As we continue to innovate, support for older Windows Server versions—including security updates—eventually comes to an end. In accordance with the Microsoft Lifecycle Policy, extended support for Windows Server 2016 will end on January 12, 2027.

Many customers are already upgrading to the latest version of Windows Server to take advantage of the newest innovations and modernize their IT environment. Windows Server 2025 stands as the most secure and cloud‑connected version ever—bringing cloud‑grade security, hotpatching, and centralized hybrid management to on‑premises environments.

However, we recognize that Windows Server often supports complex, business-critical applications, and some customers may need additional time to complete their modernization journey. To help protect these workloads during the transition, we are pleased to offer flexible options and benefits through Azure and the latest Windows Server releases.

Today, we are announcing Extended Security Updates for Windows Server 2016.

Extended Security Updates for Windows Server 2016 deliver an enhanced cloud experience through Azure Arc. Security updates are available through the Azure portal, providing a streamlined, customer-centric way to protect on-premises and multi-cloud environments. For customers who need to keep workloads on premises, Extended Security Updates enabled by Azure Arc provide additional Azure benefits, including licensing flexibility, Azure management capabilities, and advanced security features, while also unlocking flexible subscription billing for Windows Server 2016 workloads.

While this provides an option to continue running Windows Server 2016 to avoid any disruption to business-critical applications, this period also presents the opportunity to upgrade to Windows Server 2025 or consider migrating to Azure.

To get started with planning Windows Server 2016 end of support, please refer to the Extended Security Updates frequently asked questions for more information, and learn about the latest in Azure Migration and Modernization Program. For more information on the Microsoft Lifecycle Policy, see the Windows Server 2016 lifecycle page.

The post Planning ahead for Windows Server 2016 end of support appeared first on Microsoft Windows Server Blog.

Coordinated industry effort across the server ecosystem

Microsoft has worked closely with the server ecosystem partners to make this transition as smooth as possible:

• Many newer server hardware and virtual machine versions built since 2024, and almost all released in 2025 are already preconfigured with the 2023 Secure Boot certificates.
• Device manufacturer and firmware partners have collaborated with Microsoft to provide supported upgrade paths for existing deployments that currently use 2011 certificates.
• Microsoft and OEMs are working together to provide holistic guidance and help customers plan and execute the update safely across diverse environments.

This coordinated effort is designed to minimize operational risk while helping to preserve the high security standards expected of modern server platforms.

Please see the Windows Blog post, “Refreshing the root of trust: industry collaboration on Secure Boot certificate updates”, to understand how Microsoft collaborated with device manufacturers and firmware partners to support an efficient and safe deployment.

Because Windows Server instances do not receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR)—unlike Windows PCs—IT administrators must take action on servers that are in scope. As part of standard maintenance, administrators should first ensure their servers are fully up to date by installing the latest cumulative updates. They must then manually initiate the Secure Boot certificate update on Windows Server systems that have Secure Boot enabled and did not ship from the manufacturer with the 2023 Secure Boot certificates or have not otherwise been updated to include them.

Windows Server administrators call to action

Review the available methods to update Secure Boot certificates on Windows Server and plan your environment refresh well before the June 2026 expiration. Start by reviewing the official step‑by‑step guidance designed specifically for IT professionals managing server environments, which can be found here.

Microsoft has also hosted Secure Boot Ask Microsoft Anything (AMA) sessions in December 2025 and February 2026, providing deep technical context and direct answers to common questions around certificate expiration and updates. If you missed these sessions, recordings are available on demand.

If you have questions, you can join our upcoming Secure Boot AMAs in March and April and follow Windows Events on the Microsoft Tech Community to be apprised of future events. The next event is the “Secure Boot certificate updates explained – Microsoft Technical Takeoff”.

For ongoing updates, resources, and centralized guidance, bookmark the Windows Secure Boot certificate updates page. This page serves as your one‑stop resource to help understand, prepare, plan, and execute Secure Boot certificate updates on your Windows Server environment.

The post Prepare your servers for Secure Boot certificate updates appeared first on Microsoft Windows Server Blog.

1. Unpatched vulnerabilities

Unpatched vulnerabilities are known security flaws in software that have not been remediated. Like any critical infrastructure, Active Directory Domain Services relies on the security of the system on which it runs. When vulnerabilities exist in the operating system or supporting components, attackers may exploit those gaps to gain initial access or escalate privileges.

According to the 2025 Verizon DBIR, exploitation of known vulnerabilities accounts for roughly 20% of breaches and is up around34% year over year. These attacks don’t target AD DS because it’s weak—they target environments that fail to apply available fixes. Timely patching is essential to protect against attackers who take advantage of systems left unpatched.

Detection:

• Use Microsoft Defender Vulnerability Management for real-time visibility.
• Defender for Endpoint validates risk reduction.
• Configuration Manager (SCCM) deploys updates and monitors compliance.

Recommendations:

• Automate and enforce timely patch deployment using Azure Update Manager or SCCM.
• Use Microsoft Defender Vulnerability management to prioritize patching based on exploitability and asset exposure.
• Apply Windows Server 2025 OSConfig security baselines to domain controllers.

Once attackers gain an initial foothold—often through unpatched systems—they look for ways to move laterally and escalate privileges. One common technique is authentication relay attack.

2. Authentication relay attacks

Authentication relay attacks (a form of man-in-the-middle) allow adversaries to impersonate users by forwarding legitimate login requests, often exploiting NTLM and sometimes Kerberos. These attacks exploit legitimate authentication flows, enabling lateral movement, data theft, and full domain compromise.

Detection:

• Defender for Identity alerts on suspicious authentication patterns, lateral movement, and NTLM relay attempts.
• Monitor Windows Event Logs for failed logons and unusual authentication attempts.

Recommendations:

• Deprecate and disable NTLM wherever possible.
• Enforce SMB signing and LDAP channel binding. In Windows Server 2025, this is enabled by default.
• Use Extended Protection for Authentication (EPA).
• Implement Just-In-Time (JIT) access and MFA for sensitive resources, and use Privileged Identity Management (PIM) to enforce JIT and MFA.

After establishing a presence, attackers often pivot to techniques that target service accounts, which contain service tickets. Kerberoasting is a prime example, leveraging legitimate Kerberos functionality to extract and crack service tickets.

