This article describes some of the new features in Windows Server 2022. Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform.
Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime. This section describes some of the new features in Windows Server 2022 Datacenter: Azure Edition. Learn more about how Azure Automanage for Windows Server brings these new capabilities to Windows Server Azure Edition in the Azure Automanage for Windows Server services article.
Windows Server 2022 Datacenter: Azure Edition builds on Datacenter Edition to deliver a VM-only operating system that helps to use the benefits of cloud, with advanced features like SMB over QUIC, Hotpatch, and Azure Extended Networking. This section describes some of these new features.
Compare the differences in the editions in Windows Server 2022. You can also learn more about how Azure Automanage for Windows Server brings these new capabilities to Windows Server Azure Edition in the Azure Automanage for Windows Server services article.
This section lists the features and improvements that are now available in Windows Server Datacenter: Azure Edition beginning with the 2022-09 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5017381). After you've installed the Cumulative Update, the OS build number will be 20348.1070 or higher.
This update includes Storage Replica compression for data transferred between the source and destination servers. This new functionality compresses the replication data at the source system, sends it over the network, and decompresses and saves it on the destination. The compression results in fewer network packets to transfer the same amount of data, allowing for more throughput and less network utilization. Higher data throughput should also result in lower synchronization time when you need it most, for example in a disaster recovery scenario.
New Storage Replica PowerShell parameters are available for existing commands; review the Windows PowerShell StorageReplica reference to learn more. For more information about Storage Replica, see the Storage Replica overview.
With this release you can run Windows Server 2022 Datacenter: Azure Edition as a supported guest VM on Azure Stack HCI version 22H2. With Azure Edition running on Azure Stack HCI, you'll be able to use all the existing features, including Hotpatch for Server Core and SMB over QUIC, at your datacenter and edge locations.
Your Azure subscription permits you to use Windows Server Datacenter: Azure Edition on any virtual machine instances running on Azure Stack HCI. For more information, see your Product Terms.
Hotpatching, part of Azure Automanage, is a new way to install updates on new Windows Server Azure Edition virtual machines (VMs) that doesn't require a reboot after installation. More information can be found in the Azure Automanage documentation.
SMB over QUIC updates the SMB 3.1.1 protocol to use the QUIC protocol instead of TCP in Windows Server 2022 Datacenter: Azure Edition, Windows 11 and later, and third-party clients if they support it. By using SMB over QUIC along with TLS 1.3, users and applications can securely and reliably access data from edge file servers running in Azure. Mobile and telecommuter users no longer need a VPN to access their file servers over SMB when on Windows. More information can be found in the SMB over QUIC documentation and SMB over QUIC management with Automanage machine best practices.
Azure Extended Network enables you to stretch an on-premises subnet into Azure to let on-premises virtual machines keep their original on-premises private IP addresses when migrating to Azure. To learn more, see Azure Extended Network.
This section describes some of the new features in Windows Server 2022 across all editions. To learn more about the different editions, review the Comparison of Standard, Datacenter, and Datacenter: Azure Edition editions of Windows Server 2022 article.
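The following PowerShell is an added example, not part of the article or Microsoft's documentation, showing the two halves of an SMB over QUIC deployment: binding a certificate to the file server's public name and then mapping a share from a client with the QUIC transport selected explicitly. The server name fs.contoso.com, the share name and path, and the security group are placeholders; the script assumes a certificate for that name is already in the LocalMachine\My store.

```powershell
# --- File server (Windows Server 2022 Datacenter: Azure Edition) ---
# Placeholder public name for this example; replace with the server's real DNS name.
$serverName = 'fs.contoso.com'

# Pick the longest-lived certificate in the machine store that carries the
# server's name as a DNS SAN; SMB over QUIC presents this certificate to clients
# during the TLS 1.3 handshake that QUIC performs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $serverName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $serverName found in LocalMachine\My" }

# Bind the certificate to the name clients will use to reach the server.
New-SmbServerCertificateMapping -Name $serverName -Thumbprint $cert.Thumbprint -StoreName My
Get-SmbServerCertificateMapping

# Publish a share. QUIC already encrypts the transport with TLS 1.3, but requiring
# SMB-level encryption as well covers any client that still arrives over TCP 445.
# 'Projects', 'D:\Projects' and the group name are placeholders.
New-SmbShare -Name 'Projects' -Path 'D:\Projects' -EncryptData $true `
    -FullAccess 'CONTOSO\Engineering'

# --- Client (Windows 11 or Windows Server 2022 Datacenter: Azure Edition) ---
# Map the share over QUIC (UDP 443) rather than letting the client try TCP 445 first.
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$serverName\Projects" -TransportType QUIC

# Confirm the resulting session negotiated SMB 3.1.1 and is encrypted.
Get-SmbConnection |
    Where-Object ServerName -eq $serverName |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

Because the transport is chosen per mapping, a client that omits `-TransportType QUIC` may still reach the same server over TCP 445 if that port is open; closing 445 at the edge and keeping only UDP 443 is what makes the "no VPN" scenario in the text hold.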
The new security capabilities in Windows Server 2022 combine other security capabilities in Windows Server across multiple areas to provide defense-in-depth protection against advanced threats. Advanced multi-layer security in Windows Server 2022 provides the comprehensive protection that servers need today.
Certified Secured-core server hardware from an OEM partner provides more security protections that are useful against sophisticated attacks. Certified Secured-core server hardware can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries. A Secured-core server uses hardware, firmware, and driver capabilities to enable advanced Windows Server security features. Many of these features are available in Windows Secured-core PCs and are now also available with Secured-core server hardware and Windows Server 2022. For more information about Secured-core server, see Secured-core server.
Used by features such as BitLocker drive encryption, Trusted Platform Module 2.0 (TPM 2.0) secure crypto-processor chips provide a secure, hardware-based store for sensitive cryptographic keys and data, including systems integrity measurements. TPM 2.0 can verify that the server has been started with legitimate code and can be trusted by subsequent code execution, known as a hardware root-of-trust.
Firmware executes with high privileges and is often invisible to traditional anti-virus solutions, which has led to a rise in the number of firmware-based attacks. Secured-core servers measure and verify boot processes with Dynamic Root of Trust for Measurement (DRTM) technology. Secured-core servers can also isolate driver access to memory with Direct Memory Access (DMA) protection.
UEFI secure boot is a security standard that protects your servers from malicious rootkits. Secure boot ensures the server boots only firmware and software trusted by the hardware manufacturer. When the server is started, the firmware checks the signature of each boot component including firmware drivers and the OS. If the signatures are valid, the server boots and the firmware gives control to the OS.
Secured-core servers support virtualization-based security (VBS) and hypervisor-based code integrity (HVCI). VBS uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system, protecting against an entire class of vulnerabilities used in cryptocurrency mining attacks. VBS also allows for the use of Credential Guard, where user credentials and secrets are stored in a virtual container that the operating system can't access directly.
Kernel Data Protection (KDP) provides read-only memory protection of kernel memory containing non-executable data, where memory pages are protected by the hypervisor. KDP protects key structures in the Windows Defender System Guard runtime from being tampered with.
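The Secured-core components described above (TPM 2.0, UEFI Secure Boot, DRTM, DMA protection, VBS, HVCI and Credential Guard) can each be checked from the running OS. The PowerShell below is an added example, not from the article, that reads those states from the TPM cmdlets, the Secure Boot cmdlet and the Win32_DeviceGuard WMI class and returns them as one object. The numeric codes it decodes follow Microsoft's documented meaning for that class (SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch; AvailableSecurityProperties: 3 = DMA protection); KDP has no separate status field, so it is not reported.

```powershell
function Get-SecuredCorePosture {
    # Collects the Secured-core building blocks into a single object so the
    # result can be returned to a compliance pipeline rather than only printed.
    $tpm = Get-Tpm

    # Confirm-SecureBootUEFI throws on a legacy-BIOS machine; treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $running   = @($dg.SecurityServicesRunning)        # services VBS is currently protecting
    $available = @($dg.AvailableSecurityProperties)   # what the platform can offer

    [pscustomobject]@{
        TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBoot         = $secureBoot
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = running
        CredentialGuard    = ($running -contains 1)
        Hvci               = ($running -contains 2)
        SecureLaunchDrtm   = ($running -contains 3)
        DmaProtection      = ($available -contains 3)
    }
}

$posture = Get-SecuredCorePosture
$posture | Format-List

# Anything false here is a Secured-core feature the hardware, firmware or OS
# configuration is not currently providing.
$missing = $posture.PSObject.Properties |
    Where-Object { -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($missing) { Write-Warning "Not enabled on this host: $($missing -join ', ')" }
```

Run it elevated; the TPM and Secure Boot cmdlets require administrator rights. A host that reports VbsRunning but not Hvci has the hypervisor isolation in place without code-integrity enforcement, which is the gap most worth closing first.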
Secure connections are at the heart of today's interconnected systems. Transport Layer Security (TLS) 1.3 is the latest version of the internet's most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. HTTPS and TLS 1.3 are now enabled by default on Windows Server 2022, protecting the data of clients connecting to the server. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. Learn more about supported TLS versions and about supported cipher suites.
Although TLS 1.3 in the protocol layer is now enabled by default, applications and services also need to actively support it. The Microsoft Security blog has more detail in the post Taking Transport Layer Security (TLS) to the next level with TLS 1.3.
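Two checks follow from the two preceding paragraphs: is TLS 1.3 enabled in Schannel on this server, and does a given application endpoint actually negotiate it? The PowerShell below is an added example, not from the article. It reads the Schannel protocol keys (an absent key means the OS default applies, which on Windows Server 2022 is TLS 1.3 enabled), lists the three TLS 1.3 cipher suites from `Get-TlsCipherSuite`, and then probes an endpoint with .NET's SslStream restricted to TLS 1.3. The probe needs PowerShell 7 or .NET Framework 4.8 for the Tls13 enum value; the host name app.contoso.com is a placeholder.

```powershell
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Returns the effective state of one protocol for the Server or Client role.
    param([string]$Protocol, [ValidateSet('Server', 'Client')][string]$Role)
    $key = Join-Path $schannel "$Protocol\$Role"
    if (-not (Test-Path $key)) { return 'OS default' }     # nothing overrides the built-in default
    $p = Get-ItemProperty $key
    if ($p.Enabled -eq 0)           { return 'Disabled' }
    if ($p.DisabledByDefault -eq 1) { return 'Disabled by default' }
    'Enabled'
}

# Protocol table: anything below TLS 1.2 still 'Enabled' or 'OS default' here is
# legacy surface that applications may negotiate down to.
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    [pscustomobject]@{
        Protocol = $proto
        Server   = Get-SchannelProtocolState -Protocol $proto -Role Server
        Client   = Get-SchannelProtocolState -Protocol $proto -Role Client
    }
}

# TLS 1.3 defines only these suites; verify none has been removed from the enabled list.
$tls13Suites = 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256'
$enabledSuites = (Get-TlsCipherSuite).Name
$tls13Suites | ForEach-Object {
    [pscustomobject]@{ Suite = $_; Enabled = ($enabledSuites -contains $_) }
}

# Obsolete algorithms that TLS 1.3 drops but older protocol versions could still use.
$weak = $enabledSuites | Where-Object { $_ -match 'RC4|3DES|NULL|MD5|EXPORT' }
if ($weak) { Write-Warning "Obsolete suites still enabled: $($weak -join ', ')" }

function Test-Tls13Endpoint {
    # Attempts a handshake allowing only TLS 1.3; a server that cannot do 1.3
    # fails the handshake, which is what the application-support caveat is about.
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls13, $true)
        return [pscustomobject]@{ Host = $HostName; Negotiated = $ssl.SslProtocol.ToString() }
    } catch [System.Security.Authentication.AuthenticationException] {
        return [pscustomobject]@{ Host = $HostName; Negotiated = 'TLS 1.3 not negotiated' }
    } finally {
        $tcp.Dispose()
    }
}

# Placeholder endpoint; point this at a service you operate.
Test-Tls13Endpoint -HostName 'app.contoso.com'
```

The registry half tells you what Schannel permits; the probe tells you what the application on that port actually does, which is the distinction the second paragraph draws. A service built on a library that pins TLS 1.2 will fail the probe even on a server where the protocol table shows TLS 1.3 enabled.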
DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS protocol. DoH helps keep your traffic as private as possible by preventing eavesdropping and your DNS data being manipulated. Learn more about configuring the DNS client to use DoH.
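As an added example (not from the article), the PowerShell below registers a DoH template for a resolver on Windows Server 2022 using the DNS client cmdlets, disables plaintext fallback so a failed HTTPS query is not silently retried over UDP 53, and then checks the configuration. The resolver address 10.0.0.53, the template URL and the interface alias are placeholders for a resolver your organisation operates that offers DoH.

```powershell
# Placeholder values for this example.
$resolver  = '10.0.0.53'                          # assumed internal resolver offering DoH
$template  = 'https://dns.contoso.com/dns-query'   # its DoH endpoint
$interface = 'Ethernet'

# Register the resolver's DoH template. AllowFallbackToUdp:$false means the client
# will not downgrade to classic port-53 queries if the HTTPS query fails, which is
# the setting that actually prevents eavesdropping and manipulation; AutoUpgrade
# makes the client use DoH as soon as this server is configured on an adapter.
Add-DnsClientDohServerAddress -ServerAddress $resolver `
                              -DohTemplate $template `
                              -AllowFallbackToUdp $false `
                              -AutoUpgrade $true

# DoH only engages for servers that have a template; point the adapter at it.
Set-DnsClientServerAddress -InterfaceAlias $interface -ServerAddresses $resolver

# Review what is registered. A resolver listed here with AllowFallbackToUdp = True
# still permits plaintext queries.
Get-DnsClientDohServerAddress |
    Select-Object ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade

# Functional check: resolution still works through the configured resolver.
Resolve-DnsName -Name 'www.contoso.com' -Server $resolver -Type A
```

With fallback disabled, a resolver that stops answering over HTTPS causes resolution failures rather than a quiet downgrade; that is the intended failure mode, so pair it with monitoring of the resolver's HTTPS endpoint. Windows also exposes the same settings through Group Policy for fleet-wide enforcement, which is the mechanism the linked DoH configuration article covers.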
Windows Server now supports the AES-256-GCM and AES-256-CCM cryptographic suites for SMB encryption. Windows will automatically negotiate the more advanced cipher method when connecting to another computer that also supports it, and it can also be mandated through Group Policy. Windows Server still supports AES-128 for down-level compatibility. AES-128-GMAC signing now also accelerates signing performance.
Windows Server failover clusters now support granular control of encrypting and signing intra-node storage communications for Cluster Shared Volumes (CSV) and the storage bus layer (SBL). When using Storage Spaces Direct, you can now decide to encrypt or sign east-west communications within the cluster itself for higher security.
SMB Direct and RDMA supply high bandwidth, low latency networking fabric for workloads like Storage Spaces Direct, Storage Replica, Hyper-V, Scale-out File Server, and SQL Server. SMB Direct in Windows Server 2022 now supports encryption. Previously, enabling SMB encryption disabled direct data placement; this was intentional, but seriously impacted performance. Now data is encrypted before data placement, leading to far less performance degradation while adding AES-128 and AES-256 protected packet privacy.
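The SMB encryption and cipher-suite changes in the preceding paragraphs are driven from the SMB configuration cmdlets. The PowerShell below is an added example, not from the article, that requires encryption on a Windows Server 2022 file server, orders the cipher list so that AES-256 suites are preferred while AES-128 remains for down-level clients, mirrors the order on a client, and then verifies what live sessions negotiated. The `-EncryptionCiphers` parameter is the Windows Server 2022 addition for this purpose; the cipher identifiers are the ones that parameter accepts.

```powershell
# --- Server side ---
# Require encryption for every share and refuse clients that cannot encrypt.
# RejectUnencryptedAccess is what turns "encryption preferred" into "encryption mandatory".
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Cipher preference, most to least preferred. AES-256 first so that a peer that
# supports it negotiates it; AES-128 retained for down-level compatibility.
$cipherOrder = 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM'
Set-SmbServerConfiguration -EncryptionCiphers $cipherOrder -Force

Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EncryptionCiphers

# --- Client side (Windows Server 2022 or Windows 11) ---
# Same ordering on the client so negotiation lands on AES-256 when both ends offer it.
Set-SmbClientConfiguration -EncryptionCiphers $cipherOrder -Force

# --- Verification on the client ---
# Any connection showing Encrypted = False against this server indicates a peer that
# negotiated an older dialect or a path where encryption was not enforced.
# 'fs.contoso.com' is a placeholder.
Get-SmbConnection |
    Where-Object ServerName -eq 'fs.contoso.com' |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed

# --- Verification on the server ---
# Sessions from clients that only speak AES-128 will still connect; this list shows
# which dialect each client reached, which is the first thing to check when a
# pre-2022 client is suspected of pulling negotiation down.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
```

Removing the AES-128 entries from `$cipherOrder` is how you move from "prefer AES-256" to "require AES-256"; do that only after the session listing above shows no remaining clients that depend on the older suites, because those clients will then be rejected outright.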
Azure Arc-enabled servers with Windows Server 2022 brings on-premises and multicloud Windows Servers to Azure with Azure Arc. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. More information can be found in the Azure Arc-enabled servers documentation.
To add new Windows Servers, go to the Azure Arc icon in the bottom-right corner of the taskbar and launch the Azure Arc Setup program to install and configure an Azure Connected Machine Agent. Once installed, you can use the Azure Connected Machine Agent at no extra charge to your Azure account. Once you've enabled Azure Arc on your server, you can see the status information in the taskbar icon.