This Week in IT: The Best 4 New Features in Windows Server 2025


This Week in IT, I look at the best four new features in Windows Server 2025, including on-premises server hotpatching with Azure Arc, next generation Active Directory and SMB, improved storage performance, and robust in-place upgrades.


This Week in IT, I look at the best four new features in Windows Server 2025, including on-premises hotpatching with Azure Arc, next generation Active Directory and SMB, improved storage performance, and robust in-place upgrades. So, stay tuned for more on the latest features in Windows Server.

Hello and welcome to This Week in IT, the show where I talk about everything connected to Microsoft 365, Windows, and Azure. But before I get started today, I’ve got a quick favor to ask you. 50 percent of the people who watched last week’s video weren’t subscribed to the channel. Now, as we go live today, we’re on about 3,020 subscribers. So, I’d really love if we could push that up to about 3,050. So if you’d like to see these weekly news updates, and my analysis, then please subscribe to the channel, and don’t forget to check the bell notification to make sure that you don’t miss out on the latest uploads.

Microsoft started to tease the new features coming in the next version of Windows Server at Ignite last year. Now, at that point, it was called Windows Server vNext. But this week, Microsoft announced that, surprise, surprise, it’s going to be called Windows Server 2025, and that it should be generally available this autumn. So this is the next version of Windows Server that’s going to be available on the long-term servicing channel, and the one that is probably going to be the most significant update since Windows Server 2016. So let’s talk about what I consider to be the four most important features coming to the next version of Windows Server. I want to start with hot patching. Now, hot patching is something that’s been exclusively available in Windows Server 2022, but the Azure edition. So what that means is a specialised version of Windows Server that’s only available to be licensed on a VM in the Azure cloud. Now, to be honest, I never thought that hot patching was going to come to on-premises Windows Server, because let’s face it, Microsoft wants to keep you in Azure, they want you paying that monthly subscription. But they announced that hot patching is coming to Windows Server 2025.

So, what does that mean exactly? It means that you can install the monthly security update without having to reboot the server. Now, Microsoft basically boasted at Ignite that they’re able to patch a thousand servers all running SQL Server, and they’re able to do that without rebooting the servers and in 48 hours, a process that would have taken them previously up to three weeks, and of course, lots of reboots.

Now, while all of this sounds fantastic, there is a catch. This only works with Azure Arc, so all the configuration of the hot patching happens through Azure Arc, which is basically a server management service in the cloud, and you can use it to manage servers running in Azure, AWS, I think Google Cloud Platform, and of course, on-premises. So there’s the first requirement. It can’t be something that doesn’t involve you connecting to the cloud, at least for management purposes.

As far as I could understand from the presentation that Microsoft gave in November at Ignite, in order to use hot patching in your on-premises Windows Server, it is going to require you to make a monthly payment. Now, there is an exception to that, and that is if you’re using Azure Stack or Azure Stack HCI, it won’t require a monthly payment. So while this is all very well and good, there are a couple of important caveats to note. In Windows Server 2025, hot patching is available in both the standard and the datacenter edition, and you can use this regardless of where the server is actually located. So it could be physically on-premises, you could be running it in a VM, in Azure, or in a different cloud provider. Microsoft also announced Next Generation Active Directory and SMB. So maybe that’s overstating things a little bit here. We all know, of course, that Active Directory is a mature technology, it’s been around for more than 20 years, and there hasn’t been any really significant update to it since Windows Server 2016.

So what is changing here? Well, of course, Active Directory is still widely deployed, especially in large organizations that require on-premises services and all the authorization and authentication that goes with that. And it’s vulnerable, and we know that it’s been vulnerable for many years. So what Microsoft is really doing with this release is making it a much more robust technology in several areas, but of course, most importantly, security. Now, there’s a whole list of changes that Microsoft is making to Active Directory with this release in terms of security improvements. I can’t list them all, but the six most important that Microsoft highlighted were LDAP support for TLS 1.3, improved security for confidential attributes in Active Directory, LDAP will prefer encryption by default, there’s new encryption coming to Kerberos, which is getting support for AES SHA256 and SHA384, changes to the default behavior of legacy SAM RPC password change methods, again, of course, to make things more secure, and Kerberos and PKINIT support for cryptographic agility.

So obviously, that’s a whole list of things that are hopefully going to make a difference. Now, one thing that did strike me is that they said, as part of the presentation, that NTLM authentication, which has for many years been considered a legacy authentication protocol (Active Directory, of course, uses Kerberos by default), is really this time on its way out, and Microsoft is taking more concrete steps to really deprecate it. So how are they going to go about doing that? So the problem is that Windows still falls back to using NTLM in some circumstances.

Now, what Microsoft would prefer is that, of course, we got rid of NTLM and that Kerberos was the only authentication option, and they’re taking steps to make that happen. So a couple of things. Windows 11 is getting a Kerberos Key Distribution Center. Of course, that’s something that only exists on domain controllers at the moment, but what this is going to do is allow local accounts for the first time on Windows PCs to use Kerberos as their authentication method. So that’s a big step forwards. Essentially, the KDC is going to be available in all versions of Windows going forwards. They’re also introducing a new technology called IAKerb, and this is a set of extensions to the publicly available Kerberos standard. And what this allows a device or a client device to do is to authenticate using Kerberos, even if it doesn’t have a direct line of sight to a domain controller, which is what is required today.

So essentially, this acts like a proxy technology. So a client can authenticate through a Kerberos proxy, which itself has a direct line of sight to a domain controller, even if that client doing the authentication or requesting the authentication doesn’t have that direct line. So another interesting development as well. There are also some performance enhancements coming to Active Directory. The database is going to be upgraded to be based on a 32K page size. So that’s a big increase from the current 8K. So you’ll be able to have much longer multi-value attributes. So, assumedly, some organizations are hitting a barrier there with that. There’s going to be NUMA support in Active Directory, so it can actually use all of the CPU cores during any processing operations. Administrators will be able to increase the system-calculated replication priority. So if you want to replicate a particular domain controller in favor of others, you’ll be able to control that. And there are three new performance counters. SMB is also getting a lot of security improvements.

Of course, that’s Server Message Block, which is basically the protocol that’s used for file sharing in Windows. So SMB over QUIC is getting a new feature that requires the client to also be trusted. In Windows Server 2022, only the server had to be trusted. There is also the option to disable NTLM over SMB. There’s also going to be an SMB authentication rate limiter to try and block brute force attacks. SMB signing settings are now secure by default. And if you want to share something through a firewall, you won’t need to open as many ports as you needed to in the past. So again, these are all welcome improvements to secure basic services on Windows Server. Obviously, Active Directory being the most important, and probably, secondly, SMB.
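An added example, not code from the video or from Microsoft: a PowerShell snippet that audits the SMB settings just mentioned (signing, the authentication rate limiter, NTLM over SMB) and previews the hardened values. The cmdlet parameters are assumed to be present on Windows Server 2025 or recent Windows 11 builds.

```powershell
# Added example (not from the video or Microsoft): audit and harden the SMB
# settings discussed above. Parameters assumed to exist on Windows Server 2025
# or recent Windows 11 builds; run elevated on a test machine first.
#Requires -RunAsAdministrator

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

# 1. Audit: record the current state before changing anything.
[pscustomobject]@{
    ServerSigningRequired  = $server.RequireSecuritySignature
    ClientSigningRequired  = $client.RequireSecuritySignature
    AuthRateLimiterDelayMs = $server.InvalidAuthenticationDelayTimeInMs  # 0 = limiter off
    ClientBlocksNtlm       = $client.BlockNTLM
} | Format-List

# 2. Harden. -WhatIf only previews each change; remove it to apply.

# Require signing on both sides (the "secure by default" setting in 2025),
# which defeats SMB relay and tampering of unsigned sessions.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force -WhatIf
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force -WhatIf

# Authentication rate limiter: delay every failed authentication by 2 s so
# password guessing against the file server becomes impractically slow.
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Force -WhatIf

# Block NTLM for outbound SMB connections from this host (Kerberos only).
# Test before rolling out: shares reached by IP address or hosted on
# workgroup machines cannot use Kerberos and will stop connecting.
Set-SmbClientConfiguration -BlockNTLM $true -Force -WhatIf
```

Run the audit block again after applying the changes to confirm the values took effect.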

Storage is still a big use for Windows Server. Not everybody wants to put everything into the cloud, of course. And Microsoft announced three major changes to performance and functionality. So if you’re using NVMe SSDs at the moment with the current technology, there’s going to be a 70% increase in input and output performance. So that’s great. If you deploy new NVMe SSDs with the latest technology, then Microsoft is saying you will be able to see up to a 90% improvement in input and output performance with the latest version of Windows Server. There are also some changes coming to improve SAN integration, and this is going to be achieved by supporting NVMe-oF TCP initiators.

So you’ll be able to make more efficient connections to remote SAN solutions. And last but not least, but I think something very important, because at the end of the day, if it’s difficult to upgrade to the latest version of Windows Server, that can be enough to put organisations off. They’re bringing over the technology that really came about as part of Windows 11 in terms of improving the in-place upgrade to make it a much more robust procedure. So in the past, an in-place upgrade kind of just really did an override of the existing operating system, and unfortunately that could end up resulting in a lot of problems. Now with Windows 11, an in-place upgrade works a little bit differently. When you choose to do an in-place upgrade, what you’re really doing, or what’s really happening under the surface, is a fresh install of the operating system.

The user and app data is all kind of containerised from the original version of the operating system, lifted out and then placed back on top of that fresh install. So you get a fresh install, and you’re bringing over the user and app data that’s required to ensure that everything continues to work. And that upgrade or in-place upgrade process is a much more robust way of doing things than we ever had before. And I think that’s kind of proven its worth really with Windows 10 to Windows 11 upgrades.

And they’re bringing that technology to Windows Server, so it should take a lot of the risk out of performing those in-place upgrades, if of course you’re not renewing your hardware at the same time. So I’m just scratching the surface with the new features in Windows Server. There’s a whole load of stuff happening here. A lot of stuff connected to storage that I didn’t mention, connected to Hyper-V, containerisation. They’re adding WiFi support, so if you’ve got edge devices that need to connect via WiFi, and a whole load of other things. It’s really worth going to check out the presentation. I’ll put a link in the show notes. Let me know in the comments below whether this feature is enough for you to consider upgrading to Windows Server 2025, or if one of the other features is what is going to be the real selling point for you. But let me know what you think in the comments below.

If you found this video useful, I’d really appreciate it if you gave it a like, because that helps to get it seen by more people on YouTube. I’m going to leave you with another video that you might find useful on the screen now about Copilot, what you’re going to get with Copilot, and whether I think it’s worth the $30 per user a month fee. But that’s it from me for this week, and I’ll see you next time.