3. Kerberoasting

Kerberoasting targets service accounts by requesting Kerberos service tickets and performing offline brute-force attacks to recover passwords. Because the attack uses legitimate Kerberos functionality, it often goes undetected. And since many service accounts use weak or non-expiring passwords, they are especially vulnerable. The attack does not require elevated privileges to initiate and leaves minimal traces in logs. If successful, it can serve as a stepping stone to full domain compromise.

Detection:

• Check for ticket requests with unusual Kerberos encryption types in the events in Microsoft Defender XDR.
• Check for alerts from Microsoft Defender XDR, which will raise an alert with an external ID 2410 for suspected Kerberos SPN exposure.
• Use Defender for Identity to detect suspicious ticket requests.

For more information on how to detect Kerberoasting, see Microsoft Security Blog – Kerberoasting.

Recommendations:

• Migrate service accounts to Group Managed Service Accounts (gMSA).
• Disable RC4 encryption for Kerberos. Starting WS2025, RC4 will be disabled by default.
• Regularly audit and remove unused SPNs.
• Enforce security baselines for Windows Server 2025.

The success of Kerberoasting and similar attacks is amplified when accounts are over-permissioned or misconfigured. Excessive privileges can create shortcuts for attackers to escalate access and compromise critical assets.

4. Excessive privileges & account misconfigurations

Excessive privileges and misconfigurations occur when accounts have more permissions than necessary, often due to legacy setups or poor access control. Overprivileged accounts are prime targets for attackers. If compromised, they can be used to disable security tools, access sensitive data, or take control of the domain. These risks are amplified in hybrid environments where on-prem and cloud permissions intersect. A single misconfigured account can serve as a bridge between environments, expanding the blast radius of an attack.

Detection:

• Defender for Identity flags risky settings and maps lateral movement paths.
• Use Active Directory Administrative Center to review group memberships and delegated permissions using Active Directory tools.

Recommendations:

• Apply least privilege principles.
• Use JIT access and MFA for admin tasks.
• Implement Microsoft’s Tiered Administration model.
• Audit and clean up legacy permissions.

Beyond misconfigurations, legacy features like unconstrained delegation introduce additional risk. If left in place, they can allow attackers to impersonate users and access sensitive resources without detection.

5. Unconstrained delegation

Unconstrained delegation is a legacy Kerberos feature that lets services impersonate any user, posing serious risks if compromised. When enabled, a user’s TGT is stored in memory and reused, posing serious risks. Because the TGT is valid across the domain, if compromised, attackers can extract TGTs to impersonate users and access any Kerberos-protected service, including domain admins.

Detection:

• Use PowerShell to find systems with unconstrained delegation.
• Defender for Identity identifies risky configurations.

Recommendations:

• Deploy Credential Guard on endpoints.
• Add high-risk accounts to the “Protected Users” group.
• Mark privileged accounts as “sensitive and cannot be delegated.”
• Remove support for unconstrained delegation.

Once attackers achieve high privilege, they often seek persistence. Golden Ticket attacks represent the ultimate escalation—granting attackers the ability to forge Kerberos tickets and maintain control indefinitely.

6. Golden Ticket attack

Golden Ticket attacks use a stolen KRBTGT account key to forge Kerberos tickets, granting unrestricted domain access. If this key is compromised, the environment is already seriously breached. Prevention centers on blocking key theft and quickly detecting forged tickets.

This attack is especially dangerous because it bypasses standard authentication and enables persistent, stealthy domain access. Attackers often pair it with methods like DCSync or credential dumping to steal the KRBTGT hash.

Detection:

• Defender for Identity provides real-time alerts for Golden Ticket usage, DCSync/DCShadow attacks, and unusual Kerberos activity.
• Enable Kerberos audit logging on all domain controllers.

Recommendations:

• Rotate the KRBTGT password at least every 180 days (reset twice to fully invalidate tickets).
• Enable LSA Protection on domain controllers.
• Remove non-admin accounts with DCSync permissions.
• Implement tiered administration and least privilege to limit replication rights and administrative access.

Upgrade your cybersecurity with Microsoft

Active Directory Domain Services is central to enterprise identity and access management, making it a frequent focus for cyberattacks. Proactive detection and remediation are essential to reduce risk. If you suspect a compromise, rapid containment is critical. Microsoft Incident Response can help before, during, and after a cybersecurity incident. To learn more, visit Upgrade proactive and Reactive defenses with Microsoft Incident Response.

By applying the detection methods and remediation steps outlined above, organizations can significantly reduce their attack surface. Microsoft’s security tools—Defender for Identity, Defender Vulnerability Management, Sentinel, and Privileged Identity Management—provide the analytics and controls needed to help stay ahead of evolving threats.

The post Microsoft’s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 appeared first on Microsoft Windows Server Blog.

By mid-2026, we will be updating the domain controller default assumed supported encryption types. The assumed supported encryption types is applied to service accounts that do not have an explicit configuration defined. Secure Windows authentication does not require RC4; AES-SHA1 can be used across all supported Windows versions since it was introduced in Windows Server 2008. If existing RC4 use is not addressed before the default change is applied, authentication relying on the legacy algorithm will no longer function. This blog post helps IT professionals transitioning to AES-SHA1 encryption by offering steps to detect and address remaining RC4 usage.

For additional details on our Windows Update rollout strategy, check out this page on how to manage Kerberos KDC usage of RC4.

Detect RC4 usage with new tools

Aside from the Windows Update rollout of changes to domain controller default assumed supported encryption types, RC4 should be completely disabled in domain environments to maximize security. Legacy applications or interoperability with non-Windows devices may still necessitate the use of RC4, and such dependencies will need to be identified and addressed.

To support the identification of RC4 usage, we have enhanced existing information within the Security Event Log and developed new PowerShell auditing scripts. These enhancements are available in Windows Server versions 2019, 2022, and 2025.

