Windows Server 2022 Is Here!

"Overall, there's not really a huge number of new features, and what there is, isn't all available for your traditional on-premises Windows Server," says our hands-on review expert, Paul Schnackenburg.

Quietly released to General Availability in mid-August and then officially on Sept. 1, Windows Server 2022 has arrived.

Microsoft recently held a virtual Windows Server Summit to launch it, with a two-hour livestream featuring different presenters covering different aspects of new features, plus some on-demand video content. Compare that to the huge fanfare that would have accompanied a new version of Windows Server only a few years ago. For someone who was around in the beginning (I can still remember the smell of the printed thick manuals for Windows Server NT 3.51 that I devoured from cover to cover when I set up my first server), I can't help but feel that Windows Server is quietly fading into the background.

However, there are some very useful features and there are definitely reasons to migrate (just not as many as in the past) so let's dig in.

I looked at the preview back in April ("Windows Server 2022 Is Coming!") and most of that information stands for the GA release.

The three main areas are Secure Core Server, SMB over QUIC, and Storage Migration Service, with additional honorable mentions for security, networking and Hyper-V. I'll also provide my own analysis of where each feature actually brings real-world benefits and where it's more of a marketing spin.

Secure Core Server
As the name implies, Microsoft is taking the tech incorporated into newer PC devices to protect against firmware attacks and expanding it to the server platform. This is timely as firmware attacks are on the rise and having a strong guarantee that the underlying hardware is secure is important.

Comprising six areas, Secure Core Servers from the major server manufacturers will come with a Trusted Platform Module (TPM) 2.0 chip, BitLocker and Virtualization Based Security (VBS), all enabled straight out of the box. The six areas are:

  1. Hypervisor based Code Integrity (HVCI)
  2. Boot DMA Protection
  3. System Guard
  4. Secure Boot
  5. VBS
  6. TPM 2.0

Each of these contributes to a trusted hardware platform: the TPM stores BitLocker keys and other secrets securely; VBS uses hardware virtualization (not a whole separate VM, just an area of memory protected using Hyper-V) to stop credential attacks such as Mimikatz; and Secure Boot verifies the signatures on the boot software (the OS itself, the UEFI firmware and any EFI applications).

HVCI builds on top of VBS to protect the Control Flow Guard (CFG) bitmap from modification and to check device drivers for EV certificates. CFG is the part of Windows that stops malicious applications from corrupting the memory of benign applications. System Guard builds on these lower-level features and validates the whole boot chain using Static Root of Trust for Measurement (SRTM), Dynamic Root of Trust for Measurement (DRTM) and System Management Mode (SMM) protection.
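Because these six building blocks only help if they are actually running, here is an added check (my example, not from the article or from Windows Admin Center) that reports their state on one server. It runs in an elevated PowerShell session on Windows Server 2022 and uses only the in-box TPM, Secure Boot, BitLocker and Device Guard interfaces; the numeric codes are the ones Microsoft documents for the Win32_DeviceGuard class.

```powershell
# Added example: report which Secure Core building blocks are active on this server.
# Run elevated on Windows Server 2022. Nothing here changes configuration; it only reads state.
function Get-SecureCoreStatus {
    # Win32_DeviceGuard exposes the VBS state and the services running on top of it.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Documented codes for Win32_DeviceGuard:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI (memory integrity)
    #   AvailableSecurityProperties:       2 = Secure Boot, 3 = DMA protection, 6 = SMM mitigations
    $tpm = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion

    [pscustomobject]@{
        TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        TpmSpecVersion     = $tpmSpec                       # Secure Core requires a "2.0" TPM
        # Confirm-SecureBootUEFI throws on a legacy BIOS boot; treat that as "not enabled".
        SecureBootEnabled  = $(try { Confirm-SecureBootUEFI } catch { $false })
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning        = (2 -in $dg.SecurityServicesRunning)
        CredentialGuard    = (1 -in $dg.SecurityServicesRunning)
        DmaProtectionAvail = (3 -in $dg.AvailableSecurityProperties)
        SmmMitigationAvail = (6 -in $dg.AvailableSecurityProperties)
        # BitLocker state of the OS volume (On/Off); the TPM is what holds its key.
        OsDriveBitLocker   = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
    }
}

Get-SecureCoreStatus | Format-List
```

A VM running on Hyper-V or in Azure will typically show VBS and HVCI running but no DMA or SMM properties, which is exactly the gap between "some VBS features" and a full Secure Core server that the next paragraph describes.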

[Figure: Secure Core Server Extension in Windows Admin Center]

There's no doubt that these are welcome additions in a server OS, BUT ask yourself: how many of the servers you're going to be running in your datacenter in 2022 and beyond are going to be physical servers? All of these protections are only available on new servers that are Secure Core (or on an existing server with a TPM 2.0 chip where the vendor provides verified firmware drivers). So, perhaps you run a Hyper-V cluster, maybe some Domain Controllers and perhaps a really big SQL server or two. But if you run your DCs virtualized, or if you run Windows VMs on VMware, Secure Core Server will bring few if any benefits to you. That's not to say that some of these features won't be (and some already are) available for VMs running on top of Hyper-V, or as IaaS VMs in Azure, but those VMs are not fully protected the way Secure Core servers are.

Server Message Block
SMB in Windows Server 2022 has received a lot of love. You can now use AES-256-GCM and AES-256-CCM encryption for the traffic and the signing supports GMAC acceleration.

Even cooler, SMB compression can now be enabled at the server, the client, the share or even for individual file copies (using Robocopy), which, at the expense of slightly higher CPU usage, considerably reduces the network bandwidth used.

[Figure: SMB 3 Signing and Encryption Settings]

If you're using Remote Direct Memory Access (RDMA) to speed up your Hyper-V nodes' access to Storage Spaces Direct (for instance using SMB Direct), you can now encrypt that traffic. Furthermore, you now have granular control over encryption between nodes in a cluster as well as over inbound/outbound traffic to the cluster.

Note that all these features are only available between Windows Server 2022 nodes or when they're communicating with Windows 11 clients. The encryption features for instance will negotiate what each end supports and fall back to unencrypted, so to really ensure that all traffic is protected at the highest level you need to upgrade ALL servers/clients.
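The settings shown in the screenshots can also be applied and, more importantly, verified from PowerShell. The following is an added example (mine, not from the article); the share name 'Finance' and the server name 'fs01' are placeholders, the -EncryptionCiphers and -CompressData parameters and the Robocopy /COMPRESS switch are the Windows Server 2022 / Windows 11 additions discussed above, and everything runs from an elevated session.

```powershell
# Added example: harden SMB on a Windows Server 2022 file server and then check what
# clients actually negotiated, since older clients otherwise fall back silently.

# --- Server side -------------------------------------------------------------------
# Offer only the new AES-256 suites (WS2022 parameter). A client that cannot use one of
# them fails to connect instead of quietly negotiating a weaker cipher.
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM, AES_256_CCM' -Force

# Require signing on every session, and refuse clients that cannot encrypt when a share
# (or the server) asks for encryption. This closes the "fall back to unencrypted" gap.
Set-SmbServerConfiguration -RequireSecuritySignature $true `
                           -RejectUnencryptedAccess  $true -Force

# Per-share: encrypt this share's traffic and allow clients to request compression on it.
Set-SmbShare -Name 'Finance' -EncryptData $true -CompressData $true -Force

# Effective server policy, for the change record.
Get-SmbServerConfiguration |
    Select-Object EncryptionCiphers, EncryptData, RequireSecuritySignature, RejectUnencryptedAccess

# --- Client side (Windows 11 or Windows Server 2022) -----------------------------------
# One-off copy that asks the server to compress the transfer (/COMPRESS is the new switch).
robocopy \\fs01\Finance D:\FinanceBackup /E /COMPRESS

# List every current connection that is NOT SMB 3.1.1, signed and encrypted: these are
# the downgraded sessions (older servers or clients) the paragraph above warns about.
function Get-WeakSmbConnection {
    Get-SmbConnection |
        Where-Object { $_.Dialect -ne '3.1.1' -or -not $_.Signed -or -not $_.Encrypted } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

Get-WeakSmbConnection
```

An empty result from Get-WeakSmbConnection on a representative client is the evidence that the upgrade of "ALL servers/clients" the article calls for has actually taken effect.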

[Figure: SMB Share Compression and Encryption Settings]

SMB Over QUIC
This is the most important feature in Windows Server 2022 for me, with the most real-world application. Basically, it's SMB over UDP, with all traffic protected by TLS 1.3, enabling you to securely provide file shares to remote users without using a VPN. Again, it's only available when connecting from Windows 11 (but at least that upgrade is free -- as long as your client device has the required hardware).

The additional gate here is the server version -- Windows Server 2022 comes in the same Standard and Datacenter flavors (with Desktop/Core) we're used to, plus a new version, Datacenter: Azure Edition. This new edition is the only one that supports SMB over QUIC. Azure Edition only runs in Azure, as the name implies, OR on Azure Stack HCI. That name itself is very confusing, as it implies it runs in Azure (it doesn't; you run this on-premises) and that it's got something to do with Azure Stack Hub (it doesn't; Hub is an integrated system you purchase from a vendor which runs the same software as Azure does, just a few versions behind). Azure Stack HCI is a version of Windows Server that you run on your own hardware as Hyper-Converged Infrastructure (HCI), so the storage is shared between the nodes using Storage Spaces Direct (S2D). This version of Windows Server is a subscription version that you pay for monthly, and in turn it receives regular updates.

The bottom line: SMB over QUIC is only available for a new file server that you run in Azure or on Azure Stack HCI in your datacenter, and only if you connect from a Windows 11 client. This artificial limitation of not offering SMB over QUIC in Windows Server 2022 Standard/Datacenter is particularly disappointing. It should be noted that SMB over QUIC is currently in preview, but you do receive support from Microsoft.

Storage Migration Service
Spearheaded by Ned Pyle at Microsoft, this feature has been in Windows for a few versions now, enabling seamless migration of file servers from legacy OS versions to more modern ones. You point a destination server at an existing file server (or, if you have a fleet of them, you can have a Storage Migration Service server orchestrating the migrations from multiple source servers to multiple destination servers), it copies the data until both are in sync, and then you can seamlessly cut over to the new one. Server names, share names, permissions, everything is migrated, and your users will notice very little impact. This service now supports Linux Samba servers and NetApp file shares, and continues to support Windows file servers, including clustered ones.

[Figure: Storage Migration Service]

Storage Migration Service is also Azure File Sync-aware so that if you're migrating a file server that's tiering data to a file share in Azure, it's going to manage the replication speeds so that the necessary pull down of data from Azure (likely a much slower pipe than between your file servers) isn't going to overwhelm the migration pipeline.

Networking and Security
At the Windows Server Summit there was a lot of hay made about Transport Layer Security (TLS) version 1.3 being enabled by default in Windows Server 2022. It is faster (fewer handshake round trips, and more of the setup is encrypted) and it's more secure (only five strong cipher suites are supported, and they all provide Perfect Forward Secrecy, PFS, which means that even if a future flaw is found, you can't go back and decrypt older stored traffic).

But TLS 1.3 isn't unique to Windows Server 2022. It's available in Windows 10 1903 (preview for testing only) and later, and while I couldn't find a definitive official statement, I can't imagine that Microsoft won't backport TLS 1.3 to Windows Server 2019 at least and most likely 2016.

There are a few useful speed improvement features, such as TCP HyStart++ for faster connection start-up in high-speed networks and RACK to reduce Retransmit Timeouts. UDP Segmentation Offload (USO) is similar to the TCP offloads that are available on NICs, letting specialized hardware chips on the NIC do the heavy lifting.

Azure Extended Network is another feature unique to the Azure Edition and it lets you connect Azure and on-premises networks with full IP address mobility over VXLAN network virtualization, letting you move VMs to Azure without changing their IP addresses.

Fallen Comrades
There are a few casualties in this edition too. Windows Server 2019 still had the Essentials edition for small and medium businesses (SMBs) with up to 25 users, although the feature set was severely depleted. The last real version of Windows Server for SMBs was Windows Server 2016 Essentials.

In Windows Server 2022 there is a version of Standard for SMBs called "Essentials" (max 25 users, 50 devices, a single CPU in the server with no more than 10 cores), but from a feature perspective it's really just Standard at a discount.

No one in the tech industry seems to mourn the loss of the "real" Essentials features, but the death of Hyper-V Server caused quite a stir a few weeks ago. Basically, every new release of Windows Server has been accompanied by the release of a free Hyper-V Server edition. Containing all the Hyper-V features of its paid-for brethren while being command-line only, this edition was popular for home labs, VDI servers or when virtualizing Linux, where the Windows Server guest licensing included in the full Windows Server editions didn't matter. There will be no Hyper-V Server 2022, and Microsoft's Elden Christensen (he's a great presenter) outlines why in this thread.

Other Considerations
System Center 2022 is going to be available in preview later this year and be GA early next year. This suite of products (now that Configuration Manager has been moved into the Endpoint Manager fold) is very much on life support. When you spend a whole session at the Windows Server Summit contrasting a free, web-based admin tool (Windows Admin Center, WAC) with the capabilities available in a venerable enterprise grade management suite, you know there isn't a lot of innovation coming.

System Center 2022 will support Windows Server 2022 (a few versions ago, it was mandated that new Windows Server and System Center versions be released simultaneously to aid in adoption -- apparently not so important anymore) and Azure Stack HCI.

Windows Server and Hyper-V containers are still a thing, and they've shrunk the size of the Server Core container from 3.6 GB to 2.6 GB, but I think it's fair to say that the only use for containers on Windows that enterprises are seeing is for "modernizing" existing applications by moving them to containers/Kubernetes.

Speaking of containers, you can now give them an identity in Active Directory with group Managed Service Accounts (gMSAs) without having to domain-join your container hosts, and you can also maintain their time zone virtually, without having to match the host, which is important for globally distributed services.

As is to be expected, scalability is improved again, to 48 TB of memory and 2,048 Logical Processors (LPs, meaning cores or the threads of multithreaded cores), up from 24 TB and 512 LPs in Windows Server 2016/2019.

The twice-yearly releases of Windows Server, the Semi-Annual Channel (SAC), have been retired and we're back to the normal five years of mainstream support and five years of extended support that we've always had.

Hotpatching, the ability to apply patches to a running OS without having to restart it, is also only available in Azure Edition and then only in the Server Core flavor.

Conclusion
There's one glimmer of hope that Windows Server isn't completely without a future: Microsoft is introducing a certification for Windows Server 2022 (there wasn't one for 2019), called "Windows Server Hybrid Administrator Associate", with two exams required to get it:

  • AZ-800: Administering Windows Server Hybrid Core Infrastructure
  • AZ-801: Configuring Windows Server Hybrid Advanced Services

As you can tell, they'll be focused on how you can integrate Windows Server in a hybrid infrastructure -- they'll be released in December 2021.

Overall, there's not really a huge number of new features, and what there is isn't all available for your traditional on-premises Windows Server. It's a good idea to dig deeper into Azure Stack HCI and Windows Server 2022 Datacenter: Azure Edition and see exactly how they can fit into your company's IT strategy. I'm curious to see over the next year or so how this push for hybrid and subscription versions is going to work out for Microsoft.