Microsoft Outlines Windows Server 2022 Coming Features and Editions
Microsoft offered more information about its coming Windows Server 2022 product this week.
Details were presented in a Thursday session, "Windows Server 2022, Best on Azure," that's now available on demand. The live presentation included demos plus some Q&A time. It also included news about the new server's security, patching and management features, plus the product editions to expect.
Windows Server 2022 currently is at the release-to-manufacturing stage (RTM) stage, which means that the finished bits were given to hardware manufacturers for integration work, prior to hardware product releases.
A Microsoft Evaluation Center preview and RTM release of Windows Server 2022 had been announced back on June 1. In early March, Microsoft had announced a preview of the new server for testing on an Azure virtual machines (VMs).
Commercial Release, Editions and Install Options
Windows Server 2022 products are expected to be commercially released sometime this year.
Microsoft's new application server products, such as Exchange Server 2022 and SharePoint Server 2022, will arrive "shortly after" Windows Server 2022's "general availability" commercial release, the talk's Q&A explained.
Windows Server 2022 will have a Standard edition, as well as a Datacenter edition, plus a Datacenter Azure edition (now in preview). The talk didn't elaborate on these products, but a key new feature called "Azure Automanage" with its "hotpatch" capability will require having the Datacenter Azure edition.
Microsoft plans to release the Datacenter Azure edition of Windows Server 2022 for Azure subscribers leveraging Azure VMs, as well as for organizations using Azure Stack HCI, Microsoft's hyperconverged infrastructure product for installation at a customer's premises. Azure Stack HCI, requiring server hardware built by Microsoft's hardware partners, was commercially released back in December.
"We'll first make Windows Server Azure edition VMs available on the Azure public cloud; then on Azure Stack HCI 21 H2 in coming months," said Nick Washburn, a Microsoft program manager, during the talk.
Windows Server 2022 products will have "both Core and Desktop installation options for all editions," the Q&A indicated. Core is the headless low-footprint installation option that's optimal for remote management and automation purposes. The Desktop option installs the server with a graphical user interface, which is traditional but it's viewed as problematic for organizations that carry out large-scale automations.
It will be possible to perform an "in-place upgrade" from the current Windows Server 2019 Datacenter edition product to the new Windows Server 2022 Datacenter Azure edition product. However, at this time, Microsoft hasn't released the media to carry it out, according to the Q&A. An in-place upgrade replaces an operating system's bits with new ones. Under this scheme, IT pros don't have to wipe the old OS first and then "clean install" the new OS, so in-place upgrades are seen as time savers.
Azure Automanage and Hotpatch
Azure Automanage, currently at preview, is a service for automating management tasks, including patching with its hotpatch capability. Windows and Linux VMs hosted on Microsoft Azure datacenter infrastructure can be managed using Azure Automanage.
The Datacenter Azure edition of Windows Server 2022 will be needed to use the Azure Automanage and hotpatch solutions. Moreover, the "Azure Edition will only be supported on Azure (either Azure IaaS or Azure Stack HCI)," Microsoft clarified during the Q&A.
However, when asked if Azure Automanage and its hotpatch capability could be used with Windows Server installed at a customers' premises, Microsoft indicated that "this is on our imminent roadmap."
It'll be possible to use Azure Automanage with "both new and existing Windows Server VMs on Azure," according to Washburn. Azure Automanage handles things like security best practices and VM configuration states, he added:
With Azure Automanage, management best practices, such as Azure Defender Service, and security best practices, such as OS security baseline, are handled for you. Choose from configuration profiles that are available, and Automanage takes care of the rest. Finally, Automanage keeps your VMs in a good configuration state by monitoring and correcting for drift, based on the configuration profile you choose.
The hotpatch capability in Azure Automanage lets IT pros apply security updates to VMs without rebooting, which reduces downtime for apps and services, Washburn added. "Updates that used to take minutes or longer now take seconds," he said. Running workloads don't get interrupted when patching using the hotpatch feature because the bits get stored in memory, he explained.
Microsoft will initially make the hotpatch feature available to Windows Server 2022 Datacenter Azure edition users of the Core installation option, but support for the Desktop installation option also is planned. "Rest assured, we're hard at work on that and it will follow at a later time," Washburn said regarding Desktop hotpatch support.
Server Message Block over QUIC
The Server Message Block (SMB) over QUIC feature wasn't mentioned in Microsoft's March preview announcement of Windows Server 2022. However, it's done now on the server side after being available in Windows 10 and the Microsoft Edge browser, according to Ned Pyle, a Microsoft principal program manager, during the talk.