New fields within existing Kerberos Events

The Security Event Log on Key Distribution Centers (KDC) logs when a client requests a ticket during authentication and when they request access to a specific service within the domain:

• 4768: A Kerberos authentication ticket (TGT) was requested
• 4769: A Kerberos service ticket was requested

New fields have been added to these events to capture all of the encryption algorithms supported by an account and to log the specific algorithm that was used during a ticket request. Using this information, you can now better identify:

• Authentication client devices that only support RC4
• Authentication target devices that only support RC4
• Accounts that don’t have AES-SHA1 keys provisioned, specifically for AES128-CTS-HMAC-SHA1-96 (AES128-SHA96) and AES256-CTS-HMAC-SHA1-96 (AES256-SHA96)

The first important, new field is called msds-SupportedEncryptionTypes. This field specifies the encryption algorithms that an account supports and is provided for both the client machine and the target service in a request. By default, this field should include both AES-SHA1 and RC4. If it does not include AES-SHA1, that indicates an account that we would expect to use RC4, which would need to be remediated.

The next new field, Available Keys, provides information on the encryption keys that have been created for an account in Active Directory. For most accounts in Windows, this should include RC4 and AES-SHA1 already. If this field contains RC4 but not AES-SHA1, it indicates an account that is not ready to use AES-SHA1 and that would need to be addressed.

The last important new field is the Session Encryption Type. This field contains the encryption algorithm that was used for a specific Kerberos request. Most events will indicate AES-SHA1 was used because that is the default behavior for Windows devices and accounts today. Filtering this event for RC4 will help identify potential problematic accounts and configurations.

New PowerShell scripts

Instead of manually reviewing the Security Event log on your domain controllers to find problematic RC4 usage via events 4768 and 4769, let’s introduce two new PowerShell scripts that are available to you on the Microsoft Kerberos-Crypto GitHub repository.

List-AccountKeys.ps1

Use this PowerShell script to query the Security Event Log for the new Available Keys field. The script enumerates the keys that are available for the accounts it finds from the event logs, as well as the following information:

• The time at which an event happened
• The account name
• The account type
• The account keys

PS C:\tools> .\List-AccountKeys.ps1

Time                  Name         Type Keys

—-                  —-         —- —-

1/21/2025 2:00:10 PM  LD1$      Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}

1/21/2025 2:00:10 PM  AdminUser    User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}

1/21/2025 6:50:34 PM  LD1$      Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}

1/21/2025 6:50:34 PM  AdminUser    User {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}

1/21/2025 6:50:34 PM  LD1$      Machine {RC4, AES128-SHA96, AES256-SHA96, AES128-SHA256…}

In this case, the results show that there are AES128-SHA96 and AES256-SHA96 keys available for the accounts found in the logs, meaning these accounts will continue to work if RC4 is disabled.

Get-KerbEncryptionUsage.ps1

Use this PowerShell script to query the same events to see which encryption types Kerberos used within your environment. In this example, the requests used AES256-SHA96, which is a part of AES-SHA1.

PS C:\tools> .\Get-KerbEncryptionUsage.ps1

Time       : 1/21/2025 2:00:10 PM

Requestor  : ::1

Source     : AdminUser@CONTOSO.COM

Target     : LD1$

Type       : TGS

Ticket     : AES256-SHA96

SessionKey : AES256-SHA96

Time       : 1/21/2025 2:00:10 PM

Requestor  : 192.168.1.1

Source     : AdminUser

Target     : krbtgt

Type       : AS

Ticket     : AES256-SHA96

SessionKey : AES256-SHA96

With this script, you can try out additional filtering options on specific encryption algorithms. For example, use the RC4 filter to specifically find requests that used RC4:

PS C:\tools> .\Get-KerbEncryptionUsage.ps1 -Encryption RC4

You can also use security information and event management (SIEM) solutions, like Microsoft Sentinel, or built-in Windows event forwarding as described in So, you think you’re ready for enforcing AES for Kerberos? to query these logs.

Recommendations on RC4 usage scenarios

You’ve used the scripts and identified RC4 usage. Now what should you do?

Here are some common scenarios and recommended solutions. For deeper dives, see our official Detect and remediate RC4 usage in Kerberos documentation.

A user account only has RC4 keys

You used the List-AccountKeys.ps1 script and have identified a user or machine account that only has RC4 in the list of keys. To prepare this account to use AES-SHA1 instead of RC4, reset the account password. Resetting the password will automatically create AES128-SHA96 and AES256-SHA96 keys in Active Directory for the account.

A user account doesn’t show support for AES-SHA1

You queried the Security log and found an account where the msds-SupportedEncryptionTypes field does not include the AES-SHA1 encryption types. There are multiple reasons why this may be the case and the most common scenarios are outlined below:

Scenario 1: The source or target account for a request might not have AES128-SHA96 and AES256-SHA96 correctly configured in its supported encryption types. If this is the case, here’s how you can view the policy:

• You can use Active Directory Users and Computers (ADUC) with Advanced Features enabled (under View > Advanced features). Review the msDS-SupportedEncryptionTypes attribute for an account to confirm the configuration. Find the account of interest in ADUC and right-click the account name. Select Properties and, in the newly opened window, select the Attribute Editor tab. In the list of attributes, find msDS-SupportedEncryption to confirm the configuration of the account. If needed, configure the account to include AES128-SHA96 and AES256-SHA96 using Group Policy.

• You can also use PowerShell. Use the following Get-ADObject command. Note: The output for mdds-SupportedEncryptionTypes will be in decimal format.

PS C:\> Get-ADObject -Filter “Name -eq ‘LM1’ -and (ObjectClass -eq ‘Computer’ -or ObjectClass -eq ‘User’)”  -Properties “msds-SupportedEncryptionTypes”

DistinguishedName             : CN=LM1,CN=Computers,DC=contoso,DC=com

msds-SupportedEncryptionTypes : 28

Name                          : LM1

ObjectClass                   : computer

ObjectGUID                    : 3a4c6bc4-1a44-4f1f-b74a-02ec4a931947

To interpret the values and to determine the best configuration for your environment, check out Active Directory Hardening Series – Part 4 – Enforcing AES for Kerberos and Decrypting the Selection of Supported Kerberos Encryption Types.

After setting the right combination for your environment, restart the device, and it will update its msds-SupportedEncryptionTypes attributes in the active directory database.

Scenario 2: The source or the target machine might not have the msds-SupportedEncryptionTypes defined in AD and is falling back to the default supported encryption types.

