines on Azure up-to-date without rebooting, enabling higher availability with faster and more secure delivery of updates. Other capabilities that are part of Azure Automanage for Windows Server include SMB over QUIC, as well as extended network for Azure, which lets you keep your on-premises IP addresses when you migrate to Azure. Learn more about why Azure is the best destination for Windows Server.

2. Take the recently available Windows Server Hybrid Administrator Certification

Invest in your career and skills with this brand-new Windows Server certification. With this certification, you can keep the Windows Server knowledge you have built your career on and learn how to apply it in the current state of hybrid cloud computing. Earn this certification for managing, monitoring, and securing applications on-premises, in Azure, and at the edge. Learn more about Windows Server Hybrid Administrator Associate certification today.

3. Upgrade to Windows Server 2022

With Windows Server 2022, get the latest innovation for you to continue running your workloads securely, enable new hybrid cloud scenarios, and modernize applications to meet your ever-evolving business requirements. Learn more about investing in your success with Windows Server.

4. Protect your workloads by taking advantage of free extended security updates (ESUs) in Azure

While many customers have adopted Windows Server 2022, we also understand that some need more time to modernize as support for older versions of Windows Server will eventually end.

  • For Windows Server 2012/2012 R2 customers, the end of support date is October 10, 2023. 
  • For Windows Server 2008/2008 R2 customers, the third year of extended security updates is coming to an end on January 10, 2023. Customers can get an additional fourth year of free extended security updates (ESUs-only) on Azure (including Azure Stack HCI, Azure Stack Hub, and other Azure products). With this, customers will have until January 9, 2024 for Windows Server 2008/2008 R2 to upgrade to a supported release.

We are committed to supporting you as you start planning for end of support if you are running workloads on older versions of Windows Server. Learn more about end of support deadlines for Windows Server 2008/R2 and 2012/R2 and your options.

5. Combine extended security updates with Azure Hybrid Benefit to save even more

In addition to all the innovative Windows Server capabilities available only on Azure, it also has offers for you to start migrating your workloads with Azure Hybrid Benefit. It is a licensing benefit that allows you to save even more by using existing Windows Server licenses on Azure. Learn more about how much you can save with Azure Hybrid Benefit.

Ask questions and engage in our community

Get started implementing these Windows Server best practices today! Join the conversation by sharing stories or questions you have here:  


¹ Note: In alignment with the servicing model for Windows 7 and Windows 8.1 (link to blog), the Windows Server 2012 and 2012 R2 ESU program will only include Monthly Rollup packages; Security Only update packages will not be provided.