Pyle is responsible for overseeing Microsoft's SMB Windows component. He's also perhaps known for exhorting organizations to stop using SMB version 1.0, which got targeted by "WannaCry" (NotPetya) wiper malware back in 2017. Amazingly, Windows Server 2022 will still include SMB v1, according to the Q&A.
Pyle had explained more than a year ago that SMB over QUIC was coming to Windows, Windows Server and the Azure Files service as a virtual private network replacement. It relies on the User Datagram Protocol (UDP) and the Transport Layer Security (TLS) 1.3 protocols, rather than TCP/IP and RDMA (Remote Direct Memory Access), and has the effect of making Internet traffic stay always encrypted.
SMB over QUIC can be used "safely over the Internet, safely over untrusted networks, or even inside of your own network," Pyle said. He suggested that SMB over QUIC will open scenarios for file services, permitting secure connections for mobile users and telecommuters, and not just for Windows users:
So instead of going over TCP Port 445, which doesn't really work over the Internet, you'll be going over UDP Port 443, which definitely does. And you'll be doing all of your stuff inside of our very secure TLS 1.3-encrypted tunnel. So you can feel both safe and confident that your users will be able to connect, not just from Windows, but from Android, perhaps from iOS at some point, from Linux.
Windows Server 2022 has an SMB compression capability that can optionally compress files to speed up file transfers. Pyle demonstrated how SMB compression handled a 20GB file during a robocopy operation.
Per the demo, it took almost three minutes to compress the 20GB file during the robocopy operation without SMB compression. With SMB compression turned on, the compression time was reduced to about 30 seconds. These compression benefits extend to end users accessing a file share through Windows Explorer, as well, Pyle indicated.
TLS 1.3, AES-256 Encryption and Secured Core
Windows Server 2022 will use the latest security protocols, including HTTPS and TLS 1.3 by default. The server will have TLS 1.0 and TLS 1.1 turned off by default.
"Windows Server 2022 will have TLS 1.0 and 1.1 disabled by default as well to help drive adoption of the latest secure connectivity standards, and we want to ensure that bad actors won't be able to see what you're transmitting over the network," said Nazmus Sakib, a principal lead program manager at Microsoft, during the talk.
However, Microsoft added during the Q&A that TLS 1.2 "is still there and will totally work" if organizations have applications that can't make the jump.
AES-256 encryption will be used for Server Message Block. Pyle said that AES-128 encryption is still good and likely won't be defeated for decades, but the use of AES-256 encryption will establish a posture of "supreme security for the future."
Microsoft also added encryption support for RDMA. The support gets rid of a performance problem that organizations may have faced, according to Pyle:
In the past, if you were doing SMB direct and using SMB as a fabric, we did not let you encrypt. If you wanted to use encryption we'd let you turn it on and then we would turn off RDMA. Your performance would be really really terrible. Now, you're going to have the best of both worlds ….
Windows Server 2022 will use Domain Name System (DNS) over HTTPS encryption, known as "DoH," for DNS queries, according to Sakib.
"Windows Server 2022 will support making DNS queries using encryption, specifically DNS over HTTPS, which will allow servers to protect their name lookups from being tampered with by path attackers," Sakib said.
Microsoft had previewed DNS over HTTPs for Windows 10 about a year ago. It's an Internet Engineering Task Force standard that adds encryption when clients transmit URL requests over the Internet to servers. Without DNS over HTTPS these requests get transmitted in plain text.
The inclusion of Secured-core capabilities in Windows Server 2022 is a big new security addition, although Secured-core protection for Windows10 PCs has been available for almost two years. Secured-core technologies add protections at the boot level, which typically can be opaque to anti-malware solutions.
Microsoft is using the same Secured-core principles in its server and client products and it collaborated with its original equipment manufacturer partners to add those capabilities to Windows Server 2022, according to the talk. These Secured-core machines need to have a Trusted Platform Module 2.0 chip installed to get the security protections, Sakib explained:
Features like HVCI [hypervisor-enforced code integrity] and Credential Guard that come with VBS [virtualization-based security] can help ensure that customers have that proactive defense strategy that's all rooted with Trusted Platform Module 2.0. TPM 2.0 ensures that there is a hardware root of trust and that customers can start to build out a zero trust strategy that involves ensuring or validating the security properties in a reliable, tamper-resistant way.
A lot more was said during the "Windows Server 2022, Best on Azure" session. It notably included a demo on how Windows Admin Center, Microsoft's browser-based management solution, works with the new server.
Windows Admin Center can be used to remotely manage certificates, deploy containers and track server performance. It also has a new Secured-core tab, showing those enabled features.