You’ll need to have a more holistic understanding of your environment. Do you know what happens to devices that don’t have a value defined for msds-SupportedEncryptionTypes or the value is set to 0? Normally, these devices will automatically receive the value of DefaultDomainSupportEncTypes. Depending on your individual risk tolerance, consider using one of the following methods to address this scenario:

• Define the specific msds-SupportedEncryptionTypes value in the account properties to ensure it isn’t falling back to the DefaultDomainSupportedEncTypes.
• Set the DefaultDomainSupportedEncTypes to include AES128-SHA1 and AES256-SHA1. Note: This will change the behavior of all accounts that don’t have a value for msds-SupportedEncryptionTypes.

The device doesn’t support AES128-SHA96 or AES256-SHA96

The last version of Windows devices that did not support AES128-SHA96 and AES256-SHA96 was Windows Server 2003. We strongly recommend that you migrate to a supported version of Windows as soon as possible.

If you have a third-party device that does not support AES128-SHA1 and AES256-SHA1, we want to hear from you! Please reach out to stillneedrc4@microsoft.com telling us:

• What is this device?
• How does it fit into your workflow?
• What is your timeline for upgrading this device?

Using WAC for configuring allowed encryption types

Microsoft provides a security baseline for Windows Server 2025 to set and audit recommended security configurations. This baseline includes disabling RC4 as an allowed encryption type for Kerberos. You can apply security baselines or view compliance using PowerShell or using the Windows Admin Center.

In Windows Admin Center, you can access the security baseline compliance report by connecting to the server you’ve configured using OSConfig by selecting the Security Baseline tab of the Security blade. In the Security Baselines tab, you can filter for the policy “Network Security: Configure encryption types allowed for Kerberos” to see your current compliance state for allowed encryption types. The compliant values for this policy in the baseline that do not allow RC4 are:

• 2147483624: AES128-SHA96 + Future Encryption types
• 2147483632: AES256-SHA96 + Future Encryption types
• 2147483640: AES128-SHA96 + AES256-SHA96 + Future Encryption

This is an example of the audit report indicating a device with a compliant setting:

This is an example of audit showing devices configured with a setting that is different from the previous compliant values:

Using stronger ciphers

In the current security landscape, RC4 isn’t required to ensure secure Windows authentication. You can use stronger ciphers, like AES-SHA1, for authentication among all supported versions of Windows. We hope that these detection and mitigation tools help you and your organization in your hardening efforts. Please check out official Detect and remediate RC4 usage in Kerberos documentation for more details and scenarios.

The post Beyond RC4 for Windows authentication appeared first on Microsoft Windows Server Blog.

How does hotpatching work?

Hotpatching is a new way to install updates in Windows Server 2025 that does not require a reboot after installation, by patching in-memory code of running processes without the need to restart the process, the application, or operating system.

Some of the benefits of hotpatching include the following:

• Greater uptime with fewer reboots, instead of rebooting monthly (12 times a year) rebooting is reduced to quarterly (4 times a year).
• Faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager (optional).
• Hotpatch packages install without the need to schedule a reboot, so they can happen sooner. This decreases the “window of vulnerability” which can result if an administrator might normally delay an update and restart after a Windows security update is released.

Azure Arc-enabled Hotpatching for Windows Server 2025 is available for a subscription of $1.50 USD per CPU core per month. 

With hotpatching, you will still need to restart your Windows Servers about four times yearly for baseline updates, but hotpatching can save significant time and ease the inconvenience of a traditional “patch Tuesday.” 

Hotpatching for Windows Server Datacenter: Azure Edition has been available for years. In fact, our own Xbox team has used it to reduce processes that used to take the team weeks down to just a couple of days. With Windows Server 2025, we have been able to deliver these efficiencies to on-premises and non-Azure servers through connection with Azure Arc.

What are the requirements?

To use hotpatching outside of Azure such as, on-premises or in multicloud environments, you must be using Windows Server 2025 Standard or Datacenter, and your server must be connected to Azure Arc. You will also need to subscribe to the Hotpatch service.

Important reminder: If you are currently using Windows Server 2025 and opted in to try the hotpatching service through Azure Arc in preview, you will need to disenroll if you wish to end your preview and not subscribe to the service. Otherwise, your subscription starts automatically in July 2025.

If you’re running on Azure IaaS, or Azure Local you can still use hotpatching as part of functionality of Windows Server Datacenter: Azure Edition. This feature is included both with Windows Server 2022 Datacenter: Azure Edition and Windows Server 2025 Datacenter: Azure Edition. There are no new requirements in this case, i.e. you don’t need to Arc-enable those machines, and there’s no additional cost for it. 

How do I enable hotpatching?

First, if your server is not yet connected to Azure Arc, you can do so by following these steps. Azure Arc is available at no extra cost and lets you manage physical servers, and virtual machines hosted outside of Azure, on your corporate network, or other cloud providers. In addition to hotpatching, there are several paid Azure services you can access through Azure Arc, including Microsoft Defender for Cloud, Azure Monitor, and many others. For full details, refer to this documentation.

Once you are connected with Azure Arc, you will sign into the Azure Portal, go to Azure Update Manager, select your Azure Arc-enabled server, and select the hotpatching option as outlined in this documentation.

You can also manage your subscription to hotpatching through the Azure Portal as well.

What is the difference between hotpatches and traditional patches/LCUs? 

At Microsoft we have traditionally shipped patches known as Latest Cumulative Updates (LCU). An LCU can have a few different types of fixes in its payload such as: 

1. Security fixes 
2. Bug fixes that are not security fixes 
3. New feature payload 

In contrast, a hotpatch only includes security fixes which makes the patch smaller and scoped to security only. We still need to deliver on #2 and #3 above, so we synchronize these payloads once a quarter in the Hotpatching schedule. 

What is the hotpatching schedule?

The hotpatch service provides up to eight hotpatches in a year. It follows a three-month cycle with the first month as a baseline month (monthly cumulative update) followed by two months of hotpatches. During baseline months the machines will need a reboot. The four planned baseline months are January, April, July and October.

On rare occasions, for security reasons we may have to ship a non-hotpatch update during a hotpatch month which will also need a reboot. But the goal will be to provide up to eight hotpatches in a year. 

The Windows Server hotpatching subscription is billed monthly, so your cost will be consistent throughout the year in both hotpatch and non-hotpatch months. 

