What’s new in Windows Server 2022
Some of the new features in Windows Server 2022 are described in this article. Windows Server 2022 builds on the solid basis of Windows Server 2019 and adds a slew of new features in three areas: security, Azure hybrid integration and administration, and application platform. Additionally, Windows Server 2022 Datacenter: Azure Edition enables you to take advantage of the cloud’s benefits to keep your virtual machines up to date while minimizing downtime.
Security
The new security features in Windows Server 2022 combine numerous security features in Windows Server to provide defense-in-depth protection against advanced attacks. Windows Server 2022’s advanced multi-layer security delivers the comprehensive protection that servers require today.
Secured-core server
Additional security protections are provided by certified Secured-core server hardware from an OEM partner, which is useful against sophisticated attacks. In some of the most data-sensitive businesses, this can provide enhanced assurance while handling mission-critical data. To provide enhanced Windows Server security features, a Secured-core server makes use of hardware, firmware, and driver capabilities. Many of these features are already included in Windows Secured-core PCs, and they’re now also included in Secured-core server hardware and Windows Server 2022.
Hardware root-of-trust
Secure crypto-processor chips based on the Trusted Platform Module 2.0 (TPM 2.0) provide a secure, hardware-based repository for sensitive cryptographic keys and data, including system integrity measurements. TPM 2.0 can validate that the server was launched with valid code and that further code execution can be trusted. This is known as a hardware root-of-trust, and it’s what BitLocker drive encryption relies on.
Firmware protection
Firmware has high privileges and is generally invisible to typical anti-virus software, which has led to an increase in firmware-based attacks. Secured-core server CPUs use Dynamic Root of Trust for Measurement (DRTM) technology to measure and verify the boot process, as well as Direct Memory Access (DMA) protection to isolate driver access to memory.
UEFI secure boot
UEFI secure boot is a security standard that guards against malicious rootkits on your servers. Secure boot ensures that only firmware and software trusted by the hardware vendor are loaded onto the server. The firmware checks the signature of each boot component, including firmware drivers and the operating system, when the server is started. The server boots if the signatures are legitimate, and the firmware gives the OS control.
Virtualization-based security (VBS)
Secured-core servers support virtualization-based security (VBS) and hypervisor-based code integrity (HVCI). VBS protects against an entire class of vulnerabilities used in bitcoin mining attacks by using hardware virtualization features to create and isolate a protected region of memory from the standard operating system. Credential Guard is a feature of VBS that stores user credentials and secrets in a virtual container that the operating system cannot access directly.
HVCI makes extensive use of VBS to improve code integrity policy enforcement, particularly kernel mode integrity, which examines all kernel mode drivers and binaries in a virtualized environment before they are launched, preventing unsigned drivers or system files from being loaded into system memory.
Secure connectivity
Transport: HTTPS and TLS 1.3 enabled by default on Windows Server 2022
Today’s networked systems rely heavily on secure connectivity. The current version of the internet’s most widely used security protocol, Transport Layer Security (TLS), encrypts data to establish a safe communication route between two endpoints. On Windows Server 2022, HTTPS and TLS 1.3 are now enabled by default, protecting the data of clients connecting to the server. TLS 1.3 removes outdated cryptographic methods, improves security over previous versions, and encrypts as much of the handshake as possible.
Secure DNS: Encrypted DNS name resolution requests with DNS-over-HTTPS
The DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH), which encrypts DNS queries using the HTTPS protocol. This helps keep your traffic as private as possible by preventing eavesdropping on, and manipulation of, your DNS data.
Server Message Block (SMB): SMB AES-256 encryption for the most security conscious
Windows Server now supports AES-256-GCM and AES-256-CCM cryptographic suites for SMB encryption. Windows will automatically negotiate this more advanced cipher method when connecting to another computer that also supports it, and it can also be mandated through Group Policy. Windows Server still supports AES-128 for down-level compatibility. AES-128-GMAC signing now also accelerates signing performance.
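The following PowerShell script is an added example, not part of the original article or of Microsoft's documentation. It checks and hardens the three secure-connectivity settings described above on a Windows Server 2022 host: it lists the enabled TLS 1.3 cipher suites, registers a DoH resolver for the DNS client, and requires AES-256 SMB encryption. The resolver IP and template URL are placeholders; an elevated session is assumed.

```powershell
# Added example (not from the article): audit and harden the "secure connectivity"
# settings of Windows Server 2022. Assumes an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Transport: list Schannel cipher suites that support TLS 1.3 (protocol id 0x0304).
#    TLS 1.3 is enabled by default on Windows Server 2022; this confirms nothing has disabled it.
$tls13 = Get-TlsCipherSuite | Where-Object { $_.Protocols -contains 0x0304 }
if ($tls13) {
    "TLS 1.3 cipher suites enabled: " + (($tls13 | Select-Object -ExpandProperty Name) -join ', ')
} else {
    Write-Warning "No TLS 1.3 cipher suites are enabled on this host."
}

# 2. Secure DNS: register a DoH template for a resolver and forbid fallback to plaintext UDP/53.
#    Both values below are placeholders (RFC 5737 documentation address, example hostname);
#    replace them with your organisation's DoH resolver.
$DohServerIp = '192.0.2.53'
$DohTemplate = 'https://doh.example.invalid/dns-query'
Add-DnsClientDohServerAddress -ServerAddress $DohServerIp -DohTemplate $DohTemplate `
    -AllowFallbackToUdp $false -AutoUpgrade $true
# The interface's configured DNS server must match the registered address for DoH to be used:
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DohServerIp
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp

# 3. SMB: prefer AES-256-GCM, require encryption for every session, and reject
#    unencrypted access. AES-128 stays in the list only for down-level clients.
#    (The same settings can be enforced centrally through Group Policy.)
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM' -Force
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EncryptionCiphers
```

Clients that cannot negotiate encryption will be refused once `RejectUnencryptedAccess` is set, so run step 3 only after confirming that all clients support SMB 3.x encryption.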
Windows Admin Center
Improvements to Windows Admin Center to manage Windows Server 2022 include capabilities to both report on the current state of the Secured-core features mentioned above, and where applicable, allow customers to enable the features.
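As an added example (not the article's own content and not Windows Admin Center's code), the PowerShell function below queries the same Secured-core building blocks described in this section, TPM 2.0, UEFI Secure Boot, VBS, HVCI and Credential Guard, so the status can be collected from a script or a configuration-management tool. It assumes an elevated session on a Windows Server 2022 host with UEFI firmware.

```powershell
# Added example (not from the article): report the Secured-core feature state
# that Windows Admin Center shows, using built-in cmdlets and WMI providers.
# Assumes an elevated PowerShell session on a UEFI-based Windows Server 2022 host.
#Requires -RunAsAdministrator

function Get-SecuredCoreStatus {
    # Hardware root-of-trust: the TPM must be present, initialised, and spec version 2.0.
    $tpm = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

    # UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, treat that as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # VBS / HVCI / Credential Guard from the DeviceGuard WMI provider.
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        TpmIs20            = [bool]($tpmSpec -like '2.0*')
        SecureBootEnabled  = [bool]$secureBoot
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardOn  = ($dg.SecurityServicesRunning -contains 1)
    }
}

$status = Get-SecuredCoreStatus
$status | Format-List

# Surface any feature that is not active so the script can fail a compliance check.
$gaps = $status.PSObject.Properties | Where-Object { -not $_.Value }
if ($gaps) {
    Write-Warning ("Secured-core features not active: " + ($gaps.Name -join ', '))
}
```

The DeviceGuard provider reports HVCI and Credential Guard only when they are actually running, so a host where VBS is configured but a reboot is still pending shows `VbsRunning` as false.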
Azure Automanage – Hotpatch
Hotpatch, part of Azure Automanage, is supported in Windows Server 2022 Datacenter: Azure Edition. Hotpatching is a new way to install updates on new Windows Server Azure Edition virtual machines (VMs) that doesn’t require a reboot after installation.
Application platform
There are several platform improvements for Windows Containers, including application compatibility and the Windows Container experience with Kubernetes. A major improvement includes reducing the Windows Container image size by up to 40%, which leads to a 30% faster startup time and better performance.
You can now also run applications that depend on Azure Active Directory with group Managed Service Accounts (gMSA) without domain joining the container host, and Windows Containers now support Microsoft Distributed Transaction Control (MSDTC) and Microsoft Message Queuing (MSMQ).
There are several other enhancements that simplify the Windows Container experience with Kubernetes. These enhancements include support for host-process containers for node configuration, IPv6, and consistent network policy implementation with Calico.
In addition to platform improvements, Windows Admin Center has been updated to make it easy to containerize .NET applications. Once the application is in a container, you can host it on Azure Container Registry to then deploy it to other Azure services, including Azure Kubernetes Service.
With support for Intel Ice Lake processors, Windows Server 2022 supports business-critical and large-scale applications, such as SQL Server, that require up to 48 TB of memory and 2,048 logical cores running on 64 physical sockets. Confidential computing with Intel Secured Guard Extension (SGX) on Intel Ice Lake improves application security by isolating applications from each other with protected memory.
Other key features
Nested virtualization for AMD processors
Nested virtualization is a feature that allows you to run Hyper-V inside of a Hyper-V virtual machine (VM). Windows Server 2022 brings support for nested virtualization using AMD processors, giving more choices of hardware for your environments.
Microsoft Edge browser
Microsoft Edge is included with Windows Server 2022, replacing Internet Explorer. It is built on Chromium open source and backed by Microsoft security and innovation. It can be used with the Server with Desktop Experience installation options. More information can be found at the Microsoft Edge Enterprise documentation. Note that Microsoft Edge, unlike the rest of Windows Server, follows the Modern Lifecycle for its support lifecycle.
Networking performance
UDP performance improvements
UDP is becoming a very popular protocol, carrying more and more network traffic due to the increasing popularity of RTP and custom UDP-based streaming and gaming protocols. The QUIC protocol, built on top of UDP, brings the performance of UDP to a level on par with TCP. Significantly, Windows Server 2022 includes UDP Segmentation Offload (USO). USO moves most of the work required to send UDP packets from the CPU to the network adapter’s specialized hardware. Complementing USO is UDP Receive Side Coalescing (UDP RSC), which coalesces packets and reduces CPU usage for UDP processing. In addition, hundreds of improvements have been made to both the transmit and receive UDP data paths. Windows Server 2022 and Windows 11 both have this new capability.
TCP performance improvements
Windows Server 2022 uses TCP HyStart++ to reduce packet loss during connection start-up (especially in high-speed networks) and RACK to reduce Retransmit TimeOuts (RTO). These features are enabled in the transport stack by default and provide a smoother network data flow with better performance at high speeds. Windows Server 2022 and Windows 11 both have this new capability.
Hyper-V virtual switch improvements
Virtual switches in Hyper-V have been enhanced with updated Receive Segment Coalescing (RSC). This allows the hypervisor network to coalesce packets and process as one larger segment. CPU cycles are reduced and segments will remain coalesced across the entire data path until processed by the intended application. This means improved performance in both network traffic from an external host, received by a virtual NIC, as well as from a virtual NIC to another virtual NIC on the same host.
Storage
Storage Migration Service
Enhancements to Storage Migration Service in Windows Server 2022 make it easier to migrate storage to Windows Server or to Azure from more source locations. Here are the features that are available when running the Storage Migration Service orchestrator on Windows Server 2022:
- Migrate local users and groups to the new server.
- Migrate storage from failover clusters, migrate to failover clusters, and migrate between standalone servers and failover clusters.
- Migrate storage from a Linux server that uses Samba.
- More easily synchronize migrated shares into Azure by using Azure File Sync.
- Migrate to new networks such as Azure.
- Migrate NetApp CIFS servers from NetApp FAS arrays to Windows servers and clusters.
Adjustable storage repair speed
User adjustable storage repair speed is a new feature in Storage Spaces Direct that offers more control over the data resync process by allocating resources to either repair data copies (resiliency) or run active workloads (performance). This helps improve availability and allows you to service your clusters more flexibly and efficiently.
Faster repair and resynchronization
Storage repair and resynchronization after events such as node reboots and disk failures are now twice as fast. Repairs have less variance in time taken, so you can be more confident of how long they will take; this has been achieved by adding more granularity to data tracking, which moves only the data that needs to be moved and reduces both the system resources used and the time taken.
Storage bus cache with Storage Spaces on standalone servers
Storage bus cache is now available for standalone servers. It can significantly improve read and write performance, while maintaining storage efficiency and keeping the operational costs low. Similar to its implementation for Storage Spaces Direct, this feature binds together faster media (for example, NVMe or SSD) with slower media (for example, HDD) to create tiers. A portion of the faster media tier is reserved for the cache.
ReFS file-level snapshots
Microsoft’s Resilient File System (ReFS) now includes the ability to snapshot files using a quick metadata operation. Snapshots are different from ReFS block cloning in that clones are writable, whereas snapshots are read-only. This functionality is especially useful in virtual machine backup scenarios with VHD/VHDX files. ReFS snapshots are unique in that they take a constant time irrespective of file size. Support for snapshots is available in ReFSUtil or as an API.
SMB compression
An enhancement to SMB in Windows Server 2022 and Windows 11 allows a user or application to compress files as they are transferred over the network. Users no longer have to manually zip files in order to transfer them much faster over slower or more congested networks.