Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themessecurity,Azure hybrid integration and management,and application platform. Security The new security capabilities in Windows Server 2022 combine other security capabilities in Windows Server across multiple areas to provide defense in depth protection against advanced threats. Advanced multi layer security in Windows Server 2022 provides the comprehensive protection that servers need today. Secured core server Certified Secured core server hardware from an OEM partner provides additional security protections that are useful against sophisticated attacks. This can provide increased assurance when handling mission critical data in some of the most data sensitive industries. A Secured core server uses hardware,firmware,and driver capabilities to enable advanced Windows Server security features. Many of these features are available in Windows Secured core PCs and are now also available with Secured core server hardware and Windows Server 2022. Hardware root of trust Trusted Platform Module 2.0 TPM 2.0 secure crypto processor chips provide a secure,hardware based store for sensitive cryptographic keys and data,including systems integrity measurements. TPM 2.0 can verify that the server has been started with legitimate code and can be trusted by subsequent code execution. This is known as a hardware root of trust and is used by features such as BitLocker drive encryption. Firmware protection Firmware executes with high privileges and is often invisible to traditional anti virus solutions,which has lead to a rise in the number of firmware based attacks. Secured core server processors support measurement and verification of boot processes with Dynamic Root of Trust for Measurement DRTM technology and isolation of driver access to memory with Direct Memory Access DMA protection. Virtualization based security VBS Secured core servers support virtualization based security VBS and hypervisor based code integrity HVCI. VBS uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system,protecting against an entire class of vulnerabilities used in cryptocurrency mining attacks. VBS also allows for the use of Credential Guard,where user credentials and secrets are stored in a virtual container that the operating system cannot access directly. HVCI uses VBS to significantly strengthen code integrity policy enforcement,including kernel mode integrity which checks all kernel mode drivers and binaries in a virtualized environment before they are started,preventing unsigned drivers or system files from being loaded into system memory. Secure connectivity Secure connections are at the heart of today's interconnected systems. Transport Layer Security TLS 1.3 is the latest version of the internet's most deployed security protocol,which encrypts data to provide a secure communication channel between two endpoints. HTTPS and TLS 1.3 are now enabled by default on Windows Server 2022,protecting the data of clients connecting to the server. It eliminates obsolete cryptographic algorithms,enhances security over older versions,and aims to encrypt as much of the handshake as possible. Learn more about supported TLS versions and about supported cipher suites. Secure DNSEncrypted DNS name resolution requests with DNS over HTTPS DNS Client in Windows Server 2022 now supports DNS over HTTPS DoH which encrypts DNS queries using the HTTPS protocol. This helps keep your traffic as private as possible by preventing eavesdropping and your DNS data being manipulated. Learn more about configuring the DNS client to use DoH. Server Message Block SMBSMB AES 256 encryption for the most security conscious Windows Server now supports AES 256 GCM and AES 256 CCM cryptographic suites for SMB encryption. Windows will automatically negotiate this more advanced cipher method when connecting to another computer that also supports it,and it can also be mandated through Group Policy. Windows Server still supports AES 128 for down level compatibility. AES 128 GMAC signing now also accelerates signing perfomance. SMBEast West SMB encryption controls for internal cluster communications Windows Server failover clusters now support granular control of encrypting and signing intra node storage communications for Cluster Shared Volumes CSV and the storage bus layer SBL. This means that when using Storage Spaces Direct,you can decide to encrypt or sign east west communications within the cluster itself for higher security. SMB Direct and RDMA encryption SMB Direct and RDMA supply high bandwidth,low latency networking fabric for workloads like Storage Spaces Direct,Storage Replica,Hyper V,Scale out File Server,and SQL Server. SMB Direct in Windows Server 2022 now supports encryption. Previously,enabling SMB encryption disabled direct data placement;this was intentional,but seriously impacted performance. Now data is encrypted data before placement,leading to far less performance degradation while adding AES 128 and AES 256 protected packet privacy. SMB over QUIC SMB over QUIC updates the SMB 3.1.1 protocol in Windows Server 2022 DatacenterAzure Edition and supported Windows clients to use the QUIC protocol instead of TCP. By using SMB over QUIC along with TLS 1.3,users and applications can securely and reliably access data from edge file servers running in Azure. Mobile and telecommuter users no longer need a VPN to access their file servers over SMB when on Windows. More information can be found at the SMB over QUIC documentation. Azure hybrid capabilities You can increase your efficiency and agility with built in hybrid capabilities in Windows Server 2022 that allow you to extend your data centers to Azure more easily than ever before. Azure Arc enabled Windows Servers Azure Arc enabled servers with Windows Server 2022 brings on premises and multi cloud Windows Servers to Azure with Azure Arc. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure,it becomes a connected machine and is treated as a resource in Azure. More information can be found at the Azure Arc enables servers documentation. Windows Admin Center Improvements to Windows Admin Center to manage Windows Server 2022 include capabilities to both report on the current state of the Secured core features mentioned above,and where applicable,allow customers to enable the features. More information on these and many more improvements to Windows Admin Center can be found at the Windows Admin Center documentation. Azure Automanage Hotpatch Hotpatch,part of Azure Automanage,is supported in Windows Server 2022 DatacenterAzure Edition. Hotpatching is a new way to install updates on new Windows Server Azure Edition virtual machines VMs that doesn't require a reboot after installation. More information can be found at the Azure Automanage documentation.