Where to learn more about Windows Server

In addition to the documentation above, please check out our blog posts on Tech Community and watch the on-demand videos from the 2025 Windows Server Summit virtual event. We encourage you to try this time-saving feature and start discovering all the time you’ll save! 

And don’t forget…

As you may have heard at Ignite, hotpatching is also available for Windows 11 Enterprise. Learn more about eligibility and hotpatching for Windows clients here.

*Prices are in US dollars and are subject to change

The post Tired of all the restarts? Get hotpatching for Windows Server appeared first on Microsoft Windows Server Blog.

Last November, our most innovative, secure, and performant release to date was made generally available: Windows Server 2025. Incorporating input and feedback from customers, our Windows Server engineering team delivered a release that can enable customers to safeguard their data and infrastructure, handle their most demanding workloads, and help enhance their operational flexibility and connectivity, all with advanced security, cloud agility, and improved performance. As we continue to build and innovate, our team looks forward to engaging and learning from you at every opportunity to help ensure Windows Server continues to enable customers to accelerate innovation in their businesses.

As we reflect on over 30 years of innovation and our most recent release, we are thrilled to invite you to the Windows Server Summit 2025, held on April 29th and 30th on Microsoft Tech Community. This is a premier event for Windows Server professionals eager to stay involved and ahead of the curve. This year’s summit features a lineup of sessions designed to provide deep insight into the latest innovations and best practices in Microsoft Windows Server and Azure.

How to sign up

This event does not require registration, but you should be a member of Microsoft Tech Community to join us live and ask questions via chat during the sessions. We have tons of great content spanning two days, April 29—30th, each day starting at 7 AM PST. Visit this page for details on how to join and add the event to your calendar

Microsoft Tech Community

Meet the experts

You will have the opportunity to meet Windows Server engineering leaders, including Ian LeGrow, CVP PM. Ian leads the Operating Systems Division product management team, responsible for Windows Server and all Windows-based OS at Microsoft. Throughout the event, product managers will share how they have taken your feedback to deliver improved features and one of our most innovative and secure releases of Windows Server yet. They will also provide an exclusive look behind the scenes at what’s coming next in Windows Server, Azure, and hybrid cloud innovations.

Session highlights

After the keynote, you can listen or watch all the way through or pick and choose from mostly 30-minute sessions according to your interests. Here is a small sample of the sessions we have planned:

• Upgrades made easy with Windows Server 2025: Discover why Windows Server 2025 is the easiest version to upgrade ever. Join Rob Hindman and Jeff Woolsey as they delve into media upgrades and feature updates.
• Securing Active Directory: Join Active Directory Program Manager Cliff Fisher for a deep dive into new security features, policies, and defaults for Windows Server 2025. Learn about the new Windows Local Administrator Password Solution (LAPS) features, Delegated Managed Service Accounts, and more.
• Windows Server Hyper-V Architecture, features, GPUs, and more! Explore the new GPU partitioning innovation in Windows Server 2025 Hyper-V. This session will cover use cases and hardware considerations.
• Modernize server management and connectivity with Azure Arc: Connect Windows Servers across hybrid, multicloud, and edge environments to Azure. This session will showcase connectivity options and highlight Azure capabilities focused on SCCM modernization.
• What’s next for advanced storage: Discover the major improvements to storage in Windows Server 2025 and get a sneak peek at innovations like Native NVMe (nonvolatile memory express) and rack-aware clustering.
• Fine-tuned host networking for Windows Server 2025: Transform your network setup and management for Windows Server 2025 clusters with Network ATC and Network HUD. Learn how to achieve peak network performance for your workloads with AccelNet.
• SDN magic—Windows Server 2025 innovations: Uncover the power of software-defined networking on Windows Server 2025, including effortless deployments with native SDN (Software-defined networking) and enhanced security posture for your applications.
• Harden security and build resiliency with Windows Server 2025: Stay up-to-date with the latest security features and best practices for securing Windows Server. Learn about Microsoft Defender for Cloud and more.
• Hotpatching and update management for Windows Server with Azure Arc: Learn about the popular new hotpatching feature in Windows Server 2025 and watch demos on managing updates with Azure Arc.
• The Support Case Files—Windows Server troubleshooting tips: Join our Windows Server support engineers as they break down your most requested support cases.
• From on-premises to cloud with Azure File Sync: Learn how to use Azure File Sync to employ hybrid topologies and migrate seamlessly from on-premises to cloud.

Don’t miss out!

Windows Server Summit is a special virtual event with a community-driven, educational focus, and Microsoft engineers as featured speakers. While most of the sessions are advanced and assume good Windows Server experience, you will get something out of this event, whether you are a seasoned IT professional or just starting your journey. We hope you will join us live so you can participate in the Q&A, but if you cannot, sessions will be available on demand a few days after the event. Sign up now and join us for two days of learning together.

Microsoft Windows Server

Protect, adapt, and innovate with Windows Server

Try today

The post Join us at Windows Server Summit 2025 and learn more about our latest innovations! appeared first on Microsoft Windows Server Blog.

System Center 2025 and Windows Server 2025 are releasing concurrently, enabling you to start leveraging the latest Windows Server, along with the tools to manage the servers.

About System Center

Managing datacenters is complicated, requiring coordination between multiple teams and tools. System Center provides a unified, simplified solution. System Center is a comprehensive suite of management tools designed to help IT administrators oversee their data centers and IT environments. With tools for orchestrating workflows, managing configurations, and monitoring infrastructure, System Center simplifies the deployment, configuration, operation, and monitoring of infrastructure and virtualized software-defined data centers with a single license. System Center supports a wide range of platforms and environments, making it a versatile solution for organizations with diverse IT landscapes.  

As your datacenter evolves, so do our solutions. Building on the foundation of System Center 2022, this release introduces exciting new capabilities that significantly enhance IT infrastructure management agility and performance.  

System Center 2025 and Windows Server 2025 are releasing concurrently, enabling you to begin leveraging the latest Windows Server features, along with the tools to manage the servers, immediately.  

Let’s dive into what’s new in System Center 2025 and the impact of these updates on users.

Secure by design

With the threat of sophisticated cyberattacks on the rise, investing in security is paramount for all organizations. Powerful security in the datacenter is crucial to protect sensitive data, maintain operational integrity, and defend against bad actors. Microsoft is dedicated to both setting and upholding the highest standards in data privacy and security for our customers, and System Center 2025 delivers on this continued commitment to comprehensive security. 

