
Windows Server Get Started

Uploaded by

marlon austria
Get started with Windows Server


Article • 09/19/2022

Windows Server is the platform for building an infrastructure of connected applications,
networks, and web services, from the workgroup to the data center. It bridges
on-premises environments with Azure, adding additional layers of security while helping
you modernize your applications and infrastructure.

This collection of articles contains detailed information to help you understand and get
the most from Windows Server, and help determine if you're ready to move to the latest
version. Once you've checked the system requirements, upgrade options, and other
information about Windows Server, you're ready to start down the path of installing the
best edition and installation option for your needs.

Tip

To download Windows Server, see Windows Server evaluations in the Evaluation
Center.

Note

If you're looking for information about earlier versions that are no longer
supported, see the Windows previous versions documentation.

Support and feedback


For the latest news on Windows Server, visit the Windows Server blog to stay up to
date on announcements, features, events, and other information from the Windows
Server engineering teams. You can also visit the Windows Server Community to share
best practices, get latest news, and learn from experts about Windows Server.

Learn

Browse learning paths for Windows Server to help learn new skills and accelerate your
deployment with step-by-step guidance. You can learn how to deploy, configure and
administer Windows Server, as well as network infrastructure, file servers and storage
management, Hyper-V and virtualization, plus much more.

Windows Insider Program

The Windows Insider Program for Windows Server provides preview builds of Windows
Server allowing you early access to learn, test, and help shape the future of Windows
Server. To learn more, you can get started with the Windows Insider Program for
Windows Server and participate in the Windows Server Insiders Community.

Next steps
To get started, find out more from these resources.

What's new in Windows Server 2022 provides an overview of the latest features in
Windows Server.

Learn about the different servicing channels, which each is used for, and what it
means for your workloads and support.

Compare the differences in the editions in Windows Server 2022.

Choose the right installation option based on whether you want the Desktop
Experience or a minimal Core interface.

Understand the hardware requirements to run Windows Server.

Follow the learning path for Windows Server deployment, configuration, and
administration.

If you still need to use Windows Server 2008, Windows Server 2008 R2 (and in
future Windows Server 2012, or Windows Server 2012 R2) Extended Security
Updates are available to help keep you safe with security updates and bulletins
rated critical and important.

Get started with Windows Server Insiders Preview

Article • 04/26/2024

Join the Windows Insider Program for Windows Server and gain exclusive access to
Windows Server Insider Previews and Remote Server Administration tools. By becoming
a part of this community, you'll have the opportunity to help shape the future of
Windows Server and be at the forefront of innovation!

Where to get Windows Server Insiders Preview


If you're a registered Insider, you can access the Windows Insider Preview Downloads
page directly to view available Windows Server Preview builds. If you'd like to participate
as an Insider, you can refer to the Getting started with the Windows Insider Program for
Windows Server.

The following keys are valid only for preview builds and expire on September 15, 2024:

Windows Server Version    Key
Standard                  MFY9F-XBN2F-TYFMP-CCV49-RMYVH
Datacenter                2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
Azure Edition             Keys aren't accepted

Note

Downloads may be restricted in certain countries. To learn more, see Microsoft
suspends new sales in Russia.

Insiders Preview known issues


During the OOBE install process, some users notice overlapping windows or
graphics anomalies when using the mouse to proceed to the next step.

First sign-in user privacy settings are limited where all features aren't available nor
function as desired.
Installing the WinPE-Powershell optional component via any method doesn't
install properly and related cmdlets fail. Customers who are dependent on
PowerShell in WinPE shouldn't use this build.

The new Feedback Hub and Terminal apps aren't functioning properly in this
release.

We advise against using this build to validate upgrades from Windows Server 2019
or 2022 due to identified intermittent upgrade failures.

Using the wevtutil al command to archive event logs causes the Windows Event
Log service to crash and archive operation to fail. To resolve this issue, the service
must be restarted by running the following in an elevated PowerShell prompt:

PowerShell

Start-Service EventLog

If you have the Secure Launch or Dynamic Root of Trust for Measurement (DRTM)
code path enabled, we recommend avoiding installing this build.

How to provide feedback for Insiders Preview


Your feedback is valuable to us as it provides insight to what is currently working,
capturing bugs, and suggestions of where improvements can be made. To learn how to
provide feedback, see Deeper look at feedback.

Use your registered Windows 10 or Windows 11 device and open the Feedback Hub
app. In the Feedback Hub app, provide us:

1. A title about the issue with the preview build number. Example, Server Manager
Issue in Windows Server Standard 25997.
2. A detailed explanation of what is occurring.
3. For the Category, select Windows Server.
4. Attaching a screenshot of the issue is optional.
5. Complete submitting your feedback.

See also

What's new in Windows Server 2025

Explore the Feedback Hub

What's new in Windows Server 2025 (preview)

Article • 04/26/2024

Important

Windows Server 2025 is in PREVIEW. This information relates to a prerelease
product that may be substantially modified before it's released. Microsoft makes no
warranties, expressed or implied, with respect to the information provided here.

This article describes some of the newest developments in Windows Server 2025, which
boasts advanced features that improve security, performance, and flexibility. With faster
storage options and the ability to integrate with hybrid cloud environments, managing
your infrastructure is now more streamlined. Windows Server 2025 builds on the strong
foundation of its predecessor while introducing a range of innovative enhancements to
adapt to your needs.

If you're interested in trying out the latest features of Windows Server 2025 before
official release, see Get started with Windows Server Insiders Preview.

What's new
The following new features are specific to Windows Server with Desktop Experience
only. You need both physical devices running the operating system and the correct
drivers readily available.

Active Directory Domain Services


The latest enhancements to Active Directory Domain Services (AD DS) and Active
Directory Lightweight Domain Services (AD LDS) introduce a range of new
functionalities and capabilities aimed at optimizing your domain management
experience:

32k database page size optional feature - AD has used an Extensible Storage Engine
(ESE) database with an 8k database page size since its introduction in Windows 2000.
The 8k architectural design decision resulted in limitations throughout
AD that are documented in AD Maximum Limits Scalability. An example of this
limitation is a single record AD object, which can't exceed 8k bytes in size. Moving
to a 32k database page format offers a huge improvement in areas affected by
legacy restrictions, including multi-valued attributes, which are now able to hold up to
~3,200 values, an increase by a factor of 2.6.

New DCs can be installed with a 32k page database that uses 64-bit Long Value
IDs (LIDs) and runs in an "8k page mode" for compatibility with previous versions.
An upgraded DC continues to use its current database format and 8k pages.
Moving to 32k database pages is done on a forest-wide basis and requires that all
DCs in the forest have a 32k page capable database.

AD schema updates - Three new Log Database Files (LDF) are introduced that
extend the AD schema, sch89.ldf , sch90.ldf , and sch91.ldf . The AD LDS
equivalent schema updates are in MS-ADAM-Upgrade3.ldf . To learn more about
previous schema updates, see Windows Server AD schema updates.

AD object repair - AD now allows enterprise administrators to repair objects with
missing core attributes SamAccountType and ObjectCategory. Enterprise
administrators can reset the LastLogonTimeStamp attribute on an object to the
current time. These operations are achieved through a new RootDSE modify
operation feature on the affected object called fixupObjectState.

Channel binding audit support - Events 3074 and 3075 can now be enabled for
Lightweight Directory Access Protocol (LDAP) channel binding. When the channel
binding policy is modified to a more secure setting, an administrator can identify
devices in the environment that don't support or fail channel binding validations.
These audit events are also available in Windows Server 2022 and later via
KB4520412.

DC-location algorithm improvements - DC discovery algorithm provides new
functionality with improvements to mapping of short NetBIOS-style domain names
to DNS-style domain names. To learn more, see Active Directory DC locator
changes.

Note

Windows doesn't use mailslots during DC discovery operations as Microsoft
has announced the deprecation of WINS and mailslots for these legacy
technologies.

Forest and Domain Functional Levels - The new functional level is used for
general supportability and is required for the new 32K database page size feature.
The new functional level maps to the value of DomainLevel 10 and ForestLevel 10
for unattended installs. Microsoft has no plans to retrofit functional levels for
Windows Server 2019 and Windows Server 2022. To perform an unattended
promotion and demotion of a Domain Controller (DC), see DCPROMO answer file
syntax for unattended promotion and demotion of domain controllers.

The DsGetDcName Application Programming Interface (API) also supports a new
flag DS_DIRECTORY_SERVICE_13_REQUIRED that enables location of DCs running
Windows Server 2025. You can learn more about functional levels in the following
articles:

Forest and Domain Functional Levels

Raise the Domain Functional Level

Raise the Forest Functional Level

Note

New AD forests or AD LDS configuration sets are required to have a functional
level of Windows Server 2016 or greater. Promotion of an AD or AD LDS
replica requires that the existing domain or config set is already running with
a functional level of Windows Server 2016 or greater.

Microsoft recommends that all customers begin planning now to upgrade
their AD and AD LDS servers to Windows Server 2022 in preparation of the
next release.

Improved algorithms for Name/Sid Lookups - Local Security Authority (LSA)
Name and Sid lookup forwarding between machine accounts no longer uses the
legacy Netlogon secure channel. Kerberos authentication and DC Locator
algorithm are used instead. To maintain compatibility with legacy operating
systems, it's still possible to use the Netlogon secure channel as a fallback option.

Improved security for confidential attributes - DCs and AD LDS instances only
allow LDAP add, search, and modify operations involving confidential attributes
when the connection is encrypted.

Improved security for default machine account passwords - AD now uses randomly
generated default computer account passwords. Windows 2025 DCs block setting
computer account passwords to the default password of the computer account
name.

This behavior can be controlled by enabling the GPO setting Domain controller:
Refuse setting default machine account password located in: Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security
Options

Utilities like Active Directory Administrative Center (ADAC), Active Directory Users
and Computers (ADUC), net computer , and dsmod also honor this new behavior.
Both ADAC and ADUC no longer allow creating a pre-2k Windows account.

Kerberos AES SHA256 and SHA384 - The Kerberos protocol implementation is
updated to support stronger encryption and signing mechanisms with support for
RFC 8009 by adding SHA-256 and SHA-384. RC4 is deprecated and moved to
the do-not-use cipher list.

Kerberos PKINIT support for cryptographic agility - The Kerberos Public Key
Cryptography for Initial Authentication in Kerberos (PKINIT) protocol
implementation is updated to allow for cryptographic agility by supporting more
algorithms and removing hardcoded algorithms.

LAN Manager GPO setting - The GPO setting Network security: Don't store LAN
Manager hash value on next password change is no longer present nor applicable
to new versions of Windows.

LDAP encryption by default - All LDAP client communication after a Simple
Authentication and Security Layer (SASL) bind utilizes LDAP sealing by default. To
learn more about SASL, see SASL Authentication.

LDAP support for TLS 1.3 - LDAP uses the latest SCHANNEL implementation and
supports TLS 1.3 for LDAP over TLS connections. Using TLS 1.3 eliminates obsolete
cryptographic algorithms, enhances security over older versions, and aims to
encrypt as much of the handshake as possible. To learn more, see Protocols in
TLS/SSL (Schannel SSP) and TLS Cipher Suites in Windows Server 2022.

Legacy SAM RPC password change behavior - Secure protocols such as Kerberos
are the preferred way to change domain user passwords. On DCs, the latest SAM
RPC password change method SamrUnicodeChangePasswordUser4 using AES is
accepted by default when called remotely. The following legacy SAM RPC methods
are blocked by default when called remotely:

SamrChangePasswordUser

SamrOemChangePasswordUser2

SamrUnicodeChangePasswordUser2

For domain users that are members of the Protected Users group and for local
accounts on domain member computers, all remote password changes through
the legacy SAM RPC interface are blocked by default including
SamrUnicodeChangePasswordUser4 .

This behavior can be controlled using the following Group Policy Object (GPO)
setting:

Computer Configuration > Administrative Templates > System > Security
Account Manager > Configure SAM change password RPC methods policy

NUMA support - AD DS now takes advantage of Non-uniform Memory Access
(NUMA) capable hardware by utilizing CPUs in all processor groups. Previously, AD
would only use CPUs in group 0. Active Directory can expand beyond 64 cores.

Performance counters - Counters for monitoring and troubleshooting performance
are now available for the following:

DC Locator - Client and DC specific counters available.

LSA Lookups - Name and SID lookups through the LsaLookupNames,
LsaLookupSids, and equivalent APIs. These counters are available on both Client
and Server SKUs.

LDAP Client - Available in Windows Server 2022 and later via KB 5029250
update.

Replication priority order - AD now allows administrators to increase the system
calculated replication priority with a particular replication partner for a particular
naming context. This feature allows more flexibility in configuring the replication
order to address specific scenarios.

Azure Arc
By default, the Azure Arc setup Feature-on-Demand is installed, which offers a user-
friendly wizard interface and a system tray icon in the taskbar to facilitate the process of
adding servers to Azure Arc. Azure Arc extends the capabilities of the Azure platform,
allowing for the creation of applications and services that can operate in diverse
environments. These include data centers, the edge, and multicloud environments, and
provide increased flexibility. To learn more, see Connect Windows Server machines to
Azure through Azure Arc Setup.

Bluetooth
You can now connect mice, keyboards, headsets, audio devices, and more via Bluetooth
in Windows Server 2025.

Desktop shell
When you sign in for the first time, the desktop shell experience conforms to the style
and appearance of Windows 11.

Delegated Managed Service Account


This new type of account enables migration from a service account to a delegated
Managed Service Account (dMSA). This account type comes with managed and fully
randomized keys ensuring minimal application changes while disabling the original
service account passwords. To learn more, see Delegated Managed Service Accounts
overview.

DTrace
Windows Server 2025 comes equipped with dtrace as a native tool. DTrace is a
command-line utility that enables users to monitor and troubleshoot their system's
performance in real-time. DTrace allows users to dynamically instrument both the kernel
and user-space code without any need to modify the code itself. This versatile tool
supports a range of data collection and analysis techniques, such as aggregations,
histograms, and tracing of user-level events. To learn more, see DTrace for command
line help and DTrace on Windows for additional capabilities.

Email & accounts


You can now add the following accounts in Settings > Accounts > Email & accounts for
Windows Server 2025:

Microsoft Entra ID
Microsoft account
Work or school account

It's important to keep in mind that domain join is still required for most situations.

Feedback Hub
Submitting feedback or reporting problems encountered while using Windows Server
2025 can now be done using the Windows Feedback Hub. You can include screenshots
or recordings of the process that caused the issue to help us understand your situation
and share suggestions to enhance your Windows experience. To learn more, see Explore
the Feedback Hub.

File Compression
Build 26040 has a new compression feature called Compress to, available when you
right-click an item. This feature supports ZIP, 7z, and TAR compression
formats with specific compression methods for each.

Flighting
Flighting is only available for the Canary Channel release beginning in early 2024
starting with build 26010, which allows users to receive Windows Server flights similar to
Windows client. To enable flighting on your device, go to Start > Settings > Windows
Update > Windows Insider Program. From there, you can choose to opt into your
desired Insiders release.

Pinned apps
Pinning your most used apps is now available through the Start menu and is
customizable to suit your needs. As of build 26085, the default pinned apps are
currently:

Azure Arc Setup
Feedback Hub
File Explorer
Microsoft Edge
Server Manager
Settings
Terminal
Windows PowerShell

Server Message Block


Server Message Block (SMB) is one of the most widely used protocols in networking by
providing a reliable way to share files and other resources between devices on your
network. Windows Server 2025 brings the following SMB capabilities.

Starting with build 26090, another set of SMB protocol changes are introduced for
disabling QUIC, signing, and encryption.

SMB over QUIC disablement

Administrators can disable SMB over QUIC client through Group Policy and
PowerShell. To disable SMB over QUIC using Group Policy, set the Enable SMB
over QUIC policy in these paths to Disabled.

Computer Configuration\Administrative Templates\Network\Lanman Workstation

Computer Configuration\Administrative Templates\Network\Lanman Server

To disable SMB over QUIC using PowerShell, run this command in an elevated
PowerShell prompt:

PowerShell

Set-SmbClientConfiguration -EnableSMBQUIC $false

SMB signing and encryption auditing

Administrators can enable auditing of the SMB server and client for support of
SMB signing and encryption. If a third-party client or server lacks support for SMB
encryption or signing, it can be detected. When your third-party device or software
states it supports SMB 3.1.1, but fails to support SMB signing, it violates the SMB
3.1.1 Pre-authentication integrity protocol requirement.

You can configure SMB signing and encryption auditing settings using Group
Policy or PowerShell. These policies can be changed in the following Group Policy
paths:

Computer Configuration\Administrative Templates\Network\Lanman Server\Audit client does not support encryption

Computer Configuration\Administrative Templates\Network\Lanman Server\Audit client does not support signing

Computer Configuration\Administrative Templates\Network\Lanman Workstation\Audit server does not support encryption

Computer Configuration\Administrative Templates\Network\Lanman Workstation\Audit server does not support signing

To perform these changes using PowerShell, run these commands in an elevated
prompt where $true is to enable and $false to disable these settings:

PowerShell

Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true
Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true

Set-SmbClientConfiguration -AuditServerDoesNotSupportEncryption $true
Set-SmbClientConfiguration -AuditServerDoesNotSupportSigning $true

Event logs for these changes are stored in the following Event Viewer paths with
their given Event ID.

Path                                                                Event ID
Applications and Services Logs\Microsoft\Windows\SMBClient\Audit    31998, 31999
Applications and Services Logs\Microsoft\Windows\SMBServer\Audit    3021, 3022
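
The auditing workflow above as an added example, not code from the original article: it reports whether the four audit settings are enabled and summarizes the audit events by log and Event ID. The log names are assumed from the Event Viewer paths in the table, and the function names are hypothetical.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell prompt.
# Log names are assumed from the Event Viewer paths listed in the article.
$SmbAuditSources = @(
    @{ LogName = 'Microsoft-Windows-SMBClient/Audit'; Id = 31998, 31999 },
    @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3021, 3022 }
)

function Get-SmbAuditSettingState {
    # Reads back the four audit switches set with Set-Smb*Configuration.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        AuditServerDoesNotSupportEncryption = $client.AuditServerDoesNotSupportEncryption
        AuditServerDoesNotSupportSigning    = $client.AuditServerDoesNotSupportSigning
        AuditClientDoesNotSupportEncryption = $server.AuditClientDoesNotSupportEncryption
        AuditClientDoesNotSupportSigning    = $server.AuditClientDoesNotSupportSigning
    }
}

function Get-SmbAuditEventSummary {
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)
    $events = foreach ($source in $SmbAuditSources) {
        $filter = @{ LogName = $source.LogName; Id = $source.Id; StartTime = $since }
        try {
            Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # An empty result surfaces as an error; report anything else
            # (for example, a log that doesn't exist on this build).
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$($source.LogName): $($_.Exception.Message)"
            }
        }
    }

    # One row per log and Event ID, with the time range and a sample message line.
    $events | Group-Object LogName, Id | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            LogName   = $sorted[0].LogName
            EventId   = $sorted[0].Id
            Count     = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
            Sample    = ($sorted[-1].Message -split "`r?`n")[0]
        }
    }
}

Get-SmbAuditSettingState | Format-List
Get-SmbAuditEventSummary -Days 7 | Format-Table -AutoSize
```

Reviewing this summary before tightening signing or encryption requirements shows which peers would be affected.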

SMB over QUIC auditing

SMB over QUIC client connection auditing captures events that are written to an
event log to include the QUIC transport in the Event Viewer. These logs are stored
in the following paths with their given Event ID.

Path                                                                       Event ID
Applications and Services Logs\Microsoft\Windows\SMBClient\Connectivity    30832
Applications and Services Logs\Microsoft\Windows\SMBServer\Connectivity    1913

The SMB over QUIC server feature, which was only available in Windows Server
Azure Edition, is now available in both Windows Server Standard and Windows
Server Datacenter versions. SMB over QUIC adds the benefits of QUIC, which
provides low-latency, encrypted connections over the internet.

Previously, SMB server in Windows mandated inbound connections to use the
IANA-registered port TCP/445 while the SMB TCP client only allowed outbound
connections to that same TCP port. Now, SMB over QUIC allows for SMB
alternative ports where QUIC-mandated UDP/443 ports are available for both
server and client devices. To learn more, see Configure alternative SMB ports.

Another feature that's introduced to SMB over QUIC is client access control, which
is an alternative to TCP and RDMA that supplies secure connectivity to edge file
servers over untrusted networks. To learn more, see How client access control
works.

Previously, when a share was created, the SMB firewall rules would be
automatically configured to enable the "File and Printer Sharing" group for the
relevant firewall profiles. Now, the creation of an SMB share in Windows results in
the automatic configuration of the new "File and Printer Sharing (Restrictive)"
group, which no longer permits inbound NetBIOS ports 137-139. To learn more,
see Updated firewall rules.

Starting with build 25997, an update is made to enforce SMB encryption for all
outbound SMB client connections. With this update, administrators can set a
mandate that all destination servers support SMB 3.x and encryption. If a server
lacks these capabilities, the client is unable to establish a connection.

Also in build 25997, the SMB authentication rate limiter, which limits the number of
authentication attempts that can be made within a certain time period, is enabled
by default. To learn more, see How SMB authentication rate limiter works.

Starting with build 25951, the SMB client supports NTLM blocking for remote
outbound connections. Previously, the Windows Simple and Protected GSSAPI
Negotiation Mechanism (SPNEGO) would negotiate Kerberos, NTLM, and other
mechanisms with the destination server to determine a supported security
package. To learn more, see Block NTLM connections on SMB.

A new feature in build 25951 allows you to manage SMB dialects in Windows
where the SMB server now controls which SMB 2 and SMB 3 dialects it negotiates
compared to the previous behavior matching only the highest dialect.

Beginning with build 25931, SMB signing is now required by default for all SMB
outbound connections where previously it was only required when connecting to
shares named SYSVOL and NETLOGON on AD domain controllers. To learn more,
see How signing works.

The Remote Mailslot protocol is disabled by default starting in build 25314 and
may be removed in a later release. To learn more, see Features we're no longer
developing.

SMB compression adds support for industry standard LZ4 compression algorithm,
in addition to its existing support for XPRESS (LZ77), XPRESS Huffman
(LZ77+Huffman), LZNT1, and PATTERN_V1.

Storage Replica Enhanced Log
Enhanced Logs help the Storage Replica log implementation to eliminate the
performance costs associated with file system abstractions, leading to improved block
replication performance. To learn more, see Storage Replica Enhanced Log.

Task Manager
Build 26040 now sports the modern Task Manager app with mica material conforming to
the style of Windows 11.

Wi-Fi
It's now easier to enable wireless capabilities as the Wireless LAN Service feature is now
installed by default. The wireless startup service is set to manual and can be enabled by
running net start wlansvc in the Command Prompt, Windows Terminal, or PowerShell.

Windows containers portability


Portability is a crucial aspect of container management and has the ability to simplify
upgrades by applying enhanced flexibility and compatibility of containers in Windows.
Portability is a feature of Windows Server Annual Channel for container hosts that allows
users to move container images, and their associated data, between different hosts or
environments without requiring any modifications. Users can create a container image
on one host and then deploy it on another host without having to worry about
compatibility issues. To learn more, see Portability for containers.

Windows Insider Program


The Windows Insider Program provides early access to the latest Windows OS releases
for a community of enthusiasts. As a member, you can be among the first to try out new
ideas and concepts that Microsoft is developing. After registering as a member, you can
opt to participate in different release channels by going to Start > Settings >
Windows Update > Windows Insider Program.

Windows Local Administrator Password Solution (LAPS)


Windows LAPS helps organizations manage local administrator passwords on their
domain-joined computers. It automatically generates unique passwords for each
computer's local administrator account, stores them securely in AD, and updates them
regularly. This helps to improve security by reducing the risk of attackers gaining access
to sensitive systems using compromised or easily guessable passwords.

Several features are introduced to Microsoft LAPS that bring the following
improvements:

New automatic account management feature

The latest update allows IT admins to create a managed local account with ease.
With this feature, you can customize the account name, enable or disable the
account, and even randomize the account name for enhanced security.
Additionally, the update includes improved integration with Microsoft's existing
local account management policies. To learn more about this feature, see Windows
LAPS account management modes.

New image rollback detection feature

Windows LAPS now detects when an image rollback occurs. If a rollback does
happen, the password stored in AD may no longer match the password stored
locally on the device. Rollbacks can result in a "torn state" where the IT admin is
unable to sign into the device using the persisted Windows LAPS password.

To address this issue, a new feature was added that includes an AD attribute called
msLAPS-CurrentPasswordVersion. This attribute contains a random GUID written
by Windows LAPS every time a new password is persisted in AD and saved locally.
During every processing cycle, the GUID stored in msLAPS-CurrentPasswordVersion
is queried and compared to the locally persisted copy. If
they're different, the password is immediately rotated.

To enable this feature, it's necessary to run the latest version of the
Update-LapsADSchema cmdlet. Once complete, Windows LAPS recognizes the new attribute
and begins using it. If you don't run the updated version of the
Update-LapsADSchema cmdlet, Windows LAPS logs a 10108 warning event in the event log,
but continues to function normally in all other respects.

No policy settings are used to enable or configure this feature. The feature is
always enabled once the new schema attribute is added.
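
A way to check both conditions described above, as an added example that is not part of the original article: whether the forest schema already defines msLAPS-CurrentPasswordVersion, and which managed machines have logged event 10108. The function names are hypothetical, and the event log name is an assumption (the Windows LAPS operational channel), since the article doesn't name the log.

```powershell
# Added example, not Microsoft's code. Requires the ActiveDirectory module (RSAT).
function Test-LapsRollbackDetectionSchema {
    # True when the forest schema defines the attribute used for rollback detection.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attribute = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msLAPS-CurrentPasswordVersion)'
    [bool]$attribute
}

function Get-LapsSchemaWarning {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    # Assumed log name; 10108 is the warning event ID given in the article.
    $filter = @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Id        = 10108
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Select-Object @{ n = 'Computer'; e = { $computer } }, TimeCreated, Id
        }
        catch {
            # No matching events is the healthy case; surface other errors.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "${computer}: $($_.Exception.Message)"
            }
        }
    }
}

if (-not (Test-LapsRollbackDetectionSchema)) {
    Write-Warning 'Schema lacks msLAPS-CurrentPasswordVersion; run the latest Update-LapsADSchema.'
}
Get-LapsSchemaWarning -Days 7
```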

New passphrase feature

IT admins can now utilize a new feature in Windows LAPS that enables the
generation of less complex passphrases. An example would be a passphrase such
as "EatYummyCaramelCandy", which is easier to read, remember, and type,
compared to a traditional password like "V3r_b4tim#963?".

This new feature also allows the PasswordComplexity policy setting to be
configured to select one of three different passphrase word lists, all of which are
included in Windows without requiring a separate download. A new policy setting
called PassphraseLength controls the number of words used in the passphrase.

When you're creating a passphrase, the specified number of words are randomly
selected from the chosen word list and concatenated. The first letter of each word
is capitalized to enhance readability. This feature also fully supports backing
passwords up to either Windows Server AD or Microsoft Entra ID.

The passphrase word lists used in the three new PasswordComplexity passphrase
settings are sourced from the Electronic Frontier Foundation's article, "Deep Dive:
EFF's New Wordlists for Random Passphrases". The Windows LAPS Passphrase
Word Lists is licensed under the CC-BY-3.0 Attribution license and is available for
download.

Note

Windows LAPS doesn't allow for customization of the built-in word lists nor
the use of customer-configured word lists.
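
The passphrase construction described above, as an added example that is not the Windows LAPS implementation: words are picked uniformly with a cryptographic random number generator, capitalized, and concatenated, and the entropy for a given PassphraseLength is estimated. The word list is a constructed 16-word sample, the function names are hypothetical, and the list sizes 1296 and 7776 are those of the EFF lists the article cites; that the built-in lists have the same sizes is an assumption.

```powershell
# Added example, not the Windows LAPS implementation.
# Constructed 16-word sample list; the built-in word lists aren't reproduced here.
$SampleWords = 'apple', 'bridge', 'candle', 'desert', 'engine', 'forest', 'garden', 'harbor',
               'island', 'jacket', 'kettle', 'ladder', 'meadow', 'needle', 'orange', 'pocket'

function Get-UniformIndex {
    param(
        [Parameter(Mandatory)][int]$UpperBound,
        [Parameter(Mandatory)][System.Security.Cryptography.RandomNumberGenerator]$Rng
    )
    # Rejection sampling: discard draws from the partial top range so that
    # value % UpperBound is uniform (no modulo bias).
    $range  = 4294967296                      # 2^32, held as Int64
    $limit  = $range - ($range % $UpperBound)
    $buffer = New-Object byte[] 4
    do {
        $Rng.GetBytes($buffer)
        $value = [long][System.BitConverter]::ToUInt32($buffer, 0)
    } while ($value -ge $limit)
    [int]($value % $UpperBound)
}

function New-SamplePassphrase {
    param(
        [Parameter(Mandatory)][string[]]$WordList,
        [Parameter(Mandatory)][int]$PassphraseLength
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $words = for ($i = 0; $i -lt $PassphraseLength; $i++) {
            $word = $WordList[(Get-UniformIndex -UpperBound $WordList.Count -Rng $rng)]
            # Capitalize the first letter of each word for readability.
            $word.Substring(0, 1).ToUpperInvariant() + $word.Substring(1).ToLowerInvariant()
        }
        -join $words
    }
    finally {
        $rng.Dispose()
    }
}

function Get-PassphraseEntropyBits {
    param(
        [Parameter(Mandatory)][int]$WordListSize,
        [Parameter(Mandatory)][int]$PassphraseLength
    )
    # Each word is an independent uniform choice: bits = words * log2(list size).
    [math]::Round($PassphraseLength * [math]::Log($WordListSize, 2), 1)
}

New-SamplePassphrase -WordList $SampleWords -PassphraseLength 4

# Entropy for the constructed list and for the two assumed list sizes.
foreach ($size in $SampleWords.Count, 1296, 7776) {
    foreach ($length in 3..6) {
        [pscustomobject]@{
            WordListSize     = $size
            PassphraseLength = $length
            EntropyBits      = Get-PassphraseEntropyBits -WordListSize $size -PassphraseLength $length
        }
    }
}
```

The entropy table makes the trade-off visible: a shorter word list needs a larger PassphraseLength to reach the same strength.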

Improved readability password dictionary

Windows LAPS introduces a new PasswordComplexity setting that enables IT
admins to create less complex passwords. This feature allows you to customize
LAPS to use all four character categories (upper case letters, lower case letters,
numbers, and special characters) like the existing complexity setting of 4. However,
with the new setting of 5, the more complex characters are excluded to enhance
password readability and minimize confusion. For example, the number "1" and the
letter "I" are never used with the new setting.

When PasswordComplexity is configured to 5, the following changes are made to
the default password dictionary character set:

1. Don’t use these letters: 'I', 'O', 'Q', 'l', 'o'
2. Don’t use these numbers: '0', '1'
3. Don’t use these "special" characters: ',', '.', '&', '{', '}', '[', ']', '(', ')', ';'
4. Start using these "special" characters: ':', '=', '?', '*'

The Active Directory Users and Computers snap-in (via Microsoft Management
Console) now features an improved Windows LAPS tab. The Windows LAPS
password is now displayed in a new font that enhances its readability when shown
in plain text.

PostAuthenticationAction support for terminating individual processes

A new option is added to the PostAuthenticationActions (PAA) Group Policy
setting, “Reset the password, sign out the managed account, and terminate any
remaining processes” located in Computer Configuration > Administrative
Templates > System > LAPS > Post-authentication actions.

This new option is an extension of the previous "Reset the password and sign out
the managed account" option. Once configured, the PAA notifies and then
terminates any interactive sign-in sessions. It enumerates and terminates any
remaining processes that are still running under the Windows LAPS-managed local
account identity. It's important to note that no notification precedes this
termination.

Furthermore, the expansion of logging events during post-authentication-action
execution provides deeper insights into the operation.

To learn more about Windows LAPS, see What is Windows LAPS?.

Windows Terminal
The Windows Terminal, a powerful and efficient multishell application for command-line
users, is available in this build. Search for "Terminal" in the search bar.

Winget
Winget, a command-line Windows Package Manager tool that provides comprehensive
package manager solutions for installing applications on Windows devices, is installed
by default. To learn more, see Use the winget tool to install and manage
applications.

See also
Windows Server Insiders Community discussions

What's new in Windows Server 2022
Article • 04/02/2024

Applies to: Windows Server 2022

This article describes some of the new features in Windows Server 2022. Windows Server
2022 is built on the strong foundation of Windows Server 2019 and brings many
innovations on three key themes: security, Azure hybrid integration and management,
and application platform.

Azure Edition
Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to
keep your VMs up to date while minimizing downtime. This section describes some of
the new features in Windows Server 2022 Datacenter: Azure Edition. Learn more about
how Azure Automanage for Windows Server brings these new capabilities to Windows
Server Azure Edition in the Azure Automanage for Windows Server services article.

Windows Server 2022 Datacenter: Azure Edition builds on Datacenter Edition to deliver a
VM-only operating system that helps you use the benefits of cloud, with advanced
features like SMB over QUIC, Hotpatch, and Azure Extended Networking. This section
describes some of these new features.

Compare the differences in the editions in Windows Server 2022. You can also learn
more about how Azure Automanage for Windows Server brings these new capabilities
to Windows Server Azure Edition in the Azure Automanage for Windows Server services
article.

April 2023

Hotpatching
Windows Server 2022 Datacenter: Azure Edition Hotpatching is now in public preview for
the Desktop Experience both in Azure and as a supported guest VM on Azure Stack HCI
version 22H2.

September 2022
This section lists the features and improvements that are now available in Windows
Server Datacenter: Azure Edition beginning with the 2022-09 Cumulative Update for
Microsoft server operating system version 21H2 for x64-based Systems (KB5017381).
After you've installed the Cumulative Update, the OS build number will be 20348.1070 or
higher.

Storage Replica compression for data transfer


This update includes Storage Replica compression for data transferred between the
source and destination servers. This new functionality compresses the replication data at
the source system; the data is then sent over the network and decompressed and saved on the
destination. The compression results in fewer network packets to transfer the same
amount of data, allowing for more throughput, and less network utilization. Higher data
throughput should also result in lowering synchronization time for when you need it
most, for example in a disaster recovery scenario.

New Storage Replica PowerShell parameters are available for existing commands. Review
the Windows PowerShell StorageReplica reference to learn more. For more information
about Storage Replica, see the Storage Replica overview.

Support for Azure Stack HCI

With this release you can run Windows Server 2022 Datacenter: Azure Edition as a
supported guest VM on Azure Stack HCI version 22H2. With Azure Edition running on
Azure Stack HCI, you'll be able to use all the existing features including Hotpatch for
Server Core and SMB over QUIC at your datacenter and edge locations.

Begin deploying Windows Server 2022 Datacenter: Azure Edition using the Azure
Marketplace on Arc-enabled Azure Stack HCI or using an ISO. You can download the ISO
from here:

Windows Server 2022 Datacenter: Azure Edition (EN-US) ISO


Windows Server 2022 Datacenter: Azure Edition (ZH-CN) ISO

Your Azure subscription permits you to use Windows Server Datacenter: Azure Edition
on any virtual machine instances running on Azure Stack HCI. For more information, see
your Product Terms.

Learn more about the latest Azure Stack HCI features in our What's new in Azure Stack
HCI, version 22H2 article.

Deploy from Azure Marketplace on Arc-enabled Azure Stack HCI (preview)

Windows Server 2022 Datacenter: Azure Edition images will be available in the Azure
Marketplace for Arc-enabled Azure Stack HCI, making it easy to try, buy, and deploy
using Azure certified images.

Learn more about the Azure Marketplace integration for Azure Arc-enabled Azure Stack
HCI features in our What's new in Azure Stack HCI, version 22H2 article.

Azure Edition (initial release)


This section lists the features and improvements available in Windows Server
Datacenter: Azure Edition with the release in September 2021.

Azure Automanage - Hotpatch

Hotpatching, part of Azure Automanage, is a new way to install updates on new
Windows Server Azure Edition virtual machines (VMs) that doesn't require a reboot after
installation. More information can be found at the Azure Automanage documentation.

SMB over QUIC

SMB over QUIC updates the SMB 3.1.1 protocol to use the QUIC protocol instead of TCP
in Windows Server 2022 Datacenter: Azure Edition, Windows 11 and later, and third
party clients if they support it. By using SMB over QUIC along with TLS 1.3, users and
applications can securely and reliably access data from edge file servers running in
Azure. Mobile and telecommuter users no longer need a VPN to access their file servers
over SMB when on Windows. More information can be found at the SMB over QUIC
documentation and SMB over QUIC management with Automanage machine best
practices.

To learn more about QUIC, review RFC 9000.

Extended network for Azure

Azure Extended Network enables you to stretch an on-premises subnet into Azure to let
on-premises virtual machines keep their original on-premises private IP addresses when
migrating to Azure. To learn more, see Azure Extended Network.

All editions
This section describes some of the new features in Windows Server 2022 across all
editions. To learn more about the different editions, review the Comparison of Standard,
Datacenter, and Datacenter: Azure Edition editions of Windows Server 2022 article.

Security
The new security capabilities in Windows Server 2022 combine other security
capabilities in Windows Server across multiple areas to provide defense-in-depth
protection against advanced threats. Advanced multi-layer security in Windows Server
2022 provides the comprehensive protection that servers need today.

Secured-core server

Certified Secured-core server hardware from an OEM partner provides more security
protections that are useful against sophisticated attacks. Certified Secured-core server
hardware can provide increased assurance when handling mission critical data in some
of the most data sensitive industries. A Secured-core server uses hardware, firmware,
and driver capabilities to enable advanced Windows Server security features. Many of
these features are available in Windows Secured-core PCs and are now also available
with Secured-core server hardware and Windows Server 2022. For more information
about Secured-core server, see Secured-core server.

Hardware root-of-trust

Used by features such as BitLocker drive encryption, Trusted Platform Module 2.0 (TPM
2.0) secure crypto-processor chips provide a secure, hardware-based store for sensitive
cryptographic keys and data, including systems integrity measurements. TPM 2.0 can
verify that the server has been started with legitimate code and can be trusted by
subsequent code execution, known as a hardware root-of-trust.

Firmware protection

Firmware executes with high privileges and is often invisible to traditional anti-virus
solutions, which has led to a rise in the number of firmware-based attacks. Secured-core
servers measure and verify boot processes with Dynamic Root of Trust for Measurement
(DRTM) technology. Secured-core servers can also isolate driver access to memory
with Direct Memory Access (DMA) protection.

UEFI secure boot


UEFI secure boot is a security standard that protects your servers from malicious
rootkits. Secure boot ensures the server boots only firmware and software trusted by the
hardware manufacturer. When the server is started, the firmware checks the signature of
each boot component including firmware drivers and the OS. If the signatures are valid,
the server boots and the firmware gives control to the OS.

Virtualization-based security (VBS)

Secured-core servers support virtualization-based security (VBS) and hypervisor-based
code integrity (HVCI). VBS uses hardware virtualization features to create and isolate a
secure region of memory from the normal operating system, protecting against an
entire class of vulnerabilities used in cryptocurrency mining attacks. VBS also allows for
the use of Credential Guard, where user credentials and secrets are stored in a virtual
container that the operating system can't access directly.

HVCI uses VBS to significantly strengthen code integrity policy enforcement. Kernel
mode integrity prevents unsigned kernel mode drivers or system files from being loaded
into system memory.

Kernel Data Protection (KDP) provides read-only memory protection of kernel memory
containing non-executable data where memory pages are protected by Hypervisor. KDP
protects key structures in the Windows Defender System Guard runtime from being
tampered with.
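
A read-only check of the protections named in this Secured-core section, as an added PowerShell example rather than Microsoft tooling. It maps the Win32_DeviceGuard status codes to Secure Boot, TPM 2.0, VBS, HVCI, Credential Guard, DRTM (Secure Launch) and DMA protection; the function names are hypothetical and the $sample object is constructed so the interpretation logic can be seen without a Secured-core server.

```powershell
# Added example, not Microsoft tooling. Reads state only; changes nothing.
function ConvertTo-SecuredCoreReport {
    # Interprets Win32_DeviceGuard codes plus Secure Boot and TPM facts.
    param(
        [Parameter(Mandatory)]$DeviceGuard,     # Win32_DeviceGuard instance or look-alike
        [Nullable[bool]]$SecureBoot,            # $null when the state could not be read
        [string]$TpmSpecVersion                 # Win32_Tpm.SpecVersion, e.g. '2.0, 0, 1.38'
    )
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $running  = @($DeviceGuard.SecurityServicesRunning)       # services actually running
    $avail    = @($DeviceGuard.AvailableSecurityProperties)   # what the hardware offers

    [pscustomobject]@{
        SecureBoot             = $SecureBoot
        Tpm20                  = $TpmSpecVersion -like '2.0*'
        VbsStatus              = $vbsState[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = $running -contains 1
        HvciRunning            = $running -contains 2
        SecureLaunchDrtm       = $running -contains 3
        DmaProtectionAvailable = $avail -contains 3
    }
}

function Get-SecuredCoreStatus {
    # Collects the live values. Run elevated on the server being checked.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    $secureBoot = $null
    try {
        # Throws on legacy BIOS systems and when not elevated.
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    ConvertTo-SecuredCoreReport -DeviceGuard $dg -SecureBoot $secureBoot `
                                -TpmSpecVersion $tpm.SpecVersion
}

# Constructed sample: VBS running with HVCI only, on hardware that offers
# hypervisor support (1), Secure Boot (2), DMA protection (3) and NX (5).
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesRunning           = @(2)
    AvailableSecurityProperties       = @(1, 2, 3, 5)
}
ConvertTo-SecuredCoreReport -DeviceGuard $sample -SecureBoot $true -TpmSpecVersion '2.0, 0, 1.38'

# Live check on the server itself.
if ($env:OS -eq 'Windows_NT') { Get-SecuredCoreStatus }
```

In the sample, HVCI is running but Credential Guard and Secure Launch are not, which is the kind of partial enablement the report is meant to surface.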

Secure connectivity

Transport: HTTPS and TLS 1.3 enabled by default on Windows Server 2022

Secure connections are at the heart of today's interconnected systems. Transport Layer
Security (TLS) 1.3 is the latest version of the internet's most deployed security protocol,
which encrypts data to provide a secure communication channel between two
endpoints. HTTPS and TLS 1.3 are now enabled by default on Windows Server 2022,
protecting the data of clients connecting to the server. It eliminates obsolete
cryptographic algorithms, enhances security over older versions, and aims to encrypt as
much of the handshake as possible. Learn more about supported TLS versions and
about supported cipher suites.

Although TLS 1.3 in the protocol layer is now enabled by default, applications and
services also need to actively support it. The Microsoft Security blog has more detail in
the post Taking Transport Layer Security (TLS) to the next level with TLS 1.3.

Secure DNS: Encrypted DNS name resolution requests with DNS-over-HTTPS

DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH), which
encrypts DNS queries using the HTTPS protocol. DoH helps keep your traffic as private
as possible by preventing eavesdropping and manipulation of your DNS data. Learn
more about configuring the DNS client to use DoH.

Server Message Block (SMB): SMB AES-256 encryption for the most security conscious

Windows Server now supports AES-256-GCM and AES-256-CCM cryptographic suites
for SMB encryption. Windows will automatically negotiate this more advanced cipher
method when connecting to another computer that also supports it, and it can also be
mandated through Group Policy. Windows Server still supports AES-128 for down-level
compatibility. AES-128-GMAC signing now also accelerates signing performance.

SMB: East-West SMB encryption controls for internal cluster communications

Windows Server failover clusters now support granular control of encrypting and
signing intra-node storage communications for Cluster Shared Volumes (CSV) and the
storage bus layer (SBL). When using Storage Spaces Direct, you can now decide to
encrypt or sign east-west communications within the cluster itself for higher security.

SMB Direct and RDMA encryption

SMB Direct and RDMA supply high bandwidth, low latency networking fabric for
workloads like Storage Spaces Direct, Storage Replica, Hyper-V, Scale-out File Server,
and SQL Server. SMB Direct in Windows Server 2022 now supports encryption.
Previously, enabling SMB encryption disabled direct data placement; this was
intentional, but seriously impacted performance. Now data is encrypted before data
placement, leading to far less performance degradation while adding AES-128 and AES-
256 protected packet privacy.

More information on SMB encryption, signing acceleration, secure RDMA, and cluster
support can be found at SMB security enhancements.
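
To see whether a file server merely offers AES-256 or actually mandates it, and which shares still allow unencrypted access, the server configuration can be audited. This is an added PowerShell example, not Microsoft tooling: the function name is hypothetical, the sample configuration and share names are constructed, and it relies on the EncryptionCiphers, EncryptData and RejectUnencryptedAccess properties returned by Get-SmbServerConfiguration and Get-SmbShare.

```powershell
# Added example, not Microsoft tooling. Reads configuration only; changes nothing.
function Test-SmbEncryptionPosture {
    param(
        [Parameter(Mandatory)]$ServerConfig,       # output of Get-SmbServerConfiguration
        [Parameter(Mandatory)][object[]]$Shares    # output of Get-SmbShare
    )
    # EncryptionCiphers is a comma-separated string such as 'AES_128_GCM, AES_256_GCM'.
    $ciphers  = @("$($ServerConfig.EncryptionCiphers)" -split '\s*,\s*' | Where-Object { $_ })
    $aes256   = @($ciphers -like 'AES_256_*')
    $aes128   = @($ciphers -like 'AES_128_*')
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($ciphers.Count -eq 0) {
        $findings.Add('No EncryptionCiphers value: property missing or unreadable on this OS.')
    } elseif ($aes256.Count -eq 0) {
        $findings.Add('AES-256 suites are not offered.')
    } elseif ($aes128.Count -gt 0) {
        $findings.Add('AES-128 is still negotiable (down-level compatibility); AES-256 is not mandated.')
    }

    # Server-wide EncryptData covers every share; otherwise check share by share.
    if (-not $ServerConfig.EncryptData) {
        $clear = @($Shares | Where-Object { -not $_.EncryptData } | ForEach-Object { $_.Name })
        if ($clear.Count -gt 0) {
            $findings.Add("Shares that do not require encryption: $($clear -join ', ')")
        }
    }

    if (-not $ServerConfig.RejectUnencryptedAccess) {
        $findings.Add('RejectUnencryptedAccess is off: clients that cannot encrypt are still served.')
    }

    [pscustomobject]@{
        Ciphers    = $ciphers
        Aes256Only = ($aes256.Count -gt 0 -and $aes128.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample values, not taken from a real server.
$sampleConfig = [pscustomobject]@{
    EncryptData             = $false
    RejectUnencryptedAccess = $true
    EncryptionCiphers       = 'AES_128_GCM, AES_128_CCM, AES_256_GCM, AES_256_CCM'
}
$sampleShares = @(
    [pscustomobject]@{ Name = 'Finance'; EncryptData = $true  },
    [pscustomobject]@{ Name = 'Public';  EncryptData = $false }
)
(Test-SmbEncryptionPosture -ServerConfig $sampleConfig -Shares $sampleShares).Findings

# On a Windows Server 2022 file server:
# Test-SmbEncryptionPosture -ServerConfig (Get-SmbServerConfiguration) -Shares (Get-SmbShare)
```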

Azure hybrid capabilities


You can increase your efficiency and agility with built-in hybrid capabilities in Windows
Server 2022 that allow you to extend your data centers to Azure more easily than ever
before.

Azure Arc enabled Windows Servers


Azure Arc enabled servers with Windows Server 2022 brings on-premises and
multicloud Windows Servers to Azure with Azure Arc. This management experience is
designed to be consistent with how you manage native Azure virtual machines. When a
hybrid machine is connected to Azure, it becomes a connected machine and is treated
as a resource in Azure. More information can be found at the Azure Arc enabled servers
documentation.

Add Windows Servers

As of the KB5031364 update, you can now add Windows Servers with an easy, simple
process.

To add new Windows Servers, go to the Azure Arc icon in the bottom-right corner of the
taskbar and launch the Azure Arc Setup program to install and configure an Azure
Connected Machine Agent. Once installed, you can use the Azure Connected Machine
Agent at no extra charge to your Azure account. Once you've enabled Azure Arc on your
server, you can see the status information in the taskbar icon.

To learn more, see Connect Windows Server machines to Azure through Azure Arc
Setup.

Windows Admin Center

Improvements to Windows Admin Center to manage Windows Server 2022 include
capabilities to both report on the current state of the Secured-core features mentioned
above, and where applicable, allow customers to enable the features. More information
on these and many more improvements to Windows Admin Center can be found at the
Windows Admin Center documentation.

Application platform
There are several platform improvements for Windows Containers, including application
compatibility and the Windows Container experience with Kubernetes.

Some of the new features are:

Reduced Windows Container image size by up to 40%, which leads to a 30% faster
startup time and better performance.

Applications can now use Azure Active Directory with group Managed Service
Accounts (gMSA) without domain joining the container host. Windows Containers
now also support Microsoft Distributed Transaction Control (MSDTC) and Microsoft
Message Queuing (MSMQ).

Simple buses can now be assigned to process-isolated Windows Server containers.
Applications running in containers that need to talk over SPI, I2C, GPIO, and
UART/COM are now able to do so.

We've enabled support for hardware acceleration of DirectX APIs in Windows
containers to support scenarios such as Machine Learning (ML) inference using
local graphical processing unit (GPU) hardware. For more information, see the
Bringing GPU acceleration to Windows containers blog post.

There are several other enhancements that simplify the Windows Container
experience with Kubernetes. These enhancements include support for host-process
containers for node configuration, IPv6, and consistent network policy
implementation with Calico.

Windows Admin Center has been updated to make it easy to containerize .NET
applications. Once the application is in a container, you can host it on Azure
Container Registry to then deploy it to other Azure services, including Azure
Kubernetes Service.

With support for Intel Ice Lake processors, Windows Server 2022 supports
business-critical and large-scale applications that require up to 48 TB of memory
and 2,048 logical cores running on 64 physical sockets. Confidential computing
with Intel Secured Guard Extension (SGX) on Intel Ice Lake improves application
security by isolating applications from each other with protected memory.

To learn more about the new features, see What's new for Windows containers in
Windows Server 2022.

Other key features

Remote Desktop IP virtualization


As of the KB5030216 update, you can now use Remote Desktop IP Virtualization.
Remote Desktop IP Virtualization simulates a single-user desktop by supporting per-
session and per-program Remote Desktop IP Virtualization for Winsock applications. To
learn more, see Remote Desktop IP Virtualization in Windows Server.

Task Scheduler and Hyper-V Manager for Server Core installations


We added two management tools to the App Compatibility Feature on Demand feature
package in this version, Task Scheduler (taskschd.msc) and Hyper-V Manager
(virtmgmt.msc). For more information, see Server Core App Compatibility Feature on
Demand (FOD).

Nested virtualization for AMD processors


Nested virtualization is a feature that allows you to run Hyper-V inside of a Hyper-V
virtual machine (VM). Windows Server 2022 brings support for nested virtualization
using AMD processors, giving more choices of hardware for your environments. More
information can be found at the nested virtualization documentation.

Microsoft Edge browser


Microsoft Edge is included with Windows Server 2022, replacing Internet Explorer. It's
built on Chromium open source and backed by Microsoft security and innovation. It can
be used with the Server with Desktop Experience installation options. More information
can be found at the Microsoft Edge Enterprise documentation. Microsoft Edge, unlike
the rest of Windows Server, follows the Modern Lifecycle for its support lifecycle. For
details, see Microsoft Edge lifecycle documentation.

Networking performance

UDP performance improvements

UDP is becoming a popular protocol carrying more network traffic due to the increasing
popularity of RTP and custom (UDP) streaming and gaming protocols. The QUIC
protocol, built on top of UDP, brings the performance of UDP to a level on par with TCP.
Significantly, Windows Server 2022 includes UDP Segmentation Offload (USO). USO
moves most of the work required to send UDP packets from the CPU to the network
adapter's specialized hardware. Complementing USO is UDP Receive Side Coalescing
(UDP RSC), which coalesces packets and reduces CPU usage for UDP processing. In
addition, we have also made hundreds of improvements to the UDP data path, both
transmit and receive. Windows Server 2022 and Windows 11 both have this new
capability.

TCP performance improvements

Windows Server 2022 uses TCP HyStart++ to reduce packet loss during connection
start-up (especially in high-speed networks) and RACK to reduce Retransmit TimeOuts
(RTO). These features are enabled in the transport stack by default and provide a
smoother network data flow with better performance at high speeds. Windows Server
2022 and Windows 11 both have this new capability.

Hyper-V virtual switch improvements

Virtual switches in Hyper-V have been enhanced with updated Receive Segment
Coalescing (RSC). RSC allows the hypervisor network to coalesce packets and process as
one larger segment. CPU cycles are reduced and segments will remain coalesced across
the entire data path until processed by the intended application. RSC results in
improved performance for both network traffic from an external host, received by a
virtual NIC, and from a virtual NIC to another virtual NIC on the same host.

System Insights disk anomaly detection


System Insights has another capability via Windows Admin Center, disk anomaly
detection.

Disk anomaly detection is a new capability that highlights when disks are behaving
differently than usual. While different isn't necessarily a bad thing, seeing these
anomalous moments can be helpful when troubleshooting issues on your systems. This
capability is also available for servers running Windows Server 2019.

Windows Update rollback improvements


Servers can now automatically recover from startup failures by removing updates if the
startup failure was introduced after the installation of recent driver or quality Windows
Updates. When a device is unable to start up properly after the recent installation of
quality or driver updates, Windows will now automatically uninstall the updates to get
the device back up and running normally.

This functionality requires the server to be using the Server Core installation option
with a Windows Recovery Environment partition.

Storage

Storage Migration Service


Enhancements to Storage Migration Service in Windows Server 2022 make it easier to
migrate storage to Windows Server or to Azure from more source locations. Here are
the features that are available when running the Storage Migration Service orchestrator
on Windows Server 2022:

Migrate local users and groups to the new server.
Migrate storage from failover clusters, migrate to failover clusters, and migrate
between standalone servers and failover clusters.
Migrate storage from a Linux server that uses Samba.
More easily synchronize migrated shares into Azure by using Azure File Sync.
Migrate to new networks such as Azure.
Migrate NetApp CIFS servers from NetApp FAS arrays to Windows servers and
clusters.

Adjustable storage repair speed


User adjustable storage repair speed is a new feature in Storage Spaces Direct that
offers more control over the data resync process. Adjustable storage repair speed
enables you to allocate resources to either repair data copies (resiliency) or to run active
workloads (performance). Controlling the repair speed helps improve availability and
allows you to service your clusters more flexibly and efficiently.

Faster repair and resynchronization


Storage repair and resynchronization after events such as node reboots and disk failures
are now twice as fast. Repairs have less variance in time taken so you can be more sure
of how long the repairs will take, which has been achieved through adding more
granularity to data tracking. Repairs now only move the data that needs to be moved,
reducing the system resources used and time taken.

Storage bus cache with Storage Spaces on standalone servers

Storage bus cache is now available for standalone servers. It can significantly improve
read and write performance, while maintaining storage efficiency and keeping the
operational costs low. Similar to its implementation for Storage Spaces Direct, this
feature binds together faster media (for example, NVMe or SSD) with slower media (for
example, HDD) to create tiers. A portion of the faster media tier is reserved for the
cache. To learn more, see Enable storage bus cache with Storage Spaces on standalone
servers.

ReFS file-level snapshots


Microsoft's Resilient File System (ReFS) now includes the ability to snapshot files using a
quick metadata operation. Snapshots are different than ReFS block cloning in that
clones are writable, whereas snapshots are read-only. This functionality is especially
useful in virtual machine backup scenarios with VHD/VHDX files. ReFS snapshots are
unique in that they take a constant time irrespective of file size. Support for snapshots is
available in ReFSUtil or as an API.

SMB compression
An enhancement to SMB in Windows Server 2022 and Windows 11 allows a user or
application to compress files as they transfer over the network. Users no longer have to
manually zip files in order to transfer much faster on slower or more congested
networks. For details, see SMB Compression.

Containers
Windows Server 2022 includes the following changes to Windows containers.

Server Core image size reduction

We've reduced the size of Server Core images. This smaller image size allows you to
deploy containerized applications faster. In Windows Server 2022, the Server Core
container image release to manufacturing (RTM) layer at the time of GA clocks in at 2.76
GB uncompressed on disk. Compared to the Windows Server 2019 RTM layer at the time
of GA, which clocks in at 3.47 GB uncompressed on disk, that's a 33% reduction in on-
disk footprint for that layer. While you shouldn't expect the total image size to be
reduced by 33%, a smaller RTM layer size generally means the overall image size will be
smaller.

Note

Windows container base images ship as two layers: an RTM layer and a patch layer
that contains the latest security fixes for OS libraries and binaries that's overlaid on
the RTM layer. The patch layer's size changes over the life of the container image
support cycle depending on how many changes are in the binaries. When you pull
a container base image onto a new host, you need to pull both layers.

Longer support cycle for all Windows container images

Windows Server 2022 images, including Server Core, Nano Server, and Server image,
have five years of mainstream support and five years of extended support. This longer
support cycle ensures you have time to implement, use, and upgrade or migrate when
appropriate for your organization. For more information, see Windows containers base
image lifecycles and Windows Server 2022 lifecycles.

Virtualized time zone


With Windows Server 2022, Windows containers can now maintain a virtualized time
zone configuration separate from the host. All configurations the host time zone
typically uses are now virtualized and instanced for each container. To configure the
container time zone, you can use the tzutil command utility or the Set-TimeZone
PowerShell cmdlet. To learn more, see Virtualized time zone.

Scalability improvements for overlay networking support

Windows Server 2022 aggregates several performance and scale improvements that
were already in four earlier Semi-Annual Channel (SAC) releases of Windows Server that
hadn't been backported into Windows Server 2019:

Fixed the issue that caused port exhaustion when using hundreds of Kubernetes
services and pods on the same node.
Improved packet forwarding performance in the Hyper-V virtual switch (vSwitch).
Increased reliability across Container Networking Interface (CNI) restarts in
Kubernetes.
Improvements in the Host Networking Service (HNS) control plane and in the data
plane used by Windows Server containers and Kubernetes networking.

To learn more about the performance and scalability improvements for overlay
networking support, see Kubernetes Overlay Networking for Windows.

Direct Server Return routing for overlay and l2bridge networks


Direct Server Return (DSR) is an asymmetric network load distribution in load balanced
systems that makes request and response traffic use different network paths. Using
different network paths helps avoid extra hops and reduces latency, speeding up
response time between the client and service and removing extra load from the load
balancer. DSR transparently achieves increased network performance for applications
with little to no infrastructure changes.

To learn more, see DSR in Introduction to Windows support in Kubernetes.

gMSA improvements
You can use Group Managed Service Accounts (gMSA) with Windows containers to
facilitate Active Directory (AD) authentication. When introduced in Windows Server
2019, gMSA required joining the container host to a domain to retrieve the gMSA
credentials from Active Directory. In Windows Server 2022, gMSA for containers with a
non-domain joined host uses a portable user identity instead of a host identity to
retrieve gMSA credentials. Therefore, manually joining Windows worker nodes to a
domain is no longer necessary. After authentication, Kubernetes saves the user identity
as a secret. gMSA for containers with a non-domain joined host provides the flexibility
of creating containers with gMSA without joining the host node to the domain.

To learn more about the gMSA improvements, see Create gMSAs for Windows
containers.

IPv6 support
Kubernetes in Windows now supports the IPv6 dual stack in L2bridge-based networks in
Windows Server. IPv6 is dependent on the CNI that Kubernetes uses, and also requires
Kubernetes version 1.20 or later to enable end-to-end IPv6 support. For more
information, see IPv4/IPv6 in Introduction to Windows support in Kubernetes.

Multi-subnet support for Windows worker nodes with Calico for Windows

The Host Network Service (HNS) now allows you to use more restrictive subnets, such as
subnets with a longer prefix length, and also multiple subnets for each Windows worker
node. Previously, HNS restricted Kubernetes container endpoint configurations to only
use the prefix length of the underlying subnet. The first CNI that makes use of this
functionality is Calico for Windows. For more information, see Multiple subnet support
in Host Networking Service.

HostProcess containers for node management


HostProcess containers are a new container type that runs directly on the host and
extends the Windows container model to enable a wider range of Kubernetes cluster
management scenarios. With HostProcess containers, users can package and distribute
management operations that require host access while retaining versioning and
deployment methods provided by containers. You can use Windows containers for a
variety of device plug-in, storage, and networking management scenarios in Kubernetes.

HostProcess containers have the following benefits:

Cluster users no longer need to sign in and individually configure each Windows
node for administrative tasks and management of Windows services.
Users can utilize the container model to deploy management logic to as many
clusters as needed.
Users can build HostProcess containers on top of existing Windows Server 2019 or
later base images, manage them using Windows container runtime, and run as any
user available in the domain of the host machine.
HostProcess containers provide the best way to manage Windows nodes in
Kubernetes.

For more information, see Windows HostProcess Containers.

Windows Admin Center improvements

Windows Server 2022 expands on the Containers extension added to Windows Admin
Center to containerize existing web applications based on ASP.NET from .NET
Framework. You can use static folders or Visual Studio solutions from your developer.

Windows Admin Center includes the following enhancements:

The Containers extension now supports Web Deploy files, which lets you extract
the app and its configuration from a running server and then containerize the
application.
You can validate the image locally and then push that image to Azure Container
Registry.
Azure Container Registry and Azure Container Instance now have basic
management functionality. You can now use the Windows Admin Center UI to
create and delete registries, manage images, and start and stop new container
instances.

Azure Migrate App Containerization tooling


Azure Migrate App Containerization is an end-to-end solution that containerizes and
moves existing web applications to the Azure Kubernetes Service. You can assess
existing web servers, create a container image, push the image to the Azure Container
Registry, create a Kubernetes deployment, and finally deploy it to the Azure Kubernetes
Service.

For more information about the Azure Migrate App Containerization tool, see ASP.NET
app containerization and migration to Azure Kubernetes Service and Java web app
containerization and migration to Azure Kubernetes Service.

What's new in Windows Server 2019
Article • 04/01/2024

This article describes some of the new features in Windows Server 2019. Windows Server
2019 is built on the strong foundation of Windows Server 2016 and brings numerous
innovations on four key themes: Hybrid Cloud, Security, Application Platform, and
Hyper-Converged Infrastructure (HCI).

General

Windows Admin Center


Windows Admin Center is a locally deployed, browser-based app for managing servers,
clusters, hyper-converged infrastructure, and Windows 10 PCs. It comes at no extra cost
beyond Windows and is ready to use in production.

You can install Windows Admin Center on Windows Server 2019 and Windows 10 and
earlier versions of Windows and Windows Server, and use it to manage servers and
clusters running Windows Server 2008 R2 and later.

For more info, see Windows Admin Center.

Desktop experience
Because Windows Server 2019 is a Long-Term Servicing Channel (LTSC) release, it
includes the Desktop Experience. (Semi-Annual Channel (SAC) releases don't include
the Desktop Experience by design; they're strictly Server Core and Nano Server
container image releases.) As with Windows Server 2016, during setup of the operating
system you can choose between Server Core installations or Server with Desktop
Experience installations.

System Insights
System Insights is a new feature available in Windows Server 2019 that brings local
predictive analytics capabilities natively to Windows Server. These predictive capabilities,
each backed by a machine-learning model, locally analyze Windows Server system data,
such as performance counters and events. System Insights allows you to understand
how your servers are functioning and helps you reduce the operational expenses
associated with reactively managing issues in your Windows Server deployments.

Hybrid Cloud

Server Core App Compatibility Feature on Demand


Server Core App Compatibility Feature on Demand (FOD) significantly improves app
compatibility by including a subset of binaries and components from Windows Server
with the Desktop Experience. Server Core is kept as lean as possible by not adding the
Windows Server Desktop Experience graphical environment itself, while increasing
functionality and compatibility.

This optional feature on demand is available on a separate ISO and can be added to
Windows Server Core installations and images only, using DISM.

Windows Deployment Services (WDS) Transport Server role added to Server Core
Transport Server contains only the core networking parts of WDS. You can now use
Server Core with the Transport Server role to create multicast namespaces that transmit
data (including operating system images) from a standalone server. You can also use it if
you want to have a PXE server that allows clients to PXE boot and download your own
custom setup application.

Remote Desktop Services integration with Azure AD


With Azure AD integration you can use Conditional Access policies, Multifactor
Authentication, Integrated authentication with other SaaS Apps using Azure AD, and
many more. For more information, see Integrate Azure AD Domain Services with your
RDS deployment.

Networking
We made several improvements to the core network stack, such as TCP Fast Open (TFO),
Receive Window Autotuning, IPv6, and more. For more information, see the Core
Network Stack feature improvement post.

Security

Windows Defender Advanced Threat Protection (ATP)


ATP's deep platform sensors and response actions expose memory and kernel level
attacks and respond by suppressing malicious files and terminating malicious processes.

For more information about Windows Defender ATP, see Overview of Windows
Defender ATP capabilities.

For more information on onboarding servers, see Onboard servers to Windows
Defender ATP service.

Windows Defender ATP Exploit Guard is a new set of host-intrusion prevention
capabilities enabling you to balance security risk and productivity requirements.
Windows Defender Exploit Guard is designed to lock down the device against a wide
variety of attack vectors and block behaviors commonly used in malware attacks. The
components are:

Attack Surface Reduction (ASR): ASR is a set of controls that enterprises can enable to
prevent malware from getting on the machine by blocking suspicious malicious
files. For example, Office files, scripts, lateral movement, ransomware behavior, and
email-based threats.

Network protection protects the endpoint against web-based threats by blocking
any outbound process on the device to untrusted hosts/IP addresses through
Windows Defender SmartScreen.

Controlled folder access protects sensitive data from ransomware by blocking
untrusted processes from accessing your protected folders.

Exploit protection is a set of mitigations for vulnerability exploits (replacing EMET)
that can be easily configured to protect your system and applications.

Windows Defender Application Control (also known as Code Integrity (CI) policy)
was released in Windows Server 2016. We've made deployment easier by including
default CI policies. The default policy allows all Windows in-box files and Microsoft
applications, such as SQL Server, and blocks known executables that can bypass CI.
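To see which of the Exploit Guard components listed above are actually enforcing on a host, the following added example (not part of the original article) reads the Defender preferences and reports the mode of network protection, controlled folder access, and each configured ASR rule. The function names and the placeholder rule GUIDs in the sample are assumptions; the property names are those returned by Get-MpPreference.

```powershell
# Added example: summarize Exploit Guard settings as reported by Get-MpPreference.
# Mode values: 0 = disabled, 1 = enabled (block), 2 = audit. Other values
# (for example the disk-modification-only modes of controlled folder access
# or the ASR warn action) are reported as "Other".
function Convert-DefenderMode {
    param([int]$Value)
    switch ($Value) {
        0       { 'Disabled' }
        1       { 'Block' }
        2       { 'Audit' }
        default { "Other ($Value)" }
    }
}

function Get-ExploitGuardSummary {
    param(
        # Defaults to the live host. Pass any object with the same property
        # names to evaluate an exported or constructed configuration offline.
        $Preference = (Get-MpPreference)
    )

    [pscustomobject]@{
        Component = 'Network protection'
        Item      = 'EnableNetworkProtection'
        Mode      = Convert-DefenderMode $Preference.EnableNetworkProtection
    }
    [pscustomobject]@{
        Component = 'Controlled folder access'
        Item      = 'EnableControlledFolderAccess'
        Mode      = Convert-DefenderMode $Preference.EnableControlledFolderAccess
    }

    # ASR rule IDs and their actions are parallel arrays; both are $null when
    # no rule has been configured.
    $ids = $Preference.AttackSurfaceReductionRules_Ids
    if ($null -eq $ids) {
        [pscustomobject]@{
            Component = 'Attack Surface Reduction'
            Item      = '(no rules configured)'
            Mode      = 'Disabled'
        }
        return
    }
    $ids     = @($ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            Component = 'Attack Surface Reduction'
            Item      = $ids[$i]
            Mode      = Convert-DefenderMode $actions[$i]
        }
    }
}

# Constructed sample with placeholder rule GUIDs, standing in for the output
# of Get-MpPreference so the function can be exercised without Defender.
$sample = [pscustomobject]@{
    EnableNetworkProtection             = 2
    EnableControlledFolderAccess        = 0
    AttackSurfaceReductionRules_Ids     = @(
        '00000000-0000-0000-0000-000000000001',
        '00000000-0000-0000-0000-000000000002'
    )
    AttackSurfaceReductionRules_Actions = @(1, 2)
}

# Anything not in Block mode is detecting at most, not preventing.
Get-ExploitGuardSummary -Preference $sample |
    Where-Object Mode -ne 'Block' |
    Format-Table -AutoSize
```

On a server with the Defender module available, calling Get-ExploitGuardSummary with no argument evaluates the live configuration.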

Security with Software Defined Networking (SDN)


Security with SDN delivers many features to increase customer confidence in running
workloads, either on-premises, or as a service provider in the cloud.

These security enhancements are integrated into the comprehensive SDN platform
introduced in Windows Server 2016.

For a complete list of what's new in SDN, see What's New in SDN for Windows Server
2019.

Shielded Virtual Machines improvements


Branch office improvements

You can now run shielded virtual machines on machines with intermittent
connectivity to the Host Guardian Service by using the new fallback HGS and
offline mode features. Fallback HGS allows you to configure a second set of URLs
for Hyper-V to try if it can't reach your primary HGS server.

Even if the HGS can't be reached, offline mode will allow you to continue to start
up your shielded VMs. Offline mode will allow you to start your VMs as long as the
VM has started successfully once, and the host's security configuration hasn't
changed.

Troubleshooting improvements

We've also made it easier to troubleshoot your shielded virtual machines by
enabling support for VMConnect Enhanced Session Mode and PowerShell Direct.
These tools are useful if you've lost network connectivity to your VM and need to
update its configuration to restore access.

These features don't need to be configured, and they become available
automatically when a shielded VM is placed on a Hyper-V host running Windows
Server version 1803 or later.

Linux support

If you run mixed-OS environments, Windows Server 2019 now supports running
Ubuntu, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server inside shielded
virtual machines.

HTTP/2 for a faster and safer Web


Improved coalescing of connections to deliver an uninterrupted and properly
encrypted browsing experience.

Upgraded HTTP/2's server-side cipher suite negotiation for automatic mitigation of
connection failures and ease of deployment.

Changed our default TCP congestion provider to Cubic to give you more
throughput!

Encrypted networks
Virtual network encryption encrypts virtual network traffic between virtual machines
within subnets that have the Encryption Enabled label. Encrypted networks also use
Datagram Transport Layer Security (DTLS) on the virtual subnet to encrypt packets. DTLS
protects your data from eavesdropping, tampering, and forgery by anyone with access
to the physical network.

For more information, see Encrypted networks.

Firewall auditing
Firewall auditing is a new feature for SDN firewall that records any flow processed by
SDN firewall rules and access control lists (ACLs) that have logging enabled.

Virtual network peering


Virtual network peering lets you connect two virtual networks seamlessly. Once peered,
the virtual networks appear in monitoring as one.

Egress metering
Egress metering offers usage meters for outbound data transfers. Network Controller
uses this feature to keep an allow list of all IP ranges used within SDN per virtual
network. These lists consider any packet heading to a destination not included within
the listed IP ranges to be billed as outbound data transfers.

Storage
Here are some of the changes we've made to storage in Windows Server 2019. For
details, see What's new in Storage.

Data Deduplication
Data Deduplication now supports ReFS: You can now enable Data Deduplication
wherever you can enable ReFS, increasing storage efficiency by up to 95% with
ReFS.

DataPort API for optimized ingress/egress to deduplicated volumes: Developers
can now take advantage of the knowledge Data Deduplication has about how to
store data efficiently to move data between volumes, servers, and clusters
efficiently.

File Server Resource Manager


It's now possible to prevent the File Server Resource Manager service from creating a
change journal (also known as a USN journal) on all volumes when the service starts.
Preventing the creation of the change journal can conserve space on each volume, but
will disable real-time file classification. For more information, see File Server Resource
Manager overview.

SMB
SMB1 and guest authentication removal: Windows Server no longer installs the
SMB1 client and server by default. Additionally, the ability to authenticate as a
guest in SMB2 and later is off by default. For more information, review SMBv1 isn't
installed by default in Windows 10, version 1709 and Windows Server, version
1709.

SMB2/SMB3 security and compatibility: You now have the ability to disable
oplocks in SMB2+ for legacy applications, and require signing or encryption on
a per-connection basis from a client. For more information, review the SMBShare
PowerShell module help.
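Servers that were upgraded in place or had SMB1 re-enabled for a legacy client can drift from the defaults described above. The following added example (not from the original article) checks the SMB server and client configuration against those defaults and reports the signing and encryption settings separately; the function name and the constructed sample objects are assumptions, while the property names are those returned by Get-SmbServerConfiguration and Get-SmbClientConfiguration.

```powershell
# Added example: compare SMB settings with the defaults this article describes
# (SMB1 off, guest authentication off) and report signing/encryption state.
function Test-SmbHardening {
    param(
        # Default to the live host; pass objects with the same property names
        # to evaluate an exported or constructed configuration offline.
        $Server = (Get-SmbServerConfiguration),
        $Client = (Get-SmbClientConfiguration)
    )

    @(
        [pscustomobject]@{
            Category = 'Release default'
            Check    = 'SMB1 server protocol disabled'
            Pass     = -not $Server.EnableSMB1Protocol
        }
        [pscustomobject]@{
            Category = 'Release default'
            Check    = 'Client insecure guest logons disabled'
            Pass     = -not $Client.EnableInsecureGuestLogons
        }
        [pscustomobject]@{
            Category = 'Optional hardening'
            Check    = 'Server requires SMB signing'
            Pass     = [bool]$Server.RequireSecuritySignature
        }
        [pscustomobject]@{
            Category = 'Optional hardening'
            Check    = 'Client requires SMB signing'
            Pass     = [bool]$Client.RequireSecuritySignature
        }
        [pscustomobject]@{
            Category = 'Optional hardening'
            Check    = 'Server encrypts SMB data'
            Pass     = [bool]$Server.EncryptData
        }
    )
}

# Constructed sample: a server where SMB1 was turned back on for a legacy
# client and signing is not enforced.
$sampleServer = [pscustomobject]@{
    EnableSMB1Protocol       = $true
    RequireSecuritySignature = $false
    EncryptData              = $false
}
$sampleClient = [pscustomobject]@{
    EnableInsecureGuestLogons = $false
    RequireSecuritySignature  = $false
}

# List only the checks that fail, release defaults first.
Test-SmbHardening -Server $sampleServer -Client $sampleClient |
    Where-Object { -not $_.Pass } |
    Sort-Object Category -Descending |
    Format-Table -AutoSize
```

On a live server, run Test-SmbHardening with no arguments; Get-WindowsFeature FS-SMB1 additionally shows whether the SMB1 feature is installed at all.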

Storage Migration Service


Storage Migration Service makes it easier to migrate servers to a newer version of
Windows Server. This graphical tool inventories data on servers, then transfers the data
and configuration to newer servers. The Storage Migration Service can also move the
identities of the old servers to the new servers so users don't have to reconfigure their
profiles and apps. For more information, see Storage Migration Service.

Windows Admin Center version 1910 added the ability to deploy Azure virtual machines.
This update integrates Azure VM deployment into Storage Migration Service. For more
information, see Azure VM migration.

You can also access the following post-release-to-manufacturing (RTM) features when
running the Storage Migration Server orchestrator on Windows Server 2019 with
KB5001384 installed or on Windows Server 2022:

Migrate local users and groups to the new server.
Migrate storage from failover clusters, migrate to failover clusters, and migrate
between standalone servers and failover clusters.
Migrate storage from a Linux server that uses Samba.
Sync migrated shares more easily into Azure by using Azure File Sync.
Migrate to new networks such as Azure.
Migrate NetApp Common Internet File System (CIFS) servers from NetApp
Federated Authentication Service (FAS) arrays to Windows servers and clusters.

Storage Spaces Direct


Here's a list of what's new in Storage Spaces Direct. For details, see What's new in
Storage Spaces Direct. Also see Azure Stack HCI for info on acquiring validated Storage
Spaces Direct systems.

Deduplication and compression for ReFS volumes
Native support for persistent memory
Nested resiliency for two-node hyper-converged infrastructure at the edge
Two-server clusters using a USB flash drive as a witness
Windows Admin Center support
Performance history
Scale up to 4 PB per cluster
Mirror-accelerated parity is 2X faster
Drive latency outlier detection
Manually delimit the allocation of volumes to increase fault tolerance

Storage Replica
Here's what's new in Storage Replica. For details, see What's new in Storage Replica.

Storage Replica is now available in Windows Server 2019 Standard Edition.
Test failover is a new feature that allows mounting of destination storage to
validate replication or backup data. For more information, see Frequently Asked
Questions about Storage Replica.
Storage Replica log performance improvements
Windows Admin Center support

Failover Clustering
Here's a list of what's new in Failover Clustering. For details, see What's new in Failover
Clustering.

Cluster sets
Azure-aware clusters
Cross-domain cluster migration
USB witness
Cluster infrastructure improvements
Cluster Aware Updating supports Storage Spaces Direct
File share witness enhancements
Cluster hardening
Failover Cluster no longer uses NTLM authentication

Application Platform

Linux containers on Windows


It's now possible to run Windows and Linux-based containers on the same container
host, using the same docker daemon. You can now have a heterogeneous container
host environment providing flexibility to application developers.

Built-in support for Kubernetes


Windows Server 2019 continues the improvements to compute, networking, and storage
from the Semi-Annual Channel releases needed to support Kubernetes on Windows.
More details are available in upcoming Kubernetes releases.

Container Networking in Windows Server 2019 greatly improves usability of
Kubernetes on Windows. We've enhanced platform networking resiliency and
support of container networking plugins.

Deployed workloads on Kubernetes are able to use network security to protect
both Linux and Windows services using embedded tooling.

Container improvements
Improved integrated identity

We've made integrated Windows authentication in containers easier and more
reliable, addressing several limitations from prior versions of Windows Server.

Better application compatibility


Containerizing Windows-based applications just got easier: The app compatibility
for the existing windowsservercore image has been increased. For applications
with more API dependencies, there's now a third base image: windows.

Reduced size and higher performance

The base container image download sizes, size on disk and startup times have
been improved to speed up container workflows.

Management experience using Windows Admin Center (preview)

We've made it easier than ever to see which containers are running on your
computer and manage individual containers with a new extension for Windows
Admin Center. Look for the "Containers" extension in the Windows Admin Center
public feed.

Compute improvements
VM Start Ordering: VM Start Ordering is also improved with OS and Application
awareness, bringing enhanced triggers for when a VM is considered started before
starting the next.

Storage-class memory support for VMs enables NTFS-formatted direct access
volumes to be created on non-volatile DIMMs and exposed to Hyper-V VMs.
Hyper-V VMs can now use the low-latency performance benefits of storage-class
memory devices.

Persistent Memory support for Hyper-V VMs: To use the high throughput and low
latency of persistent memory (also known as storage class memory) in virtual
machines, it can now be projected directly into VMs. Persistent memory can help
to drastically reduce database transaction latency or reduce recovery times for low
latency in-memory databases on failure.

Container storage – persistent data volumes: Application containers now have
persistent access to volumes. For more info, see Container Storage Support with
Cluster Shared Volumes (CSV), Storage Spaces Direct (S2D), SMB Global
Mapping.

Virtual machine configuration file format (updated): The VM guest state file
(.vmgs) has been added for virtual machines with a configuration version of 8.2
and higher. The VM guest state file includes device state information that was
previously part of the VM runtime state file.

Encrypted Networks
Encrypted Networks - Virtual network encryption allows encryption of virtual network
traffic between virtual machines that communicate with each other within subnets
marked as Encryption Enabled. It also utilizes Datagram Transport Layer Security (DTLS)
on the virtual subnet to encrypt packets. DTLS protects against eavesdropping,
tampering, and forgery by anyone with access to the physical network.

Network performance improvements for virtual workloads
Network performance improvements for virtual workloads maximize the network
throughput to virtual machines without requiring you to constantly tune or over-
provision your host. Improved performance lowers the operations and maintenance cost
while increasing the available density of your hosts. These new features are:

Dynamic Virtual Machine Multi-Queue (d.VMMQ)

Receive Segment Coalescing in the vSwitch

Low Extra Delay Background Transport


Low Extra Delay Background Transport (LEDBAT) is a latency optimized, network
congestion control provider designed to automatically yield bandwidth to users and
applications. LEDBAT consumes bandwidth available while the network isn't in use. The
technology is intended for use when deploying large, critical updates across an IT
environment without impacting customer facing services and associated bandwidth.

Windows Time Service


The Windows Time Service includes true UTC-compliant leap second support, a new
time protocol called Precision Time Protocol, and end-to-end traceability.

High performance SDN gateways


High performance SDN gateways in Windows Server 2019 greatly improve the
performance for IPsec and GRE connections, providing ultra-high-performance
throughput with much less CPU utilization.

New Deployment UI and Windows Admin Center extension for SDN
Now, with Windows Server 2019, it's easy to deploy and manage through a new
deployment UI and Windows Admin Center extension that enable anyone to harness the
power of SDN.

Windows Subsystem for Linux (WSL)


WSL enables server administrators to use existing tools and scripts from Linux on
Windows Server. Many improvements showcased in the command line blog are now
part of Windows Server, including Background tasks, DriveFS, WSLPath, and much more.

What's new in Windows Server 2016
Article • 05/14/2024

This article describes some of the new features in Windows Server 2016 that are the
ones most likely to have the greatest impact as you work with this release.

Compute
The Virtualization area includes virtualization products and features for the IT
professional to design, deploy, and maintain Windows Server.

General
Physical and virtual machines benefit from greater time accuracy due to improvements
in the Win32 Time and Hyper-V Time Synchronization Services. Windows Server can now
host services that are compliant with upcoming regulations that require a 1ms accuracy
with regard to UTC.

Hyper-V
Hyper-V network virtualization (HNV) is a fundamental building block of Microsoft's
updated Software Defined Networking (SDN) solution and is fully integrated into the
SDN stack. Windows Server 2016 includes the following changes for Hyper-V:

Windows Server 2016 now includes a programmable Hyper-V switch. Microsoft's
Network Controller pushes HNV policies down to a Host Agent running on each
host using the Open vSwitch Database Management Protocol (OVSDB) as the
SouthBound Interface (SBI). The Host Agent stores this policy using a
customization of the VTEP schema and programs complex flow rules into a
performant flow engine in the Hyper-V switch. The flow engine in the Hyper-V
switch is the same one that Azure uses. The entire SDN stack up through the
Network Controller and Network Resource provider is also consistent with Azure,
making its performance comparable to the Azure public cloud. Within Microsoft's
flow engine, the Hyper-V switch is equipped to handle both stateless and stateful
flow rules through a simple match action mechanism that defines how packets
should be processed within the switch.

HNV now supports Virtual eXtensible Local Area Network (VXLAN) protocol
encapsulation. HNV uses the VXLAN protocol in MAC distribution mode through
the Microsoft Network Controller to map tenant overlay network IP addresses to the
physical underlay network IP addresses. The NVGRE and VXLAN Task Offloads
support third-party drivers for improved performance.

Windows Server 2016 includes a software load balancer (SLB) with full support for
virtual network traffic and seamless interaction with HNV. The performant flow
engine implements the SLB in the data plane v-Switch, then the Network Controller
controls it for Virtual IP (VIP) or Dynamic IP (DIP) mappings.

HNV implements correct L2 Ethernet headers to ensure interoperability with third-
party virtual and physical appliances that depend on industry-standard protocols.
Microsoft ensures that all transmitted packets have compliant values in all fields to
guarantee interoperability. HNV requires support for Jumbo Frames (MTU > 1780)
in the physical L2 network to account for packet overhead introduced by
encapsulation protocols such as NVGRE and VXLAN. Jumbo Frame support ensures
that guest Virtual Machines attached to an HNV Virtual Network maintain a 1514
MTU.

Windows Container support adds performance improvements, simplified network
management, and support for Windows containers on Windows 10. For more
information, see Containers: Docker, Windows, and Trends.

Nano Server
What's New in Nano Server. Nano Server now has an updated module for building Nano
Server images, including more separation of physical host and guest virtual machine
functionality and support for different Windows Server editions.

There are also improvements to the Recovery Console, including separation of inbound
and outbound firewall rules and the ability to repair WinRM configuration.

Shielded Virtual Machines


Windows Server 2016 provides a new Hyper-V-based Shielded Virtual Machine to
protect any Generation 2 virtual machine from a compromised fabric. Among the
features introduced in Windows Server 2016 are the following:

A new Encryption Supported mode that offers more protections than for an
ordinary virtual machine, but less than Shielded mode, while still supporting vTPM,
disk encryption, Live Migration traffic encryption, and other features, including
direct fabric administration conveniences such as virtual machine console
connections and PowerShell Direct.
Full support for converting existing non-shielded Generation 2 virtual machines to
shielded virtual machines, including automated disk encryption.

Hyper-V Virtual Machine Manager can now view the fabrics upon which a shielded
virtual machine is authorized to run, providing a way for the fabric administrator to
open a shielded virtual machine's key protector (KP) and view the fabrics it is
permitted to run on.

You can switch Attestation modes on a running Host Guardian Service. Now you
can switch on the fly between the less secure but simpler Active Directory-based
attestation and TPM-based attestation.

End-to-end diagnostics tooling based on Windows PowerShell that is able to
detect misconfigurations or errors in both guarded Hyper-V hosts and the Host
Guardian Service.

A recovery environment that offers a means to securely troubleshoot and repair
shielded virtual machines within the fabric in which they normally run while
offering the same level of protection as the shielded virtual machine itself.

Host Guardian Service support for existing safe Active Directory – you can direct
the Host Guardian Service to use an existing Active Directory forest as its Active
Directory instead of creating its own Active Directory instance.

For more details and instructions for working with shielded virtual machines, see
Guarded Fabric and Shielded VMs.

Identity and Access


New features in Identity improve the ability for organizations to secure Active Directory
environments and help them migrate to cloud-only deployments and hybrid
deployments, where some applications and services are hosted in the cloud and others
are hosted on premises.

Active Directory Certificate Services


Active Directory Certificate Services (AD CS) in Windows Server 2016 increases support
for TPM key attestation: You can now use Smart Card KSP for key attestation, and
devices that are not joined to the domain can now use NDES enrollment to get
certificates that can be attested for keys being in a TPM.

Active Directory Domain Services


Active Directory Domain Services includes improvements to help organizations secure
Active Directory environments and provide better identity management experiences for
both corporate and personal devices. For more information, see What's new in Active
Directory Domain Services (AD DS) in Windows Server 2016.

Active Directory Federation Services


Active Directory Federation Services (AD FS) in Windows Server 2016 includes new
features that enable you to configure AD FS to authenticate users stored in Lightweight
Directory Access Protocol (LDAP) directories. For more information, see What's New in
AD FS for Windows Server 2016.

Web Application Proxy


The latest version of Web Application Proxy focuses on new features that enable
publishing and pre-authentication for more applications and improved user experience.
Check out the full list of new features that includes pre-authentication for rich client
apps such as Exchange ActiveSync and wildcard domains for easier publishing of
SharePoint apps. For more information, see Web Application Proxy in Windows Server
2016.

Administration
The Management and Automation area focuses on tool and reference information for IT
pros who want to run and manage Windows Server 2016, including Windows
PowerShell.

Windows PowerShell 5.1 includes significant new features, including support for
developing with classes and new security features that extend its use, improve its
usability, and allow you to control and manage Windows-based environments more
easily and comprehensively. See New Scenarios and Features in WMF 5.1 for details.

New additions for Windows Server 2016 include: the ability to run PowerShell.exe locally
on Nano Server (no longer remote only), new Local Users & Groups cmdlets to replace
the GUI, added PowerShell debugging support, and added support in Nano Server for
security logging & transcription and JEA.

Here are some other new administration features:

PowerShell Desired State Configuration (DSC) in Windows Management Framework (WMF) 5
Windows Management Framework 5 includes updates to Windows PowerShell Desired
State Configuration (DSC), Windows Remote Management (WinRM), and Windows
Management Instrumentation (WMI).

For more info about testing the DSC features of Windows Management Framework 5,
see the series of blog posts discussed in Validate features of PowerShell DSC. To
download, see Windows Management Framework 5.1.

PackageManagement unified package management for software discovery, installation, and inventory
Windows Server 2016 and Windows 10 include a new PackageManagement feature
(formerly called OneGet) that enables IT Professionals or DevOps to automate software
discovery, installation, and inventory (SDII), locally or remotely, no matter what the
installer technology is and where the software is located.

For more info, see https://github.com/OneGet/oneget/wiki.

PowerShell enhancements to assist digital forensics and help reduce security breaches
To help the team responsible for investigating compromised systems - sometimes
known as the "blue team" - we've added additional PowerShell logging and other digital
forensics functionality, and we've added functionality to help reduce vulnerabilities in
scripts, such as constrained PowerShell, and secure CodeGeneration APIs.

For more info, see the PowerShell ♥ the Blue Team blog post.
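The logging and constrained-language features mentioned above only help an investigation if they are switched on before an incident. The following added example (not from the original article) reports whether script block logging, module logging, and transcription are enabled by policy, shows the current session's language mode, and lists recent script block events that PowerShell logged at warning level. The function names are assumptions, and the registry paths are the Group Policy locations for these settings, which the article itself does not list.

```powershell
# Added example: report the PowerShell logging posture of the local host.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-PowerShellLoggingState {
    # Group Policy location for the PowerShell logging settings.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    [pscustomobject]@{
        ScriptBlockLogging  = (Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        ModuleLogging       = (Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging') -eq 1
        Transcription       = (Get-PolicyValue "$base\Transcription" 'EnableTranscripting') -eq 1
        TranscriptDirectory = Get-PolicyValue "$base\Transcription" 'OutputDirectory'
        # FullLanguage is unrestricted; ConstrainedLanguage limits access to
        # .NET types and COM objects in the session.
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode
    }
}

function Get-RecentScriptBlockWarnings {
    param([int]$MaxEvents = 20)
    # Event ID 4104 records script block text; Level 3 is Warning.
    $filter = @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
        Level   = 3
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                RecordId    = $_.RecordId
                # Truncate so the table stays readable; the full text is in the event.
                Preview     = ($_.Message -split "`r?`n" | Select-Object -First 2) -join ' '
            }
        }
}

Get-PowerShellLoggingState | Format-List
Get-RecentScriptBlockWarnings | Format-Table -AutoSize -Wrap
```

Reading the operational log may require an elevated session; an empty result from Get-RecentScriptBlockWarnings means no warning-level script block events were found or the log could not be read.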

Networking
The Networking area addresses networking products and features for the IT professional
to design, deploy, and maintain Windows Server 2016.

Software-Defined Networking
You can now both mirror and route traffic to new or existing virtual appliances. Together
with a distributed firewall and Network security groups, this enables you to dynamically
segment and secure workloads in a manner similar to Azure. Second, you can deploy
and manage the entire Software-defined networking (SDN) stack using System Center
Virtual Machine Manager. Finally, you can use Docker to manage Windows Server
container networking, and associate SDN policies not only with virtual machines but
containers as well. For more information, see Plan a Software Defined Network
Infrastructure.

TCP performance improvements


The default Initial Congestion Window (ICW) has been increased from 4 to 10 and TCP
Fast Open (TFO) has been implemented. TFO reduces the amount of time required to
establish a TCP connection and the increased ICW allows larger objects to be transferred
in the initial burst. This combination can significantly reduce the time required to
transfer an Internet object between the client and the cloud.

In order to improve TCP behavior when recovering from packet loss we have
implemented TCP Tail Loss Probe (TLP) and Recent Acknowledgment (RACK). TLP helps
convert Retransmit TimeOuts (RTOs) to Fast Recoveries and RACK reduces the time
required for Fast Recovery to retransmit a lost packet.

Security and Assurance


The Security and Assurance area includes security solutions and features for the IT
professional to deploy in your data center and cloud environment. For information
about security in Windows Server 2016 generally, see Security and Assurance.

Just Enough Administration


Just Enough Administration in Windows Server 2016 is security technology that enables
delegated administration for anything that can be managed with Windows PowerShell.
Capabilities include support for running under a network identity, connecting over
PowerShell Direct, securely copying files to or from JEA endpoints, and configuring the
PowerShell console to launch in a JEA context by default. For more details, see JEA on
GitHub.
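As an illustration of the delegated administration described above, the following added example (not from the original article or the JEA project) builds a role capability file and a session configuration file that let a non-administrator group restart one named service and nothing else. The group name CONTOSO\PrintOperators, the Spooler scope, the endpoint name, and all paths are assumptions.

```powershell
# Added example: a minimal JEA endpoint definition, written to a scratch
# directory and validated without registering anything on the host.
$workDir = Join-Path $env:TEMP 'JeaDemo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Role capability: what a connected user is allowed to run.
# Get-Service is fully visible; Restart-Service is limited to -Name Spooler.
$roleFile = Join-Path $workDir 'PrintOperator.psrc'
New-PSRoleCapabilityFile -Path $roleFile -VisibleCmdlets @(
    'Get-Service',
    @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' }
    }
)

# Session configuration: who may connect and under which identity commands run.
# RestrictedRemoteServer starts from a locked-down session (NoLanguage mode,
# only a small default command set); RunAsVirtualAccount runs commands under a
# temporary local identity so the user never holds administrator credentials.
$sessionFile = Join-Path $workDir 'PrintOperator.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path $workDir 'Transcripts') `
    -RoleDefinitions @{
        'CONTOSO\PrintOperators' = @{ RoleCapabilityFiles = $roleFile }
    }

# Returns True when the session configuration file is well formed.
Test-PSSessionConfigurationFile -Path $sessionFile

# Registering the endpoint needs an elevated session and restarts WinRM,
# so it is left commented out here:
# Register-PSSessionConfiguration -Name 'PrintOperator' -Path $sessionFile -Force
#
# A member of the assumed group would then connect with:
# Enter-PSSession -ComputerName <server> -ConfigurationName 'PrintOperator'
```

Session transcripts written to the TranscriptDirectory give an audit trail of every command run through the endpoint.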

Credential Guard
Credential Guard uses virtualization-based security to isolate secrets so that only
privileged system software can access them. For more information, see Protect derived
domain credentials with Credential Guard.

Credential Guard for Windows Server 2016 includes the following updates for signed-in
user sessions:

Kerberos and New Technology LAN Manager (NTLM) use virtualization-based
security to protect Kerberos and NTLM secrets for signed-in user sessions.

Credential Manager protects saved domain credentials using virtualization-based
security. Signed-in credentials and saved domain credentials don't pass to remote
hosts using Remote Desktop.

You can enable Credential Guard without a Unified Extensible Firmware Interface
(UEFI) lock.

Remote Credential Guard


Credential Guard includes support for RDP sessions so that the user credentials remain
on the client side and are not exposed on the server side. This also provides Single Sign
On for Remote Desktop. For more information, see Protect derived domain credentials
with Windows Defender Credential Guard.

Remote Credential Guard for Windows Server 2016 includes the following updates for
signed-in users:

Remote Credential Guard keeps Kerberos and NTLM secrets for signed-in user
credentials on the client device. Any authentication requests from the remote host
for accessing network resources as the user require the client device to use the
secrets.

Remote Credential Guard protects supplied user credentials when using Remote
Desktop.

Domain protections
Domain protections now require an Active Directory domain.

PKInit Freshness extension support


Kerberos clients now attempt the PKInit freshness extension for public key-based
sign-ons.

KDCs now support the PKInit freshness extension. However, they don't offer the PKInit
freshness extension by default.

For more information, see Kerberos client and KDC support for RFC 8070 PKInit
freshness extension.

Rolling public key only user's NTLM secrets
Starting with the Windows Server 2016 domain functional level (DFL), DCs now support
rolling the NTLM secrets of a public-key-only user. This feature is unavailable in lower
domain functional levels (DFLs).

Warning

Adding a DC enabled before the November 8, 2016 update to a domain that
supports rolling NTLM secrets can cause the DC to crash.

For new domains, this feature is enabled by default. For existing domains, you must
configure it in the Active Directory Administrative Center.

From the Active Directory Administrative Center, right-click on the domain in the left
pane and select Properties. Select the checkbox Enable rolling of expiring NTLM
secrets during sign on for users who are required to use Windows Hello for Business
or smart card for interactive logon. After that, select OK to apply this change.

Allowing network NTLM when user is restricted to specific domain-joined devices
DCs can now support allowing network NTLM when a user is restricted to specific
domain-joined devices in the Windows Server 2016 DFL and higher. This feature is
unavailable in DFLs running an earlier operating system than Windows Server 2016.

To configure this setting, in the authentication policy, select Allow NTLM network
authentication when the user is restricted to selected devices.

For more information, see Authentication policies and authentication policy silos.

Device Guard (Code Integrity)


Device Guard provides kernel mode code integrity (KMCI) and user mode code integrity
(UMCI) by creating policies that specify what code can run on the server. See
Introduction to Windows Defender Device Guard: virtualization-based security and code
integrity policies.

Windows Defender
See Windows Defender Overview for Windows Server 2016. Windows Server Antimalware is
installed and enabled by default in Windows Server 2016, but the user interface for
Windows Server Antimalware is not installed. However, Windows Server Antimalware will
update antimalware definitions and protect the computer without the user interface. If
you need the user interface for Windows Server Antimalware, you can install it after the
operating system installation by using the Add Roles and Features Wizard.

Control Flow Guard


Control Flow Guard (CFG) is a platform security feature that was created to combat
memory corruption vulnerabilities. See Control Flow Guard for more information.

Storage
Storage in Windows Server 2016 includes new features and enhancements for
software-defined storage and for traditional file servers. Below are a few of the new
features; for more enhancements and further details, see What's New in Storage in
Windows Server 2016.

Storage Spaces Direct


Storage Spaces Direct enables building highly available and scalable storage using
servers with local storage. It simplifies the deployment and management of software-
defined storage systems and unlocks use of new classes of disk devices, such as SATA
SSD and NVMe disk devices, that were previously not possible with clustered Storage
Spaces with shared disks.

For more info, see Storage Spaces Direct.

Storage Replica
Storage Replica enables storage-agnostic, block-level, synchronous replication between
servers or clusters for disaster recovery, and stretching of a failover cluster between
sites. Synchronous replication enables mirroring of data in physical sites with crash-
consistent volumes to ensure zero data loss at the file-system level. Asynchronous
replication allows site extension beyond metropolitan ranges with the possibility of data
loss.

For more info, see Storage Replica.


Storage Quality of Service (QoS)
You can now use storage quality of service (QoS) to centrally monitor end-to-end
storage performance and create management policies using Hyper-V and CSV clusters
in Windows Server 2016.

For more info, see Storage Quality of Service.

Failover Clustering
Windows Server 2016 includes many new features and enhancements for multiple
servers that are grouped together into a single fault-tolerant cluster using the Failover
Clustering feature. Some of the additions are listed below; for a more complete listing,
see What's New in Failover Clustering in Windows Server 2016.

Cluster Operating System Rolling Upgrade


Cluster Operating System Rolling Upgrade enables an administrator to upgrade the
operating system of the cluster nodes from Windows Server 2012 R2 to Windows Server
2016 without stopping the Hyper-V or the Scale-Out File Server workloads. Using this
feature, the downtime penalties against Service Level Agreements (SLA) can be avoided.

For more info, see Cluster Operating System Rolling Upgrade.

Cloud Witness
Cloud Witness is a new type of Failover Cluster quorum witness in Windows Server 2016
that leverages Microsoft Azure as the arbitration point. The Cloud Witness, like any
other quorum witness, gets a vote and can participate in the quorum calculations. You
can configure cloud witness as a quorum witness using the Configure a Cluster Quorum
Wizard.

For more info, see Deploy Cloud Witness.

Health Service
The Health Service improves the day-to-day monitoring, operations, and maintenance
experience of cluster resources on a Storage Spaces Direct cluster.

For more info, see Health Service.


Application development

Internet Information Services (IIS) 10.0


New features provided by the IIS 10.0 web server in Windows Server 2016 include:

Support for the HTTP/2 protocol in the Networking stack and integrated with IIS
10.0, allowing IIS 10.0 websites to automatically serve HTTP/2 requests for
supported configurations. This allows numerous enhancements over HTTP/1.1 such
as more efficient reuse of connections and decreased latency, improving load
times for web pages.

Ability to run and manage IIS 10.0 in Nano Server. See IIS on Nano Server.

Support for Wildcard Host Headers, enabling administrators to set up a web server
for a domain and then have the web server serve requests for any subdomain.

A new PowerShell module (IISAdministration) for managing IIS.

For more details, see IIS.

Distributed Transaction Coordinator (MSDTC)


Three new features are added in Microsoft Windows 10 and Windows Server 2016:

A new interface for Resource Manager Rejoin can be used by a resource manager
to determine the outcome of an in-doubt transaction after a database restarts due
to an error. See IResourceManagerRejoinable::Rejoin for details.

The DSN name limit is enlarged from 256 bytes to 3072 bytes. See
IDtcToXaHelperFactory::Create, IDtcToXaHelperSinglePipe::XARMCreate, or
IDtcToXaMapper::RequestNewResourceManager for details.

Improved tracing allowing you to set a registry key to include an image file path in
the Tracelog file name so you can tell which Tracelog file to check. See How to
enable diagnostic tracing for MS DTC on a Windows-based computer for details
on configuring tracing for MSDTC.

DNS Server
Windows Server 2016 contains the following updates for Domain Name System (DNS)
Server.

DNS policies
You can configure DNS policies to specify how a DNS server responds to DNS queries.
You can configure DNS responses based on client IP address, time of day, and several
other parameters. DNS policies can enable location-aware DNS, traffic management,
load balancing, split-brain DNS, and other scenarios. For more information, see the DNS
Policy Scenario Guide.

RRL
You can enable Response Rate Limiting (RRL) on your DNS servers to prevent malicious
systems from using your DNS servers to initiate a Distributed Denial of Service (DDoS)
attack on a DNS client. RRL prevents your DNS server from responding to too many
requests at once, which protects it during scenarios when a botnet sends multiple
requests at once to try to disrupt server operations.
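
A staged way to turn on RRL with the DnsServer module, as an added example that is not part of the original article. The function name, the log-only-first gate and the threshold values are this example's assumptions; tune the thresholds to your own query volume.

```powershell
#Requires -Modules DnsServer
# Added example: roll out Response Rate Limiting in two stages.
#   Stage 'LogOnly' : RRL evaluates every response and logs what it would
#                     have dropped, but still answers everything.
#   Stage 'Enable'  : RRL enforces the limits.
# Set-DnsRrlStage is a hypothetical helper; the Get-/Set-
# DnsServerResponseRateLimiting cmdlets ship with the DNS Server role.
function Set-DnsRrlStage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LogOnly', 'Enable')]
        [string]$Stage,

        [string]$ComputerName = $env:COMPUTERNAME,

        # Constructed starting values: allowed identical responses and
        # error responses per second, and the accounting window in seconds.
        [uint32]$ResponsesPerSec = 5,
        [uint32]$ErrorsPerSec    = 5,
        [uint32]$WindowInSec     = 5
    )

    $current = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName

    # Gate chosen for this example: never jump straight to enforcement.
    # Legitimate heavy clients (mail gateways, resolvers behind NAT) only
    # show up once the log-only stage has run under real load.
    if ($Stage -eq 'Enable' -and "$($current.Mode)" -ne 'LogOnly') {
        throw "RRL on $ComputerName is in mode '$($current.Mode)'. Run the LogOnly stage first and review the DNS Server event log."
    }

    if ($PSCmdlet.ShouldProcess($ComputerName, "Set RRL mode to $Stage")) {
        Set-DnsServerResponseRateLimiting -ComputerName $ComputerName `
            -Mode $Stage `
            -ResponsesPerSec $ResponsesPerSec `
            -ErrorsPerSec $ErrorsPerSec `
            -WindowInSec $WindowInSec `
            -Force
    }

    # Return the effective settings so the change can be recorded.
    Get-DnsServerResponseRateLimiting -ComputerName $ComputerName
}

# Typical sequence on a DNS server (commented out so the block can be
# loaded without changing anything):
# Set-DnsRrlStage -Stage LogOnly -WhatIf     # preview
# Set-DnsRrlStage -Stage LogOnly             # observe for a while
# Set-DnsRrlStage -Stage Enable              # enforce
```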

DANE support
You can use DNS-based Authentication of Named Entities (DANE) support (RFC 6394
and RFC 6698) to specify which certificate authority your DNS clients should expect
certificates from for domain names hosted in your DNS server. This prevents a form of
man-in-the-middle attack where a malicious actor corrupts a DNS cache and points a
DNS name to their own IP address.

Unknown record support


You can add records that the DNS server doesn't explicitly support by using the
unknown record functionality. A record is unknown when the DNS server doesn't
recognize its RDATA format. Windows Server 2016 supports unknown record types
(RFC 3597), so you can add unknown records to Windows DNS server zones in binary
on-wire format. The Windows caching resolver can already process unknown record types.
Windows DNS server doesn't perform record-specific processing for unknown records,
but can send them in response to queries it receives.

IPv6 root hints


Windows DNS server now includes IPv6 root hints published by the Internet Assigned
Numbers Authority (IANA). Support for IPv6 root hints lets you make internet queries
that use the IPv6 root servers to perform name resolutions.

Windows PowerShell support


Windows Server 2016 includes new commands you can use to configure DNS in
PowerShell. For more information, see Windows Server 2016 DnsServer module and
Windows Server 2016 DnsClient module.

DNS client
The DNS client service now offers enhanced support for computers with more than one
network interface.

Multi-homed computers can also use DNS client service binding to improve server
resolution:

When you use a DNS server configured on a specific interface to resolve a DNS
query, the DNS client binds to the interface before sending the query. This binding
lets the DNS client specify the interface where name resolution should take place,
optimizing communications between applications and DNS client over the network
interface.

If the DNS server you're using was designated by a Group Policy setting from the
Name Resolution Policy Table (NRPT), the DNS client service doesn't bind to the
specified interface.

Note

Changes to the DNS Client service in Windows 10 are also present in computers
running Windows Server 2016 and later.

Remote Desktop Services


Remote Desktop Services (RDS) made the following changes for Windows Server 2016.

App compatibility
RDS and Windows Server 2016 are compatible with many Windows 10 applications,
creating a user experience that's almost identical to a physical desktop.

Azure SQL Database


The Remote Desktop (RD) Connection Broker can now store all deployment information,
such as connection states and user-host mappings, in a shared Azure Structured Query
Language (SQL) Database. This feature lets you use a highly available environment
without having to use an SQL Server Always On Availability Group. For more
information, see Use Azure SQL DB for your Remote Desktop Connection Broker high
availability environment.

Graphical improvements
Discrete Device Assignment for Hyper-V lets you map graphics processing units (GPUs)
on a host machine directly to a virtual machine (VM). Any applications on the VM that
need more GPU than the VM can provide can use the mapped GPU instead. We also
improved the RemoteFX vGPU, including support for OpenGL 4.4, OpenCL 1.1, 4K
resolution, and Windows Server VMs. For more information, see Discrete Device
Assignment.

RD Connection Broker improvements


We improved how the RD Connection Broker handles connections during logon storms,
which are periods with a high volume of sign-in requests from users. The RD Connection
Broker can now handle over 10,000 concurrent sign-in requests! Maintenance improvements
also make it easier for you to perform maintenance on your deployment by being able to
quickly add servers back into the environment once they're ready to go back online. For
more information, see Improved Remote Desktop Connection Broker Performance.

RDP 10 protocol changes


Remote Desktop Protocol (RDP) 10 now uses the H.264/AVC 444 codec, which optimizes
across both video and text. This release also includes pen remoting support. These new
capabilities allow your remote session to feel more like a local session. For more
information, see RDP 10 AVC/H.264 improvements in Windows 10 and Windows Server
2016.

Personal session desktops


Personal session desktops is a new feature that lets you host your own personal desktop
in the cloud. Administrative privileges and dedicated session hosts remove the
complexity of hosting environments where users want to manage a remote desktop like
a local desktop. For more information, see Personal Session Desktops.

Kerberos authentication
Windows Server 2016 includes the following updates for Kerberos authentication.

KDC support for Public Key Trust-based client authentication
Key Distribution Centers (KDCs) now support public key mapping. If you provision a
public key for an account, the KDC supports Kerberos PKInit explicitly using that key.
Because there's no certificate validation, Kerberos supports self-signed certificates but
doesn't support authentication mechanism assurance.

Accounts you've configured to use Key Trust will only use Key Trust regardless of how
you configured the UseSubjectAltName setting.

Kerberos client and KDC support for RFC 8070 PKInit Freshness Extension
Starting with Windows 10, version 1607 and Windows Server 2016, Kerberos clients can
use the RFC 8070 PKInit freshness extension for public key-based sign-ons. KDCs have
the PKInit freshness extension disabled by default, so to enable it you must configure
the KDC support for PKInit Freshness Extension KDC administrative template policy on
all DCs in your domain.

The policy has the following settings available when your domain is in the Windows
Server 2016 domain functional level (DFL):

Disabled: The KDC never offers the PKInit Freshness Extension and accepts valid
authentication requests without checking for freshness. Users don't receive the
fresh public key identity SID.

Supported: Kerberos supports PKInit Freshness Extension on request. Kerberos
clients successfully authenticating with the PKInit Freshness Extension receive the
fresh public key identity SID.

Required: PKInit Freshness Extension is required for successful authentication.
Kerberos clients that don't support the PKInit Freshness Extension will always fail
when using public key credentials.

Domain-joined device support for authentication using public key
If a domain-joined device can register its bound public key with a Windows Server 2016
domain controller (DC), then the device can authenticate with the public key using
Kerberos PKInit authentication to a Windows Server 2016 DC.

Domain-joined devices with bound public keys registered with a Windows Server 2016
domain controller can now authenticate to a Windows Server 2016 domain controller
using Kerberos Public Key Cryptography for Initial Authentication (PKInit) protocols. To
learn more, see Domain-joined Device Public Key Authentication.

Key Distribution Centers (KDCs) now support authentication using Kerberos key trust.

For more information, see KDC support for Key Trust account mapping.

Kerberos clients allow IPv4 and IPv6 address host names in Service Principal Names (SPNs)
Starting with Windows 10 version 1507 and Windows Server 2016, you can configure
Kerberos clients to support IPv4 and IPv6 host names in SPNs. For more information, see
Configuring Kerberos for IP Addresses.

To configure support for IP address host names in SPNs, create a TryIPSPN entry. This
entry doesn't exist in the registry by default. You should place this entry on the following
path:

text

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters

After creating the entry, change its DWORD value to 1. If this value isn't configured,
Kerberos won't attempt IP address host names.

Kerberos authentication only succeeds if the SPN is registered in Active Directory.
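
The registry steps above as an idempotent PowerShell function, added here as an example that is not part of the original article. The function name and the -AuditOnly switch are hypothetical; the registry path and value name are the ones given above. Run it from an elevated session.

```powershell
# Added example: audit or set the TryIPSPN value that lets the Kerberos
# client attempt IP address host names in SPNs.
# Set-KerberosTryIPSPN and -AuditOnly are names invented for this example.
function Set-KerberosTryIPSPN {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Report the current state without changing the registry.
        [switch]$AuditOnly
    )

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $name = 'TryIPSPN'

    # The entry doesn't exist by default, so a missing key or value is a
    # normal state here and must not raise an error.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $changed = $false

    if (-not $AuditOnly -and $current -ne 1) {
        if ($PSCmdlet.ShouldProcess("$path\$name", 'Create entry and set DWORD value to 1')) {
            if (-not (Test-Path -Path $path)) {
                # -Force creates any missing parent keys (Kerberos\Parameters).
                New-Item -Path $path -Force | Out-Null
            }
            # -Force overwrites an existing value of the wrong type or data.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            $current = (Get-ItemProperty -Path $path -Name $name).$name
            $changed = $true
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Path             = $path
        TryIPSPN         = $current            # $null means "not configured"
        IpSpnAttempted   = ($current -eq 1)    # anything else: client won't try IP SPNs
        ChangedByThisRun = $changed
    }
}

# Audit first, then apply:
# Set-KerberosTryIPSPN -AuditOnly
# Set-KerberosTryIPSPN -WhatIf
# Set-KerberosTryIPSPN
```

Setting the value only makes the client try an IP-based SPN. Authentication still fails, and the connection may fall back to NTLM, unless the matching SPN is registered in Active Directory, so pair any rollout with a check of which IP-based SPNs actually exist.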

KDC support for Key Trust account mapping


Domain controllers now support Key Trust account mapping and fallback to existing
AltSecID and User Principal Name (UPN) in the SAN behavior. You can configure the
UseSubjectAltName variable to the following settings:

Setting the variable to 0 makes explicit mapping required. Users must use either a
Key Trust or set an ExplicitAltSecID variable.

Setting the variable to 1, which is the default value, allows implicit mapping.

    If you configure a Key Trust for an account in Windows Server 2016 or later,
    then KDC uses the KeyTrust for mapping.

    If there's no UPN in the SAN, KDC will attempt to use the AltSecID for mapping.

    If there's a UPN in the SAN, KDC will attempt to use the UPN for mapping.

Windows Server servicing channels
Article • 10/02/2023

Beginning in September 2023, Windows Server has two primary release channels
available: the Long-Term Servicing Channel and the Annual Channel. The Long-Term
Servicing Channel (LTSC) provides a longer-term option focused on providing a
traditional lifecycle of quality and security updates, whereas the Annual Channel (AC)
provides more frequent releases. The more frequent releases of the AC enable you to
take advantage of innovation more quickly, with a focus on containers and microservices.

Long-Term Servicing Channel (LTSC)


With the Long-Term Servicing Channel, a new major version of Windows Server is
typically released every 2-3 years. Users are entitled to five years of mainstream support
and five years of extended support. This channel provides systems with a long servicing
option and consistency, and can be installed with Server Core or Server with Desktop
Experience installation options.

Annual Channel (AC)


Windows Server Annual Channel for Containers is an operating system to host Windows
Server containers. The Annual Channel enables customers who are innovating quickly to
take advantage of new operating system capabilities at a faster pace, focused on
containers and microservices. To learn more about Windows Server Annual Channel for
Containers, see our TechCommunity announcement.

Each release in this channel is supported for 24 months from the initial release. This
channel can only be installed with the Server Core installation option. The Annual
Channel is available to volume-licensed customers with Software Assurance and
loyalty programs such as Visual Studio Subscriptions.

An Annual Channel release isn't an update; it's the next Windows Server release in the
Annual Channel. To move to an Annual Channel release, you must perform a clean
installation.

Releases of Windows Server in the Annual Channel typically occur every 12 months. The
24 month support lifecycle for each release is 18 months of mainstream support, plus 6
months of extended support. To learn more about the lifecycle, see Windows Server
2022 lifecycle. Each release is named based on the release cycle; for example, version
23H2 is a release in the second half of the year 2023.

Key differences
The following table summarizes the key differences between the channels:

| Description | Long-Term Servicing Channel | Annual Channel |
| --- | --- | --- |
| Recommended scenarios | General purpose file servers, Microsoft and non-Microsoft workloads, traditional apps, infrastructure roles, software-defined Datacenter, and hyper-converged infrastructure | Containerized applications running on container hosts benefiting from faster innovation |
| New releases | Typically 2–3 years | Typically 12 months |
| Support | 5 years of mainstream support, plus 5 years of extended support | 18 months of mainstream support, plus 6 months of extended support |
| Activation | All Windows Server activation keys | Windows Server Datacenter activation keys |
| Licensing | All licensing programs | Software Assurance customers only |
| Get media | All distribution channels | Volume Licensing Service Center (VLSC) and Visual Studio Subscriptions only |
| Installation options | Server Core and Server with Desktop Experience | Server Core for a container host only |

Device compatibility
The minimum hardware requirements to run the Annual Channel releases are the same
as the most recent Long-Term Servicing Channel release of Windows Server. Most
hardware drivers continue to function in these releases.

Servicing
Both the Long-Term Servicing Channel and the Annual Channel releases are supported
with security updates and nonsecurity updates up to the dates listed in the Microsoft
Lifecycle pages. The difference is the length of time that the release is supported, as
described in the Annual Channel (AC) section of this article.

Servicing tools
There are many tools with which you can service Windows Server. Each option has its
pros and cons, ranging from capabilities and control to simplicity and low administrative
requirements. The following are examples of the servicing tools available to manage
servicing updates:

Windows Update (stand-alone): This option is only available for servers that are
connected to the Internet and have Windows Update enabled.

Windows Server Update Services (WSUS) provides extensive control over
Windows Server and Windows client updates and is natively available in the
Windows Server operating system. You can defer updates, add an approval layer,
and choose to deploy them to specific computers or groups of computers
whenever ready.

Microsoft Endpoint Configuration Manager provides the greatest control over
servicing. You can defer updates, approve them, and have multiple options for
targeting deployments and managing bandwidth usage and deployment times.

You can continue using the same process for Annual Channel Releases; for example, if
you already use Configuration Manager to manage updates, you can continue to use it.
Similarly, if you're using WSUS, you can continue to use that.

Where to get Annual Channel


You can obtain Annual Channel releases from the following places:

Volume Licensing Service Center (VLSC): Volume-licensed customers with Software
Assurance can obtain this release by going to the Volume Licensing Service
Center and selecting Sign In. Finally, select Downloads and Keys, search for Annual
Channel, then download the media.

Visual Studio Subscriptions: Visual Studio Subscribers can obtain Annual Channel
releases by downloading them from the Visual Studio Subscriber download
page. If you aren't already a subscriber, go to Visual Studio Subscriptions to
sign up, and then visit the Visual Studio Subscriber downloads page. Releases
obtained through Visual Studio Subscriptions are for development and testing
only.

Activating Annual Channel releases


You need to activate your installation using your activation keys obtained from the
VLSC. If you're using KMS, Annual Channel releases use the same CSVLK of the last LTSC
release before their release. For example, an Annual Channel released with or after
Windows Server 2022 would use the Windows Server 2022 CSVLK. For more
information, see KMS client setup keys.

How to tell whether a server is running an LTSC or AC release
Long-Term Servicing Channel releases could be released at the same time as a new
version of the Annual Channel. To determine whether a server is running an Annual
Channel release, you must look at the operating system version. The product name
doesn't reflect the servicing channel. To determine whether a server is running an LTSC
or AC release, you can run the Get-ComputerInfo PowerShell command. The following
example is a computer running Windows Server 2022 Datacenter Edition (LTSC).

To determine the operating system version, run the following command:

PowerShell

Get-ComputerInfo | fl WindowsProductName,OSDisplayVersion

Here's an example output from a computer running Windows Server LTSC.

Output

WindowsProductName : Windows Server 2022 Datacenter
OSDisplayVersion   : 21H2

Here's an example output from a computer running Windows Server Annual Channel for
Containers.

Output

WindowsProductName : Windows Server 2022 Datacenter
OSDisplayVersion   : 23H2

Tip

OSDisplayVersion only applies to Windows Server 2022 and later. Annual Channel
releases do not apply to Windows Server 2019 and earlier. If you're running
Windows Server 2019 or earlier, you're running an LTSC release.

The following table lists the Windows Server LTSC and AC releases and their
corresponding operating system versions.

| Channel | Operating system display version |
| --- | --- |
| LTSC | 21H2 |
| Annual Channel | 23H2 |

The guidance is intended to help identify and differentiate between LTSC and AC for
lifecycle and general inventory purposes only. It isn't intended for application
compatibility or to represent a specific API surface. App developers should use guidance
elsewhere to properly ensure compatibility as components, APIs, and functionality can
be added over the life of a system, or not yet be added. To learn more about
programmatically determining the version, see Operating System Version.
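
For lifecycle inventory across many servers, the lookup above can be scripted. The following is an added example, not part of the original article: the function name and the sample inventory rows are constructed, while the version-to-channel table, the Windows Server 2019 rule and the support periods are the ones stated in this article.

```powershell
# Added example: classify servers as LTSC or Annual Channel from the two
# Get-ComputerInfo properties used above. Resolve-ServicingChannel is a
# hypothetical name; anything the article's table doesn't list is reported
# as 'Unknown' rather than guessed.
function Resolve-ServicingChannel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [AllowEmptyString()]
        [string]$WindowsProductName,

        [Parameter(ValueFromPipelineByPropertyName)]
        [AllowNull()][AllowEmptyString()]
        [string]$OSDisplayVersion,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$ComputerName = $env:COMPUTERNAME
    )
    begin {
        # Display version -> channel, as listed in the article's table.
        $versionToChannel = @{ '21H2' = 'LTSC'; '23H2' = 'Annual Channel' }
        # Support periods from the "Key differences" table.
        $support = @{
            'LTSC'           = '5 years mainstream + 5 years extended'
            'Annual Channel' = '18 months mainstream + 6 months extended'
        }
    }
    process {
        $version = "$OSDisplayVersion".Trim()

        $channel =
            if ($WindowsProductName -notlike 'Windows Server*') {
                'Not Windows Server'
            }
            elseif ($version -eq '') {
                # No OSDisplayVersion: Windows Server 2019 or earlier,
                # which the article says is always an LTSC release.
                'LTSC'
            }
            elseif ($versionToChannel.ContainsKey($version)) {
                $versionToChannel[$version]
            }
            else {
                'Unknown'
            }

        [pscustomobject]@{
            ComputerName       = $ComputerName
            WindowsProductName = $WindowsProductName
            OSDisplayVersion   = $version
            Channel            = $channel
            Support            = $support[$channel]   # $null when not classified
        }
    }
}

# Constructed inventory rows (not real hosts). Note that the product name is
# identical for the first two; only the display version tells them apart.
$inventory = @(
    [pscustomobject]@{ ComputerName = 'FS01'; WindowsProductName = 'Windows Server 2022 Datacenter'; OSDisplayVersion = '21H2' }
    [pscustomobject]@{ ComputerName = 'CH01'; WindowsProductName = 'Windows Server 2022 Datacenter'; OSDisplayVersion = '23H2' }
    [pscustomobject]@{ ComputerName = 'DC01'; WindowsProductName = 'Windows Server 2019 Standard';   OSDisplayVersion = $null }
)
$inventory | Resolve-ServicingChannel | Format-Table -AutoSize

# Against the local machine:
# Get-ComputerInfo | Select-Object WindowsProductName, OSDisplayVersion | Resolve-ServicingChannel
```

Rows that come back as Annual Channel are the ones to track most closely for patch planning, since their support window is 24 months and moving to the next release requires a clean installation.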

What is Azure Edition for Windows Server?
Article • 03/07/2024

Windows Server Datacenter: Azure Edition is an edition of Windows Server focused on
innovation and virtualization optimized to run on Azure. Azure Edition features a Long-
Term Servicing Channel (LTSC) and yearly product updates, with two major product
updates in the first 3 years. Azure Edition also brings new functionality to Windows
Server users faster than the Standard and Datacenter editions of Windows Server.

The annual Azure Edition updates are delivered using Windows Update, rather than a
full OS upgrade. As part of this annual update cadence, the Azure Edition Insider
preview program gives you the opportunity to access early builds leading up to general
availability. To get started with Azure Edition Insider preview, visit the Azure Edition
preview Azure Marketplace offer. Details regarding each preview are shared in release
announcements posted to the Windows Server Insiders space on Microsoft Tech
Community.

Key differences
The following table summarizes the key differences:

| Description | Windows Server Standard, Datacenter | Windows Server Datacenter: Azure Edition |
| --- | --- | --- |
| New releases | Typically 2-3 years | Typically 2-3 years |
| Product updates | With new release | Yearly, with two major updates in the first 3 years |
| Support | 5 years of mainstream support, plus 5 years of extended support | 5 years of mainstream support, plus 5 years of extended support |
| Servicing channels | Long-Term Servicing Channel | Long-Term Servicing Channel |
| Who can use it? | All customers through all channels | Software Assurance, Windows Server subscription and cloud customers only |
| Installation options | Server Core, Server with Desktop Experience, Nano Server container image | Server Core and Server with Desktop Experience only. Windows Server containers aren't supported. |
| Operating system environments (OSE) | Physical or virtual | Virtual only |
| Associated virtualization rights | 2 virtual OSEs for Standard, Unlimited virtual OSEs for Datacenter | None |

Capabilities vary by image; see Getting started with Windows Server Datacenter: Azure
Edition for more detail.

Tip

For more information, see the Microsoft Software Licensing Terms. The licensing
terms may vary based on the distribution channel, for example, a Commercial
Licensing program, Retail, Original Equipment Manufacturer (OEM), and so on.

Key capabilities

Hotpatch
Beginning with Windows Server 2022 Datacenter: Azure Edition, Hotpatch gives you the
ability to apply security updates on your VM without rebooting. When used with Azure,
Azure Guest Patching Service, along with Automanage for Windows Server, automate the
onboarding, configuration, and orchestration of hotpatching. To learn more, see
Hotpatch for new virtual machines.

Supported platforms

Hotpatch is supported on the following operating systems for VMs running on Azure
and Azure Stack HCI:

Windows Server 2022 Datacenter: Azure Edition Core

Windows Server 2022 Datacenter: Azure Edition with Desktop Experience

Note

Hotpatch isn't supported on Windows Server containers base images.

SMB over QUIC


Beginning with Windows Server 2022 Datacenter: Azure Edition, SMB over QUIC offers
an "SMB VPN" for telecommuters, mobile device users, and branch offices. SMB over
QUIC provides secure, reliable connectivity to edge file servers over untrusted networks
like the Internet. QUIC is an IETF-standardized protocol used in HTTP/3, designed for
maximum data protection with TLS 1.3 and requires encryption that can't be disabled.
SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't
change. SMB features like multichannel, signing, compression, continuous availability,
and directory leasing work normally.

SMB over QUIC is also integrated with Azure Automanage machine best practices for
Windows Server to help make SMB over QUIC management easier. QUIC uses
certificates to provide its encryption and organizations often struggle to maintain
complex public key infrastructures. Azure Automanage machine best practices ensure
that certificates don't expire without warning and that SMB over QUIC stays enabled for
maximum continuity of service.

To learn more, see SMB over QUIC and SMB over QUIC management with Automanage
machine best practices.

Storage Replica compression for data transfer


Beginning with Update 1 for Windows Server 2022 Datacenter: Azure Edition, you can
compress Storage Replica data between source and destination server. The compression
results in fewer network packets to transfer the same amount of data, allowing for more
throughput, and less network utilization. Higher data throughput should also result in
lowering synchronization time for when you need it most, for example in a disaster
recovery scenario.

To learn more about Storage Replica features, see Storage Replica features.

Extended network for Azure


Beginning with Windows Server 2022 Datacenter: Azure Edition, Azure Extended
Network enables you to stretch an on-premises subnet into Azure to let on-premises
virtual machines keep their original on-premises private IP addresses when migrating to
Azure. To learn more, see Azure Extended Network.

Get started with Windows Server Datacenter: Azure Edition
To get started using Azure Edition, use your preferred method to create an Azure or
Azure Stack HCI VM, and select the Windows Server Datacenter: Azure Edition image that
you would like to use.

Important

Some capabilities have specific configuration steps to perform during VM creation,
and some capabilities that are in preview have specific opt-in and portal viewing
requirements. See the individual capability topics to learn more about using that
capability with your VM.

Caution

Once Windows Server Datacenter: Azure Edition is installed, it isn't possible to
switch the OS back to a non-Azure Edition OS. If this occurs, reinstalling the
previous OS is required.

To learn more about creating a virtual machine using Azure or Azure Stack HCI, see Create
a Windows virtual machine in the Azure portal and Deploy Windows Server Azure
Edition VMs in Azure Stack HCI.

Next steps
Comparison of Standard, Datacenter, and Datacenter: Azure Edition editions of
Windows Server 2022
Hotpatch for new virtual machines
Enable Hotpatch for Azure Edition virtual machines built from ISO (preview)
SMB over QUIC
Extend your on-premises subnets into Azure using extended network for Azure

What is Windows Server Annual Channel for Containers?
Article • 02/29/2024

Applies to: Windows Server, version 23H2

Windows Server Annual Channel for Containers is an operating system to host Windows
Server containers. Annual Channel enables customers who are innovating quickly to take
advantage of new operating system capabilities at a faster pace, focusing on containers,
microservices, and portability.

Windows Server Annual Channel for Containers means new features and functionality
being released on an annual basis. The more frequent releases of Annual Channel
enable customers to take advantage of innovation more quickly, with a focus on
containers and microservices. To learn more about the lifecycle, see the Windows Server
Annual Channel lifecycle article. To learn more about the differences between servicing
channels, see Windows Server servicing channels.

Supported platforms
A Windows Server, version 23H2 container host only supports the Windows Server 2022
Long Term Servicing Channel (LTSC) container image.

Portability
Portability is an important feature introduced in Windows Server Annual Channel for
Containers that lets users run workloads with different container image versions.
Portability lets Windows Server 2022-based container images run on session hosts
running later versions of Windows Server. This increased support helps container
services like AKS to update the operating systems on container hosts on a more
frequent basis without requiring you to update the containers themselves. Portability
doesn't only streamline the upgrade process, but also helps developers take full
advantage of the enhanced flexibility and compatibility that containers offer. For more
information about portability, see Portability in Windows Server Annual Channel for
containers.
Get started with Windows Server Annual Channel for Containers
To get started using Annual Channel for Containers, use your preferred method to install
Windows Server on your container host. Annual Channel is available to volume-licensed
customers with Software Assurance and loyalty programs such as Visual Studio
Subscriptions. You can get Annual Channel releases from:

Volume Licensing Service Center (VLSC): Volume-licensed customers with Software
Assurance can obtain this release by going to the Volume Licensing Service
Center and selecting Sign In. Finally, select Downloads and Keys, search for Annual
Channel, then download the media.

Visual Studio Subscriptions: Visual Studio Subscribers can obtain Annual Channel
releases by downloading them from the Visual Studio Subscriber download
page. If you aren't already a subscriber, go to Visual Studio Subscriptions to
sign up, and then visit the Visual Studio Subscriber downloads page. Releases
obtained through Visual Studio Subscriptions are for development and testing
only.

Warning

Annual Channel can only be installed with the Server Core installation option. To
move to an Annual Channel release from LTSC, or to upgrade an existing Annual
Channel installation, you must perform a clean installation.

Related content
Portability in Windows Server Annual Channel for container
Comparison of Standard, Datacenter, and Datacenter: Azure Edition editions of Windows Server 2022
Article • 10/18/2022

Use this article to compare Standard, Datacenter, and Datacenter: Azure Edition editions
of Windows Server 2022 to see which will be most appropriate.

Features generally available


| Features available generally | Windows Server 2022 Standard | Windows Server 2022 Datacenter | Windows Server 2022 Datacenter: Azure Edition |
| --- | --- | --- | --- |
| Azure Extended Network | No | No | Yes |
| Best Practices Analyzer | Yes | Yes | Yes |
| Containers | Yes | Yes | Yes |
| Direct Access | Yes | Yes | Yes |
| Dynamic Memory (in virtualization) | Yes | Yes | Yes |
| Hot Add/Replace RAM | Yes | Yes | Yes |
| Hotpatching | No | No | Yes |
| Microsoft Management Console | Yes | Yes | Yes |
| Minimal Server Interface | Yes | Yes | Yes |
| Network Load Balancing | Yes | Yes | Yes |
| Windows PowerShell | Yes | Yes | Yes |
| Server Core installation option | Yes | Yes | Yes |
| Server Manager | Yes | Yes | Yes |
| SMB Direct and SMB over RDMA | Yes | Yes | Yes (not supported in Azure) |
| SMB Compression | Yes | Yes | Yes |
| SMB over QUIC | No | No | Yes |
| Software-defined Networking | No | Yes | Yes |
| Storage Migration Service | Yes | Yes | Yes |
| Storage Replica | Yes, (1 partnership and 1 resource group with a single 2TB volume) | Yes, unlimited | Yes, unlimited |
| Storage Replica Compression | No | No | Yes |
| Storage Spaces | Yes | Yes | Yes |
| Storage Spaces Direct | No | Yes | Yes |
| Volume Activation Services | Yes | Yes | Yes, (Cannot Configure as a KMS host) |
| VSS (Volume Shadow Copy Service) integration | Yes | Yes | Yes |
| Windows Server Update Services | Yes | Yes | Yes |
| Server license logging | Yes | Yes | Yes |
| Inherited activation | As guest if hosted on Datacenter | Can be a host or a guest | Can be a host or a guest |
| Work Folders | Yes | Yes | Yes |

Locks and Limits


| Locks and Limits | Windows Server 2022 Standard | Windows Server 2022 Datacenter |
| --- | --- | --- |
| Maximum number of users | Based on CALs | Based on CALs |
| Maximum SMB connections | 16,777,216 | 16,777,216 |
| Maximum RRAS connections | Unlimited | Unlimited |
| Maximum IAS connections | 2,147,483,647 | 2,147,483,647 |
| Maximum RDS connections | 65,535 | 65,535 |
| Maximum number of 64-bit sockets | 64 | 64 |
| Maximum number of cores | Unlimited | Unlimited |
| Maximum RAM | 48 TB | 48 TB |
| Can be used as virtualization guest | Yes; 2 virtual machines, plus one Hyper-V host per license | Yes; unlimited virtual machines, plus one Hyper-V host per license |
| Windows Server Containers | Unlimited | Unlimited |
| Virtual OSE/Hyper-V isolated Containers | 2 | Unlimited |
| Server can join a domain | Yes | Yes |
| Edge network protection/firewall | No | No |
| DirectAccess | Yes | Yes |
| DLNA codecs and web media streaming | Yes, if installed as Server with Desktop Experience | Yes, if installed as Server with Desktop Experience |

Server roles
| Windows Server roles available | Role services | Windows Server 2022 Standard | Windows Server 2022 Datacenter |
| --- | --- | --- | --- |
| Active Directory Certificate Services | | Yes | Yes |
| Active Directory Domain Services | | Yes | Yes |
| Active Directory Federation Services | | Yes | Yes |
| Active Directory Lightweight Directory Services | | Yes | Yes |
| Active Directory Rights Management Services | | Yes | Yes |
| Device Health Attestation | | Yes | Yes |
| DHCP Server | | Yes | Yes |
| DNS Server | | Yes | Yes |
| Fax Server | | Yes | Yes |
| File and Storage Services | File Server | Yes | Yes |
| File and Storage Services | BranchCache for Network Files | Yes | Yes |
| File and Storage Services | Data Deduplication | Yes | Yes |
| File and Storage Services | DFS Namespaces | Yes | Yes |
| File and Storage Services | DFS Replication | Yes | Yes |
| File and Storage Services | File Server Resource Manager | Yes | Yes |
| File and Storage Services | File Server VSS Agent Service | Yes | Yes |
| File and Storage Services | iSCSI Target Server | Yes | Yes |
| File and Storage Services | iSCSI Target Storage Provider | Yes | Yes |
| File and Storage Services | Server for NFS | Yes | Yes |
| File and Storage Services | Work Folders | Yes | Yes |
| File and Storage Services | Storage Services | Yes | Yes |
| Host Guardian Service | | Yes | Yes |
| Hyper-V | | Yes | Yes; including Shielded Virtual Machines |
| Network Controller | | No | Yes |
| Network Policy and Access Services | | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Print and Document Services | | Yes | Yes |
| Remote Access | | Yes | Yes |
| Remote Desktop Services | | Yes | Yes |
| Volume Activation Services | | Yes | Yes |
| Web Services (IIS) | | Yes | Yes |
| Windows Deployment Services | | Yes | Yes |
| Windows Server Update Services | | Yes | Yes |

Features
| Windows Server Features available | Windows Server 2022 Standard | Windows Server 2022 Datacenter |
| --- | --- | --- |
| .NET Framework 3.5 | Yes | Yes |
| .NET Framework 4.8 | Yes | Yes |
| Background Intelligent Transfer Service (BITS) | Yes | Yes |
| BitLocker Drive Encryption | Yes | Yes |
| BitLocker Network Unlock | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| BranchCache | Yes | Yes |
| Client for NFS | Yes | Yes |
| Containers | Yes | Yes |
| Data Center Bridging | Yes | Yes |
| Direct Play | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Enhanced Storage | Yes | Yes |
| Failover Clustering | Yes | Yes |
| Group Policy Management | Yes | Yes |
| Host Guardian Hyper-V Support | No | Yes |
| I/O Quality of Service | Yes | Yes |
| IIS Hostable Web Core | Yes | Yes |
| Internet Printing Client | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| IP Address Management (IPAM) Server | Yes | Yes |
| LPR Port Monitor | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Management OData IIS Extension | Yes | Yes |
| Media Foundation | Yes | Yes |
| Message Queueing | Yes | Yes |
| Microsoft Defender Antivirus | Yes | Yes |
| Multipath I/O | Yes | Yes |
| MultiPoint Connector | Yes | Yes |
| Network Load Balancing | Yes | Yes |
| Network Virtualization | Yes | Yes |
| Peer Name Resolution Protocol | Yes | Yes |
| Quality Windows Audio Video Experience | Yes | Yes |
| RAS Connection Manager Administration Kit (CMAK) | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Remote Assistance | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Remote Differential Compression | Yes | Yes |
| Remote Server Administration Tools (RSAT) | Yes | Yes |
| RPC over HTTP Proxy | Yes | Yes |
| Setup and Boot Event Collection | Yes | Yes |
| Simple TCP/IP Services | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| SMB 1.0/CIFS File Sharing Support | Yes | Yes |
| SMB Bandwidth Limit | Yes | Yes |
| SMTP Server | Yes | Yes |
| SNMP Service | Yes | Yes |
| Software Load Balancer | Yes | Yes |
| Storage Migration Service | Yes | Yes |
| Storage Migration Service Proxy | Yes | Yes |
| Storage Replica | Yes | Yes |
| System Data Archiver | Yes | Yes |
| System Insights | Yes | Yes |
| Telnet Client | Yes | Yes |
| TFTP Client | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| VM Shielding Tools for Fabric Management | Yes | Yes |
| WebDAV Redirector | Yes | Yes |
| Windows Biometric Framework | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Identity Foundation 3.5 | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Internal Database | Yes | Yes |
| Windows PowerShell | Yes | Yes |
| Windows Process Activation Service | Yes | Yes |
| Windows Search Service | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Server Backup | Yes | Yes |
| Windows Server Migration Tools | Yes | Yes |
| Windows Standards-Based Storage Management | Yes | Yes |
| Windows Subsystem for Linux | Yes | Yes |
| Windows TIFF IFilter | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| WinRM IIS Extension | Yes | Yes |
| WINS Server | Yes | Yes |
| Wireless LAN Service | Yes | Yes |
| WoW64 support | Yes | Yes |
| XPS Viewer | Yes, installed with Server with Desktop Experience | Yes, installed with Server with Desktop Experience |
Comparison of Standard and Datacenter editions of Windows Server 2019
Article • 09/19/2022

Use this article to compare Standard and Datacenter editions of Windows Server 2019 to
see which will be most appropriate.

Features generally available


| Features available generally | Windows Server 2019 Standard | Windows Server 2019 Datacenter |
| --- | --- | --- |
| Best Practices Analyzer | Yes | Yes |
| Direct Access | Yes | Yes |
| Dynamic Memory (in virtualization) | Yes | Yes |
| Hot Add/Replace RAM | Yes | Yes |
| Microsoft Management Console | Yes | Yes |
| Minimal Server Interface | Yes | Yes |
| Network Load Balancing | Yes | Yes |
| Windows PowerShell | Yes | Yes |
| Server Core installation option | Yes | Yes |
| Server Manager | Yes | Yes |
| SMB Direct and SMB over RDMA | Yes | Yes |
| Software-defined Networking | No | Yes |
| Storage Migration Service | Yes | Yes |
| Storage Replica | Yes, (1 partnership and 1 resource group with a single 2TB volume) | Yes, unlimited |
| Storage Spaces | Yes | Yes |
| Storage Spaces Direct | No | Yes |
| Volume Activation Services | Yes | Yes |
| VSS (Volume Shadow Copy Service) integration | Yes | Yes |
| Windows Server Update Services | Yes | Yes |
| Server license logging | Yes | Yes |
| Inherited activation | As guest if hosted on Datacenter | Can be a host or a guest |
| Work Folders | Yes | Yes |

Locks and Limits


| Locks and Limits | Windows Server 2019 Standard | Windows Server 2019 Datacenter |
| --- | --- | --- |
| Maximum number of users | Based on CALs | Based on CALs |
| Maximum SMB connections | 16,777,216 | 16,777,216 |
| Maximum RRAS connections | Unlimited | Unlimited |
| Maximum IAS connections | 2,147,483,647 | 2,147,483,647 |
| Maximum RDS connections | 65,535 | 65,535 |
| Maximum number of 64-bit sockets | 64 | 64 |
| Maximum number of cores | Unlimited | Unlimited |
| Maximum RAM | 24 TB | 24 TB |
| Can be used as virtualization guest | Yes; 2 virtual machines, plus one Hyper-V host per license | Yes; unlimited virtual machines, plus one Hyper-V host per license |
| Server can join a domain | Yes | Yes |
| Edge network protection/firewall | No | No |
| DirectAccess | Yes | Yes |
| DLNA codecs and web media streaming | Yes, if installed as Server with Desktop Experience | Yes, if installed as Server with Desktop Experience |

Server roles
| Windows Server roles available | Role services | Windows Server 2019 Standard | Windows Server 2019 Datacenter |
| --- | --- | --- | --- |
| Active Directory Certificate Services | | Yes | Yes |
| Active Directory Domain Services | | Yes | Yes |
| Active Directory Federation Services | | Yes | Yes |
| Active Directory Lightweight Directory Services | | Yes | Yes |
| Active Directory Rights Management Services | | Yes | Yes |
| Device Health Attestation | | Yes | Yes |
| DHCP Server | | Yes | Yes |
| DNS Server | | Yes | Yes |
| Fax Server | | Yes | Yes |
| File and Storage Services | File Server | Yes | Yes |
| File and Storage Services | BranchCache for Network Files | Yes | Yes |
| File and Storage Services | Data Deduplication | Yes | Yes |
| File and Storage Services | DFS Namespaces | Yes | Yes |
| File and Storage Services | DFS Replication | Yes | Yes |
| File and Storage Services | File Server Resource Manager | Yes | Yes |
| File and Storage Services | File Server VSS Agent Service | Yes | Yes |
| File and Storage Services | iSCSI Target Server | Yes | Yes |
| File and Storage Services | iSCSI Target Storage Provider | Yes | Yes |
| File and Storage Services | Server for NFS | Yes | Yes |
| File and Storage Services | Work Folders | Yes | Yes |
| File and Storage Services | Storage Services | Yes | Yes |
| Host Guardian Service | | Yes | Yes |
| Hyper-V | | Yes | Yes; including Shielded Virtual Machines |
| Network Controller | | No | Yes |
| Network Policy and Access Services | | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Print and Document Services | | Yes | Yes |
| Remote Access | | Yes | Yes |
| Remote Desktop Services | | Yes | Yes |
| Volume Activation Services | | Yes | Yes |
| Web Services (IIS) | | Yes | Yes |
| Windows Deployment Services | | Yes* | Yes* |
| Windows Server Update Services | | Yes | Yes |

Note

WDS Transport Server is new to Server Core installations in Windows Server
2019 and also included in the Semi-Annual Channel starting with Windows
Server version 1803.

Features
| Windows Server Features available | Windows Server 2019 Standard | Windows Server 2019 Datacenter |
| --- | --- | --- |
| .NET Framework 3.5 | Yes | Yes |
| .NET Framework 4.7 | Yes | Yes |
| Background Intelligent Transfer Service (BITS) | Yes | Yes |
| BitLocker Drive Encryption | Yes | Yes |
| BitLocker Network Unlock | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| BranchCache | Yes | Yes |
| Client for NFS | Yes | Yes |
| Containers | Yes (unlimited Windows containers; up to two Hyper-V containers) | Yes (unlimited Windows and Hyper-V containers) |
| Data Center Bridging | Yes | Yes |
| Direct Play | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Enhanced Storage | Yes | Yes |
| Failover Clustering | Yes | Yes |
| Group Policy Management | Yes | Yes |
| Host Guardian Hyper-V Support | No | Yes |
| I/O Quality of Service | Yes | Yes |
| IIS Hostable Web Core | Yes | Yes |
| Internet Printing Client | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| IP Address Management (IPAM) Server | Yes | Yes |
| iSNS Server service | Yes | Yes |
| LPR Port Monitor | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Management OData IIS Extension | Yes | Yes |
| Media Foundation | Yes | Yes |
| Message Queueing | Yes | Yes |
| Multipath I/O | Yes | Yes |
| MultiPoint Connector | Yes | Yes |
| Network Load Balancing | Yes | Yes |
| Peer Name Resolution Protocol | Yes | Yes |
| Quality Windows Audio Video Experience | Yes | Yes |
| RAS Connection Manager Administration Kit (CMAK) | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Remote Assistance | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Remote Differential Compression | Yes | Yes |
| Remote Server Administration Tools (RSAT) | Yes | Yes |
| RPC over HTTP Proxy | Yes | Yes |
| Setup and Boot Event Collection | Yes | Yes |
| Simple TCP/IP Services | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| SMB 1.0/CIFS File Sharing Support | Yes | Yes |
| SMB Bandwidth Limit | Yes | Yes |
| SMTP Server | Yes | Yes |
| SNMP Service | Yes | Yes |
| Software Load Balancer | Yes | Yes |
| Storage Migration Service | Yes | Yes |
| Storage Migration Service Proxy | Yes | Yes |
| Storage Replica | Yes | Yes |
| System Data Archiver | Yes | Yes |
| System Insights | Yes | Yes |
| Telnet Client | Yes | Yes |
| TFTP Client | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| VM Shielding Tools for Fabric Management | Yes | Yes |
| WebDAV Redirector | Yes | Yes |
| Windows Biometric Framework | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Defender Antivirus | Yes | Yes |
| Windows Identity Foundation 3.5 | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Internal Database | Yes | Yes |
| Windows PowerShell | Yes | Yes |
| Windows Process Activation Service | Yes | Yes |
| Windows Search Service | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Server Backup | Yes | Yes |
| Windows Server Migration Tools | Yes | Yes |
| Windows Standards-Based Storage Management | Yes | Yes |
| Windows Subsystem for Linux | Yes | Yes |
| Windows TIFF IFilter | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| WinRM IIS Extension | Yes | Yes |
| WINS Server | Yes | Yes |
| Wireless LAN Service | Yes | Yes |
| WoW64 Support | Yes | Yes |
| XPS Viewer | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
Comparison of Standard and Datacenter editions of Windows Server 2016
Article • 09/19/2022

Use this article to compare Standard and Datacenter editions of Windows Server 2016 to
see which will be most appropriate.

Features generally available


| Features available generally | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- |
| Best Practices Analyzer | Yes | Yes |
| Direct Access | Yes | Yes |
| Dynamic Memory (in virtualization) | Yes | Yes |
| Hot Add/Replace RAM | Yes | Yes |
| Microsoft Management Console | Yes | Yes |
| Minimal Server Interface | Yes | Yes |
| Network Load Balancing | Yes | Yes |
| Windows PowerShell | Yes | Yes |
| Server Core installation option | Yes | Yes |
| Nano Server installation option | Yes | Yes |
| Server Manager | Yes | Yes |
| SMB Direct and SMB over RDMA | Yes | Yes |
| Software-defined Networking | No | Yes |
| Storage Replica | No | Yes |
| Storage Spaces | Yes | Yes |
| Storage Spaces Direct | No | Yes |
| Volume Activation Services | Yes | Yes |
| VSS (Volume Shadow Copy Service) integration | Yes | Yes |
| Windows Server Update Services | Yes | Yes |
| Server license logging | Yes | Yes |
| Inherited activation | As guest if hosted on Datacenter | Can be host or guest |
| Work Folders | Yes | Yes |

Locks and Limits


| Locks and Limits | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- |
| Maximum number of users | Based on CALs | Based on CALs |
| Maximum SMB connections | 16,777,216 | 16,777,216 |
| Maximum RRAS connections | Unlimited | Unlimited |
| Maximum IAS connections | 2,147,483,647 | 2,147,483,647 |
| Maximum RDS connections | 65535 | 65535 |
| Maximum number of 64-bit sockets | 64 | 64 |
| Maximum number of cores | Unlimited | Unlimited |
| Maximum RAM | 24 TB | 24 TB |
| Can be used as virtualization guest | Yes; 2 virtual machines, plus one Hyper-V host per license | Yes; unlimited virtual machines, plus one Hyper-V host per license |
| Server can join a domain | Yes | Yes |
| Edge network protection/firewall | No | No |
| DirectAccess | Yes | Yes |
| DLNA codecs and web media streaming | Yes, if installed as Server with Desktop Experience | Yes, if installed as Server with Desktop Experience |

Server roles
| Windows Server roles available | Role services | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- | --- |
| Active Directory Certificate Services | | Yes | Yes |
| Active Directory Domain Services | | Yes | Yes |
| Active Directory Federation Services | | Yes | Yes |
| Active Directory Lightweight Directory Services | | Yes | Yes |
| Active Directory Rights Management Services | | Yes | Yes |
| Device Health Attestation | | Yes | Yes |
| DHCP Server | | Yes | Yes |
| DNS Server | | Yes | Yes |
| Fax Server | | Yes | Yes |
| File and Storage Services | File Server | Yes | Yes |
| File and Storage Services | BranchCache for Network Files | Yes | Yes |
| File and Storage Services | Data Deduplication | Yes | Yes |
| File and Storage Services | DFS Namespaces | Yes | Yes |
| File and Storage Services | DFS Replication | Yes | Yes |
| File and Storage Services | File Server Resource Manager | Yes | Yes |
| File and Storage Services | File Server VSS Agent Service | Yes | Yes |
| File and Storage Services | iSCSI Target Server | Yes | Yes |
| File and Storage Services | iSCSI Target Storage Provider | Yes | Yes |
| File and Storage Services | Server for NFS | Yes | Yes |
| File and Storage Services | Work Folders | Yes | Yes |
| File and Storage Services | Storage Services | Yes | Yes |
| Host Guardian Service | | Yes | Yes |
| Hyper-V | | Yes | Yes; including Shielded Virtual Machines |
| MultiPoint Services | | Yes | Yes |
| Network Controller | | No | Yes |
| Network Policy and Access Services | | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Print and Document Services | | Yes | Yes |
| Remote Access | | Yes | Yes |
| Remote Desktop Services | | Yes | Yes |
| Volume Activation Services | | Yes | Yes |
| Web Services (IIS) | | Yes | Yes |
| Windows Deployment Services | | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Server Essentials Experience | | Yes | Yes |
| Windows Server Update Services | | Yes | Yes |

Features
| Windows Server Features available | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- |
| .NET Framework 3.5 | Yes | Yes |
| .NET Framework 4.6 | Yes | Yes |
| Background Intelligent Transfer Service (BITS) | Yes | Yes |
| BitLocker Drive Encryption | Yes | Yes |
| BitLocker Network Unlock | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| BranchCache | Yes | Yes |
| Client for NFS | Yes | Yes |
| Containers | Yes (Windows containers unlimited; Hyper-V containers up to 2) | Yes (all container types unlimited) |
| Data Center Bridging | Yes | Yes |
| Direct Play | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Enhanced Storage | Yes | Yes |
| Failover Clustering | Yes | Yes |
| Group Policy Management | Yes | Yes |
| Host Guardian Hyper-V Support | No | Yes |
| I/O Quality of Service | Yes | Yes |
| IIS Hostable Web Core | Yes | Yes |
| Internet Printing Client | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| IPAM Server | Yes | Yes |
| iSNS Server service | Yes | Yes |
| LPR Port Monitor | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Management OData IIS Extension | Yes | Yes |
| Media Foundation | Yes | Yes |
| Message Queueing | Yes | Yes |
| Multipath I/O | Yes | Yes |
| MultiPoint Connector | Yes | Yes |
| Network Load Balancing | Yes | Yes |
| Peer Name Resolution Protocol | Yes | Yes |
| Quality Windows Audio Video Experience | Yes | Yes |
| RAS Connection Manager Administration Kit | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Remote Assistance | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Remote Differential Compression | Yes | Yes |
| RSAT | Yes | Yes |
| RPC over HTTP Proxy | Yes | Yes |
| Setup and Boot Event Collection | Yes | Yes |
| Simple TCP/IP Services | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| SMB 1.0/CIFS File Sharing Support | Yes | Yes |
| SMB Bandwidth Limit | Yes | Yes |
| SMTP Server | Yes | Yes |
| SNMP Service | Yes | Yes |
| Software Load Balancer | No | Yes |
| Storage Replica | No | Yes |
| Telnet Client | Yes | Yes |
| TFTP Client | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| VM Shielding Tools for Fabric Management | Yes | Yes |
| WebDAV Redirector | Yes | Yes |
| Windows Biometric Framework | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Defender features | Yes | Yes |
| Windows Identity Foundation 3.5 | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Internal Database | Yes | Yes |
| Windows PowerShell | Yes | Yes |
| Windows Process Activation Service | Yes | Yes |
| Windows Search Service | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| Windows Server Backup | Yes | Yes |
| Windows Server Migration Tools | Yes | Yes |
| Windows Standards-Based Storage Management | Yes | Yes |
| Windows TIFF IFilter | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
| WinRM IIS Extension | Yes | Yes |
| WINS Server | Yes | Yes |
| Wireless LAN Service | Yes | Yes |
| WoW64 support | Yes | Yes |
| XPS Viewer | Yes, when installed as Server with Desktop Experience | Yes, when installed as Server with Desktop Experience |
Hardware requirements for Windows Server
Article • 03/07/2024

To install Windows Server correctly, your computer must meet the minimum hardware
requirements outlined in this article. If your computer falls short of these requirements,
the product may not install properly. Actual requirements vary based on your system
configuration, applications, and features that are installed.

Unless otherwise specified, these minimum hardware requirements apply to all
installation options (Server Core and Server with Desktop Experience) for both Windows
Server Standard and Windows Server Datacenter editions.

Important

The highly diverse scope of potential deployments makes it unrealistic to state
recommended hardware requirements that would be generally applicable. Consult
documentation for each of the server roles you intend to deploy for more details
about the resource needs of particular server roles. For the best results, conduct
test deployments to determine appropriate hardware requirements for your
particular deployment scenarios.

Components
CPU

Processor performance depends not only on the clock frequency of the processor,
but also on the number of processor cores and the size of the processor cache. The
following are the processor requirements.

Minimum:

1.4 GHz 64-bit processor
Compatible with x64 instruction set
Supports NX and DEP
Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW
Supports Second Level Address Translation (EPT or NPT)

You can utilize Coreinfo, which is a tool included in Windows Sysinternals, to verify
the capabilities that your CPU possesses.

Other requirements
There are other hardware requirements to consider depending on your scenario:

DVD drive (if you intend to install the operating system from DVD media)

The following items are only required for certain features:

UEFI 2.3.1c-based system and firmware that supports secure boot
Trusted Platform Module (TPM)
Graphics device and monitor capable of Super VGA (1024 x 768) or higher-resolution
Keyboard and Microsoft mouse (or other compatible pointing device)
Internet access (fees may apply)

Note

A TPM chip is required in order to use certain features such as BitLocker Drive
Encryption. If your computer has a TPM, it must meet these requirements:

Hardware-based TPMs must implement version 2.0 of the TPM specification.
TPMs that implement version 2.0 must have an EK certificate that is either
pre-provisioned to the TPM by the hardware vendor or be capable of being
retrieved by the device during the first boot.
TPMs that implement version 2.0 must ship with SHA-256 PCR banks and
implement PCRs 0 through 23 for SHA-256. It is acceptable to ship TPMs with
a single switchable PCR bank that can be used for both SHA-1 and SHA-256
measurements.
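
The Secure Boot and TPM requirements above can be checked on an existing host before an install or upgrade. The following PowerShell is an added example, not part of the original article; the function name Get-PlatformSecurityReadiness is hypothetical, it must run from an elevated session, and it doesn't check the SHA-256 PCR bank requirement.

```powershell
# Added example (not from the original article). Run from an elevated session.
# Reports Secure Boot state, TPM specification version, and EK certificate presence.
function Get-PlatformSecurityReadiness {
    [CmdletBinding()]
    param()

    $notes = [System.Collections.Generic.List[string]]::new()

    # Secure Boot: Confirm-SecureBootUEFI returns $true or $false on UEFI firmware
    # and throws PlatformNotSupportedException on legacy BIOS systems.
    $secureBoot = $null
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch [System.PlatformNotSupportedException] {
        $secureBoot = $false
        $notes.Add('Firmware does not expose UEFI Secure Boot (legacy BIOS mode?).')
    }
    catch {
        $notes.Add("Secure Boot state unknown: $($_.Exception.Message)")
    }

    # TPM: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"; the first
    # field is the TPM specification version the chip implements.
    $tpm = $null
    $specVersion = $null
    try {
        $cim = @{
            Namespace   = 'root/cimv2/Security/MicrosoftTpm'
            ClassName   = 'Win32_Tpm'
            ErrorAction = 'Stop'
        }
        $tpm = Get-CimInstance @cim
        if (-not $tpm) {
            $notes.Add('No TPM reported by the Win32_Tpm provider.')
        }
        elseif ($tpm.SpecVersion) {
            $specVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        }
    }
    catch {
        $notes.Add("TPM state unknown: $($_.Exception.Message)")
    }

    # EK certificate: either stored in the TPM by the vendor (ManufacturerCertificates)
    # or retrieved by the device (AdditionalCertificates).
    $ekCertificate = $null
    if ($specVersion -eq '2.0') {
        try {
            $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256 -ErrorAction Stop
            $ekCertificate = ($ek.ManufacturerCertificates.Count -gt 0) -or
                             ($ek.AdditionalCertificates.Count -gt 0)
        }
        catch {
            $notes.Add("EK certificate check failed: $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $secureBoot
        TpmPresent        = [bool]$tpm
        TpmSpecVersion    = $specVersion
        TpmIsVersion20    = ($specVersion -eq '2.0')
        EkCertificate     = $ekCertificate
        Notes             = $notes -join ' '
    }
}

Get-PlatformSecurityReadiness | Format-List
```

A `$null` value in the output means the check could not be completed; the Notes field carries the reason.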
Features removed or no longer developed starting with Windows Server 2025 (preview)
Article • 04/10/2024

Important

Windows Server 2025 is in PREVIEW. This information relates to a prerelease
product that may be substantially modified before it's released. Microsoft makes no
warranties, expressed or implied, with respect to the information provided here.

Each release of Windows Server adds new features and functionality; we also
occasionally remove features and functionality, usually because we've added a better
option. Here are the details about the features and functionalities that we removed in
Windows Server 2025.

Tip

You can get early access to Windows Server builds by joining the Windows
Insider Program for Business - this is a great way to test feature changes.

The list is subject to change and might not include every affected feature or
functionality.

Features we've removed in this release


We're removing the following features and functionalities from the installed product
image in Windows Server 2025. Applications or code that depend on these features
won't function in this release unless you use an alternate method.

| Feature | Explanation |
| --- | --- |
| IIS 6 Management Console (Web-Lgcy-Mgmt-Console) | The console has been removed after being no longer developed in Windows Server 2019. You should also start migration from IIS 6.0 or earlier versions, and move to the latest version of IIS, which is always available in the most recent release of Windows Server. |
| WordPad | WordPad has been removed from Windows Server 2025. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. |
| SMTP Server | The SMTP Server feature has been removed from Windows Server 2025. There's no replacement within the operating system. |
| Windows PowerShell 2.0 Engine | The Windows PowerShell 2.0 Engine has been removed. Applications and components should be migrated to PowerShell 5.0+. |

Features we're no longer developing


We're no longer actively developing these features and may remove them from a future
update. Some features have been replaced with other features or functionality, while
others are now available from different sources.

Feature | Explanation

Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see MS-BRWS Common Internet File System.

Remote Mailslots | Remote Mailslots are deprecated. The Remote Mailslot protocol, which was initially introduced in MS DOS, is a dated and simple IPC method that is both unreliable and insecure. This protocol was first disabled by default in Windows 11 Insider Preview Build . For more information on Remote Mailslots, see About Mailslots and [MS-MAIL]: Remote Mailslot Protocol.

TLS 1.0, TLS 1.1 | TLS versions 1.0 and 1.1 have been deprecated by internet standards and regulatory bodies due to various security concerns. As of the 2024 release of Windows Server Insiders Preview, these versions are disabled by default. For more information on TLS deprecation, see TLS 1.0 and TLS 1.1 deprecation in Windows.

WebDAV Redirector service | The WebDAV Redirector service is deprecated. The service isn't installed by default in Windows Server. For more information on the WebDAV Redirector service, see WebDAV - Win32 apps.

Windows Management Instrumentation Command line (WMIC) | WMIC is disabled by default for new installations of Windows Server. It will be removed from Windows in a future release. PowerShell for WMI replaces the WMIC tool. Use PowerShell or programmatically query WMI as a replacement for WMIC. To learn more about WMIC deprecation, see WMI command line (WMIC) utility deprecation: Next steps.

VBScript | VBScript is deprecated. In future releases of Windows, VBScript is available as a feature on demand before its removal from the operating system.
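
One way to check an existing server against the two Windows Server 2025 tables above before upgrading. This is an added example, not part of the original article or Microsoft's tooling: it assumes an elevated Windows PowerShell 5.1 session on the server being assessed, the function names are hypothetical, and every feature name except Web-Lgcy-Mgmt-Console is the usual Server Manager identifier rather than a value taken from this page.

```powershell
#Requires -Version 5.1
# Added example (not from the original article). Function names are hypothetical.

# Server Manager feature names mapped to their status in the tables above.
# Only Web-Lgcy-Mgmt-Console appears on the page; the other names are the
# commonly used Server Manager identifiers and are assumptions here.
$LegacyFeatures = [ordered]@{
    'Web-Lgcy-Mgmt-Console' = 'Removed in 2025 (IIS 6 Management Console)'
    'SMTP-Server'           = 'Removed in 2025 (SMTP Server)'
    'PowerShell-V2'         = 'Removed in 2025 (Windows PowerShell 2.0 Engine)'
    'WebDAV-Redirector'     = 'Deprecated (WebDAV Redirector service)'
    'FS-SMB1'               = 'SMB1, which the Computer Browser service relied on'
}

function Get-LegacyFeatureState {
    # Reports whether each listed role or feature is installed on this server.
    param([System.Collections.IDictionary]$FeatureMap = $LegacyFeatures)
    Import-Module ServerManager -ErrorAction Stop
    foreach ($name in $FeatureMap.Keys) {
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Feature = $name
            Status  = $FeatureMap[$name]
            # Nothing returned means this image does not carry the feature at all.
            State   = if ($feature) { [string]$feature.InstallState } else { 'NotInImage' }
        }
    }
}

function Get-SchannelOverride {
    # Reads the Schannel registry overrides for TLS 1.0 and TLS 1.1. An explicit
    # Enabled value keeps a protocol on even when the OS default is "disabled",
    # so overrides left by old hardening or compatibility scripts matter here.
    param([string[]]$Protocol = @('TLS 1.0', 'TLS 1.1'))
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key    = Join-Path (Join-Path $base $p) $role
            $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = if (-not $values -or $null -eq $values.Enabled) {
                'OS default (no override)'
            } elseif ($values.Enabled -eq 0) {
                'Disabled by override'
            } else {
                'ENABLED by override'
            }
            [pscustomobject]@{ Protocol = $p; Role = $role; State = $state }
        }
    }
}

function Get-PowerShellV2Usage {
    # Event 400 in the classic "Windows PowerShell" log records every engine
    # start together with its EngineVersion. Entries for 2.0 identify the
    # callers that must be migrated before the 2.0 engine disappears.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            $hostApp = ''
            if ($_.Message -match 'HostApplication=(.+)') { $hostApp = $Matches[1].Trim() }
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $hostApp }
        }
}

Get-LegacyFeatureState | Format-Table -AutoSize
Get-SchannelOverride   | Format-Table -AutoSize
Get-PowerShellV2Usage  | Sort-Object Time -Descending | Select-Object -First 20
```

A feature reported as Installed, a TLS row reported as ENABLED by override, or any PowerShell 2.0 engine start is something to resolve before the upgrade rather than after it.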

Features removed or no longer developed starting with Windows Server 2022
Article • 04/25/2024

Each release of Windows Server adds new features and functionality; we also
occasionally remove features and functionality, usually because we've added a better
option. Here are the details about the features and functionalities that we removed in
Windows Server 2022.

Tip

You can get early access to Windows Server builds by joining the Windows
Insider Program for Business - this is a great way to test feature changes.

The list is subject to change and might not include every affected feature or
functionality.

Semi-Annual Channel
As part of our customer-centric approach, we’ll move to the Long-Term Servicing
Channel (LTSC) as our primary release channel. Current Semi-Annual Channel (SAC)
releases will continue through their mainstream support end dates, which are May 10,
2022 for Windows Server version 20H2 and December 14, 2021 for Windows Server
version 2004.

The focus on container and microservice innovation previously released in the Semi-
Annual Channel will now continue with Azure Kubernetes Service (AKS), AKS on Azure
Stack HCI, and other platform improvements made in collaboration with the Kubernetes
community. And with the Long-Term Servicing Channel, a major new version of
Windows Server will be released every 2-3 years, so customers can expect both
container host and container images to align with that cadence.

Features we've removed in this release


We're removing the following features and functionalities from the installed product
image in Windows Server 2022. Applications or code that depend on these features
won't function in this release unless you use an alternate method.

Feature | Explanation

Internet Storage Name Service (iSNS) Server service | The iSNS Server service has now been removed from Windows Server 2022 after it was considered for removal in Windows Server, version 1709. You can still connect to iSNS servers or add iSCSI targets individually.

Features we're no longer developing


We're no longer actively developing these features and may remove them from a future
update. Some features have been replaced with other features or functionality, while
others are now available from different sources.

Feature | Explanation

TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 due to various security issues. In a future release of Windows Server, TLS 1.0 and 1.1 will be disabled by default. For more information, see TLS versions 1.0 and 1.1 disablement resources.

Windows Internet Name Service (WINS) | WINS is a legacy computer name registration and resolution service. You should replace WINS with Domain Name System (DNS). For more information, see Windows Internet Name Service (WINS).

Guarded Fabric and Shielded Virtual Machines (VMs) | Windows Server and Azure Stack HCI are aligning with Azure to take advantage of continuing enhancements to Azure Confidential Computing and Azure Security Center. Having this alignment translates to more cloud security offerings being extended to customer data centers (on-premises). Microsoft will continue to provide support for these features, but there will be no further development. On client versions of Windows, the Remote Server Administration Tools (RSAT): Shielded VM Tools feature will be removed.

Launching SConfig from a command prompt (CMD) window by running sconfig.cmd | Starting with Windows Server 2022, SConfig is launched by default when you sign in to a server running the Server Core installation option. Moreover, PowerShell is now the default shell on Server Core. If you exit SConfig, you get to a regular interactive PowerShell window. Similarly, you can opt out from SConfig autolaunch. In this case, you'll get a PowerShell window at sign-in. In either scenario, you can launch SConfig from PowerShell by running SConfig. If needed, you can launch the legacy command prompt (CMD) from PowerShell as well. But to simplify different transition options, we're going to remove sconfig.cmd from the next version of the operating system. If you need to start SConfig from a CMD window, you'll have to launch PowerShell first.

Windows Deployment Services (WDS) boot.wim image deployment | The operating system deployment functionality of WDS is being partially deprecated. Workflows that rely on boot.wim from Windows Server 2022 installation media will show a non-blocking deprecation notice, but the workflows will otherwise not be impacted. Windows 11 workflows and workflows for future versions of Windows Server that rely on boot.wim from installation media will be blocked. Alternatives to WDS, such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit (MDT), provide a better, more flexible, and feature-rich experience for deploying Windows images. You're advised to move to one of these solutions instead. WDS PXE boot isn't affected. You can still use WDS to PXE boot devices to custom boot images. You can also still run setup from a network share. Workflows that use custom boot.wim images, such as with Configuration Manager or MDT, will also not be impacted by this change.

LSARPC interface | The named pipe \PIPE\lsarpc for accessing EFS encrypted files over the network will be disabled and eventually removed from future versions of Windows. You can still use the named pipe \PIPE\efsrpc to access encrypted files.

Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it must be bound via Switch Embedded Teaming (SET). This change only applies to Hyper-V vSwitches; LBFO is still fully supported for other non Hyper-V scenarios.

XDDM-based remote display driver | Starting with this release, Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing a remote display indirect display driver, see Updates for IddCx versions 1.4 and later.

UCS log collection tool | The UCS log collection tool, while not explicitly intended for use with Windows Server, is nonetheless being replaced by the Feedback hub on Windows 10.

Features removed or no longer developed starting with Windows Server 2019
Article • 11/28/2022

Each release of Windows Server adds new features and functionality; we also
occasionally remove features and functionality, usually because we've added a better
option. Here are the details about the features and functionalities that we removed in
Windows Server 2019.

Tip

You can get early access to Windows Server builds by joining the Windows
Insider program - this is a great way to test feature changes.

The list is subject to change and might not include every affected feature or
functionality.

Features we've removed in this release


We're removing the following features and functionalities from the installed product
image in Windows Server 2019. Applications or code that depend on these features
won't function in this release unless you use an alternate method.

Feature | Explanation

Business Scanning, also called Distributed Scan Management (DSM) | We're removing this secure scanning and scanner management capability - there are no devices that support this feature.

Print components - now optional component for Server Core installations | In previous releases of Windows Server, the print components were disabled by default in the Server Core installation option. We changed that in Windows Server 2016, enabling them by default. In Windows Server 2019, those print components are once again disabled by default for Server Core. If you need to enable the print components, you can do so by running the Install-WindowsFeature Print-Server cmdlet.

Remote Desktop Connection Broker and Remote Desktop Virtualization Host in a Server Core installation | Most Remote Desktop Services deployments have these roles co-located with the Remote Desktop Session Host (RDSH), which requires Server with Desktop Experience. To be consistent with RDSH, we're changing these roles to also require Server with Desktop Experience. These RDS roles are no longer available for use in a Server Core installation. If you need to deploy these roles as part of your Remote Desktop infrastructure, you can install them on Windows Server with Desktop Experience. These roles are also included in the Desktop Experience installation option of Windows Server 2019.

RemoteFX 3D Video Adapter (vGPU) | We're developing new graphics acceleration options for virtualized environments. You can also use Discrete Device Assignment (DDA) as an alternative.

Nano Server installation option | Nano Server isn't available as an installable host operating system. Instead, Nano Server is available as a container operating system. To learn more about Nano Server as a container, see Windows Container Base Images.

Server Message Block (SMB) version 1 | Starting with this release, Server Message Block (SMB) version 1 is no longer installed by default. For details, see SMBv1 isn't installed by default in Windows 10 version 1709, Windows Server version 1709 and later versions.

File Replication Service | File Replication Services, introduced in Windows Server 2003 R2, has been replaced by DFS Replication. You need to migrate any domain controllers that use FRS for the sysvol folder to DFS Replication.

Hyper-V Network Virtualization (HNV) | Network Virtualization is now included in Windows Server as part of the Software Defined Networking (SDN) solution. The SDN solution also includes the Network Controller, Software Load Balancing, User-Defined Routing, and Access Control Lists.

Features we're no longer developing


We're no longer actively developing these features and may remove them from a future
update. Some features have been replaced with other features or functionality, while
others are now available from different sources.

Feature | Explanation

Key Storage Drive in Hyper-V | We're no longer working on the Key Storage Drive feature in Hyper-V. If you're using generation 1 virtual machines (VMs), check out Generation 1 VM Virtualization Security for information about options going forward. If you're creating new VMs, use Generation 2 virtual machines with TPM devices for a more secure solution.

Trusted Platform Module (TPM) management console | The information previously available in the TPM management console is now available on the Device security page in the Windows Defender Security Center.

Host Guardian Service Active Directory attestation mode | We're no longer developing Host Guardian Service Active Directory attestation mode; instead, we've added a new attestation mode, host key attestation. Host key attestation is simpler and equally as compatible as Active Directory based attestation. This new mode provides equivalent functionality with a setup experience, simpler management and fewer infrastructure dependencies than the Active Directory attestation. Host key attestation has no extra hardware requirements beyond what Active Directory attestation required, so all existing systems will remain compatible with the new mode. For more information about your attestation options, see Deploy guarded hosts.

OneSync service | The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.

Remote Differential Compression API support | Remote Differential Compression API support enabled synchronizing data with a remote source using compression technologies, which minimized the amount of data sent across the network.

WFP lightweight filter switch extension | The WFP lightweight filter switch extension enables developers to build simple network packet filtering extensions for the Hyper-V virtual switch. You can achieve the same functionality by creating a full filtering extension. As such, we'll be removing this extension in the future.

IIS 6 Management compatibility | Specific features being considered for replacement are: IIS 6 Metabase Compatibility (Web-Metabase), IIS 6 Management Console (Web-Lgcy-Mgmt-Console), IIS 6 Scripting Tools (Web-Lgcy-Scripting), and IIS 6 WMI Compatibility (Web-WMI). IIS 6 Metabase Compatibility acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions. You should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace. You should also start migration from IIS 6.0 or earlier versions, and move to the latest version of IIS, which is always available in the most recent release of Windows Server.

IIS Digest Authentication | This authentication method is planned for replacement. Instead, you should start using other authentication methods such as Client Certificate Mapping (see Configuring One-to-One Client Certificate Mappings) or Windows Authentication (see Application Settings).

Internet Storage Name Service (iSNS) | The Server Message Block (SMB) feature offers essentially the same functionality with more features. See Server Message Block Overview for background information on this feature.

RSA/AES Encryption for IIS | This encryption method is being considered for replacement because the superior Cryptography API: Next Generation (CNG) method is already available. To learn more about CNG encryption, see About CNG.

Windows PowerShell 2.0 | This early version of Windows PowerShell has been superseded by several more recent versions. For the best features and performance, migrate to Windows PowerShell 5.0 or later. See PowerShell Documentation for plenty of information.

IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels) | 6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Use native IPv6 support instead.

MultiPoint Services | We're no longer developing the MultiPoint Services role as part of Windows Server. MultiPoint Connector services are available through Feature on Demand for both Windows Server and Windows 10. You can use Remote Desktop Services, in particular the Remote Desktop Services Session Host, to provide RDP connectivity.

Offline symbol packages (Debug symbol MSIs) | We're no longer making the symbol packages available as a downloadable MSI. Instead, the Microsoft Symbol Server is moving to be an Azure-based symbol store. If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.

Software Restriction Policies in Group Policy | Instead of using the Software Restriction Policies through Group Policy, you can use AppLocker or Windows Defender Application Control. You can use AppLocker and Windows Defender Application Control to manage which apps users can access and what code can run in the kernel.

Storage Spaces in a Shared configuration using a SAS fabric | Deploy Storage Spaces Direct instead. Storage Spaces Direct supports the use of HLK-certified SAS enclosures, but in a non-shared configuration, as described in the Storage Spaces Direct hardware requirements.

Windows Server Essentials Experience | We're no longer developing the Essentials Experience role for the Windows Server Standard or Windows Server Datacenter SKUs. If you need an easy-to-use server solution for small-to-medium businesses, check out our new Microsoft 365 for business solution, or use Windows Server 2016 Essentials.

Features Removed or Deprecated in Windows Server 2016
Article • 12/23/2021

Each release of Windows Server adds new features and functionality; we also
occasionally remove features and functionality, usually because we've added a better
option. Here are the details about the features and functionalities that we removed in
Windows Server 2016.

Tip

You can get early access to Windows Server builds by joining the Windows
Insider Program for Business - this is a great way to test feature changes.

The list is subject to change and might not include every affected feature or
functionality.

Features we've removed in this release


We're removing the following features and functionalities from the installed product
image in Windows Server 2016. Applications or code that depend on these features
won't function in this release unless you use an alternate method.

Note

If you are moving to Windows Server 2016 from a server release prior to Windows
Server 2012 R2 or Windows Server 2012, you should also review Features Removed
or Deprecated in Windows Server 2012 R2 and Features Removed or Deprecated
in Windows Server 2012.

Feature | Explanation

Share and Storage Management snap-in for Microsoft Management Console | If the computer you want to manage is running an operating system older than Windows Server 2016, connect to it with Remote Desktop and use the local version of the Share and Storage Management snap-in. On a computer running Windows 8.1 or earlier, use the Share and Storage Management snap-in from RSAT to view the computer you want to manage. Use Hyper-V on a client computer to run a virtual machine running Windows 7, Windows 8, or Windows 8.1 that has the Share and Storage Management snap-in in RSAT.

Journal.dll | The file Journal.dll is removed from Windows Server 2016. There is no replacement.

Security Configuration Wizard | The Security Configuration Wizard is removed. Instead, features are secured by default. If you need to control specific security settings, you can use either Group Policy or Microsoft Security Compliance Manager.

SQM | The opt-in components that manage participation in the Customer Experience Improvement Program have been removed.

Windows Update | The wuauclt.exe /detectnow command has been removed and is no longer supported. To trigger a scan for updates, run these PowerShell commands:

$AutoUpdates = New-Object -ComObject "Microsoft.Update.AutoUpdate"
$AutoUpdates.DetectNow()

Features we're no longer developing


We're no longer actively developing these features and may remove them from a future
update. Some features have been replaced with other features or functionality, while
others are now available from different sources.

Feature | Explanation

Configuration tools | scregedit.exe is deprecated. If you have scripts that depend on scregedit.exe, adjust them to use reg.exe or PowerShell methods.

Sconfig.exe | Use Sconfig.cmd instead.

NetCfg custom APIs | Installation of PrintProvider, NetClient, and ISDN using NetCfg custom APIs is deprecated.

Remote management | WinRM.vbs is deprecated. Instead, use functionality in the WinRM provider of PowerShell.

SMB 2+ over NetBT | SMB 2+ over NetBT is deprecated. Instead, implement SMB over TCP or RDMA.
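
The release lists above retire several command-line tools that administrative scripts often still call (wuauclt.exe /detectnow, scregedit.exe, WinRM.vbs, sconfig.cmd, WMIC, and VBScript itself). The following added example, which is not part of the original article, scans script text for those calls and reports the replacement the tables name; the function name, the sample script, and the C:\Scripts path in the closing comment are constructed for illustration.

```powershell
# Added example (not from the original article). Find-RetiredToolCall and the
# sample script are hypothetical; the tools and replacements come from the
# removal and deprecation tables above.

$RetiredTools = @(
    @{
        Pattern     = '\bwuauclt(\.exe)?\s+/detectnow\b'
        Tool        = 'wuauclt.exe /detectnow (removed in Windows Server 2016)'
        Replacement = 'Microsoft.Update.AutoUpdate COM object, DetectNow()'
    }
    @{
        Pattern     = '\bscregedit\.exe\b'
        Tool        = 'scregedit.exe (deprecated in Windows Server 2016)'
        Replacement = 'reg.exe or PowerShell methods'
    }
    @{
        Pattern     = '\bwinrm\.vbs\b'
        Tool        = 'WinRM.vbs (deprecated in Windows Server 2016)'
        Replacement = 'WinRM provider of PowerShell'
    }
    @{
        Pattern     = '\bsconfig\.cmd\b'
        Tool        = 'sconfig.cmd (to be removed after Windows Server 2022)'
        Replacement = 'Run SConfig from PowerShell'
    }
    @{
        Pattern     = '\bwmic(\.exe)?\b'
        Tool        = 'WMIC (disabled by default on new installations)'
        Replacement = 'PowerShell for WMI, or a programmatic WMI query'
    }
    @{
        Pattern     = '\b[cw]script(\.exe)?\b.*\.vbs\b'
        Tool        = 'VBScript host call (VBScript is deprecated)'
        Replacement = 'Plan a rewrite before VBScript leaves the operating system'
    }
)

function Find-RetiredToolCall {
    # Returns one object per (line, rule) match so findings can be sorted,
    # grouped, or exported with the usual pipeline cmdlets.
    param(
        [string[]]$Line = @(),
        [string]$Source = '<inline>'
    )
    for ($i = 0; $i -lt $Line.Count; $i++) {
        $text = $Line[$i]
        # Skip comment-only lines so notes about old commands are not flagged.
        if ($text -match '^\s*(#|rem\b|::)') { continue }
        foreach ($rule in $RetiredTools) {
            if ($text -match $rule.Pattern) {
                [pscustomobject]@{
                    Source      = $Source
                    LineNumber  = $i + 1
                    Tool        = $rule.Tool
                    Replacement = $rule.Replacement
                    Text        = $text.Trim()
                }
            }
        }
    }
}

# Constructed sample of a legacy maintenance script.
$sample = @'
rem nightly maintenance (constructed sample)
wuauclt.exe /detectnow
cscript //nologo C:\Windows\System32\winrm.vbs enumerate winrm/config/listener
wmic os get Caption,Version
# wmic is mentioned here only in a comment
C:\Windows\System32\sconfig.cmd
'@ -split "`r?`n"

Find-RetiredToolCall -Line $sample -Source 'sample.cmd' |
    Format-Table LineNumber, Tool, Replacement -AutoSize

# To scan real scripts (C:\Scripts is a placeholder path):
# Get-ChildItem C:\Scripts -Recurse -Include *.ps1, *.cmd, *.bat | ForEach-Object {
#     Find-RetiredToolCall -Line @(Get-Content $_.FullName) -Source $_.FullName
# }
```

The cscript line is reported twice, once for WinRM.vbs and once as a VBScript host call, because both deprecations apply to it.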
Windows Server release information
Article • 12/23/2021

Beginning in September 2023, Windows Server has two primary release channels
available: the Long-Term Servicing Channel (LTSC) and the Annual Channel (AC). The
Long-Term Servicing Channel provides a longer-term option focusing on stability,
whereas the Annual Channel provides more frequent releases. The Windows Server
Semi-Annual Channel (SAC) was retired on August 9, 2022.

With the Long-Term Servicing Channel, a new major version of Windows Server is
typically released every 2-3 years. The more frequent releases of the AC enable
customers to take advantage of innovation more quickly, with a focus on containers and
microservices. For a detailed comparison, see Windows Server servicing channels.

The focus on virtualization, container, and microservice innovation continues with Azure
Stack HCI, Windows containers, and AKS on Azure Stack HCI.

Windows Server major versions by servicing option
(All dates are listed in ISO 8601 format: YYYY-MM-DD)

Windows Server release | Servicing option | Editions | Availability date | Latest build | Mainstream support end date | Extended support end date

Windows Server 2022 | Long-Term Servicing Channel (LTSC) | Datacenter, Standard | 2021-08-18 | 20348.2322 | 2026-10-13 | 2031-10-14

Windows Server 2019 (version 1809) | Long-Term Servicing Channel (LTSC) | Datacenter, Standard | 2018-11-13 | 17763.5458 | End of servicing | 2029-01-09

Windows Server 2016 (version 1607) | Long-Term Servicing Branch (LTSB) | Datacenter, Essentials, Standard | 2016-08-02 | 14393.6709 | End of servicing | 2027-01-12

Note

Windows Server is governed by the Fixed Lifecycle Policy. See the Windows
Lifecycle FAQ and Comparison of servicing channels for details regarding
servicing requirements and other important information. To learn more about
Windows Server’s Lifecycle Policy, see Windows Server Releases.

Windows Server release history


The table below shows the history of all monthly security and non-security preview
updates released for Windows Server 2022. To see release notes and learn more about
the contents of Windows Server 2022 updates, check Windows Server 2022 Update
History.

For Windows Server 2016 and Windows Server 2019 release information, see Windows
10 - release information. Release notes for these versions are available on Windows
Server 2016 update history and Server 2019 update history.

Windows Server 2022 (OS build 20348)


Servicing option Availability date OS build KB article

LTSC 2024-02-13 20348.2322 KB5034770

LTSC 2024-01-09 20348.2227 KB5034129

LTSC 2023-12-12 20348.2159 KB5033118

LTSC 2023-11-14 20348.2113 KB5032198

LTSC 2023-10-10 20348.2031 KB5031364

LTSC 2023-09-12 20348.1970 KB5030216

LTSC 2023-08-08 20348.1906 KB5029250

LTSC 2023-07-11 20348.1850 KB5028171

LTSC 2023-06-13 20348.1787 KB5027225


LTSC 2023-05-09 20348.1726 KB5026370

LTSC 2023-04-11 20348.1668 KB5025230

LTSC 2023-03-14 20348.1607 KB5023705

LTSC 2023-02-14 20348.1547 KB5022842

LTSC 2023-01-10 20348.1487 KB5022291

LTSC 2022-12-20 20348.1368 KB5022553

LTSC 2022-12-13 20348.1366 KB5021249

LTSC 2022-11-22 20348.1311 KB5020032

LTSC 2022-11-17 20348.1251 KB5021656

LTSC 2022-11-08 20348.1249 KB5019081

LTSC 2022-10-25 20348.1194 KB5018485

LTSC 2022-10-17 20348.1131 KB5020436

LTSC 2022-10-11 20348.1129 KB5018421

LTSC 2022-09-20 20348.1070 KB5017381

LTSC 2022-09-13 20348.1006 KB5017316

LTSC 2022-08-16 20348.946 KB5016693

LTSC 2022-08-09 20348.887 KB5016627

LTSC 2022-07-19 20348.859 KB5015879

LTSC 2022-07-12 20348.825 KB5015827

LTSC 2022-06-23 20348.803 KB5014665

LTSC 2022-06-14 20348.768 KB5014678

LTSC 2022-05-24 20348.740 KB5014021

LTSC 2022-05-19 20348.709 KB5015013

LTSC 2022-05-10 20348.707 KB5013944

LTSC 2022-04-25 20348.681 KB5012637

LTSC 2022-04-12 20348.643 KB5012604

LTSC 2022-03-22 20348.617 KB5011558


LTSC 2022-03-08 20348.587 KB5011497

LTSC 2022-02-15 20348.558 KB5010421

LTSC 2022-02-08 20348.524 KB5010354

LTSC 2022-01-25 20348.502 KB5009608

LTSC 2022-01-17 20348.473 KB5010796

LTSC 2022-01-11 20348.469 KB5009555

LTSC 2022-01-05 20348.407 KB5010197

LTSC 2021-12-14 20348.405 KB5008223

LTSC 2021-11-22 20348.380 KB5007254

LTSC 2021-11-09 20348.350 KB5007205

LTSC 2021-10-26 20348.320 KB5006745

LTSC 2021-10-12 20348.288 KB5006699

LTSC 2021-09-27 20348.261 KB5005619

LTSC 2021-09-14 20348.230 KB5005575

LTSC 2021-08-26 20348.202 KB5005104

Windows Server 2019 (OS build 17763)


Servicing option Availability date OS build KB article

LTSC 2024-02-13 17763.5458 KB5034768

LTSC 2024-01-09 17763.5329 KB5034127

LTSC 2023-12-12 17763.5206 KB5033371

LTSC 2023-11-14 17763.5122 KB5032196

LTSC 2023-10-10 17763.4974 KB5031361

LTSC 2023-09-12 17763.4851 KB5030214

LTSC 2023-08-08 17763.4737 KB5029247

LTSC 2023-07-11 17763.4645 KB5028168


LTSC 2023-06-13 17763.4499 KB5027222

LTSC 2023-05-09 17763.4377 KB5026362

LTSC 2023-04-11 17763.4252 KB5025229

LTSC 2023-03-14 17763.4131 KB5023702

LTSC 2023-02-14 17763.4010 KB5022840

LTSC 2023-01-10 17763.3887 KB5022286

LTSC 2022-12-20 17763.3772 KB5022554

LTSC 2022-12-13 17763.3770 KB5021237

LTSC 2022-11-17 17763.3653 KB5021655

LTSC 2022-11-08 17763.3650 KB5019966

LTSC 2022-10-17 17763.3534 KB5020438

LTSC 2022-10-11 17763.3532 KB5018419

LTSC 2022-09-20 17763.3469 KB5017379

LTSC 2022-09-13 17763.3406 KB5017315

LTSC 2022-08-23 17763.3346 KB5016690

LTSC 2022-08-09 17763.3287 KB5016623

LTSC 2022-07-21 17763.3232 KB5015880

LTSC 2022-07-12 17763.3165 KB5015811

LTSC 2022-06-23 17763.3113 KB5014669

LTSC 2022-06-14 17763.3046 KB5014692

LTSC 2022-05-24 17763.2989 KB5014022

LTSC 2022-05-19 17763.2931 KB5015018

LTSC 2022-05-10 17763.2928 KB5013941

LTSC 2022-04-21 17763.2867 KB5012636

LTSC 2022-04-12 17763.2803 KB5012647

LTSC 2022-03-22 17763.2746 KB5011551

LTSC 2022-03-08 17763.2686 KB5011503


LTSC 2022-02-15 17763.2628 KB5010427

LTSC 2022-02-08 17763.2565 KB5010351

LTSC 2022-01-25 17763.2510 KB5009616

LTSC 2022-01-18 17763.2458 KB5010791

LTSC 2022-01-11 17763.2452 KB5009557

LTSC 2022-01-04 17763.2369 KB5010196

LTSC 2021-12-14 17763.2366 KB5008218

LTSC 2021-11-22 17763.2330 KB5007266

LTSC 2021-11-14 17763.2305 KB5008602

LTSC 2021-11-09 17763.2300 KB5007206

LTSC 2021-10-19 17763.2268 KB5006744

LTSC 2021-10-12 17763.2237 KB5006672

LTSC 2021-09-21 17763.2213 KB5005625

LTSC 2021-09-14 17763.2183 KB5005568

LTSC 2021-08-26 17763.2145 KB5005102

LTSC 2021-08-10 17763.2114 KB5005030

LTSC 2021-07-27 17763.2091 KB5005394

LTSC 2021-07-20 17763.2090 KB5004308

LTSC 2021-07-13 17763.2061 KB5004244

LTSC 2021-07-06 17763.2029 KB5004947

LTSC 2021-06-15 17763.2028 KB5003703

LTSC 2021-06-08 17763.1999 KB5003646

LTSC 2021-05-20 17763.1971 KB5003217

LTSC 2021-05-11 17763.1935 KB5003171

LTSC 2021-04-22 17763.1911 KB5001384

LTSC 2021-04-13 17763.1879 KB5001342

LTSC 2021-03-25 17763.1852 KB5000854


LTSC 2021-03-18 17763.1823 KB5001638

LTSC 2021-03-15 17763.1821 KB5001568

LTSC 2021-03-09 17763.1817 KB5000822

LTSC 2021-02-16 17763.1790 KB4601383

LTSC 2021-02-09 17763.1757 KB4601345

LTSC 2021-01-21 17763.1728 KB4598296

LTSC 2021-01-12 17763.1697 KB4598230

LTSC 2020-12-08 17763.1637 KB4592440

LTSC 2020-11-19 17763.1613 KB4586839

LTSC 2020-11-17 17763.1579 KB4594442

LTSC 2020-11-10 17763.1577 KB4586793

LTSC 2020-10-20 17763.1554 KB4580390

LTSC 2020-10-13 17763.1518 KB4577668

LTSC 2020-09-16 17763.1490 KB4577069

LTSC 2020-09-08 17763.1457 KB4570333

LTSC 2020-08-20 17763.1432 KB4571748

LTSC 2020-08-11 17763.1397 KB4565349

LTSC 2020-07-21 17763.1369 KB4559003

LTSC 2020-07-14 17763.1339 KB4558998

LTSC 2020-06-16 17763.1294 KB4567513

LTSC 2020-06-09 17763.1282 KB4561608

LTSC 2020-05-12 17763.1217 KB4551853

LTSC 2020-04-21 17763.1192 KB4550969

LTSC 2020-04-14 17763.1158 KB4549949

LTSC 2020-03-30 17763.1132 KB4554354

LTSC 2020-03-17 17763.1131 KB4541331

LTSC 2020-03-10 17763.1098 KB4538461


LTSC 2020-02-25 17763.1075 KB4537818

LTSC 2020-02-11 17763.1039 KB4532691

LTSC 2020-01-23 17763.1012 KB4534321

LTSC 2020-01-14 17763.973 KB4534273

LTSC 2019-12-10 17763.914 KB4530715

LTSC 2019-11-12 17763.864 KB4523205

LTSC 2019-10-15 17763.832 KB4520062

LTSC 2019-10-08 17763.805 KB4519338

LTSC 2019-10-03 17763.775 KB4524148

LTSC 2019-09-24 17763.774 KB4516077

LTSC 2019-09-23 17763.740 KB4522015

LTSC 2019-09-10 17763.737 KB4512578

LTSC 2019-08-17 17763.720 KB4512534

LTSC 2019-08-13 17763.678 KB4511553

LTSC 2019-07-22 17763.652 KB4505658

LTSC 2019-07-09 17763.615 KB4507469

LTSC 2019-06-26 17763.593 KB4509479

LTSC 2019-06-18 17763.592 KB4501371

LTSC 2019-06-11 17763.557 KB4503327

LTSC 2019-05-21 17763.529 KB4497934

LTSC 2019-05-19 17763.504 KB4505056

LTSC 2019-05-14 17763.503 KB4494441

LTSC 2019-05-03 17763.475 KB4495667

LTSC 2019-05-01 17763.439 KB4501835

LTSC 2019-04-09 17763.437 KB4493509

LTSC 2019-04-02 17763.404 KB4490481

LTSC 2019-03-12 17763.379 KB4489899


LTSC 2019-03-01 17763.348 KB4482887

LTSC 2019-02-12 17763.316 KB4487044

LTSC 2019-01-22 17763.292 KB4476976

LTSC 2019-01-08 17763.253 KB4480116

LTSC 2018-12-19 17763.195 KB4483235

LTSC 2018-12-11 17763.194 KB4471332

LTSC 2018-12-05 17763.168 KB4469342

LTSC 2018-11-13 17763.134 KB4467708

LTSC 2018-11-13 17763.107 KB4464455

LTSC 2018-10-09 17763.55 KB4464330

LTSC 2018-10-02 17763.1

Windows Server 2016 (OS build 14393)


Servicing option Availability date OS build KB article

LTSB 2024-02-13 14393.6709 KB5034767

LTSB 2024-01-09 14393.6614 KB5034119

LTSB 2023-12-12 14393.6529 KB5033373

LTSB 2023-11-14 14393.6452 KB5032197

LTSB 2023-10-10 14393.6351 KB5031362

LTSB 2023-09-12 14393.6252 KB5030213

LTSB 2023-08-08 14393.6167 KB5029242

LTSB 2023-07-11 14393.6085 KB5028169

LTSB 2023-06-23 14393.5996 KB5028623

LTSB 2023-06-13 14393.5989 KB5027219

LTSB 2023-05-09 14393.5921 KB5026363

LTSB 2023-04-11 14393.5850 KB5025228


LTSB 2023-03-14 14393.5786 KB5023697

LTSB 2023-02-14 14393.5717 KB5022838

LTSB 2023-01-10 14393.5648 KB5022289

LTSB 2022-12-13 14393.5582 KB5021235

LTSB 2022-11-17 14393.5502 KB5021654

LTSB 2022-11-08 14393.5501 KB5019964

LTSB 2022-10-18 14393.5429 KB5020439

LTSB 2022-10-11 14393.5427 KB5018411

LTSB 2022-09-13 14393.5356 KB5017305

LTSB 2022-08-09 14393.5291 KB5016622

LTSB 2022-07-12 14393.5246 KB5015808

LTSB 2022-06-14 14393.5192 KB5014702

LTSB 2022-05-19 14393.5127 KB5015019

LTSB 2022-05-10 14393.5125 KB5013952

LTSB 2022-04-12 14393.5066 KB5012596

LTSB 2022-03-08 14393.5006 KB5011495

LTSB 2022-02-08 14393.4946 KB5010359

LTSB 2022-01-17 14393.4889 KB5010790

LTSB 2022-01-11 14393.4886 KB5009546

LTSB 2022-01-05 14393.4827 KB5010195

LTSB 2021-12-14 14393.4825 KB5008207

LTSB 2021-11-14 14393.4771 KB5008601

LTSB 2021-11-09 14393.4770 KB5007192

LTSB 2021-10-12 14393.4704 KB5006669

LTSB 2021-09-14 14393.4651 KB5005573

LTSB 2021-08-10 14393.4583 KB5005043

LTSB 2021-07-29 14393.4532 KB5005393


LTSB 2021-07-13 14393.4530 KB5004238

LTSB 2021-07-07 14393.4470 KB5004948

LTSB 2021-06-08 14393.4467 KB5003638

LTSB 2021-05-11 14393.4402 KB5003197

LTSB 2021-04-13 14393.4350 KB5001347

LTSB 2021-03-18 14393.4288 KB5001633

LTSB 2021-03-09 14393.4283 KB5000803

LTSB 2021-02-09 14393.4225 KB4601318

LTSB 2021-01-12 14393.4169 KB4598243

LTSB 2020-12-08 14393.4104 KB4593226

LTSB 2020-11-19 14393.4048 KB4594441

LTSB 2020-11-10 14393.4046 KB4586830

LTSB 2020-10-13 14393.3986 KB4580346

LTSB 2020-09-08 14393.3930 KB4577015

LTSB 2020-08-11 14393.3866 KB4571694

LTSB 2020-07-14 14393.3808 KB4565511

LTSB 2020-06-18 14393.3755 KB4567517

LTSB 2020-06-09 14393.3750 KB4561616

LTSB 2020-05-12 14393.3686 KB4556813

LTSB 2020-04-21 14393.3659 KB4550947

LTSB 2020-04-14 14393.3630 KB4550929

LTSB 2020-03-17 14393.3595 KB4541329

LTSB 2020-03-10 14393.3564 KB4540670

LTSB 2020-02-25 14393.3542 KB4537806

LTSB 2020-02-11 14393.3504 KB4537764

LTSB 2020-01-23 14393.3474 KB4534307

LTSB 2020-01-14 14393.3443 KB4534271


LTSB 2019-12-10 14393.3384 KB4530689

LTSB 2019-11-12 14393.3326 KB4525236

LTSB 2019-10-15 14393.3300 KB4519979

LTSB 2019-10-08 14393.3274 KB4519998

LTSB 2019-10-03 14393.3243 KB4524152

LTSB 2019-09-24 14393.3242 KB4516061

LTSB 2019-09-23 14393.3206 KB4522010

LTSB 2019-09-10 14393.3204 KB4516044

LTSB 2019-08-17 14393.3181 KB4512495

LTSB 2019-08-13 14393.3144 KB4512517

LTSB 2019-07-16 14393.3115 KB4507459

LTSB 2019-07-09 14393.3085 KB4507460

LTSB 2019-06-27 14393.3056 KB4509475

LTSB 2019-06-18 14393.3053 KB4503294

LTSB 2019-06-11 14393.3025 KB4503267

LTSB 2019-05-23 14393.2999 KB4499177

LTSB 2019-05-19 14393.2972 KB4505052

LTSB 2019-05-14 14393.2969 KB4494440

LTSB 2019-04-25 14393.2941 KB4493473

LTSB 2019-04-25 14393.2908 KB4499418

LTSB 2019-04-09 14393.2906 KB4493470

LTSB 2019-03-19 14393.2879 KB4489889

LTSB 2019-03-12 14393.2848 KB4489882

LTSB 2019-02-19 14393.2828 KB4487006

LTSB 2019-02-12 14393.2791 KB4487026

LTSB 2019-01-17 14393.2759 KB4480977

LTSB 2019-01-08 14393.2724 KB4480961


LTSB 2018-12-19 14393.2670 KB4483229

LTSB 2018-12-11 14393.2665 KB4471321

LTSB 2018-12-03 14393.2641 KB4478877

LTSB 2018-11-27 14393.2639 KB4467684

LTSB 2018-11-13 14393.2608 KB4467691

LTSB 2018-10-18 14393.2580 KB4462928

LTSB 2018-10-09 14393.2551 KB4462917

LTSB 2018-09-20 14393.2515 KB4457127

LTSB 2018-09-11 14393.2485 KB4457131

LTSB 2018-08-30 14393.2457 KB4343884

LTSB 2018-08-14 14393.2430 KB4343887

LTSB 2018-07-30 14393.2396 KB4346877

LTSB 2018-07-24 14393.2395 KB4338822

LTSB 2018-07-16 14393.2368 KB4345418

LTSB 2018-07-10 14393.2363 KB4338814

LTSB 2018-06-21 14393.2339 KB4284833

LTSB 2018-06-12 14393.2312 KB4284880

LTSB 2018-05-17 14393.2273 KB4103720

LTSB 2018-05-08 14393.2248 KB4103723

LTSB 2018-04-17 14393.2214 KB4093120

LTSB 2018-04-10 14393.2189 KB4093119

LTSB 2018-03-29 14393.2156 KB4096309

LTSB 2018-03-22 14393.2155 KB4088889

LTSB 2018-03-13 14393.2125 KB4088787

LTSB 2018-02-22 14393.2097 KB4077525

LTSB 2018-02-13 14393.2068 KB4074590

LTSB 2018-01-17 14393.2035 KB4057142


LTSB 2018-01-03 14393.2007 KB4056890

LTSB 2017-12-12 14393.1944 KB4053579

LTSB 2017-11-27 14393.1914 KB4051033

LTSB 2017-11-14 14393.1884 KB4048953

LTSB 2017-11-02 14393.1797 KB4052231

LTSB 2017-10-17 14393.1794 KB4041688

LTSB 2017-10-10 14393.1770 KB4041691

LTSB 2017-09-28 14393.1737 KB4038801

LTSB 2017-09-12 14393.1715 KB4038782

LTSB 2017-08-28 14393.1670 KB4039396

LTSB 2017-08-16 14393.1613 KB4034661

LTSB 2017-08-08 14393.1593 KB4034658

LTSB 2017-08-07 14393.1537 KB4038220

LTSB 2017-07-18 14393.1532 KB4025334

LTSB 2017-07-11 14393.1480 KB4025339

LTSB 2017-06-27 14393.1378 KB4022723

LTSB 2017-06-13 14393.1358 KB4022715

LTSB 2017-05-09 14393.1198 KB4019472

LTSB 2017-04-11 14393.1066 KB4015217

LTSB 2017-03-20 14393.969 KB4015438

LTSB 2017-03-14 14393.953 KB4013429

LTSB 2017-01-10 14393.693 KB3213986

LTSB 2016-12-13 14393.576 KB3206632

LTSB 2016-12-09 14393.479 KB3201845

LTSB 2016-11-08 14393.447 KB3200970

LTSB 2016-10-27 14393.351 KB3197954

LTSB 2016-10-11 14393.321 KB3194798


LTSB 2016-09-29 14393.222 KB3194496

LTSB 2016-09-20 14393.187 KB3193494

LTSB 2016-09-13 14393.187 KB3189866

LTSB 2016-08-31 14393.105 KB3176938

LTSB 2016-08-23 14393.82 KB3176934

LTSB 2016-08-09 14393.51 KB3176495

LTSB 2016-08-02 14393.10 KB3176929


Extended Security Updates for Windows Server overview
Article • 08/04/2023

The Extended Security Update (ESU) program is a last resort option for customers who
need to run certain legacy Microsoft products past the end of support. Windows Server
Long Term Servicing Channel (LTSC) has a minimum of 10 years of support: five years for
mainstream support and five years for extended support, which includes regular security
updates.

However, once products reach the end of support, it also means the end of security
updates and bulletins. This scenario can cause security or compliance issues and put
business applications at risk. Microsoft recommends that you upgrade to the current
version of Windows Server for the most advanced security, performance, and
innovation.

Tip

You can find information on support dates on Microsoft Lifecycle.

The following versions of Windows Server have reached or are in the process of
reaching the end of extended support:

Extended support for Windows Server 2008 and Windows Server 2008 R2 ended on January 14, 2020.
Extended support for Windows Server 2012 and Windows Server 2012 R2 will be ending on October 10, 2023.

What are Extended Security Updates?


Extended Security Updates for Windows Server include security updates and bulletins
rated critical and important for a maximum period of time from the end of extended
support, depending on the version. They're available free of charge for servers hosted in
Azure, and available to purchase for servers not hosted in Azure. Extended Security
Updates don't include new features, customer-requested non-security hotfixes, or
design change requests. For more information, see Lifecycle FAQ - Extended Security
Updates.

With Extended Security Updates, the different phases for these versions of Windows
Server are as follows:

If you haven't already upgraded your servers, you can do the following things to protect
your applications and data during the transition:

Migrate the affected existing Windows Server workloads as-is to Azure Virtual
Machines (VM). Migrating to Azure automatically provides Extended Security
Updates for the defined period. There's no extra charge for Extended Security
Updates on top of an Azure VM's cost, and you don't need to do any other
configuration.

Purchase an Extended Security Update subscription for your servers and remain
protected until you're ready to upgrade to a newer Windows Server version. When
you have an Extended Security Update subscription, Microsoft provides updates
for the defined period. Once you purchase a subscription, you must get a product
key and install it on each applicable server. For more information, see How to get
Extended Security Updates.

When you get the Extended Security Updates depends on which version of Windows
Server you're using and where it's hosted. The following table lists the Extended Security
Update duration for each version of Windows Server.


Product version | Hosted | ESU duration | ESU end date
Windows Server 2008, Windows Server 2008 R2 | Azure* | Four years | January 9, 2024
Windows Server 2008, Windows Server 2008 R2 | Not in Azure | Three years | January 10, 2023
Windows Server 2012, Windows Server 2012 R2 | Azure* | Three years | October 13, 2026
Windows Server 2012, Windows Server 2012 R2 | Not in Azure | Three years | October 13, 2026

* Includes the Azure Stack portfolio of products that extend Azure services and
capabilities to your environment of choice.

Warning

After the period of Extended Security Updates ends, we'll stop providing updates.
We recommend you update your version of Windows Server to a more recent
version as soon as possible.

Migrate to Azure
You can migrate your on-premises servers that run a version of Windows Server that has
reached or is almost reaching the end of extended support to Azure, where you can
continue to run them as virtual machines. When you migrate to Azure, you not only stay
compliant with security updates, but also add cloud innovation to your work. The
benefits of migrating to Azure include:

Security updates in Azure.
Get Windows Server critical and important security updates for a certain period of time, included at no extra charge.
Upgrades in Azure free of charge.
Adopt more cloud services whenever you're ready.
By migrating SQL Server to Azure VMs, you get three more years of Windows Server critical security updates, included at no extra charge. You can also modernize your SQL Server to Azure SQL Managed Instance.
Benefit from Azure Hybrid Benefit, which lets you use existing Windows Server licenses and SQL Server licenses for cloud savings unique to Azure.

To get started migrating, learn how to upload a generalized VHD and use it to create
new VMs in Azure, or use Shared Image Galleries in Azure.

You can also read the Migration Guide for Windows Server for help with the following
things:

Analyze your existing IT resources.
Assess the current state of your deployment.
Understand whether moving certain services and applications to the cloud or keeping them on-premises and upgrading to the latest version of Windows Server instead is best for you.

Upgrade on-premises
If you need to keep your servers on-premises instead of migrating to Azure and the
cloud, you have two choices for how to proceed:

Build new servers with a supported version of Windows Server and migrate your applications and data.
Upgrade in-place to a supported version of Windows Server.

In-place upgrades can typically upgrade Windows Server through at least one version,
sometimes even two versions. For example, Windows Server 2012 R2 can upgrade in-
place to Windows Server 2019. However, if you're running Windows Server 2008 or
Windows Server 2008 R2, there's no direct upgrade path to Windows Server 2016 or
later. Instead, you must first upgrade to Windows Server 2012 R2, then upgrade to
Windows Server 2016 or Windows Server 2019.

As you upgrade, you can also migrate to Azure at any time. For more information about
your on-premises upgrade options, see supported upgrade paths for Windows Server.

Upgrade SQL Server in parallel with your Windows Servers
If you're running a version of SQL Server that reached or is reaching the end of
extended support, you can also benefit from Extended Security Updates for SQL Server.
For more information, see Extended Security Updates for SQL Server and Windows
Server.

Next steps
Learn how to get Extended Security Updates (ESU) for Windows Server.

Overview of Windows Server upgrades
Article • 04/12/2024

The process of upgrading to a newer version of Windows Server can vary greatly,
depending on which operating system you are starting with and the pathway you take.
We use the following terms to distinguish between different actions, any of which could
be involved in a new Windows Server deployment.

Upgrade. Also known as an "in-place upgrade". You move from an older version of
the operating system to a newer version, while staying on the same physical
hardware. This is the method we will be covering in this section.

Important

In-place upgrades might also be supported by public or private cloud
companies; however, you must check with your cloud provider for the details.
Additionally, you'll be unable to perform an in-place upgrade on any
Windows Server configured to Boot from VHD. An in-place upgrade from
Windows Storage Server Editions is not supported. You can perform either a
Migration or Installation instead.

Installation. Also known as a "clean installation". You move from an older version
of the operating system to a newer version, deleting the older operating system.

Migration. You move from an older version of the operating system to a newer
version of the operating system, by transferring to a different set of hardware or
virtual machine.

Cluster OS Rolling Upgrade. You upgrade the operating system of your cluster
nodes without stopping the Hyper-V or the Scale-Out File Server workloads. This
feature allows you to avoid downtime which could impact Service Level
Agreements. For more information, see Cluster OS Rolling Upgrade.

License conversion. Convert a particular edition of the release to another edition
of the same release in a single step with a simple command and the appropriate
license key. We call this "license conversion". For example, if your server is running
Standard edition, you can convert it to Datacenter.

Which version of Windows Server should I upgrade to?
We recommend upgrading to the latest version of Windows Server. Running the latest
version of Windows Server allows you to use the latest features – including the latest
security features – and delivers the best performance.

Tip

Beginning with Windows Server 2025 (preview), you can upgrade from an
older version of Windows Server, starting with Windows Server 2012 R2 and later.

With Windows Server 2022 and earlier, you can upgrade to a newer version of
Windows Server by up to two versions at a time. For example, Windows Server
2016 can be upgraded to Windows Server 2019 or Windows Server 2022. If
you are using the Cluster OS Rolling Upgrade feature, you can only upgrade one
version at a time.

In this table you can see the supported upgrade paths, based on the version you're
currently on.


Upgrade from / to | Windows Server 2012 R2 | Windows Server 2016 | Windows Server 2019 | Windows Server 2022 | Windows Server 2025 (preview)
Windows Server 2012 | Yes | Yes | - | - | -
Windows Server 2012 R2 | - | Yes | Yes | - | Yes
Windows Server 2016 | - | - | Yes | Yes | Yes
Windows Server 2019 | - | - | - | Yes | Yes
Windows Server 2022 | - | - | - | - | Yes
Windows Server 2025 (preview) | - | - | - | - | Yes

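
The supported-paths table can be turned into a route planner for servers that need more than one in-place upgrade. The following is an added example, not Microsoft's code: the function names are hypothetical, the 2008 and 2008 R2 entries come from the Extended Security Updates overview text rather than the table, and the planning cases at the end are constructed.

```powershell
# Releases in chronological order, used for the "one version at a time" rule.
$ReleaseOrder = @('2008', '2008 R2', '2012', '2012 R2', '2016', '2019', '2022', '2025 (preview)')

# Each key lists the releases marked "Yes" in its row of the upgrade table.
# 2008 and 2008 R2 are not in the table: the ESU overview text says they must
# first upgrade to 2012 R2. The 2025 (preview) self-entry is left out.
$UpgradeMatrix = @{
    '2008'           = @('2012 R2')
    '2008 R2'        = @('2012 R2')
    '2012'           = @('2012 R2', '2016')
    '2012 R2'        = @('2016', '2019', '2025 (preview)')
    '2016'           = @('2019', '2022', '2025 (preview)')
    '2019'           = @('2022', '2025 (preview)')
    '2022'           = @('2025 (preview)')
    '2025 (preview)' = @()
}

function Get-DirectTarget {
    param([string]$Release, [switch]$ClusterRolling)
    $targets = $UpgradeMatrix[$Release]
    if ($ClusterRolling) {
        # Cluster OS Rolling Upgrade: Windows Server 2012 R2 and later,
        # and only one version at a time.
        $index = [array]::IndexOf($ReleaseOrder, $Release)
        if ($index -lt [array]::IndexOf($ReleaseOrder, '2012 R2')) { return }
        $adjacent = $ReleaseOrder[$index + 1]
        $targets = $targets | Where-Object { $_ -eq $adjacent }
    }
    $targets
}

function Get-UpgradePath {
    param(
        [Parameter(Mandatory = $true)][string]$From,
        [Parameter(Mandatory = $true)][string]$To,
        [switch]$ClusterRolling
    )
    foreach ($name in $From, $To) {
        if ($ReleaseOrder -notcontains $name) { throw "Unknown release '$name'." }
    }

    # Breadth-first search: the first time $To is reached is a shortest route.
    $previous = @{}
    $previous[$From] = $null
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($From)
    while ($queue.Count -gt 0 -and -not $previous.ContainsKey($To)) {
        $current = $queue.Dequeue()
        foreach ($next in (Get-DirectTarget -Release $current -ClusterRolling:$ClusterRolling)) {
            if (-not $previous.ContainsKey($next)) {
                $previous[$next] = $current
                $queue.Enqueue($next)
            }
        }
    }

    if (-not $previous.ContainsKey($To)) {
        return [pscustomobject]@{
            From = $From; To = $To; ClusterRolling = [bool]$ClusterRolling
            Supported = $false; Upgrades = $null
            Route = 'no in-place route: migrate or do a clean installation'
        }
    }

    # Walk the predecessor links back from the target to rebuild the route.
    $route = New-Object 'System.Collections.Generic.List[string]'
    $node = $To
    while ($null -ne $node) {
        $route.Insert(0, $node)
        $node = $previous[$node]
    }
    [pscustomobject]@{
        From = $From; To = $To; ClusterRolling = [bool]$ClusterRolling
        Supported = $true; Upgrades = $route.Count - 1
        Route = $route -join ' -> '
    }
}

# Constructed planning questions (not data from the page).
$cases = @(
    @{ From = '2008 R2'; To = '2022' },
    @{ From = '2012';    To = '2019' },
    @{ From = '2016';    To = '2022'; ClusterRolling = $true },
    @{ From = '2012';    To = '2016'; ClusterRolling = $true }
)
$cases | ForEach-Object { Get-UpgradePath @_ } | Format-Table -AutoSize
```

Every intermediate hop is a full in-place upgrade, so a long route is a signal to weigh migration or a clean installation instead.
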
You can also upgrade from an evaluation version of the operating system to a retail
version, from an older retail version to a newer version, or, in some cases, from a
volume-licensed edition of the operating system to an ordinary retail edition. For more
information about upgrade options other than in-place upgrade, see Upgrade and
conversion options for Windows Server.

Important

Windows Server 2025 is in PREVIEW. This information relates to a prerelease
product that may be substantially modified before it's released. Microsoft
makes no warranties, expressed or implied, with respect to the information
provided here.

Support for Windows Server 2008 and Windows Server 2008 R2 has ended.
We recommend you update your version of Windows Server to a more recent
version as soon as possible. Learn more about Extended Security Updates
(ESU) as a last resort.

Next steps
Now that you're ready to upgrade Windows Server, here are some articles that might
help you get started:

Install, upgrade, or migrate to Windows Server
Upgrade and migrate roles and features in Windows Server
Upgrade and conversion options for Windows Server
Perform an in-place upgrade of Windows Server

Install, upgrade, or migrate to Windows Server
Article • 11/27/2023

Is it time to move to a newer version of Windows Server? Depending on what you're
running now, you have several options to get there.

Important

Extended support for Windows Server 2008 R2 and Windows Server 2008 ended in
January 2020. Extended Security Updates (ESU) are available, with one option to
migrate your on-premises servers to Azure, where you can continue to run them on
virtual machines. To find out more, see Extended Security Updates overview.

Tip

You can download and try Windows Server free of charge at Windows Server
Evaluations.

Clean install
A clean install, where you install a blank server or overwrite an existing operating system
(OS), is the simplest way to install Windows Server. However, before you can do a clean
install, you must back up your data and plan for how to reinstall your original
applications. You should also make sure your system meets the hardware requirements
for Windows Server.

In-place upgrade
In-place upgrades let you upgrade to a later version of Windows Server while keeping
your original settings, server roles, features, and data. You can upgrade between up to
two Server versions at a time. For more information, see Which version of Windows
Server should I upgrade to?. Keep in mind that some roles and features don't support
in-place upgrades. In-place upgrades work best with virtual machines (VMs) that don't
need specific Original Equipment Manufacturer (OEM) hardware drivers to upgrade
successfully.

For step-by-step instructions for how to perform an in-place upgrade, see Perform
an in-place upgrade.

For more information about how upgrades work, see the Windows Server upgrade
overview.

For more detailed guides for how to upgrade for different versions of Windows
Server, including information about which roles and features support in-place
upgrades, see Upgrade and migrate roles and features in Windows Server.

Cluster Operating System rolling upgrade


The Cluster operating system rolling upgrade gives an administrator the ability to
upgrade the operating system of the cluster nodes without stopping the Hyper-V or the
Scale-Out File Server workloads. For example, if nodes in your clusters are running an
earlier version of Windows Server, your admin can use a rolling upgrade to install a later
version on them without having to turn off the cluster, which would otherwise affect
Service Level Agreements. For more information, see Cluster OS rolling upgrade.

Migration
Migration is when you move roles or features from a source computer running Windows
Server to a destination computer that's also running Windows Server. This process is
gradual, moving one role or feature at a time, without upgrading them. You can migrate
your system components to a new machine that's either running the same version of
Windows Server as the source computer or a later version than the source computer.

License conversion
License conversion converts a particular edition of a specific version of Windows Server
to another edition of the same release. All you have to do is run a command and enter
the appropriate license key for the edition you want to convert to. For example, if your
server is running Windows Server Standard edition, you can convert it to Windows
Server Datacenter edition. However, when you convert your edition from Standard to
Datacenter, there's no way to reverse the process to return to Standard edition. In some
releases of Windows Server, you can also freely convert between original equipment
manufacturer (OEM), volume-licensed, and retail versions with the same command and
the appropriate license key.

Server Core vs Server with Desktop Experience install options
Article • 11/26/2021

When you install Windows Server using the setup wizard, you can choose between
Server Core or Server with Desktop Experience install options. With Server Core, the
standard graphical user interface (the Desktop Experience) is not installed; you manage
the server from the command line using PowerShell, the Server Configuration tool
(SConfig), or by remote methods. Server with Desktop Experience installs the standard
graphical user interface and all tools, including client experience features.

We recommend that you choose the Server Core install option unless you have a
particular need for the extra user interface elements and graphical management tools
that are included in the Server with Desktop Experience install option.

The setup wizard lists the install options below. In this list, editions without Desktop
Experience are the Server Core install options:

Windows Server Standard
Windows Server Standard with Desktop Experience
Windows Server Datacenter
Windows Server Datacenter with Desktop Experience

Note

Unlike some previous releases of Windows Server, you cannot convert between
Server Core and Server with Desktop Experience after installation. You will need to
do a clean installation if you later decide to use a different option.

Differences
There are some key differences between Server Core and Server with Desktop
Experience:


Component | Server Core | Server with Desktop Experience
User interface | Minimal, command line driven (PowerShell, SConfig, cmd) | Standard Windows graphical user interface
Disk space | Smaller requirement | Larger requirement
Install, configure, uninstall server roles locally | PowerShell | Server Manager or PowerShell
Roles and Features | Some roles and features are not available. For more information, see Roles, Role Services, and Features not in Windows Server - Server Core. Some of the features from Server with Desktop Experience for application compatibility can be installed with the App Compatibility Feature on Demand (FOD). | All roles and features are available, including those for application compatibility.
Remote management | Yes, can be managed remotely using GUI tools, such as Windows Admin Center, Remote Server Administration Tools (RSAT), or Server Manager, or by PowerShell. | Yes, can be managed remotely using GUI tools, such as Windows Admin Center, Remote Server Administration Tools (RSAT), or Server Manager, or by PowerShell.
Potential attack surface | Greatly reduced attack surface | No reduction
Microsoft Management Console | Not installed - can be installed with the App Compatibility Feature on Demand (FOD). | Installed

Note

For RSAT, you must use the version included with Windows 10 or later.

Upgrade and migrate roles and features in Windows Server
Article • 12/23/2021

You can update roles and features to later versions of Windows Server by migrating to a
new server. Many roles and features also support an in-place upgrade, where you install
the new version of Windows Server over the top of the current one. This article contains
links to migration guides as well as a table with migration and in-place upgrade
information to help you decide which method to use.

You can migrate many roles and features by using Windows Server Migration Tools, a
feature built in to Windows Server for migrating roles and features, whereas file servers
and storage can be migrated using Storage Migration Service.

The migration guides support migrations of specified roles and features from one server
to another (not in-place upgrades). Unless otherwise noted in the guides, migrations are
supported between physical and virtual computers, and between installation options of
Windows Server with either Server with Desktop Experience or Server Core.

Important

Before you begin migrating roles and features, verify that both source and
destination servers are running the most current updates that are available for their
operating systems.

Whenever you migrate or upgrade to any version of Windows Server, you should
review and understand the support lifecycle policy and time frame for that
version and plan accordingly. You can search for the lifecycle information for the
particular Windows Server release that you are interested in.

Windows Server Migration Tools


Windows Server Migration Tools enables you to migrate server roles, features, operating
system settings, and other data and shares to servers, including later versions of
Windows Server. It is a feature of Windows Server and so it is easily installed using the
Add Roles and Features wizard, or PowerShell. Learn more about how to install, use, and
remove Windows Server Migration Tools.

Note

Cross-subnet migrations using Windows Server Migration Tools are available with
Windows Server 2012 and later releases. Previous versions of Windows Server
Migration Tools only support migrations in the same subnet.

Migration guides
Below you can find links to migration guides for specific Windows Roles and Features.

Active Directory
Active Directory Certificate Services Migration Guide for Windows Server 2012 R2
Active Directory Certificate Services Migration Guide for Windows Server 2008 R2
Migrate Active Directory Federation Services Role Service to Windows Server 2012 R2
Migrate Active Directory Federation Services Role Services to Windows Server 2012
Active Directory Rights Management Services Migration and Upgrade Guide
Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012
Active Directory Domain Services and Domain Name System (DNS) Server Migration Guide for Windows Server 2008 R2

BranchCache
BranchCache Migration Guide

DHCP
Migrate DHCP Server to Windows Server 2012 R2
Dynamic Host Configuration Protocol (DHCP) Server Migration Guide for Windows Server 2008 R2

Failover Clustering
Migrate Cluster Roles to Windows Server 2012 R2
Migrate Clustered Services and Applications to Windows Server 2012

File and Storage Services


Storage Migration Service
Migrate File and Storage Services to Windows Server 2012 R2

Hyper-V
Migrate Hyper-V to Windows Server 2012 R2 from Windows Server 2012
Migrate Hyper-V to Windows Server 2012 from Windows Server 2008 R2

Network Policy Server


Migrate Network Policy Server to Windows Server 2012
Migrate Health Registration Authority to Windows Server 2012

Print and Document Services


Migrate Print and Document Services to Windows Server 2012

Remote Access
Migrate Remote Access to Windows Server 2012

Remote Desktop Services


Migrate Remote Desktop Services
Migrate Remote Desktop Services to Windows Server 2012 R2
Migrate MultiPoint Services

Routing and Remote Access


RRAS Migration Guide

Web Server (IIS)


Web Server (IIS)

Windows Server Update Services


Migrate Windows Server Update Services to Windows Server 2012 R2

Other Windows migration guides


Local User and Group Migration Guide
IP Configuration Migration Guide

Upgrade and migration matrix



Server Role | Upgradeable in-place? | Migration Supported? | Can migration be completed without downtime?
Active Directory Certificate Services | Yes | Yes | No
Active Directory Domain Services | Yes | Yes | Yes
Active Directory Federation Services | No | Yes | No (new nodes need to be added to the farm)
Active Directory Lightweight Directory Services | Yes | Yes | Yes
Active Directory Rights Management Services | Yes | Yes | No
DHCP Server | Yes | Yes | Yes
DNS Server | Yes | Yes | No
Failover Clustering | Yes with Cluster OS Rolling Upgrade process (Windows Server 2012 R2 and later) or when the server is removed by the cluster for upgrade and then added to a different cluster. | Yes | Yes for Failover Clusters with Hyper-V VMs or Failover Clusters running the Scale-out File Server role. See Cluster OS Rolling Upgrade (Windows Server 2012 R2 and later).
File and Storage Services | Yes | Varies by subfeature | No
Hyper-V | Yes with Cluster OS Rolling Upgrade process (Windows Server 2012 R2 and later) | Yes | Yes for Failover Clusters with Hyper-V VMs or Failover Clusters running the Scale-out File Server role. See Cluster OS Rolling Upgrade (Windows Server 2012 R2 and later).
Print and Fax Services | No | Yes (using Printbrm.exe) | No
Remote Desktop Services | Yes, for all subroles, but mixed mode farm is not supported | Yes | No
Web Server (IIS) | Yes | Yes | No
Windows Server Essentials Experience | Yes | Yes | No
Windows Server Update Services | Yes | Yes | No
Work Folders | Yes | Yes | Yes with Cluster OS Rolling Upgrade process (Windows Server 2012 R2 and later).

Upgrade and conversion options for Windows Server
Article • 09/19/2023

You can upgrade or convert installations of Windows Server to newer versions, different
editions, or switch between licensing options, such as evaluation, retail, and volume
licensed. This article helps explain what the options are to help with your planning.

The process of upgrading or converting installations of Windows Server might vary
greatly depending on which version and edition you have installed, how it's licensed,
and the pathway you take. We use different terms to distinguish between actions, any of
which could be involved in a deployment of Windows Server: clean install, in-place
upgrade, cluster operating system (OS) rolling upgrade, migration, and license
conversion. You can learn more about these terms at Install, upgrade, or migrate to
Windows Server.

Upgrade licensed versions of Windows Server


The following general guidelines are for in-place upgrade paths where Windows Server
is already licensed, that is, not evaluation:

Upgrades from 32-bit to 64-bit architectures aren't supported. All releases of Windows Server since Windows Server 2008 R2 are 64-bit only.
Upgrades from one language to another aren't supported.
If the server is an Active Directory domain controller, you can't convert it to a retail version. See Upgrade Domain Controllers to Windows Server for important information.
Upgrades from prerelease versions (previews) of Windows Server aren't supported. Perform a clean installation of Windows Server.
Upgrades that switch from a Server Core installation to a Server with Desktop Experience installation or vice versa aren't supported.
Upgrades from a previous Windows Server installation to an evaluation copy of Windows Server aren't supported. Evaluation versions should be installed as clean installations.
When you upgrade from a previous version to a new version, the default is to retain the existing operating system edition. For example, the default is to upgrade from Standard (previous version) to Standard (new version), from Datacenter (previous version) to Datacenter (new version), or from Datacenter: Azure Edition (previous version) to Datacenter: Azure Edition (new version).
Alternatively, you can change to certain other editions when upgrading. You can change from Standard to Datacenter or to Datacenter: Azure Edition, or change from Datacenter to Datacenter: Azure Edition. You can't change from Datacenter to Standard edition or from Datacenter: Azure Edition to either Standard or Datacenter editions when upgrading.

Note

If your server uses NIC Teaming, disable NIC Teaming prior to upgrade, and then
re-enable it after upgrade is complete. See NIC Teaming Overview for details.

Convert an evaluation version to a retail version
You can convert evaluation versions and editions of Windows Server to retail versions
and editions. For example, if you've installed the evaluation version of Standard
(Desktop Experience) edition, you can convert it to the retail version of either the
Standard (Desktop Experience) edition or the Datacenter (Desktop Experience) edition.

However, you can't convert all Windows Server evaluation versions and editions to all
retail versions or editions. For example, if you've installed the evaluation Datacenter
edition, you can convert it only to the retail Datacenter edition, not to the retail
Standard edition.

In Windows Server versions after 2016, if you've installed Desktop Experience evaluation
versions, you can't convert them to Core retail versions. If you install the Standard Core
evaluation version, you can convert it only to retail Datacenter Core, not to retail
Standard Core.

It's important to run the DISM /online /Get-TargetEditions command as instructed in
the following procedure to determine which retail versions you can upgrade to. If the
retail version you want isn't listed as a target version, you need to do a fresh install of
the retail version you want.

Note

To verify that your server is running an evaluation version, you can run either of the
following commands at an elevated command prompt:
Run DISM /online /Get-CurrentEdition and make sure the current edition
name includes Eval .
Run slmgr.vbs /dlv and make sure the output includes EVAL .

If you haven't already activated Windows, the bottom right-hand corner of the desktop
shows the time remaining in the evaluation period.

Windows Server Standard or Datacenter


If your server is running an evaluation version of Windows Server Standard or
Datacenter edition, you can convert it to an available retail version. Run the following
commands in an elevated command prompt or PowerShell session.

1. Determine the current edition name by running the following command. The
output is an abbreviated form of the edition name. For example, Windows Server
Datacenter (Desktop Experience) Evaluation edition is ServerDatacenterEval .

Windows Command Prompt

DISM /online /Get-CurrentEdition

2. Verify which editions the current installation can be converted to by running the
following command. From the output, make a note of the edition name you want
to upgrade to.

Windows Command Prompt

DISM /online /Get-TargetEditions

3. Run the following command to save the Microsoft Software License Terms for
Windows Server, which you can then review. Replace the <target edition>
placeholder with the edition name you noted from the previous step.

Windows Command Prompt

DISM /online /Set-Edition:<target edition> /GetEula:C:\license.rtf

4. Enter the new edition name and corresponding retail product key in the following
command. The upgrade process requires you to accept the Microsoft Software
License Terms for Windows Server that you saved previously.

Windows Command Prompt

DISM /online /Set-Edition:<target edition> /ProductKey:<product key> /AcceptEula

For example:

Windows Command Prompt

DISM /online /Set-Edition:ServerDatacenter /ProductKey:ABCDE-12345-ABCDE-12345-ABCDE /AcceptEula

Tip

For more information about Dism.exe, see DISM Command-line options.

Important

You can't convert an Active Directory domain controller from an evaluation to a
retail version. In this case, install an additional domain controller on a server that
runs a retail version, migrate any FSMO roles held, and remove Active Directory
Domain Services (AD DS) from the domain controller that runs on the evaluation
version. For more information, see Upgrade Domain Controllers to Windows
Server.
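
A pre-flight check for the conversion procedure above, added here as an example and not part of the original article: it confirms that the current edition is an evaluation edition, that the server isn't a domain controller, and that the edition you want appears in the target list before you run Set-Edition. The function names are hypothetical, and the parsing assumes English DISM output.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Function names are hypothetical.
# Assumes English DISM output: "Current Edition : <name>" / "Target Edition : <name>".

function Get-DismEditionValue {
    param(
        [string[]] $DismOutput,
        [ValidateSet('Current', 'Target')] [string] $Kind
    )
    # DISM prints one "<Kind> Edition : <name>" line per edition.
    $pattern = '^\s*' + $Kind + ' Edition\s*:\s*(\S+)\s*$'
    foreach ($line in $DismOutput) {
        if ($line -match $pattern) { $Matches[1] }
    }
}

function Test-EvalConversion {
    param([Parameter(Mandatory)] [string] $TargetEdition)

    $current = Get-DismEditionValue -DismOutput (& dism.exe /online /Get-CurrentEdition) -Kind Current
    $targets = @(Get-DismEditionValue -DismOutput (& dism.exe /online /Get-TargetEditions) -Kind Target)

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $domainRole -ge 4

    $problems = @()
    if ($current -notmatch 'Eval') {
        $problems += "Current edition '$current' is not an evaluation edition."
    }
    if ($isDc) {
        $problems += 'Server is a domain controller; evaluation-to-retail conversion is not possible.'
    }
    if ($targets -notcontains $TargetEdition) {
        $problems += "'$TargetEdition' is not a listed target edition; a fresh install is needed."
    }

    [pscustomobject]@{
        CurrentEdition     = $current
        TargetEditions     = $targets
        IsDomainController = $isDc
        CanConvert         = ($problems.Count -eq 0)
        Problems           = $problems
    }
}

# Example run: check whether this server can be converted to retail Datacenter.
$result = Test-EvalConversion -TargetEdition 'ServerDatacenter'
$result | Format-List
if ($result.CanConvert) {
    'Next: DISM /online /Set-Edition:ServerDatacenter /ProductKey:<product key> /AcceptEula'
}
```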

Windows Server Essentials


If the server is running Windows Server Essentials, you can convert it to the full retail
version by entering a retail, volume license, or OEM key in the following command at an
elevated command prompt:

Windows Command Prompt

slmgr.vbs /ipk <license key>

Convert Windows Server Standard edition to Datacenter edition
At any time after installing Windows Server, you can convert Windows Server Standard
edition to Datacenter edition. You can also run setup.exe from the installation media to
upgrade or repair the installation, sometimes called in-place repair. If you run setup.exe
to upgrade or repair in-place on any edition of Windows Server, the result is the same
edition you started with.

You can convert the Standard edition of Windows Server to the Datacenter edition as
follows:

1. Determine that Windows Server Standard is the current edition name by running
the following command. The output is an abbreviated form of the edition name,
for example Windows Server Standard (Desktop Experience) edition is
ServerStandard .

Windows Command Prompt

DISM /online /Get-CurrentEdition

2. Verify that Windows Server Datacenter is a valid option to convert to by running
the following command:

Windows Command Prompt

DISM /online /Get-TargetEditions

3. Enter ServerDatacenter and your retail product key in the following command:

Windows Command Prompt

DISM /online /Set-Edition:ServerDatacenter /ProductKey:<product key> /AcceptEula

Convert between retail, volume-licensed, and OEM licenses
At any time after installing Windows Server, you can freely convert between a retail
license, a volume-licensed license, or an OEM license. The edition (Standard or
Datacenter) remains the same during this conversion. If you're starting with an
evaluation version, convert it to the retail version first and then convert between the
versions by running the following command from an elevated command prompt.
Provide your volume-license, retail, or OEM product key.

Windows Command Prompt

slmgr.vbs /ipk <product key>

See also
For more information about upgrading Windows Server, see the following articles:

Overview of Windows Server upgrades
Server Core vs Server with Desktop Experience install options
Perform an in-place upgrade of Windows Server
In-place upgrade for VMs running Windows Server in Azure

Automatic Virtual Machine Activation in Windows Server
Article • 05/16/2024

Automatic Virtual Machine Activation (AVMA) acts as a proof-of-purchase mechanism,
helping to ensure that Windows products are used in accordance with the Product Use
Rights and Microsoft Software License Terms.

AVMA lets you activate Windows Server virtual machines (VM) on a Windows Server
Hyper-V host that is properly activated, even in disconnected environments. AVMA
binds the VM activation to the licensed virtualization host and activates the VM when it
starts up. When you use AVMA, you can get real-time reporting on usage and historical
data on the license state of the VM. Reporting and tracking data is available on the
virtualization host.

Practical applications
On virtualization hosts, AVMA offers several benefits.

Server data center managers can use AVMA to do the following tasks:

Activate VMs in remote locations.
Activate VMs with or without an internet connection.
Track VM usage and licenses from the virtualization host, without requiring any
access rights on the virtualized systems.

Service Provider License Agreement (SPLA) partners and other hosting providers don't
have to share product keys with tenants or access a tenant's VM to activate it. VM
activation is transparent to the tenant when AVMA is used. Hosting providers can use
the server logs to verify license compliance and to track client usage history.

System requirements
For a virtualization server host to run guest VMs, you must activate it. To do so, obtain
keys through the Volume Licensing Service Center or your OEM provider.

Note

In a failover cluster, each virtualization server host in the cluster must be activated
for guest VMs to stay activated, regardless of which server they run on.

AVMA requires a Windows Server Datacenter edition with the Hyper-V server host role
installed. The Windows Server version of the host determines which versions it can
activate in a guest VM. The following table lists the guest VM versions that each host
version is able to activate. A host version can access all the editions (Datacenter,
Standard, or Essentials) of its eligible guest VM versions.

| Server host version | Windows Server 2022 guest VM | Windows Server 2019 guest VM | Windows Server 2016 guest VM | Windows Server 2012 R2 guest VM |
|---|---|---|---|---|
| Windows Server 2022 | X | X | X | X |
| Windows Server 2019 | | X | X | X |
| Windows Server 2016 | | | X | X |
| Windows Server 2012 R2 | | | | X |

Note

AVMA does not work with other server virtualization technologies.

How to implement AVMA


To activate VMs with AVMA, you use a generic AVMA key (detailed in AVMA keys) that
corresponds to the version of Windows Server that you want to activate. To create a VM
and activate it with an AVMA key, follow these steps:

1. On the server that hosts the VMs, install and configure the Microsoft Hyper-V
Server role. Ensure that the server is successfully activated. For more information,
see Install Hyper-V Server.
2. Create a virtual machine and install a supported Windows Server operating system
on it.

Important

The Data Exchange integration service (also known as Key-Value Pair
Exchange) must be enabled in the VM settings for AVMA to work. It is enabled
by default for new VMs.

3. After installing Windows Server on the VM, install the AVMA key on the VM. From
PowerShell or an elevated command prompt, run the following command:

PowerShell

slmgr /ipk <AVMA_key>

The VM automatically activates, provided that the virtualization host itself is activated.

Tip

You can also add the AVMA keys in any Unattend setup file.

AVMA keys
Windows Server 2022

| Edition | Key |
|---|---|
| Datacenter | W3GNR-8DDXR-2TFRP-H8P33-DV9BG |
| Datacenter: Azure Edition | F7TB6-YKN8Y-FCC6R-KQ484-VMK3J |
| Standard | YDFWN-MJ9JR-3DYRK-FXXRW-78VHK |

Reporting and tracking


The Key-Value Pair (KVP) exchange between the virtualization host and the VM provides
real-time tracking data for the guest operating systems, including activation
information. This activation information is stored in the Windows registry of the VM.
Historical data about AVMA requests is logged in Event Viewer on the virtualization
host.

For more information about KVP, see Data Exchange: Using key-value pairs to share
information between the host and guest on Hyper-V.

Note

KVP data is not secured. It can be modified and is not monitored for changes.

Important

KVP data should be removed if the AVMA key is replaced with another product key
(retail, OEM, or volume licensing key).

Since the AVMA activation process is transparent, error messages aren't displayed.
However, AVMA requests are also logged on the virtualization host in Event Viewer in
the Application log with Event ID 12310, and on the VM with Event ID 12309. The
following events are captured on the VMs:

| Notification | Description |
|---|---|
| AVMA Success | The VM was activated. |
| Invalid Host | The virtualization host is unresponsive. This event can happen when the server isn't running a supported version of Windows. |
| Invalid Data | This event usually results from a failure in communication between the virtualization host and the VM, often caused by corruption, encryption, or data mismatch. |
| Activation Denied | The virtualization host couldn't activate the guest operating system because the AVMA ID didn't match. |
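
Because AVMA fails silently and KVP data isn't secured, the event logs and the host-side VM settings are the places to check. The following added example (not part of the original article) pulls the AVMA events named above and, on the host, reports whether the host is activated and whether Data Exchange is enabled for each VM. The function names are hypothetical, and the integration service name assumes an English-language host.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Event IDs 12309 (guest) and 12310 (host) and the Application log come from the text above.

function Get-AvmaEvent {
    # Run on the VM with -Role Guest, or on the virtualization host with -Role Host.
    param(
        [ValidateSet('Guest', 'Host')] [string] $Role = 'Guest',
        [int] $Days = 30
    )
    $id = if ($Role -eq 'Guest') { 12309 } else { 12310 }
    $filter = @{
        LogName   = 'Application'
        Id        = $id
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    # ProviderName is kept so unrelated events that share the ID can be told apart.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

function Get-AvmaHostReadiness {
    # Run on the Hyper-V host in an elevated session; needs the Hyper-V PowerShell module.
    # LicenseStatus 1 means the installed Windows product key is licensed (activated).
    $licensed = Get-CimInstance -ClassName SoftwareLicensingProduct `
            -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
        Where-Object { $_.LicenseStatus -eq 1 }
    $hostActivated = [bool]$licensed

    foreach ($vm in Get-VM) {
        # 'Key-Value Pair Exchange' is the English name of the Data Exchange service.
        $kvp = Get-VMIntegrationService -VM $vm |
            Where-Object { $_.Name -eq 'Key-Value Pair Exchange' }
        [pscustomobject]@{
            VMName              = $vm.Name
            State               = $vm.State
            HostActivated       = $hostActivated
            DataExchangeEnabled = [bool]$kvp.Enabled
        }
    }
}

# On the host: which VMs could fail AVMA, and what did the host log?
# Get-AvmaHostReadiness | Where-Object { -not $_.DataExchangeEnabled -or -not $_.HostActivated }
# Get-AvmaEvent -Role Host -Days 7

# On the guest:
Get-AvmaEvent -Role Guest -Days 7 | Format-List
```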

Key Management Services (KMS) activation planning
Article • 05/16/2024

The following information outlines initial planning considerations that you need to
review for Key Management Services (KMS) activation.

KMS uses a client-server model to activate clients and is used for volume activation. KMS
clients connect to a KMS server, called the KMS host, for activation. The KMS host must
reside on your local network.

KMS hosts don't need to be dedicated servers, and KMS can be cohosted with other
services. You can run a KMS host on any physical or virtual system that is running a
supported Windows Server or Windows client operating system. A KMS host running on
a Windows Server operating system can activate computers running both server and
client operating systems. However, a KMS host running on a Windows client operating
system can only activate computers also running client operating systems.

To use KMS, a KMS host needs a key that activates, or authenticates, the KMS host with
Microsoft. This key is sometimes referred to as the KMS host key, but it's formally known
as a Microsoft Customer Specific Volume License Key (CSVLK). You can get this key from
the Product Keys section of the Volume Licensing Service Center for the following
agreements: Open, Open Value, Select, Enterprise, and Services Provider License. You
can also get assistance by contacting your local Microsoft Activation Center.

Operational requirements
KMS can activate physical and virtual computers, but to qualify for KMS activation, a
network must have a minimum number of computers (called the activation threshold).
KMS clients activate only after this threshold is met. To ensure that the activation
threshold is met, a KMS host counts the number of computers that are requesting
activation on the network.

KMS hosts count the most recent connections. When a client or server contacts the KMS
host, the host adds the machine ID to its count and then returns the current count value
in its response. The client or server activates if the count is high enough. Clients activate
if the count is 25 or higher. Servers and volume editions of Microsoft Office products
activate if the count is five or greater. The KMS only counts unique connections from the
past 30 days, and only stores the 50 most recent contacts.

KMS activations are valid for 180 days, a period known as the activation validity interval.
KMS clients must renew their activation by connecting to the KMS host at least once
every 180 days to stay activated. By default, KMS client computers attempt to renew
their activation every seven days. After a client's activation is renewed, the activation
validity interval begins again.

A single KMS host can support an unlimited number of KMS clients. If you have more
than 50 clients, we recommend that you have at least two KMS hosts in case one of your
KMS hosts becomes unavailable. Most organizations can operate with as few as two
KMS hosts for their entire infrastructure.

After the first KMS host is activated, the CSVLK that is used on the first host can be used
to activate up to five more KMS hosts on your network for a total of six. After a KMS
host is activated, administrators can reactivate the same host up to nine times with the
same key.

If your organization needs more than six KMS hosts, you can request additional
activations for your organization's CSVLK. For example, you might have 10 physical
locations under one volume licensing agreement and want each location to have a local
KMS host. To request this exception, contact your local Microsoft Activation Center.

Computers that are running volume licensing editions of Windows Server and Windows
client are, by default, KMS clients with no extra configuration needed.

If you're converting a computer from a KMS host, MAK, or retail edition of Windows to a
KMS client, installing the applicable KMS client setup key is necessary. For more
information, see KMS client setup keys.

Network requirements
KMS activation requires TCP/IP connectivity. KMS hosts and clients are configured by
default to use Domain Name System (DNS). KMS hosts use DNS dynamic updates to
automatically publish the information that KMS clients need to find and connect to
them. You can accept these default settings, or if you have special network and security
configuration requirements, you can manually configure KMS hosts and clients.

By default, a KMS host is configured to use TCP on port 1688.
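
The following added example (not part of the original article) audits what KMS clients will discover: it lists the hosts published in DNS, flags any that aren't on your approved list or that use a port other than 1688, and tests TCP reachability. The function name, the approved-host list, and the sample domain are hypothetical; the `_vlmcs._tcp` SRV record name is the one KMS hosts publish and isn't stated in the text above.

```powershell
# Added example (not from the original article). Function name, domain, and approved list are hypothetical.

function Test-KmsDiscovery {
    param(
        [Parameter(Mandatory)] [string] $DnsDomain,
        [string[]] $ApprovedHosts = @()
    )

    # KMS hosts register SRV records named _vlmcs._tcp.<domain> through DNS dynamic update.
    # Only SRV records carry NameTarget, so this also drops any additional A/AAAA records.
    $records = Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.NameTarget }

    foreach ($record in $records) {
        $target = $record.NameTarget.TrimEnd('.')
        $tcp = Test-NetConnection -ComputerName $target -Port $record.Port `
            -WarningAction SilentlyContinue

        [pscustomobject]@{
            KmsHost      = $target
            Port         = $record.Port
            Priority     = $record.Priority
            Weight       = $record.Weight
            DefaultPort  = ($record.Port -eq 1688)             # default stated in the text above
            Approved     = ($ApprovedHosts -contains $target)  # case-insensitive comparison
            TcpReachable = $tcp.TcpTestSucceeded
        }
    }
}

# Example run against a constructed domain name and approved list.
Test-KmsDiscovery -DnsDomain 'corp.example.com' -ApprovedHosts 'kms01.corp.example.com', 'kms02.corp.example.com' |
    Sort-Object Approved, KmsHost |
    Format-Table -AutoSize
```

A published host that isn't on the approved list is worth investigating, because clients that use DNS discovery will send activation requests to it.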

Activation versions
The following table summarizes KMS host and client versions for networks that include
Windows Server and Windows client devices.

Important

Windows Updates might be required on the KMS server to support activation of
newer clients. If you receive activation errors, check that you have the appropriate
updates listed below this table.

Windows Server 2022

CSVLK group: Volume License for Windows Server 2022

CSVLK can be hosted on:
Windows Server 2022
Windows Server 2019
Windows Server 2016

Windows editions activated by this KMS host:
Windows Server 2022 (all editions)
Windows Server Semi-Annual Channel
Windows Server 2019 (all editions)
Windows Server 2016 (all editions)
Windows Server 2012 R2 (all editions)
Windows Server 2012 (all editions)
Windows Server 2008 R2 (all editions)
Windows Server 2008 (all editions)
Windows 11 Enterprise/Enterprise N
Windows 11 Professional/Professional N
Windows 11 Professional for Workstations/Professional N for Workstations
Windows 11 for Education/Education N
Windows 10 IoT Enterprise LTSC 2021
Windows 10 Enterprise LTSC/LTSC N/LTSB
Windows 10 Enterprise/Enterprise N
Windows 10 Professional/Professional N
Windows 10 Professional for Workstations/Professional N for Workstations
Windows 10 for Education/Education N
Windows 8.1 Enterprise
Windows 8.1 Professional
Windows 7 Enterprise
Windows 7 Professional

KMS host required updates


Depending on which operating system your KMS host is running and which operating
systems you want to activate, you might need to install one or more of the updates
below. This is required when you want to activate a version of Windows that is newer
than the version your KMS host is running.

Note

The updates listed below are the minimum required. Where later cumulative
updates or monthly rollups are listed as an option, please install the latest available
version for your operating system to benefit from additional security and other
fixes.

| KMS host OS version | KMS client OS version(s) to activate | Required update |
|---|---|---|
| Windows Server 2022 | Windows Server 2025 | February 13, 2024 - KB5034765 or later cumulative update |
| Windows Server 2019 | Windows Server 2025; Windows Server 2022 | February 13, 2024 - KB5034768 or later cumulative update; June 8, 2021 - KB5003646 or later cumulative update |
| Windows Server 2016 | Windows Server 2022; Windows Server 2019 | June 8, 2021 - KB5003638 or later cumulative update |
| Windows Server 2016 | Windows Server 2019 | December 3, 2018 - KB4478877 or later cumulative update |
| Windows Server 2012 R2 | Windows Server 2019; Windows Server 2016; Windows 10 | November 27, 2018 - KB4467695 (Preview of Monthly Rollup) or later monthly rollup |
| Windows Server 2012 R2 | Windows Server 2016; Windows 10 | July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2 or later monthly rollup |
| Windows Server 2012 | Windows Server 2016; Windows Server 2012 R2; Windows 10 | July 2016 update rollup for Windows Server 2012 or later monthly rollup |
| Windows Server 2008 R2 | Windows Server 2012 R2; Windows Server 2012; Windows 10 | Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10 |
| Windows 8.1 | Windows 10 | July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2 or later monthly rollup |
| Windows 7 | Windows 10 | Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10 |

Server Core App Compatibility Feature on Demand
Article • 03/16/2023

The Server Core App Compatibility Feature on Demand (FOD) is an optional feature
package that can be added to Server Core installations of Windows Server
at any time, beginning with Windows Server 2019.

For more information on other Features on Demand, see Features On Demand.

Why install the App Compatibility FOD?


The App Compatibility Feature on Demand for Server Core improves app compatibility
by including a subset of binaries and packages from the Server with Desktop Experience
installation option. This optional package is available on a separate ISO, or from
Windows Update, but can only be added to Server Core installations and images.

The two primary values the App Compatibility FOD provides are:

Increases the compatibility of Server Core for server applications already in market
or deployed.
Assists with providing OS components and increased app compatibility of software
tools used in acute troubleshooting and debugging scenarios.

Operating system components that are available as part of the Server Core App
Compatibility FOD include:

Microsoft Management Console (mmc.exe)

Event Viewer (Eventvwr.msc)

Performance Monitor (PerfMon.exe)

Resource Monitor (Resmon.exe)

Device Manager (Devmgmt.msc)

File Explorer (Explorer.exe)

Windows PowerShell (Powershell_ISE.exe)

Disk Management (Diskmgmt.msc)


Failover Cluster Manager (CluAdmin.msc)

Note

Failover Cluster Manager requires adding the Failover Clustering Windows
Server feature first, which can be done by running the following command
from an elevated PowerShell session:

PowerShell

Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools

Beginning with Windows Server 2022, the following components are also available
(when using the same version of the App Compatibility FOD):

Hyper-V Manager (virtmgmt.msc)

Task Scheduler (taskschd.msc)

Installing the App Compatibility Feature on Demand

Important

The App Compatibility FOD can only be installed on Server Core. Don't
attempt to add the Server Core App Compatibility FOD to the Server with
Desktop Experience installation option.
For servers running Windows Server 2022, ensure you have installed the
2022-01 Cumulative Update Preview for Microsoft server operating system
version 21H2 for x64-based Systems (KB5009608) or later cumulative
update before you install the App Compatibility FOD. You can verify this by
checking that the operating system build number is 20348.502 or greater.
Prior to this, if you tried to connect to the server using Remote Desktop
Protocol (RDP), you could be presented with a black screen and disconnected.
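
The two conditions in the note above can be checked before installing. This added example (not part of the original article) reads the installation type and build from the registry and reports the current state of the capability. The function name is hypothetical; build 17763 as the Windows Server 2019 build number is an added fact, not taken from the text.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Function name is hypothetical.

function Test-AppCompatFodPrereq {
    $capabilityName = 'ServerCore.AppCompatibility~~~~0.0.1.0'
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $build = [int]$cv.CurrentBuildNumber   # for example 20348
    $ubr   = [int]$cv.UBR                  # update build revision, for example 502

    # The FOD can only be added to Server Core, never to Server with Desktop Experience.
    $isServerCore = $cv.InstallationType -eq 'Server Core'

    # The FOD is available beginning with Windows Server 2019 (build 17763).
    $versionOk = $build -ge 17763

    # Windows Server 2022 (build 20348) needs 20348.502 or later (KB5009608) first.
    $updateOk = ($build -ne 20348) -or ($ubr -ge 502)

    $capability = Get-WindowsCapability -Online -Name $capabilityName

    [pscustomobject]@{
        OsBuild          = "$build.$ubr"
        InstallationType = $cv.InstallationType
        IsServerCore     = $isServerCore
        VersionSupported = $versionOk
        UpdateLevelOk    = $updateOk
        CapabilityState  = $capability.State   # NotPresent, Staged, or Installed
        ReadyToInstall   = ($isServerCore -and $versionOk -and $updateOk -and
                            $capability.State -ne 'Installed')
    }
}

Test-AppCompatFodPrereq | Format-List
```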

Connected to the internet


1. If the server can connect to Windows Update, run the following command from an
elevated PowerShell session, then restart Windows Server after the command
finishes running:

PowerShell

Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0

Disconnected from the internet


1. If the server can't connect to Windows Update, instead download the Windows
Server Languages and Optional Features ISO image file, and copy the ISO to a
shared folder on your local network:

If you have a volume license, you can download the Windows Server
Languages and Optional Features ISO image file from the same portal where
the operating system ISO image file is obtained: Volume Licensing Service
Center.
The Windows Server Languages and Optional Features ISO image file is also
available on the Microsoft Evaluation Center or on the Visual Studio
portal for subscribers.

Note

The Languages and Optional Features ISO image file is new for Windows
Server 2022. Previous versions of Windows Server use the Features on
Demand (FOD) ISO.

2. Sign in with an administrator account on the Server Core computer that is
connected to your local network and that you want to add the App Compatibility
FOD to.

Mount the FOD ISO


1. Use New-PSDrive from PowerShell, net use from Command Prompt, or some other
method, to connect to the location of the FOD ISO. For example, in an elevated
PowerShell session run the following command:

PowerShell

$credential = Get-Credential
New-PSDrive -Name FODShare -PSProvider FileSystem -Root "\\server\share" -Credential $credential

2. Copy the FOD ISO to a local folder of your choosing (the copy operation may take
some time). Edit the following variables with your folder location and ISO filename,
and run the following commands, for example:

PowerShell

$isoFolder = "C:\SetupFiles\WindowsServer\ISOs"
$fodIsoFilename = "FOD_ISO_filename.iso"

New-Item -ItemType Directory -Path $isoFolder
Copy-Item -Path "FODShare:\$fodIsoFilename" -Destination $isoFolder -Verbose

3. Mount the FOD ISO by using the following command:

PowerShell

$fodIso = Mount-DiskImage -ImagePath "$isoFolder\$fodIsoFilename"

4. Run the following command to get the drive letter that the FOD ISO has been
mounted to:

PowerShell

$fodDriveLetter = ($fodIso | Get-Volume).DriveLetter

5. Run the following command (depending on the operating system version):

For Windows Server 2022:

PowerShell

Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0 -Source ${fodDriveLetter}:\LanguagesAndOptionalFeatures\ -LimitAccess

For previous versions of Windows Server:

PowerShell

Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0 -Source ${fodDriveLetter}:\ -LimitAccess

6. After the progress bar completes, restart the operating system.

Optionally add Internet Explorer 11 to Server Core

Note

The Server Core App Compatibility FOD is required for the addition of Internet
Explorer 11, but Internet Explorer 11 is not required to add the Server Core App
Compatibility FOD.

Note

Starting with Windows Server 2022, although Internet Explorer 11 can be added to
Server Core installations of Windows Server, Microsoft Edge should be used
instead. Microsoft Edge has Internet Explorer mode ("IE mode") built in, so you can
access legacy Internet Explorer-based websites and applications straight from
Microsoft Edge. Please see here for information on the lifecycle policy for Internet
Explorer.

1. Sign in as Administrator on the Server Core computer that already has the App
Compatibility FOD added and the FOD optional package ISO copied locally.

2. Mount the FOD ISO by using the following command. This step assumes that
you've already copied the FOD ISO locally. If not, complete steps 1 and 2 from
Mount the FOD ISO. The commands follow on from these two steps. Edit the
variables with your folder location and ISO filename, and run the following
commands, for example:

PowerShell

$isoFolder = "C:\SetupFiles\WindowsServer\ISOs"
$fodIsoFilename = "FOD_ISO_filename.iso"

$fodIso = Mount-DiskImage -ImagePath "$isoFolder\$fodIsoFilename"


3. Run the following command to get the drive letter that the FOD ISO has been
mounted to:

PowerShell

$fodDriveLetter = ($fodIso | Get-Volume).DriveLetter

4. Run the following commands (depending on your operating system version), using
the $packagePath variable as the path to the Internet Explorer .cab file:

For Windows Server 2022:

PowerShell

$packagePath = "${fodDriveLetter}:\LanguagesAndOptionalFeatures\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~.cab"

Add-WindowsPackage -Online -PackagePath $packagePath

For previous versions of Windows Server:

PowerShell

$packagePath = "${fodDriveLetter}:\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~.cab"

Add-WindowsPackage -Online -PackagePath $packagePath

5. After the progress bar completes, restart the operating system.

Release notes and suggestions

Important

Packages installed using FoD won't remain in place after an in-place upgrade
to a newer Windows Server version. You will have to install them again after
the upgrade.
Alternatively, you can add FoD packages to your upgrade media. Adding
packages to your upgrade media ensures that the new version of any FoD
package is present after the upgrade completes. For more info, see the
Adding capabilities and optional packages to an offline WIM Server Core
image section.

After installation of the App Compatibility FOD and reboot of the server, the
command console window frame color will change to a different shade of blue.

If you choose to also install the Internet Explorer 11 optional package, double-
clicking to open locally saved .htm files isn't supported. However, you can right-
click and choose Open with Internet Explorer, or you can open it directly from
Internet Explorer File -> Open.

To further enhance the app compatibility of Server Core with the App Compatibility
FOD, the IIS Management Console has been added to Server Core as an optional
component. However, it's necessary to first add the App Compatibility FOD to use
the IIS Management Console. IIS Management Console relies on the Microsoft
Management Console (mmc.exe), which is only available on Server Core with the
addition of the App Compatibility FOD. Use the PowerShell cmdlet
Install-WindowsFeature to add IIS Management Console:

PowerShell

Install-WindowsFeature -Name Web-Mgmt-Console

As a general point of guidance, when installing applications on Server Core (with
or without these optional packages) it's sometimes necessary to use silent install
options and instructions.

Adding to an offline WIM Server Core image


1. Download both the Languages and Optional Features ISO and the Windows Server
ISO image files to a local folder on a Windows computer. You can complete these
steps on a Windows desktop PC; it doesn't need to be running Windows Server
with the Server Core installation option.

If you have a volume license, you can download the Windows Server
Languages and Optional Features ISO image file from the same portal where
the operating system ISO image file is obtained: Volume Licensing Service
Center.
The Windows Server Languages and Optional Features ISO image file is also
available on the Microsoft Evaluation Center or on the Visual Studio
portal for subscribers.

Note

The Languages and Optional Features ISO image file is new for Windows
Server 2022. Previous versions of Windows Server use the Features on
Demand (FOD) ISO.

2. Mount both the Languages and Optional Features ISO and the Windows Server
ISO by running the following commands in an elevated PowerShell session. Edit
the variables with your folder location and ISO filename, and run the following
commands, for example:

PowerShell

$isoFolder = "C:\SetupFiles\WindowsServer\ISOs"
$fodIsoFilename = "FOD_ISO_filename.iso"
$wsIsoFilename = "Windows_Server_ISO_filename.iso"

$fodIso = Mount-DiskImage -ImagePath "$isoFolder\$fodIsoFilename"
$wsIso = Mount-DiskImage -ImagePath "$isoFolder\$wsIsoFilename"

3. Run the following command to get the drive letters that the FOD ISO and
Windows Server ISO have been mounted to:

PowerShell

$fodDriveLetter = ($fodIso | Get-Volume).DriveLetter
$wsDriveLetter = ($wsIso | Get-Volume).DriveLetter

4. Copy the contents of the Windows Server ISO file to a local folder, for example,
C:\SetupFiles\WindowsServer\Files. The copy operation may take some time:

PowerShell

$wsFiles = "C:\SetupFiles\WindowsServer\Files"
New-Item -ItemType Directory -Path $wsFiles

Copy-Item -Path ${wsDriveLetter}:\* -Destination $wsFiles -Recurse

5. Get the image name you want to modify within the install.wim file by using the
following command. Add your path to the install.wim file to the $installWimPath
variable, located inside the sources folder of the Windows Server ISO file. Note the
names of the images available in this install.wim file from the output.

PowerShell

$installWimPath = "C:\SetupFiles\WindowsServer\Files\sources\install.wim"

Get-WindowsImage -ImagePath $installWimPath

6. Mount the install.wim file in a new folder by using the following command
replacing the sample variable values with your own, and reusing the
$installWimPath variable from the previous command.

$wimImageName - Enter the name of the image you want to mount from the
output of the previous command. The example here uses Windows Server
2022 Datacenter.
$wimMountFolder - Specify an empty folder to use when accessing the
contents of the install.wim file.

PowerShell

$wimImageName = "Windows Server 2022 Datacenter"
$wimMountFolder = "C:\SetupFiles\WindowsServer\WIM"

New-Item -ItemType Directory -Path $wimMountFolder
Set-ItemProperty -Path $installWimPath -Name IsReadOnly -Value $false
Mount-WindowsImage -ImagePath $installWimPath -Name $wimImageName -Path $wimMountFolder

7. Add the capabilities and packages you want to the mounted install.wim image by
using the following commands (depending on the version), replacing the sample
variable values with your own.

$capabilityName - Specify the name of the capability to install (in this case,
the AppCompatibility capability).
$packagePath - Specify the path to the package to install (in this case, to the
Internet Explorer cab file).

For Windows Server 2022:

PowerShell

$capabilityName = "ServerCore.AppCompatibility~~~~0.0.1.0"
$packagePath = "${fodDriveLetter}:\LanguagesAndOptionalFeatures\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~.cab"

Add-WindowsCapability -Path $wimMountFolder -Name $capabilityName -Source "${fodDriveLetter}:\LanguagesAndOptionalFeatures" -LimitAccess
Add-WindowsPackage -Path $wimMountFolder -PackagePath $packagePath

For previous versions of Windows Server:

PowerShell

$capabilityName = "ServerCore.AppCompatibility~~~~0.0.1.0"
$packagePath = "${fodDriveLetter}:\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~.cab"

Add-WindowsCapability -Path $wimMountFolder -Name $capabilityName -Source "${fodDriveLetter}:\" -LimitAccess
Add-WindowsPackage -Path $wimMountFolder -PackagePath $packagePath

8. Dismount and commit changes to the install.wim file by using the following
command, which uses the $wimMountFolder variable from previous commands:

PowerShell

Dismount-WindowsImage -Path $wimMountFolder -Save

You can now upgrade your server by running setup.exe from the folder you created for
the Windows Server installation files, in this example:
C:\SetupFiles\WindowsServer\Files. This folder now contains the Windows Server
installation files with the extra capabilities and optional packages included.
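
A check that can be run in place of step 8, before the changes are committed (an added example, not part of the original article): it confirms that the capability and the package are present in the mounted image, saves the image only if both are, and discards the mount otherwise. It reuses $installWimPath, $wimMountFolder and $capabilityName from the earlier steps; the package-name pattern is an assumption derived from the cab file name used in step 7.

```powershell
# Added example. Reuses $installWimPath, $wimMountFolder and $capabilityName from steps 5-7.
# Assumption: the package name inside the image begins with the cab file's base name.
$packagePattern = 'Microsoft-Windows-InternetExplorer-Optional-Package*'
# Offline servicing can leave an item InstallPending until the image first boots.
$acceptedStates = 'Installed', 'InstallPending'

try {
    # Query the mounted (offline) image, not the running OS.
    $capability = Get-WindowsCapability -Path $wimMountFolder -Name $capabilityName -ErrorAction Stop
    if ("$($capability.State)" -notin $acceptedStates) {
        throw "Capability $capabilityName is in state '$($capability.State)'."
    }

    $packages = @(Get-WindowsPackage -Path $wimMountFolder -ErrorAction Stop |
        Where-Object {
            $_.PackageName -like $packagePattern -and "$($_.PackageState)" -in $acceptedStates
        })
    if ($packages.Count -eq 0) {
        throw "No package matching $packagePattern is installed in the image."
    }

    # Both additions are present: commit the changes to install.wim.
    Dismount-WindowsImage -Path $wimMountFolder -Save -ErrorAction Stop
}
catch {
    Write-Warning "Image verification failed: $($_.Exception.Message)"
    # Leave install.wim unchanged rather than committing a partially serviced image.
    Dismount-WindowsImage -Path $wimMountFolder -Discard
    throw
}

# Reached only after a successful save: record the hash of the modified image so
# later copies of the installation media can be compared against it.
Get-FileHash -Path $installWimPath -Algorithm SHA256 | Format-List Path, Hash
```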

Windows Server 2022 and Microsoft server applications compatibility
Article • 02/08/2023

This table lists Microsoft server applications that support installation and functionality
on Windows Server 2022. This information is for quick reference and isn't intended to
replace the individual product specifications, requirements, announcements, or general
communications of each individual server application. Refer to official documentation
for each product to fully understand compatibility and options.

Tip

If you are a software vendor partner looking for more information on Windows
Server compatibility with non-Microsoft applications, visit the Commercial App
Certification portal.

| Product | Supported on Server Core | Supported on Server with Desktop Experience | Released | Product Web Link |
|---|---|---|---|---|
| Azure DevOps Server 2020.1 | Yes* | Yes | Yes | Azure DevOps Server 2020.1 release notes |
| Configuration Manager (version 2107) | Yes as a managed client and distribution point. No as a site server. | Yes as a site server/site systems and a managed client. | Yes | Support for Windows Server 2022 |
| Exchange Server 2019 CU12 and later | Yes | Yes | Yes | Exchange Server supportability matrix |
| Host Integration Server 2020 | Yes | Yes | Yes | HIS 2020 - What's New, Release Notes, System Requirements, and Installation |
| Microsoft 365 Apps | No | Yes | Yes | Windows and Office configuration support matrix |
| Office Online Server | No | Yes | Yes | Plan Office Online Server |
| Project Server 2019 | No | Yes | Yes | Software requirements for Project Server 2019 - Project Server |
| Project Server Subscription Edition | Yes | Yes | Yes | Software requirements for Project Server Subscription Edition |
| SharePoint Server 2019 | No | Yes | Yes | Hardware and software requirements for SharePoint Server 2019 |
| SharePoint Server Subscription Edition | Yes | Yes | Yes | System requirements for SharePoint Server Subscription edition |
| SQL Server 2017 | Yes* | Yes | Yes | Hardware and Software Requirements for Installing SQL Server 2017 |
| SQL Server 2019 | Yes* | Yes | Yes | Hardware and Software Requirements for Installing SQL Server 2019 |
| System Center Data Protection Manager 2019 | Yes as a backup workload. No as a DPM server. | Yes as a backup workload. No as a DPM server. | Yes | Preparing your environment for System Center Data Protection Manager |
| System Center Data Protection Manager 2022 | Yes* | Yes | Yes | Preparing your environment for System Center Data Protection Manager |
| System Center Operations Manager 2019 | Yes as an agent. No as a Management Server** | Yes as an agent. No as a Management Server**. | Yes | System requirements for System Center Operations Manager |
| System Center Operations Manager 2022 | Yes* | Yes | Yes | System requirements for System Center Operations Manager |
| System Center Virtual Machine Manager 2022 | Yes* | Yes | Yes | System requirements for System Center Virtual Machine Manager |

* May have limitations or may require the Server Core App Compatibility Feature on
Demand (FOD). For more information, see specific product or Feature on Demand
documentation.

** Refer to Product Web Link


Windows Server 2019 and Microsoft server applications compatibility
Article • 12/23/2021

This table lists Microsoft server applications that support installation and functionality
on Windows Server 2019. This information is for quick reference and is not intended to
replace the individual product specifications, requirements, announcements, or general
communications of each individual server application. Refer to official documentation
for each product to fully understand compatibility and options.

Tip

If you are a software vendor partner looking for more information on Windows
Server compatibility with non-Microsoft applications, visit the Commercial App
Certification portal.

| Product | Supported on Server Core | Supported on Server with Desktop Experience | Released | Product Web Link |
|---|---|---|---|---|
| Azure DevOps Server 2019 | Yes* | Yes | Yes | Azure DevOps Server 2019 |
| Azure DevOps Server 2020 | Yes* | Yes | Yes | Azure DevOps Server 2020 |
| Configuration Manager (version 1806) | Yes as managed client, No as site server | Yes as managed client, No as site server | Yes | What's new in version 1806 of Configuration Manager current branch |
| Exchange Server 2019 | Yes | Yes | Yes | Exchange Server system requirements |
| Host Integration Server 2016, CU3 | Yes | Yes | Yes | Host Integration Server system requirements |
| Office Online Server | No | Yes | Yes | Plan Office Online Server |
| Project Server 2016 | No | Yes | Yes | Software requirements for Project Server 2016 |
| Project Server 2019 | No | Yes | Yes | Software requirements for Project Server 2019 |
| Project Server Subscription Edition | Yes | Yes | Yes | Software requirements for Project Server Subscription Edition |
| SharePoint Server 2016 | No | Yes | Yes | Hardware and software requirements for SharePoint Server 2016 |
| SharePoint Server 2019 | No | Yes | Yes | Hardware and software requirements for SharePoint Server 2019 |
| SharePoint Server Subscription Edition | Yes | Yes | Yes | System requirements for SharePoint Server Subscription edition |
| Skype for Business 2019 | No | Yes | Yes | Install prerequisites for Skype for Business Server |
| SQL Server 2014 | Yes* | Yes | Yes | Hardware and Software Requirements for Installing SQL Server 2014 |
| SQL Server 2016 | Yes* | Yes | Yes | Hardware and Software Requirements for Installing SQL Server 2016 |
| SQL Server 2017 | Yes* | Yes | Yes | Hardware and Software Requirements for Installing SQL Server 2017 |
| SQL Server 2019 | Yes* | Yes | Yes | Hardware and Software Requirements for Installing SQL Server 2019 |
| System Center Data Protection Manager 2019 | No | Yes | Yes | Preparing your environment for System Center Data Protection Manager |
| System Center Operations Manager 2019 | Yes* | Yes | Yes | System requirements for System Center Operations Manager |
| System Center Virtual Machine Manager 2019 | Yes* | Yes | Yes | System requirements for System Center Virtual Machine Manager |

*May have limitations or may require the Server Core App Compatibility Feature on
Demand (FOD). Please refer to specific product or FOD documentation.

Windows Server 2016 and Microsoft server applications compatibility
Article • 12/23/2021

This table lists Microsoft server applications that support installation and functionality
on Windows Server 2016. This information is for quick reference and is not intended to
replace the individual product specifications, requirements, announcements, or general
communications of each individual server application. Refer to official documentation
for each product to fully understand compatibility and options.

Tip

If you are a software vendor partner looking for more information on Windows
Server compatibility with non-Microsoft applications, visit the Commercial App
Certification portal.

| Product | Released | Product Web Link |
|---|---|---|
| BizTalk Server 2016 | Yes | Microsoft BizTalk Server |
| Configuration Manager (version 1606) | Yes | What's new in version 1606 of Configuration Manager |
| Exchange Server 2016 | Yes | Updates for Exchange 2016 |
| Host Integration Server 2016 | Yes | What's New in HIS 2016 |
| Office Online Server | Yes | Plan Office Online Server |
| Project Server 2016 | Yes | Software requirements for Project Server 2016 |
| Project Server 2019 | Yes | Software requirements for Project Server 2019 |
| SharePoint Server 2016 | Yes | Hardware and software requirements for SharePoint Server 2016 |
| SharePoint Server 2019 | Yes | Hardware and software requirements for SharePoint Server 2019 |
| Skype for Business Server 2015 | Yes | How to install Skype for Business Server 2015 on Windows Server 2016 |
| SQL Server 2012 | Yes | Hardware and Software Requirements for Installing SQL Server 2012 |
| SQL Server 2014 | Yes | Hardware and Software Requirements for Installing SQL Server 2014 |
| SQL Server 2016 | Yes | SQL Server 2016 |
| System Center Virtual Machine Manager 2016 | Yes | What's New in System Center |
| System Center Operations Manager 2016 | Yes | What's New in System Center |
| System Center Data Protection Manager 2016 | Yes | What's New in System Center |
| Visual Studio Team Foundation Server 2017 | Yes | Team Foundation Server 2017 |

Azure Hybrid Benefit for Windows Server
Article • 01/26/2024

Azure Hybrid Benefit enables commercial customers to use their qualifying on-premises
licenses to get Windows virtual machines (VMs) on Azure at a reduced cost. This article
focuses on the benefits of using qualifying Windows Server licenses to get cost savings
for Windows Server VMs in Azure, Azure Stack HCI, and Azure Kubernetes Service (AKS)
hybrid deployments.

For other Azure hybrid benefits (for example, Microsoft SQL Server), see Azure Hybrid
Benefit.

What qualifies you for Azure Hybrid Benefit?


To qualify for Azure Hybrid Benefit for Windows Server, you need on-premises core
licenses for Windows Server from an applicable program with active Software Assurance
or qualifying subscription licenses. Software Assurance and qualifying subscription
licenses are only available as part of certain commercial licensing agreements. To learn
more about commercial licensing, see Microsoft Licensing Resources. To learn more
about Windows Server core licenses, see Windows Server product licensing.

Important

Workloads using Azure Hybrid Benefit can run only during the Software
Assurance or subscription license term. When the Software Assurance or
subscription license term approaches expiration, you must either renew your
agreement with either Software Assurance or a subscription license, disable
the hybrid benefit functionality, or deprovision those workloads that are using
Azure Hybrid Benefit.

The Microsoft Product Terms for your program take precedence over this
article. For more information, see Microsoft Azure Product Terms and
select your program to show the terms.

What's included in Azure Hybrid Benefit?


Customers with Windows Server licensed by an applicable program with active Software
Assurance or qualifying subscription licenses can use Azure Hybrid Benefit to further
reduce costs in the cloud and in datacenter and edge locations.

Azure Hybrid Benefit includes the following cost savings:

Windows Server VMs on Azure: The license for Windows Server is covered by
Azure Hybrid Benefit, so you only need to pay for the base compute rate of the
VM. The base compute rate is equal to the Linux rate for VMs.

Azure Stack HCI: The Azure Stack HCI host fee and Windows Server subscription
fee are waived with Azure Hybrid Benefit. That is, unlimited virtualization rights are
provided at no extra cost. You still pay other costs associated with Azure Stack HCI
(for example, customer-managed hardware, Azure services, and workloads).

AKS: Run AKS on Windows Server and Azure Stack HCI at no extra cost. You still
pay for the underlying host infrastructure and any licenses for Windows containers
unless you're also eligible for Azure Hybrid Benefit for Azure Stack HCI. With Azure
Hybrid Benefit for Azure Stack HCI, you can waive fees for the Azure Stack HCI host
and Windows Server subscription.

Pricing for Azure Hybrid Benefit


To evaluate your potential cost savings, you can use these resources:

Windows VMs on Azure: Windows Virtual Machine Pricing. Use the Azure
Hybrid Benefit Savings Calculator to estimate cost savings, or compare Windows
VM pricing with and without Azure Hybrid Benefit.

Azure Stack HCI: Azure Stack HCI pricing.

Azure Kubernetes Service (AKS): AKS on Azure Stack HCI pricing.

Getting Azure Hybrid Benefit


Select the tab for your scenario.

Azure

Follow the guidance in this section to get and maintain Azure Hybrid Benefit for
your Windows VMs in Azure.

Licensing prerequisites
To qualify for Azure Hybrid Benefit for Windows VMs in Azure, you must meet the
following licensing prerequisites.

Types of license
Windows Server Standard with active Software Assurance or subscription.
Windows Server Datacenter with active Software Assurance or subscription.

Number of licenses
You need a minimum of 8 core licenses (Datacenter or Standard edition) per VM.
For example, 8 core licenses are still required if you run a 4-core instance. You may
also run instances larger than 8 cores by allocating licenses equal to the core size of
the instance. For example, 12 core licenses are required for a 12-core instance. For
customers with processor licenses, each processor license is equivalent to 16 core
licenses.

Use rights
Windows Server Standard edition: Licenses must be used either on-premises
or in Azure, but not at the same time. The only exception is on a one-time
basis, for up to 180 days, to allow you to migrate the same workloads to
Azure.

Windows Server Datacenter edition: Licenses allow simultaneous usage
on-premises and in Azure. Dual Use Rights don't apply for licenses allocated for
Unlimited Virtualization Rights.

Unlimited virtualization
Unlimited Virtualization Rights refers to the right to use any number of Windows
Server VMs on a host.

Windows Server Datacenter edition: You can use any number of Windows
Server VMs on an Azure dedicated host if you allocate Windows Server
Datacenter licenses with active SA or subscription for all the available physical
cores on that Azure server.

Windows Server Standard edition: Unlimited Virtualization Rights aren't
available.

How to apply Azure Hybrid Benefit for Windows VMs in Azure
To learn how to deploy Windows Server VMs in Azure with Azure Hybrid Benefit,
follow the steps in Explore Azure Hybrid Benefit for Windows VMs. One way to
activate Azure Hybrid Benefit for a Windows Server VM is to check the box under
Licensing during VM creation, as shown in the following screenshot.

How to maintain compliance
If you apply Azure Hybrid Benefit to your Windows Server VMs, verify the number
of eligible licenses and the Software Assurance (or subscription) coverage period
before you activate this benefit. Use the preceding guidelines to make sure you
deploy the correct number of Windows Server VMs with this benefit.

If you already have Windows Server VMs running with Azure Hybrid Benefit,
perform an inventory to see how many units you're running, and check this number
against your Software Assurance or subscription licenses. You can contact your
Microsoft licensing specialist to validate your Software Assurance licensing position.

To see and count all VMs that are deployed with Azure Hybrid Benefit in an Azure
subscription, list all VMs and virtual machine scale sets using the steps in Explore
Azure Hybrid Benefit for Windows VMs.

You can also look at your Microsoft Azure bill to determine how many VMs with
Azure Hybrid Benefit for Windows Server you're running. You can find information
about the number of instances with the benefit under Additional Info:

JSON

"{"ImageType":"WindowsServerBYOL","ServiceType":"Standard_A1","VMName":"","UsageType":"ComputeHR"}"

Billing isn't applied in real time. Expect a delay of several hours after you activate a
Windows Server VM with Azure Hybrid Benefit before the VM shows on your bill.

To get a comprehensive view of your licensing position, perform an inventory in
each of your Azure subscriptions. Confirm that you're fully licensed for the Windows
Server VMs running with Azure Hybrid Benefit. You don't need to take any further
action.

Perform an inventory regularly to make sure you're using any license benefits that
you're entitled to. Regular inventories can help you reduce costs and make sure that
you always have enough licenses to cover the Windows Server VMs you've
deployed with Azure Hybrid Benefit.

If you don't have enough eligible Windows Server licenses for your deployed VMs,
you have three choices:

Purchase extra Windows Server licenses covered by Software Assurance or
subscription through a commercial licensing agreement.
Disable Azure Hybrid Benefit for some of your VMs and purchase them at
regular Azure hourly rates.
Deallocate some VMs.

Note

Microsoft reserves the right to audit customers at any time to verify eligibility
for Azure Hybrid Benefit utilization.

FAQ: Azure Hybrid Benefit

Which regions are eligible for Azure Hybrid Benefit?

Azure Hybrid Benefit is available across all Azure regions and sovereign clouds.

What happens to my benefits if my Software Assurance or subscription expires?

To use these benefits, your Software Assurance or qualifying subscription must be active.
If you choose not to renew your Software Assurance or subscription when it expires, you
need to remove your benefits from your resources in the Azure portal.

What is Software Assurance?


Software Assurance is a comprehensive Volume Licensing program. Software Assurance
is only available through Volume Licensing and is purchased when you buy or renew a
Volume Licensing agreement. It's included with some agreements and is an optional
purchase with others. Software Assurance benefits include new product version rights,
support, license mobility rights, and a unique set of technologies and services to
maximize your IT investments.

For information about Volume Licensing, see Microsoft Licensing. To learn more about
Software Assurance benefits, and how each benefit can help meet your business needs,
see Software Assurance benefits.

What is a subscription license?


Subscription licenses are licenses to run the software only during the term of the
subscription. Subscription licenses don't include perpetual rights to run the software.

How can customers get Software Assurance?

You can purchase Software Assurance through Volume Licensing. Your Software
Assurance benefits are activated in the Volume Licensing Service Center (VLSC). If your
organization has a Microsoft Products and Services Agreement (MPSA), the Business
Center is your destination for easy management of your Software Assurance benefits.

See also
Azure Hybrid Benefit product page
Explore Azure Hybrid Benefit for Windows VMs
Azure Hybrid Benefit for Azure Stack HCI

Hotpatch for virtual machines
Article • 10/10/2023

Hotpatching is a way to install OS security updates on supported Windows Server
Datacenter: Azure Edition virtual machines (VMs) that doesn’t require a reboot after
installation. It works by patching the in-memory code of running processes without the
need to restart the process. This article covers information about hotpatch for supported
VMs, which has the following benefits:

Fewer binaries mean updates install faster and consume less disk and CPU
resources.
Lower workload impact with fewer reboots.
Better protection, as the hotpatch update packages are scoped to Windows
security updates that install faster without rebooting.
Reduced time exposed to security risks, reduced change windows, and easier patch
orchestration with Azure Update Manager.

Supported platforms
Hotpatch is supported only on VMs and Azure Stack HCI created from images with the
exact combination of publisher, offer, and SKU from the following OS images list. Windows
Server container base images, custom images, and any other publisher, offer, and SKU
combinations aren't supported.

| Publisher | OS Offer | Sku |
|---|---|---|
| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-Azure-Edition-Core |
| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-Azure-Edition-Core-smalldisk |
| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-Azure-Edition-Hotpatch |
| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-Azure-Edition-Hotpatch-smalldisk |

To get started using Hotpatch, use your preferred method to create an Azure or Azure
Stack HCI VM, and select one of the following images that you would like to use.
Hotpatch is selected by default when creating an Azure VM in the Azure portal.

Windows Server 2022 Datacenter: Azure Edition Hotpatch (Desktop Experience)
Windows Server 2022 Datacenter: Azure Edition Core ¹

¹ Hotpatch is enabled by default on Server Core images.


For more information about the available images, see the Windows Server 2022
Datacenter Azure Marketplace product.

How Hotpatch works


Hotpatch works by first establishing a baseline with the current Cumulative Update for
Windows Server. Periodically (starting every three months), the baseline is refreshed with
the latest Cumulative Update, then hotpatches are released for two months following.
For example, if January is a Cumulative Update, February and March would be a
hotpatch release. For the hotpatch release schedule, see Release notes for Hotpatch in
Azure Automanage for Windows Server 2022.

Hotpatches contain updates that don't require a reboot. Because Hotpatch patches the
in-memory code of running processes without the need to restart the process, your
applications are unaffected by the patching process. This action is separate from any
potential performance and functionality implications of the patch itself.

The following image is an example of an annual three-month schedule (including
example unplanned baselines due to zero-day fixes).

There are two types of baselines: Planned baselines and Unplanned baselines.

Planned baselines are released on a regular cadence, with hotpatch releases in
between. Planned baselines include all the updates in a comparable Latest
Cumulative Update for that month, and require a reboot.
The sample schedule illustrates four planned baseline releases in a calendar year
(five total in the diagram), and eight hotpatch releases.

Unplanned baselines are released when an important update (such as a zero-day
fix) is released, and that particular update can't be released as a hotpatch. When
unplanned baselines are released, a hotpatch release is replaced with an
unplanned baseline in that month. Unplanned baselines also include all the
updates in a comparable Latest Cumulative Update for that month, and also
require a reboot.
The sample schedule illustrates two unplanned baselines that would replace the
hotpatch releases for those months (the actual number of unplanned baselines
in a year isn't known in advance).

Supported updates
Hotpatch covers Windows Security updates and maintains parity with the content of
security updates issued in the regular (nonhotpatch) Windows update channel.

There are some important considerations to running a supported Windows Server Azure
Edition VM with hotpatch enabled. Reboots are still required to install updates that
aren't included in the hotpatch program. Reboots are also required periodically after a
new baseline has been installed. Reboots keep the VM in sync with nonsecurity patches
included in the latest cumulative update.

Patches that are currently not included in the hotpatch program include
nonsecurity updates released for Windows, .NET updates, and non-Windows updates
(such as drivers and firmware updates). These types of patches may need a reboot
during Hotpatch months.

Patch orchestration process


Hotpatch is an extension of Windows Update and typical orchestration processes. Patch
orchestration tools vary depending on your platform. To orchestrate Hotpatch:

Azure: Virtual machines created in Azure are enabled for Automatic VM Guest
Patching by default with a supported Windows Server Datacenter: Azure Edition
image. Automatic VM guest patching in Azure:

Patches classified as Critical or Security are automatically downloaded and
applied on the VM.

Patches are applied during off-peak hours in the VM's time zone.

Azure manages patch orchestration and patches are applied following
availability-first principles.

Virtual machine health, as determined through platform health signals, is
monitored to detect patching failures.

Note

You can't create VM scale sets (VMSS) with Uniform orchestration on Azure
Edition images with Hotpatch. To learn more about which features are
supported by Uniform orchestration for scale sets, see A comparison of
Flexible, Uniform, and availability sets.

Azure Stack HCI: Hotpatch updates for virtual machines created on Azure Stack
HCI are orchestrated using:

Group Policy to configure the Windows Update client settings.

Configuring Windows Update client settings, or SCONFIG for Server Core.

A third-party patch management solution.

Understand the patch status for your VM in Azure


To view the patch status for your VM, browse to the VM Overview in the Azure portal,
under Operations, select Updates. Under the Recommended updates section, you can
view the latest patches and Hotpatch status for your VM.

On this screen, you see the hotpatch status for your VM. You can also review if there are any
available patches for your VM that haven't been installed. As described in the previous ‘Patch
installation’ section, all security and critical updates are automatically installed
on your VM using Automatic VM Guest Patching and no extra actions are required.
Patches with other update classifications aren't automatically installed. Instead, they're
viewable in the list of available patches under the Update compliance tab. You can also
view the history of update deployments on your VM through the Update history.
Update history from the past 30 days is displayed, along with patch installation details.

With automatic VM guest patching, your VM is periodically and automatically assessed
for available updates. These periodic assessments ensure that available patches are
detected. You can view the results of the assessment on the Updates screen in the
previous image, including the time of the last assessment. You can also choose to
trigger an on-demand patch assessment for your VM at any time using the ‘Assess now’
option and review the results after assessment completes.

Similar to on-demand assessment, you can also install patches on-demand for your VM
using the ‘Install updates now’ option. Here you can choose to install all updates under
specific patch classifications. You can also specify updates to include or exclude by
providing a list of individual knowledge base articles. Patches installed on-demand
aren't installed using availability-first principles and may require more reboots and VM
downtime for update installation.

You can also view the installed patches using the Get-HotFix PowerShell command or
using the Settings app when using the Desktop Experience.

Rollback support on Hotpatching


The installation of Hotpatch or Baseline updates doesn't support automatic rollback. If a
VM experiences an issue during or after an update, you'll have to uninstall the latest
update and install the last known good baseline update. You'll need to reboot the VM
after rollback.

Next steps
Automatic VM Guest Patching
Enable Hotpatch for Azure Edition virtual machines built from ISO
Azure Update Management

What is Secured-core server?
Article • 04/06/2023

Applies to: Windows Server 2022, Azure Stack HCI version 21H2 and later

Secured-core is a collection of capabilities that offers built-in hardware, firmware, driver
and operating system security features. The protection provided by Secured-core
systems begins before the operating system boots and continues whilst running.
Secured-core server is designed to deliver a secure platform for critical data and
applications.

Secured-core server is built on three key security pillars:

Creating a hardware backed root of trust.

Defense against firmware level attacks.

Protecting the OS from the execution of unverified code.

What makes a Secured-core server


The Secured-core initiative started with Windows PCs through a deep collaboration
between Microsoft and PC manufacturing partners to provide the most elevated
Windows security ever. Microsoft has expanded the partnership further with server
manufacturing partners to help ensure Windows Server delivers a secure operating
system environment.

Windows Server integrates closely with hardware to provide increasing levels of security:

Recommended baseline: The recommended minimum for all systems to provide
foundational system integrity using TPM 2.0 for a hardware root of trust and
Secure Boot. TPM 2.0 and Secure Boot are required for Windows Server hardware
certification. To learn more, see Microsoft raises the security standard for next
major Windows Server release.

Secured-core server: Recommended for systems and industries requiring higher
levels of assurance. Secured-core server builds on the previous features and uses
advanced processor capabilities to provide protection from firmware attacks.

The following table shows how each security concept and feature are used to create a
Secured-core server.
| Concept | Feature | Requirement | Recommended baseline | Secured-Core server |
|---|---|---|---|---|
| Create a hardware backed root of trust | | | | |
| | Secure Boot | Secure Boot is enabled in the Unified Extensible Firmware Interface (UEFI) BIOS by default. | ✓ | ✓ |
| | Trusted Platform Module (TPM) 2.0 | Meet the latest Microsoft requirements for the Trusted Computing Group (TCG) specification. | ✓ | ✓ |
| | Certified for Windows Server | Demonstrates that a server system meets Microsoft's highest technical bar for security, reliability and manageability. | ✓ | ✓ |
| | Boot DMA protection | Support on devices that have the Input/Output Memory Management Unit (IOMMU). For example, Intel VT-D or AMD-Vi. | | ✓ |
| Defend against firmware level attacks | | | | |
| | System Guard Secure Launch | Enabled in the operating system with Dynamic Root of Trust for Measurement (DRTM) compatible Intel and AMD hardware. | | ✓ |
| Protect the OS from execution of unverified code | | | | |
| | Virtualization-based Security (VBS) | Requires the Windows hypervisor, which is only supported on 64-bit processors with virtualization extensions, including Intel VT-X and AMD-v. | ✓ | ✓ |
| | Hypervisor Enhanced Code Integrity (HVCI) | Hypervisor Code Integrity (HVCI)-compatible drivers plus VBS requirements. | ✓ | ✓ |
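
The features in the table above can be checked on a running server. The following PowerShell is an added example, not Microsoft's own tooling: it reports each feature's state and lists what is missing for the recommended baseline and for Secured-core. The function name Get-SecuredCoreStatus is hypothetical, and the numeric values are those Microsoft documents for the Win32_DeviceGuard CIM class; "Certified for Windows Server" is a hardware certification and can't be read from the OS, so it isn't checked.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the local server against the Secured-core feature table.

function Get-SecuredCoreStatus {
    # Secure Boot: the cmdlet throws on legacy BIOS firmware, so an error means "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # TPM 2.0: SpecVersion is a string such as "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = $false
    if ($tpm -and $tpm.SpecVersion) {
        $tpm20 = (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')
    }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # AvailableSecurityProperties: 3 = DMA protection is available.
    $dma  = [bool]($dg -and ($dg.AvailableSecurityProperties -contains 3))
    # VirtualizationBasedSecurityStatus: 2 = enabled and running.
    $vbs  = [bool]($dg -and ($dg.VirtualizationBasedSecurityStatus -eq 2))
    # SecurityServicesRunning: 2 = HVCI, 3 = System Guard Secure Launch.
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    $sgsl = [bool]($dg -and ($dg.SecurityServicesRunning -contains 3))

    # Level mirrors the table: "Baseline" features carry a check mark in both columns,
    # "Secured-core" features only in the Secured-core server column.
    @(
        [pscustomobject]@{ Feature = 'Secure Boot';                Level = 'Baseline';     Enabled = $secureBoot }
        [pscustomobject]@{ Feature = 'TPM 2.0';                    Level = 'Baseline';     Enabled = $tpm20 }
        [pscustomobject]@{ Feature = 'Boot DMA protection';        Level = 'Secured-core'; Enabled = $dma }
        [pscustomobject]@{ Feature = 'System Guard Secure Launch'; Level = 'Secured-core'; Enabled = $sgsl }
        [pscustomobject]@{ Feature = 'VBS';                        Level = 'Baseline';     Enabled = $vbs }
        [pscustomobject]@{ Feature = 'HVCI';                       Level = 'Baseline';     Enabled = $hvci }
    )
}

$status = Get-SecuredCoreStatus
$status | Format-Table -AutoSize

$baselineGaps = @($status | Where-Object { $_.Level -eq 'Baseline' -and -not $_.Enabled })
$allGaps      = @($status | Where-Object { -not $_.Enabled })

if ($baselineGaps.Count -gt 0) {
    Write-Warning ("Recommended baseline not met. Missing: " + ($baselineGaps.Feature -join ', '))
}
elseif ($allGaps.Count -gt 0) {
    Write-Warning ("Baseline met; not Secured-core. Missing: " + ($allGaps.Feature -join ', '))
}
else {
    Write-Output 'All checked Secured-core features are enabled.'
}
```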

Create a hardware backed root of trust


UEFI Secure Boot is a security standard that protects your servers from malicious
rootkits by verifying your system's boot components. Secure Boot verifies that a trusted
author has digitally signed the UEFI firmware drivers and applications. When the server
is started, the firmware checks the signature of each boot component including
firmware drivers and the OS. If the signatures are valid, the server boots and the
firmware gives control to the OS.

To learn more about the boot process, see Secure the Windows boot process.

TPM 2.0 provides secure, hardware-backed storage for sensitive keys and data. Every
component loaded during the boot process is measured and the measurements are stored
in the TPM. By verifying the hardware root-of-trust, it elevates the protection provided
by capabilities like BitLocker, which uses TPM 2.0 and facilitates the creation of
attestation-based workflows. These attestation-based workflows can be incorporated
into zero-trust security strategies.

Learn more about Trusted Platform Modules and how Windows uses the TPM.

Along with Secure Boot and TPM 2.0, Windows Server Secured-core uses Boot DMA
protection on compatible processors that have the Input/Output Memory Management
Unit (IOMMU), for example, Intel VT-D or AMD-Vi. With boot DMA protection, systems
are protected from Direct Memory Access (DMA) attacks during boot and during the
operating system runtime.

Defend against firmware level attacks


Endpoint protection and detection solutions usually have limited visibility of firmware,
given that firmware runs underneath the operating system. Firmware has a higher
level of access and privilege than the operating system and hypervisor kernel, making it
an attractive target for attackers. Attacks targeting firmware undermine other security
measures implemented by the operating system, making it more difficult to identify
when a system or user has been compromised.

Beginning with Windows Server 2022, System Guard Secure Launch protects the boot
process from firmware attacks by using hardware capabilities from AMD and Intel. With
processor support for Dynamic Root of Trust for Measurement (DRTM) technology,
Secured-core servers put firmware in a hardware-backed sandbox helping to limit the
effects of vulnerabilities in highly privileged firmware code. System Guard uses the
DRTM capabilities that are built into compatible processors to launch the operating
system, ensuring the system launches into a trusted state using verified code.

Protect the OS from execution of unverified code


Secured-core server uses Virtualization Based Security (VBS) and hypervisor-protected
code integrity (HVCI) to create and isolate a secure region of memory from the normal
operating system. VBS uses the Windows hypervisor to create a Virtual Secure Mode
(VSM) to offer security boundaries within the operating system, which can be used for
other security solutions.

HVCI, commonly referred to as Memory integrity protection, is a security solution that
helps ensure that only signed and trusted code is allowed to execute in the kernel. Using
only signed and trusted code prevents attacks that attempt to modify the kernel mode
code, for example, attacks that modify drivers, or exploits such as WannaCry that
attempt to inject malicious code into the kernel.

To learn more about VBS and hardware requirements, see Virtualization-based Security.

Simplified management
You can view and configure the OS security features of Secured-core systems using
Windows PowerShell or the security extension in Windows Admin Center. With Azure
Stack HCI Integrated Systems, manufacturing partners have further simplified the
configuration experience for customers so that Microsoft’s best server security is
available right out of the box.

Learn more about Windows Admin Center.
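The following PowerShell audit is an added example, not code from the original article. It reads the state of the features in the table above from an elevated session; the function name Get-SecuredCoreStatus is hypothetical, and "Certified for Windows Server" is not included because it cannot be checked from software.

```powershell
# Added example: read-only audit of the features listed in the Secured-core table.
# Run from an elevated PowerShell session on the server being checked.
function Get-SecuredCoreStatus {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports VBS state and which security services are running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Win32_Tpm exposes the TPM specification version (for example "2.0, 0, 1.38").
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    $tpm20 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # Documented Win32_DeviceGuard values used below:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           2 = HVCI, 3 = System Guard Secure Launch
    #   AvailableSecurityProperties:       3 = DMA protection available
    @(
        [pscustomobject]@{ Feature = 'Secure Boot';                Baseline = $true
                           Enabled = $secureBoot }
        [pscustomobject]@{ Feature = 'TPM 2.0';                    Baseline = $true
                           Enabled = $tpm20 }
        [pscustomobject]@{ Feature = 'Boot DMA protection';        Baseline = $false
                           Enabled = ($dg.AvailableSecurityProperties -contains 3) }
        [pscustomobject]@{ Feature = 'System Guard Secure Launch'; Baseline = $false
                           Enabled = ($dg.SecurityServicesRunning -contains 3) }
        [pscustomobject]@{ Feature = 'VBS';                        Baseline = $true
                           Enabled = ($dg.VirtualizationBasedSecurityStatus -eq 2) }
        [pscustomobject]@{ Feature = 'HVCI';                       Baseline = $true
                           Enabled = ($dg.SecurityServicesRunning -contains 2) }
    )
}

$status = Get-SecuredCoreStatus
$status | Format-Table -AutoSize

# Features marked Baseline are in both columns of the table; the rest are Secured-core only.
$missingBaseline = $status | Where-Object { $_.Baseline -and -not $_.Enabled }
$missingAny      = $status | Where-Object { -not $_.Enabled }

if ($missingBaseline) {
    Write-Warning ('Recommended baseline not met: ' + ($missingBaseline.Feature -join ', '))
} elseif ($missingAny) {
    Write-Warning ('Baseline met, Secured-core features not active: ' + ($missingAny.Feature -join ', '))
} else {
    Write-Output 'All checked Secured-core features are active.'
}
```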

Preventative defense
You can proactively defend against and disrupt many of the paths attackers use to
exploit systems by enabling Secured-core functionality. Secured-core server enables
advanced security features at the bottom layers of the technology stack, protecting the
most privileged areas of the system before many security tools are aware of exploits. It
also occurs without the need for extra tasks or monitoring by IT and SecOps teams.

Begin your Secured-core journey


You can find hardware certified for Secured-core server from the Windows Server
Catalog , and Azure Stack HCI servers in the Azure Stack HCI Catalog . These certified
servers come fully equipped with industry-leading security mitigations built into the
hardware, firmware, and the operating system to help thwart some of the most
advanced attack vectors.

Next steps
Now that you understand what Secured-core server is, here are some resources to get you
started:

Configure Secured-core server.

Microsoft brings advanced hardware security to Server and Edge with Secured-core in
the Microsoft Security Blog.

New Secured-core servers are now available from the Microsoft ecosystem to help
secure your infrastructure in the Microsoft Security Blog.

Building Windows-compatible devices, systems, and filter drivers across all
Windows Platforms in Windows Hardware Compatibility Program Specifications
and Policies.
How to create a Key Management Services (KMS) activation host
Article • 12/23/2021

KMS uses a client-server model to activate Windows clients and is used for volume
activation on your local network. KMS clients connect to a KMS server, called the KMS
host, for activation. The KMS clients that a KMS host can activate are dependent on the
host key used to activate the KMS host. This article walks you through the steps you
need to create a KMS host. To learn more about KMS and the initial planning
considerations, see Key Management Services (KMS) activation planning.

Prerequisites
A single KMS host can support an unlimited number of KMS clients. If you have more
than 50 clients, we recommend that you have at least two KMS hosts in case one of your
KMS hosts becomes unavailable. Most organizations can operate with as few as two
KMS hosts for their entire infrastructure.

KMS hosts do not need to be dedicated servers, and KMS can be co-hosted with other
services. You can run a KMS host on any physical or virtual system that is running a
supported Windows Server or Windows client operating system.

The version of Windows you use for your KMS host determines the version of Windows
you can activate for your KMS clients. Please see the table of activation versions to help
you decide which is right for your environment.

By default, KMS hosts automatically publish SRV resource records in DNS. This enables
KMS clients to automatically discover the KMS host and activate without the need for
any configuration on the KMS client. Automatic publishing can be disabled and the
records can be created manually, which is also necessary for automatic activation if the
DNS service does not support dynamic updates.

You will need:

A computer running Windows Server or Windows. A KMS host running on a
Windows Server operating system can activate computers running both server and
client operating systems, however a KMS host running on a Windows client
operating system can only activate computers also running client operating
systems.

The user account you use must be a member of the Administrators group on the
KMS host.

A KMS host key for your organization. You can get this key from the Product Keys
section of the Volume Licensing Service Center.

Install and configure a KMS host


1. From an elevated PowerShell session, run the following command to install the
Volume Activation Services role:

PowerShell

Install-WindowsFeature -Name VolumeActivation -IncludeManagementTools

2. Configure the Windows Firewall to allow the Key Management Service to receive
network traffic. You can allow this for any network profiles (default), or for any
combination of Domain, Private, and Public network profiles. By default, a KMS
host is configured to use TCP on port 1688. In the example below, the firewall rule
is configured to allow network traffic for the Domain and Private network profiles
only:

PowerShell

Set-NetFirewallRule -Name SPPSVC-In-TCP -Profile Domain,Private -Enabled True

3. Launch the Volume Activation Tools wizard by running:

PowerShell

vmw.exe

4. Select Next on the introduction screen. Select Key Management Service (KMS) as
the activation type and enter localhost to configure the local server or the
hostname of the server you want to configure.

5. Select Install your KMS host key and enter the product key for your organization,
then select Commit.

6. Once the product key has been installed, you need to activate the product. Click
Next.
7. Select the product you want to activate from the dropdown menu, then select
whether you want to activate online or by phone. In this example, select Activate
online and then Commit.

8. Once activation is successful, the KMS host configuration will be shown. If this is
the configuration you want, you can select Close to exit the wizard. DNS records
will be created and you can start activating KMS clients. See the section below if
you need to manually create DNS records. If you want to change the configuration
settings, select Next.

9. Optional: Change the configuration values based on your requirements and select
Commit.

Note

You can now start activating KMS clients, however a network must have a
minimum number of computers (called the activation threshold). KMS hosts count
the number of recent connections and so when a client or server contacts the KMS
host, the host adds the machine ID to its count and then returns the current count
value in its response. The client or server will activate if the count is high enough.
Windows clients will activate if the count is 25 or higher. Windows Server and
volume editions of Microsoft Office products will activate if the count is five or
greater. The KMS only counts unique connections from the past 30 days, and only
stores the 50 most recent contacts.
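To confirm the result of the steps above, the following read-only check is an added example and not part of the original article. It uses the SPPSVC-In-TCP rule name and port 1688 from step 2; the function name Test-KmsHostExposure is hypothetical.

```powershell
# Added example: verify that the KMS host listens on the expected port and that the
# firewall rule from step 2 is limited to the intended network profiles.
function Test-KmsHostExposure {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$RuleName = 'SPPSVC-In-TCP',   # rule name used in step 2
        [int]$Port = 1688                      # default KMS port from step 2
    )

    $rule     = Get-NetFirewallRule -Name $RuleName -ErrorAction Stop
    $address  = $rule | Get-NetFirewallAddressFilter
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

    # Profile is a flags value; its string form is "Any" or a list such as "Domain, Private".
    $profiles = "$($rule.Profile)"

    [pscustomobject]@{
        RuleEnabled   = ($rule.Enabled -eq 'True')
        Profiles      = $profiles
        PublicAllowed = ($profiles -match 'Public|Any')
        RemoteAddress = ($address.RemoteAddress -join ', ')
        Listening     = [bool]$listener
        ListenerPid   = ($listener | Select-Object -First 1).OwningProcess
    }
}

$result = Test-KmsHostExposure
$result | Format-List

if (-not $result.RuleEnabled) {
    Write-Warning 'The KMS firewall rule is disabled; clients cannot reach the host.'
}
if ($result.PublicAllowed) {
    Write-Warning 'The KMS rule applies to the Public profile. Restrict it to Domain and Private as in step 2.'
}
if (-not $result.Listening) {
    Write-Warning 'Nothing is listening on the KMS port. Check that the host key is installed and activated.'
}

# Detailed license information for the host, including the current client count
# that is compared against the activation threshold described in the note above.
cscript.exe //NoLogo "$env:SystemRoot\System32\slmgr.vbs" /dlv
```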

Manually create DNS records


If your DNS service does not support dynamic update, the resource records must be
manually created to publish the KMS host. Create DNS resource records for KMS
manually with your DNS service using the information below (altering the default port
number if you changed this in the KMS host configuration):

Property Value

Type SRV

Service/Name _vlmcs

Protocol _tcp

Priority 0

Weight 0

Port number 1688

Hostname FQDN of the KMS host

You should also disable publishing on all KMS hosts if your DNS service does not
support dynamic update to prevent event logs from collecting failed DNS publishing
events.

Tip

Manually created resource records can also coexist with resource records that KMS
hosts automatically publish in other domains as long as all records are maintained
to prevent conflicts.
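The record in the table above can be created and audited as follows. This is an added example, not part of the original article; it assumes the zone is hosted on a Windows DNS server with the DnsServer module, and the zone name and KMS host FQDN are placeholders.

```powershell
# Added example: create the _vlmcs._tcp SRV record for each approved KMS host and
# flag any SRV record that points at a host you did not approve.
$Zone        = 'corp.example.com'            # placeholder zone name
$ApprovedKms = @('kms01.corp.example.com')   # placeholder FQDNs of your KMS hosts
$Port        = 1688                          # change if you changed the KMS port

function Get-KmsSrvRecord {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ZoneName)

    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '_vlmcs._tcp' -RRType Srv `
                                -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Target   = $_.RecordData.DomainName.TrimEnd('.')
                Port     = $_.RecordData.Port
                Priority = $_.RecordData.Priority
                Weight   = $_.RecordData.Weight
            }
        }
}

# Create the record only where it is missing, using the values from the table.
$existing = @(Get-KmsSrvRecord -ZoneName $Zone)
foreach ($kms in $ApprovedKms) {
    if ($existing.Target -notcontains $kms) {
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_vlmcs._tcp' `
            -DomainName $kms -Priority 0 -Weight 0 -Port $Port
    }
}

# Clients activate against whatever host the SRV record names, so report any
# target that is not on the approved list.
Get-KmsSrvRecord -ZoneName $Zone |
    Where-Object { $ApprovedKms -notcontains $_.Target } |
    ForEach-Object { Write-Warning "Unexpected KMS SRV target: $($_.Target):$($_.Port)" }

# What a KMS client sees when it performs automatic discovery.
Resolve-DnsName -Name "_vlmcs._tcp.$Zone" -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight
```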

Disable publishing of DNS records


To disable publishing of DNS records by the KMS host:

1. Launch the Volume Activation Tools wizard by running:

PowerShell

vmw.exe

2. Select Next on the introduction screen. Select Key Management Service (KMS) as
the activation type and enter localhost to configure the local server or the
hostname of the server you want to configure.

3. Select Skip to Configuration, then select Next.

4. Uncheck the box for publish DNS records, then select Commit.
Key Management Services (KMS) client activation and product keys
Article • 05/16/2024

To use KMS, you need to have a KMS host available on your local network. Computers
that activate with a KMS host need to have a specific product key. This key is sometimes
referred to as the KMS client key, but it's formally known as a Microsoft Generic Volume
License Key (GVLK). Computers that are running volume licensing editions of Windows
Server and Windows client are, by default, KMS clients with no extra configuration
needed as the relevant GVLK is already there.

There are some scenarios, however, where you'll need to add the GVLK to the computer
you wish to activate against a KMS host, such as:

Converting a computer from using a Multiple Activation Key (MAK)

Converting a retail license of Windows to a KMS client

If the computer was previously a KMS host

Important

To use the keys listed here (which are GVLKs), you must first have a KMS host
available on your local network. If you don't already have a KMS host, please see
how to create a KMS host to learn more.

If you want to activate Windows without a KMS host available and outside of a
volume-activation scenario (for example, you're trying to activate a retail version of
Windows client), these keys won't work. You will need to use another method of
activating Windows, such as using a MAK, or purchasing a retail license. Get help to
find your Windows product key and learn about genuine versions of
Windows .

Install a product key


If you're converting a computer from a KMS host, MAK, or retail edition of Windows to a
KMS client, install the applicable product key (GVLK) from the list in this article. To install
a client product key, open an administrative command prompt on the client, and run the
following command and then press Enter :

Windows Command Prompt


slmgr /ipk <product key>

For example, to install the product key for Windows Server 2022 Datacenter Edition, run
the following command and then press Enter :

Windows Command Prompt

slmgr /ipk WX4NM-KYWYW-QJJR4-XV3QB-6VM33

Generic Volume License Keys


In the tables that follow, you'll find the GVLKs for each version and edition of Windows.
LTSC is Long-Term Servicing Channel, while LTSB is Long-Term Servicing Branch.

Windows Server LTSC

Windows Server 2022


Operating system edition KMS Client Product Key

Windows Server 2022 Standard VDYBN-27WPP-V4HQT-9VMD4-VMK7H

Windows Server 2022 Datacenter WX4NM-KYWYW-QJJR4-XV3QB-6VM33

Windows Server 2022 Datacenter: Azure Edition NTBV8-9K7Q8-V27C6-M2BTV-KHMXV

Windows Server Semi-Annual Channel

Windows Server, versions 20H2, 2004, 1909, 1903, and 1809


Operating system edition KMS Client Product Key

Windows Server Standard N2KJX-J94YW-TQVFB-DG9YT-724CC

Windows Server Datacenter 6NMRW-2C8FM-D24W7-TQWMY-CWH2D


Important

Windows Server, version 20H2 reached end of service on August 9, 2022 and is no
longer receiving security updates. This includes the retirement of Windows Server
Semi-Annual Channel (SAC) with no future releases.

Customers using Windows Server SAC should move to Azure Stack HCI.
Alternatively, customers may use the Long-Term Servicing Channel of Windows
Server.

Windows 11 and Windows 10 Semi-Annual Channel


See the Windows lifecycle fact sheet for information about supported versions and
end of service dates.

Operating system edition KMS Client Product Key

Windows 11 Pro, Windows 10 Pro W269N-WFGWX-YVC9B-4J6C9-T83GX

Windows 11 Pro N, Windows 10 Pro N MH37W-N47XK-V7XM9-C7227-GCQG9

Windows 11 Pro for Workstations, Windows 10 Pro for Workstations NRG8B-VKK3Q-CXVCJ-9G2XF-6Q84J

Windows 11 Pro for Workstations N, Windows 10 Pro for Workstations N 9FNHH-K3HBT-3W4TD-6383H-6XYWF

Windows 11 Pro Education, Windows 10 Pro Education 6TP4R-GNPTD-KYYHQ-7B7DP-J447Y

Windows 11 Pro Education N, Windows 10 Pro Education N YVWGF-BXNMC-HTQYQ-CPQ99-66QFC

Windows 11 Education, Windows 10 Education NW6C2-QMPVW-D7KKK-3GKT6-VCFB2

Windows 11 Education N, Windows 10 Education N 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ

Windows 11 Enterprise, Windows 10 Enterprise NPPR9-FWDCX-D2C8J-H872K-2YT43

Windows 11 Enterprise N, Windows 10 Enterprise N DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4

Windows 11 Enterprise G, Windows 10 Enterprise G YYVX9-NTFWV-6MDM3-9PT4T-4M68B

Windows 11 Enterprise G N, Windows 10 Enterprise G N 44RPN-FTY23-9VTTB-MP9BX-T84FV

Windows Enterprise LTSC and LTSB

Windows 10 LTSC 2021, 2019

Operating system edition KMS Client Product Key

Windows 10 Enterprise LTSC 2021, Windows 10 Enterprise LTSC 2019 M7XTQ-FN8P6-TTKYV-9D4CC-J462D

Windows 10 Enterprise N LTSC 2021, Windows 10 Enterprise N LTSC 2019 92NFX-8DJQP-P6BBQ-THF9C-7CG2H

Windows IoT Enterprise


Operating system edition KMS Client Product Key

Windows IoT Enterprise LTSC 2021 KBN8V-HFGQ4-MGXVD-347P6-PDQGT

Note

For ImageVersion: 10.0.19044.2905 or later, see Windows IoT Enterprise LTSC in
Volume License.

Earlier versions of Windows Server


Windows Server, version 1803


Operating system edition KMS Client Product Key

Windows Server Standard PTXN8-JFHJM-4WC78-MPCBR-9W4KR

Windows Server Datacenter 2HXDN-KRXHB-GPYC7-YCKFJ-7FVDG

Earlier versions of Windows Client

Windows 8.1


Operating system edition KMS Client Product Key

Windows 8.1 Pro GCRJD-8NW9H-F2CDX-CCM8D-9D6T9

Windows 8.1 Pro N HMCNV-VVBFX-7HMBH-CTY9B-B4FXY

Windows 8.1 Enterprise MHF9N-XY6XB-WVXMC-BTDCT-MKKG7

Windows 8.1 Enterprise N TT4HM-HN7YT-62K67-RGRQJ-JFFXW


Connect Windows Server machines to Azure through Azure Arc Setup
Article • 04/15/2024

Windows Server machines can be onboarded directly to Azure Arc through a
graphical wizard included in Windows Server. The wizard automates the onboarding
process by checking the necessary prerequisites for successful Azure Arc onboarding
and fetching and installing the latest version of the Azure Connected Machine (AzCM)
agent. Once the wizard process completes, you're directed to your Windows Server
machine in the Azure portal, where it can be viewed and managed like any other Azure
Arc-enabled resource.

Onboarding to Azure Arc is not needed if the Windows Server machine is already
running in Azure.

For Windows Server 2022, Azure Arc Setup is an optional component that can be
removed using the Remove Roles and Features Wizard. For Windows Server 2025 and
later, Azure Arc Setup is a Feature on Demand. Essentially, this means that the
procedures for removal and enablement differ between OS versions. See for more
information.

Note

The Azure Arc Setup feature only applies to Windows Server 2022 and later. It was
released in the Cumulative Update of 10/10/2023.

Automatic connection for SQL Server


When you connect a Windows or Linux server to Azure Arc that also has Microsoft SQL
Server installed, the SQL Server instances will automatically be connected to Azure Arc
as well. SQL Server enabled by Azure Arc provides a detailed inventory and additional
management capabilities for your SQL Server instances and databases. As part of the
connection process, an extension is deployed to your Azure Arc-enabled server and new
roles will be applied to your SQL Server and databases. If you don't want to
automatically connect your SQL Servers to Azure Arc, you can opt out by adding a tag
to the Windows or Linux server with the name ArcSQLServerExtensionDeployment and
value Disabled when it's connected to Azure Arc.
For more information, see Manage automatic connection for SQL Server enabled by
Azure Arc.

Prerequisites
Azure Arc-enabled servers - Review the prerequisites and verify that your
subscription, your Azure account, and resources meet the requirements.

An Azure subscription. If you don't have one, create a free account before you
begin.

Modern browser (Microsoft Edge) for authentication to Microsoft Azure.
Configuration of the Azure Connected Machine agent requires authentication to
your Azure account, either through interactive authentication on a modern
browser or device code login on a separate device (if the machine doesn't have a
modern browser).

Launch Azure Arc Setup and connect to Azure Arc
The Azure Arc Setup wizard is launched from a system tray icon at the bottom of the
Windows Server machine when the Azure Arc Setup feature is enabled. This feature is
enabled by default. Alternatively, you can launch the wizard from a pop-up window in
the Server Manager or from the Windows Server Start menu.

1. Select the Azure Arc system tray icon, then select Launch Azure Arc Setup.
2. The introduction window of the Azure Arc Setup wizard explains the benefits of
onboarding your machine to Azure Arc. When you're ready to proceed, click Next.

3. The wizard automatically checks for the prerequisites necessary to install the Azure
Connected Machine agent on your Windows Server machine. Once this process
completes and the agent is installed, select Configure.

4. The configuration window details the steps required to configure the Azure
Connected Machine agent. When you're ready to begin configuration, select Next.

5. Sign in to Azure by selecting the applicable Azure cloud, and then selecting Sign
in to Azure. You'll be asked to provide your sign-in credentials.

6. Provide the resource details of how your machine will work within Azure Arc, such
as the Subscription and Resource group, and then select Next.

7. Once the configuration completes and your machine is onboarded to Azure Arc,
select Finish.

8. Go to the Server Manager and select Local Server to view the status of the
machine in the Azure Arc Management field. A successfully onboarded machine
has a status of Enabled.
Server Manager functions
You can select the Enabled/Disabled link in the Azure Arc Management field of the
Server Manager to launch different functions based on the status of the machine:

If Azure Arc Setup isn't installed, selecting Enabled/Disabled launches the Add
Roles and Features Wizard.
If Azure Arc Setup is installed and the Azure Connected Machine agent hasn't been
installed, selecting Disabled launches AzureArcSetup.exe , the executable file for
the Azure Arc Setup wizard.
If Azure Arc Setup is installed and the Azure Connected Machine agent is already
installed, selecting Enabled/Disabled launches AzureArcConfiguration.exe , the
executable file for configuring the Azure Connected Machine agent to work with
your machine.

Viewing the connected machine


The Azure Arc system tray icon at the bottom of your Windows Server machine indicates
if the machine is connected to Azure Arc; a red symbol means the machine does not
have the Azure Connected Machine agent installed. To view a connected machine in
Azure Arc, select the icon and then select View Machine in Azure. You can then view the
machine in the Azure portal , just as you would other Azure Arc-enabled resources.
Uninstalling Azure Arc Setup

Note

Uninstalling Azure Arc Setup does not uninstall the Azure Connected Machine
agent from the machine. For instructions on uninstalling the agent, see Managing
and maintaining the Connected Machine agent.

To uninstall Azure Arc Setup from a Windows Server 2022 machine:

1. In the Server Manager, navigate to the Remove Roles and Features Wizard. (See
Remove roles, role services, and features by using the Remove Roles and Features
Wizard for more information.)

2. On the Features page, uncheck the box for Azure Arc Setup.

3. On the confirmation page, select Restart the destination server automatically if
required, then select Remove.

To uninstall Azure Arc Setup through PowerShell, run the following command:

PowerShell

Disable-WindowsOptionalFeature -Online -FeatureName AzureArcSetup

To uninstall Azure Arc Setup from a Windows Server 2025 machine:

1. Open the Settings app on the machine and select System, then select Optional
features.

2. Select AzureArcSetup, and then select Remove.

To uninstall Azure Arc Setup from a Windows Server 2025 machine from the command
line, run the following line of code:

DISM /online /Remove-Capability /CapabilityName:AzureArcSetup~~~~

Next steps
Troubleshooting information can be found in the Troubleshoot Azure Connected
Machine agent guide.

Review the Planning and deployment guide to plan for deploying Azure Arc-
enabled servers at any scale and implement centralized management and
monitoring.

Learn how to manage your machine using Azure Policy, for such things as VM
guest configuration, verifying the machine is reporting to the expected Log
Analytics workspace, enable monitoring with VM insights, and much more.
How to get Extended Security Updates (ESU) for Windows Server
Article • 09/26/2023

Extended Security Updates (ESU) for Windows Server include security updates and
bulletins rated critical and important. Before using ESU, you should read Extended
Security Updates for Windows Server Overview to understand what ESUs are, how long
they're available for, and what your options are.

How you get ESUs depends on where your server is hosted. You can get access to ESUs
through the following options.

Azure virtual machines - Applicable virtual machines (VMs) hosted in Azure are
automatically enabled for ESUs and these updates are provided free of charge.
There's no need to deploy a MAK key or take any other action. See Extended
Security Updates on Azure to learn more.

Azure Arc-enabled servers - If your servers are on-premises or in a hosted
environment, you can enroll your Windows Server 2012 and 2012 R2 or SQL Server
2012 machines for Extended Security Updates via the Azure portal, connect
through Azure Arc, and you'll be billed monthly via your Azure subscription. See
Extended Security Updates enabled by Azure Arc to learn more. [1]

Non-Azure physical and virtual machines - If you can't connect using Azure Arc,
you can use Extended Security Updates on non-Azure VMs by applying a Multiple
Activation Key (MAK) to the relevant servers. This MAK key lets the Windows
Update servers know that you can continue to receive security updates. See Access
your Multiple Activation Key from the Microsoft 365 Admin Center to learn more. [1]

[1] When using Azure Arc-enabled servers and non-Azure machines you must purchase
ESUs. In order to purchase ESUs, you must have Software Assurance through Volume
Licensing Programs such as an Enterprise Agreement (EA), Enterprise Agreement
Subscription (EAS), Enrollment for Education Solutions (EES), or Server and Cloud
Enrollment (SCE).

Note

It may take 3-5 business days for your Multiple Activation Key to become available
after purchasing ESUs for on-premises VMs or physical servers. Your organization
may also require time to plan and deploy the new keys. Before purchasing ESUs,
you should keep these timelines in mind.

Extended Security Updates on Azure


Applicable virtual machines (VMs) hosted in Azure are automatically enabled for ESU
and these updates are provided free of charge. You don't need to configure anything,
and there's no extra charge for using ESUs with Azure VMs. ESUs are automatically
delivered to Azure VMs if they're configured to receive updates.

Note

Extended Security Updates are also free of charge in other Azure products such as
Azure Dedicated Host, Azure VMware Solution, Azure Nutanix Solution, and Azure
Stack (Hub, Edge, and HCI), and might require additional configuration. Contact
Microsoft Support for more help.

Azure Classic VMs (Microsoft.ClassicCompute) also require extra configuration to
receive Extended Security Updates since they don't have access to the Azure
Instance Metadata Service that determines ESU eligibility.

Extended Security Updates enabled by Azure Arc
ESUs are automatically delivered to Azure Arc-enabled servers if they're connected and
enrolled for ESUs through Azure Arc. This can also apply to non-Azure servers
connected to Azure Arc.

You can enroll in ESUs at scale by using Azure Policy or the Azure portal. There's no
upfront charge and you'll be billed monthly via your Azure subscription. You also don't
need to activate product keys.

Azure Arc-enabled servers also enable you to use other Azure services, such as:

Azure Update Manager.

Microsoft Defender for Cloud.

Azure Policy (Machine Configuration).

Azure Monitor (VM Insights).

From September 2023, you're able to activate Windows Server 2012 and 2012 R2 ESUs
through Azure Arc. You can connect Windows Server 2012 and 2012 R2 servers to Azure
Arc today; see Connect hybrid machines with Azure Arc-enabled servers.

To prepare for activating Windows Server 2012 and 2012 R2 ESUs on your Arc-enabled
servers, follow these steps:

1. Sign in to the Azure portal .

2. In the search bar, enter Servers - Azure Arc and select the matching service entry.

3. Add your existing Windows Server 2012 or 2012 R2 machine to Azure Arc. To learn
about getting started with Azure Arc-enabled servers, see Connect hybrid
machines with Azure Arc-enabled servers.

To learn more about ESUs with Azure Arc, see Prepare to deliver Extended Security
Updates for Windows Server 2012 and Deliver Extended Security Updates for Windows
2012 and 2012 R2.

Access your Multiple Activation Key from the Microsoft 365 Admin Center
Customers who can't connect to Azure Arc to apply ESUs can use Multiple Activation
Keys (MAK) through Microsoft 365 Admin Center:

1. Sign in to the Microsoft 365 Admin Center .

2. Select Your products > Volume licensing > View contracts.

3. Select your agreement number used to purchase ESUs, the three dots beside it
(More Actions icon), then select View product keys. All the product keys available
to the agreement are shown on this page.

4. Once you have your MAK, install the new key on your eligible servers. To learn
more about installing and activating your MAK, see our Tech Community blog post
Obtaining Extended Security Updates for eligible Windows devices .

Download and installation of Extended Security Updates
Delivery, download, and application of ESUs for Windows Server is no different than
other Windows Updates. The updates provided through ESUs are only Security updates.
Before you can download and install ESUs, you must have installed the latest Servicing
Stack Update (SSU) and the Licensing Preparation Package. To learn more about the
steps required to install the latest SSU and Licensing Preparation Package, see
KB5031043: Procedure to continue receiving security updates after extended support
has ended on October 10, 2023 .

You can install the updates using whatever tools and processes you already have in
place. The only difference is that the system must be registered using the key generated
in the previous section for the updates to download and install.

For VMs hosted in Azure, the process of enabling the server for ESUs is automatically
completed for you. Updates should download and install without extra configuration.
Deliver Extended Security Updates for Windows Server 2012
Article • 02/20/2024

This article provides steps to enable delivery of Extended Security Updates (ESUs) to
Windows Server 2012 machines onboarded to Arc-enabled servers. You can enable ESUs
to these machines individually or at scale.

Before you begin


Plan and prepare to onboard your machines to Azure Arc-enabled servers. See Prepare
to deliver Extended Security Updates for Windows Server 2012 to learn more.

You'll also need the Contributor role in Azure RBAC to create and assign ESUs to Arc-
enabled servers.

Manage ESU licenses


1. From your browser, sign in to the Azure portal .

2. On the Azure Arc page, select Extended Security Updates in the left pane.

From here, you can view and create ESU Licenses and view Eligible resources for
ESUs.

Note

When viewing all your Arc-enabled servers from the Servers page, a banner
specifies how many Windows 2012 machines are eligible for ESUs. You can then
select View servers in Extended Security Updates to view a list of resources that
are eligible for ESUs, together with machines already ESU enabled.

Create Azure Arc WS2012 licenses


The first step is to provision Windows Server 2012 and 2012 R2 Extended Security
Update licenses from Azure Arc. You link these licenses to one or more Arc-enabled
servers that you select in the next section.

To provision an ESU license, you need to specify the SKU (Standard or
Datacenter), type of cores (Physical or vCore), and number of 16-core and 2-core
packs. You can also provision an Extended Security Update license
in a deactivated state so that it won’t initiate billing or be functional on creation.
Moreover, the cores associated with the license can be modified after provisioning.

Note

The provisioning of ESU licenses requires you to attest to your SA or SPLA
coverage.

The Licenses tab displays Azure Arc WS2012 licenses that are available. From here, you
can select an existing license to apply or create a new license.

1. To create a new WS2012 license, select Create, and then provide the information
required to configure the license on the page.
For details on how to complete this step, see License provisioning guidelines for
Extended Security Updates for Windows Server 2012.

2. Review the information provided, and then select Create.

The license you created appears in the list and you can link it to one or more Arc-
enabled servers by following the steps in the next section.

Link ESU licenses to Arc-enabled servers


You can select one or more Arc-enabled servers to link to an Extended Security Update
license. Once you've linked a server to an activated ESU license, the server is eligible to
receive Windows Server 2012 and 2012 R2 ESUs.

Note

You have the flexibility to configure your patching solution of choice to receive
these updates – whether that’s Update Manager, Windows Server Update
Services, Microsoft Updates, Microsoft Endpoint Configuration Manager, or a
third-party patch management solution.

1. Select the Eligible Resources tab to view a list of all your Arc-enabled servers
running Windows Server 2012 and 2012 R2.

The ESUs status column indicates whether or not the machine is ESUs-enabled.

2. To enable ESUs for one or more machines, select them in the list, and then select
Enable ESUs.

3. The Enable Extended Security Updates page shows the number of machines
selected to enable ESU and the WS2012 licenses available to apply. Select a license
to link to the selected machine(s) and then select Enable.

Note

You can also create a license from this page by selecting Create an ESU
license.

The status of the selected machines changes to Enabled.

If any problems occur during the enablement process, see Troubleshoot delivery of
Extended Security Updates for Windows Server 2012 for assistance.

At-scale Azure Policy


For at-scale linking of servers to an Azure Arc Extended Security Update license and
locking down license modification or creation, consider the usage of the following built-
in Azure policies:

Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines
protected after their support lifecycle has ended (preview)

Deny Extended Security Updates (ESUs) license creation or modification (preview)

Azure policies can be specified to a targeted subscription or resource group for both
auditing and management scenarios.

Additional scenarios
There are some scenarios in which you may be eligible to receive Extended Security
Updates patches at no additional cost. Two of these scenarios supported by Azure Arc
are (1) Dev/Test (Visual Studio) and (2) Disaster Recovery (Entitled benefit DR instances
from Software Assurance or subscription only). Both of these scenarios require that the
customer is already using Windows Server 2012/R2 ESUs enabled by Azure Arc for
billable, production machines.

Warning

Don't create a Windows Server 2012/R2 ESU License for only Dev/Test or Disaster
Recovery workloads. You shouldn't provision an ESU License only for non-billable
workloads. Moreover, you'll be billed fully for all of the cores provisioned with an
ESU license, and any dev/test cores on the license won't be billed as long as they're
tagged accordingly based on the following qualifications.

To qualify for these scenarios, you must already have:

Billable ESU License. You must already have provisioned and activated a WS2012
Arc ESU License intended to be linked to regular Azure Arc-enabled servers
running in production environments (i.e., normally billed ESU scenarios). This
license should be provisioned only for billable cores, not cores that are eligible for
free Extended Security Updates, for example, dev/test cores.

Arc-enabled servers. Onboarded your Windows Server 2012 and Windows Server
2012 R2 machines to Azure Arc-enabled servers for the purpose of Dev/Test with
Visual Studio subscriptions or Disaster Recovery.

To enroll Azure Arc-enabled servers eligible for ESUs at no additional cost, follow these
steps to tag and link:

1. Tag both the WS2012 Arc ESU License (created for the production environment
with cores for only the production environment servers) and the non-production
Azure Arc-enabled servers with one of the following name-value pairs,
corresponding to the appropriate exception:

a. Name: “ESU Usage”; Value: “WS2012 VISUAL STUDIO DEV TEST”

b. Name: “ESU Usage”; Value: “WS2012 DISASTER RECOVERY”

In the case that you're using the ESU License for multiple exception scenarios,
mark the license with the tag: Name: “ESU Usage”; Value: “WS2012
MULTIPURPOSE”

2. Link the tagged license (created for the production environment with cores only
for the production environment servers) to your tagged non-production Azure
Arc-enabled Windows Server 2012 and Windows Server 2012 R2 machines. Do not
license cores for these servers or create a new ESU license for only these servers.

This linking won't trigger a compliance violation or enforcement block, allowing you to
extend the application of a license beyond its provisioned cores. The expectation is that
the license only includes cores for production and billed servers. Any additional cores
will be charged and result in over-billing.

Important

Adding these tags to your license will NOT make the license free or reduce the
number of license cores that are chargeable. These tags allow you to link your
Azure machines to existing licenses that are already configured with payable cores
without needing to create any new licenses or add additional cores to your free
machines.

Example:

You have 8 Windows Server 2012 R2 Standard instances, each with 8 physical
cores. Six of these Windows Server 2012 R2 Standard machines are for production,
and 2 of these Windows Server 2012 R2 Standard machines are eligible for free
ESUs because the operating system was licensed through a Visual Studio Dev Test
subscription.
You should first provision and activate a regular ESU License for Windows Server
2012/R2 that's Standard edition and has 48 physical cores to cover the 6
production machines. You should link this regular, production ESU license to
your 6 production servers.
Next, you should reuse this existing license, don't add any more cores or
provision a separate license, and link this license to your 2 non-production
Windows Server 2012 R2 standard machines. You should tag the ESU license
and the 2 non-production Windows Server 2012 R2 Standard machines with
Name: "ESU Usage" and Value: "WS2012 VISUAL STUDIO DEV TEST".
This will result in an ESU license for 48 cores, and you'll be billed for those 48
cores. You won't be charged for the additional 16 cores of the dev test servers
that you added to this license, as long as the ESU license and the dev test server
resources are tagged appropriately.

Note

You needed a regular production license to start with, and you'll be billed only for
the production cores.

Upgrading from Windows Server 2012/2012 R2


When upgrading a Windows Server 2012/2012 R2 machine to Windows Server 2016 or
above, it's not necessary to remove the Connected Machine agent from the machine.
The new operating system will be visible for the machine in Azure within a few minutes
of upgrade completion. Upgraded machines no longer require ESUs and are no longer
eligible for them. Any ESU license associated with the machine isn't automatically
unlinked from the machine. See Unlink a license for instructions on doing so manually.

Assess WS2012 ESU patch Status


To detect whether your Azure Arc-enabled servers are patched with the most recent
Windows Server 2012/R2 Extended Security Updates, you can use the Azure Policy
Extended Security Updates should be installed on Windows Server 2012 Arc machines.
This Azure Policy, powered by Machine Configuration, identifies if the
server has received the most recent ESU Patches. This is observable from the Guest
Assignment and Azure Policy Compliance views built into Azure portal.

Enable Hotpatch for Azure Edition virtual machines built from ISO
Article • 10/31/2023

Hotpatch for Windows Server 2022 Datacenter: Azure Edition allows you to install
security updates without requiring a reboot after installation. You can use Hotpatch
with both Desktop Experience and Server Core. This article will teach you how to
configure Hotpatch after installing or upgrading the operating system using an ISO.

Note

If you're using the Azure marketplace, don't follow the steps in this article. Instead,
use the following images from Azure Marketplace that are ready for Hotpatching:

Windows Server 2022 Datacenter: Azure Edition Hotpatch - Gen2


Windows Server 2022 Datacenter: Azure Edition Core - Gen2

When using Hotpatch for your ISO deployed machine on Azure Stack HCI, there are a
few important differences with the Hotpatch experience compared with using Hotpatch
as part of Azure Automanage for Azure VMs.

The differences include:

Hotpatch configuration isn't available via Azure Update Manager.


Hotpatch can't be disabled.
Automatic Patching orchestration isn't available.
Orchestration must be performed manually (for example, using Windows Update
via SConfig).

Prerequisites
To enable Hotpatch, you must have the following prerequisites ready before you start:

Windows Server 2022 Datacenter: Azure Edition hosted on a supported platform,
such as Azure or Azure Stack HCI with Azure benefits enabled.
Azure Stack HCI must be version 21H2 or later.
Review the How hotpatch works section of the Hotpatch for new virtual machines
article.
Outbound network access or an outbound port rule allowing HTTPS (TCP/443)
traffic to the following endpoints:
go.microsoft.com
software-static.download.prss.microsoft.com

Prepare your computer


Before you can enable Hotpatch for your VM, you must prepare your computer using
the following steps:

1. Sign in to your machine. If you're on Server Core, from the SConfig menu, enter
option 15, then press Enter to open a PowerShell session. If you're on the desktop
experience, remote desktop into your VM and launch PowerShell.

2. Enable virtualization-based security by running the following PowerShell command
to configure the correct registry settings:

PowerShell

$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
# Arguments for New-ItemProperty; Force overwrites the value if it already exists
$parameters = @{
    Path = $registryPath
    Name = "EnableVirtualizationBasedSecurity"
    Value = "0x1"
    Force = $True
    PropertyType = "DWORD"
}
New-ItemProperty @parameters

3. Restart your computer.

4. Configure the Hotpatch table size in the registry by running the following
PowerShell command:

PowerShell

$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
# Arguments for New-ItemProperty; Force overwrites the value if it already exists
$parameters = @{
    Path = $registryPath
    Name = "HotPatchTableSize"
    Value = "0x1000"
    Force = $True
    PropertyType = "DWORD"
}
New-ItemProperty @parameters

5. Configure the Windows Update endpoint for Hotpatch in the registry by running
the following PowerShell command:

PowerShell

$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\DynamicInstalled\Hotpatch.amd64"
$nameParameters = @{
    Path = $registryPath
    Name = "Name"
    Value = "Hotpatch Enrollment Package"
    Force = $True
}
$versionParameters = @{
    Path = $registryPath
    Name = "Version"
    Value = "10.0.20348.1129"
    Force = $True
}
# Create the key first, then add the two string values to it
New-Item $registryPath -Force
New-ItemProperty @nameParameters
New-ItemProperty @versionParameters

Now that you've prepared your computer, you can install the Hotpatch servicing package.
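
To confirm that the preparation steps took effect before you install the servicing package, the following added example (not part of the original article) reads back the registry settings from steps 2, 4, and 5 and compares them with the documented values. The function name Test-HotpatchPreparation is hypothetical.

```powershell
# Added example: read back the registry values written in the preparation steps
# and report any that are missing or differ from the documented values.
function Test-HotpatchPreparation {
    $hotpatchKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\DynamicInstalled\Hotpatch.amd64'

    # Paths, names, and values are the ones given in steps 2, 4, and 5.
    $expected = @(
        @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
           Name  = 'EnableVirtualizationBasedSecurity'
           Value = 0x1 },
        @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
           Name  = 'HotPatchTableSize'
           Value = 0x1000 },
        @{ Path  = $hotpatchKey
           Name  = 'Name'
           Value = 'Hotpatch Enrollment Package' },
        @{ Path  = $hotpatchKey
           Name  = 'Version'
           Value = '10.0.20348.1129' }
    )

    foreach ($item in $expected) {
        $actual = $null
        # A missing key or value returns nothing instead of raising an error.
        $property = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        if ($property) {
            $actual = $property.($item.Name)
        }

        [pscustomobject]@{
            Setting   = $item.Name
            Expected  = $item.Value
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ($actual -eq $item.Value)
        }
    }
}

# One row per setting; every row should show Compliant = True.
Test-HotpatchPreparation | Format-Table -AutoSize
```

A row with an empty Actual column means the value was never written, which most often happens when a registry path was split across two lines while copying the command.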

Install Hotpatch servicing package

Note

The Hotpatch Prerequisite KB is currently not published in the Microsoft Update
catalog.

To be able to receive Hotpatch updates, you'll need to download and install the
Hotpatch servicing package. In your PowerShell session, complete the following steps:

1. Download the (KB5003508) Microsoft Update Standalone Package from the
Microsoft Update Catalog and copy it to your computer using the following
PowerShell command:

PowerShell

$parameters = @{
    Source = "https://go.microsoft.com/fwlink/?linkid=2211714"
    Destination = ".\KB5003508.msu"
}
Start-BitsTransfer @parameters

2. To install the Standalone Package, run the following command:

PowerShell

wusa.exe .\KB5003508.msu

3. Follow the prompts. Once it's completed, select Finish.

4. To verify the installation, run the following command:

PowerShell

Get-HotFix | Where-Object {$_.HotFixID -eq "KB5003508"}

Note

When using Server Core, updates are set to be manually installed by default. You
can change this setting using the SConfig utility.

Next steps
Now that you've set up your computer for Hotpatch, here are some articles that might help
you with updating your computer:

Patch a Server Core installation.


Learn more about Windows Server Update Services (WSUS).

Perform a Feature Update of Windows Server
Article • 04/11/2024

A Feature Update, also known as an in-place upgrade, allows you to go from an older
operating system to a newer one while keeping your settings, server roles, and data
intact. This article teaches you how to move to a later version of Windows Server by
using a Feature Update.

Important

This article covers the Windows Server Feature Update process for non-Azure
servers and virtual machines (VMs) only. To do a Feature Update of Windows
Server running in an Azure virtual machine (VM), see In-place upgrade for
VMs running Windows Server in Azure.

For users using Microsoft Entra Connect who're looking to upgrade, see
Microsoft Entra Connect: Upgrade from a previous version to the latest.

Prerequisites
Before you start upgrading, fulfill the following prerequisites:

Determine which version of Windows Server to update to.


Make sure you have a valid product key and activation method. Keys and methods
may vary depending on the distribution channel you received Windows Server
media from, for example a Commercial Licensing program, Retail, or Original
Equipment Manufacturer (OEM).
You'll need to have the setup media for the version of Windows Server that you
want to upgrade to. Setup media for the target version of Windows Server can be
obtained from OEM, Retail, Visual Studio Subscriptions, and the Volume Licensing
Service Center (VLSC) channels.
Have a location to store files away from your computer, such as a USB flash drive
or network location.
Review Upgrade and migrate roles and features in Windows Server.
Review Microsoft server applications compatibility.
Review any third-party application vendor support requirements.
Make sure your computer:
Meets or exceeds the hardware requirements for Windows Server.
Isn't running in Azure.
Perform a full backup of your computer. This includes the operating system, apps,
data, and any virtual machines (VMs) running on the server. You can use Windows
Server Backup or a third-party backup solution.

Note

If you're performing a Feature Update of a Windows Server 2012 or Windows
Server 2012 R2 server with Configuration Manager installed, also follow the
pre-upgrade and post-upgrade instructions at Upgrade on-premises
infrastructure that supports Configuration Manager.

Collect diagnostic information


We recommend that you collect some information from your devices for diagnostic and
troubleshooting purposes in case the Feature Update is unsuccessful. We also
recommend you store the information somewhere you can get to even if you can't
access your device.

To collect your information:

1. Open an elevated PowerShell prompt, make a note of your current directory, and
run the following commands.

PowerShell

Get-ComputerInfo -Property WindowsBuildLabEx,WindowsEditionID | Out-File -FilePath .\computerinfo.txt
systeminfo.exe | Out-File -FilePath systeminfo.txt
ipconfig /all | Out-File -FilePath ipconfig.txt

Tip

Get-ComputerInfo requires PowerShell 5.1 or later. If your Windows Server
version doesn't include PowerShell, you can find this information in the
registry. Open Registry Editor, go to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
key, and then copy and paste the Windows Server BuildLabEx and EditionID
values.

2. Using File Explorer, navigate to the directory you noted down, and copy the files
to a USB flash drive or network location off of your computer.

After you've collected all of your Windows Server-related information, we recommend
that you back up your server operating system, apps, and VMs. You must also shut
down, quick migrate, or live migrate any VMs currently running on the server. You can't
have any VMs running during the Feature Update.

Perform the Feature Update


Now that you've completed your prerequisites and collected diagnostic information,
you're ready to perform the Feature Update. In this section, you use Windows Server
Setup to select the settings for the Feature Update. Windows Server Setup uses these
settings to update your version of Windows Server, during which time your computer
restarts several times.

To perform the Feature Update:

1. Using File Explorer, navigate to the Windows Server Setup media. Then open
setup.exe. For example, if you're using removable media the file path might be
D:\setup.exe.

Important

Depending on your security settings, User Account Control may prompt you
to allow setup to make changes to your device. If you're happy to continue,
select Yes.

2. By default, setup automatically downloads updates for the installation. If you're
okay with the default settings, select Next to continue.

If you don't want Setup to automatically download updates, select Change how
Setup downloads updates, choose the option appropriate to your environment,
and then select Next.

3. If prompted, enter your product key and then select Next.

4. Select the edition of Windows Server you want to install and then select Next.

5. Review the applicable notices and license terms. If you agree to the terms, select
Accept.

6. Select Keep personal files and apps to choose to do a Feature Update, and then
select Next.

7. After Setup finishes analyzing your device, it displays the Ready to install screen.
To continue the Feature Update, select Install.

The Feature Update starts, and you should see a progress bar. After the Feature Update
finishes, your server restarts.

Checking if your Feature Update was successful


After the Feature Update to Windows Server is done, you must make sure the Feature
Update was successful.

To make sure your Feature Update was successful:

1. Open an elevated PowerShell prompt and run the following command to verify
that the version and edition match the media and values you selected during
setup.

PowerShell

Get-ComputerInfo -Property WindowsProductName

2. Make sure all of your applications are running and that your client connections to
the applications are successful.

If your computer isn't working as expected after the Feature Update, you can contact
Microsoft Support for technical assistance.

Next steps
The following articles can help you prepare for and use your new Windows Server
version:

Install or uninstall roles, role services, or features


Windows Server management overview
Get started with Windows Admin Center
Key Management Services (KMS) activation planning
Activate using Active Directory-based activation

If you'd like to learn more about deploying and post-installation configuration and
activation options, check out the Windows Server deployment, configuration, and
administration learning path.

Configure Secured-core server
Article • 09/01/2023

Secured-core is a collection of capabilities that offers built-in hardware, firmware, driver
and operating system security features. This article shows you how to configure
Secured-core server by using Windows Admin Center, the Windows Server Desktop
Experience, and Group Policy.

Secured-core server is designed to deliver a secure platform for critical data and
applications. For more information, see What is Secured-core server?

Prerequisites
Before you can configure Secured-core server, you must have the following security
components installed and enabled in the BIOS:

Secure Boot.
Trusted Platform Module (TPM) 2.0.
System firmware must meet preboot DMA protection requirements and set
appropriate flags in ACPI tables to opt into and enable Kernel DMA Protection. To
learn more about Kernel DMA Protection, see Kernel DMA Protection (Memory
Access Protection) for OEMs.
A processor with support enabled in the BIOS for:
Virtualization extensions.
Input/Output Memory Management Unit (IOMMU).
Dynamic Root of Trust for Measurement (DRTM).
Transparent Secure Memory Encryption is also required for AMD based systems.

Important

Enabling each of the security features in the BIOS can vary based on your hardware
vendor. Make sure to check your hardware manufacturer's Secured-core server
enablement guide.

You can find hardware certified for Secured-core server from the Windows Server
Catalog, and Azure Stack HCI servers in the Azure Stack HCI Catalog.

Enable security features


To configure Secured-core server, you need to enable specific Windows Server security
features. Select the relevant method and follow the steps.

GUI

Here's how to enable Secured-core server using the user interface.

1. From the Windows desktop, open the Start menu, select Windows
Administrative Tools, open Computer Management.
2. In Computer management, select Device Manager, resolve any device error if
necessary.
a. For AMD based systems, confirm the DRTM Boot Driver device is present
before continuing
3. From Windows desktop, open the Start menu, select Windows Security.
4. Select Device security > Core isolation details, then enable Memory Integrity
and Firmware Protection. You might not be able to enable Memory Integrity
until you've enabled Firmware Protection first and restarted your server.
5. Restart your server when prompted.

Once your server has restarted, your server is enabled for Secured-core server.

Verify Secured-core server configuration


Now that you've configured Secured-core server, select the relevant method to verify
your configuration.

GUI

Here's how to verify your Secured-core server is configured using the user interface.

1. From the Windows desktop, open the Start menu, type msinfo32.exe to open
System Information. From the System Summary page, confirm:

a. Secure Boot State and Kernel DMA Protection are On.

b. Virtualization-based security is Running.

c. Virtualization-based security Services Running shows Hypervisor
enforced Code Integrity and Secure Launch.
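
Most of these checks can also be scripted for use across many servers. The following added example (not from the original article) reads the Secure Boot state and the Win32_DeviceGuard CIM class from an elevated PowerShell session; the function name Get-SecuredCoreStatus is hypothetical. Kernel DMA Protection isn't reported by this class, so confirm it in System Information as described above.

```powershell
# Added example: scripted equivalent of the msinfo32 checks for Secure Boot,
# virtualization-based security (VBS), HVCI, and Secure Launch.
function Get-SecuredCoreStatus {
    # Win32_DeviceGuard reports the VBS state and the security services running on it.
    $deviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                                   -ClassName Win32_DeviceGuard -ErrorAction Stop

    # Confirm-SecureBootUEFI needs elevation and throws on legacy BIOS systems.
    # $null here means "could not be determined", not "off".
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch {
        $secureBoot = $null
    }

    # SecurityServicesRunning is an array of codes:
    #   2 = Hypervisor enforced Code Integrity (memory integrity)
    #   3 = System Guard Secure Launch
    $running = @($deviceGuard.SecurityServicesRunning)

    $status = [pscustomobject]@{
        SecureBootOn = $secureBoot
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning   = ($deviceGuard.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning  = ($running -contains 2)
        SecureLaunch = ($running -contains 3)
    }

    # Overall result for the properties this script can see.
    $allOn = ($status.SecureBootOn -eq $true) -and $status.VbsRunning -and
             $status.HvciRunning -and $status.SecureLaunch
    $status | Add-Member -NotePropertyName ScriptedChecksPass -NotePropertyValue $allOn -PassThru
}

Get-SecuredCoreStatus | Format-List
```

If VbsRunning is False while the registry and UI settings are enabled, the server usually hasn't been restarted since the features were turned on.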

Next steps
Now that you've configured Secured-core server, here are some resources to learn more
about:

Virtualization-based Security (VBS)


Memory integrity and VBS enablement
System Guard Secure Launch

Troubleshooting Windows volume activation
Article • 05/19/2022

Product activation is the process of validating software after it's installed on a specific
computer. Activation confirms that the product is genuine (not a fraudulent copy) and
that the product key or serial number is valid and has not been compromised or
revoked. Activation also establishes a link or relationship between the product key and
the installation.

Volume activation is the process of activating volume-licensed products. To become a
volume licensing customer, an organization must set up a volume licensing agreement
with Microsoft. Microsoft offers customized volume licensing programs that
accommodate the organization's size and purchasing preference. For more information,
see the Microsoft Volume Licensing Service Center.

The Windows Server 2016 Activation Guide focuses on the Key Management Service
(KMS) activation technology. This section addresses common issues and provides
troubleshooting guidelines for KMS and several other volume activation technologies.

Best practices for volume activation


The following articles provide technical information and best practices for Microsoft's
volume activation technologies.

Key Management Service (KMS)


Plan for volume activation
Understanding KMS
Deploying KMS Activation
Configuring KMS Hosts
Configuring DNS
Activate using Key Management Service

Active Directory-based activation (ADBA)


Deploy Active-Directory-based Activation
Activate using Active Directory-based activation
Active Directory-Based Activation overview

Multiple Activation Key (MAK) activation
Using MAK Activation
Understanding MAK Activation
Activating MAK Clients

Subscription activation
Windows 10 Subscription Activation
Deploy Windows 10 Enterprise licenses
Windows 10 Enterprise E3 in CSP

Resources for troubleshooting activation issues


The following articles provide guidelines and information about tools for
troubleshooting volume activation issues:

Guidelines for troubleshooting the Key Management Service (KMS)


Slmgr.vbs options for obtaining volume activation information
Example: Troubleshooting ADBA clients that do not activate

The following articles provide guidance for addressing more specific activation issues:

Resolving common activation error codes


KMS activation: known issues
MAK activation: known issues
Guidelines for troubleshooting DNS-related activation issues
How to rebuild the Tokens.dat file

Guidelines for troubleshooting the Key Management Service (KMS)
Article • 09/19/2023

Enterprise customers set up Key Management Service (KMS) as part of their deployment
process because it lets them use a simple, straightforward process to activate Windows
in their environments. Usually, once you set up the KMS host, the KMS clients connect to
the host automatically and activate on their own. However, sometimes the process
doesn't work as expected. This article walks you through how to troubleshoot any issues
you may encounter.

For more information about event log entries and the slmgr.vbs script, see Volume
Activation Technical Reference.

Where to begin troubleshooting KMS


Let’s start with a quick refresher on how KMS activation works. KMS is a client-server
model that has some similarities to Dynamic Host Configuration Protocol (DHCP).
However, instead of handing out IP addresses to clients on their request, KMS enables
product activation. KMS is also a renewal model, in which the clients try to reactivate on
a regular interval. There are two roles: the KMS host and the KMS client.

The KMS host runs the activation service and enables activation in the
environment. To configure a KMS host, you must install a KMS key from the Volume
License Service Center (VLSC) and then activate the service.
The KMS client is the Windows operating system that you deploy in the
environment and need to activate. KMS clients can run any edition of Windows
that uses volume activation. The KMS clients come with a preinstalled key, called
the Generic Volume License Key (GVLK) or KMS Client Setup Key. The presence of
the GVLK is what makes a system a KMS client. The KMS clients use DNS SRV
records (_vlmcs._tcp) to identify the KMS host. Next, the clients automatically try
to discover and use this service to activate themselves. During the 30-day out-of-
the-box grace period, they try to activate every two hours. After you activate the
KMS clients, they try to renew their activation every seven days.

From a troubleshooting perspective, you may have to look at both the host and client
sides to figure out why an issue is happening.

Troubleshooting on the KMS host


When you're examining the KMS host during troubleshooting, there are two areas you
should look at:

Check the status of the host software license service using the slmgr.vbs
command in a command-line prompt.
Check the Event Viewer for events related to licensing or activation.

Check the Software Licensing service using the slmgr.vbs command

To see verbose output from the Software Licensing service, open an elevated command
prompt window and enter slmgr.vbs /dlv. The following screenshot shows the results
of running this command on one of our KMS hosts within Microsoft.

Here are some variables you should pay attention to in the output while
troubleshooting:

The Version Information is at the top of the slmgr.vbs /dlv output. The version
information is useful for determining whether the service is up-to-date. Making
sure everything's up to date is important because the KMS service supports
different KMS host keys. You can use this data to evaluate whether or not the
version you're currently using supports the KMS host key you're trying to install.
For more information about updates, see An update is available for Windows Vista
and for Windows Server 2008 to extend KMS activation support for Windows 7 and
for Windows Server 2008 R2.
The Name indicates which edition of Windows is running on the KMS host system.
You can use this information to troubleshoot issues that involve adding or
changing the KMS host key. For example, you can use this information to verify if
the OS edition supports the key you're trying to use.

The Description shows you which key is currently installed. Use this field to verify
whether the key that first activated the service was the correct one for the KMS
clients you've deployed.

The License Status shows the status of the KMS host system. The value should be
Licensed. Any other value means you should reactivate the host.

The Current Count displays a count between 0 and 50. The count is cumulative
between operating systems and indicates the number of valid systems that have
tried to activate within a 30-day period.

If the count is 0, either the service was recently activated or no valid clients have
connected to the KMS host.

The count doesn't increase above 50, no matter how many valid systems exist in
the environment. The count is set to cache only twice the maximum license policy
returned by a KMS client. The maximum policy set by the Windows client OS
requires a count of 25 or higher from the KMS host to activate itself. Therefore, the
highest count the KMS host can have is 2 x 25, or 50. In environments that contain
only Windows Server KMS clients, the maximum count on the KMS host is 10. This
limit is because the threshold for Windows Server editions is 5 (2 x 5, or 10).

A common issue related to the count happens when the environment has an
activated KMS host and enough clients, but the count doesn't increase beyond
one. When this issue happens, it means the deployed client image wasn't
configured correctly, so the systems don't have unique Client Machine IDs (CMIDs).
For more information, see KMS client and The KMS current count doesn't increase
when you add new Windows Vista or Windows 7-based client computers to the
network. One of our Support Escalation Engineers has also blogged about this
issue at KMS Host Client Count not Increasing Due to Duplicate CMIDs.

Another reason why the count may not be increasing is that there are too many
KMS hosts in the environment and the count is distributed over all of them.

Listening on Port. Communication with KMS uses anonymous RPC. By default, the
clients use the 1688 TCP port to connect to the KMS host. Make sure that this port
is open between your KMS clients and the KMS host. You can change or configure
the port on the KMS host. During their communication, the KMS host sends the
port designation to the KMS clients. If you change the port on a KMS client, the
port designation is overwritten when that client contacts the host.
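
The checks described in this list can be applied to captured slmgr.vbs /dlv text, as in the following added example (not from the original article). The function name Get-KmsHostFinding and the sample text are constructed for illustration, and the field labels are assumed to appear as "License Status", "Current count", and "Listening on Port".

```powershell
# Added example: triage the fields this article calls out in "slmgr.vbs /dlv" output.
# On a real KMS host you could capture the text with:
#   $text = cscript.exe //nologo "$env:windir\System32\slmgr.vbs" /dlv
function Get-KmsHostFinding {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $DlvOutput,
        # Which kind of KMS client you expect to activate against this host.
        [ValidateSet('WindowsClient', 'WindowsServer')] [string] $ClientKind = 'WindowsClient'
    )

    # Activation thresholds from the article: 25 for Windows client, 5 for Windows Server.
    $threshold = if ($ClientKind -eq 'WindowsServer') { 5 } else { 25 }

    # Collect "label: value" pairs for the three fields of interest.
    $fields = @{}
    foreach ($line in $DlvOutput) {
        if ($line -match '^\s*(License Status|Current count|Listening on Port)\s*:\s*(.*\S)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]

    if ($fields['License Status'] -ne 'Licensed') {
        $findings.Add('License Status is not Licensed: reactivate the KMS host.')
    }

    if (-not $fields.ContainsKey('Current count')) {
        $findings.Add('No Current count line found: is this output from a KMS host?')
    }
    else {
        $count = [int]$fields['Current count']
        if ($count -eq 0) {
            $findings.Add('Count is 0: host recently activated, or no valid clients have connected.')
        }
        elseif ($count -eq 1) {
            $findings.Add('Count is 1: if enough clients exist, check the image for duplicate CMIDs.')
        }
        if ($count -lt $threshold) {
            $findings.Add("Count $count is below the $threshold needed for $ClientKind activation.")
        }
    }

    if ($fields.ContainsKey('Listening on Port') -and $fields['Listening on Port'] -ne '1688') {
        $findings.Add("Non-default port $($fields['Listening on Port']): confirm it is open to clients.")
    }

    [pscustomobject]@{ Fields = $fields; Findings = $findings.ToArray() }
}

# Constructed sample, trimmed to the fields discussed; real output has more lines.
$sample = @'
Name: Windows(R), ServerDatacenter edition
License Status: Licensed
    Current count: 1
    Listening on Port: 1688
'@ -split '\r?\n'

$result = Get-KmsHostFinding -DlvOutput $sample -ClientKind WindowsServer
$result.Findings
```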

We often get asked about the cumulative requests section of the slmgr.vbs /dlv output.
Generally, this data isn't helpful for troubleshooting. The KMS host keeps an ongoing
record of the state of each KMS client that tries to activate or reactivate. Failed requests
indicate the KMS host doesn't support certain KMS clients. For example, if a Windows 7
KMS client tries to activate against a KMS host that was activated by using a Windows
Vista KMS key, the activation fails.

The Requests with License Status lines describe all possible license states, past and
present. From a troubleshooting perspective, this data is relevant only if the count isn't
increasing as expected. In that case, you should see the number of failed requests
increasing. To resolve this issue, you should check the product key that was used to first
activate the KMS host system. Also, notice that the cumulative request values reset only
if you reinstall the KMS host system.

Useful KMS host events


The event IDs described in the following sections are ones you should become familiar
with to make troubleshooting host-related issues more efficient.

Event ID 12290

The KMS host logs Event ID 12290 when a KMS client contacts the host while trying to
activate. Event ID 12290 contains information you can use to figure
out what kind of client contacted the host and why a failure occurred. The following
segment of an event ID 12290 entry comes from the Key Management Service event log
of our KMS host.

The event details include the following information:


The Minimum count needed to activate, which reports that the count from the KMS
host must be 5 in order for the client to activate. That means that this OS is a
Windows Server OS, although this variable alone doesn't indicate which edition the
client is using. If your clients aren't activating, make sure that the host's count
allows the client to activate.

The Client Machine ID (CMID), which is a unique value on each system. If this value
isn't unique, it's because the image wasn't correctly configured for distribution
using sysprep. To learn more about generalizing your computers, see Sysprep
(Generalize) a Windows installation. When you encounter this issue, the KMS host
count doesn't increase even though there are enough clients in the environment.
For more information, see The KMS current count doesn't increase when you add
new Windows Vista or Windows 7-based client computers to the network.

The License State and Time to State Expiration, which is the current license state of
the client. This variable can help you tell whether a client is trying to activate for
the first time or if it's trying to reactivate. The time entry can also tell you how long
the client remains in that state if nothing else changes.

If you're troubleshooting a client and can't find a corresponding event ID 12290 on the
KMS host, then the client isn't connecting to the KMS host. Reasons why the event ID
12290 entry is missing can include:

There's been a network outage.
The host isn't resolving or isn't registered in DNS.
The firewall is blocking TCP 1688.
    The port could also be blocked in other places within the environment,
    including on the KMS host system itself. By default, the KMS host has a firewall
    exception for KMS, but this exception isn't automatically enabled. You have to
    enable the exception manually.
The event log is full.

KMS clients log two corresponding events: event ID 12288 and event ID 12289. For
information about these events, see the KMS client section.
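
The duplicate-CMID and failed-request checks described above for event ID 12290, as an added PowerShell example that is not part of the original article. The function names are hypothetical, the comma-separated field order of the Info line is an assumption to confirm against an event on your own KMS host, and the sample lines are constructed.

```powershell
# Added example. ASSUMPTION: the Info line of event ID 12290 is a comma-separated list
# in the order named in $fields; confirm this against one event on your own KMS host.
function ConvertFrom-Kms12290 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    begin {
        $fields = 'ResultCode', 'MinCount', 'ClientFqdn', 'Cmid', 'ClientTime',
                  'IsVm', 'LicenseState', 'MinutesToExpiry', 'ActivationId'
    }
    process {
        # Accept either the bare Info line or the whole event message text.
        $line = $Message -split '\r?\n' |
            Where-Object { $_ -match '^\s*0x[0-9A-Fa-f]+\s*,' } |
            Select-Object -First 1
        if (-not $line) { return }
        $parts = $line.Trim() -split '\s*,\s*'
        if ($parts.Count -lt $fields.Count) { return }    # truncated entry, skip it
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
        [pscustomobject]$row
    }
}

function Get-KmsHostFinding {
    param([Parameter(Mandatory)][object[]]$Request)

    # One CMID reported under several client names: the image was not generalized,
    # so the host counts all of those machines as a single client.
    $duplicates = $Request | Group-Object -Property Cmid | ForEach-Object {
        $clients = @($_.Group | ForEach-Object { $_.ClientFqdn } | Sort-Object -Unique)
        if ($clients.Count -gt 1) {
            [pscustomobject]@{ Cmid = $_.Name; Clients = $clients }
        }
    }
    # Requests the host answered with a non-zero result code.
    $failed = $Request | Where-Object { $_.ResultCode -notmatch '^0x0+$' }

    [pscustomobject]@{
        Requests       = $Request.Count
        DistinctCmids  = @($Request | ForEach-Object { $_.Cmid } | Sort-Object -Unique).Count
        DuplicateCmids = @($duplicates)
        Failed         = @($failed)
    }
}

# Constructed sample Info lines (not real log data). srv01 and srv02 share a CMID,
# and pc07 carries a constructed non-zero result code.
$sample = @(
    '0x0,5,srv01.corp.example,3f0a6c1e-0000-4000-8000-000000000001,2022/08/22 09:14,1,2,43200,aaaaaaaa-0000-4000-8000-00000000000a'
    '0x0,5,srv02.corp.example,3f0a6c1e-0000-4000-8000-000000000001,2022/08/22 09:15,1,2,43200,aaaaaaaa-0000-4000-8000-00000000000a'
    '0x0,5,srv03.corp.example,3f0a6c1e-0000-4000-8000-000000000003,2022/08/22 09:20,0,1,259200,aaaaaaaa-0000-4000-8000-00000000000a'
    '0x1,25,pc07.corp.example,3f0a6c1e-0000-4000-8000-000000000007,2022/08/22 09:31,0,2,43200,bbbbbbbb-0000-4000-8000-00000000000b'
)

$requests = @($sample | ConvertFrom-Kms12290)
$report   = Get-KmsHostFinding -Request $requests

$report | Select-Object Requests, DistinctCmids
$report.DuplicateCmids | ForEach-Object { '{0} is shared by: {1}' -f $_.Cmid, ($_.Clients -join ', ') }
$report.Failed | Select-Object ClientFqdn, ResultCode, MinCount

# On a KMS host, feed the live log instead of $sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Key Management Service'; Id = 12290 } |
#       ForEach-Object { $_.Message } | ConvertFrom-Kms12290
```

With the sample data, four requests resolve to three distinct CMIDs, which is the pattern to look for when the host count stays lower than the number of deployed clients.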

Event ID 12293

Another relevant event to look for on your KMS host is Event ID 12293. This event
indicates that the host didn't publish the required records in DNS. This scenario can
potentially cause failures, and you should make sure the event isn't there after you set
up your host and before you deploy clients. For more information about DNS issues, see
Common troubleshooting procedures for KMS and DNS issues.

KMS client
You can also use the slmgr.vbs command and Event Viewer to troubleshoot activation
on the KMS clients.

Slmgr.vbs and the Software Licensing service


To see verbose output from the Software Licensing service, open an elevated Command
Prompt window and enter slmgr.vbs /dlv at the command prompt. The following
screenshot shows the results of this command on one of our KMS hosts within
Microsoft.

Here are some variables you should pay attention to in the output while
troubleshooting:

Name, which tells you which edition of Windows the KMS client system is using.
You can use this variable to verify that the version of Windows you're trying to
activate is compatible with KMS.
Description, which shows you which key was installed. For example,
VOLUME_KMSCLIENT indicates that the system has installed the KMS Client Setup Key,
or GVLK, which is the default configuration for volume license media. A system
with a GVLK automatically tries to activate by using a KMS host. If you see a
different value here, such as MAK, you must reinstall the GVLK to configure this
system as a KMS client. You can manually install the key by following the
instructions to run slmgr.vbs /ipk <GVLK> in KMS client setup keys, or follow the
directions in Volume Activation Management Tool (VAMT) Technical Reference to
use the VAMT instead.
The Partial Product Key, which you can use to determine whether the KMS Client
Setup Key matches the operating system the KMS client is using. By default, the
correct key is present on systems that are built using media from the Volume
License Service Center (VLSC) portal. In some cases, customers may use Multiple
Activation Key (MAK) activation until there are enough systems in the environment
to support KMS activation. You must install the KMS Client Setup key on these
systems to transition them from MAK to KMS. Use VAMT to install this key and
make sure you're using the correct key.
License Status shows the status of the KMS client system. For a system activated by
KMS, this value should be Licensed. Any other value may indicate that there's a
problem. For example, if the KMS host is functioning correctly and the KMS client
still doesn't activate or is stuck in a Grace state, that means something is
preventing the client from reaching the host system. This blockage can be a
firewall issue, network outage, and so on.
The Client Machine ID (CMID), which should be unique in every KMS client. As
mentioned in Check the Software Licensing service using the slmgr.vbs command,
a common count-related issue is that the count doesn't increase beyond one no
matter how many KMS hosts or clients you activate in the environment. For more
information, see The KMS current count doesn't increase when you add new
Windows Vista or Windows 7-based client computers to the network.
The KMS Machine Name from DNS, which shows both the FQDN of the KMS host
that the client successfully used for activation and which TCP port it used to
communicate.
KMS Host Caching, which shows whether or not caching is enabled. Caching is
typically enabled by default. When you enable caching, the KMS client caches the
same KMS host that it used for activation and communicates directly with this host
instead of querying DNS when it's time to reactivate. If the client can't contact the
cached KMS host, it queries DNS to discover a new KMS host.
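
The same client-side checks expressed against the WMI classes that back slmgr.vbs /dlv, as an added PowerShell example that is not part of the original article. The function name is hypothetical, the two sample objects are constructed stand-ins for SoftwareLicensingProduct and SoftwareLicensingService instances, and the commented lines show how to read the live values.

```powershell
# Added example. $Product and $Service are SoftwareLicensingProduct and
# SoftwareLicensingService instances, or stand-in objects with the same property names.
function Get-KmsClientFinding {
    param(
        [Parameter(Mandatory)]$Product,
        [Parameter(Mandatory)]$Service
    )
    # LicenseStatus values of the SoftwareLicensingProduct class.
    $statusName = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
                     4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
    $status   = [int]$Product.LicenseStatus      # cast: CIM returns UInt32
    $kmsHost  = $null
    $findings = @()

    if ($Product.DiscoveredKeyManagementServiceMachineName) {
        $kmsHost = '{0}:{1}' -f $Product.DiscoveredKeyManagementServiceMachineName,
                                $Product.DiscoveredKeyManagementServiceMachinePort
    }

    if ($Product.Description -notmatch 'VOLUME_KMSCLIENT') {
        # A MAK or other key is installed, so the system never contacts a KMS host.
        $findings += "No GVLK installed (Description: $($Product.Description)); " +
                     'reinstall the KMS client setup key with slmgr.vbs /ipk <GVLK>.'
    }
    elseif ($status -ne 1) {
        $findings += "License Status is $($statusName[$status]), expected Licensed; " +
                     'check that the client can reach the KMS host (firewall, network outage).'
        if (-not $kmsHost) {
            $findings += 'No KMS machine name from DNS is recorded for this client.'
        }
    }

    [pscustomobject]@{
        Name              = $Product.Name
        PartialProductKey = $Product.PartialProductKey
        LicenseStatus     = $statusName[$status]
        Cmid              = $Service.ClientMachineID
        KmsHostFromDns    = $kmsHost
        HostCaching       = [bool]$Service.KeyManagementServiceHostCaching
        Findings          = $findings
    }
}

# Constructed stand-in objects (not real output): one MAK system, one KMS client in grace.
$svc = [pscustomobject]@{
    ClientMachineID                 = '3f0a6c1e-0000-4000-8000-000000000001'
    KeyManagementServiceHostCaching = $true
}
$makSystem = [pscustomobject]@{
    Name = 'Windows(R), ServerStandard edition'
    Description = 'Windows(R) Operating System, VOLUME_MAK channel'
    PartialProductKey = 'XXXXX'; LicenseStatus = 1
    DiscoveredKeyManagementServiceMachineName = $null
    DiscoveredKeyManagementServiceMachinePort = 0
}
$graceClient = [pscustomobject]@{
    Name = 'Windows(R), ServerStandard edition'
    Description = 'Windows(R) Operating System, VOLUME_KMSCLIENT channel'
    PartialProductKey = 'YYYYY'; LicenseStatus = 2
    DiscoveredKeyManagementServiceMachineName = $null
    DiscoveredKeyManagementServiceMachinePort = 0
}

foreach ($p in $makSystem, $graceClient) {
    (Get-KmsClientFinding -Product $p -Service $svc).Findings
}

# Live values on the client being examined:
#   $svc  = Get-CimInstance -ClassName SoftwareLicensingService
#   $prod = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
#               Where-Object { $_.Name -like 'Windows*' } | Select-Object -First 1
#   Get-KmsClientFinding -Product $prod -Service $svc
```

Collecting the Cmid property from several clients with this function gives a second way to confirm duplicate CMIDs without access to the KMS host log.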

KMS client events


The following sections describe client events that you should be familiar with to help
you troubleshoot potential issues more efficiently.

Event ID 12288 and Event ID 12289


When a KMS client successfully activates or reactivates, the client logs two events: event
ID 12288 and event ID 12289. The following screenshot showing a segment of an event
ID 12288 entry comes from the Key Management Service event log of our KMS client.

If you see only event ID 12288 without a corresponding event ID 12289, either the KMS
client couldn't reach the KMS host, the KMS host didn't respond, or the client didn't
receive the host's response. In these cases, you must verify that the KMS host is
discoverable and that the KMS clients can contact it.

The most relevant information in event ID 12288 is the data in the Info field. For
example, Info shows the current state of the client and which FQDN and TCP port the
client used when it tried to activate. You can use the FQDN to troubleshoot scenarios
where the count on a KMS host doesn't increase. For example, if there are too many
KMS hosts available to the clients (either legitimate or unsupported systems), then the
count may be distributed over all of them.

An unsuccessful activation doesn't always mean that the client has event ID 12288 and
not 12289. A failed activation or reactivation may also have both events. In this case, you
have to examine the second event to verify the reason for the failure.

The Info section of event ID 12289 provides the following information:

Activation Flag, which indicates whether the activation succeeded (1) or failed (0).
Current Count on the KMS Host, which shows the count value on the KMS host
when the client tries to activate. If activation fails, it may be because the count is
insufficient for this client OS or that there aren't enough systems in the
environment to build the count.

What does support ask for?


If your activations aren't working as expected after troubleshooting, you can contact
Microsoft Support for technical assistance. The Support Engineer typically asks for the
following information:

slmgr.vbs /dlv output from the KMS host and KMS client systems.

Event logs from both the KMS host (Key Management Service log) and KMS client
systems (Application log).

Next steps
Ask the Core Team: #Activation

Slmgr.vbs options for obtaining volume activation information
Article • 05/19/2022 • Applies to: Windows Server 2012 R2, Windows 10, Windows 8.1

The following describes the syntax of the Slmgr.vbs script, and the tables in this article
describe each command-line option.

Windows Command Prompt

slmgr.vbs [<ComputerName> [<User> <Password>]] [<Options>]

Note

In this article, square brackets [] enclose optional arguments, and angle brackets
<> enclose placeholders. When you type these statements, omit the brackets and
replace the placeholders by using corresponding values.

Note

For information about other software products that use volume activation, see the
documents specifically written for those applications.

Using Slmgr on remote computers


To manage remote clients, use the Volume Activation Management Tool (VAMT)
version 1.2 or later, or create custom WMI scripts that are aware of the differences
between platforms. For more information about WMI properties and methods for
Volume Activation, see WMI Properties and Methods for Volume Activation.

Important

Because of WMI changes in Windows 7 and Windows Server 2008 R2, the
Slmgr.vbs script is not intended to work across platforms. Using Slmgr.vbs to
manage a Windows 7 or Windows Server 2008 R2 system from the
Windows Vista® operating system is not supported. Trying to manage an older
system from Windows 7 or Windows Server 2008 R2 will generate a specific version
mismatch error. For example, running cscript slmgr.vbs <vista_machine_name>
/dlv produces the following output:

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

The remote machine does not support this version of SLMgr.vbs

General Slmgr.vbs options


Option Description

[<ComputerName>] Name of a remote computer (default is local computer)

[<User>] Account that has the required privilege on the remote computer

[<Password>] Password for the account that has the required privileges on the remote
computer

Global options
Option Description

/ipk <ProductKey> Tries to install a 5×5 product key. The product key provided by the
parameter is confirmed valid and applicable to the installed
operating system.
If not, an error is returned.
If the key is valid and applicable, the key is installed. If a key is
already installed, it is silently replaced.
To prevent instability in the license service, the system should be
restarted or the Software Protection Service should be restarted.
This operation must be run from an elevated Command Prompt
window, or the Standard User Operations registry value must be set
to allow unprivileged users extra access to the Software Protection
Service.

/ato [<Activation ID>] For retail editions and volume systems that have a KMS host key or a
Multiple Activation Key (MAK) installed, /ato prompts Windows to try
online activation.
For systems that have a Generic Volume License Key (GVLK) installed,
this prompts a KMS activation attempt. Systems that have been set
to suspend automatic KMS activation attempts (/stao) still try KMS
activation when /ato is run.
Note: Starting in Windows 8 (and Windows Server 2012), the /stao
option is deprecated. Use the /act-type option instead.
The parameter <Activation ID> expands /ato support to identify a
Windows edition installed on the computer. Specifying the
<Activation ID> parameter isolates the effects of the option to the
edition associated with that Activation ID. Run slmgr.vbs /dlv all to
get the Activation IDs for the installed version of Windows. If you
have to support other applications, see the guidance provided by
that application for further instruction.
KMS activation does not require elevated privileges. However, online
activation does require elevation, or the Standard User Operations
registry value must be set to allow unprivileged users extra access to
the Software Protection Service.

/dli [<Activation ID> | All] Display license information.
By default, /dli displays the license information for the installed
active Windows edition. Specifying the <Activation ID> parameter
displays the license information for the specified edition that is
associated with that Activation ID. Specifying All as the parameter
displays license information for all applicable installed products.
This operation does not require elevated privileges.

/dlv [<Activation ID> | All] Display detailed license information.
By default, /dlv displays the license information for the installed
operating system. Specifying the <Activation ID> parameter displays
the license information for the specified edition associated with that
Activation ID. Specifying the All parameter displays license
information for all applicable installed products.
This operation does not require elevated privileges.

/xpr [<Activation ID>] Display the activation expiration date for the product. By default, this
refers to the current Windows edition and is primarily useful for KMS
clients, because MAK and retail activation is perpetual.
Specifying the <Activation ID> parameter displays the activation
expiration date of the specified edition that is associated with that
Activation ID.
This operation does not require elevated privileges.

Advanced options
Option Description

/cpky Some servicing operations require the product key to be available in
the registry during Out-of-Box Experience (OOBE) operations. The
/cpky option removes the product key from the registry to prevent this
key from being stolen by malicious code.
For retail installations that deploy keys, best practices recommend
running this option. This option is not required for MAK and KMS host
keys, because this is the default behavior for those keys. This option is
required only for other types of keys whose default behavior is not to
clear the key from the registry.
This operation must be run in an elevated Command Prompt window.

/ilc <license_file> This option installs the license file specified by the required parameter.
These licenses may be installed as a troubleshooting measure, to
support token-based activation, or as part of a manual installation of
an on-boarded application.
Licenses are not validated during this process: License validation is out
of scope for Slmgr.vbs. Instead, validation is handled by the Software
Protection Service at runtime.
This operation must be run from an elevated Command Prompt
window, or the Standard User Operations registry value must be set to
allow unprivileged users extra access to the Software Protection
Service.

/rilc This option reinstalls all licenses stored in
%SystemRoot%\system32\oem and
%SystemRoot%\System32\spp\tokens. These are "known-good" copies
that were stored during installation.
Any matching licenses in the Trusted Store are replaced. Any additional
licenses—for example, Trusted Authority (TA) Issuance Licenses (ILs),
licenses for applications—are not affected.
This operation must be run in an elevated Command Prompt window,
or the Standard User Operations registry value must be set to allow
unprivileged users extra access to the Software Protection Service.

/rearm This option resets the activation timers. The /rearm process is also
called by sysprep /generalize.
This operation does nothing if the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SoftwareProtectionPlatform\SkipRearm registry
entry is set to 1. See Registry Settings for Volume Activation for details
about this registry entry.
This operation must be run in an elevated Command Prompt window,
or the Standard User Operations registry value must be set to allow
unprivileged users extra access to the Software Protection Service.

/rearm-app <Application ID> Resets the licensing status of the specified app.

/rearm-sku <Application ID> Resets the licensing status of the specified SKU.

/upk [<Application ID>] This option uninstalls the product key of the current Windows edition.
After a restart, the system will be in an Unlicensed state unless a new
product key is installed.
Optionally, you can use the <Activation ID> parameter to specify a
different installed product.
This operation must be run from an elevated Command Prompt
window.

/dti [<Activation ID>] Displays installation ID for offline activation.

/atp <Confirmation ID> Activate product by using user-provided confirmation ID.

KMS client options


Option Description

/skms <Name[:Port] | : port> [<Activation ID>] This option specifies the name and,
optionally, the port of the KMS host computer to contact. Setting this value disables
auto-detection of the KMS host.
If the KMS host uses Internet Protocol version 6 (IPv6) only, the address
must be specified in the format <hostname>:<port>. IPv6 addresses
contain colons (:), which the Slmgr.vbs script does not parse correctly.
This operation must be run in an elevated Command Prompt window.

/skms-domain <FQDN> [<Activation ID>] Sets the specific DNS domain in which all KMS
SRV records can be found. This setting has no effect if the specific single KMS host
is set by using the /skms option. Use this option, especially in disjoint
namespace environments, to force KMS to ignore the DNS suffix search
list and look for KMS host records in the specified DNS domain instead.

/ckms [<Activation ID>] This option removes the specified KMS host name, address, and port
information from the registry and restores KMS auto-discovery
behavior.
This operation must be run in an elevated Command Prompt window.

/skhc This option enables KMS host caching (default). After the client
discovers a working KMS host, this setting prevents the Domain Name
System (DNS) priority and weight from affecting further communication
with the host. If the system can no longer contact the working KMS
host, the client tries to discover a new host.
This operation must be run in an elevated Command Prompt window.

/ckhc This option disables KMS host caching. This setting instructs the client
to use DNS auto-discovery each time it tries KMS activation
(recommended when using priority and weight).
This operation must be run in an elevated Command Prompt window.

KMS host configuration options


Option Description

/sai <Interval> This option sets the interval in minutes for unactivated clients to try to
connect to KMS. The activation interval must be between 15 minutes and
30 days, although the default value (two hours) is recommended.
The KMS client initially picks up this interval from registry but switches to the
KMS setting after it receives the first KMS response.
This operation must be run in an elevated Command Prompt window.

/sri <Interval> This option sets the renewal interval in minutes for activated clients to try to
connect to KMS. The renewal interval must be between 15 minutes and
30 days. This option is set initially on both the KMS server and client sides.
The default value is 10,080 minutes (7 days).
The KMS client initially picks up this interval from the registry but switches to
the KMS setting after it receives the first KMS response.
This operation must be run in an elevated Command Prompt window.

/sprt <Port> This option sets the port on which the KMS host listens for client activation
requests. The default TCP port is 1688.
This operation must be run from an elevated Command Prompt window.

/sdns Enable DNS publishing by the KMS host (default).
This operation must be run in an elevated Command Prompt window.

/cdns Disable DNS publishing by the KMS host.
This operation must be run in an elevated Command Prompt window.

/spri Set the KMS priority to normal (default).
This operation must be run in an elevated Command Prompt window.

/cpri Set the KMS priority to low.
Use this option to minimize contention from KMS in a co-hosted
environment. Note that this could cause KMS starvation, depending on what
other applications or server roles are active. Use with care.
This operation must be run in an elevated Command Prompt window.

/act-type [<Activation-Type>] [<Activation ID>] This option sets a value in the registry
that limits volume activation to a single type. Activation Type 1 limits activation to
Active Directory only; 2 limits it to KMS activation; 3 to token-based activation. The
0 option allows any activation type and is the default value.

Token-based activation configuration options


Option Description

/lil List the installed token-based activation issuance licenses.

/ril <ILID> <ILvID> Remove an installed token-based activation issuance license.
This operation must be run from an elevated Command Prompt
window.

/stao Set the Token-based Activation Only flag, disabling automatic KMS
activation.
This operation must be run in an elevated Command Prompt window.
This option was removed in Windows Server 2012 R2 and Windows
8.1. Use the /act-type option instead.

/ctao Clear the Token-based Activation Only flag (default), enabling
automatic KMS activation.
This operation must be run in an elevated Command Prompt window.
This option was removed in Windows Server 2012 R2 and Windows
8.1. Use the /act-type option instead.

/ltc List valid token-based activation certificates that can activate installed
software.

/fta <Certificate Thumbprint> [<PIN>] Force token-based activation by using the
identified certificate. The optional personal identification number (PIN) is provided
to unlock the private key without a PIN prompt if you use certificates that are
protected by hardware (for example, smart cards).

Active Directory-based activation configuration options

Option Description

/ad-activation-online <Product Key> [<Activation Object name>] Collects Active Directory
data and starts Active Directory forest activation using the credentials that the
command prompt is running under. Local administrator access is not required. However,
Read/Write access to the activation object container in the root
domain of the forest is required.

/ad-activation-get-IID <Product Key> This option starts Active Directory forest
activation in phone mode. The output is the installation ID (IID) that can be used to
activate the forest over the telephone if internet connectivity is not
available. Upon providing the IID in the activation phone call, a CID
is returned that is used to complete activation.

/ad-activation-apply-cid <Product Key> <Confirmation ID> [<Activation Object name>] When
you use this option, enter the CID that was provided in the
activation telephone call to complete activation.

[/name: <AO_Name>] Optionally, you can append the /name option to any of these
commands to specify a name for the activation object stored in
Active Directory. The name must not exceed 40 Unicode characters.
Use double quotation marks to explicitly define the name string.
In Windows Server 2012 R2 and Windows 8.1, you can append the
name directly after /ad-activation-online <Product Key> and /ad-
activation-apply-cid without having to use the /name option.

/ao-list Displays all of the activation objects that are available to the local
computer.

/del-ao <AO_DN> Deletes the specified activation object from the forest.
/del-ao <AO_RDN>

Additional References
Volume Activation Technical Reference
Volume Activation Overview

KMS activation: known issues
Article • 08/22/2022


This article describes common questions and issues that can arise during Key
Management Service (KMS) activations, and provides guidance for addressing the
issues.

Note

If you suspect that your issue is related to DNS, see Common troubleshooting
procedures for KMS and DNS issues.

Should I back up KMS host information?


Backup is not required for KMS hosts. However, if you use a tool to routinely clean up
event logs, the activation history stored in the logs can be lost. If you use the event log
to track or document KMS activations, periodically export the Key Management Service
event log from the Applications and Services Logs folder of Event Viewer.

If you use System Center Operations Manager, the System Center Data Warehouse
database stores event log data for reporting, so you do not have to back up the
event logs separately.

Is the KMS client computer activated?


On the KMS client computer, open the System control panel, and look for the Windows
is activated message. Alternatively, run Slmgr.vbs and use the /dli command-line
option.

The KMS client computer does not activate


Verify that the KMS activation threshold is met. On the KMS host computer, run
Slmgr.vbs and use the /dli command-line option to determine the host’s current count.
Until the KMS host has a count of 25, Windows 7 client computers cannot be activated.
Windows Server 2008 R2 KMS clients require a KMS count of 5 for activation. For more
information about KMS requirements, see the Volume Activation Planning Guide.

On the KMS client computer, look in the Application event log for event ID 12289. Check
this event for the following information:

Is the result code 0? Anything else is an error.
Is the KMS host name in the event correct?
Is the KMS port correct?
Is the KMS host accessible?
If the client is running a non-Microsoft firewall, does the outbound port have to be
configured?

On the KMS host computer, look in the KMS event log for event ID 12290. Check this
event for the following information:

Did the KMS host log a request from the client computer? Verify that the name of
the KMS client computer is listed. Verify that the client and KMS host can
communicate. Did the client receive the response?
If no event is logged from the KMS client, the request did not reach the KMS host
or the KMS host was unable to process it. Make sure that routers do not block
traffic using TCP port 1688 (if the default port is used) and that stateful traffic to
the KMS client is allowed.

What does this error code mean?


Except for KMS events that have event ID 12290, Windows logs all activation events to
the Application event log under the event provider name Microsoft-Windows-Security-
SPP. Windows logs KMS events to the Key Management Service log in the Applications
and Services folder. IT pros can run Slui.exe to display a description of most activation-
related error codes. The general syntax for this command is as follows:

Windows Command Prompt

slui.exe 0x2a ErrorCode

For example, if event ID 12293 contains error code 0x8007267C, you can display a
description of that error by running the following command:

Windows Command Prompt

slui.exe 0x2a 0x8007267C


For more information about specific error codes and how to address them, see
Resolving common activation error codes.

Clients are not adding to the KMS count


To reset the client computer ID (CMID) and other product-activation information, run
sysprep /generalize or slmgr /rearm. Otherwise, each client computer looks identical,
and the KMS host does not count them as separate KMS clients.

KMS hosts are unable to create SRV records


Domain Name System (DNS) may restrict Write access or may not support dynamic DNS
(DDNS). In this case, give the KMS host Write access to the DNS database, or create the
service (SRV) resource record (RR) manually. For more information about KMS and DNS
issues, see Common troubleshooting procedures for KMS and DNS issues.

Only the first KMS host is able to create SRV records

If the organization has more than one KMS host, the other hosts might not be able to
update the SRV RR unless the SRV default permissions are changed. For more
information about KMS and DNS issues, see Common troubleshooting procedures for
KMS and DNS issues.

I installed a KMS key on the KMS client


KMS keys should be installed only on KMS hosts, not on KMS clients. To return the
computer to KMS client configuration, run slmgr.vbs -ipk <SetupKey>.
For tables of keys that you can use to configure the computer as a KMS
client, see KMS client setup keys. These keys are publicly known and are edition-specific.
Remember to delete any unnecessary SRV RRs from DNS, and then restart the
computers.

A KMS host failed


If a KMS host fails, you must install a KMS host key on a new host and then activate the
host. Make sure that the new KMS host has an SRV RR in the DNS database. If you install
the new KMS host using the same computer name and IP address as the failed KMS
host, the new KMS host can use the DNS SRV record of the failed host. If the new host
has a different computer name, you can manually remove the DNS SRV RR of the failed
host or (if scavenging is enabled in DNS) let DNS automatically remove it. If the network
is using DDNS, the new KMS host automatically creates a new SRV RR on the DNS
server. The new KMS host then starts collecting client renewal requests and begins
activating clients as soon as the KMS activation threshold is met.

If your KMS clients use auto-discovery, they automatically select another KMS host if the
original KMS host does not respond to renewal requests. If the clients do not use auto-
discovery, you must manually update the KMS client computers that were assigned to
the failed KMS host by running slmgr.vbs /skms. To avoid this scenario, configure the
KMS clients to use auto-discovery. For more information, see the Volume Activation
Deployment Guide.

MAK activation: known issues
Article • 08/22/2022


This article describes common issues that can occur during Multiple Activation Key
(MAK) activations, and provides guidance for addressing those issues.

How can I tell whether my computer is activated?

On the computer, open the System control panel and look for Windows is activated.
Alternatively, run Slmgr.vbs and use the /dli command-line option.

The computer does not activate over the internet

Make sure that the required ports are open in the firewall. For a list of ports, see the
Volume Activation Deployment Guide.

Internet and telephone activation fail


Contact a local Microsoft Activation Center. For the telephone numbers of Microsoft
Activation Centers worldwide, go to Microsoft Licensing Activation Centers worldwide
telephone numbers. Make sure to provide the Volume License agreement information
and proof of purchase when you call.

Slmgr.vbs /ato returns an error code


If Slmgr.vbs returns a hexadecimal error code, determine the corresponding error
message by running the following command:

Windows Command Prompt

slui.exe 0x2a 0x<ErrorCode>


For more information about specific error codes and how to address them, see
Resolving common activation error codes.

Guidelines for troubleshooting DNS-related activation issues
Article • 05/19/2022

You may have to use some of these methods if one or more of the following conditions
are true:

You use volume-licensed media and a Volume License generic product key to
install one of the following operating systems:
    Windows Server 2019
    Windows Server 2016
    Windows Server 2012 R2
    Windows Server 2012
    Windows Server 2008 R2
    Windows Server 2008
    Windows 10
    Windows 8.1
    Windows 8
The activation wizard cannot connect to a KMS host computer.

When you try to activate a client system, the activation wizard uses DNS to locate a
corresponding computer that's running the KMS software. If the wizard queries DNS and
does not find the DNS entry for the KMS host computer, the wizard reports an error.

Review the following list to find an approach that fits your circumstances:

If you cannot install a KMS host or if you cannot use KMS activation, try the
Change the product key to an MAK procedure.
If you have to install and configure a KMS host, use the Configure a KMS host for
the clients to activate against procedure.
If the client cannot locate your existing KMS host, use the following procedures to
troubleshoot your routing configurations. These procedures are arranged from the
simplest to the most complex.
Verify basic IP connectivity to the DNS server
Verify the KMS host configuration
Determine the type of routing issue
Verify the DNS configuration
Manually create a KMS SRV record
Manually assign a KMS host to a KMS client
Configure the KMS host to publish in multiple DNS domains
Change the product key to an MAK
If you cannot install a KMS host or, for some other reason, you cannot use KMS
activation, change the product key to an MAK. If you downloaded Windows images
from the Microsoft Developer Network (MSDN), or from TechNet, the stock-keeping
units (SKUs) that are listed below the media are generally volume-licensed media, and
the product key that's provided is an MAK key.

To change the product key to an MAK, follow these steps:

1. Open an elevated Command Prompt window. To do this, press the Windows logo
key+X, right-click Command Prompt, and then select Run as administrator. If you
are prompted for an administrator password or for confirmation, type the
password or provide confirmation.
2. At the command prompt, run the following command:

Windows Command Prompt

slmgr -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Note

The xxxxx-xxxxx-xxxxx-xxxxx-xxxxx placeholder represents your MAK product key.

Return to the procedure list.

Configure a KMS host for the clients to activate against
KMS activation requires that a KMS host be configured for the clients to activate against.
If there are no KMS hosts configured in your environment, install and activate one by
using an appropriate KMS host key. After you configure a computer on the network to
host the KMS software, publish the Domain Name System (DNS) settings.

For information about the KMS host configuration process, see Activate using Key
Management Service and Install and Configure VAMT.

Return to the procedure list.


Verify basic IP connectivity to the DNS server
Verify basic IP connectivity to the DNS server by using the ping command. To do this,
follow these steps on both the KMS client that is experiencing the error and the KMS
host computer:

1. Open an elevated Command Prompt window.


2. At the command prompt, run the following command:

Windows Command Prompt

ping <DNS_Server_IP_address>

Note

If the output from this command does not include the phrase "Reply from,"
there is a network problem or DNS issue that you must resolve before you can
use the other procedures in this article. For more information about how to
troubleshoot TCP/IP issues if you cannot ping the DNS server, see Advanced
troubleshooting for TCP/IP issues.

Return to the procedure list.

Verify the configuration of the KMS host


Check the registry of the KMS host server to determine whether it is registering with
DNS. By default, a KMS host server dynamically registers a DNS SRV record one time
every 24 hours.

Important

Follow the steps in this section carefully. Serious problems might occur if you
modify the registry incorrectly. Before you modify it, back up the registry for
restoration in case problems occur.

To check this setting, follow these steps:

1. Start Registry Editor. To do this, right-click Start, select Run, type regedit, and then
press Enter.
2. Locate the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
subkey (previously SL instead of SoftwareProtectionPlatform in Windows Server 2008
and Windows Vista), and check the value of the DisableDnsPublishing entry. This entry
has the following possible values:

0 or undefined (default): The KMS host server registers a SRV record once
every 24 hours.
1: The KMS host server does not automatically register SRV records. If your
implementation does not support dynamic updates, see Manually create a
KMS SRV record.

3. If the DisableDnsPublishing entry is missing, create it (the type is DWORD). If
dynamic registration is acceptable, leave the value undefined or set it to 0.

Return to the procedure list.

Determine the type of routing issue


You can use the following commands to determine whether this is a name resolution
issue or an SRV record issue.

1. On a KMS client, open an elevated Command Prompt window.

2. At the command prompt, run the following commands:

Windows Command Prompt

cscript \windows\system32\slmgr.vbs -skms <KMS_FQDN>:<port>


cscript \windows\system32\slmgr.vbs -ato

Note

In this command, <KMS_FQDN> represents the fully qualified domain name
(FQDN) of the KMS host computer and <port> represents the TCP port that
KMS uses.

If these commands resolve the problem, this is an SRV record issue. You can
troubleshoot it by using one of the commands that are documented in the
Manually assign a KMS host to a KMS client procedure.

3. If the problem persists, run the following commands:


Windows Command Prompt

cscript \windows\system32\slmgr.vbs -skms <IP Address>:<port>


cscript \windows\system32\slmgr.vbs -ato

Note

In this command, <IP Address> represents the IP address of the KMS host
computer and <port> represents the TCP port that KMS uses.

If these commands resolve the problem, this is most likely a name resolution issue.
For additional troubleshooting information, see the Verify the DNS configuration
procedure.

4. If none of these commands resolves the problem, check the computer's firewall
configuration. Any activation communications that occur between KMS clients and
the KMS host use the 1688 TCP port. The firewalls on both the KMS client and the
KMS host must allow communication over port 1688.

Return to the procedure list.

Verify the DNS configuration

Note

Unless otherwise stated, follow these steps on a KMS client that has experienced
the applicable error.

1. Open an elevated Command Prompt window.


2. At the command prompt, run the following command:

Windows Command Prompt

IPCONFIG /all

3. From the command results, note the following information:

The assigned IP address of the KMS client computer


The IP address of the Primary DNS server that the KMS client computer uses
The IP address of the default gateway that the KMS client computer uses
The DNS suffix search list that the KMS client computer uses
4. Verify that the KMS host SRV records are registered in DNS. To do this, follow these
steps:
a. Open an elevated Command Prompt window.
b. At the command prompt, run the following command:

Windows Command Prompt

nslookup -type=all _vlmcs._tcp>kms.txt

c. Open the KMS.txt file that the command generates. This file should contain one
or more entries that resemble the following entry:

_vlmcs._tcp.contoso.com SRV service location:


priority = 0
weight = 0
port = 1688 svr hostname = kms-server.contoso.com

Note

In this entry, contoso.com represents the domain of the KMS host.

i. Verify the IP address, host name, port, and domain of the KMS host.
ii. If these _vlmcs entries exist, and if they contain the expected KMS host
names, go to Manually assign a KMS host to a KMS client.

Note

If the nslookup command finds the KMS host, it does not mean that the
DNS client can find the KMS host. If the nslookup command finds the KMS
host, but you still cannot activate by using the KMS host, check the other
DNS settings, such as the primary DNS suffix and the search list of the DNS
suffix.

5. Verify that the search list of the primary DNS suffix contains the DNS domain suffix
that is associated with the KMS host. If the search list does not include this
information, go to the Configure the KMS host to publish in multiple DNS domains
procedure.

Return to the procedure list.

Manually create a KMS SRV record


To manually create an SRV record for a KMS host that uses a Microsoft DNS server,
follow these steps:

1. On the DNS server, open DNS Manager. To open DNS Manager, select Start, select
Administrative Tools, and then select DNS.
2. Select the DNS server on which you have to create the SRV resource record.
3. In the console tree, expand Forward Lookup Zones, right-click the domain, and
then select Other New Records.
4. Scroll down the list, select Service Location (SRV), and then select Create Record.
5. Type the following information:

Service: _VLMCS
Protocol: _TCP
Port number: 1688
Host offering the service: <FQDN of the KMS host>

6. When you are finished, select OK, and then select Done.

To manually create an SRV record for a KMS host that uses a BIND 9.x-compliant DNS
server, follow the instructions for that DNS server, and provide the following information
for the SRV record:

Name: _vlmcs._TCP
Type: SRV
Priority: 0
Weight: 0
Port: 1688
Hostname: <FQDN or A-Name of the KMS host>

To configure a BIND 9.x-compatible DNS server to support KMS auto-publishing,
configure the DNS server to enable resource record updates from KMS hosts. For
example, add the following line to the zone definition in Named.conf or in
Named.conf.local:

Windows Command Prompt

allow-update { any; };
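
The following PowerShell script is an added example, not part of the original article: run on a KMS client, it repeats the _vlmcs._tcp SRV lookup from Verify the DNS configuration for every DNS suffix the client uses, tests the advertised port, and flags SRV targets that are not on an allowlist, which matters when the zone accepts dynamic updates from any host. The allowlist value kms-server.contoso.com is a placeholder taken from the sample entry above, and the script assumes the built-in Resolve-DnsName, Get-DnsClient, Get-DnsClientGlobalSetting, and Test-NetConnection cmdlets.

```powershell
# Added example (not from the original article): read-only KMS discovery check,
# run on a KMS client. $ExpectedHosts is a constructed allowlist; use your own FQDNs.
param(
    [string[]]$ExpectedHosts = @('kms-server.contoso.com')
)

# DNS suffixes the client may search: primary DNS suffix, per-adapter
# connection-specific suffixes, and the DNS suffix search list.
$suffixes = @(
    [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    (Get-DnsClient).ConnectionSpecificSuffix
    (Get-DnsClientGlobalSetting).SuffixSearchList
) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique

$report = foreach ($suffix in $suffixes) {
    $query = "_vlmcs._tcp.$suffix"
    $srv = @(Resolve-DnsName -Name $query -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' })

    if ($srv.Count -eq 0) {
        [pscustomobject]@{ Query = $query; Target = ''; Port = ''
                           Finding = 'No SRV record: SRV record issue' }
        continue
    }

    foreach ($record in $srv) {
        $target = $record.NameTarget.TrimEnd('.')
        # Does the advertised host name resolve, and does it accept TCP on the SRV port?
        $resolves = [bool](Resolve-DnsName -Name $target -DnsOnly -ErrorAction SilentlyContinue)
        $tcpOpen = $false
        if ($resolves) {
            $tcpOpen = (Test-NetConnection -ComputerName $target -Port $record.Port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        if ($ExpectedHosts -notcontains $target) {
            $finding = 'SRV target is not an expected KMS host: review who registered it'
        } elseif (-not $resolves) {
            $finding = 'Target does not resolve: name resolution issue'
        } elseif (-not $tcpOpen) {
            $finding = "TCP port $($record.Port) unreachable: check both firewalls"
        } else {
            $finding = 'OK'
        }
        [pscustomobject]@{ Query = $query; Target = $target; Port = $record.Port
                           Finding = $finding }
    }
}

if (-not $report) { Write-Warning 'No DNS suffix is configured on this client.' }
$report | Format-Table -AutoSize -Wrap
```

The script only queries DNS and opens a TCP connection; it does not change the client's KMS assignment or activation state.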

Manually assign a KMS host to a KMS client


By default, the KMS clients use the automatic discovery process. According to this
process, a KMS client queries DNS for a list of servers that have published _vlmcs SRV
records within the membership zone of the client. DNS returns the list of KMS hosts in a
random order. The client picks a KMS host and tries to establish a session on it. If this
attempt works, the client caches the name of the KMS host and tries to use it for the
next renewal attempt. If the session setup fails, the client randomly picks another KMS
host. We highly recommend that you use the automatic discovery process.

However, you can manually assign a KMS host to a particular KMS client. To do this,
follow these steps.

1. On a KMS client, open an elevated Command Prompt window.


2. Depending on your implementation, follow one of these steps:

To assign a KMS host by using the FQDN of the host, run the following
command:

Windows Command Prompt

cscript \windows\system32\slmgr.vbs -skms <KMS_FQDN>:<port>

To assign a KMS host by using the version 4 IP address of the host, run the
following command:

Windows Command Prompt

cscript \windows\system32\slmgr.vbs -skms <IPv4Address>:<port>

To assign a KMS host by using the version 6 IP address of the host, run the
following command:

Windows Command Prompt

cscript \windows\system32\slmgr.vbs -skms <IPv6Address>:<port>

To assign a KMS host by using the NETBIOS name of the host, run the
following command:

Windows Command Prompt

cscript \windows\system32\slmgr.vbs -skms <NETBIOSName>:<port>

To revert to automatic discovery on a KMS client, run the following command:

Windows Command Prompt

cscript \windows\system32\slmgr.vbs -ckms


Note

These commands use the following placeholders:

<KMS_FQDN> represents the fully qualified domain name (FQDN) of
the KMS host computer
<IPv4Address> represents the IP version 4 address of the KMS host
computer
<IPv6Address> represents the IP version 6 address of the KMS host
computer
<NETBIOSName> represents the NETBIOS name of the KMS host
computer
<port> represents the TCP port that KMS uses.

Configure the KMS host to publish in multiple DNS domains

Important

Follow the steps in this section carefully. Serious problems might occur if you
modify the registry incorrectly. Before you modify it, back up the registry for
restoration in case problems occur.

As described in Manually assign a KMS host to a KMS client, KMS clients typically use
the automatic discovery process to identify KMS hosts. This process requires that the
_vlmcs SRV records be available in the DNS zone of the KMS client computer. The
DNS zone corresponds to either the primary DNS suffix of the computer or to one of the
following:

For domain-joined computers, the computer's domain as assigned by the DNS
system (such as Active Directory Domain Services (AD DS) DNS).
For workgroup computers, the computer's domain as assigned by the Dynamic
Host Configuration Protocol (DHCP). This domain name is defined by the option
that has the code value of 15 as defined in Request for Comments (RFC) 2132.

By default, a KMS host registers its SRV records in the DNS zone that corresponds to the
domain of the KMS host computer. For example, assume that a KMS host joins the
contoso.com domain. In this scenario, the KMS host registers its _vlmcs SRV record
under the contoso.com DNS zone. Therefore, the record identifies the service as
_VLMCS._TCP.CONTOSO.COM .

If the KMS host and KMS clients use different DNS zones, you must configure the KMS
host to automatically publish its SRV records in multiple DNS domains. To do this, follow
these steps:

1. On the KMS host, start Registry Editor.


2. Locate and then select the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
subkey (previously SL instead of SoftwareProtectionPlatform in Windows Server 2008
and Windows Vista).
3. In the Details pane, right-click a blank area, select New, and then select Multi-
String Value.
4. For the name of the new entry, enter DnsDomainPublishList.
5. Right-click the new DnsDomainPublishList entry, and then select Modify.
6. In the Edit Multi-String dialog box, type each DNS domain suffix that KMS
publishes on a separate line, and then select OK.

Note

For Windows Server 2008 R2, the format for DnsDomainPublishList differs.
For more information, see the Volume Activation Technical Reference Guide.

7. Use the Services administrative tool to restart the Software Protection service
(previously the Software Licensing service in Windows Server 2008 and Windows
Vista). This operation creates the SRV records.
8. Verify that the KMS client can contact the KMS host that you configured by using a
typical method. Verify that the KMS client correctly identifies the KMS host both by
name and by IP address. If either of these verifications fails, investigate this DNS
client resolver issue.
9. To clear any previously cached KMS host names on the KMS client, open an
elevated Command Prompt window on the KMS client, and then run the following
command:

Windows Command Prompt

cscript C:\Windows\System32\slmgr.vbs -ckms
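
The registry checks from Verify the configuration of the KMS host and from this procedure can be scripted as a read-only check. The following PowerShell script is an added example, not part of the original article; run on the KMS host, it reads DisableDnsPublishing and DnsDomainPublishList and confirms that a _vlmcs SRV record for this host exists in each domain. It assumes the built-in Resolve-DnsName cmdlet and that each DnsDomainPublishList entry is a plain DNS suffix.

```powershell
# Added example (not from the original article): read-only check, run on the KMS
# host, of the DNS publishing settings and the SRV records that result from them.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
$spp = Get-ItemProperty -Path $key

# 0 or undefined: SRV record registered every 24 hours. 1: no automatic registration.
$publishingDisabled = ($spp.DisableDnsPublishing -eq 1)

$ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$thisHost = ('{0}.{1}' -f $ip.HostName, $ip.DomainName).TrimEnd('.')

# Domains the host should publish in: its own domain plus DnsDomainPublishList.
# Assumption: each list entry is a plain DNS suffix (the format that the article
# says differs on Windows Server 2008 R2 is not handled).
$domains = @($ip.DomainName) + @($spp.DnsDomainPublishList) |
    Where-Object { $_ } |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Sort-Object -Unique

$report = foreach ($domain in $domains) {
    # Names that the _vlmcs._tcp SRV records in this domain point to.
    $targets = @(Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -DnsOnly `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.') })

    [pscustomobject]@{
        Domain            = $domain
        ThisHostPublished = $targets -contains $thisHost
        OtherSrvTargets   = @($targets | Where-Object { $_ -ne $thisHost }) -join ', '
    }
}

Write-Output "Automatic SRV registration disabled (DisableDnsPublishing = 1): $publishingDisabled"
$report | Format-Table -AutoSize -Wrap

# A missing record after the Software Protection service restart points to a
# zone that rejects the update or to a suffix that was typed incorrectly.
$report | Where-Object { -not $_.ThisHostPublished } | ForEach-Object {
    Write-Warning "No _vlmcs SRV record for $thisHost in $($_.Domain)"
}
```

Entries in OtherSrvTargets are other hosts that advertise KMS in the same domain; compare them with the KMS hosts you actually operate.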


Rebuild the Tokens.dat file
Article • 05/19/2022

When you troubleshoot Windows activation issues, you may have to rebuild the
Tokens.dat file. This article describes in detail how to do this.

Resolution
To rebuild the Tokens.dat file, follow these steps:

1. Open an elevated Command Prompt window:

For Windows 10
a. Open the Start menu, and enter cmd.
b. In the search results, right-click Command Prompt, and then select Run as
administrator.

For Windows 8.1


a. Swipe in from the right edge of the screen, and then tap Search. Or, if you are
using a mouse, point to the lower-right corner of the screen, and then select
Search.
b. In the search box, enter cmd.
c. Swipe across or right-click the displayed Command Prompt icon.
d. Tap or click Run as administrator.

For Windows 7
a. Open the Start menu, and enter cmd.
b. In the search results, right-click cmd.exe, and then select Run as administrator.

2. Enter the list of commands that is appropriate for your operating system.

For Windows 10, Windows Server 2016 and later versions of Windows, enter the
following commands in sequence:

Windows Command Prompt

net stop sppsvc


cd %Systemdrive%\Windows\System32\spp\store\2.0\
ren tokens.dat tokens.bar
net start sppsvc
cscript.exe %windir%\system32\slmgr.vbs /rilc

For Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, enter the
following commands in sequence:
Windows Command Prompt

net stop sppsvc


cd %Systemdrive%\Windows\System32\spp\store\
ren tokens.dat tokens.bar
net start sppsvc
cscript.exe %windir%\system32\slmgr.vbs /rilc

For Windows 7, Windows Server 2008 and Windows Server 2008 R2, enter the
following commands in sequence:

Windows Command Prompt

net stop sppsvc


cd %Systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ren tokens.dat tokens.bar
net start sppsvc
cscript.exe %windir%\system32\slmgr.vbs /rilc

3. Restart the computer.

More information
After you rebuild the Tokens.dat file, you must reinstall your product key by using one of
the following methods:

At the same elevated command prompt, type the following command, and then
press Enter:

Windows Command Prompt

cscript.exe %windir%\system32\slmgr.vbs /ipk <Product key>

Important

Do not use the /upk switch to uninstall a product key. To install a product key
over an existing product key, use the /ipk switch.

Right-click My Computer, select Properties, and then select Change product key.

For more information about KMS client setup keys, see KMS client setup keys.
Windows release health
Official information on Windows releases and servicing milestones, plus resources, tools, and
news about known issues and safeguards to help you plan your next update. Want the latest
Windows release health updates? Follow @WindowsUpdate on X (formerly known as Twitter).

Windows Server - License Terms
Article • 03/31/2022

Review our Windows Server-related license terms.

Additional software for Windows Server 2016

Windows Server Technical Preview Expiration

Windows Server 2016 Technical Preview License Terms

Microsoft Software License Terms - MICROSOFT.WINDOWSSERVER.SYSTEMINSIGHTS

Microsoft Software License Terms - MICROSOFT.WINDOWSSERVER.SYSTEMINSIGHTS.CAPABILITIES

Windows Admin Center - License Terms