New capabilities introduced in this release further enhance System Center’s security offerings, including:

• A reduction in the number of scenarios that use Credential Security Support Provider protocol (CredSSP) and NTLM as authentication mechanisms, enhancing the security posture for Windows Servers. 
• TLS 1.3 support to ensure that data transmissions are protected by the most advanced security standards available. 
• Enhanced data security developments on Microsoft Azure to securely store passphrases and apply them to your on-premises environments. 
• Flexibility and efficiency in data protection strategies with features like virtual TPM (vTPM) support and the ability to exclude specific disks from backups in Hyper-V environments. This optimizes the backup process and improves overall system performance. 

With the introduction of these security-focused features, System Center 2025 takes significant steps to further safeguard IT environments. 

Seamless heterogenous infrastructure and workload management

System Center 2025 offers a range of enhancements to streamline the management of heterogeneous infrastructure, ensuring seamless control and improved efficiency. Like a Swiss Army Knife for IT management, System Center consists of a suite of components—System Center Operations Manager, System Center Virtual Machine Manager, System Center Data Protection Manager, and System Center Orchestrator—that work together to provide IT professionals with a unified operational experience.

Newly included in this release are:

• Support for managing Azure Stack HCI 23H2 clusters with Virtual Machine Manager 2025, providing unified control of heterogeneous infrastructure through a single management plane. Monitoring to be added soon with updated management pack for Operations Manager.
• Support for the latest versions of Linux distributions, enabling comprehensive handling of both Windows and Linux environments.
• Data Protection Manager 2025 integrates seamlessly with SharePoint Subscription Edition, providing comprehensive backup solutions for enterprise applications and systems.  

System Center 2025 further improves the management of diverse infrastructures, offering IT professionals a simplified and optimized operational experience.

Tame IT sprawl and modernize complex environments

IT sprawl is a common challenge encountered by many organizations, leading to disorganization, hidden costs, and reduced competency. System Center provides a comprehensive solution to these pain points, allowing IT teams to combat these issues by enhancing operational efficiency and reducing infrastructure complexity so they can focus on optimizing, securing, and innovating.

Features available in System Center 2025 that enable infrastructure modernization include:

• System Center 2025 supports the latest Arc-enabled capabilities of Windows Server 2025, including Hotpatching for Arc-enabled Virtual Machine Manager managed VMs, and provides lifecycle operations for Virtual Machine Manager managed VMs hosted in customers’ datacenters. 
• With Azure Arc-enabled management, System Center 2025 users have the flexibility to simplify their experience, allowing them to migrate to the cloud at their own pace while ensuring optimal resource utilization.

System Center 2025 modernizes the datacenter by enhancing operational efficiency, reducing infrastructure complexity, and streamlining processes.

Get started with Microsoft System Center 2025

System Center 2025 is more than just an upgrade; it’s a comprehensive solution that addresses the evolving needs of modern IT environments. With elevated security, advanced cloud capabilities, and user-centric innovations, System Center 2025 delivers a seamless deployment experience, enabling organizations to efficiently and securely manage their infrastructure and virtualized software-defined datacenters.

With System Center 2025, you can stay in control of your IT estate, whether on-premises, in the cloud, or across platforms.

Ready to upgrade or to get started with System Center? Explore the resources below to learn more about this release. 

• Visit the System Center product site to learn more.
• Go to the Evaluation Center for a free trial of System Center 2025.
• Learn about Windows Server 2025, now generally available.

The post Microsoft System Center 2025 is now generally available appeared first on Microsoft Windows Server Blog.

Windows Server 2025

Investing in your success with Windows Server

Try today

Advanced multilayered security 

In an era where cybersecurity is of utmost importance (see the Microsoft Digital Defense Report 2024 and the Microsoft Threat Intelligence Healthcare Ransomware Report), Windows Server 2025 stands out with a suite of security features designed to safeguard your data and infrastructure. Here are a few key capabilities: 

• Active Directory (AD): The gold standard for identity and authentication only gets better with new security capabilities to help fortify your environment against evolving threats with greater scalability and improvements in protocols, encryption, hardening, and new cryptographic support. 

• File services/server message block (SMB) hardening: Windows Server 2025 includes SMB over QUIC to enable secure access to file shares over the internet. SMB security also adds hardened firewall defaults, brute force attack prevention, and protections for man in the middle attacks, relay attacks, and spoofing attacks. 

• Delegate Managed Service Accounts (dMSA): Unlike traditional service accounts, dMSAs don’t require manual password management since AD automatically takes care of it. With dMSAs, specific permissions can be delegated to access resources in the domain, which reduces security risks and provides better visibility and logs of service account activity. 

These advanced security features make Windows Server 2025 a robust and secure platform for your IT infrastructure that you should begin evaluating immediately.

Cloud agility anywhere

Windows Server 2025 introduces several advanced hybrid cloud capabilities designed to enhance operational flexibility and connectivity across various environments. Key features include: 

• Hotpatching enabled by Azure Arc: Customers operating fully in the cloud have inherent modern security advantages like automatic software updates and back-up and recovery.  Now we’re bringing some of those capabilities to Windows Server 2025 for on-premises customers with a new hotpatching subscription service, enabled by Azure Arc. With hotpatching, customers will experience fewer reboots and minimal disruption to operations. Hotpatching delivers security updates for Azure Arc-enabled Windows Server 2025 Standard or Datacenter running on physical machines, virtual machines, on-premises, or multicloud servers. Hotpatching, currently in preview, will require a monthly subscription. The hotpatching feature remains no additional cost for Windows Server Datacenter Azure Edition virtual machines.

• Easy Azure Arc onboarding: Windows Server 2025 brings Azure’s powerful capabilities directly into your datacenter through Azure Arc. This integration simplifies the onboarding process to Azure’s hybrid features and enhances operational flexibility, allowing you to manage and secure your hybrid and multicloud environments more effectively. 

• Software-defined network (SDN) multisite features: The software-defined network (SDN) multisite features offer native L2 and L3 connectivity for seamless workload migration across various locations, coupled with unified network policy management. 

• Unified network policy management: This capability allows for centralized management of network policies, making it easier to maintain consistent security and performance standards across your hybrid cloud environment.

These hybrid cloud capabilities make Windows Server 2025 an ideal choice for organizations looking to optimize their IT infrastructure and leverage the benefits of both on-premises and cloud environments.

AI, performance, and scale 

Windows Server 2025 is designed to handle the most demanding workloads, including AI and machine learning. Here are some key capabilities: 

• Hyper-V, AI, and machine learning: With built-in support for GPU partitioning and the ability to process large data sets across distributed environments, Windows Server 2025 offers a high-performance platform for both traditional applications and advanced AI workloads with live migration and high availability. 

• NVMe storage performance: Windows Server 2025 delivers up to 60% more storage IOPs performance compared to Windows Server 2022 on identical systems. (Based on 4K randread using Diskpsd 2.2 with Kioxia CM7 SSd) 

• Storage Spaces Direct and storage flexibility: Windows Server supports a wide range of storage solutions such as local, NAS, and SAN for decades and continues to this day. Windows Server 2025 delivers more storage innovation with Native ReFS deduplication and compression, thinly provisioned Storage Spaces, and Storage Replica Compression now available in all editions of Windows Server 2025.

• Hyper-V performance and scale: Windows Server 2025 introduces massive performance and scalability improvements that come from Azure. Windows Server 2025 Hyper-V virtual machine maximums: 
  • Maximum memory per VM: 240 Terabytes* — (10x previous) 
  • Maximum virtual processors per VM: 2048 VPs* — (~8.5x previous) 

*Requires Generation 2 VMs

Windows Server 2025 delivers major advancements across the board for Hyper-V, GPU integration, Storage Spaces Direct (software defined storage), software-defined networking, and clustering. These improvements make Windows Server 2025 an excellent option for organizations looking for a virtualization solution and for organizations looking to leverage AI and machine learning while maintaining high performance and scalability.

System Center 2025 is available now

By delivering System Center 2025 concurrently with Windows Server 2025, management of Windows Server at scale is available immediately. This allows organizations to make the most of new Windows Server features. Designed to enhance agility, performance, and security, this release is set to enhance how organizations optimize their infrastructure and virtualized software-defined datacenters. We encourage you to visit the System Center 2025 post learn more. 

Microsoft Ignite 2024

We look forward to meeting you in person and sharing these and other Windows Server 2025 features in our sessions and at our booth at Microsoft Ignite in Chicago, November 19-21. For those of you who can’t make it, many sessions, including our Windows Server breakout titled Windows Server 2025: New Ways to gain cloud agility and security, will be available for online viewing. 

We are also excited to bring new features to customers on existing Windows Server versions like 2016, 2019, 2022, as well as 2025. Windows Server Software Assurance or active subscription customers can access Azure management tools like Azure Update Manager, Azure Policy Guest Configuration, Disaster Recovery, Change Tracking and Inventory, and more, with access to many features coming at no additional cost**. Tune into Microsoft Ignite where we will show more demos and information on how to access these new offerings.

Additional Windows Server resources

• Try Windows Server 2025 today
• Windows Server documentation
• Learn more about what’s new in Windows Server 2025
• Microsoft Certified: Windows Server Hybrid Administrator Associate 
• Administer Active Directory Domain Services

Notes

1. ** Note: compute and storage may incur additional fees. 

The post Windows Server 2025 now generally available, with advanced security, improved performance, and cloud agility  appeared first on Microsoft Windows Server Blog.

Windows Server 2025

Download the public preview to try these exciting new features.

Start here

Advanced security

With a growing number of cyber security threats and the impact of incidents escalating quickly, security is a top priority for our customers. Windows Server 2025 includes a rich set of security innovations, including:

• Modern, scalable identity management with new security capabilities in Active Directory.
• Server Message Block (SMB) improvements including SMB over QUIC and features to help protect against brute force attacks, spoofing, and relay attacks.
• Security updates with fewer reboots, made possible through Azure Arc-enabled hotpatching, new security capabilities in Active Directory, and SMB hardening.

Hybrid innovation

We’re continuing to hear from our customers that the majority of their organizations work in a hybrid or multicloud state. In fact, a recent survey we conducted revealed that 81% of current hybrid cloud customers expect to remain hybrid for another five years.² Now, you can innovate and govern anywhere, as Windows Server 2025 delivers improved hybrid cloud capabilities such as:

• Software-defined network (SDN) multisite features allow for native L2 and L3 connectivity for workloads in multiple locations, and the ease of unified network policy management.
• Flexible hybrid and multicloud management tools that bring Azure capabilities to your datacenter through Azure Arc.
• If you want to use Azure hybrid capabilities but haven’t started yet, Windows Server 2025 has features that allow easier onboarding to Azure Arc.

AI, performance, and scale

Are you curious about how your organization can do more with AI? Well, you’ve come to the right place! Azure hosts some of the world’s largest workloads that push the limits of CPU and memory capabilities to process huge data sets across distributed environments. With the growth of AI and machine learning, GPUs have become a key part of cloud solutions because they’re great at performing many parallel operations on large data. Windows Server 2025 brings you many of these advantages across GPUs, storage, networking, and scalability. New features include:

• GPU partitioning across virtual machines with live migration and failover clustering; built to support AI workloads and inferencing at the edge.
• Reductions in the time you spend on network setup and issue remediation with new Network Adaptive Traffic Control (ATC) and Network Health and Usage Dashboard (HUD) features.
• Massive increases in storage performance and vastly improved Hyper-V performance and scalability.³
• Easy upgrades through Windows Update.

What we’ve provided above is just a quick overview of our top improvement areas for Windows Server 2025. For more details, we encourage you to read more on Microsoft Learn and watch our 2024 Windows Server Summit on demand.

Windows Server customers on the leading edge

While Windows Server 2025 is only coming into its public preview now, we’d like to share just a few inspiring customer stories you might have missed, to help you plot the journey ahead:

• CTT – Correios de Portugal: Learn how an organization that’s been around since 1520 gets ready for AI.

• Hokkoku Bank: This bank laid the initial groundwork for modernization by moving its entire on-premises estate to Windows Server. This created a seamless path to full cloud transformation on Microsoft Azure.

• DICK’s Sporting Goods: This Windows Server customer created an omnichannel athlete experience using Azure Arc and Azure Kubernetes Service.

System Center 2025

We’re also excited to announce the launch of System Center 2025, a leap forward in infrastructure management, enabling you to make the most of the Windows Server 2025 features from “day 0”. Advanced security focus continues to be a theme for System Center 2025 as well, featuring Azure Key Vault integration and reduced NTLM and Credential Security Support Provider protocol (CredSSP) usage. For hybrid innovation, onboarding machines in your System Center Virtual Machine Manager (SCVMM) managed datacenters to Azure Arc is simplified with Azure Arc-enabled SCVMM. In addition to at-scale Arc onboarding, it also enables you to manage the lifecycle of the machines in your datacenter in a self-service fashion from Azure. 

Try out the new Windows Server 2025 preview

Today we’ve shared some of the new features and capabilities of Windows Server 2025. They’re the outcome of more than 30 years of working on, refining, and updating the Windows Server platform based on input from dedicated professionals like you. Thank you for being a valuable Windows Server customer and, through your passion and feedback, helping us shape this new release. For more details, read this Windows Server documentation, watch our Windows Server Summit sessions, or check out the “What’s ahead for Windows 2025” video.

Download the Windows Server 2025 preview.

¹This information relates to a prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

²Based on a 2023 Microsoft survey of Windows Server customers using hybrid cloud in their organization. N=197.

³Up to 70% more IOPs on NVMe SSDs; Windows Server 2025 Hyper-V Virtual Machine Maximums: Maximum Memory per VM: 240 Terabytes* (10x previous) ; Maximum Virtual Processors per VM: 2048 VPs* (~8.5x previous) *Requires Generation 2 VMs ; Windows Server 2025 Host Memory Maximums: 4 Petabytes for hosts that support 5 level paging (166x previous) ; 256 Terabytes for hosts that support 4 level paging (10x previous) 

The post Gain enhanced security and performance with Windows Server 2025—now in preview appeared first on Microsoft Windows Server Blog.

Stay ahead of the curve and learn about the latest innovations and best practices in the world of Windows Server. Session recordings from the Windows Server Summit 2024 virtual event sponsored by Intel^® are available on-demand.

Designed for experienced IT professionals and IT leaders, the event will help deepen knowledge and skills of Windows Server and managing Windows Server workloads in hybrid cloud environments. The event includes talks by Microsoft product engineers, Intel® experts, and Microsoft Most Valuable Professionals (MVPs) sharing insights and tips to get the most out of Windows Server. You won’t want to miss the sneak peek of exciting features and enhancements coming in Windows Server 2025, the next major release of Microsoft’s server operating system!

Windows Server Summit

Recorded presentations available on-demand

View sessions today

Windows Server Summit has been an annual virtual event for the past three years. This year we responded to feedback on this popular event by including more demos and deeper technical content. All sessions are presented by Microsoft engineering teams and technical leaders from Intel® as well as our highly skilled Microsoft MVPs. Here are some examples of our expert content:

Windows Server 2025 preview

Did you catch the Microsoft Ignite 2023 session with Jeff Woolsey and Elden Christensen in matching purple shirts? That was still early days—there is more to share! In his Windows Server Summit session, Elden will provide an overview of all the new features and improvements to expect in Windows Server 2025 when released in late 2024.

Did you know that while you are playing Xbox at home, the team supporting the backend services uses Hotpatch? Find out how they do it in our session with Vishal Baja and Viraj Desai from Windows engineering and Tim Dreyling from Xbox networking teams.

Is software defined networking (SDN) your thing? You won’t want to miss Cindy Wan, Anirban Paul, Kyle Bisnett, and Samuel Liu of the SDN team for their demo bash session—including how to use upcoming Azure Kubernetes Services (AKS) and network security enhancements.

Are you looking for ways to prepare for AI? Afia Boakye and Nicole Bourain from the core operating system (OS) virtualization team will dive into new features in the Windows Server and Azure Stack HCI covering GPU failover clustering and new GPU partitioning (GPU-P) for GPU virtualization.

Security and hardening Windows Server

What are your thoughts on NTLM? Join Ned Pyle as he walks you through the evolution of Windows Authentication with Windows Server 2025 updates to NTLM and Kerberos improvement.

Eric Woodruff, Security MVP, is sharing his expertise with sessions on taking steps to secure Windows Server Active Directory with the Security Compliance Toolkit and Center for Internet Security (CIS) Benchmarks as well as a session specific to protecting your server from management plane attacks.

Microsoft understands not every server is running the latest version of Windows Server. Still, keeping your servers secure is vital. Join Principal Product Managers Poornima Priyadarshini and Jason Leznek to learn how Azure Arc extends the Azure control plane to on-premises servers and take advantage of Extended Security Updates (ESUs) on a flexible monthly billing model with keyless activation.

Windows Server hybrid and cloud

Are you running Windows Server on-premises or at the edge? Learn how you can leverage Azure automation, PowerShell, run command, and many other Azure management solutions for your on-premises Windows Servers. Thomas Maurer, Senior Program Manager and Chief Evangelist Azure Hybrid, and Ryan Willis, Product Manager for Azure Arc, will share how to automate your on-premises Windows Server from the cloud using Azure Arc.

Upgrades and migrations

Want to understand the details of Windows Server upgrade and update processes? We have the core team responsible front and center to walk you through the “how” and “when” of updates—including the upgrade path from Windows Server 2018 to Windows Server 2025.

Gregor Reimling is a rare, dual category MVP in Azure and Security. He will share his best practices for a successful Azure migration starting with the Cloud Adoption Framework (CAF) and look at the Azure Migrate and Modernize program.

Windows Server best practices

Fady Azmy, Program Manager for Windows Server will share practical strategies and best practices for using containers to boost efficiency and simplify deployment while maximizing resource utilization for Windows Server applications.

Interested in host networking on the edge? Join Basel Kablawi, Product Manager for network data plane, and Anirban Paul, Principal Product Manager, as they share what’s new and exciting in networking for Windows Server, highlighting Network ATC, Network HUD, and Accelerated Networking.

Be sure to watch these and other great sessions from our expert speakers!

The post Check out Microsoft Windows Server Summit 2024 appeared first on Microsoft Windows Server Blog.